Ex Parte Fosdick
Patent Trial and Appeal Board, Jul. 11, 2018
11106286 (P.T.A.B. Jul. 11, 2018)

UNITED STATES PATENT AND TRADEMARK OFFICE

APPLICATION NO.: 11/106,286
FILING DATE: 04/14/2005
FIRST NAMED INVENTOR: Nicolas E. Fosdick
ATTORNEY DOCKET NO.: END920040l91US1
CONFIRMATION NO.: 3941
EXAMINER: PAN, PEILIANG
ART UNIT: 2492
NOTIFICATION DATE: 07/13/2018
DELIVERY MODE: ELECTRONIC

SCHMEISER, OLSEN & WATTS, 22 CENTURY HILL DRIVE, SUITE 302, LATHAM, NY 12110

UNITED STATES PATENT AND TRADEMARK OFFICE
BEFORE THE PATENT TRIAL AND APPEAL BOARD

Ex parte NICOLAS E. FOSDICK [1]

Appeal 2016-008762
Application 11/106,286
Technology Center 2400

Before ROBERT E. NAPPI, DEBRA K. STEPHENS, and HUNG H. BUI, Administrative Patent Judges.

NAPPI, Administrative Patent Judge.

DECISION ON APPEAL

This is a decision on appeal under 35 U.S.C. § 134(a) from the Examiner's Final Rejection of claims 31 through 35, 37 through 41, 43 through 47, and 49 through 53. App. Br. 4. We have jurisdiction under 35 U.S.C. § 6(b).

We AFFIRM-IN-PART.

[1] According to Appellant, the real party in interest is International Business Machines Corporation. App. Br. 1.

INVENTION

Appellant's disclosed and claimed invention is directed to a method for detecting a denial of service attack on a plurality of computers. Abstract. Claim 31 is representative of the invention and reproduced below.

31.
A method for detecting a denial of service attack on a plurality of destination computers, the method comprising the steps of:

    a management server obtaining from the destination computers records of respective requests previously received by the destination computers from a plurality of source computers, wherein each request is a message, wherein each request comprises a source IP address of one of the source computers and a destination address of one of the destination computers, wherein the obtaining the records comprises: periodically requesting from the destination computers logged recordings of the requests received by the destination computers from the source computers, and in response, receiving the requested logged recordings from the destination computers, and wherein the obtained records comprise the received logged recordings; and

    the management server determining, from an analysis of the obtained records, that the total number of requests sent over a specified period of time by one source computer of the plurality of source computers to the destination computers exceeds a specified threshold, and in response, the management server configuring a firewall to block subsequent requests sent by the one source computer from being received by the destination computers.

REJECTIONS AT ISSUE [2]

[2] Throughout this Decision we refer to the Appeal Brief filed August 3, 2015, the Reply Brief filed September 26, 2016, the Final Office Action mailed March 5, 2015, and the Examiner's Answer mailed July 27, 2016.

(1) The Examiner has rejected claims 31 through 33, 35, 37 through 39, 41, 43, 44, 45, 47, and 49 and 50 under 35 U.S.C. § 103(a) for being unpatentable over Anderson (US 2003/0002436 A1; publ. Jan. 2, 2003), Njemanze (US 8,230,507 B1; iss. July 24, 2012) and Fan (US 6,219,706 B1; iss. Apr. 17, 2001). Answer 3-7.

(2) The Examiner has rejected claims 34, 40, 46, and 51 through 53 under 35 U.S.C.
§ 103(a) for being unpatentable over Anderson, Njemanze, Fan and Mikurak (US 2004/0064351 A1). Answer 3-7.

ISSUES

With respect to the Examiner's rejection of independent claims 31, 37, and 43, Appellant's arguments on pages 7 through 14 of the Appeal Brief present us with the following issues:

a) Did the Examiner err in finding that Anderson, Njemanze, and Fan teaches a management server receives from destination computers records of requests previously received as recited in representative claim 31?

b) Did the Examiner err in finding that the skilled artisan would combine teachings of Anderson and Njemanze?

c) Did the Examiner err in finding that Anderson, Njemanze, and Fan teaches a management server obtaining records by periodically requesting from the destination computers logged recordings of requests as recited in representative claim 31?

d) Did the Examiner err in finding that Anderson, Njemanze, and Fan teaches each request is a message and that the management server determines that a total number of requests sent over a specified period by a source computer exceeds a threshold as recited in representative claim 31?

e) Did the Examiner err in finding that Anderson, Njemanze, and Fan teaches a management server configuring a firewall to block subsequent requests as recited in representative claim 31?

With respect to the Examiner's rejections of claims 32 through 35, 38 through 41, 44 through 47, and 49 through 53, Appellant's arguments present us with additional issues, which we address in the analysis section.

ANALYSIS

We have reviewed Appellant's arguments in the Briefs, the Examiner's rejections, and the Examiner's response to Appellant's arguments. Appellant's arguments have persuaded us of error in the Examiner's determination that claims 49, 50 and 51 are unpatentable.
However, Appellant's arguments have not persuaded us of error in the Examiner's determination that claims 31 through 35, 37 through 41, 43 through 47, 52, and 53 are unpatentable.

Arguments directed to independent claims 31, 37, and 43

First issue

Appellant's arguments directed to the first issue are directed to the teachings of Njemanze, asserting that Njemanze discusses agent (item 12), which collects information from any sources that produce event logs or messages, can operate at the native device, but does not identify that native device is a destination computer. Answer 8, Reply Br. 2-3.

The Examiner provides a detailed response to Appellant's arguments on pages 8 through 9 of the Answer. In particular, the Examiner finds Njemanze teaches that the event logs can come from many different devices including web servers, mail servers, and database servers, which are destination computers. Answer 9 (citing col. 4, ll. 50-59, col. 6, ll. 23-30). We concur with the Examiner's findings. Appellant's attention is directed to the column 4 lines 50-59, discussion of the agent collecting data, and not the column 6 teachings of e-mail, web, or database server providing logs, which was cited by the Examiner. Accordingly, Appellant's arguments directed to the first issue have not persuaded us of Examiner error in rejecting representative claim 31.

Second issue

Appellant's arguments directed to the second issue assert the Examiner's rationale for modifying Anderson is inefficient and wasteful. App. Br. 9, Reply Br. 4-5.

The Examiner provides a detailed response to Appellant's arguments directed to the second issue. Answer 9-10. We concur with the Examiner. We also note that using additional sources for traffic data such as taught by Njemanze in addition to (or in lieu of) the sensors of Anderson is merely substitution of known methods to perform their known functions.
"The combination of familiar elements according to known methods is likely to be obvious when it does no more than yield predictable results." KSR Int'l Co. v. Teleflex Inc., 550 U.S. 398, 416 (2007). Thus, Appellant's arguments directed to the second issue have not persuaded us of Examiner error in rejecting representative claim 31.

Third issue

Appellant's arguments directed to the third issue are focused on the teachings of Anderson. App. Br. 10-11. Appellant argues that Anderson teaches director item 102 (which is equated to the claimed management server) periodically or on demand receives data, but does not teach periodically requesting data as claimed. App. Br. 10-11 (citing Anderson para. 24).

The Examiner responds to Appellant's arguments stating:

    Anderson disclose[s] that the system is able to request from the destination computers logged recordings, and that the system is able to periodically perform a task, e.g., make a request. Thus, it would have been obvious to modify requesting to periodically requesting from the destination computers logged recordings.

Answer 12 (citing Anderson par. 24).

We concur with the Examiner. While, as Appellant argues, paragraph 24 of Anderson says the director receives the information periodically or demands the information, the Examiner concludes that periodically demanding the data is obvious. We concur, and note that Anderson also teaches the process of obtaining data and analyzing data is performed periodically (see para. 29), which when coupled with the teaching that the data is demanded, further supports the Examiner's finding that periodically requesting data is obvious. Thus, Appellant's arguments directed to the third issue have not persuaded us of Examiner error in rejecting representative claim 31.

Fourth issue

Appellant's arguments directed to the fourth issue focus on the teachings of Anderson. App. Br. 11-12.
Specifically, Appellant argues that Anderson discloses a number of packets being sent to a node exceeding a threshold and not a number of messages as claimed. App. Br. 12.

The Examiner responds that the combination of Anderson and Njemanze teaches the limitation. Specifically the Examiner relies upon Anderson to teach the comparison of data to a threshold and Njemanze to teach the data in the logs includes messages. Answer 13.

We are not persuaded of error by Appellant's arguments. While we concur with Appellant that the number of packets exceeding a threshold is different from request messages exceeding a threshold, the concepts are not completely unrelated; there is a correlation between the two (Appellant admits messages are made up of packets of data (App. Br. 2)). Further, the Examiner has relied upon the combination of the references to teach this limitation, not just Anderson as argued by Appellant. Thus, Appellant does not address the Examiner's finding that the combination teaches this limitation. Additionally, we note that Njemanze teaches that the data logs include different types of data including messages/requests (see Table 1, and col. 7, ll. 1-20 (e.g., actions and types of service requested)). Further, Njemanze teaches that rules can be used to determine action, and provides an example, which involves comparison of a number of evasion attacks (which can be by messages received) from the same IP address over a period of time to a threshold to determine action. See, e.g., Njemanze col. 11, ll. 8-11. Thus, Appellant's arguments directed to the fourth issue have not persuaded us of Examiner error in rejecting representative claim 31.

Fifth issue

Appellant's arguments directed to the fifth issue focus on the teachings of Anderson and Fan. App. Br. 13-14.
Specifically, Appellant argues that "the Examiner has not explained why a firewall having access control lists provides motivation for Anderson to have director 102 (the management server) management server configure a firewall to block subsequent requests sent by the one source computer from being received by the destination computers." App. Br. 14.

The Examiner finds that Anderson teaches that a director determines whether a network link is being misused and imposes selective regulations to control the network including regulating traffic. Answer 14-15 (citing Anderson para. 26, and Wetherall (US 6,801,503 B1; iss. Oct. 5, 2004) (incorporated into Anderson)). Further, the Examiner finds that Fan teaches using an access control list to block some traffic on the network. Answer 15 (citing Fan col. 8, ll. 49-59). Thus, the Examiner concludes the references suggest using a firewall configured by a management server (Anderson's director) to block requests sent by a source computer as claimed.

We have reviewed the teaching cited by the Examiner, and consider the Examiner to have provided a sufficient rationale to combine the references. The combination is merely using known elements to perform their known functions. Accordingly, Appellant's arguments directed to the fifth issue have not persuaded us of error in the Examiner's rejection of representative claim 31.

As Appellant's arguments directed at these five issues with respect to the rejection of claim 31 have not persuaded us of error, we sustain the Examiner's rejection of claim 31 and claims 37 and 43, grouped with claim 31.

Arguments directed to dependent claims 32 through 35, 38 through 41, 44 through 47, and 49 through 53

Claims 32, 38, and 44

With respect to these claims, Appellant argues that the combination of Anderson, Njemanze, and Fan do not teach grouping obtained records by source IP address into groups as recited in representative claim 32.
Appellant acknowledges that Anderson discloses receiving a number of packets from the same source IP address may be suspicious, but argues such a disclosure is not a teaching of grouping records by source IP address. App. Br. 15 (citing Anderson para 35). Further, Appellant argues that Njemanze teaches organizing data and grouping data based upon level of threat, but not grouping as claimed. App. Br. 15 (citing Njemanze col. 11, ll. 36-38), Reply Br. 11-12.

The Examiner provides a comprehensive response to Appellant's arguments on pages 15 and 16 of the Answer. The Examiner finds that Anderson teaches analysis based upon aggregated data and that the data can include the number of packets being sent from the same IP address. Further, the Examiner also finds that Njemanze teaches aggregating data based upon key fields, e.g., source IP addresses. Answer 16 (citing Njemanze col. 11, ll. 36-38 and col. 16, ll. 27-28). Based upon these findings, the Examiner concludes the disputed limitation of representative claim 32 is obvious.

We have reviewed the cited references and concur with the Examiner's findings and conclusions. We additionally note that Njemanze also teaches batching the data, which is grouping the data. See, e.g., col. 9, ll. 12-14. While the references may not explicitly identify that the data is grouped by level of threat (e.g., by source IP address), we determine an ordinarily skilled artisan would have found the references teach data concerning communications from the same IP addresses is maintained and aggregated, which suggests the claimed grouping of the data. Accordingly, Appellant has not persuaded us of Examiner error in rejecting claim 32 and we sustain the rejection of claims 32, 38, and 44.
Claims 33, 39, and 45

With respect to these claims, Appellant argues that the combination of Anderson, Njemanze and Fan do not teach notifying an administrator that a source computer may be the source of a denial of service attack in response to the determining that a number of requests from one source exceeds a threshold as recited in representative claim 33. App. Br. 16-18. Reply Br. 13. Further, Appellant argues that the Examiner has not provided a rationale to modify Anderson to include a notification, as in Njemanze. App. Br. 18.

The Examiner finds that Anderson teaches determining a denial of service attack based upon a threshold as claimed, but does not teach notifying an administrator of the attack. Answer 17 (citing Anderson paras. 2, 35). Further, the Examiner cites Njemanze as teaching notifying appropriate personnel of an attack. Answer 17 (citing Njemanze col. 2, ll. 15-17). The Examiner relies upon the same rationale to combine the teachings as applied to the independent claims and also identifies that including the notification to the administrator to provide an enhancement to the system of Anderson. Final Action 3, Adv. Act. 3 (mailed May 21, 2015).

We concur with the Examiner, noting that Njemanze teaches notifying a security supervisor (administrator) if a number of communications from a same source IP address exceeds a threshold. See col. 11, ll. 9-11. Further, as the Examiner has shown that notifying an administrator is a known feature of systems that sense and mitigate network attacks, modifying Anderson to include this feature is merely using known techniques to perform their known functions. Thus, we concur with the Examiner that the skilled artisan would combine this feature with Anderson.
Further, we note that Appellant, for the first time in the Reply Brief, argues that the Examiner has not shown that the combination of the references teach providing the records to the administrator; Appellant's arguments in the Appeal Brief focus on the notifying the administrator. We have not considered this argument, as it is waived. Appellant has not shown good cause as to why these arguments could not have been presented earlier. As such, these arguments have not been considered, and are waived. 37 C.F.R. § 41.41(b)(2).

Accordingly, Appellant's arguments directed to claim 33 have not persuaded us of Examiner error in rejecting claims 33, 39, and 45 and we sustain the Examiner's rejection of these claims.

Claims 35, 41, and 47

With respect to these claims, Appellant argues that the combination of Anderson, Njemanze, and Fan do not teach determining that a number of access requests exceeds a threshold as recited in representative claim 35. App. Br. 19-20. Reply Br. 15-16.

The Examiner finds that both Anderson and Njemanze teach monitoring access requests for applications on the monitored servers. Answer 19. We have reviewed the teachings of Anderson and Njemanze cited by the Examiner in response to Appellant's arguments and the teachings discussed above. We concur with the Examiner's findings concerning claim 35. Accordingly, we are not persuaded of Examiner error and sustain the Examiner's rejection of claims 35, 41, and 47.

Claims 49 and 50

With respect to claim 49, Appellant argues that the combination of Anderson, Njemanze, and Fan do not teach determining that a number of requests for a specific file exceeds a threshold as recited in claim 49. App. Br. 21-22. Specifically, the Appellant argues that Anderson and Njemanze are silent about a request to a specific file. App. Br. 21.
Further, Appellant argues that Fan's disclosure of analyzing FTP packets does not teach comparing the number of requests to a single file to a threshold as claimed. App. Br. 22.

The Examiner finds that Fan teaches determining whether a packet is a FTP packet and when combined with the teachings of Anderson and Njemanze the claimed feature is obvious. Answer 19-20 (citing col. 3, l. 30 of Fan).

Appellant's arguments have persuaded us of Examiner error. Claim 49 recites comparing the number of requests to a single file with a threshold. While, as discussed above, the references teach comparing the number of requests from a source computer to a threshold, the Examiner has not cited sufficient evidence to show the combined references teach comparing the number of requests from one source for a specific file to a threshold. The cited teaching in Fan of monitoring a FTP request is not sufficient to show this limitation as the FTP request is not shown to be for a (singular) specific file. Accordingly, we do not sustain the Examiner's rejection of claim 49 or of claim 50, which depends upon claim 49.

Claims 34, 40, and 46

With respect to these claims, Appellant argues that the combination of Anderson, Njemanze, Fan, and Mikurak do not teach that the request is a SCP request which includes the identity of the file or the request is a LDAP request, which includes a request for a specific type of information as recited in representative claim 34. App. Br. 25-26, Reply Br. 21-23. Appellant argues that the teachings in Mikurak are silent about the data in the record of the requests including either the identity of the file or the specific type of information. App. Br. 26.

In response, the Examiner cites to Fan as teaching an FTP request will include information such as file name associated with a packet and that Mikurak teaches use of SCP or LDAP protocols. Answer 21 (citing Fan col. 3, l. 11, and Mikurak paras. 383, 1796).
We are not persuaded of error in the Examiner's rejection. Initially we note that the limitation is recited in the alternative and the limitations directed to either the identity of the file or the specific type of information are describing the data conveyed by the protocol. The Examiner has shown that both SCP and LDAP are known protocols. Answer 21. The claims do not recite any limitation which acts or functions based upon the data conveyed by the protocol. Thus, we construe the limitations directed to the file or the specific type of information as non-functional descriptive material (printed matter) which is not afforded patentable weight. "[O]nce it is determined that the limitation is directed to printed matter, one must then determine if the matter is functionally or structurally related to the associated physical substrate, and only if the answer is 'no' is the printed matter owed no patentable weight." In re DiStefano, 808 F.3d. 845, 851 (Fed. Cir. 2015). Further, we concur with the Examiner that Fan teaches that requests can include the identity of an application associated with the packet, which is reasonably construed as a file name associated with the packet. Accordingly, Appellant's arguments directed to claims 34, 40, and 46 have not persuaded us of Examiner error and we sustain the rejection of these claims.

Claim 51

With respect to claim 51, Appellant argues that the combination of Anderson, Njemanze, Fan, and Mikurak do not teach that the management server determines that a product or service promotion caused the increase in need for requests sent by the one source computer as recited in claim 51. App. Br. 27-26, Reply Br. 24-25. Appellant argues that the teachings of Mikurak disclose applying rebates and discounts, but do not disclose or teach that they cause an increased need for requests sent from one computer as claimed. App. Br. 28 (citing Mikurak para. 492).
In response, the Examiner explains:

    Anderson discloses "whether a server is uncharacteristically excessive in responding to the same source address, whether a normal busty behavior is absent from the traffic" (see abstract, Anderson). Therefore, the references at least suggest "the management server determining that a product or service promotion caused an increased need for the requests sent by the one source computer", as claimed.

Answer 22. Further, in the rejection of claim 51 the Examiner explains:

    Ande[r]son, Njemanze, Fan, and Mikurak teach the claimed subject matter: a method for detecting a denial of service attack on a plurality of destination computers (see claim 1 above). They further disclose the product or promotion (see [0492] 'promotion,' Mikurak).

Final Act. 6-7.

Appellant's arguments have persuaded us of Examiner error. Claim 51 recites the management server determining that a product or promotion caused an increase in need for requests. The Examiner has not demonstrated that Mikurak's teaching of a product or promotion when combined with the other references teaches or suggests the disputed limitation. Thus, the Examiner has not provided sufficient evidence and explanation to demonstrate the combined teachings of Anderson, Njemanze, Fan, and Mikurak teach or suggest the disputed limitation. Accordingly, we do not sustain the Examiner's rejection of claim 51.

Claims 52 and 53

Claim 52 recites, inter alia: where the received request is a SCP request. Appellant argues the Examiner has not provided support to show this limitation is taught or suggested by the prior art. App. Br. 29, Reply Br. 25-26. Appellant presents a similar argument with respect to the claim 53 recitation of the request being a LDAP. App. Br. 30.
We are not persuaded of Examiner error, as discussed above with respect to claims 34, 40, and 46, i.e., the Examiner has shown that both SCP and LDAP are known protocols. Thus, Appellant's argument is not persuasive of Examiner error.

DECISION

We affirm the Examiner's rejections of claims 31 through 35, 37 through 41, 43 through 47, 52, and 53 under 35 U.S.C. § 103(a).

We reverse the Examiner's rejections of claims 49, 50, and 51 under 35 U.S.C. § 103(a).

No time period for taking any subsequent action in connection with this appeal may be extended under 37 C.F.R. § 1.136(a). See 37 C.F.R. § 1.136(a)(1)(iv).

AFFIRMED-IN-PART