Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Information Disclosure Statement
The information disclosure statements (IDS) were submitted on 04/20/2022 and 12/03/2020. The submissions are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statements are being considered by the examiner.
Drawings
The drawings were received on 08/04/2020.  These drawings are accepted.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Jen et al. (USPGPUB No. 2019/0303342 A1, hereinafter referred to as Jen) in view of Ting et al. (USPGPUB No. 2019/0273754 A1, hereinafter referred to as Ting).
Referring to claim 1, Jen discloses a computer system comprising {“an k by physical layer”. 1, [0002]}: 
a central processing unit {“processor 105”, see Fig. 1, [0021]};
a memory device having secure memory {“system memory 110”, see Fig. 1, [0022]};
a PCIe root complex comprising at least one root port {“root complex, or root controller in a Peripheral Component Interconnect Express (PCIe or PCIE) interconnection hierarchy”, see Fig. 1, [0023]} and a PCIe protection controller {“security module such as a TPM”, [0136]}, wherein each root port is configured to optionally connect to at least one endpoint device {“Platform Trust Technology”, [0136]}, each endpoint device designated as a secure endpoint device {“root complex integrated endpoints”, see Fig. 1, [0025] last line} or a nonsecure endpoint device {“Endpoint devices… classified as legacy”, see Fig. 1, [0025] last 2 lines};
a system interconnect connecting the central processing unit {“switch/bridge 120”, see Fig. 1, [0025]}, the memory device, and the PCle root complex {“switch/bridge 120 routes packets/messages”, see Fig. 1, [0025]}; 
and a system memory management unit {“system memory 110”, see Fig. 1, [0025]} configured to translate addresses for direct memory access (DMA) requests {“transactions with request” (see Fig. 2, [0030]) passing over “virtual PCI-to-PCI bridge devices”, see Fig. 1, [0025]} from the at least one endpoint device {“ Endpoint devices in PCIe”, see Fig. 1, [0025] last 3 lines} before the requests are passed into the system interconnect {“components (e.g., 105, 110, 115, 120, 125, 130) illustrated in FIG. 1 can be enhanced to execute, store, and/or embody logic to implement one or more of the features described herein”, see Fig. 1, [0026] last 4 lines};
Jen does not appear to explicitly disclose wherein the PCIe protection controller is configured to control outbound traffic to protect secure endpoint devices from access from any nonsecure components of the computer system;
However, Ting discloses wherein the PCIe protection controller is configured to control outbound traffic {“Control and data paths link the intelligent controllers of multiple (or all) endpoint devices 205”, see Figs. 1 and 2, [0046] lines 1-4} to protect secure endpoint devices from access from any nonsecure components of the computer system {“system level configuration 200”, see Fig. 2, [0043]}.
Jen and Ting are analogous because they are from the same field of endeavor, transforming bit data streams. 
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art, having the teachings of Jen and Ting before him or her, to modify Jen’s “computer system” incorporating Ting’s “API shim” and corresponding “SDK” (see Fig. 2). 
The suggestion/motivation for doing so would have been to utilize sensors monitoring the calls to the operating system using an API shim, in which the intelligent controllers may be configured to assess, after instructing an actuator to take a specified mitigation action, a degree of effectiveness of the mitigation action (Ting [0020]).
Therefore, it would have been obvious to combine Ting with Jen to obtain the invention as specified in the instant claim(s).


As per claim 2, the rejection of claim 1 is incorporated and Ting discloses wherein the PCIe protection controller is configured to control outbound traffic to protect secure endpoint devices by {“Control and data paths link the intelligent controllers…” both inbound and outbound directions, see Figs. 1 and 2, [0046] lines 1-4}:
allowing a request from a secure component {“connect and send requests”, see Figs. 1 and 2, [0008]} of the computer system {“If the application is allowed to continue”, see Figs. 1 and 2, [0058]};
allowing the request from a nonsecure component {“makes another high-risk call”, see Figs. 1 and 2, [0058]} of the computer system if a destination of the request {“hierarchical filtering reduces the timing sensitivity”, see Figs. 1 and 2, [0058]} is a nonsecure endpoint device {“individual processes using a risk classifier”, see Figs. 1 and 2, [0058]}; and reporting the request to an access violation handler {“lock it out from being used again (of course notifying the user”, [0058]} if the request is not allowed {“initiate a defensive action to terminate the application”, see Figs. 1 and 2, [0058]}.

As per claim 3, the rejection of claim 2 is incorporated and Ting discloses wherein the PCIe protection controller is configured to use information from the system interconnect to determine {“Classifying an application as trustworthy or untrustworthy”, see Figs. 1 and 2, [0065]} that the request originates from a secure component of the computer system {“application code corresponding to requests to”, see Figs. 3 and 4, [0066]}.

As per claim 4, the rejection of claim 2 is incorporated and Jen discloses wherein the PCIe protection controller comprises an address lookup table that stores address ranges {“four transaction address spaces”, see Fig. 1, [0032]} for memory-mapped regions of each secure endpoint device {“root complex integrated endpoints”, see Fig. 1, [0025] last line}.

As per claim 5, the rejection of claim 4 is incorporated and Jen discloses wherein the PCIe protection controller is configured to use information from the address lookup table {“configuration address space”, see Fig. 1, [0032]} to determine if a destination of the request is a nonsecure endpoint device {“classified as legacy”, see Fig. 1, [0025] last 2 lines}.

As per claim 6, the rejection of claim 2 is incorporated and Ting discloses wherein the access violation handler is configured to trigger an exception for a request that is not allowed {“Some resources, such as configuration file, for example, might be opened for read-only access and then closed”, see Fig. 4, [0070]}.

As per claim 7, the rejection of claim 2 is incorporated and Ting discloses wherein the access violation handler is configured to ignore a write request that is not allowed {“Some resources, such as configuration file, for example, might be opened for read-only access and then closed”, see Fig. 4, [0070]}.

As per claim 8, the rejection of claim 1 is incorporated and Ting discloses wherein the access violation handler is configured to return a predetermined value {“normal to respond, or the server may be returning more failures”, see Fig. 4, [0072] last 4 lines} for a read request that is not allowed {“in order to access remote services”, see Fig. 4, [0072] last 4 lines}.

As per claim 9, the rejection of claim 2 is incorporated and Ting discloses wherein the PCIe protection controller is configured to dynamically set an access violation policy {access violation and enforced access “statistical model 445”, see Fig. 4, [0071]} of the access violation handler unit {“built and updated by the controller 415 during the discovery phase”, see Fig. 4, [0071]}.
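The outbound behavior recited in claims 2 and 4 through 9 can be made concrete with a small model, given here as an added example that is not taken from the application, Jen, or Ting. The address ranges, the `READ_FILL` value, and all function and type names are assumptions chosen for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed address lookup table: MMIO windows of secure endpoints. */
struct range { uint64_t base, limit; };            /* inclusive bounds */
static const struct range secure_mmio[] = {
    { 0x40000000u, 0x4000ffffu },
    { 0x50000000u, 0x500fffffu },
};

enum violation_policy { POLICY_EXCEPTION, POLICY_IGNORE_WRITE, POLICY_READ_FIXED };
enum verdict { ALLOW, FAULT, DROPPED, FIXED_VALUE };

#define READ_FILL 0xffffffffu  /* assumed predetermined value for blocked reads */

static bool targets_secure_endpoint(uint64_t addr, uint64_t len)
{
    if (len == 0 || addr + (len - 1) < addr)   /* empty or wrapping: fail closed */
        return true;
    uint64_t last = addr + (len - 1);
    for (size_t i = 0; i < sizeof secure_mmio / sizeof secure_mmio[0]; i++)
        if (addr <= secure_mmio[i].limit && last >= secure_mmio[i].base)
            return true;                       /* any overlap counts as secure */
    return false;
}

/* Outbound decision: secure initiators pass; nonsecure initiators pass only
 * when the destination is a nonsecure endpoint; everything else is handed to
 * the access violation handler, whose policy can be changed at runtime. */
enum verdict outbound_check(bool initiator_secure, bool is_write,
                            uint64_t addr, uint64_t len,
                            enum violation_policy policy, uint32_t *read_data)
{
    if (initiator_secure || !targets_secure_endpoint(addr, len))
        return ALLOW;
    if (policy == POLICY_IGNORE_WRITE && is_write)
        return DROPPED;                        /* write silently discarded */
    if (policy == POLICY_READ_FIXED && !is_write) {
        if (read_data)
            *read_data = READ_FILL;            /* read completes with fixed data */
        return FIXED_VALUE;
    }
    return FAULT;                              /* default: trigger an exception */
}
```

The overlap test matters for requests that start in a nonsecure window and run into a secure one; checking only the start address would let such a request through.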

As per claim 10, the rejection of claim 1 is incorporated and Ting discloses wherein the PCIe protection controller is configured to control inbound traffic to prevent access to secure memory {“Control and data paths link the intelligent controllers… ” both inbound and outbound directions, see Figs. 1 and 2, [0046] lines 1-4} by nonsecure endpoint devices by: 
determining whether an originator of an incoming request {“Each resource request…,”, see Fig. 4, [0070]} is a secure endpoint device {“is identified uniquely by the process requesting it,”, see Fig. 4, [0070]}; translating the incoming request to a secure StreamID {“session ID”, see Fig. 4, [0070]} and forwarding the secure StreamID {“As a database that is readily queried by user and by application”, see Fig. 4, [0071]} to the system memory management unit if the originator of the incoming request is a secure endpoint device {“performance characteristics of the endpoint device 400, ”, see Fig. 4, [0071]}; 
and translating the incoming request to a nonsecure StreamID {“syslog formats to commingle the event logs”, see Fig. 4, [0056]} and forwarding the nonsecure StreamID {“As a database that is readily queried by user and by application”, see Fig. 4, [0071]}  to the system memory management unit if the originator of the incoming request is a nonsecure endpoint device {“performance characteristics of the endpoint device 400” secured or otherwise, see Fig. 4, [0071]}.

As per claim 11, the rejection of claim 10 is incorporated and Ting discloses wherein the PCIe protection controller further comprises an EP_ID lookup table that {“As a database that is readily queried by user and by application”, see Fig. 4, [0071]} stores an endpoint device identity {“Each resource request is identified uniquely by the process requesting”, see Fig. 4, [0070]} for each secure endpoint device {“the owner of the process”, see Fig. 4, [0070] last 4 lines}.

As per claim 12, the rejection of claim 11 is incorporated and Ting discloses wherein the PCIe protection controller is configured to determine whether the originator of an incoming request {“certain resource requests”, see Fig. 4, [0069]} is a secure endpoint device based {“the privilege level and the ID of the user”, see Fig. 4, [0070]}, at least in part, on information from the EP_ID lookup table {“As a database that is readily queried by user and by application”, see Fig. 4, [0071]}.

As per claim 13, the rejection of claim 11 is incorporated and Ting discloses wherein the endpoint device identity is based, at least in part, on bus, device, and function numbers {“a namespace that includes registry keys, the user ID, the session ID, the machine name, semaphores, pipes, shared memory segments, URLs, files, external processes and device IDs”, see Fig. 4, [0070]} of the endpoint device {“the privilege level and the ID of the user”, see Fig. 4, [0070]}.

As per claim 14, the rejection of claim 13 is incorporated and Ting discloses wherein the endpoint device identity is further based on a physical port index {“pipes”, see Fig. 4, [0070]}.

As per claim 15, the rejection of claim 14 is incorporated and Ting discloses, wherein the bus, device, and function numbers are encoded in a requester ID value {“user ID”, see Fig. 4, [0070]}, and wherein the endpoint device identity is computed using bitwise operations {“modify the security token on resource requests”, see Fig. 4, [0069]} to combine the requester ID value with the physical port index {“pipes”, see Fig. 4, [0070]}.
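The inbound path recited in claims 10 through 15 is sketched below as an added example that is not taken from the application, Jen, or Ting. The requester ID layout (bus, device, function) is the standard PCIe encoding; placing the port index above it, the table size, and `STREAM_SECURE_BIT` are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* PCIe requester ID: bus[15:8] | device[7:3] | function[2:0]. */
static uint16_t requester_id(uint8_t bus, uint8_t dev, uint8_t fn)
{
    return (uint16_t)((bus << 8) | ((dev & 0x1f) << 3) | (fn & 0x7));
}

/* Assumed layout: the physical root-port index sits above the 16-bit
 * requester ID, so the same BDF behind two ports gives two identities. */
uint32_t ep_id(uint8_t port, uint8_t bus, uint8_t dev, uint8_t fn)
{
    return ((uint32_t)port << 16) | requester_id(bus, dev, fn);
}

/* Constructed EP_ID lookup table: identities of secure endpoints. */
static uint32_t secure_eps[8];
static size_t   secure_count;

bool designate_secure(uint32_t id)
{
    if (secure_count == sizeof secure_eps / sizeof secure_eps[0])
        return false;                          /* table full: refuse */
    secure_eps[secure_count++] = id;
    return true;
}

#define STREAM_SECURE_BIT 0x80000000u  /* hypothetical tag read by the SMMU */

/* Inbound DMA: look up the originator and emit a secure or nonsecure
 * StreamID. Originators not in the table are treated as nonsecure. */
uint32_t inbound_stream_id(uint8_t port, uint16_t rid)
{
    uint32_t id = ((uint32_t)port << 16) | rid;
    for (size_t i = 0; i < secure_count; i++)
        if (secure_eps[i] == id)
            return id | STREAM_SECURE_BIT;
    return id;
}
```

Including the port index in the identity means a device that presents a secure endpoint's bus, device, and function numbers from behind a different root port still maps to a nonsecure StreamID.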

As per claim 16, the rejection of claim 1 is incorporated and Ting discloses wherein the PCIe protection controller is dynamically configurable at runtime to designate an endpoint device as a secure endpoint device or a nonsecure endpoint device {“during the discovery phase”, see Fig. 4, [0071]}.

As per claim 17, the rejection of claim 16 is incorporated and Ting discloses wherein the PCIe protection controller is further configured to query a security configuration of the at least one endpoint device {“build up user-specific statistical models of resource usage by applications”, [0071]}.

As per claim 18, the rejection of claim 16 is incorporated and Jen discloses wherein the PCIe protection controller comprises a register space that is memory-mapped to a secure address space {“different address spaces or different address ranges of the same address space,”, see Fig. 2, [0071]}, and wherein the PCIe protection controller is dynamically configurable at runtime by accessing the register space {“me defined interfaces, such as PIPE, some existing status and control signals are defined based not only on the designated wire”, see Fig. 2, [0071]}.

Claims 19 and 20 are independent method claims and device claims reciting functional language corresponding to the system claims 1-18, respectively, and are thereby rejected under the same rationale as claims 1-18 recited above.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The following references are applicable as 103 art teaching managing components of networked devices: US 20190113973 A1, US 20180275990 A1, US 20180121381 A1, US 20170115987 A1, US 20160235324 A1, US 20160007083 A1, and US 20150199010 A1.
Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHRISTOPHER A. BARTELS whose telephone number is (571)270-3182.  The examiner can normally be reached on Monday-Friday 9:00a-5:30pm EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Dr. Henry Tsai can be reached on 571-272-4176.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/C. B./
Examiner, Art Unit 2184


/HENRY TSAI/Supervisory Patent Examiner, Art Unit 2184