DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The filing of a terminal disclaimer by itself is not a complete reply to a nonstatutory double patenting (NSDP) rejection. A complete reply requires that the terminal disclaimer be accompanied by a reply requesting reconsideration of the prior Office action. Even where the NSDP rejection is provisional the reply must be complete. See MPEP § 804, subsection I.B.1. For a reply to a non-final Office action, see 37 CFR 1.111(a). For a reply to final Office action, see 37 CFR 1.113(c). A request for reconsideration while not provided for in 37 CFR 1.113(c) may be filed after final for consideration. See MPEP §§ 706.07(e) and 714.13.
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The actual filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/apply/applying-online/eterminal-disclaimer.
Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of U.S. Patent No.12250234. Although the claims at issue are not identical, they are not patentably distinct from each other (see below table)
Patent No. 12250234
Ap# 19/049348
1. (Original) A system for providing an integrated security management framework for an enterprise having a plurality of endpoint devices, each endpoint device comprising a
deployed endpoint agent configured to continuously monitor and record activity on the respective endpoint device and further execute one or more sets of detection and response logic rules for managing the detection of, and response to, any activity associated with the respective endpoint device that poses a potential security threat to the enterprise, the system comprising: a server configured to communicate and exchange data with the one or more of the
endpoint devices over a network, the server comprising a hardware processor coupled to non-transitory, computer-readable memory containing instructions executable by the processor to cause the server to: provide a security management platform comprising an interface with which an authorized user can interact to monitor endpoint agent activity and manage functionality of at least one endpoint agent deployed on one of the one or more endpoint devices;
provide an integrated development environment (IDE) operably coupled to
the interface; receive, from the authorized user via the interface, input comprising custom, declarative programming language input to the IDE to write, develop, and/or modify, on-the-fly, one or more customized sets of detection and response logic rules to be executed by an endpoint agent; and output, to the endpoint agent, a customized set of detection and response logic rules.
A method for providing an integrated security management framework for a
plurality of endpoint devices, each endpoint device comprising a deployed
endpoint agent configured to continuously monitor and record activity on the
respective endpoint device and further execute one or more sets of detection
and response logic rules for managing the detection of, and response to, any
activity associated with the respective endpoint device that poses a potential
security threat to the endpoint device, the method comprising: configuring a server to communicate and exchange data with the one or more of the endpoint devices over a network, the server comprising a hardware processor coupled to non-transitory, computer-readable memory containing instructions executable by the processor to cause the server to:
provide a security management platform comprising an interface with which an authorized user can interact to monitor endpoint agent activity and manage functionality of at least one endpoint agent deployed on one of the one or more endpoint devices; provide an integrated development environment (IDE) operably coupled to the interface;
receive, from the authorized user via the interface, input comprising
custom programming language input to the IDE to write, develop, and/or
modify one or more customized sets of detection and response logic rules
to be executed by an endpoint agent; and
output, to the endpoint agent, a customized set of detection and response
logic rules.
2. (Original) The system of claim 1, wherein the system further comprises the plurality of endpoint devices.
2. The method of claim 1, wherein the input comprises custom, declarative programming language input to the IDE to write, develop, and/or modify, on-the-fly, the one or more customized sets of detection and response logic rules to be executed by an endpoint agent.
3. (Original) The system of claim 2, wherein each response logic rule has an associated action to be performed by an endpoint device in response to an event matching the response logic rule, and wherein: each endpoint device has a learning mode in which the endpoint device sends, to the server over the network, a message comprising a copy of an event that matched the response
logic rule, metadata describing said response logic rule, and a flag indicating that the endpoint device did not execute the action associated with the response logic rule in response to the event matching the response logic rule.
3. The method of claim 1, further comprising configuring the server to receive, from an endpoint agent, security data based on execution of one or more sets of detection and response logic rules.
4. (Original) The system of claim 1, wherein the server is configured to receive, from the endpoint agent, security data based on execution of one or more sets of detection and response logic rules.
4. The method of claim 1, wherein the plurality of endpoint devices belong to an
enterprise, and the authorized user is an individual or group tasked with managing the enterprise's security posture.
5. (Original) The system of claim 1, wherein the one or more customized sets of detection and response logic rules are generated based on a custom, declarative programming language,
wherein the custom, declarative programming language is compiled, via a compiler module, into byte code, wherein the compiler module is configured to output a compiled rule set.
5. The method of claim 1, wherein the plurality of endpoint devices belong to an
enterprise, and the enterprise comprises at least one of a business entity, company, organization, and government agency.
6. (Original) The system of claim 5, wherein the customized set of detection and response logic rules outputted from the server comprises a compiled rule set embedded into an installer executable by the endpoint agent to thereby transmit the compiled rule set to the endpoint agent such that the endpoint agent executes the associated customized set of detection and response logic rules.
6. The method of claim 1, further comprising configuring the server to:
compile, into byte code, one or more customized sets of detection and response logic rules generated based on a custom, declarative programming language; and to output a compiled rule set to an endpoint agent.
7. (Original) The system of claim 1, wherein the authorized user is an individual or group tasked with managing the enterprise's security posture and the enterprise comprises at least one of a business entity, company, organization, and government agency.
7. The method of claim 1, further comprising configuring the server to:
compile the set of customized detection and response logic rules into an
installer executable by the endpoint agent and to transmit said installer to an
endpoint agent such that the endpoint agent executes the associated customized set of detection and response logic rules.
8. (Currently Amended) A non-transitory computer-readable medium having computer- executable code thereon to provide an integrated security management framework for an
enterprise having a plurality of endpoint devices, the computer-executable code, when executed by the server, causing a server to: communicate and exchange data with the one or more of one or more of the endpoint devices over a network, each endpoint device comprising a deployed endpoint agent configured to continuously monitor and record activity on the respective endpoint device
and further execute one or more sets of detection and response logic rules for managing the detection of, and response to, activity associated with the respective endpoint device that poses a potential security threat to the enterprise; provide a security management platform comprising an interface with which an authorized user can interact to monitor endpoint agent activity and manage functionality of
at least one endpoint agent deployed on one of the one or more endpoint devices;
provide an integrated development environment (IDE) operably coupled to the interface; receive, from the authorized user via the interface, input comprising custom, declarative programming language input to the IDE to write, develop, and/or modify, on-the-fly, one or more customized sets of detection and response logic rules to be executed
by an endpoint agent; and output, to the endpoint agent, a customized set of detection and response logic rules.
8. The method of claim 1, wherein the customized sets of detection and response logic rules comprises at least one rule statement comprising match criteria and an associated action.
9. (Original) The non-transitory computer-readable medium of claim 8, wherein the computer- executable code further comprises code that, when executed by the server, configures the server
to receive, from an endpoint agent, security data based on execution of one or more sets of detection and response logic rules.
9. The method of claim 8, wherein the customized sets of detection and response logic rules are configured to cause an endpoint agent to: compare event data with the match criteria; and
determine an associated action to be performed by the endpoint agent based on a positive correlation of the event data with the match criteria.
10. (Original) The non-transitory computer-readable medium of claim 8, wherein the computer- executable code further comprises code that, when executed by the server, configures the server to compile a rule set of detection and response logic rules into an installer executable by the endpoint agent to thereby transmit the compiled rule set to the endpoint agent such that the
endpoint agent executes the associated customized set of detection and response logic rules.
10. The method of claim 8, wherein the associated action comprises a suppress action.
11. (Original) The non-transitory computer-readable medium of claim 8, wherein the computer-executable code further comprises code that, when executed by the server, configures the server to: compile, into byte code, one or more customized sets of detection and response logic rules generated based on a custom, declarative programming language; and to output a compiled rule set to an endpoint agent.
11. The method of claim 8, wherein the associated action comprises an alert action.
12. (Currently Amended) The non-transitory computer-readable medium of claim 8, wherein one or more of the sets the set of detection and response logic rules comprises at least one rule
statement comprising match criteria and an associated action.
12. The method of claim 8, wherein the associated action comprises a forward action.
13. (Currently Amended) The non-transitory computer-readable medium of claim 12, wherein said one or more sets the set of detection and response logic rules are configured to cause an
endpoint agent to: compare event data with the match criteria; and determine an associated action to be performed by the endpoint agent based on a positive correlation of the event data with the match criteria.
13. The method of claim 8, wherein the associated action comprises a block action.
14. (Original) The non-transitory computer-readable medium of claim 12, wherein the associated action is selected from the group consisting of a suppress action, an alert action, a forward action, a block action, a killprocess action, an isolate action, and a set action.
14. The method of claim 8, wherein the associated action comprises a killprocess action.
15. (Original) A system for providing an integrated security management framework for an enterprise having a plurality of endpoint devices, each endpoint device comprising a deployed
endpoint agent configured to continuously monitor and record activity on the respective endpoint device and further execute one or more sets of detection and response logic rules for managing
the detection of, and response to, any activity associated with the respective endpoint device that poses a potential security threat to the enterprise, the system comprising: means for communicating with the one or more of the endpoint devices over a
network; means for providing a security management platform comprising an interface with which
an authorized user can interact to monitor endpoint agent activity and manage functionality of at least one endpoint agent deployed on one of the one or more endpoint devices; means for providing an integrated development environment (IDE) operably coupled
to the interface; means for receiving, from the authorized user via the interface, input comprising custom, declarative programming language input to the IDE to write, develop, and/or modify, on-the-fly, one or more customized sets of detection and response logic rules to be executed by an endpoint agent; and means for outputting, to the endpoint agent, a customized set of detection and response
logic rules.
15. The method of claim 8, wherein the associated action comprises an isolate action.
16. (Original) The system of claim 15, wherein the system further comprises the plurality of endpoint devices.
16. The method of claim 8, wherein the associated action comprises a set action.
17. (Currently Amended) The system of claim 16, wherein each response logic rule has an associated action to be performed by an endpoint device in response to an event matching the
response logic rule, and wherein:
each endpoint device has a learning mode in which the endpoint device sends, to a server the server over the network, a message comprising a copy of an event that matched the response logic rule, metadata describing said response logic rule, and a flag indicating that the endpoint device did not execute the action associated with the response logic rule in response to the event matching the response logic rule.
17. A method for providing an integrated security management framework for a
plurality of endpoint devices, each endpoint device comprising a deployed
endpoint agent configured to continuously monitor and record activity on the respective endpoint device and further execute one or more sets of detection
and response logic rules for managing the detection of, and response to, any
activity associated with the respective endpoint device that poses a potential
security threat to the endpoint device, the method comprising: providing a server to communicate and exchange data with the one or more of the endpoint devices over a network, the server comprising a hardware processor coupled to non-transitory, computer-readable memory containing instructions executable by the processor to cause the server to: provide a security management platform comprising an interface with
which an authorized user can interact to monitor endpoint agent activity and
manage functionality of at least one endpoint agent deployed on one of the
one or more endpoint devices; provide an integrated development environment (IDE) operably coupled to the interface;
receive, from the authorized user via the interface, input comprising custom programming language input to the IDE to write, develop, and/or modify one or more customized sets of detection and response logic rules to be executed by an endpoint agent; and output, to the endpoint agent, a customized set of detection and response logic rules.
18. (Original) The system of claim 15, further comprising means for receiving, from the endpoint agent, security data based on execution of one or more sets of detection and response logic rules.
18. The method of claim 17, wherein the input comprises custom, declarative
programming language input to the IDE to write, develop, and/or modify, on-the-fly,
the one or more customized sets of detection and response logic rules to be executed by an endpoint agent.
19. (Currently Amended) The system of claim 15, wherein the one or more customized sets of detection and response logic rules are generated based on a custom, declarative programming
language, wherein the custom, declarative programming language is compiled, by a means for compiling, into byte code, wherein the means for compiling compiler module is configured to output a compiled rule set.
19. The method of claim 17, wherein the instructions executable by the processor further comprise instructions to cause the server to receive, from an endpoint agent, security data based on execution of one or more sets of detection and response logic rules.
20. (Original) The system of claim 15, wherein the authorized user is an individual or group tasked with managing the enterprise's security posture and the enterprise comprises at least one
of a business entity, company, organization, and government agency.
20. The method of claim 17, wherein the instructions executable by the processor
further comprise instructions to cause the server to compile the set of customized
detection and response logic rules into an installer executable by the endpoint agent
and to transmit said installer to an endpoint agent to configure the endpoint agent to execute the customized set of detection and response logic rules.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
4. Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Patent No.: US 9,092,616 B2 to Kumar et al (hereafter referenced as Kumar), in view of in view of Patent No.: US 8,032,940 B1 to Dhanani, in further view of Patent No.: US 7,463,590 B2 to Mualem et al (hereafter referenced as Mualem).
Regarding claim 1, Kumar discloses “a method for providing an integrated security management framework for a plurality of endpoint devices(Tokenization of identities by Security Token Services (STS) intended to facilitate in Identity Federation and Single Sign. On (SSO) for web and Enterprise applications [Col.3/lines 21-23]), each endpoint device (inputs from network and endpoint sensors to correlate network activity, system configuration, resource utilization and application integrity [Col.4/lines 65- Col.5/lines 3]) comprising a deployed endpoint agent (endpoint trust agent [Fig.5/item 510]) configured to continuously monitor and record activity (continuous monitoring [Fig.1/item 110]) on the respective endpoint device and further execute one or more sets of detection and response logic rules for managing the detection of(Event & Behavior correlation engine [Fig.1/item 130]), and response to, any
activity associated with the respective endpoint device that poses a potential
security threat to the endpoint device, the method comprising: configuring a server(VM is a software implementation of a machine Such as a server,[Col.8/lines 48-50]) to communicate and exchange data with the one or more of the endpoint devices over a network(remediation engine exchanges data [Fig.1/item 170]),
Kumar does not explicitly disclose “the server comprising a hardware processor coupled to non-transitory, computer-readable memory containing instructions executable by the processor to cause the server to: provide a security management platform comprising an interface with which an authorized user can interact to monitor endpoint agent activity and manage functionality of at least one endpoint agent deployed on one of the one or more endpoint devices;
However, Mualem in an analogous art discloses “the server comprising a hardware processor coupled to non-transitory, computer-readable memory containing instructions executable by the processor to cause the server to: provide a security management platform comprising an interface with which an authorized user can interact to monitor endpoint agent activity and manage functionality of at least one endpoint agent deployed on one of the one or more endpoint devices” (Network Manager Daemon (or NMDs) that perform the processing of the parser and analyzer portions in this embodiment, saving, analyzing, aggregating packets from each threat detection system, and propagating information to processing routines of the IMC Core Mualem[Col.19/lines 38-52]).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Kumar’s method for threat identification remediation, with Mualem’s method for threat detection and response in which a network intrusion detection system (Mualem [Fig.3]) which utilizes a that Network Manager Daemon (or NMDs) that perform the processing of the parser and analyzer portions saving, analyzing, aggregating packets from each threat detection system, and propagating information to processing routines of the IMC Core in order to provide additional security and data integrity.
One of ordinary skill in the art would have been motivated to combine because Kumar teaches a threat identification and remediation process comprising a security management platform comprising an interface with which an authorized user associated with the enterprise can interact to monitor endpoint agent activity via an endpoint trust agent/server, Mualem discloses a threat detection system executing one or more sets of logic rules, and both from the same field of endeavor.
Neither Kumar nor Mualem explicitly disclose “provide an integrated development environment (IDE) operably coupled to the interface; receive, from the authorized user via the interface, input comprising custom programming language input to the IDE to write, develop, and/or modify one or more customized sets of detection and response logic rules to be executed by an endpoint agent; and output, to the endpoint agent, a customized set of detection and response logic rules.”
However, Dhanani in an analogous art discloses provide an integrated development environment (IDE) operably coupled to the interface; receive, from the authorized user via the interface(secure IDE Dhanani [Fig.4/item 200] within server 414) , input comprising custom programming language input to the IDE to write, develop, and/or modify one or more customized sets of detection and response logic rules to be executed by an endpoint agent; and output, to the endpoint agent, a customized set of detection and response logic rules. (keystore interface security extension 206 of the IDE platform 202 is used to enable the IDE to communicate with (e.g., read and write from) with other keystore objects or components Dhanani [Col.5/lines 2-4])
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Kumar’s method for threat identification remediation, and Mualem’s method for threat detection and response in which a network intrusion detection system (Mualem [Fig.3]) which utilizes a that Network Manager Daemon (or NMDs) that perform the processing of the parser and analyzer portions saving, analyzing, aggregating packets from each threat detection system, and propagating information to processing routines of the IMC Core, with Dhanani’s secured integrated development environment in order to provide additional security and data integrity.
One of ordinary skill in the art would have been motivated to combine because Kumar teaches a threat identification and remediation process comprising a security management platform comprising an interface with which an authorized user associated with the enterprise can interact to monitor endpoint agent activity via an endpoint trust agent/server, Mualem discloses a threat detection system executing one or more sets of logic rules, Dhanani discloses a process to provide a secure Integrated development environment, and all are from the same field of endeavor.
Regarding claim 2 in view of claim 1 the references combined disclose “wherein the input comprises custom, declarative programming language input to the IDE to write, develop, and/or modify, on-the-fly, the one or more customized sets of detection and response logic rules to be executed by an endpoint agent” (multiple endpoint devices Dhanani [Fig.1]).
Regarding claim 3 in view of claim 1 the references combined disclose “further comprising configuring the server to receive, from an endpoint agent, security data based on execution of one or more sets of detection and response logic rules” (threat signature detection module in step S45 provides a library of rules Mualem[Col.6/lines 55-57])
Regarding claim 4 in view of claim 1 the references combined disclose “wherein the plurality of endpoint devices belong to an enterprise, and the authorized user is an individual or group tasked with managing the enterprise's security posture” (FIG. 9 can be used to consolidate and correlate a plurality of identity, inventory and log management systems in order to determine a reputation of a subject e.g., a user, device, transaction, service, or organization/company Mualem[Col.20/ line 64-67]).
Regarding claim 5 in view of claim 1 the references combined disclose “wherein the plurality of endpoint devices belong to an enterprise, and the enterprise comprises at least one of a business entity, company, organization, and government agency.” (FIG. 9 can be used to consolidate and correlate a plurality of identity, inventory and log management systems in order to determine a reputation of a subject e.g., a user, device, transaction, service, or organization/company Mualem[Col.20/ line 64-67]).
Regarding claim 6 in view of claim 1 the references combined disclose “further comprising configuring the server to: compile, into byte code, one or more customized sets of detection and response logic rules generated based on a custom, declarative programming language; and to output a compiled rule set to an endpoint agent” (threat detection module Mualem [Fig.3]).
Regarding claim 7 in view of claim 1 the references combined disclose “further comprising configuring the server to: compile the set of customized detection and response logic rules into an installer executable by the endpoint agent and to transmit said installer to an endpoint agent such that the endpoint agent executes the associated customized set of detection and response logic rules” (threat detection module Mualem [Fig.3]).
Regarding claim 8 in view of claim 1 the references combined disclose “ wherein the customized sets of detection and response logic rules comprises at least one rule statement comprising match criteria and an associated action” (analyzer portion Mualem [Fig.4/irwm 244]).
Regarding claim 9 in view of claim 8 the references combined disclose “ wherein the customized sets of detection and response logic rules are configured to cause an endpoint agent to: compare event data with the match criteria; and determine an associated action to be performed by the endpoint agent based on a positive correlation of the event data with the match criteria.” (threat signatures used by the threat signature detection module may utilize a generic form. For example, each signature may include: a) A set of actions to take upon a match of the signature Mualem [Col.7/lines 8-15]).
Regarding claim 10 in view of claim 8 the references combined disclose “wherein the associated action comprises a suppress action” (reject filter packet, send alert Mualem [Fig.1/item s72-s78]).
Regarding claim 11 in view of claim 8 the references combined disclose “wherein the associated action comprises an alert action” (reject filter packet, send alert Mualem [Fig.1/item s72-s78]).
Regarding claim 12 in view of claim 8 the references combined disclose “wherein the associated action comprises a forward action. (reject filter packet, send alert Mualem [Fig.1/item s72-s78]).
Regarding claim 13 in view of claim 8 the references combined disclose “wherein the associated action comprises a block action. (reject filter packet, send alert Mualem [Fig.1/item s72-s78]).
Regarding claim 14 in view of claim 8 the references combined disclose “wherein the associated action comprises a killprocess action” (reject filter packet, send alert Mualem [Fig.1/item s72-s78]).
Regarding claim 15 in view of claim 8 the references combined disclose “wherein the associated action comprises an isolate action” (reject filter packet, send alert Mualem [Fig.1/item s72-s78]).
Regarding claim 16 in view of claim 8 the references combined disclose “wherein the associated action comprises a set action” (reject filter packet, send alert Mualem [Fig.1/item s72-s78]).
Regarding claim 17, Kumar discloses “a method for providing an integrated security management framework for a plurality of endpoint devices(Tokenization of identities by Security Token Services (STS) intended to facilitate in Identity Federation and Single Sign. On (SSO) for web and Enterprise applications [Col.3/lines 21-23]), each endpoint device(inputs from network and endpoint sensors to correlate network activity, system configuration, resource utilization and application integrity [Col.4/lines 65- Col.5/lines 3]) comprising a deployed
endpoint agent (endpoint trust agent [Fig.5/item 510]) configured to continuously monitor and record activity(continuous monitoring [Fig.1/item 110]) on the respective endpoint device and further execute one or more sets of detection and response logic rules for managing the detection of(Event & Behavior correlation engine [Fig.1/item 130]),, and response to, any activity associated with the respective endpoint device that poses a potential security threat to the endpoint device, the method comprising: providing a server (VM is a software implementation of a machine Such as a server,[Col.8/lines 48-50]) to communicate and exchange data with the one or more of the endpoint devices over a network(remediation engine exchanges data [Fig.1/item 170]).
Kumar does not explicitly disclose “the server comprising a hardware processor coupled to non-transitory, computer-readable memory containing instructions
executable by the processor to cause the server to: provide a security management platform comprising an interface with which an authorized user can interact to monitor endpoint agent activity and manage functionality of at least one endpoint agent deployed on one of the one or more endpoint devices”
However, Mualem in an analogous art discloses “the server comprising a hardware processor coupled to non-transitory, computer-readable memory containing instructions executable by the processor to cause the server to: provide a security management platform comprising an interface with which an authorized user can interact to monitor endpoint agent activity and manage functionality of at least one endpoint agent deployed on one of the one or more endpoint devices”
(Network Manager Daemon (or NMDs) that perform the processing of the parser and analyzer portions in this embodiment, saving, analyzing, aggregating packets from each threat detection system, and propagating information to processing routines of the IMC Core Mualem[Col.19/lines 38-52]).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Kumar’s method for threat identification remediation, with Mualem’s method for threat detection and response in which a network intrusion detection system (Mualem [Fig.3]) which utilizes a that Network Manager Daemon (or NMDs) that perform the processing of the parser and analyzer portions saving, analyzing, aggregating packets from each threat detection system, and propagating information to processing routines of the IMC Core in order to provide additional security and data integrity.
One of ordinary skill in the art would have been motivated to combine because Kumar teaches a threat identification and remediation process comprising a security management platform comprising an interface with which an authorized user associated with the enterprise can interact to monitor endpoint agent activity via an endpoint trust agent/server, Mualem discloses a threat detection system executing one or more sets of logic rules, and both from the same field of endeavor.
Neither Kumar nor Mualem explicitly disclose “provide an integrated development environment (IDE) operably coupled to the interface; receive, from the authorized user via the interface, input comprising custom programming language input to the IDE to write, develop, and/or modify one or more customized sets of detection and response logic rules to be executed by an endpoint agent; and output, to the endpoint agent, a customized set of detection and response logic rules.”
However, Dhanani in an analogous art discloses provide an integrated development environment (IDE) operably coupled to the interface (secure IDE Dhanani [Fig.4/item 200] within server 414) receive, from the authorized user via the interface, input comprising custom programming language input to the IDE to write, develop, and/or modify one or more customized sets of detection and response logic rules to be executed by an endpoint agent; and output, to the endpoint agent, a customized set of detection and response logic rules. (keystore interface security extension 206 of the IDE platform 202 is used to enable the IDE to communicate with (e.g., read and write from) with other keystore objects or components Dhanani [Col.5/lines 2-4])
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Kumar’s method for threat identification remediation, and Mualem’s method for threat detection and response in which a network intrusion detection system (Mualem [Fig.3]) which utilizes a that Network Manager Daemon (or NMDs) that perform the processing of the parser and analyzer portions saving, analyzing, aggregating packets from each threat detection system, and propagating information to processing routines of the IMC Core, with Dhanani’s secured integrated development environment in order to provide additional security and data integrity.
One of ordinary skill in the art would have been motivated to combine because Kumar teaches a threat identification and remediation process comprising a security management platform comprising an interface with which an authorized user associated with the enterprise can interact to monitor endpoint agent activity via an endpoint trust agent/server, Mualem discloses a threat detection system executing one or more sets of logic rules, Dhanani discloses a process to provide a secure Integrated development environment, and all are from the same field of endeavor.
Regarding claim 18 in view of claim 17, the references combined disclose “wherein the input comprises custom, declarative programming language input to the IDE to write, develop, and/or modify, on-the-fly, the one or more customized sets of detection and response logic rules to be executed by an endpoint agent” (Network Manager Daemon (or NMDs) that perform the processing of the parser and analyzer portions in this embodiment, saving, analyzing, aggregating packets from each threat detection system, and propagating information to processing routines of the IMC Core Mualem[Col.19/lines 38-52]).
Regarding claim 19 in view of claim 17, the references combined disclose “wherein the instructions executable by the processor further comprise instructions to cause the server to receive, from an endpoint agent, security data based on execution of one or more sets of detection and response logic rules” ( The threat signature detection module in step S45 provides a library of rules Which evaluate every packet Mualem[Col.6/lines 56-57]).
Regarding claim 20 in view of claim 17, the references combined disclose “wherein the instructions executable by the processor further comprise instructions to cause the server to compile the set of customized detection and response logic rules into an installer executable by the endpoint agent and to transmit said installer to an endpoint agent to configure the endpoint agent to execute the customized set of detection and response logic rules” (Network Manager Daemon (or NMDs) that perform the processing of the parser and analyzer portions in this embodiment, saving, analyzing, aggregating packets from each threat detection system, and propagating information to processing routines of the IMC Core Mualem[Col.19/lines 38-52]).
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL D ANDERSON whose telephone number is (571)270-5159. The examiner can normally be reached Mon-Fri 9am-6pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu can be reached at (571) 272-6798. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/MICHAEL D ANDERSON/ Examiner, Art Unit 2433
/JEFFREY C PWU/ Supervisory Patent Examiner, Art Unit 2433