Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
DETAILED ACTION
Claims 1-25 are pending in this office action.
Priority
Priority claimed to US Provisional application 63/191464, filed 05/21/2021.
Information Disclosure Statement
The information disclosure statements (IDS's) submitted on 03/15/2024 and 9/9/2025 are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statements are being considered by the examiner.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1, 6-13, 22-25 are rejected under 35 U.S.C. 103 as being unpatentable over Stockdale et al. (US 2019/0251260 A1, Stockdale hereinafter), in view of Byrne (US 2020/0311280 A1).
For claim 1, Stockdale teaches a system for generating a cyberattack signature based on host level data analysis, the system comprising: a memory configured to store executable code; and a processor for cooperation with the memory (para 0087-0088); wherein the processor, in response to execution of the executable code, is configured to: apply host level data analytics to system performance data with respect to a set of internal system parameters of a host computer system that describe operation of the host computer system when known to be under a cyberattack and when known not to be under the cyberattack to find a subset of the internal system parameters and their corresponding data values that discriminatively correlate to the cyberattack (para 0041-0043, 0053 - machine level performance data taken from on-host sources (CPU usage/memory usage/disk usage/disk free space/network usage/etc. such that pre-attack when not under attack, as well as post-attack data is collected and analyzed; threat detection system built to take into account an attacker may be ‘hiding’ in a system to ensure that they avoid raising suspicion in an end user, such as by slowing their machine down; stealing CPU cycles only when the machine is active, in an attempt to defeat a relatively-simple policing process; Monitoring behaviors, rather than using predefined descriptive objects and/or signatures, means that more attacks can be spotted ahead of time and extremely subtle indicators of wrongdoing can be detected).
Stockdale further teaches implied signature generation and update based on new rules associated with system activities (para 0008, 0040). Stockdale does not appear to explicitly disclose, whereas Byrne discloses generating the cyberattack signature based on the subset of internal system parameters and their corresponding data values that are found to discriminatively correlate to the cyberattack (para 0017-0018, 0030, 0036, 0054-0055, 0092 - host’s current signature based on behavior profile comprising parameters is compared with known signature implying the host signature is generated based on the underlying system behavior parameters). Based on Stockdale in view of Byrne, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to incorporate the cyberattack signature generation and comparison based on host computer internal system parameters as taught by Byrne in the cyberattack detection system of Stockdale, in order to detect cyberattack events more accurately and efficiently and take necessary actions to prevent damages to the system, thereby making system more secure.
For claim 6, Stockdale in view of Byrne teaches the claimed subject matter as discussed above. Stockdale further teaches wherein the subset of internal system parameters include data that represents processor usage activity (para 0019, 0053, 0075).
For claim 7, Stockdale in view of Byrne teaches the claimed subject matter as discussed above in claim 6. Stockdale further teaches wherein the processor usage activity comprises processor switching activity (para 0041).
For claim 8, Stockdale in view of Byrne teaches the claimed subject matter as discussed above in claim 6. Stockdale further teaches wherein the processor usage activity comprises processor interrupt activity (para 0043 – stolen cycles implying interrupting normal CPU activity).
For claim 9, Stockdale in view of Byrne teaches the claimed subject matter as discussed above. Stockdale further teaches wherein the subset of internal system parameters include network card activity (para 0053 – network usage implies network card activity).
For claim 10, Stockdale in view of Byrne teaches the claimed subject matter as discussed above. Stockdale further teaches wherein the subset of internal system parameters include memory usage activity (para 0053).
For claim 11, Stockdale in view of Byrne teaches the claimed subject matter as discussed above in claim 10. Stockdale further teaches wherein the memory usage activity comprises RAM activity (para 0053, 0088 – memory usage wherein memory comprise RAM).
For claim 12, Stockdale in view of Byrne teaches the claimed subject matter as discussed above. Stockdale further teaches wherein the internal system parameters include power consumption (para 0019, 0051).
For claim 13, Stockdale in view of Byrne teaches the claimed subject matter as discussed above. Stockdale further teaches wherein the internal system parameters include elapsed times for processes (para 0019, 0054, 0080, 0082).
For claim 22, Stockdale in view of Byrne teaches the claimed subject matter as discussed above. Stockdale further teaches wherein the processor comprises a plurality of processors (Fig. 1; para 0022, 0035-0038 - multiple computers in the system comprising multiple processors).
For claim 23, the claim limitations are similar to those of claim 1 except claim 23 is drawn to a method for generating a cyberattack signature based on host level data analysis, the method comprising the steps as performed by the system of claim 1. Therefore claim 23 is rejected according to claim 1.
For claim 24, Stockdale in view of Byrne teaches the claimed subject matter as discussed above. Stockdale further teaches wherein the processor comprises a plurality of processors (Fig. 1; para 0022, 0035-0038 - multiple computers in the system comprising multiple processors).
For claim 25, the claim limitations are similar to those of system claim 1 except claim 25 is drawn to an article of manufacture for generating a cyberattack signature based on host level data analysis, the article of manufacture comprising: machine-readable code that is resident on a non-transitory computer-readable storage medium, wherein the code is executable by a processor to cause the processor to perform the steps as performed by the system of claim 1. Therefore claim 25 is rejected according to claim 1.
Claim 14 is rejected under 35 U.S.C. 103 as being unpatentable over Stockdale et al. (US 2019/0251260 A1, Stockdale hereinafter), in view of Byrne (US 2020/0311280 A1), and further in view of Sharifi Mehr (US 10,769,045 B1, hereinafter Mehr).
For claim 14, Stockdale in view of Byrne teaches the claimed subject matter as discussed above. Stockdale in view of Byrne teaches finding a subset of the internal system parameters and their corresponding performance data with or without cyberattack situations. Stockdale and Byrne do not appear to explicitly disclose, however Mehr teaches in response to execution of the executable code, is configured to apply the host level data analytics by: cloning the host computer system known to not be under the cyberattack; running the cyberattack on the cloned host computer system; and collecting attacked signature performance data from the cloned host computer system on which the cyberattack is run (col. 3 lines 22-27; col. 6 line 66 - col. 7 line 2; col. 7 lines 37-55 - resources used to create any cloned environment to simulate attack conditions or with normal conditions). Based on Stockdale in view of Byrne and Mehr, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to incorporate environment cloning mechanism based on host computer internal system parameters as taught by Mehr in the cyberattack detection system of Stockdale in view of Byrne, in order to analyze cyberattack events more effectively based on comparative approach as offered by environment cloning and simulation, thereby making attack detection more efficient.
Claim 15 is rejected under 35 U.S.C. 103 as being unpatentable over Stockdale et al. (US 2019/0251260 A1, Stockdale hereinafter), in view of Byrne (US 2020/0311280 A1), and further in view of Jiang (US 2008/0320594 A1).
For claim 15, Stockdale in view of Byrne teaches the claimed subject matter as discussed above. Stockdale and Byrne do not appear to explicitly disclose, however Jiang teaches wherein the host computer systems known to be under the cyberattack and known to not be under the cyberattack are Red Hat Enterprise Linux systems (para 0042, 0069, 0083, 0090, 0094, 0125).
Claims 16-19 are rejected under 35 U.S.C. 103 as being unpatentable over Stockdale et al. (US 2019/0251260 A1, Stockdale hereinafter), in view of Byrne (US 2020/0311280 A1), and further in view of Hassell et al. (US 2015/0295948 A1, Hassell hereinafter).
For claim 16, Stockdale in view of Byrne teaches the claimed subject matter as discussed above. Stockdale and Byrne do not appear to explicitly disclose, however Hassell teaches the cyberattack comprises an Nmap enumeration scan (para 0021-0022 - vulnerability scanning tools, such as Nessus or Nmap).
For claim 17, Stockdale in view of Byrne teaches the claimed subject matter as discussed above in claim 16. Stockdale further teaches wherein the cyberattack signature comprises an increase of at least two members of the group consisting of (1) activity for inbound network packets, (2) process switching per second, (3) processor usage, and (4) processor interrupts over a defined time period relative to a normal baseline for same (para 0019, 0056-0057, 0067-0068, 0086 - network traffic analysis pertaining to activity for inbound network packets; para 0041-0042 - pertaining to processor usage). Stockdale and Byrne do not appear to explicitly disclose, however Hassell teaches wherein the cyberattack signature for the Nmap enumeration scan comprises behavioral information pertaining to system attributes associated with system behavior (para 0021-0022 - vulnerability scanning tools, such as Nessus or Nmap).
For claim 18, Stockdale in view of Byrne teaches the claimed subject matter as discussed above in claim 16. Stockdale further teaches wherein the cyberattack signature comprises an increase of (1) activity for inbound network packets, (2) process switching per second, (3) processor usage, and (4) processor interrupts over the defined time period relative to the normal baseline for same (para 0019, 0056-0057, 0067-0068, 0086 - network traffic analysis pertaining to activity for inbound network packets; para 0041-0042, 0086 - pertaining to processor usage, and switching processor cycles; para 0043 – stolen cycles implying interrupting normal CPU activity). Stockdale and Byrne do not appear to explicitly disclose, however Hassell teaches wherein the cyberattack signature for the Nmap enumeration scan comprises behavioral information pertaining to system attributes associated with system behavior (para 0021-0022 - vulnerability scanning tools, such as Nessus or Nmap).
For claim 19, Stockdale in view of Byrne teaches the claimed subject matter as discussed above. Stockdale and Byrne do not appear to explicitly disclose, however Hassell teaches wherein the cyberattack comprises a Nessus enumeration scan (para 0021-0022 - vulnerability scanning tools, such as Nessus).
Allowable Subject Matter
Claims 2-5, 20-21 are objected to as being dependent upon rejected base claims, but would be allowable if incorporated in their respective base claims including all of the limitations of the base claims and all intervening parent claims.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAYESH JHAVERI whose telephone number is (571)270-7584. The examiner can normally be reached on Mon-Fri 9 AM to 5 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, Applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu can be reached on (571)272-6798. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/JAYESH M JHAVERI/Primary Examiner, Art Unit 2433