DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
1. This action is in response to the communication filed on August 8, 2024. Claims 1-25 were originally received for consideration. No preliminary amendments for the claims have been received.
Information Disclosure Statement
2. Initialed and dated copies of Applicant’s IDS (form 1449), received on August 8, 2024 and January 14, 2025, are attached to this Office Action.
Allowable Subject Matter
3. Claims 6, 11, 19, and 24 are not rejected under section 103, but are still subject to the double patenting and 112 rejections provided below.
Double Patenting
4. The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The filing of a terminal disclaimer by itself is not a complete reply to a nonstatutory double patenting (NSDP) rejection. A complete reply requires that the terminal disclaimer be accompanied by a reply requesting reconsideration of the prior Office action. Even where the NSDP rejection is provisional the reply must be complete. See MPEP § 804, subsection I.B.1. For a reply to a non-final Office action, see 37 CFR 1.111(a). For a reply to final Office action, see 37 CFR 1.113(c). A request for reconsideration while not provided for in 37 CFR 1.113(c) may be filed after final for consideration. See MPEP §§ 706.07(e) and 714.13.
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The actual filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/apply/applying-online/eterminal-disclaimer.
Claims 1-25 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-23 of U.S. Patent No. 11,916,926. Although the claims at issue are not identical, they are not patentably distinct from each other because the claims of the ‘926 Patent anticipate the claims of the present application. Claim 1 is mapped below as a representative claim and the ‘926 Patent is mapped to disclose that all the limitations are anticipated by the ‘926 patent. Independent claims 13 and 14 disclose analogous limitations to claim 1 and therefore are also anticipated by the claims of the ‘926 Patent.
Present Application
U.S. Patent No. 11,916,926
1. A method for detecting potential lateral movement in a cloud computing environment, comprising:
detecting a private encryption key including a first hash value of a public key;
detecting a certificate including a second hash value of a public key, the detected certificate associated with a workload in the cloud computing environment;
generating in a security database:
a representation of the private encryption key, a representation of the certificate, and a representation of the workload, wherein the representation of the workload is associated to the representation of the certificate;
associating the representation of the private key and the representation of the certificate, in response to determining a match between the first hash value and the second hash value; and
determining that the workload is potentially compromised, in response to receiving an indication that an element of the public key is compromised.
1. A method for detecting potential lateral movement in a cloud computing environment, comprising:
detecting a private encryption key including a first hash value of a public key;
detecting a certificate including a second hash value of another public key, the detected certificate associated with a workload in the cloud computing environment;
generating in a security database:
a representation of the private encryption key, a representation of the certificate, and a representation of the workload, wherein the representation of the workload is associated to the representation of the certificate;
associating the representation of the private key and the representation of the certificate, in response to determining a match between the first hash value and the second hash value;
determining that the workload is potentially compromised, in response to receiving an indication that an element of the public key is compromised;
generating a lateral movement simulation in response to indicating that the workload is simulated as compromised; and
tagging the workload with a compromised simulation indicator.
The claims of the present application are all anticipated by the claims of the ‘926 Patent. Claim 2 of the present application is analogous to claim 2 of ‘926, claim 3 is analogous to claim 3 of ‘926, claim 4 is analogous to claim 4 of ‘926, claim 5 is analogous to claim 5 of ‘926, claim 6 is analogous to claim 6 of ‘926, claim 7 is analogous to claim 7 of ‘926, claim 8 is analogous to claim 8 of ‘926, claim 9 is analogous to claim 9 of ‘926, claim 10 is anticipated by claim 1 of ’926 (generating a lateral movement simulation in response to indicating that the workload is simulated as compromised), claim 12 is anticipated by claim 11 of ‘926, claim 13 is anticipated by claim 12 of ‘926, claim 14 is anticipated by claim 14 of ‘926, claim 15 is anticipated by claim 14 of ‘926, claim 16 is anticipated by claim 15 of ‘926, claim 17 is anticipated by claim 16 of ‘926, claim 18 is anticipated by claim 17 of ‘926, claim 19 is anticipated by claim 18 of ‘926, claim 20 is anticipated by claim 19 of ‘926, claim 21 is anticipated by claim 20 of ‘926, claim 22 is anticipated by claim 21 of ‘926, claim 23 is anticipated by claim 13 of ‘926, claim 24 is anticipated by claim 22 of ‘926 and claim 25 is anticipated by claim 23 of ‘926. Therefore, a Terminal Disclaimer is required.
Claim Rejections - 35 USC § 112
5. Claims 1-25 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claims 1, 13 and 14 all disclose detecting a private encryption key including a first hash value of a public key and a second hash value of a public key. It is unclear whether this “public key” is the same or a different public key. If it is the same public key, the second instance should be preceded by “the” and if it is a different public key, it should be differentiated from the first public key by using words such as “another”, “second”, “different”, etc.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
6. Claim(s) 1-5, 7-9, 12-18, 20-22, and 25 is/are rejected under 35 U.S.C. 103 as being unpatentable over Ruiz (U.S. Patent Pub. No. US 2021/0051137) in view of Delpont et al. (U.S. Patent 11,606,378) further in view of Thomas et al. (U.S. Patent 11,184,392).
Regarding claim 1, Ruiz discloses:
A method for detecting potential lateral movement in a cloud computing environment, comprising:
detecting a private encryption key including a first hash value of a public key (paragraph 0022-0023: the cloud service provider system may receive the public key with the selected cloud service components including identifying the VM);
generating in a security database: a representation of the private encryption key, a representation of the certificate, and a representation of the workload, wherein the representation of the workload is associated to the representation of the certificate (paragraph 0039-0041: mapping table maps the IP address of a VM provisioned with a public key of the corresponding private key);
associating the representation of the private key and the representation of the certificate, in response to determining a match between the first hash value and the second hash value (paragraph 0039-0041: mapping table maps the IP address of a VM provisioned with a public key of the corresponding private key).
Ruiz does not explicitly disclose determining that workload is potentially compromised, in response to receiving an indication that an element of the public key is compromised. In an analogous art, Delpont discloses lateral movement detection for SSH connections (column 6, lines 30-37) and generating paths to evaluate possible lateral movement paths of a possible attack once in a network (column 7, lines 24-31). It would have been obvious to use the information of the mapping entry table of Ruiz to populate the connection graphs of Delpont to provide lateral movement detection and compromise detection to provide valuable information that can be used to limit the damage caused by the attack and/or prevent future attacks (Delpont: column 2, lines 60-64).
The combination of Ruiz and Delpont does not explicitly disclose the use of certificates for included the hashes of the public key. In an analogous art, Thomas discloses that the key vault is provisioned so that a public key stored in the key vault is signed by a certificate or into a certificate chain (column 35, lines 20-33). It would have been obvious to one of ordinary skill in the art to use a certificate in the system of Ruiz-Delpont so that the keys can be externally validated by a trusted third party (column 35, lines 30-33).
Claim 2 is rejected as applied above in rejecting claim 1. Furthermore, Ruiz discloses:
The method of claim 1, further comprising: inspecting the workload to detect the certificate (paragraph 0022-0023: the cloud service provider system may receive the public key with the selected cloud service components including identifying the VM).
Claim 3 is rejected as applied above in rejecting claim 1. Furthermore, Ruiz discloses:
The method of claim 1, wherein the element of the public key is the private key (paragraphs 0039-0040: private key is mapped to a VM in a mapping table).
Claim 4 is rejected as applied above in rejecting claim 1. Furthermore, Ruiz discloses:
The method of claim 1, wherein the element of the public key is the certificate (paragraphs 0039-0040: private key is mapped to a VM in a mapping table).
Claim 5 is rejected as applied above in rejecting claim 1. Furthermore, Ruiz discloses:
The method of claim 1, further comprising:
detecting a representation of a second workload in the security database which is connected to the representation of the certificate (paragraphs 0039-0040: private key is mapped to a VM in a mapping table); and
determining that the second workload is a potentially compromised workload in response to detecting the connection between the representation of the certificate and the representation of the second workload (paragraphs 0039-0040: private key is mapped to a VM in a mapping table).
Claim 7 is rejected as applied above in rejecting claim 1. Furthermore, Thomas discloses:
The method of claim 1, further comprising:
determining that a certificate expiration date of the certificate has lapsed (column 35, lines 20-33: certificate).
Claim 8 is rejected as applied above in rejecting claim 1. Furthermore, Thomas discloses:
The method of claim 1, further comprising: determining that a certificate expiration date will lapse within a predefined time (column 35, lines 20-33: certificate).
Claim 9 is rejected as applied above in rejecting claim 1. Furthermore, Ruiz discloses:
The method of claim 1, further comprising:
inspecting the workload for a cybersecurity risk (paragraph 0022-0023: the cloud service provider system may receive the public key with the selected cloud service components including identifying the VM).
Claim 12 is rejected as applied above in rejecting claim 1. Furthermore, Ruiz discloses:
The method of claim 1, further comprising: querying the security database to detect a representation of a second resource in the cloud computing environment, wherein the representation of the second resource is associated with a representation of a second private key, and further associated with a representation of a certificate having a wildcard (paragraph 0039-0041: mapping table maps the IP address of a VM provisioned with a public key of the corresponding private key).
Regarding claim 13, Ruiz discloses:
A non-transitory computer-readable medium storing a set of instructions for detecting potential lateral movement in a cloud computing environment, the set of instructions comprising:
one or more instructions that, when executed by one or more processors of a device, cause the device to:
detect a private encryption key including a first hash value of a public key (paragraph 0022-0023: the cloud service provider system may receive the public key with the selected cloud service components including identifying the VM);
generate in a security database: a representation of the private encryption key, a representation of the certificate, and a representation of the workload, wherein the representation of the workload is associated to the representation of the certificate (paragraph 0039-0041: mapping table maps the IP address of a VM provisioned with a public key of the corresponding private key);
associate the representation of the private key and the representation of the certificate, in response to determining a match between the first hash value and the second hash value (paragraph 0039-0041: mapping table maps the IP address of a VM provisioned with a public key of the corresponding private key).
Ruiz does not explicitly disclose determining that workload is potentially compromised, in response to receiving an indication that an element of the public key is compromised. In an analogous art, Delpont discloses lateral movement detection for SSH connections (column 6, lines 30-37) and generating paths to evaluate possible lateral movement paths of a possible attack once in a network (column 7, lines 24-31). It would have been obvious to use the information of the mapping entry table of Ruiz to populate the connection graphs of Delpont to provide lateral movement detection and compromise detection to provide valuable information that can be used to limit the damage caused by the attack and/or prevent future attacks (Delpont: column 2, lines 60-64).
The combination of Ruiz and Delpont does not explicitly disclose the use of certificates for included the hashes of the public key. In an analogous art, Thomas discloses that the key vault is provisioned so that a public key stored in the key vault is signed by a certificate or into a certificate chain (column 35, lines 20-33). It would have been obvious to one of ordinary skill in the art to use a certificate in the system of Ruiz-Delpont so that the keys can be externally validated by a trusted third party (column 35, lines 30-33).
Regarding claim 14, Ruiz discloses:
A system for detecting potential lateral movement in a cloud computing environment comprising:
a processing circuitry (paragraph 0054: processor);
a memory, the memory containing instructions that, when executed by the processing circuitry, configure the system to:
detect a private encryption key including a first hash value of a public key (paragraph 0022-0023: the cloud service provider system may receive the public key with the selected cloud service components including identifying the VM);
generate in a security database: a representation of the private encryption key, a representation of the certificate, and a representation of the workload, wherein the representation of the workload is associated to the representation of the certificate (paragraph 0039-0041: mapping table maps the IP address of a VM provisioned with a public key of the corresponding private key);
associate the representation of the private key and the representation of the certificate, in response to determining a match between the first hash value and the second hash value (paragraph 0039-0041: mapping table maps the IP address of a VM provisioned with a public key of the corresponding private key).
Ruiz does not explicitly disclose determining that workload is potentially compromised, in response to receiving an indication that an element of the public key is compromised. In an analogous art, Delpont discloses lateral movement detection for SSH connections (column 6, lines 30-37) and generating paths to evaluate possible lateral movement paths of a possible attack once in a network (column 7, lines 24-31). It would have been obvious to use the information of the mapping entry table of Ruiz to populate the connection graphs of Delpont to provide lateral movement detection and compromise detection to provide valuable information that can be used to limit the damage caused by the attack and/or prevent future attacks (Delpont: column 2, lines 60-64).
The combination of Ruiz and Delpont does not explicitly disclose the use of certificates for included the hashes of the public key. In an analogous art, Thomas discloses that the key vault is provisioned so that a public key stored in the key vault is signed by a certificate or into a certificate chain (column 35, lines 20-33). It would have been obvious to one of ordinary skill in the art to use a certificate in the system of Ruiz-Delpont so that the keys can be externally validated by a trusted third party (column 35, lines 30-33).
Claim 15 is rejected as applied above in rejecting claim 14. Furthermore, Ruiz discloses:
The system of claim 14, wherein the memory contains further instructions which when executed by the processing circuitry further configure the system to:
inspect the workload to detect the certificate (paragraph 0022-0023: the cloud service provider system may receive the public key with the selected cloud service components including identifying the VM).
Claim 16 is rejected as applied above in rejecting claim 14. Furthermore, Ruiz discloses:
The system of claim 14, wherein the element of the public key is the private key (paragraphs 0039-0040: private key is mapped to a VM in a mapping table).
Claim 17 is rejected as applied above in rejecting claim 14. Furthermore, Ruiz discloses:
The system of claim 15, wherein the element of the public key is the certificate (paragraphs 0039-0040: private key is mapped to a VM in a mapping table).
Claim 18 is rejected as applied above in rejecting claim 14. Furthermore, Ruiz discloses:
The system of claim 14, wherein the memory contains further instructions which when executed by the processing circuitry further configure the system to:
detect a representation of a second workload in the security database which is connected to the representation of the certificate (paragraphs 0039-0040: private key is mapped to a VM in a mapping table); and
determine that the second workload is a potentially compromised workload in response to detecting the connection between the representation of the certificate and the representation of the second workload (paragraphs 0039-0040: private key is mapped to a VM in a mapping table).
Claim 20 is rejected as applied above in rejecting claim 14. Furthermore, Thomas discloses:
The system of claim 15, wherein the memory contains further instructions which when executed by the processing circuitry further configure the system to:
determine that a certificate expiration date of the certificate has lapsed (column 35, lines 20-33: certificate).
Claim 21 is rejected as applied above in rejecting claim 14. Furthermore, Thomas discloses:
The system of claim 15, wherein the memory contains further instructions which when executed by the processing circuitry further configure the system to:
determine that a certificate expiration date will lapse within a predefined time (column 35, lines 20-33: certificate).
Claim 22 is rejected as applied above in rejecting claim 14. Furthermore, Ruiz discloses:
The system of claim 15, wherein the memory contains further instructions which when executed by the processing circuitry further configure the system to:
inspect the workload for a cybersecurity risk (paragraph 0022-0023: the cloud service provider system may receive the public key with the selected cloud service components including identifying the VM).
Claim 25 is rejected as applied above in rejecting claim 14. Furthermore, Ruiz discloses:
The system of claim 15, wherein the memory contains further instructions which when executed by the processing circuitry further configure the system to:
query the security database to detect a representation of a second resource in the cloud computing environment, wherein the representation of the second resource is associated with a representation of a second private key, and further associated with a representation of a certificate having a wildcard (paragraph 0039-0041: mapping table maps the IP address of a VM provisioned with a public key of the corresponding private key).
Claim(s) 10 and 23 is/are rejected under 35 U.S.C. 103 as being unpatentable over Ruiz (U.S. Patent Pub. No. US 2021/0051137) in view of Delpont et al. (U.S. Patent 11,606,378) further in view of Thomas et al. (U.S. Patent 11,184,392) in further in view of Schrecker et al. (U.S. Patent 8,595,822).
Claim 10 is rejected as applied above in rejecting claim 1. Furthermore, the combination of Ruiz, Delpont and Thomas do not explicitly disclose generating a lateral movement simulation in response to indicating that the workload is simulated as compromised. In ana analogous art, Schrecker discloses simulating attacks and recording the results of the attack (column 3, lines 51 – column 4, line 4). It would have been obvious to perform the simulation of Schrecker to improve the scan controller operation (Schrecker: column 3, lines 51-62).
Claim 23 is rejected as applied above in rejecting claim 14. Furthermore, the combination of Ruiz, Delpont and Thomas do not explicitly disclose generating a lateral movement simulation in response to indicating that the workload is simulated as compromised. In ana analogous art, Schrecker discloses simulating attacks and recording the results of the attack (column 3, lines 51 – column 4, line 4). It would have been obvious to perform the simulation of Schrecker to improve the scan controller operation (Schrecker: column 3, lines 51-62).
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KAVEH ABRISHAMKAR whose telephone number is (571)272-3786. The examiner can normally be reached M-F 9-5:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jung Kim can be reached at 571-272-3804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/KAVEH ABRISHAMKAR/
02/04/2026Primary Examiner, Art Unit 2494