United States Patent and Trademark Office

Commissioner for Patents
United States Patent and Trademark Office
P.O. Box 1450
Alexandria, VA 22313-1450
www.uspto.gov











BEFORE THE PATENT TRIAL AND APPEAL BOARD


Application Number: 16/402,946
Filing Date: 3 May 2019
Appellant(s): Fortinet, Inc.



__________________
Douglas M Hamilton
For Appellant


EXAMINER’S ANSWER





This is in response to the appeal brief filed 5/12/2022.

(1) Grounds of Rejection to be Reviewed on Appeal
Every ground of rejection set forth in the Office action dated 01/06/2022 from which the appeal is taken is being maintained by the examiner except for the grounds of rejection (if any) listed under the subheading “WITHDRAWN REJECTIONS.”  New grounds of rejection (if any) are provided under the subheading “NEW GROUNDS OF REJECTION.”

(2) Response to Argument
Appellant argues that Ismael fails to teach “determining an occurrence of a pivot of an intrusion wherein the determination of the occurrence of the pivot of the intrusion is based on an indication of a transmission from the first internal resource to a second internal resource”.  Appellant argues that Column 16 of Ismael fails to teach said limitation.
Examiner respectfully disagrees that Ismael fails to teach said limitation. Examiner argues that, as cited, Ismael teaches in Column 10 line 60 to Column 11 line 6 that the malware detection appliance is configured “to analyze communication traffic associated with one or more endpoints coupled to a segment of the network such as private network”, and that “appliance may be…positioned to intercept traffic…. appliance may manage each endpoint”. Examiner points to Column 11 lines 17-25, which explicitly state that malware is detected from said traffic inspection. Examiner argues that this citation teaches the claims at issue, as traffic is intercepted from an endpoint, and malware is detected. Figure 1 shows that the interception node in question is between two end nodes.
Examiner pointed to Column 16 lines 40-55 to explicitly teach that the infection is a “lateral propagation” meaning that the transmission is from a first internal resource to a second internal resource.
Appellant has pointed out a recitation in Column 16 lines 21-25.  Examiner does not rely on this citation in the rejection.  Appellant additionally points to Column 16 lines 44-45 which were relied upon in the rejection.  Appellant argues that “not only does Ismael not determine an occurrence of the infection propagating from one endpoint to the next as required by claim 1, it is not necessary in the system of Ismael to make such determination as the system operates as if a lateral propagation is inevitable and therefore immediately applies a prophylactic solution”.   
Examiner argues that the teaching in Ismael teaches actions taken after detection of malware.  It would have been obvious to prevent additional communications from “endpoints” (emphasis on the plural) after detecting endpoints are infected.  As Examiner stated in the rejection, with regard to Columns 10 and 11, the traffic from the endpoint is intercepted and malware is detected, then security measures are taken to prevent further lateral spread.  

In the alternative, Examiner points out Column 16 lines 20-40, which are not cited in the rejection, but were pointed at by Appellant.  Appellant implies context from this section of the reference.
Column 16 lines 20-40 do teach that the MDS appliance, which was previously used to intercept traffic, may miss intercepting an infection. Appellant argues that because of this, the MDS does not teach “determining an occurrence of a pivot of an intrusion wherein the determination of the occurrence of the pivot of the intrusion is based on an indication of a transmission from the first internal resource to a second internal resource”.

Examiner argues that in this contextual citation, it is taught that by not intercepting the malware, the infection is spread from end node to end node (plural), and then detected on multiple end nodes. Examiner argues that detecting an infection of multiple end nodes, which are then instructed to prevent further communication, is also a teaching of “an indication of a transmission from the first internal resource to a second internal resource”. Examiner argues that in this alternate recitation, lateral infection is detected by detecting rapidly spreading malware at each end node. Thus, while a transmission is not literally intercepted, an “indication” of said transmission is clearly taught.

For the above reasons, it is believed that the rejections should be sustained.

Respectfully submitted,
/CHRISTOPHER J BROWN/ Primary Examiner, Art Unit 2439

Conferees:
/KARI L SCHMIDT/ Primary Examiner, Art Unit 2439
/JEFFREY C PWU/ Supervisory Patent Examiner, Art Unit 2433


                                                                                                                                                                                               
Requirement to pay appeal forwarding fee.  In order to avoid dismissal of the instant appeal in any application or ex parte reexamination proceeding, 37 CFR 41.45 requires payment of an appeal forwarding fee within the time permitted by 37 CFR 41.45(a), unless appellant had timely paid the fee for filing a brief required by 37 CFR 41.20(b) in effect on March 18, 2013.