Ex Parte Wang et al
Patent Trial and Appeal Board
Apr 17, 2017
13950252 (P.T.A.B. Apr. 17, 2017)

UNITED STATES DEPARTMENT OF COMMERCE
United States Patent and Trademark Office
Address: COMMISSIONER FOR PATENTS, P.O. Box 1450, Alexandria, Virginia 22313-1450
www.uspto.gov

APPLICATION NO.: 13/950,252
FILING DATE: 07/24/2013
FIRST NAMED INVENTOR: Wei David Wang
ATTORNEY DOCKET NO.: FORT-011900
CONFIRMATION NO.: 4792

64128 7590 04/19/2017
MICHAEL A DESANCTIS
HAMILTON DESANCTIS & CHA LLP
FINANCIAL PLAZA AT UNION SQUARE
225 UNION BOULEVARD, SUITE 150
LAKEWOOD, CO 80228

EXAMINER: BAYOU, YONAS A
ART UNIT: 2434
PAPER NUMBER:
NOTIFICATION DATE: 04/19/2017
DELIVERY MODE: ELECTRONIC

Please find below and/or attached an Office communication concerning this application or proceeding. The time period for reply, if any, is set in the attached communication.

Notice of the Office communication was sent electronically on above-indicated "Notification Date" to the following e-mail address(es): mdesanctis@hdciplaw.com, docket@hdciplaw.com

PTOL-90A (Rev. 04/07)

UNITED STATES PATENT AND TRADEMARK OFFICE

BEFORE THE PATENT TRIAL AND APPEAL BOARD

Ex parte WEI DAVID WANG, DAYONG ZHOU, and IHAB KHALIL

Appeal 2016-004018
Application 13/950,252¹
Technology Center 2400

Before MARC S. HOFF, JOHN R. PINKERTON, and JOYCE CRAIG, Administrative Patent Judges.

HOFF, Administrative Patent Judge.

¹ The real party in interest is Fortinet, Inc.

DECISION ON APPEAL

STATEMENT OF THE CASE

Appellants appeal under 35 U.S.C. § 134 from a final rejection of claims 1–19. We have jurisdiction under 35 U.S.C. § 6(b).

We affirm.

Appellants’ invention concerns attack context data logging. A predetermined or configurable time frame of packets both before and after detection of an attack packet is logged. The additional context facilitates understanding of the attack and can help in connection with improving the implementation of signatures that are used to detect attacks and reducing false positives. See Spec. ¶ 8.

Claim 1 is exemplary of the claims on appeal:

1. A network appliance system comprising:
    one or more processors;
    a communication interface device;
    one or more internal data storage devices operatively coupled to the one or more processors and storing:
        a configuration module to allow configuration of a quantity of packets to be logged prior to a network attack;
        a logging module configured to receive information regarding a plurality of packets and generate a log to facilitate analysis of a context of the network attack;
        a buffer module configured to define a buffer based on the quantity and receive and temporarily store within the buffer packets provided thereto; and
        an intrusion prevention module configured to scan a plurality of received packets and copy a subset of the plurality of received packets to the buffer module and when a packet of the plurality of received packets triggers detection of the network attack by the intrusion prevention module, the intrusion prevention module causes the subset of the plurality of received packets and the packet to be sent to the logging module.

The Examiner relies upon the following prior art in rejecting the claims on appeal:

Lyle    US 6,971,028 B1         Nov. 29, 2005
Xie     US 2007/0050846 A1      Mar. 1, 2007

Claims 1–19 stand rejected under 35 U.S.C. § 103(a) as being unpatentable over Xie and Lyle.

Throughout this decision, we make reference to the Appeal Brief (“App. Br.,” filed Aug. 5, 2015) and the Examiner’s Answer (“Ans.,” mailed Nov. 19, 2015) for their respective details.

ISSUES

Appellant’s arguments present us with the following issues:

1. Does the combination of Xie and Lyle teach or suggest a configuration module to allow configuration of a quantity of packets to be logged prior to a network attack?

2. Does the combination of Xie and Lyle teach or suggest a buffer module configured to define a buffer based on the quantity of packets, and receive and temporarily store within the buffer packets provided thereto?

3. Does the combination of Xie and Lyle teach or suggest an intrusion prevention module that, when a packet triggers detection of network attack, causes the subset of received packets and the packet to be sent to the logging module?

ANALYSIS

Appellants exclusively argue certain limitations of independent claim 1. Therefore, we select claim 1 as representative of claims 1–19 under appeal, and claims 2–19 stand or fall with claim 1.

We are not persuaded that Xie fails to teach “a configuration module to allow configuration of a quantity of packets to be logged prior to a network attack,” as recited in representative claim 1. See App. Br. 11–12. Appellants’ Specification discloses that its configuration module 202:

    allows a network administrator to define and structure the number of packets to be logged before and the number of packets to be logged after an attack has been detected .... According to one embodiment, the number of packets to be logged can be predetermined or can be configured in real-time such that only packets of interest are logged instead of all packets.... [T]he number and kind of packets to be logged can be defined by the configuration module 202 to enable efficient and desired logging.

Spec. ¶ 37. Appellants’ Specification thus contemplates that the configuration module may be structured to simply log a predetermined number of packets, or may log a plurality of packets of interest according to certain criteria.

Similarly, Xie teaches firewall 21, which “serves as a filter recognizing the format of the packet and selecting the packets that are to be logged onto the storage 22.” Xie ¶ 34 (emphasis omitted).
Firewall 21 “selectively decides which network packets are to be stored in the storage 22 based on the user specified criteria.” Xie ¶ 35 (emphasis omitted). We agree, therefore, with the Examiner’s finding that Xie teaches the claimed “configuration module” that allows “configuration of a quantity of packets to be logged.” See Ans. 8.

We are also unpersuaded by Appellants’ contention that Xie does not teach “a buffer module configured to define a buffer based on the quantity and receive and temporarily store within the buffer packets provided thereto.” See App. Br. 12–13. We agree with the Examiner that Xie teaches that “gateway computer 41 filters the data received using the parameters set by the user and sends the filter data to the storage 42. In the storage 42, the data is sent to a respective hard disk using a controller.” Xie ¶ 42 (emphasis omitted); see Ans. 9. Xie’s storage (i.e., buffer module) thus receives and stores a quantity of packets that are provided thereto.²

² Appellants’ remarks concerning traffic viewer 700 are inapposite, as we do not rely on the section of Xie contested by Appellants concerning said traffic viewer.

We do not agree with Appellants that Lyle does not teach sending buffered packets to a logging module responsive to a packet triggering detection of a network attack. App. Br. 11. We agree, instead, with the Examiner’s finding that Lyle teaches such a module, as well as sending packets to said module responsive to detection of a network attack. Lyle teaches that “[w]hen information related to an actual or suspected attack is received,” “event manager 306 receives the suspicious data, referred to herein as ‘event’ data, places it in a queue, and provides data to the analysis framework module 308 for processing.... The event manager 306 also supplies event data to the log database 320 as it is received either from the handoff receiver 302 or from the sniffer module 304.” Lyle col. 7:43–53 (emphasis omitted).

We find that the Examiner did not err in rejecting representative claim 1 over the combination of Xie and Lyle. We sustain the Examiner’s § 103 rejection of claims 1–19.

CONCLUSIONS

1. Xie teaches a configuration module to allow configuration of a quantity of packets to be logged prior to a network attack.

2. Xie teaches a buffer module configured to define a buffer based on the quantity of packets, and receive and temporarily store within the buffer packets provided thereto.

3. Lyle teaches an intrusion prevention module that, when a packet triggers detection of network attack, causes the subset of received packets and the packet to be sent to the logging module.

ORDER

The Examiner’s decision to reject claims 1–19 is affirmed.

No time period for taking any subsequent action in connection with this appeal may be extended under 37 C.F.R. § 1.136(a). See 37 C.F.R. § 41.50(f).

AFFIRMED