Ex Parte Palliyil et alDownload PDFBoard of Patent Appeals and InterferencesAug 21, 201210735509 (B.P.A.I. Aug. 21, 2012) Copy Citation UNITED STATES PATENT AND TRADEMARK OFFICE ____________ BEFORE THE BOARD OF PATENT APPEALS AND INTERFERENCES ____________ Ex parte SUDARSHAN PALLIYIL, SHIVAKUMARA VENKAT SHAMURTHY, and TEJASVI ASWATHANARAYANA ____________ Appeal 2010-001051 Application 10/735,509 Technology Center 2400 ____________ Before CARLA M. KRIVAK, CARL W. WHITEHEAD, JR., and ANDREW J. DILLON, Administrative Patent Judges. WHITEHEAD, JR., Administrative Patent Judge. DECISION ON APPEAL Appeal 2010-001051 Application 10/735,509 2 STATEMENT OF THE CASE Appellants appeal under 35 U.S.C. § 134 from the rejection (mailed March 13, 2008) of claims 24-44. Appeal Brief 2. We have jurisdiction under 35 U.S.C. § 6(b) (2002). We affirm. Introduction The invention uses a comparison of hash values computed from the bit patterns representing stored files to identify which files have changed since the last virus scan and therefore avoids full virus scanning of files which have not been changed since the last scan. Appeal Brief 3. Illustrative Claim 24. A method comprising the steps of: computing first hash values derived from and representing a plurality of replicas of a resource, wherein the replicas are stored on respective data processing systems within a network; a) storing the computed first hash values; b) computing current hash values for the replicas of the resource; c) comparing the current and first hash values in order to identify whether all the hash values match, wherein nonmatching first and current hash values for a respective one of the replicas indicates the respective one of the replica has changed since the computing of the first hash value; d) detecting that a vulnerability exists responsive to the hash value comparison indicating more than a predetermined number of Appeal 2010-001051 Application 10/735,509 3 changed replicas of the resource, and that no vulnerability exists responsive to the hash value comparison indicating less than or equal to the predetermined number of changed replicas, wherein the predetermined number is at least one; and e) presenting a message for a user indicating a vulnerability, wherein the presenting is responsive to the predetermined number being exceeded. (disputed claim limitation emphasized). Rejections on Appeal Claims 24-29, 31-36, and 38-43 stand rejected under 35 U.S.C. § 103(a) as being unpatentable over Radatti (U.S. Patent Number 7,143,113 B2; issued November 28, 2006) and Szor (U.S. Patent Application Publication Number 2005/0022018 A1; published January 27, 2005). Answer 3-6. Claims 30, 37, and 44 stand rejected under 35 U.S.C. § 103(a) as being unpatentable over Radatti, Szor, and Okamoto (Takeshi Okamoto and Yoshiteru Ishida, A Distributed Approach against Computer Viruses Inspired by the Immune System, ICICE Trans. Commun., Vol. E83 B, No.5, 908-15 (2000)). Answer 7-8. Issue on Appeal Do Radatti and Szor, either alone or in combination, disclose “detecting that a vulnerability exists responsive to the hash value comparison indicating more than a predetermined number of changed replicas of the resource, and that no vulnerability exists responsive to the hash value comparison indicating less than or equal to the predetermined Appeal 2010-001051 Application 10/735,509 4 number of changed replicas, wherein the predetermined number is at least one,” as recited in claim 24? ANALYSIS Appellants contend that the invention does not indicate “a vulnerability” unless more than one file is changed. Appeal Brief 10. Appellants argue that Radatti actually teaches away from the invention because Radatti teaches that any difference in hash value comparison (any file change) indicates “a vulnerability” and therefore is deficient. Id. The Examiner relies upon Szor to address Radatti’s deficiency and finds that: Szor discloses a local analysis center (LAC) that receives notification packets about malicious code [paragraphs 102-104]. The LAC then checks to see if an attack threshold has been exceeded which is incremented by one for each notification packet [paragraphs 108-109] then appropriate action is taken [paragraph 113]. It would have been obvious to one of ordinary skill in the art at the time of invention to modify the method of Radatti to include the functionality of the LAC of Szor in order to determine a minimum level of suspicious activity [paragraph 108]. Answer 5. Appellants argue that the Examiner’s reliance upon Szor to teach the claim limitation “the predetermined number is at least one” consequently indicating “a vulnerability” is erroneous. Appeal Brief 10. Appellants further argue that: Szor teaches a host computer monitoring calls to a critical function of an operation system and responsively sending fileless code to an LAC if the code called that function and is deemed suspicious by an attack checking operation 204, Appeal 2010-001051 Application 10/735,509 5 and then the LAC counting instances of received suspicious fileless code (or portions thereof), as explained above. Contrast this to “detecting that a vulnerability exists responsive to the hash value comparison indicating more than a predetermined number of changed replicas of the resource” . . . where hash values represent “replicas. . . stored on respective data processing systems,” as claimed, and as the rejection contends that Radatti teaches. Appeal Brief 12. However, the Examiner contends: The teachings of Szor are being applied to Radatti. The teachings of Szor in the specification are exemplary embodiments of the invention and the scope of the invention is not limited by the exemplary embodiments [paragraph 149 of Szor]. Appellants are arguing the exact components and teachings of the exemplary embodiments while the examiner relied upon the teachings of the LAC to receive notification packets about malicious code and check to see if an attack threshold has been exceeded which is incremented by one for each notification packet. The combination of the two teachings, Radatti and Szor, results in a method and apparatus that detects a change in the local replica, sends a notification to LAC, similar to the LAC of Szor, and the LAC determines when a threshold has been met and whether or not there is a security vulnerability. Answer 9. Appellants disagree with the Examiner’s contentions and argue that, “A contrary teaching of Radatti about a single changed instance weighs against the combination of Szor and Radatti, even though the rejection relies upon Szor for a particular number test, as claimed.” Reply Brief 2. Appellants conclude: Appeal 2010-001051 Application 10/735,509 6 That is, regarding the numerosity issue, the rejection points out Szor teaches that a vulnerability is indicated by more than one notification. But the notifications taught by Szor are notifications of instances of fileless code having matching signatures or parameters (or both). Szor, col. 7, lines 9-48. Counting matching notifications is in opposition to what is claimed and to the teaching of Radatti that the rejection relies upon, i.e., that a vulnerability is indicated by an occurrence of non- matching instances of a file. This issue, and the failure to address this issue, further undermines the rational underpinning of the combination presented in the rejection. Id. We do not find Appellants’ arguments to be persuasive. Appellants cite to Szor, column 7, lines 9-48, to support their argument that Szor’s counting matching notifications are in opposition to the claimed subject matter (Reply Brief 2), however, we do not find support for Appellants’ arguments within the cited portion of Szor’s incompatibly with Radatti. Further, we find nothing in Radatti that would have discouraged a person skilled in the art from making such a modification. See In re ICON Health & Fitness, Inc., 496 F.3d 1374, 1381 (Fed. Cir. 2007) (“A reference may be said to teach away when a person of ordinary skill, upon reading the reference, would be discouraged from following the path set out in the reference, or would be led in a direction divergent from the path that was taken by the applicant.” (Citation omitted)). The Examiner finds that modifying Radatti by the teachings of Szor “results in a method and apparatus that detects a change in the local replica, sends a notification to LAC, similar to the LAC of Szor, and the LAC Appeal 2010-001051 Application 10/735,509 7 determines when a threshold has been met and whether or not there is a security vulnerability” (Answer 9). We agree. Therefore, we sustain the Examiner’s rejection of independent claim 24 as well as independent claims 31 and 38 that are commensurate in scope and argued together. We also sustain the Examiner’s rejection of dependent claims 25-30, 32-37, and 39-44, whose merits are not separately argued. In re Nielson, 816 F.2d 1567, 1572 (Fed. Cir. 1987). DECISION The rejections of claims 24-44 are sustained. No time period for taking any subsequent action in connection with this appeal may be extended under 37 C.F.R. § 1.136(a)(1)(iv). See 37 C.F.R. § 41.50(f). AFFIRMED llw Copy with citationCopy as parenthetical citation
