Ex Parte Poletto et al
Board of Patent Appeals and Interferences
Jun 25, 2012
10701353 (B.P.A.I. Jun. 25, 2012)

UNITED STATES PATENT AND TRADEMARK OFFICE
UNITED STATES DEPARTMENT OF COMMERCE
United States Patent and Trademark Office
Address: COMMISSIONER FOR PATENTS P.O. Box 1450 Alexandria, Virginia 22313-1450 www.uspto.gov

APPLICATION NO.: 10/701,353
FILING DATE: 11/03/2003
FIRST NAMED INVENTOR: Massimiliano Antonio Poletto
ATTORNEY DOCKET NO.: RIV-0500
CONFIRMATION NO.: 5157

87555 7590 06/25/2012
Riverbed Technology Inc. - PVF
c/o PARK, VAUGHAN, FLEMING & DOWLER LLP
2820 Fifth Street
Davis, CA 95618

EXAMINER: TRAN, ELLEN C
ART UNIT / PAPER NUMBER: 2433
MAIL DATE: 06/25/2012
DELIVERY MODE: PAPER

Please find below and/or attached an Office communication concerning this application or proceeding. The time period for reply, if any, is set in the attached communication.

UNITED STATES PATENT AND TRADEMARK OFFICE
____________________
BEFORE THE BOARD OF PATENT APPEALS AND INTERFERENCES
____________________
Ex parte MASSIMILIANO ANTONIO POLETTO and BENJAMIN WILKEN
____________________
Appeal 2010-001214
Application 10/701,353
Technology Center 2400
____________________

Before: JOSEPH L. DIXON, THU A. DANG, and JAMES R. HUGHES, Administrative Patent Judges.

DIXON, Administrative Patent Judge.

DECISION ON APPEAL

STATEMENT OF CASE

Appellants appeal under 35 U.S.C. § 134 from a rejection of claims 1-22. We have jurisdiction under 35 U.S.C. § 6(b). We affirm.

The claims are directed to detection of scanning attacks. Claim 1, reproduced below, is illustrative of the claimed subject matter:

1.
A method comprising:
detecting scans emanating from hosts;
analyzing records of scans to determine receivers of a scan and to determine which of those receivers of scans later became sources for a subsequent scan; and
reconstructing the path by which a worm spread based on the analyzed records; and
sending notification of the reconstructed path to a console.

REFERENCES

The prior art relied upon by the Examiner in rejecting the claims on appeal is:

Zuk          US 2003/0154399 A1    Aug. 14, 2003
Porras       US 6,711,615 B2       Mar. 23, 2004
Baba         US 7,051,369 B1       May 23, 2006
Silverman    US 7,107,619 B2       Sept. 12, 2006

REJECTIONS

Claims 1, 7, and 13 stand rejected under 35 U.S.C § 103(a) as being unpatentable over Baba and Silverman.

Claims 2, 8, and 14 stand rejected under 35 U.S.C § 103(a) as being unpatentable over Baba, Silverman, and Zuk.

Claims 3, 4, 9, 10, 15, and 16 stand rejected under 35 U.S.C § 103(a) as being unpatentable over Baba, Silverman, Zuk, and Porras.

Claims 5, 6, 11, 12, 15, and 17-22 stand rejected under 35 U.S.C § 103(a) as being unpatentable over Baba, Silverman, and Porras.

ANALYSIS

Appellants have elected to group independent claims 1, 7, and 13 together as a single group. (App. Br. 6). Therefore, we will address Appellants' arguments with respect to independent claim 7 which Appellants have set forth in their arguments as the representative claim.

We note that Appellants' arguments generally follow the format of reciting the language of the claim, then reciting a portion of the teachings of the prior art references then a conclusory statement that the prior art relied upon by the Examiner does not teach or suggest the respective claim language.

With respect to representative claim 7, Appellants contend that "Baba combined with Silverman does not teach to determine receivers of a scan and which receivers later became sources for a subsequent scan" (App. Br. 7) (emphasis omitted).
We disagree with Appellants' contention and find it to be merely a conclusory statement without a supporting line of reasoning.

Appellants further contend that "Silverman does not teach the zombie as an obvious variant of a worm." (App. Br. 8) (emphasis omitted). Appellants repeat proffered descriptions of a zombie and a worm and contend that the two are not equivalent (id. at 8). While we agree with Appellants' descriptions, we find no error in the Examiner's application of the prior art teachings to essentially maintain that the zombie/commandeered computer is formed by a replication from the master and attempts to effectuate replication to make additional zombies which may be deemed a form of a worm malware since it is replicated. (Ans. 4). We find Appellants' contention to be unavailing of error in the Examiner's showing of obviousness of representative claim 7.

While Appellants contend that zombies are not equivalent to receivers of scans that later became sources for a subsequent scan (App. Br. 8), Appellants provide no line of reasoning to support this contention. Appellants contend that the claimed features are directed to detection of the presence of scanning attacks and then infer the presence of a worm attack (App. Br. 8), but this argument is not commensurate in scope with the express language of representative claim 7.

Appellants reiterate that Silverman merely "traces traffic from the zombie," while "claim 1 requires analyzing records of scans, which Silverman does not teach, to determine which receivers of scans later become sources of subsequent scans, which Silverman also does not teach." (App. Br. 9).
While we agree with Appellants that the express language of representative claim 7 is not found in the teachings of Silverman, we find no error in the Examiner’s finding that the relied upon portions of Silverman in columns 4 and 5 clearly identify that defending against malware attacks can be processed by Internet Service Provider (ISP) trace records of traffic in an area and used to identify suspicious activity. (Ans. 5). We agree with the Examiner that these teachings along with the teachings of the Baba reference with respect to port scans to detect attacks entering a network would have taught and fairly suggested analyzing records of scans to determine receivers of a scan and determine which of those receivers of scans later become sources for a subsequent scan to reconstruct the path which malware (worm) spread." Clearly, the prior art teaches and fairly suggests monitoring and detecting port scans whether they be by a hacker manually or by a hacker using software based malware which may then replicate itself and continue the process. Therefore, we find Appellants' argument unpersuasive of error in the Examiner's showing of obviousness of representative claim 7.

With respect to dependent claims 2, 8, and 14, we address claim 8 as the representative claim as argued by Appellants. (App. Br. 9). Appellants maintain that the signature of the Zuk reference "would not encompass 'instructions to examine ports used by the worm to determine which services were exploited by the scan.'" (Id.) We disagree with Appellants and find that for the Zuk reference to utilize a signature of a worm, the system would have to have used instructions to examine the ports as disclosed by the combination of Baba and Silverman.
Therefore, we find Appellants' argument to be unpersuasive of error in the Examiner's showing of obviousness.

With respect to dependent claims 3, 4, 9, 10, 15, and 16, Appellants group these claims together as standing or falling with representative claim 9. (App. Br. 10). Appellants contend that the teachings of the Porras reference regarding domains do not suggest the claimed feature of "sets of hosts scanned as used by Appellant[s] are computers that were victimized by a scan attack." (Id.) Appellants have identified no express definition for "sets of hosts scanned" in the Specification, and we find no antecedent basis for "the sets of hosts scanned" in claim 9 as it depends from independent claim 7 to further give context to the proffered distinction in the language. Therefore, Appellants' argument does not show error in the Examiner's reliance upon the teachings of Porras (column 4) with respect to correlating activity reports produced across a set of monitored domains to focus on network-wide threats including worm-like attacks in combination with the teachings of Baba, Silverman, and Zuk. Therefore, Appellants have not shown error in the Examiner's showing of obviousness of representative claim 9.

With respect to claims 5 and 11, Appellants address representative claim 11. (App. Br. 10-11). Appellants contend that the teachings of Porras do not describe or suggest instructions to determine ports that a worm spread through to identify vulnerable services in the hosts. We disagree with Appellants and find that for the Porras reference to utilize analysis for worm and port scans as discussed above, the combination would have to have used instructions to examine the ports as disclosed by the combination of Baba and Silverman.
Appellants maintain that the combination of references does not teach or suggest reconstructing the path by which the worm spread based on analyzed records of scans and that therefore there would be no motivation to determine the ports that a worm spread through to identify vulnerable services in the hosts. (App. Br. 11). We disagree with Appellants because we find no error in the Examiner’s finding that the combination of Baba and Silverman teach and suggest reconstructing the path. (Ans. 3-4 and 20-21). Appellants have identified no express definition or interpretation of "reconstructing" and we find the Examiner's application of the prior art teachings to be reasonable in light of the broad claim language. Therefore, we find Appellants' argument to be unpersuasive of error in the Examiner's showing of obviousness of representative claim 11.

With respect to claims 6 and 12, Appellants contend that the combination does not teach the claimed limitation and that a scan detection process to determine those that were targets of scans is not taught by Porras. (App. Br. 11-12). Appellants proffer a distinction based upon a distinction between a scan attack and a scan detection process in the Specification at pages 20-22. We find Appellants' argument unavailing since we find the combination of Baba and Silverman teaches and suggests a scan detect process which would have been instructions to carry the process out and Porras further teaches and suggests the process specifically with respect to malware worms. Therefore, we find Appellants' argument unpersuasive of error in the Examiner's showing of obviousness of dependent claim 12.

With respect to claims 17, 19, and 21, Appellants address claim 19 as the representative claim. (App. Br. 12). Appellants contend that none of the references provide any explicit teaching of "host-pairs." (App. Br. 13). Appellants contend that host pairs are "derivable from the connection table" (App.
Br. 13; fn. 20). Appellants' argument is not commensurate in scope with the express language of dependent claim 19 since a connection table is not recited nor a derivation therefrom in the dependent claim 19 or its parent claims. Therefore, Appellants' argument is not persuasive of error in the Examiner's showing of obviousness. Appellants further argue "reconstructing", but reconstructing is not found in the additional limitations or in the step of analyzing. We rely on our above discussion for "reconstructing." Therefore, Appellants' argument does not show error in the Examiner's showing of obviousness.

With respect to claims 18, 20, and 22, Appellants set forth arguments with respect to representative claim 20. (App. Br. 13-14). Appellants repeat the language of the claim and the portions of the reference identified by the Examiner and maintain that Porras does not "determine which port [of] the host that spread the scan used to connect to the subsequent host." We find Appellants' argument to be unavailing and find that the combined teachings of the references would have taught and fairly suggested instructions to determine the port as discussed above. Therefore, we sustain the rejection of representative dependent claim 20.

CONCLUSIONS OF LAW

Appellants have not shown error in the Examiner's showing of obviousness of representative independent claim 7.

DECISION

For the above reasons, the Examiner’s rejections of claims 1-22 are affirmed.

No time period for taking any subsequent action in connection with this appeal may be extended under 37 C.F.R. § 1.136(a)(1)(iv) (2011). See 37 C.F.R. § 41.50(f).

AFFIRMED

llw