Prosecution Insights
Last updated: April 19, 2026
Application No. 18/883,054

User Device Agent Event Detection and Recovery

Non-Final OA: §103, §DP
Filed: Sep 12, 2024
Examiner: CHAMPAKESAN, BADRI NARAYANAN
Art Unit: 2494
Tech Center: 2400 (Computer Networks)
Assignee: Iru Inc.
OA Round: 1 (Non-Final)

Grant Probability: 91% (Favorable)
OA Rounds: 1-2
To Grant: 2y 2m
With Interview: 99%

Examiner Intelligence

Career Allow Rate: 91% (345 granted / 379 resolved; +33.0% vs TC avg; above average)
Interview Lift: +65.4% on resolved cases with interview (strong)
Avg Prosecution (typical timeline): 2y 2m; 8 currently pending
Total Applications (career history): 387 across all art units

Statute-Specific Performance (based on career data from 379 resolved cases; compared against the Tech Center average estimate)

§101: 21.4% (-18.6% vs TC avg)
§103: 38.6% (-1.4% vs TC avg)
§102: 6.7% (-33.3% vs TC avg)
§112: 19.3% (-20.7% vs TC avg)

Office Action

§103 §DP
Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement

The information disclosure statement (IDS) submitted is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Double Patenting

The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).

A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).

The filing of a terminal disclaimer by itself is not a complete reply to a nonstatutory double patenting (NSDP) rejection. A complete reply requires that the terminal disclaimer be accompanied by a reply requesting reconsideration of the prior Office action. Even where the NSDP rejection is provisional the reply must be complete. See MPEP § 804, subsection I.B.1. For a reply to a non-final Office action, see 37 CFR 1.111(a). For a reply to final Office action, see 37 CFR 1.113(c). A request for reconsideration while not provided for in 37 CFR 1.113(c) may be filed after final for consideration. See MPEP §§ 706.07(e) and 714.13.

The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The actual filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/apply/applying-online/eterminal-disclaimer.

Claims 1 – 20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims of U.S. Patent No. 12113814. Although the claims at issue are not identical, they are not patentably distinct from each other because the claims at issue of the instant application are obvious over the already issued patent without any distinguishing embodiments per se.
For instance: independent claim 1 conveys that: upon receiving an event about a file, a series of hashes are calculated concurrently for the file reading thread to check if they satisfy a security rule and if so, the file is quarantined – which is similar to the issued patent’s independent claim 1. The same is true for other claims per se.

Instant App. 18883054 | Patent #: 12113814

1. A method, comprising: receiving, at an endpoint detection and response (EDR) module at a user device, a notification of an event at the user device; upon determining, by the EDR module, that the event is associated with a file stored at the user device, instantiating, by the EDR module, a sequential file reading thread associated with the file; upon receiving file data from the sequential file reading thread by a plurality of hash functions at the EDR module, generating a plurality of file hash values by calculating a plurality of hash functions concurrently for the sequential file reading thread; and quarantining the file upon determining, by the EDR module, that one or more file hash values of the plurality of file hash values satisfies a security rule.

2. The method of claim 1, further comprising: instantiating, by an event tracer module at the user device, an event tracer tree that is associated with the file; generating, by the event tracer module, an event tracer tree root node that is associated with the file; receiving, by the event tracer module, new event data associated with the file, the new event data being associated with a file system event at the user device; routing, by the event tracer module, the new event data to an event handler based on a determined event type of the new event data, wherein the determined event type indicates that a change has been made to the file; generating, by the event tracer module, a new node in the event tracer tree based on the new event data; and resolving, by the event tracer module, a file system discrepancy at the user device using the event tracer tree, the file system discrepancy having been caused by the file system event.

3. The method of claim 2, wherein generating the plurality of file hash values comprises: resolving, by the event tracer module, the file system discrepancy while a hash function of the plurality of hash functions is generating a respective file hash value.

4. The method of claim 1, further comprising: generating each file hash value of the plurality of file hash values by a respective hash function that is associated with a parent node of an event tracer tree; wherein: a first child node of the event tracer tree is associated with the file for a first location of the file in a file system at the user device; a second child node of the event tracer tree is associated with the file in a second location in the file system at the user device after the file has been moved from the first location to the second location; and the method further comprises: upon determining, by the event tracer tree, that the hash function is awaiting additional data from the file, receiving the additional data from the file, using the event tracer tree and the second child node.

5. The method of claim 1, further comprising: identifying, by the EDR module, a plurality of files in a file system at the user device to be scanned; for each identified file, instantiating, by the EDR module, a respective additional sequential file reading thread; and upon receiving file data from each associated sequential file reading thread by the plurality of hash functions at the EDR module, generating file hash values of the plurality of file hash values by calculating the plurality of hash functions concurrently for each additional sequential file reading thread.

6. The method of claim 5, wherein: each additional sequential file reading thread buffers in respective file data asynchronously from an associated hash function.

7. The method of claim 5, further comprising: determining, by the EDR module, if the user device is offline; and upon determining, by the EDR module, that the user device is offline, performing a rule-based local storage scan using the plurality of file hash values.

8. The method of claim 5, wherein: each sequential file reading thread is instantiated by the EDR module as a low-priority thread.

9. The method of claim 1, wherein the quarantining the file further comprises: encrypting, by the EDR module, the file; and storing, by the EDR module, the encrypted file in a quarantine file system directory at the user device.

10. The method of claim 1, further comprising: receiving, from a remote management platform, a plurality of security rules at the EDR module at the user device; subscribing, by the EDR module, to one or more event types at the user device; wherein the notification of the event at the user device corresponded to one of the subscribed event types; and the plurality of security rules comprises the security rule that the file hash value satisfied.

11. The method of claim 10, further comprising: subscribing, by the EDR module, to another event type at the user device; receiving, at the EDR module, another notification corresponding to the other subscribed event type; upon determining, by the EDR module, that the event is associated with a process, determining, by the EDR module, that the process satisfies another security rule of the plurality of security rules; upon determining, by the EDR module, that the process satisfies the other security rule, preventing the process from executing at the user device; and reporting to the remote management platform that the execution of the process has been prevented.

12. A method, comprising: receiving, from a remote management platform, a plurality of security rules at an endpoint detection and response (EDR) module at a user device; subscribing, by the EDR module, to one or more event types at the user device; receiving, at the EDR module, a notification of an event corresponding to one of the subscribed event types; upon determining, by the EDR module, that the event is associated with a file stored at the user device, instantiating, by an event tracer module, an event tracer tree that is associated with the file; generating, by the EDR module, a file hash value for the file using the event tracer tree; and upon determining, by the EDR module, that the file hash value satisfies a security rule, quarantining the file.

13. The method of claim 12, further comprising: generating, by the event tracer module, an event tracer tree root node that is associated with the file; receiving, by the event tracer module, new event data associated with the file, the new event data being associated with a file system event at the user device; routing, by the event tracer module, the new event data to an event handler based on a determined event type of the new event data, wherein the determined event type indicates that a change has been made to the file; generating, by the event tracer module, a new node in the event tracer tree based on the new event data; and resolving, by the event tracer module, a file system discrepancy at the user device using the event tracer tree, the file system discrepancy having been caused by the file system event.

14. The method of claim 13, wherein generating the file hash value for the file using the event tracer tree comprises: resolving, by the event tracer module, the file system discrepancy while a hash function is generating the file hash value.

15. The method of claim 12, further comprising: generating the file hash value by a hash function that is associated with a parent node of the event tracer tree; wherein: a first child node of the event tracer tree is associated with the file for a first location of the file in a file system at the user device; a second child node of the event tracer tree is associated with the file in a second location in the file system at the user device after the file has been moved from the first location to the second location; and the method further comprises: upon determining, by the event tracer tree, that the hash function is awaiting additional data from the file, receiving the additional data from the file, using the event tracer tree and the second child node.

16. The method of claim 12, further comprising: identifying, by the EDR module, a plurality of files in a file system at the user device to be scanned; for each identified file, instantiating, by the EDR module, a respective sequential file reading thread; and upon receiving file data from each associated sequential file reading thread by a plurality of hash function threads at the EDR module, generating a plurality of file hash values by calculating a plurality of hash functions concurrently for each sequential file reading thread.

17. The method of claim 16, wherein: each sequential file reading thread buffers in respective file data asynchronously from an associated hash function.

18. The method of claim 16, further comprising: determining, by the EDR module, if the user device is offline; and upon determining, by the EDR module, that the user device is offline, performing a rule-based local storage scan using the plurality of file hash values.

19. The method of claim 12, further comprising: providing, by the management platform, a user interface to an administrator device that is remote from the management platform and the user device, the user interface providing a plurality of configuration setting options; and receiving, by the user interface, an indication of a selected configuration setting of the plurality of configuration setting options; wherein the plurality of security rules is identified, at the EDR module, based on the selected configuration setting.

20. The method of claim 12, further comprising: subscribing, by the EDR module, to another event type at the user device; receiving, at the EDR module, another notification corresponding to the other subscribed event type; upon determining, by the EDR module, that the event is associated with a process, determining, by the EDR module, that the process satisfies another security rule of the plurality of security rules; upon determining, by the EDR module, that the process satisfies the other security rule, preventing the process from executing at the user device; and reporting to the remote management platform that the execution of the process has been prevented.
(Currently Amended) A method, comprising: receiving, from a remote management platform, a plurality of security rules at an endpoint detection and response (EDR) module at a user device; subscribing, by the EDR module, to one or more event types at the user device; receiving, at the EDR module, a notification of an event corresponding to one of the subscribed event types; upon determining, by the EDR module, that the event is associated with a file stored at the user device, instantiating, by an event tracer module, an event tracer tree that is associated with the file; identifying, by the EDR module, a plurality of files in a file system at the user device to be scanned; for each identified file, instantiating, by the EDR module, a respective sequential file reading thread; upon receiving file data from each associated sequential file reading thread by a plurality of hash function threads at the EDR module, generating a plurality of file hash values by calculating a plurality of hash functions concurrently for each sequential file reading thread; generating, by the EDR module, a file hash value of the plurality of file hash values for the file using the event tracer tree; upon determining, by the EDR module, that the file hash value satisfies a security rule, quarantining the file; and reporting to a management platform that the file has been quarantined.

(Original) The method of claim 1, further comprising: generating, by the event tracer module, an event tracer tree root node that is associated with the file; receiving, by the event tracer module, new event data associated with the file, the new event data being associated with a file system event at the user device; routing, by the event tracer module, the new event data to an event handler based on a determined event type of the new event data, wherein the determined event type indicates that a change has been made to the file; generating, by the event tracer module, a new node in the event tracer tree based on the new event data; and resolving, by the event tracer module, a file system discrepancy at the user device using the event tracer tree, the file system discrepancy having been caused by the file system event.

(Original) The method of claim 2, wherein generating a file hash value for the file using the event tracer tree comprises: resolving, by the event tracer module, the file system discrepancy while a file hash process is generating the file hash value.

(Currently Amended) The method of claim 1, wherein: the file hash value is generated by a file hash process that is associated with a parent node of the file tracer tree; a first child node of the file tracer tree is associated with the file for a first location of the file in [[a]] the file system at the user device; a second child node of the file tracer tree is associated with the file in a second location in the file system at the user device after the file has been moved from the first location to the second location; and the method further comprises: upon determining, by the file tracer tree, that the file hash process is awaiting additional data from the file, receiving the additional data from the file, using the file tracer tree and the second child node.

(Canceled).

(Currently Amended) The method of claim [[5]] 1, wherein: each sequential file reading thread buffers in respective file data asynchronously from an associated hash function thread of the plurality of hash function threads.

(Currently Amended) The method of claim [[5]] 1, further comprising: determining, by the EDR module, if the user device is offline; and upon determining, by the EDR module, that the user device is offline, performing a rule-based local storage scan using the plurality of file hash values.

(Currently Amended) The method of claim [[5]] 1, wherein: each sequential file reading thread is instantiated by the EDR module as a low-priority thread.

(Original) The method of claim 1, wherein quarantining the file comprises: encrypting, by the EDR module, the file; and storing, by the EDR module, the encrypted file in a quarantine file system directory at the user device.

(Original) The method of claim 1, further comprising: providing, by the management platform, a user interface to an administrator device that is remote from the management platform and the user device, the user interface providing a plurality of configuration setting options; and receiving, by the user interface, an indication of a selected configuration setting of the plurality of configuration setting options; wherein the plurality of security rules are identified, at the EDR module, based on the selected configuration setting.

(Original) The method of claim 1, further comprising: subscribing, by the EDR module, to another event type at the user device; receiving, at the EDR module, another notification corresponding to the other subscribed event type; upon determining, by the EDR module, that the event is associated with a process, determining, by the EDR module, that the process satisfies another security rule of the plurality of security rules; upon determining, by the EDR module, that the process satisfies the other security rule, preventing the process from executing at the user device; and reporting to the remote management platform that the execution of the process has been prevented.

(Currently Amended) A method, comprising: subscribing, by an endpoint detection and response (EDR) module at a user device, to one or more events at the user device; receiving, at device; upon determining, by the EDR module, that the event is associated with a file stored at the user device, instantiating, by an event tracer module, an event tracer tree that is associated with the file; generating, by the event tracer module, an event tracer tree root node that is associated with the file; receiving, by the event tracer module, new event data associated with the file, the new event data being associated with a file system event at the user device; routing, by the event tracer module, the new event data to an event handler based on a determined event type of the new event data, wherein the determined event type indicates that a change has been made to the file; generating, by the event tracer module, a new node in the event tracer tree based on the new event data; resolving, by the event tracer module, a file system discrepancy at the user device using the event tracer tree, the file system discrepancy having been caused by the file system event; generating, by the EDR module, a file hash value for the file using the event tracer tree; and upon determining, by the EDR module, that the file hash value satisfies a security rule received from a remote management platform, quarantining the file.

(Canceled).

(Currently Amended) The method of claim [[13]] 12, wherein generating a file hash value for the file using the event tracer tree comprises: resolving, by the event tracer module, the file system discrepancy while a file hash process is generating the file hash.

(Original) The method of claim 12, wherein: the file hash value is generated by a file hash process that is associated with a parent node of the file tracer tree; a first child node of the file tracer tree is associated with the file at a first location of the file of a file system at the user device; a second child node of the file tracer tree is associated with the file in a second location in the file system after the file has been moved from the first location to the second location; and the method further comprises: upon determining, by the file tracer tree, that the file hash process is awaiting additional data from the file, receiving the additional data from the file, using the file tracer tree and the second child node.

(Original) The method of claim 12, further comprising: identifying, by the EDR module, a plurality of files in a file system of the user device to be scanned; for each identified file, instantiating, by the EDR module, a respective sequential file reading thread; and upon receiving file data from each associated sequential file reading thread by a plurality of hash functions at the EDR module, generating a plurality of file hash values by calculating a plurality of hash functions concurrently for each sequential file reading thread.

(Original) The method of claim 16, wherein: each sequential file reading thread buffers in file data asynchronously from an associated hash function thread.

(Original) The method of claim 16, wherein: each sequential file reading thread is instantiated by the EDR module as a low-priority thread.

(Original) The method of claim 12, wherein quarantining the file comprises: encrypting, by the EDR module, the file; and storing, by the EDR module, the encrypted file in a quarantine file system directory at the user device.

(Original) The method of claim 12, further comprising: subscribing, by the EDR module, to another event type at the user device; receiving, at the EDR module, another notification corresponding to the other subscribed event type; upon determining, by the EDR module, that the event is associated with a process, determining, by the EDR module, that the process satisfies another security rule; upon determining, by the EDR module, that the process satisfies the other security rule, preventing the process from executing at the user device; and reporting to a management platform that the execution of the process has been prevented.

Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:

1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claim(s) 1 is/are rejected under 35 U.S.C. 103 as being unpatentable over Bhatia et al (US 20240146746), Bha and Prabhu et al (US 11,397,808), Pra.

Claim 1: Bha teaches a method, comprising: receiving, at an endpoint detection and response (EDR) module at a user device, a notification of an event at the user device; ([037] the system aggregator receives events from connected endpoints. [021, Figs. 1 & 2] automated threat handler code block 200 inside block 113 at the user endpoint is the Endpoint Detection and Response (EDR) system). upon determining, by the EDR module, that the event is associated with a file stored at the user device, instantiating, by the EDR module, a sequential file reading thread associated with the file; ([03] In response to receipt of an alert from the EDR system, the body of the alert is analyzed to automatically detect one or more “observables” in the alert... [023] Processing circuitry implements multiple processor threads. Representative observables include high-risk hashes, encoded commands, ... , and the like (i.e., a sequential file reading thread)). and quarantining the file upon determining, by the EDR module, that one or more file hash values of the plurality of file hash values satisfies a security rule. ([037-38] ...based on predefined rules in the rules library... comparing real time data to historical data and established baselines to identify suspicious activity, aberrant end-user activity, and anything that might indicate a cybersecurity incident or threat. [042] The set of one or more observables (the value of a hash, high-risk hashes) identified in the alert body are evaluated...).

Bha is silent on upon receiving file data from the sequential file reading thread by a plurality of hash functions at the EDR module, generating a plurality of file hash values by calculating a plurality of hash functions concurrently for the sequential file reading thread; But analogous art Pra teaches upon receiving file data from the sequential file reading thread by a plurality of hash functions at the EDR module, generating a plurality of file hash values by calculating a plurality of hash functions concurrently for the sequential file reading thread; (C16L65-67, C17L22-29, 50-57: spatial context indicates where a particular edge of the activity is happening, based on hashes of attributes of the activity… the tag applied to an edge of an execution graph is one of a tag based on threat intelligence internet protocol (IP), a tag based on threat intelligence file hash. These tags shall be hashes, IoCs, asset tags, etc. Using the tag based on threat intelligence file hash, the tag engine can associate file hashes to threat activities such as phishing, botnets, or malware... The tag engine can determine a tag based on threat intelligence file hash using VirusTotal™ products; C11L41-42: when the conditions of a rule are satisfied, the matching behavior is marked as an IoC…). Therefore, it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Bha to include the idea of computing hashes for file to detect threats as taught by Daw so that armed with a clear visualization of a security posture spanning an entire enterprise environment, security analysts can observe all weaknesses that an attack has taken advantage of, and use this information to bolster defenses in a meaningful way (C4L35-39).

Claim(s) 9 is/are rejected under 35 U.S.C. 103 as being unpatentable over Bha and Pra as applied to claims above, and further in view of Kienow et al (US 12316648), Kie.

Claim 9: the combination of Bha and Pra teaches the method of claim 1, but analogous art Kie teaches wherein the quarantining the file further comprises: encrypting, by the EDR module, the file; and storing, by the EDR module, the encrypted file in a quarantine file system directory at the user device. (Kie: Fig. 6: The security measure involves encrypting unencrypted data, providing safeguards to protect the data, quarantining the data and/or assets associated with the data, implementing scans to detect malicious activity, or the like). Therefore, it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combined inventions of Bha and Pra to include the idea of encrypt and store quarantine file as taught by Kie so that users therefore be more inclined to focus their efforts to safeguard highly valuable data (in terms of value to threat actors) and assets associated with said highly valuable data (C12L27-30).

Claim(s) 10 is/are rejected under 35 U.S.C. 103 as being unpatentable over Bha and Pra as applied to claims above, and further in view of Edwards et al (US 20220318377), Ed.

Claim 10: the combination of Bha and Pra teaches the method of claim 1, further comprising: but analogous art Ed teaches receiving, from a remote management platform, a plurality of security rules at the EDR module at the user device; subscribing, by the EDR module, to one or more event types at the user device; wherein the notification of the event at the user device corresponded to one of the subscribed event types; and the plurality of security rules comprises the security rule that the file hash value satisfied. (Ed: [0147] Local network contracts with or subscribe to a security services provider, which provides security services, updates, antivirus definitions, patches, products, and services. security services provider includes a threat intelligence capability such as the global threat intelligence database provided. Security services provider updates its threat intelligence database by analyzing new candidate malicious objects as they appear on client networks and characterizing them as malicious or benign). Therefore, it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combined inventions of Bha and Pra to include the idea of subscribe to receive rules as taught by Ed so that events can be captured and improved by widely monitoring the real actor [083].

Claim(s) 12, 19, 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Bha, Pra and Ed.

Claim 12: Bha teaches a method, comprising: receiving, from a remote management platform, a plurality of security rules at an endpoint detection and response (EDR) module at a user device; upon determining, by the EDR module, that the event is associated with a file stored at the user device, instantiating, by an event tracer module, an event tracer tree that is associated with the file; and upon determining, by the EDR module, that the file hash value satisfies a security rule, quarantining the file. ([037] the system aggregator receives events from connected endpoints. [021, Figs. 1 & 2] automated threat handler code block 200 inside block 113 at the user endpoint is the Endpoint Detection and Response (EDR) system; [03] In response to receipt of an alert from the EDR system, the body of the alert is analyzed to automatically detect one or more “observables” in the alert... [023] Processing circuitry implements multiple processor threads. Representative observables include high-risk hashes, encoded commands, ... , and the like (i.e., a sequential file reading thread); [037-38] ...based on predefined rules in the rules library... comparing real time data to historical data and established baselines to identify suspicious activity, aberrant end-user activity, and anything that might indicate a cybersecurity incident or threat. [042] The set of one or more observables (the value of a hash, high-risk hashes) identified in the alert body are evaluated... Remediation involves automated threat response, threat isolation and remediation, and support for threat hunting...).

Analogous art Pra teaches generating, by the EDR module, a file hash value for the file using the event tracer tree; (Pra: C16L65-67, C17L22-29, 50-57: spatial context indicates where a particular edge of the activity is happening, based on hashes of attributes of the activity… the tag applied to an edge of an execution graph is one of a tag based on threat intelligence internet protocol (IP), a tag based on threat intelligence file hash. These tags shall be hashes, IoCs, asset tags, etc. Using the tag based on threat intelligence file hash, the tag engine can associate file hashes to threat activities such as phishing, botnets, or malware... The tag engine can determine a tag based on threat intelligence file hash using VirusTotal™ products; C11L41-42: when the conditions of a rule are satisfied, the matching behavior is marked as an IoC…). Therefore, it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Bha to include the idea of computing hashes for file to detect threats as taught by Daw so that armed with a clear visualization of a security posture spanning an entire enterprise environment, security analysts can observe all weaknesses that an attack has taken advantage of, and use this information to bolster defenses in a meaningful way (C4L35-39).
The combination of Bha and Pra is silent on subscribing, by the EDR module, to one or more event types at the user device; receiving, at the EDR module, a notification of an event corresponding to one of the subscribed event types; But analogous art Ed teaches subscribing, by the EDR module, to one or more event types at the user device; receiving, at the EDR module, a notification of an event corresponding to one of the subscribed event types; (Ed: [0147] Local network contracts with or subscribe to a security services provider, which provides security services, updates, antivirus definitions, patches, products, and services. security services provider includes a threat intelligence capability such as the global threat intelligence database provided. Security services provider updates its threat intelligence database by analyzing new candidate malicious objects as they appear on client networks and characterizing them as malicious or benign). Therefore, it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combined inventions of Bha and Pra to include the idea of subscribe to receive rules as taught by Ed so that events can be captured and improved by widely monitoring the real actor [083]. Claim 19: the combination of Bha, Pra and Ed teaches the method of claim 12, further comprising: providing, by the management platform, a user interface to an administrator device that is remote from the management platform and the user device, the user interface providing a plurality of configuration setting options; and receiving, by the user interface, an indication of a selected configuration setting of the plurality of configuration setting options; wherein the plurality of security rules is identified, at the EDR module, based on the selected configuration setting. (Bha: C15L23-67, Figs. 
12 – 13: the posture engine is a logical interface that exposes a distributed execution graph to a user through one or more APIs and enables the user to operate on the graph. The policy engine allows an organization/enterprise to create, monitor, and enforce rules about how network resources and data reflected by the graph can be accessed. The posture engine in communication with the policy engine receives and interprets the user operations or controls on the graph, and output and/or visualize an operation result (a processed graph, a notification) based on processing the user operations or controls. The posture engine also provides instructions and/or options that guide the user to operate on the graph (via one or more user interfaces) … the user can operate on the graph using an "if this then that" (IFTTT) approach. An IFTT rule used for automatically tagging an edge/behaviour can be created based on user input. The posture engine allows the user to edit the execution graph based on the IFTT approach. Upon receiving and processing the user operation(s) on the graph, the posture engine outputs a graph. In the graph, the /root/.ssh/authorized keys file of node on the graph is removed, based on a user operation of tagging the edge as malicious). Claim 20: the combination of Bha, Pra and Ed teaches the method of claim 12, further comprising: subscribing, by the EDR module, to another event type at the user device; receiving, at the EDR module, another notification corresponding to the other subscribed event type; upon determining, by the EDR module, that the event is associated with a process, determining, by the EDR module, that the process satisfies another security rule of the plurality of security rules; upon determining, by the EDR module, that the process satisfies the other security rule, preventing the process from executing at the user device; and reporting to the remote management platform that the execution of the process has been prevented. 
(Ed: [0147, Fig. 12A-12B-13] Local network contracts with or subscribe to a security services provider, which provides security services, updates, antivirus definitions, patches, products, and services. security services provider includes a threat intelligence capability such as the global threat intelligence database provided. Security services provider updates its threat intelligence database by analyzing “new candidate malicious objects” as they appear on client networks and characterizing them as malicious or benign; [277-282] Security agent can compile these data into a report, which groups certain actions by their common responsible actor… Remediation report includes, any remedial actions that may need to be taken responsive to the actions or actors identified in report). Therefore, it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combined inventions of Bha and Pra to include the idea of subscribe to receive rules as taught by Ed so that events can be captured and improved by widely monitoring the real actor [083]. Allowable Subject Matter Claims 2 – 8, 11, 13 – 18 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims. Conclusion The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See PTO-892. Any inquiry concerning this communication or earlier communications from the examiner should be directed to Badri Champakesan whose telephone number is (571)270-3867. The examiner can normally be reached M-F: 8.30am-4.30pm (EST). Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. 
To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jung Kim can be reached at (571) 272-3804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /BADRINARAYANAN /Primary Examiner, Art Unit 2494.
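The agent-side flow the rejected claims recite (rules pushed from a remote management platform, the EDR module subscribing to event types, hashing a file when a subscribed event names it, matching the digest against a rule, quarantining by encrypting the file into a quarantine directory, preventing a rule-matched process, and reporting) can be sketched end to end. The Python below is an added illustration written for this page, not code from the application, from the cited Bha/Pra/Kie/Ed references, or from any product. The rule format, the event dictionaries, the class and method names, and the HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag are all assumptions chosen so it runs offline on the standard library alone; a shipping agent would use a vetted AEAD such as AES-GCM. The event tracer tree of claim 12 is not described on this page and is left out. The sample files and rules are constructed.

```python
"""Added example (not the application's code): an EDR module that subscribes to
events, hashes files, matches platform-pushed rules and quarantines by encryption."""
import hashlib
import hmac
import os
import pathlib
import tempfile


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys derived from the agent's quarantine key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a stand-in stream cipher (use AES-GCM for real).
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(out[:length])


def encrypt(key: bytes, data: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(_subkey(key, b"enc"), nonce, len(data))))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag  # encrypt-then-MAC layout: nonce || ciphertext || tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("quarantined blob failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))


def sha256_file(path: pathlib.Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class EdrModule:
    """Hypothetical agent-side module; reports are collected in a list in place of
    being sent to the remote management platform."""

    def __init__(self, quarantine_dir: pathlib.Path, key: bytes):
        self.quarantine_dir = pathlib.Path(quarantine_dir)
        self.quarantine_dir.mkdir(parents=True, exist_ok=True)
        self.key = key  # must not be stored beside the quarantine directory
        self.file_hash_rules: set[str] = set()
        self.process_rules: set[str] = set()
        self.subscribed: set[str] = set()
        self.reports: list[dict] = []

    def receive_rules(self, rules: list[dict]) -> None:
        # Rules as pushed from the management platform (assumed JSON-like shape).
        for rule in rules:
            if rule["kind"] == "file_hash":
                self.file_hash_rules.add(rule["sha256"].lower())
            elif rule["kind"] == "process":
                self.process_rules.add(rule["name"].lower())

    def subscribe(self, *event_types: str) -> None:
        self.subscribed.update(event_types)

    def on_event(self, event: dict) -> str:
        if event["type"] not in self.subscribed:  # never subscribed: drop it
            return "not-subscribed"
        if "path" in event:  # event tied to a file: hash, then match rules
            path = pathlib.Path(event["path"])
            digest = sha256_file(path)
            if digest in self.file_hash_rules:
                self.quarantine(path, digest)
                return "quarantined"
            return "allowed"
        if "process" in event:  # event tied to a process: match, then prevent
            if event["process"].lower() in self.process_rules:
                self.reports.append({"action": "prevented", "process": event["process"]})
                return "prevented"
            return "allowed"
        return "unhandled"

    def quarantine(self, path: pathlib.Path, digest: str) -> pathlib.Path:
        # Encrypted copy is inert to scanners and users; original is removed.
        dest = self.quarantine_dir / f"{digest}.qtn"
        dest.write_bytes(encrypt(self.key, path.read_bytes()))
        path.unlink()
        self.reports.append({"action": "quarantined", "path": str(path), "sha256": digest})
        return dest

    def restore(self, digest: str) -> bytes:
        # Analyst-driven recovery; integrity is checked before the bytes come back.
        return decrypt(self.key, (self.quarantine_dir / f"{digest}.qtn").read_bytes())


def demo() -> dict:
    """Run the pipeline on constructed sample files and return the outcomes."""
    payload = b"MZ constructed sample, not real malware"
    with tempfile.TemporaryDirectory() as tmp:
        root = pathlib.Path(tmp)
        bad, good = root / "invoice.exe", root / "notes.txt"
        bad.write_bytes(payload)
        good.write_bytes(b"harmless text")
        bad_hash = hashlib.sha256(payload).hexdigest()
        edr = EdrModule(root / "quarantine", os.urandom(32))
        edr.receive_rules([{"kind": "file_hash", "sha256": bad_hash},
                           {"kind": "process", "name": "dropper.exe"}])  # constructed
        edr.subscribe("file_create", "process_start")
        return {
            "bad_file": edr.on_event({"type": "file_create", "path": str(bad)}),
            "good_file": edr.on_event({"type": "file_create", "path": str(good)}),
            "bad_process": edr.on_event({"type": "process_start", "process": "dropper.exe"}),
            "unsubscribed": edr.on_event({"type": "registry_write", "path": str(good)}),
            "original_removed": not bad.exists(),
            "restored_intact": edr.restore(bad_hash) == payload,
            "reports": len(edr.reports),
        }
```

Two practical points the claims gloss over: the quarantine key has to live somewhere the quarantine store cannot read (otherwise encrypting buys nothing against an attacker who already has the directory), and the original must be removed or truncated only after the encrypted copy is durably written, or a crash mid-quarantine loses the sample an analyst later wants to restore.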

Prosecution Timeline

Sep 12, 2024: Application Filed
Mar 02, 2026: Examiner Interview (Telephonic)
Mar 11, 2026: Non-Final Rejection — §103, §DP (current)

Precedent Cases

Applications granted by this same examiner with similar technology (based on the 5 most recent grants):

Patent 12603905: DETECTING MULTI-SEGMENT MALICIOUS EMAIL ATTACKS (granted Apr 14, 2026; 2y 5m to grant)
Patent 12603764: Data Protection with Two Password Asymmetric Encryption (granted Apr 14, 2026; 2y 5m to grant)
Patent 12597030: Personal Digital Key Initialization and Registration for Secure Transactions (granted Apr 07, 2026; 2y 5m to grant)
Patent 12587564: ADVERSARIAL TRAINING OF LANGUAGE MODELS TO PREVENT HIJACKING OF CONVERSATIONAL AGENTS (granted Mar 24, 2026; 2y 5m to grant)
Patent 12580930: SECURE EDGE COMPUTING NETWORK MANAGEMENT (granted Mar 17, 2026; 2y 5m to grant)


Prosecution Projections

Expected OA Rounds: 1-2
Grant Probability: 91%
With Interview: 99% (+65.4%)
Median Time to Grant: 2y 2m
PTA Risk: Low
Based on 379 resolved cases by this examiner. Grant probability derived from career allow rate.
