Nicira, Inc.
Patent Trials and Appeals Board
May 24, 2021
2019005596 (P.T.A.B. May. 24, 2021)

UNITED STATES PATENT AND TRADEMARK OFFICE

UNITED STATES DEPARTMENT OF COMMERCE
United States Patent and Trademark Office
Address: COMMISSIONER FOR PATENTS
P.O. Box 1450
Alexandria, Virginia 22313-1450
www.uspto.gov

APPLICATION NO.: 14/320,581
FILING DATE: 06/30/2014
FIRST NAMED INVENTOR: Kiran Kumar Thota
ATTORNEY DOCKET NO.: N162.05 (B839.05) (P0285)
CONFIRMATION NO.: 1061

109858 7590 05/24/2021
ADELI LLP
P.O. Box 516
Pacific Palisades, CA 90272

EXAMINER: ALMAMUN, ABDULLAH
ART UNIT / PAPER NUMBER: 2431
NOTIFICATION DATE: 05/24/2021
DELIVERY MODE: ELECTRONIC

Please find below and/or attached an Office communication concerning this application or proceeding.

The time period for reply, if any, is set in the attached communication.

Notice of the Office communication was sent electronically on above-indicated "Notification Date" to the following e-mail address(es):
ipadmin@vmware.com
mail@adelillp.com

PTOL-90A (Rev. 04/07)

UNITED STATES PATENT AND TRADEMARK OFFICE

BEFORE THE PATENT TRIAL AND APPEAL BOARD

Ex parte KIRAN KUMAR THOTA, AZEEM FEROZ, and JAMES C. WIESE

Appeal 2019-005596
Application 14/320,581 [1]
Technology Center 2400

Before MAHSHID D. SAADAT, ALLEN R. MacDONALD, and NABEEL U. KHAN, Administrative Patent Judges.

SAADAT, Administrative Patent Judge.

DECISION ON APPEAL

STATEMENT OF THE CASE

Pursuant to 35 U.S.C. § 134(a), Appellant [2] appeals from the Examiner’s decision to reject claims 1–11 and 13–20. We have jurisdiction under 35 U.S.C. § 6(b).

We affirm.

[1] Appeal No. 2020-001137 (Application No. 14/815,950) appears to be related to this appeal because both appeals share the same inventors and real parties in interest, and are directed to substantially similar inventions.

[2] We use the word Appellant to refer to “applicant” as defined in 37 C.F.R. § 1.42(a). Appellant identifies the real parties in interest as VMware, Inc., and Nicira, Inc. Appeal Br. 2.

CLAIMED SUBJECT MATTER

The claims are directed to an encryption method for encrypting data messages sent by guest virtual machines (“GVMs”). Spec. ¶ 5. Claim 1, reproduced below, illustrates the claimed subject matter:

    1. A method of providing encryption services on a computer that executes a plurality of virtual machines (VMs), the method comprising:

        at a service VM executing on the computer, dynamically detecting an event on a particular VM, wherein dynamically detecting an event comprises one of detecting an initiation of a data message flow and detecting malware;

        based on the detected event, dynamically generating an encryption rule for encrypting data messages that are sent from the particular VM, the encryption rule specifying a set of header values identifying a data message flow requiring encryption;

        providing the generated encryption rule to an encryptor that intercepts data messages sent by the particular VM; and

        applying the encryption rule at the encryptor to encrypt intercepted messages sent by the particular VM when the intercepted messages have header values that match the set of header values specified in the encryption rule.

REFERENCES

The prior art relied upon by the Examiner is:

    Name      Reference             Date
    Chopra    US 2014/0226820 A1    Aug. 14, 2014
    Yung      US 7,778,194 B1       Aug. 17, 2010
    Dube      US 2007/0098010 A1    May 3, 2007

REJECTION

Claims 1–11 and 13–20 stand rejected under 35 U.S.C. § 103 as unpatentable over Chopra, Yung, and Dube.

OPINION

We have reviewed the Examiner’s rejection under 35 U.S.C. § 103 in light of Appellant’s contentions and the evidence of record. We agree with the Examiner’s findings and highlight the following for emphasis.

Claims 1, 2, and 11

The Examiner found that Chopra discloses, inter alia, “dynamically detecting an event on a particular VM,” and “based on the detected event, dynamically generating an encryption rule for encrypting data messages that are sent from the particular VM,” as recited in independent claim 1. See Final Act. 6. More specifically, the Examiner found Chopra discloses an encryption module that detects a transmission of a frame to a physical network interface card (“pNIC”), intercepts the frame, selects an encryption policy rule from a set of encryption policy rules that is applicable based on the Internet Protocol (“IP”) address of the frame and a decision whether to encrypt or not encrypt, and uses an encryption key to encrypt the frame based on the selected encryption policy rule. See id. (citing Chopra ¶¶ 35, 40, Table 1); see also Ans. 4–5 (citing Chopra ¶¶ 34–36, 40, Table 1, Fig. 1).

The Examiner further found that Yung discloses “wherein dynamically detecting an event comprises one of detecting an initiation of a data message flow and detecting malware,” as recited in claim 1. See Final Act. 7. More specifically, the Examiner found Yung discloses a traffic classification engine that detects packets that are transmitted during a handshake (i.e., an initiation of a data message flow), and that further detects computer viruses contained within packets. See id. (citing Yung 3:28–38, 11:20–25); see also Ans. 4 (citing Yung 3:28–38, 11:20–25, 13:41–44, Abstract).

The Examiner additionally found that Dube discloses “the encryption rule specifying a set of header values identifying a data message flow requiring encryption,” as recited in claim 1. Final Act. 7. More specifically, the Examiner found Dube discloses analyzing a header value contained within a packet and sending the packet to a peripheral hardware device for encryption based on the analyzed header value. See id. (citing Dube ¶ 12); see also Ans.
4 (citing Dube ¶ 12).

Regarding claim 2, the Examiner found that the combination of Chopra and Yung discloses “wherein generating the encryption rule comprises examining a plurality of encryption policies to determine whether an encryption rule needs to be specified for the detected event, wherein generating the encryption rule comprises generating the encryption rule based on the examination of the encryption policies,” as recited in the claim. See Final Act. 8. More specifically, the Examiner found Chopra discloses examining a set of encryption policy rules and selecting an encryption policy rule from the set of encryption policy rules, and further finds Yung discloses traffic classification matching rules. See id. (citing Chopra ¶ 40, Table 1; Yung 13:41–44); see also Ans. 8 (citing Chopra ¶¶ 39–40, Table 1).

With respect to independent claim 11, the Examiner made findings substantially similar to its findings regarding claims 1 and 2, discussed above. See Final Act. 10–12; see also Ans. 6–8.

Regarding claim 1, Appellant contends the combination of Chopra and Yung fails to address generating an encryption rule based on either of the specifically-recited events (i.e., detecting an initiation of a data message flow or detecting malware). See Appeal Br. 10, 13; see also Reply Br. 2. This argument is not persuasive because the argument addresses the references individually rather than the combination of references. In other words, as described above, the Examiner found Chopra teaches the claimed “detecting an event,” and “generating an encryption rule,” Yung teaches the claimed “detecting an event comprises one of detecting an initiation of a data message flow and detecting malware,” and that it would have been obvious to a person of ordinary skill in the art to modify the system of Chopra to detect an event involving an initiation of a data message flow and malware based on the teachings of Chopra and Yung. See Final Act.
7 (citing Yung, Abstract). One cannot show non-obviousness by attacking references individually when the rejection is based on a combination of references. See In re Merck & Co., Inc., 800 F.2d 1091, 1097 (Fed. Cir. 1986); see also In re Keller, 642 F.2d 413, 425 (CCPA 1981).

With respect to claim 1, Appellant additionally contends that Dube and Yung are completely silent regarding dynamically generating encryption rules based on a detected event, and thus, the combination of Chopra, Yung, and Dube fails to disclose or suggest dynamically generating an encryption rule identifying a data message flow requiring encryption based on detecting an event on a virtual machine. See Appeal Br. 11; see also Reply Br. 2. This argument is not persuasive either as the Examiner relied upon Chopra, rather than Yung or Dube, for teaching dynamically generating encryption rules based on a detected event. See Final Act. 7. Thus, this argument addresses the references individually as well, rather than the combination of references, and is not persuasive.

Regarding claim 2, Appellant argues the encryption keys of Chopra are generated or fetched when a new secure wire is initially added or when a virtual network interface card (“vNIC”) joins a secure wire, not based on encryption policy rules. See Appeal Br. 16. According to Appellant, Chopra neither describes examining encryption policies to determine whether an encryption rule needs to be specified for a detected event, nor generating an encryption rule based on an examination of the encryption policy rules. See id.; see also Reply Br. 4–5. Appellant additionally argues that Yung’s traffic classification matching rule is not an encryption rule. See Appeal Br. 17. These arguments are not persuasive either.
We agree with the Examiner that Appellant’s Specification does not provide a definition for the claimed generating an encryption rule, or otherwise distinguish the claimed generating an encryption rule from Chopra’s disclosure of selecting an encryption policy rule and applying the selected encryption policy rule to encrypt the payload of a frame. See Ans. 8.

With respect to claim 11, Appellant’s arguments are similar to its arguments regarding claims 1 and 2 (see Appeal Br. 13–14; see also Reply Br. 2–3), and are not persuasive for the reasons previously discussed.

Claims 8 and 18

The Examiner found that the combination of Chopra and Yung discloses “wherein generating the encryption rule comprises forwarding the detected event to a set of controllers, said controller set determining whether an encryption policy has to be provided to the computer to generate, at the computer, an encryption rule for the detected event,” as recited in claim 8 and similarly recited in claim 18. See Final Act. 9–10. More specifically, Chopra discloses an encryption module (which the Examiner finds as teaching the claimed “set of controllers” under its broadest reasonable interpretation) that examines a set of encryption policy rules and selects an encryption policy rule from the set of encryption policy rules, and further finds Yung discloses traffic classification matching rules. See id. (citing Chopra ¶ 40, Table 1; Yung 13:41–44); see also Ans. 9 (citing Chopra ¶¶ 39–40, Figs. 1, 3, 4).

Appellant contends the Examiner may not reasonably interpret the claimed “set of controllers” to read on Chopra’s encryption module because Chopra’s encryption module merely determines whether a data frame should be encrypted and invokes an application programming interface (“API”) in a key management module to encrypt the data frame, as opposed to determining whether an encryption policy has to be provided to a computer to generate, at the computer, an encryption rule for a detected event. See Reply Br. 5–6; see also Appeal Br. 18. Appellant however did not provide any additional explanation, nor pointed to any part of the Specification to rebut the Examiner’s explanation. See Reply Br. 6.

As the Examiner correctly found, Chopra discloses that the encryption module determines whether an encryption policy rule is applicable to a frame based on the IP address of the frame. See Ans. 9 (citing Chopra ¶¶ 39–40). We further agree with the Examiner that Appellant’s Specification does not define the term “controller” and its function in any manner that distinguishes the claimed “set of controllers” from Chopra’s encryption module. See Ans. 9. Thus, we are not persuaded of Examiner’s error in finding that Chopra’s encryption module teaches the claimed “set of controllers . . . determining whether an encryption policy has to be provided to the computer to generate, at the computer, an encryption rule for the detected event.”

Claims 10 and 19

The Examiner found that Chopra discloses “wherein the encryption rule specifies an encryption key identifier that identifies an encryption key to use to encrypt the data messages, wherein the encryption key is also provided to the encryptor, wherein before providing the encryption key, the encryption key is retrieved from a key manager,” as recited in claim 10 and similarly recited in claim 19. See Final Act. 10.
More specifically, the Examiner finds Chopra discloses the encryption module encrypts a payload of a frame using an encryption key associated with an encryption policy rule. See id. (citing Chopra ¶ 22); see also Ans. 10 (citing Chopra ¶¶ 34–35, 39, 40, 43, Table 1, Fig. 1).

Appellant contends Chopra’s encryption policy rules do not include an encryption key identifier. See Reply Br. 6–7; see also Appeal Br. 19–20. We are not persuaded by this argument either. As found by the Examiner (Ans. 10), Chopra discloses that the encryption module determines which secure wire a vNIC belongs to, and further discloses that a selected encryption policy rule identifies which secure wire a vNIC belongs to. See Chopra ¶¶ 36, 39, 40, Table 1. Chopra further discloses that the encryption module invokes an API exposed by a key management module to encrypt a payload of the frame using an encryption key associated with the secure wire identified by the encryption policy rule. See Chopra ¶ 37. By identifying the secure wire, which is subsequently used to identify an encryption key, Chopra’s encryption policy rules do include an encryption key identifier that identifies an encryption key used to encrypt the payload of the frame.

Claims 3–7, 9, 13–17, and 20

No separate arguments are presented for claims 3–7, 9, 13–17, and 20. See generally Appeal Br. Accordingly, we sustain the rejection of claims 3–7, 9, 13–17, and 20 under 35 U.S.C. § 103.

CONCLUSION

We affirm the Examiner’s decision to reject claims 1–11 and 13–20 under 35 U.S.C. § 103.

DECISION SUMMARY

In summary:

    Claims Rejected    35 U.S.C. §    Reference(s)/Basis     Affirmed       Reversed
    1–11, 13–20        103            Chopra, Yung, Dube     1–11, 13–20

TIME PERIOD FOR RESPONSE

No time period for taking any subsequent action in connection with this appeal may be extended under 37 C.F.R. § 1.136(a). See 37 C.F.R. § 1.136(a)(1)(iv).

AFFIRMED