DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1-3, 7-10 and 14-17 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. Claim 1 recites, “first version of an application being certified”, “generating a first software bill of materials (SBOM) associated with the first version of the application;”, “determining that the first version of the application has been updated”, “generating a second SBOM corresponding to the second version of the application:”, and “comparing, by the processing device, the first SBOM and the second SBOM…”. The limitations of “certified”, “generating”, “determining”, “generating” and “comparing” as drafted are functions that, under their broadest reasonable interpretation, recite the abstract idea of a mental process. The limitations encompass a human mind carrying out the function through observation, evaluation, judgment and/or opinion, or even with the aid of pen and paper. Thus, these limitations recite and fall within the “Mental Processes” grouping of abstract ideas under Prong 1.
Under Prong 2, this judicial exception is not integrated into a practical application. The limitation “a processing device” is recited at a high level of generality such that it amounts to no more than mere instructions to apply the exception using a generic computer and/or generic computer components, MPEP 2106.05(f). Accordingly, the additional elements do not integrate the recited judicial exception into a practical application and the claim is therefore directed to the judicial exception.
Under Step 2B, the claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional element of “a processing device” amounts to no more than mere instructions, or generic computer/computer components, to carry out the exception. The recitation of generic computer instructions and computer components to apply the judicial exception does not amount to significantly more and thus cannot provide an inventive concept. Accordingly, claim 1 is not patent eligible under 35 USC 101.
Claim 2, the steps of “determining that the second version of the application is not compliant…” and “performing one or more mitigation actions” are additional steps of the abstract idea “Mental Process”. Nothing in the claimed limitations prevents them from being performed in the mind. The limitations are neither a practical application under prong 2, nor an inventive concept under step 2B.
Claim 3, further defines criteria to perform the mitigation actions. The additional elements are neither a practical application under prong 2, nor an inventive concept under step 2B.
Claim 7, further defines the SBOM. The additional elements are neither a practical application under prong 2, nor an inventive concept under step 2B.
Claims 8-10 and 14-17, contain similar limitations to claims 1-3 and 7. Therefore, they are rejected for the same reasons.
Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.
Claims 1-3, 7-10, and 14-17 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Schutt et al. (US 2023/0208880).
As per claim 1, Schutt et al. teaches the invention as claimed including, “A method comprising:
in response to a first version of an application being certified as compliant with a set of policies, generating a first software bill of materials (SBOM) associated with the first version of the application;
in response to determining that the first version of the application has been updated to a second version of the application, generating a second SBOM corresponding to the second version of the application; and
comparing, by a processing device, the first SBOM and the second SBOM to determine whether the second version of the application is compliant with the set of policies.”
Schutt et al. teaches automatically analyzing software packages to apply security policies, to identify the degree of difference between compared packages, and to perform other operations. A first software bill of materials is processed to extract a plurality of components of the software package, wherein the first software bill of materials indicates a first hierarchy of components based on relationships between components. The first hierarchy is compared to a second hierarchy, the second hierarchy corresponding to a second software bill of materials, to determine a degree of difference between the first and the second hierarchy. The degree of difference is compared to one or more threshold values. A security policy is applied with respect to the software package according to a comparison of the degree of difference (0010). Also see 0002. Two SBOMs may correspond to two versions of the same software package, such as during a software update (where one version is of a previous release) (0014). The magnitude of difference between software packages can be ascertained, which can be used to enforce fully-automated security policies that selectively grant or deny software packages access to systems (0017). Once a software package is configured as trustworthy (certified), the software package may be permitted to execute in a computing environment, may be included in a software update, or may be approved to access a computer network (0018). Also see 0025-0027 and 0032. An updated software package can be compared to a previous version to determine the degree of difference between the two versions. If the degree of difference is below a threshold value, then the updated version may be executed, installed, permitted to access a network, and the like (0028).
The examiner states that it would have been inherent to one of ordinary skill in the art that if an updated software package is replacing or updating a previous version, the previous version must already be trustworthy (certified) in order to be installed and executed on the system.
As per claim 2, Schutt et al. further teaches, “The method of claim 1, further comprising:
in response to determining that the second version of the application is not compliant with the set of policies, performing one or more mitigation actions.”
The degree of difference is compared to one or more threshold values. A security policy is applied with respect to the software package according to a comparison of the degree of difference (0010). The magnitude of difference between software packages can be ascertained, which can be used to enforce fully-automated security policies that selectively grant or deny software packages access to systems (0017). Also see 0032 and 0052.
As per claim 3, Schutt et al. further teaches, “The method of claim 2, wherein the one or more mitigation actions are performed based on:
an importance score of the application; an
importance score of one or more components of the second version of the application that are determined to not comply with the set of policies based on the comparison; and
changes to a dependency structure of a component of the second version of the application relative to the first version of the application.”
Each identified difference between hierarchy 200 and hierarchy 250 may contribute to an overall score that represents the degree of difference between the hierarchies. In some embodiments, different types of differences can be weighted; for example, the removal of a component in a hierarchy may be weighted more or less heavily than a change in the dependencies of components (0040). Weights may be applied to different types of differences so that insertions, deletions, substitutions, changes in dependencies, and/or any other differences can be weighted differently. Known trusted components can be omitted while known bad components can be weighted or flagged to cause the comparison to indicate the presence of the bad components (0049-0052).
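As an added illustration (not code from the Office Action or from the Schutt reference it cites), the following Python models the weighted hierarchy comparison summarised for claims 1-3 above: components of two SBOMs are diffed, each difference type carries its own weight, known-trusted components are omitted, known-bad components are flagged, and the resulting score is compared to thresholds to select a policy outcome. The weights, thresholds, and sample SBOMs are constructed assumptions.

```python
from typing import Dict, Set, Tuple

# An SBOM is modelled as {component: (version, {direct dependencies})}.
SBOM = Dict[str, Tuple[str, Set[str]]]

# Assumed weights per difference type (constructed values, not from the reference).
WEIGHTS = {"insert": 1.0, "delete": 2.0, "substitute": 1.5,
           "dep_change": 0.5, "known_bad": 100.0}


def degree_of_difference(old: SBOM, new: SBOM,
                         trusted: Set[str] = frozenset(),
                         known_bad: Set[str] = frozenset()) -> float:
    """Score how far `new` has drifted from `old`; higher means more change."""
    score = 0.0
    # Known-trusted components are omitted from the comparison entirely.
    old_c = {c for c in old if c not in trusted}
    new_c = {c for c in new if c not in trusted}
    score += WEIGHTS["insert"] * len(new_c - old_c)   # components added
    score += WEIGHTS["delete"] * len(old_c - new_c)   # components removed
    for c in old_c & new_c:
        if old[c][0] != new[c][0]:        # same component, different version
            score += WEIGHTS["substitute"]
        if old[c][1] != new[c][1]:        # dependency edges changed
            score += WEIGHTS["dep_change"] * len(old[c][1] ^ new[c][1])
    # Known-bad components are weighted so their presence dominates the score.
    score += WEIGHTS["known_bad"] * len(new_c & known_bad)
    return score


def apply_policy(score: float, allow_below: float = 3.0,
                 limited_below: float = 10.0) -> str:
    """Map the score onto the three outcomes the reference describes."""
    if score < allow_below:
        return "allow"                # small drift: execute / install as-is
    if score < limited_below:
        return "limited-permissions"  # moderate drift: run with reduced rights
    return "deny"                     # substantial drift or known-bad component


# Constructed sample SBOMs for a version 1 -> version 2 update.
V1 = {"app": ("1.0", {"libssl", "zlib"}),
      "libssl": ("3.0.1", set()), "zlib": ("1.2", set())}
V2 = {"app": ("1.1", {"libssl", "zlib", "leftpad"}),
      "libssl": ("3.0.2", set()), "zlib": ("1.2", set()),
      "leftpad": ("0.1", set())}

if __name__ == "__main__":
    s = degree_of_difference(V1, V2, trusted={"zlib"})
    print(s, apply_policy(s))
```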
As per claim 7, Schutt et al. further teaches, “The method of claim 2, wherein each of the first and second SBOM comprises a list of components and dependencies used in a respective version of the application.”
The first software bill of materials indicates a first hierarchy of components based on relationships between components (0010).
As per claims 8-10 and 14-17, they contain similar limitations to claims 1-3 and 7. Therefore, they are rejected for the same reasons.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 4, 11 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Schutt et al. (US 2023/0208880) and further in view of Shi (US 2023/0017989 A1).
As per claim 4, Schutt et al. teaches that if a modified software package is substantially different from the previously-approved version, the modified software may be denied access by the security policy module, flagged for manual inspection, and the like. However, Schutt et al. does not explicitly appear to teach, “The method of claim 2, wherein a first mitigation action of the one or more mitigation actions comprises:
migrating the second version of the application to a container; and
determining if the second version of the application can execute in a manner that is sufficiently compatible with the set of policies, wherein the first version of the application executes while it is determined if the second version of the application can execute in a manner that is sufficiently compatible with the set of policies.”
Shi et al. teaches intercepting a software update package and installing the software update in a software update sandbox instead of on the intended recipient. Once the software update is installed, all behaviors of the software update are monitored and analyzed to verify that the component in the software update package exhibits no malicious behavior (0009). The examiner states that it would be inherent that the first version to be updated would still be running, since the update package has been intercepted and has not updated the first version yet.
It would have been obvious to one of ordinary skill in the art before the effective filing date to modify Schutt et al. with Shi et al. because both teach ways of verifying compliance of an update. Schutt et al. teaches that, due to a substantial degree of difference, the software package is run with a limited set of permissions. Shi et al. teaches installing an update in a sandbox to monitor and analyze its behavior. This allows Shi et al. to detect any malicious behavior prior to applying the update to production. The use of the known technique taught in Shi et al. will allow Schutt et al. to improve its update verification in a similar way as Shi et al.
As per claims 11 and 18, they contain similar limitations to claim 4. Therefore, they are rejected for similar reasons.
Claims 5-6, 12-13 and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Schutt et al. (US 2023/0208880) and further in view of Lum et al. (US 11,170,105 B2).
As per claim 5, Schutt et al. further teaches, “The method of claim 2, wherein a second mitigation action of the one or more mitigation actions comprises:
executing the second version of the application with a limited set of permissions and access rights; and”
If the degree of difference is substantial, then the software package under scrutiny may be denied access to a system, or may be provided with a limited set of permissions (0052).
However, Schutt et al. does not explicitly appear to teach, “while the second version of the application executes with the limited set of permissions and access rights, determining if the second version of the application can execute in a manner that is sufficiently compatible with the set of policies.”
Lum et al. teaches installing an update and running the software. If execution of the software update leads to anomalous behavior that does not match the information in the behavior profile, then the host terminates the software update and performs a rollback (column 9, lines 40-56).
It would have been obvious to one of ordinary skill in the art before the effective filing date to modify Schutt et al. with Lum et al. because both teach ways of verifying compliance of an update. Schutt et al. teaches that, due to a substantial degree of difference, the software package is run with a limited set of permissions. Lum et al. teaches monitoring the execution of an installed update to verify that it behaves in a manner that matches a behavior profile. Combining prior art elements according to known methods would yield the predictable result of allowing Schutt et al. to make sure its software package running with a limited set of permissions is functioning correctly.
As per claim 6, Lum et al. further teaches, “The method of claim 5, wherein in response to determining that the second version of the application cannot execute in a manner that is sufficiently compatible with the set of policies based on the second mitigation action, performing a third mitigation action comprising: stopping execution of the second version of the application; and rolling the application back to the first version of the application.”
Lum et al. teaches installing an update and running the software. If execution of the software update leads to anomalous behavior that does not match the information in the behavior profile, then the host terminates the software update and performs a rollback (column 9, lines 40-56).
As per claims 12-13 and 19-20, they contain similar limitations to claims 5-6 and are therefore rejected for the same reasons.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MARK A GOORAY whose telephone number is (571)270-7805. The examiner can normally be reached Monday - Friday 10:00am - 6:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lewis Bullock can be reached at 571-272-3759. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/MARK A GOORAY/Examiner, Art Unit 2199
/LEWIS A BULLOCK JR/Supervisory Patent Examiner, Art Unit 2199