Prosecution Insights
Last updated: April 19, 2026
Application No. 18/221,833

HASH VALUE FILTERING FOR CONTROL FLOW INTEGRITY

Non-Final OA: §101, §103
Filed: Jul 13, 2023
Examiner: TRAN, KENNETH PHUOC
Art Unit: 2196
Tech Center: 2100 — Computer Architecture & Software
Assignee: Cisco Technology Inc.
OA Round: 1 (Non-Final)
Grant Probability: 20% (At Risk)
OA Rounds: 1-2
To Grant: 3y 9m
With Interview: 99%

Examiner Intelligence

Grants only 20% of cases
Career Allow Rate: 20% (1 granted / 5 resolved; -35.0% vs TC avg)

Strong +100% interview lift
Interview Lift: +100.0% (resolved cases with interview)

Typical timeline
Avg Prosecution: 3y 9m (40 currently pending)

Career history
Total Applications: 45 (across all art units)

Statute-Specific Performance

§101: 23.1% (-16.9% vs TC avg)
§103: 59.6% (+19.6% vs TC avg)
§102: 7.1% (-32.9% vs TC avg)
§112: 8.9% (-31.1% vs TC avg)
Based on career data from 5 resolved cases

Office Action

§101 §103
DETAILED ACTION

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement

The information disclosure statement (IDS) submitted on 07/13/2023 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Examiner’s Note

The Examiner cites particular columns, paragraphs, figures, and line numbers in the references as applied to the claims below for the convenience of the applicant. Although the specified citations are representative of the teachings in the art and are applied to the specific limitations within the individual claim, other passages and figures may also apply. It is respectfully requested that, in preparing responses, the Applicant fully consider the references in their entirety as potentially teaching all or part of the claimed invention, as well as the context of the passage as taught by the prior art or disclosed by the Examiner.

Claim Rejections - 35 USC § 101

35 U.S.C. 101 reads as follows:

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1-20 are rejected under 35 U.S.C. 101 as being directed to an abstract idea without significantly more.

Regarding claim 1:

At step 1, the claim is directed to a method which is a statutory category of invention.

At step 2A, prong one, the limitation of “determining an observation phase for observing execution of processes on the computing system”, as drafted, covers performance of the mind but for recitation of generic computer components. That is, nothing in the claim element precludes the step from practically being performed in the mind.
For example, a human could determine when to perform the observing in the mind, encompassing an observation, evaluation, and judgement.

The limitation of “generating a control flow directed graph representing execution sequences of an application based on the telemetry”, as drafted, covers performance of the mind but for recitation of generic computer components. That is, nothing in the claim element precludes the step from practically being performed in the mind. For example, a human could feasibly generate the CFDG on paper by examining the execution data, identifying execution sequences, and sketching the corresponding CFDG on paper, encompassing an observation, evaluation, and judgement.

The limitation of “determining a hash table with entries representing hash values for sequences of transitions within the control flow directed graph”, as drafted, covers performance of the mind but for recitation of generic computer components. That is, nothing in the claim element precludes the step from practically being performed in the mind. For example, a human with the aid of pen and paper could feasibly examine the CFDG, mentally group sequences of transitions, and assign representative hash values, encompassing an observation, evaluation, and judgement.

The limitation of “determining a monitoring phase based at least in part on the control flow directed graph”, as drafted, covers performance of the mind but for recitation of generic computer components. That is, nothing in the claim element precludes the step from practically being performed in the mind. For example, a human could determine when to perform the monitoring in the mind, encompassing an observation, evaluation, and judgement.

The limitation of “monitoring transfers of instruction pointers at the computing system”, as drafted, covers performance of the mind but for recitation of generic computer components.
That is, nothing in the claim element precludes the step from practically being performed in the mind. For example, “monitoring” encompasses an observation and evaluation.

The limitation of “determining a rolling hash associated with the transfers”, as drafted, covers performance of the mind but for recitation of generic computer components. That is, nothing in the claim element precludes the step from practically being performed in the mind. For example, a human with the aid of pen and paper could assign the transfers representative rolling hash values, encompassing an observation, evaluation, and judgement.

The limitation of “determining a validity of the transfers based at least in part on the rolling hash and the hash table”, as drafted, covers performance of the mind but for recitation of generic computer components. That is, nothing in the claim element precludes the step from practically being performed in the mind. For example, a human with the aid of pen and paper could utilize the rolling hash and check the information against the hash table to determine transfer validity, encompassing an observation, evaluation, and judgement.

At step 2A, prong two, the limitation of "determining telemetry, during the observation phase, representing execution of the processes", as drafted, under its broadest reasonable interpretation, is nothing more than insignificant extra solution activities which is not a practical application under prong 2.

At step 2B, the limitation of "determining telemetry, during the observation phase, representing execution of the processes", as drafted, amounts to well-understood, routine, conventional activity. The courts have found that the performance of basic computer functions such as gathering, displaying, updating, transmitting, and storing data cannot amount to significantly more than the judicial exception (TLI Communications LLC v. AV Auto. LLC, 823 F.3d 607, 614, 118 USPQ2d 1744, 1748 (Fed. Cir. 2016)). See MPEP 2106.05(d).
For example, “determining telemetry” in the context of this claim encompasses gathering data.

Considering the additional elements individually and in combination and the claim as a whole, the additional elements do not provide significantly more than the judicial exception. The claim is not patent eligible.

Claim 8 recites similar limitations as those of claim 1, directed towards a system, additionally reciting one or more processors and one or more non-transitory computer-readable media storing computer-executable instructions.

At step 2A, prong two, the limitations of "one or more processors and one or more non-transitory computer-readable media storing computer-executable instructions", as drafted, does not integrate the judicial exception into a practical application. The additional elements are recited at a high-level of generality such that it amounts to no more than mere instructions to apply the exception using generic computer, and/or mere computer components.

At step 2B, the limitations of "one or more processors and one or more non-transitory computer-readable media storing computer-executable instructions", as drafted, amounts to no more than mere instructions, or generic computer/computer components to carry out the exception. The recitation of generic computer instruction and computer components to apply the judicial exception do not amount to significantly more, thus, cannot provide an inventive concept.

Considering the additional elements individually and in combination and the claim as a whole, the additional elements do not provide significantly more than the judicial exception. The claim is not patent eligible.

Claim 15 recites similar limitations as those of claim 1, directed towards a manufacture, additionally reciting one or more non-transitory computer-readable media storing computer-readable instructions.

At step 2A, prong two, the limitations of “one or more non-transitory computer-readable media storing computer-executable instructions", as drafted, does not integrate the judicial exception into a practical application. The additional elements are recited at a high-level of generality such that it amounts to no more than mere instructions to apply the exception using generic computer, and/or mere computer components.

At step 2B, the limitations of "one or more non-transitory computer-readable media storing computer-executable instructions", as drafted, amounts to no more than mere instructions, or generic computer/computer components to carry out the exception. The recitation of generic computer instruction and computer components to apply the judicial exception do not amount to significantly more, thus, cannot provide an inventive concept.

Considering the additional elements individually and in combination and the claim as a whole, the additional elements do not provide significantly more than the judicial exception. The claim is not patent eligible.

Regarding claim 2:

At step 1, the claim is directed to a method which is a statutory category of invention.

At step 2A, prong one, the limitations of “determining a sequence of multiple transfers; determining a hash value of the rolling hash associated with the sequence of transfers; and determining that the sequence of multiple transfers is valid based on the hash value corresponding to an entry of the hash table” covers performance of the mind but for recitation of generic computer components. That is, nothing in the claim element precludes the steps from practically being performed in the mind. For example, a human could practically determine a sequence in the mind given the telemetry information. A human could further assign a hash value of the rolling hash associated with the sequence. A human could further determine validity in the mind by comparing the assigned hash value against the hash table.
Therefore, “determining” in this context encompasses an observation, evaluation, and judgement. The limitation recites additional mental processes which further limits the validity determination of claim 1 which can reasonably be performed in the human mind and is thus an additional mental process defined in the claims.

The claim does not include any additional element; thus, no limitation needs to be analyzed under step 2A, prong two, or step 2B. The claim is not patent eligible.

Claim 9 recites similar limitations as those of claim 2. Claim 9 is rejected for similar reasons as those of claim 2.

Claim 16 recites similar limitations as those of claim 2. Claim 16 is rejected for similar reasons as those of claim 2.

Regarding claim 3:

At step 1, the claim is directed to a method which is a statutory category of invention.

At step 2A, prong one, the claim is dependent on claim 1 which as discussed above recites an abstract idea. The limitation of “wherein generating the control flow directed graph is based on observed transfers during the observation phase, wherein the observed transfers during the observation phase are considered valid transfers” recites an additional mental process that further limits the generation of the CFDG of claim 1 which can reasonably be performed in the human mind and is thus an additional mental process defined in the claims.

The claim does not include any additional element, thus, no limitation that needs to be analyzed under prong 2 for practical application, or under step 2B for significantly more. The claim is not patent eligible.

Claim 11 recites similar limitations as those of claim 3. Claim 11 is rejected for similar reasons as those of claim 3.

Regarding claim 4:

At step 1, the claim is directed to a method which is a statutory category of invention.

At step 2A, prong one, the limitation of “determining one or more sequences of transitions based at least in part on the one or more sequences being traversed over a threshold number of times during the observation phase”, as drafted, covers performance of the mind but for recitation of generic computer components. That is, nothing in the claim element precludes the step from practically being performed in the mind. For example, a human with the aid of a pen and paper with information available to them could determine that a sequence is performed a particular threshold number of times during a particular time period, encompassing an observation, evaluation, and judgement.

The limitation of “determining one or more hash values associated with the one or more sequences”, as drafted, covers performance of the mind but for recitation of generic computer components. That is, nothing in the claim element precludes the step from practically being performed in the mind. For example, a human could assign each sequence a particular hash value, encompassing an observation, evaluation, and judgement.

The claim does not include any additional element; thus, no limitation needs to be analyzed under step 2A, prong two, or step 2B. The claim is not patent eligible.

Claim 10 recites similar limitations as those of claim 4. Claim 10 is rejected for similar reasons as those of claim 4.

Claim 17 recites similar limitations as those of claim 4. Claim 17 is rejected for similar reasons as those of claim 4.

Regarding claim 5:

At step 1, the claim is directed to a method which is a statutory category of invention.

At step 2A, prong one, the limitations of “determining a set of hash values from the hash table based on a start position within the control flow directed graph; determining a subset of the set of hash values based on a number of transitions included within the transfers; and determining the validity based on a subset of the rolling hash associated with the transfers corresponding to a hash value of the subset of the set of hash values” covers performance of the mind but for recitation of generic computer components. That is, nothing in the claim element precludes the step from practically being performed in the mind. For example, a human could feasibly retrieve a set of hash values from a hash table based on the entry point of the CFDG, further filter the set of hash values based on the number of transitions, and perform validity checks by comparing the rolling hash and the set of hash values, encompassing an observation, evaluation, and judgement.

The claim does not include any additional element; thus, no limitation needs to be analyzed under step 2A, prong two, or step 2B. The claim is not patent eligible.

Claim 12 recites similar limitations as those of claim 5. Claim 12 is rejected for similar reasons as those of claim 5.

Claim 18 recites similar limitations as those of claim 5. Claim 18 is rejected for similar reasons as those of claim 5.

Regarding claim 6:

At step 1, the claim is directed to a method which is a statutory category of invention.

At step 2A, prong one, the claim is dependent on claim 1 which as discussed above recites an abstract idea.
The limitation of “wherein the telemetry comprises central processing unit (CPU) telemetry, and wherein generating the control flow directed graph comprises normalizing the CPU telemetry into a control flow directed graph representation” recites an additional mental process that further limits the telemetry information and CFDG generation of claim 1 which can reasonably be performed in the human mind and is thus an additional mental process defined in the claims.

The claim does not include any additional element, thus, no limitation that needs to be analyzed under prong 2 for practical application, or under step 2B for significantly more. The claim is not patent eligible.

Claim 13 recites similar limitations as those of claim 6. Claim 13 is rejected for similar reasons as those of claim 6.

Claim 19 recites similar limitations as those of claim 6. Claim 19 is rejected for similar reasons as those of claim 6.

Regarding claim 7:

At step 1, the claim is directed to a method which is a statutory category of invention.

At step 2A, prong one, the claim is dependent on claim 6 which as discussed above recites an abstract idea. The limitation of “wherein determining the validity is based at least in part on identifying an instruction sequence in the CPU telemetry that is not present in the control flow directed graph”, as drafted, covers performance of the mind but for recitation of generic computer components. That is, nothing in the claim element precludes the step from practically being performed in the mind. For example, a human could determine validity by identifying that a particular sequence is not present in the CFDG, encompassing an observation, evaluation, and judgement.

At step 2A, prong two, the limitation of "wherein the monitoring phase is performed using a hardware device of the computing system", as drafted, does not integrate the judicial exception into a practical application.
The additional element is recited at a high-level of generality such that it amounts to no more than mere instructions to apply the exception using generic computer, and/or mere computer components.

At step 2B, the limitation of "wherein the monitoring phase is performed using a hardware device of the computing system", as drafted, amounts to no more than mere instructions, or generic computer/computer components to carry out the exception. The recitation of generic computer instruction and computer components to apply the judicial exception do not amount to significantly more, thus, cannot provide an inventive concept.

Considering the additional elements individually and in combination and the claim as a whole, the additional elements do not provide significantly more than the judicial exception. The claim is not patent eligible.

Claim 14 recites similar limitations as those of claim 7. Claim 14 is rejected for similar reasons as those of claim 7.

Claim 20 recites similar limitations as those of claim 7. Claim 20 is rejected for similar reasons as those of claim 7.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 8-9, 11, and 15-16 are rejected under 35 U.S.C. 103 as being unpatentable over Tshouva et al. (US 20200159553 A1) hereafter Tshouva in view of Zou et al. (US 20200236143 A1) hereafter Zou, further in view of Chan et al.
(US 20120023304 A1) hereafter Chan.

Regarding claim 1, Tshouva teaches:

determining an observation phase for execution of processes on the computing system (Paragraph 57; “Each of the intermediate code file(s) may be analyzed to identify the plurality of routines. Each intermediate code file may be further analyzed to identify one or more valid executions paths” requires the observation of execution behavior of processes or routines in the system. The analysis of intermediate code files represents an observation phase in which execution information is gathered.);

determining telemetry, during the observation phase, representing execution of the processes (Paragraph 57; “Each of the valid executions paths may describe a respective order of execution of one or more preceding routines executed prior to execution of a critical routine” where the order of execution of routines corresponds to telemetry representing execution of the processes, is determined and therefore corresponds to the claimed limitation.);

generating a control flow directed graph representing execution sequences of an application based on the telemetry (Paragraph 57; “For example, a Control flow Graph (CFG) may be generated for the intermediate code file(s) to identify the valid executions path(s) and the preceding routine(s).” A CFG is always a directed graph, therefore a CFG is always a CFDG.);

determining entries representing hash values for sequences of transitions within the control flow directed graph (Paragraph 59; “Moreover, the runtime execution sequence may be expressed by a rolling hash value calculated for the predefined number of most recently registered routines using the rolling hash function(s) used to calculate the rolling hash value(s) of the valid execution path(s).
The rolling hash value of the runtime execution sequence may be calculated and constantly updated for the unique identifiers of the current most recently registered routines” where maintaining multiple rolling hash values representing different execution sequences corresponds to determining a plurality of hash values for the sequences of transitions.);

determining a monitoring phase based at least in part on the control flow directed graph (Paragraph 99; “After the critical routine(s) are defined, the constructor 210 may analyze the CFG created for the intermediate code file(s) to identify all possible execution paths leading to execution of each of the critical routine(s) and mark them as valid. For example, the constructor 210 may create a valid execution dataset, for example, a list, a table, a record and/or the like mapping the identified valid execution path(s) leading to execution of the critical routine(s)” discloses using the CFG to determine and mark execution paths to critical routines which establishes which portions of program execution should be observed/validated. Selection and marking of valid execution paths derived from the CFG defines a phase of monitoring in the form of identifying sequences or conditions to monitor at runtime, where the monitoring is performed by the flow validation code segment as disclosed in Paragraph 32, “The flow validation code segment is configured to verify a match between the ordered pattern of the runtime execution sequence and the ordered pattern of at least one of valid execution path(s).”);

monitoring transfers of instruction pointers at the computing system (Paragraph 32; “The flow validation code segment is configured to verify a match between the ordered pattern of the runtime execution sequence and the ordered pattern of at least one of valid execution path(s)” monitors runtime execution by maintaining an ordered pattern representing the runtime execution sequence and comparing it to valid execution paths.
Each routine transition in the ordered pattern represents a transfer in the instruction pointer as execution proceeds between code locations.);

determining a rolling hash associated with the transfers (Paragraph 59; “Moreover, the runtime execution sequence may be expressed by a rolling hash value calculated for the predefined number of most recently registered routines using the rolling hash function(s) used to calculate the rolling hash value(s) of the valid execution path(s). The rolling hash value of the runtime execution sequence may be calculated and constantly updated for the unique identifiers of the current most recently registered routines” teaches calculating a rolling hash value that represents the runtime execution sequence which is updated based on the most recently executed changes. Each change in the runtime sequence corresponds to a transfer, thus the rolling hash is determined and associated with each transfer.);

determining a validity of the transfers based at least in part on the rolling hash (Paragraph 57; “For example, a Control flow Graph (CFG) may be generated for the intermediate code file(s) to identify the valid executions path(s) and the preceding routine(s). In order to identify each of the valid execution path(s), each of the plurality of routines may be assigned with a unique identifier such that each of the valid execution path(s) may be represented by a respective ordered pattern concatenating the unique identifiers of the preceding routines identified to execute along the respective valid execution path” teaches that, during runtime, a rolling hash of the observed execution sequence is computed and compared to the stored valid hash values to verify correspondence.).

While Tshouva implies that observation occurs during execution, Tshouva does not explicitly teach that the observation occurs during execution; or a hash table.
However, Zou teaches: observing execution at runtime (Paragraph 172; “When testing algorithm 1325, the secured gateway software appliance (installed at data consumer system 1360) may monitor the behavior of data consumer system 1360 by monitoring various activities that occur at data consumer system 1360”).

Tshouva and Zou are considered to be analogous to the claimed invention because they are in the same field of control flow integrity. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Tshouva to incorporate the teachings of Zou and have performed the observation and monitoring at runtime. A person of ordinary skill in the art would have recognized that this would have yielded predictable benefits in validating real execution paths and detecting deviations during actual execution.

Tshouva in view of Zou does not teach a hash table. However, Chan teaches: a hash table (Paragraph 60; “Level 2 flow control 504 and level 3 flow control 506 may look up message objects by source and message ID or destination and message ID in message object hash table 610 for flow control, as will be further described. Message object hash table 610 may maintain hash values as indexes into each entry”).

Tshouva, Zou, and Chan are considered to be analogous to the claimed invention because they are in the same field of control flow integrity. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Tshouva in view of Zou to incorporate the teachings of Chan and incorporate a hash table.
A person of ordinary skill in the art would have understood that hash tables are a well-known data structure employed to enable efficient lookup, comparison, and storage of indexed values, and would have been motivated to use a hash table to quickly access and verify execution path data, yielding a predictable improvement in computational efficiency.

Claim 8 recites similar limitations as those of claim 1, additionally reciting one or more processors; and one or more non-transitory computer-readable media storing computer-executable instructions. Tshouva further teaches: one or more processors (Paragraph 53; “The executable file(s) may be executed by one or more processors of one or more devices, systems and/or platforms collectively designated device herein after.”); and one or more non-transitory computer-readable media storing computer-executable instructions (Paragraph 86; “The storage 206 used for storing data and/or program code may include one or more non-transitory memory devices”). Claim 8 is rejected for similar reasons as those of claim 1.

Claim 15 recites similar limitations as those of claim 1, additionally reciting one or more non-transitory computer-readable media storing computer-readable instructions. Tshouva further teaches: one or more non-transitory computer-readable media storing computer-readable instructions (Paragraph 86; “The storage 206 used for storing data and/or program code may include one or more non-transitory memory devices”). Claim 15 is rejected for similar reasons as those of claim 1.

Regarding claim 2, Tshouva in view of Zou, further in view of Chan teach the method of claim 1.
Tshouva further teaches: wherein determining the validity of the transfers comprises:

determining a sequence of multiple transfers (Paragraph 58; “The intermediate code file(s) may be adjusted to include a registration code segment configured to register each of the plurality of routines in a runtime execution sequence upon execution of the respective routine. In particular, the registration code segment may be configured to register the respective routine by appending the unique identifier of the respective routine to the runtime execution sequence”, where each addition to the runtime execution sequence corresponds to a transfer event, therefore determining the runtime execution sequence includes determining a sequence of multiple transfers.);

determining a hash value of the rolling hash associated with the sequence of transfers (Paragraph 59; “Moreover, the runtime execution sequence may be expressed by a rolling hash value calculated for the predefined number of most recently registered routines using the rolling hash function(s) used to calculate the rolling hash value(s) of the valid execution path(s). The rolling hash value of the runtime execution sequence may be calculated and constantly updated for the unique identifiers of the current most recently registered routines” explicitly discloses a calculation, corresponding to a determination, of a hash value of the rolling hash associated with the sequence of transfers.); and

determining that the sequence of multiple transfers is valid based on the hash value (Paragraph 61; “the flow validation code segment may be configured to apply one or more pattern matching methods, technique and/or algorithms for matching the runtime execution sequence to the ordered patterns of the valid execution path(s).
In particular, in case of expressing the valid execution path(s) and the runtime execution sequence using the rolling hash values, the flow validation code segment may be configured to match between the rolling hash value calculated for the runtime execution sequence, in particular for the predefined number of most recently executed routines and the hash value(s) calculated for each of the valid execution path(s)” teaches the validity check based on the hash value corresponding to the expected hash.).

Chan teaches: a hash table (Paragraph 60; “Level 2 flow control 504 and level 3 flow control 506 may look up message objects by source and message ID or destination and message ID in message object hash table 610 for flow control, as will be further described. Message object hash table 610 may maintain hash values as indexes into each entry”).

Claim 9 recites similar limitations as those of claim 2. Claim 9 is rejected for similar reasons as those of claim 2.

Claim 16 recites similar limitations as those of claim 2. Claim 16 is rejected for similar reasons as those of claim 2.

Regarding claim 3, Tshouva in view of Zou, further in view of Chan teaches the method of claim 1. Tshouva further teaches: wherein generating the control flow directed graph is based on observed transfers during the observation phase, wherein the observed transfers during the observation phase are considered valid transfers (Paragraph 57; “For example, a Control flow Graph (CFG) may be generated for the intermediate code file(s) to identify the valid executions path(s) and the preceding routine(s).
In order to identify each of the valid execution path(s), each of the plurality of routines may be assigned with a unique identifier such that each of the valid execution path(s) may be represented by a respective ordered pattern concatenating the unique identifiers of the preceding routines identified to execute along the respective valid execution path” teaches identifying valid execution paths composed of transfers between routines. Each execution path corresponds to a sequence of control transfers observed. The created CFG is therefore based on the transfers which are identified as valid execution paths.).

Claim 11 recites similar limitations as those of claim 3. Claim 11 is rejected for similar reasons as those of claim 3.

Claims 4, 10, and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Tshouva in view of Zou, further in view of Chan, further in view of Nakaike (US 20150149988 A1), further in view of Mallon et al. (US 20210326413 A1) hereafter Mallon.

Regarding claim 4, Tshouva in view of Zou, further in view of Chan teach the method of claim 1. Tshouva further teaches: determining one or more sequences of transitions (Paragraph 58; “The intermediate code file(s) may be adjusted to include a registration code segment configured to register each of the plurality of routines in a runtime execution sequence upon execution of the respective routine. In particular, the registration code segment may be configured to register the respective routine by appending the unique identifier of the respective routine to the runtime execution sequence” corresponds to determining one or more sequences of transitions.).

Tshouva in view of Zou, further in view of Chan does not teach being based at least in part on the one or more sequences being traversed over a threshold number of times during the observation phase.
However, Nakaike teaches: based at least in part on the one or more sequences being traversed over a number of times during the observation phase (Paragraph 160; “In step 306, the computer (101) obtains execution frequency information by using the control flow graph modified in step 305. In the case where step 305 is not carried out, the computer (101) obtains execution frequency information by using the control flow graph prepared in step 303.”).

Tshouva, Zou, Chan, and Nakaike are considered to be analogous to the claimed invention because they are in the same field of control flow integrity. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Tshouva in view of Zou further in view of Chan to incorporate the teachings of Nakaike and have the sequences of transitions determined at least in part on one or more of the sequences being traversed over a number of times during the observation phase. A person of ordinary skill in the art would have recognized frequency of execution as a known and predictable indicator of importance, relevance, or abnormality in runtime behavior. Motivation to use traversal frequency to determine sequences of transitions would come from the goal of prioritizing frequently executed paths for validation, yielding expected improvements in performance analysis and system efficiency.

Tshouva in view of Zou, further in view of Chan, further in view of Nakaike does not teach a threshold.

However, Mallon teaches: a threshold (Paragraph 15; “For example, in an embodiment the first variable may be selected from a set of variable that have small liveness regions, e.g., that at most a threshold number of blocks. The threshold may be, say, 2, 4, or the like.”).

Tshouva, Zou, Chan, Nakaike, and Mallon are considered to be analogous to the claimed invention because they are in the same field of control flow integrity.
Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Tshouva in view of Zou further in view of Chan further in view of Nakaike to incorporate the teachings of Mallon and incorporate a threshold as thresholds are a well-known technique for filtering, triggering, or decision-making, with the expected and predictable improvement of distinguishing significant events or values from normal variation.

Claim 10 recites similar limitations as those of claim 4. Claim 10 is rejected for similar reasons as those of claim 4.

Claim 17 recites similar limitations as those of claim 4. Claim 17 is rejected for similar reasons as those of claim 4.

Claims 5, 12, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Tshouva in view of Zou, further in view of Chan, further in view of Ghose (US 9767284 B2), further in view of Venkatesan et al. (US 20040225996 A1) hereafter Venkatesan.

Regarding claim 5, Tshouva in view of Zou, further in view of Chan teaches the method of claim 1.

Chan teaches: determining a set of hash values from the hash table (Paragraph 60; “Level 2 flow control 504 and level 3 flow control 506 may look up message objects by source and message ID or destination and message ID in message object hash table 610 for flow control, as will be further described. Message object hash table 610 may maintain hash values as indexes into each entry”).
Tshouva teaches: determining a subset of the set of hash values (Paragraphs 58-59; “The runtime execution sequence may be therefore implemented as a sliding window comprising the unique identifiers of a predefined number of routines most recently executed and hence most recently registered”, where the sliding window comprising the unique identifiers of a predefined number of routines whose runtime execution sequence is “expressed by a rolling hash value calculated for the predefined number of most recently registered routines using the rolling hash function(s) used to calculate the rolling hash value(s) of the valid execution path(s)” corresponds to a subset of the set of hash values)

determining the validity based on a subset of the rolling hash associated with the transfers corresponding to a hash value of the subset of the set of hash values (Paragraphs 59-61; “Moreover, the runtime execution sequence may be expressed by a rolling hash value calculated for the predefined number of most recently registered routines using the rolling hash function(s) used to calculate the rolling hash value(s) of the valid execution path(s)”. Further, “the flow validation code segment may be configured to match between the rolling hash value calculated for the runtime execution sequence, in particular for the predefined number of most recently executed routines and the hash value(s) calculated for each of the valid execution path(s).”).

Tshouva in view of Zou further in view of Chan does not teach the determination being based on a start position within the control flow directed graph; or based on a number of transitions included within the transfers.

However, Ghose teaches: based on a start position within the control flow directed graph (Col.
15, lines 56-60; “Each legal flow path within a single execution module may be specified as a segment from an entry point or instruction that can change the flow of control to a next instruction that can change the flow of control, and wherein each segment has a predetermined reference signature.”).

Tshouva, Zou, Chan, and Ghose are considered to be analogous to the claimed invention because they are in the same field of control flow integrity. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Tshouva in view of Zou further in view of Chan to incorporate the teachings of Ghose and have the set of hash values be determined based on the start position within the CFDG. A person of ordinary skill in the art would have recognized that anchoring computation to a known starting node, such as the entry point of instruction in a graph, would be a predictable method of maintaining consistency and context when representing execution paths, thereby improving accuracy in path validation and comparison.

Tshouva in view of Zou further in view of Chan further in view of Ghose does not teach based on a number of transitions included within the transfers.

However, Venkatesan teaches: based on a number of transitions included within the transfers (Paragraph 114; “Here is heuristic based upon the above illustration of "random walk": Let R be the undirected graph whose vertices are the nodes of the CFG and which has an edge on a vertex pair if and only if the corresponding vertex pair in the CFG has a (directed) control flow edge, in either direction. Clearly, R is a graph with maximum degree three. It starts at the original node w, and at any node x, takes one of the dx edges with uniform probability. (dx is the degree of x).
It aborts when it encounters a procedure boundary (call or branch to another procedure) or when the path length crosses a pre-determined limit”, where the path length corresponds to the applicant’s number of transitions).

Tshouva, Zou, Chan, Ghose, and Venkatesan are considered to be analogous to the claimed invention because they are in the same field of control flow integrity. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Tshouva in view of Zou further in view of Chan further in view of Ghose to incorporate the teachings of Venkatesan and have determined a subset of the set of hash values based on the number of transitions within the transfers. A person of ordinary skill in the art would have recognized that filtering data according to path length or transition count is a known and predictable technique for managing computational complexity and focusing analysis on relevant code segments, yielding the predictable improvement of balancing accuracy and efficiency.

Claim 12 recites similar limitations as those of claim 5. Claim 12 is rejected for similar reasons as those of claim 5.

Claim 18 recites similar limitations as those of claim 5. Claim 18 is rejected for similar reasons as those of claim 5.

Claims 6-7, 13-14, and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Tshouva in view of Zou, further in view of Chan, further in view of Martinez et al. (US 20230047295 A1) hereafter Martinez.

Regarding claim 6, Tshouva in view of Zou, further in view of Chan teaches the method of claim 1.

Tshouva teaches: wherein generating the control flow directed graph comprises normalizing the telemetry into a control flow directed graph representation (Paragraph 57; “For example, a Control flow Graph (CFG) may be generated for the intermediate code file(s) to identify the valid executions path(s) and the preceding routine(s).
In order to identify each of the valid execution path(s), each of the plurality of routines may be assigned with a unique identifier such that each of the valid execution path(s) may be represented by a respective ordered pattern concatenating the unique identifiers of the preceding routines identified to execute along the respective valid execution path”, where the respective ordered pattern corresponds to a form of normalized telemetry which concatenates unique identifiers of valid execution paths.).

Tshouva in view of Zou further in view of Chan does not teach wherein the telemetry comprises central processing unit (CPU) telemetry.

However, Martinez teaches: wherein the telemetry comprises central processing unit (CPU) telemetry (Paragraph 27; “The telemetry unit 121 may be responsible for obtaining, processing, and/or storing information received regarding computer resources 160a-n. Non-limiting examples of computer resources 160a-n include a CPU, a GPU, and a VPU”).

Tshouva, Zou, Chan, and Martinez are considered to be analogous to the claimed invention because they are in the same field of telemetry analysis. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Tshouva in view of Zou further in view of Chan to incorporate the teachings of Martinez and have the telemetry comprise CPU telemetry. A person of ordinary skill in the art would have recognized that monitoring processor-specific metrics is a well-known and predictable means of characterizing system performance and execution state, and would have been motivated to include such CPU telemetry to obtain greater visibility into program execution and resource usage, yielding the predictable improvement of improving accuracy of runtime monitoring and control flow analysis.

Claim 13 recites similar limitations as those of claim 6. Claim 13 is rejected for similar reasons as those of claim 6.
Claim 19 recites similar limitations as those of claim 6. Claim 19 is rejected for similar reasons as those of claim 6.

Regarding claim 7, Tshouva in view of Zou, further in view of Chan, further in view of Martinez teaches the method of claim 6.

Tshouva teaches: wherein the monitoring phase is performed using a hardware device of the computing system (Paragraph 47; “For example, hardware for performing selected tasks according to embodiments of the invention could be implemented as a chip or a circuit”);

wherein determining the validity is based at least in part on identifying an instruction sequence in the telemetry that is not present in the control flow directed graph (Paragraphs 57-60; “On the other hand, in case the runtime execution sequence does not match any of the valid execution path(s) associated with the respective critical routine, the validation code segment may determine that the runtime execution path is invalid and that the processor(s)’ control flow may be compromised”, where the runtime execution sequence not matching any valid execution path corresponds to identifying an instruction sequence in telemetry that is not present in the CFG. The CFG is further disclosed to identify valid execution paths in Paragraph 57, “For example, a Control flow Graph (CFG) may be generated for the intermediate code file(s) to identify the valid executions path(s) and the preceding routine(s)”).

Martinez teaches: CPU telemetry (Paragraph 27; “The telemetry unit 121 may be responsible for obtaining, processing, and/or storing information received regarding computer resources 160a-n. Non-limiting examples of computer resources 160a-n include a CPU, a GPU, and a VPU”).

Claim 14 recites similar limitations as those of claim 7. Claim 14 is rejected for similar reasons as those of claim 7.

Claim 20 recites similar limitations as those of claim 7. Claim 20 is rejected for similar reasons as those of claim 7.
Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Henriksen et al. (US 9639351 B2) discusses matching and attributing code violations using a graph of the snapshots of the code base utilizing a rolling hash function for a fixed window representing a subset of the sequence.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to KENNETH P TRAN whose telephone number is (571)272-6926. The examiner can normally be reached M-TH 5:30 a.m. - 2 p.m. PT, F 5:30 a.m. - 9:30 a.m. PT, or at Kenneth.Tran@uspto.gov.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, April Blair can be reached at (571) 270-1014. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/KENNETH P TRAN/Examiner, Art Unit 2196
/APRIL Y BLAIR/Supervisory Patent Examiner, Art Unit 2196
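The combination the rejection discusses (a rolling hash over a sliding window of recently executed routine identifiers, matched against a table of hashes for valid paths, with sequences kept only if traversed over a threshold number of times during the observation phase) can be sketched as below. This is an added illustration, not code from the application or from any cited reference; the routine identifiers, window width, threshold and hash parameters are constructed assumptions.

```python
from collections import Counter, deque

BASE, MOD = 1_000_003, (1 << 61) - 1  # constructed polynomial-hash parameters

class WindowHash:
    """Rolling (Rabin-Karp style) hash over the last `width` routine identifiers."""
    def __init__(self, width):
        self.width, self.window, self.value = width, deque(), 0
        self.top = pow(BASE, width - 1, MOD)  # weight of the oldest identifier

    def push(self, routine_id):
        """Register one executed routine; return the hash once the window is full."""
        if len(self.window) == self.width:
            oldest = self.window.popleft()
            self.value = (self.value - oldest * self.top) % MOD
        self.window.append(routine_id)
        self.value = (self.value * BASE + routine_id) % MOD
        return self.value if len(self.window) == self.width else None

def window_hashes(trace, width):
    """Yield (position, hash, window) for every full window in a trace."""
    roller = WindowHash(width)
    for pos, rid in enumerate(trace):
        h = roller.push(rid)
        if h is not None:
            yield pos, h, tuple(roller.window)

def observe(traces, width, threshold):
    """Observation phase: keep hashes of windows traversed more than `threshold` times."""
    counts = Counter(h for t in traces for _, h, _ in window_hashes(t, width))
    return {h for h, n in counts.items() if n > threshold}

def monitor(trace, width, allowed):
    """Monitoring phase: report windows whose hash is absent from the table."""
    return [(pos, win) for pos, h, win in window_hashes(trace, width)
            if h not in allowed]

# Constructed sample: 1=main 2=parse 3=auth 4=handler 5=log
OBSERVED = [[1, 2, 3, 4, 5]] * 5 + [[1, 2, 5]]  # common path x5, rare path x1
ALLOWED = observe(OBSERVED, width=3, threshold=2)

if __name__ == "__main__":
    print(monitor([1, 2, 3, 4, 5], 3, ALLOWED))  # observed path
    print(monitor([1, 2, 4, 5], 3, ALLOWED))     # transfer never observed
    print(monitor([1, 2, 5], 3, ALLOWED))        # observed, but below threshold
```

The table stores hashes only, so a match is probabilistic: two different windows can collide, which trades exactness for a constant-time lookup per transfer.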

Prosecution Timeline

Jul 13, 2023: Application Filed
Nov 14, 2025: Non-Final Rejection — §101, §103
Mar 02, 2026: Interview Requested
Mar 11, 2026: Examiner Interview Summary

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12602250: LCS RESOURCE DEVICE UTILIZATION SYSTEM (2y 5m to grant; granted Apr 14, 2026)
Study what changed to get past this examiner. Based on 1 most recent grants.

Prosecution Projections

Expected OA Rounds: 1-2
Grant Probability: 20%
With Interview: 99% (+100.0%)
Median Time to Grant: 3y 9m
PTA Risk: Low
Based on 5 resolved cases by this examiner. Grant probability derived from career allow rate.
