HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP
Patent Trials and Appeals Board
Dec 29, 2021
2020002608 (P.T.A.B. Dec. 29, 2021)

UNITED STATES PATENT AND TRADEMARK OFFICE

UNITED STATES DEPARTMENT OF COMMERCE
United States Patent and Trademark Office
Address: COMMISSIONER FOR PATENTS
P.O. Box 1450
Alexandria, Virginia 22313-1450
www.uspto.gov

APPLICATION NO.: 15/420,420
FILING DATE: 01/31/2017
FIRST NAMED INVENTOR: Manish Marwah
ATTORNEY DOCKET NO.: 90323953
CONFIRMATION NO.: 9736

146568 7590 12/29/2021
MICRO FOCUS LLC
500 Westover Drive #12603
Sanford, NC 27330

EXAMINER: AVERY, JEREMIAH L
ART UNIT: 2431
PAPER NUMBER:
NOTIFICATION DATE: 12/29/2021
DELIVERY MODE: ELECTRONIC

Please find below and/or attached an Office communication concerning this application or proceeding.

The time period for reply, if any, is set in the attached communication.

Notice of the Office communication was sent electronically on above-indicated "Notification Date" to the following e-mail address(es): software.ip.mail@microfocus.com

PTOL-90A (Rev. 04/07)

UNITED STATES PATENT AND TRADEMARK OFFICE
____________
BEFORE THE PATENT TRIAL AND APPEAL BOARD
____________
Ex parte MANISH MARWAH, RENATO KESHET, BARAK RAZ and BRENT JAMES MILLER

Appeal 2020-002608
Application 15/420,420
Technology Center 2400

Before CARL W. WHITEHEAD JR., ERIC S. FRAHM, and DAVID M. KOHUT, Administrative Patent Judges.

PER CURIAM

DECISION ON APPEAL

Pursuant to 35 U.S.C. § 134(a), Appellant[1] appeals from the Examiner’s decision to reject claims 1–20. We have jurisdiction under 35 U.S.C. § 6(b).

We AFFIRM and enter NEW GROUNDS OF REJECTION under 37 C.F.R. § 41.50(b).

[1] We use “Appellant” to reference the applicant as defined in 37 C.F.R. § 1.42. Appellant identifies the real party in interest as “MICRO FOCUS LLC.” Appeal Br. 1.

STATEMENT OF THE CASE

Appellant’s Invention

According to the Specification, the present invention concerns a “security operation center (SOC) [for] protect[ing a] computing arrangement from security issues.” Spec. ¶ 10. “In an SOC, analysts may monitor for alerts relating to security issues in the computing arrangement, and in response to the alerts, can take actions to address the security issues.” Id. ¶ 11. “[A]nalysts of an SOC can perform manual investigations to respond to alerts,” e.g., “collect[] more information to make sense of the alert[.]” Id. ¶ 14. The invention provides an analyst “contextual information [that] can include . . . distributions of instances of the alert or similar alerts,” e.g., “a spatial distribution of instances of the alert or similar alerts across different physical or virtual locations or a temporal distribution of instances of the alert or similar alerts across time instances.” Id. ¶ 15.

Claim 1, reproduced below, is illustrative of argued subject matter.

    1. A non-transitory machine-readable storage medium storing instructions that upon execution cause a system to:
        receive a first alert relating to an issue in a computing arrangement;
        determine a second alert that is similar to the first alert, based on comparing a property of the second alert to a property of the first alert;
        determine contextual information for the first alert, the determined contextual information comprising spatial and temporal distributions of previous instances of the second alert that is similar to the first alert;
        communicate, to a remediation engine, the contextual information for use in addressing the issue in the computing arrangement; and
        perform, by the remediation engine, a remediation action that resolves the issue.

Appeal Br., Claims Appendix.

Rejection

Claims 1–20 are rejected under 35 U.S.C. § 103 as being unpatentable over Donoho (US 2004/0177053 A1; Sept.
9, 2004) and Dyell (US 2015/0364022 A1; Dec. 17, 2015). Final Act. 5–14.[2]

[2] The Answer withdraws the Final Action’s double-patenting rejection of claims 1–15. Ans. 3; see also Final Act. 3–4.

OPINION

Claims 1–3, 5–9, 16, and 18

Appellant argues independent claim 1 and depending claims 2, 3, 5–9, 16, and 18 as a group (under one heading). Appeal Br. 7. We select claim 1 as representative. 37 C.F.R. § 41.37(c)(1)(iv).

Appellant first argues that the Examiner errs in applying Donoho against the claimed “determine[] contextual information comprising spatial and temporal distributions of previous instances of the second alert that is similar to the first alert.” Appeal Br. 8. Specifically, Appellant contends that Donoho’s invention[3] determines “when and how frequently the alert generation and processing systems performs its operations” and this is not, as is claimed, a determination of spatial and temporal distributions of alerts. Id. at 9. Appellant further contends that Donoho’s invention determines “events and entities” having similar spatial and temporal relationships and this is not, as is claimed, a determination of alerts having such similar relationships. Reply Br. 2.

[3] Any reference herein to a prior art “invention” means the features applied by the Examiner.

Appellant argues that the Examiner errs in applying Dyell against the claimed “determine [the] second alert that is similar to the first alert[] based on comparing a property of the second alert to a property of the first alert.” Appeal Br. 13. Specifically, Appellant argues that Dyell’s invention determines an “alarm fatigue level” and this is not, as is claimed, a determination of similar alerts. Id. at 13–14. Appellant further contends Dyell’s invention determines “historical information and trends learnt” and this is not, as is claimed, a determination based on a comparison of alerts. Id. at 14.

Thus, generally speaking, Appellant first argues that (1) Donoho’s invention does not determine similar spatial and temporal relationships between two alerts. Supra 3–4 (describing first argument). Appellant secondly argues that (2) Dyell’s invention does not determine two similar alerts based on a comparison of the alerts. Id. at 4 (describing second argument).

We are unpersuaded of error. In view of the following, we find the Donoho-Dyell combination achieves the argued determinations.

Donoho’s invention generates an alert for events that satisfy a temporal criterion and spatial criterion. Donoho ¶¶ 69–72; see also Ans. 3–4 (applying Donoho). In Donoho’s example, a money-laundering alert is generated in-part because alike money orders were purchased for a total value less than $3,000, at locations proximate to each other (spatial), and at moments proximate to each other (temporal). Donoho ¶ 69.

Dyell’s invention groups alerts that have similar properties and assesses each new alert in view of its group. Dyell ¶¶ 35–36; see also Ans. 4–5 (applying Dyell). In Dyell’s example, a new alert is determined to be a false alert (“false alarm”) if designated properties group the new alert with prior alerts already determined to be false alerts; i.e., the new and previous alerts have similar values for the properties. Dyell ¶ 36.

We find that, by aggregating these features, the combination generates and groups alerts. Specifically, in view of Donoho, the combination designates criteria for monitoring events—two of the criteria being a spatial criterion and temporal criterion—and assigns respective values to the criteria for each event. Supra 4 (describing Donoho’s invention). Further in view of Donoho, the combination generates an alert if the values for associated events satisfy the spatial criterion and temporal criterion. Id.
And in view of Dyell, the combination groups each alert with other prior alerts having similar values for designated properties. Supra 5 (describing Dyell’s invention). Nothing more is needed to reach the argued features (see supra 4 (generalizing the arguments as “(1)” and “(2)”)).

Assuming (arguendo) a bodily combination of Donoho’s and Dyell’s above examples of their inventions, the combination would designate criteria for monitoring money orders and generate an alert in-part because alike money orders were purchased for a total value less than $3,000, at locations sufficiently proximate to each other (spatial), and at moments sufficiently proximate to each other (temporal). Supra 4 (describing Donoho’s example). The combination would determine the new alert to be a false alert if/because, for designated properties indicative of false alerts, the new alert has values similar to prior false alerts and thus groups with (i.e., is clustered among) prior false alerts.[4] Supra 5 (describing Dyell’s example).

Turning back to Appellant’s arguments, we find the Donoho-Dyell combination (e.g., as in the bodily combination) achieves the first argued determination—of similar spatial and temporal distributions of two alerts—by generating alerts that each have associated events satisfying the same spatial criterion (e.g., the events of each alert are spatially proximate) and same temporal criterion (e.g., the events of each alert are temporally proximate). In other words, the generation of alerts is a determination that each alert satisfies the same spatial criterion and temporal criterion, which is also a determination that any two alerts have a similar spatial distribution and temporal distribution of their respective events. Thus, the combination “determine[s] contextual information . . .
comprising spatial and temporal distributions of previous instances of the second alert that is similar to the first[/new] alert” (claim) by generating the new alert and previous alerts as a result of each alert pertaining to events that satisfy the spatial criterion and temporal criterion.

The combination achieves the second argued determination—of two similar alerts based on a comparison of their properties—by grouping alerts that are similar with respect to a designated property (e.g., both alerts are a ‘yes’ with respect thereto). In other words, the grouping of some alerts is a determination that each grouped alert satisfies a same property, which is also a determination that the alerts share the property. Thus, the combination “determine[s the] second alert that is similar to the first alert[] based on comparing a property of the second alert to a property of the first alert” (claim) by determining, based on a property of alerts, the new alert shares the property with prior alerts (e.g., with prior false alerts).

4 We can conceive that, for instance, a false alert may be an alert for alike money orders paid to children of the same surname at Christmas time (i.e., more indicative of gifts to grandchildren than means of money laundering).

For the foregoing reasons, Appellant has not shown the combination fails to teach or suggest the argued claim limitations. We therefore affirm the Examiner’s decision to reject claims 1–3, 5–9, 16, and 18.

We designate our affirmance of claims 1–3, 5–9, 16, and 18 as a new ground of rejection to safeguard Appellant’s procedural entitlements. See In re Leithem, 661 F.3d 1316, 1319 (Fed. Cir. 2011) (“Mere reliance on the same statutory basis and the same prior art references, alone, is insufficient to avoid making new ground of rejection when the Board relies on new facts and rationales not previously raised to the applicant by the examiner.”).
We do so because the Examiner does not articulate the above bodily combination of Donoho’s and Dyell’s examples of their inventions. Of course, the Examiner need not articulate a bodily combination of Donoho’s and Dyell’s teachings to support the rejection. See In re Keller, 642 F.2d 413, 425 (CCPA 1981) (citations omitted) (“The test for obviousness is not whether the features of a secondary reference may be bodily incorporated into the structure of the primary reference[.]”).

Claim 4

Claim 4 is separately argued, depends from claim 1, and adds: “wherein the contextual information further comprises information temporally correlating the first alert and the second alert.”

Appellant argues: “[Donoho’s] ‘entities and events’ . . . are not the same as alerts[.] [T]hus[,] temporal or spatial relationships between [the] events and entities do not provide any teaching or hint of ‘temporally correlating the first alert and the second alert.’” Appeal Br. 15 (emphasis omitted).

We are unpersuaded of error. The Examiner finds the Donoho-Dyell combination achieves the claimed correlating because the alerts have similar values for the temporal criterion; that is, each alert satisfies the same temporal criterion. Ans. 6–7. We agree that the events of each alert satisfy the same temporal criterion (supra 5–6 (describing the combination and addressing the arguments for claim 1)) and the alerts are thus “temporally correlated” (claim) because their respective sets of events are temporally similar (inasmuch as each set satisfies the same temporal criterion).

For the foregoing reasons, Appellant has not shown the Donoho-Dyell combination fails to teach or suggest the argued claim limitation. We therefore affirm the Examiner’s decision to reject claim 4. Because the Examiner does not fully articulate the combination (see supra 7–8), we affirm under 37 C.F.R. § 41.50(b).

Claims 10–14

Appellant’s arguments for claims 11–14 do not raise further issues for our consideration, but rather repeat the contentions presented for claim 1. Appeal Br. 16. We therefore affirm the Examiner’s decision to reject claims 10–14. Because the Examiner does not fully articulate the Donoho-Dyell combination (see supra 7–8), we affirm under 37 C.F.R. § 41.50(b).

Claim 15

Claim 15 is separately argued, depends from independent claim 14, and adds: “wherein the distributions comprise a spatial distribution of the previous instances of the second alert across different virtual networks.”

Appellant argues that “Donoho refers to an axis . . . ‘represent[ing] the virtual or physical location of an entity or an event’” but this “has nothing to do with . . . claim 15[.]” Appeal Br. 17 (quoting Donoho ¶ 72).

We are unpersuaded of error. As discussed, the Examiner finds the Donoho-Dyell combination achieves the claimed spatial distribution because an alert’s events satisfy the same spatial criterion (e.g., the events occur at spatially-proximate locations). See supra 4–6 (describing the combination). In rejecting claim 15, the Examiner cites Donoho’s above-noted “axis” to show it would have been obvious for the combination’s spatial criterion to concern a spatial distribution of physical and/or spatial distribution of virtual locations (i.e., both are relevant). Ans. 7–8 (addressing Donoho’s ¶¶ 71–72). We agree that, with regard to the combination evaluating a spatial distribution of events (e.g., determining their proximity), Donoho shows it would have been obvious to consider both physical and virtual locations of events.

Appellant also argues that “Donoho . . . makes no mention of virtual networks[] and thus . . . does not provide any . . . hint of . . . ‘[the claimed] spatial distribution . . . across different virtual networks.’” Appeal Br. 17.

We are unpersuaded of error.
As discussed immediately above, the combination can evaluate a spatial distribution of the virtual locations for events. Appellant does not show that such evaluation fails to suggest, to a skilled artisan, evaluating a spatial distribution of virtual networks for events (e.g., evaluating their proximity). See In re Piasecki, 745 F.2d 1468, 1472 (Fed. Cir. 1984) (“After a prima facie case . . . has been established, the burden of . . . [r]ebuttal is . . . a showing of facts supporting the opposite conclusion.” (internal quotation marks and citation omitted)). For example, Appellant does not show that, here, the evaluations of virtual locations (combination) and virtual networks (claim) are patentably distinct.

For the foregoing reasons, Appellant has not shown the Donoho-Dyell combination fails to teach or suggest the argued claim limitation. We therefore affirm the Examiner’s decision to reject claim 15. Because the Examiner does not fully articulate the combination (see supra 7–8), we affirm under 37 C.F.R. § 41.50(b).

Claims 17, 19, and 20

Appellant argues claims 17, 19, and 20 as a group. Appeal Br. 17. We select claim 17 as representative. 37 C.F.R. § 41.37(c)(1)(iv).

Claim 17 depends from claim 1 and adds: “wherein the comparing of the property of the second alert to the property of the first alert comprises applying a distance function that calculates a similarity value based on a difference between the property of the second alert and the property of the first alert.”

Appellant argues that Dyell’s invention teaches only “fatigue data” that “has nothing to do with” claim 17’s features. Appeal Br. 18.

We are unpersuaded of error in the Examiner’s decision to reject claim 17. As discussed for claim 1, the Examiner finds the Donoho-Dyell combination groups each alert with other prior alerts having similar values for designated criteria. Supra 5 (describing Dyell’s invention).
The grouping of alerts (e.g., grouping a new alert with previous alerts known to be false alerts) occurs as part of Dyell’s “smart alarm,” machine-learning, etc. Dyell ¶¶ 35–36. These features use “clustering” (id. ¶ 35), which axiomatically entails plotting/charting of each alert (as a data point) by its values for designated properties and then grouping alerts if plotted/charted sufficiently close in distance to one another (i.e., if clustered on the plot/chart). Thus, by implementing these features, the combination “appl[ies] a distance function that calculates a similarity value based on a difference between the [compared] property” of each alert (claim) because the combination’s clustering plots/charts the alerts by the property’s value, calculates the distances between alerts (as plotted/charted), and thereby determines alerts are similar/close enough to be grouped (based on those calculated distances).

For the foregoing reasons, Appellant has not shown the Donoho-Dyell combination fails to teach or suggest the argued claim limitation. We therefore affirm the Examiner’s decision to reject claims 17, 19, and 20.

We do so under 37 C.F.R. § 41.50(b) for two reasons. First, the Examiner does not fully articulate the Donoho-Dyell combination. See supra 7–8. Second, and as explained below, our reasons for affirming the Examiner’s decision clearly differ from the Examiner’s findings for representative claim 17.

The Examiner rejects claim 17 over the combination’s use of Dyell’s “alarm fatigue”—not over the combination’s use of Dyell’s above grouping of false alerts. More specifically, the Examiner: incorporates Dyell’s determinations of alarm fatigue and false alerts into the combination (Ans.
4–6); and reads claim 17 on the determination of alarm fatigue (not on the determination of false alerts) because it includes a calculation of the distance a person walks in response to a given alert (id. at 8). We must, therefore, consider Dyell’s determination of alarm fatigue.

We agree with Appellant’s above argument that Dyell’s determination of “alarm fatigue”—and particularly the cited calculation of walking distance—does not teach or suggest the claimed “distance function that calculates a similarity value based on a difference between [properties of alerts].” Appeal Br. 18. We agree because Dyell’s calculation of walking distance for an alert (i.e., for responding) is not a calculation of distance that, as is claimed, concerns a difference between two alerts.

OVERALL CONCLUSION

We affirm the Examiner’s decision to reject claims 1–20.

DECISION SUMMARY

Claim(s) Rejected: 1–20
35 U.S.C. §: 103
Reference(s)/Basis: Donoho, Dyell
Affirmed: 1–20
Reversed:
New Grounds: 1–20

TIME PERIOD FOR RESPONSE

No time period for taking any subsequent action in connection with this appeal may be extended under 37 C.F.R. § 1.136(a)(1)(iv). See 37 C.F.R. § 41.50(f).

37 C.F.R. § 41.50(b) provides that “[a] new ground of rejection . . . , shall not be considered Final for judicial review.” 37 C.F.R. § 41.50(b) also provides that Appellant, WITHIN TWO MONTHS FROM THE DATE OF THE DECISION, must exercise one of the following two options with respect to the new ground of rejection to avoid termination of the appeal as to the rejected claims:

(1) Reopen prosecution. Submit an appropriate amendment of the claims so rejected or new evidence relating to the claims so rejected, or both, and have the matter reconsidered by the examiner, in which event the proceeding will be remanded to the examiner....

(2) Request rehearing.
Request that the proceeding be reheard under § 41.52 by the Board upon the same record . . . .

Further guidance on responding to a new ground of rejection can be found in the Manual of Patent Examining Procedure § 1214.01.

AFFIRMED; 37 C.F.R. § 41.50(b)