Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The filing of a terminal disclaimer by itself is not a complete reply to a nonstatutory double patenting (NSDP) rejection. A complete reply requires that the terminal disclaimer be accompanied by a reply requesting reconsideration of the prior Office action. Even where the NSDP rejection is provisional the reply must be complete. See MPEP § 804, subsection I.B.1. For a reply to a non-final Office action, see 37 CFR 1.111(a). For a reply to final Office action, see 37 CFR 1.113(c). A request for reconsideration while not provided for in 37 CFR 1.113(c) may be filed after final for consideration. See MPEP §§ 706.07(e) and 714.13.
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The actual filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/apply/applying-online/eterminal-disclaimer.
Claims 1-10, 13 and 18-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-5, 8-10, 12-13 and 18-20 of U.S. Patent No. 11,711,398.
Instant Application
U.S. Patent No. 11,711,398
1. A method, comprising:
receiving data from edge nodes of a private network at an external service,
wherein the edge nodes of the private network comprise physical devices of the private network and virtual services provided to the private network by third-party providers;
detecting a security event in the private network from analyzing the received data at the external service; and
generating an output from the external service in response to detecting the security event that at least in part facilitates remediating the security event at one or more of the edge nodes of the private network.
2. The method of claim 1, wherein the data comprises a data stream.
3. The method of claim 1, wherein the data comprises sampled data.
4. The method of claim 1, wherein the data comprises flow data.
5. The method of claim 1, wherein the data comprises log data.
6. The method of claim 1, wherein data from different edge nodes comprises different sampling rates.
7. The method of claim 1, wherein the external service provides security operations for the private network.
8. The method of claim 1, wherein the external service facilitates defending the private network from threats and attacks.
9. The method of claim 1, wherein the external service comprises a distributed intrusion detection and prevention system.
10. The method of claim 1, wherein the output is generated by a rules engine of the external service that is configured to map the detected security event to an action.
13. The method of claim 1, wherein the output comprises a routing filter or block list.
18. The method of claim 1, further comprising providing a portal to the external service that is accessible to an operator of the private network.
19. A system, comprising: one or more databases of an external service that is external to a private network configured to store data associated with the private network; and one or more processors of the external service configured to: receive data from edge nodes of the private network,
wherein the edge nodes of the private network comprise physical devices of the private network and virtual services provided to the private network by third-party providers;
detect a security event in the private network from analyzing the received data at the external service; and generate an output from the external service in response to detecting the security event that at least in part facilitates remediating the security event at one or more of the edge nodes of the private network.
20. A computer program product embodied in a non-transitory computer readable medium and comprising computer instructions for: receiving data from edge nodes of a private network at an external service, wherein the edge nodes of the private network comprise physical devices of the private network and virtual services provided to the private network by third-party providers;
detecting a security event in the private network from analyzing the received data at the external service; and generating an output from the external service in response to detecting the security event that at least in part facilitates remediating the security event at one or more of the edge nodes of the private network.
1. A method, comprising:
receiving data from edge nodes of a private network at an external service that is external to the private network, wherein the data comprises sampled packet data that includes information defining communication sessions but not packet payload information, wherein the external service provides a synthetic border for the private network that unifies edge nodes of the private network comprising physical devices of the private network and virtual services provided to the private network by external third-party providers, and wherein the external service is configured to automatically adjust sampling rates of data received from the edge nodes of the private network via communication with the edge nodes of the private network; analyzing the received data at the external service; detecting from analyzing the data a security event in the private network; and automatically generating an output from the external service in response to detecting the security event that facilitates remediating the security event at least at one or more of the edge nodes of the private network.
2. The method of claim 1, wherein the data comprises a data stream.
1, wherein the data comprises sampled packet data
4. The method of claim 1, wherein the data comprises flow data.
5. The method of claim 1, wherein the data comprises log data.
3. The method of claim 1, wherein data from different edge nodes comprises different sampling rates.
8. The method of claim 1, wherein the external service provides security operations for the private network.
9. The method of claim 1, wherein the external service facilitates defending the private network from threats and attacks.
10. The method of claim 1, wherein the external service comprises a distributed intrusion detection and prevention system.
12. The method of claim 1, wherein the output is generated by a rules engine of the external service that is configured to map the detected security event to an action.
13. The method of claim 1, wherein the output comprises a routing filter or block list.
18. The method of claim 1, further comprising providing a portal to the external service that is accessible to an operator of the private network.
19. A system, comprising: one or more databases of an external service that is external to a private network configured to store data associated with the private network; and one or more processors of the external service configured to: receive data from edge nodes of the private network, wherein the data comprises sampled packet data that includes information defining communication sessions but not packet payload information, wherein the external service provides a synthetic border for the private network that unifies edge nodes of the private network comprising physical devices of the private network and virtual services provided to the private network by external third-party providers, and wherein the external service is configured to automatically adjust sampling rates of data received from the edge nodes of the private network via communication with the edge nodes of the private network; analyze the received data at the external service; detect from analyzing the data a security event in the private network; and automatically generate an output from the external service in response to detecting the security event that facilitates remediating the security event at least at one or more of the edge nodes of the private network.
20. A computer program product embodied in a non-transitory computer readable medium and comprising computer instructions for: receiving data from edge nodes of a private network, wherein the computer program product is associated with an external service that is external to the private network, wherein the data comprises sampled packet data that includes information defining communication sessions but not packet payload information, wherein the external service provides a synthetic border for the private network that unifies edge nodes of the private network comprising physical devices of the private network and virtual services provided to the private network by external third-party providers, and wherein the external service is configured to automatically adjust sampling rates of data received from the edge nodes of the private network via communication with the edge nodes of the private network; analyzing the received data at the external service; detecting from analyzing the data a security event in the private network; and automatically generating an output from the external service in response to detecting the security event that facilitates remediating the security event at least at one or more of the edge nodes of the private network.
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.
Claims 1-2, 4, 7-15 and 17-20 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Hadden et al. – hereinafter Hadden (US 2016/0072836).
As per claim 1, Hadden discloses a method, comprising:
receiving data from edge nodes of a private network at an external service, ([0032]; The network cloud 26 can be a private network; [0053]; In step 406, a data security incident is detected, e.g., a data networking device such as a router 34 or firewall 36 in ACME Company's corporate network 70 detects data associated with a significant increase in download activity for a specific file, and sends data associated with the incident in messages to the ACME IM 102-1. Fig. 4: item 406)
wherein the edge nodes of the private network comprise physical devices of the private network and ([0032] The enterprise network 131 of each organization includes a number of devices. These include computing devices, database systems, and data networking devices such as routers 34 firewalls 36 and configuration servers 63, in examples. The enterprise network 131 typically connects to the network cloud 26 via a firewall 36 device.)
virtual services provided to the private network by third-party providers; ([0031] IM(s) 102-1, 102-2, and 102-3 manage the incident response for enterprise networks 131 of exemplary organizations ACME Company, BigCorp, and CamCorp, respectively. The enterprise network 131 of ACME Company is shown. The application server 140 provides security and mutual exclusion of the data for each IM 102. Each IM 102 communicates with its associated enterprise network 131 over a network cloud 26.; [0032] The enterprise network 131 of each organization includes a number of devices. These include computing devices, database systems, and data networking devices such as routers 34 firewalls 36 and configuration servers 63, in examples. The enterprise network 131 typically connects to the network cloud 26 via a firewall 36 device.)
detecting a security event in the private network from analyzing the received data at the external service; and ([0056] In step 412, the ACME IM 102 detects creation of the incident object 121 and optionally creation of IAs 120 associated with the incident, and parses their contents to identify any included data resources (e.g. IP addresses and the md5 hash for the downloaded file) within the incident object 121, and creates IAs 120 for the data resources identified within the incident object 121… Then, in step 414, the ACME IM 102-1 issues queries to first level TIS(s) 20 configured in the TIS configuration repository 128, to determine whether the IAs 120 (e.g. md5 hash for downloaded file and/or IP addresses of downloaded packets) for the incident object 121 are identified as known threats. Fig. 4: items 412, 414)
generating an output from the external service in response to detecting the security event that at least in part facilitates remediating the security event at one or more of the edge nodes of the private network; ([0061]; According to step 430, using the config API 39 of the configuration server 63, the IM 102 instructs reconfiguration of network devices within the client's enterprise network 131, e.g., send a message over the network cloud 26 to the configuration server 63 via the firewall 36, where the message includes instructions to block the bad IP addresses on the router 34 of the enterprise network 131; The config API 39 receives the message and forwards the message to the router 34 for execution on the router 34 in step 432. Fig. 5; items 430, 432)
As per claim 2, Hadden discloses the method of claim 1, wherein the data comprises a data stream. ([0053] In step 406, a data security incident is detected, e.g., a data networking device such as a router 34 or firewall 36 in ACME Company's corporate network 70 detects data associated with a significant increase in download activity for a specific file (data stream), and sends data associated with the incident in messages to the ACME IM 102-1)
As per claim 4, Hadden discloses the method of claim 1, wherein the data comprises flow data. ([0053]; ACME Company's corporate network 70 detects data associated with a significant increase in download activity for a specific file, and sends data associated with the incident in messages to the ACME IM 102-1.)
As per claim 7, Hadden discloses the method of claim 1, wherein the external service provides security operations for the private network. ([0061]; According to step 430, using the config API 39 of the configuration server 63, the IM 102 instructs reconfiguration of network devices within the client's enterprise network 131, e.g., send a message over the network cloud 26 to the configuration server 63 via the firewall 36, where the message includes instructions to block the bad IP addresses on the router 34 of the enterprise network 131; The config API 39 receives the message and forwards the message to the router 34 for execution on the router 34 in step 432. Fig. 5; items 430, 432)
As per claim 8, Hadden discloses the method of claim 1, wherein the external service facilitates defending the private network from threats and attacks. ([0055], [0061]-[0062]; Fig. 4: items 414, 416; Fig. 5: items 428, 430, 432, 434)
As per claim 9, Hadden discloses the method of claim 1, wherein the external service comprises a distributed intrusion detection and prevention system. ([0061]; According to step 430, using the config API 39 of the configuration server 63, the IM 102 instructs reconfiguration of network devices within the client's enterprise network 131, e.g., send a message over the network cloud 26 to the configuration server 63 via the firewall 36, where the message includes instructions to block the bad IP addresses on the router 34 of the enterprise network 131; The config API 39 receives the message and forwards the message to the router 34 for execution on the router 34 in step 432. Fig. 5; items 430, 432)
As per claim 10, Hadden discloses the method of claim 1, wherein the output is generated by a rules engine of the external service that is configured to map the detected security event to an action. ([0042] The rules engine 178 generates a list of tasks 192 for an IM 102 or IRT personnel 172 to execute in response to data security incidents. The tasks 192 include recommended actions that should be taken to provide an incident response to the data security incidents.)
As per claim 11, Hadden discloses the method of claim 1, wherein the output facilitates modifying routing at one or more of the edge nodes of the private network. ([0061]; According to step 430, using the config API 39 of the configuration server 63, the IM 102 instructs reconfiguration of network devices within the client's enterprise network 131, e.g., send a message over the network cloud 26 to the configuration server 63 via the firewall 36, where the message includes instructions to block the bad IP addresses on the router 34 of the enterprise network 131. The config API 39 receives the message and forwards the message to the router 34 for execution on the router 34 in step 432, in one example.)
As per claim 12, Hadden discloses the method of claim 1, wherein the output facilitates modifying a corresponding security policy at one or more of the edge nodes of the private network ([0061]; According to step 430, using the config API 39 of the configuration server 63, the IM 102 instructs reconfiguration of network devices within the client's enterprise network 131, e.g., send a message over the network cloud 26 to the configuration server 63 via the firewall 36, where the message includes instructions to block the bad IP addresses on the router 34 of the enterprise network 131. The config API 39 receives the message and forwards the message to the router 34 for execution on the router 34 in step 432, in one example.)
As per claim 13, Hadden discloses the method of claim 1, wherein the output comprises a routing filter or block list. ([0061]; According to step 430, using the config API 39 of the configuration server 63, the IM 102 instructs reconfiguration of network devices within the client's enterprise network 131, e.g., send a message over the network cloud 26 to the configuration server 63 via the firewall 36, where the message includes instructions to block the bad IP addresses on the router 34 of the enterprise network 131. The config API 39 receives the message and forwards the message to the router 34 for execution on the router 34 in step 432, in one example.)
As per claim 14, Hadden discloses the method of claim 1, wherein the external service facilitates blocking threats or attacks post detection. ([0061]; According to step 430, using the config API 39 of the configuration server 63, the IM 102 instructs reconfiguration of network devices within the client's enterprise network 131, e.g., send a message over the network cloud 26 to the configuration server 63 via the firewall 36, where the message includes instructions to block the bad IP addresses on the router 34 of the enterprise network 131. The config API 39 receives the message and forwards the message to the router 34 for execution on the router 34 in step 432, in one example.)
As per claim 15, Hadden discloses the method of claim 1, further comprising storing the received data at the external service. ([0045]; The IM 102 parses the incident object 121, identifies IP address 1.1.1.1 as a data resource, and creates an IA 120 for the identified IP address data resource (e.g. 1.1.1.1) and saves the IA 120 to the incident database 122.)
As per claim 17, Hadden discloses the method of claim 1, further comprising tagging the received data with metadata at the external service. ([0064] Returning to FIG. 4, in step 440, the ACME IM 102 queries the second level TIS(s) 30 configured in the TIS configuration repository 128, to obtain metadata and usage data for the identified IAs 120 within the incident object 121, and augments the IAs 120 with the obtained query results.)
As per claim 18, Hadden discloses the method of claim 1, further comprising providing a portal to the external service that is accessible to an operator of the private network. ([0034] Personnel typically associated with an Incident Response Team (“IRT”) 172 access the IM 102 via the browser 150. The browser 150, in one example, presents a graphical user interface (GUI) application for managing and interacting with the IM 102.)
As per claims 19-20, please see the discussion under claim 1 as similar logic applies.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim 3 is rejected under 35 U.S.C. 103 as being unpatentable over Hadden (US 2016/0072836) in view of Strub et al. – hereinafter Strub (US 9,794,272).
As per claim 3, Hadden discloses the method of claim 1. Hadden fails to disclose wherein the data comprises sampled data. Strub discloses wherein the data comprises sampled data. (Col 2 line 47 – Col 3 line 5; In some embodiments, the method comprises performing the monitoring using a first criteria, and, if the determining step determines that data in the traffic is indicative of a malicious threat, performing the monitoring according to a second criteria, different from the first criteria. The first and second criteria may include first and second rates at which received data traffic is sampled to produce the information, where the second sampling rate is higher than the first sampling rate.)
It would have been obvious for the teachings of Hadden to be modified before the effective filing date of the invention so that the IP flow session data is sent to the ACME as sampled data, because this would have allowed the ACME system to make sure that the data traffic is not indicative of a malicious threat and reduce the internal memory
Claim 5 is rejected under 35 U.S.C. 103 as being unpatentable over Hadden (US 2016/0072836) in view of Doron et al. – hereinafter Doron (US 2019/0182291) – provisional 62/597215.
As per claim 5, Hadden discloses the method of claim 1. Hadden fails to disclose wherein the data comprises log data. Doron discloses wherein the data comprises log data. (provisional 62/597215; [0056] Batch processing includes processing high volumes of data including groups of data each collected over a period of time.)
It would have been obvious for the teachings of Hadden to be modified before the effective filing date of the invention so that the IP flow session data that is sent to the ACME is sent as batched data which is logged or collected over a period of time, as taught by Doron. The motivation would have been to allow for uniform processing of comparable data from different sources. (Doron, provisional 62/597215; [0039])
Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Hadden (US 2016/0072836) in view of Tagore (US 9,246,828).
As per claim 6, Hadden discloses the method of claim 1. Hadden fails to disclose wherein data from different edge nodes comprises different sampling rates.
Tagore discloses wherein data from different edge nodes comprises different sampling rates. (Col 2 lines 5-17; the method further comprises processing, with a flow controller within the service card of the network device, the subset of the inbound packets to generate flow records. In response to a change in the current packet rate at which the inbound packets are received at the interface, the flow controller adjusts the current sampling rate at which the forwarding circuit samples the inbound packets received at the interface. Col 2 lines 37-46; system 10 having a number of network elements (“E” in FIG. 1) 14A-14E, hereafter network elements 14. As shown in FIG. 1, each network element 14 generates traffic flow records and transmits the traffic flow records to flow collector 16. Network elements 14 may comprise dedicated computers, specialized devices, or virtual machines providing network services, such as network routers, gateways, switches, firewalls, hubs, servers, VPN appliances or other network devices that forward or otherwise provide services to traffic flows.; Col 2 lines 47-58; Network 6 may represent any type of packet-switched network, such as a service provider network, a customer network, an access network, a local area network (LAN))
It would have been obvious before the effective filing date of the invention for the teachings of Hadden to be modified so that the ACME IM adjusts the sampling rates by configuring the edge nodes, such as routers, gateways, firewalls, and switches, in ACME Company's private corporate network. This would have been beneficial to improve the efficiency and reduce the resource usage of the nodes in the private network.
Claim 16 is rejected under 35 U.S.C. 103 as being unpatentable over Hadden (US 2016/0072836) in view of Hasan (US 2017/0214701).
As per claim 16, Hadden discloses the method of claim 1. Hadden fails to disclose further comprising indexing the received data for searchability at the external service.
Hasan discloses comprising indexing the received data for searchability at the external service. ([0006]; (e) Security Behavior, which stores and indexes events and their security responses and traits, wherein the response comprises block/approval decisions; [0233]; Events and their security responses and traits are stored and indexed for future queries.)
It would have been obvious before the earliest effective date for the teachings of Hadden to be modified so that the security data is indexed for searchability. This would have enabled an administrator to refine security policies for the private network.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See PTO-892 form.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Chirag R Patel whose telephone number is (571) 272-7966. The examiner can normally be reached on Monday to Friday from 9:00 AM to 6:00 PM. If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Glenton Burgess, can be reached on 571-272-3949. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pairdirect.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll free).
/Chirag R Patel/
Primary Examiner, Art Unit 2454