Ex Parte McKenna, Board of Patent Appeals and Interferences, Aug. 22, 2012, Application 10/890,798 (B.P.A.I. Aug. 22, 2012)

UNITED STATES PATENT AND TRADEMARK OFFICE
________________
BEFORE THE BOARD OF PATENT APPEALS AND INTERFERENCES
________________
Ex parte JOHN K. McKENNA
________________
Appeal 2010-003833
Application 10/890,798
Technology Center 2400
________________
Before JOSEPH F. RUGGIERO, BRUCE R. WINSOR, and GLENN J. PERRY, Administrative Patent Judges.
PERRY, Administrative Patent Judge.

DECISION ON APPEAL

STATEMENT OF THE CASE

Introduction

Appellant invokes our review under 35 U.S.C. § 134(a) from the Examiner’s rejection¹ of claims 1, 2, 5-9, 11, 12, and 20. We have jurisdiction under 35 U.S.C. § 6(b). We affirm-in-part.

Invention

Appellant’s invention relates in general to responding to computer security threats. Upon receiving a notification of a security threat, a first threat management vector (TMV) is generated. A TMV is an electronic record including multiple fields such as a type of system affected by the threat, a software release level, and identification of countermeasures that may be effective in remediating the threat.² The first TMV is transmitted to target systems. In response to a notification from a particular target system that an intrusion threat has been detected, a second TMV is generated and transmitted to that target system. See generally Abstract; claim 1.

Evidence Considered

The Examiner relies on the following prior art in rejecting the claims:

Gupta, US 2003/0004689 A1, Jan. 2, 2003
Friedrichs, US 2003/0084349 A1, May 1, 2003
Banzhof, US 2003/0126472 A1, July 3, 2003
Chang Liu & Debra J. Richardson, Automated Security Checking and Patching Using TestTalk, AUTOMATED SOFTWARE ENG’G 261 (2000).

¹ Final Office Action dated April 14, 2009.
² See Application Figure 4 and the associated explanation in the text of the Specification.
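As an added illustration, not part of the Board’s opinion or of the McKenna application, the following constructed Python model walks through the claimed TMV exchange: a first TMV naming the affected system type, release level and the intrusion tests to run, a target system’s detection notification, and the second TMV carrying removal instructions, or a null TMV when none exist (so it also covers the claim 5, 11 and 20 variants discussed later, not only claim 1). All field names, test names, version thresholds and sample hosts are assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed model of the claimed Threat Management Vector (TMV); the field names are
# assumptions, since the application's own record layout is not reproduced in the opinion.
@dataclass
class TMV:
    threat_id: str
    system_type: str                            # affected system type (claim 1, [b])
    release_level: str                          # release level for that type (claim 1, [b])
    tests: list = field(default_factory=list)   # intrusion tests to perform (claims 11, 20)
    countermeasure: Optional[str] = None        # possible countermeasure (claim 2)
    instructions: Optional[str] = None          # removal instructions (second TMV, [d])
    null: bool = False                          # "no instructions are available" (claim 5)

def ver(v: str) -> tuple:
    """Compare versions numerically rather than as strings, so "1.10" > "1.9"."""
    return tuple(int(x) for x in v.split("."))
# Constructed test registry: a test is a predicate over a target's package inventory,
# modelled on the version-threshold check the opinion attributes to Liu (the lpd example).
TESTS: dict[str, Callable[[dict], bool]] = {
    "lpd-below-0.50": lambda pkgs: "lpd" in pkgs and ver(pkgs["lpd"]) < ver("0.50"),
}
def first_tmv(note: dict) -> TMV:
    """Step [b]: derive the first TMV from a received threat notification."""
    return TMV(note["threat_id"], note["system_type"], note["release_level"],
               tests=list(note.get("tests", [])), countermeasure=note.get("countermeasure"))
def target_process(target: dict, tmv: TMV) -> Optional[dict]:
    """Target side: act only on a TMV for its own type and release, run the identified
    tests, and return a detection notification only when a test fires."""
    if (target["system_type"], target["release_level"]) != (tmv.system_type, tmv.release_level):
        return None
    hit = [t for t in tmv.tests if TESTS[t](target["packages"])]
    return {"target": target["name"], "threat_id": tmv.threat_id, "tests_hit": hit} if hit else None
def second_tmv(first: TMV, remediations: dict) -> TMV:
    """Step [d]: answer a detection with removal instructions, or with a null TMV
    when none exist for the threat (the claim 5 case)."""
    steps = remediations.get(first.threat_id)
    return TMV(first.threat_id, first.system_type, first.release_level,
               instructions=steps, null=steps is None)
def disseminate(note: dict, fleet: list, remediations: dict) -> dict:
    """Steps [a]-[e] end to end: returns the second TMV sent to each detecting target."""
    first = first_tmv(note)
    detections = [d for d in (target_process(t, first) for t in fleet) if d]
    return {d["target"]: second_tmv(first, remediations) for d in detections}
FLEET = [  # constructed sample targets: one vulnerable, one patched, one of another type
    {"name": "host-a", "system_type": "RedHat Linux", "release_level": "6.2", "packages": {"lpd": "0.47"}},
    {"name": "host-b", "system_type": "RedHat Linux", "release_level": "6.2", "packages": {"lpd": "0.52"}},
    {"name": "host-c", "system_type": "Windows", "release_level": "2000", "packages": {}},
]
NOTE = {"threat_id": "T-0001", "system_type": "RedHat Linux", "release_level": "6.2",
        "tests": ["lpd-below-0.50"], "countermeasure": "upgrade lpd"}  # constructed notification
```

Running `disseminate(NOTE, FLEET, {"T-0001": "upgrade lpd to 0.50 or later"})` yields a second TMV only for host-a; passing an empty remediation table instead yields a null TMV for the same host.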
The Rejections

1. The Examiner provisionally rejected claims 1, 2, 5-9, 11, 12, and 20 under the judicially created doctrine of obviousness-type double patenting as being unpatentable over claims 1-23 of copending Application No. 10/624,344. Ans. 3-4.³
2. The Examiner provisionally rejected claims 1, 2, 5-9, 11, 12, and 20 under the judicially created doctrine of obviousness-type double patenting as being unpatentable over claims 1-23 of U.S. Patent No. 7,370,345. Ans. 4.
3. The Examiner rejected claims 1, 9, and 20 under 35 U.S.C. § 103(a) as being unpatentable over Friedrichs and Gupta. Ans. 6.
4. The Examiner rejected claim 2 under 35 U.S.C. § 103(a) as being unpatentable over Friedrichs, Gupta, and Liu. Ans. 7.
5. The Examiner rejected claims 5-8, 11, 12, and 20 under 35 U.S.C. § 103(a) as being unpatentable over Friedrichs, Gupta, and Banzhof. Ans. 8, 11.

REJECTIONS 1 AND 2

Both of the double patenting rejections are noted as “provisional”⁴ and are held in abeyance until such time as patentable subject matter is otherwise indicated, which first requires resolution of this appeal with regard to rejections 3, 4, and 5.

³ Throughout this opinion, we refer to (1) the Appeal Brief (“Br.”) filed July 13, 2009; and (2) the Examiner’s Answer (“Ans.”) mailed October 13, 2009.
⁴ Final Office Action dated April 14, 2009.

REJECTION 3: CLAIMS 1 AND 9

Appellant first argues independent claims 1 and 9. Br. 6. Illustrative claim 1 is reproduced with disputed limitations emphasized and with added bracketed letters designating the various limitations for later reference.

1. A method of disseminating instructions for removing an intrusion of a computer security threat, comprising:
   [a] receiving a notification of a computer security threat;
   [b] generating a computer-actionable first Threat Management Vector (TMV) from the notification that was received, the first TMV including therein a computer-readable field that provides identification of at least one system type that is affected by the computer security threat, and a computer-readable field that provides identification of a release level for the system type;
   [c] transmitting the first TMV that is generated to a plurality of target systems for processing by the plurality of target systems;
   [d] generating a computer-actionable second TMV in response to receiving a notification from a target system, included in the plurality of target systems, that intrusion of the computer security threat has been detected, the second TMV including therein a computer-readable field that identifies instructions for removing the intrusion of the computer security threat that was detected; and
   [e] transmitting the second TMV to the target system for processing by the target system.

The Examiner’s Findings

The Examiner relies upon Friedrichs⁵ as teaching all limitations of claim 1 except for limitation [d], for which reliance is placed on Gupta.⁶ Ans. 6-7.

⁵ The Examiner relies upon Friedrichs’s paragraphs [0008]-[0009], [0016]-[0020], [0028]-[0037], and [0040]-[0044].
⁶ The Examiner relies upon Gupta’s Abstract and paragraphs [0008] and [0154]-[0165].

Appellant’s Contentions

Appellant characterizes Friedrichs as a “system that analyzes network traffic, identifies security threats in the network traffic, and provides alerts based on the identified security threats.” Br. 6. Appellant argues that paragraphs [0016]-[0020] and [0040]-[0044] of Friedrichs do not teach limitation [b] (Br. 6-7) and that Gupta does not teach limitation [d] (Br. 8).
Analysis

As a preliminary matter, we agree with the Examiner that the described and claimed “TMV” is a data structure that describes a threat.⁷ Ans. 12.

Appellant argues that Friedrichs does not teach generating a computer-actionable TMV that specifies at least one system type affected by a threat and identifies a release level for the system type. See Br. 6. Appellant characterizes Friedrichs as merely disclosing uploading security events in network traffic to a database server and analyzing the security events to identify threats to a network. Appellant admits that Friedrichs discloses generating alerts, based on identified security threats in network traffic, that may be provided to target systems. However, in Appellant’s view, the Friedrichs disclosure does not amount to generating and transmitting a TMV as required by claims 1 and 9; Friedrichs merely aggregates security events. See Br. 7.

According to the Examiner, the cited portions of Friedrichs disclose events aggregated from multiple sources that are analyzed and distributed. The distributed information is supplemented with demographic and geographic information, including fields related to the type of network, applications or operating systems, and security measures implemented on the network. An “all events database” analyzes security events based on event type, location, type of network, etc. The “product database” provides information regarding vendor, product, and version. Aggregated and analyzed data is distributed via email. Ans. 12-14. The Examiner concludes from this characterization that Friedrichs teaches limitation [b], and we agree. We find that the first TMV described by claim 1 encompasses the Friedrichs email sent to various clients.

⁷ Application Fig. 4 and relevant Specification description.
As to limitation [d], Appellant disagrees with the Examiner that Gupta teaches (1) generating a computer-actionable second TMV in response to receiving a notification from a target system and (2) that the second TMV includes a field that identifies instructions for removing an intrusion. In Appellant’s view, Gupta merely discloses identifying computer attacks and downloading appropriate countermeasures that are relevant to a target platform. See Br. 8. The Examiner disagrees, and we concur with the Examiner. Rather than repeat the Examiner’s position, we adopt as our own the Examiner’s findings and conclusions as set forth in the Answer at pages 16-18. We are, therefore, not persuaded of error as to the rejection of claim 1.

Claim 9, written in computer-readable program code format, has limitations similar to those of claim 1. Based on our analysis with respect to claim 1, we sustain the rejection of claim 9 as well. We also sustain the rejection of dependent claim 12, not separately argued.

For the reasons set forth above with respect to claim 1, we sustain the rejection of dependent claims 7 and 8, not separately argued.

REJECTION 3: CLAIM 20

Appellant separately argues independent claim 20. Br. 9. Claim 20 is reproduced below with the disputed limitation emphasized.

20. A computer security threat management system, comprising:
   means for receiving a notification of a test that detects intrusion of a computer security threat;
   means for generating a computer-actionable Threat Management Vector (TMV) from the notification that was received, the TMV including therein a computer-readable field that provides identification of at least one system type that is affected by the computer security threat, a computer-readable field that provides identification of a release level for the system type, and a computer-readable field that provides identification of the test that detects intrusion of the computer security threat for a system type and a release level;
   means for transmitting the TMV that is generated to a plurality of target systems;
   means for receiving the TMV that is generated, at the plurality of target systems; and
   means for performing the test that detects intrusion of the computer security threat, at the target system, in response to receipt of the TMV.

Analysis

The Examiner lumps together the description of the rejections of claims 1, 9, and 20. See Ans. 6-7. The Examiner relies upon the teachings of Friedrichs and Gupta with respect to the rejection of claim 20. See Ans. 20. Appellant correctly points out that the Examiner does not address the specific language of claim 20 directed to “identification of the test that detects intrusion.” See Br. 9.

Because the Examiner has not addressed the specific language of claim 20, in particular the “identification of the test that detects intrusion,” and it is not readily apparent to us where in Friedrichs or Gupta that limitation is taught, the Examiner has not met the initial burden of establishing a prima facie case as to claim 20. Therefore, we will not sustain the rejection of claim 20.

REJECTION 4

Appellant separately argues claim 2.
Claim 2 depends from claim 1 and adds the limitation that “the first TMV further includes a computer-readable field that provides identification of a possible countermeasure for a system type and a release level.” The Examiner relies upon Liu as teaching the added limitation. See Ans. 7 (citing Liu 262, § 2).

We have reviewed the Liu reference. Section 2, titled “Automated Security Checking and Patching,” describes a Securibot that automatically checks for a “vulnerability” and patches it. An example describes determining whether a patch is required, based on a version level of RedHat Linux, by checking whether the version of the lpd package is lower than a specified value. Ans. 7; see Liu 262. We also note the Liu Abstract, which states (footnote omitted): “[T]he Securibot framework allows system vendors to publish recently discovered security weaknesses and new patches in a machine-readable form so that the Securibot system running on deployed systems can automatically check out security updates and apply the patches.” We also note that Gupta describes the use of countermeasures as well. See Gupta Abstract.

We conclude that the countermeasure limitation set forth in claim 2 is disclosed and are therefore not persuaded of error as to the rejection of claim 2.

REJECTION 5

Claim 5

Independent claim 5, with disputed limitations emphasized, is set forth below.

5. A method of disseminating instructions for removing an intrusion of a computer security threat, comprising:
   receiving a notification of a computer security threat;
   generating a computer-actionable first Threat Management Vector (TMV) from the notification that was received, the first TMV including therein a computer-readable field that provides identification of at least one system type that is affected by the computer security threat, and a computer-readable field that provides identification of a release level for the system type;
   transmitting the first TMV that is generated to a plurality of target systems for processing by the plurality of target systems;
   generating a null TMV in response to receiving a notification from a target system, included in the plurality of target systems, that intrusion of the computer security threat has been detected, the null TMV including therein a computer-readable field that identifies that no instructions are available for removing the intrusion of the computer security threat that was detected; and
   transmitting the null TMV that is generated to the target system for processing by the target system.

The Examiner relies upon Banzhof as teaching a “null TMV.” Ans. 8. The Examiner reasons that “the only difference between the ‘TMV’ recited in claims 1 and 9 and the ‘null TMV’ recited in claim 5 is the ‘TMV’ has ‘instructions for removing the intrusion’ while the ‘null TMV’ has ‘no instructions are available for removing the intrusion.’” Ans. 18 (emphasis omitted). Appellant argues that the “null TMV” has a specific meaning, namely that “instructions are not available for removing a computer security threat that was detected by the target system.” See Br. 8. We note Specification [0022], which supports Appellant’s position.
According to Appellant, and we agree, Banzhof discloses a “remediation signature,” which is a “group of actions which address or resolve a subject vulnerability by modifying settings, changing security permissions, installing patches, etc.” See Br. 8-9. We have reviewed the cited portions of Banzhof and find no specific teaching directed to a “null TMV.” We are not satisfied by the Examiner’s reasoning that if there are no instructions, the TMV is necessarily a “null TMV” per the claim language. We are, therefore, persuaded of error and do not sustain the rejection of claim 5.

For the reasons set forth above with respect to claim 5, we also will not sustain the rejection of dependent claim 6, not separately argued.

Claim 11

Appellant separately argues dependent claim 11, beginning at Brief page 10. Claim 11, set forth below with disputed limitations emphasized, depends from claim 9 but adds the limitation that the TMV identifies applicable tests.

11. A computer program product according to Claim 9:
   wherein the first TMV further includes a computer-readable field that provides identification of a plurality of tests for a system type and a release level; and
   wherein the computer-readable program code is configured to perform the test comprise computer-readable program code that is configured to perform the plurality of tests that detect intrusion of the computer security threat, at the target system in response to receiving the first TMV.

Appellant argues that claim 11 requires that the first TMV identify tests relevant to the system type and release level set forth in the first TMV, and code necessary to perform the identified tests. Banzhof teaches only a “remediation signature” that performs specific remediation actions. See Br. 10. The Examiner’s position is that the combination of Friedrichs, Gupta, and Banzhof teaches all the limitations of claim 11.
The Examiner’s mapping of claim 11 talks about instructions for removing an intrusion, but does not address the language of claim 11 requiring a plurality of tests and performing those tests. Ans. 10-11. The Examiner responds to Appellant’s argument directed to claim 11 by indicating that the references cannot be attacked individually. Ans. 20. We do not see any rebuttal from the Examiner as to Appellant’s arguments directed to the specific language of claim 11. We therefore are persuaded of error and do not sustain the rejection of claim 11.

ORDER

The Examiner’s decision rejecting claims 1, 2, 7-9, and 12 is affirmed.

The Examiner’s decision rejecting claims 5, 6, 11, and 20 is reversed.

No time period for taking any subsequent action in connection with this appeal may be extended under 37 C.F.R. § 1.136(a)(1). See 37 C.F.R. § 1.136(a)(1)(iv) (2010).

AFFIRMED-IN-PART