Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Detailed Action
Office Action is in response to the reply filed by Applicant on 1/2/2026. Claims 1-20 are pending. This Office Action is Final.
Response to Arguments
A) Applicant argues the rejections under 35 USC 101 for an Abstract idea are improper. Examiner respectfully disagrees. Under the 2-prong analysis, Step 2A is that the claims as written could be performed using mental steps. The steps of "correlat[ing] ..." "filter[ing] ..." and "generat[ing] a line graph" are all steps capable of being performed mentally. Step 2B is that the claims do not contain any improvement to the current technology. It is well known that the steps being performed can be performed by any generic computing device; therefore there are no special hardware components which would be required to perform the mental steps. Lastly, there is no practical application of the limitations. The limitations essentially take log data and manipulate the data to be presented via a line graph, but the presented line graph is not applied for any practical purpose. As a result, the 35 USC 101 rejection for Abstract Idea stands. As a result, the claims are still rejected under 35 USC 101 for being an Abstract Idea.
B) Applicant’s arguments with respect to claim(s) 1, 10 and 17 have been considered but are moot because the new ground of rejection does not rely on the exact combination of references applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1-20 are rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter as being directed to an abstract idea without being integrated into a practical application or significantly more.
Regarding claims 1, 10 and 17, the claim is directed to an abstract idea as reciting the limitations “obtain a plurality of log,” “correlate the log records,” “filter the log” and “generate a line graph.” The aforementioned steps are “mental process/mathematical calculation” as broadly interpreted said steps could be performed in the human mind. Therefore, the claim recites an abstract idea.
Said abstract idea and/or judicial exception is not integrated into a practical application as the claim does not recite any other active steps that utilize the determination result in a practical application. It’s noted that the claims recite additional elements (i.e., processor/memory, computing system). However, said additional elements are recited at a high level of generality (i.e., as a generic processor performing a generic computer function of obtaining, correlating, generating or determining operation, etc.) such that it amounts to no more than mere instructions to apply the exception or abstract idea using a generic computer component. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea.
The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional elements when considered both individually and as an ordered combination do not amount to significantly more than the abstract idea. As mentioned above, although the claims recite additional elements, said elements taken individually or as a combination, do not result in the claim amounting to significantly more than the abstract idea because the additional elements perform generic computer content distributing functions routinely used in the information technology field. See US Applications 2013/0254535, 2015/0156194 and 2011/0154027. As discussed above, the additional elements are recited at a high level of generality such that they amount to no more than mere instructions to apply the exception using a generic computer component. Therefore, the claim is directed to non-statutory subject matter.
Regarding claims 2-9, 11-16 and 18-20; the dependent claims are also rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter for the same reasons addressed above as the claims recite an abstract idea without being integrated into a practical application or significantly more.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1, 2, 5-7, 9-11, 14, 15, 17, 19 and 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Pham (US 2023/0315841) in view of Noehringer et al. (US 2002/0188871) and Mehta et al. (US 2022/0398239).
As per claim 1, Pham teaches an Information Handling System (IHS) comprising: a plurality of nodes configured in a cluster (Pham, Paragraph 0020 recites “Techniques described herein provide a method to cluster large volumes of event log data into categories. Each category can include a group of similar and related event records. The categories can be generated in the form of a graph that has nodes representing different event records, and edges between the nodes representing corresponding relationships between the different event records.”);
and at least one memory coupled to at least one processor, the at least one memory having program instructions stored thereon that, upon execution by the at least one processor (Pham, Paragraphs 0027-0028 recites “The computer 100 includes at least one processor 106. Although illustrated as a single processor 106 in FIG. 1, two or more processors may be used according to particular needs, desires, or particular implementations of the computer. Generally, the processor 106 executes instructions and manipulates data to perform the operations of the computer 102. The computer 100 also includes a memory 108 that holds data for the computer 102. The data can include files and computer programs, to name just a few examples. Although illustrated as a single memory 108 in FIG. 1, two or more memories may be used according to particular needs, desires, or particular implementations of the computer 102. While memory 108 is illustrated as an integral component of the computer 102, in alternative implementations, memory 108 can be external to the computer 102.”), cause the IHS to:
obtain a plurality of log records associated with a plurality of Security Associations (SAs) that provide intercommunication among the nodes of the cluster, each log record including information about an event associated with its associated SA, (Pham, Paragraph 0077 recites “The system receives an event log that includes a plurality of event records (302). Each event record describes one or more events that have occurred on a computer system over a period of time.”), and generate a line graph that visually represents the SAs using a plurality of SA identifiers (SA IDs) (Pham, Paragraph 0079 recites “The system represents each normalized event record as one or more nodes in the graph (306). In some implementations, the system represents each different segment of a normalized event record as a respective node in the graph.”).
But fails to teach wherein the SAs conform to an IP Security (IPsec) protocol.
However, in an analogous art Noehringer teaches wherein the SAs conform to an IP Security (IPsec) protocol (Noehringer, Paragraph 0094 recites “IPSec manager 1516 may also be responsible for IPSec memory maintenance, which may include maintaining a list of available SAD entries, maintaining a hash table of active outbound SAD entries, maintaining a hash table of active inbound SAD entries, and maintaining a hash table of SPD indexes to security policy search table indexes. IPSec manager 1516 may also parse an SAD entry into a packet-processing block and a key information block and copy both blocks to memory, and update an NPU security policy search table with selectors and the associated SAD address. IPSec manager 1516 may also perform soft time lifetime tracking of IPSec outbound security associations. IPSec manager 1516 may also gather and process log entries created by IPSec engine 104 (FIG. 1) and perform path maximum transmission unit (PMTU) processing for IPSec outbound tunnels.”).
It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Noehringer’s System And Method For Managing Security Packet Processing with Pham’s Event data processing because it offers the advantage of having flexibility and scalability to support various network topologies, such as site-to-site and remote access connections.
And fails to teach correlate the log records according to their IP address information, the IP address information uniquely identifying each node in the cluster;
filter the log records according to a criteria comprising at least one of a date/time stamp, or a SA identifier associated with each of the log records.
However, in an analogous art Mehta teaches correlate the log records according to their IP address information, the IP address information uniquely identifying each node in the cluster; filter the log records according to a criteria comprising at least one of a date/time stamp, or a SA identifier associated with each of the log records
(Mehta, Paragraph 0033 recites “In Step 212, following the alternative determination (in Step 206) that the confidence level(s) associated with the predicted problem component(s) (obtained in Step 204) meet or exceed the above-mentioned confidence level threshold, one or more specification files, relevant to the predicted problem component(s), is/are identified. In one embodiment of the invention, a specification file may refer to a predefined text file, associated with a given physical or logical component of a client device or the data protection system, which may specify one or more component-relevant log files, zero or more component-relevant log file filters, and/or zero or more component-relevant diagnostic tool recommendations. Each component-relevant log file may reference a log file pertinent to the given physical/logical component. Each component-relevant log file filter (if any) may reference a data attribute (e.g. problem timestamp window, client device Internet Protocol (IP) address, etc.), pertinent to the given physical/logical component, which can be used to refine relevant log file query results. Each component-relevant diagnostic tool recommendation (if any) may reference a diagnostic utility, offered via the diagnostics feature on the data protection system (described above) (see e.g., FIG. 1), which can be employed to discover diagnostic information pertinent to the given physical/logical component.”)
It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Mehta’s Intelligent support bundle collection with Pham’s Event data processing because it offers the advantage of correlating data to help to triage potential data problems.
As per claim 2, Pham in combination with Noehringer and Mehta teaches The IHS of claim 1, Pham further teaches wherein the program instructions, upon execution, further cause IHS to obtain the plurality of log records in response to a Data Collect (DC) event (Pham, Paragraph 0077 recites “The system receives an event log that includes a plurality of event records (302). Each event record describes one or more events that have occurred on a computer system over a period of time.”).
As per claim 5, Pham in combination with Noehringer and Mehta teaches The IHS of claim 1, Pham further teaches wherein the program instructions, upon execution, further cause IHS to generate an icon proximate to a SA ID, wherein the icon represents an event that the SA experienced (Pham, Paragraph 0064 recites “The system represents each normalized event record as one or more nodes in the graph (206). In some implementations, the system represents each different segment of a normalized event record as a respective node in the graph. For example, as illustrated in FIG. 7, a file access event record having three different segments—“C:\”, “test\”, and “example.pdf” are represented by three different nodes in the graph, respectively.”).
As per claim 6, Pham in combination with Noehringer and Mehta teaches The IHS of claim 5, Pham further teaches wherein the program instructions, upon execution, further cause IHS to generate the icon according to how the SA was established or torn down (Pham, Paragraph 0064 recites “The system represents each normalized event record as one or more nodes in the graph (206). In some implementations, the system represents each different segment of a normalized event record as a respective node in the graph. For example, as illustrated in FIG. 7, a file access event record having three different segments—“C:\”, “test\”, and “example.pdf” are represented by three different nodes in the graph, respectively.”).
As per claim 7, Pham in combination with Noehringer and Mehta teaches The IHS of claim 5, Pham further teaches wherein the program instructions, upon execution, further cause IHS to indicate event information that the SA has encountered (Pham, Paragraph 0064 recites “The system represents each normalized event record as one or more nodes in the graph (206). In some implementations, the system represents each different segment of a normalized event record as a respective node in the graph. For example, as illustrated in FIG. 7, a file access event record having three different segments—“C:\”, “test\”, and “example.pdf” are represented by three different nodes in the graph, respectively.”).
As per claim 9, Pham in combination with Noehringer and Mehta teaches The IHS of claim 1, Noehringer further teaches wherein the program instructions are embodied as a plugin to an IPsec tool (Noehringer, Paragraph 0094 recites “IPSec manager 1516 may also be responsible for IPSec memory maintenance, which may include maintaining a list of available SAD entries, maintaining a hash table of active outbound SAD entries, maintaining a hash table of active inbound SAD entries, and maintaining a hash table of SPD indexes to security policy search table indexes. IPSec manager 1516 may also parse an SAD entry into a packet-processing block and a key information block and copy both blocks to memory, and update an NPU security policy search table with selectors and the associated SAD address. IPSec manager 1516 may also perform soft time lifetime tracking of IPSec outbound security associations. IPSec manager 1516 may also gather and process log entries created by IPSec engine 104 (FIG. 1) and perform path maximum transmission unit (PMTU) processing for IPSec outbound tunnels.”).
It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Noehringer’s System And Method For Managing Security Packet Processing with Pham’s Event data processing because it offers the advantage of having flexibility and scalability to support various network topologies, such as site-to-site and remote access connections.
Regarding claims 10 and 17, claims 10 and 17 are directed to a method and a computing device associated with the method of claim 1. Claims 10 and 17 are of similar scope to claim 1, and are therefore rejected under similar rationale.
Regarding claim 11, claim 11 is directed to a similar computing device associated with the system of claim 2. Claim 11 is similar in scope to claim 2, and is therefore rejected under similar rationale.
Regarding claims 14 and 19, claims 14 and 19 are directed to a method and a computing device associated with the method of claim 5. Claims 14 and 19 are of similar scope to claim 5, and are therefore rejected under similar rationale.
Regarding claims 15 and 20, claims 15 and 20 are directed to a method and a computing device associated with the method of claim 6. Claims 15 and 20 are of similar scope to claim 6, and are therefore rejected under similar rationale.
Claim(s) 3, 8, 12, 16 and 18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Pham (US 2023/0315841), Noehringer et al. (US 2002/0188871) and Mehta et al. (US 2022/0398239) and in further view of Peled et al. (US 2021/0325920).
As per claim 3, Pham in combination with Noehringer and Mehta teaches The IHS of claim 1, but fails to teach wherein the program instructions, upon execution, further cause IHS to extract, from the log records, at least one of a SA establishment, a SA teardown, a SA timeout, a SA keep-alive message, a SA rekey event, a SA configuration problem, a Service restart, and a node reboot event.
However, in an analogous art Peled teaches (Peled, Paragraph 0093 recites “In one embodiment, the monitoring device is battery operated, wherein power consumption is minimized by operating the monitoring device 2 in a mode, in which the monitoring device 2 is sleeping most of the time and wakes up according to a predefined schedule (e.g. every 15 seconds) to send keep-alive data to the gateway 12 and sample and log detected data according to a predefined schedule (e.g. every 15 minutes) and sending data to the gateway 12. The gateway 12 uploads the data records to the cloud-based structure 20 as soon as the gateway 12 has received the data. In one embodiment, the monitoring device provides no offline logging.”).
It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Peled’s Pham’s Event data processing because it offers the advantage of extracting a variety of types of data.
As per claim 8, Pham in combination with Noehringer and Mehta teaches The IHS of claim 7, but fails to teach wherein the event information is indicative of at least one of a CHILD_SA rekey event, an IKE_SA rekey event, or a keep-alive message.
However, in an analogous art Peled teaches wherein the event information is indicative of at least one of a CHILD_SA rekey event, an IKE_SA rekey event, or a keep-alive message (Peled, Paragraph 0093 recites “In one embodiment, the monitoring device is battery operated, wherein power consumption is minimized by operating the monitoring device 2 in a mode, in which the monitoring device 2 is sleeping most of the time and wakes up according to a predefined schedule (e.g. every 15 seconds) to send keep-alive data to the gateway 12 and sample and log detected data according to a predefined schedule (e.g. every 15 minutes) and sending data to the gateway 12. The gateway 12 uploads the data records to the cloud-based structure 20 as soon as the gateway 12 has received the data. In one embodiment, the monitoring device provides no offline logging.”).
It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Peled’s Pham’s Event data processing because it offers the advantage of extracting a variety of types of data.
Regarding claims 12 and 18, claims 12 and 18 are directed to a method and a computing device associated with the method of claim 3. Claims 12 and 18 are of similar scope to claim 3, and are therefore rejected under similar rationale.
Regarding claim 16, claim 16 is directed to a similar computing device associated with the system of claim 8. Claim 16 is similar in scope to claim 8, and is therefore rejected under similar rationale.
Claim(s) 4 and 13 is/are rejected under 35 U.S.C. 103 as being unpatentable over Pham (US 2023/0315841), Noehringer et al. (US 2002/0188871) and Mehta et al. (US 2022/0398239) and in further view of Keshet et al. (US 2017/0149810).
As per claim 4, Pham in combination with Noehringer and Mehta teaches The IHS of claim 1, but fails to teach wherein the program instructions, upon execution, further cause IHS to filter the log records according to a criteria comprising at least one of an IP address, a date/time stamp, or an SA identifier.
However, in an analogous art Keshet teaches wherein the program instructions, upon execution, further cause IHS to filter the log records according to a criteria comprising at least one of an IP address, a date/time stamp, or an SA identifier (Keshet, Paragraph 0049 recites “FIG. 7 is a schematic block diagram of the system processing a request to focus on web proxy log data 1 originating from specific IP addresses. In the example illustrated by FIG. 7, an SME submits a request to focus on web proxy log data originating from specific IP addresses 402 to the system 10. This corresponds to a creation or a change of a filter to focus on a specific type of event, for example, to a focus on specific target IP addresses that have a “whois” record originating from a Chinese province where a business competitor has settled. The SME may also move specific groups of IP addresses in and out of the requested focus arbitrarily. The interaction module 5 may identify the request to focus on web proxy log data 1 originating from specific IP addresses as a request to apply a filter focused on this addresses 502.”).
It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Keshet’s malware detection on web proxy log data with Pham’s Event data processing because it offers the advantage of having the flexibility of looking at particular sets of data.
Regarding claim 13, claim 13 is directed to a similar computing device associated with the system of claim 4. Claim 13 is similar in scope to claim 4, and is therefore rejected under similar rationale.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to RODERICK TOLENTINO whose telephone number is (571)272-2661. The examiner can normally be reached Mon-Fri 8am-4pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached at 571-270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
RODERICK . TOLENTINO
Examiner
Art Unit 2439
/RODERICK TOLENTINO/Primary Examiner, Art Unit 2439