DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 12/22/2025 has been entered.
Information Disclosure Statement
The 11/21/2025 IDS document has been considered by the examiner.
Response to Amendment / Arguments
Regarding claims rejected for Double Patenting:
Applicant’s amendment is considered to have overcome the rejection. Accordingly, the rejection has been withdrawn.
Regarding claims rejected under 35 USC 112(b):
Applicant’s amendment is considered to have overcome the rejection. Accordingly, the rejection has been withdrawn.
Regarding claims rejected under 35 USC 103:
Applicant’s arguments in view of the amended claim language have been fully considered and are persuasive. Therefore, the rejection has been withdrawn. Specifically, Petersen-Doppke does not teach “wherein gathering objects includes: receiving a unified query concerning the one or more security-relevant subsystems and distributing at least a portion of the unified query to each of the one or more security-relevant subsystems, resulting in distribution of a plurality of queries to the one or more security-relevant subsystems.” However, upon further consideration, a new ground(s) of rejection is made in view of Roturier (US 10,418,036 B1).
Claim Objections
Claims 1, 10, and 19 are objected to because of the following informalities: they recite “that have provided data to destination IP address,” which is missing an article before “destination IP address.” Appropriate correction is required.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.
Claims 1-5, 7, 10-14, 16, 19-23, and 25 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention. Independent claims 1, 10, and 19 each recite “distributing at least a portion of the unified query to each of the one or more security-relevant subsystems, resulting in distribution of a plurality of queries to the one or more security-relevant subsystems,” which renders the respective claims indefinite because it is not clear how to interpret distributing “a plurality of queries to the one or more security-relevant subsystems” in the case of the “one or more security-relevant subsystems” being exactly one security-relevant subsystem and “at least a portion” being exactly one portion. For instance, [00162]-[00164] of the instant specification concerning unified queries discloses that “Unified query 262 may then be parsed to form plurality of queries 264, wherein a specific query… may be defined for each of the plurality of security-relevant subsystems and provided to the appropriate security-relevant subsystems.” It is important that a person of ordinary skill in the art be able to interpret the metes and bounds of the claims so as to understand how to avoid infringement. In this case, it is not clear how a plurality of queries are distributed as a result of distributing a single portion to a single security-relevant subsystem.
The dependent claims do not rectify this issue and are therefore likewise rejected with their respective parent independent claims.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1-2, 4-5, 7, 10-11, 13-14, 16, 19-20, 22-23, and 25 is/are rejected under 35 U.S.C. 103 as being unpatentable over Petersen (US 9,384,112 B2) in view of Doppke (US 10,567,415 B2) and Roturier (US 10,418,036 B1).
Regarding claim 1, Petersen discloses: A computer-implemented method, executed on a computing device, comprising:
monitoring, by one or more security-relevant subsystems, respective activity of the one or more security-relevant subsystems with respect to a computing platform to identify suspect activity within the computing platform, wherein the one or more security-relevant subsystems include one or more of CDN (Content Delivery Network) systems; DAM (Database Activity Monitoring) systems; UBA (User Behavior Analytics) systems; MDM (Mobile Device Management) systems; IAM (Identity and Access Management) systems; DNS (Domain Name Server) systems, antivirus systems, operating systems, data lakes; data logs; security-relevant software applications; security-relevant hardware systems; and resources external to the computing platform;
Refer to at least Col. 1, Ll. 64-Col. 2, Ll. 5, Col. 9, Ll. 61-67, and Col. 13, Ll. 19-27 of Petersen with respect to sources such as firewalls, intrusion detection systems, security devices, and so forth.
detecting the security event within the computing platform based upon the identified suspect activity;
Refer to at least Col. 25, Ll. 1-14 and Ll. 54-67 of Petersen with respect to identifying suspect activity as security events.
rendering a threat mitigation user interface that identifies objects within a computing platform in response to the security event,
Refer to at least Col. 10, Ll. 1-41 of Petersen with respect to log messages and events. At least Ll. 31-41 discuss examples such as improper logins, attacks, errors, and so forth.
Refer to at least FIG. 17-18, FIG. 23, and Col. 24, Ll. 50-65 of Petersen with respect to an exemplary dashboard / GUI for viewing the logs / events.
including gathering objects within the computing platform in response to the security event from a plurality of sources associated with the computing platform, thus defining objects within the computing platform,
Refer to at least Col. 13, Ll. 19-24, Col. 25, Ll. 56-67, Col. 26, Ll. 44-67, and Col. 33, Ll. 28-35 of Petersen with respect to collecting logs from one or more log sources as they concern alarms.
enabling a third-party (the instant specification, e.g., [00113] and [00153] defines a third party as comprising a user / owner / operator) to select one or more objects within the threat mitigation user interface when conducting an investigation of the security event, thus defining one or more selected objects;
Refer to at least Col. 28, Ll. 67-Col. 29, Ll. 4 and Col. 25, Ll. 28-36 of Petersen with respect to a user being able to “drill down” information by, e.g., clicking on the information within the GUI.
rendering an inspection window that defines object information concerning the one or more selected objects, thus defining one or more objects reviewed by the third party; and
Refer to at least FIG. 19, FIG. 27-31, Col. 25, Ll. 26-40, and Col. 30, Ll. 27-Col. 31, Ll. 67 of Petersen with respect to, e.g., launching a pop-up window with more information responsive to the drilling down.
rendering an action list that defines targeted actions based, at least in part, upon the object information;
Refer to at least FIG. 28, Col. 7, Ll. 51-53, Col. 30, Ll. 55-59, and Col. 31, Ll. 21-67 of Petersen with respect to a drop-down menu presenting a number of actions that may be taken to the user.
monitoring the one or more objects reviewed by the third party when conducting the investigation of the security event.
Refer to at least Col. 33, Ll. 16-Col. 34, Ll. 4 of Petersen with respect to allowing an administrator to monitor for, e.g., specific data transfers and to automatically collect associated information. The administrator can use any user interfaces or dashboards for monitoring.
Although Petersen discloses presenting a number of actions that might be taken, it is not clear whether it discloses: suggesting additional actions to be taken by the third party concerning the investigation of the security event, the additional actions including one or more of additional objects to be reviewed by the third party when conducting the investigation of the security event and additional artifacts to be gathered by the third party when investigating the security event. Petersen further does not fully specify: wherein the object information includes one or more of: total quantity of data provided to a destination IP address; and a list of all devices within the computing platform that have provided data to destination IP address; wherein gathering objects includes: receiving a unified query concerning the one or more security-relevant subsystems and distributing at least a portion of the unified query to each of the one or more security-relevant subsystems, resulting in distribution of a plurality of queries to the one or more security-relevant subsystems. However, Petersen in view of Doppke discloses: wherein the object information includes one or more of:
total quantity of data provided to a destination IP address; and
Refer to at least FIG. 3-4A, Col. 4, Ll. 51-54, Col. 5, Ll. 10-17, Col. 7, Ll. 16-46, Col. 8, Ll. 14-32, and Col. 9, Ll. 7-34 of Doppke with respect to traffic volume metrics and user selections for the threat monitoring GUI, where the user selections can include “destination IP address; one or more traffic characteristics, such as volume or other metrics; and one or more policy characteristics.” Further, “[t]he graphic display is based on the user selections that were received, such as to display data associated with a selected time window, a selected protected host 104 or external host 106 or group of hosts.” Finally, the “volumetric data can be associated with total traffic flow in either direction, inbound or outbound, to or from the protected network 108, or can be associated with particular protected hosts 104 or external hosts 114 or groups of such hosts.”
a list of all devices within the computing platform that have provided data to destination IP address;
suggesting additional actions to be taken by the third party concerning the investigation of the security event, the additional actions including one or more of additional objects to be reviewed by the third party when conducting the investigation of the security event and additional artifacts to be gathered by the third party when investigating the security event.
Refer to at least 446 in FIG. 4C and Col. 13, Ll. 16-32 of Doppke with respect to a menu bar with interactive display elements that can be activated to perform a variety of tasks. The tasks include viewing additional alerts and events.
The teachings of Doppke likewise concern graphical user interfaces for network security monitoring and are considered to be within the same field of endeavor and combinable as such.
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of Petersen to further implement additional visualizations and GUI elements (e.g., a visualization of total traffic for a selectable destination IP address) for at least the purpose discussed in Col. 1, Ll. 51-63 of Doppke (i.e., helping analysts with improved tools to better present information conducive to recognition of relationships and associations concerning network traffic).
Petersen-Doppke does not disclose: wherein gathering objects includes: receiving a unified query concerning the one or more security-relevant subsystems and distributing at least a portion of the unified query to each of the one or more security-relevant subsystems, resulting in distribution of a plurality of queries to the one or more security-relevant subsystems. However, Petersen-Doppke in view of Roturier discloses: wherein gathering objects includes: receiving a unified query concerning the one or more security-relevant subsystems and distributing at least a portion of the unified query to each of the one or more security-relevant subsystems, resulting in distribution of a plurality of queries to the one or more security-relevant subsystems.
Refer to at least the abstract, FIG. 3, Col. 5, Ll. 30-34, Col. 5, Ll. 47-Col. 6, Ll. 2, and Col. 9, Ll. 23-34 of Roturier with respect to a unified conversational agent query by a client being used to generate search queries to a plurality of incident analysis systems.
The teachings of Roturier likewise concern graphical user interfaces for computer security monitoring, and are considered to be within the same field of endeavor and combinable as such.
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of Petersen-Doppke to further implement unified conversational agent functionality for user queries for at least the reasons specified in Col. 1, Ll. 37-59 and Col. 4, Ll. 54-Col. 5, Ll. 8 of Roturier (i.e., making it easier for users to look up information from disparate security incident analysis systems having different APIs and syntax, thereby improving an analyst’s security workflow).
Regarding claim 2, it is rejected for substantially the same reasons as claim 1 above (i.e., the citations concerning a pop-up window).
Regarding claim 4, Petersen-Doppke-Roturier discloses: The computer-implemented method of claim 1 further comprising: enabling the third-party to select a portion of the object information rendered within the inspection window, thus defining a selected portion.
Refer to at least FIG. 19, FIG. 27, FIG. 29-30, Col. 25, Ll. 26-40, and Col. 30, Ll. 27-Col. 31, Ll. 67 of Petersen with respect to GUI elements within the pop-up windows and additionally being able to drill down within the pop-up windows, and with respect to a second pop-up window responsive to edits within the first.
Regarding claim 5, it is rejected for substantially the same reasons as claim 4 above (i.e., the citations).
Regarding claim 7, Petersen-Doppke-Roturier discloses: The computer-implemented method of claim 6 wherein detecting the security event within the computing platform based upon identified suspect activity includes: monitoring a plurality of sources to identify suspect activity within the computing platform.
Refer to at least Col. 12, Ll. 67-Col. 13, Ll. 27 with respect to collecting log data from a variety of sources.
Regarding independent claim 10, it is substantially similar to independent claim 1 above, and is therefore likewise rejected (i.e., the citations).
Regarding claims 11, 13-14, and 16, they are substantially similar to claims 2 and 4-7 above, and are therefore likewise rejected.
Regarding independent claim 19, it is substantially similar to independent claim 1 above, and is therefore likewise rejected (i.e., the citations).
Regarding claims 20, 22-23, and 25, they are substantially similar to claims 2 and 4-7 above, and are therefore likewise rejected.
Claim(s) 3, 12, and 21 is/are rejected under 35 U.S.C. 103 as being unpatentable over Petersen-Doppke-Roturier as applied to claims 1-2, 4-5, 7, 10-11, 13-14, 16, 19-20, 22-23, and 25 above, and further in view of Van Brink (US 2015/0207804 A1).
Regarding claim 3, Petersen-Doppke-Roturier does not specify: wherein the inspection window is a slide out inspection window. However, Petersen-Doppke-Roturier in view of Van Brink discloses: wherein the inspection window is a slide out inspection window.
Refer to at least FIG. 2, [0036], and [0057] of Van Brink with respect to a slide-out window element.
The teachings of Petersen-Doppke-Roturier and the relied-upon teachings of Van Brink concern graphical user interfaces for security and are considered to be combinable.
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of Petersen-Doppke-Roturier such that its pop-up windows may be implemented via a slide-out element because the substitution of one known element for another would have yielded predictable results to one of ordinary skill in the art at the time (i.e., see [0057] of Van Brink stating the equivalence between use of a pop-up window or a slide-out element). Further, an advantage of using a slide-out element may have been to more efficiently utilize screen space (e.g., the user would not have to deal with finding, opening, and closing pop-ups).
Regarding claims 12 and 21, they are substantially similar to claim 3 above, and are therefore likewise rejected.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to VADIM SAVENKOV whose telephone number is (571)270-5751. The examiner can normally be reached 12PM-8PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey L Nickerson can be reached at (469) 295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Jeffrey Nickerson/Supervisory Patent Examiner, Art Unit 2432
/V.S/Examiner, Art Unit 2432