Ex Parte Bu et al
Patent Trial and Appeal Board
Jul 15, 2014
11647274 (P.T.A.B. Jul. 15, 2014)

UNITED STATES PATENT AND TRADEMARK OFFICE
_____________
BEFORE THE PATENT TRIAL AND APPEAL BOARD
____________
Ex parte TIAN BU, LI LI, and RAMACHANDRAN RAMJEE
____________
Appeal 2012-000922
Application 11/647,274
Technology Center 2400
____________

Before DENISE M. POTHIER, ERIC B. CHEN, and JEREMY J. CURCURI, Administrative Patent Judges.

POTHIER, Administrative Patent Judge.

DECISION ON APPEAL

STATEMENT OF THE CASE

Appellants appeal under 35 U.S.C. § 134(a) from the Examiner’s rejection of claims 1-16. We have jurisdiction under 35 U.S.C. § 6(b). We affirm-in-part.

Invention

Appellants’ invention relates to a method and system for making Internet-based networks less vulnerable. See Spec. ¶ 3. Claims 1 and 5 are reproduced below with emphasis:

1. A method for controlling access to nodes in a network comprising:
   generating an authorization request message (AUTHREQ) that includes a source access certificate (SAC) for authorizing one or more destination nodes to send data packets to a source node;
   forwarding the (AUTHREQ) with its SAC to one or more intermediate control nodes via a first pathway, the pathway comprising a signaling and control pathway; and
   receiving a valid authorization reply message (AUTHREP) that includes a destination access certificate (DAC) that includes consent and binding, identity-based signatures from one of the one or more destination nodes via a second pathway that is distinct from the first pathway, wherein the (AUTHREP) authorizes the source node to send data packets to the destination node associated with the (AUTHREP).

5. A method for controlling access to nodes in a network comprising:
   receiving an authorization request message (AUTHREQ) from a source node, the (AUTHREQ) including a source access certificate (SAC), via a signaling and control pathway;
   comparing the SAC to stored access and denial values associated with at least one destination node;
   forwarding the (AUTHREQ) to the at least one destination node as a high priority request via the signaling and control pathway when the comparison indicates the SAC matches an access value;
   forwarding the (AUTHREQ) to the at least one destination node as a low priority request via the signaling and control pathway when the comparison indicates the SAC does not match an access or denial value; and
   declining to forward the (AUTHREQ) to the at least one destination node when the comparison indicates the SAC matches a denial value.

The Examiner relies on the following as evidence of unpatentability:

Randle, US 2006/0053290 A1, Mar. 9, 2006
Xiaowei Yang et al., A DoS-limiting Network Architecture, 35 Procs. of ACM SIGCOMM 241-252 (2005) (“Yang”).

The Rejection

Claims 1-16 are rejected under 35 U.S.C. § 103(a) as unpatentable over Yang and Randle. Ans. 4-9.

CONTENTIONS

Regarding independent claim 1, Appellants argue that section 3.2 of Yang fails to teach receiving a valid authorization reply message (AUTHREP) having a destination access certification (DAC) that includes consent and binding, identity-based signatures. App. Br. 6. For the first time in the Reply Brief, Appellants further submit that the Specification has defined a consent signature and a binding signature to have particular meanings and that Yang’s “capabilities” are not consistent with the claimed DAC. Reply Br. 1-2.
Regarding independent claim 5, Appellants assert that Yang and its disclosed capability fail to teach comparing a source access certification (SAC) to stored access and denial values associated with at least one destination node. App. Br. 7; Reply Br. 2-3.

Regarding independent claim 7, Appellants incorporate the arguments presented for claim 1. App. Br. 8; Reply Br. 3.

ISSUES

Under § 103, has the Examiner erred by finding that Yang and Randle collectively would have taught or suggested:

(1) receiving a valid authorization reply message (AUTHREP) having a DAC that includes consent and binding, identity-based signatures as recited in claim 1 and similarly recited in claim 9;

(2) generating an authorization reply message (AUTHREP) having a DAC that includes consent and binding, identity-based signatures as recited in claim 7 and similarly recited in claim 15; and

(3) comparing the SAC to stored access and denial values associated with at least one destination node as recited in claim 5 and similarly recited in claim 13?

ANALYSIS

Claims 1-4 and 9-12

Based on the record before us, we find error in the Examiner’s rejection of independent claim 1 which calls for, in pertinent part, receiving a valid authorization reply message having a DAC that includes consent and binding, identity-based signatures. The Examiner finds that this limitation is mainly taught by Yang. Ans. 5 (citing Yang § 3.2), 9 (citing Yang §§ 2 ¶ 6, 3.1 ¶¶ 1-2, 3.4 ¶ 2). We review each of these passages.

The key disputed limitation of claim 1 involves “consent and binding, identity-based signatures.” Figure 2 of the disclosure shows binding part 201 that includes a signature 202 and consent part 203 that includes a separate signature 204. Spec. ¶ 47; Fig. 2. Thus, when construing this limitation in light of the disclosure, we find that the claim requires two separate signatures or both a consent, identity-based signature and a binding, identity-based signature.

Appellants further assert that both the consent signature and binding signature have been defined in the Specification. Reply Br. 1 (citing Spec. ¶¶ 24-25). We find no such definitions in these passages. See Spec. ¶¶ 24-25. Paragraphs 36 and 37, however, describe what the consent and binding signature include, describing similar features to those argued in the Reply Brief. See Spec. ¶¶ 36-37. Yet, we do not find these discussions define the recited signatures in a clear and deliberate manner or limit what they must contain.

Given that the disclosure does not define these terms, we construe the recited signatures under the broadest, reasonable construction. A signature is defined as “1. a sequence of data used for identification, such as text appended to an email message or a fax. 2. A unique number built into hardware or software for authentication purposes.”[1] As such, we find a broad, but reasonable construction for both the recited consent signature and the recited binding signature includes a data sequence or unique number used for identification or authentication.

[1] Microsoft® Computer Dictionary 480 (5th ed. 2002).

We next turn to the cited passages in Yang. Yang discusses a receiver placing a capability into each data packet to allow the network to verify the packet was authorized by the receiver. Yang § 2 ¶ 6. Yang further states that the capability is information that each router can use to determine whether the packet is wanted by the destination. Yang § 3.1 ¶ 1. Yang even further discusses and shows that capability includes a hash. See Yang §§ 3.4-3.5; Fig. 3. A hash is a data sequence or unique number used for identification or authentication (e.g., a “signature”). Moreover, because this signature is used to verify authorization, we find that this can be at least a “consent . . . identity-based signature” as broadly as recited.

However, all of these passages describe a capability that has a single hash or signature. Granted, other cited passages discuss a response with capabilities, suggesting the packet can contain multiple hashes or signatures. See Yang § 3.2 ¶ 1 (discussing returning capabilities that are piggybacked on a TCP SYN/ACK response); Fig. 1 (accompanying description discusses receiving a response with adding capabilities). However, on the record, the Examiner has not clearly taken this position or explained that Yang’s packet contains multiple capabilities or hashes. See Ans. 5, 9-10. Thus, even if Yang’s cryptography binds a capability to a specific network path and thus arguably teaches a “binding” signature (see Ans. 10 (citing Yang § 3.4 ¶ 2)), the rejection as presented inadequately explains what in Yang is being mapped to both the recited consent identity-based signature and the separate binding identity-based signature.

Finally, even assuming both capabilities are taught by Yang, the Examiner proposes to convert each capability into a certificate. See Ans. 5, 10-11 (citing Randle). Following this logic, both purportedly taught signatures would have been converted to certificates, yielding two certificates, each with a signature, instead of the recited DAC that includes a consent and binding, identity-based signatures. Given the record as proposed, we find that the Examiner has not established a prima facie case of obviousness that Yang and Randle collectively teach or suggest a valid authorization reply message having a DAC that includes both consent and binding identity-based signatures as recited.
For the foregoing reasons, Appellants have persuaded us of error in the rejection of (1) independent claim 1, (2) independent claim 9, which recites commensurate limitations, and (3) dependent claims 2-4 and 10-12 for similar reasons.

Claims 7, 8, 15, and 16

Independent claims 7 and 15 recite similar limitations to claims 1 and 9 or “generating an authorization reply message (AUTHREP) that includes a destination access certificate (DAC) that includes consent and binding, identity-based signatures.” Appellants incorporate the arguments made in connection with claims 1 and 9. App. Br. 8. For the above stated reasons, we find Appellants’ arguments persuasive and will not sustain the rejection of claims 7, 8, 15, and 16.

Claims 5, 6, 13, and 14

We reach the opposite conclusion for claims 5, 6, 13, and 14. Representative independent claim 5 differs in scope from independent claims 1, 7, 9, and 15 and recites “comparing the [source access certificate] SAC to stored access and denial values associated with at least one destination node.” Appellants contend that Yang fails to disclose or discuss comparing an SAC to stored values. App. Br. 7; Reply Br. 2-3. We disagree.

Specifically, the Examiner relies on various portions of Yang and Randle to teach this limitation. See Ans. 6 (citing Yang § 3.2 ¶¶ 1, 4, 5), 12-13 (citing Yang §§ 3.1 ¶ 2, 3.2 ¶¶ 3-4, 3.3 ¶ 3, 3.4 ¶¶ 2-4, 3.5 ¶¶ 1-2). For example, Yang discusses a router verifying capabilities. See Yang § 3.1 ¶ 2. Additionally, Yang discusses sending TCP SYN packets or requests with capabilities for the router to validate. See Yang § 3.2 ¶ 1. Yang further discusses the router tagging a packet with a hash to determine queuing priorities. See Yang § 3.2 ¶¶ 4-5. Yang also illustrates a “capability checking” for regular packets in this context. Yang § 3.1 ¶ 1, Fig. 2.

All these passages teach or suggest that the router examines the capability for verification or validation. We further find that an ordinarily skilled artisan would have known or recognized various techniques for verifying, validating, or checking a capability, including comparing the capability to stored values. As an example, the Examiner discusses section 3.3 in Yang. See Ans. 12. Specifically, Yang teaches a server that temporarily blacklists a sender’s request and expires its capability for misbehaving. See Yang § 3.3 ¶ 3. This scenario suggests to one skilled in the art using the capability to determine whether the user’s capability has expired.

Moreover, we find that there are only a finite number of identifiable and predictable ways to verify, validate, or check a capability as discussed in Yang and that one recognizable manner of checking whether the capability has expired would have been to compare the capability to different values to determine whether to provide access for the sender or not (e.g., access and denial values). We also find that a known technique of verifying or checking whether the capability has been expired would have included comparing the capability to access and denial values, when accounting for the inferences and creative steps that an ordinarily skilled artisan would have employed.

Additionally, Yang discusses that this checking is done “to determine whether the packet is wanted by the destination.” Yang § 3.1 ¶ 1. We thus find that the values checked are “associated with at least one destination node” as recited. As the Examiner also explains, Randle is relied upon to teach modifying the capability to a certificate. See Ans. 7, 13. Appellants do not dispute the specific findings concerning Randle or combining Randle’s teaching with Yang. App. Br. 7; Reply Br. 2-3.

Lastly, we are not persuaded that an access value has been defined to comprise both consent and binding signatures. Reply Br. 3 (citing Spec. ¶ 23). There is no clear and deliberate manner in the disclosure of defining this term, as Appellants contend. Id. Rather, the cited passage fails to discuss a consent or binding signature. See Spec. ¶ 23. As such, we conclude that the Examiner did not err in finding that Yang and Randle teach and suggest “comparing the SAC to stored access and denial values associated with at least one destination node” as recited in claim 5.

For the foregoing reasons, Appellants have not persuaded us of error in the rejection of independent claim 5 and claims 6, 13, and 14 not separately argued with particularity. App. Br. 7.

CONCLUSION

The Examiner did not err in rejecting claims 5, 6, 13, and 14 under § 103.

The Examiner erred in rejecting claims 1-4, 7-12, 15, and 16 under § 103.

DECISION

The Examiner’s decision rejecting claims 1-16 is affirmed-in-part.

No time period for taking any subsequent action in connection with this appeal may be extended under 37 C.F.R. § 1.136(a)(1)(iv).

AFFIRMED-IN-PART

tj

Notice of References Cited
Application/Control No. 11/647,274; Applicant(s): BU; Appeal No. 2012-000922

NON-PATENT DOCUMENTS
U. Webster’s Third New International Dictionary of the English Language Unabridged, G&C Merriam Co. (1971).