Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-11, 15-18, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Rubin US 2021/0243208 in view of King US 8,839,435.

As per claims 1, 15, and 18, Rubin teaches a method comprising: storing a plurality of log records, by an intrusion detection engine, in a secure log store hosted in a management system of a computing system, wherein the plurality of log records are generated corresponding to a plurality of milestone actions performed during invocation of an operation on the management system; monitoring, by the intrusion detection engine, the plurality of log records stored in the secure log store; analyzing, by the intrusion detection engine, the plurality of log records based on a rule-set defined in the management system to detect a security intrusion in the management system; and performing a security action, by the intrusion detection engine, in response of detecting the security intrusion [0025][0045][0051]-[0053][0055][0057][0063][0072][0074][0075][0076] (teaches detection of lateral movement attacks by correlating a plurality of log records, monitoring said records, and identifying by the IDS an operation that is security sensitive, lateral movement, obtaining credentials/credential exfiltration and performing a security action by 

King teaches identifying, by the intrusion detection engine, whether the operation is a security sensitive operation, wherein the security sensitive operation belongs to a predefined set of a plurality of operations that are performed on the management system; in response of identifying that the operation is the security sensitive operation, (Column 3 lines 33-42; Column 6 lines 1-11; Column 7 lines 45-60) (teaches that the security sensitive operation is a privilege escalation which may be unauthorized and an attack detection is based on logs)

It would have been obvious to one of ordinary skill in the art at the time the invention was filed to use the privilege escalation of King with the intrusion detection of Rubin because it increases the security of the system.
As per claims 2 and 16, Rubin teaches the method of claim 1, wherein storing the plurality of log records further comprises receiving, by the intrusion detection engine, the plurality of log records from the management system. [0052][0053] (plurality of log sources including SIEM)

As per claim 3, Rubin teaches the method of claim 1, wherein the secure log store is separate from an audit log repository of the management system. [0053] (teaches a plurality of log storage locations)

As per claim 4, King teaches the method of claim 1, wherein the security sensitive operation 
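The claimed method as read onto Rubin and King above (store milestone log records in a secure store, monitor and analyze them against a rule-set, identify whether the operation belongs to a predefined set of security sensitive operations, and perform a security action) is illustrated by the following Python sketch. It is an added example and is not code from the application or from any of the cited references; the operation names, milestone names, rule-set, and log records are all constructed for illustration, and the hash-chained store is one assumed way of giving the log store tamper evidence.

```python
from dataclasses import dataclass, asdict
import hashlib
import json

# Predefined set of operations the management system treats as security sensitive (assumed).
SECURITY_SENSITIVE_OPERATIONS = {"privilege_escalation", "credential_export", "firmware_update"}


@dataclass(frozen=True)
class LogRecord:
    """One log record for one milestone action of an operation invocation (constructed schema)."""
    seq: int
    actor: str
    operation: str
    milestone: str  # e.g. requested, authenticated, authorized, pre_commit, committed
    detail: str = ""


class SecureLogStore:
    """Append-only store in which every entry is hashed together with the previous digest,
    so modification of an already stored record is detectable by verify()."""

    def __init__(self):
        self._entries = []  # list of (record, digest)

    def append(self, record):
        prev = self._entries[-1][1] if self._entries else "0" * 64
        payload = json.dumps(asdict(record), sort_keys=True)
        digest = hashlib.sha256((prev + payload).encode()).hexdigest()
        self._entries.append((record, digest))
        return digest

    def records(self):
        return [record for record, _ in self._entries]

    def verify(self):
        prev = "0" * 64
        for record, digest in self._entries:
            payload = json.dumps(asdict(record), sort_keys=True)
            if hashlib.sha256((prev + payload).encode()).hexdigest() != digest:
                return False
            prev = digest
        return True


# Rule-set: each rule inspects the stored records and returns alert strings.
def rule_unauthorized_sensitive_op(records):
    """A security sensitive operation reaching pre_commit without an authorized milestone."""
    alerts, milestones = [], {}
    for r in records:
        seen = milestones.setdefault((r.actor, r.operation), set())
        seen.add(r.milestone)
        if (r.operation in SECURITY_SENSITIVE_OPERATIONS
                and r.milestone == "pre_commit" and "authorized" not in seen):
            alerts.append(f"{r.actor}: {r.operation} reached pre_commit without authorization (seq {r.seq})")
    return alerts


def rule_lateral_movement(records):
    """A committed credential export followed by a remote login from the same actor."""
    alerts, exporters = [], set()
    for r in records:
        if r.operation == "credential_export" and r.milestone == "committed":
            exporters.add(r.actor)
        if r.operation == "remote_login" and r.milestone == "requested" and r.actor in exporters:
            alerts.append(f"{r.actor}: remote login after credential export, possible lateral movement (seq {r.seq})")
    return alerts


class IntrusionDetectionEngine:
    def __init__(self, store, rules):
        self.store, self.rules, self.actions = store, rules, []

    def ingest(self, record):
        self.store.append(record)  # storing the log record in the secure log store

    def analyze(self):
        alerts = []
        for rule in self.rules:  # monitoring and analyzing against the rule-set
            alerts.extend(rule(self.store.records()))
        for alert in alerts:  # security action: here, an alert to the logged-in administrator
            self.actions.append(("alert_admin", alert))
        return alerts


# Constructed sample records: a legitimate escalation, then an actor that skips authorization,
# exports credentials, and attempts a remote login.
SAMPLE_RECORDS = [
    LogRecord(1, "admin", "privilege_escalation", "requested"),
    LogRecord(2, "admin", "privilege_escalation", "authenticated"),
    LogRecord(3, "admin", "privilege_escalation", "authorized"),
    LogRecord(4, "admin", "privilege_escalation", "pre_commit"),
    LogRecord(5, "admin", "privilege_escalation", "committed"),
    LogRecord(6, "svc-backup", "privilege_escalation", "requested"),
    LogRecord(7, "svc-backup", "privilege_escalation", "pre_commit"),
    LogRecord(8, "svc-backup", "credential_export", "committed", "token exported"),
    LogRecord(9, "svc-backup", "remote_login", "requested", "target=node-07"),
]


def run_demo():
    """Returns (alerts, store_intact) for the sample records."""
    engine = IntrusionDetectionEngine(SecureLogStore(), [rule_unauthorized_sensitive_op, rule_lateral_movement])
    for record in SAMPLE_RECORDS:
        engine.ingest(record)
    return engine.analyze(), engine.store.verify()


def tamper_demo():
    """Overwrites a stored record in place and returns the verify() result (False expected)."""
    store = SecureLogStore()
    for record in SAMPLE_RECORDS:
        store.append(record)
    _, digest = store._entries[2]
    store._entries[2] = (LogRecord(3, "admin", "privilege_escalation", "skipped"), digest)
    return store.verify()


if __name__ == "__main__":
    alerts, intact = run_demo()
    for a in alerts:
        print("ALERT:", a)
    print("store intact:", intact, "| tampered store intact:", tamper_demo())
```

The unauthorized-escalation rule fires at the pre_commit milestone, which is the point at which an alert can still reach the administrator before the operation is committed; the chained digest is what lets the engine trust that the records it analyzes are the records that were stored.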


Claims 12, 13, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Rubin US 2021/0243208 in view of King US 8,839,435 in view of Liu US 2016/0217283.

As per claim 12, Liu teaches the method of claim 1, wherein performing the security action comprises alerting a logged-in administrator at an instant to recover the management system before the operation is committed on the management system. [0010] (teaches alerting an admin)
Rubin teaches sending an alarm, alert, or notification of compromise and remedy but fails to teach that the alarm is sent to an administrator. [0050] [0258]
It would have been obvious to one of ordinary skill in the art to use the administrator of Liu with the previous combination because it ensures an immediate response to an attack.
As per claims 13 and 19, Liu teaches the method of claim 1, wherein the management system comprises a baseboard management controller of the computing system. [0010]

Claim 14 is rejected under 35 U.S.C. 103 as being unpatentable over Rubin US 2021/0243208 in view of King US 8,839,435 in view of Heard US 7,437,752.

As per claim 14, Heard teaches the method of claim 1, wherein the secure log store is protected using a security control. (Column 11 lines 32-52) (teaches logs are secure and encrypted)
It would have been obvious at the time the invention was filed to use the security control of Heard with the previous art because it increases the security of the data logs to prevent tampering.



Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHRISTOPHER BROWN whose telephone number is (571)272-3833. The examiner can normally be reached M-F 8-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on (571) 270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

/CHRISTOPHER J BROWN/Primary Examiner, Art Unit 2439