DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claims 1-20 are pending.
This Action is Non-Final.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 23 December 2024 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-3, 5-9, 11-17, 19, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Weizman et al. (US 20250371136) in view of Liu et al. (US 20230130115).
As per claims 1, 7, 13, 14, and 17, Weizman et al. discloses a system comprising at least one processor and a memory, the memory of the computer system storing instructions that when executed by the at least one processor of the computer system cause the computer system (see Fig. 8) to perform a method of scanning a codebase to identify dependencies on vulnerable cloud resources, the method comprising: identifying a plurality of trusted cloud resources that are accessible over a computer network; receiving a codebase from a codebase repository; scanning the codebase for a reference to one or more cloud resources that are accessible over the computer network; for each referenced cloud resource that is referenced in the codebase, comparing the referenced cloud resource to an inventory of trusted cloud resources (see paragraphs [0061]-[0065] where trusted resources are those with a common owner and untrusted resources are those no longer owned by the same owner) and flagging/detecting the referenced cloud resource as an untrusted cloud resource responsive to determining that the referenced cloud resource is not one of the plurality of trusted cloud resources; and for each untrusted cloud resource, detecting that the untrusted cloud resource is vulnerable to being exploited by a cyberattack (see paragraphs [0086]-[0087], and [0100]).
Weizman et al. fails to explicitly disclose determining that a subdomain of the untrusted cloud resource cannot be resolved into an Internet Protocol (IP) address by a Domain Name System (DNS) server and that the subdomain of the untrusted cloud resource can be registered with a cloud service provider.
However, Liu et al. teaches determining that a subdomain of the untrusted cloud resource cannot be resolved into an Internet Protocol (IP) address by a Domain Name System (DNS) server and that the subdomain of the untrusted cloud resource can be registered with a cloud service provider (see paragraphs [0035]-[0036] and [0052]).
At a time before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art, to include the subdomain dangling detection of Liu et al. in the Weizman et al. system.
Motivation, as recognized by one of ordinary skill in the art, to do so would have been to ensure provide additional checks thereby reducing false-positive results.
As per claims 2, 3, 8, 9, 15, and 16, the modified Weizman et al. and Liu et al. system discloses raising an alert responsive to detecting that the untrusted cloud resource is vulnerable to being exploited by a cyberattack, wherein raising the alert includes sending a notification to an administrator and/or another computer (see Weizman et al. paragraphs [0046] [0071], [0084], and [0100] and Liu et al. paragraph [0052]).
As per claims 5, 6, 11, 12, 19, and 20, the modified Weizman et al. and Liu et al. system discloses the plurality of trusted cloud resources is hosted on a cloud computing platform, wherein the plurality of trusted cloud resources is identified on the cloud computing platform by a Cloud Security Posture Management (CSPM) tool that is hosted on the cloud computing platform (see Weizman et al. paragraphs [0029] and [0086]and Fig. 1).
Claims 4, 10, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over the modified Weizman et al. and Liu et al. system as applied to claims 1, 7, and 17 above, and further in view of de Preez et al. (US 20250310367).
As per claims 4, 10, and 18, the modified Weizman et al. and Liu et al. system fails to explicitly disclose the codebase repository is a version control platform.
However, de Preez et al. teaches a system that detects subdomain hijacking and includes a version control codebase repository (see paragraphs [0024], [0043], [0067], and [0079]).
At a time before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to include the version control codebase repository of de Preez et al. in the modified Weizman et al. and Liu et al. system.
Motivation to do so would have been to allow the system to check repositories that are used by multiple developers thereby improving the security of distributed systems.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: the remaining references put forth on the PTO-892 form are directed to subdomain hijacking.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL J PYZOCHA whose telephone number is (571)272-3875. The examiner can normally be reached Monday-Thursday 7:30am-5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Hadi Armouche can be reached at (571) 270-3618. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Michael Pyzocha/ Primary Examiner, Art Unit 2409