Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Amendments
Applicant’s arguments have been fully considered. However, upon further consideration, a new ground(s) of rejection is made in view of BARKOL (US 20120106367 A) based on the new amendments to claim 1.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 4 and 6-21 are rejected under 35 U.S.C. 103 as being unpatentable over Kapoor (US 20120297488 A1) in view of Jarrett (US 20090044272 A1) and further in view of BARKOL (US 20120106367 A).
Regarding claim 4, Kapoor teaches a non-transitory machine-readable storage medium comprising instructions that upon execution cause a system to:
detect an alert generated in response to an operation on a device, the operation involving a first process and a first entity (Fig. 1. Para [0035]: when the file open notification is received, the malware protection engine 108 sets the state for the program's process (Reader.exe's process) as a "potential exploit process".);
in response to the alert, discover a second entity that is outside a scope of the alert (Fig. 1. Para [0035]-[0039]: the malware protection engine 108 sets the state for the Reader.exe process (first entity) as a potential exploit process; if the reader program is exploited by a malicious input file, a commonly noticed behavior is the dropping of an executable file to disk (second entity) followed by an attempt to launch it as a process.); wherein the second entity is outside the scope of the alert based on the second entity being separate from a chain of directly related entities including the first process and the first entity (Fig. 1. Para [0037]: the exploit of the reader program results in creation of a new executable file 109 (second entity) on the computer system's disk 110.); and
apply remediation actions (Fig. 1. Para [0044]: turning to performing remediation, possible forms of remediation include reporting telemetry (block 120) on opened documents from specifically dangerous sources to a backend service for analysis, and/or sending samples of opened documents from likely or specifically dangerous sources (block 120) to a backend service 122 for analysis. Other forms of remediation include quarantining, blocking or otherwise cleaning opened documents and other associated processes, files and/or data sources.).
Kapoor does not explicitly disclose performing an action with respect to the first process, the first entity, and the second entity to address the alert.
Jarrett teaches performing an action with respect to the first process, the first entity, and the second entity to address the alert (Fig. 1. Claims 4-6: the actions are sortable based on at least one of type of action, type of resource, and location of resources; the generation component and the sorting component form an analysis engine that facilitates remediation processes comprising a priority-ordered system.).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Kapoor with the teachings of Jarrett to include performing an action with respect to the first process, the first entity, and the second entity to address the alert in order to prevent security incidents by addressing alerts promptly.
Kapoor in view of Jarrett does not explicitly disclose wherein the chain of directly related entities is a first tree branch of directly related entities, and the second entity is in a second tree branch of directly related entities, the second tree branch being different from the first tree branch.
BARKOL teaches wherein the chain of directly related entities is a first tree branch of directly related entities, and the second entity is in a second tree branch of directly related entities, the second tree branch being different from the first tree branch (Para [0040]. FIG. 1: a tree related structure is the first tree 106, while another tree related structure is the second tree 108.).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Kapoor in view of Jarrett with the teachings of BARKOL to include wherein the chain of directly related entities is a first tree branch of directly related entities, and the second entity is in a second tree branch of directly related entities, the second tree branch being different from the first tree branch in order to perform an action based on the type of the resource and priority order to limit the spread of security breach.
Regarding claim 6, Kapoor in view of Jarrett in view of BARKOL teaches the non-transitory machine-readable storage medium of claim 4, wherein the discovering of the second entity is based on detecting that the second entity is related to an artifact generated by a process that is part of a chain of directly related entities including the first process and the first entity (Kapoor Fig. 1. Para [0037]: the exploit of the reader program results in creation of a new executable file 109 (e.g., a portable executable) on the computer system's disk 110 or the like.).
Regarding claim 7, Kapoor in view of Jarrett in view of BARKOL teaches the non-transitory machine-readable storage medium of claim 6, wherein the second entity is a second process, and the discovering of the second process is based on detecting that a file generated by a process that is part of chain of directly related entities including the first process and the first entity includes an image containing machine-readable instructions for the second process (Kapoor FIG. 1. Para [0037]: the exploit of the reader program results in creation of a new executable file 109 (e.g., a portable executable) on the computer system's disk 110.).
Regarding claim 8, Kapoor in view of Jarrett in view of BARKOL teaches the non-transitory machine-readable storage medium of claim 4, wherein the second entity is a resource, and wherein the discovering of the resource is based on detecting that a file including an image containing machine-readable instructions for the first process is obtained from the resource (Kapoor Para [0037]. FIG. 1: the exploit of the reader program results in creation of a new executable file 109 (e.g., a portable executable) on the computer system's disk 110 or the like.).
Regarding claim 9, Kapoor in view of Jarrett in view of BARKOL teaches the non-transitory machine-readable storage medium of claim 4, wherein the second entity is a second process, and wherein the discovering of the second process is based on detecting that the first process and the second process have a common parent (Kapoor Para [0035]-[0039]: For example, a .pdf reader (parent) program typically does not drop portable executable (PE) files to storage (e.g., disk) and attempt to spawn them as processes. However, if the reader program is exploited by a malicious input file, one of the most commonly noticed behaviors is the dropping of such an executable file to disk and then attempting to launch it as a process. Thus, one form of detection is to watch for "creation of PE file on disk." Such behaviors may be watched for in any subset of application programs, such as those that are the most common targets for exploits. The exploit of the reader program results in creation of a new executable file 109 (e.g., a portable executable) on the computer system's disk 110 or the like.).
Regarding claim 10, Kapoor in view of Jarrett in view of BARKOL teaches the non-transitory machine-readable storage medium of claim 4, wherein the alert is in a first device, and the discovering of the second entity is by a central service (Kapoor Fig. 2. Para [0035]-[0039]: When the file open notification is received, the malware protection engine 108 sets the state for the program's process (Reader.exe's process) as a "potential exploit process". In general, once an application program has loaded an exploit file, the program 102 tends to exhibit behaviors that are not a normal usage pattern for the program 102. For example, a .pdf reader program typically does not drop portable executable (PE) files to storage (e.g., disk) and attempt to spawn them as processes. However, if the reader program is exploited by a malicious input file, one of the most commonly noticed behaviors is the dropping of such an executable file to disk and then attempting to launch it as a process. Thus, one form of detection is to watch for "creation of PE file on disk." Such behaviors may be watched for in any subset of application programs, such as those that are the most common targets for exploits.).
Regarding claim 11, Kapoor in view of Jarrett in view of BARKOL teaches the non-transitory machine-readable storage medium of claim 10, wherein the central service discovers the second entity based on information collected from a plurality of devices connected to the central service (Kapoor Para [0011]. Para [0035]-[0039].).
Regarding claim 12, Kapoor in view of Jarrett in view of BARKOL teaches the non-transitory machine-readable storage medium of claim 11, wherein the second entity is in a second device different from the first device (Kapoor Fig. 1. Fig. 2. Para [0035]-[0039]: In general, once an application program has loaded an exploit file, the program 102 tends to exhibit behaviors that are not a normal usage pattern for the program 102. For example, a .pdf reader program typically does not drop portable executable (PE) files to storage (e.g., disk) and attempt to spawn them as processes. However, if the reader program is exploited by a malicious input file, one of the most commonly noticed behaviors is the dropping of such an executable file to disk and then attempting to launch it as a process. Thus, one form of detection is to watch for "creation of PE file on disk." Such behaviors may be watched for in any subset of application programs, such as those that are the most common targets for exploits.).
Regarding claim 13, Kapoor in view of Jarrett in view of BARKOL teaches the non-transitory machine-readable storage medium of claim 12, wherein an anomaly to be addressed by a remediation action is due to lateral movement between the first device and the second device (Kapoor Para [0044]: turning to performing remediation, possible forms of remediation include reporting telemetry (block 120) on opened documents from specifically dangerous sources to a backend service for analysis.).
Regarding claim 14, Kapoor in view of Jarrett in view of BARKOL teaches the non-transitory machine-readable storage medium of claim 4, wherein the instructions upon execution cause the system to:
determine a remediation action to apply based on one or more of a type of the second entity, a relationship of the second entity to entities associated with the alert, a context of the alert, and an expected remediation action directive by a user (Jarrett Para [0009]-[0011]: As such, malware and related threats are transformed to action lists, wherein each threat and its related resources are identified. Such actions can then be executed based on a priority to reduce potential conflicts and perform remediation processes in an ordered manner (as opposed to a random operation), to improve efficiency. Accordingly, malware can be removed via operations that are not necessarily customized for removal of such detected malware (e.g., a predetermined program specific to removal of the malware). In a related aspect, the sorting component of the subject innovation can prioritize actions to be performed for each resource, based on criteria such as: type of action; type of resource; dependencies among resources; location of resources (e.g., removal of child folders before parent folders); and the like. Moreover, upon execution of the actions based on such priority, feedback can be supplied to the analysis engine for evaluating result of the actions--such as actions' success or failure (e.g., due to a locked file). Based on such evaluation, the analysis engine can recommend further remedial actions.).
Regarding claim 15, Kapoor in view of Jarrett in view of BARKOL teaches the non-transitory machine-readable storage medium of claim 14, wherein the context of the alert comprises any or some combination of the following:
a severity of the alert, a risk of the alert, a uniqueness of an anomaly associated with the alert, and an intelligence associated with the alert (Jarrett Para [0010]-[0011]: As such, malware and related threats are transformed to action lists, wherein each threat and its related resources are identified. Such actions can then be executed based on a priority to reduce potential conflicts and perform remediation processes in an ordered manner (as opposed to a random operation), to improve efficiency. Accordingly, malware can be removed via operations that are not necessarily customized for removal of such detected malware (e.g., a predetermined program specific to removal of the malware). In a related aspect, the sorting component of the subject innovation can prioritize actions to be performed for each resource, based on criteria such as: type of action; type of resource; dependencies among resources; location of resources (e.g., removal of child folders before parent folders); and the like. Moreover, upon execution of the actions based on such priority, feedback can be supplied to the analysis engine for evaluating result of the actions--such as actions' success or failure (e.g., due to a locked file). Based on such evaluation, the analysis engine can recommend further remedial actions.).
Regarding claim 16, Kapoor in view of Jarrett in view of BARKOL teaches the non-transitory machine-readable storage medium of claim 4, wherein the instructions upon execution cause the system to:
confirm that remediation actions have been taken with respect to entities of an attack chain including the first process, the first entity, and the second entity (Jarrett Claims 4-6: the actions are sortable based on at least one of type of action, type of resource, and location of resources; the generation component and the sorting component form an analysis engine that facilitates remediation processes comprising a priority-ordered system.).
Regarding claim 17, Kapoor in view of Jarrett in view of BARKOL teaches the non-transitory machine-readable storage medium of claim 4, wherein the instructions upon execution cause the system to: determine that a primary remediation action is not possible with respect to the second entity; and in response to the determining, identify a secondary remediation action to apply against the second entity (Jarrett Claims 4-6: the actions are sortable based on at least one of type of action, type of resource, and location of resources; the generation component and the sorting component form an analysis engine that facilitates remediation processes comprising a priority-ordered system.).
Regarding claim 18, Kapoor in view of Jarrett in view of BARKOL teaches the non-transitory machine-readable storage medium of claim 4, wherein the instructions upon execution cause the system to:
in response to the alert, determine a correct order of remediation actions to apply against entities of an attack chain including the first process, the first entity, and the second entity (Jarrett Claims 4-6: the actions are sortable based on at least one of type of action, type of resource, and location of resources; the generation component and the sorting component form an analysis engine that facilitates remediation processes comprising a priority-ordered system.).
As per claim 19, the claim recites a security system corresponding to the non-transitory machine-readable storage medium of claim 4 above, and it is rejected at least for the same reasons.
As per claim 20, the claim recites a method of a security system corresponding to claim 19 above, and it is rejected at least for the same reasons.
Regarding claim 21, Kapoor in view of Jarrett in view of BARKOL teaches the non-transitory machine-readable storage medium of claim 4, wherein the instructions upon execution cause the system to:
detect a further alert generated in response to a further operation involving the first process and a second process (Kapoor Fig. 1. Para [0038]: the file will be scanned when closed (On-Close event). The scan results plus the file create event are sent to the malware protection engine 108 using another notification, as represented by the arrow labeled seven (7). The scan results contain information that the created file is an executable.);
in response to the further alert, discover a third entity that is outside a scope of the further alert, wherein the third entity is outside the scope of the further alert based on:
the further alert being raised responsive to the first process starting the second process (Kapoor Fig. 1. Para [0038]-[0039]: the file will be scanned when closed (On-Close event). The scan results plus the file create event are sent to the malware protection engine 108 using another notification, as represented by the arrow labeled seven (7). The scan results contain information that the created file is an executable. The file creation notification is used as a trigger to fire the detection operations by the malware protection engine 108 on the last stored malicious document (which is PDFExploit.pdf), as represented by the arrow labeled eight (8).), and
the third entity having an entity type different from a process (Kapoor Fig. 1. Para [0038]-[0039]: the file will be scanned when closed (On-Close event). The scan results plus the file create event are sent to the malware protection engine 108 using another notification, as represented by the arrow labeled seven (7). The scan results contain information that the created file is an executable. The file creation notification is used as a trigger to fire the detection operations by the malware protection engine 108 on the last stored malicious document (which is PDFExploit.pdf), as represented by the arrow labeled eight (8).).
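To make concrete the detection, scoping and remediation sequence relied upon in the rejections of claims 4, 6, 9, 14 and 16-18 and of claim 21 above, the following worked example is added here. It is not code from the present application, Kapoor, Jarrett or BARKOL, and every particular in it is an assumption made for illustration: the telemetry records and their event names, the image names and paths, and the WATCHED_READERS, PE_SUFFIXES, LOCKED_FILES and SECONDARY tables. The example builds a process and file tree from the records; raises a Kapoor-style alert when a watched document reader writes a PE file and then launches it; treats the branch rooted at the first process as the chain of directly related entities; surfaces entities outside that chain by relationship (an artifact written by a chain process, the document the first process opened, and a sibling process in a different tree branch); selects a remediation action from entity type and relationship; orders the actions Jarrett-style, processes before files and deeper paths before shallower ones; falls back to a secondary action where the primary one is not possible; and confirms that every entity was addressed.

```python
"""Alert scoping and ordered remediation over a process/file tree (added illustration)."""
from typing import Dict, List, NamedTuple, Set, Tuple

TELEMETRY = [  # constructed (event, actor, target); processes are "image:pid", files are paths
    ("process_start", "explorer.exe:100", "Reader.exe:200"),
    ("process_start", "explorer.exe:100", "outlook.exe:150"),
    ("file_open",     "Reader.exe:200",   "C:/Users/u/Downloads/PDFExploit.pdf"),
    ("file_create",   "Reader.exe:200",   "C:/Users/u/AppData/Local/Temp/dropper.exe"),
    ("process_start", "Reader.exe:200",   "dropper.exe:300"),
    ("file_create",   "dropper.exe:300",  "C:/Users/u/AppData/Roaming/payload.dll"),
]
WATCHED_READERS = {"Reader.exe"}  # document viewers that should never drop PE files
PE_SUFFIXES = (".exe", ".dll")    # stand-in for inspecting the written file's PE header
LOCKED_FILES = {"C:/Users/u/AppData/Roaming/payload.dll"}  # constructed: delete fails here
SECONDARY = {"delete": "quarantine_on_reboot"}  # fallback when a primary action fails

class Graph(NamedTuple):
    parent: Dict[str, str]        # process -> parent process
    created: Dict[str, str]       # file -> creating process
    opened: Dict[str, List[str]]  # process -> documents it opened

def build_graph(events) -> Graph:
    g = Graph({}, {}, {})
    for ev, actor, target in events:
        if ev == "process_start":
            g.parent[target] = actor
        elif ev == "file_create":
            g.created[target] = actor
        elif ev == "file_open":
            g.opened.setdefault(actor, []).append(target)
    return g

def is_process(entity: str) -> bool:
    return "/" not in entity  # file entities are paths in this model

def detect_alerts(g: Graph) -> List[Tuple[str, str]]:
    """Kapoor-style rule: a watched reader writes a PE file and then launches it."""
    alerts = []
    for path, creator in g.created.items():
        if creator.split(":")[0] in WATCHED_READERS and path.lower().endswith(PE_SUFFIXES):
            name = path.rsplit("/", 1)[-1]  # dropped file launched under its own image name
            if any(par == creator and p.split(":")[0] == name for p, par in g.parent.items()):
                alerts.append((creator, path))  # (first process, first entity)
    return alerts

def direct_chain(g: Graph, first_proc: str, first_entity: str) -> Set[str]:
    """Branch rooted at the first process: it, the first entity and every descendant process."""
    chain = {first_proc, first_entity}  # ancestors such as the desktop shell are left out
    while True:
        new = {p for p, par in g.parent.items() if par in chain and p not in chain}
        if not new:
            return chain
        chain |= new

def discover_out_of_scope(g: Graph, chain: Set[str], first_proc: str) -> Dict[str, str]:
    """Entities outside the chain, keyed by the relationship that surfaced them."""
    found = {path: "artifact" for path, creator in g.created.items()  # written by chain
             if creator in chain and path not in chain}
    found.update({doc: "document" for doc in g.opened.get(first_proc, [])  # opened input
                  if doc not in chain})
    par = g.parent.get(first_proc)
    found.update({p: "sibling" for p, pp in g.parent.items()  # same parent, other branch
                  if par is not None and pp == par and p not in chain})
    return found

def primary_action(entity: str, relation: str) -> str:
    """Action from entity type and relationship; a mere sibling is inspected, not killed."""
    if relation == "chain":
        return "terminate" if is_process(entity) else "delete"
    return {"artifact": "delete", "document": "quarantine", "sibling": "inspect"}[relation]

def remediate(entities: Dict[str, str]) -> Dict[str, str]:
    """Jarrett-style order: processes first, then files deepest path first; fall back if locked."""
    procs = sorted(e for e in entities if is_process(e))
    files = sorted((e for e in entities if not is_process(e)), key=lambda p: (-p.count("/"), p))
    outcome: Dict[str, str] = {}
    for e in procs + files:
        action = primary_action(e, entities[e])
        if action == "delete" and e in LOCKED_FILES:  # primary not possible: secondary action
            action = SECONDARY[action]
        outcome[e] = action
    return outcome

def handle(events=TELEMETRY) -> List[Dict[str, str]]:
    """Detect, scope, discover, remediate and confirm; one outcome map per alert."""
    g = build_graph(events)
    results = []
    for first_proc, first_entity in detect_alerts(g):
        chain = direct_chain(g, first_proc, first_entity)
        targets = {e: "chain" for e in chain}
        targets.update(discover_out_of_scope(g, chain, first_proc))
        outcome = remediate(targets)
        assert set(outcome) == set(targets), "remediation incomplete"  # confirm coverage
        results.append(outcome)
    return results

if __name__ == "__main__":
    print(*handle(), sep="\n")
```

Running the module prints the planned action for each entity of the single constructed alert. The sibling process is surfaced solely because it shares a parent with the first process; shared ancestry alone is weak evidence, which is why the example chooses the action from the relationship and inspects the sibling rather than terminating it. Likewise the file type of a dropped artifact should be established by reading the PE header rather than by file extension, as the stand-in here does.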
Allowable Subject Matter
Claim 22 is objected to as being dependent upon rejected base claim 21, but would be allowable if rewritten in independent form including all of the limitations of base claim 21 and any intervening claims.
Claim 23 is objected to as being dependent upon rejected base claim 20, but would be allowable if rewritten in independent form including all of the limitations of base claim 20 and any intervening claims.
Claim 24 is objected to as being dependent upon rejected base claim 4, but would be allowable if rewritten in independent form including all of the limitations of base claim 4 and any intervening claims.
The following is a statement of reasons for the indication of allowable subject matter:
The closest prior art of record:
Iwanir (US 20180034835 A1) teaches detecting, by a cloud service, a ransomware attack on a client device. The system monitors changes to files of the client device that are stored by the cloud service. The system assesses whether a change to a file appears to be malicious in that the change may be caused by ransomware. When the change to the file appears to be malicious, the system performs a countermeasure to prevent synchronization of files of the client device with other client devices and with the cloud service, so as to prevent the propagation of files from the client device that is undergoing a ransomware attack. However, Iwanir does not disclose sending the alert to a central entity to discover the second entity that is outside the scope of the alert.
Bhatt (US 9456001 B2) teaches that attack notification can include receiving security-related data from a number of computing devices that are associated with a number of entities through a communication link and analyzing a first portion of the security-related data that is associated with a first entity from the number of entities to determine whether the first entity has experienced an attack. Attack notification can include analyzing a second portion of the security-related data that is associated with a second entity from the number of entities and the first portion of the security-related data that is associated with the first entity to determine whether the second entity is experiencing the attack. Attack notification can include notifying, through the communication link, the second entity that the second entity is experiencing the attack if it is determined that the second entity is experiencing the attack.
However, the remaining elements were neither found through a search of the prior art nor considered obvious by the Examiner. The primary reason for the indication of allowable subject matter is that the prior art does not disclose a combination wherein the alert is in a first device, the discovering of the second entity is by a central service, the central service discovers the second entity based on information collected from a plurality of devices connected to the central service, and the second entity is in a second device different from the first device. This Office is unable to discern a reasonable rationale from the prior art that such features are taught, suggested, or otherwise rendered obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JUDY BAZNA whose telephone number is (703)756-1258. The examiner can normally be reached Monday - Friday 08:30 AM-05:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on (571) 272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/JUDY BAZNA/Examiner, Art Unit 2495
/FARID HOMAYOUNMEHR/Supervisory Patent Examiner, Art Unit 2495