Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 2/24/2025 was filed after the mailing date of the application on 2/13/2025. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The filing of a terminal disclaimer by itself is not a complete reply to a nonstatutory double patenting (NSDP) rejection. A complete reply requires that the terminal disclaimer be accompanied by a reply requesting reconsideration of the prior Office action. Even where the NSDP rejection is provisional the reply must be complete. See MPEP § 804, subsection I.B.1. For a reply to a non-final Office action, see 37 CFR 1.111(a). For a reply to final Office action, see 37 CFR 1.113(c). A request for reconsideration while not provided for in 37 CFR 1.113(c) may be filed after final for consideration. See MPEP §§ 706.07(e) and 714.13.
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The actual filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/apply/applying-online/eterminal-disclaimer.
Double Patenting
Claims 1 is rejected on the ground of non statutory double patenting as being unpatentable over claims 1 and 35 of U.S. Patent No. 12058149. Although the claims at issue are not identical, they are not patentably distinct from each other because the limitations in each claim set relate to the same concept.
19/053,077
US Patent 12,058,149
A method of investigating a target host computer, the method using an investigation system comprising a computer system with a computer processor coupled to a system memory and programmed with computer readable instructions, the investigation system being remote to the target host computer, the method using at least one investigative module, wherein the at least one investigative module includes an agentless computer program comprising computer readable instructions to perform at least one investigative function on a host computer, the at least one investigative function relating to at least one data form, return investigation data relating to the at least one investigative function, the investigation data including at least one data form attribute relating to the at least one data form, and wherein the method includes:
performing a reference computer investigation of a reference host computer, the computer investigation including: (i) the investigation system establishing a connection between the investigation system and the reference host computer, and (ii) the investigation system sending the at least one investigative module to the reference host computer, the at least one investigative module performing the at least one investigative function and returning reference investigation data
performing a target computer investigation of the target host computer, the target computer investigation including: (i) the investigation system establishing a connection between the investigation system and the target host computer, and (ii) the investigation system sending the at least one investigative module to the target host computer, the at least one investigative module performing the at least one investigative function and returning comparison investigation data:
comparing a reference data fingerprint to a comparison data fingerprint to determine if said reference and comparison data fingerprints are identical; and wherein said reference data fingerprint includes at least two data form attributes of the reference investigation data; and wherein said comparison data fingerprint includes at least two corresponding data form attributes of the comparison investigation data
A method of investigating a remote host computer by using an investigation system remote to the remote host computer, the investigation system including at least one computer system with a computer processor coupled to a system memory and programmed with computer-readable instructions, the method comprising:
the investigation system establishing a connection with the remote host computer; the investigation system sending a first investigative module to the remote host computer, the first investigative module configured to run on the remote host computer to perform at least one investigative function to investigate the remote host computer to ascertain if the remote host computer has any data or process, collectively referred to as data forms, with suspicious data form attributes, wherein the first investigative module is an agentless computer program, being thus capable of running on the remote host computer without requiring a software agent on the remote host computer; the investigation system sending a second investigative module to the remote host computer, the second investigative module including data utilizable by the first investigative module, the data comprising instructions for the first investigative module to perform the at least one investigative function; the remote host computer running at least the first investigative module; and causing at least the first investigative module to be removed from the remote host computer; wherein the first investigative function is performable by the remote host computer running the first investigative module without any connection between the investigation system and the remote host computer.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Hussain (US Patent 10,778,539) in view of Carvey (NPL, Perl Scripting for Window Security) and in view of Bliner (US Patent Pub. 20250245684).
As per claim 1: A method of investigating a target host computer, the method using an investigation system comprising a computer system with a computer processor coupled to a system memory and programmed with computer readable instructions, the investigation system being remote to the target host computer (See Hussain; Col 20, lines 20-29; In a distributed computing environment, such as the one included in the service provider network 102, a fleet of VM instances and/or servers may have workflow or processes executed thereon to manage resources. For instance, a patch may need to be installed on each VM instance and/or resource at a particular time), performing a reference computer investigation of a reference host computer, the computer investigation including: (i) the investigation system establishing a connection between the investigation system and the reference host computer, and (ii) the investigation system sending the at least one investigative module to the reference host computer, the at least one investigative module performing the at least one investigative function and returning reference investigation data (See Hussain; the updated infrastructure template represents the current/live state, or snapshot, of the computing resource stack after the out of band changes have been made. For instance, the user(s) 122 may track changes made, and/or utilize the configuration difference notification, to determine how to create the updated infrastructure template that represents the current/live state of the computing resource stack 104).
However Hussain does not specifically disclose the method using at least one investigative module, wherein the at least one investigative module includes an agentless computer program comprising computer readable instructions to perform at least one investigative function on a host computer, the at least one investigative function relating to at least one data form, return investigation data relating to the at least one investigative function, the investigation data including at least one data form attribute relating to the at least one data form, and wherein the method includes (See Carvey, Page 15; the script is executed over a connection, runs its “investigative function” (e.g. querying running processes or registry keys), pulls specific data form attributes (like a process name or file path), return that data, and exits without leaving a permanent system agent behind):
performing a target computer investigation of the target host computer, the target computer investigation including: (i) the investigation system establishing a connection between the investigation system and the target host computer, and (ii) the investigation system sending the at least one investigative module to the target host computer, the at least one investigative module performing the at least one investigative function and returning comparison investigation data (See Carvey, Page 15; the script is executed over a connection, runs its “investigative function” (e.g. querying running processes or registry keys), pulls specific data form attributes (like a process name or file path), return that data, and exits without leaving a permanent system agent behind):
Therefore, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains, having the teachings of Hussain and Carvey in it’s entirety, to modify the technique of Hussain for resolving discrepancies that occur to interrelated computing resources from computing resource drift by adopting Carvey's teaching for Perl Scripting for window security. The motivation would have been to improve drift detection.
However, Hussain and Carvey do not specifically disclose comparing a reference data fingerprint to a comparison data fingerprint to determine if said reference and comparison data fingerprints are identical; and wherein said reference data fingerprint includes at least two data form attributes of the reference investigation data; and wherein said comparison data fingerprint includes at least two corresponding data form attributes of the comparison investigation data (See Bliner; Paragraph 60; one or more database(s) 120 may be present and configured to store a plurality of information including, but not limited to, training data used to train the various behavioral/predictive models described herein, a plurality of user data (e.g., user baseline “fingerprint”, demographic data, historical response/behavior data, etc.), campaign data (e.g., campaign parameters such as objectives, target audience, baseline questions, subject, etc.), business outcome data (when available) and various other data).
Therefore, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains, having the teachings of Hussain, Carvey and Bliner in it’s entirety, to modify the technique of Hussain for resolving discrepancies that occur to interrelated computing resources from computing resource drift by adopting Bliner's teaching for behavioral data collection. The motivation would have been to improve drift detection.
As per claim 2: The method of claim 1, wherein the reference host computer is the target host computer (See Hussain; Col 20, lines 20-29; In a distributed computing environment, such as the one included in the service provider network 102, a fleet of VM instances and/or servers may have workflow or processes executed thereon to manage resources. For instance, a patch may need to be installed on each VM instance and/or resource at a particular time).
As per claim 3: The method of claim 1, wherein:
(i) said reference data fingerprint comprises a hash of the at least two data form attributes of the reference investigation data (see Bliner; claim 1; parse the behavioral data to identify a first dataset associated with one or more baseline questions and a second dataset associated with one or more non-baseline questions; process the first dataset to establish a behavioral baseline; process the second dataset through a trained behavioral model to generate a model result; compare the behavioral baseline to the model result; and predict a behavioral attribute of the user based on the comparison of the behavioral baseline to the model result), and
(ii) said comparison data fingerprint comprises a hash of the at least two corresponding data form attributes of the comparison investigation data (See Carvey; Page 60 hashes).
As per claim 4: The method of claim 1, wherein at least one of:
(i) said reference data fingerprint is comprised of a combination or concatenation of the at least two data form attributes of the reference investigation data (see Bliner; claim 1; parse the behavioral data to identify a first dataset associated with one or more baseline questions and a second dataset associated with one or more non-baseline questions; process the first dataset to establish a behavioral baseline; process the second dataset through a trained behavioral model to generate a model result; compare the behavioral baseline to the model result; and predict a behavioral attribute of the user based on the comparison of the behavioral baseline to the model result), and
(ii) said comparison data fingerprint is comprised of a combination or concatenation of the at least two data form attributes of the comparison investigation data (see Bliner; Paragraph 11-12, the behavioral data comprises trajectory data, the trajectory data comprising mouse or finger trajectory data, directional changes, and micro-movement data; the behavioral data comprises timing data, the timing data comprising response time, dwell time, hover time, and transition time).
As per claim 5: The method of claim 4, wherein:
(i) said reference data fingerprint comprises a hash of the combination or concatenation of the at least two data form attributes of the reference investigation data (see Bliner; Paragraph 11-12, the behavioral data comprises trajectory data, the trajectory data comprising mouse or finger trajectory data, directional changes, and micro-movement data; the behavioral data comprises timing data, the timing data comprising response time, dwell time, hover time, and transition time), (See Carvey; Page 60 hashes) and
(ii) said comparison data fingerprint comprises a hash of the combination or concatenation of the at least two corresponding data form attributes of the comparison investigation data (see Bliner; Paragraph 11-12, the behavioral data comprises trajectory data, the trajectory data comprising mouse or finger trajectory data, directional changes, and micro-movement data; the behavioral data comprises timing data, the timing data comprising response time, dwell time, hover time, and transition time), (See Carvey; Page 60 hashes).
As per claim 6: The method of claim 1, wherein at least one of said data fingerprints is comprised of one of the following:
(i) the corresponding at least two data form attributes (see Bliner; Paragraph 11-12, the behavioral data comprises trajectory data, the trajectory data comprising mouse or finger trajectory data, directional changes, and micro-movement data; the behavioral data comprises timing data, the timing data comprising response time, dwell time, hover time, and transition time), (See Carvey; Page 60 hashes);
(ii) combination or concatenation of the corresponding at least two data form attributes;
(iii) hash of the corresponding at least two data form attributes; and
(iv) hash of the combination or concatenation of the corresponding at least two data form attributes.
As per claim 7: The method of claim 1, wherein multiple reference computer investigations are performed to create multiple reference data fingerprints, each of said multiple reference data fingerprints representing a different set or collation of multiple data form attributes (Col 15, lines 20-24; he displayed differences 310 may highlight several different types of configuration drift that have occurred from the expected or baseline configuration settings 306 compared to the current configuration settings 308) (see Bliner; Paragraph 78; A user profile may or may not store (in database 120) user demographic data, baseline “fingerprint” data, historical response data, and/or the like. In other embodiments, platform may not store any data and may instead, collect, process, and analyze the data before removing the data from the platform. The data associated with the non-baseline questions may be analyzed by the behavior model(s) and compared against the baseline fingerprint as part of the process to determine the user's behavior).
As per claim 8: The method of claim 1, wherein the at least one investigative module includes a first investigate module and a second investigative module, the second investigative module including data readable by the first investigative module, the data including instructions or data necessary for the first
investigative module to perform the at least one investigative function (See Carvey, page 44 Core controller/engine (first module) that dynamically loads parameters, scripts or configuration data files to execute targeted commands (second module)).
As per claim 9: The method of claim 8, wherein the second investigative module comprises data including an identifier of an investigative function to run, and one or more parameters for the at least one investigative function (See Carvey, page 44 Core controller/engine (first module) that dynamically loads parameters, scripts or configuration data files to execute targeted commands (second module)).
As per claim 10: The method of claim 8, wherein the second investigative module comprises one or more functions, executable by the first investigative module (See Carvey, page 44 Core controller/engine (first module) that dynamically loads parameters, scripts or configuration data files to execute targeted commands (second module)).
As per claim 11: The method of claim 1, wherein at least one of the data fingerprints comprises a hash of a subset of the investigation data or a hash of the entirety of the investigation data (see Bliner; Paragraph 11-12, the behavioral data comprises trajectory data, the trajectory data comprising mouse or finger trajectory data, directional changes, and micro-movement data; the behavioral data comprises timing data, the timing data comprising response time, dwell time, hover time, and transition time), (See Carvey; Page 60 hashes).
As per claim 12: The method of claim 1, wherein the data fingerprints include hashes representing the investigation data or subset thereof (See Bliner; Paragraph 60; store a plurality of information including, but not limited to, training data used to train the various behavioral/predictive models described herein, a plurality of user data (e.g., user baseline “fingerprint”, demographic data, historical response/behavior data, etc.), campaign data (e.g., campaign parameters such as objectives, target audience, baseline questions, subject, etc.), business outcome data (when available) and various other data).
As per claim 13: The method of claim 1, wherein the at least one investigative module performs at least one of:
(i) hashing of the at least two data form attributes of the reference investigation data to produce the reference data fingerprint (see Bliner; Paragraph 11-12, the behavioral data comprises trajectory data, the trajectory data comprising mouse or finger trajectory data, directional changes, and micro-movement data; the behavioral data comprises timing data, the timing data comprising response time, dwell time, hover time, and transition time), (See Carvey; Page 60 hashes), and
(ii) hashing of the at least two data form attributes of the comparison investigation data to produce the comparison data fingerprint.
As per claim 14: The method of claim 1, wherein the investigation system stores data records, the data records including a record including:
(i) at least one of the data fingerprints, (ii) an identifier of the corresponding host computer (see Bliner; Paragraph 11-12, the behavioral data comprises trajectory data, the trajectory data comprising mouse or finger trajectory data, directional changes, and micro-movement data; the behavioral data comprises timing data, the timing data comprising response time, dwell time, hover time, and transition time), (See Carvey; Page 60 hashes), and (iii) an identifier of the at least one investigative module run to produce the at least one of the data fingerprints.
As per claim 15: The method of claim 1, wherein the computer investigations include using multiple different investigative modules performing corresponding second investigation functions, each of said multiple different investigative modules returning corresponding second data fingerprints that are collected by the investigation system (Col 15, lines 20-24; he displayed differences 310 may highlight several different types of configuration drift that have occurred from the expected or baseline configuration settings 306 compared to the current configuration settings 308) (see Bliner; Paragraph 78; A user profile may or may not store (in database 120) user demographic data, baseline “fingerprint” data, historical response data, and/or the like. In other embodiments, platform may not store any data and may instead, collect, process, and analyze the data before removing the data from the platform. The data associated with the non-baseline questions may be analyzed by the behavior model(s) and compared against the baseline fingerprint as part of the process to determine the user's behavior).
As per claim 16: The method of claim 1, wherein the investigation system produces a single data fingerprint representing the investigation data returned by multiple different investigative modules, the single data fingerprint being a representation of the combination of all, or part, of the investigation data returned by the multiple different investigative modules (Col 15, lines 20-24; he displayed differences 310 may highlight several different types of configuration drift that have occurred from the expected or baseline configuration settings 306 compared to the current configuration settings 308) (see Bliner; Paragraph 78; A user profile may or may not store (in database 120) user demographic data, baseline “fingerprint” data, historical response data, and/or the like. In other embodiments, platform may not store any data and may instead, collect, process, and analyze the data before removing the data from the platform. The data associated with the non-baseline questions may be analyzed by the behavior model(s) and compared against the baseline fingerprint as part of the process to determine the user's behavior).
As per claim 17: The method of claim 1, wherein the at least one investigative module is configured to generate multiple reference data fingerprints, each of the multiple reference data fingerprints corresponding to a different subset of the reference investigation data (See Bliner; Paragraph 60; one or more database(s) 120 may be present and configured to store a plurality of information including, but not limited to, training data used to train the various behavioral/predictive models described herein, a plurality of user data (e.g., user baseline “fingerprint”, demographic data, historical response/behavior data, etc.), campaign data (e.g., campaign parameters such as objectives, target audience, baseline questions, subject, etc.), business outcome data (when available) and various other data).
As per claim 18: The method of claim 17, wherein the reference data fingerprint is a first data fingerprint, wherein the investigation system stores the multiple reference data fingerprints for each subset of the reference investigation data, including at least:
(i) the first reference data fingerprint of a first subset of the reference investigation data (see Bliner; Paragraph 11-12, the behavioral data comprises trajectory data, the trajectory data comprising mouse or finger trajectory data, directional changes, and micro-movement data; the behavioral data comprises timing data, the timing data comprising response time, dwell time, hover time, and transition time), (See Carvey; Page 60 hashes), and
(ii) a second reference data fingerprint of a second subset of the reference investigation data, wherein said first and second subsets are different.
As per claim 19: The method of claim 18, wherein the second subset may be a superset of the first subset (see Bliner; Paragraph 114; e behavioral data is parsed into a first subset of data and a second subset of data at step 1103. In various implementations, the first subset of data may comprise behavioral data corresponding to baseline/benchmark questions which may be placed at the beginning of each web-based survey by the API. The second subset of data may comprise behavioral data corresponding to non-baseline or “real” survey questions).
As per claim 20: The method of claim 19, wherein the subsets of the reference investigation data correspond to at least one of: different data forms; and different sets of data form attributes (Col 15, lines 20-24; he displayed differences 310 may highlight several different types of configuration drift that have occurred from the expected or baseline configuration settings 306 compared to the current configuration settings 308) (see Bliner; Paragraph 78; A user profile may or may not store (in database 120) user demographic data, baseline “fingerprint” data, historical response data, and/or the like. In other embodiments, platform may not store any data and may instead, collect, process, and analyze the data before removing the data from the platform. The data associated with the non-baseline questions may be analyzed by the behavior model(s) and compared against the baseline fingerprint as part of the process to determine the user's behavior).
Relevant Prior Art References
The following prior art is cited as being of interest to the claimed invention but has not been applied in any of the current rejections.
Tav et al.- US Patent Publication 2022/0357937- the prior art teaches techniques for agentless installation for building deployments.
Marwah et al.- US Patent Pub. 2023/0032678 - the prior art teaches techniques for abnormality detection in log entry collection.
Chickering et al.- US Patent Pub. 2014/0123217 - the prior art teaches techniques for
provisioning layer three access through enforcement point for agentless devices.
Kumar et al.- US Patent Pub. 11,115,272 - the prior art teaches techniques for
Detecting configuration drift
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ANTHONY D BROWN whose telephone number is (571)270-1472. The examiner can normally be reached 730-330pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Linglan Edwards can be reached at 5712705440. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/ANTHONY D BROWN/Primary Examiner, Art Unit 2408