DETAILED ACTION
Claims 1-20 are presented for examination.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Information Disclosure Statement
The Information Disclosure Statement(s) submitted by applicant on 02/26/2026 has/have been considered. The submission is in compliance with the provisions of 37 CFR § 1.97. Form PTO-1449 signed and attached hereto.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the claims at issue are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the reference application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO internet Web site contains terminal disclaimer forms which may be used. Please visit http://www.uspto.gov/forms/. The filing date of the application will determine what form should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to http://www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1, 8, and 15 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of U.S. Patent No. 10,142,353.
Although the conflicting claims are not identical, they are not patentably distinct from each other because the subject matter claimed in the instant application is substantially similar in nature of U.S. Patent No. 10,142,353. Please see the table below:
Instant Application
U.S. Patent No. 10,142,353
1. A method for responding to attacks on a datacenter, comprising:
receiving sensor data from a plurality of sensor processes executing in a datacenter, the sensor data including network data describing one or more network flows within the datacenter;
determining whether an attack is occurring based at least in part on comparing the received sensor data to data corresponding to a baseline operation of the datacenter; and
in response to determining the attack is occurring, modifying a security policy of the datacenter.
7. A method executed within a datacenter, comprising:
receiving, a first packet log from a first sensor and a second packet log from a second sensor, the first packet log and the second packet log describing packets that are captured by the respective sensors; determining that the first packet log and the second packet log describes a connection between two endpoints in a datacenter; describing any connections within the first packet log and the second packet log in a flow log; and sending the flow log to an analytics module determining a status of the datacenter, using any connections in the flow log;
detect an attack that originated from within the datacenter from at least the determined status of the datacenter; and
modify, in response to the detected attack, a security policy of the datacenter.
Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of U.S. Patent Application No. 18/436,185.
Although the conflicting claims are not identical, they are not patentably distinct from each other because the subject matter claimed in the instant application is substantially similar in nature but broader in scope than U.S. Patent Application No. 18/436,185.
Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of U.S. Patent No. US 11528283 B2.
Although the conflicting claims are not identical, they are not patentably distinct from each other because the subject matter claimed in the instant application is substantially similar in nature but broader in scope than U.S. Patent No. 11528283.
Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of U.S. Patent No. US 11936663.
Although the conflicting claims are not identical, they are not patentably distinct from each other because the subject matter claimed in the instant application is substantially similar in nature but broader in scope than U.S. Patent No. 11936663.
This is a nonstatutory double patenting rejection .
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims1-20 are rejected under 35 U.S.C. 103 as being unpatentable over in view of Sultan et al. (US Patent No, 9438618) (Hereinafter Sultan) in view of Engel et al. (US Patent Application No. 20140165207) (Hereinafter Engel).
As per claim 1, Sultan discloses a method for responding to attacks on a datacenter, comprising:
mapping, for one or more distributed applications, a baseline application
dependency, the baseline application dependency (col 2, lines 7-15, a graph may be generated based on the measurements and/or configuration information of the distributed computing system.) defining component processes of a
given distributed application and interactions between the component processes (col 2, lines 1-15, The generated graph may include a set of nodes representing elements (also referred to as resources or components) of the distributed computing system, with edges between the nodes indicating the relationships between the nodes.), the component processes hosted in a virtualized computing environment (col 2, lines 7-15, virtual computing systems. The distributed computing system may further include one or more computing network environments. The set of introspection points may be determined based on identifying characteristics that are accessible at the individual introspection points of the set of introspection points (e.g., network internet protocol addresses, encryption or decryption keys, software library versions, process names and identifiers, virtual machine identities, etc.). At the individual introspection points, the identifying characteristics may be measured, and a graph may be generated based on the measurements and/or configuration information of the distributed computing system. The generated graph may include a set of nodes representing elements (also referred to as resources or components) of the distributed computing system, with edges between the nodes indicating the relationships between the nodes.);
determining whether an attack is occurring based at least in part on
comparing the received sensor data to data corresponding to the baseline application
dependency for the one or more distributed applications (col 2, lines 16-28, evaluating rules using the graph, One or more rules may be evaluated against the graph.. from the graph data, it may be determined that credentials used to access a certain resource have greater privileges than actually used.) ; and
in response to determining the attack is occurring, automatically
modifying a security policy of the datacenter (col 2, lines 16-28, the system may perform a security action, such as notifying an appropriate entity of the rule violation or automatically modifying a security policy to constrain the privileges).
Sultan teaches distributed computing system including multiple introspection point collecting characteristics .. introspection points, gathering network protocol addresses process names and virtual machine identities (col 1, lines 61-67, col 2. Lines 1-15).
Sultan does not explicitly disclose receiving sensor data from a plurality of sensor processes executing in a datacenter, the sensor data including network data describing one or more network flows within the datacenter.
However, Engel discloses receiving sensor data from a plurality of sensor processes executing in a datacenter (para 15, collecting raw data from at least one probe sensor), the sensor data including network data describing one or more network flows within the datacenter (para 79, data center; para 74, raw data" relates to packets, traffic data, flow data, logs, queries and network protocols) .
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Sultan and Engel. The motivation would have been to improve threat detection accuracy in distributed computing environments.
As per claim 2, claim is rejected for the same reasons and motivation as claim 1, above. In addition, Engel discloses wherein the sensor data further includes operations data describing a software state of at least one host in the datacenter (fig 3, para 17, 37,creating meta data interpreted as managing software state) .
As per claim 3, claim is rejected for the same reasons and motivation as claim 1, above. In addition, Engel discloses wherein a machine learning process is used to determine the baseline application dependency (para 27, machine learning algorithms for creating statistical behavioral models). Sultan discloses the baseline application
dependency (col 2, lines 16-28, evaluating rules using the graph, One or more rules may be evaluated against the graph.. from the graph data, it may be determined that credentials used to access a certain resource have greater privileges than actually used.)
As per claim 4, claim is rejected for the same reasons and motivation as claim 1, above. In addition, Engel discloses wherein a machine learning process is used to determine whether the attack is occurring (para 27, machine learning algorithms for creating statistical behavioral models).
As per claim 5, claim is rejected for the same reasons and motivation as claim 1, above. In addition, Engel discloses wherein the sensor data includes an indication of active or previously active processes executing on an operating system on at least one host in the datacenter (para 83, which are software components may be installed on computers where collection of network data is not possible. For example, communication between multiple Virtual Machines).
As per claim 6, claim is rejected for the same reasons and motivation as claim 1, above. In addition, Engel discloses wherein the sensor data includes at least one of a of a memory and a status of an I/O device (fig 4, para 72, associating collected data to entities).
As per claim 7, claim is rejected for the same reasons and motivation as claim 1, above. In addition, Engel discloses wherein, in response to the modifying of the security policy of the datacenter, traffic to at least one host in the datacenter is blocked.
Claims 8-14, claims are rejected for the same reasons and motivations as claims 1-7, above.
Claims 15-20, claims are rejected for the same reasons and motivations as claims 1-5 and 7, above.
Response to Arguments
Applicant's arguments filed 01/22/2026 have been fully considered but they are not persuasive, therefore rejections to claims 1-20 is maintained
In response to Applicant’s arguments against the references individually, one cannot show non-obviousness by attacking references individually where the rejections are based on combinations of references. In this case Sultan discloses mapping, for one or more distributed applications, a baseline application
dependency, the baseline application dependency (col 2, lines 7-15, a graph may be generated based on the measurements and/or configuration information of the distributed computing system.) defining component processes of a
given distributed application and interactions between the component processes (col 2, lines 1-15, The generated graph may include a set of nodes representing elements (also referred to as resources or components) of the distributed computing system, with edges between the nodes indicating the relationships between the nodes.), the component processes hosted in a virtualized computing environment (col 2, lines 7-15, virtual computing systems. The distributed computing system may further include one or more computing network environments. The set of introspection points may be determined based on identifying characteristics that are accessible at the individual introspection points of the set of introspection points (e.g., network internet protocol addresses, encryption or decryption keys, software library versions, process names and identifiers, virtual machine identities, etc.). At the individual introspection points, the identifying characteristics may be measured, and a graph may be generated based on the measurements and/or configuration information of the distributed computing system. The generated graph may include a set of nodes representing elements (also referred to as resources or components) of the distributed computing system, with edges between the nodes indicating the relationships between the nodes.);
determining whether an attack is occurring based at least in part on
comparing the received sensor data to data corresponding to the baseline application
dependency for the one or more distributed applications (col 2, lines 16-28, evaluating rules using the graph, One or more rules may be evaluated against the graph.. from the graph data, it may be determined that credentials used to access a certain resource have greater privileges than actually used.) ; and
in response to determining the attack is occurring, automatically
modifying a security policy of the datacenter (col 2, lines 16-28, the system may perform a security action, such as notifying an appropriate entity of the rule violation or automatically modifying a security policy to constrain the privileges).
Sultan further teaches distributed computing system including multiple introspection point collecting characteristics .. introspection points, gathering network protocol addresses process names and virtual machine identities (col 1, lines 61-67, col 2. Lines 1-15).
Engel discloses receiving sensor data from a plurality of sensor processes executing in a datacenter (para 15, collecting raw data from at least one probe sensor), the sensor data including network data describing one or more network flows within the datacenter (para 79, data center; para 74, raw data" relates to packets, traffic data, flow data, logs, queries and network protocols) .
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Sultan and Engel. The motivation would have been to improve threat detection accuracy in distributed computing environments.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MOHAMMAD A SIDDIQI whose telephone number is (571)272-3976. The examiner can normally be reached Monday-Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl G Colin can be reached on 571-272-3862. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/MOHAMMAD A SIDDIQI/Primary Examiner, Art Unit 2493