Prosecution Insights
Last updated: May 29, 2026
Application No. 17/761,646

MALWARE IDENTIFICATION

Final Rejection §103
Filed: Mar 18, 2022
Priority: Oct 25, 2019 — nonprovisional of PCTUS2019058075
Examiner: LESNIEWSKI, VICTOR D
Art Unit: 2493
Tech Center: 2400 — Computer Networks
Assignee: Hewlett-Packard Development Company, L.P.
OA Round: 6 (Final)
Grant Probability: 58% (Moderate)
OA Rounds: 7-8
Est. Remaining: 0m
With Interview: 99%

Examiner Intelligence

Grants 58% of resolved cases
Career Allowance Rate: 58% (280 granted / 481 resolved; at TC average)
Strong +56% interview lift
Interview Lift: +56.0% (resolved cases with interview)
Typical timeline
Avg Prosecution: 3y 4m (22 currently pending)
Career history
Total Applications: 506 (across all art units)

Statute-Specific Performance

§101: 0.3% (-39.7% vs TC avg)
§103: 86.9% (+46.9% vs TC avg)
§102: 9.0% (-31.0% vs TC avg)
§112: 0.8% (-39.2% vs TC avg)
Based on career data from 481 resolved cases

Office Action

§103
DETAILED ACTION

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

The amendment filed 2/19/2026 has been placed of record in the file. Claims 1-15 have been amended. Claims 16-20 have been added. Claims 1-20 are now pending. The applicant’s arguments with respect to claims 1-20 have been considered but are moot in view of the following new grounds of rejection.

Response to Amendment

Claims have been amended to further define the probe. The amendment proves a change in scope to the independent claims as the independent claims now explicitly state that the probe is physically inserted between the memory controller and the memory to intercept data that is exchanged during read and write operations, etc. However, none of the amended claims show a patentable distinction over the prior art as evidenced by the following new grounds of rejection.

Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Chen et al. (U.S. Patent Application Publication Number 2016/0379136), hereinafter referred to as Chen, in view of Golden (U.S. Patent Number 11,144,638). Chen disclosed techniques for performing program analysis based on behavior. In an analogous art, Golden disclosed techniques for detecting malicious action based on memory accesses. Both systems are directed toward detecting malicious action based on operation analysis.

Regarding claim 1, Chen discloses a computing system comprising: a central processing unit (CPU) (paragraph 37, processor); a memory controller coupled to the CPU (paragraph 63, memory controller); a memory coupled to the memory controller (paragraph 37, memory); a probe that is physically inserted between the memory controller and another component to intercept data that is exchanged during communication between the memory controller and the another component during operations (paragraph 71, behavior observer module collects behavior information pertaining to communications, operations, etc., and paragraph 82, monitors memory controller); and an inspection circuit that is separate from the CPU and coupled to the probe (paragraph 74, behavior analyzer module, and paragraph 70, each module separate component), wherein the inspection circuit is to: access the data intercepted by the probe (paragraph 71, behavior information pertaining to communications, operations, etc.); determine a state of a process executing on the CPU, based on the data intercepted by the probe (paragraph 71, behavior information includes execution of process, etc.); and apply the state as input to a model to infer that malicious activity is occurring on the CPU (paragraph 112, uses execution states, and paragraph 74, applies behavior vectors to classifier modules to determine whether behavior is non-benign, and paragraph 29, machine-learning classifier models).

Chen does not explicitly state that the another component is the memory and that the operations are read and write operations. However, monitoring such behavior information was well known in the art as evidenced by Golden. Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Chen by adding the ability for a probe that is physically inserted between the memory controller and the memory to intercept data that is exchanged during communication between the memory controller and the memory during read and write operations as provided by Golden (see column 38, line 52, through column 39, line 11, monitors reads from and writes to memory). One of ordinary skill in the art would have recognized the benefit that monitoring memory accesses in this way would assist in detecting and responding to malicious actions (see Golden, column 38, lines 4-13).

Regarding claim 2, the combination of Chen and Golden discloses wherein the inspection circuit is to apply a remediation action to the computing system based on an output of the model (Chen, paragraph 74, performs actions to fix problems).

Regarding claim 3, the combination of Chen and Golden discloses wherein, to apply the remediation action, the inspection circuit is to: log the output of the model; restore the process or the computing system to a previous state; reboot the computing system; modify operation of the computing system; or block, modify, rewrite, or reroute communications between the memory and the memory controller (Chen, paragraph 74, terminates software applications).

Regarding claim 4, the combination of Chen and Golden discloses wherein the inspection circuit is to configure the probe based on a policy (Chen, paragraph 91, performs coarse observations).

Regarding claim 5, the combination of Chen and Golden discloses wherein the policy comprises filtering rules that are based on a source, a destination, a direction, or a type of data intercepted by the probe (Chen, paragraph 79, monitors activities based on particular type of call, operation, etc.).

Regarding claim 6, the combination of Chen and Golden discloses wherein the model comprises state transition rules for a state machine executing the process, a probabilistic state model of the computing system, a heuristic state model of the computing system, or a neural network (Chen, paragraph 105, full classifier model with finite state machine).

Regarding claim 7, the combination of Chen and Golden discloses wherein the model comprises a classifier that is trained on a set of training data (Chen, paragraph 93, training dataset).

Regarding claim 8, Chen discloses a method for identifying malicious activity on a computing system, the method comprising: accessing, by an inspection circuit of the computing system that is separate from a central processing unit (CPU) of the computing system (paragraph 74, behavior analyzer module, and paragraph 70, each module separate component), data intercepted by a probe that is physically inserted between a memory controller of the computing system and another component of the computing system, wherein the data intercepted by the probe is exchanged between the memory controller and the another component during operations (paragraph 71, behavior observer module collects behavior information pertaining to communications, operations, etc., and paragraph 82, monitors memory controller); determining, by the inspection circuit based on the data intercepted by the probe, a state of a process executing on the CPU (paragraph 71, behavior information includes execution of process, etc.); applying, by the inspection circuit, the state as input to a model (paragraph 112, uses execution states, and paragraph 29, machine-learning classifier models); and inferring, by the inspection circuit, that the process is a malicious process based on the output of the model (paragraph 74, applies behavior vectors to classifier modules to determine whether behavior is non-benign).

Chen does not explicitly state that the another component is the memory and that the operations are read and write operations. However, monitoring such behavior information was well known in the art as evidenced by Golden. Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Chen by adding the ability for a probe that is physically inserted between a memory controller and a memory, wherein the data intercepted by the probe is exchanged between the memory controller and the memory during read and write operations as provided by Golden (see column 38, line 52, through column 39, line 11, monitors reads from and writes to memory). One of ordinary skill in the art would have recognized the benefit that monitoring memory accesses in this way would assist in detecting and responding to malicious actions (see Golden, column 38, lines 4-13).

Regarding claim 9, the combination of Chen and Golden discloses applying, by the inspection circuit, a remediation action to the computing system based on the output of the model (Chen, paragraph 74, performs actions to fix problems).

Regarding claim 10, the combination of Chen and Golden discloses wherein applying the remediation action comprises: issuing, by the inspection circuit, a command to the CPU; and executing, by the CPU, the remediation action based on the command (Chen, paragraph 74, terminates software applications).

Regarding claim 11, the combination of Chen and Golden discloses wherein the command causes the CPU to restore the computing system to a prior state, reboot the computing system, or shutdown the computing system (Chen, paragraph 74, heals or cures problem).

Regarding claim 12, the combination of Chen and Golden discloses modifying, by the inspection circuit, communication of data packets between the memory controller and the memory responsive to inferring that the process is the malicious process (Chen, paragraph 39, terminates process).

Regarding claim 13, the combination of Chen and Golden discloses wherein modifying the communication of data packets between the memory controller and the memory comprises: accessing a policy specifying configuration rules for the communication of data packets between the memory controller and the memory; and reconfiguring the communication of data packets between the memory controller and the memory based on the configuration rules (Chen, paragraph 74, fixes identified problems).

Regarding claim 14, the combination of Chen and Golden discloses wherein: the memory controller is coupled to the CPU (Chen, paragraph 63, memory controller, and paragraph 37, processor); and the memory is coupled to the memory controller (Chen, paragraph 37, memory).

Regarding claim 15, Chen discloses a non-transitory machine-readable storage medium encoded with instructions executable by a processor of a computing device to: access, at an inspection circuit of the computing device that is separate from a central processing unit (CPU) of the computing device (paragraph 74, behavior analyzer module, and paragraph 70, each module separate component), data intercepted by a probe that is physically inserted between a memory controller of the computing device and another component of the computing device, wherein the data intercepted by the probe is exchanged between the memory controller and the another component during operations (paragraph 71, behavior observer module collects behavior information pertaining to communications, operations, etc., and paragraph 82, monitors memory controller); determine, at the inspection circuit, a state of a process executing on the CPU based on the data intercepted by the probe (paragraph 71, behavior information includes execution of process, etc.); and apply, at the inspection circuit, a classifier to the state to infer that the process is a malicious process (paragraph 112, uses execution states, and paragraph 74, applies behavior vectors to classifier modules to determine whether behavior is non-benign, and paragraph 29, machine-learning classifier models).

Chen does not explicitly state that the another component is the memory and that the operations are read and write operations. However, monitoring such behavior information was well known in the art as evidenced by Golden. Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Chen by adding the ability for a probe that is physically inserted between a memory controller and a memory, wherein the data intercepted by the probe is exchanged between the memory controller and the memory during read and write operations as provided by Golden (see column 38, line 52, through column 39, line 11, monitors reads from and writes to memory). One of ordinary skill in the art would have recognized the benefit that monitoring memory accesses in this way would assist in detecting and responding to malicious actions (see Golden, column 38, lines 4-13).

Regarding claim 16, the combination of Chen and Golden discloses wherein the instructions are executable by the processor to control the probe to block or modify data exchanged between the memory controller and the memory in response to inferring that the process is the malicious process (Chen, paragraph 39, terminates process).

Regarding claim 17, the combination of Chen and Golden discloses wherein the instructions are executable by the processor to command the CPU to restore the computing device to a prior state, reboot the computing device, or shutdown the computing device in response to inferring that the process is the malicious process (Chen, paragraph 74, heals or cures problem).

Regarding claim 18, the combination of Chen and Golden discloses wherein the instructions are executable by the processor to configure the probe based on a policy comprising a set of filtering rules (Chen, paragraph 79, monitors activities based on particular type of call, operation, etc.).

Regarding claim 19, the combination of Chen and Golden discloses wherein the inspection circuit is to control the probe to block or modify data exchanged between the memory controller and the memory in response to inferring that malicious activity is occurring on the CPU (Chen, paragraph 39, terminates process).

Regarding claim 20, the combination of Chen and Golden discloses controlling, by the inspection circuit, the probe to block or modify data exchanged between the memory controller and the memory in response to inferring that the process is the malicious process (Chen, paragraph 39, terminates process).

Conclusion

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Victor Lesniewski whose telephone number is (571)272-2812. The examiner can normally be reached Monday thru Friday, 9am to 5pm.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached at 571-272-3862. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/Victor Lesniewski/
Primary Examiner, Art Unit 2493

Prosecution Timeline

Aug 04, 2025: Response after Non-Final Action
Nov 19, 2025: Non-Final Rejection mailed — §103
Feb 13, 2026: Examiner Interview Summary
Feb 13, 2026: Applicant Interview (Telephonic)
Feb 19, 2026: Response Filed
Apr 08, 2026: Final Rejection mailed — §103
May 21, 2026: Examiner Interview Summary
May 21, 2026: Applicant Interview (Telephonic)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12579276: Application Vulnerability Score Based on Stack Traces (3y 9m to grant; granted Mar 17, 2026)
Patent 12580945: SIMULATION AND VISUALIZATION OF MALWARE SPREAD THROUGH SHARING OF DATA OBJECTS IN CLOUD APPLICATIONS (1y 9m to grant; granted Mar 17, 2026)
Patent 12568378: SYSTEM AND METHOD FOR VALIDATING AUTHORITY OF DEVICE BASED ON IP ADDRESS (3y 1m to grant; granted Mar 03, 2026)
Patent 12567970: METHOD FOR MANAGING A ONE-TIME-PASSWORD (2y 8m to grant; granted Mar 03, 2026)
Patent 12566854: METHOD FOR DETECTING MOBILE MALICIOUS APPLICATION BASED ON IMPLEMENTATION FEATURES, RECORDING MEDIUM, AND DEVICE FOR PERFORMING THE METHOD (1y 11m to grant; granted Mar 03, 2026)
Study what changed to get past this examiner. Based on 5 most recent grants.

Prosecution Projections

Expected OA Rounds: 7-8
Grant Probability: 58%
With Interview: 99% (+56.0%)
Median Time to Grant: 3y 4m (~0m remaining)
PTA Risk: High
Based on 481 resolved cases by this examiner. Grant probability derived from career allowance rate.
