Prosecution Insights
Last updated: April 19, 2026
Application No. 18/425,430

NETWORK BASED BLOCKING THREAT INTELLIGENCE SYSTEM AND METHODS

Non-Final OA §101 §103
Filed: Jan 29, 2024
Examiner: DEBNATH, SUMAN
Art Unit: 2495
Tech Center: 2400 (Computer Networks)
Assignee: Level 3 Communications LLC
OA Round: 1 (Non-Final)
Grant Probability: 75% (Favorable)
OA Rounds: 1-2
To Grant: 4y 2m
With Interview: 99%

Examiner Intelligence

Grants 75%, above average
Career Allow Rate: 75% (302 granted / 405 resolved), +16.6% vs TC avg
Strong +34% interview lift
Interview Lift: +33.7% (resolved cases with interview)
Typical timeline: 4y 2m Avg Prosecution, 15 currently pending
Career history: 420 Total Applications across all art units

Statute-Specific Performance

§101: 11.7% (-28.3% vs TC avg)
§103: 53.1% (+13.1% vs TC avg)
§102: 13.9% (-26.1% vs TC avg)
§112: 15.8% (-24.2% vs TC avg)
Based on career data from 405 resolved cases

Office Action

§101 §103
DETAILED ACTION

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claims 1-20 are pending in this application.

Information Disclosure Statement

The information disclosure statement (IDS) was submitted on 05/21/2024. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 101

35 U.S.C. 101 reads as follows:

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. The claims recite steps of receiving/analyzing/modifying/distributing security rules (i.e., access control lists of identifiers) and monitoring threats to issue warnings which is a mental process or method of organizing human activity (i.e., security rule management). Generic routers, processors, memory, and conventional blocking do not integrate the abstract idea into a practical application or add an inventive concept. See Alice Corp. v. CLS Bank Int’l, 573 U.S. 208 (2014); Elec. Power Grp., LLC v. Alstom S.A., 830 F.3d 1350 (Fed. Cir. 2016).

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1-5, 8-13 and 15-19 are rejected under 35 U.S.C. 103 as being unpatentable over Yang et al. (US 2014/0379915 A1) (hereinafter, “Yang”) in view of Bechtolsheim et al. (US 6,377,577 B1) (hereinafter, “Bechtolsheim”).

As to claim 1, Yang discloses a method, comprising: receiving an access control list (“… a method comprises receiving, from a router, information associated with network traffic having been received by the router; determining an access control list policy for the network traffic based on the information;” -e.g., see, [0014]; see also: “… the centralized ACL management server 12 can return to the communication and control module 36 in operation 40 policy values 42 that describe an access control list policy determined by the ACL management server 12 based on the information 38 from the router 14.” -e.g., see, [0020]; herein, the management server receives network traffic information and uses it to determine the ACL policy); modifying the access control list … (“The policy handler 130 in the communication module 70 can format the policy decision 110 into router policy values 132 describing the access control list policy 110, wherein the message distributor 134 can send the message containing the router policy values 132 to the router 14.” -e.g., see, [0026]; herein, policy value/ACL is formatted/modified); and providing the modified access control list to the first router (“The policy handler 130 in the communication module 70 can format the policy decision 110 into router policy values 132 describing the access control list policy 110, wherein the message distributor 134 can send the message containing the router policy values 132 to the router 14.” -e.g., see, [0026]; herein, this corresponds to the claimed “providing the modified access control list to the first router” because the server sends the optimized policy values/ACL to the router for implementation). Yang doesn’t explicitly disclose determining a capability of a first router; modifying the access control list based at least in part on the capability of the first router.

However, in an analogous art, Bechtolsheim discloses determining a capability of a first router (“The ACL entered for recording in the CAM can be optimized to reduce the number of separate entries in the CAM” -e.g., see, col. 2, lines 51-58; herein, the optimization is performed specifically for the router’s CAM hardware); modifying the access control list based at least in part on the capability of the first router (“The ACL entered for recording in the CAM can be optimized to reduce the number of separate entries in the CAM, such as by combining entries which are each special cases of a more general access control specifier.” -e.g., see, col. 2, lines 51-58; herein, the ACL is optimized/reduced in size to fit the specific router’s CAM capacity; see also: “When an access control list is translated for entry into the access control memory, it is optimized to reduce the number of separate entries that are used. Thus, an access control list with N separate access control entries is translated into a set of access control specifiers 211 that can be smaller or larger than N, depending on the effect of optimization.” -e.g., see, col. 5, lines 33-38). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Yang to incorporate the teaching of Bechtolsheim in order to ensure efficient deployment of ACLs within device constraints, which is a known and predictable optimization.

As to claim 2, Yang in view of Bechtolsheim discloses the method of claim 1, Bechtolsheim further discloses wherein modifying the access control list comprises reducing a number of items on the access control list based at least in part on identifying a maximum capacity of the first router for the access control list (“The ACL entered for recording in the CAM can be optimized to reduce the number of separate entries in the CAM” -e.g., see, col. 2, lines 54-58 and “When an access control list is translated for entry into the access control memory, it is optimized to reduce the number of separate entries that are used.” -e.g., see, col. 5, lines 33-38). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Yang to incorporate the teaching of Bechtolsheim in order to ensure efficient deployment of ACLs within device constraints, which is a known and predictable optimization.

As to claim 3, Yang in view of Bechtolsheim discloses the method of claim 1, Bechtolsheim further discloses wherein the capability of the first router is based at least in part on an identifier of the first router, one or more other access control lists stored on the first router, or a combination thereof (“The ACL entered for recording in the CAM can be optimized to reduce the number of separate entries in the CAM, such as by combining entries which are each special cases of a more general access control specifier.” -e.g., see, col. 2, lines 51-58; herein, the optimization is performed for the specific router’s CAM hardware and considers existing entries; thus, reads on the limitation; see also: “When an access control list is translated for entry into the access control memory, it is optimized to reduce the number of separate entries that are used. Thus, an access control list with N separate access control entries is translated into a set of access control specifiers 211 that can be smaller or larger than N, depending on the effect of optimization.” -e.g., see, col. 5, lines 33-38). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Yang to incorporate the teaching of Bechtolsheim in order to ensure efficient deployment of ACLs within device constraints, which is a known and predictable optimization.

As to claim 4, Yang in view of Bechtolsheim discloses the method of claim 1, Yang further discloses comprising: receiving an update to the access control list; and updating the modified access control list of the first router based at least in part on the update to the access control list (“The ACL management module 56 can maintain the life cycle of ACLs 62 based on the statistics data collected by the ACL module 26. The access control lists 62 generated by the ACL module 26 are applied to the inbound and outbound interfaces 20.” -e.g., see, [0020]; see also: “Particular embodiments use a cloud based architecture to dynamically create/delete/manage access control lists (ACLs) that manage admission control policies for network traffic generated by user devices (e.g., personal computers, intelligent tablet devices, intelligent mobile phones, etc.), and also generate ACL recommendations for network administrators.” -e.g., see, [0015]; herein, the system receives updates via statistics and pushes dynamic updates to the router’s modified ACL).

As to claim 5, Yang in view of Bechtolsheim discloses the method of claim 1, Yang further discloses comprising: determining that the first router has received at least a threshold number of threat communications associated with identifiers in the access control list and not in the modified access control list; and reporting a warning communication based at least in part on determining that the first router has received at least the threshold number of threat communications associated with identifiers in the access control list and not in the modified access control list (“… the ACL module 26 can collect all statistics data on generated access control lists (ACLs) 62. The ACL management module 56 can maintain the life cycle of ACLs 62 based on the statistics data collected by the ACL module 26. The access control lists 62 generated by the ACL module 26 are applied to the inbound and outbound interfaces 20. … the event of receiving the packet is recorded by the ACL module 26 based on updating ACL statistics associated with the corresponding ACL 62, for example tracking hit count and generating traffic statistics based on the live traffic relative to the ACLs 62.” -e.g., see, [0020]; see also: “If in operation 104a a condition is set with the chosen rule (e.g., "if ACL has no hit counts for 30 days, then delete"), then append the condition value in operation 104b to the best matched rule and send in operation 160 the policy 110 to the communication module 70.” -e.g., see, [0028]; herein, the system monitors hit counts on traffic matching the full ACL but not blocked by the reduced local version and issues warnings when condition/thresholds are met).

As to claim 8, Yang in view of Bechtolsheim discloses the method of claim 1, Yang further discloses wherein the first router is configured to block an incoming communication based at least in part on the incoming communication comprising an identifier that is listed on the modified access control list (“The access control lists 62 generated by the ACL module 26 are applied to the inbound and outbound interfaces 20. Network traffic 28 from the interface 20 can be analyzed with respect to the ACL maintained in the ACL module 26” -e.g., see, [0020]; herein, traffic is analyzed and blocked as per the ACL).

As to claim 9, Yang in view of Bechtolsheim discloses the method of claim 1, Yang further discloses wherein the first router is configured to block an outgoing communication based at least in part on the outgoing communication comprising an identifier that is listed on the modified access control list (“The access control lists 62 generated by the ACL module 26 are applied to the inbound and outbound interfaces 20. Network traffic 28 from the interface 20 can be analyzed with respect to the ACL maintained in the ACL module 26” -e.g., see, [0020]; herein, the router uses the modified ACL to block outgoing traffic matching listed identifiers).

As to claim 10, Yang discloses a method, comprising: determining a first access control list (“… a method comprises receiving, from a router, information associated with network traffic having been received by the router; determining an access control list policy for the network traffic based on the information;” -e.g., see, [0014]; see also: “… the centralized ACL management server 12 can return to the communication and control module 36 in operation 40 policy values 42 that describe an access control list policy determined by the ACL management server 12 based on the information 38 from the router 14.” -e.g., see, [0020]; herein, the management server receives network traffic information and uses it to determine the ACL policy); … implementing the second access control list at a first router (“The policy handler 130 in the communication module 70 can format the policy decision 110 into router policy values 132 describing the access control list policy 110, wherein the message distributor 134 can send the message containing the router policy values 132 to the router 14.” -e.g., see, [0026]); determining that the first router has received at least a threshold number of threat communications associated with identifiers in the first access control list and not in the second access control list (“… the ACL module 26 can collect all statistics data on generated access control lists (ACLs) 62. The ACL management module 56 can maintain the life cycle of ACLs 62 based on the statistics data collected by the ACL module 26. The access control lists 62 generated by the ACL module 26 are applied to the inbound and outbound interfaces 20. … the event of receiving the packet is recorded by the ACL module 26 based on updating ACL statistics associated with the corresponding ACL 62, for example tracking hit count and generating traffic statistics based on the live traffic relative to the ACLs 62.” -e.g., see, [0020]); and taking a mitigation action based at least in part on determining that the first router has received at least the threshold number of threat communications associated with identifiers in the first access control list and not in the second access control list (“If in operation 104a a condition is set with the chosen rule (e.g., "if ACL has no hit counts for 30 days, then delete"), then append the condition value in operation 104b to the best matched rule and send in operation 160 the policy 110 to the communication module 70.” -e.g., see, [0028]; herein, the system monitors hit counts on traffic matching the full ACL but not blocked by the reduced local version and issues warnings when condition/thresholds are met). Yang doesn’t explicitly disclose determining a second access control list that is a subset of the first access control list.

However, in an analogous art, Bechtolsheim discloses determining a second access control list that is a subset of the first access control list (“The ACL entered for recording in the CAM can be optimized to reduce the number of separate entries in the CAM, such as by combining entries which are each special cases of a more general access control specifier.” -e.g., see, col. 2, lines 51-58; see also: “When an access control list is translated for entry into the access control memory, it is optimized to reduce the number of separate entries that are used. Thus, an access control list with N separate access control entries is translated into a set of access control specifiers 211 that can be smaller or larger than N, depending on the effect of optimization.” -e.g., see, col. 5, lines 33-38).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Yang to incorporate the teaching of Bechtolsheim in order to ensure efficient deployment of ACLs within device constraints, which is a known and predictable optimization.

As to claim 11, Yang in view of Bechtolsheim discloses the method of claim 10, Yang further discloses wherein taking the mitigation action comprises reporting a warning communication (“A notification 108 also can be sent by the APM 76 to the management platform 78, enabling a network administrator (112 of FIG. 1) to approve, reject, or modify the recommendation generated by the APM 76.” -e.g., see, [0024]).

As to claim 12, Yang in view of Bechtolsheim discloses the method of claim 11, Yang discloses wherein the warning communication comprises an option to upgrade a security setting (“… a proposed access control list policy, and submit a recommendation specifying the proposed access control list policy to a network administrator for confirmation.” -e.g., see, [0015]).

As to claim 13, Yang in view of Bechtolsheim discloses the method of claim 11, Yang further discloses wherein the warning communication comprises an option to remove one or more lowest risk score identifiers from the second access control list and add, to the second access control list, the identifiers associated with the received threat communications in the first access control list and not in the second access control list ([0020], [0021]; herein, administrator options for policy adjustment, including swapping lowest-priority entries for higher ones based on statistics).

As to claim 15, Yang in view of Bechtolsheim discloses the method of claim 10, Bechtolsheim further discloses wherein implementing the second access control list at the first router is based at least in part on a capability of the first router (“The ACL entered for recording in the CAM can be optimized to reduce the number of separate entries in the CAM” -e.g., see, col. 2, lines 51-58; herein, implementation of the reduced (e.g., second) ACL is based on the router’s CAM capability). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Yang to incorporate the teaching of Bechtolsheim in order to ensure efficient deployment of ACLs within device constraints, which is a known and predictable optimization.

As to claim 16, Yang in view of Bechtolsheim discloses the method of claim 10, Yang further discloses wherein the identifiers comprise internet protocol addresses, port numbers, protocol types, or a combination thereof (“An incoming packet 140 is disassembled by a packets disassemble component 142 which can retrieve basic information such as Internet protocol (IP) addresses including source address, destination address, source and destination TCP/UDP ports, timestamps, etc. A database query component 144 can format the information retrieved by the packets disassemble component 142 in order to query the database 84.” -e.g., see, [0027]; see also: “The packet analysis engine 74 can forward the query result 96 to the ACL policy module (APM) 76. A rule matching process 98 in the APM 76 can identify the best access control list policy based on a correlation relative to stored access control list policies;” -e.g., see, [0023]).

As to claim 17, it is rejected using the similar rationale as for the rejection of claim 1. Yang further discloses a system, comprising: a processor; and a memory operatively connected to the processor and storing instructions that, when executed by the processor … (“… the processor circuit including a reserved portion of processor memory for storage of application state data and application variables that are modified by execution of the executable code by a processor circuit. A memory circuit can be implemented” -e.g., see, [0031]).

As to claim 18, Yang in view of Bechtolsheim discloses the system of claim 17, Bechtolsheim further discloses wherein modifying the access control list comprises reducing a number of items on the access control list based at least in part on identifying that the first router is not capable of storing the full access control list (“The ACL entered for recording in the CAM can be optimized to reduce the number of separate entries in the CAM” -e.g., see, col. 2, lines 54-58 and “When an access control list is translated for entry into the access control memory, it is optimized to reduce the number of separate entries that are used.” -e.g., see, col. 5, lines 33-38). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Yang to incorporate the teaching of Bechtolsheim in order to ensure efficient deployment of ACLs within device constraints, which is a known and predictable optimization.

As to claim 19, it is rejected using the similar rationale as for the rejection of claim 5.

Claims 6-7, 14 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Yang in view of Bechtolsheim as applied to claims 1, 10 and 17 above, and further in view of Etheridge (US 7,188,164 B1).

As to claim 6, Yang in view of Bechtolsheim discloses the method of claim 1, Yang in view of Bechtolsheim doesn’t explicitly disclose further comprising: determining a remainder of the access control list, the remainder comprising identifiers on the access control list but not on the modified access control list; and providing the remainder of the access control list to a second router, wherein the second router is upstream from the first router. However, in an analogous art, Etheridge discloses determining a remainder of the access control list, the remainder comprising identifiers on the access control list but not on the modified access control list; and providing the remainder of the access control list to a second router, wherein the second router is upstream from the first router (“The paradigm ACL for each non-homogenous network device is then merged with each other paradigm ACL to create a common paradigm ACL which can be distributed to each non-homogenous router device to provide common filtering across all of the routers.” -e.g., see, col. 3, lines 17-21; see also, Fig. 2; herein, the full paradigm ACL is split and the remainder/difference is provided to the upstream second router). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Yang and Bechtolsheim to incorporate the teaching of Etheridge in order to achieve scalable, efficient threat blocking without router overload.

As to claim 7, Yang in view of Bechtolsheim and Etheridge discloses the method of claim 6, Etheridge further discloses wherein the modified access control list comprises intra-network identifiers and the remainder of the access control list comprises inter-network identifiers (“The present invention is enabled by identifying the router devices in the network path such as a gateway to a LAN or other such router devices as may be encountered in protecting a particular portion of the inter-networked system. Each identified router device can be compared to each other router device in the system to determine the variation in ACL format and content to determine the number of non-homogenous formats in use in the system. Each ACL format is then analyzed to determine which discrete packet fields are used for filtering and a paradigm set of packet fields which are common to all identified ACL formats is created.” -e.g., see, col. 3, lines 3-20). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Yang and Bechtolsheim to incorporate the teaching of Etheridge in order to achieve scalable, efficient threat blocking without router overload.

As to claim 14, Yang in view of Bechtolsheim discloses the method of claim 10, Yang in view of Bechtolsheim doesn’t explicitly disclose comprising: implementing a third access control list at a second router, the third access control list comprising a difference between the first access control list and the second access control list. However, in an analogous art, Etheridge discloses implementing a third access control list at a second router, the third access control list comprising a difference between the first access control list and the second access control list (“The paradigm ACL for each non-homogenous network device is then merged with each other paradigm ACL to create a common paradigm ACL which can be distributed to each non-homogenous router device to provide common filtering across all of the routers.” -e.g., see, col. 3, lines 17-21; see also, Fig. 2; herein, the remainder/difference is implemented as the third ACL on the second router). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Yang and Bechtolsheim to incorporate the teaching of Etheridge in order to achieve scalable, efficient threat blocking without router overload.

As to claim 20, it is rejected using the similar rationale as for the rejection of claim 6.

Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Ranjan et al. (US 2021/0359997 A1) teaches modifying ACL deployment based on device capability, wherein Ranjan teaches “obtaining a processed access control list configuration” and determine whether to program a TCAM profile based on device constraints including available memory space in a TCAM of a network device and further teaches programming the TCAM profile when the potential TCAM profile passes the test. -e.g., see, claim 1, abstract, [0027], [0028] of Ranjan.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to SUMAN DEBNATH whose telephone number is (571)270-1256. The examiner can normally be reached Mon-Fri; 9:00am-5:00pm.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached at 571-272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

SUMAN DEBNATH
Patent Examiner
Art Unit 2495

/S.D/
Examiner, Art Unit 2495

/JEFFERY L WILLIAMS/
Primary Examiner, Art Unit 2495

Prosecution Timeline

Jan 29, 2024
Application Filed
Mar 21, 2026
Non-Final Rejection — §101, §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12602485
MONITORING SECURITY RISK OF A COMPUTING DEVICE
2y 5m to grant Granted Apr 14, 2026
Patent 12574377
Ephemeral Gateway for Remote Access
2y 5m to grant Granted Mar 10, 2026
Patent 12574220
Sharing Encryption Information Amongst Storage Devices In A Storage System
2y 5m to grant Granted Mar 10, 2026
Patent 12561419
USAGE-BASED ACCESS AUTHORIZATION FOR SOFTWARE CODE OF MULTI-PATH INPUT-OUTPUT DRIVERS
2y 5m to grant Granted Feb 24, 2026
Patent 12554835
ALWAYS-ON ARTIFICIAL INTELLIGENCE (AI) SECURITY HARWARE ASSISTED INPUT/OUTPUT SHAPE CHANGING
2y 5m to grant Granted Feb 17, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.


Prosecution Projections

Expected OA Rounds: 1-2
Grant Probability: 75%
With Interview: 99% (+33.7%)
Median Time to Grant: 4y 2m
PTA Risk: Low
Based on 405 resolved cases by this examiner. Grant probability derived from career allow rate.
