Detailed Action
This final office action is in response to the reply filed 12/05/2025, in which no claims have been amended, no claims have been cancelled, and claims 1-19 and 20 remain pending in the application.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Arguments/Remarks
The Applicant's argument (remark pages 3-4):
“the invention preserves the execution state of the attacked process (avoiding costly actions that negatively affect performance per para 0001 - noting a VM migration greatly, negatively affects performance and does not operate on the process level, but on the application level) while silently breaking its access to sensitive data (e.g., isolation)-an important property neither Browne nor Drissi teaches or suggests.”.
The Examiner respectfully disagrees, and the argument is not persuasive, because there is no recitation of “the invention preserves the execution state of the attacked process (avoiding costly actions that negatively affect performance… noting a VM migration greatly, negatively affects performance and does not operate on the process level, but on the application level) while silently breaking its access to sensitive data (e.g., isolation)”.
The Applicant's argument (remark pages 4-5):
“A. Browne Does Not Teach or Suggest the Claimed Process Migration Architecture
Nothing in Browne teaches monitoring process execution state, let alone preserving that state for migration… Browne's architecture is incapable of performing the claimed step: migrating the process to execute in a second computing location isolated from the first computing location.”.
The Examiner respectfully agrees because not only does Browne teach corrective action that includes killing the suspicious application, deleting those associated with the suspicious application, etc. (see par. 29 and abstract of Browne), but the 103 rejection relied on Drissi to teach the limitation “migrating the process to execute in a second computing location isolated from the first computing location.”. Moreover, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references. In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., Inc., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).
The Applicant's argument (remark pages 5-6):
“B. Drissi Does Not Cure Browne's Deficiencies
Drissi never teaches or suggests: migrating a running process; preserving an execution state of a running process, migrating the process from a first computing location on a computing device; migrating the process to a second computing location that is isolated from the first; or "breaking access" to information located at the first computing location…. Drissi neither teaches nor suggests the key claim feature: "initiating an attack countermeasure by migrating the process ... thereby breaking access to information at the first computing location."”.
The Examiner respectfully disagrees, and the argument is not persuasive, because there is no recitation of limitations that suggest a running process; preserving an execution state of a running process (emphasis italic). Drissi does teach initiating an attack countermeasure by migrating the process to execute in a second computing location isolated from the first computing location, thereby breaking access to information at the first computing location. (See Drissi Col.9 lines 37-45: “Implementing (initiating) at least one of the suggested actions or countermeasures (the process) can comprise performing moving target actions including at least one of migrating an application or a workload and rebuilding a software image; performing a quarantine action; and performing a scaling back action. The moving target actions can comprise changing IP addresses, and migrating an application or a workload can comprise migrating the application or workload from one virtual machine (the first computing location) to another virtual machine (a second computing location) or from one CPU to another CPU.” The Examiner interprets the migration of one virtual machine as the first computing location and another virtual machine as the second computing location).
Furthermore, regarding the Applicant's argument:
“Drissi does not describe (because of the technology used): unmapping pages of the prior memory, revoking data access, breaking shared memory links, isolating the migrated entity, guaranteeing the workload cannot access prior host memory, or discarding or sealing sensitive data, which is fatal to the attempted mapping to "thereby breaking access to information in the first computing location."”.
The Examiner respectfully disagrees, and the argument is not persuasive, because there is no recitation of limitations that suggest unmapping pages of the prior memory, revoking data access, breaking shared memory links, ...guaranteeing the workload cannot access prior host memory, or discarding or sealing sensitive data. Drissi does teach "thereby breaking access to information in the first computing location.". (See Drissi Col.9 lines 37-45: “migrating an application or a workload can comprise migrating the application or workload from one virtual machine (the first computing location) to another virtual machine (a second computing location) or from one CPU to another CPU.” The Examiner interprets the migration of one virtual machine as the first computing location and another virtual machine as the second computing location).
The Applicant's argument (remark pages 7-8):
“C. Browne and Drissi Are Incompatible and Would Not Reasonably Be Combined
The Office Action asserts that it would have been obvious to combine Browne's attack detection with Drissi's workload migration.
3. Browne teaches away from sandboxing and migration.
Drissi does not address process-level countermeasures against cache side-channel attacks.
4. The combination does not result in the claimed invention.
Even if Browne and Drissi were combined (they should not be), the resulting system would still not: migrate the same running process, maintain execution state, isolate the process from the first computing location, or break access to information at the first computing location.”.
The Examiner respectfully disagrees, and the argument is not persuasive, because Browne and Drissi are analogous art from the same field of endeavor, and it would be reasonable to combine them to migrate the process from one virtual machine to another virtual machine in order to isolate the first computing location from the second computing location.
The Browne reference uses corrective action manager 326 for corrective actions including killing a process associated with a suspicious application's activity (see par. 33 and element 422 of fig. 4). Drissi is used to teach the migration limitation (initiating an attack countermeasure by migrating the process to execute in a second computing location isolated from the first computing location, thereby breaking access to information at the first computing location).
The combination does result in the claimed invention, which is “migrating the process to execute in a second computing location isolated from the first computing location, thereby breaking access to information at the first computing location.”. In the claimed invention there is no recitation of limitations that suggest migrating the same running process or maintaining execution state.
The Applicant's argument (remark page 9):
“D. Neither Browne nor Drissi Teaches the Claimed Process Migration Countermeasure
Claim 1 requires: "migrating the process ... to a second computing location isolated from the first computing location, thereby breaking access to information at the first computing location." No cited reference teaches (alone or in combination): migrating a process (not workload, VM, or application), preserving execution state, isolating the migrated process from its prior data, breaking its access to the first location, or silently continuing execution after mitigation…
Browne does not teach monitoring a process at all…
Browne cannot satisfy the first limitation of claim 1 ("monitoring a process being executed from a first computing location")…”.
The Examiner respectfully disagrees, and the argument is not persuasive, because there is no recitation of limitations that suggest preserving execution state, isolating the migrated process from its prior data, or silently continuing execution after mitigation. Drissi does teach the claimed process migration countermeasure. (See Drissi Col.9 lines 37-45: “Implementing (initiating) at least one of the suggested actions or countermeasures (the process) can comprise performing moving target actions including at least one of migrating an application or a workload and rebuilding a software image; performing a quarantine action; and performing a scaling back action. The moving target actions can comprise changing IP addresses, and migrating an application or a workload can comprise migrating the application or workload from one virtual machine (the first computing location) to another virtual machine.”).
Browne does teach monitoring a process (see Browne par.0027: “The core activity monitor 302 is configured to receive activity (process) counter data from a monitored computing device 102, such as LLC 206 data, memory bandwidth data, or other activity data from the resource manager 210 of the computing device 102. The core activity monitor 302 is further configured to determine whether suspicious core activity exists based on the activity counter data.”).
Browne does satisfy the first limitation of claim 1, "monitoring a process being executed from a first computing location" (see Browne par.0027: “The core activity monitor 302 is configured to receive activity (process) counter data from a monitored computing device 102 (first computing location), such as LLC 206 data, memory bandwidth data, or other activity data from the resource manager 210 of the computing device 102. The core activity monitor 302 is further configured to determine whether suspicious core activity exists based on the activity counter data.”).
Conclusion: Browne in view of Drissi discloses all the limitations of claim 1; therefore, the teaching of Browne in view of Drissi renders claim 1 obvious before the filing date of the claimed invention. See detailed rejection below.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-2, 18-19, 21 are rejected under 35 U.S.C. 103 as being unpatentable over Browne et al. (US-20190042739-A1, hereafter Browne), in further view of Drissi et al. (US-9129108-B2, hereafter Drissi).
Regarding claim 1, Browne discloses a method, comprising: (see fig 4 and par. 0035: “the analytics server 104 may execute a method 400 for cache side channel attack detection and mitigation.”),
monitoring a process being executed from a first computing location on a computing device for a trigger indicating a potential attack; (see Browne fig 3 and par. 0021: “the computing devices 102 and the analytics server 104 may be configured to transmit and receive data with each other and/or other devices of the system 100.”. Par. 0027: “The core activity monitor 302 is configured to receive activity counter data from a monitored computing device 102, such as LLC 206 data, memory bandwidth data, or other activity data from the resource manager 210 of the computing device 102. The core activity monitor 302 is further configured to determine whether suspicious core activity exists based on the activity counter data.”),
detecting the trigger indicating the potential attack; (see Browne fig 4 and par. 0036: “In block 406, the analytics server 104 receives analytics counter data from the monitored computing device 102. The analytics counter data may be embodied as any performance monitoring or resource management counter data that may be indicative of an active cache side channel attack. For example, the analytics counter data may be indicative of last-level cache (LLC) 206 occupancy, LLC 206 cache misses, memory bandwidth used, or other performance characteristics.”. Par. 0037: “In block 408, the analytics server 104 identifies suspicious core activity based on the activity counter data. Suspicious core activity is indicative of an active cache side channel attack and may include abnormal levels of LLC 206 occupancy, LLC 206 misses, memory bandwidth consumed, or other abnormal resource usage.” Par. 0038: “In block 414, the analytics server 104 identifies suspicious application activity based on the detection process.”), and
Browne appears to be silent; however, Drissi teaches
responsive to detecting the trigger indicating the potential attack: (see Drissi Col 9. lines 15-27: “Method steps and computer program operations comprise operating the secure governing data processing system to monitor operation of at least one governed data processing system to detect a deviation from modeled user and governed data processing system behavior and, upon detecting a deviation from the modeled behavior, taking proactive action to mitigate an occurrence of potential adverse result of an occurrence of a cyber-security threat. Taking proactive action can be accomplished by taking some action or instituting some counter-measure prior to having actual knowledge of a cause of the deviation from the modeled behavior, in order to disturb any malicious activity before it starts.”).
initiating an attack countermeasure by migrating the process to execute in a second computing location isolated from the first computing location, thereby breaking access to information at the first computing location. (See Drissi Col.9 lines 37-45: “Implementing at least one of the suggested actions or countermeasures can comprise performing moving target actions including at least one of migrating an application or a workload and rebuilding a software image; performing a quarantine action; and performing a scaling back action. The moving target actions can comprise changing IP addresses, and migrating an application or a workload can comprise migrating the application or workload from one virtual machine to another virtual machine or from one CPU to another CPU.” The Examiner interprets the migration of one virtual machine as the first computing location and another virtual machine as the second computing location).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention was made to combine Browne teaching “computing device for exploit detection and correction, the computing device comprising: a core activity monitor to (i) receive activity data from a monitored computing device and (ii) determine whether suspicious core activity exists based on the activity data, wherein the suspicious core activity is indicative of a cache side channel attack:”, (see Browne par. 0057), with Drissi teaching “Command and Control 102: In this step or process the proactive ( and reactive) decisions, made in the Decision Support step 104, are transformed into actions that are adapted to the governed system 200 and executed within the governed system 200. These actions may include fine-grained isolation and quarantine; server image rejuvenation and or a fast workload migration to another CPU or VM. In particular, the embodiments of the invention may include some or all of the following in order to execute the proactive command and control actions: perform 'moving target' actions (e.g., by moving applicants and/or data to another real or virtual platform); randomization of IP addresses; migrate VMs; rebuild server images (rejuvenation); take proactive and reactive; quarantine actions; migrate workloads and/or scale-back based on resource availability.”, (see Drissi Col.7 lines 35-49).
Regarding claim 2, Browne in view of Drissi teach the method of claim 1, Browne further teaches wherein the monitoring is performed, by a monitor system, within a secure environment. (See Browne fig 1 and par. 0026: “embodiment, the analytics server 104 establishes an environment 300 during operation. environment 300 includes a core activity monitor 302, an application activity monitor 304, and a corrective action manager 306. The various components of the environment 300 may be embodied as hardware, firmware, software, or a combination.”).
Regarding claim 18, Browne discloses a computing device, comprising: (see Browne par. 0014: “computing devices 102 in communication with an analytics server 104.”.),
a processor; (see Browne par. 0015: “a processor 120.”.),
a memory; (see Browne par. 0015: “Memory 124.”.),
instructions stored on the memory that when executed by the processor direct the computing device to: (see Browne par. 0012: “The disclosed embodiments may also be implemented as instructions carried by or stored on one or more transitory or non-transitory machine-readable (e.g., computer-readable) storage media, which may be read and executed by one or more processors.”.),
monitor a process being executed from a first computing location on the computing device for a trigger indicating a potential attack; (see Browne fig 3 and par. 0021: “the computing devices 102 and the analytics server 104 may be configured to transmit and receive data with each other and/or other devices of the system 100.”. Par. 0027: “The core activity monitor 302 is configured to receive activity counter data from a monitored computing device 102, such as LLC 206 data, memory bandwidth data, or other activity data from the resource manager 210 of the computing device 102. The core activity monitor 302 is further configured to determine whether suspicious core activity exists based on the activity counter data.”.),
detect the trigger indicating the potential attack; (see Browne fig 4 and par. 0036: “In block 406, the analytics server 104 receives analytics counter data from the monitored computing device 102. The analytics counter data may be embodied as any performance monitoring or resource management counter data that may be indicative of an active cache side channel attack. For example, the analytics counter data may be indicative of last-level cache (LLC) 206 occupancy, LLC 206 cache misses, memory bandwidth used, or other performance characteristics.”. Par. 0037: “In block 408, the analytics server 104 identifies suspicious core activity based on the activity counter data. Suspicious core activity is indicative of an active cache side channel attack and may include abnormal levels of LLC 206 occupancy, LLC 206 misses, memory bandwidth consumed, or other abnormal resource usage.” Par. 0038: “In block 414, the analytics server 104 identifies suspicious application activity based on the detection process.”.), and
Browne appears to be silent; however, Drissi teaches
responsive to detecting the trigger indicating the potential attack: (see Drissi Col 9. lines 15-27: “Method steps and computer program operations comprise operating the secure governing data processing system to monitor operation of at least one governed data processing system to detect a deviation from modeled user and governed data processing system behavior and, upon detecting a deviation from the modeled behavior, taking proactive action to mitigate an occurrence of potential adverse result of an occurrence of a cyber-security threat. Taking proactive action can be accomplished by taking some action or instituting some counter-measure prior to having actual knowledge of a cause of the deviation from the modeled behavior, in order to disturb any malicious activity before it starts.”).
initiating an attack countermeasure by migrating the process to execute in a second computing location isolated from the first computing location, thereby breaking access to information at the first computing location. (See Drissi Col.9 lines 37-45: “Implementing at least one of the suggested actions or countermeasures can comprise performing moving target actions including at least one of migrating an application or a workload and rebuilding a software image; performing a quarantine action; and performing a scaling back action. The moving target actions can comprise changing IP addresses, and migrating an application or a workload can comprise migrating the application or workload from one virtual machine to another virtual machine or from one CPU to another CPU.” The Examiner interprets the migration of one virtual machine as the first computing location and another virtual machine as the second computing location).
The same motivation statement as for claim 1 applies to combining the teaching of Drissi.
Regarding claim 19, Browne in view of Drissi teach the computing device of claim 18, wherein the computing device monitors the process within a secure environment. (See Browne fig 1 and par. 0026: “embodiment, the analytics server 104 establishes an environment 300 during operation. environment 300 includes a core activity monitor 302, an application activity monitor 304, and a corrective action manager 306. The various components of the environment 300 may be embodied as hardware, firmware, software, or a combination.”).
Regarding claim 21, Browne in view of Drissi teach the method of claim 1, Drissi further teaches wherein the countermeasure to migrate the process moves the process from one CPU core to another CPU core. (see Drissi Col.9 lines 44-45: “Implementing at least one of the suggested actions or countermeasures can comprise performing moving target actions including at least one of migrating an application or a workload and rebuilding a software image…migrating the application or workload from one virtual machine to another virtual machine or from one CPU to another CPU”).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention was made to combine Browne and Drissi teaching of method claim 1 with Drissi teaching “the governing system 100 makes use of the modeling and analytics results, combined with configurability of the governed system 200, to provide guidance and insights concerning 'best' decisions for proactively preventing cyber-attacks. These decisions can involve the use of system quarantine, workload migration (to another CPU or VM), a rebuild of server images”, (see Drissi Col.7 lines 19-25).
Claims 3, 4, 6, 8 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Browne et al. (US-20190042739-A1, hereafter Browne), in view of Drissi et al. (US-9129108-B2, hereafter Drissi), in further view of Bignon et al. (US-20140223556-A1, Bignon hereafter).
Regarding claim 3, Browne in view of Drissi teach the method of claim 2, Browne in view of Drissi do not explicitly teach however Bignon teaches wherein migrating the process to execute in the second computing location isolated from the first computing location is performed by a migration entity separate from the monitor system. (See Bignon par. 0053-0055: “step E2, the local security machine 12-1 sends to the migration module 13-1 of the supervisor 13 an alarm message informing it that the virtual machine VMll is under attack. Step E3 of receiving the alarm message, the migration module 13-1 receives the alarm message sent during the preceding step. Step E4, the migration module 13-1 triggers a migration of the virtual machine VMll from the host server 11-1 toward the optimized security system OSS. With this aim, the migration module 13-1 triggers the hot migration functionality. This triggering causes the movement of the virtual machine VMll from the host server 11-1 toward the optimized security system OSS.”.).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention was made to combine Browne and Drissi teaching of method claim 2 with Bignon teaching “the supervisor 13 is adapted for supervising all the clusters and the optimized security system OSS, for controlling the creation, activation and liberation of virtual machines on a host server of a cluster, for consulting the load of each of the servers of the cluster 11, as well as that of the hosted virtual machines, etc.”, (see Bignon par. 0048).
Regarding claim 4, Browne in view of Drissi teach the method of claim 1, Browne in view of Drissi fail to explicitly teach however, Bignon explicitly teaches wherein initiating the attack countermeasure includes notifying a migration entity to perform the migration of the process from the first computing location to execute in the second computing location. (See Bignon par. 0053-0055: “step E2, the local security machine 12-1 sends to the migration module 13-1 of the supervisor 13 an alarm message informing it that the virtual machine VMll is under attack. Step E3 of receiving the alarm message, the migration module 13-1 receives the alarm message sent during the preceding step. Step E4, the migration module 13-1 triggers a migration of the virtual machine VMll from the host server 11-1 toward the optimized security system OSS. With this aim, the migration module 13-1 triggers the hot migration functionality. This triggering causes the movement of the virtual machine VMll from the host server 11-1 toward the optimized security system OSS.”).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention was made to combine Browne and Drissi teaching of method claim 1 with Bignon teaching “the supervisor 13 is adapted for supervising all the clusters and the optimized security system OSS, for controlling the creation, activation and liberation of virtual machines on a host server of a cluster, for consulting the load of each of the servers of the cluster 11, as well as that of the hosted virtual machines, etc.”, (see Bignon par. 0048).
Regarding claim 6, Browne in view of Drissi in further view of Bignon teach the method of claim 4, Bignon further teaches wherein the migration entity is an operating system. (See Bignon par. 0063-0064: “The supervisor 13 is an IT server which conventionally comprises: a microprocessor 13-2, or CPU (Central Processing Unit), intended to load instructions into memory, to execute them, and to carry out operations.” Par. 0074: “The communication interfaces 13-4, the supervision module 13-5, the migration module 13-1 and its component means are preferably software modules comprising software instructions for executing the steps of the attack detection and protection method described previously.”.).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention was made to combine Browne, Drissi, and Bignon teaching of method claim 4 with Bignon teaching “a computer program containing instructions for the implementation of the method of attack detection and protection such as described previously, when this program is executed by a processor of the supervisor device.”, (see Bignon par. 0076).
Regarding claim 8, Browne in view of Drissi in further view of Bignon teach the method of claim 4, wherein the migration entity migrates the process to a new host system in response to the trigger indicating that the potential attack is a manipulation or inspection of a co-tenant in a cloud host. Based on the alternative recited by the Applicant, the Examiner chose wherein the migration entity migrates the process to a new host system in response to the trigger indicating that the potential attack is an inspection of a co-tenant in a cloud host. (See Bignon par. 0023: “the attack detection message originates from a local security virtual machine, co-tenant of the virtual machine on the host server, said message being transmitted following the detection by the local security virtual machine of an attack against the virtual machine.”. par. 0025: “the method according to the invention comprises a step of detecting that the virtual machine has been subject to a number of migrations from a first host server toward a second host server greater than a threshold value during a set time period.”. par. 0031-0038: “a module for migrating a virtual machine of a set of virtual machines hosted by a first host server, from said first host server toward a security server of a security system, characterized in that it comprises: means for triggering a migration, arranged for triggering a migration of the virtual machine from the first host server toward the security server, an optimized security system comprising at least one security server hosting a set of virtual security machines.”.).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention was made to combine Browne, Drissi, and Bignon teaching of method claim 4 with Bignon teaching “the method according to the invention, a virtual machine under attack is migrated toward an environment dedicated to security, adapted for treating the attack. Without this migration toward an environment dedicated to security, a virtual machine under attack would risk being subject to several successive migrations, or causing successive migrations of co-tenant virtual machines, without the attack being treated at the end of it all, which would penalize the whole architecture in terms of performance, and thus penalize all the clients.”, (see Bignon par. 0013).
Regarding claim 17, Browne in view of Drissi teach the method of claim 1, Browne in view of Drissi do not explicitly teach however, Bignon teaches wherein the second computing location is a virtual machine environment with a same runtime configuration as the computing device. (See Bignon par.0006: “When a virtual machine is migrated toward another host server, it retains the same identifying characteristics, namely the same IP address, the same MAC address, etc.” Par. 0046: “the local security machine 12-1 is adapted for detecting attacks against virtual machines hosted by the host server 11-1, or abnormal behavior of these machines. With this aim, the local security machine 12-1 uses part of the resources of the host server 11-1, in the same way as the other active virtual machines hosted by this server. The local security machine 12-1 is adapted for supervising the consumption of resources and the traffic bound for the virtual machines hosted by the host server 11-1, for analyzing the fields of the IP datagrams circulating at the level of the host server 11-1, for deducing information on attacks against virtual machines hosted by the host server 11-1, and for detecting abnormal consumption of resources by virtual machines.”.).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention was made to combine Browne and Drissi teaching of method claim 1 with Bignon teaching “migration is restrictive: the target host server must have access to the same sub-network as the source server, be based on the same type of CPU (Central Processing Unit), have access to the same storage medium, etc. These restrictions reduce the possibilities of migrations that risk always affecting the same host servers, and in the same way, the co-tenant virtual machines.”, (see Bignon par. 007).
Claims 5 and 7 are rejected under 35 U.S.C. 103 as being unpatentable over Browne et al. (US-20190042739-A1, hereafter Browne), in view of Drissi et al. (US-9129108-B2, hereafter Drissi), in view of Bignon et al. (US-20140223556-A1, Bignon hereafter), in further view of Wang et al. (US-20230098117-A1 hereafter Wang).
Regarding claim 5, Browne in view of Drissi in further view of Bignon teach the method of claim 4, Browne in view of Drissi in further view of Bignon appear to be silent; however, Wang teaches wherein the migration entity migrates the process to a CPU core that does not share data with the computing device in response to the trigger indicating that the potential attack is a transient execution attack. (See Wang par. 0025: “aspects of the present disclosure may be applied or adapted for use in hardware-based attacks, including side channel attacks, and other contexts.” Par.0042: “Nested Page Faults (NPFs) may be triggered by the hardware during the NPT walk. According to the NPF event, the hypervisor can grab useful information that could reflect the behavior of a program and, therefore, leak sensitive information, including the gPA of the NPT and the NPF error code. This forms a well-known controlled-channel attack, which compromises SEV's confidentiality and integrity.” Par.0089: “One key to bypassing the hardware-enforced TLB flush is to reserve the attacker process's TLB entries on one CPU core and then to migrate the vCPU to another CPU core. The internal context switch between the victim process and the attacker process is then performed on the second CPU core, which automatically flushes all TLB entries on the second logical core. Because the hypervisor isolates the first CPU core to prevent other processes from evicting its TLB entries, the TLB entries of the attacker processes are hence preserved.”). Examiner construed the hypervisor as the migration entity that migrates one CPU core to another CPU core used on a hardware attack such as side channel attack (transient attack).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention was made to combine Browne in view of Drissi in further view of Bignon teaching of claim 4 with the disclosure of Wang. The motivation would have been to isolate the first CPU core to another CPU to preserve the attacker process and perform the analysis on the attack.
Regarding claim 7, Browne in view of Drissi in further view of Bignon teach the method of claim 4, Browne in view of Drissi in further view of Bignon appear to be silent; however, Wang teaches wherein migration entity migrates the process to a CPU core that does not share data with the computing device in response to the trigger indicating that the potential attack is a side channel attack on a storage device including the data. (See Wang par. 0025: “aspects of the present disclosure may be applied or adapted for use in hardware-based attacks, including side channel attacks, and other contexts.” Par.0042: “Nested Page Faults (NPFs) may be triggered by the hardware during the NPT walk. According to the NPF event, the hypervisor can grab useful information that could reflect the behavior of a program and, therefore, leak sensitive information, including the gPA of the NPT and the NPF error code. This forms a well-known controlled-channel attack, which compromises SEV's confidentiality and integrity.” Par.0089: “One key to bypassing the hardware-enforced TLB flush is to reserve the attacker process's TLB entries on one CPU core and then to migrate the vCPU to another CPU core. The internal context switch between the victim process and the attacker process is then performed on the second CPU core, which automatically flushes all TLB entries on the second logical core. Because the hypervisor isolates the first CPU core to prevent other processes from evicting its TLB entries, the TLB entries of the attacker processes are hence preserved.”). Examiner construed the hypervisor as the migration entity that migrates one CPU core to another CPU core.
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention was made to combine Browne in view of Drissi in further view of Bignon teaching of claim 4 with the disclosure of Wang. The motivation would have been to isolate the first CPU core to another CPU to preserve the attacker process and perform the analysis on the side channel attack.
Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Browne et al. (US-20190042739-A1, hereafter Browne), in view of Drissi et al. (US-9129108-B2, hereafter Drissi), in view of Bignon et al. (US-20140223556-A1, Bignon hereafter), in further view of Northup et al. (US-8813240-B1, hereafter Northup).
Regarding claim 9, Browne in view of Drissi in further view of Bignon teach the method of claim 8, Browne in view of Drissi in further view of Bignon fail to explicitly teach however, Northup explicitly teaches wherein the migration entity is a hypervisor (see Northup Col 4 lines 1-8: “The hardware virtualization module 110 can be associated with a virtual machine monitor 112 (e. g., a hypervisor). The virtual machine monitor 112 can manage the execution of the virtual machines 114 and 116 executed on the physical machine 100. The virtual machine monitor 112 can migrate or relocate the virtual machines 114 and 116 from the physical machine 100 to a different physical machine.”.).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention was made to combine Browne in view of Drissi in further view of Bignon teaching of the method claim 8 with Northup teaching “a virtual machine monitor 112 (e. g., a hypervisor). The virtual machine monitor 112 can manage the execution of the virtual machines 114 and 116 executed on the physical machine 100.”, (see Northup Col 4 lines 2-5).
Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over Browne et al. (US-20190042739-A1, hereafter Browne), in view of Drissi et al. (US-9129108-B2, hereafter Drissi), in view of Bignon et al. (US-20140223556-A1, Bignon hereafter), in further view of Roberts et al. (EP-1302854-B1 Roberts).
Regarding claim 10, Browne in view of Drissi in further view of Bignon teach the method of claim 4, Browne in view of Drissi in further view of Bignon appear to be silent; however, Roberts teaches wherein the migration entity migrates the process to an instrumented CPU core in response to the trigger indicating that the process has tripped a tripwire. (See Roberts Par.0103: “The action generator 310 (migration entity) then causes the appropriate action to be taken within the end-point application 306. This may be a single action, several actions, or one or more specific actions which are determined not only by the triggering of the tripwire but also by the data within the information stream, for example arriving at the appropriate location or locations in the memory 308”, par.0127: “The tripwire unit 3 is associated with a system controller 352 connected to a host bus 307a and the input/output bus 307b. Such an arrangement allows tripwire operations to inform applications of any characteristic data transfer to or from any device in the computer system. This includes hardware devices, such as the disk controller 351 and the network interface card 350, and, in the case of a system employing several CPUs, enables an application running on one of the CPUs to synchronize on a data transfer to or from an application running on another of the CPUs.”). Examiner interprets that once the tripwire is tripped, it enables the appropriate action of transferring a running application to another CPU (instrumented CPU core).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention was made to combine Browne in view of Drissi, in further view of Bignon teaching of method claim 4 with Roberts teaching “tripwires may be implemented at other points in a system as illustrated by tripwire units 2 to 5 in Figure 29. The system comprises a disk controller 351 connected to an input/output bus 307b and the tripwire unit 2 is implemented as part of the disk controller 351. Such an arrangement allows tripwire operations to inform applications of any characteristic data transfer to or from the disk controller 351 Such an arrangement is particularly useful where the controller 351 is able to transfer data to and from a non-contiguous memory region corresponding to user-level buffers of an application.”, (see Roberts par.0126).
Claim 11 is rejected under 35 U.S.C. 103 as being unpatentable over Browne et al. (US-20190042739-A1, hereafter Browne), in view of Drissi et al. (US-9129108-B2, hereafter Drissi), in view of Bignon et al. (US-20140223556-A1, Bignon hereafter), in view of Roberts et al. (EP-1302854-B1 Roberts), in further view of Browne2 et al. (US-20180285563-A1 hereafter Browne2).
Regarding claim 11, Browne in view of Drissi, Bignon and Roberts teach the method of claim 10, Browne in view of Drissi, Bignon and Roberts appear to be silent; however, Browne2 teaches further comprising executing the process on the instrumented CPU core to determine the information the process is targeting. (See Browne2 par. 0045: “a monitoring daemon 160 may be executed by a CPU/core of system 100 that is separate from CPUs/cores 130-1 to 130-4 included in compute resources provisioned or allocated to VMs 110-1 to 110-N. Although, in some examples, monitoring daemon 160 may be executed by the same CPUs/cores allocated to VMs 110-1 to 110-N. Also, monitoring daemon 160 may be on same or different computing platform as other elements of system 100 and as such, CPU/core 130-N may also be respectively located on the same or different computing platform. As shown in FIG. 1, the separate CPU/core to execute monitoring daemon 160 is shown as CPU/core 130-N. As described in more detail below, monitoring daemon 160 may include logic and/or features to receive data and/or performance monitoring interrupts (PMIs) to determine sample fingerprints for target workloads processed by VNF app(s) 110-1 to 110-N executed by VMs 110-1 to 110-N. Logic and/or features of monitoring daemon 116 may then compare the sample fingerprints with respective fingerprint references associated with respective behavior models to determine a deviation from normal and/or expected behavior.”).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention was made to combine Browne in view of Drissi, Bignon, and Roberts teaching of method claim 10 with Browne2 teaching “when using a deviation value methodology, if a deviation value generated by comparison feature 324 is above a threshold, report logic 330 may indicate to a management entity that possible problems need to be addressed by the management entity. This type of indication may just be an alert that possible issues exist and need to be further investigated.”, (see Browne2 par.0036).
Claim 12 is rejected under 35 U.S.C. 103 as being unpatentable over Browne et al. (US-20190042739-A1, hereafter Browne), in view of Drissi et al. (US-9129108-B2, hereafter Drissi), in further view of Bignon et al. (US-20140223556-A1, Bignon hereafter), in further view of Durham et al. (US-20190042799-A1, hereafter Durham).
Regarding claim 12, Browne in view of Drissi in further view of Bignon teach the method of claim 4, Browne in view of Drissi in further view of Bignon fail to teach; however, Durham teaches wherein the migration entity migrates the process to a CPU core in response to the trigger indicating that the process has accessed memory with a pointer having a tag that does not match the tag on the memory. (See Durham par. 0031: “the CPU 112 writes the data 132 for the physical address 134 location, the pointer security circuitry 126 may define, insert, or identify one or more memory tags 142 in the physical address 134, to associate with the cached data 132 to reduce the likelihood of a successful side channel attack. The one or more memory tags 142 embedded within the physical address 134 may include one or more of the identification tag 144, the encryption tag 146, the small object tag 148, and/or the bound distance tag 150.”, par. 0032: “pointer security circuitry 126 may be configured to use the one or more memory tags 142 from the virtual address of the new data 128, from the cached data 132 and physical address, and from the encrypted data 138 to identify data corruption, memory address corruption, address manipulation, use after free, or otherwise unauthorized changes to address pointers within the CPU 112.”.).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention was made to combine Browne in view of Drissi in further view of Bignon teaching of claim 4 with Durham teaching “this example includes the elements of example 10, wherein the identification tag is a first identification tag, wherein the operations further include: receive a request to access the memory address pointer; receive a second identification tag associated with the request to access the memory address pointer; compare the first identification tag to the second identification tag; and deny access to the request to access the memory address pointer, if the first identification tag mismatches the second identification tag.”, (see Durham par. 0115).
Claims 13 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Browne et al. (US-20190042739-A1, hereafter Browne), in view of Drissi et al. (US-9129108-B2, hereafter Drissi), in further view of Striem-Amit et al. (US-10043010-B1, Striem-Amit hereafter).
Regarding claim 13, Browne in view of Drissi teach the method of claim 1, Browne in view of Drissi appear to be silent; however, Striem-Amit teaches wherein the second computing location is a sandbox environment. (See Striem-Amit Col.2 lines: 45-49: “a process can be migrated to a sandbox from an environment within the computer at any moment during the runtime of the process. After migration, the process can be subjected to extensive analysis and study to detect whether it is malicious.” Col.3 lines 10-13: “each of the sandbox machines 110(1), . . . , 110(N) is a machine separate from the computer 120 and connected to the computer 120 over the network 180.”).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention was made to combine Browne and Drissi teaching of method claim 1 with Striem-Amit teaching “The method also includes executing the set of instructions on the first electronic machine. The method further includes performing a migration operation to migrate the set of processes on the first electronic machine to a second electronic machine distinct from the first electronic machine, the set of processes causing the second electronic machine to produce”, (see Striem-Amit Col.1 lines:41-48). The motivation to combine would have been to perform a comparison operation on the first output and the second output to produce a comparison result.
Regarding claim 14, Browne in view of Drissi teach the method of claim 1, Browne in view of Drissi appear to be silent; however, Striem-Amit teaches further comprising after migrating the process to the second computing location, instrumenting the process and executing the process in the second computing location to determine information the potential attack is targeting. (See Striem-Amit Col.3 lines 44-61: “process migration manager 120 is configured to migrate the application process 112 from a first machine, e.g., sandbox machine 110(1) to a second sandbox machine, e.g., sandbox machine 110(N)…. the process migration manager 130 is configured to migrate the application process 112 in response to some specified event. For example, such an event may be the passage of a specified amount of time. The event may occur with a specified probability distribution over time.”, Col.4 lines: 9-43: “A result of running the application process 112 on the machine 110(1) is an application output 114(1). One example of such an application output 114(1) may be a measure of an activity level of the process 112 as it runs on the sandbox machine 110(1)…. the application output comparison manager 140 can be configured to detect known malicious activity. Such malicious activity is well studied in the art and can include buffer overflows, out of memory access, resource utilization, disk access, access to protected files, access to honeypot files, rate limitations, connection to suspicious IP addresses, and the like.”).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention was made to combine Browne and Drissi teaching of method claim 1 with Striem-Amit teaching “conventional sandboxing techniques in which malicious applications can evade detection, improved techniques involve migrating processes running applications from a first sandbox to a second sandbox. Along these lines, when a computer that is being”, (see Striem-Amit Col.2 lines 27-34).
Claims 15 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Browne et al. (US-20190042739-A1, hereafter Browne), in view of Drissi et al. (US-9129108-B2, hereafter Drissi), in view of Striem-Amit et al. (US-10043010-B1, Striem-Amit hereafter), in further view of Soryal et al. (US-20240202324-A1 hereafter Soryal).
Regarding claim 15, Browne in view of Drissi and Striem-Amit teach the method of claim 14, Browne in view of Drissi and Striem-Amit fail to teach however Soryal teaches further comprising performing an event trace capture on the process while the process executes in the second computing location to identify features of an event stream performed by the process. (See Soryal par. 0059: “processing system initiates the sensor function migration process by sending a request to surrounding sensor devices to request for sensor function migration, i.e., to host one or more sensor functions of the affected sensor device. The broadcast message may include one or more of: the identity of sensor device 210, the core sensor function(s) of sensor device 210 to be migrated, the hardware and software requirements for the migration ( e.g., computing power of the processor, power requirement, memory storage requirement, sensing capability of the sensor device, current OS version requirement, and so on), par. 0062: “once the sensor function migration process has occurred and has been completed, it may be necessary to inform a centralized system, e.g., server 104 or server 116 or even a user (e.g., user 139, user 159 or user of device 114) of the sensor function migration. The reporting may include various information, e.g., ID and/or location of the affected sensor device, the ID and/or location of the hosting sensor device, the time that the migration occurred, the steps taken (if any, such as self-testing, resetting, and the like) prior to the migration, the nature of the anomaly (e.g., if the sensor device was not taking measures, if the sensor device was not sending measures as expected, if the sensor device was sending the measures to the wrong recipient, and the like).”.).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention was made to combine Browne Drissi and Striem-Amit teaching of claim 14 with Soryal teaching “sensor devices that have the ability to monitor their core function(s) to detect an anomaly. For example, performance evaluations may comprise the evaluation of the accuracy of the sensor devices performing their core sensor function(s) such as the collection of data, e.g., taking measurements of external metrics via one or more sensors, use of the collected data to predict one or more future events (e.g., predicting a breach event of a restricted area, predicting a shortage event of at least one item, predicting a potential failure event, predicting a potential degradation event of a service, etc.) and/or use of the collected data to execute one or more assigned tasks (e.g., transmitting the collected data to a remote entity such as a remote application server, initiating an alarm signal, sending a report, etc.)”, (see Soryal Par. 0014). The motivation to combine would have been the benefits of the present sensor device core function migration, which provide a robust mechanism to minimize the disruption that may be caused by a malicious attack of the sensor devices, (see Soryal par.0023).
Regarding claim 16, Browne in view of Drissi, Striem-Amit in further view of Soryal teach the method of claim 15, Striem-Amit further teaches wherein the second computing location is a sandbox environment. (See Striem-Amit Col.2 lines: 45-49: “a process can be migrated to a sandbox from an environment within the computer at any moment during the runtime of the process. After migration, the process can be subjected to extensive analysis and study to detect whether it is malicious.” Col.3 lines 10-13: “each of the sandbox machines 110(1), . . . , 110(N) is a machine separate from the computer 120 and connected to the computer 120 over the network 180.”).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention was made to combine Browne in view of Drissi, Striem-Amit and in further view of Soryal teaching of claim 14 with Striem-Amit teaching “The method also includes executing the set of instructions on the first electronic machine. The method further includes performing a migration operation to migrate the set of processes on the first electronic machine to a second electronic machine distinct from the first electronic machine, the set of processes causing the second electronic machine to produce”, (see Striem-Amit Col.1 lines:41-48). The motivation to combine would have been to perform a comparison operation on the first output and the second output to produce a comparison result.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
Wei et al. (US-20190243990-A1) Method involves executing an operating system on a first processing core selected from among processing cores in the computing system, translating virtual addresses in a first virtual address space of an application received from the first processing core using a first set of page tables that maps an entire user address space of the application and an entire kernel address space of the operating system to a physical memory shared by the processing cores, executing the application on a second processing core selected from among processing cores in the computing system, and translating virtual addresses in a second virtual address space of the application received from the second processing core using a second set of page tables. The process page tables remain constant within each processing core, the translation lookaside buffers associated with each processing core are not flushed during context switches, and the performance penalties associated with flushing the translation lookaside buffers do not arise while at the same time mitigating the risks of the meltdown vulnerability that page table isolation provides.
Rosenberg et al. (US-20210160254-A1) The method involves making a determination to cause the initiation of a live migration of a first process executing on a first computing device to a second computing device by a processor device. The migration in conjunction with electronic security attacks, assume that the computing device determines that performance metric value of the computing device has an undesirable value, and based on this, makes a determination to cause the initiation of a live migration of the process to a target computing device, such as the computing device. The method eliminates or greatly reduces service disruption.
THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DUILIO MUNGUIA whose telephone number is (571)270-5277. The examiner can normally be reached M-F 9:30AM - 5:00PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni A. Shiferaw can be reached on M-F 7:00am - 3:30pm. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/DUILIO MUNGUIA/Examiner, Art Unit 2497 /ELENI A SHIFERAW/ Supervisory Patent Examiner, Art Unit 2497