PNG
    media_image1.png
    340
    340
    media_image1.png
    Greyscale
United States Patent and Trademark Office    
        
            
                                
            
        
    

Commissioner for Patents
United States Patent and Trademark Office
P.O. Box 1450
Alexandria, VA 22313-1450
www.uspto.gov











BEFORE THE PATENT TRIAL AND APPEAL BOARD


Application Number: 16/360,264
Filing Date: 21 Mar 2019
Appellant(s): Renner et al.



__________________
Stephen Terrile (Reg. No. 32,946)
For Appellant


EXAMINER’S ANSWER





This is in response to the appeal brief filed 3/29/2021.

(1) Grounds of Rejection to be Reviewed on Appeal

Claims 21-40 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA  35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.

Claims 21-40 is/are rejected under 35 U.S.C. 103 as being unpatentable over U.S. Patent Application Publication Number 2018/0285363 by Dennis et al. in view of U.S. Patent Application Publication Number 2015/0256550 by Taylor et al.

(2) Response to Argument
Written Description
In the applicant’s 5/1/2020 amendment, the applicant amended the claims to specify that an event stream is received from a protected endpoint and that the protected endpoint comprises an endpoint agent.  The Examiner had to consider what it would mean to receive an event stream from a protected endpoint in order to evaluate the patentability of the claims.  Figure 3 ref. no. 302 of the applicant’s disclosure shows the concept of the protected endpoint.  Paragraph 31 of the specification defines the protected endpoint as “broadly referring to a policy based approach to network security”.  The protected endpoint, as disclosed by the applicant in paragraph 31, is not a physical entity that can provide a stream to be received.  Instead, it is a “policy-based approach” that somehow applies to the end point devices 304. It would appear that the end point devices interact with an endpoint agent 306 in paragraphs 37-42 but there is no disclosure of how the endpoint agent is related to the concept of the protected endpoint other than the endpoint agent 306 being shown as being in the same protected 
According to section 2163.02 of the MPEP:
The subject matter of the claim need not be described literally (i.e., using the same terms or in haec verba) in order for the disclosure to satisfy the description requirement. If a claim is amended to include subject matter, limitations, or terminology not present in the application as filed, involving a departure from, addition to, or deletion from the disclosure of the application as filed, the examiner should conclude that the claimed subject matter is not described in that application. This conclusion will result in the rejection of the claims affected under 35 U.S.C. 112(a)  or pre-AIA  35 U.S.C.112, first paragraph - description requirement, or denial of the benefit of the filing date of a previously filed application, as appropriate.

By specifying that the concept of a protected endpoint is creating an event stream in the 5/1/2020 amendment, the applicant made a significant departure from what is originally disclosed.  There is no specific disclosure of how the concept of the protected endpoint would create a stream when it is only idea for managing actual devices.  While the Examiner agrees that there is support for endpoint agents to create event streams, the Examiner believes that the language to state that the protected endpoint provides the stream creates meaning that was not supported by what is disclosed.
The applicant argues that:
As the examiner notes, claim 1 recites receiving an event stream from a protected endpoint. Applicant respectfully submits that one of ordinary skill in the art would reasonably conclude that Applicant’s disclosure adequately described the claimed invention at the time of filing because the feature of receiving an event stream from a protected endpoint is at least impliedly taught by the present application as it was originally filed, and art to which the claimed invention belongs is mature and the predictable nature of the art mandates a generally lower showing of possession.
The protected endpoint is described in a plurality of locations within the application as filed. (See e.g., application, Figures 3, 4 and 5 and paragraphs [0029] - [0031].) Additionally, the specification specifically sets forth that the endpoint agent may be implemented to communicate a stream of event data collected by an event data collector module (which is shown within an In-Line Entity Resolution Feature Pack of an Endpoint Agent) to the security analytics system (see e.g., application, Figure 9 and Paragraph [00178]). Those of ordinary skill in the art would understand that such a disclosure at least 

However the applicant’s arguments do not explicitly identify “some construct” that is implied by the disclosure and the applicant has not explained what is meant by “the maturity and predictability of the subject art”.  The applicant has failed to explain how Figures 3-5 and 9 and paragraphs 29-31 and 178 imply the presence of a construct to receive an event stream from an abstract concept such as the applicant’s disclosed concept of a protected endpoint.
The applicant further argues that:
The specification as filed also describes and shows an event collector which receives an event stream. (See application, e.g., paragraph [0046]; Figure 4.) Those of ordinary skill in the art would understand that such a disclosure at least implies (and arguably expressly describes) that a protected endpoint would be one instantiation of the event collector. Further, it is respectfully submitted that one of ordinary skill in the art would have understood that a protected endpoint would be one instantiation of the event collector.

Paragraph 43 states that Figure 4 is a block diagram of the security analytics system.  Figure 4 shows an event stream collector that provides an event stream to an enrichment module 406.  This is described in paragraph 46.  Figure 4 however is separate from the endpoint agent because it is part of the security analytics system which, as shown in Figures 5 and 9, is separate any component that could be part of a protected endpoint, as defined with respect the concept box 302 in Figure 3.   In paragraphs 51-56, the applicant discloses that endpoint agent 306 sends contextual information to edge device 202 which is disclosed as implementing the security analytics systems.  The applicant’s assertion that the protected endpoint would be one instantiation of the event collector is contrary to what is disclosed because the event stream collector is disclosed as part of the security analytics system which is disclosed as separate from the protected endpoint.


Arguments Regarding the Prior Art
The following is the applicant’s first argument:
When discussing the elements of receiving an event stream from a protected endpoint, the event stream comprising a plurality of events, the protected endpoint comprising an endpoint agent used in combination with an endpoint device, the examiner cites to a variety of components of Dennis. Specifically, the examiner cites to computing device 500 as the protected endpoint and matching system 110 as the endpoint agent, and requestor system 120 as the endpoint device (see e.g., Dennis, Figures 1 and 5). However, none of these components disclose or suggest a protected endpoint as disclosed and claimed. Specifically, none of these components disclose a protected endpoint providing a policy-based approach to network security, the policy-based approach requiring the endpoint device to comply with a particular criteria before being granted access to a network resource, as required by claims 21, 27 and 33.

The Examiner mapped the computing system 500 of Dennis to the protected endpoint.  The Examiner mapped the matching system 110 to the endpoint agent.  Figure 5 of Dennis shows that the computer system 500 comprises the matching system, thus satisfying the limitation where the protected endpoint comprises the endpoint agent.  The matching system 110 is clearly “in combination with” the requestor system 110, as shown in Figure 1, which is mapped to the endpoint device.  The matching system 110 receives the stream of events shown in Figure 1 via communication connections 520 of computing device 500.  Therefore the events are received from a protected endpoint when they are received by the communications connection 520 of computing device 500 and forwarded to the matching system which receives the events in order to perform the rest of the data processing claimed. 
The applicant’s argument is not persuasive because it ignores how the rejection treated the subject matter.   The Examiner acknowledges in the rejection that computing device 500 of Dennis does not provide a policy-based approach to network security, the policy-based approach requiring the endpoint device to comply with a particular criteria before being granted access to a network resource.  
Additionally, the applicant applicant’s argument is inherently flawed because according to section 2145(IV) of the MPEP:
One cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references. In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., Inc., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).

The combination of Dennis and Taylor was relied upon to show the elements in question and not just Dennis, which is the only reference argued by the applicant with respect to the protected endpoint limitation.  The applicant’s argument regarding the protected endpoint is clearly procedural deficient because it failed to address the teachings of Taylor.
	Next the applicant argues:
	When discussing the element of normalizing an entity identifier element to provide a normalized entity identifier element, the normalizing the entity identifier element generating a type-dependent normalized entity identifier element, the examiner cites to Dennis. Specifically, the examiner cites to a portion of Dennis which discloses that a demographic field is sanitized and standardized (see e.g., 
	
The applicant makes no attempt to explain what the difference is between normalizing an entity identifier element as claimed and sanitizing and standardizing of demographic information disclosed by Dennis.  The applicant cited paragraph 111 of the specification to show this feature in their Summary Section of their appeal brief.  Paragraph 111 shows how time formats can be sanitized and standardized.  Paragraph 112 shows further examples of normalizing entity identifier information by sanitizing and standardizing the demographic information of email addresses.  Paragraph 113 makes a point of stating that normalizing entity identifier could cover any user identity factors.  Dennis clearly shows in paragraphs 19 and 20 that identify factors such as a name or address can be normalized in the same manner disclosed by the applicant.  If the applicant had a specific normalization embodiment in mind, then they should have claimed such an embodiment because the claim is broad enough to cover any type of normalization of any type of entity identifier information. 
The applicant next argues:
Specifically, Dennis does not disclose or suggest normalizing an entity identifier element to provide a normalized entity identifier element, the normalizing the entity identifier element generating a type-dependent normalized entity identifier element, the normalizing using rules stored within a repository of entity identifier normalization rules, as required by claims 21, 27 and 33. This deficiency of Dennis is not cured by Taylor.

Dennis discloses that the normalized data is type-dependent because it is formatted into types of name fields, address field, data of birth fields, social security number fields, etc. (paragraph 19 of Dennis).  Each of these fields is type-dependent because they require different formatting considerations in order to be normalized.  The system of Dennis has rules, as discussed in the examples in paragraph 20, for normalizing these fields.  These rules are stored as part of program instructions 508 shown in Figure 5.  The system memory 510 is a repository of entity identifier normalization rules, as claimed.  The applicant’s disclosure uses the terms repository of entity identifier normalization rules in 
Next the applicant argues the following:
However, nowhere within the cited portions of Taylor (nor anywhere else in Taylor) is there any disclosure or suggestion of using the identity of the entity to assess a risk associated with a particular entity, much less identifying anomalous, abnormal, unexpected or malicious behavior when accessing the risk associated with the particular entity, as required by claims 21, 27 and 33. These deficiencies of Taylor are not cured by Dennis.

The Examiner will address each of the two limitations involved in this argument separately.  As to the first limitation, the whole point of Taylor is to use the identity of an entity to assess the risk associated with the entity.  The first sentence of paragraph 46 of Taylor explains that Figure 6 is a method of performing a risk value calculation for a user or subscriber.  As described in paragraph 46, the value is calculated using different components that identify the user such as the user’s device, the user’s location, the user’s account information, and the user’s finance information.  Paragraph 53 further explains that this account information can include identifiers of an entity such as street address, social security number, telephone number, email address, IP address, and MAC address.  Taylor clearly teaches the concept of using the identity of an entity to assess the risk associated with a particular entity as claimed.
As to the second limitation, the applicant’s original disclosure did not use the phrase “accessing risk”.  This phrase was introduced in the amendment filed on 7/20/2020.  The applicant amended the final limitation to overcome a rejection based on 35 USC section 112(a) made in the 5/18/2020 Office Action.  Since the actual phrase “accessing risk” did not appear in the original disclosure, the Examiner interpreted the phrase to cover determining risk.  With this in mind, the limitation covers using 
The applicant continues by arguing:
Additionally, it is respectfully submitted that nowhere within Dennis or Taylor, taken alone or in combination is there any disclosure or suggestion of using the identity of the entity to assess a risk associated with a particular entity, much less identifying anomalous, abnormal, unexpected or malicious behavior based upon the risk associated with the particular entity, as required by claims 21, 27 and 33.

As pointed out, Taylor teaches the concept of using the identity of an entity to assess the risk associated with a particular entity in paragraphs 46 and 53.  As to the argument that the references do not teach identifying anomalous, abnormal, unexpected, or malicious behavior based upon the risk associated with the particular entity, such a limitation is no longer claimed.  That limitation was subject to a 35 USC section 112a written description rejection in the 5/18/2020 Final Rejection.  The applicant amended the limitation after the 5/18/2020 Final Rejection to no longer claim the cause and effect that behavior was identified based on risk because paragraph 82 of the disclosure made it clear that behavior was identified for the purpose of accessing the risk associated with a particular entity.  The applicant’s argument appears to have been a carry-over cut-and-paste job from previous responses but is no longer relevant to the current claims.
Next the applicant argues:
Additionally, it is respectfully submitted that nowhere within Dennis or Taylor, taken alone or in combination is there any disclosure or suggestion of classifying an entity identifier element with an entity identifier element type, the entity identifier element type comprising a representation of a particular 

Dennis is clearly mapped to the limitations in question.  The request is parsed in operation 220 and classified into different demographic fields.  The request reads on the entity identifier information.  The particular types of fields read on the entity identifier element types.  The parsed request is the entity identifier element.  Each particular value pertaining to a particular demographic field type is the claimed representation of a particular attribute.  Once the request is parsed into fields, the values in each parsed field are normalized according rules stored along with the matching engine.  The matching engine has different parsing rules for each field in step 230, as described in paragraph 20, and is thus implementing “type-dependent normalization”.  As explained the rules are stored as instructions in memory 510 which is a “repository of entity identifier normalization rules”.  The identity is resolved in steps 240 and 250 of Figure 2 of Dennis.
Finally the applicant argues:
Additionally, it is respectfully submitted that when making the rejection under 35 U.S.C.§ 103, the examiner fails to consider the claimed invention “as a whole.” Specifically, the examiner cites to the references as disclosing various elements of the claimed invention without a consideration of how these elements interact to provide the claimed resolving an identity of an entity in-line via a security analytics system, using the identity of the entity to assess a risk associated with a particular entity and identifying anomalous, abnormal, unexpected or malicious behavior when accessing the risk associated with the particular entity. This is contrary to the guidance provided by MPEP § 2141.02 (In determining the differences between the prior art and the claims, the question under 35 U.S.C. 103 is not whether the differences themselves would have been obvious, but whether the clamed invention as a whole would have been obvious).



Dennis is relied upon to show that the applicant’s handling of event streams in order to resolve identities is anticipated by the prior art.  Dennis does not get into security for using the system.  Taylor shows that providing the generic security of a “policy-based approach requiring an endpoint device to comply with a particular criteria before being granted access to a network resource” would be obvious.  One of ordinary skill in the art would recognize that the computing device 500 of Dennis could be modified to apply the access control shown by paragraphs 36-38 of Taylor.  Dennis is a system pertaining to medical records to once of ordinary skill would recognize the need for the generic policy-based approach to security claimed by the applicant.  Separately, Taylor shows that once an identity of an entity is resolved, the identity can be used to assess the risk with entity and that the behavior of the entity can be identified when accessing this risk.  Taylor shows how this can be done with respect to the exact same data that is handled in paragraphs 19 and 20 of Dennis (paragraph 53 of Taylor shows that 


Finality of the 11/30/2020 Office Action
The applicant’s arguments are not relevant to appeal for two reasons.  
First, finality of an office action is not appealable.  See section 706.07(c) of the MPEP.  Challenges against the finality of an action are reviewable by petition under 37 CFR 1.181.  Therefore the applicant’s arguments to the finality of the rejection are irrelevant to this appeal.
Second, the finality of the rejection was proper.  The applicant states that the amendments “materially limited the breadth of the claims” however such a characterization of the claims is irrelevant to whether an action can be made final after an RCE.  The standards for when an action can be made Final directly following an RCE are described in section 706.07(b) of the MPEP.  The second paragraph of this section of the MPEP explains that the next action may be made final when claims are “patentably indistinct” for the claims in the prior application and would have been properly rejected on the grounds and art of record in the next office action had they been entered.  The Examiner explained, in the 7/31/2020 Advisory Action, how the claim set that was submitted after final were patentably indistinct.  The applicant added trivial limitations after the Advisory Action in the 8/18/20 amendment that was filed with the RCE.  The 11/30/20 Office Action indicates how these limitations are clearly not patentable for the same reasons that were already presented to the applicant.  Specifically, the classifying performed by Dennis was clearly done in response to the parsing as shown in paragraph 19 that was cited in the 5/18/20 Final Rejection.  The limitation regarding the rules being stored within a repository 
In conclusion, had the applicant actually made amendments that “materially limited the breadth of the claims”, the action would not have been made Final and new search and consideration would have been conducted.  Instead, the applicant made amendments that restated the obvious and therefore the Examiner found them to be patentably indistinct and made the action final after RCE as allowed by section 706.07(b) of the MPEP.

Respectfully submitted,
/DOUGLAS B BLAIR/Primary Examiner, Art Unit 2442                                                                                                                                                                                                        
Conferees:
/WILLIAM G TROST IV/Supervisory Patent Examiner, Art Unit 2442   

                                                                                                                                                                                                     /Chris Parry/Supervisory Patent Examiner, Art Unit 2451                                                                                                                                                                                                        
Requirement to pay appeal forwarding fee.  In order to avoid dismissal of the instant appeal in any application or ex parte reexamination proceeding, 37 CFR 41.45 requires payment of an appeal forwarding fee within the time permitted by 37 CFR 41.45(a), unless appellant had timely paid the fee for filing a brief required by 37 CFR 41.20(b) in effect on March 18, 2013.