14003020 (P.T.A.B. Oct. 23, 2018)

Ex Parte Stites et al

Patent Trial and Appeal BoardOct 23, 2018

14003020 (P.T.A.B. Oct. 23, 2018)

UNITED STA TES p A TENT AND TRADEMARK OFFICE APPLICATION NO. FILING DATE 14/003,020 09/04/2013 31894 7590 10/23/2018 OKAMOTO & BENEDICTO, LLP P.O. BOX 641330 SAN JOSE, CA 95164 FIRST NAMED INVENTOR Ronald S. Stites UNITED STATES DEPARTMENT OF COMMERCE United States Patent and Trademark Office Address: COMMISSIONER FOR PATENTS P.O. Box 1450 Alexandria, Virginia 22313-1450 www .uspto.gov ATTORNEY DOCKET NO. CONFIRMATION NO. 10033.026700 3001 EXAMINER AMORIN, CARLOS E ART UNIT PAPER NUMBER 2498 MAIL DATE DELIVERY MODE 10/23/2018 PAPER Please find below and/or attached an Office communication concerning this application or proceeding. The time period for reply, if any, is set in the attached communication. PTOL-90A (Rev. 04/07) UNITED STATES PATENT AND TRADEMARK OFFICE BEFORE THE PATENT TRIAL AND APPEAL BOARD Ex parte RONALD S. STITES, CRAIG D. BOTKIN, and BRIAN K. CAMPBELL Appeal2018-002652 Application 14/003,020 Technology Center 2400 Before JOHN A. JEFFERY, JOHNNY A. KUMAR, and MATTHEW J. McNEILL, Administrative Patent Judges. JEFFERY, Administrative Patent Judge. DECISION ON APPEAL Appellants 1 appeal under 35 U.S.C. Â§ 134(a) from the Examiner's decision to reject claims 1, 30, 37, 38, and 61. We have jurisdiction under 35 U.S.C. Â§ 6(b). We reverse. STATEMENT OF THE CASE Appellants' invention prevents computer network intrusions by matching data patterns to identify threats. To this end, both partial and full match determinations are made with respect to data blocks of a received data 1 Appellants identify the real party in interest as Trend Micro, Inc. App. Br. 1. Appeal2018-002652 Application 14/003,020 word, including the blocks' value and position in a signature data pattern. See generally Abstract; Spec. ,r 1. Claim 1 is illustrative: 1. A method of intrusion prevention for protecting a computer network, the method comprising: generating, via an intrusion-prevention system (IPS), a plurality of preprocessing-signature-pattern-hash results for a signature data pattern, wherein the IPS includes a processor and hardware; mapping, via the IPS, the signature data pattern to a first pre- processing memory address of a first memory device and a second pre- processing memory address of a second memory device based on the pre- processing-signature-pattern-hash results; flagging, via the IPS, the first pre-processing memory address of the first memory device and the second pre-processing memory address of the second memory device; receiving, via a network interface of the IPS, a subject data word; generating, via the IPS, a plurality of pre-processing-subject-hash results for the subject data word; mapping, via the IPS, the subject data word to a first subject data word preprocessing memory address of the first memory device and a second subject data word pre-processing memory address of the second memory device based on the corresponding pre-processing-subject-hash results; performing, via the IPS, subsequent to a determination that the first subject data word pre-processing memory address of the first memory device is the same as the flagged first pre-processing memory address and the second subject data word preprocessing memory address of the second memory device is the same as the flagged second pre-processing memory address, a partial-match determination including determining that a partial- match number of a plurality of subject-data blocks of the subject data word respectively match the same partial-match number of a plurality of 2 Appeal2018-002652 Application 14/003,020 signature-data blocks of the signature data pattern with respect to both value and position in the signature data pattern; performing, via the IPS, subsequent to making the partial-match determination, a full-match determination comprising a determination that all of the subject-data blocks respectively match all of the signature-data blocks with respect to both value and position in the signature data pattern; and subsequent to making the full-match determination, indicating that the subject data word comprises a known threat to the computer network. THE REJECTION The Examiner rejected claims 1, 30, 37, 38, and 61 under 35 U.S.C. Â§ 103 as unpatentable over Pandya (US 2011/0145181 Al; published June 16, 2011) and Sherwood (US 2007/0233628 Al; published Oct. 4, 2007). Ans. 3-12.2 FINDINGS AND CONTENTIONS Regarding independent claim 1, the Examiner finds that Pandya discloses, among other things, (1) mapping a subject data word to first and second pre-processing memory addresses based on corresponding hash results by generating "k" hash indices in step 2109 of Figure 21, and (2) determining a partial match of subject- and signature-data blocks by determining whether memory bit values at memory locations HI to Hk are all "1" in step 2111. See Ans. 3---6. Although the Examiner finds that Pandya also determines an exact or "full" match in steps 2113 and 2114 after 2 Throughout this opinion, we refer to (1) the Appeal Brief filed July 13, 2017 ("App. Br."); (2) the Examiner's Answer mailed November 16, 2017 ("Ans."); and (3) the Reply Brief filed January 8, 2018 ("Reply Br."). 3 Appeal2018-002652 Application 14/003,020 the "coarse" or partial match in step 2111, the Examiner nonetheless cites Sherwood for teaching that a full-match determination, namely determining that all subject-and signature-data blocks match with respect to value and position in the signature data pattern, occurs after determining a partial match. Ans. 6-7. Based on these collective teachings, the Examiner concludes that the claim would have been obvious. Id. Appellants argue that although Pandya discloses pre-processing followed by full matching, Pandya lacks the recited partial match determination, and Sherwood does not cure this deficiency. App. Br. 4--8; Reply Br. 2-3. According to Appellants, unlike pre-processing hashing that involves matching the subject data word's hash against a compressed signature (i.e., the signature's hash), the recited partial match determination matches particular data blocks of the subject data word against those of the signature itself. App. Br. 6-7; Reply Br. 2-3. As such, Appellants contend, Pandya's hash match falls short in this regard because a hash represents more than one signature data pattern and, therefore, matching a hash does not match the signature's data blocks in both value and position. Id. ISSUE UnderÂ§ 103, has the Examiner erred in rejecting claim 1 by finding that Pandya and Sherwood collectively would have taught or suggested the recited partial match determination? ANALYSIS We begin by noting that it is undisputed that Pandya discloses hash- based pre-processing followed by a full-match determination. See App. Br. 4 Appeal2018-002652 Application 14/003,020 5-6; Reply Br. 3. Rather, this dispute hinges on whether Pandya also discloses an intervening partial-match determination that occurs after pre- processing, but before the full-match determination. Turning to claim 1, the recited partial-match determination includes determining that a number of blocks, namely a "partial-match number," of a subject data word respectively match the same number of blocks of a signature data pattern with respect to both value and position in that pattern. The subsequent full-match determination is similar, but for all such blocks. Given this distinction between a "partial-match number" of blocks and all such blocks with respect to these determinations, a "partial match- number" of blocks is less than all blocks when interpreted in light of Appellants' disclosure. Otherwise, the two determinations would be duplicative for all blocks, essentially conflating the partial-and full-match determinations in that circumstance. Such a result runs counter to the clear distinction between these determinations detailed in Appellants' disclosure. Compare Spec. ,r,r 131-172 with Spec. ,r,r 173-205. That Appellants' Abstract states explicitly that the partial-match determination involves less than all subject-data blocks only underscores this distinction, as does original claim 1 that recited explicitly that the partial-match number is less than a total number of the subject-data blocks. A key aspect of both determinations is that the subject data word's data blocks must match those of the signature data pattern with respect to both value and position. Therefore, not only must the blocks themselves match in these determinations, but also with respect to their value and position in the signature data pattern. 5 Appeal2018-002652 Application 14/003,020 Given these limitations, we find the Examiner's rejection problematic on this record. According to the Examiner, Pandya's system determines a partial match of subject-and signature-data blocks by determining whether memory bit values at memory locations HI to Hk are all "1" in step 2111 of Figure 21. See Ans. 5---6, 16 (finding that Pandya's system first compares "fully expanded" data in a "coarse" way to determine if a subset of locations have the same matching bit before determining a complete "exact" match of the entire content stream). To be sure, this memory bit value comparison in step 2111 in Pandya's Figure 21 occurs before a full-match determination in steps 2113 and 2114 and, therefore, is an initial or "coarse" match determination at least with respect to determining whether memory bit values match the value of "I." See Pandya ,r 139. But this "coarse" determination is not the particular partial-match determination in claim 1 that requires determining whether the subject data word's data blocks match those of the signature data pattern with respect to both value and position. Nor is this particular comparison achieved by Pandya's comparing hash values that represent multiple signatures as Appellants indicate. App. Br. 6-7; Reply Br. 2. So even if Pandya's system determines whether all subject-data blocks match those of the signature data pattern with respect to both value and position in the exact match determination in steps 2113 and 2114 in Figure 21, the same cannot be said for the initial or "coarse" match determination in step 2111 that is said to correspond to the recited partial- match determination. Nor does Sherwood cure that deficiency. 6 Appeal2018-002652 Application 14/003,020 Therefore, we are persuaded that the Examiner erred in rejecting (1) independent claim 1; (2) independent claim 30 that recites commensurate limitations; and (3) the dependent claims for similar reasons. CONCLUSION The Examiner erred in rejecting claims 1, 30, 37, 38, and 61 under Â§ 103. DECISION We reverse the Examiner's decision to reject claims 1, 30, 37, 38, and 61. REVERSED 7