DETAILED ACTION
Claims 1-7, 9-17 and 19-22 are pending in this action.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-6, 9, 12-17, 20 and 22 are rejected under 35 U.S.C. 103 as being unpatentable over Giokas (US PGPUB No. 2015/0033340) in view of Reddy et al. (US PGPUB No. 2019/0306173) [hereinafter “Reddy”] in further view of Deng et al. (US 2022/0014561) [hereinafter “Deng”] in further view of Jagannath et al. (US PGPUB No. 2017/0242591) [hereinafter “Jagannath”].
As per claim 1, Giokas teaches the method comprising: identifying, by at least one computing device and based on a scan of a cloud environment, software components in the cloud environment ([0058], identifying resources provided by a cloud network including servers; see [0060] SaaS); determining, by the at least one computing device, whether any of the identified software components correspond to predetermined vulnerabilities ([0011], scanning the cloud for passive vulnerabilities, which includes vulnerabilities of network software; see [0084]); identifying, by the at least one computing device, one or more vulnerabilities in the identified software components, if any ([0013], identifying different vulnerability signatures across the network residing in software; see [0084]); determining, by the at least one computing device, an operational status for the vulnerable software component in the cloud environment ([0086]-[0087], determining whether the behavior of the software, i.e. its operations, is legitimate or illegitimate, i.e. a status; see also [0127], including an operational status of active/inactive for a vulnerability signature); generating, by the at least one computing device, an alert of a compromised vulnerability based on the operational status of a vulnerable software component during the corresponding period of time ([0089], sending a vulnerability scanning report to a user; see also [0019], sending alerts based on vulnerability signatures); and analyzing vulnerabilities over a corresponding period of time ([0013], analyzing vulnerabilities during a specified time period).
Giokas does not explicitly teach determining, by the at least one computing device, an operational status for the vulnerable software component in the cloud environment; generating, by the at least one computing device, an alert of a dormant vulnerability if a vulnerable software component has been identified and has not had an active operational status; and generating, by the at least one computing device, an alert of an active vulnerability if a vulnerable software component has been identified and has had an active operational status. Reddy teaches determining, by the at least one computing device, an operational status for the vulnerable software component in the cloud environment ([0194], determining the active or inactive status of software bugs, which is interpreted as determining whether a particular configuration of the software has been active or not; see also [0057]); generating, by the at least one computing device, an alert of a dormant vulnerability if a vulnerable software component has been identified and has not had an active operational status ([0194], generating an inactive vulnerability alert if the software bug is inactive, which means the particular software configuration was inactive); and generating, by the at least one computing device, an alert of an active vulnerability if a vulnerable software component has been identified and has had an active operational status ([0194], generating an active vulnerability alert if the vulnerability is active, which means the particular software configuration was active).
At the time of filing, it would have been obvious to one of ordinary skill in the art to combine Giokas with the teachings of Reddy, determining, by the at least one computing device, an operational status for the vulnerable software component in the cloud environment; generating, by the at least one computing device, an alert of a dormant vulnerability if a vulnerable software component has been identified and has not had an active operational status; and generating, by the at least one computing device, an alert of an active vulnerability if a vulnerable software component has been identified and has had an active operational status, to provide the user with all relevant information so that an efficient and accurate response can be made.
The combination of Giokas and Reddy does not explicitly teach constructing, by the at least one computing device, a plurality of graphs, each graph comprising a plurality of nodes connected by a plurality of edges, wherein each node of the plurality of nodes represents a logical entity from software components deployed in the cloud environment and each edge of the plurality of edges represents a behavioral relationship between nodes connected by the edge, and wherein the plurality of graphs correspond to different times; identifying, by the at least one computing device, changes between graphs to distinguish between processes of the same type some of which are using a vulnerable software component and some of which are not using a vulnerable software component. Deng teaches constructing, by the at least one computing device, a plurality of graphs, each graph comprising a plurality of nodes connected by a plurality of edges, wherein each node of the plurality of nodes represents a logical entity from software components deployed in the cloud environment ([0055], constructing one or more knowledge graphs with nodes representing various packages and components that can be potentially explicitly or implicitly vulnerable) and each edge of the plurality of edges represents a behavioral relationship between nodes connected by the edge ([0037], edges represent dependencies between the various components and packages), wherein the plurality of graphs correspond to different times ([0029] and [0032], graphs can be based on an edition or version of particular components, i.e. a different time, which can be used to track the history of modifications to assist in determining vulnerabilities; these would appear as metadata of the component graphs, see [0056]); identifying, by the at least one computing device, changes between graphs to distinguish between processes of the same type some of which are using a vulnerable software component and some of which are not using a vulnerable software component ([0056] and [0058], comparing various constructed graphs of packages and components, i.e. types, to identify explicitly vulnerable, implicitly vulnerable and not vulnerable packages using filtering, thresholds and confidence scores; see [0059]-[0060]).
At the time of filing, it would have been obvious to one of ordinary skill in the art to combine Giokas and Reddy with the teachings of Deng, constructing, by the at least one computing device, a plurality of graphs, each graph comprising a plurality of nodes connected by a plurality of edges, wherein each node of the plurality of nodes represents a logical entity from software components deployed in the cloud environment and each edge of the plurality of edges represents a behavioral relationship between nodes connected by the edge, and wherein the plurality of graphs correspond to different times; identifying, by the at least one computing device, changes between graphs to distinguish between processes of the same type some of which are using a vulnerable software component and some of which are not using a vulnerable software component, to provide additional data to filter vulnerable components and packages from the graph database.
The combination of Giokas, Reddy and Deng does not explicitly teach a graph representing a snapshot of a cloud environment at a respective time. Jagannath teaches a graph representing a snapshot of a cloud environment at a respective time ([0031], reconstructing in the form of graph, a snapshot of data records representing machine entities in a cloud environment at historic points in time).
At the time of filing, it would have been obvious to one of ordinary skill in the art to combine Giokas, Reddy and Deng with the teachings of Jagannath, a graph representing a snapshot of a cloud environment at a respective time, to provide additional data to filter vulnerable components and packages from the graph database.
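As an added illustration of the claim 1 workflow as the rejection reads it (snapshot graphs of the cloud environment at different times, a diff between them that separates processes of one type that load a vulnerable component from those that do not, and a dormant / active / compromised classification from the operational status observed over the period), the following Python sketch runs on constructed data. It is not code from the application or from Giokas, Reddy, Deng or Jagannath; the node attributes, the "loads" relationship, the vulnerability list and the attack-signature signal are all assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed illustration of the claimed workflow. Not code from the
# application or from any cited reference; all data below is made up.

@dataclass(frozen=True)
class Edge:
    src: str        # node id of the entity that has the relationship
    dst: str        # node id of the entity it points to
    relation: str   # behavioural relationship, e.g. "loads"

@dataclass
class Snapshot:
    time: int
    nodes: dict        # node id -> attributes; kind is "process" or "package"
    edges: frozenset   # set of Edge

# Predetermined vulnerabilities: package name -> affected versions (constructed, not real advisories).
KNOWN_VULNERABLE = {"libfoo": {"1.2.0"}, "libbaz": {"0.9"}}

def vulnerable_packages(snap):
    """Package nodes in this snapshot whose (name, version) match a predetermined vulnerability."""
    return {n for n, a in snap.nodes.items()
            if a["kind"] == "package" and a["version"] in KNOWN_VULNERABLE.get(a["name"], set())}

def processes_loading(snap, pkg):
    return {e.src for e in snap.edges if e.relation == "loads" and e.dst == pkg}

def split_by_vulnerable_use(snap, proc_type):
    """Processes of one type, split into those that load a vulnerable package and those that do not."""
    vuln = vulnerable_packages(snap)
    using, clean = set(), set()
    for n, a in snap.nodes.items():
        if a["kind"] != "process" or a["type"] != proc_type:
            continue
        loads = {e.dst for e in snap.edges if e.src == n and e.relation == "loads"}
        (using if loads & vuln else clean).add(n)
    return using, clean

def diff_snapshots(old, new):
    """Changes between two snapshot graphs: what appeared and what disappeared."""
    return {"added_nodes": set(new.nodes) - set(old.nodes),
            "removed_nodes": set(old.nodes) - set(new.nodes),
            "added_edges": set(new.edges - old.edges),
            "removed_edges": set(old.edges - new.edges)}

def is_active(snap, pkg):
    """Operational status: True if any running process loads pkg in this snapshot."""
    return any(snap.nodes[p]["state"] == "running" for p in processes_loading(snap, pkg))

def classify(snapshots, attack_hits):
    """Alert type per vulnerable package over the whole period.
    attack_hits: set of (time, process id) where an attack signature matched (constructed signal)."""
    result = {}
    for pkg in set().union(*(vulnerable_packages(s) for s in snapshots)):
        active_in = [s for s in snapshots if pkg in s.nodes and is_active(s, pkg)]
        if not active_in:
            result[pkg] = "dormant"       # identified, but never had an active status
            continue
        hit = any((s.time, p) in attack_hits
                  for s in active_in for p in processes_loading(s, pkg)
                  if s.nodes[p]["state"] == "running")
        result[pkg] = "compromised" if hit else "active"
    return result

# --- constructed sample environment: two snapshots, one attack-signature match ---
_PKGS = {"libfoo@1.2.0": {"kind": "package", "name": "libfoo", "version": "1.2.0"},
         "libfoo@1.3.0": {"kind": "package", "name": "libfoo", "version": "1.3.0"},
         "libbaz@0.9":   {"kind": "package", "name": "libbaz", "version": "0.9"}}
_PROCS = {"web-1":   {"kind": "process", "type": "web",   "state": "running"},
          "web-2":   {"kind": "process", "type": "web",   "state": "running"},
          "batch-1": {"kind": "process", "type": "batch", "state": "stopped"}}
SNAPSHOTS = [
    Snapshot(1, {**_PKGS, **_PROCS}, frozenset({Edge("web-1", "libfoo@1.2.0", "loads"),
                                                Edge("web-2", "libfoo@1.3.0", "loads"),
                                                Edge("batch-1", "libbaz@0.9", "loads")})),
    # at t=2 web-2 was redeployed onto the vulnerable version
    Snapshot(2, {**_PKGS, **_PROCS}, frozenset({Edge("web-1", "libfoo@1.2.0", "loads"),
                                                Edge("web-2", "libfoo@1.2.0", "loads"),
                                                Edge("batch-1", "libbaz@0.9", "loads")})),
]
ATTACK_HITS = {(2, "web-1")}

if __name__ == "__main__":
    print(split_by_vulnerable_use(SNAPSHOTS[0], "web"))
    print(diff_snapshots(SNAPSHOTS[0], SNAPSHOTS[1]))
    print(classify(SNAPSHOTS, ATTACK_HITS))
```

Two points the sketch makes concrete: the dormant verdict for libbaz@0.9 comes from its only loader being stopped in every snapshot, which is exactly the "identified but not active" distinction the claim draws, and the diff between the two snapshots shows web-2 moving from the clean to the vulnerable set without any change to the vulnerability list itself.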
As per claim 2, the combination of Giokas, Reddy, Deng and Jagannath teaches the method of claim 1, wherein the operational status for the vulnerable software component is representative of a level of activity of the vulnerable software component over a predetermined amount of time (Giokas; [0013], determining vulnerabilities over a predetermined period of time which in turn affects the operational status of the device see [0086]-[0087] vulnerability signatures used to classify operational behaviors as legitimate or illegitimate).
As per claim 3, the combination of Giokas, Reddy, Deng and Jagannath teaches the method of claim 1, wherein the determining the operational status is performed by an agent deployed in the cloud environment (Giokas; [0063], network security tool deployed on clients and servers across cloud environment, see Fig. 1B and [0038]).
As per claim 4, the combination of Giokas, Reddy, Deng and Jagannath teaches the method of claim 1, wherein the generating the alert includes determining a type of alert based on the operational status for the vulnerable software component (Giokas; [0116], alert type can be for a vulnerability, exploit or signature of a particular software see [0084]) see also (Giokas; [0127], including an operation status of active/inactive for a vulnerability signature).
As per claim 5, the combination of Giokas, Reddy, Deng and Jagannath teaches the method of claim 4, wherein the type of alert includes one of: a dormant vulnerability (Giokas; [0127], including an operational status of active/inactive for a vulnerability signature), an active vulnerability (see id.), or a compromised vulnerability (Giokas; [0022] and [0028], identifying an exploited vulnerability based on an active attack signature, i.e. the vulnerability is compromised).
As per claim 6, the combination of Giokas, Reddy, Deng and Jagannath teaches the method of claim 4, further comprising prioritizing the type of alert based on the operational status for the vulnerable software component (Giokas; [0027]-[0028], vulnerabilities of system component under attack, i.e. a vulnerability with the operational status of “currently being exploited”, are prioritized for alerts versus non-exploited vulnerabilities).
As per claim 9, the combination of Giokas, Reddy, Deng and Jagannath teaches the method of claim 1, further comprising marking each node of the plurality of nodes associated with the vulnerable software component (Giokas; [0097]-[0098], vulnerabilities and attack signatures stored in repositories which can include graph databases as taught in Jagannath).
As per claim 12, the combination of Giokas, Reddy, Deng and Jagannath teaches the method of claim 1, wherein the identifying the vulnerable software component comprises: identifying, based on the scan of the cloud environment, software components deployed in the cloud environment (Giokas; [0084], scanning for vulnerabilities includes software; see also [0090]); and comparing the software components deployed in the cloud environment to predetermined vulnerabilities (Giokas; Abstract, comparing signatures with active and inactive signatures).
As per claim 13, the combination of Giokas, Reddy, Deng and Jagannath teaches the method of claim 12, wherein the predetermined vulnerabilities are configurable by a user (Giokas; [0013], scanning for vulnerabilities can be configured by system administrators).
As per claim 14, the substance of the claimed invention is identical or substantially similar to that of claim 1.
As per claim 15, the substance of the claimed invention is identical or substantially similar to that of claim 2.
As per claim 16, the substance of the claimed invention is identical or substantially similar to that of claim 4.
As per claim 17, the combination of Giokas, Reddy, Deng and Jagannath teaches the computer program product of claim 16, wherein the computer instructions are further capable of being executed to prioritize the type of alert based on the operational status for the vulnerable software component from a higher level of activity to a lower level of activity (Giokas; [0127], including an operation status of active/inactive for a vulnerability signature) see also (Giokas; [0027]-[0028], vulnerabilities of system component under attack, i.e. “higher level of activity”, are prioritized for alerts versus non-exploited vulnerabilities).
As per claim 20, the substance of the claimed invention is identical or substantially similar to that of claim 1.
As per claim 22, the substance of the claimed invention is identical or substantially similar to that of claim 9.
Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Giokas, Reddy, Deng and Jagannath in view of Vasudevan et al. (US PGPUB No. 2017/0324763) [hereinafter “Vasudevan”].
As per claim 7, the combination of Giokas, Reddy, Deng and Jagannath teaches the method of claim 6.
The combination of Giokas, Reddy, Deng and Jagannath does not explicitly teach wherein a first type of alert for a first vulnerable software component having an active operational status is prioritized over a second type of alert for a second vulnerable software component having a dormant operational status. Vasudevan teaches wherein a first type of alert for a first vulnerable software component having an active operational status is prioritized over a second type of alert for a second vulnerable software component having a dormant operational status ([0028], prioritizing alerts if a threat matches an open vulnerability, i.e. active status versus not active) see also ([0045]-[0046], addressing vulnerabilities based on priority).
At the time of filing, it would have been obvious to one of ordinary skill in the art to combine Giokas, Reddy, Deng and Jagannath with the teachings of Vasudevan, wherein a first type of alert for a first vulnerable software component having an active operational status is prioritized over a second type of alert for a second vulnerable software component having a dormant operational status, to ensure that the most relevant and time sensitive issues are addressed as soon as possible.
Claims 10, 19 and 21 are rejected under 35 U.S.C. 103 as being unpatentable over Giokas, Reddy, Deng and Jagannath in view of Drew (US Patent No. 6,928,555).
As per claim 10, the combination of Giokas, Reddy, Deng and Jagannath teaches the method of claim 1.
The combination of Giokas, Reddy, Deng and Jagannath does not explicitly teach caching, based on the scan of the cloud environment, a caching identifier representative of information resulting from the scan and associated with one or more software components deployed in the cloud environment; and refraining, based on the caching identifier, from scanning the one or more software components until the one or more software components have changed from a previous scan of the cloud environment. Drew teaches caching, based on the scan of the cloud environment, a caching identifier representative of information resulting from the scan and associated with one or more software components deployed in the cloud environment; and refraining, based on the caching identifier, from scanning the one or more software components until the one or more software components have changed from a previous scan of the cloud environment (Col. 2, lines 15-30, setting a flag in a cache associated with a particular file which shows if the file has been modified and if it should be skipped or scanned by a virus scanner).
At the time of filing, it would have been obvious to one of ordinary skill in the art to combine Giokas, Reddy, Deng and Jagannath with the teachings of Drew, caching, based on the scan of the cloud environment, a caching identifier representative of information resulting from the scan and associated with one or more software components deployed in the cloud environment; and refraining, based on the caching identifier, from scanning the one or more software components until the one or more software components have changed from a previous scan of the cloud environment, to conserve power and processing resources in the cloud environment.
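As an added illustration of the claim 10 caching step (a caching identifier derived from a component's scanned content, used to skip rescanning until the component changes), the following Python sketch runs on constructed data. It is not code from the application or from Drew; the component representation, the toy scanner rule and the inclusion of a vulnerability-database version in the identifier are assumptions made for the example. That last choice is the practitioner's caveat: an identifier keyed only on the component's bytes would keep returning a cached "clean" verdict after the advisory feed changes.

```python
import hashlib

# Constructed illustration of a scan cache keyed on a caching identifier.
# Not code from the application or from Drew; representation and rule are assumed.

def caching_identifier(component, db_version):
    """Digest over the component's identity, its bytes, and the vulnerability-database
    version. Including db_version means a new advisory feed invalidates old results
    instead of leaving stale verdicts in the cache."""
    h = hashlib.sha256()
    for part in (component["name"], component["version"], db_version):
        h.update(part.encode())
        h.update(b"\0")          # separator so "ab"+"c" and "a"+"bc" differ
    h.update(component["content"])
    return h.hexdigest()

class ScanCache:
    def __init__(self):
        self.entries = {}        # component id -> (identifier, findings)

    def scan(self, components, scanner, db_version):
        """Scan only components whose identifier changed.
        Returns (findings by id, ids scanned this pass, ids skipped this pass)."""
        findings, scanned, skipped = {}, [], []
        for c in components:
            ident = caching_identifier(c, db_version)
            cached = self.entries.get(c["id"])
            if cached is not None and cached[0] == ident:
                findings[c["id"]] = cached[1]   # unchanged since last scan: reuse result
                skipped.append(c["id"])
                continue
            result = scanner(c)                 # the expensive step
            self.entries[c["id"]] = (ident, result)
            findings[c["id"]] = result
            scanned.append(c["id"])
        return findings, scanned, skipped

# Stand-in for the vulnerability check (constructed rule, not a real advisory).
VULNERABLE_VERSIONS = {("libfoo", "1.2.0")}

def toy_scanner(component):
    key = (component["name"], component["version"])
    return "vulnerable" if key in VULNERABLE_VERSIONS else "clean"

def demo():
    """Four passes: cold, unchanged, one component modified, database version bumped."""
    comps = [{"id": "c1", "name": "libfoo", "version": "1.2.0", "content": b"aaa"},
             {"id": "c2", "name": "libbar", "version": "2.0",   "content": b"bbb"}]
    cache = ScanCache()
    first = cache.scan(comps, toy_scanner, "db-1")     # everything scanned
    second = cache.scan(comps, toy_scanner, "db-1")    # nothing changed: everything skipped
    comps[1] = {**comps[1], "content": b"bbb-patched"}  # c2 modified: only c2 rescanned
    third = cache.scan(comps, toy_scanner, "db-1")
    fourth = cache.scan(comps, toy_scanner, "db-2")    # new database: everything rescanned
    return first, second, third, fourth

if __name__ == "__main__":
    for label, (findings, scanned, skipped) in zip(("first", "second", "third", "fourth"), demo()):
        print(label, findings, "scanned:", scanned, "skipped:", skipped)
```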
As per claim 21, the substance of the claimed invention is identical or substantially similar to that of claim 10.
Claim 11 is rejected under 35 U.S.C. 103 as being unpatentable over Giokas, Reddy, Deng and Jagannath in view of Toper et al. (US PGPUB No. 2018/0364994) [hereinafter “Toper”].
As per claim 11, the combination of Giokas, Reddy, Deng and Jagannath teaches the method of claim 1.
The combination of Giokas, Reddy, Deng and Jagannath does not explicitly teach wherein the scan of the cloud environment includes recursively scanning nested software components. Toper teaches wherein the scan of the cloud environment includes recursively scanning nested software components ([0041]-[0042], using various static code analysis to discover vulnerabilities in nested loops and program code).
At the time of filing, it would have been obvious to one of ordinary skill in the art to combine Giokas, Reddy, Deng and Jagannath with the teachings of Toper, wherein the scan of the cloud environment includes recursively scanning nested software components, to ensure that potential hidden vulnerabilities are discovered.
Response to Arguments
Applicant's arguments with respect to the rejection of claims 1-7, 9-17 and 19-22 under 35 U.S.C. 112 have been fully considered and are persuasive. Accordingly, these rejections are withdrawn.
Applicant's arguments with respect to the rejection of claims 1-20 under 35 U.S.C. 102 and 103 have been fully considered and are persuasive. In light of the new amendments, a new prior art reference, Jagannath, has been introduced and cited. See the rejections above.
To expedite prosecution, Examiner is open to conducting an interview to discuss claim amendments to overcome the current rejection and/or place the application in condition for allowance.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Kotler et al. (Patent No. 9,473,522), Henrikson (Patent No. 9,690,690), Sun et al. (PGPUB No. 2017/0206016), Wendt et al. ("Partitioning Communication Streams Into Graph Snapshots," in IEEE Transactions on Network Science and Engineering, vol. 10, no. 2, pp. 809-826, 1 March-April 2023, doi: 10.1109/TNSE.2022.3223614) and Wei et al. ("Graph Representation Learning based Vulnerable Target Identification in Ransomware Attacks," 2022 IEEE International Conference on Big Data (Big Data), Osaka, Japan, 2022, pp. 2423-2430, doi: 10.1109/BigData55660.2022.10021008) all disclose various aspects of the claimed invention, including scanning for vulnerabilities on the cloud and generating appropriate alerts.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to PETER C SHAW whose telephone number is (571)270-7179. The examiner can normally be reached on a Max Flex schedule.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached on 571-272-3862. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/PETER C SHAW/Primary Examiner, Art Unit 2493 February 4, 2026