EXAMINER'S AMENDMENT

Continued Examination Under 37 CFR 1.114

A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 07 December 2021 has been entered.
By the above submission, Claims 1, 6, 9, 14, 17, and 20-23 have been amended.  No claims have been added or canceled.  Claims 1-4, 6-11, 14, 15, 17, 18, and 20-23 are currently pending in the present application.

Response to Amendment

The amendments to the specification do not fully comply with the provision of 37 CFR 1.121(b)(1)(i) that replacement paragraphs must unambiguously identify the location to replace a paragraph.  On page 2 of the present response, the paragraph number of the replacement paragraph does not match the paragraph number in the instruction, which is not an unambiguous identification of the paragraph to be replaced.  A replacement paragraph is included in the examiner’s amendment set forth below.
The amendments to the claims do not fully comply with the requirement of 37 CFR 1.121(c)(2) that all amended claims include markings indicating the changes made relative to the immediate prior version of the claims.  At least Claim 9 appears to include text that was added without being marked with underlining as required, and also includes text, shown in strikethrough as deleted, which was not previously present in the claim.  For purposes of compact prosecution, the claims have been treated as though they were fully compliant with 37 CFR 1.121.  If any of the unmarked amendments were not intended, Applicant must promptly submit an amendment under 37 CFR 1.312 or 37 CFR 1.114 to correct any unintended amendments.

Examiner’s Amendment

An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
The application has been amended as follows: 

IN THE SPECIFICATION:
Please REPLACE Paragraph [0036] with the following replacement paragraph:

[0036] As used in the present disclosure, the term "computer" is intended to encompass any suitable processing device.  For example, client 170, lifecycle operations system 102, and intrusion detection system 130 may be any computer or processing device such as, for example, a blade server, general-purpose personal computer (PC), MAC®, workstation, UNIX-based workstation, embedded system or any other suitable device.  Moreover, although FIG. 1 illustrates particular components as a single element, those components may be implemented using a single system or more than those illustrated, as well as computers other than servers, including a server pool or variations that include distributed computing.  In other words, the present disclosure contemplates computers other than general purpose computers, as well as computers without conventional operating systems.  Client 170 may be any system which can request data, execute an application, and/or interact with the intrusion detection system 130 and/or the lifecycle operations system 102.  The client 170, in some instances, may be a desktop system, a client terminal, or any other suitable device, including a mobile device, such as a smartphone, tablet, smartwatch, or any other mobile computing device.  In general, each illustrated component may be adapted to execute any suitable operating system, including Linux, UNIX, WINDOWS, MAC OS®, JAVA™, ANDROID™, WINDOWS PHONE OS, iOS™, [[or]] and any other real-time OS.


IN THE CLAIMS:
Please REPLACE Claims 1, 6, 9, 14, 17, and 20 with the following amended claims:

1.	A computer-implemented method performed by one or more processors, the method comprising:
monitoring, by an intrusion detection system, a secured environment comprising at least one component, the secured environment associated with a lifecycle operations manager responsible for managing lifecycle operations associated with the at least one component in the secured environment;
obtaining, by the intrusion detection system, one or more log files associated with operations of each of the at least one component;
obtaining, by the intrusion detection system, log files associated with lifecycle operations executed by the lifecycle operations manager on at least one respective component of the at least one component in the secured environment;
accessing, by the intrusion detection system, a lifecycle-based context associated with the lifecycle operations manager, wherein the lifecycle-based context stores contextual information associated with the lifecycle operations, wherein the lifecycle operations are executed by the lifecycle operations manager on the at least one respective component of the at least one component in the secured environment;
pre-filtering, by the intrusion detection system and based on the contextual information stored in the lifecycle based context, the log files to identify at least one potentially malicious action prior to determining whether a malicious action exists in the  
determining, by the intrusion detection system and based on the pre-filtered log files, whether a violation of at least one particular malicious action rule from a malicious action rules set is associated with one or more of the lifecycle operations associated with the lifecycle-based context; and
in response to determining that the violation of the at least one particular malicious action rule is associated with the one or more of the lifecycle operations associated with the lifecycle-based context:
identifying a particular mitigation action associated with the violation of the at least one particular malicious action rule, wherein the particular mitigation action includes one or more countermeasure actions that are to be taken by the intrusion detection system in response to the violation, and
performing the particular mitigation action by the intrusion detection system.

6.	The method of claim 1, wherein the particular mitigation action includes at least one of presenting a warning to a responsible entity and automatic triggering of at least one electronic countermeasure corresponding to the violation of the at least one particular malicious action rule.  

9.	An intrusion detection system comprising:
at least one processor; and

monitoring, by [[an]] the intrusion detection system, a secured environment comprising at least one component, the secured environment associated with a lifecycle operations manager responsible for managing lifecycle operations associated with the at least one component in the secured environment;
obtaining, by the intrusion detection system, one or more log files associated with operations of each of the at least one component;
obtaining, by the intrusion detection system, log files associated with lifecycle operations executed by the lifecycle operations manager on at least one respective component of the at least one component in the secured environment;
accessing, by the intrusion detection system, a lifecycle-based context associated with the lifecycle operations manager, wherein the lifecycle-based context stores contextual information associated with the lifecycle operations, wherein the lifecycle operations are executed by the lifecycle operations manager on the at least one respective component of the at least one component in the secured environment;
pre-filtering, by the intrusion detection system and based on the contextual information stored in the lifecycle based context, the log files to identify at least one potentially malicious action prior to determining whether a malicious action 
determining, by the intrusion detection system and based on the pre-filtered log files, whether a violation of at least one particular malicious action rule from a malicious action rules set is associated with one or more of the lifecycle operations associated with the lifecycle-based context; and
in response to determining that the violation of the at least one particular malicious action rule is associated with the one or more of the lifecycle operations associated with the lifecycle-based context:
identifying a particular mitigation action associated with the violation of the at least one particular malicious action rule, wherein the particular mitigation action includes one or more countermeasure actions that are to be taken by the intrusion detection system in response to the violation, and
performing the particular mitigation action by the intrusion detection system.  
 
14.	The system of claim 9, wherein the particular mitigation action includes at least one of presenting a warning to a responsible entity and automatic triggering of at least one electronic countermeasure corresponding to the violation of the at least one particular malicious action rule.  


monitoring, by an intrusion detection system, a secured environment comprising at least one component, the secured environment associated with a lifecycle operations manager responsible for managing lifecycle operations associated with the at least one component in the secured environment;
obtaining, by the intrusion detection system, one or more log files associated with operations of each of the at least one component;
obtaining, by the intrusion detection system, log files associated with lifecycle operations executed by the lifecycle operations manager on at least one respective component of the at least one component in the secured environment;
accessing, by the intrusion detection system, a lifecycle-based context associated with the lifecycle operations manager, wherein the lifecycle-based context stores contextual information associated with the lifecycle operations, wherein the lifecycle operations are executed by the lifecycle operations manager on the at least one respective component of the at least one component in the secured environment;
pre-filtering, by the intrusion detection system and based on the contextual information stored in the lifecycle based context, the log files to identify at least one potentially malicious action prior to determining whether a malicious action exists in the log files, wherein pre-filtering includes removing data from the log files that is not associated with particular entries in the lifecycle-based context;
Filed: August 1, 2017 Page: 1 of 18
determining, by the intrusion detection system and based on the pre-filtered log files, whether a violation of at least one particular malicious action rule from a malicious 
in response to determining that the violation of the at least one particular malicious action rule is associated with the one or more of the lifecycle operations associated with the lifecycle-based context:
identifying a particular mitigation action associated with the violation of the at least one particular malicious action rule, wherein the particular mitigation action includes one or more countermeasure actions that are to be taken by the intrusion detection system in response to the violation, and
performing the particular mitigation action by the intrusion detection system.  

20.	The computer-readable medium of claim 17, wherein the particular mitigation action includes at least one of presenting a warning to a responsible entity and automatic triggering of at least one electronic countermeasure corresponding to the violation of the at least one particular malicious action rule, and
wherein the malicious action rule set is evaluated by the intrusion detection system, wherein each malicious action rule defines at least one pattern defining a potential malicious action associated with one or more monitored activities occurring in association with the secured environment.


Allowable Subject Matter

The claims have been amended as above to correct minor typographical errors and to clarify antecedent basis in certain dependent claims.
Claims 1-4, 6-11, 14, 15, 17, 18, and 20-23 are allowed.
The following is an examiner’s statement of reasons for allowance:
Independent Claim 1 is directed to a method that includes an intrusion detection system monitoring a secured environment associated with a lifecycle operations manager responsible for managing lifecycle operations associated with at least one component in the secured environment; obtaining log files associated with operations of each component and log files associated with lifecycle operations executed by the lifecycle operations manager on at least one component; accessing a lifecycle-based context associated with the lifecycle operations manager, where the context stores contextual information associated with the lifecycle operations; pre-filtering the log files based on the contextual information to identify at least one potentially malicious action prior to determining whether a malicious action exists in the log files, where the pre-filtering includes removing data from the log files that is not associated with particular entries in the context; determining based on the pre-filtered log files whether a violation of at least one malicious action rule is associated with lifecycle operations associated with the context; and in response to determining a violation, identifying and performing a mitigation action including countermeasures to be taken in response to the violation.  Independent Claim 9 is directed to a system having functionality corresponding to the 
The closest prior art, Kashyap, Ahmed, and Kirubanandam, generally disclose a method that includes an intrusion detection system monitoring a secured environment including at least one component and associated with a lifecycle operations manager; obtaining log files associated with operations of the components and log files associated with lifecycle operations; determining whether activities documented in the log files indicate violation of at least one particular malicious action rule from a rule set; accessing a lifecycle-based context storing contextual information; and triggering a mitigation action including countermeasure actions to be taken by the intrusion detection system in response to the violation.  The cited art also discloses determining whether a violation of a malicious action rule is associated with a lifecycle operation stored in a context, where lifecycle operations are executed on a computer system, application, or component.  Additionally, Petersen et al, US Patent 8543694, generally discloses pre-filtering log messages, and Mehta et al, US Patent 10075462, and Thomas et al, US Patent Application Publication 2017/0178025, generally disclose filtering log entries.  However, none of the cited art, alone or in combination, clearly teaches or suggests pre-filtering log files based on contextual information stored in a lifecycle based context as required by the amended independent claims, in combination with the other claimed limitations.  Therefore, the claims are allowable over the cited prior art.
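The pre-filter-then-evaluate pipeline that the reasons for allowance describe (associate log entries with particular lifecycle-context entries, discard the rest, then run the malicious action rules set over what remains and select a mitigation), as an added Python illustration that is not part of the application or of this Office action. The context entries, the log line format, the table of expected events per operation, the two rules, and the mitigation names are all constructed assumptions.

```python
# Constructed sample data (not from the application): a lifecycle-based context as the
# lifecycle operations manager records it, plus log lines "<ts> <component> <source> <event> <actor>".
CONTEXT = [
    {"op_id": "op-1", "component": "db-01", "operation": "patch", "actor": "lcm-svc", "start": "2017-08-01T02:00", "end": "2017-08-01T02:30"},
    {"op_id": "op-2", "component": "web-02", "operation": "restart", "actor": "lcm-svc", "start": "2017-08-01T03:00", "end": "2017-08-01T03:10"},
]
LOGS = """\
2017-08-01T02:05 db-01 component package_upgrade lcm-svc
2017-08-01T02:12 db-01 component user_added jdoe
2017-08-01T02:40 db-01 component login jdoe
2017-08-01T03:02 web-02 lcm restart lcm-svc
2017-08-01T03:04 web-02 component config_write jdoe
"""
ALLOWED = {"patch": {"package_upgrade"}, "restart": {"restart"}}  # assumed: expected events per operation
def parse_logs(text):
    keys = ("ts", "component", "source", "event", "actor")
    return [dict(zip(keys, line.split())) for line in text.splitlines()]
def prefilter(entries, context):
    """Keep only entries tied to a particular context entry (same component, timestamp
    inside its window; ISO strings order chronologically), tagged with that op_id."""
    kept = []
    for e in entries:
        for c in context:
            if e["component"] == c["component"] and c["start"] <= e["ts"] <= c["end"]:
                kept.append({**e, "op_id": c["op_id"]})
                break
    return kept  # everything not associated with a context entry has been removed

# Malicious action rules set: each rule returns a reason string or None.
def rule_unexpected_actor(e, ctx):
    if e["actor"] != ctx["actor"]:
        return f"{e['event']} by {e['actor']} during {ctx['operation']} {ctx['op_id']}"

def rule_out_of_scope_event(e, ctx):
    if e["event"] not in ALLOWED.get(ctx["operation"], set()):
        return f"{e['event']} is not part of {ctx['operation']} {ctx['op_id']}"

RULES = {"unexpected_actor": rule_unexpected_actor, "out_of_scope_event": rule_out_of_scope_event}
# Mitigation per rule: a warning to a responsible entity or an automatic countermeasure.
MITIGATIONS = {"unexpected_actor": "warn_responsible_entity", "out_of_scope_event": "trigger_countermeasure"}
def detect(log_text, context):
    by_id = {c["op_id"]: c for c in context}
    hits = []
    for e in prefilter(parse_logs(log_text), context):  # rules see only pre-filtered entries
        for name, rule in RULES.items():
            reason = rule(e, by_id[e["op_id"]])
            if reason:
                hits.append((name, reason, MITIGATIONS[name]))
    return hits
```

The 02:40 login falls outside every operation window, so the pre-filter removes it before any rule runs; the two entries by jdoe inside the windows each trigger both rules.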
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably 

Conclusion
 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Zachary A Davis whose telephone number is (571)272-3870. The examiner can normally be reached Monday-Friday, 9:30am-6:00pm, Eastern Time.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on (571) 272-4006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 

/Zachary A. Davis/Primary Examiner, Art Unit 2492