14496032 (P.T.A.B. Mar. 27, 2018)

Ex Parte Palumbo et al

Patent Trial and Appeal BoardMar 27, 2018

14496032 (P.T.A.B. Mar. 27, 2018)

UNITED STA TES p A TENT AND TRADEMARK OFFICE APPLICATION NO. FILING DATE 14/496,032 09/25/2014 29683 7590 03/29/2018 Harrington & Smith, Attorneys At Law, LLC 4 RESEARCH DRIVE, Suite 202 SHELTON, CT 06484-6212 FIRST NAMED INVENTOR Paolo PALUMBO UNITED STATES DEPARTMENT OF COMMERCE United States Patent and Trademark Office Address: COMMISSIONER FOR PATENTS P.O. Box 1450 Alexandria, Virginia 22313-1450 www .uspto.gov ATTORNEY DOCKET NO. CONFIRMATION NO. 060B.0074.Ul(US) 1022 EXAMINER HAILU, TESHOME ART UNIT PAPER NUMBER 2434 NOTIFICATION DATE DELIVERY MODE 03/29/2018 ELECTRONIC Please find below and/or attached an Office communication concerning this application or proceeding. The time period for reply, if any, is set in the attached communication. Notice of the Office communication was sent electronically on above-indicated "Notification Date" to the following e-mail address( es): USPTO@HSPATENT.COM PTOL-90A (Rev. 04/07) UNITED STATES PATENT AND TRADEMARK OFFICE BEFORE THE PATENT TRIAL AND APPEAL BOARD Ex parte PAOLO PALUMBO and ANDREW PATEL Appeal2017-007538 Application 14/496,032 Technology Center 2400 Before ALLEN R. MacDONALD, IRVINE. BRANCH, and JOSEPH P. LENTIVECH, Administrative Patent Judges. LENTIVECH, Administrative Patent Judge. DECISION ON APPEAL Pursuant to 35 U.S.C. Â§ 134(a), Appellants 1 appeal from the Examiner's decision to reject claims 1-18 and 20. Claim 19 has been canceled. See App. Br. 21 (Claims App'x.). We have jurisdiction over the pending claims under 35 U.S.C. Â§ 6(b). We affirm. 1 According to Appellants, the real party in interest is F-Secure Corporation. App. Br. 2. Appeal2017-007538 Application 14/496,032 STATEMENT OF THE CASE Appellants 'Invention Appellants' invention generally "relates to analysis of unknown files to detect potential malware." Spec. 1:6. Claim 1, which is illustrative, reads as follows: 1. A method of inspecting a file on a client computer in order to determine if the file is malicious and improve the anti-malware protection of the client computer, the method comprising: at the client computer: sending a hash of the file to a server; at the server: comparing the hash of the file to a database of hashes of known files; using results of the comparison to determine whether or not the file is unknown to the server; in the case that the file is unknown: sending a request for a first security analysis of the file to the client computer; at the client computer: in response to receiving the request, performing said first security analysis on the file; modifying the results of the first security analysis by removing selected data from the results; sending the modified results of the first security analysis to the server; and at the server: performing a second security analysis on the modified results m order to determine if the file is malicious. 2 Appeal2017-007538 Application 14/496,032 Rejection Claims 1-18 and 20 stand rejected under 35 U.S.C. Â§ 103(a) as being unpatentable over the combination of Gryaznov (US 8,438,637 Bl; issued May 7, 2013) and Cocotis et al. (US 2002/0112162 Al; published Aug. 15, 2002) ("Cocotis"). Final Act. 3-9. ANALYSIS Claim 1 MODIFYING THE RESULTS OF THE FIRST SECURITY ANALYSIS Appellants contend the combination of Gryaznov and Cocotis fails to teach or suggest "modifying the results of the first security analysis by removing selected data from the results," as recited in claim 1, and similarly recited in independent claims 8, 16, and 18. App. Br. 8-11; Reply Br. 3-7. Appellants argue removing a file from a file list, as taught by Cocotis, "is clearly not the same as removing (modifying) the results of a security analysis performed on a (single) file as disclosed in claim 1." App. Br. 9; Reply Br. 5-6. Appellants further argue "Cocotis teaches removing an entire file from consideration by a method, rather than removing only those parts or selected data of the file." App. Br. 10 (underlining omitted); see also Reply Br. 6. Appellants argue: even if the skilled person were to consider the disclosure of Cocotis in the context of Gryaznov, he would surely only consider applying it to avoid sending files (or parts of files) from the client to the server that the server already has. Confidentiality would not be enhanced in any way. App. Br. 1 O; see also Reply Br. 6-7. 3 Appeal2017-007538 Application 14/496,032 We do not find Appellants arguments persuasive. The Examiner finds Gryaznov teaches or suggests performing the claimed "first security analysis" on potentially malicious data (e.g., a file). Final Act. 4; Ans. 9 (citing Gryaznov 8:5-15). The Examiner finds Cocotis teaches that the client creates a modified list by removing a file from a list of files received from the server and, therefore, teaches or suggests "modifying by removing selected data." Final Act. 5-6; Ans. 9-10 (citing Cocotis i-f 63). As such, the Examiner is relying on the combined teachings of Gryaznov and Cocotis to teach or suggest the argued limitation and not merely Cocotis. Appellants' arguments do not take into account what the collective teachings of the references would have suggested to one of ordinary skill in the art and are therefore ineffective to rebut the Examiner's prima facie case of obviousness. See In re Keller, 642 F.2d 413, 425 (CCPA 1981). The test for obviousness is not whether the features of a secondary reference may be bodily incorporated into the structure of the primary reference; nor is it that the claimed invention must be expressly suggested in any one or all of the references. Rather, the test is what the combined teachings of the references would have suggested to those of ordinary skill in the art. (Citations omitted). This reasoning is applicable here as Appellants fail to explain why Cocotis' teaching of modifying a result by removing selected data is not combinable with the teaching of Gryaznov. We are not persuaded by Appellants' arguments that "[ c ]onfidentiality would not be enhanced in any way" (App. Br. 10) and "[b ]oth the server and the client though both possess all of the files in the unmodified list, i.e. no information is held back from either the client or the server" (App. Br. 11) because they are not commensurate with 4 Appeal2017-007538 Application 14/496,032 the scope of the claim. Claim 1 does not recite that the removed data is non- duplicate data (e.g., data already possessed by the server). Nor does claim 1 require the removing of data to enhance confidentiality. Claim 1 merely recites "removing selected data." Accordingly, we are not persuaded the Examiner erred in finding the combination of Gryaznov and Cocotis teaches or suggests the disputed limitations. IMPROPER COMBINATION Appellants contend the combination of Gryaznov and Cocotis is improper. App. Br. 11-13; Reply Br. 7-11. Appellants argue "Gryaznov and Cocotis are clearly in conflict and cannot be combined" because Cocotis teaches that the server digital signature of the local content file has already been successfully validated and "in Gryaznov the client has apparently not validated a server digital certificate as the client of Gryaznov has detected that potentially malicious data has not been received" (App. Br. 11-12 (citing Cocotis i-f 61) (underlining omitted)). Appellants argue modifying Gryaznov with the teachings of Cocotis would create a conflict because: [T]he client of Gryaznov would not detect the potentially malicious data as the client 16 of Cocotis does not appear to detect or use potential malicious activity to prevent use of a malicious file. As similarly stated above, in Cocotis it need only be that the server digital certificate is successfully validated in order to confirm that the local file is safe to display. It is respectfully submitted that for at least these reasons the client in Gryaznov cannot both detect potentially malicious data and at the same time determine that the server digital signature of the local content file has already been successfully validated and the content can thus be safely displayed as in Cocotis. App. Br. 13 (underlining omitted). 5 Appeal2017-007538 Application 14/496,032 We do not find Appellants' arguments persuasive. "[I]t is not necessary that the inventions of the references be physically combinable to render obvious the invention under review." In re Sneed, 710 F.2d 1544, 1550 (Fed. Cir. 1983). The relevant inquiry is whether the claimed subject matter would have been obvious to those of ordinary skill in the art in light of the combined teachings of those references. See Keller, 642 F.2d at 425. Further, the Examiner relies upon Cocotis for teaching or suggesting that a result may be modified by removing portions of data therefrom and not for determining whether the server digital signature of the local content file has already been successfully validated. Accordingly, we are not persuaded the Examiner erred in combining Gryaznov and Cocotis. For the foregoing reasons, we are not persuaded the Examiner erred in rejecting independent claims 1, 8, 12, and 16-18; and claims 2--4, 9--11, and 13-15, which dependent from claims 1, 8, and 12 and are not separately argued. Claim 5 Appellants contend the combination of Gryaznov and Cocotis fails to teach or suggest "wherein the database of hashes of known files comprises a list of files on which analysis has been requested, and the method comprises: at the server, in response to sending the request for analysis: adding the file to the list of files on which analysis has been requested," as recited in claim 5. App. Br. 13; Reply Br. 11-13. Appellants argue: Gryaznov as cited simply discloses that if it is determined in decision 502 that notification from the client of detection of the potentially malicious data has been received, then in 6 Appeal2017-007538 Application 14/496,032 operation 504 portions of the potentially malicious data are requested from a plurality of devices, and as an option, each of the requests for a portion of the potentially malicious data may include an identifier of the potentially malicious data, an indication of the portion requested (e.g., using a starting point, size, ending point, etc. of the portion), etc. Gryaznov does not disclose that the decision 502 includes, in response to sending the request for analysis, adding the file to the list of files on which analysis has been requested. App. Br. 13; see also Reply Br. 12-13. We do not find Appellants' arguments persuasive. Gryaznov teaches that a notification ("first notification") may be received from a client in response to the detection of the potentially malicious data by the client. Gryaznov 7:22-24. The notification may be compared against additional notifications received from additional clients to determine whether more than one client has detected the potentially malicious data. Gryaznov 7:30- 34. Gryaznov, therefore, teaches or suggests that the potentially malicious data identified in the first notification is compared to the potentially malicious data identified in the additional notifications. Gryaznov, therefore, teaches or suggests that the potentially malicious data identified in the first notification is compared to a list of potentially malicious data (e.g., the potentially malicious data identified in the additional notifications). Because, as discussed supra, Gryaznov teaches requesting portions of the potentially malicious data upon determining that a notification has been received from a client, Gryaznov teaches or suggests that analysis had been requested for each of the additional notifications. Although Gryaznov does not expressly teach that the first notification is added to the additional notifications, one of ordinary skill in the art at the time of Appellants' invention would understand that, upon receiving a subsequent notification, 7 Appeal2017-007538 Application 14/496,032 the subsequent notification would be compared to the additional notifications as well as the first notification in order to determine whether more than one client has detected the potentially malicious data identified in the subsequent notification. Accordingly, we are not persuaded the Examiner erred in rejecting claim 5. Claims 6 and 7 Appellants' contentions regarding claims 6 and 7 merely include a recitation of the corresponding limitations recited in the claims and respective statements contending Gryaznov does not disclose these limitations. See App. Br. 14; Reply Br. 13-15. Appellants do not address the Examiner's findings with respect to claims 6 and 7 and offer no explanation or reasoning as to how or why the cited portions of Gryaznov fail to teach or suggest the limitations of claims 6 and 7. Because Appellants do not provide any explanation or reasoning as to how or why Gryaznov fails to disclose the respective limitations, these contentions are unpersuasive. See 37 CPRÂ§ 41.37(c)(l)(iv) ("The arguments shall explain why the examiner erred as to each ground of rejection contested by appellant. . . . [A ]ny arguments or authorities not included in the appeal brief will be refused consideration by the Board for purposes of the present appeal.") (emphasis added). Moreover, arguments not made are deemed waived. See id. Cf In re Baxter Travenol Labs., 952 F.2d 388, 391 (Fed. Cir. 1991) ("It is not the function of this court to examine the claims in greater detail than argued by an [A ]ppellant[ s ], looking for nonobvious distinctions over the prior art."). 8 Appeal2017-007538 Application 14/496,032 Accordingly, we are not persuaded the Examiner erred in rejecting claims 6 and 7. Claim 20 Appellants contend the combination of Gryaznov and Cocotis fails to teach or suggest "wherein modifying the results comprises: hashing the selected data; and including the hash of the selected data in the results," as recited in claim 20. App. Br. 14--15; Reply Br. 16-17. Appellants argue: Gryaznov as cited discloses that an individual device receiving a request for a portion of the potentially malicious data may create a checksum for their respective portion of the potentially malicious data using the hash algorithm, and, in another embodiment, the checksum may be coupled to the requested portion. However, Gryaznov does not disclose that this checksum is part of modifying the results of the first security analysis by removing selected data from the results as in claim 1. For this matter, if the selected results were removed in Gryaznov (as in claim 1) then there would be no respective portion of potentially malicious data to identify using the hash algorithm. App. Br. 14--15. We do not find Appellants' arguments persuasive. As discussed supra, with respect to claim 1, from which claim 20 depends, the Examiner finds Cocotis teaches or suggests modifying a result by removing selected data from the result. Ans. 9 (citing Cocotis i-f 63). The Examiner finds Gryaznov teaches hashing the requested portions of the potentially malicious data. Ans. 14 (citing Gryaznov 8:8-15). As such, the Examiner finds the combination of Gryaznov and Cocotis teaches or suggests the limitations recited in claim 20. Appellants' arguments do not address the combined teachings of the references and, therefore, are unpersuasive of error. See Keller, 642 F.2d at 425. 9 Appeal2017-007538 Application 14/496,032 Accordingly, we are not persuaded the Examiner erred in rejecting claim 20. DECISION We affirm the Examiner's rejection of claims 1-18 and 20 under 35 U.S.C. Â§ 103(a). No time period for taking any subsequent action in connection with this appeal may be extended under 37 C.F.R. Â§ 1.136(a)(l )(iv). AFFIRMED 10