Seculert Ltd.
Patent Trials and Appeals Board
Sep 28, 2021
2020002434 (P.T.A.B. Sep. 28, 2021)

UNITED STATES PATENT AND TRADEMARK OFFICE

UNITED STATES DEPARTMENT OF COMMERCE
United States Patent and Trademark Office
Address: COMMISSIONER FOR PATENTS
P.O. Box 1450
Alexandria, Virginia 22313-1450
www.uspto.gov

| APPLICATION NO. | FILING DATE | FIRST NAMED INVENTOR | ATTORNEY DOCKET NO. | CONFIRMATION NO. |
|---|---|---|---|---|
| 15/017,636 | 02/07/2016 | Amnon Lotem | RADW P0896 | 8786 |

122066 7590 09/28/2021
M&B IP Analysts, LLC
150 Morristown Road
Suite 205
Bernardsville, NJ 07924-2626

| EXAMINER | ART UNIT | PAPER NUMBER | NOTIFICATION DATE | DELIVERY MODE |
|---|---|---|---|---|
| WOLDEMARIAM, NEGA | 2433 | | 09/28/2021 | ELECTRONIC |

Please find below and/or attached an Office communication concerning this application or proceeding.

The time period for reply, if any, is set in the attached communication.

Notice of the Office communication was sent electronically on above-indicated "Notification Date" to the following e-mail address(es):
eofficeaction@appcoll.com
pair@mb-ip.com

PTOL-90A (Rev. 04/07)

UNITED STATES PATENT AND TRADEMARK OFFICE
____________
BEFORE THE PATENT TRIAL AND APPEAL BOARD
____________
Ex parte AMNON LOTEM, DORON PERI, and AVIV RAFF
___________
Appeal 2020-002434
Application 15/017,636
Technology Center 2400
____________

Before CAROLYN D. THOMAS, CARL W. WHITEHEAD JR., and ERIC B. CHEN, Administrative Patent Judges.

CHEN, Administrative Patent Judge.

DECISION ON APPEAL

STATEMENT OF THE CASE

Pursuant to 35 U.S.C. § 134(a), Appellant¹ appeals from the Examiner’s decision to reject claims 1–25. We have jurisdiction under 35 U.S.C. § 6(b).

We AFFIRM.

CLAIMED SUBJECT MATTER

The claims are directed to log-based analysis for protecting computers and networks from malicious communications and malware attacks. (Abstract.) Claim 1, reproduced below, is illustrative of the claimed subject matter, with disputed limitations in italics:

1.
A log-analytic system for identifying outbound communications to detect at least one security threat in at least one client network, said system comprising:

at least one log-analytic detection platform configured to receive a plurality of log files from said at least one client network via a communication network, said plurality of log files including at least one outbound communications log;

at least one asset associated with said at least one client network and configured to communicate with at least one host via said communication network; and

at least one network entity associated with said at least one client network configured to enable outbound communication and further log assessment attributes associated with at least one channel into at least one log file of said plurality of log files;

wherein said at least one channel connects said at least one asset with at least one host and said log-analytic detection system is configured to identify said at least one channel and generate a risk factor that is at least based on said outbound communications log for at least one entity associated with entities of said at least one channel; and

wherein said log-analytic system causes blocking of communication for said at least one entity when said risk factor is indicative of said at least one entity being a security threat.

¹ We use the word “Appellant” to refer to “applicant” as defined in 37 C.F.R. § 1.42(a). Appellant identifies the real party in interest as Seculert. (Appeal Br. 3.)

REFERENCES

| Name | Reference | Date |
|---|---|---|
| Stephenson | US 2008/0082380 A1 | Apr. 3, 2008 |
| Whitehouse | US 2011/0035390 A1 | Feb. 10, 2011 |
| Moghe | US 2011/0035781 A1 | Feb. 10, 2011 |

REJECTIONS

Claims 1–6, 9–18, 23, and 24 stand rejected under 35 U.S.C. § 103 as being unpatentable over Moghe and Stephenson.

Claims 7, 8, 19–22, and 25 stand rejected under 35 U.S.C.
§ 103 as being unpatentable over Moghe, Stephenson, and Whitehouse.²

² Appellant does not present any arguments with respect to the rejection of dependent claims 7, 8, 19–22, and 25 under 35 U.S.C. § 103. (Appeal Br. 23–24.) Thus, any such arguments are deemed to be waived.

OPINION

Claims 1, 3–6, 9–18, 23, and 24

We are unpersuaded by Appellant’s arguments (Appeal Br. 10; see also Reply Br. 4) that the combination of Moghe and Stephenson would not have rendered obvious independent claim 1, which includes the limitation “generate a risk factor.”

The Examiner found that network-based appliance 104 of Moghe, as illustrated in Figure 1, which includes fourth module 116, a risk mitigation layer, and second module 112, an analytics layer, corresponds to the limitation “generate a risk factor.” (Final Act. 5; see also Ans. 3.) We agree with the Examiner’s findings.

Moghe relates to “realtime monitoring, auditing and protection of information assets in enterprise repositories such as databases, file servers, web servers and application servers.” (¶ 3.) Figure 1 of Moghe illustrates network-based appliance 104 (¶ 21), which includes analytics module or layer 112, risk mitigation module or layer 116, and policy management module or layer 118 (¶ 22). Moghe explains that “fourth module 116 (called the risk mitigation layer) allows for flexible actions to be taken in the event alert events are generated in the analytics layer [112]” (¶ 31) and that such analytics layer 112 contains “algorithms that characterize the behavior of a user’s information access and determine any significant deviations from it to infer theft or other proscribed activities” (¶ 27).
In addition, Moghe explains “fifth module 118 (called the policy management layer) interacts with all the other layers” that “allows administrators to specify auditing and theft rules” and “define policy filters (and, in particular, given attack expressions) that capture insider intrusions in an expressive, succinct manner.” (¶ 33.) Because Moghe explains that analytics layer 112 includes algorithms to infer theft based on user behavior and fifth module 118 allows administrators to specify auditing and theft rules, Moghe teaches the limitation “generate a risk factor,” as recited in claim 1.

Appellant argues the following:

[W]ith regard to the claim element of generate a risk factor for at least one entity associated with entities of said at least one channel, the Examiner cites Moghe, paragraph 36 and fourth module 116 called the risk mitigation layer. However, these items of Moghe do not correspond to the claim language. This layer of Moghe simply takes a particular action in response to an alert event. However, there is no teaching of a “risk factor” as required by the claim. In this regard, note that it appears that in Moghe an alert event is an actual intrusion, not a risk thereof.

(Appeal Br. 10 (emphasis omitted); see also Reply Br. 4.) However, the Examiner also cited to second module 112 of Moghe, an analytics layer which contains algorithms to characterize user behavior, and fifth module 118 of Moghe, a policy management layer that allows administrators to specify auditing and theft rules, for teaching the limitation “generate a risk factor.” (Ans. 3.) Appellant has not provided any persuasive arguments or evidence as to why the Examiner’s findings with respect to second module 112 and fifth module 118 of Moghe are in error.
Thus, we agree with the Examiner that the combination of Moghe and Stephenson would have rendered obvious independent claim 1, which includes the limitation “generate a risk factor.”

We are further unpersuaded by Appellant’s arguments (Appeal Br. 13–20; see also Reply Br. 5–8) that the combination of Moghe and Stephenson would not have rendered obvious independent claim 1, which includes the limitation “at least one log-analytic detection platform configured to receive a plurality of log files from said at least one client network via a communication network, said plurality of log files including at least one outbound communications log.”

The Examiner found that the security policy domains of Stephenson, including inter-domain communications policies, correspond to the limitation “at least one log-analytic detection platform configured to receive a plurality of log files from said at least one client network via a communication network, said plurality of log files including at least one outbound communications log.” (Final Act. 5; see also Ans. 4.) In particular, the Examiner found that “inter domain communication log” of Stephenson includes both “out bound and inbound communication log[s].” (Ans. 4.) The Examiner concluded that “it would have been obvious . . . to modify distributed data search, audit and analytics disclosed by Moghe to include method for evaluating system risk, as thought by Stephenson, to include log data to perform analysis of inter-domain communication including out bound communication” (Final Act. 5) and articulated that “[a] person with ordinary skill in the art would have been motivated to include the analysis of communication log data to enhance security and usability” (id. at 5–6). We agree with the Examiner’s findings and conclusions.

Stephenson relates to “risk analysis and management for computer information systems.” (¶ 2.)
Stephenson explains that “[t]he security policy domains, the inter-domain communications policies and the log data are . . . used to perform the inter-domain communications analysis” and “[t]he results of this analysis will represent violations of inter-domain communications policies and therefore potential threats against the system.” (¶ 26.) Because Stephenson explains that inter-domain communications (i.e., both inbound and outbound communications) policies are used to perform threat analysis, Stephenson teaches the limitation “at least one log-analytic detection platform configured to receive a plurality of log files from said at least one client network via a communication network, said plurality of log files including at least one outbound communications log,” as recited in claim 1.

A person of ordinary skill in the art would have recognized that incorporating the threat analysis of Stephenson, based upon inter-domain communications, with network-based appliance 104 of Moghe for monitoring, auditing and protection of information assets, provides the additional ability to detect threats from inter-domain communications. See KSR Int’l Co. v. Teleflex Inc., 550 U.S. 398, 417 (2007) (“[I]f a technique has been used to improve one device, and a person of ordinary skill in the art would recognize that it would improve similar devices in the same way, using the technique is obvious unless its actual application is beyond his or her skill.”). Alternatively, the combination of Moghe and Stephenson is nothing more than incorporating the known threat analysis of Stephenson, based upon inter-domain communications, with network-based appliance 104 of Moghe for monitoring, auditing and protection of information assets, to yield predictable results. See id. at 416 (“The combination of familiar elements according to known methods is likely to be obvious when it does no more than yield predictable results.”).
Thus, we agree with the Examiner that it would have been obvious to combine Moghe with Stephenson. (Final Act. 5–6.)

First, Appellant argues that “Moghe appears to demonstrate only an interest in incoming communication, as evidenced by FIG. 2 and paragraphs 24, 25, 29, and 34” and accordingly, “Moghe fails to recognize or have any facility to make use of any outbound communications log as called for by the claim.” (Appeal Br. 13 (emphases omitted); see also Reply Br. 6.) However, the Examiner also cited to inter-domain communications policies of Stephenson for teaching the limitation “including at least one outbound communications log.” (Ans. 4.) Appellant has not provided any persuasive arguments or evidence as to why the Examiner’s findings are in error.

Second, Appellant argues that

it appears that the Examiner is relying on an underlying assumption [in Moghe and Stephens] which is implied by the equality attempted to be made that whatever comes out of a first machine goes into a second machine, with nothing else being received by the second machine and everything that is transmitted by the first machine being properly received by the second machine.

(Reply Br. 5.) Again, the Examiner also cited to the inter-domain communications policies of Stephenson for teaching the limitation “including at least one outbound communications log.” (Ans. 4.) Appellant has not provided any persuasive arguments or evidence as to why the Examiner’s findings are in error.

Third, Appellant argues that “given that neither Moghe nor Stephenson teaches or suggests at least one outbound communications log as specifically required by the claim, they cannot teach or suggest any element of the claim that relies on or refers back to the at least one outbound communications log.” (Appeal Br. 14 (emphasis omitted); see also Reply Br. 8.)
However, other than a conclusory statement that Stephenson does not teach the limitation “at least one outbound communications log,” Appellant has not provided any persuasive arguments or evidence as to why the Examiner’s findings with respect to Stephenson are in error. (Id.)

Fourth, Appellant argues that

the Examiner erroneously appears to believe that there is some such thing disclosed by Stephenson as an “inter domain communication log.” However, no such log appears to be mentioned in Stephenson. Rather, there is only inter-domain communications policies, which are not logs. Thus, the Examiner’s reasoning is based on a simple misreading of Stephenson, and, as such, is clearly incorrect.

(Appeal Br. 15 (emphasis omitted).) Contrary to Appellant’s arguments, Stephenson explains that “the log data are . . . used to perform the inter-domain communications analysis.” (¶ 26.)

Fifth, Appellant argues that “it appears that this alleged motivation has been concocted using improper hindsight given Appellants’ own teachings to simply justify collecting various elements, or piece parts thereof” and “there is no recognition of the problem solved by the Appellants, there is no suggestion in the references to combine them, or the piece parts disclosed therein, in a manner that would form Appellants’ invention as claimed.” (Appeal Br. 19 (emphasis omitted).) Contrary to Appellant’s arguments, as discussed previously, the combination of Moghe and Stephenson is based on the improvement of a similar device in the same way as in the prior art, or alternatively, combining known elements to achieve predictable results.

Lastly, Appellant argues the following:

Moghe and Stephenson are directed to very different things. Moghe appears primarily concerned with detecting improper insider access and cutting off such access.
By contrast, Stephenson appears to be directed to evaluating a system having at least one portal by a method which includes examining the at least one portal to identify at least one accessible portal, performing a qualitative analysis responsive to the at least one accessible portal, performing a quantitative analysis responsive to the qualitative analysis and generating a risk profile responsive to the performing a qualitative analysis and the performing a quantitative analysis.

(Appeal Br. 20 (emphasis omitted).) To the extent Appellant is arguing that Moghe and Stephenson are non-analogous art, the “Background” section in Appellant’s Specification acknowledges that “Internet security is challenging [because] the types of threats computers are exposed to are rapidly increasing” and “[s]oftware infecting computers is commonly known as malware, referring to a variety of forms of hostile or intrusive software.” (Spec. 1:20–22.) Moreover, Moghe “relates generally to real-time monitoring, auditing and protection of information assets in enterprise repositories such as databases, file servers, web servers and application servers.” (¶ 3.) Additionally, Stephenson “relates generally to computer information systems and more particularly to a method of risk analysis and management for computer information systems.” (¶ 2.) Accordingly, because Appellant’s Specification, Moghe, and Stephenson are from the same field of endeavor—security of computer networks—Moghe and Stephenson are analogous art. See In re Bigio, 381 F.3d 1320, 1325 (Fed. Cir. 2004).
Thus, we agree with the Examiner that the combination of Moghe and Stephenson would have rendered obvious independent claim 1, which includes the limitation “at least one log-analytic detection platform configured to receive a plurality of log files from said at least one client network via a communication network, said plurality of log files including at least one outbound communications log.”

Accordingly, we sustain the rejection of independent claim 1 under 35 U.S.C. § 103. Claim 3 depends from claim 1, and Appellant has not presented any additional substantive arguments with respect to this claim. Therefore, we sustain the rejection of claim 3 under 35 U.S.C. § 103 for the same reasons discussed with respect to independent claim 1.

Independent claims 4 and 16 recite limitations similar to those discussed with respect to independent claim 1, and Appellant has not presented any additional substantive arguments with respect to these claims. We sustain the rejection of claims 4 and 16, as well as dependent claims 5, 6, 9–15, 17, 18, 23, and 24, for the same reasons discussed with respect to claim 1.

Claim 2

Although Appellant nominally argues the rejection of dependent claim 2 separately (Appeal Br. 21–22), the arguments presented do not point out with particularity or explain why the limitations of this dependent claim are separately patentable. Instead, Appellant argues the following:

There is no showing in this paragraph [36 of Moghe] that any of these components correspond to any of a channel, an asset, or a host such as are disclosed, defined, and situated in claim [2]. In other words, the Examiner fails to relate the elements of paragraph 36 of Moghe to those elements that it cites for claim [2].

(Id. at 22 (emphasis omitted).)
Appellant merely provides a conclusory statement that Moghe does not disclose the features of this dependent claim, without a sufficiently detailed explanation of the differences between the limitations of claim 2 and Moghe. (See id.) Accordingly, Appellant has not presented any substantive arguments with respect to dependent claim 2. See In re Lovin, 652 F.3d 1349, 1357 (Fed. Cir. 2011) (“[T]he Board reasonably interpreted Rule 41.37 to require more substantive arguments in an appeal brief than a mere recitation of the claim elements and a naked assertion that the corresponding elements were not found in the prior art.”). We are not persuaded by these arguments for the reasons discussed with respect to claim 1 from which claim 2 depends.

CONCLUSION

The Examiner’s decision rejecting claims 1–25 under 35 U.S.C. § 103 is affirmed.

DECISION SUMMARY

In summary:

| Claims Rejected | 35 U.S.C. § | Reference(s)/Basis | Affirmed | Reversed |
|---|---|---|---|---|
| 1–6, 9–18, 23, 24 | 103 | Moghe, Stephenson | 1–6, 9–18, 23, 24 | |
| 7, 8, 19–22, 25 | 103 | Moghe, Stephenson, Whitehouse | 7, 8, 19–22, 25 | |
| Overall Outcome | | | 1–25 | |

TIME PERIOD FOR RESPONSE

No time period for taking any subsequent action in connection with this appeal may be extended under 37 C.F.R. § 1.136(a)(1)(iv).

AFFIRMED