11437912 (B.P.A.I. Aug. 23, 2012)

Ex Parte Rand et al

Board of Patent Appeals and InterferencesAug 23, 2012

11437912 (B.P.A.I. Aug. 23, 2012)

UNITED STATES PATENT AND TRADEMARKOFFICE UNITED STATES DEPARTMENT OF COMMERCE United States Patent and Trademark Office Address: COMMISSIONER FOR PATENTS P.O. Box 1450 Alexandria, Virginia 22313-1450 www.uspto.gov APPLICATION NO. FILING DATE FIRST NAMED INVENTOR ATTORNEY DOCKET NO. CONFIRMATION NO. 11/437,912 05/19/2006 David Rand 10033.004510 2220 31894 7590 08/24/2012 OKAMOTO & BENEDICTO, LLP P.O. BOX 641330 SAN JOSE, CA 95164 EXAMINER GORNEY, BORIS ART UNIT PAPER NUMBER 2444 MAIL DATE DELIVERY MODE 08/24/2012 PAPER Please find below and/or attached an Office communication concerning this application or proceeding. The time period for reply, if any, is set in the attached communication. PTOL-90A (Rev. 04/07) UNITED STATES PATENT AND TRADEMARK OFFICE ________________ BEFORE THE BOARD OF PATENT APPEALS AND INTERFERENCES ________________ Ex parte DAVID RAND, SCOTT D. ESTERS, PAUL MORIARTY, and JERRY SCHARF ________________ Appeal 2010-003584 Application 11/437,912 Technology Center 2400 ________________ Before JOSEPH F. RUGGIERO, JOHN A. JEFFERY, and ANDREW CALDWELL, Administrative Patent Judges. CALDWELL, Administrative Patent Judge. DECISION ON APPEAL Appeal 2010-003584 Application 11/437,912 2 SUMMARY Appellants appeal under 35 U.S.C. §§ 6(b) and 134(a) from the Examiner’s rejection of claims 1-12. We reverse. STATEMENT OF CASE Appellants describe the present invention as a Domain Name System (DNS) security network that includes several DNS appliances and a security operations center (SOC) server computer. The SOC server computer receives telemetry from the DNS appliances including information about DNS client queries received in the respective DNS appliances. From the telemetry data, the SOC server generates security policies for distribution to the DNS appliances. The DNS appliances use the security policies to determine whether a DNS client query is originated by a client computer performing a prohibited activity. An answer to a client query may be replaced or discarded altogether in cases where the originator is performing a prohibited activity. Abstract. Independent claim 1 is illustrative of a DNS appliance applying the security policy to a client query with disputed limitations in italics: 1. A method of processing a domain name system (DNS) client query sent to a DNS server, the method to be performed by the DNS server and comprising: receiving in the DNS server a client query from a client computer, the client query requesting an Internet Protocol (IP) address associated with a domain name identified in the client query; comparing a first set of information about the client query against security policies to determine if the client computer is Appeal 2010-003584 Application 11/437,912 3 performing a prohibited activity indicated in at least one of the security policies, the first set of information being with the client query as first received by the DNS server; comparing a second set of information about the client query against the security policies to determine if the client computer is performing the prohibited activity, the second set of information including information that became available in the DNS server after the client query has been received in the DNS server; determining an answer to the client query, the answer providing the IP address associated with the domain name identified in the client query; and replacing the answer with a different answer when the client computer is deemed to be performing the prohibited activity. THE REJECTIONS 1. The Examiner rejected claims 1, 3-6, and 10-12 under 35 U.S.C. 103(a) as being unpatentable over Motsinger (US 2005/0188221 A1; Aug. 25, 2005) in view of Holzer (US 2002/0059396 A1; May 16, 2002).1 Ans. 3-7. 2. The Examiner rejected claims 2 and 7-9 under 35 U.S.C. 103(a) as being unpatentable over Motsinger in view of Holzer and Proctor (US 6,530,024 B1; Mar. 4, 2003). Ans. 7-9. THE OBVIOUSNESS REJECTION – MOTSINGER AND HOLZER The Examiner concludes that the combination of Motsinger and Holzer teaches the method of claim 1. Id. at 3-7. The Examiner relies upon 1 Throughout this opinion, we refer to the Appeal Brief (App. Br.) filed October 7, 2009, the Examiner’s Answer (Ans.) mailed November 12, 2009, and the Reply Brief (Reply Br.) filed on December 23, 2009. Appeal 2010-003584 Application 11/437,912 4 Holzer, in particular, to teach the steps of “determining an answer to the client query, the answer providing the IP address associated with the domain name identified in the client query; and replacing the answer with a different answer when the client computer is deemed to be performing the prohibited activity.” Id. at 4-5. Appellants assert, among other things, that Holzer does not teach what the Examiner asserts. App. Br. 4-6; Reply Br. 2. Appellants contend that Holzer teaches replacing an error message with an Internet Protocol (IP) address rather than replacing an answer providing the IP address associated with the name identified in the client query with a different answer. Id. ISSUE Do Motsinger and Holzer collectively teach the steps of “determining an answer to the client query, the answer providing the IP address associated with the domain name identified in the client query; and replacing the answer with a different answer when the client computer is deemed to be performing the prohibited activity?” ANALYSIS Motsinger is directed to detecting security threats to a server application. Motsinger ¶ 0002. More specifically, Motsinger describes monitoring a web application to alert an operator when suspicious activity is detected. Id. at ¶ 0107. Motsinger does not explicitly describe an embodiment directed to detecting threats against a Domain Name System (DNS) server. When Motsinger discusses DNS, Motsinger merely describes that the monitoring system is aware of the IP addresses of the primary and Appeal 2010-003584 Application 11/437,912 5 secondary DNS servers that are used by a monitored web server. Id. at ¶ 0435. Holzer teaches a method used by a proxy to retrieve alternative data in the case of a faulty DNS request or URL request of a client to a server in an IP network. Holzer cl. 11. When the proxy receives an error message from a DNS server in response to a faulty request, the error message is replaced by the IP address of an error-server. Holzer cl. 16. The DNS server produces an error message when the domain name in a request cannot be resolved to an IP address. Id. at ¶¶ 0006-07. On this record, we are persuaded that Appellants have identified reversible error in the rejection of claim 1. The claim specifies that an answer provides the IP address associated with the domain name identified in the client query. Moreover, the claim language requires that the answer, which is subsequently replaced, must provide (i.e., include) an IP address. As discussed above, the portions of Holzer relied upon by the Examiner describe how an error message from a DNS server is replaced by the IP address of an error-server. The DNS server produces an error message when there is no IP address associated with a particular domain name in a client request. Since there is no IP address to provide in the error message, we find no probative evidence in Holzer that the error message provides an IP address. We also find no probative evidence in Holzer that the system modifies responses to client queries that resolve to an IP address (i.e., do not generate an error). Absent probative evidence that Holzer teaches replacing an answer including an IP address, Holzer, at best, teaches replacing an answer without an IP address with an answer including an IP address. We Appeal 2010-003584 Application 11/437,912 6 are therefore persuaded by Appellants’ argument that Holzer does not teach replacing an answer with a different answer as in claim 1. Since the Examiner has not shown that Motsinger, the other cited prior art reference, teaches determining an answer and then replacing the answer with a different answer, we do not sustain the obviousness rejection of independent claim 1 and dependent claims 3-6. Independent claim 10 includes substantially the same limitation as discussed above with respect to claim 1. We therefore do not sustain the rejection of independent claim 10 and dependent claims 11-12. Since the issue discussed above is dispositive regarding our reversing the rejections of these claims, we need not address Appellants’ other arguments in the Appeal Brief or the Reply Brief. THE OBVIOUSNESS REJECTION – MOTSINGER, HOLZER, AND PROCTOR With respect to claims 2 and 7-9, Appellants argue, among other things, that the rejection of these claims should be reversed for the rationale given for claim 1. App. Br. 8-10. Since independent claim 7 contains limitations similar to those in claim 1 which we previously found to be problematic, and the Examiner has not shown that Proctor cures those deficiencies, we do not sustain the obviousness rejection of these claims for the reasons given above. CONCLUSION Appellants have shown that the Examiner erred in rejecting claims 1- 12 under § 103. Appeal 2010-003584 Application 11/437,912 7 DECISION The Examiner’s decision rejecting claims 1-12 is reversed. REVERSED rwk