Ex Parte Poletto et al
Patent Trial and Appeal Board
Oct 25, 2012
10701356 (P.T.A.B. Oct. 25, 2012)

UNITED STATES PATENT AND TRADEMARK OFFICE
UNITED STATES DEPARTMENT OF COMMERCE
United States Patent and Trademark Office
Address: COMMISSIONER FOR PATENTS, P.O. Box 1450, Alexandria, Virginia 22313-1450, www.uspto.gov

APPLICATION NO.: 10/701,356
FILING DATE: 11/03/2003
FIRST NAMED INVENTOR: Massimiliano Antonio Poletto
ATTORNEY DOCKET NO.: RIV-0530
CONFIRMATION NO.: 5155

87555 7590 10/26/2012
Riverbed Technology Inc. - PVF, c/o PARK, VAUGHAN, FLEMING & DOWLER LLP, 2820 Fifth Street, Davis, CA 95618

EXAMINER: MEHRMANESH, ELMIRA
ART UNIT: 2113
MAIL DATE: 10/26/2012
DELIVERY MODE: PAPER

Please find below and/or attached an Office communication concerning this application or proceeding. The time period for reply, if any, is set in the attached communication.

PTOL-90A (Rev. 04/07)

UNITED STATES PATENT AND TRADEMARK OFFICE

BEFORE THE PATENT TRIAL AND APPEAL BOARD

Ex parte MASSIMILIANO ANTONIO POLETTO, ANDREW RATIN, and ANDREW GORELIK

Appeal 2010-005229
Application 10/701,356
Technology Center 2100

Before HOWARD B. BLANKENSHIP, JUSTIN T. ARBES, and BRYAN F. MOORE, Administrative Patent Judges.

MOORE, Administrative Patent Judge.

DECISION ON APPEAL

This is a decision on appeal under 35 U.S.C. § 134(a) of the final rejection of claims 1-9, 11, 12, 19-28, 30, and 34-36. App. Br. 4.[1] Claims 10, 13-18, 29, and 31-33 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims. Id. We have jurisdiction under 35 U.S.C. § 6(b).

We AFFIRM-IN-PART the Examiner’s rejection of these claims.

[1] The Examiner appears to have withdrawn the rejection of claims 10 and 31. Compare Ans. 4, 9 (stating that claims 10 and 31 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims), with Final Rej. 5, 7-8 (rejecting claims 10 and 31 under 35 U.S.C. § 102(e)). Consequently, our review is limited to claims 1-9, 11, 12, 19-28, 30, and 34-36.

INVENTION

The invention is directed to techniques to detect network anomalies. See Spec. p. 1, ll. 13-14. Claim 1 is representative of the invention and is reproduced below:

1. A device, comprising:
    a processor;
    a memory storing:
        a connection table that maps each node of a network to a host object that stores information about traffic to the node and from the node; and
    a computer readable medium storing a computer program product comprising instructions for causing the device to:
        detect anomalies in network traffic based on information in the connection table and to aggregate the anomalies into network events according to connection patterns.

REFERENCES

Ontiveros US 2002/0107953 A1 Aug. 8, 2002

REJECTIONS AT ISSUE

Claims 11-12 and 23-24 stand rejected under 35 U.S.C. § 112, second paragraph, as being indefinite. Ans. 3.

Claims 1-9, 19-22, 25-28, 30, and 34-36 stand rejected under 35 U.S.C. § 102(e) as being anticipated by Ontiveros. Ans. 3-9.

ISSUE

1. Did the Examiner err in rejecting claims 11-12 and 23-24 under 35 U.S.C. § 112, second paragraph, as being indefinite?

2. Did the Examiner err in finding that Ontiveros discloses the following limitations:

    a. “storing[] a connection table that maps each node of a network to a host object that stores information about traffic to the node and from the node” (independent claim 1);

    b. “detect[ing] anomalies in network traffic based on information in the connection table and to aggregate the anomalies into network events according to connection patterns” (independent claim 1);

    c. “the connection table further includes group information, with Host objects storing group information about an identified group of nodes that an associated node belonged to” (claim 2);

    d. “the information about traffic includes aggregated network traffic statistics and the host object maintains the aggregated network traffic statistics for the associated node and a hash map from host identifiers of peers of a node as host pair objects that maintain traffic statistics for each pair of nodes” (claim 4);

    e. “each host object in the connection table maps to a plurality of records that are indexed by time, the plurality of records including host-pair records that map network traffic between pairs of nodes” (claim 7); and

    f. “the connection table includes a plurality of connection sub-tables to track data at different time scales” (claim 9)?

ANALYSIS

35 U.S.C. § 112, second paragraph
Claims 11-12 and 23-24

We are not persuaded that the Examiner erred in asserting that aspects of claims 11-12 and 23-24 lack antecedent basis, and thus do not meet the definiteness requirement of 35 U.S.C. § 112, second paragraph. See App. Br. 6-7. The Examiner finds that there is no antecedent basis for the recitation of “the measured statistics” in claim 11-12 and 23-24. Ans. 3. Appellant asserts that the term “aggregated network traffic statistics” in claim 4 serves as a proper antecedent basis for “the measured statistics.” App. Br. 6-7. We note that claims 23 and 24, however, do not depend from claim 4 and thus Appellants’ argument does not apply to those claims.
Additionally, even if one of ordinary skill might be able to speculate as to Appellants’ intended meaning of claims 11 and 12, the rejection is appropriate so as to remove unnecessary ambiguity during prosecution. See Ex parte Miyazaki, 89 USPQ2d 1207, 1212 (BPAI 2008) (precedential) (during prosecution, the threshold standard of ambiguity for indefiniteness is lower than it might be during litigation of an issued patent). Accordingly, we affirm the rejection of claims 11-12 and 23-24.

35 U.S.C. § 102(e) – Ontiveros
Claims 1-9, 19-22, 25-28, 30, 34-36

Claim 1

Claim 1 recites “storing[] a connection table that maps each node of a network to a host object that stores information about traffic to the node and from the node.” Appellants argue that Ontiveros does not disclose the claimed “connection table.” App. Br. 9. Specifically, Appellants argue that “the structures of Fig. 2 of Ontiveros neither describe nor depict a host object that stores information about packet traffic to the node and packet traffic from the node”; rather, Ontiveros describes a hit table that “keeps a count of the number of times a source address is detected.” App. Br. 9-10.

We are not persuaded by this argument. Ontiveros discloses that “[a] ‘hit-count’ table is preferably created in memory to count the number of times a particular pair of source and destination IP addresses is detected.” (Ontiveros [0038]) (emphasis added). See Ans. 9-10. Thus, traffic between, or to and from, the source and the destination is stored. Based on this disclosure of Ontiveros, we conclude that there is ample support for the Examiner’s finding that Ontiveros discloses the claimed connection table. Ans. 5-6.
Therefore, we agree with the Examiner that Ontiveros discloses “storing[] a connection table that maps each node of a network to a host object that stores information about traffic to the node and from the node.”

Appellants further argue that the Examiner does not address the features of a “host object,” including “map[ping] any host (IP address) ‘B’ with which ‘A’ communicates to a ‘host pair record’ that has information about all the traffic from ‘A’ to ‘B’ and ‘B’ to ‘A’.” App. Br. 11 (citing Spec, p. 10, ll. 22-27). We are not persuaded by this argument. The hit table of Ontiveros is described as having all of those features in the portions cited by the Examiner. See Ontiveros [0037]; Ans. 9-10.

Claim 1 also recites “detect[ing] anomalies in network traffic based on information in the connection table and . . . aggregat[ing] the anomalies into network events according to connection patterns.” Appellants argue that “Ontiveros deals with statistical information, e.g., ‘hit-count’ table, each time a data packet is received, a preferred algorithm as described herein creates a new reference index (if one does not already exist) or increments the existing reference (i.e., counting packets), but not the feature of ‘connection patterns.’” App. Br. 14. Additionally, Appellants argue that “Ontiveros does not aggregate detected anomalies in the network into events that are reported to, e.g., an operator or a console.” Id.

We are not persuaded by this argument. Ontiveros discloses that by using information from the “hit table” and keys such as source address and destination address, “a hash table can be created to monitor for and determine data attack types depending upon the particular security needs of the network.” Ontiveros [0043]-[0050]; see also Ans. 10-11. Also, as discussed above, the “hit table” is a connection table as recited in claim 1.
Ontiveros uses the traffic between a source and destination address to monitor for attacks or anomalies in the network. As to reporting to an operator or console, Appellants’ argument is not commensurate with the claim’s scope. Claim 1 does not recite a limitation of reporting to an operator or console. Therefore, we agree with the Examiner that Ontiveros discloses “detect[ing] anomalies in network traffic based on information in the connection table and . . . aggregating the anomalies into network events according to connection patterns.” Id.

Claim 2

Claim 2 recites “the connection table further includes group information, with Host objects storing group information about an identified group of nodes that an associated node belonged to.” Appellants argue that Ontiveros fails to disclose this limitation. App. Br. 16.

We disagree. As the Examiner found, Ontiveros discloses that the hit count traffic information is collected for at least three source addresses. Ontiveros [0040], Fig. 2; see also Ans. 4-5. Ontiveros also stores information about pairs of sources and destinations that have been locked out. Ontiveros [0054]; see also Ans. 4-5. Thus, Ontiveros stores information about the group of at least three nodes and the groups of locked out source and destination pairs. Thus, we conclude that there is ample support for the Examiner’s finding that Ontiveros discloses the claimed storing group information. Ans. 4-5. Therefore, we agree with the Examiner that Ontiveros discloses “the connection table further includes group information, with Host objects storing group information about an identified group of nodes that an associated node belonged to.” Id.

Claim 4

Claim 4 recites “the information about traffic includes aggregated network traffic statistics and the host object maintains the aggregated network traffic statistics for the associated node and a hash map from host identifiers of peers of a node as host pair objects that maintain traffic statistics for each pair of nodes.” Appellants argue that Ontiveros fails to disclose this limitation. App. Br. 16.

Again, we disagree. Ontiveros discloses a table to count the number of times a particular pair of source and destination IP addresses is detected and storing entries using a hash table, keyed by the source and destination addresses. Ontiveros [0038], [0040]; see also Ans. 5, 11. Ontiveros further discloses cataloging packets by sorting data with various keys such as Source Address and Destination Address. Ontiveros [0041]-[0049]; see also Ans. 11. Thus, we conclude that there is ample support for the Examiner’s finding that Ontiveros discloses the claimed aggregated network traffic statistics. Ans. 4-5, 11. Therefore, we agree with the Examiner that Ontiveros discloses “the information about traffic includes aggregated network traffic statistics and the host object maintains the aggregated network traffic statistics for the associated node and a hash map from host identifiers of peers of a node as host pair objects that maintain traffic statistics for each pair of nodes.” Id.

Claim 7

Claim 7 recites “each host object in the connection table maps to a plurality of records that are indexed by time, the plurality of records including host-pair records that map network traffic between pairs of nodes.” Appellants argue that “[t]he time/date stamp . . . [in Ontiveros] refers to the packet logging mentioned in [0042] and bears no relationship to a host object in the connection table that maps to a plurality of records indexed by time, with the plurality of records including host-pair records that map network traffic between pairs of nodes.” App. Br. 18.

We are not persuaded by this argument. The packet logging is logging records from the hit count table that is a connection table as recited in parent claim 1. Ontiveros [0042]-[0049]. For example, Ontiveros discloses that the algorithm used to create the hit count table is cataloging packet information. Ontiveros [0041]. The cataloging results in a relational database file that includes a time/date stamp. Ontiveros [0042]. Thus, Ontiveros discloses a time/date stamp that is used as a key to sort traffic information taken from the hit count table. Ontiveros [0038], [0049], [0050]; see also Ans. 12-13. Thus, we conclude that there is ample support for the Examiner’s finding that Ontiveros discloses the claimed indexing by time. Ans. 4-5. Therefore, we agree with the Examiner that Ontiveros discloses “each host object in the connection table maps to a plurality of records that are indexed by time, the plurality of records including host-pair records that map network traffic between pairs of nodes.” Id.

Claim 9

Claim 9 recites “the connection table includes a plurality of connection sub-tables to track data at different time scales.” Appellants argue that Ontiveros does not disclose this limitation. App. Br. 18-19.

We find Appellants’ arguments persuasive. The Examiner states that “Ontiveros discloses ‘the cataloging function preferably creates a small ASCII file which provides information captured from the data packets, ... This file is preferably transmitted using a secure channel on a short-time based interval to a large RDBMS.’” Ans. 13 (citing Ontiveros [0042]).
However, the Examiner does not explain how this database relates to the limitation of claim 9 at issue. See Id. We have not found any disclosure, in the portion of Ontiveros cited by the Examiner or in any other portion of Ontiveros, of a connection table that includes a plurality of connection sub-tables to track data at different time scales. Thus, we cannot sustain the Examiner’s rejection of claim 9.

SUMMARY

Appellants do not present substantive arguments regarding claims 3, 5, 6, and 8, and therefore those claims fall with claim 1. See App. Br. 7, 17-18. Claims 19-22, 25-28, and 34-36 are not argued separately and contain limitations essentially the same as the limitations in claims 1-8 discussed above. Thus, we affirm the rejection of those claims for the reasons stated above. Claim 30 contains a limitation essentially the same as the limitation in claim 9 discussed above. Thus, we cannot sustain the rejection of claim 30 for the same reasons stated above.

Therefore, for the reasons stated above, we find no error in the Examiner’s decision to reject claims 1-8, 19-22, 25-28, and 34-36 under 35 U.S.C. § 102(e) as being anticipated by Ontiveros. However, we reverse the Examiner’s decision to reject claims 9 and 30 under 35 U.S.C. § 102(e) as being anticipated by Ontiveros. We also affirm the Examiner’s decision to reject claims 11-12 and 23-24 under 35 U.S.C. § 112, second paragraph, as being indefinite.[2]

[2] In the event of further prosecution of claims 19-24 and 35, which are all directed to a “computer program product residing on a computer readable medium,” we direct the Examiner’s attention to 35 U.S.C. § 101; 1351 Off. Gaz. Pat. Office 212 (Feb. 23, 2010); Subject Matter Eligibility of Computer Readable Media; In re Nuijten, 500 F.3d 1346, 1356-57 (Fed. Cir. 2007) (transitory embodiments are not directed to statutory subject matter); and Interim Examination Instructions for Evaluating Subject Matter Eligibility Under 35 U.S.C. § 101, Aug. 24, 2009; p. 2, available at http://www.uspto.gov/web/offices/pac/dapp/opla/2009-08-25_interim_101_instructions.pdf.

DECISION

The Examiner’s decision to reject claims 1-8, 11-12, 19-28, and 34-36 is affirmed.

The Examiner’s decision to reject claims 9 and 30 is reversed.

No time period for taking any subsequent action in connection with this appeal may be extended under 37 C.F.R. § 1.136(a)(1). See 37 C.F.R. § 1.136(a)(1)(iv) (2012).

AFFIRMED-IN-PART

msc