Ex Parte Doctor et alDownload PDFPatent Trial and Appeal BoardFeb 9, 201814039251 (P.T.A.B. Feb. 9, 2018) Copy Citation United States Patent and Trademark Office UNITED STATES DEPARTMENT OF COMMERCE United States Patent and Trademark Office Address: COMMISSIONER FOR PATENTS P.O.Box 1450 Alexandria, Virginia 22313-1450 www.uspto.gov APPLICATION NO. FILING DATE FIRST NAMED INVENTOR ATTORNEY DOCKET NO. CONFIRMATION NO. 14/039,251 09/27/2013 Brad Bernay Doctor 0436-US-Ul 3494 83579 7590 02/13/2018 LEVEL 3 COMMUNICATIONS, LLC Attn: Patent Docketing 1025 Eldorado Blvd. Broomfield, CO 80021 EXAMINER CERVETTI, DAVID GARCIA ART UNIT PAPER NUMBER 2436 NOTIFICATION DATE DELIVERY MODE 02/13/2018 ELECTRONIC Please find below and/or attached an Office communication concerning this application or proceeding. The time period for reply, if any, is set in the attached communication. Notice of the Office communication was sent electronically on above-indicated "Notification Date" to the following e-mail address(es): patent, docketing @ leve!3. com PTOL-90A (Rev. 04/07) UNITED STATES PATENT AND TRADEMARK OFFICE BEFORE THE PATENT TRIAL AND APPEAL BOARD Ex parte BRAD BERNAY DOCTOR, SKYLER JAMESON BINGHAM, KESHAVA BERG, JOHN SHERWOOD REYNOLDS II, and JUSTIN GEORGE MOHR Appeal 2016-005844 Application 14/039,2511 Technology Center 2400 Before NORMAN H. BEAMER, ADAM J. PYONIN, and MICHAEL J. ENGLE, Administrative Patent Judges. ENGLE, Administrative Patent Judge. DECISION ON APPEAL Appellants appeal under 35 U.S.C. § 134(a) from a final rejection of claims 1—18. A hearing was held on February 6, 2018. We have jurisdiction under 35 U.S.C. § 6(b). We AFFIRM-IN-PART. Technology The application relates to “identifying and mitigating malicious network threats.” Spec. Abstract. 1 According to Appellants, the real party in interest is Level 3 Communications, LLC. App. Br. 2. Appeal 2016-005844 Application 14/039,251 Illustrative Claim Claims 1 and 5 are illustrative and reproduced below with certain limitations at issue emphasized: 1. A system for identifying malicious threats on a network comprising: a computing device including a processor coupled to a system memory, the system memory storing instructions for execution on the processor, the instructions configured to cause the processor to: retrieve a network data associated with at least one of an IP address or a domain; analyze the network data and identify a malicious network threat; and perform a mitigating action to neutralize the malicious network threat. 5. The system of claim 1, wherein the instructions are further configured to cause the processor to push a notification including the mitigating action for the malicious network threat to a third party device. Rejections Claims 1, 5, 10, and 14 stand rejected under 35 U.S.C. § 102(b) as anticipated by Shukla (US 2008/0016339 Al; Jan. 17, 2008). Final Act. 2. Claims 2, 3, 11, and 12 stand rejected under 35 U.S.C. § 103(a) as obvious over the combination of Shukla and Bajpay et al. (US 2009/0238077 Al; Sept. 24, 2009). Final Act. 3. Claims 4 and 13 stand rejected under 35 U.S.C. § 103(a) as obvious over the combination of Shukla and Krishnamurthy et al. (US 7,916,664 B2; Mar. 29, 2011). Final Act. 4. 2 Appeal 2016-005844 Application 14/039,251 Claims 6—9 and 15—18 stand rejected under 35 U.S.C. § 103(a) as obvious over the combination of Shukla and Connary et al. (US 2004/0044912 Al; Mar. 4, 2004). Final Act. 4. ISSUES 1. Did the Examiner err in finding Shukla discloses “retrieve a network data associated with at least one of an IP address or a domain” and “analyze the network data,” as recited in claim 1 ? 2. Did the Examiner err in finding Shukla discloses “push a notification including the mitigating action for the malicious network threat to a third party device,” as recited in claim 5? 3. Did the Examiner err in finding Connary teaches or suggests “weight the network data according to a threat associated with the data,” as recited in claim 6? ANALYSIS Claims 1 and 10 Independent claims 1 and 10 recite “retrieving] a network data associated with at least one of an IP address or a domain” and “analyzing] the network data.” According to Appellants, “the Office interprets the term network data associated with at least one of an IP address or a domain ... to mean ‘website or IP address visited by the user.’” App. Br. 9. Appellants argue, however, that “the term ‘network data’ must be interpreted to mean more than merely an IP address.” App. Br. 8. In particular, Appellants contend the broadest reasonable interpretation of network data ... consistent with that term’s explicitly defined meaning and consistent with the entire usage limited to that explicitly defined 3 Appeal 2016-005844 Application 14/039,251 meaning is network data associated with at least one of an IP address or a domain such as “an edge router identifier, an interface identifier for the particular edge router (in the case of multiple network interfaces per router), a source port, a destination port, an origin Autonomous System (AS) number, an origin AS name, a destination AS number, and/or any other network data information. Such information may also include an estimation or approximation of the amount traffic transceived at that particular ingress interface of an edge router 120-130, as well as the rate of the traffic flowing through the edge router 120- 130,” etc. App. Br. 9 (quoting Spec. 115). We are not persuaded by Appellants’ argument. First, the Examiner did not rely exclusively on an IP address, and Appellants have not sufficiently addressed whether the Examiner erred in finding a “website” or “downloaded module/ActiveX control” are the claimed network data. Ans. 6 (citing Shukla 114). Second, the claim is written in the alternative and Appellants have not sufficiently addressed whether an IP address, website, or downloaded module are “associated with ... a domain.” Third, the listed items in paragraph 15 of the Specification are non-exhaustive examples of network data, not a definition. Fourth, the first item listed in Appellants’ proposed definition is “an edge router identifier,” and an IP address is an identifier for a router. See Spec. 115; see also Spec. 119 (discussing “to collect network data from border gateway protocol (BGP) tables” that “include, for example, routing tables” that “have connectivity information (e.g., IP addresses . . .)”) (emphasis added). Therefore, an IP address would be “a network data” under Appellants’ proposed definition. Accordingly, we sustain the Examiner’s rejection of claims 1 and 10. 4 Appeal 2016-005844 Application 14/039,251 Claims 5 and 14 Claims 5 and 14 recite “pushing] a notification including the mitigating action for the malicious network threat to a third party device.” We agree with Appellants that the Examiner has not explained sufficiently where within paragraphs 112—120 of Shukla this limitation is disclosed. App. Br. 13. Monitoring information to determine a risk score or threat level—without more—does not disclose pushing, let alone the specific information pushed in claims 5 and 14. Ans. 7. Although the Examiner also finds “Shukla loads sandbox rules from a remote network device,” the Examiner does not explain how this teaches pushing rather than pulling (i.e., the disclosed loading implies the rules are pulled), let alone pushing a notification including the mitigating action. Ans. 6 (citing Shukla 140). Accordingly, we reverse the Examiner’s rejection of claims 5 and 14. Claims 6 and 15 Claims 6 and 15 recite “weighing] the network data according to a threat associated with the data.” The Examiner finds Connary teaches to “generate threat level data 40 based on the event data 38.” Connary 1158; Ans. 7; see also Connary 11209-217. At the hearing, Appellants stated that they no longer separately appealed claims 6 and 15, and instead relied only on their dependence from claims 1 and 10. As discussed above, we sustain the Examiner’s rejection of claims 1 and 10. Accordingly, we sustain the Examiner’s rejection of claims 6 and 15. 5 Appeal 2016-005844 Application 14/039,251 Claims 2—4, 1—9, 11—13, and 16—18 Appellants contend claims 2—4, 7—9, 11—13, and 16—18 are “allowable for being dependent from an allowable base claim.” App. Br. 14. However, we affirm the rejection of the base claims and therefore also affirm the rejections of claims 2—4, 7—9, 11—13, and 16—18. DECISION For the reasons above, we affirm the Examiner’s decision rejecting claims 1—4, 6—13, and 15—18. We reverse the Examiner’s decision rejecting claims 5 and 14. No time period for taking any subsequent action in connection with this appeal may be extended under 37 C.F.R. § 1.136(a). See 37 C.F.R. § 41.50(f). AFFIRMED-IN-PART 6 Copy with citationCopy as parenthetical citation
