Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.




Response to Arguments
Applicant’s arguments with respect to claim(s) have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Examiner has incorporated Sathyanarayana US 10,242,176, to meet the claims as amended and advance prosecution. 

Examiner asserts, however, that Applicant's interpretation of the claim limitations is based on a narrow reading of these limitations in light of the Applicant's specification.  The Examiner must read the claim limitations with the broadest reasonable interpretation.  Examiner notes that Applicant has applied a narrow meaning to terms such as "operation", "invocation", "management system", and "milestone action".
Applicant argues that Rubin discloses security logs and network traffic logs, but that these are "not actions performed in connection with the invocation of an operation of a management system".  Applicant argues that the claim specifies that the invocation of the operation includes an authentication process to "access the management system".  Examiner asserts that Rubin teaches a "management system".  Management system is an extremely broad term and must be read as such.  Rubin teaches a security monitoring system and a plethora of "login" activity.  Examiner interprets "login" to be "authentication".  Depending on the scope of the "management system", Rubin would clearly read on the claimed limitations, and the login activity security logs are used to detect security intrusions.  It is unclear, based on the claim limitations, what is being authenticated and who or what is doing the accessing.
Applicant argues that Liu fails to disclose logging records corresponding to actions performed on a BMC, much less detecting a security intrusion.
Examiner respectfully disagrees.  Liu teaches a BMC that has security logs used to authenticate firmware updates; if this authentication fails, an indication of malicious activity is noted and a security action may be taken.

Examiner has included Sathyanarayana to advance prosecution which Examiner believes more clearly shows more than one processor and “access to a management system”.  However, Examiner encourages Applicant to more clearly amend the claim limitations in order to reasonably interpret the limitations in light of the specification.  






The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-11, 13, and 15-20 are rejected under 35 U.S.C. 103 as being unpatentable over Sathyanarayana US 10,242,176 in view of Rubin US 2021/0243208 in view of King US 8,839,435.

As per claims 1, 15, 18, Sathyanarayana teaches a first processor of a management system of a computing system, in a secure log store hosted in the management system, wherein the plurality of log records are generated corresponding to a plurality of milestone actions performed during invocation of an operation on the management system, wherein the computing system comprises a second processor separate from the first processor to execute an OS of the computing system, the first processor to monitor and manage the computing system, the invocation of the operation comprises an authentication process to access the management system, and the invocation of the operation comprises an invocation process to invoke the operation on the management system; and teaches that the first processor detects a security intrusion and performs an action based on said detection (Column 2 lines 40-50) (teaches a BMC controller as a first controller and a host processor as a second processor) (Column 3 line 52 to Column 4 line 45; Column 5 lines 34-45) (teaches a BMC on boot performing mutual authentication with an end point, the mutual authentication based on a table or log made by the BMC; teaches that failure to authenticate will result in logging the event) (Column 9 line 45 to Column 11 line 30) (teaches that the BMC sends discovery messages and control commands; if it is determined that unauthorized commands have been sent, they are logged as a security threat and an alert may be sent; teaches mutual authentication for access, and if authentication fails, it is logged, access is denied, and the endpoints are logged as unmanageable)


Rubin teaches A method comprising: storing a plurality of log records, by an intrusion detection engine, in a secure log store hosted in a management system of a computing system, wherein the plurality of log records are generated corresponding to a plurality of milestone actions performed during invocation of an operation on the management system; monitoring, by the intrusion detection engine, the plurality of log records stored in the secure log store; analyzing, by the intrusion detection engine, the plurality of log records based on a rule-set defined in the management system to detect a security intrusion in the management system; and performing a security action, by the intrusion detection engine, in response of detecting the security intrusion [0025][0045][0051]-[0053][0055][0057][0063][0072][0074][0075][0076] (teaches detection of lateral movement attacks by correlating a plurality of log records, monitoring said records, and identifying by the IDS an operation that is security sensitive, lateral movement, obtaining credentials/ credential exfiltration and performing a security action by isolating a computer or preventing exfiltration of data)
It would have been obvious to one of ordinary skill in the art to use Rubin with Sathyanarayana because it increases the security of the system.

King teaches identifying, by the intrusion detection engine, whether the operation is a security sensitive operation, wherein the security sensitive operation belongs to a predefined set of a plurality of operations that are performed on the management system; in response of identifying that the operation is the security sensitive operation,  (Column 3 lines 33-42; Column 6 lines 1-11; Column 7 lines 45-60) (teaches that the security sensitive operation is a privilege escalation which may be unauthorized and an attack detection is based on logs)

It would have been obvious to one of ordinary skill in the art at the time the invention was filed to use the privilege escalation of King with the intrusion detection of Rubin because it increases the security of the system.
As per claims 2, 16 Rubin teaches The method of claim 1, wherein storing the plurality of log records further comprises receiving, by the intrusion detection engine, the plurality of log records from the management system. [0052][0053] (plurality of log sources including SIEM)

As per claim 3. Rubin teaches The method of claim 1, wherein the secure log store is separate from an audit log repository of the management system. [0053] (teaches a plurality of log storage locations)

As per claim 4. King teaches The method of claim 1, wherein the security sensitive operation comprises one or more of operations related to adding a new user, changing security configuration of the computing system or changing password policies in the management system. (Column 3 lines 33-42; Column 6 lines 1-11; Column 7 lines 45-60) (teaches that the security sensitive operation is a privilege escalation which may be unauthorized and an attack detection is based on logs)

As per claim 5. Rubin teaches The method of claim 1, wherein the invocation of the operation comprises an authentication process to access the management system and an invocation process to invoke the operation on the management system, and wherein the plurality of log records comprises: a first set of log records corresponding to a first set of the plurality of milestone actions, performed during the authentication process; and a second set of log records corresponding to a second set of the plurality of milestone actions performed during the invocation process. [0045][0051]-[0053][0057][0063][0072][0074][0075][0076] (authentication/logins to computers including administrator logins and association with lateral movement and credentials)

As per claim 6. Rubin teaches The method of claim 1, wherein the invocation of the operation comprises an authentication process to access the management system and an invocation process to invoke the operation on the management system, and wherein the rule-set comprises: a first rule-set comprising a first standard set of milestone actions related to the authentication process; and a second rule-set comprising a second standard set of milestone actions related to the invocation process for each operation of the plurality of operations. [0031][0032][0051][0055] (rule-sets include transfer size, connection times, patterns of end connections, protocols used)

As per claims 7, 17 Rubin teaches The method of claim 1, wherein analyzing comprises determining whether the plurality of log records follow the rule-set. [0051][0052] (login records compared to pattern/rule-set)

As per claim 8. Rubin teaches The method of claim 7, wherein analyzing comprises detecting the security intrusion in the management system in response of determining that the plurality of log records do not follow the rule-set. [0051][0052] (login records compared to pattern/rule-set)

As per claim 9. Rubin teaches The method of claim 1, wherein analyzing is performed while or immediately after completing the invocation of the operation on the management system. [0003][0005]

As per claim 10. Rubin teaches The method of claim 1, wherein performing the security action comprises generating an alert to enable a recovery action to recover the management system before the operation is committed on the management system. [0076] (preventing exfiltration of data)

As per claim 11. Rubin teaches The method of claim 1, wherein performing the security action comprises performing a recovery action, by the intrusion detection system to recover the management system before the operation is committed on the management system. [0076] (preventing exfiltration of data)
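The detection flow recited in claims 1 and 5 through 11 above, as an added Python illustration that is not part of this Office action or of any cited reference: milestone records for one operation invocation are checked against a first (authentication) rule-set and a second (per-operation invocation) rule-set, and a deviation raises an alert so the operation can be held before it is committed. All milestone names, rule-sets and log records are constructed for the example.

```python
from dataclasses import dataclass, field

# First rule-set: standard milestone sequence for the authentication process.
AUTH_RULESET = ["session_open", "credential_check", "auth_ok", "role_assigned"]
# Second rule-set: standard milestone sequence for each management operation.
INVOCATION_RULESET = {
    "add_user": ["authz_check", "user_created", "audit_written"],
    "set_password_policy": ["authz_check", "policy_staged", "audit_written"],
}
# Predefined set of security-sensitive operations (cf. claim 4); constructed.
SECURITY_SENSITIVE = {"add_user", "set_password_policy", "change_security_config"}

@dataclass
class Verdict:
    intrusion: bool
    reason: str
    alerts: list = field(default_factory=list)  # output of the security action

def parse_record(line):
    """Parse one constructed 'op=<name> phase=<auth|invoke> milestone=<name>' record."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return fields["op"], fields["phase"], fields["milestone"]

def analyze(records):
    """Check one invocation's milestone records against both rule-sets."""
    parsed = [parse_record(r) for r in records]
    ops = {op for op, _, _ in parsed}
    if len(ops) != 1:
        return Verdict(True, "records do not describe a single operation")
    op = ops.pop()
    if op not in SECURITY_SENSITIVE:
        return Verdict(False, f"{op} is not security sensitive; not analyzed")
    auth = [m for _, ph, m in parsed if ph == "auth"]
    invoke = [m for _, ph, m in parsed if ph == "invoke"]
    if auth != AUTH_RULESET:
        return Verdict(True, f"authentication milestones {auth} deviate from rule-set",
                       [f"ALERT: hold commit of {op}; authentication path deviated"])
    if invoke != INVOCATION_RULESET.get(op):
        return Verdict(True, f"invocation milestones {invoke} deviate from rule-set",
                       [f"ALERT: hold commit of {op}; invocation path deviated"])
    return Verdict(False, "records follow rule-set; operation may be committed")

# Constructed sample records: a complete invocation, then one in which the
# credential_check and auth_ok milestones never appear before user creation.
GOOD = [f"op=add_user phase=auth milestone={m}" for m in AUTH_RULESET] + \
       [f"op=add_user phase=invoke milestone={m}" for m in INVOCATION_RULESET["add_user"]]
BYPASS = [GOOD[0], GOOD[3]] + GOOD[4:]
```

Calling `analyze(GOOD)` returns no intrusion, while `analyze(BYPASS)` flags the skipped authentication milestones and returns an alert naming the operation to hold.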

As per claims 13, 19 Sathyanarayana teaches The method of claim 1, wherein the management system comprises a baseboard management controller of the computing system.  (Column 2 lines 40-50)

As per claim 20. Rubin teaches The computing system of claim 18, wherein the instructions further comprises instructions executable by the processor to cause the processor to: receive another plurality of log records generated corresponding to another plurality of milestone actions performed during invocation of an operation on the computing system via the at least one central processing unit. (receiving more log records and notification of more lateral movement) [0025][0045][0051]-[0053][0055][0057][0063]
Claim 12 is rejected under 35 U.S.C. 103 as being unpatentable over Sathyanarayana US 10,242,176 in view of Rubin US 2021/0243208 in view of King US 8,839,435 in view of Liu US 2016/0217283.

As per claim 12. Liu teaches The method of claim 1, wherein performing the security action comprises alerting a logged-in administrator at an instant to recover the management system before the operation is committed on the management system. [0010] (teaches alerting an admin)
Rubin teaches sending an alarm, alert, or notification of compromise and remedy but fails to teach that the alarm is sent to an administrator. [0050] [0258]
It would have been obvious to one of ordinary skill in the art to use the administrator of Liu with the previous combination because it ensures an immediate response to an attack.
Claim 14 is rejected under 35 U.S.C. 103 as being unpatentable over Sathyanarayana US 10,242,176 in view of Rubin US 2021/0243208 in view of King US 8,839,435 in view of Heard US 7,437,752.
As per claim 14. Heard teaches The method of claim 1, wherein the secure log store is protected using a security control. (Column 11 lines 32-52)  (teaches logs are secure and encrypted)
It would have been obvious at the time the invention was filed to use the security control of Heard with the previous art because it increases the security of the data logs to prevent tampering.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 


Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHRISTOPHER BROWN whose telephone number is (571)272-3833. The examiner can normally be reached M-F 8-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on (571) 270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/CHRISTOPHER J BROWN/Primary Examiner, Art Unit 2439