Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Information Disclosure Statement
The information disclosure statements (IDS) submitted on February 21, 2025, April 11, 2025, and July 11, 2025 are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statements are being considered by the examiner.
Drawings
The drawings are objected to as failing to comply with 37 CFR 1.84(p)(4) because reference character “224” has been used to designate both HTL Mechanism and Apply Resolutions. Corrected drawing sheets in compliance with 37 CFR 1.121(d) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be notified and informed of any required corrective action in the next Office action. The objection to the drawings will not be held in abeyance.
Specification
Applicant is reminded of the proper language and format for an abstract of the disclosure.
The abstract should be in narrative form and generally limited to a single paragraph on a separate sheet within the range of 50 to 150 words in length. The abstract should describe the disclosure sufficiently to assist readers in deciding whether there is a need for consulting the full patent text for details.
The language should be clear and concise and should not repeat information given in the title. It should avoid using phrases which can be implied, such as, “The disclosure concerns,” “The disclosure defined by this invention,” “The disclosure describes,” etc. In addition, the form and legal phraseology often used in patent claims, such as “means” and “said,” should be avoided.
The abstract of the disclosure is objected to because it contains phrases which can be implied such as, “The disclosure concerns,” “The disclosure defined by this invention,” “The disclosure describes,” etc. A corrected abstract of the disclosure is required and must be presented on a separate sheet, apart from any other text. See MPEP § 608.01(b).
The disclosure is objected to because it contains an embedded hyperlink and/or other form of browser-executable code. Applicant is required to delete the embedded hyperlink and/or other form of browser-executable code; references to websites should be limited to the top-level domain name without any prefix such as http:// or other browser-executable code. See MPEP § 608.01.
Claim Objections
Claims 3-6, 8, 10, 12-18, and 20 objected to because of the following informalities:
Claim 3, lines 1-2, “the knowledge base” lacks proper antecedent basis.
Claim 6, line 4, after “a zero trust system”, “resources” should be deleted.
Claim 8, line 1, “the configuration” lacks proper antecedent basis.
Claim 10, line 3, “the configuration” lacks proper antecedent basis.
Claim 12, line 1, replace “further comprising” with --wherein the operations further comprise--.
Claim 13, line 2, “the knowledge base” lacks proper antecedent basis.
Claim 15, line 1, replace “further comprising” with --wherein the operations further comprise--.
Claim 16, line 4, “a zero trust system”, “resources” should be deleted.
Claim 17, line 1, replace “further comprising” with --wherein the operations further comprise--.
Claim 18, line 1, replace “further comprising” with --wherein the operations further comprise--. Lines 1-2, “the configuration” lacks proper antecedent basis.
Claim 20, line 1, replace “further comprising” with --wherein the operations further comprise--. Line 3, “the configuration” lacks proper antecedent basis.
Claims 4-6 and 14-16 depend on the rejected claims and inherit the same issues.
Appropriate correction is required.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Step 1: Is the claim to a process, machine, manufacture, or composition of matter?
Yes.
Claims 1-10 are directed to a process and claims 11-20 are directed to an article of manufacture.
Claims 1 and 11 recite:
performing a first phase of a configuration hardening system to generate a knowledge graph that stores container configuration structure information that is enriched with threat intelligence data; and
performing a second phase of the configuration hardening system by:
retrieving configuration information of a container orchestration system;
scanning the configuration information and identifying a misconfiguration;
identifying a resolution to the misconfiguration;
screening the resolution with a human in the loop (HITL) mechanism;
applying the resolution in accordance with an output of the HILT mechanism; and
implementing the resolution in the configuration information of the container orchestration system.
Step 2A, Prong I: Does the claim recite an abstract idea, law of nature, or natural phenomenon?
Yes, an abstract idea.
The “preforming” limitations above, as claimed and under broadest reasonable interpretation (BRI), are a mental process that covers performance of the limitation in the mind. For example, “preforming” in the context of this claim encompasses encompass a human mind carrying out the function through observation, evaluation judgment and /or opinion, or even with the aid of pen and paper.
The “scanning” limitation above, as claimed and under broadest reasonable interpretation (BRI), is a mental process that covers performance of the limitation in the mind. For example, “scanning” in the context of this claim encompasses the person making a judgment.
The “identifying” limitation above, as claimed and under broadest reasonable interpretation (BRI), is a mental process that covers performance of the limitation in the mind. For example, “identifying” in the context of this claim encompasses the person making a judgment.
The “screening” limitation above, as claimed and under broadest reasonable interpretation (BRI), is a mental process that covers performance of the limitation in the mind. For example, “screening” in the context of this claim encompasses the person making a judgment.
Step 2A, Prong II: Does the claim recite additional elements that integrate the judicial exception into a practical application?
No.
The “retrieving” limitation above, as claimed and under (BRI), is an additional element that is insignificant extra-solution activity. For example, “retrieving” in the context of this claim encompasses mere data gathering. See MPEP 2106.05(g).
The “applying” limitation above, as claimed and under BRI, is an additional element that is mere instructions to apply an exception. For example, “applying” in the context of this claim encompasses applying the resolution as a result of the screening. See MPEP 2106.05(f)
The “implementing” limitation above, as claimed and under BRI, is an additional element that is mere instructions to apply an exception. For example, “implementing” in the context of this claim encompasses implementing the resolution as a result of the identification. See MPEP 2106.05(f).
Additionally, one or more of the claims recite the following additional elements:
A non-transitory storage medium (claim 11)
instructions (claim 11)
one or more hardware processors (claim 11)
container configuration structure information (claims 1 and 11)
threat intelligence data (claims 1 and 11)
These additional elements are recited at a high level of generality (i.e., as generic computer components) such that they amount to no more than linking the judicial exception to a technological environment. Accordingly, these additional elements do not integrate the abstract idea(s) into a practical application because they do not impose any meaningful limits on practicing the abstract idea(s).
Step 2B: Does the claim recite additional elements that amount to significantly more than the judicial exception?
No.
With regard to the “retrieving” limitation above, per MPEP 2106.05(d)(II), the courts have recognized the following computer function as well-understood, routine, and conventional functions when they are claimed in a merely generic manner (e.g., at a high level of generality) or as insignificant extra-solution activity:
i. Receiving or transmitting data over a network, e.g., using the Internet to gather data, Symantec, 838 F.3d at 1321, 120 USPQ2d at 1362 (utilizing an intermediary computer to forward information); TLI Communications LLC v. AV Auto. LLC, 823 F.3d 607, 610, 118 USPQ2d 1744, 1745 (Fed. Cir. 2016) (using a telephone for image transmission); OIP Techs., Inc., v. Amazon.com, Inc., 788 F.3d1359, 1363, 115 USPQ2d 1090, 1093 (Fed. Cir. 2015) (sending messages over a network); buySAFE, Inc. v. Google, Inc., 765 F.3d 1350, 1355, 112 USPQ2d 1093, 1096 (Fed. Cir. 2014) (computer receives and sends information over a network); but see DDR Holdings, LLC v. Hotels.com, L.P., 773 F.3d 1245, 1258, 113 USPQ2d 1097, 1106 (Fed. Cir. 2014) ("Unlike the claims in Ultramercial, the claims at issue here specify how interactions with the Internet are manipulated to yield a desired result‐‐a result that overrides the routine and conventional sequence of events ordinarily triggered by the click of a hyperlink." (emphasis added)).
With regard to the “applying” and “implementing” limitations above, per MPEP 2106.05(f)(1) the recitation of claim limitations that attempt to cover any solution to an identified problem with no restriction on how the result is accomplished and no description of the mechanism for accomplishing the result, does not integrate a judicial exception into a practical application or provide significantly more because this type of recitation is equivalent to the words "apply it".
As discussed above with respect to integration of the abstract idea(s) into a practical application, the aforementioned additional elements amount to no more than components comprising mere instructions to apply the exception or links the judicial exception to a technological environment. Mere instructions to apply an exception using generic computer components or linking the judicial exception.
Claims 2 and 12 recite:
further comprising continually performing the first phase and the second phase.
Step 2A, Prong I: Does the claim recite an abstract idea, law of nature, or natural phenomenon?
Yes, the abstract ideas of claims 1 and 11 respectively.
The “preforming” limitation above, as claimed and under broadest reasonable interpretation (BRI), is a mental process that covers performance of the limitation in the mind. For example, “preforming” in the context of this claim encompasses encompass a human mind carrying out the function through observation, evaluation judgment and /or opinion, or even with the aid of pen and paper.
Step 2A, Prong II: Does the claim recite additional elements that integrate the judicial exception into a practical application?
No.
Claims 3 and 13 recite:
wherein the resolution is identified from the knowledge base and is included in the threat intelligence data.
Step 2A, Prong I: Does the claim recite an abstract idea, law of nature, or natural phenomenon?
Yes, the abstract ideas of claims 1 and 11 respectively.
Step 2A, Prong II: Does the claim recite additional elements that integrate the judicial exception into a practical application?
No.
Claims 4 and 14 recite:
wherein the resolution comprises a patch.
Step 2A, Prong I: Does the claim recite an abstract idea, law of nature, or natural phenomenon?
Yes, the abstract ideas of claims 3 and 13 respectively.
Step 2A, Prong II: Does the claim recite additional elements that integrate the judicial exception into a practical application?
No.
One or more of the claims recite the following additional elements:
• a patch (claims 4 and 14)
These additional elements are recited at a high level of generality (i.e., as generic computer components) such that they amount to no more than linking the judicial exception to a technological environment. Accordingly, these additional elements do not integrate the abstract idea(s) into a practical application because they do not impose any meaningful limits on practicing the abstract idea(s).
Step 2B: Does the claim recite additional elements that amount to significantly more than the judicial exception?
No.
As discussed above with respect to integration of the abstract idea(s) into a practical application, the aforementioned additional elements amount to no more than employing generic computer functions to execute an abstract idea, even when limiting the use of the idea to one particular environment. Mere linking the judicial exception to a technological environment using generic computer components cannot provide an inventive concept.
Claims 5 and 15 recite:
further comprising performing patch screening, wherein the patch screening identifies the resolution.
Step 2A, Prong I: Does the claim recite an abstract idea, law of nature, or natural phenomenon?
Yes, the abstract ideas of claims 3 and 13 respectively.
The “preforming” limitation above, as claimed and under broadest reasonable interpretation (BRI), is a mental process that covers performance of the limitation in the mind. For example, “preforming” in the context of this claim encompasses encompass a human mind carrying out the function through observation, evaluation judgment and /or opinion, or even with the aid of pen and paper.
Step 2A, Prong II: Does the claim recite additional elements that integrate the judicial exception into a practical application?
No.
Claims 6 and 16 recite:
wherein the resolution is one of:
automatically apply the patch of a modified version of the patch provided by the HITL mechanism;
do not apply the patch and allocate resources of a zero trust system resources to surveil the container orchestration system for exploits associated with the misconfiguration;
ignore a vulnerability associated with the misconfiguration without providing the patch or allocating the resources of the zero trust system; or
proceed under specific conditions.
Step 2A, Prong I: Does the claim recite an abstract idea, law of nature, or natural phenomenon?
Yes, the abstract ideas of claims 1 and 11 respectively.
Step 2A, Prong II: Does the claim recite additional elements that integrate the judicial exception into a practical application?
No.
One or more of the claims recite the following additional elements:
a modified version of the patch (claims 6 and 16)
resources (claims 6 and 16)
a zero trust system resources (claim 6 and 16)
the container orchestration system (claim 6 and 16)
These additional elements are recited at a high level of generality (i.e., as generic computer components) such that they amount to no more than linking the judicial exception to a technological environment. Accordingly, these additional elements do not integrate the abstract idea(s) into a practical application because they do not impose any meaningful limits on practicing the abstract idea(s).
Step 2B: Does the claim recite additional elements that amount to significantly more than the judicial exception?
No.
As discussed above with respect to integration of the abstract idea(s) into a practical application, the aforementioned additional elements amount to no more than employing generic computer functions to execute an abstract idea, even when limiting the use of the idea to one particular environment. Mere linking the judicial exception to a technological environment using generic computer components cannot provide an inventive concept.
Claims 7 and 17 recite:
further comprising acting to implement the resolution when prepared.
Step 2A, Prong I: Does the claim recite an abstract idea, law of nature, or natural phenomenon?
Yes, the abstract ideas of claims 1 and 11 respectively
Step 2A, Prong II: Does the claim recite additional elements that integrate the judicial exception into a practical application?
No.
The “acting to implement” limitation above, as claimed and under BRI, is an additional element that is mere instructions to apply an exception. For example, “acting to implement” in the context of this claim encompasses applying the resolution as a result of the identification. See MPEP 2106.05(f).
Step 2B: Does the claim recite additional elements that amount to significantly more than the judicial exception?
No.
With regard to the “acting to implement” limitation above, per MPEP 2106.05(f)(1) the recitation of claim limitations that attempt to cover any solution to an identified problem with no restriction on how the result is accomplished and no description of the mechanism for accomplishing the result, does not integrate a judicial exception into a practical application or provide significantly more because this type of recitation is equivalent to the words "apply it".
Claims 8 and 18 recite:
further comprising storing the configuration in a configuration database.
Step 2A, Prong I: Does the claim recite an abstract idea, law of nature, or natural phenomenon?
Yes, the abstract ideas of claims 1 and 11 respectively.
Step 2A, Prong II: Does the claim recite additional elements that integrate the judicial exception into a practical application?
No.
The “storing” limitation above, as claimed and under (BRI), is an additional element that is insignificant extra-solution activity. For example, “storing” in the context of this claim encompasses storing data. See MPEP 2106.05(g).
Step 2B: Does the claim recite additional elements that amount to significantly more than the judicial exception?
No.
With regard to the “storing” limitation above, per MPEP 2106.05(d)(II), the courts have recognized the following computer function as well-understood, routine, and conventional functions when they are claimed in a merely generic manner (e.g., at a high level of generality) or as insignificant extra-solution activity:
iv. Storing and retrieving information in memory, Versata Dev. Group, Inc. v. SAP Am., Inc., 793 F.3d 1306, 1334, 115 USPQ2d 1681, 1701 (Fed. Cir. 2015); OIP Techs., 788 F.3d at 1363, 115 USPQ2d at 1092-93.
Claims 9 and 19 recite:
wherein the resolution is determined by following a byzantine fault protocol.
Step 2A, Prong I: Does the claim recite an abstract idea, law of nature, or natural phenomenon?
Yes, the abstract ideas of claims 1 and 11 respectively.
Step 2A, Prong II: Does the claim recite additional elements that integrate the judicial exception into a practical application?
No.
One or more of the claims recite the following additional elements:
a byzantine fault protocol (claims 9 and 19)
These additional elements are recited at a high level of generality (i.e., as generic computer components) such that they amount to no more than linking the judicial exception to a technological environment. Accordingly, these additional elements do not integrate the abstract idea(s) into a practical application because they do not impose any meaningful limits on practicing the abstract idea(s).
Step 2B: Does the claim recite additional elements that amount to significantly more than the judicial exception?
No.
As discussed above with respect to integration of the abstract idea(s) into a practical application, the aforementioned additional elements amount to no more than employing generic computer functions to execute an abstract idea, even when limiting the use of the idea to one particular environment. Mere linking the judicial exception to a technological environment using generic computer components cannot provide an inventive concept.
Claims 10 and 20 recite:
further comprising retrieving the container configuration structure information and the threat intelligence data, wherein applying the resolution includes mapping the configuration to a configuration structure of the container orchestration system
Step 2A, Prong I: Does the claim recite an abstract idea, law of nature, or natural phenomenon?
Yes, the abstract ideas of claims 1 and 11 respectively.
The “mapping” limitation above, as claimed and under broadest reasonable interpretation (BRI), is a mental process that covers performance of the limitation in the mind. For example, “mapping” in the context of this claim encompasses encompass a human mind carrying out the function through observation, evaluation judgment and /or opinion, or even with the aid of pen and paper.
Step 2A, Prong II: Does the claim recite additional elements that integrate the judicial exception into a practical application?
No.
The “retrieving” limitation above, as claimed and under (BRI), is an additional element that is insignificant extra-solution activity. For example, “retrieving” in the context of this claim encompasses mere data gathering. See MPEP 2106.05(g).
The “applying” limitation above, as claimed and under BRI, is an additional element that is mere instructions to apply an exception. For example, “applying” in the context of this claim encompasses applying the resolution as a result of the screening. See MPEP 2106.05(f)
One or more of the claims recite the following additional elements:
a configuration structure (claims 10 and 20)
the container orchestration system (claims 10 and 20)
These additional elements are recited at a high level of generality (i.e., as generic computer components) such that they amount to no more than linking the judicial exception to a technological environment. Accordingly, these additional elements do not integrate the abstract idea(s) into a practical application because they do not impose any meaningful limits on practicing the abstract idea(s).
Step 2B: Does the claim recite additional elements that amount to significantly more than the judicial exception?
No.
With regard to the “retrieving” limitation above, per MPEP 2106.05(d)(II), the courts have recognized the following computer function as well-understood, routine, and conventional functions when they are claimed in a merely generic manner (e.g., at a high level of generality) or as insignificant extra-solution activity:
i. Receiving or transmitting data over a network, e.g., using the Internet to gather data, Symantec, 838 F.3d at 1321, 120 USPQ2d at 1362 (utilizing an intermediary computer to forward information); TLI Communications LLC v. AV Auto. LLC, 823 F.3d 607, 610, 118 USPQ2d 1744, 1745 (Fed. Cir. 2016) (using a telephone for image transmission); OIP Techs., Inc., v. Amazon.com, Inc., 788 F.3d1359, 1363, 115 USPQ2d 1090, 1093 (Fed. Cir. 2015) (sending messages over a network); buySAFE, Inc. v. Google, Inc., 765 F.3d 1350, 1355, 112 USPQ2d 1093, 1096 (Fed. Cir. 2014) (computer receives and sends information over a network); but see DDR Holdings, LLC v. Hotels.com, L.P., 773 F.3d 1245, 1258, 113 USPQ2d 1097, 1106 (Fed. Cir. 2014) ("Unlike the claims in Ultramercial, the claims at issue here specify how interactions with the Internet are manipulated to yield a desired result‐‐a result that overrides the routine and conventional sequence of events ordinarily triggered by the click of a hyperlink." (emphasis added)).
With regard to the “applying” limitation above, per MPEP 2106.05(f)(1) the recitation of claim limitations that attempt to cover any solution to an identified problem with no restriction on how the result is accomplished and no description of the mechanism for accomplishing the result, does not integrate a judicial exception into a practical application or provide significantly more because this type of recitation is equivalent to the words "apply it".
As discussed above with respect to integration of the abstract idea(s) into a practical application, the aforementioned additional elements amount to no more than employing generic computer functions to execute an abstract idea, even when limiting the use of the idea to one particular environment. Mere linking the judicial exception to a technological environment using generic computer components cannot provide an inventive concept.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1, 3, 7-8, 10-11, 13, 17-18 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Haque et al. (“KGSecConfig: A Knowledge Graph Based Approach for Secured Container Orchestrator Configuration” (from IDS filed on February 21, 2025), hereinafter “Haque”) in view of Lecroart (U.S. Patent Application Publication No. US 20250111095 A1).
With regard to claim 1, Haque discloses:
A method comprising:
performing a first phase of a configuration hardening system to generate a knowledge graph that stores container configuration structure information (i.e. “configuration information, e.g., arguments, options, descriptions, and default options”) that is enriched with threat intelligence data (i.e. “security configuration concepts”) (“To address the above identified problem, we propose to build a KG for Secured Configuration (KGSecConfig) that provides a fundamental support for automatic security configuration of CO.”, page 2, left column, fifth paragraph, “In this module, we used different adapters to extract the configuration information, e.g., arguments, options, descriptions, and default options, from official documentation of diverse orchestrators, tools, platforms and built a configuration corpus with the extracted information. Then we applied our schema as shown in Fig. 1 to the configuration corpus to develop KGConfig.”, page 3, right column, second paragraph, “The purpose of this module is to realize and extract configuration concepts from security configuration documents to mitigate data overload barrier. We proposed four main classes for security configuration concepts as (i) ‘statement’ concept describes to perform a security configuration task (e.g., Ensure that the ‘–authorization-mode’ argument includes ‘RBAC’); (ii) ‘goal’ concept describes the reason behind the security configuration task (e.g., ‘RBAC’ ensures fine-grained control over the operations...cluster, ‘RBAC’ restricts unauthorized access...server); (iii) ‘action’ concept describes the actionable steps to implement the task (e.g., Edit the API server pod specification file...node); and (iv) ‘other’ concept describes the rest of sentences in the document (e.g., In this article, we will take a deep dive into key Kubernetes security configurations and the recommended best practices).”, page 4, right column, first full paragraph, “In summary, the input of this module is a security configuration document and the output is the sentences classified according to the four configuration concepts. Once we identified the classified sentences, we considered all the concepts except ‘other’ concept for updating the initial KGConfig.” page 5, left column, first full paragraph-second dull paragraph, fig. 7); and
performing a second phase of the configuration hardening system (“Our KGSecConfig can be utilized for various downstream configuration tasks, such as automated misconfiguration mitigation and interpretation of secured configuration options which can increase the understanding of the reason of enabling/disabling particular arguments.”, page 2, left column, sixth paragraph-right column, first paragraph, “We leveraged our KGSecConfig to identify and mitigate the threat actors automatically, as shown in Fig. 10.”, page 8, right column, third paragraph, fig 10) by:
retrieving configuration information of a container orchestration system (“In this module, we used different adapters to extract the configuration information, e.g., arguments, options, descriptions, and default options, from official documentation of diverse orchestrators, tools, platforms and built a configuration corpus with the extracted information.”, page 3, right column, second paragraph, “Kubernetes [1] (container orchestrator)”, page 5, right column, second paragraph);
scanning the configuration information and identifying a misconfiguration (“A Compliance Parse Tree (CPT) as shown in Fig. 10(b) was built to tokenize configuration argument and its options, where the root of the tree is the configuration file type, e.g., ‘Deployment’, non-leaf nodes are arguments, and leaf nodes are options. We developed a compliance checker using subgraph matching [68] whose aim is to compare CPT with our KGSecConfig for possible misconfiguration detection.”, page 8, right column, third paragraph);
identifying a resolution to the misconfiguration (“Our KGSecConfig also has the capability to automatically mitigate the misconfiguration by replacing (e.g., replacing ‘Always’ option with ‘IfNotPresent’ in ‘imagePullPolicy’ argument) or adding (e.g., adding ‘allowPrivilegeEscalation’ argument with ‘false’ option) secured argument and corresponding options as a node or set of nodes as shown in green circles in Fig. 10(c) by using the knowledge in KGSecConfig”, page 8, right column, fifth paragraph-page 9, left column, first paragraph);
implementing the resolution in the configuration information of the container orchestration system (“Our KGSecConfig also has the capability to automatically mitigate the misconfiguration by replacing (e.g., replacing ‘Always’ option with ‘IfNotPresent’ in ‘imagePullPolicy’ argument) or adding (e.g., adding ‘allowPrivilegeEscalation’ argument with ‘false’ option) secured argument and corresponding options as a node or set of nodes as shown in green circles in Fig. 10(c) by using the knowledge in KGSecConfig”, page 8, right column, fifth paragraph-page 9, left column, first paragraph, “We built a secured configuration knowledge graph with Kubernetes, Docker, Azure, and VMWare using KGSecConfig, which provide essential configuration knowledge, such as implementation details and reasoning. We demonstrated how KGSecConfig can be utilized for various downstream tasks, such as automated misconfiguration mitigation, inconsistency identification, and configuration hot-spot visualization.”, page 10, right column, third paragraph).
Haque does not disclose however, Lecroart discloses:
screening the resolution (i.e. “the recommendation”) with a human in the loop (HITL) mechanism (“generating a recommendation for correcting a configuration file of an item of infrastructure of a computing environment within which services run, said infrastructure having been deployed automatically from said configuration file”, para [0046], “In this case, a request to update the configuration file on the basis of the recommendation to correct the configuration file is submitted in E8 for evaluation by a person, for example a security specialist or a computer code developer.”, para [0112]);
applying the resolution in accordance with an output of the HILT mechanism (“An evaluation outcome is received in E9. Two cases are possible (E10):”, para [0116], “In the first case (E10), the request to update the configuration file SCP in accordance with the recommendation RECO is accepted. This means that the recommendation RECO has been assessed as providing all the elements for full remediation of the anomaly.”, para [0117], “The configuration file SCP is then updated at E11. In one example, the source code of the configuration file SCP stored in the IaC repository RPY is replaced by the file corrected in accordance with the recommendation RECO.”, para [0118]); and
Both the systems of Haque and Lecroart deal with misconfigured configuration. It would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to combine Haque in view of Lecroart to improve reliability.
With regard to claim 3, Haque as modified discloses the method of claim1.
Haque further discloses:
wherein the resolution (i.e. “arguments”) is identified from the knowledge base and is included in the threat intelligence data (i.e. “‘goal’ concepts”) (“Our KGSecConfig can correlate the encapsulated knowledge (e.g., ‘goal’ concepts associated with arguments of kube api server and the query ‘restrict unauthorized access to kube api-server’) and return the mitigation approach by providing necessary arguments and options (e.g., ‘–anonymous-auth’ will be ‘false’ and ‘–authorization-mode’ will be ‘RBAC’) for restricting the unauthorized access.”, page 9, right column, second paragraph).
With regard to claim 7, Haque as modified discloses the method of claim 1.
Haque does not disclose however, Lecroart discloses:
further comprising acting to implement the resolution when prepared (“In this case, a request to update the configuration file on the basis of the recommendation to correct the configuration file is submitted in E8 for evaluation by a person, for example a security specialist or a computer code developer.”, para [0112], “An evaluation outcome is received in E9. Two cases are possible (E10):”, para [0116], “In the first case (E10), the request to update the configuration file SCP in accordance with the recommendation RECO is accepted. This means that the recommendation RECO has been assessed as providing all the elements for full remediation of the anomaly.”, para [0117], “The configuration file SCP is then updated at E11.”, para [0118]).
Both the systems of Haque and Lecroart deal with misconfigured configuration. It would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to combine Haque in view of Lecroart to improve reliability.
With regard to claim 8, Haque as modified discloses the method of claim 1.
Haque does not disclose however, Lecroart discloses:
further comprising storing the configuration in a configuration database (“In one example, the source code of the configuration file SCP stored in the IaC repository RPY is replaced by the file corrected in accordance with the recommendation RECO”, para [0118]).
Both the systems of Haque and Lecroart deal with misconfigured configuration. It would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to combine Haque in view of Lecroart to improve scalability.
With regard to claim 10, Haque as modified discloses the method of claim1.
Haque further discloses:
further comprising retrieving the container configuration structure information and the threat intelligence data (“In this module, we used different adapters to extract the configuration information, e.g., arguments, options, descriptions, and default options, from official documentation of diverse orchestrators, tools, platforms and built a configuration corpus with the extracted information.”, page 3, right column, second paragraph, “The purpose of this module is to realize and extract configuration concepts from security configuration documents to mitigate data overload barrier.”, page 4, right column, first paragraph) wherein applying the resolution includes mapping the configuration (i.e. “secured argument and corresponding options“) to a configuration structure (i.e. “a node or a set of nodes”) of the container orchestration system (“Our KGSecConfig also has the capability to automatically mitigate the misconfiguration by replacing (e.g., replacing ‘Always’ option with ‘IfNotPresent’ in ‘imagePullPolicy’ argument) or adding (e.g., adding ‘allowPrivilegeEscalation’ argument with ‘false’ option) secured argument and corresponding options as a node or set of nodes as shown in green circles in Fig. 10(c) by using the knowledge in KGSecConfig”, page 8, right column, fifth paragraph-page 9, left column, first paragraph, “We built a secured configuration knowledge graph with Kubernetes, Docker, Azure, and VMWare using KGSecConfig, which provide essential configuration knowledge, such as implementation details and reasoning. We demonstrated how KGSecConfig can be utilized for various downstream tasks, such as automated misconfiguration mitigation, inconsistency identification, and configuration hot-spot visualization.”, page 10, right column, third paragraph).
With regard to claim 11, the limitations except those addressed below are rejected using the mapping from analogous claim 1.
Haque does not disclose however, Lecroart discloses:
A non-transitory storage medium having stored therein instructions that are executable by one or more hardware processors to perform operations (“the computer-readable storage medium is non-transitory”, para [0177], “instructions stored in a computer-readable information storage medium and/or in the memory 120 so that, when the instructions are executed by the processor, the device 100 performs one or more or all of the steps”, para [0174]) comprising:
Both the systems of Haque and Lecroart deal with misconfigured configuration. It would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to combine Haque in view of Lecroart to improve reliability.
With regard to claim 13, Haque as modified discloses the non-transitory storage medium of claim 11.
The remaining limitations are rejected using the mapping from analogous claim 3.
With regard to claim 17, Haque as modified discloses the non-transitory storage medium of claim 11.
The remaining limitations are rejected using the mapping from analogous claim 7.
With regard to claim 20, Haque as modified discloses the non-transitory storage medium of claim 11.
The remaining limitations are rejected using the mapping from analogous claim 10.
Claims 4-6 and 14-16 are rejected under 35 U.S.C. 103 as being unpatentable over Haque and Lecroart as applied to claims 3 and 13 above, and further in view of Guo et al. (U.S. Patent Application Publication No. US 12518023 B1, hereinafter “Guo”).
With regard to claim 4, Haque as modified discloses the method of claim 3.
Haque as modified does not disclose however, Guo discloses:
wherein the resolution comprises a patch (“execute the remediation rule to generates patches to mitigate an insecure configuration.”, col 3, lines 55-56).
Both the systems of Haque as modified and Guo deal with misconfigured configuration. It would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to combine Haque in view of Guo to improve scalability.
With regard to claim 5, Haque as modified discloses the method of claim 3.
Haque as modified does not disclose however, Guo discloses:
further comprising performing patch screening, wherein the patch screening identifies the resolution (“The initial template and/or configuration may be patched and then provided to the validation service 128 to determine whether or not the remediation action performed by the fixer service 124 has cured the initially identified vulnerability.”, col 12, lines 63-66).
Both the systems of Haque as modified and Guo deal with misconfigured configuration. It would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to combine Haque in view of Guo to improve security.
With regard to claim 6, Haque as modified discloses the method of claim 5.
Haque does not disclose however, Lecroart discloses:
wherein the resolution is one of:
proceed under specific conditions (“In this case, a request to update the configuration file on the basis of the recommendation to correct the configuration file is submitted in E8 for evaluation by a person, for example a security specialist or a computer code developer.”, para [0112], (“An evaluation outcome is received in E9. Two cases are possible (E10):”, para [0116], “In the first case (E10), the request to update the configuration file SCP in accordance with the recommendation RECO is accepted. This means that the recommendation RECO has been assessed as providing all the elements for full remediation of the anomaly.”, para [0117], “The configuration file SCP is then updated at E11.”, para [0118], “In a second case (E10), the evaluator rejects the update request. One reason for this may be that the recommendation RECO does not allow for total remediation of the anomaly. According to one or more embodiments, the evaluator manually corrects the recommendation RECO.”, para [0120]).
Both the systems of Haque and Lecroart deal with misconfigured configuration. It would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to combine Haque in view of Lecroart to improve reliability.
With regard to claim 14, Haque as modified discloses the non-transitory storage medium of claim 13.
The remaining limitations are rejected using the mapping from analogous claim 4.
With regard to claim 15, Haque as modified discloses the non-transitory storage medium of claim 13.
The remaining limitations are rejected using the mapping from analogous claim 5.
With regard to claim 16, Haque as modified discloses the non-transitory storage medium of claim 15.
The remaining limitations are rejected using the mapping from analogous claim 6.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Mahajan ("Detection, Analysis and Countermeasures for Container based Misconfiguration using Docker and Kubernetes") discloses “Steps Incurred to get the secured Deployment of containers: 1. Deploy container with possible configuration settings as required by the user. 2. Check the configurations against the configuration check model for possible any misconfigurations. 3. If the model gives any notification for required reconfigurations, then apply it and re-deploy container. 4. If model does not need to reconfigure then the deployed container is assumed to be secured.” (Mahajan, page 5, left column, first paragraph).
Andreina (U.S. Patent Application Publication No. US 20230229569 A1) discloses “Byzantine Fault Tolerance (BFT) protocols are a family of protocols that aim at achieving consensus between multiple participants that do not trust another, even in case of presence of adversaries.” (Andreina, para [0003]).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SELENA SABAH NAHRA whose telephone number is (571)272-6115. The examiner can normally be reached Monday-Thursday 7:00 AM -5:30 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Hyung Sough can be reached at (571) 272-6799. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/S.S.N./Examiner, Art Unit 2192
/S. SOUGH/SPE, Art Unit 2192