DETAILED ACTION
Claims 1, 9 and 17 have been amended.
Claims 2, 10 and 18 have been previously cancelled.
Claims 1, 3-9, 11-17 and 19-23 are pending.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 02/06/26 has been entered.
Response to Arguments
Applicant’s arguments with respect to the 103 rejection of claims 1, 9 and 17 (see applicant’s remarks; pages 10 and 11) have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
In particular, the examiner no longer relies upon Herbert and has introduced Shultz to disclose the amended limitation “…wherein the secondary computing system is configured to process the second request with lower priority than the first request and a timeout period”, as shown in the rejection below.
The applicant states similar reasoning as that of claims 1, 9 and 17 for dependent claims 3-7, 11-15 and 19-23 (see applicant’s remarks; pages 11 and 12). As such, the same rationale discussed above regarding claims 1, 9 and 17 applies equally as well to claims 3-7, 11-15 and 19-23.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1, 8, 9, 16 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Sathe et al. (U.S. 11,775,640 B1) in view of Shultz et al. (U.S. 2021/0037054 A1), and further in view of Diamant et al. (U.S. 2022/0414245 A1).
Regarding claims 1, 9 and 17, Sathe discloses a method comprising:
determining that a first request has been processed by a primary computing system using one or more computing services (see Sathe; column 9 lines 40-43, column 11 lines 26-40 and column 17 lines 2-7 and 15-16; Sathe discloses a computing device may transmit a request to execute a task, in which the task may be triggered for execution based on data retrieved from auxiliary services or storage services, i.e. “using one or more computing services”. The task is executed, i.e. “a first request that has been processed”, by a virtual machine instance or host computing device, i.e. “primary computing system”);
determining that processing resources used in processing the first request have exceeded a first computing threshold for the first request (see Sathe; column 17 lines 21-34, 40-44, 54-61 and column 20 lines 46-61; Sathe discloses providing a resource utilization signature that represents the amount or percentage of computing resources that were utilized during execution of the task and monitoring, i.e. “determining…”, of the utilization is threshold-based, such as if a processor utilization exceeds a threshold, i.e. “the first request have exceeded a first computing threshold”);
determining that the first request is malicious based on the determination that the processing resources exceed the first computing threshold (see Sathe; column 17 lines 21-25, column 19 lines 15-21, 63-67, column 20 lines 46-51; Sathe discloses determining the resource utilization, including a processor utilization, has exceeded a threshold, i.e. “the processing resources exceed the first computing threshold”, and detecting that the executed task corresponds to a malicious task, i.e. “the first request is malicious”);
identifying a client of the primary computing system from which the first request was received (see Sathe; column 9 lines 40-43, column 19 lines 66-67 and column 22 lines 24-26; Sathe discloses a user or other computing device may transmit the request to execute the task. And the user is notified, i.e. “identifying a client of the primary computing system…”, that the resource utilization of the submitted task corresponds to malware, i.e. “…from which the first request was received”).
While Sathe discloses “determining that the first request is malicious…”, as discussed above, Sathe does not explicitly disclose receiving a second request from the client; and routing the second request to a secondary computing system for processing using the one or more computing services, in lieu of the primary computing system, based on the determination that the first request is malicious wherein the secondary computing system is configured to process the second request with lower priority than the first request and a timeout period.
In analogous art, Shultz discloses receiving a second request from the client (see Shultz; paragraph 0037; Shultz discloses receiving subsequent requests from a client, i.e. “a second request from the client”, previously flagged as a suspicious client based on a previous client request); and
routing the second request to a secondary computing system for processing using the one or more computing services, in lieu of the primary computing system, based on the determination that the first request is malicious, wherein the secondary computing system is configured to process the second request with lower priority than the first request and a timeout period (see Shultz; paragraphs 0037, 0038, 0046 and 0055; Shultz discloses the subsequent request is isolated, in response to a previously flagged suspicious client request, i.e. “based on the determination that the first request is malicious”, by sending the subsequent request, using a given application, i.e. “using the one or more computing services”, to a quarantined server, i.e. “routing the second request to a secondary computing system” instead of a non-quarantined server, i.e. “in lieu of the primary computing system”. The request is processed in a limited manner, i.e. “with lower priority…”, compared to the first request and the amount of time, i.e. “timeout period”, is varied to process the suspicious client request).
One of ordinary skill in the art would have been motivated to combine Sathe and Shultz because they both disclose features of detection of network attacks, and as such, are within the same environment.
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to have incorporated Shultz’s isolated quarantine server into the system of Sathe in order to provide the benefit of improved security and efficiency by allowing any request from a user for a task that causes resource utilization to reach a threshold (see Sathe; column 9 lines 40-43 and column 20 lines 46-61) to be forwarded to an isolated system to prevent harmful actions on the network (see Shultz; paragraph 0012).
While both Sathe and Shultz disclose the “primary computing system”, as well as, Shultz discloses the “secondary computing system” as discussed above, the combination of Sathe and Shultz does not explicitly disclose wherein the secondary computing system comprises fewer computing resources relative to the primary computing system.
In analogous art, Diamant discloses wherein the secondary computing system comprises fewer computing resources relative to the primary computing system (see Diamant; paragraphs 0017 and 0032; Diamant discloses deploying a virtual low-interaction honeypot, i.e. “secondary computing system”. And when a request is determined to be an attack the honeypot is used. The examiner notes that, as known to one of ordinary skill in the art, low-interaction honeypots use significantly fewer resources than a primary node, i.e. “the secondary computing system comprises fewer computing resources relative to the primary computing system”).
One of ordinary skill in the art would have been motivated to combine Sathe, Shultz and Diamant because they all disclose features of detection of network attacks, and as such, are within the same environment.
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to have incorporated Diamant’s virtual low-interaction honeypot into the combined system of Sathe and Shultz in order to provide the benefit of improved cost by allowing any request from a user for a task that causes resource utilization to reach a threshold (see Sathe; column 9 lines 40-43 and column 20 lines 46-61) to be forwarded to an isolated quarantine server that simulates responses (see Shultz; paragraphs 0038 and 0040), such as a virtual honeypot that is deployed to simulate the network stack of different operating systems and can provide arbitrary routing topologies and services for an arbitrary number of virtual systems, thereby bypassing the need of a physical honeypot, which is oftentimes too intensive and expensive (see Diamant; paragraph 0023).
Further, Sathe discloses the additional limitations of claim 9, a memory (see Sathe; column 16 lines 15-18; Sathe discloses a memory); and at least one processor coupled to the memory and configured to perform operations (see Sathe; column 16 lines 15-18; Sathe discloses a memory may contain computer program instructions a processor executes).
Further, Sathe discloses the additional limitations of claim 17, a non-transitory computer-readable medium having instructions stored thereon that, when executed by at least one computing device, cause the at least one computing device to perform operations (see Sathe; column 16 lines 20-23; Sathe discloses a non-transitory computer readable media storing an operating system that provides computer program instructions for use by the processor).
Regarding claims 8 and 16, Sathe, Shultz and Diamant disclose all the limitations of claims 1 and 9, as discussed above, and further the combination of Sathe, Shultz and Diamant clearly discloses wherein the determining that processing resources used in processing the first request have exceeded the first computing threshold for the first request comprises: receiving statistics about which processing resources were used in processing the first request based on a trace of the first request as it was processed by the first computing system (see Sathe; column 17 lines 21-34, 40-44, 54-60 and column 20 lines 46-61; Sathe discloses the resource utilization signature provides resource utilization metrics, i.e. “receiving statistics…”, such as, total amount of memory allocated, the quantity of data written/read from memory, the processor utilization and the amount of bandwidth consumed during execution of the task, i.e. “which processing resources were used in processing the first request…” and the monitoring of the utilization is threshold-based, i.e. “exceeded the first computing threshold”).
Claims 3-7, 11-15 and 19-23, are rejected under 35 U.S.C. 103 as being unpatentable over Sathe et al. (U.S. 11,775,640 B1) in view of Shultz et al. (U.S. 2021/0037054 A1), and Diamant et al. (U.S. 2022/0414245 A1) as applied to claims 1, 9 and 17 above, and further in view of Hughes (U.S. 2007/0199070 A1).
Regarding claims 3, 11 and 19, Sathe, Shultz and Diamant disclose all the limitations of claims 1, 9 and 17, as disclosed above. While Sathe discloses “determining that the first request is malicious…”, as discussed above, the combination of Sathe, Shultz and Diamant does not explicitly disclose determining that the first request comprises a first type of request from a plurality of request types.
In analogous art, Hughes discloses determining that the first request comprises a first type of request from a plurality of request types (see Hughes; paragraphs 0038, 0040 and 0041; Hughes discloses the request for services is a communication within a plurality of communications, i.e. “plurality of requests”, and identifying the nature of the request, i.e. “a first type of request from a plurality of request types”); and determining that the second request comprises the first type of request (see Hughes; paragraph 0041; Hughes discloses all future communications, i.e. “the second request”, are related to the request, i.e. “first type of request”, by the nature of the request).
One of ordinary skill in the art would have been motivated to combine Sathe, Shultz, Diamant and Hughes because they all disclose features of detection of network attacks, and as such, are within the same environment.
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to have incorporated Hughes’ isolated software environment feature into the combined system of Sathe, Shultz and Diamant in order to provide the benefit of improved security and efficiency by allowing any request from a user for a task that causes resource utilization to reach a threshold (see Sathe; column 9 lines 40-43 and column 20 lines 46-61) to be forwarded to an isolated environment so that the requested service may be emulated and thus provide the gathering of information to identify the attacker (see Hughes; paragraphs 0039 and 0040).
Regarding claims 4, 12 and 20, Sathe, Shultz, Diamant and Hughes disclose all the limitations of claims 3, 11 and 19, as disclosed above, and further the combination of Sathe, Shultz, Diamant and Hughes clearly discloses receiving a third request from the client (see Hughes; paragraph 0038; Hughes discloses a request is a communication within a plurality of communications, i.e. “a third request” out of the plurality of communications);
determining that the third request is a second type of request from the plurality of request types (see Hughes; paragraphs 0022, 0038; Hughes discloses different types of network traffic and a request is a communication within a plurality of communications and network traffic, i.e. “a third request” out of the plurality of communications. In other words, a request out of the plurality of communications may be of a type, i.e. “a second type”, out of different types); and
routing the third request to the primary computing system, in lieu of the secondary computing system, based on the determination that the third request is the second type of request and the determination that the first request is malicious (see Hughes; paragraphs 0038-0041; Hughes discloses if the request is determined to be a threat, i.e. “based on the determination that the first request is malicious”, all future communications related to the request are forwarded to an isolated software environment, i.e. “secondary computing system”. However, if the request is determined to not be a threat, i.e. “based on the determination that the third request is the second type of request”, the request is forwarded to the appropriate device, i.e. “routing the third request to the primary computing system”, for response to the request for service, and not the isolated software environment, i.e. “in lieu of the secondary computing system”).
The prior art used in the rejection of the current claim is combined using the same motivations as was applied in claims 3, 11 and 19.
Regarding claims 5 and 13, Sathe, Shultz and Diamant disclose all the limitations of claims 1 and 9, as disclosed above. The combination of Sathe, Shultz and Diamant does not explicitly disclose determining, after the routing, that processing resources used by the secondary computing system in processing the second request are below a second computing threshold; and routing a third request received from the client to the primary computing system, in lieu of the secondary computing system, based on the determination that the second request is below the second computing threshold.
In analogous art, Hughes discloses determining, after the routing, that processing resources used by the secondary computing system in processing the second request are below a second computing threshold (see Hughes; paragraphs 0021, 0034 and 0039; Hughes discloses comparing the request communication, i.e. “the second request”, at the isolated software environment, i.e. “the secondary computing system”, to determine if below a baseline, i.e. “a second computing threshold”); and
routing a third request received from the client to the primary computing system, in lieu of the secondary computing system, based on the determination that the second request is below the second computing threshold (see Hughes; paragraphs 0034 and 0038-0041; Hughes discloses if the request is determined to not be a threat and below the baseline, i.e. “based on the determination that the second request is below the second computing threshold”, the request is forwarded to the appropriate device, i.e. “routing the third request to the primary computing system”, for response to the request for service, and not the isolated software environment, i.e. “in lieu of the secondary computing system”).
One of ordinary skill in the art would have been motivated to combine Sathe, Shultz, Diamant and Hughes because they all disclose features of detection of network attacks, and as such, are within the same environment.
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to have incorporated Hughes’ isolated software environment feature into the combined system of Sathe, Shultz and Diamant in order to provide the benefit of improved security and efficiency by allowing any request from a user for a task that causes resource utilization to reach a threshold (see Sathe; column 9 lines 40-43 and column 20 lines 46-61) to be forwarded to an isolated environment so that the requested service may be emulated and thus provide the gathering of information to identify the attacker (see Hughes; paragraphs 0039 and 0040).
Regarding claims 6 and 14, Sathe, Shultz, Diamant and Hughes disclose all the limitations of claims 5 and 13, as disclosed above, and further the combination of Sathe, Shultz, Diamant and Hughes clearly discloses wherein the first computing threshold and the second computing threshold are identical (see Sathe; column 20 lines 46-51; Sathe discloses the monitoring of utilization includes threshold-based collection of resource utilization metrics; and Hughes discloses matching the baseline for the access by the request communications; paragraph 0021).
The prior art used in the rejection of the current claim is combined using the same motivations as was applied in claims 5 and 13.
Regarding claims 7 and 15, Sathe, Shultz and Diamant disclose all the limitations of claims 1 and 9, as disclosed above, and further Sathe discloses providing a message to a third computing system configured to receive requests from the client indicating that the first request, from the client, is malicious (see Sathe; column 19 lines 15-21, 53-58, 63-67, column 20 lines 46-51 and column 22 lines 24-26; Sathe discloses sending a notification, i.e. “providing a message”, to a device, i.e. “third computing system”, that the resource utilization of the executed requested task is a malicious task, i.e. “indicating that the first request, from the client, is malicious”).
While Sathe discloses “providing a message to a third computing system…”, as discussed above, the combination of Sathe, Shultz and Diamant does not explicitly disclose wherein the third computing system is configured to route a subsequent request received from the client to a fourth computing system responsive to receiving the message.
In analogous art, Hughes discloses wherein the third computing system is configured to route a subsequent request received from the client to a fourth computing system responsive to receiving the message (see Hughes; paragraphs 0034 and 0038-0041; Hughes discloses additional requests, i.e. “subsequent request”, are forwarded to a device, i.e. “route a subsequent request received from the client to a fourth computing system”, for response to the request for service).
One of ordinary skill in the art would have been motivated to combine Sathe, Shultz, Diamant and Hughes because they all disclose features of detection of network attacks, and as such, are within the same environment.
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to have incorporated Hughes’ isolated software environment feature into the combined system of Sathe, Shultz and Diamant in order to provide the benefit of improved security and efficiency by allowing any request from a user for a task that causes resource utilization to reach a threshold (see Sathe; column 9 lines 40-43 and column 20 lines 46-61) to be forwarded to an isolated environment so that the requested service may be emulated and thus provide the gathering of information to identify the attacker (see Hughes; paragraphs 0039 and 0040).
Regarding claims 21 and 22, Sathe, Shultz and Diamant disclose all the limitations of claims 8 and 16, as discussed above, and further Sathe clearly discloses generating, after the receiving, a secondary computing threshold based on the statistics (see Sathe; column 20 lines 46-51; Sathe discloses threshold-based monitoring of utilization metrics, i.e. “a secondary computing threshold based on statistics”);
determining that processing resources used in processing the second request have exceeded the second computing threshold (see Sathe; column 17 lines 21-34, 40-44, 54-61 and column 20 lines 46-61; Sathe discloses providing a resource utilization signature that represents the amount or percentage of computing resources that were utilized during execution of the task and monitoring, i.e. “determining…”, of the utilization is threshold-based, i.e. “the second computing threshold”, such as if a processor utilization exceeds a threshold, i.e. “processing resources…have exceeded the second computing threshold”); and
determining that the second request is malicious based on the determination that the processing resources used in processing the second request exceed the secondary computing threshold (see Sathe; column 17 lines 21-25, column 19 lines 15-21, 63-67, column 20 lines 46-51; Sathe discloses determining the resource utilization, including a processor utilization, has exceeded the threshold, i.e. “…processing the second request exceed the secondary computing threshold”, and detecting that the executed task corresponds to a malicious task, i.e. “the second request is malicious”).
While Sathe discloses “generating, after the receiving, a secondary computing threshold…”, “…the second request have exceeded the second computing threshold”, and “determining that the second request is malicious…”, as discussed above, the combination of Sathe, Shultz and Diamant does not explicitly disclose determining, after the routing, that the second request has been processed by the secondary computing system using the one or more computing services.
In analogous art, Hughes discloses determining, after the routing, that the second request has been processed by the secondary computing system using the one or more computing services (see Hughes; paragraphs 0039-0041; Hughes discloses the future communications, i.e. “second request”, that are forwarded to the isolated software environment are processed, i.e. “has been processed by the secondary computing system”).
One of ordinary skill in the art would have been motivated to combine Sathe, Shultz, Diamant and Hughes because they all disclose features of detection of network attacks, and as such, are within the same environment.
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to have incorporated Hughes’ isolated software environment feature into the combined system of Sathe, Hebert and Diamant in order to provide the benefit of improved security and efficiency by allowing any request from a user for a task that causes resource utilization to reach a threshold (see Sathe; column 9 lines 40-43 and column 20 lines 46-61) to be forwarded to an isolated environment so that the requested service may be emulated and thus provide the gathering of information to identify the attacker (see Hughes; paragraphs 0039 and 0040).
Regarding claim 23, Sathe, Shultz and Diamant disclose all the limitations of claim 17, as discussed above. While Shultz discloses “the secondary computing system”, as discussed above, the combination of Sathe, Shultz and Diamant does not explicitly disclose determining, after the routing, that processing resources used by the secondary computing system in processing the second request are below a second computing threshold; and routing a third request received from the client to the primary computing system, in lieu of the secondary computing system.
In analogous art, Hughes discloses determining, after the routing, that processing resources used by the secondary computing system in processing the second request are below a second computing threshold (see Hughes; paragraphs 0021, 0034 and 0039; Hughes discloses comparing the request communication, i.e. “the second request”, at the isolated software environment, i.e. “the secondary computing system”, to determine if below a baseline, i.e. “a second computing threshold”); and
routing a third request received from the client to the primary computing system, in lieu of the secondary computing system (see Hughes; paragraphs 0034 and 0038-0041; Hughes discloses if the request is determined to not be a threat and below the baseline, i.e. “based on the determination that the second request is below the second computing threshold”, the request is forwarded to the appropriate device, i.e. “routing the third request to the primary computing system”, for response to the request for service, and not the isolated software environment, i.e. “in lieu of the secondary computing system”).
One of ordinary skill in the art would have been motivated to combine Sathe, Shultz, Diamant and Hughes because they all disclose features of detection of network attacks, and as such, are within the same environment.
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to have incorporated Hughes’ isolated software environment feature into the combined system of Sathe, Shultz and Diamant in order to provide the benefit of improved security and efficiency by allowing any request from a user for a task that causes resource utilization to reach a threshold (see Sathe; column 9 lines 40-43 and column 20 lines 46-61) to be forwarded to an isolated environment so that the requested service may be emulated and thus provide the gathering of information to identify the attacker (see Hughes; paragraphs 0039 and 0040).
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
Plotzeneder et al. (U.S. 2023/0328041 A1) discloses forwarding a second request to a quarantine server and optionally to one or more further computers.
Broda et al. (U.S. 2022/0191209 A1) discloses routing a second request to a deception environment.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ADAM A COONEY whose telephone number is (571)270-5653. The examiner can normally be reached M-F 7:30am-5:00pm (every other Fri off).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Umar Cheema can be reached at 571-270-3037. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/A.A.C/Examiner, Art Unit 2458 02/11/26
/UMAR CHEEMA/Supervisory Patent Examiner, Art Unit 2458