Ex Parte Herrmann et al
Board of Patent Appeals and Interferences
Jun 1, 2009
10249073 (B.P.A.I. Jun. 1, 2009)

UNITED STATES PATENT AND TRADEMARK OFFICE

BEFORE THE BOARD OF PATENT APPEALS AND INTERFERENCES

Ex parte CONRAD K. HERRMANN and SINDUJA MURARI

Appeal 2008-004188
Application 10/249,073
Technology Center 2400

Decided:¹ June 2, 2009

Before ALLEN R. MACDONALD, Vice Chief Administrative Patent Judge, LEE E. BARRETT, and THU A. DANG, Administrative Patent Judges.

DANG, Administrative Patent Judge.

DECISION ON APPEAL

¹ The two-month time period for filing an appeal or commencing a civil action, as recited in 37 CFR § 1.304, begins to run from the decided date shown on this page of the decision. The time period does not run from the Mail Date (paper delivery) or Notification Data (electronic delivery).

I. STATEMENT OF CASE

Appellants appeal under 35 U.S.C. § 134(a) from a final rejection of claims 17-52. We have jurisdiction under 35 U.S.C. § 6(b).

A. INVENTION

According to Appellants, the invention relates to policy enforcement on computer systems connected to one or more networks, such as Local Area Networks and Wide Area Networks, including the Internet (Spec., 1-2, para. [0001]).

B. ILLUSTRATIVE CLAIMS

Claim 17 is exemplary and is reproduced below:

17.
A method for enforcing compliance with security rules required as a condition for access, the method comprising:

specifying security rules that clients must comply with as a condition for access;

generating at a particular client a request to be sent to an authentication module that requests that the client be authenticated for access;

trapping the request before it is received by the authentication module;

before sending the trapped request to the authentication module, forwarding the trapped request to a policy server that may collect information from the client about the client's compliance with said security rules;

verifying authentication of the client requesting access, including determining by the policy server whether the client complies with said specified security rules, and determining by the authentication module whether the client is authentic; and

if the client is authenticated for access, providing access to the client in accordance with the security rules based at least in part on said information collected by the policy server from the client during authentication.

C. REJECTIONS

The prior art relied upon by the Examiner in rejecting the claims on appeal is:

Ide         WO 02/03178 A2        Jan. 10, 2002
Haverinen   US 2002/0012433 A1    Jan. 31, 2002
Sobel       US 2004/0103310 A1    May 27, 2004 (filed Nov. 27, 2002)

Claims 17-23, 27, 29-37, 39-46, 49, 51 and 52 stand rejected under 35 U.S.C. § 103(a) over the teachings of Ide in view of Sobel.

Claims 24-26, 28, 38, 47, 48, and 50 stand rejected under 35 U.S.C. § 103(a) over the teachings of Ide in view of Sobel, and Haverinen.

We affirm.

II. ISSUE

The issue is whether Appellants have shown that the Examiner erred in concluding that claims 17-52 are unpatentable under 35 U.S.C. § 103(a).
In particular, the issue turns on whether the combination of Ide and Sobel teaches and/or would have suggested “trapping the request before it is received by the authentication module” and “verifying authentication of the client requesting access, including determining by the policy server whether the client complies with said specified security rules” (claim 17).

III. FINDINGS OF FACT

The following Findings of Fact (FF) are shown by a preponderance of the evidence.

Ide

1. Ide discloses providing a user with assurance that a networked computer is secure, before completion of the log-in operation, by extending the local log-in process to perform a host assessment of the workstation prior to requesting the user’s credentials (Abstract).

2. A network server is able to determine whether the workstation is a “trusted” platform from which to accept authentication requests (id.).

Sobel

3. Sobel discloses enforcing computer network security policies by assigning network membership to a client based on the client’s compliance with the security policies (Abstract).

4. Compliance verification component 190 determines whether the client is in compliance with the security policies (p. 2, para [0020]; Figs. 1-2), and once the compliance verification component 190 determines whether the client is in compliance, the client notifies the DHCP proxy 110 by transmitting its compliance data (id. at [0021]).

5. The DHCP proxy 110 is configured to intercept the DHCP request from the client 105, and before providing the client 105 with an IP address, the DHCP proxy 110 first queries the compliance registration manager 135 for the compliance data associated with the client 105 (id. at [0021]; Fig. 3).

IV. PRINCIPLES OF LAW

"[T]he PTO gives claims their 'broadest reasonable interpretation.'" In re Bigio, 381 F.3d 1320, 1324 (Fed. Cir. 2004) (quoting In re Hyatt, 211 F.3d 1367, 1372 (Fed. Cir. 2000)). "Moreover, limitations are not to be read into the claims from the specification." In re Van Geuns, 988 F.2d 1181, 1184 (Fed. Cir. 1993) (citing In re Zletz, 893 F.2d 319, 321 (Fed. Cir. 1989)). Our reviewing court has repeatedly warned against confining the claims to specific embodiments described in the specification. Phillips v. AWH Corp., 415 F.3d 1303, 1323 (Fed. Cir. 2005) (en banc).

One cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references. In re Merck & Co., Inc., 800 F.2d 1091, 1097 (Fed. Cir. 1986).

Section 103 forbids issuance of a patent when “the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains.” KSR Int'l Co. v. Teleflex Inc., 550 U.S. 398, 406 (2007).

The Supreme Court emphasized “the need for caution in granting a patent based on the combination of elements found in the prior art,” and discussed circumstances in which a patent might be determined to be obvious. Id. at 415 (citing Graham v. John Deere Co., 383 U.S. 1, 12 (1966)). The Court reaffirmed principles based on its precedent that “[t]he combination of familiar elements according to known methods is likely to be obvious when it does no more than yield predictable results.” Id. at 416.

We must determine whether or not the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains. See KSR, at 406. Obviousness determination is not the result of a rigid formula, and we will consider the facts of a case and the common sense of those skilled in the art.
Leapfrog Enters., Inc. v. Fisher-Price, Inc., 485 F.3d 1157, 1161 (Fed. Cir. 2007). That is, the test for obviousness is rather what the combined teachings of the references would have suggested to those of ordinary skill in the art. See In re Keller, 642 F.2d 413, 425 (CCPA 1981); In re Young, 927 F.2d 588, 591 (Fed. Cir. 1991).

V. ANALYSIS

Claims 17-23, 27, 29-37, 39-46, 49, 51, and 52

Appellants argue that the limitation “determining by the policy server whether the client complies with said specified rules” as recited in claim 17 “are not taught or suggested by the combined art of record” because “the policy server explicitly participates in the authentication of the client, but does so in a manner that is entirely transparent to existing server mechanisms” (App. Br. 12). Though Appellants admit that “the prior art teaches verifying the authentication of a client requesting access and determining whether the client complies with an application security policy,” Appellants argue that the claimed invention “is not merely verifying the authentication (e.g., username/password logon) of a client requesting access followed by checking whether the client complies with a security policy, but is instead a specific approach that integrates the security policy check into the authentication process” (id. at 13).

The Appellants then contend that the prior art does not teach or suggest “trapping the request before it is received by the authentication module” which “allow Appellant’s system to test the security of the client (i.e., the client that originated the request for access), so that the client’s compliance with security rules is checked in addition to – and contemporaneous with – the normal user authentication process” (id. at 14), since, in Sobel, “DHCP use is optional” and thus “using it as a basis for security appears to be less-than robust” (id. at 16).
The Examiner finds that “Ide’s invention relates to authentication process, which can restrict access to a network service based on information about the integrity and security posture of the workstation that originates the service request” (Ans. 12). In particular, the Examiner finds that “Ide teaches verifying authentication of the client request the access and determining whether the workstation/client complies with security policy” while “Sobel teaches the policy server (proxy server) which determines whether the client is complied with the security policies by intercepting (i.e. monitoring or trapping) the request (communications).” Id. at 13.

Appellants’ argument that Appellants’ policy server “explicitly participates in the authentication” but “in a manner that is entirely transparent to existing server mechanisms” (App. Br. 12) is not commensurate with the language of the claimed invention. That is, claim 17 does not recite any such “manner that is transparent to existing server mechanism” as Appellants contend, and we will not read such limitation into the claim. Similarly, Appellants’ contentions that the claimed invention “is instead a specific approach that integrates the security policy check into the authentication process” (id. at 13), that the client’s compliance with security rules is checked “contemporaneous with” the normal user authentication process (id. at 14), and that Sobel’s “DHCP use is optional” (id. at 16), are also not commensurate with the language of the claimed invention.

Furthermore, by arguing that Sobel’s teaching “as a basis for security appears to be less-than robust” (App. Br. 16), Appellants appear to be arguing that Sobel alone fails to disclose or suggest the claim limitations.
However, the Examiner has rejected the claims based on the combination of Ide and Sobel, and nonobviousness cannot be shown by attacking the references individually. See In re Merck, 800 F.2d at 1097.

Thus, the issues we address on appeal are whether the combination of Ide and Sobel teaches and/or would have suggested “trapping the request before it is received by the authentication module” and “verifying authentication of the client requesting access, including determining by the policy server whether the client complies with said specified security rules” as claimed in claim 17.

We begin our analysis by giving the claims their broadest reasonable interpretation. See In re Bigio, 381 F.3d at 1324. Furthermore, our analysis will not read limitations into the claims from the Specification. See In re Van Geuns, 988 F.2d at 1184. It is the Appellants’ burden to precisely define the invention. See In re Morris, 127 F.3d 1048, 1056 (Fed. Cir. 1997).

Claim 17 simply does not place any limitation on what the term “authentication” is to be, to represent, or to mean, other than that the authentication module receives the request after it has been trapped and determines whether the client requesting access is authentic, and that information is collected by the policy server during authentication.

Similarly, claim 17 simply does not place any limitation on what the term “policy server” is to be, to represent, or to mean, other than that the policy server “may collect information from the client about the client’s compliance with said security rules” and determines whether the client complies with said specified security rules.
Ide discloses determining whether a networked computer is secure, before completion of the log-in operation, by extending the local log-in process to perform a host assessment of the workstation prior to requesting the user’s credentials (FF 1), wherein a network server is able to determine whether the workstation is a “trusted” platform from which to accept authentication requests (FF 2). An artisan would have understood such step of determining whether the computer is secure before the log-in operation for accepting authentication requests to be a step of determining whether the client complies with specified security rules “before [the request] is received by the authentication module” (claim 17).

Sobel discloses determining the client’s compliance with the security policies (FF 3). In particular, Sobel determines whether the client is in compliance with the security policies, and once a compliance verification component determines whether the client is in compliance, the client notifies a DHCP proxy by transmitting its compliance data (FF 4) and the DHCP proxy intercepts the DHCP request, and before providing the client with an IP address, the DHCP proxy first obtains the compliance data associated with the client (FF 5). An artisan would have understood such intercepting of the request by the DHCP proxy to be “trapping the request before it is received by the authentication module” and would have understood such determining whether the client is in compliance with security policies to be “determining by the policy server whether the client complies with said specified security rules,” as required by claim 17.
Further, we find an artisan would have understood Ide in view of Sobel would teach or at least suggest a list including “trapping the request before it is received by the authentication module” and “verifying authentication of the client requesting access, including determining by the policy server whether the client complies with said specified security rules” (claim 17). That is, we find the subject matter sought to be patented by Appellants as a whole would have been obvious to the artisan as we consider the facts of the case and the common sense of those skilled in the art. See Leapfrog, 485 F.3d at 1161.

As Appellants admit, “the prior art teaches verifying the authentication of a client requesting access and determining whether the client complies with an application security policy” (App. Br. 13). Yet, Appellants have presented no evidence that adding the teachings of Sobel of determining whether the client complies with specified security rules to the teachings of Ide of trapping the request and determining whether the client is secure before the request is received by the authentication module "was uniquely challenging or difficult for one of ordinary skill in the art" (see Leapfrog, 485 F.3d at 1162), nor have Appellants presented evidence that these "represented an unobvious step over the prior art" (id.). Rather, Appellants’ invention is simply an arrangement of the well-known teachings of adding the determining of security compliance step with the well-known teaching of trapping the request and determining whether the client is secure before sending the request to the authentication module.

The combined teachings of the references represent merely a combination of familiar elements according to known methods and do no more than yield predictable results. See KSR, at 416.
Accordingly, we conclude that the Appellants have not shown that the Examiner erred in rejecting independent claim 17, and claims 18-34 depending therefrom, under 35 U.S.C. § 103(a). Because Appellants do not provide separate arguments with respect to independent claims 35 and 44, claims 35 and 44 fall with claim 17. Accordingly, we also conclude that the Appellants have not shown that the Examiner erred in rejecting claims 35 and 44, and claims 36-43 and 45-52 depending respectively therefrom under 35 U.S.C. § 103(a) over Ide in view of Sobel.

Claims 24-26, 28, 38, 47, 48, and 50

As to claims 24-26, 28, 38, 47, 48, and 50, Appellants add the argument that Haverinen does not provide any teaching or suggestion “as to how one would modify the combination of Ide and Sobel, to provide compliance verification – during the authentication process itself – in a manner that is transparent to concurrent EAP-based authentication” (App. Br. 19). However, such “manner that is transparent to concurrent EAP-based authentication” limitation is not recited in the claims, and we will not read such limitation into the claim. Further, since the rejection is over the teachings of Haverinen combined with Ide and Sobel, Appellants cannot show nonobviousness by attacking Haverinen individually.

Representative claim 24 depends ultimately from claim 17, and merely recites that “said authentication protocol comprises an Extensible Authentication Protocol (EAP).” As discussed above, we agree with the Examiner’s finding that the combination of Ide and Sobel teaches and would have suggested the limitations of claim 17. In particular, as Appellants admit, the combination of Ide and Sobel “teaches verifying the authentication of a client requesting access and determining whether the client complies with an application security policy” (App. Br. 13).
Further, as the Examiner finds, in Haverinen, the authentication “is designed so that it can be embedded in a well-known standard IP protocol or implemented as an extension to the existing protocol” (Ans. 14). An artisan would have understood such protocol of Haverinen to comprise “an Extensible Authentication Protocol (EAP),” as required by representative claim 24.

Appellants have provided no argument to dispute that the Examiner has correctly shown where all the claimed elements appear in Ide, Sobel, and Haverinen. In fact, Appellants have presented no evidence that using the EAP protocol of Haverinen as the authentication protocol used in the combined teachings of Ide and Sobel "was uniquely challenging or difficult for one of ordinary skill in the art" (see Leapfrog, 485 F.3d at 1162), nor have Appellants presented evidence that these "represented an unobvious step over the prior art" (id.). Such use of EAP protocol is merely a use of familiar elements according to known methods and does no more than yield predictable results. See KSR, at 416.

Accordingly, we conclude that the Appellants have not shown that the Examiner erred in rejecting representative claim 24 and claims 25, 26, 28, 38, 47, 48, and 50, falling with claim 24 under 35 U.S.C. § 103(a).

VI. CONCLUSION OF LAW

(1) Appellants have not shown that the Examiner erred in finding that claims 17-23, 27, 29-37, 39-46, 49, 51, and 52 are unpatentable under 35 U.S.C. § 103(a) over the teachings of Ide and Sobel.

(2) Appellants have not shown that the Examiner erred in finding that claims 24-26, 28, 38, 47, 48, and 50 are unpatentable under 35 U.S.C. § 103(a) over the teachings of Ide, Sobel, and Haverinen.

(3) Claims 17-52 are not patentable.

VII. DECISION

We affirm the Examiner’s rejections of claims 17-52 under 35 U.S.C. § 103(a).
No time period for taking any subsequent action in connection with this appeal may be extended under 37 C.F.R. § 1.136(a).

AFFIRMED

rwk

JOHN A. SMART
201 LOS GATOS SARATOGA RD, #161
LOS GATOS CA 95030-5308