Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
DETAILED ACTION
Claims 1-20 are presented for examination.
Notice for all Patent Application as subject to AIA
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1-20 are rejected under AIA 35 U.S.C. 103 as being un-patentable over Kouznetsov (U.S. Patent Application Publication No. 2016/0156642 A1) in view of Reiter (U.S. Patent Application Publication No. 2014/0067377 A1).
As to claim 1, Kouznetsov discloses a non-transitory computer readable medium having stored thereon instructions comprising executable code that, when executed by one or more processors (figure 2, pars. 0033-0034), causes the one or more processors to: collect event information from cloud-based information system services running on at least one container using an agent (figure 3, pars. 0037-0038 & 0044-0046, collecting event information from services running on an OS using an OC object manager); generate an event file by grouping and time stamping the event information; validate the event file to produce one or more validated event collections (figure 1, pars. 0026-0027, figure 3, pars. 0047-0049, figure 4, pars. 0055-0056, generating and validating events group); serialize the one or more validated event collections into a real-time event stream (figures 3-4, pars. 0050, 0053 & 0058, serializing virtual events into real-time stream); filter the one or more validated event collections to remove redundant structured event payloads (figures 3-4, pars. 0053-0054 & 0057-0058, filtering virtual events for reducing loads); generate threat intelligence based on the filtered one or more validated event collections (figure 4, pars. 0008-0009 & 0058-0059, detecting threat based on the filtered virtual events); and generate alerts for a customer to the raw event logs (figure 1, par. 0027, producing alerts for the events).
However, Kouznetsov does not explicitly teach that generate threat intelligence from raw event logs, wherein the raw event logs are based on the filtered one or more validated event collections; and generate alerts for a customer by applying customer-specific rules to the raw event logs.
Reiter teaches that generate threat intelligence from raw event logs, wherein the raw event logs are based on the validated event collections; and generate alerts for a customer by applying customer-specific rules to the raw event logs (figure 1, pars. 0016, 0018 & 0021-0022, figure 4, pars. 0095-0097, reference teaches about determining causes of an alert from the raw event logs and generating an awareness text based on user rules).
It would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to incorporate the teaching of Reiter as stated above with the apparatus/method of Kouznetsov for generating threat intelligence from raw event logs and generating alerts for a user by using user rules to the raw event logs because it would have improved utilization and efficiency of the system by providing situational awareness related to the alert condition to the user.
As to claim 2, Kouznetsov does not explicitly teach that identify vulnerabilities posed to cataloged assets, wherein the cataloged assets are based on the raw event logs; and generate a threat corpus based on the identified vulnerabilities and based on data from a national database of known security threats.
Reiter teaches that identify vulnerabilities posed to cataloged assets, wherein the cataloged assets are based on the raw event logs (figure 1, pars. 0031, 0033, 0043, figure 4, par. 0095, identifying causes of an alert condition based on the raw event logs); and generate a threat corpus based on the identified vulnerabilities and based on data from a national database of known security threats (figure 1, pars. 0026, 0048, figure 4, par. 0097, generating an awareness text using historical data contain information related to a previous alert condition, action taken, and result).
It would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to incorporate the teaching of Reiter as stated above with the apparatus/method of Kouznetsov for identifying causes of an alert condition and generating an awareness text using historical data because it would have improved utilization and efficiency of the system by providing situational awareness related to the alert condition to the user.
As to claim 3, Kouznetsov discloses that the at least one container comprises a Docker container (figure 1, pars. 0024-0025, figure 3, pars. 0037-0038 & 0044-0046, OS using an OS object manager for loading and unloading events and also UIM loading and unloading events to a datalogger).
As to claim 4, Kouznetsov discloses that the collected event information comprises real-time continuous event information from an operating system kernel (figure 3, par. 0039).
As to claim 5, Kouznetsov does not teach that the alerts are generated based on a time window, frequency threshold, a system criteria, and a user criteria.
Reiter teaches that the alerts are generated based on a time window, frequency threshold, a system criteria, and a user criteria (pars. 0019, 0044, 0047, figure 7, par. 0102).
It would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to incorporate the teaching of Reiter as stated above with the apparatus/method of Kouznetsov for generating alerts based on time, threshold, and user criteria because it would have improved utilization and efficiency of the system by providing situational awareness related to the alert condition to the user.
As to claims 6-10, they are also rejected for the same reasons set forth to rejecting claims 1-5 above, since claims 6-10 are merely method of operations for the program product for the claims 1-5, and claims 6-10 do not teach or define any new limitations than above rejected claims 1-5.
As to claims 11-15, they are also rejected for the same reasons set forth to rejecting claims 1-5 above, since claims 11-15 are merely an apparatus for the program product for the claims 1-5, and claims 11-15 do not teach or define any new limitations than above rejected claims 1-5.
As to claims 16-20, they are also rejected for the same reasons set forth to rejecting claims 1-5 above, since claims 16-20 are merely an apparatus for the program product for the claims 1-5, and claims 16-20 do not teach or define any new limitations than above rejected claims 1-5.
Additional References
The examiner as of general interest cites the following references.
Pereira et al, U.S. Patent Application Publication No. 2019/0050560 A1.
Reiter et al, U.S. Patent Application Publication No. 2016/0217133 A1.
Content Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Bharat Barot whose telephone number is (571)272-3979. The examiner can normally be reached on 7:00AM-3:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kamal B Divecha can be reached on (571)272-5863. The fax phone number for the organization where this application or proceeding is assigned is (571)273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/BHARAT BAROT/Primary Examiner, Art Unit 2453December 16, 2025