Ex Parte CHIU et al., Patent Trial and Appeal Board, Application 14/873,627 (P.T.A.B. Feb. 15, 2019)

UNITED STATES PATENT AND TRADEMARK OFFICE
United States Department of Commerce, Commissioner for Patents, P.O. Box 1450, Alexandria, Virginia 22313-1450, www.uspto.gov

Application No.: 14/873,627
Filing date: 10/02/2015
Correspondence address: OKAMOTO & BENEDICTO, LLP, P.O. BOX 641330, SAN JOSE, CA 95164
First named inventor: Li-Hsiang CHIU
Attorney docket no.: 10033.025100
Confirmation no.: 7196
Examiner: TRAN, TONGOC
Art unit: 2434
Mail date: 02/19/2019
Delivery mode: PAPER

Please find below and/or attached an Office communication concerning this application or proceeding. The time period for reply, if any, is set in the attached communication. PTOL-90A (Rev. 04/07)

UNITED STATES PATENT AND TRADEMARK OFFICE
BEFORE THE PATENT TRIAL AND APPEAL BOARD

Ex parte LI-HSIANG CHIU, WEI-CHING CHANG, and SHIH-HAO WENG

Appeal 2018-006873
Application 14/873,627 [1]
Technology Center 2400

Before KALYAN K. DESHPANDE, CATHERINE SHIANG, and JOHN P. PINKERTON, Administrative Patent Judges.

SHIANG, Administrative Patent Judge.

DECISION ON APPEAL

Appellants appeal under 35 U.S.C. § 134(a) from the Examiner's rejection of claims 1-17, which are all the claims pending in the application. We have jurisdiction under 35 U.S.C. § 6(b). We reverse.

[1] Appellants identify Trend Micro, Incorporated as the real party in interest. App. Br. 1.

STATEMENT OF THE CASE

Introduction

The present invention "relates generally to computer security, and more particularly but not exclusively to methods and apparatus for detecting advanced persistent threats." Spec. 1:7-9.
In one embodiment, a system for detecting an advanced persistent threat (APT) attack on a private computer network includes host computers that receive network traffic and process the network traffic to identify an access event that indicates access to a critical asset of an organization that owns or maintains the private computer network. The critical asset may be a computer that stores confidential data of the organization. Access events may be stored in an event log as event data. Access events indicated in the event log may be correlated using a set of alert rules to identify an APT attack. Spec. 2:2-9.

Claim 1 is exemplary:

1. A system for detecting an advanced persistent threat (APT) attack on a private computer network of an organization, the system comprising:

a plurality of hosts computers, the plurality of hosts computers receives network traffic over the private computer network, parses the network traffic to generate event data that indicate access to particular computers on the private computer network that store confidential data of the organization, and transmits the event data over the private computer network; and

an APT detection server comprising one or more computers that receive the event data from the plurality of hosts computers, store the event data in an event log, and correlate data in the event log using a set of alert rules to detect an APT attack by identifying an anomalous access to one or more of the particular computers.

References and Rejections [2]

Claims 1-5, 7-13, and 15-17 stand rejected under 35 U.S.C. § 103 as being unpatentable over the teachings of Korsunsky et al. (US 2011/0238855 A1, published Sept. 29, 2011) ("Korsunsky"). Final Act. 6-9.

Claims 6 and 14 stand rejected under 35 U.S.C. § 103 as being unpatentable over the collective teachings of Korsunsky and Moritz et al. (US 9,185,095 B1, issued Nov. 10, 2015) ("Moritz"). Final Act. 9.
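The two halves of claim 1 (host sensors that parse traffic into access events, and a central server that logs those events and correlates them with alert rules to flag anomalous access to computers holding confidential data) map onto a small detection pipeline. The following Python is an added illustration of that architecture and is not code from Trend Micro, the application, or either cited reference. The asset addresses, flow records, baseline cutoff, business hours and the three alert rules are all constructed for the example; the claim itself does not specify which rules an implementation must use.

```python
"""Constructed illustration of the claim-1 pipeline: host sensors turn raw flow
records into access events; a central server stores them in an event log and
applies alert rules to flag anomalous access to critical assets."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed (hypothetical): computers that store the organization's confidential data.
CRITICAL_ASSETS = {"10.0.5.10": "hr-db", "10.0.5.11": "finance-share"}

# Constructed flow records as a host sensor might observe them:
# (timestamp, source address, destination address, destination port).
SAMPLE_FLOWS = [
    ("2019-02-15T09:05:00", "10.0.1.21", "10.0.5.10", 1433),
    ("2019-02-15T09:20:00", "10.0.1.21", "10.0.5.10", 1433),
    ("2019-02-15T10:00:00", "10.0.1.22", "10.0.5.11", 445),
    ("2019-02-15T13:30:00", "10.0.1.21", "10.0.9.50", 80),    # not a critical asset
    ("2019-02-16T02:10:00", "10.0.1.77", "10.0.5.10", 1433),  # unknown source, off-hours
    ("2019-02-16T02:12:00", "10.0.1.77", "10.0.5.11", 445),   # same source, second asset
]


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    src: str
    asset: str
    dport: int


def parse_flows(flows):
    """Host side: parse traffic records and emit event data only for flows that
    reach a computer holding confidential data."""
    return [
        AccessEvent(datetime.fromisoformat(ts), src, CRITICAL_ASSETS[dst], dport)
        for ts, src, dst, dport in flows
        if dst in CRITICAL_ASSETS
    ]


class APTDetectionServer:
    """Server side: keep an event log and correlate it with a set of alert rules."""

    def __init__(self, baseline_until, business_hours=(8, 18),
                 burst_window=timedelta(minutes=5)):
        self.event_log = []                  # event data received from hosts
        self.baseline_until = baseline_until  # events before this only establish a baseline
        self.business_hours = business_hours
        self.burst_window = burst_window

    def ingest(self, events):
        self.event_log.extend(events)

    # Alert rules (assumed for the example). Each returns True when the event is
    # anomalous given the earlier events in the log.
    def rule_new_source(self, ev, prior):
        """Source never accessed this asset during the baseline period."""
        return not any(p.src == ev.src and p.asset == ev.asset
                       for p in prior if p.ts < self.baseline_until)

    def rule_off_hours(self, ev, prior):
        start, end = self.business_hours
        return not (start <= ev.ts.hour < end)

    def rule_multi_asset_burst(self, ev, prior):
        """Same source touched a different critical asset within burst_window."""
        recent = {p.asset for p in prior
                  if p.src == ev.src and ev.ts - p.ts <= self.burst_window}
        return bool(recent - {ev.asset})

    def correlate(self):
        """Apply every rule to each post-baseline event; return (rule, event) alerts."""
        rules = {
            "new_source": self.rule_new_source,
            "off_hours": self.rule_off_hours,
            "multi_asset_burst": self.rule_multi_asset_burst,
        }
        log = sorted(self.event_log, key=lambda e: e.ts)
        alerts = []
        for i, ev in enumerate(log):
            if ev.ts < self.baseline_until:
                continue  # baseline events train the rules but are not scored
            for name, rule in rules.items():
                if rule(ev, log[:i]):
                    alerts.append((name, ev))
        return alerts


def run_demo():
    server = APTDetectionServer(baseline_until=datetime(2019, 2, 16))
    server.ingest(parse_flows(SAMPLE_FLOWS))
    return server.correlate()


if __name__ == "__main__":
    for name, ev in run_demo():
        print(f"{ev.ts.isoformat()} {name:18s} {ev.src} -> {ev.asset}:{ev.dport}")
```

Only the two 2019-02-16 events from 10.0.1.77 are scored as anomalous: each fires the new-source and off-hours rules, and the second additionally fires the multi-asset burst rule because the same source reached a second critical asset within five minutes. The baseline cutoff is the practical caveat: without a learning period, every first access would trip the new-source rule, so a real deployment needs either a baseline window or an allow-list of expected (source, asset) pairs.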
ANALYSIS [3]

We have reviewed the Examiner's rejection in light of Appellants' contentions and the evidence of record. We concur with Appellants' contention that the Examiner erred in finding the cited portions of Korsunsky teach "an APT detection server comprising one or more computers that receive the event data from the plurality of hosts computers, store the event data in an event log, and correlate data in the event log using a set of alert rules to detect an APT attack by identifying an anomalous access to one or more of the particular computers," as recited in independent claim 1 (italics added). See App. Br. 5-6; Reply Br. 3.

In the Final Action, the Examiner cites Korsunsky's paragraphs 118, 128, and 132 for teaching the above claim limitation, but does not provide any analysis articulating how those cited paragraphs teach or suggest the claimed subject matter. See Final Act. 7. In the Examiner's Answer, the Examiner responds to Appellants' arguments by citing numerous paragraphs and three figures of Korsunsky for all of the limitations of claim 1, but does not specify which portions of Korsunsky teach or suggest the italicized limitation. See Ans. 8-13. That is, the Examiner does not adequately explain why the cited Korsunsky excerpts teach or suggest the italicized limitation in the Final Action or the Examiner's Answer. Furthermore, we do not find the cited Korsunsky excerpts describe the italicized limitation of claim 1.

[2] Throughout this opinion, we refer to the (1) Final Rejection dated October 26, 2017 ("Final Act."); (2) Appeal Brief dated March 14, 2018 ("App. Br."); (3) Examiner's Answer dated June 15, 2018 ("Ans."); and (4) Reply Brief dated June 26, 2018 ("Reply Br.").

[3] Appellants raise additional arguments. Because the identified issue is dispositive of the appeal, we do not address the additional arguments.
In particular, although the cited Korsunsky excerpts generally discuss logs and alerts, they do not disclose sufficient details to teach or suggest the italicized limitation. Absent further explanation from the Examiner, we do not agree with the Examiner that the cited Korsunsky excerpts teach the italicized limitation. Accordingly, we are constrained by the record to reverse the Examiner's rejection of claim 1.

Independent claim 10 recites a claim limitation that is substantively similar to the italicized limitation of claim 1. The Examiner applies the same findings and conclusions to both claims 1 and 10. See Final Act. 7-8; Ans. 3-5, 7-13. Therefore, for similar reasons, we reverse the Examiner's rejection of independent claim 10.

We also reverse the Examiner's rejection of corresponding dependent claims 2-9 and 11-17. Although the Examiner cites an additional reference for rejecting some dependent claims (claims 6 and 14), the Examiner has not shown the additional reference overcomes the deficiency discussed above in the rejection of claim 1.

DECISION

We reverse the Examiner's decision rejecting claims 1-17.

REVERSED