Prosecution Insights
Last updated: April 19, 2026
Application No. 18/853,686

AUTOMATED SECURITY ANALYSIS AND RESPONSE OF CONTAINER ENVIRONMENTS

Non-Final OA: §101, §103, §112
Filed: Oct 02, 2024
Examiner: GILLESPIE, KAMRYN JORDAN
Art Unit: 2408
Tech Center: 2400 — Computer Networks
Assignee: Cado Security Ltd.
OA Round: 1 (Non-Final)
Grant Probability: 73% (Favorable)
OA Rounds: 1-2
To Grant: 2y 8m
With Interview: 99%

Examiner Intelligence

Grants 73% — above average
Career Allow Rate: 73% (16 granted / 22 resolved, +14.7% vs TC avg)
Strong +50% interview lift
Interview Lift: +50.0% (resolved cases with interview)
Typical timeline
Avg Prosecution: 2y 8m (17 currently pending)
Career history
Total Applications: 39 (across all art units)

Statute-Specific Performance

§101: 7.4% (-32.6% vs TC avg)
§103: 44.9% (+4.9% vs TC avg)
§102: 26.4% (-13.6% vs TC avg)
§112: 14.4% (-25.6% vs TC avg)
Based on career data from 22 resolved cases

Office Action

§101 §103 §112
Detailed Action

This communication is in response to applicant's claims filed on 10/02/2024. Claims 1-7 and 11-20 are pending. Claims 8-10 are cancelled.

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement

The information disclosure statements (IDS) submitted on 05/16/2025 and 10/02/2024 appear to be in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statements are being considered by the examiner.

Claim Rejections - 35 USC § 112

The following is a quotation of 35 U.S.C. 112(b):

(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 1-7, 11-15, and 16-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.

Claims 1, 11, and 16 recite the limitation “key events linked to same processes, users, files, network connections of events highlighted by the malicious or the suspicious indicators”. It is unclear whether the “same processes, users, files, network connections” are all required elements for the “key event”, or rather candidate elements that may singularly or in combination amount to the “key event”. Thus, claim 1 is rejected. Claims 11 and 16 are also rejected for similar reasoning as they recite similar limitations.
The dependent claims included in the statement of rejection but not specifically addressed in the body of the rejection have inherited the deficiencies of their parent claim and have not resolved the deficiencies. Therefore, they are rejected based on the same rationale as applied to their parent claims above.

Claim Interpretation

For the purposes of examination, the examiner construes the limitation “key events linked to same processes, users, files, network connections of events highlighted by the malicious or the suspicious indicators” to mean “key events linked to same processes, users, files, or network connections of events highlighted by the malicious or the suspicious indicators”.

Claim Rejections - 35 USC § 101

35 U.S.C. 101 reads as follows:

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 16-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. Claim 16 recites a system comprising a data acquisition system and a data analysis system, each of which may be interpreted as software according to Applicant’s Specification. Computer programs claimed as computer listings per se, i.e., the descriptions or expressions of the programs are not physical "things". They are neither computer components nor statutory processes, as they are not "acts" being performed. Such claimed computer programs do not define any structural and functional interrelationships between the computer program and other claimed elements of a computer, which permit the computer program's functionality to be realized. M.P.E.P. 2601.1 Section I states, “Since a computer program is merely a set of instructions capable of being executed by a computer, the computer program itself is not a process and USPTO personnel should treat a claim for a computer program, without the [non-transitory] computer-readable medium needed to realize the computer program’s functionality, as nonstatutory functional descriptive material.” Claims 16-20 do not provide the non-transitory computer-readable medium needed to realize the program’s functionality and as such are not limited to statutory subject matter and are therefore non-statutory. It is suggested by Examiner that the system claim be amended to require hardware, such as a “CPU”, "hardware memory" in order to remove any non-statutory embodiments from the claim scope.

Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) (1-4 & 7), (11-13), (16-19) is/are rejected under 35 U.S.C.
103 as being unpatentable over MILLS (US 20140082513 A1), hereafter MILLS, in view of MARTIN (US 20180004942 A1), hereafter MARTIN. Regarding claim 1, MILLS teaches: A computer security method for analyzing a plurality of data sets for remediating security incidents in a cloud-based response system (MILLS [0004] “In accordance with the disclosed subject matter, systems, methods, and non-transitory computer-readable media provide for context-sensitive interactive logging.”, [0027] A wide variety of actions can be associated with one or more log entries. For example, the actions can include… causing a user to be logged out; causing a user to change his or her password on next login…activating security measures in a secured data center [0042] “Firewall 107 may provide security features, access control, authentication, spam protection, port blocking/port mapping, address mapping, active intrusion detection, and/or other features for the enterprise network.”, [0076] “In some embodiments, log server 601 can reside in a data center and form a node in a cloud computing infrastructure… A log server 601 in the cloud can be managed using a management system.”), the computer security method comprises: retrieving logs of data from a computer network(MILLS [0062] “The administrative user can access the interactive log by requesting a global timeline (i.e., unfiltered but ordered by time), a user timeline (i.e., filtered to retrieve only log entries of a particular user)… If the administrative user accesses the interactive log, all log entries corresponding to the requested filters may be retrieved from the relevant database…”); parsing the logs of data (MILLS [0045] “In some embodiments, log server 104 may include a log file or database for providing basic logging functionality for an application. 
These log entries may then be parsed by log server”) and filtering the logs of data into the plurality of data sets(MILLS [0006] “the plurality of log entries can be filtered based on information in the at least one category of data selectable by the user at the administrative user console; and responsive to a selection of the at least one category of data from the administrative user console, filter the plurality of log entries for display.”, [0024] “The disclosed logging system also allows filtering based on the above data categories. When an administrative user chooses to view only log entries that match a specified filter, all entries that do not match the filter can be hidden. This allows for simple viewing of logs that pertain only to a specific user, for example, or a particular server or device.”), wherein the filtering of the logs of data includes: creating an event timeline of the computer network (MILLS [0062] “The administrative user can access the interactive log by requesting a global timeline (i.e., unfiltered but ordered by time), a user timeline (i.e., filtered to retrieve only log entries of a particular user), a device timeline (only for a particular device), or an application timeline (only for a particular application).”) ;and generating, based on a result of the identification of whether the data from the logs of data is accessed by the unauthorized computing system, a set of suggested tasks, wherein each suggested task of the set of suggested tasks represents techniques for isolating a host connected to the computer network if the data has been compromised (MILLS [0032] “After one or more log entries is associated with an action, the action may be presented together with the one or more log entries to the administrative user… the association is stored in a storage system, such as a database, and the stored association is used to provide the log entry and each of its associated actions when the administrative user chooses to retrieve the log 
entry at a later date. There may be one action, more than one action, or no actions associated with a given log entry… In some embodiments, a button may be shown next to one or more log entries;”, [0051] “In some embodiments, context-specific actions can be presented to the administrative user as selectable buttons located adjacent to the log entry that provides the relevant context. For example, button 210, "Increase User's quota to 10 GB," is a context-specific action that is relevant to the logged event "User is running out of disk space (98% of 5 GB)." If a given user is running out of disk space, and the administrative user has the proper authority, the administrative user can resolve the potential issue of the user running out of disk space by increasing the amount of disk space allotted to the user (e.g., the user's disk space quota).”). Further regarding claim 1, MILLS teaches the limitations previously demonstrated, however does not appear to explicitly teach the following limitations demonstrated by MARTIN: creating an event timeline of the computer network by; identifying: known events based on malicious or suspicious indicators on the logs of data(MARTIN [0018] “The system can apply new threat intelligence to a network accounting log of the network to detect cyber attacks already present on a machine within the network. 
Threat intelligence for a particular security threat can define: an actor; tools, techniques, processes (TTPs) of the actor; and indicators of compromise (IOCs) for such an attack…IOCs for a particular cyber attack can also specify: unusual (outbound) network traffic; unusual privileged user account activity; log-in anomalies; increases in database read volume; suspicious registry or system file changes;”, [0022] “Upon receipt of this new threat intelligence information for Red Gang 13, the system adds this new threat intelligence information to an existing threat corpus of threat intelligence of known threats and automatically scans the network event buffer for elements that match IOCs defined in the threat corpus.”, [0054] “The system can additionally or alternatively implement pattern-matching techniques to calculate a degree of temporal alignment between singular network events in the network accounting log and threat elements defined in the new threat intelligence that may suggest presence of the newly-identified security threat on the network now or in the past. 
In one example, threat intelligence for a newly-identified security threat defines an attack pattern, including a relative timeline of one or more initial infiltration, command and control, reconnaissance, and lateral movement stages of a cyber attack.”), key events linked to same processes, users, files, network connections of events highlighted by the malicious or the suspicious indicators(MARTIN [0023] “[0023] Separately and upon receipt of this new threat intelligence information for Red Gang 13, the system automatically scans the compressed log file for common elements between the compressed log file and the new threat intelligence information in Block S130, such as for an element in the compressed log file that indicates that a computer on the network previously connected to IP address 88.6.14.33 or previously connected to mwindowsupdate5.com.”), incident events with a time period matching the known events and the key events (MARTIN [0023] “However, if the system finds one or more common elements between the compressed log file and the new threat intelligence in Block S130, the system can determine that an attack by Red Gang 13 on the credit union's internal network is possible…”), and primary events from the known events, key events, and incident events (MARTIN [0023] “…the system can then scan the network accounting log—containing original, uncompressed network event data—for a group or cluster of event records that may confirm such an attack by Red Gang 13 on the internal network in Block S140.”, [0068] “Similarly, the system can execute attack-type specific processes based on threat intelligence for a confirmed cyber attack type.” The confirmed attacks are mapped to primary events.); analyzing using a data analysis system (MARTIN [0017] “The system can interface with an Information Sharing and Analysis Center (“ISAC”) to access an ISAC database containing definitions for a current set of known security threats (or “threat intelligence”)… In particular, as 
newly-identified security threats and cyber attacks are identified by members of the ISAC or by external entities on behalf of the ISAC, the ISAC can add new threat intelligence pertaining to these newly-identified security threats and cyber attacks to the ISAC database. The ISAC database can then distribute updated threat intelligence to related entities, including the system. Alternatively, the system can regularly pull threat intelligence updates from the ISAC database, such as once per day.”), the event timeline of the computer network from the plurality of data sets to identify whether data from the logs of data is accessed by an unauthorized computing system (MARTIN [0023] “the system can then scan the network accounting log—containing original, uncompressed network event data—for a group or cluster of event records that may confirm such an attack by Red Gang 13 on the internal network in Block S140. In particular, the system can implement pattern matching techniques in Block Size S140 to identify various elements in the network accounting log that match IOC values contained in the new threat intelligence, such as a combination of common external IP address, MAC address, hostname, URL, and event sequence or timeline between the network accounting log and the new threat intelligence.”, [0026] “In particular, new events occurring at computers within the network may be scanned for possible security threats in real-time or in near real-time by other detection mechanisms—such as external intrusion detection systems (IDS) or intrusion prevention systems (IPS)”), wherein the primary events are associated with the unauthorized computing system (MARTIN [0023] “the system can then scan the network accounting log—containing original, uncompressed network event data—for a group or cluster of event records that may confirm such an attack by Red Gang 13 on the internal network in Block S140.”); Since MILLS and MARTIN are from the same field of endeavor as both are directed 
to secure memory log functions, which is within the same field of endeavor as the claimed invention, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify and combine the teachings of MILLS and MARTIN by incorporating the teachings of MARTIN into MILLS. The motivation to combine is to improve network security logging functions and verification thereof. (MILLS [AB]; MARTIN [AB]).

Regarding claim 2, MILLS-MARTIN teaches: The computer security method for analyzing a plurality of data sets for remediating security incidents in a cloud-based response system as recited in claim 1, further comprises presenting the set of suggested tasks on a user interface ([0005] “configured to…identify at least one action associated with the logging event… format an interactive display page, for display at the administrative user console, containing the log entry, wherein the interactive display page displays the logging event and the associated action in proximity to the logging event, and wherein the associated action can be selectable by an administrative user at the administrative user console, and responsive to a selection of the associated action from the administrative user console, initiate the associated action.”, [0053] “For example, log entry 214, "User sent request for login to email server," has no appropriate action next to it. In other cases, an action may be associated with more than one log entry. The action may be displayed next to each of the log entries or alternatively may be displayed next to only one log entry.”).

Regarding claim 3, MILLS-MARTIN teaches: The computer security method for analyzing a plurality of data sets for remediating security incidents in a cloud-based response system as recited in claim 1, wherein identifying if the network has been accessed by the unauthorized computing system includes the computing system modifying, deleting and/or acquiring data to the network without authorization(MILLS [0042] “Firewall 107 may provide security features, access control, authentication, spam protection, port blocking/port mapping, address mapping, active intrusion detection, and/or other features for the enterprise network.”, MARTIN [0015] “The system can additionally or alternatively interface with external intrusion detection systems and/or intrusion prevention systems that both detect network events and compare these network events to known threat intelligence to detect such known threats on the network substantially in real-time.)”, [0018] “The system can apply new threat intelligence to a network accounting log of the network to detect cyber attacks already present on a machine within the network… For example, threat intelligence for a particular cyber attack performed by an actor can include TTPs that specify one or more of: attack patterns; malware; exploits; kill chains; tools; infrastructure; victim targeting; malicious code; tunneling; viruses or worms; keyloggers; spyware; malicious rootkits; etc.”). 
Regarding claim 4, MILLS-MARTIN teaches: The computer security method for analyzing a plurality of data sets for remediating security incidents in a cloud-based response system as recited in claim 1, further comprises suggesting a set of tasks to a user, wherein the set of tasks includes executing a wizard, evaluating an enrichment to one or more log events, or managing a task using an auto- suggest technique(MILLS [0030] “In some embodiments, the log server may automatically learn which log entries should be associated with which actions by automatically recording administrative actions taken by the administrative user.” MARTIN [0024] “Upon confirmation of sufficient match between various elements in the network accounting log and in the new threat intelligence, the system can execute one or more actions to handle the threat on the internal network in Block S150, such as by automatically: issuing an alert that can be combined with other alerts to trigger human involvement; prompting human security personnel at an external security operation center (or “SOC”) to begin an investigation into the threat; and/or quarantining one or more compromised computers within the network.”). Regarding claim 7, MILLS-MARTIN teaches: The computer security method for analyzing a plurality of data sets for remediating security incidents in a cloud-based response system as recited in claim 1, further comprises identifying risks associated with the computer system, wherein the set of suggested tasks include predefined tasks including installing an anti-virus, disconnecting the unauthorized computing system and/or other remediations in response to the risks(MARTIN [0042] “A firewall 107 may be present in some embodiments, where a firewall is a network device that separates network 106 from the public Internet. 
Firewall 107 may provide security features, access control, authentication, spam protection, port blocking/port mapping, address mapping, active intrusion detection, and/or other features for the enterprise network.”, MILLS [0016] “Blocks of the method S100 can be executed by a remote computer system (e.g., a remote server) that remotely collects and stores network traffic data occurring on a network and compares these data to new threat intelligence … in order to asynchronously identify possible security threats and to prompt security personnel (e.g., a security analyst) to selectively investigate such possible security threats.”, [0024] “Upon confirmation of sufficient match between various elements in the network accounting log and in the new threat intelligence, the system can execute one or more actions to handle the threat on the internal network in Block S150, such as by automatically… quarantining one or more compromised computers within the network.”). Regarding claims (11-13) and (16-19), claims 11-13 and 16-19 recite substantially similar limitations as claims (1-2 & 7) and (1-4) respectively, in the embodiment of “A non-transitory computer-readable medium comprising instructions that are executable by a processing device for causing the processing device to perform operations” and “A cloud-based response system for analyzing data for remediating security incidents in a cloud environment,” such as taught by MILLS-MARTIN(MILLS [0009] “In another embodiment, a non-transitory computer-readable medium is provided, the medium having executable instructions operable to, when executed by a computing device, cause the computing device to”, [0020] “Systems, methods, and non-transitory computer-readable media are provided for a context-sensitive, interactive log system.”). Claims (5-6), (14-15), and (20) are rejected under 35 U.S.C. 103 as being unpatentable over MILLS-MARTIN in further view of BERGER (US 11757907 B1), hereafter BERGER. 
Regarding claim 5, MILLS-MARTIN teaches the limitations previously demonstrated, however does not appear to explicitly teach the following limitations demonstrated by BERGER: The computer security method for analyzing a plurality of data sets for remediating security incidents in a cloud-based response system as recited in claim 1, wherein the primary events are presented with a signal that can indicate a vulnerability associated with a computing system of the computer network(BERGER column 5 lines 48-59 “Illustratively, the vulnerability user interface may be an interactive display that summarizes the vulnerabilities detected across the network, provides detailed information regarding individual vulnerabilities, and allows presentation at various degrees of granularity between these extremes. For example, the vulnerability user interface may include color-coded severity indicators and display objects that represent groups of vulnerabilities (e.g., groups of devices that each exhibit a particular vulnerability or set of vulnerabilities). A user may activate an individual display object to obtain more information about the group of devices/vulnerabilities that the display object represents.”), a prediction associated with the vulnerability (BERGER column 40 lines 39-49 “At block 1925, the cybersecurity AI/ML service 1742 may generate output data from the threat prediction model 1808A using the input data. Illustratively, the output data may include probabilities of particular threats being experienced by the target network based on the input data provided to the model 1808A. 
For example, the threat prediction model 1808A may produce probabilities for each possible threat that the model has been trained to analyze, probabilities for the n highest-probability threats that the model 1808A has produced for the target network, the highest-probably threat, or the like.”), and a remediation for the vulnerability (BERGER column 40 lines 50-57 “At block 1930, the cybersecurity AI/ML service 1742 may provide information regarding the determined threats. The information may identify the highest-probability threat(s), the probabilities, recommended remediations, some combination thereof, etc. Illustratively, the information regarding the determined threats may be presented in any of a variety of modalities, such as: text-based and/or graphic-based presentations via a GUI;”).

Since MILLS-MARTIN and BERGER are from the same field of endeavor as both are directed to secure memory log functions, which is within the same field of endeavor as the claimed invention, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify and combine the teachings of MILLS-MARTIN and BERGER by incorporating the teachings of BERGER into MILLS-MARTIN. The motivation to combine is to improve network security logging functions and verification thereof. (MILLS [AB]; MARTIN [AB]).

Regarding claim 6, MILLS-MARTIN in further view of BERGER teaches: The computer security method for analyzing a plurality of data sets for remediating security incidents in a cloud-based response system as recited in claim 5, wherein the signal is generated using natural language processing (BERGER column 49 lines 30-36 “In some embodiments, other methods of input, output, and interactivity may be used. 
Illustratively, the cybersecurity assessment system 120 may provide automatic natural language dialogs instead of—or in addition to—any of the graphical user interfaces and other user-facing input/output methods described herein.”, column 49 lines 44-54 “The automated natural language dialogs may leverage data regarding assessments, solutions, threats, remediations, recommendations, and the like to guide users. For example, automated natural language dialogs may be used instead of—or in addition to—other user interfaces for performing audits of cybersecurity framework compliance, obtaining results of automated threat analysis generated using machine learning models, obtaining remediation recommendations generated using machine learning models, provisioning and maintaining the ongoing operation of cybersecurity services, and the like.). Regarding claims (14-15) and (20), claims (14-15) and (20) recite substantially similar limitations as claims (5-6) and (5) respectively, in the embodiments of “A non-transitory computer-readable medium comprising instructions that are executable by a processing device for causing the processing device to perform operations” and “A cloud-based response system for analyzing data for remediating security incidents in a cloud environment,” such as taught by MILLS-MARTIN in view of BERGER (MILLS [0009] “In another embodiment, a non-transitory computer-readable medium is provided, the medium having executable instructions operable to, when executed by a computing device, cause the computing device to”, [0020] “Systems, methods, and non-transitory computer-readable media are provided for a context-sensitive, interactive log system.”). 
Conclusion The prior art made of record and not relied upon is considered pertinent to the applicant’s disclosure: Chauhan; Vijay US 9363149 B1 Management Console For Network Security Investigations ([AB] “Techniques and mechanisms are disclosed that enable network security analysts and other users to efficiently conduct network security investigations and to produce useful representations of investigation results. As used herein, a network security investigation generally refers to an analysis by an analyst (or team of analysts) of one or more detected network events that may pose internal and/or external threats to a computer network under management. A network security application provides various interfaces that enable users to create investigation timelines, where the investigation timelines display a collection of events related to a particular network security investigation. A network security application further provides functionality to monitor and log user interactions with the network security application, where particular logged user interactions may also be added to one or more investigation timelines.”) Chauhan; Vijay US 9516052 B1 Timeline Displays Of Network Security Investigation Events ([AB] “Techniques and mechanisms are disclosed that enable network security analysts and other users to efficiently conduct network security investigations and to produce useful representations of investigation results. As used herein, a network security investigation generally refers to an analysis by an analyst (or team of analysts) of one or more detected network events that may pose internal and/or external threats to a computer network under management. A network security application provides various interfaces that enable users to create investigation timelines, where the investigation timelines display a collection of events related to a particular network security investigation. 
A network security application further provides functionality to monitor and log user interactions with the network security application, where particular logged user interactions may also be added to one or more investigation timelines.”) Beraldo dos Santos; Yves A. US 20170364431 A1 Efficiently Debugging Software Code ([AB] “A mechanism is provided for efficiently debugging software code. A set of modified log files associated with the software code is presented to a software debugging user. Responsive to receiving an indication from the software debugging user to tag a portion of a modified log file of the set of modified log files with a tag, the portion of the modified log file is tagged such that the tag of the portion of the modified log file is utilized in debugging the software code. The tag of the portion of the modified log file is propagated to a plurality of other software debugging users who are viewing the modified log file.”) Wainer; Douglas George US 11777970 B1 Granular And Prioritized Visualization Of Anomalous Log Data ([AB] “Disclosed herein are methods, systems, and processes for granular and prioritized visualization of anomalous log data. Log data that includes several logs is accessed. A unique identifier is generated for each log by generating a single hash for one or more fields in each log. Based on the hashing, the several logs are converted into a series of unique identifiers. A timestamp for each log in the series of unique identifiers is appended to generate a list of timestamps for each unique identifier in the series of unique identifiers. The list of timestamps for each unique identifier is overlayed on a time series graph in a graphical user interface (GUI).”) Any inquiry concerning this communication or earlier communications from the examiner should be directed to Kamryn Gillespie whose telephone number is 703-756-5498. The examiner can normally be reached on Monday through Thursday from 9am to 6pm. 
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Linglan Edwards can be reached on (571) 270-5440. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /K.J.G./Examiner, Art Unit 2408 /LINGLAN EDWARDS/Supervisory Patent Examiner, Art Unit 2408

Prosecution Timeline

Oct 02, 2024
Application Filed
Mar 06, 2026
Non-Final Rejection — §101, §103, §112 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12596795
DETECTING A CURRENT ATTACK BASED ON SIGNATURE GENERATION TECHNIQUE IN A COMPUTERIZED ENVIRONMENT
2y 5m to grant Granted Apr 07, 2026
Patent 12596796
Self-synchronous Side-Channel Attack Countermeasure
2y 5m to grant Granted Apr 07, 2026
Patent 12554859
GENERATING 3-DIMENSIONAL MODELS AND CONNECTIONS TO PROVIDE VULNERABILITY CONTEXT
2y 5m to grant Granted Feb 17, 2026
Patent 12518004
MITIGATING POINTER AUTHENTICATION CODE (PAC) ATTACKS IN PROCESSOR-BASED DEVICES
2y 5m to grant Granted Jan 06, 2026
Patent 12511376
METHOD, SYSTEM, AND TECHNIQUES FOR PREVENTING ANALOG DATA LOSS
2y 5m to grant Granted Dec 30, 2025
Study what changed to get past this examiner. Based on 5 most recent grants.


Prosecution Projections

Expected OA Rounds: 1-2
Grant Probability: 73%
With Interview (+50.0%): 99%
Median Time to Grant: 2y 8m
PTA Risk: Low
Based on 22 resolved cases by this examiner. Grant probability derived from career allow rate.
