DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This is a non-final office action in response to applicant’s communication filed on 3/15/2024.
Claims 1-21 are pending and being considered.
Priority
Acknowledgment is made of applicant's claim for foreign priority based on an application filed in the Republic of India on 10/2/2023. It is noted, however, that applicant has not filed a certified copy of the IN202341066036 application as required by 37 CFR 1.55.
Specification
The disclosure is objected to because of the following informalities:
Para. [0022] lines 5, 8, “distributed firewall engine 119A/119B” may read “distributed firewall engine 118A/118B”.
Similarly, Para. [0023] line 4.
Appropriate correction is required.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.
Claims 5, 7, 12, 14, 19, 21 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claim 5 line 1 recites “the connection establishment”. There is insufficient antecedent basis for this limitation in the claim.
The same applies to claims 12 and 19.
Claims 6, 13 and 20 depend on claims 5, 12 and 19 respectively, and are therefore also rejected for the same reason set forth above.
Claim 7 line 2 recites “the MPS instance”. There is insufficient antecedent basis for this limitation in the claim.
The same applies to claims 14 and 21.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 15-21 are rejected under 35 USC § 101 because the claimed invention is directed to non-statutory subject matter. The claims are not statutory as they are drawn as a whole to software per se.
Claim 15 recites a computer system, comprising “a virtualized computing instance”, and “a firewall engine”, which can be interpreted as software per se, under the broadest reasonable interpretation in light of applicant’s Specification. The claim does not fall within at least one of the four categories of patent eligible subject matter because the claim is directed to software. To overcome the above concern, applicant is advised to include at least one hardware component in the system claim.
Claims 16-21 depend on claim 15, and are therefore also rejected for the same reason set forth above.
Examiner Notes
Examiner cites particular paragraphs, columns and line numbers in the references as applied to the claims below for the convenience of the applicant. Although the specified citations are representative of the teachings in the art and are applied to the specific limitations within the individual claim, other passages and figures may apply as well. It is respectfully requested that, in preparing responses, the applicant fully consider the references in entirety as potentially teaching all or part of the claimed invention, as well as the context of the passage as taught by the prior art or disclosed by the examiner.
Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.
Claims 1-4, 8-11, 15-18 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Patil et al (US20200236086A1, hereinafter, “Patil”).
Regarding claim 1, Patil teaches:
A method for a first computer system to implement a process-aware identity firewall (Patil, discloses methods and systems for score-based dynamic firewall rule enforcement in a software-defined networking (SDN) environment, see [Abstract]), wherein the method comprises:
based on network event information, detecting a request for a virtualized computing instance supported by the first computer system to access a resource from a second computer system (Refer to Fig. 3 at 310 or Fig. 4 at 405, and [0034] At 405 and 410 in FIG. 4, in response to detecting a login event (see 510 in FIG. 5) associated with user 191 logging into VM1 131, host-A 110A may generate and send event information associated with login event 510 to SDN manager 184. Examiner notes, in this case, User device is the second computer system, and VM 131 may be the first computer system);
obtaining (a) identity information identifying a user or a user device associated with the virtualized computing instance and (b) process information associated with a process that initiates the request to access the resource (e.g., [0026] A “score associated with a user” may be assigned to the user (e.g., user 191/192), a virtualized computing instance or endpoint (e.g., VM 131/134) associated with the user (i.e., “identity information”), an application or process associated with the user (e.g., APP 141/144) (i.e., “process information associated with a process”), … And Fig. 3 at 320, or Fig. 4 at 420, and [0034] The “event information” (see 415 in FIG. 4) may include any suitable information associated login event 510 and user 191, such as user ID=X, event type=login, IP address=IP1 (i.e., identity information), etc. And [0036] At 420 in FIG. 4, in response to receiving the event information associated with login event 510, SDN manager 184 identifies group=doctor and score=100 associated with user ID=X (see also 270 in FIG. 2). Score=100 may be a maximum score indicating the highest level of trustworthiness or reputation associated with user 191);
mapping the identity information, the network event information and the process information to an identity firewall rule that includes at least (a) a first parameter that is mappable to the identity information, (b) a second parameter that is mappable to the network event information and (c) a third parameter that is mappable to the process information (See Fig. 2, Identity information 270 and Set of firewall rules 280. Examiner notes, the network Parameter(s) and Destination may be interpreted as second parameter that is mappable to the network event information. And [0026] According to mapping information (see 270), group=doctor includes members such as first user 191 (see 271) and second user 192 (see 272) (i.e., first parameter). A set of score-based firewall rules (see 280) may be configured for group=doctor such that they are applicable to both users 191-192. As used herein, the term “score” may refer generally to a measurable level of trust or reputation that may be used for firewall rule enforcement. For example, a higher score may be assigned to one user who is more trustworthy or reputable compared to another user who is suspected to be malicious (i.e., third parameter). And Fig. 4, [0038] At 425 in FIG. 4, SDN manager 184 identifies a set of firewall rules that is applicable to user 191. Referring also to FIG. 2, firewall rules 281-286 are identified to be applicable to group=doctor, and therefore to user 191. In practice, block 425 may involve agent 151 sending group and user information to DFW engine 118A, which may then identify firewall rules 281-286 based on group-to-firewall-policy mapping information);
and applying the identity firewall rule to allow or block the request to access the resource, thereby controlling access to the resource based on the identity information, the network event information, and the process information (Fig. 3 at 330 or 360, or Fig. 4 at 460 or 465, e.g., [0040] At 440, 445 and 450 in FIG. 4, in response to detecting a packet requesting access to a resource from VM1 131, DFW engine 118A identifies a firewall rule that is applicable to the packet… At 460-465, host-A 110A reports event information associated with action=allow or block to SDN manager 184).
Regarding claim 8, claim 8 is a computer-readable storage medium claim that encompasses limitations similar to those limitations of the method claim 1. Therefore, claim 8 is rejected with the same rationale as applied against claim 1. In addition, Patil teaches a non-transitory computer-readable storage medium that includes a set of instructions which, in response to execution by a processor of a computer system, cause the processor to perform a method of process-aware identity firewall (Patil, discloses methods and systems for score-based dynamic firewall rule enforcement in a software-defined networking (SDN) environment, see [Abstract]. And see [0058] for processor and computer-readable medium).
Regarding claim 15, claim 15 is a computer system claim that encompasses limitations similar to those limitations of the method claim 1. Therefore, claim 15 is rejected with the same rationale as applied against claim 1. In addition, Patil teaches a computer system, comprising a virtualized computing instance, and a firewall engine (Patil, discloses methods and systems for score-based dynamic firewall rule enforcement in a software-defined networking (SDN) environment, see [Abstract]. And see Fig. 1, e.g., DFW Engine 118A, 118B).
Regarding claim 2, and similarly claims 9 and 16, Patil teaches the method of claim 1, the non-transitory computer-readable storage medium of claim 8, and the computer system of claim 15.
Patil further teaches: wherein mapping the identity information to the identity firewall rule comprises: mapping the identity information to the first parameter that specifies at least one of the following: a user identifier (ID) or username associated with the user, a group associated with the user and a domain name associated with the user (See Fig. 2 Identity information 270 where User ID and Group).
Regarding claim 3, and similarly claims 10 and 17, Patil teaches the method of claim 1, the non-transitory computer-readable storage medium of claim 8, and the computer system of claim 15.
Patil further teaches: wherein mapping the process information to the identity firewall rule comprises: mapping the process information to the third parameter that specifies at least one of the following: a process hash associated with the process, a process score associated with the process, process tree information associated with the process, and security information associated with the process (See Fig. 2 Identity information 270 where VM/APP is mapped with Score).
Regarding claim 4, and similarly claims 11 and 18, Patil teaches the method of claim 3, the non-transitory computer-readable storage medium of claim 10, and the computer system of claim 17.
Patil further teaches: wherein applying the identity firewall rule comprises one of the following: determining whether to allow or block the request based on the process hash associated with the process; determining whether to allow or block the request by comparing the process score with a threshold specified by the identity firewall rule; determining whether to allow or block the request based on the process tree information specifying at least the process and a parent process; and determining whether to allow or block the request based on whether the security information specifies a signed certificate required by the identity firewall rule (e.g., [0040] At 440, 445 and 450 in FIG. 4, in response to detecting a packet requesting access to a resource from VM1 131, DFW engine 118A identifies a firewall rule that is applicable to the packet. For example, the matching firewall rule may be identified based on packet characteristics (e.g., header information) and/or identity information associated with user 191. At 455, if the score associated with user 191 satisfies a predetermined threshold, an action specified by the firewall rule will be performed. At 460-465, host-A 110A reports event information associated with action=allow or block to SDN manager 184 (i.e., determining whether to allow or block the request by comparing the process score with a threshold specified by the identity firewall rule)).
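The mapping and enforcement steps discussed for claims 1 and 4 above (identity, network event and process parameters in one rule; allow/block decided by hash, score threshold, parent process and signature), as an illustration added here; this is not code from the application, from Patil, or from the Office, and the rule fields, score threshold and sample policy are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# The three inputs the claimed method consumes: identity, network event, process.
@dataclass(frozen=True)
class Identity:
    user_id: str
    group: str
    domain: str

@dataclass(frozen=True)
class NetworkEvent:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass(frozen=True)
class Process:
    sha256: str      # hash of the executable that initiated the request
    score: int       # reputation score, 0-100 (higher = more trusted), assumed scale
    parent: str      # parent process name taken from the process tree
    signed: bool     # whether the binary carries a valid signature

@dataclass(frozen=True)
class IdentityRule:
    name: str
    action: str                          # "allow" or "block"
    groups: frozenset = frozenset()      # (a) identity parameter: group membership
    domains: frozenset = frozenset()     # (a) identity parameter: user domain
    dst_net: str = "0.0.0.0/0"           # (b) network parameter: destination network
    dst_ports: frozenset = frozenset()   # (b) network parameter: destination ports
    hashes: frozenset = frozenset()      # (c) process parameter: approved binary hashes
    min_score: Optional[int] = None      # (c) process parameter: score threshold
    parents: frozenset = frozenset()     # (c) process parameter: allowed parent process
    require_signed: bool = False         # (c) process parameter: signature required

    def matches(self, ident: Identity, net: NetworkEvent, proc: Process) -> bool:
        # An empty parameter set means "any"; a populated one must contain the value.
        if self.groups and ident.group not in self.groups:
            return False
        if self.domains and ident.domain not in self.domains:
            return False
        if ip_address(net.dst_ip) not in ip_network(self.dst_net):
            return False
        if self.dst_ports and net.dst_port not in self.dst_ports:
            return False
        if self.hashes and proc.sha256 not in self.hashes:
            return False
        if self.min_score is not None and proc.score < self.min_score:
            return False
        if self.parents and proc.parent not in self.parents:
            return False
        if self.require_signed and not proc.signed:
            return False
        return True

def apply_rules(rules, ident: Identity, net: NetworkEvent, proc: Process) -> str:
    """First matching rule decides; a request matching no rule is blocked."""
    for rule in rules:
        if rule.matches(ident, net, proc):
            return rule.action
    return "block"

# Constructed sample policy: doctors in one domain may reach the records API only
# from a signed, well-scored process launched from the desktop shell.
RULES = (
    IdentityRule("doctors-to-records-api", "allow",
                 groups=frozenset({"doctor"}), domains=frozenset({"hospital.example"}),
                 dst_net="10.20.0.0/24", dst_ports=frozenset({443}),
                 min_score=70, parents=frozenset({"explorer.exe"}), require_signed=True),
    IdentityRule("default-deny", "block"),
)
```

Each `IdentityRule` field corresponds to one of the three claimed parameter types, so a single rule can be tightened on identity, network or process grounds independently.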
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 5-6, 12-13, 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Patil as applied above to claims 1, 8 and 15 respectively, in view of Singh et al (US20220021686A1, hereinafter, “Singh”).
Regarding claim 5, and similarly claims 12 and 19, Patil teaches the method of claim 1, the non-transitory computer-readable storage medium of claim 8, and the computer system of claim 15.
While Patil teaches the main concept of the claimed invention, it does not specifically teach the following, which Singh, in the same field of endeavor, teaches:
wherein detecting the connection establishment comprises: obtaining the network event information from a guest introspection engine supported by the virtualized computing instance (Singh, discloses security threat detection based on process information, see [Abstract]. And [0040] At 430 in FIG. 4, DFW engine 118A may interact with guest introspection agent 201 on VM1 131 to obtain process information associated with BOT-1 501. One approach may include DFW engine 118A generating and sending a request for process information 520 based on the identification information (e.g., VM name or ID, process name or ID, etc.). Any suitable process information associated with BOT-1 501 may be requested, including process binary information (see 520 in FIG. 5), process memory information (to be discussed using FIG. 6), etc. Guest introspection agent 201 may respond with file path(s) or link(s) to the process information. For example, a file event handler may be called whenever a file request is intercepted on VM1 131. Based on the file request associated with a particular file event type, the file event handler may read file content from VM1 131 using any suitable application programming interface (API) calls), wherein the network event information includes at least one of the following: source address information or source port number associated with the virtualized computing instance, destination address information or destination port number associated with the second computer system (e.g., [0038] To improve defense against botnet, at 410 in FIG. 4, DFW engine 118A may intercept an egress packet (see 510) from VM1 131 to destination=DNS resolver 508. Through interception, the forwarding of egress packet 510 towards its destination may be paused or blocked until cleared by DFW engine 118A. In the example in FIG. 5, egress packet 510 may be a DNS query for DNS resolver 508 to resolve a domain name (e.g., www.xyz.com) into an IP address associated with C&C center 507).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Singh in the score-based dynamic firewall rule enforcement of Patil by having the DFW engine interact with a guest introspection agent on the VM to obtain process information. This would have been obvious because the person having ordinary skill in the art would have been motivated to map the process information to determine the security threat associated with the process information (Singh, [Abstract], [0035]-[0042]).
Regarding claim 6, and similarly claims 13 and 20, the Patil-Singh combination teaches the method of claim 5, the non-transitory computer-readable storage medium of claim 12, and the computer system of claim 19.
Singh further teaches: wherein obtaining the process information comprises: in response to receiving the network event information, obtaining the process information from (a) the malware protection service (MPS) instance that is capable of obtaining the process information from the guest introspection engine or (b) the guest introspection engine itself (Singh, [0040] At 430 in FIG. 4, DFW engine 118A may interact with guest introspection agent 201 on VM1 131 to obtain process information associated with BOT-1 501. One approach may include DFW engine 118A generating and sending a request for process information 520 based on the identification information (e.g., VM name or ID, process name or ID, etc.). Any suitable process information associated with BOT-1 501 may be requested, including process binary information (see 520 in FIG. 5), process memory information (to be discussed using FIG. 6), etc. Guest introspection agent 201 may respond with file path(s) or link(s) to the process information. For example, a file event handler may be called whenever a file request is intercepted on VM1 131). The same motivation as presented for claims 5, 12 and 19 respectively applies.
Claims 7, 14, 21 are rejected under 35 U.S.C. 103 as being unpatentable over Patil as applied above to claims 1, 8 and 15 respectively, in view of Yavo et al (US20220210168A1, hereinafter, “Yavo”).
Regarding claim 7, and similarly claims 14 and 21, Patil teaches the method of claim 1, the non-transitory computer-readable storage medium of claim 8, and the computer system of claim 15.
While Patil teaches the main concept of the claimed invention, it does not specifically teach the following, which Yavo, in the same field of endeavor, teaches:
wherein applying the identity firewall rule comprises: generating and sending one or more alerts to the MPS instance or a threat intelligence service to facilitate at least one of the following: extended detection and response (XDR), network detection and response (NDR) and endpoint detection and response (EDR) (Yavo, discloses systems and methods for detection of compromised devices by leveraging context from an EDR agent, see [Abstract]/[0004] A security incident alert is generated by the EDR agent by proactively collecting data regarding the incident. Identification of a device coupled to a private network as potentially being compromised by a security service of a Managed Security Service Provider (MSSP) protecting the private network is facilitated by the EDR agent transmitting the security incident alert to the security service via a security agent of the multiple endpoint security agents corresponding to the security service).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Yavo in the score-based dynamic firewall rule enforcement of Patil by having the EDR agent transmit the security incident alert to the security service. This would have been obvious because the person having ordinary skill in the art would have been motivated to achieve synergistic cooperation/communication among multiple network security agents for efficient detection of compromised devices (Yavo, [Abstract], [0002]).
Citation of References
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The following references are cited but not relied upon for this office action:
Dhanasekar et al (US20220210127A1) discloses methods and systems for attribute-based firewall rule enforcement.
Ratnasingham (US20190245830A1) discloses a method for a software-defined networking (SDN) controller of a data center with application-aware firewall policy enforcement.
Zhou et al (US20160156591A1) discloses a context-aware distributed firewall scheme.
Chanda et al (US20200014662A1) discloses system and method for context based firewall service for agentless machines.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL M LEE whose telephone number is (571)272-1975. The examiner can normally be reached on M-F: 8:30AM - 5:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on (571) 272-4219. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/MICHAEL M LEE/Primary Examiner, Art Unit 2436