Ravi Chakravarthi Kumar et al.
Patent Trials and Appeals Board, Apr 15, 2020
11320593 - (D) (P.T.A.B. Apr. 15, 2020)

UNITED STATES PATENT AND TRADEMARK OFFICE

UNITED STATES DEPARTMENT OF COMMERCE
United States Patent and Trademark Office
Address: COMMISSIONER FOR PATENTS
P.O. Box 1450
Alexandria, Virginia 22313-1450
www.uspto.gov

APPLICATION NO.: 11/320,593
FILING DATE: 12/30/2005
FIRST NAMED INVENTOR: Ravi Chakravarthi Kumar
ATTORNEY DOCKET NO.: 909497-US-NP/AVA270PA
CONFIRMATION NO.: 4532

136582 7590 04/15/2020
STEVENS & SHOWALTER, LLP
Box AVAYA Inc.
7019 Corporate Way
Dayton, OH 45459-4238

EXAMINER: TRAN, TONGOC
ART UNIT: 2434
PAPER NUMBER:
NOTIFICATION DATE: 04/15/2020
DELIVERY MODE: ELECTRONIC

Please find below and/or attached an Office communication concerning this application or proceeding.

The time period for reply, if any, is set in the attached communication.

Notice of the Office communication was sent electronically on above-indicated "Notification Date" to the following e-mail address(es):
pair_avaya@firsttofile.com
pto@sspatlaw.com

PTOL-90A (Rev. 04/07)

UNITED STATES PATENT AND TRADEMARK OFFICE
____________________

BEFORE THE PATENT TRIAL AND APPEAL BOARD
____________________

Ex parte RAVI CHAKRAVARTHI KUMAR, TAL I. LAVIAN, VASANT SAHAY, NIRMALENDU DAS, BIJU SAJIBHAVAN KUNJUKUNJU, DAVID BURTON LEVI, and PHILIPPE MICHELET
____________________

Appeal 2018-004962
Application 11/320,593¹
Technology Center 2400
____________________

Before ST. JOHN COURTENAY III, THU A. DANG, and BARBARA A. BENOIT, Administrative Patent Judges.

DANG, Administrative Patent Judge.

¹ In a prior Decision (Appeal Number 2011-008906, decided February 3, 2014, hereinafter “Prior Dec.”), we affirmed the Examiner’s rejections of claims 1, 8–16, 18, and 19 under 35 U.S.C. § 103(a) over the teachings of Brebner and Sweet; and of claims 2–7 under 35 U.S.C. § 103(a) over the teachings of Brebner, Sweet, and Karthik.

DECISION ON APPEAL

I. STATEMENT OF THE CASE

Appellant appeals under 35 U.S.C. § 134(a) from the Examiner’s Final Rejection of claims 1, 3, 5, 7–16, 19, and 22–26 (Appeal Br. 13), which constitute all the claims pending in this application.² Claims 2, 4, 6, 17, 18, 20, and 21 were previously cancelled. We have jurisdiction under 35 U.S.C. § 6(b).

We reverse.

² We use the word “Appellant” to refer to “applicant” as defined in 37 C.F.R. § 1.42. According to Appellant, the real party in interest is Avaya, Inc. Appeal Br. 3.

A. INVENTION

According to Appellant, the claimed invention is directed to authenticating network users, including evaluating a security context prior to a request for connection to a network and assigning access privileges based upon the evaluation. Spec., Abstract.

B. ILLUSTRATIVE CLAIM

Claim 1 is exemplary and is reproduced below:

1. A method for authenticating network users comprising the steps of:

    receiving, from a client device, a request for connection to a network;

    receiving, from the client device, a security context associated with the requested connection, wherein at least a portion of the security context is obtained by the client device prior to the request for connection to the network by scanning the client device for potential security threats before the client device requests to access the network using an agent program previously downloaded to the client device before the request for connection was received;

    evaluating the security context associated with the requested connection;

    assigning the client device one or more access privileges based at least in part on the evaluation of the security context;

    generating a security token that records the one or more access privileges assigned to the client device; and

    downloading the security token to the client device.

C. REJECTION

The prior art relied upon by the Examiner in rejecting the claims on appeal is:

Name      Reference              Date
Sweet     US 2002/0031230 A1     Mar. 14, 2002
Brebner   US 2004/00893394 A1    Apr. 29, 2004
Cain      US 2006/005032 A1      Jan. 5, 2006

Claims 1, 3, 5, 7–16, 19, and 22–26 stand rejected under 35 U.S.C. § 103(a) as being unpatentable over Brebner in view of Sweet and Cain.

II. ISSUES

The dispositive issues before us are whether the Examiner has erred in determining that the combination of Brebner, Sweet, and Cain teaches or suggests “receiving, from the client device, a security context associated with the requested connection,” wherein “at least a portion of the security context is obtained by the client device prior to the request for connection to the network” by “scanning the client device for potential security threats before the client device requests to access the network using an agent program previously downloaded to the client device before the request for connection was received.” Claim 1 (emphasis added).

III. FINDINGS OF FACT

The following Findings of Fact (FF) are shown by a preponderance of the evidence.

Brebner

1. Brebner discloses a method for dynamically collecting and assessing a plurality of confidence parameters that reflect factors relating to the security of the transaction context after the user initiates an authentication request. ¶¶ 19–21. The confidence parameters may include intrinsic context parameters such as user input device security, required transaction security level, required resource security level and the like; and/or extrinsic context parameters such as changes in network characteristics, dynamic changes in the sensitivity of the transaction and the like. ¶¶ 29–31.

Cain

2. Cain discloses a method for managing access to a resource over a network, wherein, upon receiving a request for access to a resource over a network, a resource controller determines a parameter associated with the request based on a query of the user and a scan of the client device associated with the request. Abstract. In particular, the resource controller authorizes a user employing a client device for sign-on with authentication, wherein the authorization process begins with the client device transmitting a request for sign-on, and the resource controller determines scanning requirements based on the user’s request. ¶¶ 53–54. The resource controller downloads a scanner applet, the download performs the security scan, transmits scan results back to the resource controller, and the resource controller then evaluates the scan results and the requirements for signing on. ¶ 54. The resource controller evaluates access control rules based on the session characteristics and the trust parameters. ¶ 57.

Rao

3. Rao discloses a scanning agent generated to gather information about a node requesting access to a resource, wherein the scanning agent is transmitted to the node and gathers information regarding the node. Abstract.

III. ANALYSIS

In a Prior Decision, we affirmed the Examiner’s rejection of independent claims 1 and 19, as well as claims 8–16 and 18, depending therefrom, over Brebner and Sweet. See Prior Dec. 6. In particular, we determined that Appellant “fail[s] to address the actual obviousness rejection of record, Brebner in view of Sweet,” where “the Examiner relies upon Brebner’s method of authenticating a user’s access privileges through the step of collecting dynamic confidence parameters related [to] the security of the transaction context.” Id. at 5.

In the present Appeal, independent claim 1 has been amended to recite, inter alia, the step of “receiving, from the client device, a security context associated with the requested connection,” wherein at least a portion of the security context is “obtained by the client device prior to the request for connection to the network” by “scanning the client device for potential security threats before the client device requests to access the network using an agent program previously downloaded to the client device before the request for connection was received.” Claim 1 (emphasis added). Independent claims 19 and 23 were similarly amended.

According to Appellant, in the claimed invention, the agent program (that was previously downloaded to the client device before the request was received) scans the client device (again, before the client device requests to access the network) to create at least a portion of the security context. Appeal Br. 16.

Appellant agrees with the Examiner that Brebner does not teach or suggest “at least a portion of the security context is obtained by the client device prior to the request for connection to the network,” as recited in claim 1, for example. Appeal Br. 16. However, although the Examiner relies on paragraph 54 of Cain for such teaching, Appellant contends that paragraph 54 of Cain indicates that the resource controller pushes a scanner applet to the client “after receiving the request,” and then the scanner applet performs the scan and reports the results of the scan to the resource controller for evaluation. Id. at 17 (citing Final Act. 5). That is, according to Appellant, in the claimed invention as set forth in the amended claims, the agent program is “previously downloaded and stored” from a previous request for connection, but, on the other hand, “Cain is silent with regard to having the scanner applet on the client device before the request for connection is received.” Id.

According to Appellant, although the Examiner finds that “a virus scanner [previously downloaded] is well known in the art” (Appeal Br. 18 (citing Final Act. 5–6)), Appellant contends that the citations in the exemplary reference of Rao provided by the Examiner “merely indicate that virus scanning occurs, not that context scanning occurs prior to the request for connection to the network.” Appeal Br. 18. That is, Appellant contends that the Examiner indicates that a “virus scanner” (not a “security context scanner” as set forth in the claims) is well known in the art, wherein “there is no association between a virus scanner and the network to which a client device requests connection.” Id. at 19.

We have considered all of Appellant’s arguments and evidence presented. We agree with Appellant that the preponderance of the evidence on this record does not support the Examiner’s legal conclusion that the claims would have been obvious over Brebner, Sweet, and Cain.

We agree with the Examiner’s reliance on Brebner for teaching “receiving, from the client device, a security context associated with the requested connection” (Final Act. 4; see also FF 1), and on Cain for teaching at least a portion of the security context being “obtained by the client device” by “scanning the client device for potential security threats” using “an agent program” such as a scanner applet (Final Act. 4–5 (emphasis omitted); see also FF 2). However, we agree with Appellant that Cain teaches that the resource controller pushes the scanner applet to the client “after receiving the request.” Appeal Br. 17 (citing Final Act. 5); see FF 2.

A preponderance of the evidence does not support the Examiner’s conclusion that it would have been obvious “to implement Brebner’s dynamic evaluation of the client device with Cain’s scanning of client’s device for potential security threats to ensure client device . . . is free of potential security threat before [being downloaded to] client for secure transaction.” Ans. 5 (emphasis added). As the Examiner finds, “Cain does not explicitly disclose the agent program [is] previously downloaded to the client device and the scanning is performed before the request.” Id.

Although the Examiner finds that “downloading agent at the client device to collect security data or scanning for virus is well known in the art,” and cites to Rao as an example, we are unpersuaded. Ans. 5. As Appellant points out, the citations in Rao provided by the Examiner “merely indicate that virus scanning occurs, not that context scanning occurs prior to the request for connection to the network,” wherein “there is no association between a virus scanner and the network to which a client device requests connection.” Appeal Br. 18–19; see also FF 3. That is, Rao does not disclose any obtaining of “security context associated with the requested connection” by scanning, as claimed. Claim 1 (emphasis added); see FF 3.

We would have to engage in some degree of speculation regarding the Examiner’s finding and conclusion (Ans. 5–6) that it would have been obvious to implement Brebner’s method of assessing transaction context parameters after the user authentication request (FF 1) with Cain’s method of determining scanning requirements based on the user’s request (FF 2), to arrive at the claimed limitation of “at least a portion of the security context [associated with the requested connection] is obtained by the client device prior to the request for connection to the network” by “scanning the client device for potential security threats before the client device requests to access the network using an agent program previously downloaded.” See claim 1. The citation to Rao’s scanning agent gathering information about a node (FF 3) does not cure the deficiencies of Brebner and Cain.

To affirm the Examiner’s finding of obviousness would require us to resort to speculation, unfounded assumptions, or hindsight reconstruction. See In re Warner, 379 F.2d 1011, 1017 (CCPA 1967). We do not resort to hindsight reconstruction, speculation, or assumptions to cure the deficiencies in the proffered combination in order to support the Examiner’s rejection.

The Examiner adds in the Answer that “Cain also mentions the level of access may have additional conditions, such as repeating the scan of the client device at predetermined intervals.” Ans. 14 (emphasis omitted) (citing Cain ¶ 49). However, we would have to engage in some degree of speculation regarding the Examiner’s finding and conclusion that “Cain also suggests that the information may need to be collected before the user initiate the request.” Id. (emphasis added). We decline to engage in such speculation. Here, as Appellant contends, a reasonable interpretation of the passage of Cain cited by the Examiner could be “that after a level of access has been determined, the level of access may be determined again within the same connection at predetermined intervals.” Reply Br. 4 (emphasis added).

Thus, the Examiner’s conclusion of obviousness appears to have been constructed using impermissible hindsight, wherein the Examiner appears to have worked backward by inventing reasons to modify Brebner and Cain to arrive at the claimed invention rather than showing evidence that would have suggested the claimed invention. See Ex parte Markovitz, Appeal No. 1999-1942, slip op. at 8–9 (PTAB Sept. 26, 2001).

Accordingly, we are persuaded by Appellant’s contentions that Brebner, Sweet, and Cain fail to teach or suggest “receiving, from the client device, a security context associated with the requested connection,” wherein “at least a portion of the security context is obtained by the client device prior to the request for connection to the network” by “scanning the client device for potential security threats before the client device requests to access the network using an agent program previously downloaded to the client device before the request for connection was received,” as recited in claim 1.

Consequently, we are constrained by the record before us to find that the Examiner erred in finding the combination of Brebner, Sweet, and Cain teaches or suggests Appellant’s claim 1. Independent claims 19 and 23 include limitations of commensurate scope. Dependent claims 3, 5, 7–16, 22, and 24–26 depend on claims 1, 19 and 23 respectively, and stand with their respective independent claims. Accordingly, we do not sustain the Examiner’s obviousness rejection of claims 1–3, 5, 7–16, 19, and 22–26 over Brebner, Sweet and Cain.

IV. CONCLUSION AND DECISION

The Examiner’s rejection of claims 1–3, 5, 7–16, 19, and 22–26 under 35 U.S.C. § 103(a) is reversed.

Claims Rejected: 1–3, 5, 7–16, 19, 22–26
35 U.S.C. §: 103(a)
Reference(s)/Basis: Brebner, Sweet, Cain
Affirmed:
Reversed: 1–3, 5, 7–16, 19, 22–26

REVERSED