DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Amendment / Arguments
Regarding the objection to claim 4 for minor informalities:
Applicant’s amendment is considered to have overcome the applied objection. As such, the objection has been withdrawn.
Regarding claims rejected under 35 USC 112(b):
Applicant’s amendment is considered to have overcome the applied rejections. As such, the rejections have been withdrawn.
Regarding claims rejected under 35 USC 102:
Applicant’s arguments, in view of the amended claim language, have been fully considered and are persuasive. Therefore, the rejection has been withdrawn. However, upon further consideration, a new ground(s) of rejection is made in view of Bettini (US 2013/0347094 A1).
Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.
The following is a quotation of pre-AIA 35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier. Such claim limitation(s) is/are: “a fuzzing system configured to perform a fuzzing operation” and “a test controller configured to (i) detect… (ii) generate and transmit” in claims 11-19.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof. For instance, [0044] of the instant specification stating that “[p]ortions of the IDS 208 are implemented within the vehicle 204 while other portions of the IDS 208 are implemented on one more remote servers… The fuzzing system, the system under test 220, and the test controller 224 may be considered components of the IDS 208 of the present disclosure” (e.g., FIG. 2 of the instant drawings). Likewise, [0027] of the instant specification recites “dedicated Intrusion Detection Systems (IDSs) implemented on one or more of the ECUs (e.g., on gateway ECUs),” while [0081] states that “[p]rocessor 520 may be configured to read into memory 522 and execute computer-executable instructions residing in non-volatile storage 516 and embodying one or more IDS methodologies of one or more embodiments.” Further, [0042]-[0043] of the instant specification provide example implementations for “a system.”
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, applicant may: (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1-4, 6-9, 10-16, and 19-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Flores (“Runtime vulnerability discovery as a service on Industrial Internet of Things (IIoT) systems”) in view of Bettini (US 2013/0347094 A1).
Regarding claim 1, Flores discloses: A method of operating an Intrusion Detection System (IDS) for monitoring a device, the method comprising:
performing a fuzzing operation on a software program being executed on a system under test (e.g., “FUZZER” in FIG. 1 and “Fuzzer Layer” in section IV.B of Flores), wherein the software program [corresponds to] a deployed software program (e.g., paragraph 2 in section V of Flores concerning post-deployment monitoring) on the device monitored by the IDS and the system under test is configured to emulate at least one system of the device (e.g., paragraph 3 in section IV and “virtualized environment” in FIG. 1 of Flores), the fuzzing operation comprising (i) supplying fuzzing inputs to the software program being executed on the system under test (e.g., the last paragraph in section II and paragraph 1 in section V.A of Flores), (ii) monitoring outputs of the software program while being executed on the system under test (e.g., sections IV.B and V.B of Flores concerning monitoring after providing fuzzed inputs), and (iii) detecting, based on the outputs, a vulnerability to intrusion in the software program caused by the supplying of the fuzzing inputs to the software program (e.g., sections IV.B and V.B of Flores concerning analysis and vulnerability discovery based on the monitoring);
generating and storing a vulnerability entry corresponding to the detected vulnerability, wherein the vulnerability entry includes information identifying the detected vulnerability (e.g., the last paragraph in section V.B of Flores concerning creating a vulnerability discovery report using STIX); and
updating, based on the vulnerability entry, at least one of (i) a component of the IDS and (ii) a code portion of the deployed software program (e.g., merely updating a vulnerability database as in the last paragraphs of IV.B and V.B is considered to disclose this claim limitation, since “a component of the IDS” may be its vulnerability database; additionally, refer to at least the abstract and section I of Flores with respect to a software patch being produced to fix issues detected during a software test).
Flores does not specify: wherein the system under test is separate from and external to the device monitored by the IDS; the software program corresponding to the deployed software program further comprising that the software program is an emulated version of the deployed software program. However, Flores in view of Bettini discloses: wherein the system under test is separate from and external to the device monitored by the IDS;
Refer to at least FIG. 1 of Bettini with respect to an application screen platform 116, an instrumented emulation engine 108, and monitored devices 120, 122, and 124.
the software program corresponding to the deployed software program further comprising that the software program is an emulated version of the deployed software program.
Refer to at least [0083]-[0084] of Bettini with respect to performing dynamic analysis on an application using run-time emulation. Dynamic analysis can include fuzzing as in [0082] of Bettini.
The teachings of Bettini likewise concern software testing and vulnerabilities, and are considered to be within the same field of endeavor and combinable as such.
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of Flores to further implement a dedicated emulation environment for dynamic analysis because the particular known technique was recognized as part of the ordinary capabilities of one skilled in the art and allows for improved malware detection (e.g., [0031] of Bettini; also see paragraph 1 in section III of Flores concerning SAGE).
Regarding claim 2, Flores-Bettini discloses: The method of claim 1, wherein supplying the fuzzing inputs includes supplying fuzzing inputs that are configured to cause errors in at least one of a plurality of code portions of the software program.
Refer to at least paragraph 1 in section II, as well as to section VII.A of Flores concerning causing errors via software testing using the fuzzer.
Regarding claim 3, Flores-Bettini discloses: The method of claim 1, wherein generating and storing the vulnerability entry includes storing the vulnerability in a vulnerability database.
Refer to at least the last paragraph in section V.B, and to the second paragraph in section VI of Flores concerning data storage and vulnerability reports.
Regarding claim 4, Flores-Bettini discloses: The method of claim 1, wherein the vulnerability entry includes at least one of a software version of the software program, a hardware version being emulated by the system under test executing the software program, a time and date that the vulnerability was detected, the supplied fuzzing inputs, an identification of a fix for the detected vulnerability, and a hash of one or more values contained in the vulnerability entry.
Refer to at least the second-to-last paragraph in section V.B of Flores concerning the specific fuzz test and pattern that led to anomalous behavior being obtained as part of a procedure to exploit a possible new bug or vulnerability.
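As an added illustration (not part of this Office action, of the instant specification, or of Flores or Bettini), the following Python example mirrors the limitations of claims 1 and 4 as recited above: a fuzzing operation that (i) supplies inputs to a program executing on an emulated system under test, (ii) monitors its outputs, and (iii) detects a vulnerability from an anomalous output, followed by generation and storage of a vulnerability entry carrying the claim 4 fields (software version, emulated hardware version, time and date, the fuzzing input, a fix identification, and a hash over the entry) and an update of an IDS component derived from that entry. The message handler, its defect, the version labels, the seed frame, and the IDS rule format are all constructed for this example; the fix identifier is a placeholder.

```python
import hashlib
import json
import random
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

# Constructed labels for the emulated program and hardware (not from the record).
SOFTWARE_VERSION = "1.2.0"
EMULATED_HARDWARE = "gateway-ecu-rev-b"
# Constructed seed frame: 1-byte type 0x10, 1-byte declared length 3, payload "abc".
SEED_FRAME = bytes([0x10, 0x03]) + b"abc"


def emulated_message_handler(frame: bytes) -> bytes:
    """Stand-in for the deployed program executing on the emulated system under test.
    Constructed defect: it trusts the declared length byte instead of the real
    payload size, so a frame whose declared length exceeds the payload raises."""
    if len(frame) < 2:
        raise ValueError("frame too short")
    kind, length = frame[0], frame[1]
    payload = frame[2:2 + length]
    if length == 0:
        return bytes([kind, 0, 0])
    last = payload[length - 1]  # out of range when declared length > actual payload
    return bytes([kind, length, sum(payload) % 256, last])


@dataclass
class VulnerabilityEntry:
    """Fields of the claim 4 vulnerability entry; entry_hash covers all other fields."""
    software_version: str
    hardware_version: str
    detected_at: str
    fuzzing_input: str   # hex of the frame that triggered the anomaly
    anomaly: str         # what the output monitor observed
    fix_id: str          # identification of a fix (placeholder here)
    entry_hash: str = ""

    def compute_hash(self) -> str:
        fields = {k: v for k, v in asdict(self).items() if k != "entry_hash"}
        canonical = json.dumps(fields, sort_keys=True).encode()
        return hashlib.sha256(canonical).hexdigest()


def generate_fuzzing_inputs(seed_frame: bytes, iterations: int, seed: int):
    """Boundary values for the length byte first, then seeded single-byte mutations."""
    for value in (0, 1, len(seed_frame) - 2, len(seed_frame) - 1, 0xFF):
        yield bytes([seed_frame[0], value]) + seed_frame[2:]
    rng = random.Random(seed)
    for _ in range(iterations):
        mutated = bytearray(seed_frame)
        mutated[rng.randrange(len(mutated))] = rng.randrange(256)
        yield bytes(mutated)


def derive_ids_rule(frame: bytes) -> dict:
    """IDS component update: a rule flagging frames of the crashing type whose
    declared length exceeds the bytes actually present (the observed cause)."""
    return {"frame_type": frame[0], "declared_length_exceeds_payload": True}


def ids_flags(rules, frame: bytes) -> bool:
    """Apply the updated IDS rules to a frame seen on the monitored device."""
    if len(frame) < 2:
        return False
    actual_payload = len(frame) - 2
    return any(r["frame_type"] == frame[0] and frame[1] > actual_payload for r in rules)


def run_fuzzing_operation(iterations: int = 200, seed: int = 7):
    """Supply inputs, monitor outputs, detect anomalies, store one entry per
    distinct anomaly cause, and update the IDS rule set from each entry."""
    vulnerability_db = []   # the stored vulnerability entries
    ids_rules = []          # the IDS component updated from those entries
    seen_causes = set()
    for frame in generate_fuzzing_inputs(SEED_FRAME, iterations, seed):
        try:
            emulated_message_handler(frame)
            continue        # normal output: nothing to record
        except Exception as exc:
            cause = type(exc).__name__
        if cause in seen_causes:
            continue
        seen_causes.add(cause)
        entry = VulnerabilityEntry(
            software_version=SOFTWARE_VERSION,
            hardware_version=EMULATED_HARDWARE,
            detected_at=datetime.now(timezone.utc).isoformat(),
            fuzzing_input=frame.hex(),
            anomaly=f"unhandled {cause} on frame type 0x{frame[0]:02x}",
            fix_id="FIX-PLACEHOLDER",  # placeholder: no fix identified in this example
        )
        entry.entry_hash = entry.compute_hash()
        vulnerability_db.append(entry)
        ids_rules.append(derive_ids_rule(frame))
    return vulnerability_db, ids_rules


if __name__ == "__main__":
    db, rules = run_fuzzing_operation()
    for e in db:
        print(json.dumps(asdict(e), indent=2))
    print("IDS flags seed frame:", ids_flags(rules, SEED_FRAME))
```

The boundary-value inputs make the run deterministic: the frame with declared length 4 over a 3-byte payload is the first anomaly, and only one entry is stored because later mutations with the same cause are deduplicated.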
Regarding claim 6, it is rejected for substantially the same reasons as claim 1 above (i.e., the citations concerning a software patch).
Regarding claim 7, it is rejected for substantially the same reasons as claims 1 and 3-4 above (e.g., paragraph 2 on page 952 of Flores concerning information of previously executed tests).
Regarding claim 8, Flores-Bettini discloses: The method of claim 1, further comprising at least one of (i) generating an alarm in response to detecting the vulnerability and (ii) generating instructions to a user of the device in response to detecting the vulnerability.
Refer to at least section IV.B and the last paragraph in section VIII of Flores with respect to threat reports.
Regarding claim 9, Flores-Bettini discloses: The method of claim 1, further comprising, in response to detecting the vulnerability, (i) generating a fingerprint associated with an operating characteristic of the system under test during detection of the vulnerability and (ii) updating the IDS based on the fingerprint.
Refer to at least the first 2 paragraphs of section V.B of Flores with respect to measured parameters that are collected (e.g., events, timings, CPU load, memory consumption, and traffic). This information is passed to the STIX reports as per paragraphs 3-4.
Regarding claim 10, Flores-Bettini discloses: The method of claim 1, further comprising: detecting, by the IDS, an intrusion at the device; where the supplying the fuzzing inputs to the software program includes supplying the fuzzing inputs based on the detected intrusion at the device; and updating at least one of (i) the component of the IDS and (ii) the code portion of the deployed software program based on performance of the software program in response to the fuzzing inputs supplied to the software program.
Refer to at least [0158] and [0131] of Bettini with respect to intrusion detection monitoring which “can be used to… communicate with a mobile app analysis system, in order to, for example, identify the transfer of mobile apps on the network that are known or determined to be likely to be/or at risk of being affected by security, privacy, and/or other related issues or policy defined issues, or to identify communications coming from or going to mobile apps, that are affected by these same kinds of issues. Identification of issues of concern can be used by systems of this type to generate alerts or take other corrective or responsive action(s).”
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of Flores-Bettini to further implement a multi-stage analysis for at least the purpose of improving detection and reducing computation (i.e., targeted dynamic analysis for more likely true positives).
Regarding independent claim 11, it is substantially similar to elements of independent claim 1 above, and is therefore likewise rejected.
Regarding claims 12-16 and 19, they are substantially similar to elements of claims 1-4 and 6-9 above, and are therefore likewise rejected.
Regarding independent claim 20, it is substantially similar to elements of independent claim 1 above, and is therefore likewise rejected.
Claim(s) 5 and 17-18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Flores-Bettini as applied to claims 1-4, 6-9, 10-16, and 19-20 above, and further in view of Reyes (US 2009/0132999 A1).
Regarding claim 5, Flores does not specify: further comprising determining whether the detected vulnerability corresponds to a vulnerability to intrusion for the deployed software program being monitored by the IDS by at least one of (i) determining whether a software version of the software program corresponds to a software version of the deployed software program and (ii) determining whether the software version of the software program predates the software version of the deployed software program. However, Flores in view of Reyes discloses: further comprising determining whether the detected vulnerability corresponds to a vulnerability to intrusion for the deployed software program being monitored by the IDS by at least one of (i) determining whether a software version of the software program corresponds to a software version of the deployed software program and (ii) determining whether the software version of the software program predates the software version of the deployed software program.
Refer to at least the abstract, FIG. 1, [0017], [0020]-[0022], and [0024] of Reyes with respect to comparing outputs of an unpatched and a patched software application as part of investigating and remediating a vulnerability. The comparison determines correspondence between the outputs.
The teachings of Flores and Reyes both concern software testing and vulnerabilities, and are considered to be within the same field of endeavor and combinable as such.
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of Flores to further implement comparing different software versions in regards to fuzzed inputs for at least the reasons discussed in [0002]-[0007] of Reyes (i.e., improved patching, and making sure that patches function correctly).
Regarding claim 17, it is substantially similar to claim 5 above, and is therefore likewise rejected.
Regarding claim 18, it is substantially similar to elements of claims 11 and 9 above, and is therefore likewise rejected.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to VADIM SAVENKOV whose telephone number is (571)270-5751. The examiner can normally be reached 12PM-8PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey L Nickerson can be reached at (469) 295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Jeffrey Nickerson/Supervisory Patent Examiner, Art Unit 2432
/V.S/Examiner, Art Unit 2432