Ex Parte Gaist
Patent Trial and Appeal Board
Aug 10, 2016
12983897 (P.T.A.B. Aug. 10, 2016)

UNITED STATES PATENT AND TRADEMARK OFFICE

UNITED STATES DEPARTMENT OF COMMERCE
United States Patent and Trademark Office
Address: COMMISSIONER FOR PATENTS, P.O. Box 1450, Alexandria, Virginia 22313-1450
www.uspto.gov

APPLICATION NO.: 12/983,897
FILING DATE: 01/04/2011
FIRST NAMED INVENTOR: Nir Gaist
ATTORNEY DOCKET NO.: 8150-US2
CONFIRMATION NO.: 1269

NIR GAIST (AT Nyotron Information Security Inc.)
6 Galgaley Haplada St.
HERZLIYA, 46733
ISRAEL

EXAMINER: KHOSHNOODI, NADIA
ART UNIT: 2494
MAIL DATE: 08/11/2016
DELIVERY MODE: PAPER

Please find below and/or attached an Office communication concerning this application or proceeding. The time period for reply, if any, is set in the attached communication.

PTOL-90A (Rev. 04/07)

UNITED STATES PATENT AND TRADEMARK OFFICE

BEFORE THE PATENT TRIAL AND APPEAL BOARD

Ex parte NIR GAIST

Appeal 2014-009254
Application 12/983,897
Technology Center 2400

Before ERIC S. FRAHM, NORMAN H. BEAMER, and JAMES W. DEJMEK, Administrative Patent Judges.

FRAHM, Administrative Patent Judge.

DECISION ON APPEAL

STATEMENT OF THE CASE

Introduction

Appellant appeals under 35 U.S.C. § 134(a) from the Examiner's rejections of claims 1-32 (Br. 9-15; Final Act. 5-12). We have jurisdiction under 35 U.S.C. § 6(b). We affirm.

Appellant's Invention

Appellant's invention relates to a method for reacting to system calls made to a kernel of the operating system of a computer (Spec. ¶ 3).

Exemplary Claims

Exemplary independent claim 1 and dependent claims 3 and 5 under appeal, with disputed limitations emphasized, read as follows:

1.
A method for reacting to system calls made to a kernel of a computerized system, the method comprising:
receiving a first control data structure that comprises multiple segments; wherein each segment comprises a system call type field, at least one system call initiator field and at least one system call request field;
converting the first control data structure into a non-executable control data structure that comprises multiple data-structure elements (DEs), wherein the DEs comprise DE fields that correspond to the system call type fields, to the system call initiator fields and to the system call request fields of the segments of the first control data structure;
monitoring system calls made to the kernel by comparing information of system calls made to the kernel to DE-fields of the non-executable control data structure; and
controlling an execution of at least one system call by the kernel in response to a result of the comparing.

3. The Method of claim 1, wherein the first control data structure comprise interrelations information indicative of interrelations between segments of at least one group of segments, wherein the converting comprises inserting into DEs of the non-executable control data structure pointers to other DEs selected in response to the interrelations-information.

5. The Method according to claim 1, wherein an order of segments in the first control data structure determines a selection order of DEs in the non-executable control data structure during the monitoring.

Examiner's Rejections

(1) The Examiner rejected claims 1-4, 11-14, 21-24, and 30 under § 103(a) as being obvious over Xie et al. (US 2009/0199296 A1; published Aug. 6, 2009) and Baker (US 2005/0257243 A1; published Nov. 17, 2005). Final Act. 5-9.

(2) The Examiner rejected claims 5-10, 15-20, 25-29, 31, and 32 under § 103(a) as being obvious over Xie, Baker, and Kim et al. (US 2009/0158385 A1; published June 18, 2009). Final Act. 9-12.
Appellant's Contentions

(1) Appellant contends (Br. 9-10) that the Examiner erred (a) in rejecting claims 1, 2, 11, 12, 21, 22, and 30 as being unpatentable by Xie and Baker because the Xie reference fails to teach "converting the first control data structure into a non-executable control data structure that comprises multiple data-structure elements (DEs), wherein the DEs comprise DE fields that correspond to the system call type fields, to the system call initiator fields and to the system call request fields of the segments of the first control data structure," as required by claims 1, 11, and 21; [1] and (b) in rejecting claims 3, 4, 13, 14, 23, and 24 as being unpatentable by Xie and Baker because the Baker reference fails to teach "wherein the first control data structure comprise interrelations information indicative of interrelations between segments of at least one group of segments, wherein the converting comprises inserting into DEs of the non-executable control data structure pointers to other DEs selected in response to the interrelations-information" as required by claims 3, 13, and 23 (Br. 12); [2] and

(2) Appellant contends that the Examiner erred in rejecting claims 5-10, 15-20, 25-29, 31, and 32 as being unpatentable by Xie, Baker, and Kim because (a) the Kim reference fails to teach "wherein an order of segments in the first control data structure determines a selection order of DEs in the non-executable control data structure during the monitoring" as required by claims 5, 15, and 25 (Br. 12); and (b) the Kim reference teaches away from the claimed invention and, therefore, the use of Kim in combination was improper (Br. 11-12). [3]

[1] Based on Appellant's argument (Br. 9-10, 14-15) with regard to the § 103(a) rejection of claims 1, 2, 11, 12, 21, 22, and 30 as being unpatentable by Xie and Baker we select claim 1 as representative of the group of claims.

[2] Based on Appellant's argument (Br.
9-10, 14-15) with regard to the § 103(a) rejection of claims 3, 4, 13, 14, 23, and 24 as being unpatentable by Xie and Baker we select claim 3 as representative of the group of claims.

[3] Based on Appellant's argument (Br. 11-13) with regard to the § 103(a) rejection of claims 5-10, 15-20, 25-29, 31, and 32 as being unpatentable by Xie, Baker, and Kim we select claim 5 as representative of the group of claims.

Reply Brief

No Reply Brief has been presented. Therefore, Appellant has not disputed the Examiner's articulated reasoning and findings found at pages 2-15 of the Answer, including many new citations, reasoning, and findings with regard to each of the references applied in the rejections (e.g., as to Xie, Baker, and Kim).

Issues on Appeal

Based on Appellant's arguments in the Appeal Brief (Br. 8-15), the following principal issue is presented on appeal:

(1) Did the Examiner err (a) in rejecting claims 1, 2, 11, 12, 21, 22, and 30 as being unpatentable under 35 U.S.C.
§ 103(a) as obvious in light of Xie and Baker because the combination fails to teach or suggest "converting the first control data structure into a non-executable control data structure that comprises multiple data-structure elements (DEs), wherein the DEs comprise DE fields that correspond to the system call type fields, to the system call initiator fields and to the system call request fields of the segments of the first control data structure," as required by representative claim 1; and (b) in rejecting claims 3, 4, 13, 14, 23, and 24 as being unpatentable under § 103(a) by Xie and Baker because Xie fails to teach or suggest "wherein the first control data structure comprise interrelations information indicative of interrelations between segments of at least one group of segments, wherein the converting comprises inserting into DEs of the non-executable control data structure pointers to other DEs selected in response to the interrelations-information" as required by representative claim 3?

(2) Did the Examiner err in rejecting claims 5-10, 15-20, 25-29, 31, and 32 as being unpatentable under 35 U.S.C. § 103(a) as obvious in light of Xie, Baker, and Kim because (a) the Kim reference fails to teach or suggest "wherein an order of segments in the first control data structure determines a selection order of DEs in the non-executable control data structure during the monitoring," as required by representative claim 5; and (b) properly combining Kim with Xie and Baker?

ANALYSIS

We have reviewed the Examiner's rejections (Final Act. 5-12) in light of Appellant's contentions in the Appeal Brief (Br. 9-15) that the Examiner has erred, as well as the Examiner's response to Appellant's arguments in the Appeal Brief (see Ans. 2-16). We disagree with Appellant's conclusions.

Obviousness Rejections

We disagree with Appellant's conclusion regarding the obviousness rejection of claims 1-4, 11-14, 21-24, and 30 over Xie and Baker.
With regard to the representative claims 1, 3, and 5 we adopt as our own (1) the findings and reasons set forth by the Examiner in the action from which this appeal is taken (Final Act. 5-6 and 9-11), and (2) the reasons set forth by the Examiner in the Examiner's Answer in response to Appellant's Appeal Brief (Ans. 2-8 and 13-16). We highlight and amplify certain teachings and suggestions of Xie as follows.

Xie discloses a system for monitoring system calls in a computer system (see Abs.) with a system call monitor (see Xie ¶¶ 52 and 56) where each of the system calls are converted into behavioral graphs (see Xie ¶¶ 62 and 79). Accordingly, we agree with the Examiner that Xie and Baker teaches or suggests the subject matter of representative claim 1, including "converting the first control data structure into a non-executable control data structure that comprises multiple data-structure elements (DEs), wherein the DEs comprise DE fields that correspond to the system call type fields, to the system call initiator fields and to the system call request fields of the segments of the first control data structure" (Ans. 6-7).

In view of the foregoing, we sustain the rejection based on Xie and Baker of representative claim 1, as well as claims 2, 11, 12, 21, 22, and 30 grouped therewith.

Additionally, we agree with the Examiner that Xie and Baker teaches or suggests the disputed limitation of claim 3, separately argued by Appellant, in light of the disclosure of Xie of and the teaching of Baker of pointers to navigate to the start instruction for various system calls (Ans. 16; Xie ¶¶ 55-56 and 78) wherein the monitoring comprises selecting, in response to the result of the comparing, a DE that is made available for selection only after its availability for selection was modified in response to the interrelation information (see Baker ¶¶ 21-23).
In view of the foregoing, we sustain the obviousness rejection based on Xie and Baker of claim 3, as well as claims 4, 13, 14, 23, and 24 grouped therewith.

We disagree with Appellant's conclusions regarding the obviousness rejection of claims 5-10, 15-20, 25-29, 31, and 32 over Xie, Baker, and Kim. We adopt as our own (1) the findings and reasons set forth by the Examiner in the action from which this appeal is taken (Final Act. 9-12), and (2) the reasons set forth by the Examiner in the Examiner's Answer in response to Appellant's Appeal Brief (Ans. 11-14). We highlight and amplify certain teachings and suggestions of Xie, Baker, and Kim as follows.

Kim teaches a system for tracing the system call log in a computer system for the generation of a security policy (see Abs.) where list data for the logged system calls are arranged at least in alphabetical order (see Kim ¶¶ 35-36). Accordingly, we agree with the Examiner that Xie, Baker, and Kim renders the subject matter of representative claim 5 obvious, including teaching "wherein an order of segments in the first control data structure determines a selection order of DEs in the non-executable control data structure during the monitoring" (Ans. 13-14).

We are also unpersuaded by Appellant's contention (Br. 11-12) that the Examiner improperly combined Xie, Baker, and Kim because Kim teaches a method that executes all system calls (Kim ¶¶ 32-34) which teaches away from the claimed invention which requires controlled execution of system calls (Claim 1; Br. 11). We find this argument mischaracterizes Kim's teachings. Kim merely discusses tracing all potentially executed system calls (See Kim ¶ 33) not executing all system calls. Further, the argument mischaracterizes the subject matter of claim 1.
Claim 1 is drawn to "a method for reacting to system calls" with a step for converting data structures for "DE fields that correspond to the system call type fields" but there simply is no positive limitation regarding what system calls are to be executed by the computerized system and no negative limitation restricting the number of system calls that may be executed by the computerized system. Kim monitors system calls, traces the system call log, and arranges the entries in a list for further processing (Kim ¶¶ 35-36); not a criticism of monitoring system calls and reacting to specific system call type fields. See DePuy Spine, Inc. v. Medtronic Sofamor Danek, Inc., 567 F.3d 1314, 1327 (Fed. Cir. 2009) ("A reference does not teach away ... if it merely expresses a general preference for an alternative invention but does not 'criticize, discredit, or otherwise discourage' investigation into the invention claimed." (citation omitted)).

Additionally, we sustain the obviousness rejection of claims 6-10, 15-20, 25-29, 31, and 32 (based on Xie, Baker, and Kim) for the same reasons as claim 5 just discussed.

CONCLUSIONS

(1) The Examiner did not err in rejecting claims 1-4, 11-14, 21-24, and 30 under § 103(a) as being unpatentable by Xie and Baker because (a) the combination of Xie and Baker teaches or suggests each of the disputed limitations in representative claim 1; and (b) the combination of Xie and Baker teaches or suggests each of the disputed limitations in representative claim 3.

(2) The Examiner did not err in rejecting claims 5-10, 15-20, 25-29, 31, and 32 under § 103(a) as being unpatentable by Xie, Baker, and Kim because (a) the combination of Xie, Baker, and Kim teaches or suggests each of the disputed limitations in representative claim 5; and (b) Xie, Baker, and Kim were properly combined.

DECISION

The Examiner's rejections of claims 1-32 under 35 U.S.C.
§ 103(a) are affirmed.

No time period for taking any subsequent action in connection with this appeal may be extended under 37 C.F.R. § 1.136(a)(1)(iv).

AFFIRMED