DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-8, 13, 15, 19-20 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Lamothe-Brassard (Pub. No. US 2018/0181750).

As per claim 1, Lamothe-Brassard discloses a computing apparatus, comprising: a hardware platform comprising a processor and a memory; and instructions encoded within the memory (…see a computer analysis system uses telemetry tree to create historical database…telemetry tree may represent a collection of telemetry data point…having hash of telemetry data…see par. 34, 40) to instruct the processor to: trace, for a plurality of actions having different direct parent actors, a common responsible parent actor, wherein the instructions determine that the common responsible parent actor caused or directed the plurality of actions (…each node of the nodes may have one or more child nodes…the child nodes indicate telemetry types initiated or used by the parent node…for example, a root node in the telemetry tree may represent an initial system process for the first computer…(analyzing is interpreted as tracing; telemetry tree has parent node and grandparent nodes: interpreted as parent actors; system process by the root node is interpreted as common parent actor initiating actions…) computer analysis system generates a root relationship value, RV, for an edge…the response message may cause the first computer to terminate a process/all processes…see par. 36-42, 73-74); compile a report of the plurality of actions, wherein the actions are grouped by the common responsible parent actor (…the computer analysis system may determine relationship values for the nodes in the telemetry tree and generate relationship values (interpreted as compile/generating report)…that includes information for all of the nodes on the path between root and child nodes …the root node/parent node (interpreted as common responsible actor) may have one or more child nodes, such as webbrowser process…each of the child nodes of the root node were initialized by the root node…the root node may be for a root or initial process executed on the first computer during a boot process (the processes between parent and child nodes are interpreted as the actions grouped by the parent node)…see par. 34-42); send the report to a machine or human analysis agent (see par. 64); responsive to the report, receive from the analysis agent a remedial action; and execute the remedial action (see par. 72-74).



As per claim 15, Lamothe-Brassard discloses a computing security system, comprising: a computing endpoint, comprising a hardware platform, and operational software to execute on the hardware platform (see par. 130); a security agent configured to protect the operational software, including analyzing a plurality of actions having different direct actors, identifying a common responsible actor for the plurality of actions (…each node of the nodes may have one or more child nodes…the child nodes indicate telemetry types initiated or used by the parent node…for example, a root node in the telemetry tree may represent an initial system process for the first computer…(analyzing is interpreted as tracing; telemetry tree has parent node and grandparent nodes: interpreted as parent actors; system process by the root node is interpreted as common parent actor initiating actions…) computer analysis system generates a root relationship value, RV, for an edge…the response message may cause the first computer to terminate a process/all processes…see par. 36-42, 73-74), and generating a report in which the plurality of actions are grouped by the common responsible actor (…the computer analysis system may determine relationship values for the nodes in the telemetry tree and generate relationship values (interpreted as compile/generating report)…that includes information for all of the nodes on the path between root and child nodes …the root node/parent node (interpreted as common responsible actor) may have one or more child nodes, such as webbrowser process…each of the child nodes of the root node were initialized by the root node…the root node may be for a root or initial process executed on the first computer during a boot process (the processes between parent and child nodes are interpreted as the actions grouped by the parent node)…see par. 34-42); and a system analyzer configured to analyze the report, infer an intent of the common responsible actor, and according to the inferred intent, provide a remediation to the computing endpoint (see par. 72-74).


As per claim 19, Lamothe-Brassard discloses one or more tangible, non-transitory computer-readable storage media having stored thereon executable instructions to: enumerate on a computing system a plurality of actions and targets (see par. 138); identify for the actions responsible parent actors that directed or caused the actions, the responsible parent actors being different from direct actors that directly performed the actions (…each node of the nodes may have one or more child nodes…the child nodes indicate telemetry types initiated or used by the parent node…for example, a root node in the telemetry tree may represent an initial system process for the first computer…(analyzing is interpreted as tracing; telemetry tree has parent node and grandparent nodes: interpreted as parent actors; system process by the root node is interpreted as common parent actor initiating actions…) computer analysis system generates a root relationship value, RV, for an edge…the response message may cause the first computer to terminate a process/all processes…see par. 36-42, 73-74); compile an action report wherein actions are grouped by their responsible parent actors (…the computer analysis system may determine relationship values for the nodes in the telemetry tree and generate relationship values (interpreted as compile/generating report)…that includes information for all of the nodes on the path between root and child nodes …the root node/parent node (interpreted as common responsible actor) may have one or more child nodes, such as webbrowser process…each of the child nodes of the root node were initialized by the root node…the root node may be for a root or initial process executed on the first computer during a boot process (the processes between parent and child nodes are interpreted as the actions grouped by the parent node)…see par. 34-42); derive from the action report a remedial security action to remedy a responsible parent actor; and execute the remedial security action (see par. 72-74).


As per claim 2, Lamothe-Brassard discloses wherein the report further associates the plurality of actions with their direct parent actors (see par. 34-42).


As per claim 3, Lamothe-Brassard discloses wherein the report further associates the plurality of actions with their targets (see par. 34-42).


As per claim 4, Lamothe-Brassard discloses wherein determining that the common responsible parent actor caused or directed the actions comprises determining that the common responsible parent actor is a living off the land binary (lolbin) or a living off the land binary and script (lolbas) (see identify anomalous parent-child process chains and hunt for living off the land attack…see par. 29-30).


As per claim 5, Lamothe-Brassard discloses wherein determining that the common responsible parent actor caused or directed the actions further comprises iteratively examining next-level direct parent actors (Filar: see par. 51-52).


As per claim 6, Lamothe-Brassard discloses wherein iteratively examining next-level direct parent actors comprises iterating until a parent is found that is not a lolbin or lolbas (Filar: see par. 39-40).


As per claim 7, Lamothe-Brassard discloses wherein iteratively examining next-level direct parent actors comprises iterating until a parent is found that is a well-known process (Filar: see par. 53).


As per claim 8, Lamothe-Brassard discloses wherein iteratively examining next-level direct parent actors comprises iterating until a parent is found that is a system process (Filar: see par. 35, 60).


As per claim 13, Lamothe-Brassard discloses wherein a responsible parent actor includes a process that created or changed a system startup script (Lamothe-Brassard: see par. 36). 


As per claim 20, Lamothe-Brassard discloses wherein the action report further associates the plurality of actions with their direct parent actors (Lamothe-Brassard: see par. 34-42).
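To make the claimed parent-actor tracing concrete (claims 1-3 and 5-8 above), the following is an added illustration written for this page; it is not code from the Office Action, the application or either cited reference. The process table, the lolbin and system-process lists, and the actions are all constructed sample data, and the stop conditions `not_lolbin` and `is_system` are this example's own names for the conditions of claims 6 and 7-8.

```python
from collections import defaultdict

# Constructed process table for this example: pid -> (image name, parent pid).
PROCESSES = {
    4: ("System", 0),
    600: ("services.exe", 4),
    900: ("explorer.exe", 600),
    1200: ("winword.exe", 900),
    1300: ("cmd.exe", 1200),
    1400: ("powershell.exe", 1300),
    1500: ("rundll32.exe", 1400),
    1600: ("mshta.exe", 1200),
}
# Constructed lists: living-off-the-land binaries and well-known system processes.
LOLBINS = {"cmd.exe", "powershell.exe", "rundll32.exe", "mshta.exe", "regsvr32.exe"}
SYSTEM_PROCESSES = {"System", "services.exe", "explorer.exe"}

def not_lolbin(name):      # stop condition in the style of claim 6
    return name not in LOLBINS

def is_system(name):       # stop condition in the style of claims 7-8
    return name in SYSTEM_PROCESSES

def responsible_parent(pid, stop):
    """Start at the direct actor and walk next-level parents until `stop`
    accepts one (claim 5). Returns None for an unknown pid or a broken chain."""
    seen = set()
    while pid in PROCESSES and pid not in seen:
        seen.add(pid)
        name, ppid = PROCESSES[pid]
        if stop(name):
            return pid
        pid = ppid
    return None

# Constructed actions: (direct actor pid, action, target).
ACTIONS = [
    (1400, "create_file", r"C:\Users\u\AppData\Roaming\x.dll"),
    (1500, "network_connect", "198.51.100.7:443"),
    (1600, "modify_registry", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"),
    (900, "create_process", "notepad.exe"),
]

def compile_report(actions, stop):
    """Group actions by responsible parent (claim 1), keeping the direct actor
    and the target with each action (claims 2-3)."""
    report = defaultdict(list)
    for direct, action, target in actions:
        owner = responsible_parent(direct, stop)
        image = PROCESSES.get(direct, ("?", 0))[0]
        report[owner].append({"direct": image, "action": action, "target": target})
    return dict(report)
```

With `not_lolbin` the three lolbin-originated actions collapse onto winword.exe (pid 1200) while explorer.exe's own action stays separate; with `is_system` the walk continues past winword.exe and all four actions group under explorer.exe (pid 900).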




Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 9-12, 14, 16-18 are rejected under 35 U.S.C. 103 as being unpatentable over Lamothe-Brassard (Pub. No. US 2018/0181750) in view of Filar et al (Pub. No. US 2022/0100857).

As per claim 9, Lamothe-Brassard does not explicitly disclose wherein determining that the common responsible parent actor caused or directed the actions further comprises iteratively inspecting direct parent actors in a hierarchy until a condition is met. However, Filar discloses wherein determining that the common responsible parent actor caused or directed the actions further comprises iteratively inspecting direct parent actors in a hierarchy until a condition is met (…see element 206 in fig. 2, the hierarchy graph…is generated, the maliciousness is a calculated score…associated with a parent-child process chain…the community detection module can perform score calculation for every node in the graph by iterating through each community…the community detection module can perform a maximum function across all the anomaly scores for nodes in a given community…if the returned value is >= a specified threshold, the community is deemed malicious and set aside for user review…see par. 39, 51-52). Therefore one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to use Filar in Lamothe-Brassard for including the above limitations because one of ordinary skill in the art would recognize it would further improve detection of malicious activity in the context of computing processes and more specifically parent-child process chains…see Filar, par. 14-15.


As per claim 10, the combination of Lamothe-Brassard and Filar discloses wherein the condition is finding an actor that is a well-known or system process (Filar: see par. 52-53). The motivation for claim 10 is the same motivation as in claim 9 above.


As per claim 11, the combination of Lamothe-Brassard and Filar discloses wherein a responsible parent actor includes a process that created or changed a system registry value (Filar: see par. 21, 56). The motivation for claim 11 is the same motivation as in claim 9 above.


As per claim 12, the combination of Lamothe-Brassard and Filar discloses wherein a responsible parent actor includes a process that created or changed a system configuration file (Filar: see par. 60). The motivation for claim 12 is the same motivation as in claim 9 above.


As per claim 14, the combination of Lamothe-Brassard and Filar discloses wherein a responsible parent actor includes a process that created or changed a scheduled task (Filar: see par. 21). The motivation for claim 14 is the same motivation as in claim 9 above.


As per claim 16, the combination of Lamothe-Brassard and Filar discloses wherein the system analyzer is configured to be augmented by human input or feedback (Filar: see par. 59-60). The motivation for claim 16 is the same motivation as in claim 9 above.


As per claim 17, the combination of Lamothe-Brassard and Filar discloses wherein the system analyzer comprises a machine learning or artificial intelligence system (Filar: see par. 61, 64). The motivation for claim 17 is the same motivation as in claim 9 above.


As per claim 18, the combination of Lamothe-Brassard and Filar discloses wherein the system analyzer is configured to receive a pre-trained model (Filar: see par. 53-55). The motivation for claim 18 is the same motivation as in claim 9 above.




Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure (see PTO-form 892).
The following Patents and Papers are cited to further show the state of the art at the time of Applicant’s invention with respect to providing responsible parent process identification.

Li et al (Pub. No. US 2021/0064751); “Provenance-Based Threat Detection Tools and Stealthy Malware Detection”;
-Teaches an anomaly detection of the neural network that can be trained to recognize benign nodes and/or edges…see par. 76.


Chen (Pub. No. US 2019/0272375); “Trust Model for Malware Classification”;

-Teaches malicious object may include a fileless attack or a living off the land attack…once malicious object gains access to client device, it may try to perform work such as social engineering of user, a hardware-based attack on client device, modifying storage, modifying client application, or gaining access to home resources…see par. 152.



Any inquiry concerning this communication or earlier communications from the examiner should be directed to GHAZAL B SHEHNI whose telephone number is (571)270-7479. The examiner can normally be reached Mon-Fri 9am-5pm PCT.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Philip Chea can be reached on 5712723951. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/GHAZAL B SHEHNI/Primary Examiner, Art Unit 2499