Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
DETAILED ACTION
Claims 1-19 and 21 are pending.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Response to Arguments
Applicant’s arguments with respect to the prior rejections have been considered but are moot in view of the new grounds of rejection, particularly the application of the Carley reference.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1-3, 6, 7,12-15,18, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Dods (US Pat. 10,972,508) in view of Keller et al (US Pub. No. 2016/0098561), hereafter, “Keller,” and Carley (US Pub. No. 2008/0072291).
As to claim 1, Dods discloses a method of managing security for an endpoint device, the method comprising:
making, by a management controller of the endpoint device that operates as a separate and independent computing device from the endpoint device, an identification that an intrusion event has occurred for the endpoint device (column 3, lines 17-45; particularly, “In some implementations, malicious behavior, such as a cyberattack, malware, and/or the like, may be caused by a bad actor (e.g., a network intruder) based on compromising one of the endpoint devices (e.g., a compromised endpoint device). In some implementations, one or more network devices may identify the malicious behavior. As further shown in FIG. 1A, and by reference number 105, the security platform may receive, from the one or more network devices, information identifying the malicious behavior by the compromised endpoint device associated with the network.”)
performing, by the management controller, a forensic analysis of the intrusion event to obtain a forensic report, the forensic report indicating an impact of the intrusion event on hardware components of the endpoint device, and the forensic analysis being performed, at least in part, by snooping communication (column 4, line 47-column 5, line 14, particularly, “As shown in FIG. 1D, and by reference number 125, the security platform may process the traffic associated with the compromised endpoint device, the endpoint device information, and the network device information, with a machine learning model, to generate a security policy to isolate the malicious behavior.”); and
performing, by the management controller and based on a policy keyed at least a portion of the forensic report, an action set to remediate an impact of the intrusion event on the hardware components of the endpoint device (column 4, line 47-column 5, line 14, particularly, “As shown in FIG. 1D, and by reference number 125, the security platform may process the traffic associated with the compromised endpoint device, the endpoint device information, and the network device information, with a machine learning model, to generate a security policy to isolate the malicious behavior.”).
However, Dods does not explicitly disclose the forensic analysis being performed, at least in part, by snooping communication between the hardware components of the endpoint device.
But, Keller discloses a forensic report indicating an impact of an intrusion event on hardware components of the endpoint device the forensic analysis being performed, at least in part, by snooping communication between the hardware components of the endpoint device (Fig. 4 and [0057], particularly, “Many exemplary embodiments operate by analyzing the unintended or intended emissions of a microelectronic device, phenomenology that is causally dependent on its internal circuitry and programming. Malicious circuitry resulting from hardware or software modifications such as hardware Trojans emit well-defined signatures that are detected by identifying characteristic signature elements associated with altered or additional functionality inserted into the IC.” See also, [0163])
Therefore it would have been obvious to one of ordinary skill in the art prior to the effective filing date of the application to combine the teachings of Dods and Keller in order to be able to more closely monitor the operations of entities in a network so as to provide a higher level of security.
But, Dods and Keller do not explicitly disclose the management controller is physically installed within the endpoint device and still operates as a separate and independent computing device from the endpoint device.
However, Carley discloses making, by a management controller that is physically installed within the endpoint device and that operates as a separate and independent computing device from the endpoint device, an identification that an intrusion event has occurred for the endpoint device (Fig. 2, [0027]-[0029], [0042], particularly, “A primary function of the SMACC is to provide for the separation of management data from user data both within the device being managed and while the management information is in transit. Within the device, the SMACC sets up a separate processor for receiving management information and interacting with the control functions of the device.”)
Therefore it would have been obvious to one of ordinary skill in the art prior to the effective filing date of the application to combine the teachings of Dods and Keller with Carley in order to provide for the secure management of devices without requiring additional devices taking up additional rack space by embedding the necessary hardware and software for secure management of the device in the device to be managed (Carley, [0016]).
As to claims 12 and 17, they are rejected by a similar rationale by that set forth in claim 1’s rejection.
As to claims 2, 13, and 18, the teachings of Dods, Keller, and Carley as combined for the same reasons set forth in claim 1’s rejection further disclose making the identification that an intrusion event has occurred comprises obtaining, by the management controller, an intrusion alert from a tamper detection device of the endpoint device (Keller, [0163]).
As to claims 3, 14, and 19, the teachings of Dods, Keller, and Carley as combined for the same reasons set forth in claim 1’s rejection further disclose the tamper detection device comprises at least one device selected from a list of devices consisting of: an intrusion detector (Keller, [0163]-[0164); a general-purpose input/output (GPIO) tamper detector; and a serial communication tamper detector.
As to claim 6, the teachings of Dods, Keller, and Carley as combined for the same reasons set forth in claim 1’s rejection further disclose providing, by the management controller and via an out of band communication channel, the forensic report to a remote server (Fig. 4 and Carley, [0050]).
As to claim 7, the teachings of Dods, Keller, and Carley as combined for the same reasons set forth in claim 1’s rejection further disclose performing the action set comprises: providing, by the management controller, the forensic report to a startup management entity of the endpoint device to cause the startup management entity to revert impact of the intrusion event on the hardware components (Keller, [0057]).
Claims 4, 5, 16, and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Dods, Keller, and Carley in view of Malinowski et al (US Pub. No. 2016/0378103), hereafter, “Malinowski.”
As to claims 4 and 16, the teachings of Dods and Keller disclose the parent claim but do not disclose the forensic report comprises: an identifier for a first hardware component of the hardware components impacted by the intrusion event; and a list of identified modifications made to the first hardware component during the intrusion event, the list being based at least in part on the snooped communications.
However, Malinowski discloses a forensic report comprises: an identifier for a first hardware component of the hardware components impacted by the intrusion event; and a list of identified modifications made to the first hardware component during the intrusion event, the list being based at least in part on the snooped communications (Fig. 3, [0013]-[0014], and [0050]).
Therefore it would have been obvious to one of ordinary skill in the art prior to the effective filing date of the application to combine the teachings of Dods and Keller with Malinowski in order provide more information to users so as they can more easily diagnosis and mange their respective systems.
As to claims 5 and 16, the teachings of Dods, Keller, Carley, and Malinowski as combined for the same reasons set forth in claim 4’s rejection further disclose performing the action set comprises at least one action selected from a list of actions consisting of: disabling the first hardware component; depowering the first hardware component; and reversing the identified modifications (Keller, [0057]).
Allowable Subject Matter
Claims 8-11 and 20 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to THOMAS J DAILEY whose telephone number is (571)270-1246. The examiner can normally be reached 9:30am-6:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Umar Cheema can be reached on 571-270-3037. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/THOMAS J DAILEY/ Primary Examiner, Art Unit 2458