DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Amendment / Arguments
Regarding claims rejected under 35 USC 103:
Applicant's arguments have been fully considered but they are not persuasive.
Applicant argues against the Ahmed-Bargury-Bhalotra combination, writing that “the security services of Bargury utilizes a machine learning model to detect unused open ports on machines connected to a cloud-based service and thereby prevents the open ports from being attacked. In comparison, the background of the instant application involves security developer(s) to develop a bunch of rules for defining (e.g., restricting) access and transition rights (authorities) of user(s), user space application(s), process(es), director(ies) and (configuration) file(s) in an operating system… the security threat model of the instant application is created according to the plurality of activities occurred in a kernel space of the operating system, while the detecting of open ports on computer networks in Barbury is nothing to do with the kernel space. In other words, the first system test performed on the security model of the instant application is different from the testing of the machine learning model of Bargury.”
In response to Applicant's arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references. See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986). In this case, the Ahmed reference teaches recording a plurality of activities that occurred in a kernel space of an OS. For instance, [0118] of Ahmed states that “[t]he terms ‘computing resource process,’ ‘computer resource process’ or ‘CR process,’ as used in this disclosure, means a computing resource that is in execution or in a state of being executed on an operating system or an operating system kernel of a computing device. Every computing resource that is created, opened or executed on or by the operating system can create a corresponding ‘CR process.’” Additionally, [0062] and [0071] of Ahmed state that “[f]or each computing resource, the data structure can include, for example, CRP identification data, CRP state data, and CRP control data to uniquely identify each corresponding CR process when running on the OS kernel” and that “DB 120D can be arranged to contain information about each computer resource in the computing device 30 (shown in FIG. 1), including computer resources 190. The DB 120D can contain, for example, configuration data, Internet Protocol (IP) address, media access control (MAC) address, policies, or rules. The database 12D can be arranged to store the records of: operating systems or OS kernels; instantiated CR processes, including, for example, instantiated CR process name, instantiated CR process identification number, instantiated CR cryptographic hash and instantiated CR process canonical path; CR process instantiation verification data, including, for example, CR process name, identification number, CR cryptographic hash and canonical path; SMA table data, including mutex, semaphore or atomic data; timestamps; event logs; and CRP whitelists.” Finally, [0082]-[0084] of Ahmed describe how “ransomware monitor 170 can be arranged to check and enumerate all CR processes running on the OS kernel. The ransomware monitor 170 can be arranged to monitor and enumerate every CR process running on or interacting with the OS kernel, including the CR process's file path (including, for example, canonical path), process name, process cryptographic hash and process identification number, which can be generated by the OS kernel for each CR process.”
Both Bargury and Ahmed concern a learning and protect phase, as well as learning from collected log data, and the test for obviousness is not whether the features of a secondary reference may be bodily incorporated into the structure of the primary reference; nor is it that the claimed invention must be expressly suggested in any one or all of the references. Rather, the test is what the combined teachings of the references would have suggested to those of ordinary skill in the art. See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981). In this case, Bargury has been relied upon for its teachings concerning implement machine learning and model testing during a learning phase.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1-3, 5-7 and 9-11, and 13-15 is/are rejected under 35 U.S.C. 103 as being unpatentable over Ahmed (US 2022/0050896 A1) in view of Bargury (US 2019/0286826 A1) and Bhalotra (US 10,397,255 B1).
Regarding claim 1, Ahmed discloses: A method of handling security of an operation system, comprising turning on an unlocked mode of the operating system, and turning off an interactive mode of the operating system;
Refer to at least [0089] and [0091] of Ahmed with respect to a learn mode and protect mode of an operating system to be secured, where the modes may be switched via timer or trigger.
recording a plurality of activities occurred in a kernel space (e.g., [0071], [0082]-[0084], and [0118] of Ahmed with respect to recording resources of computer resources in an OS kernel) of the operating system in a list; creating a security threat model for the operating system according to the plurality of activities;
Refer to at least [0041], [0055], [0063], [0069], and [0093]-[0100] of Ahmed with respect to recording computer resource process information during the learn mode, further including creating a record of normal behavior and implementing a whitelist.
and turning off the unlocked mode, and turning on the interactive mode.
Refer to at least [0041], [0060], [0082]-[0084], [0087], and [0102]-[0108] of Ahmed with respect to switching to the protect mode and implementing policy enforcement.
performing a second system test on the security threat model or manually editing the security threat model; and
Refer to at least 245-280 in FIG. 3A-B and [0102]-[0108] of Ahmed with respect to protect mode policy enforcement (e.g., checking computer resource processes for authorization).
turning off the interactive mode after performing the second system test or manually editing the security threat model.
Refer to at least 280-285 in FIG. 3B, [0104], and [0108] of Ahmed with respect to switching from the protect mode after a timer runs out.
Ahmed does not disclose: performing a first system test on the security threat model; swapping the modes (“turning off the unlocked mode, and turning on the interactive mode”) being performed after performing the first system test; performing the second test or manually editing the security threat model after turning off the unlock mode and turning on the interactive mode; wherein the first system test is different from the second system test. However, in view of Bargury discloses: performing a first system test on the security threat model; swapping the modes (“turning off the unlocked mode, and turning on the interactive mode”) being performed after performing the first system test;
Refer to at least FIG. 2 of Bargury with respect to a training phase followed by an execution phase, where the training phase includes testing the model. As per at least FIG. 2, [0006], [0039], [0041], and [0047], the training phase transitions to the execution phase after performing the testing.
The teachings of Bargury likewise concern a learning and protect phase, as well as learning from collected log data. They are considered to be within the same field of endeavor and combinable as such.
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of Ahmed to further implement machine learning and model testing during the learning phase for the purpose of improving the accuracy of detecting normal behavior (e.g., [0044] and [0055] of Ahmed; [0006] and [0069] of Bargury concerning improved accuracy).
Ahmed-Bargury does not specify: performing the second test or manually editing the security threat model after turning off the unlock mode and turning on the interactive mode; wherein the first system test is different from the second system test. However, Ahmed-Bargury in view of Bhalotra discloses: performing the second test or manually editing the security threat model after turning off the unlock mode and turning on the interactive mode; wherein the first system test is different from the second system test.
Refer to at least Col. 3, Ll. 42-51, Col. 4, Ll. 50-53, Col. 12, Ll. 53-59, and Col. 13, Ll. 62-Col. 14, Ll. 21 of Bhalotra with respect to updating models (e.g., Col. 9, Ll. 4-37 of Bhalotra), including during the operational phase and using manual user feedback. As per Col. 13, Ll. 62-Col. 14, Ll. 21 of Bhalotra, switching may be performed after the operational phase back into the learning phase (although it is dispreferred due to potential disruptions).
The teachings of Bhalotra also concern a learning and protect phase, as well as implementing security models. They are considered to be within the same field of endeavor and combinable as such.
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of Ahmed-Bargury to further implement testing and updating models during the protect mode for at least the reasons discussed in Col. 9, Ll. 24-37 and Col. 13, Ll. 62-Col. 14, Ll. 21 of Bhalotra (i.e., improved efficiency, less operational downtime, and adapting to constantly changing security issues).
Regarding claim 2, it is rejected for substantially the same reasons as claim 1 above (i.e., the citations to the OS and kernel).
Regarding claim 3, Ahmed-Bargury-Bhalotra discloses: The method of claim 1, wherein the unlocked mode is turned on in a security environment of the operating system.
Refer to at least [0054] and [0060] of Ahmed with respect to the OS, Kernel, and cybersecurity system MDAP.
Regarding claim 5, Ahmed-Bargury-Bhalotra discloses: The method of claim 1, further comprising: recording at least one of at least one port, a number of at least one program, at least one hash of the at least one program, an execution order of the at least one program, at least one timing offset and at least one peripheral equipment.
Refer to at least [0057], [0061]-[0062], [0069], and [0071] of Ahmed with respect to information gathered about the computer resource processes, including process name, hash, timestamp, configuration data, and canonical path.
Regarding claim 6, Ahmed-Bargury-Bhalotra discloses: The method of claim 1, further comprising: creating a plurality of rules for protecting the operating system according to the security threat model.
Refer to at least [0041], [0055], [0063], [0069], [0071], and [0093]-[0100] of Ahmed with respect to obtaining normal behavior, a whitelist, and polices and rules for computer resource processes; databases and data structures storing such.
Regarding claim 7, it is rejected for substantially the same reasons as claim 6 above (i.e., a size of a database / list / data structure being “related to” its level of granularity).
Regarding independent claim 9, it is substantially similar to independent claim 1 above, and is therefore likewise rejected (i.e., see the citations).
Regarding claims 10-11 and 13-15, they are substantially similar to claims 3 and 5-7 above, and are therefore likewise rejected.
Conclusion
THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to VADIM SAVENKOV whose telephone number is (571)270-5751. The examiner can normally be reached 12PM-8PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey L Nickerson can be reached at (469) 295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Jeffrey Nickerson/Supervisory Patent Examiner, Art Unit 2432
/V.S/Examiner, Art Unit 2432