DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Arguments
Applicant’s arguments, see Remarks, filed 07/28/2024, with respect to the rejection(s) of independent claims 64, 79 and 82 under 35 USC § 102 have been fully considered, but are not persuasive.
On page 7/9 of the Remarks the Applicant argues, “Applicant respectfully denies that Teal discloses the claimed "kernel space firewall". Reviewing Teal Figure 17, kernel space 1702 is clearly identified. Firewall 1706 appears to lie between user space 1704 and network 1708, and appears to be clearly separated from kernel space 1702.” The Examiner respectfully disagrees.
First, the claimed limitation “based on the asynchronous monitoring, create one or more firewall rules for a kernel-mode firewall; and cause the kernel-mode firewall to enforce the one more firewall rules.” doesn’t explicitly recite the firewall solely operating/executing in a kernel space, and thus “kernel-mode” may refer to the firewall utilizing functions from the kernel to operate (i.e., the configurations and properties of the firewall). Second, Figure 17 of Teal doesn’t necessarily place the firewall in user space, as paragraph [0292] is explicit that it’s the applications 1710, 1720, 1730, and 1740 in user space, as “Software that protects the endpoint against malicious activity may execute in the user space 1702, such as an antivirus system 1710, a network management system 1720, a file protection system 1730, and a remediation system 1740.”, further supported by paragraph [0326] as “FIG. 19 shows a method for controlling a firewall. This may include using any of the systems or methods described herein, such as those using the kernel driver and caches described above, e.g., on an endpoint with an operating system that supports a kernel space and a user space”, which appears supported by claim 66 that states the “kernel-mode firewall” may be “an operating system native firewall”. Thus, because Teal’s firewall utilizes kernel-space to function, and is not expressly disclosed as executing within user-space, the Examiner did not find the Applicant’s argument persuasive, and hence the rejection of the claims under 35 USC § 102 is maintained.
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.
(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.
Claims 64-67, 69-70 and 79-83 are rejected under 35 U.S.C. 102 (a)(1) as being anticipated by US-PGPUB No. 2021/0342461 A1 to Teal.
Regarding claim 64:
Teal discloses:
One or more tangible, non-transitory computer-readable storage media having stored thereon executable instructions (¶15: “computer executable code embodied in a non-transitory computer-readable medium”) to provide a security application (¶292: “Software that protects the endpoint against malicious activity may execute in the user space 1704, such as … a network management system 1720, …”), the security application to:
within a non-kernel space (see Fig. 17, User Space 1704), asynchronously monitor (¶162: “… monitoring tools 424, … may be deployed in response IOCs 422 collected by the IOC collector 426.”) network activity of a network-enabled application (¶295: “The network management system 1720 may mediate network communications between processes executing in the user space 1704 and external resources available through the network 1708. This may, for example, include monitoring network traffic to and from the endpoint,”, ¶306: “security-related application or process executing in the user space 1704”);
based on the asynchronous monitoring, create one or more firewall rules for a kernel-mode firewall (¶295: “configuring the firewall 1706 according to … potential threats, …”, ¶301: “… the process cache may usefully store information … This information may, for example, be usefully provided to a … firewall”, see also Fig. 17, the firewall being able to access information in the process cache (kernel-mode).); and
cause the kernel-mode firewall to enforce the one more firewall rules (¶301: “… the process cache may usefully store information … This information may, for example, be usefully provided to a … firewall …”).
Regarding claim 65:
Teal discloses:
The one or more tangible, non-transitory computer-readable media of claim 64, wherein the non-kernel space is userspace (see Fig. 17, User Space 1704).
Regarding claim 66:
Teal discloses:
The one or more tangible, non-transitory computer-readable media of claim 64, wherein the kernel-mode firewall is an operating system native firewall or third-party firewall (¶292: “The firewall 1706 may be a hardware firewall, a software firewall, … the firewall 1706 may be on the endpoint, on a gateway between the endpoint and an external network, or at any other physical or logical location where the firewall 1706 can monitor and control network traffic to and from the endpoint.”).
Regarding claim 67:
Teal discloses:
The one or more tangible, non-transitory computer-readable media of claim 64, wherein the security application is not tightly integrated with the kernel-mode firewall (¶295: “The network management system 1720 may mediate network communications between processes executing in the user space 1704 and external resources available through the network 1708. This may, for example, include monitoring network traffic to and from the endpoint, labeling network traffic flows, and so forth.”, Note: ¶295 teaches the network management system 1720 can monitor network traffic without the need for the firewall 1706, thus not tightly integrated).
Regarding claim 69:
Teal discloses:
The one or more tangible, non-transitory computer-readable media of claim 67, wherein the security application communicates with the kernel-mode firewall only via a published interface definition (¶108: “The interface between the threat management facility 100 and the enterprise facility 102, …”, see also Fig. 1, and claim 18: “a communication interface of the threat management facility [that] transmits the firewall rule to a firewall of the enterprise network.”).
Regarding claim 70:
Teal discloses:
The one or more tangible, non-transitory computer-readable media of claim 64, wherein asynchronously monitoring behavior of the networked application comprises subscribing to domain name system (DNS) query events from a local operating system (¶185: “Network traffic 622 from the process 620 may be monitored and logged by a traffic monitor 624 on the endpoint 602. The traffic monitor 624 may, for example, logs a time and a source of each network request from the endpoint 602.”).
Regarding claims 79-80:
Claims 79-80 substantially recite the same limitations as claims 64-65, respectively, in the form of a method implementing the corresponding functionality. Therefore, they are rejected by the same rationale.
Regarding claim 81:
Teal discloses:
The computer-implemented software method of claim 79, wherein the one or more firewall rules are static firewall rules (¶108: “The administration facility 134 may configure policy rules that determine interactions, such as developing rules for accessing applications, as in who is authorized …”).
Regarding claim 82:
Teal discloses:
A computing device (see Fig. 2, Computing Device 210), comprising:
a processor circuit (see Fig. 2, Processor 212) and a memory (see Fig. 2, Memory 214);
an operating system (¶15: “an operating system of an endpoint that includes a kernel space for operating system functions and a user space …”) comprising a kernel space (see Fig. 17, Kernel Space 1702) and a non-kernel space (see Fig. 17, User Space 1704); and
instructions encoded within the memory to instruct the processor circuit to provide a security application (¶15: “… includes computer executable code embodied in a non-transitory computer-readable medium …”), the security application to:
In addition to the above limitations, claim 82 substantially recites the same limitations as claim 64 in the form of a device to realize the corresponding functionality. Therefore, it is rejected by the same rationale.
Regarding claim 83:
Claim 83 substantially recites the same limitations as claim 67 in the form of a device to realize the corresponding functionality. Therefore, it is rejected by the same rationale.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim 68 is rejected under 35 U.S.C. 103 as being unpatentable over Teal, and further in view of US-PGPUB No. 2015/0281180 A1 to Raman et al. (hereinafter “Raman”).
Regarding claim 68:
Teal discloses the one or more tangible, non-transitory computer-readable media of claim 67, but does not explicitly teach the following limitation taught by Raman:
wherein the security application is sourced from a vendor different from a vendor that sourced the kernel-mode firewall (Raman, ¶10: “the firewall SVM is provided by one vendor (e.g., a firewall vendor), while the firewall rule engine is provided by another vendor.”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the teachings of Teal to incorporate the system architecture of implementing a firewall provided by one vendor, and a firewall rules engine provided by a different user, as disclosed by Raman. Such modification would enable the system to enhance security by providing a more flexible security posture, and offers the potential benefit of diversifying security measures, preventing a single vendor's vulnerability from compromising the entire system.
Claims 71-72 are rejected under 35 U.S.C. 103 as being unpatentable over Teal, and further in view of US-PGPUB No. 2016/0134653 A1 to Vallone et al. (hereinafter “Vallone”).
Regarding claim 71:
Teal discloses the one or more tangible, non-transitory computer-readable media of claim 64, but does not explicitly teach the following limitation taught by Vallone:
wherein the security application is to determine, within less than approximately five seconds, a firewall action for the network-enabled application (Vallone, ¶18: “ensure that the expected characteristic is triggered and that any responses … occur within one or more predefined service levels (e.g., a firewall closing a TCP port after two seconds of detecting illicit activity).”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the teachings of Teal to incorporate the functionality of the method to provide validation feedback associated with the progress and/or result of the instruction's execution, to ensure that the expected characteristic is triggered and that any responses occur within one or more predefined service levels, as disclosed by Vallone. Such modification would enable the system to minimize the damage that might be caused by any illicit activity.
Regarding claim 72:
The combination of Teal and Vallone discloses:
The one or more tangible, non-transitory computer-readable media of claim 71, wherein the security application is to create a firewall rule to block an ongoing network operation for the network-enabled application, upon determining that the network-enabled application performs a malicious activity (Vallone, ¶20-22: “if analysis indicates that the target is vulnerable to a cyberattack … is at or near a defined threshold (e.g., … service level three, indicating a critical vulnerability), the technology can automatically update the target network′ monitoring capabilities … [0022] … create … firewall rules fail the target network so that network traffic is routed to a safe, failover network;”).
The same motivation which is applied to claim 71 with respect to Vallone applies to claim 72.
Claim 73 is rejected under 35 U.S.C. 103 as being unpatentable over Teal, and further in view of US-PGPUB No. 2017/0237749 A1 to Wood.
Regarding claim 73:
Teal discloses the one or more tangible, non-transitory computer-readable media of claim 64, but does not explicitly teach the following limitation taught by Wood:
further comprising instructions for a browser plugin to monitor browser activity (Wood, ¶24: “a web traffic analysis system to determine the identity of the open web address, the identity of the at least one connection of the open web address, or the identity of both. The web traffic analysis system includes a browser plugin,”, p-135: “The system [next] checks to see if the subdomain matches an open URL 402, i.e., a web address that is open within the browser app. A browser plugin can be used to transmit open and closed web addresses.”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the teachings of Teal to incorporate the functionality of the system to implement a browser plugin that transmits open and closed web addresses from a browser app, as disclosed by Wood. Such modification would enable the system to gather information (opened links, websites, etc.) that can be used to trace activities.
Claim 74 is rejected under 35 U.S.C. 103 as being unpatentable over Teal, US-PGPUB No. 2020/0314061 A1 to Uchikawa, and further in view of Wood.
Regarding claim 74:
Teal discloses the one or more tangible, non-transitory computer-readable media of claim 64, but does not explicitly teach the following limitation taught by Uchikawa:
wherein the instructions are further to determine that the network-enabled application does not use an operating system (OS)-provided domain name system (DNS) client […], and block network access for the network-enabled application (Uchikawa, ¶57-60: “In S501, the communication application 1010 requests the OS standard DNS client 1021 used for the network 1 (300) to perform DNS name resolution. … the communication application 1010 determines whether name resolution is successful on the basis of the result of DNS name resolution performed by the OS standard DNS client 1021 in response to the request. … If the name resolution has failed, the process proceeds to S504. … the communication application 1010 displays an error. For example, the communication application 1010 outputs a message indicating that communication has failed or outputs an error sound.”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the teachings of Teal to incorporate the functionality of the communication application to determine whether name resolution is successful on the basis of the result of DNS name resolution performed by an OS standard DNS client in response to a request to the OS standard DNS client, as disclosed by Uchikawa. Such modification would enable the system to block non-OS standard DNS client requests that would compromise the security of the system.
The combination of Teal and Uchikawa does not explicitly disclose the following limitation taught by Wood:
[…] and is not a web browser (Wood, ¶40: “a firewall to block data packets transmitted between at least one application/destination pair, wherein the at least one application/destination pair includes one of the at least one non-browser applications communicating with one of the at least one remote host addresses that is the destination of the at least one application/destination pair.”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the teachings of the combination of Teal and Uchikawa to incorporate the functionality of the method to determine that a non-browser application is communicating with a remote host address, as disclosed by Wood. Such modification would enable the system to filter browser applications that could potentially be malicious.
Claim 75 is rejected under 35 U.S.C. 103 as being unpatentable over Teal, and further in view of US-PGPUB No. 2024/0129275 A1 to Van Oort.
Regarding claim 75:
Teal discloses the one or more tangible, non-transitory computer-readable media of claim 64, but does not explicitly teach the following limitation taught by Van Oort:
wherein the instructions are to create a firewall rule to block specific domains or internet protocol (IP) addresses for the network-enabled application (Van Oort, ¶219: “… create an inbound firewall rule (box 160) that blocks inbound traffic from either a CIDR block of IP addresses, or range of IP addresses, … a range of IP addresses can be specified as a range; 192.168.1.15-192.168.1.57.”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the teachings of Teal to incorporate the system configuration to create an inbound firewall rule that blocks inbound traffic from a range of IP addresses, as disclosed by Van Oort. Such modification allows for the proactive defense against malicious activity by blocking entire networks or groups of IP addresses known to be associated with harmful activities.
Claims 76-78 are rejected under 35 U.S.C. 103 as being unpatentable over Teal, US-PGPUB No. 2018/0007088 A1 to Kuznetsov et al. (hereinafter “Kuznetsov”), and further in view of US-PGPUB No. 2024/0106861 A1 to Ahn et al. (hereinafter “Ahn”).
Regarding claim 76:
Teal discloses the one or more tangible, non-transitory computer-readable media of claim 64, but does not explicitly teach the following limitation taught by Kuznetsov:
wherein creating the one or more firewall rules comprises determining that multiple domain names resolve to a common internet protocol (IP) address (Kuznetsov, ¶06: “determining whether any two of the domain names … were resolved to a common IP address”),
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the teachings of Teal to incorporate the functionality of the method to determine whether any two domain names resolve to a common IP address, as disclosed by Kuznetsov. Such modification would enable the system to determine whether a legitimate reason exists for the two domain names to resolve to the common IP address; the absence of a legitimate reason would be an indication of DNS hijacking.
The combination of Teal and Kuznetsov does not explicitly disclose the following limitation taught by Ahn:
and applying a first rule to a first domain of the IP address (Ahn, ¶108: “… the traffic routing and monitoring platform 102 may identify, based on the first traffic routing rules, that traffic should be allowed to access the IP address requested by the first identity embedded DNS query request.”), and a second rule to a second domain of the IP address (Ahn, ¶132: “… the traffic routing and monitoring platform 102 may identify, based on the second traffic routing rules, that traffic directed to the IP address requested by the second identity embedded DNS query request should be blocked …”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the teachings of Teal to incorporate the functionality of the traffic routing and monitoring platform to identify, based on traffic routing rules, an action to perform with regard to an identity embedded DNS query request, as disclosed by Ahn. Such modification would enable the system to either block or allow network traffic to an IP address based on routing rules.
Regarding claim 77:
The combination of Teal, Kuznetsov and Ahn discloses:
The one or more tangible, non-transitory computer-readable media of claim 76, wherein the first rule is to block the IP address (Ahn, ¶108: “… traffic should be allowed to access the IP address requested by the first identity embedded DNS query request.”), and the second rule is to allow the IP address (Ahn, ¶132: “… traffic directed to the IP address requested by the second identity embedded DNS query request should be blocked …”).
The same motivation which is applied to claim 76 with respect to Ahn applies to claim 77.
Regarding claim 78:
The combination of Teal, Kuznetsov and Ahn discloses:
The one or more tangible, non-transitory computer-readable media of claim 77, wherein the instructions are to apply the first rule after determining that a most recent DNS query that resolved to the IP address was for the first domain (Ahn, ¶108: “… traffic should be allowed to access the IP address requested by the first identity embedded DNS query request.”), and apply the second rule after determining that the most recent DNS query that resolved to the IP address was for the second domain (Ahn, ¶132: “… traffic directed to the IP address requested by the second identity embedded DNS query request should be blocked …”).
The same motivation which is applied to claim 76 with respect to Ahn applies to claim 78.
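As an added illustration of the mechanism recited in claims 74 and 76-78 (written for this page; not code from the application, Teal, Uchikawa, Kuznetsov or Ahn): a userspace engine records OS DNS query events, detects domains that resolve to a common IP, and keys the firewall action for a connection on the most recent domain that resolved to that IP, blocking non-browser connections to IPs that no OS DNS query ever produced. The class names, the per-domain policy table, the process IDs and the DNS events are constructed assumptions.

```python
# Added example: userspace rule engine that derives kernel-firewall decisions
# from OS DNS query events. Names, policy and events are constructed; this is
# not code from the application or the cited references.
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class DnsEvent:
    """One DNS query event as delivered by the OS resolver (constructed shape)."""
    pid: int
    domain: str
    ip: str


@dataclass(frozen=True)
class FirewallRule:
    """Rule handed to the kernel-mode firewall; action is 'allow' or 'block'."""
    pid: int
    ip: str
    action: str
    reason: str


class DnsAwareRuleEngine:
    """Tracks domain->IP resolutions observed via OS DNS events and derives a
    per-connection firewall rule from a per-domain policy."""

    def __init__(self, domain_policy: Dict[str, str]) -> None:
        self.domain_policy = domain_policy              # domain -> "allow"|"block"
        self.last_domain_for_ip: Dict[str, str] = {}    # IP -> most recent domain
        self.domains_for_ip: Dict[str, Set[str]] = {}   # IP -> every domain seen

    def on_dns_event(self, ev: DnsEvent) -> None:
        """Record a resolution; the newest query wins for that IP."""
        self.domains_for_ip.setdefault(ev.ip, set()).add(ev.domain)
        self.last_domain_for_ip[ev.ip] = ev.domain

    def shared_ip_domains(self, ip: str) -> Set[str]:
        """Domains that resolved to a common IP (empty unless more than one)."""
        domains = self.domains_for_ip.get(ip, set())
        return set(domains) if len(domains) > 1 else set()

    def rule_for_connection(self, pid: int, ip: str,
                            is_browser: bool = False) -> FirewallRule:
        """Decide the firewall action for a connection attempt by pid to ip."""
        domain: Optional[str] = self.last_domain_for_ip.get(ip)
        if domain is None:
            # No OS resolver query produced this IP: the app either hardcoded
            # it or used its own DNS client. Non-browser apps are blocked.
            if is_browser:
                return FirewallRule(pid, ip, "allow", "browser; no OS DNS record")
            return FirewallRule(pid, ip, "block", "no OS DNS query resolved this IP")
        action = self.domain_policy.get(domain, "allow")
        return FirewallRule(pid, ip, action,
                            f"most recent DNS query for {ip} was {domain}")


def demo() -> Dict[str, str]:
    """Two domains share one IP; the action flips with the latest DNS query."""
    engine = DnsAwareRuleEngine({"cdn.example": "allow", "evil.example": "block"})
    shared_ip = "203.0.113.10"                       # constructed, TEST-NET-3
    engine.on_dns_event(DnsEvent(4242, "cdn.example", shared_ip))
    first = engine.rule_for_connection(4242, shared_ip).action      # allow
    engine.on_dns_event(DnsEvent(4242, "evil.example", shared_ip))
    second = engine.rule_for_connection(4242, shared_ip).action     # block
    unseen = engine.rule_for_connection(7, "198.51.100.5").action   # block
    return {"first": first, "second": second, "unseen": unseen}


if __name__ == "__main__":
    print(demo())
```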
Conclusion
THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MATTHIAS HABTEGEORGIS whose telephone number is (571)272-1916. The examiner can normally be reached M-F 8am-5pm ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, William R. Korzuch can be reached at (571)272-7589. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/M.H./Examiner, Art Unit 2491
/DANIEL B POTRATZ/Primary Examiner, Art Unit 2491