DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 12/10/2025 has been entered.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 01/23/2026 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.
Priority
Acknowledgement is made of applicant’s claiming of priority to U.S. Provisional application No. 63/417,536 filed on 10/19/2022.
Response to Amendment
This office action is in response to the RCE filed on 01/07/2026. Claims 1-20 remain pending. Claims 1 and 11 are independent.
Response to Arguments
Rejections under 35 U.S.C. § 103:
Applicant’s arguments on pages 6-11 of Applicant’s Remarks, filed 12/10/2025 (hereinafter “REMARKS”), with respect to the rejection of the claims under 35 U.S.C. § 103 have been fully considered but are not persuasive. Applicant argues the prior art of record Bert (U.S. PGPub No. 2024/0020181; hereinafter “Bert”) in view of Waisman et al. (U.S. PGPub No. 2005/0262556; hereinafter “Waisman”) does not disclose all the limitations of the amended independent claims. The examiner respectfully disagrees.
Bert teaches a storage product receiving incoming packets from a remote host system (¶ 0328-0329, Fig. 1, Fig. 9, Fig. 17, Examiner’s Note: remote host system interpreted as a user device). The processor of the storage product is a Computational Storage Processor (¶ 0208-0211, Fig. 9, element 159). Messages are received and operated on such as by authenticating users, managing access privileges and security settings, authorizing access, storing or retrieving data, etc. (¶ 0022). When operating, a computational storage function is a set of routines performed by the storage product and applied to transform data that is going into or coming out of storage (¶ 0204). As such, Bert reads on “receiving, from a user device, a computational storage (CS) request”. Additionally, Bert discloses identifying among messages, of incoming packets, first messages, second messages, and third messages (¶ 0329, ¶ 0330). This reads on “identifying the CS request”.
Waisman teaches performing analysis on incoming packets, especially on the incoming payload, such as with signature analysis or misuse detection (¶ 0014, ¶ 0016-0018). In the analysis, a number of current risk points are assigned to the transmission when the packet exhibits characteristics of a harmful transmission, the number depending on the threat posed by the transmission. The risk points identify the transmission as a security risk along with the place it came from (¶ 0017-0018). The recitation of “an attack” in the context of the claims is not further described other than the CS request being identified as one, and under the broadest reasonable interpretation it is interpreted as a request that is identified as potentially harmful, i.e., one that exhibits characteristics of a harmful transmission. Therefore, Bert in view of Waisman reads on the limitation “identifying the CS request as an attack”. Furthermore, Waisman teaches a new cumulative risk rating being the sum of current risk points (a number of risk points applied to the incoming packet) and previous cumulative risk points (from previous packets from the same IP) (¶ 0020, ¶ 0025, ¶ 0027). Therefore, summing the current risk points with the previous cumulative risk points reads on “increment a total attack value that represents a total number of attacks received from the device based on the identified attack”. Applicant argues (see pages 8-9 of REMARKS) that the points of the previous cumulative risk points do not represent a number of attacks received from the device. As the claim simply reads “incrementing”, and not incrementing by a specific amount, the previous cumulative risk points (¶ 0027) are still representative of previously identified attacks regardless of whether they are a larger or smaller number, as long as they increase with new attacks. The new cumulative risk rating is then compared with a pre-established risk level threshold (¶ 0028).
Given that the new cumulative risk rating is a sum including previously assigned risk points, which are based on a number of previous packets with security risks from the same IP address (¶ 0025), the combination of Bert, which teaches a host device, with Waisman reads on the limitations “increment a total attack value that represents a total number of attacks received from the user device based on the identified attack; comparing the total attack value of the user device to a threshold”. Furthermore, Waisman teaches applying a new rule to block transmissions from the IP address when the new cumulative risk rating is greater than the pre-established threshold (¶ 0029). Therefore, Bert in combination with Waisman reads on the limitation “identifying the user device as an attacker based on the comparison”.
Therefore, applicant’s arguments are not persuasive, the combination of Bert in view of Waisman discloses all the limitations of the independent claims, and the rejection is maintained.
Applicant argues that the rejections of the dependent claims fail to remedy the issues of the independent claims, and that the dependent claims therefore distinguish over the prior art of record for the same reasons as the independent claims. As per the reasons described above, all the limitations of the independent claims are disclosed by Bert in view of Waisman. Therefore, the respective rejections of the dependent claims are maintained.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1, 4-5, 11, and 14-15 are rejected under 35 U.S.C. 103 as being unpatentable over Bert (U.S. PGPub No. 2024/0020181; hereinafter “Bert”) in view of Waisman et al. (U.S. PGPub No. 2005/0262556; hereinafter “Waisman”).
As per claim 1: Bert discloses a method of a computational storage device (CSD) (a storage product … a computational storage processor [Bert, abstract, ¶ 0199-0204, Fig. 1, Fig. 9, storage product, computational storage processor, Fig. 16, Fig. 17]), the method comprising:
receiving, from a user device, a computational storage (CS) request (a network interface 113 of a storage product 102 operating on a computer network 114 receives incoming packets 202 from a remote host system 121 [Bert ¶ 0328-0329, Fig. 1, Fig. 9, Fig. 17, Examiner’s Note: remote host system interpreted as a user device]; in response to the messages, the CPU is configured via the instructions to authenticate users, manage access privileges and security settings, authorize access, manage the storage capacity, store data into the memory devices, retrieve data from the memory devices [¶ 0022, Examiner’s Note: authorize users in response to received messages, received from the remote host system 121]; the storage product 102 has a processing device 107 coupled to the network interface 113 to generate storage access messages 151 represented by the incoming packets 202 and identifying among the storage access messages 151, first messages 205, second messages 251, and third messages 255 [¶ 0329]; Since the memory sub-system 110, as a product, is configured to specifically service the storage access requests received via the network interface 113 [Bert ¶ 0047]; in general, a computational storage function can be a set of routine operations applied to transform data going into, or coming out of, the storage capacity of the storage device 105 of the storage product 102 [¶ 0204]);
identifying the CS request (identifies, among storage access messages 151 represented by the incoming packets 202, first messages 205, second messages 251, and third messages 255 [Bert ¶ 0329, ¶ 0330]) [as an attack];
[increment a total attack value that represents a total number of attacks received from] the user device [based on the identified attack];
[comparing the total attack value of] the user device (remote host system 121 [Bert ¶ 0328, Fig. 1, Host System B 121, Fig. 9, Fig. 17]; the CPU is configured via the instructions to authenticate users [Bert ¶ 0022, ¶ 0040]) [to a threshold];
[and identifying] the user device (remote host system 121 [Bert ¶ 0328, Fig. 1, Host System B 121, Fig. 9, Fig. 17]; the CPU is configured via the instructions to authenticate users [Bert ¶ 0022, ¶ 0040]) [as an attacker based on the comparison].
Bert discloses the claimed subject matter as discussed above but does not explicitly disclose identify the request as an attack; increment a total attack value that represents a total number of attacks received from the device based on the identified attack; comparing the total attack value of the device to a threshold; and identifying the device as an attacker based on the comparison. However, Waisman teaches identify the request as an attack (the first level analysis 20 performs two types of recognition techniques to determine if the payload is potentially harmful: (1) signature analysis or misuse detection, and (2) correlation of lesser events [Waisman ¶ 0016]; if the first level analysis 20 locates a substring within the payload that matches one of the harmful signatures stored within the database of signatures of harmful transmissions 40, the transmission 10 is assigned a number of current risk points, the number depending on how much of a threat is posed by the transmission [Waisman ¶ 0017, Examiner’s Note: assigning of current risk points is identifying the transmission and place it came from as an attack]; if the first level analysis 20 determines that the payload is not similar to one of the signatures, the transmission 10 is not assigned any current risk points [¶ 0017]; the system can recognize if any aspect of the transmission 10 is abnormal or nonstandard … it may nevertheless suggest that a transmission 10 is harmful… assigns a relatively low number of current risk points [Waisman ¶ 0018]); increment a total attack value that represents a total number of attacks received from the device based on the identified attack (after the transmission 10 is assigned current risk points, the control logic 60 determines whether additional processing is needed for the transmission [Waisman ¶ 0020]; the second level IP analysis 70 determines whether earlier risky transmissions were received from the same originating IP address as the current transmission 10 … The database of known IP addresses 90 also contains a running total of the previous cumulative risk points associated with the transmission from each IP address [Waisman ¶ 0025]; the second level IP analysis 70 assigns a new cumulative risk rating to the IP address stored in the database of known IP addresses 90, the new cumulative risk rating being the sum of the current risk points and the previous cumulative risk points stored in the database [Waisman ¶ 0027, Examiner’s Note: new cumulative risk rating is interpreted as a total attack value as it is based on the sum of current risk points and previous cumulative risk points]); comparing the total attack value of the device to a threshold (after the transmission 10 is assigned current risk points, the control logic 60 determines whether additional processing is needed for the transmission [Waisman ¶ 0020]; the second level IP analysis 70 determines whether earlier risky transmissions were received from the same originating IP address as the current transmission 10 … The database of known IP addresses 90 also contains a running total of the previous cumulative risk points associated with the transmission from each IP address [Waisman ¶ 0025]; the second level IP analysis 70 assigns a new cumulative risk rating to the IP address stored in the database of known IP addresses 90, the new cumulative risk rating being the sum of the current risk points and the previous cumulative risk points stored in the database [Waisman ¶ 0027, Examiner’s Note: new cumulative risk rating is interpreted as a total attack value as it is based on the sum of current risk points and previous cumulative risk points]; After the database of known IP addresses 90 is updated, the new cumulative risk rating of the transmission 10 is compared to the pre-established threshold risk level [Waisman ¶ 0028, Examiner’s Note: comparing new cumulative risk rating with a pre-established threshold risk level]); and identifying the device as an attacker based on the comparison (Control logic 110 determines whether the transmission 10 is allowed to pass on to the network or whether it is blocked and prevented from passing on to the network … If the new cumulative risk rating is greater than the pre-established threshold, the control logic 110 passes on to the firewall 120 a new rule to block transmissions from the originating IP address of the current transmission 10 [Waisman ¶ 0029, Examiner’s Note: blocking the transmission when the new cumulative risk rating is greater than the threshold is interpreted as identifying it as an attacker]). Waisman and the instant application are analogous art because they are from the same field of endeavor of transmission security. Therefore, based on Bert in view of Waisman, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to apply the teaching of Waisman to the system of Bert in order to prevent harmful transmissions from reaching and harming the internal network and devices (Waisman ¶ 0028-0029). Hence, it would have been obvious to combine the references above to obtain the invention as specified in the instant claim.
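As an added illustration of the two-level analysis that the rejection above maps onto claim 1 (example code written for this discussion, not code from the office action, the application, or the Bert or Waisman publications), the following Python models first-level scoring of a transmission by signature match or nonstandard structure, the per-IP running total of the second level, the comparison of the new cumulative rating against a pre-established threshold, and the block rule handed to the firewall when it is exceeded. The signatures, point weights, threshold and sample traffic are all constructed for the example, and the "greater than" versus "greater than or equal" convention is a parameter.

```python
"""Per-source cumulative risk scoring with a blocking threshold (added example)."""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed signature database: payload substring -> current risk points.
# Weights are illustrative; a real deployment would tune them per threat.
HARMFUL_SIGNATURES: dict[bytes, int] = {
    b"../../": 30,            # path-traversal style request
    b"DROP TABLE": 40,        # SQL-injection style payload
    b"\x90\x90\x90\x90": 50,  # NOP-sled fragment in a binary payload
}
ABNORMAL_POINTS = 5           # low score: nonstandard payload, no signature match
MAX_STANDARD_PAYLOAD = 512    # payloads longer than this count as "nonstandard"


@dataclass
class Transmission:
    src_ip: str
    payload: bytes


def first_level_analysis(tx: Transmission) -> int:
    """Assign current risk points to one transmission; 0 means no risk found."""
    points = 0
    for signature, weight in HARMFUL_SIGNATURES.items():
        if signature in tx.payload:
            points = max(points, weight)  # strongest matching signature wins
    # Abnormal or nonstandard characteristics only *suggest* harm, so they earn a
    # relatively low number of points, and only when no signature already scored it.
    if points == 0 and (len(tx.payload) > MAX_STANDARD_PAYLOAD
                        or not tx.payload.isascii()):
        points = ABNORMAL_POINTS
    return points


@dataclass
class SecondLevelIPAnalysis:
    """Running per-IP totals, threshold comparison, and block rules."""
    threshold: int
    inclusive: bool = False  # True: block at >= threshold; False: block at > threshold
    cumulative: dict[str, int] = field(default_factory=dict)   # known-IP running totals
    log: list[tuple[str, int]] = field(default_factory=list)   # every scored transmission
    block_rules: set[str] = field(default_factory=set)         # rules passed to the firewall

    def process(self, tx: Transmission) -> str:
        """Return 'block' or 'pass' for the transmission, updating state as it goes."""
        if tx.src_ip in self.block_rules:
            return "block"  # an earlier rule already blocks this originating IP
        current = first_level_analysis(tx)
        if current == 0:
            return "pass"   # no risk points: no second-level processing needed
        self.log.append((tx.src_ip, current))
        new_rating = self.cumulative.get(tx.src_ip, 0) + current
        self.cumulative[tx.src_ip] = new_rating
        exceeded = (new_rating >= self.threshold) if self.inclusive \
            else (new_rating > self.threshold)
        if exceeded:
            self.block_rules.add(tx.src_ip)
            return "block"
        return "pass"


def demo() -> tuple[SecondLevelIPAnalysis, list[str]]:
    """Run constructed sample traffic through both levels and return the results."""
    analysis = SecondLevelIPAnalysis(threshold=60)
    samples = [  # constructed sample transmissions (documentation-range addresses)
        Transmission("198.51.100.7", b"GET /index.html"),        # benign: 0 points
        Transmission("198.51.100.7", b"GET /../../etc/passwd"),  # 30 points, total 30
        Transmission("203.0.113.9", b"\xff\xfe\xfd"),            # non-ASCII: 5 points
        Transmission("198.51.100.7", b"q=1; DROP TABLE users"),  # 40 points, total 70
        Transmission("198.51.100.7", b"GET /index.html"),        # blocked by the new rule
    ]
    decisions = [analysis.process(tx) for tx in samples]
    return analysis, decisions


if __name__ == "__main__":
    state, results = demo()
    for (ip, pts), decision in zip(state.log, results):
        print(f"{ip}: +{pts} points -> {decision}")
    print("block rules:", sorted(state.block_rules))
```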
As per claim 4: Bert in view of Waisman teach all the limitations of claim 1. Furthermore, Waisman discloses further comprising logging the identified attack in a user device data structure associated with the total attack value (When a transmission 10 enters the second level IP analysis 70, it is first sent to the logging module 80. The logging module keeps a complete record of all transmissions that were assigned current risk points after the first level of analysis … the logging module 80 is a database [Waisman ¶ 0023]; The database of known IP addresses 90 also contains a running total of the previous cumulative risk points associated with the transmission from each IP address [Waisman ¶ 0025]).
As per claim 5: Bert in view of Waisman teach all the limitations of claim 1. Furthermore, Bert and Waisman disclose wherein identifying the user device as the attacker based on the comparison comprises identifying the user device as the attacker (remote host system 121 [Bert ¶ 0328, Fig. 1, Host System B 121, Fig. 9, Fig. 17]; the CPU is configured via the instructions to authenticate users [Bert ¶ 0022, ¶ 0040]; the second level IP analysis 70 assigns a new cumulative risk rating to the IP address stored in the database of known IP addresses 90, the new cumulative risk rating being the sum of the current risk points and the previous cumulative risk points stored in the database [Waisman ¶ 0027, Examiner’s Note: new cumulative risk rating is interpreted as a total attack value as it is based on the sum of current risk points and previous cumulative risk points]; After the database of known IP addresses 90 is updated, the new cumulative risk rating of the transmission 10 is compared to the pre-established threshold risk level [Waisman ¶ 0028, Examiner’s Note: comparing new cumulative risk rating with a pre-established threshold risk level]; Control logic 110 determines whether the transmission 10 is allowed to pass on to the network or whether it is blocked and prevented from passing on to the network … If the new cumulative risk rating is greater than the pre-established threshold, the control logic 110 passes on to the firewall 120 a new rule to block transmissions from the originating IP address of the current transmission 10 [Waisman ¶ 0029, Examiner’s Note: blocking the transmission when the new cumulative risk rating is greater than the threshold is interpreted as identifying it as an attacker]), in response to the total attack value of the user device being greater than or equal to the threshold (After the database of known IP addresses 90 is updated, the new cumulative risk rating of the transmission 10 is compared to the pre-established threshold risk level [Waisman ¶ 0028, Examiner’s Note: comparing new cumulative risk rating with a pre-established threshold risk level]; If the new cumulative risk rating is greater than the pre-established threshold, the control logic 110 passes on to the firewall 120 a new rule to block transmissions from the originating IP address of the current transmission 10 [Waisman ¶ 0029, Examiner’s Note: it is noted that whether the comparison is “greater than” or “greater than or equal to” the threshold is an arbitrary convention]).
As per claim 11: Bert in view of Waisman teach all the limitations of claim 1. Furthermore, Bert discloses a computational storage device (CSD), comprising: a memory (the storage product 102 has … a random-access memory 101 [Bert, ¶ 0210, Fig. 1, Fig. 9, random-access memory]); and a processor configured to: (a storage product 102 has a computational storage processor to perform computations on data received from a remote host system 121 [Bert, ¶ 0199, Fig. 1, Fig. 9, computational storage processor]). The limitations of claim 11 are substantially similar to claim 1 above, and therefore the claim is likewise rejected.
As per claim 14: Bert in view of Waisman teach all the limitations of claim 11. The limitations of claim 14 are substantially similar to claim 4 above, and therefore the claim is likewise rejected.
As per claim 15: Bert in view of Waisman teach all the limitations of claim 11. The limitations of claim 15 are substantially similar to claim 5 above, and therefore the claim is likewise rejected.
Claims 2-3 and 12-13 are rejected under 35 U.S.C. 103 as being unpatentable over Bert in view of Waisman further in view of DIMITROVA et al. (U.S. PGPub No. 2023/0097770; hereinafter “DIMITROVA”).
As per claim 2: Bert in view of Waisman teach all the limitations of claim 1. Furthermore, Bert and Waisman disclose wherein identifying the CS request as the attack comprises (a network interface 113 of a storage product 102 operating on a computer network 114 receives incoming packets 202 from a remote host system 121 [Bert ¶ 0328-0329, Fig. 1, Fig. 9, Fig. 17, Examiner’s Note: remote host system interpreted as a user device]; remote host system 121 [Bert ¶ 0328, Fig. 1, Host System B 121, Fig. 9, Fig. 17]; the CPU is configured via the instructions to authenticate users [Bert ¶ 0022, ¶ 0040, Examiner’s Note: Bert teaches of authenticating users for access]; the transmission 10 is assigned a number of current risk points, the number depending on how much of a threat is posed by the transmission [Waisman ¶ 0017, Examiner’s Note: assigning of current risk points is identifying the transmission and place it came from as an attack]) [performing CS resource authorization].
Bert in view of Waisman discloses the claimed subject matter as discussed above but does not explicitly disclose performing CS resource authorization. However, DIMITROVA teaches performing CS resource authorization (capturing the set of authorization checks in association with operations performed during a plurality of sessions over a time period … detecting based on a privilege usage rule, a privilege usage pattern in the captured set of authorization checks, wherein the privilege usage rule indicates inaccessibility of a resource of the computing environment due to granted privileges … generating based on the detected privilege usage pattern, an inaccessible resource notification indicating a resource that is inaccessible [DIMITROVA ¶ 0098]; the privilege usage rule indicates performance of a malicious operation during the session [DIMITROVA ¶ 0097]; the set of authorization checks are associated with requests for access to resources of the computing environment … processing resources and data storage resources [DIMITROVA ¶ 0100]; a user operates a user device 146 to access, via the physical network 112, the functionality of VM1 118 to VMN 120, using a web client 148 [DIMITROVA ¶ 0031, Fig. 1]). The instant application and DIMITROVA are analogous art because they are from the same field of endeavor of providing computer resources. Therefore, based on Bert in view of Waisman further in view of DIMITROVA, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teaching of DIMITROVA to the system of Bert in view of Waisman in order to ensure security of the computing resources given authorization checks such that only users with correct privileges utilize the resources (¶ 0098, ¶ 0100). Hence, it would have been obvious to combine the references above to obtain the invention as specified in the instant claim.
As per claim 3: Bert in view of Waisman teach all the limitations of claim 1. Furthermore, Bert and Waisman disclose wherein identifying the CS request as the attack comprises (a network interface 113 of a storage product 102 operating on a computer network 114 receives incoming packets 202 from a remote host system 121 [Bert ¶ 0328-0329, Fig. 1, Fig. 9, Fig. 17, Examiner’s Note: remote host system interpreted as a user device]; remote host system 121 [Bert ¶ 0328, Fig. 1, Host System B 121, Fig. 9, Fig. 17]; the CPU is configured via the instructions to authenticate users [Bert ¶ 0022, ¶ 0040, Examiner’s Note: Bert teaches of authenticating users for access]; the transmission 10 is assigned a number of current risk points, the number depending on how much of a threat is posed by the transmission [Waisman ¶ 0017, Examiner’s Note: assigning of current risk points is identifying the transmission and place it came from as an attack]) [verifying that a CS resource that is requested is valid for use by] a CS application (a storage product 102 has a computational storage processor to perform computations on data received from a remote host system 121 [Bert ¶ 0199]; In general, a computational storage function can be a set of routine operations applied to transform data going into, or coming out of, the storage capacity of the storage device 105 of the storage product 102 [Bert ¶ 0204]; Instead of entirely relying upon pre-coded firmware and/or hardware logic circuits to perform pre-determined computational storage functions, the external processor can adjust, change, and/or inject instructions for the computational storage processor to perform functions that can be dependent on a user, an account, a namespace, a time in a day, week, month or year, and/or other attributes related to the data to be stored or retrieved and/or storage access requests [Bert ¶ 0205]; a portion of the functionality of the storage product 102 having the computational storage processor can be defined via software (e.g., storage application) [¶ 0206]).
Bert in view of Waisman discloses the claimed subject matter as discussed above but does not explicitly disclose verifying that a CS resource that is requested is valid for use by. However, DIMITROVA teaches verifying that a CS resource that is requested is valid for use by (In examples where an operation during a session 204 is granted access to the requested system resources 210 by the authorization module 208, the operation of the session 204 is enabled to use the requested system resources 210. In some examples, the requested system resources 210 include data storage resources, computation or processing resources, or the like. For instance, an operation of a session 204 requests to write data to data storage resources and/or read data from data storage resources. Alternatively, or additionally, the operation of the session 204 requests to use processing resources to execute a script, application, or other program. Further, in some examples, system resources 210 include objects, applications or programs, and/or APIs configured to access other system resources 210. For instance, a user of a session 204 is granted a session privilege that gives an operation of the session 204 permission to make an API call that uses one or more other system resources 210 [DIMITROVA ¶ 0036]; detecting based on a privilege usage rule, a privilege usage pattern in the captured set of authorization checks, wherein the privilege usage rule indicates inaccessibility of a resource of the computing environment due to granted privileges … generating based on the detected privilege usage pattern, an inaccessible resource notification indicating a resource that is inaccessible [DIMITROVA ¶ 0098]; the privilege usage rule indicates performance of a malicious operation during the session [DIMITROVA ¶ 0097]; the set of authorization checks are associated with requests for access to resources of the computing environment … processing resources and data storage resources [DIMITROVA ¶ 0100]). 
The instant application and DIMITROVA are analogous art because they are from the same field of endeavor of providing computer resources. Therefore, based on Bert in view of Waisman in view of DIMITROVA, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teaching of DIMITROVA to the system of Bert in view of Waisman in order to ensure access to resources is protected with privileges for ensuring correct usage of the computational and storage resources. Hence, it would have been obvious to combine the references above to obtain the invention as specified in the instant claim.
As per claim 12: Bert in view of Waisman teach all the limitations of claim 11. The limitations of claim 12 are substantially similar to claim 2 above, and therefore the claim is likewise rejected.
As per claim 13: Bert in view of Waisman teach all the limitations of claim 11. The limitations of claim 13 are substantially similar to claim 3 above, and therefore the claim is likewise rejected.
Claims 6 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Bert in view of Waisman further in view of Winkler et al. (U.S. PGPub No. 2013/0246105; hereinafter “Winkler”).
As per claim 6: Bert in view of Waisman teach all the limitations of claim 1. Furthermore, Bert and Waisman disclose further comprising designating the user device as the attacker (Control logic 110 determines whether the transmission 10 is allowed to pass on to the network or whether it is blocked and prevented from passing on to the network … If the new cumulative risk rating is greater than the pre-established threshold, the control logic 110 passes on to the firewall 120 a new rule to block transmissions from the originating IP address of the current transmission 10 [Waisman ¶ 0029, Examiner’s Note: blocking the transmission when the new cumulative risk rating is greater than the threshold is interpreted as identifying it as an attacker]) in [a service level agreement (SLA)]-User mapping table associated with the user device (When a transmission 10 enters the second level IP analysis 70, it is first sent to the logging module 80. The logging module keeps a complete record of all transmissions that were assigned current risk points after the first level of analysis … the logging module 80 is a database [Waisman ¶ 0023]; The database of known IP addresses 90 also contains a running total of the previous cumulative risk points associated with the transmission from each IP address [Waisman ¶ 0025, Examiner’s Note: Waisman discloses a database which is interpreted as a mapping of an attackers points to originating IP of the device]).
Bert in view of Waisman discloses the claimed subject matter as discussed above but does not explicitly disclose a service level agreement (SLA). However, Winkler teaches a service level agreement (SLA) (to assess and evaluate potential damages or losses that may be caused by a threat to critical business processes … a service level agreement classifier configured to classify the selected service level agreement based on one or more violations [Winkler, abstract]; a Business Continuity Management (BCM) editor 116 that creates dependency models arranging a plurality of services and annotates the dependency model with risk information, service impact tables, recovery times, delay times, and service level agreement (SLA) information [Winkler ¶ 0042]). Winkler and the instant application are analogous art because they are from the same field of endeavor of providing services. Therefore, based on Bert in view of Waisman in view of Winkler, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teaching of Winkler to the system of Bert in view of Waisman in order to store critical information such as risk information and potential service impact for correctly managing business resources. Hence, it would have been obvious to combine the references above to obtain the invention as specified in the instant claim.
As per claim 16: Bert in view of Waisman teach all the limitations of claim 11. The limitations of claim 16 are substantially similar to claim 6 above, and therefore the claim is likewise rejected.
Claims 7-8 and 17-18 are rejected under 35 U.S.C. 103 as being unpatentable over Bert in view of Waisman further in view of Winkler further in view of DIMITROVA.
As per claim 7: Bert in view of Waisman further in view of Winkler teach all the limitations of claim 6. Furthermore, Bert, Waisman, and Winkler disclose further comprising: receiving a request to start a session, from the user device (the control messages can include a message containing access credentials 161 to start a session or an operation [Bert ¶ 0065]; remote host system 121 [Bert ¶ 0328, Fig. 1, Host System B 121, Fig. 9, Fig. 17]; the CPU is configured via the instructions to authenticate users [Bert ¶ 0022, ¶ 0040]), the request including a user identifier (UID) of the user device (the control messages can include a message containing access credentials 161 to start a session or an operation [Bert ¶ 0065, Examiner’s Note: the access credentials are interpreted as a user identifier]); [comparing the UID of the user device to] the SLA-User mapping table associated with the user device (access credentials 161 to start a session or an operation [Bert ¶ 0065, Examiner’s Note: the access credentials are interpreted as a user identifier]; The database of known IP addresses 90 also contains a running total of the previous cumulative risk points associated with the transmission from each IP address [Waisman ¶ 0025]; dependency models arranging a plurality of services and annotates the dependency model with risk information, service impact tables, recovery times, delay times, and service level agreement (SLA) information [Winkler ¶ 0042]); identifying the user device as the attacker based on the designation in the SLA-User mapping table associated with the user device (remote host system 121 [Bert ¶ 0328, Fig. 1, Host System B 121, Fig. 9, Fig. 17]; the CPU is configured via the instructions to authenticate users [Bert ¶ 0022, ¶ 0040]; The database of known IP addresses 90 also contains a running total of the previous cumulative risk points associated with the transmission from each IP address [Waisman ¶ 0025, Examiner’s Note: designations of previous cumulative risk points from other transmissions from other devices’ IPs]; dependency models arranging a plurality of services and annotates the dependency model with risk information, service impact tables, recovery times, delay times, and service level agreement (SLA) information [Winkler ¶ 0042]); and [modifying access for the user device, in response to identifying the user device as the attacker].
Bert in view of Waisman further in view of Winkler discloses the claimed subject matter as discussed above but does not explicitly disclose comparing the UID of the user device to; modifying access for the user device, in response to identifying the user device as the attacker. However, DIMITROVA teaches comparing the UID of the user device to (the sessions 204 are configured to enable performance of operations that include requests to access system resources 210 by the other systems of the sessions 204. Requests to access those system resources 210 include authorization checks 206 sent to the authorization module 208. In such examples, the authorization module 208 is configured to evaluate the authorization checks 206 to determine whether a session 204 has privileges to access a requested system resource 210. It should be understood that authorization checks 206 are also called privilege checks in some examples. The authorization checks 206 include identifying information, such as a session identifier, a user identifier, a user role identifier, or the like [DIMITROVA ¶ 0035, Examiner’s Note: evaluation of authorization checks such as a user identifier, checking is interpreted as comparing]); modifying access for the user device, in response to identifying the user device as the attacker (the detected usage patterns 226 include patterns that are indicative of whether a resource is accessible to sessions 204. When new resources are included in the system resources 210 and/or privilege configurations are changed in some way, it is possible that some system resources 210 are rendered inaccessible [DIMITROVA ¶ 0051, Examiner’s Note: rendering resource access to be inaccessible for the user from their device]; the flagged usage patterns and data associated with the session, such as the user identifier, user role identifier, date and time information, and or the like, are provide to a system administrator to enable the administrator to determine if the detected activity is legitimate or abnormal … classify the detected usage pattern as legitimate or abnormal and to create one or more privilege usage rules 222 for identifying similar future usage patterns and handling those associated sessions 204 appropriately (e.g., … if classified as malicious, new rules created such that future usage patterns that match are treated as malicious operations and stopped by the system) [DIMITROVA ¶ 0053]). DIMITROVA and the instant application are analogous art because they are from the same field of endeavor of providing computer resources. Therefore, based on Bert in view of Waisman further in view of Winkler in view of DIMITROVA, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teaching of DIMITROVA to the system of Bert in view of Waisman further in view of Winkler in order to protect system access and resources from malicious users based on their identifier. Hence, it would have been obvious to combine the references above to obtain the invention as specified in the instant claim.
As per claim 8: Bert in view of Waisman further in view of Winkler further in view of DIMITROVA teach all the limitations of claim 7. Furthermore, Bert and DIMITROVA disclose further comprising: receiving, from the user device, another CS request (a network interface 113 of a storage product 102 operating on a computer network 114 receives incoming packets 202 from a remote host system 121 [Bert ¶ 0328-0329, Fig. 1, Fig. 9, Fig. 17, Examiner’s Note: multiple requests being received]; privilege configurations are changed in some way, it is possible that some system resources 210 are rendered inaccessible [DIMITROVA ¶ 0051]); and modifying access for the another CS request and returning an indication (classify the detected usage pattern as legitimate or abnormal and to create one or more privilege usage rules 222 for identifying similar future usage patterns and handling those associated sessions 204 appropriately (e.g., … if classified as malicious, new rules created such that future usage patterns that match are treated as malicious operations and stopped by the system) [DIMITROVA ¶ 0053]; detecting based on privilege rule, a privilege usage pattern in the set of authorization checks, wherein the privilege usage rule indicates performance of a malicious operation during the session; and generating based on the detected privilege usage pattern, a malicious operation notification indicating the malicious operation is being performed during the session [DIMITROVA ¶ 0097]).
As per claim 17: Bert in view of Waisman further in view of Winkler teach all the limitations of claim 16. The limitations of claim 17 are substantially similar to claim 7 above, and therefore the claim is likewise rejected.
As per claim 18: Bert in view of Waisman further in view of Winkler further in view of DIMITROVA teach all the limitations of claim 17. The limitations of claim 18 are substantially similar to claim 8 above, and therefore the claim is likewise rejected.
Claims 9 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Bert in view of Waisman further in view of Dubeyko et al. (U.S. PGPub No. 2024/0095076; hereinafter “Dubeyko”).
As per claim 9: Bert in view of Waisman teach all the limitations of claim 1. Furthermore, Bert and Waisman disclose further comprising: in response to identifying the user device as an attacker (Control logic 110 determines whether the transmission 10 is allowed to pass on to the network or whether it is blocked and prevented from passing on to the network … If the new cumulative risk rating is greater than the pre-established threshold, the control logic 110 passes on to the firewall 120 a new rule to block transmissions from the originating IP address of the current transmission 10 [Waisman ¶ 0029, Examiner’s Note: blocking the transmission when the new cumulative risk rating is greater than the threshold is interpreted as identifying it as an attacker]), [stopping any CS applications associated with] the user device (remote host system 121 [Bert ¶ 0328, Fig. 1, Host System B 121, Fig. 9, Fig. 17]; the CPU is configured via the instructions to authenticate users [Bert ¶ 0022, ¶ 0040]); and [reclaiming any CS resources associated with] the user device (remote host system 121 [Bert ¶ 0328, Fig. 1, Host System B 121, Fig. 9, Fig. 17]; the CPU is configured via the instructions to authenticate users [Bert ¶ 0022, ¶ 0040]).
Bert in view of Waisman discloses the claimed subject matter as discussed above but does not explicitly disclose stopping any CS applications associated with; reclaiming any CS resources associated with. However, Dubeyko teaches stopping any CS applications associated with (every application has to be properly terminated in the case of user request and/or in case of any possible issue with execution [¶ 0046]; computation threads in computational storage [¶ 0087]; To terminate an application, the process may issue a termination command or a termination request to all computation threads in computational storage. In response to receiving the termination command or termination request, the management thread on host side can issue an I/O request for the computation thread(s) on the computational storage side to finish execution. For example, a management thread may send a request to a computation thread to terminate. In response to receiving the request to terminate, the computation thread may execute a termination logic or a destruction logic and free resources [¶ 0087]); reclaiming any CS resources associated with (In response to receiving the request to terminate, the computation thread may execute a termination logic or a destruction logic and free resources [¶ 0087, Examiner’s Note: freeing resources is reclaiming resources]). Dubeyko and the instant application are analogous art because they are from the same field of endeavor of computational storage. Therefore, based on Bert in view of Waisman in view of Dubeyko, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teaching of Dubeyko to the system of Bert in view of Waisman in order to reclaim resources no longer used by the computational storage application so they can be used by other applications. Hence, it would have been obvious to combine the references above to obtain the invention as specified in the instant claim.
As per claim 19: Bert in view of Waisman teach all the limitations of claim 11. The limitations of claim 19 are substantially similar to claim 9 above, and therefore the claim is likewise rejected.
Claims 10 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Bert in view of Waisman further in view of Winkler further in view of Black et al. (U.S. PGPub No. 2021/0136107; hereinafter “Black”).
As per claim 10: Bert in view of Waisman teach all the limitations of claim 1. Furthermore, Bert and Waisman disclose further comprising: receiving, from an authorized user device (remote host system 121 [Bert ¶ 0328, Fig. 1, Host System B 121, Fig. 9, Fig. 17]; the CPU is configured via the instructions to authenticate users [Bert ¶ 0022, ¶ 0040]; control messages on a separate processing path can include administrative and management commands used to create a namespace in the storage capacity, to map the namespace to a client, to authenticate users, to set security attributes (e.g., read only permitted vs. both read and write permitted), to provide authorization to which operation is allowed, to manage configuration changes, etc. Such control messages (e.g., for administrative and management functions) can be configured to flow through the processing device … perform access control, administrative operations, management operations [Bert ¶ 0029]), [an update for] [a service level agreement (SLA)]-User mapping table associated with another user device (When a transmission 10 enters the second level IP analysis 70, it is first sent to the logging module 80. The logging module keeps a complete record of all transmissions that were assigned current risk points after the first level of analysis … the logging module 80 is a database [Waisman ¶ 0023]; The database of known IP addresses 90 also contains a running total of the previous cumulative risk points associated with the transmission from each IP address [Waisman ¶ 0025]) [that the authorized user device is identifying an attacker]; and designating the another user device as the attacker in [the SLA]-User mapping table associated with the another user device (When a transmission 10 enters the second level IP analysis 70, it is first sent to the logging module 80. The logging module keeps a complete record of all transmissions that were assigned current risk points after the first level of analysis … the logging module 80 is a database [Waisman ¶ 0023]; The database of known IP addresses 90 also contains a running total of the previous cumulative risk points associated with the transmission from each IP address [Waisman ¶ 0025]), based on the update (the second level IP analysis 70 assigns a new cumulative risk rating to the IP address stored in the database of known IP addresses 90, the new cumulative risk rating being the sum of the current risk points and the previous cumulative risk points stored in the database [Waisman ¶ 0027]).
Bert in view of Waisman discloses the claimed subject matter as discussed above but does not explicitly disclose a service level agreement (SLA); the SLA. However, Winkler teaches a service level agreement (SLA) (to assess and evaluate potential damages or losses that may be caused by a threat to critical business processes … a service level agreement classifier configured to classify the selected service level agreement based on one or more violations [Winkler, abstract]; a Business Continuity Management (BCM) editor 116 that creates dependency models arranging a plurality of services and annotates the dependency model with risk information, service impact tables, recovery times, delay times, and service level agreement (SLA) information [Winkler ¶ 0042]); the SLA (to assess and evaluate potential damages or losses that may be caused by a threat to critical business processes … a service level agreement classifier configured to classify the selected service level agreement based on one or more violations [Winkler, abstract]; a Business Continuity Management (BCM) editor 116 that creates dependency models arranging a plurality of services and annotates the dependency model with risk information, service impact tables, recovery times, delay times, and service level agreement (SLA) information [Winkler ¶ 0042]). Winkler and the instant application are analogous art because they are from the same field of endeavor of providing services. Therefore, based on Bert in view of Waisman in view of Winkler, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teaching of Winkler to the system of Bert in view of Waisman in order to store critical information such as risk information and potential service impact for correctly managing business resources. Hence, it would have been obvious to combine the references above to obtain the invention as specified in the instant claim.
Bert in view of Waisman in view of Winkler discloses the claimed subject matter as discussed above but does not explicitly disclose an update for another device that the authorized user device is identifying an attacker. However, Black teaches an update for another device that the authorized user device is identifying an attacker (accept an incident creation request from an administrator of the electronic communication platform who detects a suspicious attack at one user account, wherein the incident creation request may be submitted by the administrator via a client side web-based application/service [¶ 0014]). Black and the instant application are analogous art because they are from the same field of endeavor of securing access. Therefore, based on Bert in view of Waisman in view of Winkler in view of Black, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teaching of Black to the system of Bert in view of Waisman in view of Winkler in order to allow administrators to specify accounts as an attacker for improved attack detection for future computational storage requests. Hence, it would have been obvious to combine the references above to obtain the invention as specified in the instant claim.
As per claim 20: Bert in view of Waisman teach all the limitations of claim 11. The limitations of claim 20 are substantially similar to claim 10 above, and therefore the claim is likewise rejected.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAMES P MOLES whose telephone number is (703)756-1043. The examiner can normally be reached M-F 8:00am-5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jung Kim can be reached on (571) 272-3804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/JAMES P MOLES/Examiner, Art Unit 2494
/JUNG W KIM/Supervisory Patent Examiner, Art Unit 2494