DETAILED ACTION
This Office Action has been issued in response to Applicant's Amendment filed January 1, 2026.
Claims 1 and 11 have been amended. Claims 1-13 and 17-23 have been examined and are pending.
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Arguments
Applicant's arguments filed January 1, 2026 have been fully considered but they are not persuasive.
Applicant argues Symons does not disclose monitoring to determine real changes to a fabric. Paragraph [0048] of Symons discloses devices 110 and switches 120 in the current infrastructure description are compared to devices 110 and switches 120 in the expected infrastructure description to detect any new devices 110 or switches 120 in the network or any changed configurations of devices 110 and/or switches 120 in the network. A report may be output describing any discrepancies between the infrastructure descriptions. The result of the comparison in Symons is detecting new devices or switches which is determining real changes to a fabric. Paragraph [0055] of Symons discloses the present invention allows a data center operator to quickly determine changes to the network infrastructure such as a new device 110 or switch 120 which has been added to the network.
Applicant’s arguments are directed toward their detecting being fundamentally different than what occurs in Symons however as currently claimed it does not appear to capture this difference.
Applicant argues in Kleinsteiber the changes do not actually occur and thus changes are not detected. Paragraph [0098] of Kleinsteiber discloses if zoning changes are somehow made on a non-FCS switch, the inter-switch updates will be rejected by other switches in the fabric and the compromised switch will be segmented (logically disconnected from the fabric). The reference states the zoning changes are made and thus appear to occur.
Applicant argues the references in combination with Cohen do not disclose the limitation. The claims recite a variety of patterns involving changes in the number of switches and changes in zoning. Cohen discloses that identifying patterns among known indicators of compromise is known in the art. Symons and Kleinsteiber disclose that changes in the number of switches and changes in zoning are known indicators of compromise.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1, 2, 3, 6, 8, 9, 10, 12, 17, 19, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over US Pub. No. 2004/0221047 to Grover (hereinafter “Grover”) and further in view of US Pub. No. 2003/0105881 to Symons et al. (hereinafter “Symons”) and further in view of US Pub. No. 2003/0163692 Kleinsteiber et al. (hereinafter “Kleinsteiber”).
As to Claim 1, Grover discloses a computer-implemented intrusion detection method for identifying cybersecurity attack, the method comprising:
obtaining network-related information about one or more switches or devices acting as switches in a Fibre Channel (FC) fabric (Paragraph [0048] of Grover discloses detects a possible security breach by determining that the extracted WWN of the PLOGI request has previously been logged into the device 30 with a different SID);
examining at least some of the network-related information for presence of one or more indicators indicative of an unauthorized device attempting to compromise the FC fabric or has compromised the FC fabric, [at least one of the one or more indicators comprises: detecting, in real-time or near real-time, a change in a number of switches or devices acting as switches in the FC fabric and a change in zoning] (Paragraph [0046] of Grover discloses the device 30 determines that the associated SID does not match the extracted SID. Accordingly, the device 30 determines that another host is already logged into the device 30 using the same WWN extracted from the PLOGI request. The device 30 is therefore alerted that a possible WWN spoofing has occurred); and
in response to identifying at least one of the one or more indicators, generating an alert (Paragraph [0030] of Grover discloses if these SIDs do not match, the device is alerted that a possible spoofing of the WWN has occurred).
Grover does not explicitly disclose the one or more indicators comprising a change in a number of the one or more switches in the FC fabric.
However, Symons discloses this. Paragraph [0023] of Symons discloses detect and prevent network intrusion in a network such as virtually-wired switching fabric. Paragraph [0048] of Symons discloses devices 110 and switches 120 in the current infrastructure description are compared to devices 110 and switches 120 in the expected infrastructure description to detect any new devices 110 or switches 120 in the network or any changed configurations of devices 110 and/or switches 120 in the network. A report may be output describing any discrepancies between the infrastructure descriptions.
It would have been obvious to one of ordinary skill in the art before the effective filing of the invention to combine the intrusion detection system as disclosed by Grover, with detecting new switches as disclosed by Symons. One of ordinary skill in the art would have been motivated to combine to apply a known technique to a known device. Grover and Symons are directed toward intrusion detection systems and as such it would be obvious to use the techniques of one in the other. Using the techniques of Symons in Grover would improve Grover’s ability to detect intrusions.
Grover does not explicitly disclose a change in zoning.
However, Kleinsteiber discloses this. Paragraph [0098] of Kleinsteiber discloses if zoning changes are somehow made on a non-FCS switch, the inter-switch updates will be rejected by other switches in the fabric and the compromised switch will be segmented (logically disconnected from the fabric). Paragraph [0055] of Symons discloses the present invention allows a data center operator to quickly determine changes to the network infrastructure such as a new device 110 or switch 120 which has been added to the network.
It would have been obvious to one of ordinary skill in the art before the effective filing of the invention to combine the security system as disclosed by Grover, with using change in zoning as an indication as disclosed by Kleinsteiber. One of ordinary skill in the art would have been motivated to combine to apply a known technique to a known device. Grover and Kleinsteiber are directed toward security systems and as such it would be obvious to use the techniques of one in the other. Paragraph [0055] of Grover discloses may perform this procedure in conjunction with other feature, e.g., zoning, to provide added measures of security.
As to Claim 2, Grover-Symons-Kleinsteiber discloses the computer-implemented method of claim 1 wherein the one or more indicators further comprise: detecting one or more segmentations, one or more link resettings, or both (Paragraph [0026] of Symons discloses these embodiments may periodically re-discover the network physical topology and compare it with an expected topology to detect unexpected changes, which may indicate a security violation. Paragraph [0050] of Symons discloses this graphical data structure represents the expected network infrastructure. Each device 110 and switch 120 are represented in a graph, where nodes represent devices 110 and switches 120, links represent the connections between those devices 110 and switches 120, and both nodes and links have attributes that represent the expected configuration of the device 110/switch 120 or connection. Paragraph [0056] of Symons discloses these marks are used later in the process 500 to find missing devices 110 and switches 120 or links).
Examiner recites the same rationale to combine used for claim 1.
As to Claim 3, Grover-Symons-Kleinsteiber discloses the computer-implemented method of claim 1 wherein the unauthorized device is at least one of an unauthorized host that acts as a switch or a host bus adapter that acts as a switch (Paragraph [0048] of Symons discloses devices 110 and switches 120 in the current infrastructure description are compared to devices 110 and switches 120 in the expected infrastructure description to detect any new devices 110 or switches 120 in the network or any changed configurations of devices 110 and/or switches 120 in the network. A report may be output describing any discrepancies between the infrastructure descriptions).
Examiner recites the same rationale to combine used for claim 1.
As to Claim 6, Grover-Symons-Kleinsteiber discloses the computer-implemented method of claim 1 wherein the cybersecurity attack comprises E-port spoofing (Paragraph [0030] of Grover discloses if these SIDs do not match, the device is alerted that a possible spoofing of the WWN has occurred).
As to Claim 8, Grover-Symons-Kleinsteiber discloses the computer-implemented method of claim 7 wherein the alert comprises a risk score (Paragraph [0032] of Grover discloses personnel responsible for maintaining the storage device may be alerted if a possible security breach has occurred. In addition, or as an alternative, a security breach warning may be sent to a remote user console from the device, or to other network components that perform security functions for the FC network).
As to Claim 9, Grover discloses a non-transitory computer-readable medium or media comprising one or more sequences of instructions which, when executed by at least one processor, causes steps to be performed comprising:
receiving network information regarding one or more switches or devices acting as switches in a Fibre Channel (FC) fabric (Paragraph [0048] of Grover discloses detects a possible security breach by determining that the extracted WWN of the PLOGI request has previously been logged into the device 30 with a different SID);
examining at least some of the network information for presence of one or more indicators indicative of an unauthorized device attempting to compromise the FC fabric or has compromised the FC fabric, [at least one of the one or more indicators comprises: detecting a change in a number of the switches or devices acting as switches in the FC fabric and a change in zoning] (Paragraph [0046] of Grover discloses the device 30 determines that the associated SID does not match the extracted SID. Accordingly, the device 30 determines that another host is already logged into the device 30 using the same WWN extracted from the PLOGI request. The device 30 is therefore alerted that a possible WWN spoofing has occurred); and
in response to identifying at least one of the one or more indicators, generating an alert (Paragraph [0030] of Grover discloses if these SIDs do not match, the device is alerted that a possible spoofing of the WWN has occurred).
Grover does not explicitly disclose the one or more indicators comprising a change in a number of the one or more switches in the FC fabric.
However, Symons discloses this. Paragraph [0023] of Symons discloses detect and prevent network intrusion in a network such as virtually-wired switching fabric. Paragraph [0048] of Symons discloses devices 110 and switches 120 in the current infrastructure description are compared to devices 110 and switches 120 in the expected infrastructure description to detect any new devices 110 or switches 120 in the network or any changed configurations of devices 110 and/or switches 120 in the network. A report may be output describing any discrepancies between the infrastructure descriptions.
Examiner recites the same rationale to combine used for claim 1.
Grover does not explicitly disclose a change in zoning.
However, Kleinsteiber discloses this. Paragraph [0098] of Kleinsteiber discloses if zoning changes are somehow made on a non-FCS switch, the inter-switch updates will be rejected by other switches in the fabric and the compromised switch will be segmented (logically disconnected from the fabric).
Examiner recites the same rationale to combine used for claim 1.
As to Claim 10, Grover-Symons-Kleinsteiber discloses the non-transitory computer-readable medium or media of claim 9 wherein the one or more indicators further comprise, detecting one or more link segmentations, one or more link resettings, or both (Paragraph [0026] of Symons discloses these embodiments may periodically re-discover the network physical topology and compare it with an expected topology to detect unexpected changes, which may indicate a security violation. Paragraph [0050] of Symons discloses this graphical data structure represents the expected network infrastructure. Each device 110 and switch 120 are represented in a graph, where nodes represent devices 110 and switches 120, links represent the connections between those devices 110 and switches 120, and both nodes and links have attributes that represent the expected configuration of the device 110/switch 120 or connection. Paragraph [0056] of Symons discloses these marks are used later in the process 500 to find missing devices 110 and switches 120 or links).
Examiner recites the same rationale to combine used for claim 1.
As to Claim 12, Grover-Symons-Kleinsteiber discloses the non-transitory computer-readable medium or media of claim 9 wherein the step of examining is performed by a switch in the FC fabric or a remotely located device that uses the one or more indicators to predict a risk of a security breach of the FC fabric (Paragraph [0035] of Grover discloses an FC switch may verify a PLOGI request sent by a host to a storage device).
As to Claim 17, Grover discloses a system for identifying cybersecurity attacks, the system comprising: one or more processors; and a non-transitory computer-readable medium or media comprising one or more sets of instructions which, when executed by at least one of the one or more processors, causes steps to be performed comprising:
receiving network-related information regarding one or more switches or devices acting as switches in a Fibre Channel (FC) fabric (Paragraph [0048] of Grover discloses detects a possible security breach by determining that the extracted WWN of the PLOGI request has previously been logged into the device 30 with a different SID);
examining at least some of the network-related information for presence of one or more indicators indicative of an unauthorized device attempting to compromise the FC fabric or has compromised the FC fabric, [at least one of the one or more indicators comprises: detecting a change in a number of switches or devices acting as switches in the FC fabric and a change in zoning] (Paragraph [0046] of Grover discloses the device 30 determines that the associated SID does not match the extracted SID. Accordingly, the device 30 determines that another host is already logged into the device 30 using the same WWN extracted from the PLOGI request. The device 30 is therefore alerted that a possible WWN spoofing has occurred); and
in response to identifying at least one of the one or more indicators, generating an alert (Paragraph [0030] of Grover discloses if these SIDs do not match, the device is alerted that a possible spoofing of the WWN has occurred).
Grover does not explicitly disclose the one or more indicators comprising a change in a number of the one or more switches in the FC fabric.
However, Symons discloses this. Paragraph [0023] of Symons discloses detect and prevent network intrusion in a network such as virtually-wired switching fabric. Paragraph [0048] of Symons discloses devices 110 and switches 120 in the current infrastructure description are compared to devices 110 and switches 120 in the expected infrastructure description to detect any new devices 110 or switches 120 in the network or any changed configurations of devices 110 and/or switches 120 in the network. A report may be output describing any discrepancies between the infrastructure descriptions.
Examiner recites the same rationale to combine used for claim 1.
Grover does not explicitly disclose a change in zoning.
However, Kleinsteiber discloses this. Paragraph [0098] of Kleinsteiber discloses if zoning changes are somehow made on a non-FCS switch, the inter-switch updates will be rejected by other switches in the fabric and the compromised switch will be segmented (logically disconnected from the fabric).
Examiner recites the same rationale to combine used for claim 1.
As to Claim 19, Grover-Symons-Kleinsteiber discloses the system of claim 17 wherein the non-transitory computer-readable medium or media further comprises one or more sets of instructions which, when executed by at least one of the one or more processors, causes steps to be performed comprising using at least one of the one or more indicators to predict a risk of a security breach of the FC fabric (Paragraph [0032] of Grover discloses personnel responsible for maintaining the storage device may be alerted if a possible security breach has occurred. In addition, or as an alternative, a security breach warning may be sent to a remote user console from the device, or to other network components that perform security functions for the FC network).
As to Claim 20, Grover-Symons-Kleinsteiber discloses the system of claim 19 wherein the security breach comprises E-port spoofing (Paragraph [0030] of Grover discloses if these SIDs do not match, the device is alerted that a possible spoofing of the WWN has occurred).
Claims 4, 5, 7, 11, 13, 18, and 21-23 are rejected under 35 U.S.C. 103 as being unpatentable over Grover-Symons-Kleinsteiber and further in view of US Pub. No. 2024/0362321 to Cohen (hereinafter “Cohen”).
As to Claim 4, Grover-Symons-Kleinsteiber discloses the computer-implemented method of claim 1 wherein the one or more indicators further comprise: detecting one or more link segmentations, one or more link resettings, or both [preceding] an increase in a number of switches or devices acting as switches in the FC fabric (Paragraph [0026] of Symons discloses these embodiments may periodically re-discover the network physical topology and compare it with an expected topology to detect unexpected changes, which may indicate a security violation. Paragraph [0050] of Symons discloses this graphical data structure represents the expected network infrastructure. Each device 110 and switch 120 are represented in a graph, where nodes represent devices 110 and switches 120, links represent the connections between those devices 110 and switches 120, and both nodes and links have attributes that represent the expected configuration of the device 110/switch 120 or connection. Paragraph [0056] of Symons discloses these marks are used later in the process 500 to find missing devices 110 and switches 120 or links).
Examiner recites the same rationale to combine used for claim 1.
Grover-Symons-Kleinsteiber does not explicitly disclose preceding.
However, Cohen discloses this. Paragraph [0003] of Cohen discloses may monitor network traffic and determine sequences and patterns based on a list of known indicators of compromise (IOCs).
It would have been obvious to one of ordinary skill in the art before the effective filing of the invention to combine the intrusion detection system as disclosed by Grover, with detecting sequences as disclosed by Cohen. One of ordinary skill in the art would have been motivated to combine to apply a known technique to a known device. Grover and Cohen are directed toward intrusion detection systems and as such it would be obvious to use the techniques of one in the other. Paragraph [0003] of Cohen discloses such a technique is a broadly known cyber defense technique.
As to Claim 5, Grover-Symons-Kleinsteiber discloses the computer-implemented method of claim 1 wherein indicator of detecting a change in a number of switches or devices acting as switches in the FC fabric and a change in zoning comprises: detecting an increase in a number of switches or devices acting as switches in the FC fabric [followed] by a change in zoning (Paragraph [0026] of Symons discloses these embodiments may periodically re-discover the network physical topology and compare it with an expected topology to detect unexpected changes, which may indicate a security violation. Paragraph [0050] of Symons discloses this graphical data structure represents the expected network infrastructure. Each device 110 and switch 120 are represented in a graph, where nodes represent devices 110 and switches 120, links represent the connections between those devices 110 and switches 120, and both nodes and links have attributes that represent the expected configuration of the device 110/switch 120 or connection. Paragraph [0056] of Symons discloses these marks are used later in the process 500 to find missing devices 110 and switches 120 or links. Paragraph [0098] of Kleinsteiber discloses if zoning changes are somehow made on a non-FCS switch, the inter-switch updates will be rejected by other switches in the fabric and the compromised switch will be segmented (logically disconnected from the fabric)).
Grover-Symons-Kleinsteiber does not explicitly disclose followed.
However, Cohen discloses this. Paragraph [0003] of Cohen discloses may monitor network traffic and determine sequences and patterns based on a list of known indicators of compromise (IOCs).
Examiner recites the same rationale to combine used for claim 4.
As to Claim 7, Grover-Symons-Kleinsteiber discloses the computer-implemented method of claim 1 wherein the indicator of detecting a change in a number of switches or devices acting as switches in the FC fabric and a change in zoning comprises: detecting an increase in a number of switches in the FC fabric, [followed] by a change in zoning, [followed] by a decrease in the number of switches or devices acting as switches in the FC fabric (Paragraph [0026] of Symons discloses these embodiments may periodically re-discover the network physical topology and compare it with an expected topology to detect unexpected changes, which may indicate a security violation. Paragraph [0050] of Symons discloses this graphical data structure represents the expected network infrastructure. Each device 110 and switch 120 are represented in a graph, where nodes represent devices 110 and switches 120, links represent the connections between those devices 110 and switches 120, and both nodes and links have attributes that represent the expected configuration of the device 110/switch 120 or connection. Paragraph [0056] of Symons discloses these marks are used later in the process 500 to find missing devices 110 and switches 120 or links. Paragraph [0098] of Kleinsteiber discloses if zoning changes are somehow made on a non-FCS switch, the inter-switch updates will be rejected by other switches in the fabric and the compromised switch will be segmented (logically disconnected from the fabric)).
Grover-Symons-Kleinsteiber does not explicitly disclose followed.
However, Cohen discloses this. Paragraph [0003] of Cohen discloses may monitor network traffic and determine sequences and patterns based on a list of known indicators of compromise (IOCs).
Examiner recites the same rationale to combine used for claim 4.
As to Claim 11, Grover-Symons discloses the non-transitory computer-readable medium or media of claim 9 wherein the one or more indicators further comprise: detecting one or more link segmentations, one or more link resettings, or both [preceding] an increase in a number of switches or devices acting as switches in the FC fabric (Paragraph [0026] of Symons discloses these embodiments may periodically re-discover the network physical topology and compare it with an expected topology to detect unexpected changes, which may indicate a security violation. Paragraph [0050] of Symons discloses this graphical data structure represents the expected network infrastructure. Each device 110 and switch 120 are represented in a graph, where nodes represent devices 110 and switches 120, links represent the connections between those devices 110 and switches 120, and both nodes and links have attributes that represent the expected configuration of the device 110/switch 120 or connection. Paragraph [0056] of Symons discloses these marks are used later in the process 500 to find missing devices 110 and switches 120 or links).
Examiner recites the same rationale to combine used for claim 1.
Grover-Symons-Kleinsteiber does not explicitly disclose preceding.
However, Cohen discloses this. Paragraph [0003] of Cohen discloses may monitor network traffic and determine sequences and patterns based on a list of known indicators of compromise (IOCs).
Examiner recites the same rationale to combine used for claim 4.
As to Claim 13, Grover-Symons discloses the non-transitory computer-readable medium or media of claim 9 wherein the indicator of detecting a change in a number of switches or devices acting as switches in the FC fabric and a change in zoning comprises: detecting an increase in a number of switches or devices acting as switches in the FC fabric, [followed] by a change in zoning, followed by a decrease or devices acting as switches in the number of switches in the FC fabric (Paragraph [0026] of Symons discloses these embodiments may periodically re-discover the network physical topology and compare it with an expected topology to detect unexpected changes, which may indicate a security violation. Paragraph [0050] of Symons discloses this graphical data structure represents the expected network infrastructure. Each device 110 and switch 120 are represented in a graph, where nodes represent devices 110 and switches 120, links represent the connections between those devices 110 and switches 120, and both nodes and links have attributes that represent the expected configuration of the device 110/switch 120 or connection. Paragraph [0056] of Symons discloses these marks are used later in the process 500 to find missing devices 110 and switches 120 or links. Paragraph [0098] of Kleinsteiber discloses if zoning changes are somehow made on a non-FCS switch, the inter-switch updates will be rejected by other switches in the fabric and the compromised switch will be segmented (logically disconnected from the fabric)).
Grover-Symons-Kleinsteiber does not explicitly disclose followed.
However, Cohen discloses this. Paragraph [0003] of Cohen discloses may monitor network traffic and determine sequences and patterns based on a list of known indicators of compromise (IOCs).
Examiner recites the same rationale to combine used for claim 4.
As to Claim 18, Grover-Symons discloses the system of claim 17 wherein the one or more indicators further comprise detecting one or more link segmentations, one or more link resettings, or both that precede a change in the number of the switches or devices acting as switches (Paragraph [0026] of Symons discloses these embodiments may periodically re-discover the network physical topology and compare it with an expected topology to detect unexpected changes, which may indicate a security violation. Paragraph [0050] of Symons discloses this graphical data structure represents the expected network infrastructure. Each device 110 and switch 120 are represented in a graph, where nodes represent devices 110 and switches 120, links represent the connections between those devices 110 and switches 120, and both nodes and links have attributes that represent the expected configuration of the device 110/switch 120 or connection. Paragraph [0056] of Symons discloses these marks are used later in the process 500 to find missing devices 110 and switches 120 or links).
Examiner recites the same rationale to combine used for claim 1.
Grover-Symons-Kleinsteiber does not explicitly disclose preceding.
However, Cohen discloses this. Paragraph [0003] of Cohen discloses may monitor network traffic and determine sequences and patterns based on a list of known indicators of compromise (IOCs).
Examiner recites the same rationale to combine used for claim 4.
As to Claim 21, Grover-Symons-Kleinsteiber discloses the system of claim 19 wherein the one or more indicators further comprise: detecting an increase in a number of switches or devices acting as switches in the FC fabric [followed] by a change in zoning (Paragraph [0026] of Symons discloses these embodiments may periodically re-discover the network physical topology and compare it with an expected topology to detect unexpected changes, which may indicate a security violation. Paragraph [0050] of Symons discloses this graphical data structure represents the expected network infrastructure. Each device 110 and switch 120 are represented in a graph, where nodes represent devices 110 and switches 120, links represent the connections between those devices 110 and switches 120, and both nodes and links have attributes that represent the expected configuration of the device 110/switch 120 or connection. Paragraph [0056] of Symons discloses these marks are used later in the process 500 to find missing devices 110 and switches 120 or links. Paragraph [0098] of Kleinsteiber discloses if zoning changes are somehow made on a non-FCS switch, the inter-switch updates will be rejected by other switches in the fabric and the compromised switch will be segmented (logically disconnected from the fabric)).
However, Cohen discloses this. Paragraph [0003] of Cohen discloses may monitor network traffic and determine sequences and patterns based on a list of known indicators of compromise (IOCs).
Examiner recites the same rationale to combine used for claim 4.
As to Claim 22, Grover-Symons-Kleinsteiber discloses the system of claim 19 wherein the one or more indicators further comprise: detecting an increase in a number of switches or devices acting as switches in the FC fabric, followed by a change in zoning, followed by a decrease in the number of switches or devices acting as switches in the FC fabric (Paragraph [0026] of Symons discloses these embodiments may periodically re-discover the network physical topology and compare it with an expected topology to detect unexpected changes, which may indicate a security violation. Paragraph [0050] of Symons discloses this graphical data structure represents the expected network infrastructure. Each device 110 and switch 120 are represented in a graph, where nodes represent devices 110 and switches 120, links represent the connections between those devices 110 and switches 120, and both nodes and links have attributes that represent the expected configuration of the device 110/switch 120 or connection. Paragraph [0056] of Symons discloses these marks are used later in the process 500 to find missing devices 110 and switches 120 or links. Paragraph [0098] of Kleinsteiber discloses if zoning changes are somehow made on a non-FCS switch, the inter-switch updates will be rejected by other switches in the fabric and the compromised switch will be segmented (logically disconnected from the fabric)).
Grover-Symons-Kleinsteiber does not explicitly disclose followed.
However, Cohen discloses this. Paragraph [0003] of Cohen discloses may monitor network traffic and determine sequences and patterns based on a list of known indicators of compromise (IOCs).
Examiner recites the same rationale to combine used for claim 4.
As to Claim 23, Grover-Symons-Kleinsteiber discloses the system of claim 19 wherein the one or more indicators further comprise: detecting one or more link segmentations, one or more link resettings, or both [followed] by an increase in a number of switches or devices acting as switches in the FC fabric, [followed] by a change in zoning, and [followed] by a decrease in the number of switches or devices acting as switches in the FC fabric (Paragraph [0026] of Symons discloses these embodiments may periodically re-discover the network physical topology and compare it with an expected topology to detect unexpected changes, which may indicate a security violation. Paragraph [0050] of Symons discloses this graphical data structure represents the expected network infrastructure. Each device 110 and switch 120 are represented in a graph, where nodes represent devices 110 and switches 120, links represent the connections between those devices 110 and switches 120, and both nodes and links have attributes that represent the expected configuration of the device 110/switch 120 or connection. Paragraph [0056] of Symons discloses these marks are used later in the process 500 to find missing devices 110 and switches 120 or links. Paragraph [0098] of Kleinsteiber discloses if zoning changes are somehow made on a non-FCS switch, the inter-switch updates will be rejected by other switches in the fabric and the compromised switch will be segmented (logically disconnected from the fabric)).
Grover-Symons-Kleinsteiber does not explicitly disclose followed.
However, Cohen discloses this. Paragraph [0003] of Cohen discloses may monitor network traffic and determine sequences and patterns based on a list of known indicators of compromise (IOCs).
Examiner recites the same rationale to combine used for claim 4.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Kevin S Mai whose telephone number is (571)270-5001. The examiner can normally be reached Monday to Friday 9AM to 5PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Philip Chea can be reached on 5712723951. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/KEVIN S MAI/Primary Examiner, Art Unit 2499