DETAILED ACTION
This action is in response to arguments/amendments filed 6/6/2022. Claims 1-8, 10, 11 and 13-21 were received and are under consideration.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments
A) Applicant's arguments with respect to the rejection of amended claims 1, 11 and 18 under 102 have been fully considered and are persuasive. Therefore, the rejection has been withdrawn. However, upon further consideration, a new ground of rejection is made in view of Browne et al (US 2019/0042739) in view of Herdrich et al (US 2017/0094377).
B) Applicant's arguments with respect to the rejection of amended claim 18 under 102 have been fully considered and are persuasive. Therefore, the rejection has been withdrawn. However, upon further consideration, a new ground of rejection is made in view of Browne et al (US 2019/0042739) in view of Kantacki et al (US 2019/0042454).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 2, 6-8, 10, 11, and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Browne et al (US 2019/0042739) in view of Herdrich et al (US 2017/0094377).
With respect to claim 1 Browne teaches a method for identifying a cache timing channel attack based on cache occupancy, the method comprising: 
monitoring cache occupancy for a set of application processes operating in a processor to produce cache occupancy data over a period of time (see Browne paragraph 0037 i.e. the analytics server 104 identifies suspicious core activity based on the activity counter data. Suspicious core activity is indicative of an active cache side channel attack and may include abnormal levels of LLC 206 occupancy, LLC 206 misses, memory bandwidth consumed, or other abnormal resource usage); and 
analyzing the cache occupancy data to identify a potential cache timing channel attack (see Browne figure 4 and paragraph 0038 i.e. In block 412, the analytics server 104 deploys a detection process to the monitored computing device 102. The detection process may be embodied as a specialized software process or other process that monitors for suspicious application activity indicative of a cache side channel attack).
Browne does not teach wherein monitoring the cache occupancy for the set of application processes comprises, during each of a plurality of time windows, reading cache occupancy for each of a plurality of application domains.
Herdrich teaches wherein monitoring the cache occupancy for the set of application processes comprises, during each of a plurality of time windows, reading cache occupancy for each of a plurality of application domains (see Herdrich paragraph 0115 i.e. periodically detecting application performance for an application executing on the computing platform, responsive to periodically receiving the performance monitoring event codes, to generate at least one curve relating application performance to at least one of memory bandwidth and cache occupancy for the computing platform).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Browne in view of Herdrich to periodically detect application performance for an application executing on the computing platform by periodically receiving the performance monitoring event codes, such as memory bandwidth and cache occupancy, to generate at least one curve relating application performance, as a way to monitor the application performance with respect to cache occupancy (see Herdrich paragraph 0087). Therefore one would have been motivated to periodically receive the performance monitoring event codes such as memory bandwidth and cache occupancy.

With respect to claim 2 Browne teaches the method of claim 1, further comprising: partitioning cache access between a pair of application processes involved in the potential cache timing channel attack (see Browne paragraph 0041 i.e. In block 424, in some embodiments the computing device 102 may kill a process associated with the suspicious application or otherwise terminate a currently executing suspicious application. In block 426, in some embodiments the computing device 102 may delete an executable image or other files associated with the suspicious application. In block 428, in some embodiments the computing device 102 may reset, reboot, or otherwise restart. Resetting the computing device 102 may cause the caches and other volatile memory of the computing device 102 to be reset and thus may defeat certain cache side channel attacks. In some embodiments, in block 430 the computing device 102 may restrict resource usage such as memory bandwidth or LLC 206 occupancy for a process associated with the suspicious application using the resource manager 210 of the computing device 102. Restricting resource usage may prevent or reduce the severity of certain cache side-channel attacks, for example by preventing the malicious process from forcing the LLC 206 to be flushed and/or by reducing the rate that a malicious process can attempt to read unauthorized memory).

With respect to claim 6 Browne teaches the method of claim 1, wherein monitoring the cache occupancy comprises using a cache occupancy monitor provided by the processor (see Browne figure 2 and paragraph 0046 i.e. The platform resource manager 210 counters may be indicative of, for example, cache occupancy in the LLC 206 and memory bandwidth used. As described above, the resource manager 210 may provide LLC 206 and memory bandwidth data for the primary applications as well as for all processes executed by the computing device 102).

With respect to claim 7 Browne teaches the method of claim 6, wherein the cache occupancy monitor provided by the processor is a built-in cache monitoring infrastructure of the processor for at least one of observing performance or improving application runtime (see Browne figure 2 and paragraph 0046 i.e. The platform resource manager 210 counters may be indicative of, for example, cache occupancy in the LLC 206 and memory bandwidth used. As described above, the resource manager 210 may provide LLC 206 and memory bandwidth data for the primary applications as well as for all processes executed by the computing device 102).

With respect to claim 8 Browne teaches the method of claim 1, wherein the method is performed on an operating system in communication with the processor (see Browne paragraphs 0017, 0034 and 0040).

With respect to claim 10 Browne teaches the method of claim 9, but does not disclose wherein analyzing the cache occupancy data comprises observing patterns of cache occupancy for one or more application domain pairs of the plurality of application domains over the plurality of time windows.
Herdrich teaches wherein analyzing the cache occupancy data comprises observing patterns of cache occupancy for one or more application domain pairs of the plurality of application domains over the plurality of time windows (see Herdrich paragraph 0115 i.e. periodically detecting application performance for an application executing on the computing platform, responsive to periodically receiving the performance monitoring event codes, to generate at least one curve relating application performance to at least one of memory bandwidth and cache occupancy for the computing platform).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Browne in view of Herdrich to periodically detect application performance for an application executing on the computing platform by periodically receiving the performance monitoring event codes, such as memory bandwidth and cache occupancy, to generate at least one curve relating application performance, as a way to monitor the application performance with respect to cache occupancy (see Herdrich paragraph 0087). Therefore one would have been motivated to periodically receive the performance monitoring event codes such as memory bandwidth and cache occupancy.

With respect to claim 11 Browne teaches a method for identifying a cache timing channel attack, the method comprising: 
receiving cache occupancy data for a set of application domains occupying a cache in a processor (see Browne paragraph 0037 i.e. the analytics server 104 identifies suspicious core activity based on the activity counter data. Suspicious core activity is indicative of an active cache side channel attack and may include abnormal levels of LLC 206 occupancy, LLC 206 misses, memory bandwidth consumed, or other abnormal resource usage); 
performing a pair-wise analysis of the set of application domains based on the cache occupancy data (see Browne figures 4, 6, paragraphs 0037 and 0047 i.e. In block 608, the analytics server 104 identifies suspicious core activity based on the activity counter data. As described above, suspicious core activity is indicative of a cache side channel attack and may include abnormal levels of LLC 206 occupancy, LLC 206 misses, memory bandwidth consumed, or other abnormal resource usage. In block 610, the analytics server 104 compares activity counters for the primary applications to activity counters for all processes executed by the computing device 102. Increased resource usage (e.g., increased LLC 206 occupancy, memory bandwidth, and/or LLC 206 cache misses) for the entire computing device 102 while resource usage for the primary applications does not increase may indicate the presence of a cache side channel attack); and 
identifying a potential cache timing channel attack from the pair-wise analysis (see Browne figure 4 and paragraphs 0037-0038 i.e. In block 412, the analytics server 104 deploys a detection process to the monitored computing device 102. The detection process may be embodied as a specialized software process or other process that monitors for suspicious application activity indicative of a cache side channel attack).
Browne does not teach performing a pair-wise analysis of the set of application domains over a plurality of time windows.
Herdrich teaches performing a pair-wise analysis of the set of application domains over a plurality of time windows (see Herdrich paragraph 0115 i.e. periodically detecting application performance for an application executing on the computing platform, responsive to periodically receiving the performance monitoring event codes, to generate at least one curve relating application performance to at least one of memory bandwidth and cache occupancy for the computing platform).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Browne in view of Herdrich to periodically detect application performance for an application executing on the computing platform by periodically receiving the performance monitoring event codes, such as memory bandwidth and cache occupancy, to generate at least one curve relating application performance, as a way to monitor the application performance with respect to cache occupancy (see Herdrich paragraph 0087). Therefore one would have been motivated to periodically receive the performance monitoring event codes such as memory bandwidth and cache occupancy.

With respect to claim 14 Browne teaches the method of claim 11, wherein performing the pair-wise analysis of the set of application domains comprises: computing a pair of cache occupancy traces for each pair of application domains based on changes in cache occupancy; and finding gain-loss swing patterns mirrored between the pair of cache occupancy traces for each pair of application domains (see Browne paragraph 0041 i.e. In block 424, in some embodiments the computing device 102 may kill a process associated with the suspicious application or otherwise terminate a currently executing suspicious application. In block 426, in some embodiments the computing device 102 may delete an executable image or other files associated with the suspicious application. In block 428, in some embodiments the computing device 102 may reset, reboot, or otherwise restart. Resetting the computing device 102 may cause the caches and other volatile memory of the computing device 102 to be reset and thus may defeat certain cache side channel attacks. In some embodiments, in block 430 the computing device 102 may restrict resource usage such as memory bandwidth or LLC 206 occupancy for a process associated with the suspicious application using the resource manager 210 of the computing device 102. Restricting resource usage may prevent or reduce the severity of certain cache side-channel attacks, for example by preventing the malicious process from forcing the LLC 206 to be flushed and/or by reducing the rate that a malicious process can attempt to read unauthorized memory).
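The pair-wise analysis recited in claims 11 and 14 (per-window occupancy traces for each pair of application domains, and a search for gain-loss swings mirrored between the two traces) as an added illustration; this is not the applicant's code, not Browne's or Herdrich's, and not the claim-15 formula, which this action does not reproduce. The occupancy samples, the "opposite sign and balanced magnitude" criterion for a mirrored step, and the 0.75 flagging threshold are assumptions chosen for the example.

```python
"""Pair-wise cache-occupancy trace analysis over time windows (added example)."""
from itertools import combinations
from typing import Dict, List, Sequence, Tuple

Pair = Tuple[str, str]

# Constructed sample input: LLC occupancy samples (e.g. cache lines) per
# application domain, read at a fixed interval; each window holds 4 samples.
# "A" and "B" contend for the cache (one gains what the other loses);
# "C" is a steady background process.
SAMPLES_PER_WINDOW = 4
CONSTRUCTED_OCCUPANCY: Dict[str, List[int]] = {
    "A": [100, 400, 900, 300, 100, 450, 850, 250],
    "B": [900, 600, 100, 700, 900, 550, 150, 750],
    "C": [200, 210, 190, 205, 200, 195, 205, 210],
}


def deltas(trace: Sequence[int]) -> List[int]:
    """Occupancy trace as per-step changes: gain > 0, loss < 0."""
    return [later - earlier for earlier, later in zip(trace, trace[1:])]


def split_windows(trace: Sequence[int], size: int) -> List[Sequence[int]]:
    """Cut a sample sequence into consecutive windows of 'size' samples."""
    return [trace[i:i + size] for i in range(0, len(trace), size)]


def mirrored_fraction(x: Sequence[int], y: Sequence[int], tol: float = 0.25) -> float:
    """Fraction of steps in one window where the two domains swing in mirror.

    Assumed criterion: the changes have opposite sign AND nearly cancel
    (|dx + dy| within 'tol' of the larger swing), i.e. cache space moved
    from one domain to the other rather than to or from the rest of the system.
    """
    dx, dy = deltas(x), deltas(y)
    if not dx:
        return 0.0
    hits = 0
    for gain_x, gain_y in zip(dx, dy):
        opposite = gain_x * gain_y < 0
        balanced = abs(gain_x + gain_y) <= tol * max(abs(gain_x), abs(gain_y))
        if opposite and balanced:
            hits += 1
    return hits / len(dx)


def pairwise_analysis(occupancy: Dict[str, List[int]], window_size: int) -> Dict[Pair, float]:
    """Average mirrored-swing fraction across windows for every domain pair."""
    scores: Dict[Pair, float] = {}
    for a, b in combinations(sorted(occupancy), 2):
        windows_a = split_windows(occupancy[a], window_size)
        windows_b = split_windows(occupancy[b], window_size)
        per_window = [mirrored_fraction(x, y) for x, y in zip(windows_a, windows_b)]
        scores[(a, b)] = sum(per_window) / len(per_window) if per_window else 0.0
    return scores


def suspicious_pairs(occupancy: Dict[str, List[int]], window_size: int,
                     threshold: float = 0.75) -> List[Pair]:
    """Pairs whose traces mirror each other often enough to warrant isolation."""
    return [pair for pair, score in pairwise_analysis(occupancy, window_size).items()
            if score >= threshold]


if __name__ == "__main__":
    for pair, score in pairwise_analysis(CONSTRUCTED_OCCUPANCY, SAMPLES_PER_WINDOW).items():
        print(pair, f"{score:.2f}")
    print("flagged:", suspicious_pairs(CONSTRUCTED_OCCUPANCY, SAMPLES_PER_WINDOW))
```

A flagged pair is the input to the partitioning step of claim 2; a real monitor would feed per-domain occupancy counters into CONSTRUCTED_OCCUPANCY instead of the embedded sample.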

Claim 3 is rejected under 35 U.S.C. 103 as being unpatentable over Browne et al (US 2019/0042739) in view of Herdrich et al (US 2017/0094377) in view of Kantacki et al (US 2019/0042454).
With respect to claim 3 Browne teaches the method of claim 2, but does not disclose wherein: partitioning the cache access between the pair of application processes involved in the potential cache timing channel attack comprises assigning at least one of the pair of application processes to a separate class of service (CLOS); and each CLOS has a predefined cache ways accessible to a corresponding application process.
Kantacki teaches wherein: partitioning the cache access between the pair of application processes involved in the potential cache timing channel attack comprises assigning at least one of the pair of application processes to a separate class of service (CLOS); and each CLOS has a predefined cache ways accessible to a corresponding application process (see Kantacki paragraph 0020 i.e. In some examples, the shared access to shared LLC 144 by CPU/cores 142-1 to 142-n may be allocated to various CLOS and the various CLOS may be assigned to VMs 130-1 to 130-n, VNF App(s) 132-1 to 132-n, guest OSs 134-1 to 134-n, host OS 111 or infrastructure (Infra) processes 117. The various CLOS may reflect how shared LLC 144 is partitioned to enable CPU/cores 142-1 to 142-n to support various workloads fulfilled by VMs 130-1 to 130-n, VNF App(s) 132-1 to 132-n, guest OSs 134-1 to 134-n, host OS 111 or Infra processes 117. The partitioning of shared LLC 144 may be based on, but is not limited to, such cache allocation technologies as Intel® Cache Allocation Technology (CAT). For example, Intel® CAT may use separate CLOS as a resource control tag via which VMs 130-1 to 130-n, VNF App(s) 132-1 to 132-n, guest OSs 134-1 to 134-n, host OS 111 or Infra processes 117 may be grouped and each CLOS may in turn have associated resource capacity bitmasks (CBMs) indicating how much of shared LLC 144 (e.g., number of cache ways) can be used by each CLOS).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Browne in view of Kantacki to partition the cache using Cache Allocation Technology (CAT), which enables dynamic cache partitioning for applications. With CAT, caches can be configured to have several different partitions on cache ways, called Classes of Service (CLOS). Therefore one would have been motivated to use Intel® Resource Director Technology (RDT), which allows for monitoring usage and allocation of processor cache and is mainly focused on defining cache classes of service (CLOS) and on how to use bit masks such as capacity bitmasks (CBMs) to partition the processor cache to support the CLOS (see Kantacki paragraph 0014).
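The CLOS-based partitioning of claims 3 and 18 (each CLOS owning a predefined set of cache ways, described by a capacity bitmask) as an added example; it is not the applicant's, Kantacki's or Intel's code. It assumes the Linux resctrl interface to CAT (mounted at /sys/fs/resctrl, with per-group "schemata" and "tasks" files and the "L3:<cache id>=<hex CBM>" schemata syntax), the hardware rule that a CBM must be a contiguous run of bits, and a constructed 12-way L3; the dry-run default only returns the writes it would make.

```python
"""Isolate a suspicious process pair into disjoint CAT classes of service (added example)."""
from pathlib import Path, PurePosixPath
from typing import Dict, List, Sequence, Tuple

RESCTRL_ROOT = "/sys/fs/resctrl"  # assumed Linux resctrl mount point


def contiguous_mask(low_way: int, width: int) -> int:
    """Capacity bitmask selecting 'width' consecutive ways starting at 'low_way'."""
    if width <= 0 or low_way < 0:
        raise ValueError("mask must cover at least one way")
    return ((1 << width) - 1) << low_way


def is_valid_cbm(mask: int, total_ways: int, min_ways: int = 1) -> bool:
    """A CBM must be non-empty, fit the cache's way count, cover at least
    'min_ways' ways and (assumed CAT hardware rule) be one contiguous run of bits."""
    if mask <= 0 or mask >= (1 << total_ways):
        return False
    lowest_set = (mask & -mask).bit_length() - 1
    shifted = mask >> lowest_set
    contiguous = (shifted & (shifted + 1)) == 0   # run of ones with no hole
    return contiguous and bin(mask).count("1") >= min_ways


def isolate_pair(total_ways: int, suspect_ways: int) -> Dict[str, int]:
    """Split the ways between the two processes of a flagged pair.

    The suspect gets 'suspect_ways' at the low end, its peer gets the rest.
    Disjoint masks mean neither process can evict the other's lines, which is
    the occupancy signal a timing channel relies on.
    """
    if not 0 < suspect_ways < total_ways:
        raise ValueError("suspect must get at least one way and leave one for the peer")
    masks = {
        "suspect": contiguous_mask(0, suspect_ways),
        "peer": contiguous_mask(suspect_ways, total_ways - suspect_ways),
    }
    assert masks["suspect"] & masks["peer"] == 0
    for mask in masks.values():
        assert is_valid_cbm(mask, total_ways)
    return masks


def schemata_line(mask: int, cache_ids: Sequence[int]) -> str:
    """resctrl schemata syntax, one entry per L3 cache instance: 'L3:0=ffc;1=ffc'."""
    return "L3:" + ";".join(f"{cache_id}={mask:x}" for cache_id in cache_ids)


def apply_clos(name: str, mask: int, pids: Sequence[int], cache_ids: Sequence[int],
               root: str = RESCTRL_ROOT, dry_run: bool = True) -> List[Tuple[str, str]]:
    """Create a resctrl group (one CLOS), set its way mask and move the pids in.

    Returns the (path, content) writes in order; with dry_run=True nothing is
    written, which lets the plan be reviewed or logged before enforcement.
    """
    group = PurePosixPath(root) / name
    writes = [(str(group / "schemata"), schemata_line(mask, cache_ids))]
    writes += [(str(group / "tasks"), str(pid)) for pid in pids]
    if not dry_run:
        Path(str(group)).mkdir(exist_ok=True)   # creating the directory allocates a CLOS
        for path, content in writes:
            Path(path).write_text(content + "\n")
    return writes


if __name__ == "__main__":
    # Constructed scenario: 12-way L3, one cache instance, flagged pids 4242 and 4243.
    masks = isolate_pair(total_ways=12, suspect_ways=2)
    for role, pid in (("suspect", 4242), ("peer", 4243)):
        for path, content in apply_clos(role, masks[role], [pid], cache_ids=[0]):
            print(f"would write {content!r} to {path}")
```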

Claims 4 and 5 are rejected under 35 U.S.C. 103 as being unpatentable over Browne et al (US 2019/0042739) in view of Herdrich et al (US 2017/0094377) in view of Cammarota et al (US 2018/0046808).
With respect to claim 4 Browne teaches the method of claim 2, but does not disclose wherein partitioning the cache access between the pair of application processes involved in the potential cache timing channel attack comprises partitioning the cache access temporarily.
Cammarota teaches wherein partitioning the cache access between the pair of application processes involved in the potential cache timing channel attack comprises partitioning the cache access temporarily (see Cammarota paragraph 0037 i.e. Side-channel attacks can utilize cache timing and cache miss behavior to deduce information about other software that is utilizing the cache 115. One technique that can be used to randomize the cache usage is to randomly select a partition into which to store data in the cache 115. In this approach, the cache can be segmented into a plurality of partitions and each partition may include one or more cache lines. The particular partition used can be randomly selected and a mapping of which data has been stored in which partition can be maintained by the cache controller of the cache 115; and paragraph 0040 i.e. The cache can be set to operate in a standard operating mode responsive to an instruction indicating that execution of the portion of software requiring data protection has completed (stage 225). The program code can include an instruction that indicates to the processor 105 that execution of the portion of software requiring side-channel attack protection is about to be completed. The instruction can call program code that is stored in a trusted portion 140 of the memory 110 of the computing device 100 which can be configured to change the operation of the cache 115 from the randomized operating mode back to the standard operating mode for the cache).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Browne in view of Cammarota to partition the cache access temporarily as a way of mitigating side-channel attacks on a cache (see Cammarota paragraph 0002).

With respect to claim 5 Browne teaches the method of claim 2, but does not disclose wherein partitioning the cache access between the pair of application processes involved in the potential cache timing channel attack comprises partitioning the cache access until at least one of the pair of application processes finishes execution.
Cammarota teaches wherein partitioning the cache access between the pair of application processes involved in the potential cache timing channel attack comprises partitioning the cache access until at least one of the pair of application processes finishes execution (see Cammarota paragraph 0037 i.e. Side-channel attacks can utilize cache timing and cache miss behavior to deduce information about other software that is utilizing the cache 115. One technique that can be used to randomize the cache usage is to randomly select a partition into which to store data in the cache 115. In this approach, the cache can be segmented into a plurality of partitions and each partition may include one or more cache lines. The particular partition used can be randomly selected and a mapping of which data has been stored in which partition can be maintained by the cache controller of the cache 115; and paragraph 0040 i.e. The cache can be set to operate in a standard operating mode responsive to an instruction indicating that execution of the portion of software requiring data protection has completed (stage 225). The program code can include an instruction that indicates to the processor 105 that execution of the portion of software requiring side-channel attack protection is about to be completed. The instruction can call program code that is stored in a trusted portion 140 of the memory 110 of the computing device 100 which can be configured to change the operation of the cache 115 from the randomized operating mode back to the standard operating mode for the cache).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Browne in view of Cammarota to partition the cache access until the protected portion of software finishes execution as a way of mitigating side-channel attacks on a cache (see Cammarota paragraph 0002).

Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over Browne et al (US 2019/0042739) in view of Herdrich et al (US 2017/0094377) in view of Waldspurger et al (US 2016/0140052).
With respect to claim 13 Browne teaches the method of claim 12, but does not disclose wherein a window size of the plurality of time windows is user controllable.
Waldspurger teaches wherein a window size of the plurality of time windows is user controllable (see Waldspurger paragraph 0109 i.e. The monitor 500 may also be included to allow a system administrator to communicate various parameters to the analysis system 300 to change the threshold T, the modulus P, the selection of client(s) to analyze, etc. Other parameters that an administrator might want to set and adjust in the sampling module might be how often sampling and MRC-construction should be done. Typical times might be on the order of minutes or even hours, but the decision could also be based on a large enough (determined by the administrator) change in the number and/or type of clients that need to share the cache).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Browne in view of Waldspurger to make the time windows of the cache monitor user controllable by the administrator, so that the administrator can adjust how often sampling and MRC-construction should be done.

Claims 18-21 are rejected under 35 U.S.C. 103 as being unpatentable over Browne et al (US 2019/0042739) in view of Kantacki et al (US 2019/0042454).
With respect to claim 18 Browne teaches a system for defense against timing channel attacks, the system comprising: 
a cache occupancy monitor configured to produce cache occupancy data tracking a number of cache blocks occupied by each of a plurality of application processes (see Browne paragraph 0037 i.e. the analytics server 104 identifies suspicious core activity based on the activity counter data. Suspicious core activity is indicative of an active cache side channel attack and may include abnormal levels of LLC 206 occupancy, LLC 206 misses, memory bandwidth consumed, or other abnormal resource usage); and 
an occupancy pattern analyzer configured to analyze the cache occupancy data to identify a potential cache timing channel attack (see Browne figure 4 and paragraph 0038 i.e. In block 412, the analytics server 104 deploys a detection process to the monitored computing device 102. The detection process may be embodied as a specialized software process or other process that monitors for suspicious application activity indicative of a cache side channel attack).
Browne does not teach a cache partition manager configured to partition cache access between a pair of application processes involved in the potential cache timing channel attack by assigning at least one of the pair of application processes to a separate cache partition, wherein each cache partition has predefined cache ways accessible to a corresponding application process.
Kantacki teaches a cache partition manager configured to partition cache access between a pair of application processes involved in the potential cache timing channel attack by assigning at least one of the pair of application processes to a separate cache partition, wherein each cache partition has a predefined cache ways accessible to a corresponding application process (see Kantacki paragraph 0020 i.e. In some examples, the shared access to shared LLC 144 by CPU/cores 142-1 to 142-n may be allocated to various CLOS and the various CLOS may be assigned to VMs 130-1 to 130-n, VNF App(s) 132-1 to 132-n, guest OSs 134-1 to 134-n, host OS 111 or infrastructure (Infra) processes 117. The various CLOS may reflect how shared LLC 144 is partitioned to enable CPU/cores 142-1 to 142-n to support various workloads fulfilled by VMs 130-1 to 130-n, VNF App(s) 132-1 to 132-n, guest OSs 134-1 to 134-n, host OS 111 or Infra processes 117. The partitioning of shared LLC 144 may be based on, but is not limited to, such cache allocation technologies as Intel® Cache Allocation Technology (CAT). For example, Intel® CAT may use separate CLOS as a resource control tag via which VMs 130-1 to 130-n, VNF App(s) 132-1 to 132-n, guest OSs 134-1 to 134-n, host OS 111 or Infra processes 117 may be grouped and each CLOS may in turn have associated resource capacity bitmasks (CBMs) indicating how much of shared LLC 144 (e.g., number of cache ways) can be used by each CLOS).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Browne in view of Kantacki to partition the cache using Cache Allocation Technology (CAT), which enables dynamic cache partitioning for applications. With CAT, caches can be configured to have several different partitions on cache ways, called Classes of Service (CLOS). Therefore one would have been motivated to use Intel® Resource Director Technology (RDT), which allows for monitoring usage and allocation of processor cache and is mainly focused on defining cache classes of service (CLOS) and on how to use bit masks such as capacity bitmasks (CBMs) to partition the processor cache to support the CLOS (see Kantacki paragraph 0014).

With respect to claim 19 Browne teaches the system of claim 18, wherein the cache occupancy monitor is deployed on a combination of firmware and management layers operating on a processor (see Browne paragraphs 0017, 0034 and 0040).

With respect to claim 20 Browne teaches the system of claim 19, wherein the occupancy pattern analyzer is deployed on an operating system operating on the processor (see Browne figure 2 and paragraph 0046 i.e. The platform resource manager 210 counters may be indicative of, for example, cache occupancy in the LLC 206 and memory bandwidth used. As described above, the resource manager 210 may provide LLC 206 and memory bandwidth data for the primary applications as well as for all processes executed by the computing device 102).

With respect to claim 21 Browne teaches the system of claim 18, further comprising a way allocation manager to partition access to the cache blocks for a pair of application processes involved in the potential cache timing channel attack (see Browne paragraph 0041 i.e. In block 424, in some embodiments the computing device 102 may kill a process associated with the suspicious application or otherwise terminate a currently executing suspicious application. In block 426, in some embodiments the computing device 102 may delete an executable image or other files associated with the suspicious application. In block 428, in some embodiments the computing device 102 may reset, reboot, or otherwise restart. Resetting the computing device 102 may cause the caches and other volatile memory of the computing device 102 to be reset and thus may defeat certain cache side channel attacks. In some embodiments, in block 430 the computing device 102 may restrict resource usage such as memory bandwidth or LLC 206 occupancy for a process associated with the suspicious application using the resource manager 210 of the computing device 102. Restricting resource usage may prevent or reduce the severity of certain cache side-channel attacks, for example by preventing the malicious process from forcing the LLC 206 to be flushed and/or by reducing the rate that a malicious process can attempt to read unauthorized memory).

Allowable Subject Matter
Claims 15-17 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
With respect to claim 15 the prior art does not teach the method of claim 14, wherein finding the gain-loss swing patterns mirrored between the pair of cache occupancy traces comprises taking a product zi based on the formula:

    [equation image media_image1.png: formula for the product zi, not reproduced in this text]

where

    [equation image media_image2.png: definition of the terms of the formula, not reproduced in this text]

where xi,j and yi,j are the jth occupancy samples in the ith window for a first application domain and a second application domain, respectively, in each pair of application domains.
Claims 16-17 are objected to based on their dependency from claim 15.

Prior Art Not Used in Rejection
	Qi et al (US 2009/0010424) titled “System and Methods for Side-Channel Attack Prevention”.
	Sebot et al (US 2008/0155679) titled "Mitigating Branch Prediction and Other Timing Based Side Channel Attacks" teaches that, to provide hardware protection against timing based side channel attacks, a processor's microarchitecture enables an OS to determine which applications have the privilege to read timestamp and performance counters.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DEVIN E ALMEIDA whose telephone number is (571)270-1018.  The examiner can normally be reached on Monday-Thursday from 7:30 A.M. to 5:00 P.M.  The examiner can also be reached on alternate Fridays from 7:30 A.M. to 4:00 P.M. 
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Saleh Najjar, can be reached on 571-272-4006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
/DEVIN E ALMEIDA/Examiner, Art Unit 2492
/SALEH NAJJAR/Supervisory Patent Examiner, Art Unit 2492