Prosecution Insights
Last updated: April 19, 2026
Application No. 18/757,996

ACTIVE THREAT RESPONSE WITH HOST ISOLATION

Non-Final OA §101§102§103§DP
Filed: Jun 28, 2024
Examiner: PARSONS, THEODORE C
Art Unit: 2494
Tech Center: 2400 — Computer Networks
Assignee: Sophos Limited
OA Round: 1 (Non-Final)
Grant Probability: 78% (Favorable)
OA Rounds: 1-2
To Grant: 3y 1m
With Interview: 99%

Examiner Intelligence

Grants 78% — above average
Career Allow Rate: 78% (357 granted / 457 resolved; +20.1% vs TC avg)
Strong +23% interview lift
Interview Lift: +22.6% (resolved cases with interview)
Typical timeline
Avg Prosecution: 3y 1m (13 currently pending)
Career history
Total Applications: 470 (across all art units)

Statute-Specific Performance

§101: 2.0% (-38.0% vs TC avg)
§103: 41.5% (+1.5% vs TC avg)
§102: 29.4% (-10.6% vs TC avg)
§112: 17.8% (-22.2% vs TC avg)
Based on career data from 457 resolved cases

Office Action

§101 §102 §103 §DP
DETAILED ACTION

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. This is in reply to papers filed on 2025-10-23. Claims 1-21 are pending. Claims 1, 11, 21 is/are independent.

Information Disclosure Statement PTO-1449

The Information Disclosure Statement(s) submitted by applicant on 2025-10-23 has/have been considered. The submission is in compliance with the provisions of 37 CFR § 1.97. Form PTO-1449 signed and attached hereto.

Claim Objections

Claim(s) 21 is/are objected to because of the following informalities: The examiner suggests the following corrections:

Claims 9, 19: Amend the claim to read, in part, as follows "threat management computer system is a cloud-based system that includes "

Claim 21: Amend the claim to read, in part, as follows "the computer readable program code being executable by one or more processors of a threat management computer system to cause the threat management computer system to perform"

35 U.S.C. § 101

35 U.S.C. § 101 reads as follows: Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claim(s) 21 is/are rejected under 35 U.S.C. § 101 because the claimed invention is directed to non-statutory subject matter. The claim(s) does/do not fall within at least one of the four categories of patent eligible subject matter because it is directed to a "one or more computer readable storage media" that may include transitory signals. Nothing in Applicant's specification clearly excludes a transitory signal from being included in the term "one or more computer readable storage media". Indeed, several passages state that computer readable storage media may be non-transitory, implying that they may not be as well.
This rejection could be overcome by amending the claim to read, in part, "one or more non-transitory computer readable storage media".

Double Patenting

The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the "right to exclude" granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory obviousness-type double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).

A timely filed terminal disclaimer in compliance with 37 CFR § 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the conflicting application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. Effective January 1, 1994, a registered attorney or agent of record may sign a terminal disclaimer. A terminal disclaimer signed by the assignee must fully comply with 37 CFR § 3.73(b).

Claim(s) 1, 2, 21 is/are rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over the claim(s) of U.S. Patent 10972431 (App 15945346). The table below sets forth exemplary claim(s).
App 18757996 (Instant Application) U.S. Patent 10972431 (App 15945346 ) 1. A method for responding to a threat with host isolation comprising: receiving, by one or more processors of a threat management computer system, endpoint health information for a plurality of endpoints of a monitored network system managed by the threat management computer system; identifying, by the one or more processors of the threat management computer system, a threat associated with the monitored network system; identifying, by the one or more processors of the threat management computer system, a known device identifier or user identification associated with an endpoint of the plurality of endpoints that is responsible for the threat; propagating, by the one or more processors of the threat management computer system, a global isolation of the endpoint across network devices of the monitored network system, wherein the global isolation is configured to block the device identifier or user identification associated with the endpoint that is responsible for the threat. Patented claim 13 (reproduced herein for convenience) discloses all of the limitations of the instant claim. 13. A method for managing endpoints, the method comprising: registering an endpoint to an enterprise network; determining a network adapter profile for the endpoint, the network adapter profile including a plurality of media access control identifiers for a plurality of network adapters used by the endpoint for network communications; detecting a compromised state of the endpoint at a threat management facility of an enterprise network; and blocking network communications from all of the network adapters in the network adapter profile for the endpoint at one or more firewalls remote from the endpoint in the enterprise network. 2. 
The method of claim 1, further comprising: identifying, by the one or more processors of the threat management computer system, the known device identifier associated with the endpoint of the plurality of endpoints that is responsible for the threat; and propagating, by the one or more processors of the threat management computer system, the global isolation of the endpoint across network devices of the monitored network management system, wherein the global isolation is configured to block the device identifier associated with the endpoint that is responsible for the threat. Patented claim 13 (reproduced herein for convenience) discloses all of the limitations of the instant claim. 21. A computer program product comprising: one or more computer readable storage media having computer readable program code collectively stored on the one or more computer readable storage media, the computer readable program code being executed by one or more processors of a threat management computer system to cause the threat management computer system to perform a method for responding to a threat with host isolation comprising: receiving, by the one or more processors of the threat management computer system, endpoint health information for a plurality of endpoints of a monitored network system managed by the threat management computer system; identifying, by the one or more processors of the threat management computer system, a threat associated with the monitored network system; identifying, by the one or more processors of the threat management computer system, a known device identifier or user identification associated with an endpoint of the plurality of endpoints that is responsible for the threat; propagating, by the one or more processors of the threat management computer system, a global isolation of the endpoint across network devices of the monitored network system, wherein the global isolation is configured to block the device identifier or user identification 
associated with the endpoint that is responsible for the threat. Patented claim 1 (reproduced herein for convenience) discloses all of the limitations of the instant claim. 1. A computer program product for managing endpoints comprising non-transitory computer executable code embodied on a non-transitory computer readable medium that, when executing one or more computing devices, performs the steps of: registering an endpoint to an enterprise network, wherein registering includes ensuring that the endpoint is compliant with a security policy for the enterprise network; determining a network adapter profile for the endpoint, the network adapter profile including a plurality of media access control identifiers for a plurality of network adapters used by the endpoint for network communications; detecting a compromised state of the endpoint at a threat management facility of an enterprise network, wherein the compromised state brings the endpoint out of compliance with the security policy; and blocking network communications from all of the network adapters in the network adapter profile for the endpoint at one or more firewalls remote from the endpoint in the enterprise network. Claim(s) 1, 2, 21 is/are rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over the claim(s) of U.S. Patent 11616758 (App 15945291). The table below sets forth exemplary claim(s). App 18757996 (Instant Application) U.S. Patent 11616758 (App 15945291 ) 1. 
A method for responding to a threat with host isolation comprising: receiving, by one or more processors of a threat management computer system, endpoint health information for a plurality of endpoints of a monitored network system managed by the threat management computer system; identifying, by the one or more processors of the threat management computer system, a threat associated with the monitored network system; identifying, by the one or more processors of the threat management computer system, a known device identifier or user identification associated with an endpoint of the plurality of endpoints that is responsible for the threat; propagating, by the one or more processors of the threat management computer system, a global isolation of the endpoint across network devices of the monitored network system, wherein the global isolation is configured to block the device identifier or user identification associated with the endpoint that is responsible for the threat. Patented claim 5 (reproduced herein for convenience) discloses all of the limitations of the instant claim. 5. 
A method for operating a network device that couples a subnet including a plurality of endpoints to an enterprise network, the method including: receiving a notification of a detection of a compromised one of the plurality of endpoints on the subnet from a threat management facility separated from the compromised one of the plurality of endpoints by the network device that performs a network address translation for the subnet, the threat management facility using a different address space than the plurality of endpoints, wherein the notification received at the network device from the threat management facility outside the subnet includes an identifier for the compromised one of the plurality of endpoints using a subnet address for the compromised one of the plurality of endpoints within the subnet, the subnet address provided in a heartbeat message to the threat management facility by one of the plurality of endpoints on the subnet using a control channel between the one of the plurality of endpoints on the subnet and the threat management facility outside the subnet; in response to the notification, blocking traffic between the compromised one of the plurality of endpoints and the enterprise network outside the subnet; and directing one or more of the plurality of endpoints on the subnet that are managed by the threat management facility to stop network communications on the subnet with the compromised one of the plurality of endpoints while maintaining network communications on the subnet with other ones of the plurality of endpoints. 2. 
The method of claim 1, further comprising: identifying, by the one or more processors of the threat management computer system, the known device identifier associated with the endpoint of the plurality of endpoints that is responsible for the threat; and propagating, by the one or more processors of the threat management computer system, the global isolation of the endpoint across network devices of the monitored network management system, wherein the global isolation is configured to block the device identifier associated with the endpoint that is responsible for the threat. Patented claim 5 (reproduced herein for convenience) discloses all of the limitations of the instant claim. 21. A computer program product comprising: one or more computer readable storage media having computer readable program code collectively stored on the one or more computer readable storage media, the computer readable program code being executed by one or more processors of a threat management computer system to cause the threat management computer system to perform a method for responding to a threat with host isolation comprising: receiving, by the one or more processors of the threat management computer system, endpoint health information for a plurality of endpoints of a monitored network system managed by the threat management computer system; identifying, by the one or more processors of the threat management computer system, a threat associated with the monitored network system; identifying, by the one or more processors of the threat management computer system, a known device identifier or user identification associated with an endpoint of the plurality of endpoints that is responsible for the threat; propagating, by the one or more processors of the threat management computer system, a global isolation of the endpoint across network devices of the monitored network system, wherein the global isolation is configured to block the device identifier or user identification 
associated with the endpoint that is responsible for the threat. Patented claim 1 (reproduced herein for convenience) discloses all of the limitations of the instant claim. 1. A computer program product comprising computer executable code embodied on a non-transitory computer readable medium that, when executing on one or more processors of a network translation device that couples a subnet including a plurality of endpoints to an enterprise network, causes the network translation device to perform the steps of: translating address information between a first routing prefix for the subnet and a second routing prefix for a network external to the subnet; receiving a notification of a detection of a compromised one of the plurality of endpoints on the subnet from a threat management facility separated from the compromised one of the plurality of endpoints by the network translation device, the threat management facility using a different address space than the plurality of endpoints, wherein the notification received at the network translation device from the threat management facility outside the subnet includes an identifier for the compromised one of the plurality of endpoints using a subnet address for the compromised one of the plurality of endpoints within the subnet, the subnet address provided in a heartbeat message to the threat management facility by one of the plurality of endpoints on the subnet using a control channel between the one of the plurality of endpoints on the subnet and the threat management facility outside the subnet; in response to the notification, blocking traffic between the compromised one of the plurality of endpoints and the enterprise network outside the subnet; and directing one or more of the plurality of endpoints on the subnet that are managed by the threat management facility, other than the compromised one of the plurality of endpoints, to stop network communications on the subnet with the compromised one of the plurality of 
endpoints while maintaining network communications on the subnet with other endpoints.

Summary of Claim Rejections under 35 U.S.C. § 102 and § 103

The following table summarizes the rejections set forth in detail below of the claims over the prior art.

Claim No. | Nimmagadda '258 | Nimmagadda '258 in view of Gladstone '495 | Nimmagadda '258 in view of Spisak '319 | Nimmagadda '258 in view of Thomas '719 | Nimmagadda '258 in view of Official Notice
1 ✓
2 ✓
3 ✓
4 ✓
5 ✓
6 ✓
7 ✓
8 ✓
9 ✓
10 ✓
11 ✓
12 ✓
13 ✓
14 ✓
15 ✓
16 ✓
17 ✓
18 ✓
19 ✓
20 ✓
21 ✓

Claim Rejections - 35 U.S.C. § 102

The following is a quotation of the appropriate paragraphs of AIA 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:

A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C.
102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. Claim(s) 1-4, 11-14, 21 is/are rejected under 35 U.S.C. § 102 as being anticipated by European Patent 3544258 to Nimmagadda et al. (hereinafter "Nimmagadda '258"). Nimmagadda '258 is prior art to the claims under 35 U.S.C. § 102(a)(1). Per claim 1 (independent): Nimmagadda '258 discloses a method for responding to a threat with host isolation (isolates/quarantines threat endpoint throughout network via switches [Nimmagadda '258 ¶ 0036, 0078]) Nimmagadda '258 discloses receiving, by one or more processors of a threat management computer system, endpoint health information for a plurality of endpoints of a monitored network system managed by the threat management computer system (identifies threats from threat information concerning endpoints [Nimmagadda '258 ¶ 0013, 0081-0083]) Nimmagadda '258 discloses identifying, by the one or more processors of the threat management computer system, a threat associated with the monitored network system (identifies threats from threat information concerning endpoints [Nimmagadda '258 ¶ 0013, 0081-0083]) Nimmagadda '258 discloses identifying, by the one or more processors of the threat management computer system, a known device identifier or user identification associated with an endpoint of the plurality of endpoints that is responsible for the threat (identifies threat endpoint address [Nimmagadda '258 ¶ 0093, 0081-0083; Fig. 
5 at 520]) Nimmagadda '258 discloses propagating, by the one or more processors of the threat management computer system, a global isolation of the endpoint across network devices of the monitored network system, wherein the global isolation is configured to block the device identifier or user identification associated with the endpoint that is responsible for the threat (identifies network nodes, e.g. switches, firewalls, to enforce remediation of threat host [Nimmagadda '258 ¶ 0092-0093; Fig. 1D; Fig. 5 at 550, 570]; isolates/quarantines threat endpoint throughout network via switches [Nimmagadda '258 ¶ 0036, 0078]) Per claim 2 (dependent on claim 1): Nimmagadda '258 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference Nimmagadda '258 discloses identifying, by the one or more processors of the threat management computer system, the known device identifier associated with the endpoint of the plurality of endpoints that is responsible for the threat (identifies network nodes, e.g. switches, firewalls, to enforce remediation of threat host [Nimmagadda '258 ¶ 0092-0093; Fig. 1D; Fig. 
5 at 550, 570]) Nimmagadda '258 discloses propagating, by the one or more processors of the threat management computer system, the global isolation of the endpoint across network devices of the monitored network management system, wherein the global isolation is configured to block the device identifier associated with the endpoint that is responsible for the threat ( isolates/quarantines threat endpoint throughout network via switches [Nimmagadda '258 ¶ 0036, 0078]) Per claim 3 (dependent on claim 2): Nimmagadda '258 discloses the elements detailed in the rejection of claim 2 above, incorporated herein by reference Nimmagadda '258 discloses the device identifier comprises a media access control (MAC) address; and the propagating the global isolation of the endpoint across network devices of the monitored network system further comprises blocking, by the one or more processors of the threat management computer system, the device identifier by a MAC filter at a VLAN level, a LAN level and/or a port level of one or more switches of the monitored network system (filters MAC address at network nodes, e.g. switches, firewalls, to enforce remediation of threat host [Nimmagadda '258 ¶ 0092-0093; Fig. 2]; isolates/quarantines threat endpoint throughout network via switches [Nimmagadda '258 ¶ 0036, 0078] at LAN or VLAN level [Nimmagadda '258 ¶ 0034]) Per claim 4 (dependent on claim 2): Nimmagadda '258 discloses the elements detailed in the rejection of claim 2 above, incorporated herein by reference Nimmagadda '258 discloses blocking, by the one or more processors of the threat management computer system, the device identifier at a service set identifier (SSID) level of one or more Wi-Fi access points of the monitored network system (isolates / quarantines threat endpoint at WLAN devices [Nimmagadda '258 ¶ 0029, 0036; Fig. 
1F, 1K]) Per claim 11 (independent): Nimmagadda '258 discloses computer system comprising one or more processors; one or more computer readable storage media; computer readable code stored collectively in the one or more computer readable storage media, with the computer readable code including data and instructions to cause the one or more computer processors to perform a method (processor(s), memory, computer readable media, storage, executable instructions [Nimmagadda '258 ¶ 0060-0067]) The remaining limitations of the claim(s) correspond(s) to features of claim(s) 1 and the claim(s) is/are rejected for the reasons detailed with respect to those claims. Per claim 12 (dependent on claim 11): Nimmagadda '258 discloses the elements detailed in the rejection of claim 11 above, incorporated herein by reference The remaining limitations of the claim(s) correspond(s) to features of claim(s) 2 and the claim(s) is/are rejected for the reasons detailed with respect to those claims. Per claim 13 (dependent on claim 12): Nimmagadda '258 discloses the elements detailed in the rejection of claim 12 above, incorporated herein by reference The remaining limitations of the claim(s) correspond(s) to features of claim(s) 3 and the claim(s) is/are rejected for the reasons detailed with respect to those claims. Per claim 14 (dependent on claim 12): Nimmagadda '258 discloses the elements detailed in the rejection of claim 12 above, incorporated herein by reference The remaining limitations of the claim(s) correspond(s) to features of claim(s) 4 and the claim(s) is/are rejected for the reasons detailed with respect to those claims. 
Per claim 21 (independent):

Nimmagadda '258 discloses a computer program product comprising one or more computer readable storage media having computer readable program code collectively stored on the one or more computer readable storage media, the computer readable program code being executed by one or more processors of a threat management computer system to cause the threat management computer system to perform a method (processor(s), memory, computer readable media, storage, executable instructions [Nimmagadda '258 ¶ 0060-0067])

The remaining limitations of the claim(s) correspond(s) to features of claim(s) 1 and the claim(s) is/are rejected for the reasons detailed with respect to those claims.

Claim Rejections - 35 U.S.C. § 103

The following is a quotation of AIA 35 U.S.C. 103 that forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. § 103(a) are summarized as follows:

1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

This application currently names joint inventors.
In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention. Claim(s) 5-7, 15-17 is/are rejected under 35 U.S.C. § 103 as being unpatentable over Nimmagadda '258 in view of U.S. Publication 20020194495 to Gladstone et al. (hereinafter "Gladstone '495"). Gladstone '495 is prior art to the claims under 35 U.S.C. § 102(a)(1) and 35 U.S.C. § 102(a)(2). Per claim 5 (dependent on claim 2): Nimmagadda '258 discloses the elements detailed in the rejection of claim 2 above, incorporated herein by reference Nimmagadda '258 does not disclose sending, by the one or more processors of the threat management computer system, a notification to a software agent of each switch or Wi-Fi access point within the monitored network system, wherein the notification causes the software agents of the switches or Wi-Fi access points to pull a configuration change corresponding to a device identifier filter and apply the configuration change on the switch or Wi-Fi access point Further: Gladstone '495 discloses sending, by the one or more processors of the threat management computer system, a notification to a software agent of each switch or Wi-Fi access point within the monitored network system, wherein the notification causes the software agents of the switches or Wi-Fi access points to pull a configuration change corresponding to a device identifier filter and apply the configuration change on the switch or Wi-Fi access point (security agent 45 sends and receives 
notifications of updates, e.g. notifications to firewall to update rules to quarantine a particular device [Gladstone '495 ¶ 0044, 0047, 0038]) It would have been obvious to a person having ordinary skill in the art (1) before the effective filing date of the claimed invention and (2) before the invention was made to have modified Nimmagadda '258 with the security agents on network nodes of Gladstone '495 to arrive at an apparatus, method, and product including: sending, by the one or more processors of the threat management computer system, a notification to a software agent of each switch or Wi-Fi access point within the monitored network system, wherein the notification causes the software agents of the switches or Wi-Fi access points to pull a configuration change corresponding to a device identifier filter and apply the configuration change on the switch or Wi-Fi access point A person having ordinary skill in the art would have been motivated to combine them at least because security agents on network nodes would have provided a robust and secure means of communicating between network nodes concerning event data and security commands. 
A person having ordinary skill in the art would have been further motivated to combine them at least because Gladstone '495 teaches [Gladstone '495 ¶ 0044, 0047, 0038, 0035 ] modifying a threat mitigation system [Nimmagadda '258 ¶ 0036, 0078] such as that of Nimmagadda '258 to arrive at the claimed invention; because Gladstone '495 and Nimmagadda '258 are in the same field of endeavor; because doing so constitutes use of a known technique (security agents on network nodes [Gladstone '495 ¶ 0044, 0047, 0038, 0035]) to improve similar devices and/or methods (threat mitigation system [Nimmagadda '258 ¶ 0036, 0078]) in the same way; because doing so constitutes applying a known technique (security agents on network nodes [Gladstone '495 ¶ 0044, 0047, 0038, 0035]) to known devices and/or methods (threat mitigation system [Nimmagadda '258 ¶ 0036, 0078]) ready for improvement to yield predictable results; and because the modification amounts to combining prior art elements according to known methods to yield predictable results. Here, (1) the prior art included each element (as detailed above); (2) one of ordinary skill in the art could have combined the elements as claimed by known methods, and in this combination, each element merely performs the same function as it does separately (threat mitigation system [Nimmagadda '258 ¶ 0036, 0078] identifies nodes to isolate and implements commands via security agents on network nodes [Gladstone '495 ¶ 0044, 0047, 0038, 0035]); (3) one of ordinary skill in the art would have recognized that the results of the combination were predictable; and (4) other considerations do not overcome this conclusion. 
Per claim 6 (dependent on claim 5):
Nimmagadda '258 in view of Gladstone '495 discloses the elements detailed in the rejection of claim 5 above, incorporated herein by reference
Nimmagadda '258 does not disclose receiving, by the one or more processors of the threat management computer system, a report of success or failure from one or more of the software agents
Further: Gladstone '495 discloses receiving, by the one or more processors of the threat management computer system, a report of success or failure from one or more of the software agents (security agent 45 sends and receives notifications of status of its device [Gladstone '495 ¶ 0035, 0044, 0047])
For the reasons detailed above with respect to claim 5, it would have been obvious to a person having ordinary skill in the art (1) before the effective filing date of the claimed invention and (2) before the invention was made to have modified Nimmagadda '258 with the security agents on network nodes of Gladstone '495 to arrive at an apparatus, method, and product including: receiving, by the one or more processors of the threat management computer system, a report of success or failure from one or more of the software agents
Per claim 7 (dependent on claim 6):
Nimmagadda '258 in view of Gladstone '495 discloses the elements detailed in the rejection of claim 6 above, incorporated herein by reference
Nimmagadda '258 does not disclose verifying, by the one or more processors of the threat management computer system, the status of whether the software agents of each of the switches or access points within the monitored network system successfully applied the device identifier to block the device identifier
Further: Gladstone '495 discloses verifying, by the one or more processors of the threat management computer system, the status of whether the software agents of each of the switches or access points within the monitored network system successfully applied the device identifier to block the device identifier (security agent 45 sends and receives notifications of updates, e.g. notifications to firewall to update rules to quarantine a particular device [Gladstone '495 ¶ 0044, 0047, 0038]; security agent 45 sends and receives notifications of status of its device [Gladstone '495 ¶ 0035, 0044, 0047])
For the reasons detailed above with respect to claim 5, it would have been obvious to a person having ordinary skill in the art (1) before the effective filing date of the claimed invention and (2) before the invention was made to have modified Nimmagadda '258 with the security agents on network nodes of Gladstone '495 to arrive at an apparatus, method, and product including: verifying, by the one or more processors of the threat management computer system, the status of whether the software agents of each of the switches or access points within the monitored network system successfully applied the device identifier to block the device identifier
Per claim 15 (dependent on claim 12):
Nimmagadda '258 discloses the elements detailed in the rejection of claim 12 above, incorporated herein by reference
The remaining limitations of the claim(s) correspond(s) to features of claim(s) 5 and the claim(s) is/are rejected for the reasons detailed with respect to those claims.
Per claim 16 (dependent on claim 15):
Nimmagadda '258 in view of Gladstone '495 discloses the elements detailed in the rejection of claim 15 above, incorporated herein by reference
The remaining limitations of the claim(s) correspond(s) to features of claim(s) 6 and the claim(s) is/are rejected for the reasons detailed with respect to those claims.
Per claim 17 (dependent on claim 16):
Nimmagadda '258 in view of Gladstone '495 discloses the elements detailed in the rejection of claim 16 above, incorporated herein by reference
The remaining limitations of the claim(s) correspond(s) to features of claim(s) 7 and the claim(s) is/are rejected for the reasons detailed with respect to those claims.
Claim(s) 8, 18 is/are rejected under 35 U.S.C. § 103 as being unpatentable over Nimmagadda '258 in view of U.S. Publication 20200092319 to Spisak et al. (hereinafter "Spisak '319"). Spisak '319 is prior art to the claims under 35 U.S.C. § 102(a)(1) and 35 U.S.C. § 102(a)(2).
Per claim 8 (dependent on claim 1):
Nimmagadda '258 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference
Nimmagadda '258 does not disclose alerting, by the one or more processors of the threat management computer system, a network administrator of the monitored network system of the identified threat and the identified known device identifier or user identification associated with the threat
However, Nimmagadda '258 discloses identifying, by the one or more processors of the threat management computer system, in the monitored network system of the identified threat and the identified known device identifier or user identification associated with the threat (filters MAC address at network nodes, e.g. switches, firewalls, to enforce remediation of threat host [Nimmagadda '258 ¶ 0092-0093; Fig. 2]; isolates/quarantines threat endpoint throughout network via switches [Nimmagadda '258 ¶ 0036, 0078] at LAN or VLAN level [Nimmagadda '258 ¶ 0034])
Nimmagadda '258 does not disclose receiving, by the one or more processors of the threat management computer system, approval from the network administrator to propagate the isolation of the endpoint that is responsible for the threat before the propagating
However, Nimmagadda '258 discloses receiving, by the one or more processors of the threat management computer system, instructions to propagate the isolation of the endpoint that is responsible for the threat before the propagating (filters MAC address at network nodes, e.g. switches, firewalls, to enforce remediation of threat host [Nimmagadda '258 ¶ 0092-0093; Fig. 2]; isolates/quarantines threat endpoint throughout network via switches [Nimmagadda '258 ¶ 0036, 0078] at LAN or VLAN level [Nimmagadda '258 ¶ 0034])
Further: Spisak '319 discloses alerting, by the one or more processors of the threat management computer system, a network administrator of the monitored network system of a proposed configuration change associated with the threat (alerts admin of needed configuration change and gets approval before implementing change [Spisak '319 ¶ 0028, 0099, 0046])
Spisak '319 discloses receiving, by the one or more processors of the threat management computer system, approval from the network administrator to propagate the configuration change before the propagating (alerts admin of needed configuration change and gets approval before implementing change [Spisak '319 ¶ 0028, 0099, 0046])
It would have been obvious to a person having ordinary skill in the art (1) before the effective filing date of the claimed invention and (2) before the invention was made to have modified Nimmagadda '258 with the administrator approval of Spisak '319 to arrive at an apparatus, method, and product including:
alerting, by the one or more processors of the threat management computer system, a network administrator of the monitored network system of the identified threat and the identified known device identifier or user identification associated with the threat
receiving, by the one or more processors of the threat management computer system, approval from the network administrator to propagate the isolation of the endpoint that is responsible for the threat before the propagating
A person having ordinary skill in the art would have been motivated to combine them at least because waiting for administrator approval before automatically implementing certain kinds of changes would allow the administrator to evaluate them in the larger context of the system and prevent the changes from accidentally breaking something else unintentionally.
A person having ordinary skill in the art would have been further motivated to combine them at least because Spisak '319 teaches [Spisak '319 ¶ 0028, 0099, 0046] modifying a threat mitigation system [Nimmagadda '258 ¶ 0036, 0078] such as that of Nimmagadda '258 to arrive at the claimed invention; because Spisak '319 and Nimmagadda '258 are in the same field of endeavor; because doing so constitutes use of a known technique (administrator approval [Spisak '319 ¶ 0028, 0099, 0046]) to improve similar devices and/or methods (threat mitigation system [Nimmagadda '258 ¶ 0036, 0078]) in the same way; because doing so constitutes applying a known technique (administrator approval [Spisak '319 ¶ 0028, 0099, 0046]) to known devices and/or methods (threat mitigation system [Nimmagadda '258 ¶ 0036, 0078]) ready for improvement to yield predictable results; and because the modification amounts to combining prior art elements according to known methods to yield predictable results. Here, (1) the prior art included each element (as detailed above); (2) one of ordinary skill in the art could have combined the elements as claimed by known methods, and in this combination, each element merely performs the same function as it does separately (threat mitigation system [Nimmagadda '258 ¶ 0036, 0078] identifies nodes to isolate and implements the change based on administrator approval [Spisak '319 ¶ 0028, 0099, 0046]); (3) one of ordinary skill in the art would have recognized that the results of the combination were predictable; and (4) other considerations do not overcome this conclusion.
Per claim 18 (dependent on claim 11):
Nimmagadda '258 discloses the elements detailed in the rejection of claim 11 above, incorporated herein by reference
The remaining limitations of the claim(s) correspond(s) to features of claim(s) 8 and the claim(s) is/are rejected for the reasons detailed with respect to those claims.
Claim(s) 9, 19 is/are rejected under 35 U.S.C. § 103 as being unpatentable over Nimmagadda '258 in view of U.S. Publication 20230114719 to Thomas et al. (hereinafter "Thomas '719"). Thomas '719 is prior art to the claims under 35 U.S.C. § 102(a)(1).
Per claim 9 (dependent on claim 1):
Nimmagadda '258 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference
Nimmagadda '258 does not disclose the one or more processors of the threat management computer system is a cloud-based system includes a managed detection and response (MDR) service in communication with a data lake, the data lake is configured to receive and store activity information associated with the plurality of endpoints of the monitored network system, and the MDR service is configured to facilitate the identifying the threat associated with the monitored network system based on the activity information received and stored in the data lake
Further: Thomas '719 discloses the one or more processors of the threat management computer system is a cloud-based system includes a managed detection and response (MDR) service in communication with a data lake, the data lake is configured to receive and store activity information associated with the plurality of endpoints of the monitored network system, and the MDR service is configured to facilitate the identifying the threat associated with the monitored network system based on the activity information received and stored in the data lake (analyzes data lake of network data to identify security events [Thomas '719 ¶ 0209, 0211, 0249, 0282, Fig. 21])
It would have been obvious to a person having ordinary skill in the art (1) before the effective filing date of the claimed invention and (2) before the invention was made to have modified Nimmagadda '258 with the network event data lake analysis of Thomas '719 to arrive at an apparatus, method, and product including: the one or more processors of the threat management computer system is a cloud-based system includes a managed detection and response (MDR) service in communication with a data lake, the data lake is configured to receive and store activity information associated with the plurality of endpoints of the monitored network system, and the MDR service is configured to facilitate the identifying the threat associated with the monitored network system based on the activity information received and stored in the data lake
A person having ordinary skill in the art would have been motivated to combine them at least because storing network events in a data lake for analysis permits the system to look for threat indicators in vast amounts of unprocessed data from network nodes.
A person having ordinary skill in the art would have been further motivated to combine them at least because Thomas '719 teaches [Thomas '719 ¶ 0209, 0211, 0249, 0282, Fig. 21] modifying a threat mitigation system [Nimmagadda '258 ¶ 0036, 0078] such as that of Nimmagadda '258 to arrive at the claimed invention; because Thomas '719 and Nimmagadda '258 are in the same field of endeavor; because doing so constitutes use of a known technique (network event data lake analysis [Thomas '719 ¶ 0209, 0211, 0249, 0282, Fig. 21]) to improve similar devices and/or methods (threat mitigation system [Nimmagadda '258 ¶ 0036, 0078]) in the same way; because doing so constitutes applying a known technique (network event data lake analysis [Thomas '719 ¶ 0209, 0211, 0249, 0282, Fig. 21]) to known devices and/or methods (threat mitigation system [Nimmagadda '258 ¶ 0036, 0078]) ready for improvement to yield predictable results; and because the modification amounts to combining prior art elements according to known methods to yield predictable results. Here, (1) the prior art included each element (as detailed above); (2) one of ordinary skill in the art could have combined the elements as claimed by known methods, and in this combination, each element merely performs the same function as it does separately (threat mitigation system [Nimmagadda '258 ¶ 0036, 0078] identifies nodes to isolate using network event data lake analysis [Thomas '719 ¶ 0209, 0211, 0249, 0282, Fig. 21]); (3) one of ordinary skill in the art would have recognized that the results of the combination were predictable; and (4) other considerations do not overcome this conclusion.
Per claim 19 (dependent on claim 11):
Nimmagadda '258 discloses the elements detailed in the rejection of claim 11 above, incorporated herein by reference
The remaining limitations of the claim(s) correspond(s) to features of claim(s) 9 and the claim(s) is/are rejected for the reasons detailed with respect to those claims.
Claim(s) 10, 20 is/are rejected under 35 U.S.C. § 103 as being unpatentable over Nimmagadda '258 in view of the knowledge of a person having ordinary skill in the art.
Per claim 10 (dependent on claim 1):
Nimmagadda '258 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference
Nimmagadda '258 discloses initiating, by the one or more processors of the threat management computer system, a request to the network devices of the monitored network system to block the device identifier or user identification associated with the endpoint that is responsible for the threat (filters MAC address at network nodes, e.g. switches, firewalls, to enforce remediation of threat host [Nimmagadda '258 ¶ 0092-0093; Fig. 2]; isolates/quarantines threat endpoint throughout network via switches [Nimmagadda '258 ¶ 0036, 0078] at LAN or VLAN level [Nimmagadda '258 ¶ 0034])
Nimmagadda '258 does not disclose verifying, by a gateway in communication with the threat management computer system, authenticity of the request before forwarding the request to network devices of the monitored network system
Further: The Examiner takes Official Notice that it was well known and conventional in the art at the time to cryptographically verify received security commands before forwarding them and/or carrying them out. For example, U.S. Publication 20150326589 to Smith (hereinafter "Smith '589") teaches cryptographically authenticating communications with security agents on network nodes [Smith '589 ¶ 0078].
It would have been obvious to a person having ordinary skill in the art (1) before the effective filing date of the claimed invention and (2) before the invention was made to have modified Nimmagadda '258 with the cryptographic verification within the knowledge of a person having ordinary skill in the art to arrive at an apparatus, method, and product including: verifying, by a gateway in communication with the threat management computer system, authenticity of the request before forwarding the request to network devices of the monitored network system
A person having ordinary skill in the art would have been motivated to combine them at least because security agents on network nodes would have provided a robust and secure means of communicating between network nodes concerning event data and security commands.
A person having ordinary skill in the art would have been further motivated to combine them at least because Gladstone '495 teaches [Gladstone '495 ¶ 0044, 0047, 0038, 0035] modifying a threat mitigation system [Nimmagadda '258 ¶ 0036, 0078] such as that of Nimmagadda '258 to arrive at the claimed invention; because Gladstone '495 and Nimmagadda '258 are in the same field of endeavor; because doing so constitutes use of a known technique (security agents on network nodes [Gladstone '495 ¶ 0044, 0047, 0038, 0035]) to improve similar devices and/or methods (threat mitigation system [Nimmagadda '258 ¶ 0036, 0078]) in the same way; because doing so constitutes applying a known technique (security agents on network nodes [Gladstone '495 ¶ 0044, 0047, 0038, 0035]) to known devices and/or methods (threat mitigation system [Nimmagadda '258 ¶ 0036, 0078]) ready for improvement to yield predictable results; and because the modification amounts to combining prior art elements according to known methods to yield predictable results. Here, (1) the prior art included each element (as detailed above); (2) one of ordinary skill in the art could have combined the elements as claimed by known methods, and in this combination, each element merely performs the same function as it does separately (threat mitigation system [Nimmagadda '258 ¶ 0036, 0078] identifies nodes to isolate and implements commands via security agents on network nodes [Gladstone '495 ¶ 0044, 0047, 0038, 0035]); (3) one of ordinary skill in the art would have recognized that the results of the combination were predictable; and (4) other considerations do not overcome this conclusion.
Per claim 20 (dependent on claim 11):
Nimmagadda '258 discloses the elements detailed in the rejection of claim 11 above, incorporated herein by reference
The remaining limitations of the claim(s) correspond(s) to features of claim(s) 10 and the claim(s) is/are rejected for the reasons detailed with respect to those claims.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to THEODORE C PARSONS whose telephone number is (571)270-1475. The examiner can normally be reached on MTWRF 7:30-4:30.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jung Kim can be reached on (571) 272-3804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from Patent Center. Status information for published applications may be obtained from Patent Center. Status information for unpublished applications is available through Patent Center for authorized users only. Should you have questions about access to Patent Center, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) Form at https://www.uspto.gov/patents/uspto-automated-interview-request-air-form.
/THEODORE C PARSONS/
Primary Examiner, Art Unit 2494

Prosecution Timeline

Jun 28, 2024
Application Filed
Jan 01, 2026
Non-Final Rejection — §101, §102, §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12603891
METHOD, PRODUCT, AND SYSTEM FOR GENERATING A SOFTWARE REPRESENTATION THAT EMBODIES NETWORK CONFIGURATION AND POLICY DATA OF A COMPUTER NETWORK FOR USE IN SECURITY MANAGEMENT
2y 5m to grant Granted Apr 14, 2026
Patent 12556545
FINE GRANULARITY CONTROL OF DATA ACCESS AND USAGE ACROSS MULTI-TENANT SYSTEMS
2y 5m to grant Granted Feb 17, 2026
Patent 12549554
DATA COLLECTION COORDINATION AND PERSISTENT STORAGE CONTROL FOR ANALYTICS
2y 5m to grant Granted Feb 10, 2026
Patent 12542667
SYSTEMS AND METHODS FOR MODIFYING CRYPTOGRAPHIC TOKEN RELATED DATA
2y 5m to grant Granted Feb 03, 2026
Patent 12542677
METHOD TO SECURE IN-VEHICLE SERVICE ORIENTED ARCHITECTURE WITH MESSAGE AUTHENTICATION CODE (MAC) GENERATE ALLOW LIST (MGAL)
2y 5m to grant Granted Feb 03, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.


Prosecution Projections

1-2
Expected OA Rounds
78%
Grant Probability
99%
With Interview (+22.6%)
3y 1m
Median Time to Grant
Low
PTA Risk
Based on 457 resolved cases by this examiner. Grant probability derived from career allow rate.
