DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Arguments
Applicant’s arguments filed on 04/18/2022 with respect to 103 rejection for independent claims have been fully considered and are persuasive.  Therefore, the rejection has been withdrawn.  However, upon further consideration, a new ground(s) of rejection is made Prvulovic (2018/0012020) in view of Venkataramani (2017/0154181).
 
                                          Claim Interpretation
3. The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims 13-16 and 18 in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:

(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 

Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 

Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 

Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.

Claim Rejections - 35 USC § 103
4. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


5. Claim(s) 1, 3-4,6-7, 9-10,12-13, 15-16,18-19, 21-22 and 24 are rejected under 35 U.S.C. 103 as being unpatentable over Prvulovic (US Pub.No.2018/0012020) in view of Venkataramani (US Pub.No.2017/0154181).

6. Regarding claims 1,7,13 and 19 Prvulovic teaches an apparatus, a non-transitory computer-readable medium and a method,  for detecting side channel attacks, the apparatus comprising: memory; instructions in the apparatus; and at least one processor to execute the instructions to cause the at least one processor to: generate a representation of cache access activities, that including a first bin corresponding to a first cache set and a second bin corresponding to a second cache set (Figs.5-7, Para:0005 and Para:0023 teaches detecting statistics or patterns of detected cache misses within a predicted software block over a plurality of occurrences and performing a statistical test or a pattern matching algorithm on the detected statistics or patterns of the detected cache misses to determine a likelihood of a valid execution of the software block; and determining, in response to the statistical test or pattern matching algorithm indicating that the detected cache misses are highly unlikely in a valid execution of the software block, that an anomaly exists);

 apply a machine learning model to the at least one statistic to identify an attempt to perform a side channel attack (Figs.4, 7, Para: 0007 and Para: 0136 teaches applying machine learning model);

 perform multiple hypothesis testing to determine a probability of the cache access activities being benign (Para:0018  and Para:0137-0140 teaches the multi-hypothesis testing that include selecting likely software blocks executed by the monitored device based on a current software trace; calculating, based on the HW/SW interaction model, distance metrics between the one or more signals and expected one or more signals produced by the monitored device by executing the selected software blocks; calculating, based on the calculated distance metrics, probabilities of matches with the selected software blocks; performing multi-hypothesis matching to update the current software trace to include one or more predicted software blocks of the likely software blocks; and determining, based on the multi-hypothesis matching, if an anomaly occurred);

 cause, in response to the machine learning model processor identifying that the at least one statistic is indicative of the side channel attack and the probability not satisfying a similarity threshold, the performance of a responsive action to mitigate the side channel attack (Par: 0141-0143 and Para: 0146 teaches based on the multi-hypothesis matching, the analyzer processor creates a confidence threshold and decides whether an anomaly has occurred. Para: 0098-0098 teaches performing a responsive action to mitigate the side channel attack);

and train the machine learning model based on an attack histogram representative of cache access activities performed during the side channel attack (Para: 0007 and Para: 0077 teaches the machine learning model trainer to train the machine learning model based on the graph (histogram shown in figs.5-6) representation of cache activities).

Prvulovic teaches all the above claimed limitations but does not expressly teach the generated histogram representing cache access activities, includes a first bin corresponding to a first cache set and a second bin corresponding to a second cache set; determine at least one statistic based on the histogram.

Venkataramani teaches the generated histogram representing cache access activities, includes a first bin corresponding to a first cache set and a second bin corresponding to a second cache set; determine at least one statistic based on the histogram (Figs.6-8 and Para:0075 teaches the system 100 detects burst patterns, by reading the hardware histogram buffer and checking for burst patterns. From left to right in the histogram, threshold density is the first bin which is smaller than the preceding bin, and equal or smaller than the next bin. If there is no such bin, then the bin at which the slope of the fitted curve becomes gentle is considered as the threshold density. Threshold density denotes the presence of second significant distribution in the event density histogram. If the event train has burst patterns, there will be two distinct distributions: (1) one where the mean of event densities is below 1.0 showing the non-bursty periods, and (2) one where the mean is above 1.0 showing the bursty periods present in the right tail of the event density histogram. There can be many distributions. The presence of three or more indicates that the Trojan/spy are communicating using multiple encoding mechanisms. Each burst distribution beyond the first one shows a specific communication protocol using a certain burst (event density). The presence of more than one simply means that the Trojan/spy are communicating using multiple such burst distributions).
Therefore, it would have been obvious to one of the ordinary skill in the art at the time of invention to modify the teachings of Prvulovic to include the generated histogram representing cache access activities, includes a first bin corresponding to a first cache set and a second bin corresponding to a second cache set; determine at least one statistic based on the histogram as taught by Venkataramani such a setup would yield a predictable result of detecting side-channel exploits.

7. Regarding claims 3, 9, 15 and 21 Prvulovic teaches the apparatus, the non-transitory computer-readable medium and the method, wherein the at least one processor is further to perform the multiple hypothesis testing using a Kolmogorov-Smimov test (Para: 0148 teaches performing Kolmogorov-Smimov test).

8. Regarding claims 4, 10, 16 and 22 Prvulovic teaches the apparatus, the non-transitory computer-readable medium and the method, the at least one processor is further to train the machine learning model based on a benign histogram representative of benign cache access activities (Para: 0007 and Para: 0077 teaches the machine learning model trainer to train the machine learning model).

9. Regarding claims 6, 12, 18 and 24 Prvulovic teaches the apparatus, the non-transitory computer-readable medium and the method, the at least one processor is further to sample a cache state of a processor, the histogram generator to generate the histogram based on the sampled cache state (Para: 0035, Para: 0116 and Para: 0146 teaches sample a cache state of a processor).

10. Claims 2, 8, 14 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Prvulovic (US Pub.No.2018/0012020) in view of Venkataramani (US Pub.No.2017/0154181)
as applied to claims 1,7, 13 and 19 above and further in view of Khorrami (US Pub.No.2019/0340392).

11.    Regarding claims 2, 8, 14 and 20 Prvulovic in view of Venkataramani teaches all the above claimed limitations but does not expressly teach the apparatus, the non-transitory computer-readable medium and the method, wherein the machine learning model is implemented by a support vector machine.

Khorrami teaches the apparatus, the non-transitory computer-readable medium and the method, wherein the machine learning model is implemented by a support vector machine (Para: 0083 and Para: 0131 teaches the machine learning model is implemented by a support vector machine).

Therefore, it would have been obvious to one of the ordinary skill in the art at the time of invention to modify the teachings of Prvulovic in view of Venkataramani to include the machine learning model is implemented by a support vector machine as taught by Khorrami such a setup would yield a predictable result of anomaly detection using normal light-weight machine learning algorithms.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DEREENA T CATTUNGAL whose telephone number is (571)270-0506.  The examiner can normally be reached on Mon-Fri: 7:30 AM-5 PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on 571-272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/DEREENA T CATTUNGAL/Primary Examiner, Art Unit 2431