2021000057 (P.T.A.B. Mar. 21, 2022)

Bitdefender IPR Management Ltd.

Patent Trials and Appeals BoardMar 21, 2022

2021000057 (P.T.A.B. Mar. 21, 2022)

UNITED STATES PATENT AND TRADEMARK OFFICE UNITED STATES DEPARTMENT OF COMMERCE United States Patent and Trademark Office Address: COMMISSIONER FOR PATENTS P.O. Box 1450 Alexandria, Virginia 22313-1450 www.uspto.gov APPLICATION NO. FILING DATE FIRST NAMED INVENTOR ATTORNEY DOCKET NO. CONFIRMATION NO. 16/233,750 12/27/2018 Alin O. DAMIAN SOF-1444-C1 1052 23574 7590 03/21/2022 Law Office of Andrei D. Popovici, P.C. 1450 W Highway 290 #1200 Dripping Springs, TX 78620 EXAMINER JACKSON, JENISE E ART UNIT PAPER NUMBER 2439 NOTIFICATION DATE DELIVERY MODE 03/21/2022 ELECTRONIC Please find below and/or attached an Office communication concerning this application or proceeding. The time period for reply, if any, is set in the attached communication. Notice of the Office communication was sent electronically on above-indicated "Notification Date" to the following e-mail address(es): ANDREI@APATENT.COM PTOL-90A (Rev. 04/07) UNITED STATES PATENT AND TRADEMARK OFFICE _______________ BEFORE THE PATENT TRIAL AND APPEAL BOARD _______________ Ex parte ALIN O. DAMIAN _______________ Appeal 2021-000057 Application 16/233,750 Technology Center 2400 _______________ Before JOSEPH L. DIXON, LARRY J. HUME, and JAMES W. DEJMEK, Administrative Patent Judges. DEJMEK, Administrative Patent Judge. DECISION ON APPEAL Appellant1 appeals under 35 U.S.C. § 134(a) from a Final Rejection of claims 1-21. We have jurisdiction over the pending claims under 35 U.S.C. § 6(b) We reverse. 1 Throughout this Decision, we use the word “Appellant” to refer to “applicant” as defined in 37 C.F.R. § 1.42 (2019). Appellant identifies Bitdefender IPR Management Ltd. as the real party in interest. Appeal Br. 4. Appeal 2021-000057 Application 16/233,750 2 STATEMENT OF THE CASE Introduction Appellant’s disclosed and claimed invention generally relates to detecting online fraud, particularly, fraudulent webpages. Spec. ¶ 2. Appellant describes an Internet domain that hosts or distributes fraudulent electronic documents (e.g., webpages) is considered a fraudulent Internet domain. Spec. ¶ 19. In a disclosed embodiment, a computer system identifies and selects a candidate Internet domain if the candidate domain is located at the IP address of a known fraudulent Internet domain and also satisfies a registration condition according to registration data of the candidate domain. Spec. ¶ 7. The system analyzes electronic documents hosted or distributed by the candidate Internet domain to determine whether the documents are fraudulent. Spec. ¶ 7. If the analyzed documents are fraudulent, the system determines that the candidate Internet domain is also fraudulent. Spec. ¶ 7. Claim 1 is illustrative of the subject matter on appeal and is reproduced below: 1. A computer system comprising at least one hardware processor configured to: in response to identifying a known fraudulent Internet domain located at an Internet Protocol (IP) address, select a candidate Internet domain according to whether the candidate Internet domain is located at the IP address; in response to selecting the candidate Internet domain, determine whether the candidate Internet domain satisfies a registration condition according to domain name registration data characterizing the candidate Internet domain; in response, when the candidate Internet domain satisfies the registration condition, analyze an electronic document Appeal 2021-000057 Application 16/233,750 3 distributed by the candidate Internet domain to determine whether the electronic document is fraudulent; and in response to analyzing the electronic document, when the electronic document is fraudulent, determine that the candidate Internet domain is fraudulent. The Examiner’s Rejections 1. Claims 1-4, 9-14, and 19-21 stand rejected under 35 U.S.C. § 103 as being unpatentable over Mitchell (US 2015/0350229 A1; Dec. 3, 2015) and Dingle et al. (US 8,528,084 B1; Sept. 3, 2013) (“Dingle”). Final Act. 6-11. 2. Claims 5, 6, 8, 15, 16, and 18 stand rejected under 35 U.S.C. § 103 as being unpatentable over Mitchell, Dingle, and Abifaker et al. (US 2015/0278817 A1; Oct. 1, 2015) (“Abifaker”). Final Act. 11-13. 3. Claims 7 and 17 stand rejected under 35 U.S.C. § 103 as being unpatentable over Mitchell, Dingle, Abifaker, and Hu et al. (US 2011/0112931 A1; May 12, 2011) (“Hu”). Final Act. 13-14. ANALYSIS2 In rejecting claim 1, inter alia, the Examiner relies on the combined teachings of Mitchell and Dingle. See Final Act. 6-8. In particular, the Examiner finds Mitchell teaches (i) selecting a candidate Internet domain according to whether it is located at the IP address of a known fraudulent 2 Throughout this Decision, we have considered the Appeal Brief, filed July 29, 2020 (“Appeal Br.”); the Reply Brief, filed October 1, 2020 (“Reply Br.”); the Examiner’s Answer, mailed September 15, 2020 (“Ans.”); and the Final Office Action, mailed January 30, 2020 (“Final Act.”), from which this Appeal is taken. Appeal 2021-000057 Application 16/233,750 4 Internet domain; and (ii) determining whether the candidate Internet domain satisfies a registration condition according to domain name registration data. Final Act. 6-7 (citing Mitchell ¶¶ 55-58); see also Ans. 6-8 (citing Mitchell ¶¶ 37, 40, 42, 55-56, 60-63, 69, 71, 78, 93). In addition, the Examiner finds Dingle teaches (i) analyzing an electronic document distributed by the candidate Internet domain, and (ii) determining that the candidate Internet domain is fraudulent if the analyzed electronic document is fraudulent. Final Act. 7 (citing Dingle, col. 1, ll. 53-60, col. 9, ll. 48-61, Fig. 6C). The Examiner determines it would have been obvious to combine Dingle’s teaching of document analysis to determine whether a candidate Internet domain is fraudulent with Mitchell’s teaching of selecting a candidate Internet domain to provide “an efficient security method that insures [sic] that a document can be determined to be fraudulent by analyzing the domain.” Final Act. 7-8 (citing Dingle, Fig. 6C). Appellant asserts that Mitchell fails to teach selecting a candidate Internet domain that is located at the IP address of a known fraudulent Internet domain. Appeal Br. 14-15; Reply Br. 6-9. Rather than selecting a candidate Internet domain having the same IP address as a known fraudulent Internet domain, Appellant argues that Mitchell describes selecting a candidate Internet domain based on whether it has the same physical address as a known fraudulent Internet domain. Appeal Br. 14-15 (citing Mitchell ¶¶ 29, 47, 55); Reply Br. 6-9. As such, Appellant argues that “Mitchell’s ‘analysis surrounding the domain name’ does not disclose identifying a domain according to whether it has the same IP address as another domain.” Reply Br. 8. Appeal 2021-000057 Application 16/233,750 5 Mitchell generally relates to using both network transaction data and name service transaction data to detect potential threats on a network. Mitchell ¶ 23. Mitchell describes that potential threats may come from an abuse resource, such as a computer connected to the network and controlled by a malicious entity for nefarious purposes. Mitchell ¶¶ 25-26. In a disclosed embodiment, Mitchell describes a system for abuse detection, the system comprising a threat detection device. Mitchell ¶ 24, Fig. 1. The threat detection module is comprised of three modules: (i) a DNS (Domain Name System) analysis module; (ii) a threat recognition module; and (iii) a mitigation module. Mitchell ¶ 36. Mitchell describes that threat recognition module evaluates network data and data received from the DNS module to determine whether a common abuse entity is a potential malicious entity of the network environment. Mitchell ¶ 38. More particularly, the threat detection module uses threat rules to identify a source as a malicious entity. Mitchell ¶ 38. In addition, Mitchell describes that the DNS analysis module (which supplies data to the threat recognition module) “performs analysis surrounding the domain name to assist threat recognition module 122 in determining whether a domain is a potential abuser.” Mitchell ¶ 40; see also Mitchell ¶ 78 (describing the threat recognition module “may look to the number of IP addresses mapped to a particular domain in the Domain Name System” to identify malicious behavior). As part of the DNS analysis module, Mitchell describes a threat recognition module “correlates the domain information with the underlying transaction data . . . [and] determines whether the domain, and its associated IP addresses, represents a threat.” Mitchell ¶ 40 (emphasis added). Appeal 2021-000057 Application 16/233,750 6 Further, Mitchell describes the DNS analysis module comprises a Whois analysis module, which analyzes a Whois directory entry for a domain name. Mitchell ¶ 41, Fig. 2. “Whois is a query and response protocol that is widely used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block, or an autonomous system, but is also used for a wider range of other information.” Mitchell ¶ 42. Mitchell teaches that the DNS analysis module may determine whether the retrieved Whois domain information includes fraudulent information. Mitchell ¶ 42. In addition, Mitchell teaches the Whois registration information may be correlated across other domains. Mitchell ¶ 55. Based on our review of Mitchell, we disagree with Appellant’s assertion that Mitchell is limited to examining a physical address, rather than an IP address, associated with an Internet domain. Although the Whois registration data described in Mitchell includes a physical address, Mitchell’s DNS analysis module and threat recognition module perform their respective analyses, in part, using the IP address of the domain “and its associated IP addresses.” See, e.g., Mitchell ¶¶ 37, 40. Thus, we agree with the Examiner that Mitchell teaches, inter alia, a computer system (i.e., threat detection device) configured to select a candidate Internet domain according to whether the candidate Internet domain is located at the IP address of a known fraudulent (i.e., abuser entity) Internet domain. Moreover, we agree with the Examiner that Mitchell teaches using Whois registration data, for example to determine whether the candidate Internet domain satisfies a registration condition. Appeal 2021-000057 Application 16/233,750 7 Appellant also disputes the Examiner’s proposed combination of Mitchell and Dingle, asserting that, absent impermissible hindsight, the Examiner has not shown why an ordinarily skilled artisan would have been motivated to combine Dingle’s analysis of electronic documents to Mitchell’s system of detecting an abuse entity. Appeal Br. 16-18; Reply Br. 9-10. Moreover, Appellant asserts that Dingle is directed to identifying fraudulent documents rather than fraudulent domains. Appeal Br. 18. Additionally, Appellant argues Dingle teaches away from the Appellant’s claimed invention because Dingle describes analyzing electronic documents prior to steps “involving domain information.” Appeal Br. 17. That is, Dingle does not suggest analyzing electronic documents in response to determining whether the candidate domain satisfies a registration condition. See Appeal Br. 17. Dingle generally relates to detecting whether a suspect electronic document is potentially fraudulent. Dingle, Abstract. More particularly, Dingle describes “identifying a document as being suspect based on whether the document requests personal or private information from a user and analyzing data or attributes associated with the suspect document.” Dingle, col. 1, ll., 53-57 (emphasis added). Dingle describes an exemplary process that begins by “analyzing a collected document history of the suspect document, an associated site, to determine the suspect document’s age or the age of the site associated with the document.” Dingle, col. 7, ll. 48-51, Fig. 6A. Dingle also describes that references to the suspect document, “or to a domain associated with the suspect document,” may be analyzed over time. Dingle, col. 9, ll. 48-50. Dingle further teaches that a determination may be made as to whether the suspect document is from a domain, Appeal 2021-000057 Application 16/233,750 8 nameserver, or IP subnet associated with known fraudulent document. Dingle, col. 9, ll. 54-57. We disagree with Appellant that Dingle teaches away from the claimed invention. “A reference may be said to teach away when a person of ordinary skill, upon reading the reference, would be discouraged from following the path set out in the reference, or would be led in a direction divergent from the path that was taken by the applicant.” Ricoh Co., Ltd. v. Quanta Computer, Inc., 550 F.3d 1325, 1332 (Fed. Cir. 2008) (citations omitted). Contrary to Appellant’s assertions, Dingle teaches an exemplary process may begin with analyzing “as associated site” of a suspect document. See Dingle, col. 7, ll. 48-51, Fig. 6A. Accordingly, we do not find Dingle is limited to analyzing electronic documents prior to steps involving domain information, as asserted by Appellant. Accordingly, we do not find Appellant’s argument persuasive of error. In addition, we disagree with Appellant (see Appeal Br. 18) that Dingle is limited to identifying fraudulent documents rather than fraudulent domains. Rather, Dingle teaches a process for “assessing the trustworthiness of a document.” See Dingle, col. 5, ll. 47-48, Figs. 5A, 5B. Dingle further describes that according to the process set forth in Figures 5A and 5B, “the website may be determined to be untrustworthy.” Dingle, col. 10, ll. 4-5. Although one of ordinary skill in the art may understand that two references could be combined as reasoned by the Examiner, this does not imply a motivation to combine the references. Personal Web Techs., LLC v. Apple, Inc., 848 F.3d 987 993-94 (Fed. Cir. 2017); see also Belden Inc. v. Berk-Tek LLC, 805 F.3d 1064, 1073 (Fed. Cir. 2015) (“[O]bviousness concerns whether a skilled artisan not only could have made but would have Appeal 2021-000057 Application 16/233,750 9 been motivated to make the combinations or modifications of prior art to arrive at the claimed invention.”); InTouch Techs., Inc. v. VGO Communications, Inc., 751 F.3d 1327, 1352 (Fed. Cir. 2014). Here, Appellant argues that the Examiner has not shown that the ordinarily skilled artisan would have been motivated to combine Mitchell and Dingle together as proffered by the Examiner. See Appeal Br. 16-18; Reply Br. 9-10. In response, the Examiner reiterates: the Examiner stated in the Final Office action dated (1/30/2020) that Dingle discloses analyze an electronic document distributed by the candidate Internet domain to determine whether the electronic document is fraudulent, determine whether the electronic document is fraudulent, and in response to analyzing the electronic document, when the electronic document is fraudulent, determine that the candidate Internet domain is fraudulent (Dingle: col. 9, lines 48-61, See Fig. 6C #675). Thus, Dingle discloses known fraudulent domains hosted on the same domain, than other documents appearing on the same domain are fraudulent. Therefore, it is determine the electronic document is fraudulent, than the candidate Internet domain is fraudulent (Dingle: col. 9, lines 54-61). Ans. 11. It is not clear how the Examiner’s statement is responsive to Appellant’s argument that one of ordinary skill in the art would have been motivated to combine Dingle’s teaching of analyzing an electronic document to determine whether it is fraudulent with Mitchell’s system of detecting an abuse entity. Constrained by the record before us, we do not sustain the Examiner’s rejection of independent claim 1. For similar reasons, we do not sustain the Examiner’s rejection of claims 2-20, each of which relies at least in part on the combined teachings of Mitchell and Dingle. Appeal 2021-000057 Application 16/233,750 10 CONCLUSION We reverse the Examiner’s decision rejecting claims 1-21 under 35 U.S.C. § 103. DECISION SUMMARY Claim(s) Rejected 35 U.S.C. § Reference(s)/Basis Affirmed Reversed 1-4, 9-14, 19-21 103 Mitchell, Dingle 1-4, 9- 14, 19-21 5, 6, 8, 15, 16, 18 103 Mitchell, Dingle, Abifaker 5, 6, 8, 15, 16, 18 7, 17 103 Mitchell, Dingle, Abifaker, Hu 7, 17 Overall Outcome 1-21 REVERSED