United States Patent and Trademark Office

Commissioner for Patents
United States Patent and Trademark Office
P.O. Box 1450
Alexandria, VA 22313-1450
www.uspto.gov

BEFORE THE PATENT TRIAL AND APPEAL BOARD


Application Number: 16/403,994
Filing Date: 6 May 2019
Appellant(s): Line Corporation

__________________
Paul M. Kim (reg.no. 69,640)
For Appellant


EXAMINER’S ANSWER

This is in response to the appeal brief filed on 5 July 2022 appealing from the Office action mailed on 4 November 2021.

(1) Grounds of Rejection to be Reviewed on Appeal 
Every ground of rejection set forth in the Office action dated 4 November 2021 from which the appeal is taken is being maintained by the examiner except for the grounds of rejection (if any) listed under the subheading “WITHDRAWN REJECTIONS.” New grounds of rejection (if any) are provided under the subheading “NEW GROUNDS OF REJECTION.”
The following ground(s) of rejection are applicable to the appealed claims.
1.1. Claims 1, 3-6, 8, 10-13, 16, and 18-21 are rejected under 35 U.S.C. 103 as being unpatentable over Castillo et al. (U.S. 7,469,287 B1), hereinafter “Castillo”, in view of Kim (U.S. 2016/0205118 A1).
1.2. Claims 2, 9, and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Castillo et al. (U.S. 7,469,287 B1), in view of Kim (U.S. 2016/0205118 A1), further in view of Cowan et al. (U.S. 8,578,493 B1), hereinafter “Cowan”.
1.3. Claims 14-15 are rejected under 35 U.S.C. 103 as being unpatentable over Castillo et al. (U.S. 7,469,287 B1), in view of Kim (U.S. 2016/0205118 A1), further in view of Shelton et al. (U.S. 2015/0213358 A1), hereinafter “Shelton”.

(2) Response to Argument
A. Castillo fails to disclose or suggest "receiving, using at least one processor, an event to be analyzed from a security information & event management (SIEM) server, the event to be analyzed corresponding to a potential attack, the event to be analyzed selected by the SIEM server from a plurality of events detected by different security devices based on a desired correlation rule used to filter the plurality of events received by the different security devices," limitation of claim 1. (see appeal brief, page 17)
(a) Appellants submit:
“Appellants submit the relied upon sections of Castillo fail to disclose or suggest "receiving ... an event to be analyzed from a security information & event management (SIEM) server, the event to be analyzed corresponding to a potential attack, the event to be analyzed selected by the SIEM server from a plurality of events detected by different security devices based on a desired correlation rule used to filter the plurality of events received by the different security devices," as required by claim 1.” (see appeal brief, page 19, 2nd par)
Examiner maintains:
In response to applicant's arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references.  See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).  In this case, claim 1 is rejected by Castillo in view of Kim, therefore it is the combination of Castillo and Kim that disclose or suggest the limitations in claim 1.
Castillo discloses at col. 3, line 65 “unknown anomaly was found [i.e., a network behavior anomaly was detected by a security device. Some network behavior anomalies are deliberately caused by intruders with malicious intent such as a denial-of-service attack in an IP network, while others may be purely an accident such as an overpass falling in a busy road network. Therefore, a network behavior anomaly event could potentially be a network attack event, and needs to be sent over from the security device to the SIEM server to analyze and verify.]”.
Therefore, Castillo discloses or suggests a security device detecting a network behavior anomaly event, which could potentially be a network attack event.
Castillo further discloses: fig. 2, top left box “Event occurs [i.e., a plurality of events detected by different security devices ], is processed by Event Reception Engine [i.e., a security information & event management (SIEM) server ]”.
In addition, Castillo further elaborates on Event Reception Engine (the SIEM server): “During systems management, events generated on individual systems [i.e., a plurality of events detected by different security devices, where ‘individual systems’ corresponding to ‘different security devices’, which monitor, detect, and report detected abnormal network events to Event Reception Engine (the SIEM server) to be analyzed and validated ] (objects) are usually sent to central Event Reception Engine [i.e., the SIEM server ]” (see Castillo, col. 8, line 61)
Therefore, Castillo discloses or suggests “receiving ... an event to be analyzed from a security information & event management (SIEM) server … a plurality of events detected by different security devices.” 
Castillo further discloses “(a) receiving an event having event details, wherein the event details include event class [i.e., the event has been classified and selected for analysis, based on a desired correlation rule to filter the events ];” (see Castillo, col. 2, line 62)
In addition, Castillo further elaborates on event class: “The method also includes the step of determining whether the event class qualifies for automated event processing so that if it does not qualify the process is exited. To determine whether the event class qualifies for automated event processing, the event class is compared with a predetermined list of event classes that qualify for automated event processing [i.e., the event has been classified and selected by the SIEM server for analysis, based on a desired correlation rule to filter the events, where ‘a predetermined list of event classes’ corresponding to ‘a desired correlation rule to filter the events’ ].” (see Castillo, col. 3, lines 22-26). 
Therefore, Castillo discloses or suggests the event to be analyzed selected by the SIEM server from a plurality of events detected by different security devices based on a desired correlation rule used to filter the plurality of events received by the different security devices.
Thus, Castillo discloses or suggests "receiving ... an event to be analyzed from a security information & event management (SIEM) server, the event to be analyzed corresponding to a network behavior anomaly, the event to be analyzed selected by the SIEM server from a plurality of events detected by different security devices based on a desired correlation rule used to filter the plurality of events received by the different security devices,".
Castillo discloses or suggests the event to be analyzed corresponding to a network behavior anomaly (see Castillo, col. 3, line 65 “unknown anomaly was found [i.e., a network behavior anomaly was detected ]).  However, Castillo does not explicitly disclose that the event to be analyzed corresponding to a potential attack.
Kim discloses: “provide a function of collecting evidence data [i.e., where ‘collecting evidence data’ associated with the event is for analyzing the event ] of the intrusion event.” (see Kim, [0006])
Therefore, Kim discloses the event to be analyzed is corresponding to a potential attack.
Thus, the combination of Castillo and Kim disclose or suggest "receiving ... an event to be analyzed from a security information & event management (SIEM) server, the event to be analyzed corresponding to a potential attack , the event to be analyzed selected by the SIEM server from a plurality of events detected by different security devices based on a desired correlation rule used to filter the plurality of events received by the different security devices,", as claimed in claim 1. 
(b) Appellants submit:
“Further, the relied upon sections of Castillo fails to disclose or suggest that the Castillo event alerts, which the Examiner alleges is the equivalent of the "plurality of events," are "detected by different security devices." The relied upon sections of Castillo fails to disclose or suggest the managed elements are "security devices" as required by claim 1 and as defined by the Instant Specification.” (see appeal brief, page 19, last par)
Examiner maintains:
Castillo discloses at col. 3, line 65 “unknown anomaly was found [i.e., a network behavior anomaly was detected by a security device. Some network behavior anomalies are deliberately caused by intruders with malicious intent such as a denial-of-service attack in an IP network, while others may be purely an accident such as an overpass falling in a busy road network. Therefore, a network behavior anomaly event could potentially be a network attack event, and needs to be sent over from the security device to the SIEM server to analyze and verify.]”.
Therefore, Castillo discloses or suggests a security device detecting a network behavior anomaly event, which could potentially be a network attack event.
Castillo further discloses: fig. 2, top left box “Event occurs [i.e., a plurality of events detected by different security devices ], is processed by Event Reception Engine [i.e., a security information & event management (SIEM) server ]”.
In addition, Castillo further elaborates on Event Reception Engine (the SIEM server): “During systems management, events generated on individual systems [i.e., a plurality of events detected by different security devices, where ‘individual systems’ corresponding to ‘different security devices’, which monitor, detect, and report detected network behavior anomaly events to Event Reception Engine (the SIEM server) ] (objects) are usually sent to central Event Reception Engine [i.e., the SIEM server ]” (see Castillo, col. 8, line 61)
Therefore, Castillo discloses or suggests the plurality of network behavior anomaly events are detected by different security devices.
Additionally, Kim discloses “Moreover, the server 200 may supply an analysis result of the cause of the intrusion event to an external cyber security monitoring and control system [i.e., where ‘external cyber security monitoring and control system’ corresponding to different security devices ] (not shown).” (see Kim, [0024]).
Thus, the references disclose or suggest the plurality of events are detected by different security devices, as claimed in claim 1.
(c) Appellants submit:
“Moreover, the relied upon sections of Castillo fail to disclose or suggest that a SIEM server selects the event to be analyzed corresponding to a potential network attack "based on a desired correlation rule used to filter the plurality of events received by the different security devices."”  (see appeal brief, page 19, last par)
Examiner maintains:
Castillo discloses at col. 3, line 65 “unknown anomaly was found [i.e., a network behavior anomaly was detected by a security device. Some network behavior anomalies are deliberately caused by intruders with malicious intent such as a denial-of-service attack in an IP network, while others may be purely an accident such as an overpass falling in a busy road network. Therefore, a network behavior anomaly event could potentially be a network attack event, and needs to be sent over from the security device to the SIEM server to analyze and verify.]”.
Therefore, Castillo discloses or suggests a security device detecting a network behavior anomaly event, which could potentially be a network attack event.
Castillo further discloses: fig. 2, top left box “Event occurs [i.e., a plurality of events detected by different security devices ], is processed by Event Reception Engine [i.e., a security information & event management (SIEM) server ]”.
In addition, Castillo further elaborates on Event Reception Engine (the SIEM server): “During systems management, events generated on individual systems [i.e., a plurality of events detected by different security devices, where ‘individual systems’ corresponding to ‘different security devices’, which monitor, detect, and report detected network behavior anomaly events to Event Reception Engine (the SIEM server) for analysis and validation ] (objects) are usually sent to central Event Reception Engine [i.e., the SIEM server ]” (see Castillo, col. 8, line 61)
Therefore, Castillo discloses or suggests “receiving ... an event to be analyzed from a security information & event management (SIEM) server … a plurality of events detected by different security devices.”
Castillo further discloses “(a) receiving an event having event details, wherein the event details include event class [i.e., the event has been selected and classified by Event Reception Engine (the SIEM server) for analysis, based on a desired correlation rule to filter the events ]; (b) performing automated validation of the event based on event class…” (see Castillo, col. 2, line 62)
In addition, Castillo further elaborates on event class: “The method also includes the step of determining whether the event class qualifies for automated event processing so that if it does not qualify the process is exited. To determine whether the event class qualifies for automated event processing, the event class is compared with a predetermined list of event classes that qualify for automated event processing [i.e., the event has been classified and selected by the SIEM server for analysis, based on a desired correlation rule to filter the events, where ‘a predetermined list of event classes’ corresponding to ‘a desired correlation rule to filter the events’ ].” (see Castillo, col. 3, lines 22-26).
Therefore, Castillo discloses or suggests that a SIEM server selects the event to be analyzed corresponding to a network behavior anomaly "based on a desired correlation rule used to filter the plurality of events received by the different security devices."
Castillo discloses or suggests the event to be analyzed corresponding to a network behavior anomaly (see Castillo, col. 3, line 65 “unknown anomaly was found [i.e., a network behavior anomaly was detected, Some network behavior anomalies are deliberately caused by intruders with malicious intent such as a denial-of-service attack in an IP network. ]”).  However, Castillo does not explicitly disclose the event to be analyzed corresponding to a potential attack.
Kim discloses: “provide a function of collecting evidence data [i.e., where ‘collecting evidence data’ associated with the event is for analyzing the event ] of the intrusion event [i.e., a potential attack ].” (see Kim, [0006])
Therefore, Kim discloses the event to be analyzed is corresponding to a potential attack. 
Thus, the combination of Castillo and Kim discloses or suggests that a SIEM server selects the event to be analyzed corresponding to a potential attack "based on a desired correlation rule used to filter the plurality of events received by the different security devices," as claimed in claim 1.
(d) Appellants submit:
“Moreover, the Examiner completely fails to identify any section of Castillo which corresponds to the event to be analyzed being "selected by the SIEM server from a plurality of events detected by the different security devices based on a desired correlation rule used to filter the plurality of events received by the different security devices."” (see appeal brief, page 20, 2nd par)
Examiner maintains:
The combination of Castillo and Kim disclose or suggest that the event to be analyzed being "selected by the SIEM server from a plurality of events detected by the different security devices based on a desired correlation rule used to filter the plurality of events received by the different security devices," as claimed (see (e) above).

B. Castillo fails to disclose or suggest "simulating, using the at least one processor, a network attack using the acquired location information based on the network attack corresponding to the registered event," and "determining, using the at least one processor, a validity status of the registered event based on the simulated network attack," limitations of claim 1. (see appeal brief, page 21)
(e) Appellants submit:
“Second, Appellants submit Castillo fails to disclose or suggest "simulating a network attack ... based on the network attack corresponding to the registered event," and "determining a validity status of the registered event based on the simulated attack," (emphases added) as required by claim 1.” (see appeal brief, page 21, 3rd par)
Examiner maintains:
In response to applicant's arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references.  See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).  In this case, claim 1 is rejected by Castillo in view of Kim, therefore it is the combination of Castillo and Kim that disclose or suggest the limitations in claim 1.
Castillo discloses at col. 3, line 65 “unknown anomaly was found [i.e., a network behavior anomaly was detected by a security device. Some network behavior anomalies are deliberately caused by intruders with malicious intent such as a denial-of-service attack in an IP network, while others may be purely an accident such as an overpass falling in a busy road network. Therefore, a network behavior anomaly event could potentially be a network attack event, and needs to be sent over from the security device to the SIEM server to analyze and verify.]”.
Therefore, Castillo discloses or suggests a security device detecting a network behavior anomaly event, which could potentially be a network attack event.
Castillo further discloses: 
at col. 14, line 27 ‘verifying Node reachability [i.e., simulating a network behavior anomaly event using the acquired location information corresponding to the registered network behavior anomaly event, where ‘node’ corresponding to the location information of the node, such as the node IP address ]’;
at col. 18, line 17 ‘HTTP Status: The HTTP Status triage script is responsible for verifying the availability of a specific URL [i.e., simulating a network behavior anomaly event using the acquired location information corresponding to the registered network behavior anomaly event, where URL corresponding to the location information ] from the TMR Server.  This script uses the LWP::UserAgent perl module to query the URL and determine the connection success status [i.e., determining the validity status of the registered event based on the acquired location information ].’; and 
at col. 18, line 39 ‘verifying the availability of a specific TCP port [i.e., simulating a network behavior anomaly event using the acquired location information corresponding to the registered network behavior anomaly event, where ‘a specific TCP port’ corresponding to the location information ] on a given device’.
Therefore, Castillo discloses or suggests "simulating, using the at least one processor, a network behavior anomaly using the acquired location information based on the network behavior anomaly corresponding to the registered event," and "determining, using the at least one processor, a validity status of the registered event based on the simulated network behavior anomaly,".
Castillo discloses or suggests the event to be analyzed corresponding to a network behavior anomaly (see Castillo, col. 3, line 65 ‘unknown anomaly was found [i.e., a network behavior anomaly was detected by a security device. Some network behavior anomalies are deliberately caused by intruders with malicious intent such as a denial-of-service attack in an IP network, while others maybe purely an accident such as an overpass falling in a busy road network. ]’).  However, Castillo does not explicitly disclose a network attack.
Kim discloses: “provide a function of collecting evidence data [i.e., where collecting evidence data associated with the event is for analyzing the event ] of the intrusion event.” (see Kim, [0006]); “In the network security field, a cyber intrusion event denotes a case of attacking an information communication network” (see Kim, [0003]).
Therefore, Kim discloses the event to be analyzed is corresponding to a network attack.
Additionally, Kim further discloses or suggests simulating, using the at least one processor, a network attack using the acquired location information based on the network attack corresponding to the registered event (see Kim, [0057] ‘may reconstruct the cyber attack scenario, based on extracted information, and may reproduce a corresponding intrusion event according to the reconstructed attack scenario [i.e., using the acquired location information, simulating a network attack corresponding to the registered event ].’).
Thus, the combination of Castillo and Kim disclose or suggest "simulating, using the at least one processor, a network attack using the acquired location information based on the network attack corresponding to the registered event," and "determining, using the at least one processor, a validity status of the registered event based on the simulated network anomaly,", as claimed in claim 1.
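As an added illustration of the two-stage flow the answer reads into Castillo in (a), (c) and (e), and not code from Castillo, Kim or the appealed application: a reception stage registers only events whose class is on a predetermined list (the "correlation rule" in the examiner's reading), then a triage stage re-checks the registered event's location information (host, port or URL) and records a validity status. All names, event classes and sample events are constructed; the probes are table-driven stand-ins so the example runs offline.

```python
"""Event-class selection plus triage validation. Added example; the classes,
hosts and events below are constructed for illustration only."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Predetermined list of event classes that qualify for automated processing.
# Events of any other class exit the automated process (constructed values).
QUALIFYING_CLASSES = {"node_down", "http_unavailable", "port_unavailable"}


@dataclass
class Event:
    source_device: str                 # the security device that reported it
    event_class: str
    location: Dict[str, str] = field(default_factory=dict)  # host / port / url


@dataclass
class RegisteredEvent:
    event: Event
    validity: Optional[str] = None     # "confirmed", "false_positive" or None


def select_events(events: List[Event],
                  qualifying=QUALIFYING_CLASSES) -> List[RegisteredEvent]:
    """Reception stage: register only events whose class is on the list."""
    return [RegisteredEvent(e) for e in events if e.event_class in qualifying]


# A probe takes the event's location information and returns True when the
# resource currently answers (reachable host, open port, URL responding).
Probe = Callable[[Dict[str, str]], bool]


def triage(reg: RegisteredEvent, probes: Dict[str, Probe]) -> RegisteredEvent:
    """Triage stage: re-check the reported condition using the event's own
    location information. Still unreachable -> the alert is confirmed;
    answers now -> marked a false positive (transient or already recovered).
    No probe for the class -> validity stays None."""
    probe = probes.get(reg.event.event_class)
    if probe is None:
        return reg
    reg.validity = "false_positive" if probe(reg.event.location) else "confirmed"
    return reg


def run_pipeline(events: List[Event],
                 probes: Dict[str, Probe]) -> List[RegisteredEvent]:
    """Select, then triage, returning the registered events with status."""
    return [triage(r, probes) for r in select_events(events)]


# ---- Constructed offline stand-ins for the triage scripts -----------------
# A deployment would run an ICMP, TCP-connect or HTTP check here; these
# lookups only simulate what such a check would return for the sample data.
_LIVE_HOSTS = {"10.0.0.5"}                       # hosts that answer
_OPEN_PORTS = {("10.0.0.5", "443")}              # (host, port) pairs open
_HTTP_OK = {"http://intranet.example/health"}    # URLs that respond

OFFLINE_PROBES: Dict[str, Probe] = {
    "node_down": lambda loc: loc.get("host") in _LIVE_HOSTS,
    "port_unavailable": lambda loc: (loc.get("host"), loc.get("port")) in _OPEN_PORTS,
    "http_unavailable": lambda loc: loc.get("url") in _HTTP_OK,
}

# Constructed sample events reported by four different security devices.
SAMPLE_EVENTS = [
    Event("ids-1", "node_down", {"host": "10.0.0.5"}),       # answers -> false positive
    Event("ids-2", "node_down", {"host": "10.0.0.9"}),       # silent  -> confirmed
    Event("fw-1", "port_unavailable", {"host": "10.0.0.5", "port": "22"}),  # closed -> confirmed
    Event("proxy-1", "http_unavailable", {"url": "http://intranet.example/health"}),  # ok -> false positive
    Event("ids-1", "config_change", {"host": "10.0.0.5"}),  # not on the list -> not registered
]

if __name__ == "__main__":
    for r in run_pipeline(SAMPLE_EVENTS, OFFLINE_PROBES):
        print(r.event.source_device, r.event.event_class, r.validity)
```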

C. Kim also fails to disclose or suggest "receiving . .. an event to be analyzed from a security information & event management (SIEM) server, the event to be analyzed corresponding to a potential attack, the event to be analyzed selected by the SIEM server from a plurality of events detected by different security devices based on a desired correlation rule used to filter the plurality of events received by the different security devices," "simulating, ... , a network attack using the acquired location information based on the network attack corresponding to the registered event," and "determining, using the at least one processor, a validity status of the registered event based on the simulated network attack," limitations of claim 1. (see appeal brief, page 22)
(f) Appellants submit:
“Appellants submit Kim fails to disclose or suggest, and/or fails to remedy the deficiencies of Castillo, because Kim states that the data collector device stores the "entire packet data, flow data, and a PE file ... as evidence data from network traffic . . . for a long time . . . . since evidence data collected from network traffic is preserved for a long time," and is transmitted to the server when the server transmits a request to the data collector device. See Kim at 0023 and 0068-0069 (emphases added). The relied upon sections of Kim fail to disclose or suggest a "desired correlation rule," as required in claim 1, and further fail to disclose or suggest that the Kim server selects an "event to be analyzed ... from a plurality of events detected by different security devices based on [the] desired correlation rule."” (see appeal brief, page 23, 3rd par)
Examiner maintains:
In response to applicant's arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references.  See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).  In this case, claim 1 is rejected by Castillo in view of Kim, therefore it is the combination of Castillo and Kim that disclose or suggest the limitations in claim 1.
The combination of Castillo and Kim disclose or suggest a "desired correlation rule," and that the server selects an "event to be analyzed ... from a plurality of events detected by different security devices based on [the] desired correlation rule." (see (c) above).
(g) Appellants submit:
“Additionally, the relied upon sections of Kim also fail to disclose or suggest "simulating a network attack ... based on the network attack corresponding to the registered event," and "determining a validity status of the registered event based on the simulated attack," as required by claim 1.” (see appeal brief, page 24, 2nd par)
Examiner maintains:
The combination of Castillo and Kim disclose or suggest "simulating a network attack ... based on the network attack corresponding to the registered event," and "determining a validity status of the registered event based on the simulated attack," as required by claim 1 (see (e) above).
(h) Appellants submit:
“Additionally, the relied upon sections of Kim fail to disclose or suggest the "determining a validity status of the registered event based on the simulated attack," limitation of claim 1 as well.” (see appeal brief, page 24, 3rd par)
Examiner maintains:
The combination of Castillo and Kim disclose or suggest "simulating a network attack ... based on the network attack corresponding to the registered event," and "determining a validity status of the registered event based on the simulated attack," as required by claim 1 (see (e) above).

D. The Examiner fails to provide a proper motivation to combine Castillo and Kim. (see appeal brief, page 25)

(i) Appellants submit:
“The Examiner fails to provide any explanation as to why a person of ordinary skill in the art would have been motivated to add the cyber security functionality of Kim to Castillo and what the benefit would be in modifying Castillo to include the selected features of Kim, when they would have the option of using the system of Kim by itself instead.”  (see appeal brief, page 27, 2nd par)
Examiner maintains: 
Castillo teaches "method, apparatus, and program for monitoring an object in a network and validating the status of the object.” (see Castillo, col. 1, line 18).
Kim teaches analyzing an event corresponding to a potential attack, and collecting raw data associated with an event in response to the registration of the event (see Kim, [0006] ‘provide a function of collecting evidence data [i.e., where ‘collecting evidence data (raw data)’ associated with the event is for analyzing and validating the event ] of the intrusion event.’).
Therefore, Kim’s teaching could enhance the system of ‘monitoring an object and validating the status of the object’, because Kim teaches analyzing an event  corresponding to a potential attack, and collecting raw data associated with an event in response to the registration of the event.
(j) Appellants submit:
“As discussed above, the Castillo method is capable of validating the "status of the object," e.g., determining whether a computer is operating correctly or not using triage scripts, and the Examiner fails to identify any reason that determining whether an event is a potential network attack or not would benefit the triage scripts of Castillo.”  (see appeal brief, page 28, 1st par)
Examiner maintains:
Kim’s teaching could enhance the system of ‘monitoring an object and validating the status of the object’, because Kim teaches analyzing an event corresponding to a potential attack, and collecting raw data associated with an event in response to the registration of the event (see (h) above). 

E. The Examiner Failed to Establish a Prima Facie Case of Obviousness. (see appeal brief, page 28)
(k) Appellants submit:
“Accordingly, for at least the reasons stated above, Appellants submit that the relied upon sections of Castillo and Kim, alone or combined, fail to disclose or suggest all of the elements of independent claim 1 and thus, the Examiner has failed to establish a prima facie case of obviousness with respect to independent claim 1.” (see appeal brief, page 28, 4th par)
Examiner maintains:
Appellants do not provide any specific argument in this section. Therefore, the combination of Castillo and Kim disclose or suggest all of the elements of independent claim 1 (see (a)-(j) above).


For the above reasons, it is believed that the rejections should be sustained.
Respectfully submitted,
/PEILIANG PAN/ Examiner, Art Unit 2492
Conferees:

Saleh Najjar
/SALEH NAJJAR/ Supervisory Patent Examiner, Art Unit 2492

Michael W. Chao
/MICHAEL W CHAO/ Primary Examiner, Art Unit 2492
Requirement to pay appeal forwarding fee. In order to avoid dismissal of the instant appeal in any application or ex parte reexamination proceeding, 37 CFR 41.45 requires payment of an appeal forwarding fee within the time permitted by 37 CFR 41.45(a), unless appellant had timely paid the fee for filing a brief required by 37 CFR 41.20(b) in effect on March 18, 2013.