Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Specification
The specification filed on November 13, 2026 is accepted.
Drawings
The drawings filed on November 13, 2026 are accepted.
Information disclosure statement
The information disclosure statement (IDS) submitted on 12/06/2024 was filed after the mailing date of the application no. 18/946705. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The filing of a terminal disclaimer by itself is not a complete reply to a nonstatutory double patenting (NSDP) rejection. A complete reply requires that the terminal disclaimer be accompanied by a reply requesting reconsideration of the prior Office action. Even where the NSDP rejection is provisional the reply must be complete. See MPEP § 804, subsection I.B.1. For a reply to a non-final Office action, see 37 CFR 1.111(a). For a reply to final Office action, see 37 CFR 1.113(c). A request for reconsideration while not provided for in 37 CFR 1.113(c) may be filed after final for consideration. See MPEP §§ 706.07(e) and 714.13.
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The actual filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/apply/applying-online/eterminal-disclaimer.
Claims 2-21 rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of US Patent No. 12177247. Although the claims at issue are not identical, they are not patentably distinct from each other because a later patent claim is not patentably distinct from an earlier patent claim if the later claim is obvious over, or anticipated by, the earlier claim. In re Longi, 759 F.2d at 896,225 USPQ at 651 (affirming a holding obviousness-type double patenting because the claims at issue were obvious over claims in four prior art patents); In re Berg, 140 F.3d at 1437, 46 USPQ2d at 1233 (Fed. Cir. 1998) (affirming a holding obviousness-type double patenting where a patent application claim to a genus is anticipated by a patent claim to a species within that genus). “ELI LILLY AND COMPANY VBARR LABORATORIES, INC., United States Court of Appeals for the Federal Circuit, ONPETITION FOR REHEARING EN BANC(DECIDED: May 30, 2001).
Current application 18/946705
US Patent No. 12177247
A system comprising: a non-transitory memory;
and one or more hardware processors coupled to the non-transitory memory and configured to read instructions from the non-transitory memory to cause the system to perform operations comprising:
determining a first one of a plurality of IP address rules of an audit based on a plurality of audit rules, wherein the plurality of IP address rules are usable to process a plurality of IP addresses in a first computing environment associated with the system, and wherein the first one of the plurality of IP address rules are usable by at least one of a plurality of computing nodes in the first computing environment;
executing the audit of the first one of the plurality of IP address rules by a computing node separate from the plurality of computing nodes in the first computing environment using the plurality of audit rules;
determining an audit result of the audit indicates that the first one of the plurality of IP address rules differs from a baseline result for a performance of the first one of the plurality of IP address rules;
removing the first one of the plurality of IP address rules from a use with the plurality of IP addresses in the first computing environment based on the audit result indicating that the first one of the plurality of IP address rules differs from the baseline result;
determining that a test of the first one of the plurality of IP address rules on the computing node separate from the plurality of computing nodes indicates that the first one of the plurality of IP address rules has returned to the baseline result;
and enabling, based on the test, the first one of the plurality of IP address rules for the use with the plurality of IP addresses in the first computing environment.
A computing system comprising: a non-transitory memory;
and one or more hardware processors coupled to the non-transitory memory and configured to read instructions from the non-transitory memory to cause the computing system to perform operations comprising:
receiving an IP address blocklist for a plurality of IP addresses based on a plurality of IP address blocking rules, wherein the IP address blocklist designates the plurality of IP addresses for blocking by a plurality of components of the computing system;
executing an integrity check of the IP address blocklist using a plurality of audit rules that determine whether each of the plurality of IP address blocking rules is meeting or exceeding a threshold blocking indicator for the IP address blocklist;
determining that a first one of the plurality of IP address blocking rules is meeting or exceeding the threshold blocking indicator based on the plurality of audit rules;
running the first one of the plurality of IP address blocking rules on a separate computing node from a current node utilizing the first one of the plurality of IP address blocking rules when processing the plurality of IP addresses;
determining, based on the running, that the first one of the plurality of IP address blocking rules is causing results that differ from a baseline blocking result when blocking the subset of the plurality of IP addresses; removing a subset of the plurality of IP addresses for blocking in the IP address blocklist based on the first one of the plurality of IP addresses causing the results that differ from the baseline blocking result;
executing a quarantine operation for the first one of the plurality of IP address blocking rules with the IP address blocklist, wherein the quarantine operation includes removing the first one of the plurality of IP address from use in a production computing environment;
testing, in a test computing environment separate from the production computing environment, the first one of the plurality of IP address blocking rules for a return to the baseline blocking result based on the threshold blocking indicator;
and enabling, based on the testing, the first one of the plurality of IP address blocking rules when the first one of the plurality of IP address blocking rules returns to the baseline blocking result.
10. (New) A method comprising:
determining that an IP address rule violates a requirement for identifying a set of IP addresses from a plurality of IP addresses utilizing computing services of a service provider in a production computing environment;
determining, based on an execution of the IP address rule on a computing node in a test computing environment separate from the production computing environment, that a result of identifying the set of IP addresses is inconsistent with a baseline result for the IP address rule;
executing an action with the IP address rule that prevents the IP address rule from being used for one or more uses in the production computing environment;
testing, in the test computing environment, the IP address rule for a return to the baseline result based on the requirement;
and enabling, based on the testing, the IP address rule for the one or more uses in the production computing environment
11. A method comprising:
accessing an IP address blocklist comprising IP addresses that are to be blocked when utilized with a computing system of a service provider; determining a set of the IP addresses that are identified for blocking based on an IP address blocking rule;
determining, based on the set of the IP addresses, that the IP address blocking rule violates a rule behavioral requirement when identifying the set of the IP addresses based on a first auditing rule for the IP address blocking rule;
determining, based on an execution of the IP address blocking rule on a separate computing node, that the IP address blocking rule is causing results inconsistent with a baseline blocking result when blocking the set of the IP addresses;
executing an action with at least one of the set of the IP addresses or the IP address blocking rule for the computing system of the service provider, wherein the action comprises removing the IP address blocking rule from use in a production computing environment;
testing, in a test computing environment separate from the production computing environment, the IP address blocking rule for a return to the baseline blocking result based on the rule behavioral requirement;
and enabling, based on the testing, the IP address blocking rule when the IP address blocking rule returns to the baseline blocking result.
18. A non-transitory machine-readable medium having stored thereon machine-readable instructions executable to cause a machine to perform operations comprising:
determining that a rule for network address identifications in a computing environment is to be audited based on a subset of a plurality of network addresses identified by a network address rule;
determining, based on an execution of the rule on a separate computing node from the computing environment, that the rule causes a result different from a baseline result when identifying the subset of the plurality of the network addresses;
executing an audit of the rule based on one or more audit rules that are usable to determine an integrity of the rule for a performance in the computing environment; removing the network address rule from the computing environment;
testing, on the separate computing node, the rule for a return to the baseline result;
and enabling, based on the testing, the network address rule when the network address rule returns to the baseline result.
17. A non-transitory machine-readable medium having stored thereon machine-readable instructions executable to cause a machine to perform operations comprising:
accessing a plurality of IP addresses for blocking from use with a computing system based on an IP address blocking rule;
determining that the plurality of IP addresses identified by the IP address blocking rule meets or exceeds a threshold number of blocked IP addresses;
determining, based on an execution of the IP address blocking rule on a separate computing node, that the IP address blocking rule is causing different results from a baseline blocking result when blocking the plurality of the IP addresses;
identifying an integrity check of the IP address blocking rule; executing the integrity check using at least one audit rule for the IP address blocking rule;
executing an action with at least one of the plurality of IP addresses or the IP address blocking rule, wherein the action comprises removing the IP address blocking rule from use in a production computing environment;
testing, in a test computing environment separate from the production computing environment, the IP address blocking rule for a return to the baseline blocking result based on the rule behavioral requirement;
and enabling, based on the testing, the IP address blocking rule when the IP address blocking rule returns to the baseline blocking result.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 2-4, 6-7, 9-13, 15-16 and 18-21 are rejected under 35 U.S.C. 103 as being unpatentable over BHATIA et al (hereinafter BHATIA) (US 20200112590) in view of LAADAN (US 20150163246).
Regarding claim 2 BHATIA teaches a system comprising: (BHATIA on [0019] teaches a system comprising);
a non-transitory memory; and one or more hardware processors coupled to the non-transitory memory and configured to read instructions from the non-transitory memory to cause the system to perform operations comprising: (BHATIA on [0019] teaches computer readable instructions stored in memory executed by a processor);
determining a first one of a plurality of IP address rules of an audit based on a plurality of audit rules, wherein the plurality of IP address rules are usable to process a plurality of IP addresses in a first computing environment associated with the system (BHATIA Fig 2 block 204 and text on [0057 and 0061-0067] teaches plurality of IP address rules R1-R5 for example, if rule R2 is violated, then messages from certain IP addresses, as defined by rule R2, are blocked (i.e. IP address rules for processing IP addresses). Further teaches if rule R2 is violated in the computer system for client C1, then an occurrence (e.g., a viral attack, a dedicated denial of service attack, etc.) is deemed to be occurring in the computer system for client C1, as shown by “R2>O1”. Similarly, if rule R2 is violated in the computer system for client C3, then an occurrence is deemed to be occurring in the computer system for client C3, as shown by “R2>O3”. Similarly, if rule R2 is violated in the computer system for client C4, then an occurrence is deemed to be occurring in the computer system for client C3, as shown by “R2>O4” i.e., audit rule);
and wherein the first one of the plurality of IP address rules are usable by at least one of a plurality of computing nodes in the first computing environment (BHATIA Fig 2 block 204 and text on [0057 and 0061-0067] teaches plurality of IP address rules R1-R5 for example, if rule R2 is violated, then messages from certain IP addresses, as defined by rule R2, are blocked (i.e. IP address rules for processing IP addresses). Further teaches if rule R2 is violated in the computer system for client C1, then an occurrence (e.g., a viral attack, a dedicated denial of service attack, etc.) is deemed to be occurring in the computer system for client C1, as shown by “R2>O1”. Similarly, if rule R2 is violated in the computer system for client C3, then an occurrence is deemed to be occurring in the computer system for client C3, as shown by “R2>O3”. Similarly, if rule R2 is violated in the computer system for client C4, then an occurrence is deemed to be occurring in the computer system for client C3, as shown by “R2>O4” i.e., audit rule);
executing the audit of the first one of the plurality of IP address rules by a computing node separate from the plurality of computing nodes in the first computing environment using the plurality of audit rules (BHATIA on [0115] teaches rule thresholds are predicted and sent to the AI master 714 (analogous to AI master system 214 shown in FIG. 2). That is, once the rule AI system 712 parses test conditions and engineer features, rule thresholds (i.e., what thresholds must be exceeded in the conditions of the rule) are set and then labeled, in order to train deep learning systems);
determining an audit result of the audit indicates that the first one of the plurality of IP address rules differs from a baseline result for a performance of the first one of the plurality of IP address rules (Bhatia on [0061-0066] teaches assume that rule R2 is violated based on an email being received from an untrusted (blacklisted) IP address and determine that rule R2 has been violated based on threshold and boundaries that must meet for the rule to be violated and based on rule conditions, event conditions, and behavior conditions set by the SIEM rules. See Fig 2 block 204 and text on [0053] teaches plurality of IP address blocking rules R1-R5. Rule R2 is used as an example of a rule that is being violated and/or replicated. However, it is to be understood that the processes described herein are applicable to any rule that is being violated);
removing the first one of the plurality of IP address rules from a use with the plurality of IP addresses in the first computing environment based on the audit result indicating that the first one of the plurality of IP address rules differs from the baseline result (Bhatia on [0061-0066] teaches determine that rule R2 has been violated based on threshold and boundaries that must meet for the rule to be violated and based on rule conditions, event conditions, and behavior conditions set by the SIEM rules, modifying the rule R2 when such violation. See on [0130-0131] the processor(s), in response to the new set of rules being violated, execute a security feature of the computer system in order to resolve the violation of the new set of rules. For example, a firewall may be upgraded, storage devices may be shut down, etc. in order to address the offense (violation of the new set of rules)).
determining that a test of the first one of the plurality of IP address rules on the computing node separate from the plurality of computing nodes indicates that the first one of the plurality of IP address rules (BHATIA on [0094-0098] teaches the parsing/transformation of the rule by the parse rule logic 602 also leads to a description of rule thresholds that should be used when testing the rules, as described in block 608. For example, a rule may state that if 90% of incoming emails are from unknown IP addresses, then a ticket should be issued. In this example, “90%” is the threshold of the rule that needs to be reached in order to issue a ticket.)
BHATIA fails to explicitly teach the plurality of IP address rules has returned to the baseline result and enabling, based on the test, the first one of the plurality of IP address rules for the use with the plurality of IP addresses in the first computing environment, however LAADAN from analogous art teaches
and determining that a test of the first one of the plurality of IP address rules on the computing node separate from the plurality of computing nodes indicates that the first one of the plurality of IP address rules has returned to the baseline result, (LAADAN on [0045] teaches one activation rule from the list of activation rules is selected and at least one activation condition required to be met respective of the activation rule is determined. In S240, it is checked whether the at least one activation condition is satisfied and, if so execution continues with S245; otherwise, execution continues with S250. In S245, the satisfied activation rule is added to a list of satisfied rules and then execution continues with S250);
and enabling, based on the test, the first one of the plurality of IP address rules for the use with the plurality of IP addresses in the first computing environment (LAADAN on [0045] teaches one activation rule from the list of activation rules is selected and at least one activation condition required to be met respective of the activation rule is determined. In S240, it is checked whether the at least one activation condition is satisfied and, if so execution continues with S245; otherwise, execution continues with S250. In S245, the satisfied activation rule is added to a list of satisfied rules and then execution continues with S250).
Thus, it would have been obvious to one ordinary skill in the art before the effective filing date to implement the teaching of LAADAN into the teaching of BHATIA by enabling, based on the test, the first one of the pluralities of IP address rules for the use with the plurality of IP addresses in the first computing environment. One would be motivated to do so in order to enable the activation of rule for filtering malicious network traffic based on rule satisfying predetermined condition (LAADAN [0003-0008]).
Regarding claim 3 the combination of BHATIA and LAADAN teaches all the limitations of claim 2 above, BHATIA further teaches wherein the plurality of IP address rules are usable for blocking one or more of the plurality of IP addresses based on one or more activities associated with the one or more of the plurality of IP addresses over a time period, and wherein the operations further comprise: removing a subset of the plurality of IP addresses identified for blocking by an IP address blocklist having the first one of the plurality of IP address rules based on the audit result of the audit indicating that the first one of the plurality of IP address rules differs from the baseline result (BHATIA on [0061-0066] teaches determine that rule R2 has been violated based on threshold and boundaries that must meet for the rule to be violated and based on rule conditions, event conditions, and behavior conditions set by the SIEM rules, modifying the rule R2 when such violation occurs (i.e., quarantine operation). Further teaches if rule R2 is violated, then messages from certain IP addresses, as defined by rule R2, are blocked .See on [0130-0131] the processor(s), in response to the new set of rules being violated, execute a security feature of the computer system in order to resolve the violation of the new set of rules. For example, a firewall may be upgraded, storage devices may be shut down, etc. in order to address the offense (violation of the new set of rules)).
Regarding claim 4 the combination of BHATIA and LAADAN teaches all the limitations of claim 2 above, LAADAN further teaches wherein, subsequent to the removing, the operations further comprise: executing, in a second computing environment having the computing node that is separate from the first computing environment, the test of the first one of the plurality of IP address rules for a return to the baseline result (LAADAN on [0045] teaches one activation rule from the list of activation rules is selected and at least one activation condition required to be met respective of the activation rule is determined. In S240, it is checked whether the at least one activation condition is satisfied and, if so execution continues with S245; otherwise, execution continues with S250. In S245, the satisfied activation rule is added to a list of satisfied rules and then execution continues with S250).
Regarding claim 6 the combination of BHATIA and LAADAN teaches all the limitations of claim 2 above, BHATIA further teaches wherein the plurality of audit rules are usable to audit the plurality of IP address rules based on at least one of a volume of the plurality of IP addresses identified, a change in the volume of the plurality of IP addresses identified, or a number of automated tests failed by each of the plurality of IP addresses (BHATIA on [0096] teaches the parsing/transformation of the rule by the parse rule logic 602 also leads to a description of rule thresholds that should be used when testing the rules, as described in block 608. For example, a rule may state that if 90% of incoming emails are from unknown IP addresses, then a ticket should be issued. In this example, “90%” is the threshold of the rule that needs to be reached in order to issue a ticket).
Regarding claim 7 the combination of BHATIA and LAADAN teaches all the limitations of claim 2 above, BHATIA further teaches wherein the determining the first one of the plurality of IP address rules for the audit is based on a threshold number of IP addresses blocked by the first one of the plurality of IP address rules or a periodic trigger to audit each of the plurality of IP address rules (BHATIA Fig 2 block 204 and text on [0057 and 0061-0067] teaches plurality of IP address rules R1-R5 for example, if rule R2 is violated, then messages from certain IP addresses, as defined by rule R2, are blocked (i.e. IP address rules for processing IP addresses). Further teaches if rule R2 is violated in the computer system for client C1, then an occurrence (e.g., a viral attack, a dedicated denial of service attack, etc.) is deemed to be occurring in the computer system for client C1, as shown by “R2>O1”. Similarly, if rule R2 is violated in the computer system for client C3, then an occurrence is deemed to be occurring in the computer system for client C3, as shown by “R2>O3”. Similarly, if rule R2 is violated in the computer system for client C4, then an occurrence is deemed to be occurring in the computer system for client C3, as shown by “R2>O4” i.e., audit rule).
Regarding claim 9 the combination of BHATIA and LAADAN teaches all the limitations of claim 2 above, BHATIA further teaches wherein the operations further comprise: checking an integrity of the plurality of audit rules for auditing the plurality of IP address rules (BHATIA on [0061-0066] teaches determine that rule R2 has been violated based on threshold and boundaries that must meet for the rule to be violated and based on rule conditions, event conditions, and behavior conditions set by the SIEM rules, modifying the rule R2 when such violation. See on [0130-0131] the processor(s), in response to the new set of rules being violated, execute a security feature of the computer system in order to resolve the violation of the new set of rules. For example, a firewall may be upgraded, storage devices may be shut down, etc. in order to address the offense (violation of the new set of rules)).
Regarding claim 10 BHATIA teaches a method comprising: (BHATIA on [0019] teaches a method);
determining that an IP address rule violates a requirement for identifying a set of IP addresses from a plurality of IP addresses utilizing computing services of a service provider in a production computing environment (BHATIA Fig 2 block 204 and text on [0057 and 0061-0067] teaches plurality of IP address rules R1-R5 for example, if rule R2 is violated, then messages from certain IP addresses, as defined by rule R2, are blocked (i.e. IP address rules for processing IP addresses). Further teaches if rule R2 is violated in the computer system for client C1, then an occurrence (e.g., a viral attack, a dedicated denial of service attack, etc.) is deemed to be occurring in the computer system for client C1, as shown by “R2>O1”. Similarly, if rule R2 is violated in the computer system for client C3, then an occurrence is deemed to be occurring in the computer system for client C3, as shown by “R2>O3”. Similarly, if rule R2 is violated in the computer system for client C4, then an occurrence is deemed to be occurring in the computer system for client C3, as shown by “R2>O4”);
determining, based on an execution of the IP address rule on a computing node in a test computing environment separate from the production computing environment, that a result of identifying the set of IP addresses is inconsistent with a baseline result for the IP address rule (Bhatia on [0061-0066] teaches determine that rule R2 has been violated based on threshold and boundaries that must meet for the rule to be violated and based on rule conditions, event conditions, and behavior conditions set by the SIEM rules, modifying the rule R2 when such violation occurs. See on [0130-0131] the processor(s), in response to the new set of rules being violated, execute a security feature of the computer system in order to resolve the violation of the new set of rules. For example, a firewall may be upgraded, storage devices may be shut down, etc. in order to address the offense (violation of the new set of rules). See on [0115] teaches rule thresholds are predicted and sent to the AI master 714 (analogous to AI master system 214 shown in FIG. 2). That is, once the rule AI system 712 parses test conditions and engineer features, rule thresholds (i.e., what thresholds must be exceeded in the conditions of the rule) are set and then labeled, in order to train deep learning systems);
executing an action with the IP address rule that prevents the IP address rule from being used for one or more uses in the production computing environment (Bhatia on [0061-0066] teaches determine that rule R2 has been violated based on threshold and boundaries that must meet for the rule to be violated and based on rule conditions, event conditions, and behavior conditions set by the SIEM rules, modifying the rule R2 when such violation occurs (i.e., executing an action). See on [0130-0131] the processor(s), in response to the new set of rules being violated, execute a security feature of the computer system in order to resolve the violation of the new set of rules. For example, a firewall may be upgraded, storage devices may be shut down, etc. in order to address the offense (violation of the new set of rules)).
testing, in the test computing environment, the IP address rule (BHATIA on [0094-0098] teaches the parsing/transformation of the rule by the parse rule logic 602 also leads to a description of rule thresholds that should be used when testing the rules, as described in block 608. For example, a rule may state that if 90% of incoming emails are from unknown IP addresses, then a ticket should be issued. In this example, “90%” is the threshold of the rule that needs to be reached in order to issue a ticket).
BHATIA fails to explicitly teach the plurality of IP address rules has returned to the baseline result and enabling, based on the testing, the IP address rule for the one or more uses in the production computing environment, however BHATIA from analogous art teaches
testing, in the test computing environment, the IP address rule for a return to the baseline result based on the requirement (LAADAN on [0045] teaches one activation rule from the list of activation rules is selected and at least one activation condition required to be met respective of the activation rule is determined. In S240, it is checked whether the at least one activation condition is satisfied and, if so execution continues with S245; otherwise, execution continues with S250. In S245, the satisfied activation rule is added to a list of satisfied rules and then execution continues with S250);
and enabling, based on the testing, the IP address rule for the one or more uses in the production computing environment (LAADAN on [0045] teaches one activation rule from the list of activation rules is selected and at least one activation condition required to be met respective of the activation rule is determined. In S240, it is checked whether the at least one activation condition is satisfied and, if so execution continues with S245; otherwise, execution continues with S250. In S245, the satisfied activation rule is added to a list of satisfied rules and then execution continues with S250).
Thus, it would have been obvious to one ordinary skill in the art before the effective filing date to implement the teaching of LAADAN into the teaching of BHATIA by enabling, based on the test, the first one of the pluralities of IP address rules for the use with the plurality of IP addresses in the first computing environment. One would be motivated to do so in order to enable the activation of rule for filtering malicious network traffic based on rule satisfying predetermined condition (LAADAN [0003-0008]).
Regarding claim 11 the combination of BHATIA and LAADAN teaches all the limitations of claim 10 above, BHATIA further teaches wherein the IP address rule is usable for blocking one or more of the plurality of IP addresses based on one or more activities associated with the one or more of the plurality of IP addresses over a time period, and wherein the method further comprises: removing a subset of the plurality of IP addresses identified for blocking by an IP address blocklist having the IP address rule based on the action (BHATIA on [0061-0066] teaches determine that rule R2 has been violated based on threshold and boundaries that must meet for the rule to be violated and based on rule conditions, event conditions, and behavior conditions set by the SIEM rules, modifying the rule R2 when such violation. See on [0130-0131] the processor(s), in response to the new set of rules being violated, execute a security feature of the computer system in order to resolve the violation of the new set of rules. For example, a firewall may be upgraded, storage devices may be shut down, etc. in order to address the offense (violation of the new set of rules)).
Regarding claim 12 the combination of BHATIA and LAADAN teaches all the limitations of claim 10 above, LAADAN further teaches further comprising: executing an audit of the IP address rule on the computing node in the test computing environment; and determining the result based on the executed audit (LAADAN on [0045] teaches one activation rule from the list of activation rules is selected and at least one activation condition required to be met respective of the activation rule is determined. In S240, it is checked whether the at least one activation condition is satisfied and, if so execution continues with S245; otherwise, execution continues with S250. In S245, the satisfied activation rule is added to a list of satisfied rules and then execution continues with S250).
Regarding claim 13 the combination of BHATIA and LAADAN teaches all the limitations of claim 12 above, BHATIA further teaches wherein the audit is executed using a plurality of audit rules, and wherein the plurality of audit rules are associated with at least one of a volume of the plurality of IP addresses identified by the IP address rule for blocking, a change in the volume of the plurality of IP addresses identified, or a number of automated tests failed by each of the plurality of IP addresses (BHATIA on [0096] teaches the parsing/transformation of the rule by the parse rule logic 602 also leads to a description of rule thresholds that should be used when testing the rules, as described in block 608. For example, a rule may state that if 90% of incoming emails are from unknown IP addresses, then a ticket should be issued. In this example, “90%” is the threshold of the rule that needs to be reached in order to issue a ticket).
Regarding claim 15 the combination of BHATIA and LAADAN teaches all the limitations of claim 10 above, BHATIA further teaches wherein the determining that the IP address rule violates the requirement is based on one of a threshold number of the plurality of IP addresses blocked during a rule execution of the IP address rule or a periodic trigger to audit the IP address rule (BHATIA Fig 2 block 204 and text on [0057 and 0061-0067] teaches plurality of IP address rules R1-R5 for example, if rule R2 is violated, then messages from certain IP addresses, as defined by rule R2, are blocked (i.e. IP address rules for processing IP addresses). Further teaches if rule R2 is violated in the computer system for client C1, then an occurrence (e.g., a viral attack, a dedicated denial of service attack, etc.) is deemed to be occurring in the computer system for client C1, as shown by “R2>O1”. Similarly, if rule R2 is violated in the computer system for client C3, then an occurrence is deemed to be occurring in the computer system for client C3, as shown by “R2>O3”. Similarly, if rule R2 is violated in the computer system for client C4, then an occurrence is deemed to be occurring in the computer system for client C3, as shown by “R2>O4” i.e., audit rule).
Regarding claim 16 the combination of BHATIA and LAADAN teaches all the limitations of claim 10 above, BHATIA further teaches further comprising: receiving an IP address blocklist having the IP address rule; and executing an integrity check of the IP address blocklist (BHATIA on [0061-0066] teaches determine that rule R2 has been violated based on threshold and boundaries that must meet for the rule to be violated and based on rule conditions, event conditions, and behavior conditions set by the SIEM rules, modifying the rule R2 when such violation. See on [0130-0131] the processor(s), in response to the new set of rules being violated, execute a security feature of the computer system in order to resolve the violation of the new set of rules. For example, a firewall may be upgraded, storage devices may be shut down, etc. in order to address the offense (violation of the new set of rules)).
Regarding claim 18 BHATIA teaches a non-transitory machine-readable medium having stored thereon machine-readable instructions executable to cause a machine to perform operations comprising: (BHATIA on [0019] teaches computer readable instructions stored in memory executed by a processor);
determining that a rule for network address identifications in a computing environment is to be audited based on a subset of a plurality of network addresses identified by a network address rule (BHATIA Fig 2 block 204 and text on [0057 and 0061-0067] teaches plurality of IP address rules R1-R5 for example, if rule R2 is violated, then messages from certain IP addresses, as defined by rule R2, are blocked (i.e. IP address rules for processing IP addresses). Further teaches if rule R2 is violated in the computer system for client C1, then an occurrence (e.g., a viral attack, a dedicated denial of service attack, etc.) is deemed to be occurring in the computer system for client C1, as shown by “R2>O1”. Similarly, if rule R2 is violated in the computer system for client C3, then an occurrence is deemed to be occurring in the computer system for client C3, as shown by “R2>O3”. Similarly, if rule R2 is violated in the computer system for client C4, then an occurrence is deemed to be occurring in the computer system for client C3, as shown by “R2>O4);
determining, based on an execution of the rule on a separate computing node from the computing environment, that the rule causes a result different from a baseline result when identifying the subset of the plurality of the network addresses (Bhatia on [0061-0066] teaches determine that rule R2 has been violated based on threshold and boundaries that must meet for the rule to be violated and based on rule conditions, event conditions, and behavior conditions set by the SIEM rules, modifying the rule R2 when such violation occurs. See on [0130-0131] the processor(s), in response to the new set of rules being violated, execute a security feature of the computer system in order to resolve the violation of the new set of rules. For example, a firewall may be upgraded, storage devices may be shut down, etc. in order to address the offense (violation of the new set of rules). See on [0115] teaches rule thresholds are predicted and sent to the AI master 714 (analogous to AI master system 214 shown in FIG. 2). That is, once the rule AI system 712 parses test conditions and engineer features, rule thresholds (i.e., what thresholds must be exceeded in the conditions of the rule) are set and then labeled, in order to train deep learning systems);
executing an audit of the rule based on one or more audit rules that are usable to determine an integrity of the rule for a performance in the computing environment (BHATIA Fig 2 block 204 and text on [0057 and 0061-0067] teaches plurality of IP address rules R1-R5 for example, if rule R2 is violated, then messages from certain IP addresses, as defined by rule R2, are blocked (i.e. IP address rules for processing IP addresses). Further teaches if rule R2 is violated in the computer system for client C1, then an occurrence (e.g., a viral attack, a dedicated denial of service attack, etc.) is deemed to be occurring in the computer system for client C1, as shown by “R2>O1”. Similarly, if rule R2 is violated in the computer system for client C3, then an occurrence is deemed to be occurring in the computer system for client C3, as shown by “R2>O3”. Similarly, if rule R2 is violated in the computer system for client C4, then an occurrence is deemed to be occurring in the computer system for client C3, as shown by “R2>O4 i.e., audit rule);
removing the network address rule from the computing environment (Bhatia on [0061-0066] teaches determine that rule R2 has been violated based on threshold and boundaries that must meet for the rule to be violated and based on rule conditions, event conditions, and behavior conditions set by the SIEM rules, modifying the rule R2 when such violation occurs (i.e., quarantine operation). See on [0130-0131] the processor(s), in response to the new set of rules being violated, execute a security feature of the computer system in order to resolve the violation of the new set of rules. For example, a firewall may be upgraded, storage devices may be shut down, etc. in order to address the offense (violation of the new set of rules)).
testing, in the separate computing environment, the rule (BHATIA on [0094-0098] teaches the parsing/transformation of the rule by the parse rule logic 602 also leads to a description of rule thresholds that should be used when testing the rules, as described in block 608. For example, a rule may state that if 90% of incoming emails are from unknown IP addresses, then a ticket should be issued. In this example, “90%” is the threshold of the rule that needs to be reached in order to issue a ticket).
BHATIA fails to explicitly teach the plurality of IP address rules has returned to the baseline result and enabling, based on the testing, the IP address rule for the one or more uses in the production computing environment, however BHATIA from analogous art teaches
testing, in the separate computing environment, the rule for a return to the baseline result (LAADAN on [0045] teaches one activation rule from the list of activation rules is selected and at least one activation condition required to be met respective of the activation rule is determined. In S240, it is checked whether the at least one activation condition is satisfied and, if so execution continues with S245; otherwise, execution continues with S250. In S245, the satisfied activation rule is added to a list of satisfied rules and then execution continues with S250);
and enabling, based on the testing, the network address when the network address rule returns to the baseline result (LAADAN on [0045] teaches one activation rule from the list of activation rules is selected and at least one activation condition required to be met respective of the activation rule is determined. In S240, it is checked whether the at least one activation condition is satisfied and, if so execution continues with S245; otherwise, execution continues with S250. In S245, the satisfied activation rule is added to a list of satisfied rules and then execution continues with S250).
Thus, it would have been obvious to one ordinary skill in the art before the effective filing date to implement the teaching of LAADAN into the teaching of BHATIA by enabling, based on the test, the first one of the pluralities of IP address rules for the use with the plurality of IP addresses in the first computing environment. One would be motivated to do so in order to enable the activation of rule for filtering malicious network traffic based on rule satisfying predetermined condition (LAADAN [0003-0008]).
Regarding claim 19 the combination of BHATIA and LAADAN teaches all the limitations of claim 18 above, BHATIA further teaches removing a subset of the plurality of network addresses identified for blocking by a network address blocklist having the rule based on the audit (BHATIA on [0061-0066] teaches determine that rule R2 has been violated based on threshold and boundaries that must meet for the rule to be violated and based on rule conditions, event conditions, and behavior conditions set by the SIEM rules, modifying the rule R2 when such violation occurs (i.e., quarantine operation). Further teaches if rule R2 is violated, then messages from certain IP addresses, as defined by rule R2, are blocked .See on [0130-0131] the processor(s), in response to the new set of rules being violated, execute a security feature of the computer system in order to resolve the violation of the new set of rules. For example, a firewall may be upgraded, storage devices may be shut down, etc. in order to address the offense (violation of the new set of rules)).
Regarding claim 20 the combination of BHATIA and LAADAN teaches all the limitations of claim 19 above, BHATIA further teaches wherein the network address blocklist is utilized by a plurality of controllers, and wherein the removing the network address rule and the removing the subset of the plurality of network addresses each utilize an update to the plurality of controllers (BHATIA on [0062-0063] teaches ATDS machine learning system 206 uses the determination that rule R2 has been violated to update the profile correlator 208. That is, the details of the violation of the rule R2 by one or more of clients C1, C3, and C4 is sent to the profile correlator 208, which determines the overall effect of the violation of the rule R2, particularly as it affects one or more assets (e.g., equipment, computers, data storage, software, etc.) of the affected client from clients C1, C3, and C4. This updated information is then sent to a customer database 220).
Regarding claim 21 the combination of BHATIA and LAADAN teaches all the limitations of claim 18 above, BHATIA further teaches determining a result of the executed audit, wherein the network address rule is removed based on the result meeting or exceeding a threshold (Bhatia on [0061-0066] teaches determine that rule R2 has been violated based on threshold and boundaries that must meet for the rule to be violated and based on rule conditions, event conditions, and behavior conditions set by the SIEM rules, modifying the rule R2 when such violation occurs (i.e., quarantine operation). See on [0130-0131] the processor(s), in response to the new set of rules being violated, execute a security feature of the computer system in order to resolve the violation of the new set of rules. For example, a firewall may be upgraded, storage devices may be shut down, etc. in order to address the offense (violation of the new set of rules)).
Claims 8 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over BHATIA et al (hereinafter BHATIA) (US 20200112590) in view of LAADAN (US 20150163246) and further in view of Bowen et al (hereinafter Bowen) (US 20230051392).
Regarding claim 8 and 17 the combination of BHATIA and LAADAN teaches all the limitations of claim 2 and 10 respectively, the combination fails to explicitly teach wherein the removing the first one of the plurality of IP address rules from the use with processing the plurality of IP addresses is performed using a macro that removes the first one of the plurality of IP address rules from a list utilizable by one or more controllers for processing the plurality of IP addresses by executing a script to skip or remove code from the list, however Bowen from analogous art teaches
wherein the removing the first one of the plurality of IP address rules from the use with processing the plurality of IP addresses is performed using a macro that removes the first one of the plurality of IP address rules from a list utilizable by one or more controllers for processing the plurality of IP addresses by executing a script to skip or remove code from the list (Bowen on [0004 and 0044] teaches the design of the hierarchical macro is adjusted to remove a violation of an antenna rule based on determining that the antenna condition of the route violates the antenna rule).
Thus, it would have been obvious to one ordinary skill in the art before the effective filing date to implement the teaching of Bowen into the combined teaching of BHATIA and LAADAN by enabling, removal of rules based on using hierarchical macro. One would be motivated to do so in order to activate and/or deactivate audit rule for filtering malicious network traffic based on rule satisfying predetermined condition (Bowen [0004]).
Allowable Subject matter
Claims 5 and 14 objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Liu et al (US 20190182214) is directed towards anti-cracking method for a cloud host of the disclosure, the brute-force cracking can be prevented proactively in a timely manner with only very few system resources occupied.
SATO et al (US 20160239230) is directed towards the present invention relates to a storage device having an interface for receiving a normal host I/O and an interface for receiving a storage management request, and a method for maintaining the processing performance of the storage device.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MOEEN KHAN whose telephone number is (571)272-3522. The examiner can normally be reached 7AM-5PM EST M-TH Alternate Fridays.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached at (571)272-4219. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/MOEEN KHAN/Primary Examiner, Art Unit 2436