T 2243/09 (Packet network auditing/INTELLINX) of 20.2.2014

European Case Law Identifier: ECLI:EP:BA:2014:T224309.20140220
Date of decision: 20 February 2014
Case number: T 2243/09
Application number: 05703070.2
IPC class: H04L 12/26, H04L 12/24, G06F 11/34
Language of proceedings: EN
Distribution: D
Versions: Unpublished
Title of application: APPARATUS AND METHOD FOR MONITORING AND AUDITING ACTIVITY OF A LEGACY ENVIRONMENT
Applicant name: Intellinx Ltd.
Opponent name: -
Board: 3.5.05
Headnote: -
Relevant legal provisions:
European Patent Convention 1973 Art 56
Keywords: Inventive step - main request (yes)
Catchwords:

-

Cited decisions:
-
Citing decisions:
-

Summary of Facts and Submissions

I. The appeal is against the decision of the examining division, posted on 7 July 2009, to refuse European patent application No. 05 703 070.2 on the grounds of lack of inventive step with respect to a main request and a first auxiliary request, having regard to the disclosure of

D2: US 2003/0135612

and the common general knowledge of the skilled person,

or having regard only to the common general knowledge of the skilled person.

A second auxiliary request was not admitted into the examination proceedings under Rule 137(3) EPC on the ground that it was not clearly allowable under Article 56 EPC.

II. Notice of appeal was received on 10 September 2009 and the appeal fee was paid on the same day. With the statement setting out the grounds of appeal, received on 16 November 2009, the appellant filed amended claims according to a main request (claims 1 to 19) and an auxiliary request (claims 1 to 19). The appellant requested that the decision under appeal be set aside and that a patent be granted on the basis of the main request or on the basis of the auxiliary request. The appellant further requested reimbursement of the appeal fee on the ground that a substantial procedural violation had occurred and, as a precaution, oral proceedings.

III. A summons to oral proceedings was issued on 29 October 2013. In an annex to this summons, the board expressed its preliminary opinion, pursuant to Article 15(1) RPBA, that the main request met the requirements of Article 56 EPC 1973, having regard to the disclosure of D2. It also expressed its opinion that no substantial procedural violation had occurred in the proceedings before the first instance and that, as a consequence, the appeal fee should not be reimbursed under Rule 67 EPC 1973.

Furthermore, the board stated that it would remit the case to the department of first instance with the order to grant a patent based on the claims of the main request, provided that the request for reimbursement of the appeal fee was withdrawn. The board thus invited the appellant to indicate whether it maintained its requests for reimbursement of the appeal fee and for oral proceedings.

IV. By letter dated 9 January 2014, the appellant withdrew both those requests.

V. Independent claim 1 of the main request reads as follows:

"1. An apparatus (107) for monitoring and auditing activity of a legacy system, the apparatus comprising:

an analyzer (303) being configured to analyze intercepted packets, wherein said packets are conveyed between terminals and hosts (102, 103, 104) in said legacy system, wherein said hosts in said legacy system use at least one incremental legacy screen protocol for conveying fields associated with a screen to a terminal and wherein said analyzer is further configured to generate analyzed data based on information associated with at least some of said packets, the analyzed data being indicative of sessions in said legacy system and indicative of an incremental screen protocol used in said sessions;

a mirror manager (305) being responsive to said analyzed data for generating data representative of mirror sessions, each mirror session corresponding to one of said sessions;

an audit event analyzer (307) being responsive to said mirror data, said audit event analyzer being configured to generate an outbound audit event comprising fields associated with a screen to be displayed on a terminal in said legacy system, said fields comprising at least one input field for allowing a user to insert input information therein and an inbound audit event comprising input information inserted by a user of a terminal into an input field associated with a screen and a screen location indicating where said input information was inserted in said screen;

said audit event analyzer further being configured to associate an inbound audit event with an outbound audit event; to identify data representative of input information inserted by a user in an inbound audit event; and, to form data representative of a united audit event by combining data representative of an outbound audit event with data representative of input information in an associated inbound audit event."

The main request further comprises an independent claim (claim 11) directed towards a corresponding method.

Reasons for the Decision

1. The appeal is admissible.

2. Main request

2.1 Article 123(2) EPC

Claim 1 has been clarified compared with claim 1 of the main request on which the impugned decision was based, by means of the following amendments:

a) the term "client" has been replaced by "terminal",

b) the hosts have been more precisely defined as using at least one incremental legacy screen protocol for conveying fields associated with a screen to a terminal,

c) the outbound audit event has been more precisely defined as comprising fields associated with a screen to be displayed on a terminal in the legacy system, the fields comprising at least one field for allowing a user to insert input information therein,

d) the inbound audit event has been more precisely defined as comprising input information inserted by a user of a terminal into an input field associated with a screen location indicating where said input information was inserted in said screen.

Similar amendments have been made to independent claim 11.

These amendments are all supported by the application documents as originally filed:

- for feature a), see page 6, lines 16 to 19 of the published application,

- for feature b), see page 7, lines 9 to 12, page 21, lines 9 to 12 and page 28, lines 1 to 7 of the published application,

- for features c) and d), see page 9, lines 10 to 13, page 21, lines 16 to 22, page 22, lines 25 to 28, page 25, lines 14 to 18 and page 27, lines 17 to 19 of the published application.

The board is thus satisfied that the amendments comply with the requirements of Article 123(2) EPC.

2.2 Inventive step

2.2.1 Prior art

The board agrees with the examining division that D2 represents the most relevant prior-art document and that the other document on file is more remote than D2.

D2 discloses a system for monitoring network traffic (e.g. IP traffic) and providing statistical information concerning the traffic. Packets corresponding to requests and responses of a session are detected and stored in order to reconstruct webpage sequences for display on a user's terminal later. D2 mentions the use of the well-known HTTP, HTTPS, and FTP protocols, and, as such, can be considered as a legacy system. Using these protocols, when a user inputs data in a field of a displayed screen, the whole screen is refreshed and sent to the host. Therefore, contrary to what is stated in the impugned decision (see reasons II.A-1.4), D2 does not disclose, even implicitly, the use of an incremental screen protocol, wherein only a user's input in a field and the position of said field in the screen, instead of the whole refreshed screen, are sent to the host. D2 is thus able to replay web sessions only in the form of successive displayed screens but not in the form of the actual user inputs in each screen.

2.2.2 The differences between the subject-matter of claim 1 and the disclosure of D2 are thus in substance the following:

- an incremental screen protocol is used for conveying fields of a screen from a host to a terminal,

- outbound audit events are generated, comprising input fields of screens sent from a host to a terminal using the incremental screen protocol,

- inbound audit events are generated, comprising input information inserted by a terminal's user into input fields of a screen and transmitted back to the host using the incremental screen protocol,

- unified audit events are generated, comprising input information and input field of an outbound audit event and its corresponding audit event.

The technical effect of these differences is that the unified audit event allows the simultaneous display of input fields and input information inserted by a user in these input fields in one screen. This makes it possible to analyse all the user's inputs in a host-terminal session, independently of the application making use of the screen protocol.

The objective technical problem can thus be defined as how to improve the auditing system of D2 to enable an analysis at the level of screen field inputs. In this respect, the board agrees with the appellant that introducing the use of an incremental screen protocol in the formulation of the technical problem, as in the decision under appeal (see reasons II.A-1.3 and II.A-1.4), represents an inadmissible direct pointer to the solution, contrary to the established case law on the problem-solution approach for assessing inventive step.

D2 relates to an HTTP, TCP/IP-based system wherein whole screens of a host-terminal session may be stored for further replay. The appellant has plausibly argued that, due to the non-incremental nature of the HTTP messages conveying the information for drawing the successive screens, the auditing system of D2 does not store the inputs of a user in fields of a screen but only the result of these inputs as a next screen. The skilled person trying to solve the above-mentioned problem would not be incited to leave the framework of the HTTP and TCP/IP protocols, which is at the basis of the monitoring scheme of D2. He would thus try to adapt the analysis of packets exchanged in a session between host and terminal, rather than adapting the whole system of D2 to an incremental screen protocol for displaying screens to a user. In that respect, the board also considers that the skilled person would have had no reason to depart drastically from the basic structure of the web screen transmission and capture scheme used in D2 in 2003, by relying on much older incremental screen technology such as the IBM 3270, in order to improve the auditing of host-terminal sessions.

2.2.3 The decision under appeal apparently presents a second line of reasoning under "Further comment", starting on page 6, third paragraph. Apart from the fact that these arguments do not appear to have been discussed during the oral proceedings before the first instance, contrary to the requirements of Article 113(1) EPC 1973, the board makes the following remarks for the sake of completeness.

This second line of reasoning is based only on the common general knowledge of the skilled person. However, this common general knowledge appears to consist of a multiplicity of information items (e.g. the 3270 system, the "man in the middle", the auditing by intelligence service, known network management tools, the professional activities of an examiner, etc.) that the skilled person could supposedly piece together, like a puzzle, to arrive at the subject-matter of claim 1 without having to exercise inventive step. The board however considers that such reasoning is inherently based on hindsight and, as the appellant argued, alien to the established practice of the EPO, and in particular to the settled case law of the boards of appeal.

2.2.4 For these reasons, the board judges that the subject-matter of claim 1 and of the corresponding method claim 11 involves an inventive step (Article 56 EPC 1973).

3. Auxiliary request

Since the main request is allowable, there is no need for the board to consider the auxiliary request.

Order

For these reasons it is decided that:

1. The decision under appeal is set aside.

2. The case is remitted to the department of first instance with the order to grant a patent on the basis of the main request filed with letter dated 16 November 2009 and a description to be adapted accordingly.
