DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claim(s) 1-8, 10-17, and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Langton et al. (U.S. Patent Application Publication No. 2017/0250995, hereinafter “Langton”) in view of Gula et al. (U.S. Patent Application Publication No. 2014/0007241, hereinafter “Gula”).
Claims 1 and 10:
Langton discloses an apparatus comprising:
at least one processor (§ 0025, Lines 7-8; Device 300 may include a processor 320); and
at least one memory storing instructions that, when executed by the at least one processor (§ 0025, Lines 7-8; Device 300 may include a memory 330), cause the apparatus at least to:
receive an indication of at least one network condition from at least one client device (§ 0020, Lines 1-3; Security device 220 may detect a suspicious behavior relating to (e.g., originating from, destined to, associated with, etc.) client device 210 and may obtain suspect objects from client device 210 based on detecting the suspicious behavior);
determine at least one risk level associated with the at least one client device according to the at least one received network condition (§ 0020, Lines 8-10; Security device 220 may test the suspect object to determine whether the one or more suspect objects are malicious), wherein the at least one risk level is further determined based upon at least one of the following:
security scanner information (See citation above. Security device 220 may test (or “scan”) the suspect object to determine whether the one or more suspect objects are malicious); or
an aggregated risk of a plurality of client devices running together as an application; and
wherein the at least one network condition comprises at least one of the following:
vulnerability information and related exploitability information regarding software running on the at least one client device;
at least one indication of whether at least one port of the at least one client device is exposed to the public internet;
at least one protocol exploit;
at least one protocol misconfiguration;
at least one indication of abnormal requests received by the at least one client device (§ 0012, Lines 3-10; The security device may detect suspicious activity, such as network traffic provided to or received from a malicious source and/or a malicious destination by the client devices, network port scanning performed by or related to the client devices, malicious requests from one of the client devices to another one of the client devices, an anomalous signal provided or received by one of the client devices, or the like); or
at least one indication of criticality and sensitivity of at least one application running on the at least one client device; and
transmit at least one instruction to the at least one client device to perform at least one action associated with resolving the at least one risk level (§ 0020, Lines 10-12; Security device 220 may take remedial actions based on determining that a suspect object is malicious), wherein the at least one action comprises at least one of the following:
disabling at least one security group;
automatically updating the at least one client device with at least one software update;
running at least one action script configured to remove or stop services from running on the at least one client device;
disabling the at least one client device on a network;
changing a configuration on the at least one client device (§ 0050, Lines 4-8; Security device 220 and/or administrator device 250 may cause client device 210 to provide a notification to a user of client device 210, to quarantine a malicious object, to delete a malicious object, to run malware remediation software, or the like);
applying at least one rule in at least one firewall or at least one web application firewall;
enforcing at least one security group in a cloud environment; or
requesting at least one software update on the at least one client device.
Langton does not appear to disclose determining, by the network entity, accessibility of the at least one client device to a public internet using a network topology indicating a network path traversal.
Gula discloses a method for simulating attack paths (§ 0073, Lines 2-3) that determines accessibility of the at least one device to a public internet using a network topology indicating a network path traversal (§ 0077, Lines 6-9 and 11-13; The report may list the attack paths in an order from highest to lowest severity based on a type associated with the remote client IP addresses that could potentially exploit the host (i.e., IP addresses that can be exploited remotely may have a higher severity in the report than internal IP addresses that have no vulnerabilities). The attack paths listed in the report may include a critical severity level to represent exploits from remotely visible servers).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to modify Langton’s security device by integrating Gula’s method for simulating attack paths in order to identify potential weak points in a network that may be exploited (Gula, § 0073, Lines 3-4).
The method of claim 1 is implemented by the apparatus of claim 10 and is therefore rejected with the same rationale.
Claims 2 and 11:
Langton in view of Gula further discloses wherein the at least one memory and the instructions, when executed by the at least one processor, further cause the apparatus at least to:
poll the at least one client device to determine whether the client device has been exposed to the public internet;
determine whether the at least one client device has been exposed to a public internet based upon at least one application programming interface (API);
determine a status of the at least one client device based upon at least one cloud API;
receive a feed from a security scanner or software indicating software vulnerabilities based upon at least one of an application, service, or operation system run by the at least one client device (Langton, § 0055, Lines 7 and 11-12; Security device 220 may obtain suspect objects related to recently installed applications) (Also see Fig. 5B, Element 525);
assess a network path to the at least one client device via a public network; or
transmit at least one alert indicating received runtime privilege changes implemented on the at least one client device.
Claims 3 and 12:
Langton in view of Gula further discloses wherein the at least one network condition further comprises:
at least one indication of abnormal traffic patterns detected on the at least one client device (Langton, § 0012, Lines 3-10; The security device may detect suspicious activity, such as network traffic provided to or received from a malicious source and/or a malicious destination by the client devices, network port scanning performed by or related to the client devices, malicious requests from one of the client devices to another one of the client devices, an anomalous signal provided or received by one of the client devices, or the like).
Claims 4 and 13:
Langton in view of Gula further discloses wherein the at least one risk level is further determined based upon at least one of the following:
threat intelligence information received from at least one other network entity (Langton, § 0046, Lines 6-10; Security device 220 may determine whether the suspect object is malicious based on testing the suspect object, looking up the suspect object in a database of malicious objects, providing the suspect object to another device for testing, or the like).
Claims 5 and 14:
Langton in view of Gula further discloses wherein the at least one action further comprises at least one of the following:
transmitting at least one alert to at least one operator indicating at least one issue to be resolved (Langton, § 0050, Lines 4-8; Security device 220 and/or administrator device 250 may cause client device 210 to provide a notification to a user of client device 210, to quarantine a malicious object, to delete a malicious object, to run malware remediation software, or the like).
Claims 6 and 15:
Langton in view of Gula further discloses wherein the at least one network condition comprises at least one of a software version number, intrusion occurrence, vulnerability scan (Langton, § 0034, Lines 3-4; Security device 220 may detect a suspicious activity related to client device 210) (Langton, § 0037, Lines 1-3; Security device 220 may detect the suspicious activity by monitoring client device 210), or last update date/time.
Claims 7 and 16:
Langton in view of Gula further discloses wherein the risk level is at least partially based on a position of the at least one client device within a network (Langton, § 0012, Lines 1-2; A security device may provide security services to client devices on a customer network) (Langton, § 0013, Lines 1-4; A network administrator may need to ensure that the customer network is secure and may accordingly test the suspect objects to determine whether the suspect objects are malicious) or accessibility to the public internet.
Claims 8 and 17:
Langton in view of Gula further discloses wherein the at least one memory and the instructions, when executed by the at least one processor, further cause the apparatus at least to:
designate the at least one client device with a first predetermined risk categorization (Langton, § 0020, Lines 8-10; Security device 220 may test the suspect object to determine whether the one or more suspect objects are malicious).
Claim 19:
Langton discloses an apparatus comprising:
means (§ 0025, Lines 7-10; Device 300 may include a bus 310, a processor 320, a memory 330, a storage component 340, an input component 350, an output component 360, and a communication interface 370) for receiving an indication of at least one network condition from at least one client device (§ 0020, Lines 1-3; Security device 220 may detect a suspicious behavior relating to (e.g., originating from, destined to, associated with, etc.) client device 210 and may obtain suspect objects from client device 210 based on detecting the suspicious behavior);
means (§ 0025, Lines 7-10; Device 300 may include a bus 310, a processor 320, a memory 330, a storage component 340, an input component 350, an output component 360, and a communication interface 370) for determining at least one risk level associated with the at least one client device according to the at least one received network condition (§ 0020, Lines 8-10; Security device 220 may test the suspect object to determine whether the one or more suspect objects are malicious), wherein the at least one risk level is further determined based upon at least one of the following:
security scanner information (See citation above. Security device 220 may test (or “scan”) the suspect object to determine whether the one or more suspect objects are malicious); or
an aggregated risk of a plurality of client devices running together as an application; and
wherein the at least one network condition comprises at least one of the following:
vulnerability information and related exploitability information regarding software running on the at least one client device;
at least one indication of whether at least one port of the at least one client device is exposed to the public internet;
at least one protocol exploit;
at least one protocol misconfiguration;
at least one indication of abnormal requests received by the at least one client device (§ 0012, Lines 3-10; The security device may detect suspicious activity, such as network traffic provided to or received from a malicious source and/or a malicious destination by the client devices, network port scanning performed by or related to the client devices, malicious requests from one of the client devices to another one of the client devices, an anomalous signal provided or received by one of the client devices, or the like); or
at least one indication of criticality and sensitivity of at least one application running on the at least one client device; and
means (§ 0025, Lines 7-10; Device 300 may include a bus 310, a processor 320, a memory 330, a storage component 340, an input component 350, an output component 360, and a communication interface 370) for transmitting at least one instruction to the at least one client device to perform at least one action associated with resolving the at least one risk level (§ 0020, Lines 10-12; Security device 220 may take remedial actions based on determining that a suspect object is malicious), wherein the at least one action comprises at least one of the following:
disabling at least one security group;
automatically updating the at least one client device with at least one software update;
running at least one action script configured to remove or stop services from running on the at least one client device;
disabling the at least one client device on a network;
changing a configuration on the at least one client device (§ 0050, Lines 4-8; Security device 220 and/or administrator device 250 may cause client device 210 to provide a notification to a user of client device 210, to quarantine a malicious object, to delete a malicious object, to run malware remediation software, or the like);
applying at least one rule in at least one firewall or at least one web application firewall;
enforcing at least one security group in a cloud environment; or
requesting at least one software update on the at least one client device.
Langton does not appear to disclose determining, by the network entity, accessibility of the at least one client device to a public internet using a network topology indicating a network path traversal.
Gula discloses a method for simulating attack paths (§ 0073, Lines 2-3) that determines accessibility of the at least one device to a public internet using a network topology indicating a network path traversal (§ 0077, Lines 6-9 and 11-13; The report may list the attack paths in an order from highest to lowest severity based on a type associated with the remote client IP addresses that could potentially exploit the host (i.e., IP addresses that can be exploited remotely may have a higher severity in the report than internal IP addresses that have no vulnerabilities). The attack paths listed in the report may include a critical severity level to represent exploits from remotely visible servers).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to modify Langton’s security device by integrating Gula’s method for simulating attack paths in order to identify potential weak points in a network that may be exploited (Gula, § 0073, Lines 3-4).
Claim 20:
Langton in view of Gula further discloses:
means for polling the at least one client device to determine whether the client device has been exposed to the public internet;
means for determining whether the at least one client device has been exposed to a public internet based upon at least one application programming interface (API);
means for determining a status of the at least one client device based upon at least one cloud API;
means (Langton, § 0025, Lines 7-10; Device 300 may include a bus 310, a processor 320, a memory 330, a storage component 340, an input component 350, an output component 360, and a communication interface 370) for receiving a feed from a security scanner or software indicating software vulnerabilities based upon at least one of an application, service, or operation system run by the at least one client device (Langton, § 0055, Lines 7 and 11-12; Security device 220 may obtain suspect objects related to recently installed applications) (Also see Langton, Fig. 5B, Element 525);
means for assessing a network path to the at least one client device via a public network; or
means for transmitting at least one alert indicating received runtime privilege changes implemented on the at least one client device.
Response to Arguments
Applicant’s arguments, see page 12, filed 01/23/2026, with respect to claims 7 and 16 have been fully considered and are persuasive. The rejection of claims 7 and 16 under 35 USC 112(b) has been withdrawn.
Applicant's arguments filed 01/23/2026 have been fully considered but they are not persuasive:
Applicant argues on pages 17-18 that Gula does not disclose the determining further comprising determining, by the network entity, accessibility of the at least one client device to a public internet using a network topology indicating a network path traversal according to at least one firewall rule. The examiner disagrees. In response to applicant's argument that the references fail to show certain features of the invention, it is noted that the features upon which applicant relies (i.e., “according to at least one firewall rule”) are not recited in the rejected claim(s). Although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims. See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993).
Applicant further argues on pages 18-20 that Langton does not disclose the claimed “risk level”, “network condition”, and “action”. The examiner disagrees and specific citations for how Langton discloses each of the argued limitations are found in the rejection of claims 1, 10, and 19.
For these reasons, the rejection of claims 1-8, 10-17, and 19-20 is respectfully maintained.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to NAM T TRAN whose telephone number is (408) 918-7553. The examiner can normally be reached Monday-Friday 7AM-3PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Emmanuel Moise can be reached at 571-272-3865. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/NAM T TRAN/Primary Examiner, Art Unit 2455