10853591 (B.P.A.I. Sep. 28, 2010)

Ex Parte Koppol et al

Board of Patent Appeals and InterferencesSep 28, 2010

10853591 (B.P.A.I. Sep. 28, 2010)

UNITED STATES PATENT AND TRADEMARK OFFICE UNITED STATES DEPARTMENT OF COMMERCE United States Patent and Trademark Office Address: COMMISSIONER FOR PATENTS P.O. Box 1450 Alexandria, Virginia 22313-1450 www.uspto.gov APPLICATION NO. FILING DATE FIRST NAMED INVENTOR ATTORNEY DOCKET NO. CONFIRMATION NO. 10/853,591 05/25/2004 Pramod N. V. Koppol Koppol 7-1 4662 46368 7590 09/28/2010 CARLSON, GASKEY & OLDS, P.C./Alcatel-Lucent 400 W MAPLE RD SUITE 350 BIRMINGHAM, MI 48009 EXAMINER ZECHER, CORDELIA P K ART UNIT PAPER NUMBER 2432 MAIL DATE DELIVERY MODE 09/28/2010 PAPER Please find below and/or attached an Office communication concerning this application or proceeding. The time period for reply, if any, is set in the attached communication. PTOL-90A (Rev. 04/07) UNITED STATES PATENT AND TRADEMARK OFFICE ____________ BEFORE THE BOARD OF PATENT APPEALS AND INTERFERENCES ____________ Ex parte PRAMOD N. V. KOPPOL and THYAGARAJAN NANDAGOPAL ____________ Appeal 2009-006820 Application 10/853,591 Technology Center 2400 ____________ Before JAMES D. THOMAS, HOWARD B. BLANKENSHIP, and JEAN R. HOMERE, Administrative Patent Judges. BLANKENSHIP, Administrative Patent Judge. DECISION ON APPEAL1 1 The two-month time period for filing an appeal or commencing a civil action, as recited in 37 C.F.R. § 1.304, or for filing a request for rehearing, as recited in 37 C.F.R. § 41.52, begins to run from the “MAIL DATE” (paper delivery mode) or the “NOTIFICATION DATE” (electronic delivery mode) shown on the PTOL-90A cover letter attached to this decision. Appeal 2009-006820 Application 10/853,591 2 STATEMENT OF THE CASE This is an appeal under 35 U.S.C. § 134(a) from the Examiner’s final rejection of claims 1-3, 5-13, and 15-23, which are all the claims remaining in the application. Claims 4 and 14 have been cancelled. We have jurisdiction under 35 U.S.C. § 6(b). We affirm. Invention Appellants’ invention relates to identifying the source of a denial-of- service attack by analyzing flow information about packets collected at different points in the network. See Abstract. Representative Claim 1. A method for identifying a source of a Denial-of-Service (DoS) attack in a network, the network including at least a first autonomous system (AS) and a second AS, the method comprising: the first AS storing first flow information about packets entering the first AS; the second AS storing second flow information about packets entering the second AS; when a DoS attack occurs on a victim in the first AS, the first AS analyzing the first flow information to reconstruct a path taken by a packet associated with the DoS attack to identify the source of the DoS attack; and when a DoS attack occurs on a victim in the second AS, the second AS analyzing the second flow information to Appeal 2009-006820 Application 10/853,591 3 reconstruct a path taken by a packet associated with the DoS attack to identify the source of the DoS attack. Prior Art Turtle US 5,265,065 Nov. 23, 1993 Porras US 6,321,338 B1 Nov. 20, 2001 Kohler US 2002/0032774 A1 Mar. 14, 2002 Bennett US 2004/0081102 A1 Apr. 29, 2004 Examiner’s Rejections Claims 1-3, 5, 6, 8-13, 15-20, 22, and 23 stand rejected under 35 U.S.C. § 103(a) as being unpatentable over Kohler and Porras. Claim 7 stands rejected under 35 U.S.C. § 103(a) as being unpatentable over Kohler, Porras, and Turtle. Claim 21 stands rejected under 35 U.S.C. § 103(a) as being unpatentable over Kohler, Porras, and Bennett. FINDINGS OF FACT Kohler Kohler teaches an arrangement 10 (Fig. 1) for preventing DoS attacks on a victim data center 12. An attacker may infiltrate one or more computers at other sites or data centers 20a - 20c, causing the data centers to simultaneously send large volumes of data to victim 12. ¶¶ [0021] - [0022]. As shown in Figure 1, a control center 24 communicates with and controls gateways 26 and data collectors 28 disposed in the network (Internet) 14. The control center is coupled to the gateways and data Appeal 2009-006820 Application 10/853,591 4 collectors by a hardened, redundant network 30. The gateways and data collectors monitor and collect statistics on network traffic. ¶ [0023]. The control center 24 aggregates traffic information received from the gateways and data collectors, and coordinates measures to track down and block the sources of an attack. ¶ [0024]. Although in preferred embodiments the hardened, redundant network 30 is inaccessible to the attacker, when less than complete assurance is required, Kohler teaches an alternative embodiment in which the control center is resistant to attack, yet connected to the Internet 14. ¶ [0037]. Porras Porras teaches an enterprise 10 (Fig. 1) that includes different domains 12a - 12c. Each domain includes one or more computers offering local and network services. Col. 3, ll. 16-30. Network enterprise 10 includes network monitors 16a - 16f that analyze and respond to network activity. The monitors can interoperate to form an analysis hierarchy, for recognizing global threats to interdomain connectivity, such as coordinated attempts to infiltrate or destroy connectivity across an entire enterprise. Col. 3, ll. 31-40. PRINCIPLES OF LAW “[W]hen a patent ‘simply arranges old elements with each performing the same function it had been known to perform’ and yields no more than one would expect from such an arrangement, the combination is obvious.” KSR Int’l Co. v. Teleflex, Inc., 550 U.S. 398, 417 (2007) (quoting Sakraida v. Ag Pro, Inc., 425 U.S. 273, 282 (1976)). The operative question is Appeal 2009-006820 Application 10/853,591 5 “whether the improvement is more than the predictable use of prior art elements according to their established functions.” Id. ANALYSIS Appellants argue claim 1 as representative of the invention. We will thus decide the appeal on the basis of claim 1 alone. See 37 C.F.R. § 41.37(c)(1)(vii). We observe at the outset, however, that claim 1 does not require that the “first” and the “second” AS exchange any information with the other. As such, the subject matter of claim 1 may be considered as obvious over Kohler taken alone. That is, it would have been obvious to reproduce the invention of Kohler and have another separate, independent arrangement 10 (Kohler Figure 1) at a different location on the Internet 14. In any event, Appellants argue that Kohler has no disclosure of storing or analyzing any flow information within any AS that could be the victim of a DoS attack. According to Appellants, the control center 24 of Kohler is clearly not within any autonomous system where a DoS attack can occur. Appellants’ argument is inconsistent with Appellants’ disclosure and with claim 1. The Specification (at 8) provides an expansive definition of what might comprise an autonomous system or “AS” -- defining in terms of what an AS “may include” or “may be” coupled to. The Specification (at 8) also indicates that a domain can be considered an “AS.” The combination of control center 24 (Kohler Fig. 1) and data center victim 12 can thus constitute an AS within the meaning of claim 1. Since the victim 12 is susceptible to DoS attack, an AS comprised of victim 12 and control center 24 is susceptible to DoS attack. Moreover, instant claim 1 recites “when a DoS attack occurs on a victim in the first AS,” which means that the Appeal 2009-006820 Application 10/853,591 6 “victim” may be contained within the “AS,” rather than the two entities being co-extensive. See also instant Fig. 1, Victim 110 in AS 102(1). Appellants also argue in the Appeal Brief that Kohler “teaches away” from a combination with Porras because such a combination would be contrary to isolating control center 24 with a hardened, redundant network. Appellants do not explain how information exchange over a redundant, hardened network would be contrary to sharing information between different domains as taught by Porras. In any event, when the Examiner in the Answer pointed out that Kohler teaches an alternative embodiment in which the data center 24 is connected to the Internet rather than to a hardened network, Appellants merely repeat in the Reply Brief the argument that Kohler isolates the controller with a hardened network. We thus find Appellants’ position to be untenable. Appellants also allege that Porras is not properly combinable with Kohler, because the Examiner has offered no explanation of how the proposed combination could possibly function. The control center 24 (Fig. 1) of Kohler stores and analyzes flow information entering the first AS, the flow information being received from the gateway 26 associated with victim 12. Kohler ¶¶ [0023], [0026] - [0027]. Porras teaches network monitors attached to different domains that can interoperate and form an “analysis hierarchy” for recognizing attacks that might not be limited to a single domain (col. 3, ll. 31-40). In view of the level of skill in the art that is demonstrated by the references, we do not consider it beyond the skill of the ordinary artisan to effect sharing of information between different control centers. In any event, Appellants have provided no evidence tending to show that providing information between Appeal 2009-006820 Application 10/853,591 7 control centers was “uniquely challenging or difficult for one of ordinary skill in the art.” Leapfrog Enters., Inc. v. Fisher-Price, Inc., 485 F.3d 1157, 1162 (Fed. Cir. 2007) (citing KSR, 550 U.S. at 419). We are therefore not persuaded that any claim has been rejected in error. We sustain the Examiner’s rejections under § 103(a). DECISION We affirm the Examiner’s § 103(a) rejections against claims 1-3, 5- 13, and 15-23. No time period for taking any subsequent action in connection with this appeal may be extended under 37 C.F.R. § 1.136(a). See 37 C.F.R. § 41.50(f). AFFIRMED llw CARLSON, GASKEY & OLDS, P.C./Alcatel-Lucent 400 W MAPLE RD SUITE 350 BIRMINGHAM, MI 48009