Prosecution Insights
Last updated: April 19, 2026
Application No. 18/464,657

COMPUTER INVESTIGATION METHOD AND SYSTEM FOR INVESTIGATING AUTHENTICATION IN REMOTE HOST COMPUTERS

Final Rejection §102 §103 §112
Filed: Sep 11, 2023
Examiner: MARTINEZ, TOMMY NMN
Art Unit: 2496
Tech Center: 2400 — Computer Networks
Assignee: Sandfly Security Limited
OA Round: 2 (Final)
Grant Probability: 0% (At Risk)
OA Rounds: 3-4
To Grant: 3y 1m
With Interview: 0%

Examiner Intelligence

Grants only 0% of cases
Career Allow Rate: 0% (0 granted / 4 resolved, -58.0% vs TC avg)
Interview Lift: +0.0% (Minimal +0% lift, resolved cases with interview)
Avg Prosecution: 3y 1m (typical timeline, 30 currently pending)
Total Applications: 34 (career history, across all art units)

Statute-Specific Performance

§101: 3.1% (-36.9% vs TC avg)
§103: 44.3% (+4.3% vs TC avg)
§102: 20.5% (-19.5% vs TC avg)
§112: 32.1% (-7.9% vs TC avg)
Based on career data from 4 resolved cases

Office Action

§102 §103 §112
Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Priority

Acknowledgment is made of applicant’s claim for foreign priority under 35 U.S.C. 119 (a)-(d). The certified copy has been filed in parent Application No. NZ792206, filed on September 9, 2022.

Response to Arguments

Applicant's arguments filed September 25, 2025 have been fully considered but they are not persuasive.

Applicant states, in page 1 of the remarks, that claims 2, 3, and 14 have been canceled, and that claims 1, 4-13, and 15-18 are pending in the application, with claims 1 and 13 being independent claims.

In page 1 of the remarks, the disclosure of the Specification is objected to as it contains embedded hyperlinks beyond top-level domains and hyperlinks with 'https://' prefixes and/or other forms of browser-executable code. Applicant has amended the Specification to omit hyperlinks that exceeded top-level domains, and omits the 'https://' that had previously appeared with the top-level domains. Applicant has also voluntarily converted federally registered trademarks to all capital letters followed by the statutory ® symbol, and has amended one U.S. publication number to include a forward slash after the four digit year prefix. Applicant has requested withdrawal of the Specification objection. Examiner has withdrawn the Specification objection accordingly.

In page 1 of the remarks, claims 1-18 were objected to for inclusion of italicized words and the use of acronym "SSH" without writing out the words in the first occurrence. Applicant has converted all font to regular typeface, without the use of strikeouts and underlining. In the independent claims 1 and 13, Applicant has written out the words corresponding to acronym "SSH" preceding the first appearance of the acronym. Accordingly, Applicant respectfully requests the withdrawal of the claim objections.
Examiner has withdrawn the claim objections accordingly.

In page 1 of the remarks, claims 3, 6, 8, 14-15, and 17 were rejected under 35 U.S.C. 112(b) as being indefinite for failing to particularly point out and distinctly claim the subject matter. Applicant has cancelled claims 2, 3, and 14, while mistakenly stating that claim 4 has been cancelled, amended claims 5, 8, and 15 to omit 'any combination, iteration, or permutation of the above', and amended claim 17 to omit 'i.e.'. As a result, Applicant requests withdrawal of the rejections of claims 3, 6, 8, 14, 15, and 17 under 112(b). Examiner has withdrawn the rejections for claims 3, 8, 14, and 17 as a result of the amendments, as well as claims 6 and 15. However, upon review of the amended claims, claims 6 and 15 have raised issues, as claim 6 states ‘a record’ in lines 2-3, and it is unclear if both terms that appear for a first and second table are the same ‘record’ or are different from each other. Similar issues are also present for ‘an SSH key’ in dependent claim 15, as it is unclear if it is the same ‘SSH keys’ present in independent claim 13, or a different ‘SSH key’ from claim 13. As a result, claims 6 and 15 remain rejected under 112(b), but for different reasons than what both claims were initially rejected for, those being the ‘and/or’ wording in claim 6, which has been removed, and the claim limitation of 'any combination, iteration, or permutation of the above' for claim 15, which has been amended to not be present in the claims.

In page 2 of the remarks, Applicant states that claims 1-4, 7, 12-14, 16, and 18 were rejected under 35 U.S.C. 102(a)(1) as being anticipated by Rowland, US Publication No. 20210058412 ("Rowland-1"). Claims 5 and 15 were rejected under 35 U.S.C. 103 as being unpatentable over Rowland-1 in view of Brennan et al. US Patent No. 8782800 ("Brennan"). Also rejected under 103 are claim 6 as being unpatentable over Rowland-1 in view of Muddu et al. US Patent No. 10419463 ("Muddu"), claims 9-11 as being unpatentable over Rowland-1 in view of Rowland et al. US Publication No. 20030196123 ("Rowland-2"), further in view of Ylonen US Publication No. 20150222604 ("Ylonen"), and claims 8 and 17 as being unpatentable over Rowland-1 in view of Rowland-2, and Krasnyansky US Publication No. 20210383334 ("Krasnyansky").

Furthermore, in page 2 of the remarks, Applicant has stated that the rejections under §§ 102 and 103, with Applicant stating that independent claims 1 and 13 have been amended to clearly distinguish Applicant's claimed invention over the prior art, and submits that the present claims are in condition for allowance. Applicant states that Rowland-1 does not disclose or suggest the method of investigating a remote host computer by using an agentless investigation system, of the amended claims. Applicant highlights paragraphs [0339]-[0343] of Rowland-1 in page 3 of the remarks, and states that per paragraph [0343] of Rowland-1, the prior art describes investigating SSH keys in terms of detecting presence of an 'authorized_keys' file, in other words, whether the file is present or not. Furthermore, Applicant states that in page 4 of the remarks, an 'orphaned' key file is one in which the key file is present in an inactive user's directory, such as per Appendix A "looks for inactive accounts with valid ssh login keys in their home directory", and a 'malicious' key is one in which there is an authorized_keys file in a user's directory where that user should not have one, e.g., the example given in Rowland-1 was a database user called 'database' where the database's user directory has an authorized_keys file. Applicant states that there is no disclosure or suggestion in Rowland-1 of reading any authorized_keys file, locating keys within the files, retrieving the key and location, or performing any monitoring of the SSH keys, which were from now cancelled claims 2 and 3.
Applicant then states that the method of investigating a remote host computer by using an agentless investigation system of amended claim 1 is not disclosed, suggested, or rendered obvious by Rowland-1 taken alone or in combination with any of the other prior art of record, and believes that claim 1 is patentable, along with the dependent claims 4-12. The same also applies to independent claim 13 and dependent claims 15-18, with monitoring SSH keys over time (claims 5 and 15) and space (claims 8 and 17) being enhanced for SSH key investigation capabilities.

Examiner disagrees with the Applicant's arguments regarding independent claim 1 and the now cancelled claims 2 and 3, with the limitations present in claims 2 and 3 now present and integrated into claim 1. Examiner maintains that the limitations present in claim 1 for ‘and return investigation data relating to the SSH key, the investigation data including’, ‘a user account data’, and ‘at least one host computer identifier’ are maintained, as Rowland-1 discloses the aforementioned claim limitations in paragraphs [0343], [0379], and [0385], with Examiner maintaining the rejections, as the investigation data contains information relating to ‘user account data’ and ‘at least one host computer identifier’. As for the limitations of ‘read the at least one file and determine […]’, ‘the SSH key, retrieved from the content’, and ‘a location identifier of the SSH key in the content’, Examiner states that Rowland-1 does not disclose the limitations recited of reading, retrieving the SSH key, and a location identifier of the SSH key.
However, upon review of the prior art of record, it appears that the reference of Ylonen teaches the aforementioned limitations that Rowland-1 does not fully disclose by itself, through paragraphs [0229]-[0233] of Ylonen corresponding to the claim limitations above, including ‘SSH configuration file is parsed and identity keys are enumerated, corresponding to a file being read and determining if it includes an SSH key of the Applicant’ and ‘Fig. 19, block 1904, public key is extracted from an SSH configuration file’ in paragraph [0233] of Ylonen, and ‘reading locations of keys from the SSH configuration file’ for the keys in paragraph [0229] of the Applicant. As a result of a new ground of rejection for the independent claim 1 in response to the amendments made, Examiner now rejects claim 1 as being unpatentable over Rowland-1 in view of Ylonen. The same rationale applies for claims 4, 7, 12-13, 16, and 18. Furthermore, all other claims present in the application have been adjusted to reflect the new grounds of rejection. As a result, Examiner sets a new ground of rejection for claims 1, 4, 7, 12-13, 16, and 18, previously rejected under 35 U.S.C. 102, now rejected under 35 U.S.C. 103 over Rowland-1 in view of Ylonen.

Claim Rejections - 35 USC § 112(b)

The following is a quotation of 35 U.S.C. 112(b):

(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 6 and 15 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.

In claim 6, the term “a record” in claim 6, line 3 is associated with a second table with a relation to the SSH key, when the use of ‘a record’ in line 2 of the claim is utilized in a first table with ‘a record’ containing the SSH key. The use of ‘a record’ for the second table raises issues as to whether the singular term ‘a record’ is referring to a record that is the same between the first and second tables, or another type of ‘record’ that is newly described in accordance with a second table. Examiner recommends that Applicant amend the claim to clear up potential confusion of the use of the term ‘a record’.

In claim 15, the term “an SSH key” is utilized through claim 15, in lines 4-11, when the use of ‘a Secure Shell (SSH) key’ is stated in independent claim 13 as at least one authentication token in lines 9-11 of claim 13. The use of ‘an SSH key’ throughout claim 15 raises issues as to whether ‘an SSH key’ in the dependent claim 15 is the same ‘SSH key’ described in the independent claim 13, or a different ‘SSH key’ that was not described before in the claims. Examiner recommends that Applicant amend the claim to clear up potential confusion of the use of the term ‘an SSH key’.

Claim Rejections - 35 USC § 112

The following is a quotation of the first paragraph of 35 U.S.C. 112(a):

(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112:

The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 12 and 18 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention. Applicant has not pointed out where the new (or amended) claim is supported, nor does there appear to be a written description of the claim limitation ‘at least one investigative module […] to perform the investigative function independent of the investigation system, without requiring a connection to the investigation system’ in claim 12 in the application as filed.
As a result, this amended claim limitation is considered new matter, as the Applicant does not particularly point out where support for the limitation appears in the Specification of the Applicant, nor does it appear anywhere in the Specification of the Applicant. Claim 18 contains similar claim limitations amended as in claim 12 above, and as a result, is also rejected for the same reasons as claim 12 above.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 4, 7, 12-13, 16, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Rowland-1 (US 20210058412 A1) in view of Ylonen (US 20150222604 A1).

Regarding claim 1, Rowland-1 discloses ‘a method of investigating a remote host computer by using an agentless investigation system, the investigation system including a computer system with a computer processor coupled to a system memory and programmed with computer readable instructions, the method comprising’ ([0048] Investigation system is agentless. [0049] Investigation system is remote to the host computer.
[0042] Investigation system includes a computer system with a processor coupled to a system memory and programmed with computer readable instructions.): ‘establishing a connection with the host computer’ ([0043] Establishing a connection with a host computer.); ‘and sending at least one agentless investigative module to the host computer, the at least one investigative module configured to run on the host computer to perform at least one investigative function on the host computer’ ([0044] Sending at least one investigative module to the host computer, and the investigative module is configured to run on the host computer to perform at least one investigative function on the host computer.); ‘wherein the investigative function includes an investigation of the host computer to ascertain if there are any user accounts of the host computer that have data forms including at least one authentication token in the form of a Secure Shell (SSH) key’ ([0137] Investigation function of investigation modules includes investigating host computer to ascertain if there are any users or user accounts on host computer that have data form attributes differing from a predefined integrity status, and paragraph [0138] states that examples of suspicious user data form attributes include authentication tokens that can include SSH authentication keys in paragraph [0146].); ‘and wherein the investigative module is configured to’ ([0343] Investigative module 3 is configured to investigate a host computer 2 to search for a disabled user with a valid authorized_keys file in their home directory, in which it is described in paragraph [0339] that SSH allows for public or private key access if a user chooses to put their public key in a file called authorized_keys under their home directory, wherein the authorized_keys file can correspond to the SSH public key of the applicant.
Afterwards, the investigation module will return investigation data that indicates that authorized_keys file is suspicious, collecting the investigation data in the process.): ‘locate at least one file’ ([0343] Investigative module 3 is configured to investigate a host computer 2 to search for a disabled user with a valid authorized_keys file in their home directory.); ‘and return investigation data relating to the SSH key, the investigation data including’ ([0343] Afterwards, the investigation module will return investigation data that indicates that authorized_keys file is suspicious, collecting the investigation data in the process.): ‘a user account data’ ([0379] Data that is investigated on is analyzed on a host computer 2, as the data can reveal file locations, user account details, and other confidential information, as stated in paragraph [0380].); ‘at least one host computer identifier’ ([0385] Fig. 5 shows a method of operation for an investigation system, as stated in the description of paragraph [0242], and in block b of Fig. 5, one can add a ghost computer by IP address, IP list, or another similar mechanism, to which the IP address or IP list can correspond to a host computer identifier.). Rowland-1 does not appear to disclose, but Ylonen teaches the limitations of ‘read the at least one file and determine if content in the at least one file includes an SSH key’ (Ylonen [0233] SSH configuration file is parsed and identity keys are enumerated, corresponding to a file being read and determining if it includes an SSH key of the Applicant, in combination with Rowland-1’s authorized_keys file in paragraphs [0339] and [0343], teaches this limitation of the Applicant.); ‘the SSH key, retrieved from the content’ (Ylonen [0233] Fig. 19, block 1904, public key is extracted from an SSH configuration file, and reading corresponding SSH public key file. 
SSH keys are mentioned in paragraph [0230] of Ylonen.); ‘a location identifier of the SSH key in the content’ (Ylonen [0229] Location of user’s key is determined by reading and parsing an SSH configuration file on the host.).

Accordingly, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention, having the teachings of Rowland-1 and Ylonen before them, to include Ylonen’s ‘read the at least one file and determine if content in the at least one file includes an SSH key’, ‘the SSH key, retrieved from the content’, ‘a location identifier of the SSH key in the content’ in Rowland-1’s method performing ‘investigating a remote host computer by using an agentless investigation system’. One would have been motivated to make such a combination to increase efficiency by having information relating to an SSH key in an SSH configuration file for faster processing and simplifying the process of obtaining the keys in the SSH configuration file and their location in the file, as taught by Ylonen [0229] and [0233].

Regarding claim 4, Rowland-1 in view of Ylonen teach the limitations of claim 1 as described above. Rowland-1 also discloses the limitations of ‘wherein the investigation system determines user accounts and host computers associated with SSH keys retrieved in the investigation data’ ([0343] Investigation module 3 detects a disabled user with valid authorized_keys file in their home directory. [0381] Data can reveal user account details, and user account details correspond to user accounts associated with SSH public keys found in an investigation. [0433] Control server 5 collects host computer information and encrypted SSH credentials, wherein host computer information corresponds to host computers associated with SSH public keys of the applicant. In Appendix A, after paragraph [0538], "looks for inactive accounts with valid ssh login keys in their home directory" is a part of Investigative Module Functions.).

Regarding claim 7, Rowland-1 in view of Ylonen teach the limitations of claim 1 as described above. Rowland-1 also discloses the limitations of ‘wherein the investigation system comprises one or more databases for storing data including at least one of’ ([0223] “The control server optionally includes, or has access to, a database for storing data such as,”): ‘data form attributes of the host computer’ ([0223] “data form attributes of the host computer”); ‘users and scanning nodes’ ([0223] “users and scanning nodes”); ‘investigative modules’ ([0223] “investigative modules”); ‘investigation data’ ([0223] “results from the investigative modules and other data”, and paragraph [0219] states that investigation data indicates results of at least one investigative module’s investigation on the host computer, is sent to control server via scanning node, where ‘other data’ and investigation data correspond to the limitation of the applicant.); ‘results from the investigative modules’ ([0223] “results from the investigative modules”).

Regarding claim 12, Rowland-1 in view of Ylonen teach the limitations of claim 1 as described above. Rowland-1 also discloses the limitations of ‘wherein the at least one investigative module is configured to run on the host computer to perform the investigative function independent of the investigation system, without requiring a connection to the investigation system’ ([0059] At least one investigative module may be configured to run on the host computer independently from the investigation system. [0041] At least one investigative module does not require a software agent on the host computer to run when the investigation system is agentless, corresponding to an investigative module not requiring a connection to the investigation system of the Applicant.).

Regarding claim 13, Rowland-1 discloses ‘An agentless investigation system for investigating a remote host computer, the investigation system including a database and a computer system with a computer processor coupled to a system memory and programmed with computer readable instructions, executable to perform the following procedures:’ ([0045] “An investigation system for investigating a host computer, the investigation system including a database and a computer system with a computer processor coupled to a system memory and programmed with computer readable instructions executable to perform the following procedures;“): ‘establish a connection with the host computer’ ([0043] Establishing a connection with a host computer.); ‘and send at least one agentless investigative module to the host computer, the at least one investigative module configured to run on the host computer to perform at least one investigative function on the host computer’ ([0044] Sending at least one investigative module to the host computer, and the investigative module is configured to run on the host computer to perform at least one investigative function on the host computer.); ‘wherein the investigative function includes an investigation of the host computer to ascertain if there are any user accounts of the host computer that have data forms including at least one authentication token in the form of an SSH public key’ ([0137] Investigation function of investigation modules includes investigating host computer to ascertain if there are any users or user accounts on host computer that have data form attributes differing from a predefined integrity status, and paragraph [0138] states that examples of suspicious user data form attributes include authentication tokens that can include SSH authentication keys in paragraph [0146].); ‘and wherein the investigative module is configured to locate the SSH public key and collect investigation data corresponding to the SSH public key’
([0343] Investigative module 3 is configured to investigate a host computer 2 to search for a disabled user with a valid authorized_keys file in their home directory, in which it is described in paragraph [0339] that SSH allows for public or private key access if a user chooses to put their public key in a file called authorized_keys under their home directory, wherein the authorized_keys file can correspond to the SSH public key of the applicant. Afterwards, the investigation module will return investigation data that indicates that authorized_keys file is suspicious, collecting the investigation data in the process.). ‘locate at least one file’ ([0343] Investigative module 3 is configured to investigate a host computer 2 to search for a disabled user with a valid authorized_keys file in their home directory.); ‘and return investigation data relating to the SSH key, the investigation data including’ ([0343] Afterwards, the investigation module will return investigation data that indicates that authorized_keys file is suspicious, collecting the investigation data in the process.): ‘a user account data’ ([0379] Data that is investigated on is analyzed on a host computer 2, as the data can reveal file locations, user account details, and other confidential information, as stated in paragraph [0380].); ‘at least one host computer identifier’ ([0385] Fig. 5 shows a method of operation for an investigation system, as stated in the description of paragraph [0242], and in block b of Fig. 5, one can add a ghost computer by IP address, IP list, or another similar mechanism, to which the IP address or IP list can correspond to a host computer identifier.). 
Rowland-1 does not appear to disclose, but Ylonen teaches the limitations of ‘read the at least one file and determine if content in the at least one file is, or relates to, an SSH key’ ([0233] SSH configuration file is parsed, corresponding to a file being read and determining if it includes an SSH key of the Applicant, in combination with Rowland-1’s authorized_keys file in paragraphs [0339] and [0343] of Rowland-1, teaches this limitation of the Applicant.); ‘the SSH key, retrieved from the content’ ([0233] Fig. 19, block 1904, public key is extracted from an SSH configuration file, and reading corresponding SSH public key file. SSH keys are mentioned in paragraph [0230] of Ylonen.); ‘a location identifier of the SSH key in the content’ (Ylonen [0229] Location of user’s key is determined by reading and parsing an SSH configuration file on the host.).

Accordingly, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention, having the teachings of Rowland-1 and Ylonen before them, to include Ylonen’s ‘read the at least one file and determine if content in the at least one file includes an SSH key’, ‘the SSH key, retrieved from the content’, ‘a location identifier of the SSH key in the content’ in Rowland-1’s method performing ‘investigating a remote host computer by using an agentless investigation system’. One would have been motivated to make such a combination to increase efficiency by having information relating to an SSH key in an SSH configuration file for faster processing and simplifying the process of obtaining the keys in the SSH configuration file and their location in the file, as taught by Ylonen [0229] and [0233].

Regarding claim 16, Rowland-1 in view of Ylonen teach the limitations of claim 13 as described above.
Rowland-1 also discloses the limitations of ‘comprising one or more databases for storing data including at least one of’ ([0223] “The control server optionally includes, or has access to, a database for storing data such as,”): ‘data form attributes of the host computer’ ([0223] “data form attributes of the host computer”); ‘users and scanning nodes’ ([0223] “users and scanning nodes”); ‘investigative modules’ ([0223] “investigative modules”); ‘investigation data’ ([0223] “results from the investigative modules and other data”, and paragraph [0219] states that investigation data indicates results of at least one investigative module’s investigation on the host computer, is sent to control server via scanning node, where ‘other data’ and investigation data correspond to the limitation of the applicant.); ‘results from the investigative modules’ ([0223] “results from the investigative modules”).

Regarding claim 18, Rowland-1 in view of Ylonen teach the limitations of claim 13 as described above. Rowland-1 also discloses the limitations of ‘wherein the at least one investigative module is configured to run on the host computer to perform the investigative function independent of the investigation system, without requiring a connection to the investigation system’ ([0059] At least one investigative module may be configured to run on the host computer independently from the investigation system. [0041] At least one investigative module does not require a software agent on the host computer to run when the investigation system is agentless, corresponding to an investigative module not requiring a connection to the investigation system of the Applicant.).

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 5 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Rowland-1 in view of Ylonen, Brennan et al. (US 8782800 A1), hereinafter Brennan.

Regarding claim 5, Rowland-1 in view of Ylonen teach the limitations of claim 1 as described above. Rowland-1 also discloses ‘wherein the investigation system is configured to store temporal information with the investigation data the temporal information comprising timestamps of when the investigation data includes at least one of’ ([0497] Collecting and storing forensic data off the host computer 2 is important, wherein forensic data corresponds to investigation data for the applicant. In paragraphs [0498] and [0500], when investigative module returns data indicating a problem, the data is presented as part of a UI, the data may include information such as timestamps, wherein the timestamps correspond to temporal information with the investigation data from the investigative module.): Rowland-1 in view of Ylonen does not appear to fully disclose, but Brennan teaches ‘the first occurrence of the SSH key’ (D2: In section [Col. 13, lines 20-23] of Brennan, Fig. 2, server in the system includes an antibody database 36 that is used primarily to keep track of file scan histories and states for each of the files, and the field of 'First Analysis' in [Col.
13, lines 51] of Brennan is the first time a file is scanned or analyzed, corresponding to the first occurrence of a file. Combined with paragraph [0384] of Rowland-1, wherein SSH credentials are stored in a server database 7, wherein SSH credentials correspond to the SSH key of the applicant.); ‘the first occurrence of the SSH key for a given host computer or user account’ (In the field of 'First Analysis' in [Col. 13, lines 51] of Brennan is the first time a file is scanned or analyzed, corresponding to the first occurrence of a file, and combined with paragraph [0384] of Rowland-1 of a host computer being added in conjunction with SSH login for a host computer, corresponds to an occurrence of a given host computer of the applicant.); ‘the first occurrence of the SSH key for a given authentication key file or location in the authentication key file’ (In the field of 'First Analysis' in [Col. 13, lines 51] of Brennan is the first time a file is scanned or analyzed, corresponding to the first occurrence of a file, and combined with Appendix A of Rowland-1 containing the function of "looks for inactive accounts with valid ssh login keys in their home directory", corresponds to an occurrence of an SSH key for a given authentication key file of the applicant.); ‘subsequent occurrences of the SSH key’ (In section [Col. 13, lines 20-23] of Brennan, Fig. 2, server in the system includes an antibody database 36 that is used primarily to keep track of file scan histories and states for each of the files, and the field of "Analysis Results" can constitute a result of other analyses, which corresponds to occurrences of an SSH key, in [Col. 13, lines 49-50] of Brennan is all the times a file is scanned or analyzed, corresponding to the first occurrence of a file. 
Combined with paragraph [0384] of Rowland-1, wherein SSH credentials are stored in a server database 7, wherein SSH credentials correspond to the SSH key of the applicant.); ‘subsequent occurrences of the SSH key for a given host computer or user account’ (In the field of 'Analysis Results' in [Col. 13, lines 49-50] of Brennan is all the times a file is scanned or analyzed, corresponding to the other occurrences of a file, and combined with paragraph [0384] of Rowland-1 of a host computer being added in conjunction with SSH login for a host computer, corresponds to an occurrence of a given host computer of the applicant.); ‘subsequent occurrences of the SSH key for a given authentication key file or location in the authentication key file’ (In the field of 'Analysis Results' in [Col. 13, lines 49-50] of Brennan is all the times a file is scanned or analyzed, corresponding to the other occurrences of a file, and combined with Appendix A of Rowland-1 containing the function of "looks for inactive accounts with valid ssh login keys in their home directory", corresponds to an occurrence of an SSH key for a given authentication key file of the applicant.).

Accordingly, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention, having the teachings of Rowland-1, Ylonen, and Brennan before them, to include Brennan’s ‘wherein the investigation system is configured to store temporal information with the investigation data the temporal information comprising timestamps of when the investigation data includes’ in Rowland-1’s method performing ‘investigating a remote host computer by using an agentless investigation system’. One would have been motivated to make such a combination to increase efficiency by having various fields to display more information for a user to see timestamps alongside the various information seen in a file, as stated by Brennan [Col. 13, line 23-Col. 14, line 21].

Regarding claim 15, Rowland-1 in view of Ylonen teach the limitations of claim 13 as described above, and similarly, claim 15 is directed to systems that correspond substantially to the method of claim 5, and is rejected by a similar rationale.

Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Rowland-1 in view of Ylonen, further in view of Muddu et al. (US 10419463 B2), hereinafter Muddu.

Regarding claim 6, Rowland-1 in view of Ylonen teach the limitations of claim 1 as described above. Rowland-1 in view of Ylonen does not appear to fully disclose, but Muddu also teaches ‘wherein the investigation data is stored in the database in records in at least a first table and a second table, the first table including a record containing the SSH key and the second table containing a record with a relation to the SSH key and data corresponding to at least one of the host computer and user’ ([Col. 95, lines 52-57] of Muddu, in Fig. 63, a usage relationship 6330 (shown as '6320' in the figure) contains a 'Usage Relationship' showing two sets of dots, the ones on the left corresponding to users (6341, 6342, etc), and a second set represents network devices (6351, 6352, etc), with a first set of users corresponding to a first table, and a second set corresponds to a second table of the applicant. In combination with a server database 7 of Rowland-1 storing SSH keys in one location as stated in paragraph [0438], and combined with the users of Muddu's usage relationship 6330 with SSH keys of Rowland-1, a relation between SSH keys and data corresponding to a host computer and user is taught.).

Accordingly, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention, having the teachings of Rowland-1, Ylonen, and Muddu before them, to include Muddu’s ‘wherein the investigation data is stored in the database in records in at least a first table and a second table, the first table including records containing the SSH keys and the second table containing records with a relation to the SSH keys and data corresponding to the host computer and/or user’ in Rowland-1’s method performing ‘investigating a remote host computer by using an agentless investigation system’. One would have been motivated to make such a combination to increase efficiency by establishing sets with relations to each other to establish relationships between user and devices, as taught by Muddu [Col. 59, lines 59-63].

Claims 9-11 are rejected under 35 U.S.C. 103 as being unpatentable over Rowland-1 in view of Ylonen, further in view of Rowland et al. (US 20030196123 A1), hereinafter Rowland-2.

Regarding claim 9, Rowland-1 in view of Ylonen teach the limitations of claim 1 as described above. Rowland-1 does not appear to fully disclose, but Rowland-2 and Ylonen also teach ‘wherein after retrieving the investigation data from the host computer, the investigation system is configured to update records in the database with a tag indicating an SSH key has been removed if the SSH key pre-existed in the database but was not found in the investigation data’ (In claim 11 of Rowland-2, investigation data is invalid can correspond to not including all the information present as stated in paragraph [0055] of Rowland-2. In paragraph [0707] of Ylonen, a management system checks a key, and also checks if it exists, or if any exist, if multiple keys exist. In combination with finding investigation data in paragraphs [0055]-[0056] and in Fig.
6 of Rowland-2, when investigation data is stored, findings of it are stored after first finding it, the investigation data can be updated. Also in combination of storing SSH keys in a database of Rowland-1 in paragraph [0438], when data is updated as stated in Rowland-2, it can indicate that a key is not found in the investigation data, and the combination of references teach the limitation of claim 9 of the applicant.).

Accordingly, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention, having the teachings of Rowland-1, Ylonen, and Rowland-2 before them, to include Ylonen’s and Rowland-2’s ‘wherein after retrieving the investigation data from the host computer, the investigation system is configured to update records in the database with a tag indicating an SSH key has been removed if the SSH key pre-existed in the database but was not found in the investigation data’ in Rowland-1’s method performing ‘investigating a remote host computer by using an agentless investigation system’. One would have been motivated to make such a combination to increase efficiency by having an existence for keys be confirmed for a host computer to determine further measures that need to be taken for each account, as stated in Ylonen [0214], and seeing if investigation data is found to have a reference to previous investigation data found in a system cache and a database, as taught by Rowland-2 [0054]-[0055].

Regarding claim 10, Rowland-1, Ylonen, and Rowland-2 teach the limitations of claims 1 and 9 as recited above. Rowland-1 does not appear to fully disclose, but Rowland-2 and Ylonen also teach ‘comprising adding a new record in the database relating to the SSH key indicating the SSH Key is removed and to be excluded in further investigation data from subsequent investigations’ (In paragraph [0054]-[0055] of Rowland-2, Fig.
6, at step 612, investigation data is reported back to the invention of Rowland-2, and as stated in paragraph [0707] of Ylonen, a management system checks a key, and also checks if it exists, or if any exist, if multiple keys exist. These findings are stored in a database of SSH keys in Rowland-1 stated in paragraph [0438], overriding previous information, and corresponding to adding a new record of a key being removed. When investigation data is found again, it is decided in steps 606 and 608 of Rowland-2 to access the investigation data that was done, and report it again, which teaches the limitation of an SSH key being excluded in further investigation of the applicant.).

Accordingly, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention, having the teachings of Rowland-1, Ylonen, and Rowland-2 before them, to include Ylonen’s and Rowland-2’s ‘comprising adding a new record in the database relating to the SSH key indicating the SSH Key is removed and to be excluded in further investigation data from subsequent investigations’ in Rowland-1’s method performing ‘investigating a remote host computer by using an agentless investigation system’. One would have been motivated to make such a combination to increase efficiency by having an existence for keys be confirmed for a host computer to determine further measures that need to be taken for each account, as stated in Ylonen [0214], and seeing if investigation data is found to have a reference to previous investigation data found in a system cache and a database, as taught by Rowland-2 [0054]-[0055].

Regarding claim 11, Rowland-1, Ylonen, and Rowland-2 teach the limitations of claims 1, and 9-10 as recited above.
Rowland-1 does not appear to fully disclose, but Ylonen also teaches ‘comprising the step of the investigation system reading the investigation data and for each SSH key included in the investigation data performing a query of the database to determine if the SSH key is already present in the database’ ([0480] Control server 5 queries a database 7 with results from investigative modules, which is the investigation data stated in paragraph [0343] of Rowland-1, which includes the authorized_keys file findings regarding SSH keys stated in paragraph [0343] of Rowland-1. Paragraph [0438] states that SSH keys are stored in one location. In conjunction with Ylonen stating that in paragraph [0707] of Ylonen, a management system checks a key, and also checks if it exists, or if any exist, if multiple keys exist, teach the limitations of claim 11 of the applicant.).

Accordingly, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention, having the teachings of Rowland-1, Ylonen, and Rowland-2 before them, to include Ylonen’s ‘comprising the step of the investigation system reading the investigation data and for each SSH key included in the investigation data performing a query of the database to determine if the SSH key is already present in the database’ in Rowland-1’s method performing ‘investigating a remote host computer by using an agentless investigation system’. One would have been motivated to make such a combination to increase efficiency by having an existence for keys be confirmed for a host computer to determine further measures that need to be taken for each account, as stated in Ylonen [0214].

Claims 8 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Rowland-1, in view of Ylonen, further in view of Brennan, Ylonen, Rowland-2, and Krasnyansky (US 20210383334 A1).

Regarding claim 8, Rowland-1 in view of Ylonen teach the limitations of claim 1 as described above.
Rowland-1 also discloses ‘wherein the investigation system comprises a query system for querying the investigation data, wherein the query system is configured to return query results including at least one of’ ([0474]-[0475] Fig. 10, where results are returned from investigation modules to control server via scanning nodes, wherein the scanning nodes correspond to the query system of the applicant, as it returns results via a query from control server in paragraph [0480].): ‘an SSH key that matches an SSH key stored in a table or database containing SSH keys that match a predetermined designation;’ ([0146] "Authentication tokens that can allow users to login when a casual review would make it seem like they cannot (e.g. orphaned or malicious SSH authentication keys.)", and when combined with paragraph [0384] of Rowland, wherein SSH credentials are stored in a server database 7, wherein SSH credentials correspond to the SSH key of the applicant, wherein the credentials have a predetermined designation, such as being malicious or orphaned/abandoned.); ‘SSH keys with timestamps within a predetermined timeframe’ ([0453] Time window determines a timeframe of an investigation to obtain the results, including SSH keys, and in paragraphs [0498] and [0500], when investigative module returns data indicating a problem, the data is presented as part of a UI, the data may include information such as timestamps, which can be included in SSH keys that were found.); ‘user accounts related to SSH Keys that are related to a predetermined host computer’ ([0433] "the control server 5 collects the host computer information and encrypted SSH credentials and packages it into an order manifest", where SSH credentials, corresponding to SSH keys, are related to a predetermined host computer.); ‘host computers related to SSH Keys that are related to a predetermined user account’ (Appendix A, a function states "looks for inactive accounts with valid ssh login keys in their home directory", 
which ssh keys are related to a predetermined user account.); Rowland-1 discloses the previous limitations of claim 8.

Rowland-1 in view of Ylonen does not appear to fully disclose, but Brennan also teaches ‘duplicate SSH keys, including SSH keys that occur more than once in a table in the database, or are related to multiple user accounts, host computers or authentication key files’ (In [Col. 24, lines 55-61] of Brennan, a count of how many hosts contain at least one copy of a file is stated, and when combined with the SSH keys in paragraph [0384] of Rowland, wherein SSH credentials are stored in a server database 7, wherein SSH credentials correspond to the SSH key of the applicant, teaches the limitation of SSH keys being related to multiple host computers.); ‘all occurrences of an SSH key’ (In [Col. 13, lines 49-50] of Brennan, the property of "Analysis Results" can constitute a result of other analyses, which corresponds to occurrences of an SSH key.); ‘all occurrences of an SSH key related to a user account, user account type, host computer, or host computer type’ (In the field of 'Analysis Results' in [Col. 13, lines 49-50] of Brennan is all the times a file is scanned or analyzed, corresponding to the other occurrences of a file, and combined with paragraph [0384] of a host computer being added in conjunction with SSH login for a host computer, corresponds to an occurrence of a given host computer of the applicant.); ‘all SSH keys related to a user account, user account type, host computer, or host computer type;’ ([Col. 13, lines 49-50] Property of "Analysis Results" can constitute a result of other analyses, which corresponds to occurrences of an SSH key.); Rowland-1 and Brennan disclose the previous limitations of claim 8.

Rowland-1, Ylonen, and Brennan do not appear to fully disclose, but Rowland-2 also teaches ‘SSH keys that are present in the investigation data and recorded in the database as removed or were previously marked as removed’ (Claim 11 of Rowland-2 assesses whether investigation data for a target host exists in a location in a storage location of the invention of the inventor Rowland-2, and if it is present in storage, and is valid, then a process ends. Investigation data being valid is a result of a cache entry time still being valid, corresponding to an SSH key being marked as removed. In combination with Rowland-1 stating that investigation data contains information about SSH keys in paragraph [0343] of Rowland-1, teaches the limitation of claim 8.); Rowland-1 and Brennan disclose the previous limitations of claim 8.

Rowland-1, Ylonen, Brennan, and Rowland-2 do not appear to fully disclose, but Krasnyansky also teaches ‘user accounts that have a predetermined 'threshold' number of related SSH keys’ (Claim 1 of Krasnyansky states that a "user account holds the threshold number of secret keys").

Accordingly, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention, having the teachings of Rowland-1, Ylonen, Brennan, Rowland-2 and Krasnyansky before them, to teach the limitations of Brennan, Rowland-2, and Krasnyansky in Rowland-1’s method performing ‘investigating a remote host computer by using an agentless investigation system’. One would have been motivated to make such a combination to increase efficiency by having various fields to display more information for a user to see timestamps alongside the various information seen in a file, as stated by Brennan [Col. 13, line 23-Col.
14, line 21], seeing if investigation data is found to have a reference to previous investigation data found in a system cache and a database, which can include keys that were part of the investigation data of Rowland-1, as taught by Rowland-2 [0054]-[0055], and by determining that a user h

Prosecution Timeline

Sep 11, 2023
Application Filed
May 16, 2025
Non-Final Rejection — §102, §103, §112
Sep 25, 2025
Response Filed
Oct 16, 2025
Final Rejection — §102, §103, §112 (current)

Prosecution Projections

3-4
Expected OA Rounds
0%
Grant Probability
0%
With Interview (+0.0%)
3y 1m
Median Time to Grant
Moderate
PTA Risk
Based on 4 resolved cases by this examiner. Grant probability derived from career allow rate.
