United States Patent and Trademark Office

Commissioner for Patents
United States Patent and Trademark Office
P.O. Box 1450
Alexandria, VA 22313-1450
www.uspto.gov






BEFORE THE BOARD OF PATENT APPEALS 
AND INTERFERENCES






Application Number: 15/974,019
Filing Date: March 9, 2021
Appellant: Hemant Kumar Jain
 



______________
Douglas M. Hamilton
Registration No. 47,629
For Appellant





EXAMINER’S ANSWER 





(1) Grounds of Rejection to be Reviewed on Appeal
Every ground of rejection set forth in the Office action dated March 9, 2021 from which the appeal is taken is being maintained by the examiner except for the grounds of rejection (if any) listed under the subheading “WITHDRAWN REJECTIONS.”  New grounds of rejection (if any) are provided under the subheading “NEW GROUNDS OF REJECTION.”

(2) Response to Argument
	Appellants’ arguments filed March 9, 2021 have been fully considered but are not persuasive.  It is respectfully submitted that the rejections are proper and should be maintained for the reasons that follow.

A.  	Appellant’s arguments (Brief, pages 11-18) have been fully considered and are addressed below.

	Appellant argues in substance, that “The combination of Wang and Harris fails to disclose each and every limitation of claims 1-5, 8, 10-15, 18, and 20 as required under 35 USC §103.

A.1	In the Office Action, the Examiner rejected claims 1-5, 8-15, and 17-20 under 35 U.S.C. §103 for allegedly being unpatentable over Wang and Harris. The undersigned respectfully disagrees with the Examiner’s characterization of the teachings and/or applicability of Wang and Harris to the claims.

NO PRIMA FACIE CASE - NON-ANALOGOUS ART 

As an initial matter, the undersigned respectfully submits a combination of nonanalogous art is not sufficient to render the claims prima facie obvious. In order for a reference to be proper for use in an obviousness rejection under 35 U.S.C. § 103, the reference must be analogous art to the claimed invention. In re Bigio, 381 F.3d 1320, 1325 (Fed. Cir. 2004). The undersigned respectfully submits Harris is non-analogous art to the claimed invention as explained further below.
The Federal Circuit has adopted a “two-step test” for determining whether a particular reference is within the appropriate art. First, a determination is made regarding whether the reference at issue is “within the field of the inventor’s endeavor.” Second, assuming the reference is outside of that field, it must be determined whether the reference is “reasonably pertinent to the particular problem, with which the inventor was involved.” See In re Deminski, 796 F.2d 436 (Fed. Cir. 1986) (emphasis added); In re Bigio, 381 F.3d 1320 (Fed. Cir. 2004); and MPEP § 2141.01(a). See also “Analogous Art for Obviousness Rejections,” Memorandum to Patent Examining Corps from Robert W. Bahr dated July 26, 2011.

The problem addressed by the above-captioned patent application relates to the difficulties of attributing DDoS attacks to specific application layer (e.g., HTTP) attributes (e.g., user-agent, host, referrer, or URL) having variable length strings, which may not fit within a few bytes. See e.g. Specification at [0006]-[0007].”

The Examiner respectfully disagrees with Appellant’s arguments. Applicant appears to misunderstand the secondary reference: Harris is from the same field of endeavor, is reasonably pertinent to the particular problem, and is analogous as being from the field of event detection, e.g. attack signature detection under H04L63/1416 (transmission of digital information), which applies to the network security of computer networks. Here, the implementation monitors, tracks, correlates and observes objects (i.e. processes, files, data, URLs, and the like) to discern trusted and untrusted processes, where increased context-sensitivity detects various malware and threats by employing a more complex and granular labeling scheme, such as a three-tiered scheme that identifies a category (e.g., financial, e-mail, game, etc.), static threat detection attributes (e.g., signatures, hashes, application calls, etc.), and explicit identification (e.g., what a file or process calls itself). The objects being observed include a URL, a script, a function, etc. Hence, the presence of HTTP attributes is taught by Harris, which is thus analogous art [Harris, ¶¶0003-0004, 0006, 0063 and 0214].

A.2  	(p. 12) Step One: Harris relates to “threat detection using reputation scores for particular actions that expire after a predetermined time.” See e.g., Harris at ¶[0002]. Notably, there is no reference to DDoS attacks or attribution of same anywhere in Harris. In view of the foregoing, Harris is clearly outside of the field of the inventor’s endeavor.

The Examiner disagrees. Harris is the secondary reference used to teach the last two limitations of the independent claims, in particular: “notifying, by the DDoS detection module, a host computer coupled to the DDoS detection module of the attack status and the details of the under-attack HTTP attribute; and responsive to identifying the under-attack HTTP attribute, causing, by the DDoS detection module, subsequently received packets having the under-attack HTTP attribute to be dropped for a pre-determined blocking period.” The Examiner cited ¶¶0247-0250 of Harris, which describe an improved implementation of indications of compromise (IOCs) detecting malicious activity, using reputation (scores) and the prevalence of a sequence of IOCs as part of the locally normalized IOCs shown in Fig. 10 [Harris, ¶¶0245-0246]. As described above, the objects being observed include a URL, a script, a function, etc., wherein the object persists as long as the process is alive. This also includes antivirus and advanced persistent threats (APTs), which are bad, malware threat attacks experienced at an enterprise facility 102 from various end-point devices by detection techniques facility 
Furthermore, it is well known in the arts that advanced persistent threats are associated with advanced persistent Denial of Service (APDoS), where specialized DDoS mitigations would need to be put in place to thwart attacks that can stealthily persist for weeks involving terabits to petabits of malicious traffic [https://en.wikipedia.org/wiki/Denial-of-service_attack#Advanced_persistent_DoS]. Hence, the presence of APTs and viruses referenced is taught by Harris and thus analogous.


A.3	(p. 12) Step Two: Since Harris is in a field different from that of the Applicant’s field of endeavor (i.e., Harris fails the inquiry at step one of the two-step test), the next step is to determine Harris’ pertinence to the particular problem faced by the Applicant. Harris purports to address overlaps and gaps in protection caused by treating viruses and spyware as separate problems. See Harris at ¶[0067]. Harris’ lack of contemplation of the particular problem with which the inventor of the above-captioned patent application was involved makes the likelihood of an inventor seeking to solve the particular problem looking to Harris for a solution very low. And, thus this is why the Federal Circuit created this two-step test - so as to preclude a prior art reference outside of the field of endeavor of the claimed invention from qualifying as analogous art unless it is found to be “reasonably pertinent” to the problem to be solved. In the present circumstances, it is clearly improper for Harris’ use of reputation scores to address overlaps and gaps in protection caused by treating viruses and spyware as separate problems to the problem addressed by the above-captioned patent application relating to difficulties of attributing DDoS attacks to specific application layer (e.g., HTTP) attributes (e.g., user-agent, host, referrer or URL) having variable length strings, which may not fit within a few bytes.  As such, it is unreasonable to expect Harris to have commended itself to the attention of an inventor seeking to address the particular problem. In view of the foregoing, Harris does not satisfy the Federal Circuit’s two-step test and hence cannot qualify as being analogous art for purposes of being applied in an obviousness rejection. For at least this reason, the Examiner’s proposed combination of Harris with Wang is improper and cannot properly render the claims prima facie obvious. 
Therefore, the undersigned respectfully requests the Examiner to withdraw all obviousness rejections relying on the combination of Harris with any other prior art reference.

The Examiner disagrees. As discussed above, Harris is the secondary reference brought in to teach two limitations, which it teaches; further, Harris appears to teach and reasonably suggest the claim limitations and meets the two-step test. Lastly, the Supreme Court in KSR Int’l Co. v. Teleflex Inc., 550 U.S. 398, 416 (2007) “has determined that the conclusion of obviousness can be based on the interrelated teachings of multiple patents, the effects of the demands known to the design community or present in the marketplace, and the background knowledge possessed by a person having ordinary skill in the art.” The skilled artisan would “be able to fit the teachings of multiple patents together like pieces of a puzzle” since the skilled artisan is “a person of ordinary creativity, not an automaton.” The claims are therefore prima facie obvious; additionally, Harris meets both step 1 and step 2 as appropriate prior art.

A.4	THE COMBINATION IS DEFICIENT 
Even if the combination of Wang and Harris was proper, which it is not, the undersigned points out significant distinctions between the claimed subject matter and the relied upon references individually and in combination. 
Regarding independent claim 1, Wang and Harris do not teach or reasonably suggest at least the following expressly recited limitations...

With respect to the above-quoted “receiving” limitations, the Examiner relied on FIG. 3, FIG. 7 and [0040], [0068]-[0069] and [0075] of Wang for allegedly teaching the “receiving ... information regarding a plurality of Hypertext Transfer Protocol (HTTP) attributes for which an attack status is to be monitored.” For the Examiner’s benefit of understanding, the undersigned points out in ¶[0068] of Wang what is said to be received is “a known bad domains list/blacklist.” Notably, this list is used in the context of Wang to generate a “severity score” for network traffic. See e.g., Wang at ¶[0069]. In ¶[0040] of Wang, Wang indicates an example of suspicious behavior that may be identified by its heuristic analysis is “command and control communication.” Notably, neither Wang’s blacklist nor Wang’s identification of command and control communication is properly equated with receipt of “information regarding a plurality of 
Importantly, Wang does not purport to monitor an attack status for particular HTTP attributes (e.g., a DDoS attack from multiple IP addresses that have the same user-agent and which are directed to the same URL). Rather, Wang monitors for potentially suspicious behavior by looking for network traffic communications that make use of fewer than a threshold number of HTTP header fields (see e.g., Wang at ¶[0075]) and/or that include short strings within an HTTP header, for example, to distribute the string “POST” over three IP packets (see e.g., Wang at ¶[0076]). 
Furthermore, nothing in Wang’s discussion relating to the monitoring of network traffic and identifying whether a URL is blacklisted or recently registered in ¶[0069] of Wang has any relationship to “an attack status” of an HTTP attribute, for example, whether the HTTP attribute at issue is under attack, flooded or a victim. See e.g. Specification at ¶[0053]. Meanwhile, Harris is not relied upon by the Examiner to address these deficiencies of Wang and the undersigned finds no such teachings in Harris. For at least these reasons, independent claim 1 and its dependent claims, which add further limitations, are thought to be clearly distinguishable over the Examiner’s proposed combination of Wang and Harris.”

The Examiner disagrees. Applicant overlooks the purpose of Wang’s invention, which presents heuristic botnet detection that includes monitoring network traffic to identify suspicious network traffic, which again includes HTTP traffic, IRC traffic, and unclassified application traffic [Wang, Abstract and ¶¶0037-0041]. Wang takes it 

A.5	With respect to the above-quoted “determining” limitations, the Examiner relies on ¶¶[0068]-[0069] and [0075] of Wang. Nowhere in these relied upon portions of Wang or elsewhere in Wang is there any teaching or reasonable suggestion regarding “comparing ... granular traffic rates directed to a first hash value of each of the plurality of monitored HTTP attributes to a plurality of corresponding adaptive thresholds” as required. Notably, the hash values referred to in Wang are not related to HTTP attributes, but rather are used “for a more efficient black list storage approach.” See Wang at ¶[0068].
In any event, as noted above, Wang is not concerned with “the attack status ... of monitored HTTP attributes.” Rather, Wang simply teaches examining HTTP header 

The Examiner disagrees. The Examiner refers to the specification, which highlights that the first stage of rate tracking, Stage 1 meter 201, monitors and tracks accesses to HTTP URLs hosted by a server protected by a DDoS mitigation system [specification, ¶0033]. Additionally, Wang teaches an analysis of the data and traffic monitored, collected, aggregated and collated as to whether recently visited domains are anomalous; hence, performing matching of data attributes against existing known attributes associated with common behavior and/or signatures [Wang, ¶0073]. “Network traffic flows can be monitored using a traffic flow analysis engine to identify or classify monitored network traffic by traffic flow types and application associations and forwarded to a heuristic botnet detection engine for potential C&C behavior analysis using various heuristics” (a hash lookup utility determines whether the HTTP attribute was previously registered, which generates a severity score as a valuation or classification based on correlations of multiple traffic flows in the heuristic analysis of the monitored network traffic behaviors). “The severity score or severity score range is used for classifying monitored network traffic (e.g., traffic flows associated with an application(s)). In some embodiments, a value range of a severity score is classified as not malicious, a second value range (e.g., a higher range of values) is classified as potentially malicious behavior, and a third value range (e.g., an even higher range of values) is classified as malware behavior corresponding to botnet detection” [Wang, ¶0058].  More importantly, these classifications of scores allocated by a range of values are indications of determining whether the traffic flow of monitored attributes meets or falls within a certain range and/or value; where the security device 302 stores a recent hash table as part of the hash lookup to determine and report on met thresholds when severity scores are higher than expected [Wang, ¶0069]. 
Hence, Wang teaches “comparing ... granular traffic rates directed to a first hash value of each of the plurality of monitored HTTP attributes to a plurality of corresponding adaptive thresholds.”

A.6	With respect to the above-quoted “when a granular traffic rate” limitations, the Examiner relied on ¶¶[0068]-[0069] of Wang. Notably, however, there is no indication in these portions of Wang or elsewhere in Wang that “when a granular traffic rate of the plurality of granular traffic rates for the first hash value of a particular monitored HTTP attribute ... exceeds an adaptive threshold for the particular monitored HTTP attribute, the particular monitored HTTP attribute is determined to be an under-attack HTTP attribute” as required. While Wang notes that botnets can execute DDoS attacks (see e.g., Wang at ¶[0030]), Wang is not attempting to identify or mitigate such attacks or attempting to identify a particular HTTP attribute that is under attack, but instead purports to be able to identify a bot based on various observed behaviors within monitored network traffic. Meanwhile, Harris is not relied upon by the Examiner to address these deficiencies of Wang and the undersigned finds no such teachings in Harris. For at least these additional reasons, independent claim 1 and its dependent claims, which add further limitations, are thought to be clearly distinguishable over the Examiner’s proposed combination of Wang and Harris.

The Examiner disagrees.  The specification states that the DDoS attack mitigation module comprises an apparatus that allows granular thresholds to be set for layer 3, 4, or 7 parameters; once a traffic threshold is breached, the specific parameter is either rate limited or identified for specific treatment [specification, ¶¶0015-0018]. Here, Wang uses the heuristic botnet detection to utilize intrusion prevention system evasion techniques and a URL filter to monitor and identify URLs of different categories and 

A.7	With respect to the above-quoted “storing” limitations, the Examiner relied on ¶[0066] of Wang. Notably, Wang’s mere indication that “various other security related information, such as heuristics for botnet detection (e.g., general and/or specific C&C patterns as described herein)” may be stored in data store 310 does not meet the limitations at issue, which specifically require “storing ... details regarding the under-attack HTTP attribute in a memory.”


The Examiner disagrees. The specification states that after the layer 7 DDoS detection module calculates a second hash value based on the collisions of the attributes of a first hash value, a “hash 2” column is instantiated to store that instance of the collision occurrence [¶0049]. Hence, the heuristic behavior analysis engine 108 analogously performs local storage of C&C behavior results to the behavior correlation engine 114, as well as of various security related information such as heuristics for botnet detection (e.g., general and/or specific C&C patterns as described herein) [Wang, ¶¶0056 and 0066]. Therefore, the Examiner respectfully disagrees; as stated above, the “storing” limitation is not a novel feature, and Wang teaches it in ¶0066.

A.8	With respect to the above-quoted “notifying” limitations, the Examiner correctly acknowledges Wang does not teach these limitations and therefore relies on Harris’ reporting or notification of indications of compromise (IOCs) to the threat management facility and/or to a user. None of the examples of IOCs provided in FIG. 16 of Harris or elsewhere in Harris relate to “details of the under-attack HTTP attribute” as required. For at least this additional reason, independent claim 1 and its dependent 

The Examiner disagrees.  The specification describes only one instance of “notify”, which is performed by the layer 7 DDoS detection module, where the details for the under-attack attribute are stored within the stage 2 table in memory at block 304 shown in Fig. 3. More importantly, the specification states “The details of operation of blocks 304 and 305 are well known in the art, therefore detailed descriptions thereof are omitted for sake of brevity” [specification, ¶¶0040 and 0045-0046]. As such, Harris teaches a reporting mechanism in which the system protector 1006 receives IOCs 1006 from an IOC detector 1004; sending a notification 1010 is thus analogous. Therefore, the “notifying” limitations are taught by Harris.

A.9	With respect to the above-quoted “causing” limitations, the Examiner relied on Harris’ teachings in [¶¶0244 and 0247] relating to taking action accordingly when a particular IOC or a sequence of IOCs are identified as malicious. Clearly, this general language cannot be said to meet the limitations at issue which specifically require “causing ... subsequently received packets having the under-attack HTTP attribute to be dropped for a pre-determined blocking period.” For at least this additional reason, independent claim 1 and its dependent claims, which add further limitations, are thought to be clearly distinguishable over the Examiner’s proposed combination of Wang and Harris.
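The limitations argued in A.5 through A.9 together describe one detection flow: hash each monitored HTTP attribute to a first hash value of fewer than 20 bits, track a granular traffic rate per hash value, compare it with a per-attribute adaptive threshold, store the details of an under-attack attribute (with a second hash to disambiguate stage-1 collisions), notify a host, and drop subsequent packets carrying that attribute for a pre-determined blocking period of 0 to 15 seconds. The following Python is an added illustration of that flow written for this page; it is not code from the Examiner's Answer, the appellant's specification or any cited reference. The blake2b hash, the EWMA baseline used to adapt the thresholds, the per-attribute threshold floors, the attribute names and the sample traffic are all assumptions of the example.

```python
import hashlib
from dataclasses import dataclass

HASH_BITS = 19  # width of the first hash value; the claims recite "less than 20 bits"


def first_hash(name: str, value: str, bits: int = HASH_BITS) -> int:
    """Stage-1 hash: fold a variable-length HTTP attribute into a fixed-width bucket
    index (blake2b is an assumption of this example, not the applicant's choice)."""
    digest = hashlib.blake2b(f"{name}:{value}".encode(), digest_size=8).digest()
    return int.from_bytes(digest, "big") & ((1 << bits) - 1)


def second_hash(name: str, value: str) -> int:
    """Stage-2 hash: a wider value stored with the details so that two attributes
    colliding in the 19-bit stage-1 hash can still be told apart."""
    digest = hashlib.blake2b(f"{name}:{value}".encode(), digest_size=4).digest()
    return int.from_bytes(digest, "big")


@dataclass
class Bucket:
    window_start: float
    count: int = 0         # requests seen in the current rate window
    baseline: float = 0.0  # EWMA of completed-window counts; drives the adaptive threshold


class Layer7DDoSDetector:
    """Per-attribute rate tracking, adaptive thresholds, stage-2 details and blocking."""

    def __init__(self, floors, window_s=1.0, alpha=0.3, multiplier=4.0,
                 block_period_s=10.0, notify=None):
        if not 0.0 <= block_period_s <= 15.0:
            raise ValueError("blocking period must be 0 to 15 seconds")
        self.floors = dict(floors)      # monitored attribute -> minimum threshold (req/s)
        self.window_s, self.alpha, self.multiplier = window_s, alpha, multiplier
        self.block_period_s = block_period_s
        self.notify = notify or (lambda details: None)  # "host computer" notification hook
        self.buckets = {}        # first hash value -> Bucket
        self.stage2 = {}         # first hash value -> details of the under-attack attribute
        self.blocked_until = {}  # first hash value -> end of the blocking period

    def _roll(self, b: Bucket, now: float) -> None:
        """Close completed windows, folding their counts into the baseline."""
        elapsed = int((now - b.window_start) // self.window_s)
        if elapsed <= 0:
            return
        b.baseline = (1 - self.alpha) * b.baseline + self.alpha * b.count
        b.baseline *= (1 - self.alpha) ** (elapsed - 1)  # idle windows decay the baseline
        b.count = 0
        b.window_start += elapsed * self.window_s

    def threshold(self, name: str, b: Bucket) -> float:
        """Adaptive threshold: a multiple of the learned baseline, never below the floor."""
        return max(self.floors[name], self.multiplier * b.baseline)

    def process(self, request: dict, now: float) -> str:
        """Classify one request; returns 'forward' or 'drop'."""
        for name, value in request.items():
            if name not in self.floors:
                continue                          # not a monitored attribute
            h1 = first_hash(name, value)
            until = self.blocked_until.get(h1)
            if until is not None:
                if now < until:
                    return "drop"                 # still inside the blocking period
                del self.blocked_until[h1]        # period over: unblock, forget details
                self.stage2.pop(h1, None)
            b = self.buckets.get(h1)
            if b is None:
                b = self.buckets[h1] = Bucket(window_start=now)
            self._roll(b, now)
            b.count += 1
            rate = b.count / self.window_s        # granular traffic rate for this hash value
            limit = self.threshold(name, b)
            if rate > limit:                      # under-attack HTTP attribute identified
                details = {"attribute": name, "value": value, "hash1": h1,
                           "hash2": second_hash(name, value), "rate": rate,
                           "threshold": limit, "blocked_until": now + self.block_period_s}
                self.stage2[h1] = details         # store details in the stage-2 table
                self.blocked_until[h1] = details["blocked_until"]
                self.notify(details)              # notify the host computer
                return "drop"
        return "forward"


def run_demo() -> dict:
    """Constructed traffic: five legitimate clients, then a 50-source flood sharing one
    User-Agent within half a second, then one more request after the block expires."""
    notifications = []
    det = Layer7DDoSDetector(floors={"Host": 200.0, "User-Agent": 20.0, "URL": 50.0},
                             notify=notifications.append)
    verdicts = {"forward": 0, "drop": 0}
    for i in range(5):
        legit = {"src_ip": f"192.0.2.{i}", "Host": "www.example.test",
                 "User-Agent": "Mozilla/5.0 (constructed legit)", "URL": "/index.html"}
        verdicts[det.process(legit, now=0.2 * i)] += 1
    for i in range(50):
        flood = {"src_ip": f"198.51.100.{i}", "Host": "www.example.test",
                 "User-Agent": "AttackBot/1.0", "URL": "/login"}
        verdicts[det.process(flood, now=2.0 + 0.01 * i)] += 1
    late = {"src_ip": "198.51.100.99", "Host": "www.example.test",
            "User-Agent": "AttackBot/1.0", "URL": "/login"}
    return {"forwarded": verdicts["forward"], "dropped": verdicts["drop"],
            "notifications": notifications, "after_expiry": det.process(late, now=13.0),
            "still_blocked": sorted(det.blocked_until)}


if __name__ == "__main__":
    print(run_demo())
```

In the constructed run, the shared User-Agent is the attribute whose rate crosses its threshold (21 requests within one second against a floor of 20), so that attribute, not the Host, is what gets blocked; the Host floor is set higher precisely because every client shares it and blocking on it would also drop legitimate traffic. The baseline is only folded in at window boundaries so that a ramping flood cannot raise its own threshold mid-window.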



B.  Appellant’s arguments (Brief, pages 18-19) have been fully considered and are addressed below.
	Appellant argues in substance, that “B. The combination of Wang, Harris, and Chesla fails to disclose each and every limitation of claims 6 and 16 as required under 35 USC §103.

The Examiner disagrees. Applicant fails to detail any argument specifics beyond stating the deficiency of these dependent claims 6 and 16. As such, the Examiner maintains the Chesla rejection, which stands without rebuttal with respect to teaching “the pre-determined blocking period is from 0 to 15 seconds” in ¶¶0159 and 0175.


C.  Appellant’s arguments (Brief, page 19) have been fully considered and are addressed below.

	Appellant argues in substance, that “The combination of Wang, Harris, and Denninghoff fails to disclose each and every limitation of claims 9 and 19 as required under 35 USC §103. 
In the Office Action, the Examiner rejected dependent claims 9 and 19 under 35 U.S.C. §103 for allegedly being unpatentable over Wang, Harris, and Denninghoff. The 

The Examiner disagrees. Applicant fails to detail any argument specifics beyond stating the deficiency of these dependent claims 9 and 19. As such, the Examiner maintains the Denninghoff rejection, which stands without rebuttal with respect to teaching “wherein the first hash value of each of the plurality of monitored HTTP attributes is less than 20 bits” in ¶¶0119-0120.

For the above reasons, it is believed that the rejections should be sustained.

Respectfully submitted,

/Sakinah White Taylor/  Examiner, Art Unit 2497



/HARUNUR RASHID/  Primary Examiner, Art Unit 2497

/ELENI A SHIFERAW/  Supervisory Patent Examiner, Art Unit 2497

Requirement to pay appeal forwarding fee.  In order to avoid dismissal of the instant appeal in any application or ex parte reexamination proceeding, 37 CFR 41.45 requires payment of an appeal forwarding fee within the time permitted by 37 CFR 41.45(a), unless appellant had timely paid the fee for filing a brief required by 37 CFR 41.20(b) in effect on March 18, 2013.