DETAILED ACTION
This action is in response to new application filed 1/28/2020 titled “SYSTEM AND METHOD FOR DEFENSE AGAINST CACHE TIMING CHANNEL ATTACKS USING CACHE MANAGEMENT HARDWARE”. Claims 1-21 were received for consideration and are under consideration.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 11/04/2020 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1, 2, 6-8, 11, 14 and 18-21 are rejected under 35 U.S.C. 102(a)(1)/(a)(2) as being anticipated by Browne et al (2019/0042739).
With respect to claim 1 Browne teaches a method for identifying a cache timing channel attack based on cache occupancy, the method comprising: 
monitoring cache occupancy for a set of application processes operating in a processor to produce cache occupancy data over a period of time (see Browne paragraph 0037 i.e. the analytics server 104 identifies suspicious core activity based on the activity counter data. Suspicious core activity is indicative of an active cache side channel attack and may include abnormal levels of LLC 206 occupancy, LLC 206 misses, memory bandwidth consumed, or other abnormal resource usage); and 
analyzing the cache occupancy data to identify a potential cache timing channel attack (see Browne figure 4 and paragraph 0038 i.e. In block 412, the analytics server 104 deploys a detection process to the monitored computing device 102. The detection process may be embodied as a specialized software process or other process that monitors for suspicious application activity indicative of a cache side channel attack).

With respect to claim 2 Browne teaches the method of claim 1, further comprising: partitioning cache access between a pair of application processes involved in the potential cache timing channel attack (see Browne paragraph 0041 i.e. In block 424, in some embodiments the computing device 102 may kill a process associated with the suspicious application or otherwise terminate a currently executing suspicious application. In block 426, in some embodiments the computing device 102 may delete an executable image or other files associated with the suspicious application. In block 

With respect to claim 6 Browne teaches the method of claim 1, wherein monitoring the cache occupancy comprises using a cache occupancy monitor provided by the processor (see Browne figure 2 and paragraph 0046 i.e. The platform resource manager 210 counters may be indicative of, for example, cache occupancy in the LLC 206 and memory bandwidth used. As described above, the resource manager 210 may provide LLC 206 and memory bandwidth data for the primary applications as well as for all processes executed by the computing device 102).

With respect to claim 7 Browne teaches the method of claim 6, wherein the cache occupancy monitor provided by the processor is a built-in cache monitoring infrastructure of the processor for at least one of observing performance or improving application runtime (see Browne figure 2 and paragraph 0046 i.e. The platform resource 

With respect to claim 8 Browne teaches the method of claim 1, wherein the method is performed on an operating system in communication with the processor (see Browne paragraph 0017, 0034 and 0040).

With respect to claim 11 Browne teaches a method for identifying a cache timing channel attack, the method comprising: 
receiving cache occupancy data for a set of application domains occupying a cache in a processor (see Browne paragraph 0037 i.e. the analytics server 104 identifies suspicious core activity based on the activity counter data. Suspicious core activity is indicative of an active cache side channel attack and may include abnormal levels of LLC 206 occupancy, LLC 206 misses, memory bandwidth consumed, or other abnormal resource usage); 
performing a pair-wise analysis of the set of application domains based on the cache occupancy data; and identifying a potential cache timing channel attack from the pair-wise analysis (see Browne figure 4 and paragraph 0038 i.e. In block 412, the analytics server 104 deploys a detection process to the monitored computing device 102. The detection process may be embodied as a specialized software process or 

With respect to claim 14 Browne teaches the method of claim 12, wherein performing the pair-wise analysis of the set of application domains comprises: computing a pair of cache occupancy traces for each pair of application domains based on changes in cache occupancy; and finding gain-loss swing patterns mirrored between the pair of cache occupancy traces for each pair of application domains (see Browne paragraph 0041 i.e. In block 424, in some embodiments the computing device 102 may kill a process associated with the suspicious application or otherwise terminate a currently executing suspicious application. In block 426, in some embodiments the computing device 102 may delete an executable image or other files associated with the suspicious application. In block 428, in some embodiments the computing device 102 may reset, reboot, or otherwise restart. Resetting the computing device 102 may cause the caches and other volatile memory of the computing device 102 to be reset and thus may defeat certain cache side channel attacks. In some embodiments, in block 430 the computing device 102 may restrict resource usage such as memory bandwidth or LLC 206 occupancy for a process associated with the suspicious application using the resource manager 210 of the computing device 102. Restricting resource usage may prevent or reduce the severity of certain cache side-channel attacks, for example by preventing the malicious process from forcing the LLC 206 to be flushed and/or by reducing the rate that a malicious process can attempt to read unauthorized memory).
18. A system for defense against timing channel attacks, the system comprising: 

an occupancy pattern analyzer configured to analyze the cache occupancy data to identify a potential cache timing channel attack (see Browne figure 4 and paragraph 0038 i.e. In block 412, the analytics server 104 deploys a detection process to the monitored computing device 102. The detection process may be embodied as a specialized software process or other process that monitors for suspicious application activity indicative of a cache side channel attack).

With respect to claim 19 Browne teaches the system of claim 18, wherein the cache occupancy monitor is deployed on a combination of firmware and management layers operating on a processor (see Browne paragraph 0017, 0034 and 0040).

With respect to claim 20 Browne teaches the system of claim 19, wherein the occupancy pattern analyzer is deployed on an operating system operating on the processor (see Browne figure 2 and paragraph 0046 i.e. The platform resource manager 210 counters may be indicative of, for example, cache occupancy in the LLC 206 and memory bandwidth used. As described above, the resource manager 210 may provide LLC 206 and memory bandwidth data for the primary applications as well as for all processes executed by the computing device 102).

With respect to claim 21 Browne teaches the system of claim 18, further comprising a way allocation manager to partition access to the cache blocks for a pair of application processes involved in the potential cache timing channel attack (see Browne paragraph 0041 i.e. In block 424, in some embodiments the computing device 102 may kill a process associated with the suspicious application or otherwise terminate a currently executing suspicious application. In block 426, in some embodiments the computing device 102 may delete an executable image or other files associated with the suspicious application. In block 428, in some embodiments the computing device 102 may reset, reboot, or otherwise restart. Resetting the computing device 102 may cause the caches and other volatile memory of the computing device 102 to be reset and thus may defeat certain cache side channel attacks. In some embodiments, in block 430 the computing device 102 may restrict resource usage such as memory bandwidth or LLC 206 occupancy for a process associated with the suspicious application using the resource manager 210 of the computing device 102. Restricting resource usage may prevent or reduce the severity of certain cache side-channel attacks, for example by preventing the malicious process from forcing the LLC 206 to be flushed and/or by reducing the rate that a malicious process can attempt to read unauthorized memory).


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 3-5, 9, 10, 12 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Browne et al (2019/0042739) in view of .
With respect to claim 3 Browne teaches the method of claim 2, but does not disclose wherein: partitioning the cache access between the pair of application processes involved in the potential cache timing channel attack comprises assigning at least one of the pair of application processes to a separate class of service (CLOS); and each CLOS has a predefined cache ways accessible to a corresponding application process.
Yao teaches wherein: partitioning the cache access between the pair of application processes involved in the potential cache timing channel attack comprises assigning at least one of the pair of application processes to a separate class of service (CLOS); and each CLOS has a predefined cache ways accessible to a corresponding application process (see Yao section II. Background C. Cache Occupancy Monitoring and Way Allocation i.e. Additionally, the CAT technology enables an agile way for partitioning the LLC ways. With CAT, caches can be configured to have several different partitions on cache ways, called Classes of Service (CLOS) [2], [10]. A hardware context, that is restricted to certain ways, can still read the data from other ways where the data resides, however, it can only allocate new cache lines in its designated ways, which means evicting cache lines from other CLOS is not possible. The default for all applications is CLOS0, where all cache ways are accessible. It is worth noting that the current version of CAT supports arbitrary runtime reconfigurations of CLOSes transparently, which essentially makes dynamic response for cache timing channels possible).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Browne in view of Yao to partition the cache access temporarily using Cache Allocation Technology (CAT), which enables dynamic cache way partitioning for applications. With CAT, caches can be configured to have several different partitions on cache ways, called Classes of Service (CLOS). A hardware context, that is restricted to certain ways, can still read the data from other ways where the data resides. Therefore one would have been motivated to use CAT to partition the cache access temporarily, since CAT technologies are made available only in the Last Level Cache (LLC) (See Yao Section I Introduction).

	
With respect to claim 4 Browne teaches the method of claim 2, but does not disclose wherein partitioning the cache access between the pair of application processes involved in the potential cache timing channel attack comprises partitioning the cache access temporarily.
Yao teaches wherein partitioning the cache access between the pair of application processes involved in the potential cache timing channel attack comprises partitioning the cache access temporarily (see Yao section II. Background C. Cache Occupancy Monitoring and Way Allocation i.e. Additionally, the CAT technology enables an agile way for partitioning the LLC ways. With CAT, caches can be configured to have several different partitions on cache ways, called Classes of Service (CLOS) [2], [10]. A hardware context, that is restricted to certain ways, can still read the data from other ways where the data resides, however, it can only allocate new cache lines in its designated ways, which means evicting cache lines from other CLOS is not possible. The default for all applications is CLOS0, where all cache ways are accessible. It is worth noting that the current version of CAT supports arbitrary runtime reconfigurations of CLOSes transparently, which essentially makes dynamic response for cache timing channels possible).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Browne in view of Yao to partition the cache access temporarily using Cache Allocation Technology (CAT), which enables dynamic cache way partitioning for applications. With CAT, caches can be configured to have several different partitions on cache ways, called Classes of Service (CLOS). A hardware context, that is restricted to certain ways, can still read the data from other ways where the data resides. Therefore one would have been motivated to use CAT to partition the cache access temporarily, since CAT technologies are made available only in the Last Level Cache (LLC) (See Yao Section I Introduction).

With respect to claim 5 Browne teaches the method of claim 2 but does not disclose, wherein partitioning the cache access between the pair of application processes involved in the potential cache timing channel attack comprises partitioning the cache access until at least one of the pair of application processes finishes execution.
Yao teaches wherein partitioning the cache access between the pair of application processes involved in the potential cache timing channel attack comprises partitioning the cache access until at least one of the pair of application processes finishes execution (see Yao section II. Background C. Cache Occupancy Monitoring and Way Allocation i.e. Additionally, the CAT technology enables an agile way for partitioning the LLC ways. With CAT, caches can be configured to have several different partitions on cache ways, called Classes of Service (CLOS) [2], [10]. A hardware context, that is restricted to certain ways, can still read the data from other ways where the data resides, however, it can only allocate new cache lines in its designated ways, which means evicting cache lines from other CLOS is not possible. The default for all applications is CLOS0, where all cache ways are accessible. It is worth noting that the current version of CAT supports arbitrary runtime reconfigurations of CLOSes transparently, which essentially makes dynamic response for cache timing channels possible).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Browne in view of Yao to partition the cache access temporarily using Cache Allocation Technology (CAT), which enables dynamic cache way partitioning for applications. With CAT, caches can be configured to have several different partitions on cache ways, called Classes of Service (CLOS). A hardware context, that is restricted to certain ways, can still read the data from other ways where the data resides. Therefore one would have been motivated to use CAT to partition the cache access temporarily, since CAT technologies are made available only in the Last Level Cache (LLC) (See Yao Section I Introduction).

	With respect to claim 9 Browne teaches the method of claim 1 but does not disclose, wherein monitoring the cache occupancy for the set of application processes comprises, during each of a plurality of time windows, reading cache occupancy for each of a plurality of application domains.
Yao teaches wherein monitoring the cache occupancy for the set of application processes comprises, during each of a plurality of time windows, reading cache occupancy for each of a plurality of application domains (See Yao section V. System Design B. Occupancy Pattern Analyzer i.e. Once LLC traces are gathered, the LLC occupancy analyzer (abbreviated as analyzer) checks for any potential timing channel activity. Note that the timing channel attacks can happen within a certain period during the span of entire program execution, and hence, we adopt a window-based analysis of LLC occupancy traces. The window size can be chosen by the system administrator based on her needs: swiftness of defense vs. runtime overhead trade-offs. Assume that we have n windows (indexed by i) of raw LLC occupancy traces for a pair of application domains (D1, D2). xi and yi (0 < i < n − 1) are the LLC occupancy sample vectors obtained by reading LLC occupancy MSRs periodically within the ith window for domains D1 and D2 respectively. We can then get the time-differentiated cache occupancy traces for each domain, denoted as Δxi,j and Δyi,j (i.e., the LLC occupancy difference between two consecutive samples). Figure 5 shows time-differentiated LLC occupancy traces for covert and side channels that implement serial protocol with on-off encoding and parallel protocol with pulse-position encoding respectively).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Browne in view of Yao to have monitored the cache occupancy for the set of application processes during each of a plurality of time windows as a way for the analyzer to focus on finding mirror images of pulses in the two time-differentiated cache occupancy traces, capture unique patterns, and filter the noise effects from surrounding cache activity to zero out all non-negative values that do not correspond to gain-loss swing patterns in LLC occupancy (See Yao section V. System Design B. Occupancy Pattern Analyzer).
	

With respect to claim 10 Browne teaches the method of claim 9, but does not disclose wherein analyzing the cache occupancy data comprises observing patterns of cache occupancy for one or more application domain pairs of the plurality of application domains over the plurality of time windows.
Yao teaches wherein analyzing the cache occupancy data comprises observing patterns of cache occupancy for one or more application domain pairs of the plurality of application domains over the plurality of time windows (See Yao section V. System Design B. Occupancy Pattern Analyzer i.e. Once LLC traces are gathered, the LLC occupancy analyzer (abbreviated as analyzer) checks for any potential timing channel activity. Note that the timing channel attacks can happen within a certain period during the span of entire program execution, and hence, we adopt a window-based analysis of LLC occupancy traces. The window size can be chosen by the system administrator based on her needs: swiftness of defense vs. runtime overhead trade-offs. Assume that we have n windows (indexed by i) of raw LLC occupancy traces for a pair of application domains (D1, D2). xi and yi (0 < i < n − 1) are the LLC occupancy sample vectors obtained by reading LLC occupancy MSRs periodically within the ith window for domains D1 and D2 respectively. We can then get the time-differentiated cache occupancy traces for each domain, denoted as Δxi,j and Δyi,j (i.e., the LLC occupancy difference between two consecutive samples). Figure 5 shows time-differentiated LLC occupancy traces for covert and side channels that implement serial protocol with on-off encoding and parallel protocol with pulse-position encoding respectively).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Browne in view of Yao to have monitored the cache occupancy for the set of application processes during each of a plurality of time windows as a way for the analyzer to focus on finding mirror images of pulses in the two time-differentiated cache occupancy traces, capture unique patterns, and filter the noise effects from surrounding cache activity to zero out all non-negative values that do not correspond to gain-loss swing patterns in LLC occupancy (See Yao section V. System Design B. Occupancy Pattern Analyzer).

With respect to claim 12 Browne teaches the method of claim 11 but does not disclose, wherein the pair-wise analysis of the set of application domains is performed over a plurality of time windows.
Yao teaches wherein the pair-wise analysis of the set of application domains is performed over a plurality of time windows (See Yao section V. System Design B. Occupancy Pattern Analyzer i.e. Once LLC traces are gathered, the LLC occupancy analyzer (abbreviated as analyzer) checks for any potential timing channel activity. Note that the timing channel attacks can happen within a certain period during the span of entire program execution, and hence, we adopt a window-based analysis of LLC occupancy traces. The window size can be chosen by the system administrator based on her needs: swiftness of defense vs. runtime overhead trade-offs. Assume that we have n windows (indexed by i) of raw LLC occupancy traces for a pair of application domains (D1, D2). xi and yi (0 < i < n − 1) are the LLC occupancy sample vectors obtained by reading LLC occupancy MSRs periodically within the ith window for domains D1 and D2 respectively. We can then get the time-differentiated cache occupancy traces for each domain, denoted as Δxi,j and Δyi,j (i.e., the LLC occupancy difference between two consecutive samples). Figure 5 shows time-differentiated LLC occupancy traces for covert and side channels that implement serial protocol with on-off encoding and parallel protocol with pulse-position encoding respectively).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Browne in view of Yao to have monitored the cache occupancy for the set of application processes during each of a plurality of time windows as a way for the analyzer to focus on finding mirror images of pulses in the two time-differentiated cache occupancy traces, capture unique patterns, and filter the noise effects from surrounding cache activity to zero out all non-negative values that do not correspond to gain-loss swing patterns in LLC occupancy (See Yao section V. System Design B. Occupancy Pattern Analyzer).

With respect to claim 13 Browne teaches the method of claim 12, but does not disclose wherein a window size of the plurality of time windows is user controllable.
Yao teaches wherein a window size of the plurality of time windows is user controllable (See Yao section V. System Design B. Occupancy Pattern Analyzer i.e. Once LLC traces are gathered, the LLC occupancy analyzer (abbreviated as analyzer) checks for any potential timing channel activity. Note that the timing channel attacks can happen within a certain period during the span of entire program execution, and hence, we adopt a window-based analysis of LLC occupancy traces. The window size can be chosen by the system administrator based on her needs: swiftness of defense vs. runtime overhead trade-offs).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Browne in view of Yao to have the plurality of time windows be user controllable as a way for the administrator to set the time window based on the needs of swiftness of defense vs. runtime overhead trade-offs (See Yao section V. System Design B. Occupancy Pattern Analyzer).
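
The window-based pair-wise analysis quoted from Yao above (time-differentiated occupancy traces, mirrored gain-loss swings, an administrator-chosen window size), as an added example that is not code from Yao, Browne or the application. The product-and-zero-out scoring, the `min_swing` noise floor, the `min_hits` threshold and the sample traces are assumptions made for illustration; it is not the formula recited in claim 15, which does not appear in this text.

```python
"""Pair-wise, window-based analysis of LLC occupancy traces (illustrative)."""
from itertools import combinations


def split_windows(trace, window_size):
    """Cut a raw occupancy trace into consecutive, non-overlapping windows."""
    last_start = len(trace) - window_size
    return [trace[s:s + window_size] for s in range(0, last_start + 1, window_size)]


def differentiate(samples):
    """Time-differentiated trace: difference between consecutive samples."""
    return [b - a for a, b in zip(samples, samples[1:])]


def mirrored_swings(dx, dy, min_swing):
    """Assumed scoring, not the claimed formula: keep the product of the two
    deltas only where one domain gains while the other loses (negative
    product) and both moves clear the noise floor; zero out everything else."""
    scores = []
    for a, b in zip(dx, dy):
        mirrored = a * b < 0 and min(abs(a), abs(b)) >= min_swing
        scores.append(a * b if mirrored else 0)
    return scores


def analyze(traces, window_size, min_swing, min_hits):
    """Return {(domain_a, domain_b): [indices of suspicious windows]}.

    window_size is the administrator's knob: small windows react faster,
    large windows cost fewer analysis passes. min_swing and min_hits are
    hypothetical thresholds introduced for this example.
    """
    report = {}
    for a, b in combinations(sorted(traces), 2):
        flagged = []
        pairs = zip(split_windows(traces[a], window_size),
                    split_windows(traces[b], window_size))
        for i, (x_i, y_i) in enumerate(pairs):
            z_i = mirrored_swings(differentiate(x_i), differentiate(y_i), min_swing)
            if sum(1 for z in z_i if z < 0) >= min_hits:
                flagged.append(i)
        report[(a, b)] = flagged
    return report


def constructed_traces():
    """Constructed sample data: LLC occupancy (KB) per sampling tick.

    'trojan' and 'spy' trade 60 KB back and forth during ticks 8-23 only;
    'batch' is an unrelated workload whose footprint grows slowly.
    """
    n, active = 32, range(8, 24)
    return {
        "trojan": [160 if (i in active and i % 2) else 100 for i in range(n)],
        "spy": [140 if (i in active and i % 2) else 200 for i in range(n)],
        "batch": [300 + i + (i % 2) for i in range(n)],
    }


if __name__ == "__main__":
    report = analyze(constructed_traces(), window_size=8, min_swing=16, min_hits=4)
    for pair, windows in report.items():
        print(pair, "suspicious windows:", windows)
```

Without the noise floor, the small growth steps of `batch` would pair with the `spy` domain's losses and register as swings, which is why the example discards moves below `min_swing`.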

Allowable Subject Matter
Claims 15-17 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
With respect to claim 15 the prior art does not teach the method of claim 14, wherein finding the gain-loss swing patterns mirrored between the pair of cache occupancy traces comprises taking a product zi based on the formula:

    [Formula image: media_image1.png]

where

    [Formula image: media_image2.png]

where xi,j and yi,j are jth occupancy samples in an ith window for a first application domain and a second application domain, respectively, in each pair of application domains.
Claims 16-17 are objected to based on their dependency from claim 15.

Prior Art Not Used in Rejection
	Qi et al (US 2009/0010424) titled “System and Methods for Side-Channel Attack Prevention”.
	Sebot et al (US 2008/0155679) titled “Mitigating Branch Prediction and Other Timing Based Side Channel Attacks” teaches to provide hardware protection against timing based side channel attacks, a processor's microarchitecture enables an OS to determine which applications have the privilege to read timestamp and performance counters.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DEVIN E ALMEIDA whose telephone number is (571)270-1018.  The examiner can normally be reached on Monday-Thursday from 7:30 A.M. to 5:00 P.M.  The examiner can also be reached on alternate Fridays from 7:30 A.M. to 4:00 P.M. 
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Saleh Najjar, can be reached on 571-272-4006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).

/DEVIN E ALMEIDA/Examiner, Art Unit 2492
/ARAVIND K MOORTHY/Primary Examiner, Art Unit 2492