Boyer, Stephen Wayne. et al.
Patent Trials and Appeals Board
Mar 16, 2020
13240572 - (D) (P.T.A.B. Mar. 16, 2020)

UNITED STATES PATENT AND TRADEMARK OFFICE

UNITED STATES DEPARTMENT OF COMMERCE
United States Patent and Trademark Office
Address: COMMISSIONER FOR PATENTS, P.O. Box 1450, Alexandria, Virginia 22313-1450
www.uspto.gov

APPLICATION NO.: 13/240,572
FILING DATE: 09/22/2011
FIRST NAMED INVENTOR: Stephen Wayne Boyer
ATTORNEY DOCKET NO.: BST-004
CONFIRMATION NO.: 2423

51414 7590 03/16/2020
GOODWIN PROCTER LLP
PATENT ADMINISTRATOR
100 NORTHERN AVENUE
BOSTON, MA 02210

EXAMINER: KANAAN, SIMON P
ART UNIT: 2492
NOTIFICATION DATE: 03/16/2020
DELIVERY MODE: ELECTRONIC

Please find below and/or attached an Office communication concerning this application or proceeding.

The time period for reply, if any, is set in the attached communication.

Notice of the Office communication was sent electronically on above-indicated "Notification Date" to the following e-mail address(es):
JGoodwin@goodwinlaw.com
PSousa-Atwood@goodwinlaw.com
US-PatentBos@goodwinlaw.com

PTOL-90A (Rev. 04/07)

UNITED STATES PATENT AND TRADEMARK OFFICE

BEFORE THE PATENT TRIAL AND APPEAL BOARD

Ex parte STEPHEN WAYNE BOYER, NAGARJUNA VENNA, and MEGUMI ANDO

Appeal 2019-001684
Application 13/240,572
Technology Center 2400

BEFORE JAMES B. ARPIN, STACEY G. WHITE, and JON M. JURGOVAN, Administrative Patent Judges.

ARPIN, Administrative Patent Judge.

DECISION ON APPEAL

Appellant[1] appeals under 35 U.S.C. § 134(a), the Examiner’s final rejections of claims 1, 4, 5, 7–14, 16, 121, 124, 126–132, and 134–141. Final Act. 4.[2] Claims 2, 3, 6, 15, 17–120, 122, 123, 125, and 133 are canceled. Amdt., 3–8 (Nov. 9, 2016). We have jurisdiction under 35 U.S.C. § 6(b).

[1] “Appellant” here refers to “applicant” as defined in 37 C.F.R. § 1.42. Appellant identifies the real party-in-interest as BitSight Technologies Inc. Appeal Br. 2. According to the Specification, because Appellant’s work was supported by an award from the National Science Foundation, the U.S. Government has certain rights to the claimed invention. Spec., 1:4–5.

[2] In this Decision, we refer to Appellant’s Appeal Brief (“Appeal Br.,” filed December 21, 2017) and Reply Brief (“Reply Br.,” filed July 27, 2018); the Final Office Action (“Final Act.,” mailed February 13, 2017) and the Examiner’s Answer (“Ans.,” mailed May 16, 2018); and the originally-filed Specification (“Spec.,” filed September 22, 2011). Rather than repeat the Examiner’s findings and determinations and Appellant’s contentions in their entirety, we refer to these documents.

Because the claims lack adequate written description, we enter a new ground of rejection under 35 U.S.C. § 112, ¶ 1, and procedurally reverse the rejection under 35 U.S.C. § 103(a).

STATEMENT OF THE CASE

Appellant’s claimed methods are “for creating a composite security rating from security characterization data of a third party computer system.” Spec., 1:30–31.

As noted above, claims 1, 4, 5, 7–14, 16, 121, 124, 126–132, and 134–141 stand rejected. Claims 1, 136, and 141 are independent. Appeal Br. 15–16 (claim 1), 18–19 (claim 136), 20 (claim 141), (Claims App.). Claims 4, 5, 7–14, 16, 121, 124, and 137–140 depend directly or indirectly from claim 1. Id. at 16–20.

The Examiner relies on the same references and substantially similar arguments in rejecting claims 1, 136, and 141 (Final Act. 4–7, 14–16, 18–20), and Appellant does not contest the rejection of claims 4, 5, 7–14, 16, 121, 124, and 137–140 separately from claim 1 (Appeal Br. 11–13). Therefore, we focus our analysis on independent claim 1 and the disputed and overlapping limitations recited in independent claims 136 and 141. Claim 1, reproduced below with disputed limitations emphasized, is representative.

1. A method comprising:

collecting information about two or more organizations that have computer systems, network resources, and employees, the organizations posing risks through business relationships of the organizations with other parties, the information collected about the organizations being indicative of compromises, vulnerabilities or configurations of technology systems of the organizations and indicative of resiliencies of the organizations to recover from such compromises, vulnerabilities or configurations, the information indicative of durations of events associated with compromises or vulnerabilities or configurations,

at least some of the information about each of the organizations being collected automatically by computer using sensors on the Internet,

the information about each of the organizations being collected from two or more sources, one or more of the sources not being controlled by the organization,

the information from at least the one or more sources that are not controlled by the organization being collected without permission of the organization,

at least partly automatically gathering information about assets that each of the organizations owns, controls, uses, or is affiliated with, including IP addresses and IP network address ranges, computer services residing within address ranges, or domain names,

at least one of the sources for each of the organizations comprising a public source or a commercial source,

processing by computer the information from the two or more sources for each of the organizations to form a composite rating of the organization that is indicative of a degree of risk to the organization or to a party through a business relationship with the organization,

the composite rating comprising a calculated composite of metrics and data derived or collected from the sources, the processing comprising applying transformations to the data and metrics, and the processing comprising applying weights to the data and the metrics,

the metrics including a measure of the extent of, the frequency of, or duration of compromise of the technology systems of the organization, or of a configuration or vulnerability of the organization, and a measure of the resilience of the organization to recover from such vulnerability, the measure of the resilience being inversely proportional to one or more of the duration of detected malicious activity and the duration of the vulnerability, and

in connection with assessing a business risk to the organization or to a party through a business relationship with at least one of the organizations, delivering reports of the composite ratings of the organizations through a reporting facility to enable users of the reporting facility to monitor, assess, and mitigate the risks, based on the security vulnerabilities and resiliencies, in doing business with the organization and to compare the composite ratings of the organizations.

Id. at 15–16 (emphasis added).

REFERENCES AND REJECTION

The Examiner relies upon the following references in rejecting the claims:

| Name[3] | Number | Published | Filed |
| --- | --- | --- | --- |
| Newton | US 2004/0250122 A1 | Dec. 9, 2004 | May 9, 2003 |
| Shull | US 2006/0212925 A1 | Sept. 21, 2006 | Mar. 2, 2006 |

[3] All reference citations are to the first named inventor only.

Specifically, claims 1, 4, 5, 7–14, 16, 121, 124, 126–132, and 134–141 stand rejected as unpatentable under 35 U.S.C. § 103(a) over the combined teachings of Newton and Shull. Final Act. 4–20.

Appellant contests the obviousness rejection of independent claim 1 (Appeal Br. 4–7) and relies on the alleged deficiencies in that rejection to overcome the rejection of the independent claims 136 and 141 and of the dependent claims (id. at 7–20).
Because we determine that reversal of the rejection of independent claim 1 is dispositive, except for our ultimate decision, we do not discuss the merits of the rejections of claims 4, 5, 7–14, 16, 121, 124, 126–132, and 134–141 further herein.

We review the appealed rejection of independent claim 1 for error based upon the issues identified by Appellant, and in light of the arguments and evidence produced thereon. Ex parte Frye, 94 USPQ2d 1072, 1075 (BPAI 2010) (precedential). We address the rejection of claim 1 below.

ANALYSIS

1. Obviousness of Claim 1 Over Newton and Shull

As noted above, the Examiner rejects independent claim 1 as obvious over the combined teachings of Newton and Shull. Final Act. 3–7. In particular, the Examiner finds that Newton teaches or suggests all of the limitations of claim 1, except for

the composite rating comprising a calculated composite of metrics and data derived or collected from the sources, the processing comprising applying transformations to the data and metrics, and the processing comprising applying weights to the data and the metrics, the metrics including a measure of the extent of the frequency of, or the duration of compromise of the technology systems of the organization, or of a configuration or vulnerability of the organization, and a measure of the resilience of the organization to recover from such vulnerability, the measure of the resilience being inversely proportional to one or more of the duration of detected malicious activity and the duration of the vulnerability.

Id. at 7 (emphasis omitted); see Appeal Br. 15–16 (Claims App.).
However, the Examiner finds,

Shull [0058] and figure 8, item 812, teaches creating a score for an entity from multiple sources which is similar to a credit score which informs requester of the trust of the entity, this score is received by the requester where activities are accounted for both legitimate (i.e.[,] positive) and illegitimate (i.e.[,] negative) and [0069] and [0073], teaches giving an overall trust score between 1 and 5 i.e.[,] a normalized composite score where 1 is a reputable business and 5 is likely engaged in illicit activity.).

Final Act. 7 (emphasis added). The Examiner concludes that a person of ordinary skill in the art would have had reason “to modify the method of collecting security characteristics from multiple sources as taught by Newton by creating a score representative of the different collected data as taught by Shull because it would aid the requester in determining whether the entity is trusted or not.” Id.

Appellant notes that the Examiner fails to show where Shull teaches measuring “the resilience of the organization to recover from such vulnerability, the measure of the resilience being inversely proportional to one or more of the duration of detected malicious activity and the duration of the vulnerability.” Appeal Br. 8; see Reply Br. 5–7 (citing Shull ¶¶ 59, 68). Further, Appellant notes,

Newton provides a list of exemplary properties that it does consider - seventeen to be exact - and the claimed resiliency is unsurprisingly absent. [See Newton ¶¶ 12–29.] As such, Appellant[] fail[s] to see how either Newton or Shull address[es] the claimed resiliency as claimed and as such disagree[s] with the Examiner’s rejection.

Appeal Br. 8. We agree with Appellant.

Shull explains:

Merely by way of example, a scoring system from 1 to 5 may be implemented. A score of 1 may indicate the online entity has been verified and/or certified reliable by a provider of the trust evaluation system, such as through a certification process. A score of 2 may indicate that the entity is relatively likely to be reputable (that is, to be engaged only in legitimate activities), while a score of 3 may indicate that the identification and/or reputation of an entity is doubtful and/or cannot be authenticated, and scores of 4 or 5 indicate that the entity is known to be disreputable (e.g., engage in and/or facilitate illicit activity).

Shull ¶ 58 (emphasis added). Shull, however, does not link an entity’s reputation to a measure of its resilience.

The Examiner finds,

Newton, [0012] teaches that every network in the world would have a rating in the database and [0030] teaches establishing a reputation for a network, and a reputation/rating is indicative on how trust worthy a network is and the information gathered would be indicative on the resilience a network would likely be due to a compromise as a larger organization with more resources that has existed longer is more likely to be resilient than a smaller organization with less resources and age. Thus Newton [0012]-[0030] to show that all ORs of the limitation are actually disclosed and Shull [0059], [0068] as well teaches some of the alternative limitations.

Ans. 4 (emphasis added); see Final Act. 3. We are not persuaded that the Examiner’s findings regarding Newton’s teachings of reputational ratings databases together with Shull’s teachings of scores evidencing reputation teach or suggest measuring resilience, as recited in claim 1.
Finally, Appellant contends that, in combining the teachings of Newton and Shull to achieve the recitations of claim 1, “the Examiner appears to be relying on hindsight to connect the dots from the network properties considered by Newton and Applicant[’s] resiliency metric, however, impermissible hindsight must be avoided and the legal conclusion must be reached on the basis of the facts gleaned from the prior art.” Appeal Br. 9.

Any judgment on obviousness is in a sense necessarily a reconstruction based upon hindsight reasoning, but so long as it takes into account only knowledge which was within the level of ordinary skill [in the art] at the time the claimed invention was made and does not include knowledge gleaned only from applicant’s disclosure, such a reconstruction is proper.

In re McLaughlin, 443 F.2d 1392, 1395 (CCPA 1971). Nevertheless, in view of the lack of evidence supporting the Examiner’s finding that Newton’s and Shull’s teachings regarding reputation together teach or suggest “the measure of the resilience being inversely proportional to one or more of the duration of detected malicious activity and the duration of the vulnerability,” this finding appears to be based on nothing more than improper hindsight gleaned from Appellant’s claim. See Alza Corp. v. Mylan Labs., Inc., 464 F.3d 1286, 1290 (Fed. Cir. 2006) (“At its core, our anti-hindsight jurisprudence is a test that rests on the unremarkable premise that legal determinations of obviousness, as with such determinations generally, should be based on evidence rather than on mere speculation or conjecture.”).

Consequently, we are persuaded that the Examiner erred in rejecting claim 1 as obvious over Newton and Shull, and we do not sustain the obviousness rejection of claim 1.

2. The Remaining Claims

As noted above, Appellant challenges the rejection of independent claims 136 and 141 for the same reasons as claim 1. Appeal Br. 11–13.
Each of claims 4, 5, 7–14, 16, 121, 124, 126–132, 134, 135, and 137–140 depends directly from independent claim 1. Id. at 16–20 (Claims App.). Appellant does not challenge the rejection of the independent claims 136 and 141 or of the dependent claims separately from its challenge to the rejection of independent claim 1. Id. at 11–13; see Reply Br. 9. Because we are persuaded the Examiner erred with respect to the obviousness rejection of claim 1, we also are persuaded the Examiner erred with respect to the obviousness rejections of claims 4, 5, 7–14, 16, 121, 124, 126–132, and 134–141. For this reason, we do not sustain the rejection of those claims.

NEW GROUND OF REJECTION OF CLAIMS 26–49 UNDER 37 C.F.R. § 41.50(B)

We make the following new ground of rejection:

• Claims 1, 4, 5, 7–14, 16, 121, 124, 126–132, and 134–141 are rejected under 35 U.S.C. § 112, ¶ 1,[4] as lacking adequate written description.

[4] Final Act. 2; see MPEP § 2159.01.

35 U.S.C. § 112, ¶ 1, provides:

The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor . . . of carrying out his invention.

As our reviewing court has explained,

The ‘written description’ requirement implements the principle that a patent must describe the technology that is sought to be patented; the requirement serves both to satisfy the inventor’s obligation to disclose the technologic knowledge upon which the patent is based, and to demonstrate that the patentee was in possession of the invention that is claimed.

Capon v. Eshhar, 418 F.3d 1349, 1357 (Fed. Cir. 2005).

Claim 1 was amended to recite a method wherein:

the measure of the resilience being inversely proportional to one or more of the duration of detected malicious activity and the duration of the vulnerability.

Appeal Br. 16 (Claims App.) (emphases added); see Amdt. After Final, 2 (Sept. 9, 2016). Claims 136 and 141 were amended to recite corresponding limitations. Appeal Br. 19, 20 (Claims App.); see Amdt. After Final at 7, 8. In the Amendment, Appellant stated, “[s]upport for the amendments may be found at least at paragraphs [0077] and [0078] of the application as published.” Amdt. After Final at 9; see Appeal Br. 3 (citing Spec., 13:14–24 (Specification text corresponding to published paragraphs)).

The Specification discloses:

Organizational security risk may be measured along two vectors: vulnerability and resilience. An entity’s vulnerability is defined as its “physical, technical, organizational, and cultural states,” which can be exploited to create a security breach. An entity’s resilience is defined to be its ability to recover from a security breach. The system 10 uses the concepts of vulnerability and resilience by examining externally observable proxies for them. An example proxy for entity vulnerability is the number of entity-owned IP addresses, which are reported to be malicious. The higher the number of reports the more likely the entity was vulnerable and had been compromised. Resilience is inversely proportional to the duration of detected malicious activity. The shorter the duration of the malicious activity, the higher level of resilience the entity demonstrates as it can quickly identify and remove malicious infections.

Spec., 13:14–24 (emphases added). Thus, the Specification describes vulnerability and resilience as two separate vectors. Id. Further, the Specification describes resilience as inversely related to the duration of malicious activity. Id.
However, apart from amended claims 1, 136, and 141, we do not find where the Specification describes “the measure of the resilience being inversely proportional to . . . the duration of the vulnerability.” See Spec., 29 (Claim 88 recites, “the resilience is inversely proportional to a duration of the malicious behavior.”). Therefore, we reject independent claims 1, 136, and 141, and the claims dependent therefrom, under 35 U.S.C. § 112, ¶ 1, for lack of adequate written description.

DECISIONS

1. The Examiner erred in rejecting claims 1, 4, 5, 7–14, 16, 121, 124, 126–132, and 134–141 under 35 U.S.C. § 103(a) as obvious over the combined teachings of Newton and Shull.

2. We determine that claims 1, 4, 5, 7–14, 16, 121, 124, 126–132, and 134–141 are unpatentable under 35 U.S.C. § 112, ¶ 1, as lacking adequate written description.

3. Thus, on this record, claims 1, 4, 5, 7–14, 16, 121, 124, 126–132, and 134–141 are unpatentable.

CONCLUSION

For the above reasons, we reverse the Examiner’s decision rejecting claims 1, 4, 5, 7–14, 16, 121, 124, 126–132, and 134–141 as obvious over the combined teachings of Newton and Shull, but we determine claims 1, 4, 5, 7–14, 16, 121, 124, 126–132, and 134–141 are unpatentable as lacking adequate written description.

In summary:

| Claims Rejected | 35 U.S.C. § | References/Basis | Affirmed | Reversed | New Ground |
| --- | --- | --- | --- | --- | --- |
| 1, 4, 5, 7–14, 16, 121, 124, 126–132, 134–141 | 103(a) | Newton, Shull | | 1, 4, 5, 7–14, 16, 121, 124, 126–132, 134–141 | |
| 1, 4, 5, 7–14, 16, 121, 124, 126–132, 134–141 | 112, ¶ 1 | Written Description | | | 1, 4, 5, 7–14, 16, 121, 124, 126–132, 134–141 |
| Overall Outcome | | | | 1, 4, 5, 7–14, 16, 121, 124, 126–132, 134–141 | 1, 4, 5, 7–14, 16, 121, 124, 126–132, 134–141 |

This decision contains a new ground of rejection pursuant to 37 C.F.R. § 41.50(b). 37 C.F.R. § 41.50(b) provides “[a] new ground of rejection pursuant to this paragraph shall not be considered final for judicial review.”

37 C.F.R. § 41.50(b) also provides that Appellant, WITHIN TWO MONTHS FROM THE DATE OF THE DECISION, must exercise one of the following two options with respect to the new ground of rejection to avoid termination of the appeal as to the rejected claims:

(1) Reopen prosecution. Submit an appropriate amendment of the claims so rejected or new Evidence relating to the claims so rejected, or both, and have the matter reconsidered by the examiner, in which event the prosecution will be remanded to the examiner. . . .

(2) Request rehearing. Request that the proceeding be reheard under § 41.52 by the Board upon the same Record. . . .

Further guidance on responding to a new ground of rejection can be found in the Manual of Patent Examining Procedure § 1214.01.

No time for taking any action connected with this appeal may be extended under 37 C.F.R. § 1.136(a)(1).

REVERSED; 37 C.F.R. § 41.50(b)