DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
1. This action is in response to the communication filed on August 8, 2024. Claims 1-21 were originally received for consideration. No preliminary amendments for the claims have been received.
2. Claims 1-21 are currently pending consideration.
Information Disclosure Statement
2. Initialed and dated copies of Applicant’s IDS (form 1449), received on August 8, 2024 and January 14, 2025, are attached to this Office Action.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The filing of a terminal disclaimer by itself is not a complete reply to a nonstatutory double patenting (NSDP) rejection. A complete reply requires that the terminal disclaimer be accompanied by a reply requesting reconsideration of the prior Office action. Even where the NSDP rejection is provisional the reply must be complete. See MPEP § 804, subsection I.B.1. For a reply to a non-final Office action, see 37 CFR 1.111(a). For a reply to final Office action, see 37 CFR 1.113(c). A request for reconsideration while not provided for in 37 CFR 1.113(c) may be filed after final for consideration. See MPEP §§ 706.07(e) and 714.13.
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The actual filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/apply/applying-online/eterminal-disclaimer.
3. Claims 1-21 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-23 of U.S. Patent No. 12,095,777. Although the claims at issue are not identical, they are not patentably distinct from each other because the claims of the ‘777 Patent anticipate or render obvious the claims of the present application.
Present Application
U.S. Patent 12,095,777
1. A method for detecting lateral movement based on an exposed cryptographic network protocol (CNP) key in a cloud computing environment, comprising:
inspecting a first workload for a first CNP key, the first CNP key associated with a value of a second CNP key;
detecting in a security database a representation of the second CNP key;
detecting in the security database a representation of a second workload connected to the representation of a third CNP key; and
generating a lateral movement path, the lateral movement path including an identifier of the second workload, in response to detecting that the representation of the third CNP key is connected to the representation of the second CNP key.
2. The method of claim 1, further comprising: determining that the value of the second CNP key associated with the first CNP key matches a hash value represented in the security database by a second CNP key node.
3. The method of claim 2, further comprising: determining that the hash value of the second CNP key associated with the first CNP key matches the value of the second CNP key.
4. The method of claim 3, further comprising: connecting in the security database the representation of the first CNP key to the representation of the second CNP key in response to determining that value of the second CNP key associated with the first CNP key matches the hash value.
5. The method of claim 1, further comprising: detecting that the first CNP key is stored as any one of: cleartext, and plaintext.
6. The method of claim 1, wherein the first CNP key is stored in any one of: a PKCS format, and an OpenSSH format.
7. The method of claim 1, further comprising: detecting a user account identifier in the first CNP key; generating a user representation representing the user account in the security database; and connecting the user representation to the representation of the first CNP key.
8. The method of claim 1, wherein the second workload is exposed to a network external to the cloud computing environment.
9. The method of claim 1, further comprising: determining that the first CNP key is exposed.
10. The method of claim 1, further comprising: determining that the lateral movement path is a confirmed lateral movement path in response to detecting a vulnerability on any one of: the first workload, the second workload, and any combination thereof.
11. A non-transitory computer-readable medium storing a set of instructions for detecting lateral movement based on an exposed cryptographic network protocol (CNP) key in a cloud computing environment, the set of instructions comprising: one or more instructions that, when executed by one or more processors of a device, cause the device to: inspect a first workload for a first CNP key, the first CNP key associated with a value of a second CNP key; detect in a security database a representation of the second CNP key; detect in the security database a representation of a second workload connected to the representation of a third CNP key; and generate a lateral movement path, the lateral movement path including an identifier of the second workload, in response to detecting that the representation of the third CNP key is connected to the representation of the second CNP key.
12. A system for detecting lateral movement based on an exposed cryptographic network protocol (CNP) key in a cloud computing environment comprising: a processing circuitry; a memory, the memory containing instructions that, when executed by the processing circuitry, configure the system to: inspect a first workload for a first CNP key, the first CNP key associated with a value of a second CNP key; detect in a security database a representation of the second CNP key; detect in the security database a representation of a second workload connected to the representation of a third CNP key; and generate a lateral movement path, the lateral movement path including an identifier of the second workload, in response to detecting that the representation of the third CNP key is connected to the representation of the second CNP key.
13. The system of claim 12, wherein the memory contains further instructions which when executed by the processing circuitry further configure the system to: determine that the value of the second CNP key associated with the first CNP key matches a hash value represented in the security database by a second CNP key node.
14. The system of claim 13, wherein the memory contains further instructions which when executed by the processing circuitry further configure the system to: determine that the hash value of the second CNP key associated with the first CNP key matches the value of the second CNP key.
15. The system of claim 14, wherein the memory contains further instructions which when executed by the processing circuitry further configure the system to: connect in the security database the representation of the first CNP key to the representation of the second CNP key in response to determining that value of the second CNP key associated with the first CNP key matches the hash value.
16. The system of claim 12, wherein the memory contains further instructions which when executed by the processing circuitry further configure the system to: detect that the first CNP key is stored as any one of: cleartext, and plaintext.
17. The system of claim 12, wherein the first CNP key is stored in any one of: a PKCS format, and an OpenSSH format.
18. The system of claim 12, wherein the memory contains further instructions which when executed by the processing circuitry further configure the system to: detect a user account identifier in the first CNP key; generate a user representation representing the user account in the security database; and connect the user representation to the representation of the first CNP key.
19. The system of claim 12, wherein the second workload is exposed to a network external to the cloud computing environment.
20. The system of claim 12, wherein the memory contains further instructions which when executed by the processing circuitry further configure the system to: determine that the first CNP key is exposed.
21. The system of claim 12, wherein the memory contains further instructions which when executed by the processing circuitry further configure the system to: determine that the lateral movement path is a confirmed lateral movement path in response to detecting a vulnerability on any one of: the first workload, the second workload, and any combination thereof.
1. A method for detecting lateral movement based on an exposed cryptographic network protocol (CNP) key in a cloud computing environment, comprising:
inspecting a first workload for a private CNP key, the private CNP key associated with a hash of a public CNP key;
detecting in a security database a representation of the public CNP key;
detecting in the security database a representation of a second workload connected to the representation of a second private CNP key; and
generating a lateral movement path, the lateral movement path including an identifier of the second workload, in response to detecting that the representation of the second private CNP key is connected to the representation of the public CNP key.
2. The method of claim 1, further comprising: determining that the hash of the public CNP key associated with the private CNP key matches a public key hash represented in the security database by a public CNP key node.
3. The method of claim 2, further comprising: determining that the hash of the public CNP key associated with the private CNP key matches the public CNP key hash.
4. The method of claim 3, further comprising: connecting in the security database the representation of the private CNP key to the representation of the public CNP key in response to determining that hash of the public CNP key associated with the private CNP key matches the public CNP key hash.
5. The method of claim 1, further comprising: detecting that the private CNP key is stored as any one of: cleartext, and plaintext.
6. The method of claim 1, wherein the workload is any one of: a virtual machine, a software container, a serverless function, and any combination thereof.
7. The method of claim 1, wherein the workload is a secure shell (SSH) server deployed in a cloud computing environment.
8. The method of claim 1, wherein the private CNP key is stored in any one of: a PKCS format, and an OpenSSH format.
9. The method of claim 1, further comprising: detecting a user account identifier in the private CNP key; generating a user representation representing the user account in the security database; and connecting the user representation to the representation of the private CNP key.
10. The method of claim 1, wherein the second workload is exposed to a network external to the cloud computing environment.
11. The method of claim 1, further comprising: determining that the private CNP key is exposed.
12. A non-transitory computer-readable medium storing a set of instructions for detecting lateral movement based on an exposed cryptographic network protocol (CNP) key in a cloud computing environment, the set of instructions comprising: one or more instructions that, when executed by one or more processors of a device, cause the device to: inspect a first workload for a private CNP key, the private CNP key associated with a hash of a public CNP key; detect in a security database a representation of the public CNP key; detect in the security database a representation of a second workload connected to the representation of a second private CNP key; and generate a lateral movement path, the lateral movement path including an identifier of the second workload, in response to detecting that the representation of the second private CNP key is connected to the representation of the public CNP key.
13. A system for detecting lateral movement based on an exposed cryptographic network protocol (CNP) key in a cloud computing environment comprising: a processing circuitry; a memory, the memory containing instructions that, when executed by the processing circuitry, configure the system to: inspect a first workload for a private CNP key, the private CNP key associated with a hash of a public CNP key; detect in a security database a representation of the public CNP key; detect in the security database a representation of a second workload connected to the representation of a second private CNP key; and generate a lateral movement path, the lateral movement path including an identifier of the second workload, in response to detecting that the representation of the second private CNP key is connected to the representation of the public CNP key.
14. The system of claim 13, wherein the memory contains further instructions which when executed by the processing circuitry further configure the system to: determine that the hash of the public CNP key associated with the private CNP key matches a public key hash represented in the security database by a public CNP key node.
15. The system of claim 14, wherein the memory contains further instructions which when executed by the processing circuitry further configure the system to: determine that the hash of the public CNP key associated with the private CNP key matches the public CNP key hash.
16. The system of claim 15, wherein the memory contains further instructions which when executed by the processing circuitry further configure the system to: connect in the security database the representation of the private CNP key to the representation of the public CNP key in response to determining that hash of the public CNP key associated with the private CNP key matches the public CNP key hash.
17. The system of claim 13, wherein the memory contains further instructions which when executed by the processing circuitry further configure the system to: detect that the private CNP key is stored as any one of: cleartext, and plaintext.
18. The system of claim 13, wherein the workload is any one of: a virtual machine, a software container, a serverless function, and any combination thereof.
19. The system of claim 13, wherein the workload is a secure shell (SSH) server deployed in a cloud computing environment.
20. The system of claim 13, wherein the private CNP key is stored in any one of: a PKCS format, and an OpenSSH format.
21. The system of claim 13, wherein the memory contains further instructions which when executed by the processing circuitry further configure the system to: detect a user account identifier in the private CNP key; generate a user representation representing the user account in the security database; and connect the user representation to the representation of the private CNP key.
22. The system of claim 13, wherein the second workload is exposed to a network external to the cloud computing environment.
23. The system of claim 13, wherein the memory contains further instructions which when executed by the processing circuitry further configure the system to: determine that the private CNP key is exposed.
The claims of the ‘777 Patent render anticipate claims 1-9 and 11-20 of the present application. The only difference between the claims (bolded portion of independent claims) is that the ‘777 patent discloses a private CNP key as the present application’s first CNP key, a public CNP key as the present application’s second CNP key, and a second private CNP key as the present application’s third CNP key. Also, the present application discloses a value of a second CNP key while the ‘777 Patent discloses a hash. The hash, private keys and public keys are narrow versions of the value, first CNP, second CNP and third CNP and therefore are disclosed by the ‘777 Patent. Therefore, the claims 1-9 and 11-20 are broader versions of the ‘777 Claims described and the claims are therefore anticipated by the claims of the ’777 patent.
The dependent claims are all explicitly disclosed by the ‘777 as mapped above except for the determining that the lateral movement path is a confirmed lateral movement path in response to detecting a vulnerability on any one of the first workload, the second workload, and any combination thereof Claims 10, and 21). However, this determination is merely restating the independent claims and the claim which detect the lateral movement and dependent claims 10-11 which disclose determining that the workloads and keys are exposed. Therefore, claims 10 and 21 are rendered obvious in light of the claims 10 and 11.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KAVEH ABRISHAMKAR whose telephone number is (571)272-3786. The examiner can normally be reached M-F 9-5:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jung Kim can be reached at 571-272-3804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/KAVEH ABRISHAMKAR/
03/06/2026Primary Examiner, Art Unit 2494