VMware, Inc.
Patent Trials and Appeals Board
May 4, 2021
2019005407 (P.T.A.B. May. 4, 2021)

UNITED STATES PATENT AND TRADEMARK OFFICE

UNITED STATES DEPARTMENT OF COMMERCE
United States Patent and Trademark Office
Address: COMMISSIONER FOR PATENTS
P.O. Box 1450
Alexandria, Virginia 22313-1450
www.uspto.gov

APPLICATION NO.: 15/142,593
FILING DATE: 04/29/2016
FIRST NAMED INVENTOR: Vardan Movsisyan
ATTORNEY DOCKET NO.: C951
CONFIRMATION NO.: 5696

152625 7590 05/04/2021
GLOBAL IP SERVICES, PLLC/VMWARE, INC./NICIRA, INC.
121 MOORE ST.
PRINCETON, NJ 08540

EXAMINER: DOAN, HUAN V
ART UNIT: 2437
NOTIFICATION DATE: 05/04/2021
DELIVERY MODE: ELECTRONIC

Please find below and/or attached an Office communication concerning this application or proceeding.

The time period for reply, if any, is set in the attached communication.

Notice of the Office communication was sent electronically on above-indicated "Notification Date" to the following e-mail address(es):
docketing@globalipservices.com
ipadmin@vmware.com
pnama@globalipservices.com

PTOL-90A (Rev. 04/07)

UNITED STATES PATENT AND TRADEMARK OFFICE
____________
BEFORE THE PATENT TRIAL AND APPEAL BOARD
____________
Ex parte VARDAN MOVSISYAN
____________
Appeal 2019-005407
Application 15/142,593
Technology Center 2400
____________
Before KALYAN K. DESHPANDE, CHARLES J. BOUDREAU, and SHARON FENICK, Administrative Patent Judges.

FENICK, Administrative Patent Judge.

DECISION ON APPEAL

STATEMENT OF THE CASE

Pursuant to 35 U.S.C. § 134(a), Appellant¹ appeals from the Examiner’s decision to reject claims 1–20. We have jurisdiction under 35 U.S.C. § 6(b)(1).

We AFFIRM.

¹ We use the word “Appellant” to refer to “applicant” as defined in 37 C.F.R. § 1.42. Appellant identifies VMware, Inc. as the real party in interest. Appeal Br. 3.
CLAIMED SUBJECT MATTER

Appellant’s invention relates to triggering an alert when a particular client attempts and fails to log in to a server a number of times that exceeds a threshold (indicating that an attack from a nefarious entity is underway), and preemptively alerting other servers of the network to reduce the ability of an attacker to successfully gain entry to the network. Spec. ¶¶ 8–12. The invention detects certain patterns of events from stored event information in event logs generated by “log sources.” Id. ¶¶ 8, 11–14. A log source may be a server, virtual computing instance, host, network device, desktop computing device, event channel, log aggregator, or log file. Id. ¶¶ 8, 14–15. “[E]mbodiments [of the invention] can determine a range of patterns of events sufficient to trigger an alert in one log source, and preemptively alert other log sources of the network providing a same functionality as the one log source.” Id. ¶ 12.

Claims 1, 13, and 18 are independent. Claim 1, reproduced below, is illustrative of the subject matter on appeal (emphasis added):

1. A non-transitory machine-readable medium storing instructions executable by a processing resource to cause a computing system to:
   receive a log from a first log source;
   determine whether a pattern of events in the log exceeds an alert threshold of the first log source, wherein the pattern of events is associated with an event source;
   in response to the pattern of events exceeding the alert threshold, trigger an alert particular to the event source; and
   in response to the pattern of events exceeding the alert threshold, initiate a sensitivity threshold of a second log source that provides a same functionality as the first log source;
   wherein the sensitivity threshold is more sensitive than the alert threshold; and
   wherein the sensitivity threshold is particular to the event source.

Appeal Br. 16 (Claims App.).
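The flow recited in claim 1 can be sketched in Python as follows. This is an added example, not code from the application, the decision, or VMware; the class names, the threshold values 5 and 2, the use of a shared "function" label to model "same functionality", and the sample events are all assumptions constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass, field

ALERT_THRESHOLD = 5        # assumed default: failures tolerated per event source
SENSITIVITY_THRESHOLD = 2  # assumed stricter limit initiated on peer log sources


@dataclass
class LogSource:
    name: str
    function: str  # log sources with equal values provide the "same functionality"
    failures: Counter = field(default_factory=Counter)
    overrides: dict = field(default_factory=dict)  # event source -> threshold

    def threshold_for(self, event_source):
        return self.overrides.get(event_source, ALERT_THRESHOLD)


class Correlator:
    def __init__(self, sources):
        self.sources = {s.name: s for s in sources}
        self.alerts = []  # (log source, event source), in the order raised

    def ingest(self, log_source, event_source, outcome):
        src = self.sources[log_source]
        if outcome != "fail":
            return
        src.failures[event_source] += 1
        exceeded = src.failures[event_source] > src.threshold_for(event_source)
        if not exceeded or (log_source, event_source) in self.alerts:
            return
        self.alerts.append((log_source, event_source))
        # Tighten only same-function peers, and only for this event source.
        for peer in self.sources.values():
            if peer is not src and peer.function == src.function:
                peer.overrides.setdefault(event_source, SENSITIVITY_THRESHOLD)


def run_demo():
    web1, web2 = LogSource("web1", "web-login"), LogSource("web2", "web-login")
    db1 = LogSource("db1", "db-login")
    correlator = Correlator([web1, web2, db1])
    # Constructed events: (log source, event source, outcome).
    events = ([("web1", "203.0.113.7", "fail")] * 6
              + [("web2", "203.0.113.7", "fail")] * 3
              + [("web2", "198.51.100.9", "fail")] * 3
              + [("db1", "203.0.113.7", "fail")] * 3)
    for event in events:
        correlator.ingest(*event)
    return correlator.alerts, web2.overrides, db1.overrides
```

In the constructed run, the second web log source alerts on the flagged client after three failures, while an unrelated client on that same log source and the flagged client on the differently-functioning log source are still held to the default threshold.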
REJECTIONS²

The Examiner rejects claims 1–3 and 5–20 under 35 U.S.C. § 103 as being unpatentable over Wang,³ Ginter,⁴ and Weiser.⁵ Final Act. 6–29.

The Examiner rejects claim 4 under 35 U.S.C. § 103 as being unpatentable over Wang, Ginter, Weiser, and Applicant’s admitted prior art (“AAPA”). Final Act. 30.

² A rejection of claims 1–20 under 35 U.S.C. § 101 as being directed to patent-ineligible subject matter has been withdrawn. Ans. 3.
³ Wang et al., US 2012/0331127 A1 (pub. Dec. 27, 2012).
⁴ Ginter et al., US 2005/0015624 A1 (pub. Jan. 20, 2005).
⁵ Weiser et al., US 2013/0147902 A1 (pub. June 13, 2013).

OPINION

Appellant argues that the combination of Wang, Ginter, and Weiser fails to teach or suggest “in response to the pattern of events exceeding the alert threshold, initiat[ing] a sensitivity threshold of a second log source” as recited in independent claim 1 and similarly recited in independent claims 13 and 18. Appeal Br. 11–13. Specifically, Appellant argues that Ginter’s different alarm levels or thresholds cited by the Examiner have a default value and may be changed by a user specifying or selecting a new threshold level, but are not changed “in response to the pattern of events exceeding the alert threshold.” Appeal Br. 11–12 (citing Ginter Abstr., ¶¶ 246–247); see Final Act. 9 (citing Ginter Abstr., ¶¶ 15, 17–18, 65, 133, 225, 246, 291, Fig. 3). Appellant further argues that the Examiner “mischaracterize[s] the teachings of Ginter,” specifically arguing that Ginter’s “usage of the web server ‘in response to a detected alert or alarm’ and . . . usage of the web server in ‘obtaining settings for different threshold and alarm levels . . .’ are not linked.” Appeal Br. 12–13 (quoting Ginter ¶ 133).

We are unpersuaded by Appellant’s arguments. Appellant does not address the Examiner’s findings that Weiser discloses “a threshold is reduced (i.e. a sensitive threshold is obtained) for allowing quick response to a DoS attack when a client is identified as a suspected malicious attacker based on the number of requests (i.e. the pattern of events) received from the client within a predetermined time period” and that “the combination of Ginter-Weiser discloses to initiate a sensitivity threshold in response to the pattern of events exceeding the alert threshold.” Final Act. 5, 9–10 (citing Weiser ¶ 200); see Ans. 5–6.

We agree with the Examiner that Ginter’s disclosure of different thresholds or alarm levels (see, e.g., Ginter ¶ 291), combined with Weiser’s disclosure of “determin[ing] if the number of . . . requests received from the client exceeds a predetermined number or threshold of requests within a predetermined time period” and reducing the threshold “responsive to suspected denial of service attacks or similar behaviors” to “allow[] quick response for distributed denial of service attacks” (Weiser ¶ 200), teaches or at least suggests initiating a sensitivity threshold “in response to the pattern of events exceeding the alert threshold” as claimed. See Final Act. 4–5, 9–10; Ans. 5–6.

Accordingly, we sustain the Examiner’s § 103 rejections of independent claims 1, 13, and 18, and dependent claims 2–12, 14–17, 19, and 20 not argued separately by Appellant.

CONCLUSION

The Examiner’s rejections of claims 1–20 under 35 U.S.C. § 103 are affirmed.

DECISION SUMMARY

In summary:

Claims Rejected    35 U.S.C. §    Reference(s)/Basis            Affirmed     Reversed
1–3, 5–20          103            Wang, Ginter, Weiser          1–3, 5–20
4                  103            Wang, Ginter, Weiser, AAPA    4
Overall Outcome                                                 1–20

TIME PERIOD FOR RESPONSE

No time period for taking any subsequent action in connection with this appeal may be extended under 37 C.F.R. § 1.136(a)(1)(iv).

AFFIRMED