Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Arguments
1. Applicant argues that Vajipayajula does not teach “a representation of the cloud computing environment”. Applicant argues that Vajipayajula teaches a graph that “represents security risk knowledge”. Applicant argues that the claim detects “a node representing a cloud entity and not to detect a cybersecurity threat as suggested by the office action.
Examiner asserts that Vajipayajula teaches a “security graph”. A knowledge graph is well known in the art, and as stated in Vajipayajula [0002] “nodes in the graph database represent entities”. and [0023] “servers 104, 106, 108 represent multiple computing nodes in a cloud environment” Vajipayajula teaches [0055] “cloud computing environment includes a set of one or more cloud computing nodes with which local computing devices…may communicate” Therefore examiner asserts that the graph database includes a node as a “representation of the cloud computing environment”
Examiner admits that the security graphs also contain data security risk information that is pertinent to the nodes. The inclusion of pertinent security risk information does not disqualify a node from “representing a cloud computing environment”
With respect to Applicant’s argument that the claim is directed to “detecting a node representing a cloud entity” and not to detect a cyber security threat, the claim states “detecting a node representing a cybersecurity threat connected to the cloud entity”. Examiner asserts that the claim is in fact, doing both. Examiner asserts that the invention is geared towards that end and therefore Vajipayajula is relevant.
Applicant points out that the specification [0039]-[0042] (but not the claim) that the cloud computing environment is “resources, principals, enrichments, and the like”.
If Applicant’s argument that Vajipayajula is “not teaching a representation of the cloud environment, but instead a graph of “security risk information” Examiner would assert that “security risk information” itself is a resource or enrichment. Examiner points to [0040] which states that the security information graph includes for example “IP address” associated with an entity or network connection.
Examiner additionally points to previously used reference Salman US 2023/0088034 which is not relied upon for rejection of these independent claims, but more clearly articulates what Applicant is arguing for. Examiner asserts that even if Applicant’s argument was persuasive, which it is not, Examiner would incorporate Salman and the claims would still not be in an allowable state.
2. Applicant argues that Giorgio cannot meet the claim limitation as stated because the traffic logs of Giorgio are “do not represent any node”. Applicant additionally argues that Giorgio does not provide for a compact forensic event log.
Examiner asserts that network traffic logs do not exist in a vacuum. As stated by Giorgio the “nodes and edges are comprised of extracted features from the metadata of the network traffic”. Giorgios stated aim is to determine the likelihood that a specified network component is infected with malware based on nodes extracted from metadata of network traffic.
Giorgio additionally teaches saving network logs, the network logs containing metadata, and compressing these logs for later analysis in a “compact” fashion.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1-19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Vajipayajula US 2019/0394225 in view of Giorgio US 11,057,414
As per claims 1, 10, 11. Vajipayajula teaches A method for generating a compact forensic event log based on a cloud log, comprising: traversing a security graph to detect a node representing a cloud entity in a cloud computing environment, deployed on a cloud computing infrastructure wherein the security graph includes a representation of the cloud computing environment; detecting a node representing a cybersecurity threat connected to the node representing the cloud entity; [0023][0040][0063][0068] (teaches creating a knowledge graph based on cloud entities, traversing the graph to detect a cybersecurity threat)
Giorgio teaches parsing a cloud log of the cloud computing environment to detect a data record, the data record including an attribute of the node representing the cloud entity; and generating a compact forensic event log including the detected data record. (Column 5 lines 38-50) (Column 6 lines 5-41)(Column 7 lines 4-48)(Column 9 line 32 to Column 10 line 28) (teaches parsing logs, and attributes of nodes and compressing logs including detected data records)
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to use the logs of Giorgio with the prior art because it provides more comprehensive and yet efficient data records.
As per claims 2, 12 Vajipayajula teaches the method of claim 1, further comprising: receiving an identifier of the cloud entity; and traversing the security graph further based on the received identifier to detect the node representing the cloud entity. [0023][0040][0063][0068] (teaches creating a knowledge graph based on cloud entities, including identifiers and attributes, and traversing it to detect a threat)
As per claims 3, 13. Vajipayajula teaches the method of claim 1, further comprising: detecting the data record further based on an identifier of the cybersecurity threat. [0023][0040][0063][0068] (teaches creating a knowledge graph and traversing it to detect a threat) (Vulnerability information and scores)
As per claims 4, 14 Giorgio teaches the method of claim 1, further comprising: generating the compact forensic event log in response to detecting that the node representing the cloud entity is connected to the node representing the cybersecurity threat. (Column 5 lines 38-50) (Column 6 lines 5-41)(Column 7 lines 4-48)(Column 9 line 32 to Column 10 line 28) (teaches parsing logs, and attributes of nodes, compressing logs, storing logs, threat detection, time periods, data records)
As per claims 5, 15 Giorgio teaches the method of claim 1, wherein the cloud log is any one of: a network log, and a role log. (Column 6 lines 5-10) (network log)
As per claims 6, 16 Vajipayajula teaches the method of claim 1, wherein the attribute is any one of: a unique identifier, an IP address, a workload type, a user account name, a role, and an authentication status. [0023][0040][0063][0068] (teaches creating a knowledge graph and traversing it to detect a threat and identify attributes) (IP address)
As per claims 7, 17 Vajipayajula teaches the method of claim 1, wherein the cybersecurity threat is any one of: a vulnerability, a misconfiguration, and an exploit. [0023][0040][0063][0068] (teaches creating a knowledge graph and traversing it to detect a threat) (Vulnerability information and scores)
As per claims 8, 18 Giorgio teaches the method of claim 1, further comprising: generating the compact forensic event log based on a plurality of cloud logs, each cloud log parsed to detect a data record including the attribute of the node representing the cloud entity. (Column 5 lines 38-50) (Column 6 lines 5-41)(Column 7 lines 4-48)(Column 9 line 32 to Column 10 line 28) (teaches parsing logs, and attributes of nodes, compressing logs, storing logs, threat detection, time periods, data records)
As per claims 9, 19 Giorgio teaches the method of claim 1, further comprising: storing the compact forensic event log in a storage; and storing a time-based portion of the cloud log in the storage. (Column 5 lines 38-50) (Column 6 lines 5-41)(Column 7 lines 4-48)(Column 9 line 32 to Column 10 line 28) (teaches parsing logs, and attributes of nodes, compressing logs, storing logs, threat detection, time periods, data records)
Claim(s) 20, 21 is/are rejected under 35 U.S.C. 103 as being unpatentable over Vajipayajula US 2019/0394225 in view of Giorgio US 11,057,414 in view of Salman US 2023/0088034.
As per claim 20, Salman teaches the method of claim 1 wherein the security graph represents they could computing environment according to a predefined schema. [0032][0046][0047] (teaches security graph representing according to graph construction overlay parameters) [0024][0025][0031] (represents cloud computing).
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to use the teachings of Salman with the prior art of record because it increases security awareness of kill chains.
As per claims 21. Salman teaches the method of claim 1 wherein detecting a node representing a cybersecurity threat connected to the node representing the cloud entity is based on the security graph. [0024][0025][0027][0031][0067][0071][0072] (teaches constructing a security graph with nodes where at least one node represents a cloud entity and detecting a threat from another node)
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to use the teachings of Salman with the prior art of record because it increases security awareness of kill chains.
Conclusion
THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHRISTOPHER BROWN whose telephone number is (571)272-3833. The examiner can normally be reached M-F 8-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on (571) 270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/CHRISTOPHER J BROWN/Primary Examiner, Art Unit 2439