DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This communication is in response to the amendments filed on 02/20/2026. Claims 1-20 are currently pending.
Response to Arguments
Applicant's arguments filed on 02/20/2026 regarding claims 1 and 11 have been fully considered, but are moot in view of the new rejections made below in response to applicant's amendments.
Response to Amendment
The previous 112(b) rejections made in respect of the application have been withdrawn in response to applicant’s amendments.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-4, 11-14, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. PGPub. No. 20230004654 to Jurzak et al. (hereinafter Jurzak) in view of U.S. PGPub. No. 20050278207 to Ronnewinkel, Christopher (hereinafter Ronnewinkel) and further in view of U.S. PGPub. No. 20040193943 to Angelino et al. (hereinafter Angelino).
Regarding claim 1, Jurzak discloses an apparatus (¶0010, “Disclosed herein are methods and apparatus for detecting malicious re-training of an anomaly detection system…”) comprising: one or more machine learning modules (¶0021, “…In some cases, a malicious offender may be aware of machine learning or other artificial intelligence modules in a security system and, as a part of a planned attack, may influence these modules in a way that an anomaly will not be correctly identified…”), stored within one or more non-transitory computer-readable mediums (¶0087, “an embodiment can be implemented as a computer-readable storage medium having computer-readable code stored thereon for programming a computer (e.g., comprising a processor) to perform a method as described and claimed herein. Examples of such computer-readable storage mediums include, but are not limited to, a hard disk, a CD-ROM, an optical storage device, a magnetic storage device…”), (¶0030, “The anomaly detection model training repository 115 may store machine-learning models used by machine-learning-based analysis engine 110 in performing anomaly detection, referred to herein as anomaly detection models, at various points in time…”), trained on a normal behavior of entities associated with a network and interactions between the entities (¶0050, “…new generation intrusion detection and prevention security systems may perform analytics continuously on user behavior and may apply adaptive machine learning based on user behavior patterns. A specific branch of such security systems deals with User and Entity Behavior Analytics solutions (UEBA). A typical scenario for a UEBA system may involve detection of compromised user accounts based on the behavioral analytics of a user's historical activities compared to the activity of an attacker in possession of the credentials associated with a legitimate user. The analytics behind UEBA systems may include supervised and unsupervised adaptive learning techniques aimed at dynamically building behavioral models of legitimate users. To detect malicious activity, the UEBA system analytics may, for each user session, continuously calculate a “deviation score” through a comparison of current user behavior and a historical user behavioral model for the user…”); and
an interface configured to receive a signal from an external apparatus to request and trigger an artificial intelligence based analyst investigation (¶0041-¶0042, “input/output device interfaces 245 may operate to allow machine-learning-based analysis engine 110 to receive user input, such as commands and other information usable to configure machine-learning-based analysis engine 110 for detecting anomalies based on inputs received from monitoring devices 105, or to initiate an audit of the anomaly detection process, as described in more detail below…”), (¶0012, “The machine-learning-based analysis engine includes an interface through which the machine-learning-based analysis engine receives inputs from the first monitoring device, a processor, and a memory storing program instructions. When executed by the processor, the program instructions cause the processor to perform receiving, via the interface, a first input captured by the first monitoring device, determining, based on a first anomaly detection model of the plurality of anomaly detection models, that the first input represents an object or event that should not be classified as an anomaly,…”)
and thus, trigger an autonomous response from an autonomous response module to mitigate the threat (¶0021, “security systems are increasingly utilizing machine learning techniques for automatically identifying anomalies and triggering corresponding alerts…”), (¶0078 “…As described herein, modifications may be made to the anomaly detection model or to the analysis engine in response to the detection of a malicious re-training of the anomaly detection system may improve the accuracy of the anomaly detection system and may make the anomaly detection system less susceptible to malicious re-training…”), (¶0027, “…If the analysis indicates that it is likely that a malicious re-training has taken place, actions may be taken to correctly classify the scenario as an anomaly and to trigger one or more alerts.”), see also ¶0060, FIG. 3,
wherein the interface is configured to operate with the analyzer module, corresponding to hardware or software stored within the one or more non-transitory computer-readable mediums and executable by one or more processors, to cause at least the scripts trained on how to conduct the investigation (¶0039, “… In some embodiments, any or all of this information may be stored in a programmable non-volatile memory, such as in an external memory communicatively coupled to machine-learning-based analysis engine 110 through external memory interface 235. For example, in some embodiments, anomaly detection model training repository 115 may, at various times, store multiple snapshots of anomaly detection models used by machine-learning-based analysis engine 110 to determine classification results and for training of the anomaly detection system, inputs received from various monitoring devices 105, threshold values for identifying anomalies, initial classification results for various inputs, final classification results for various inputs, and/or other data accessible by program instruction 215 and used in performing the methods described herein.”, where the multiple snapshots of anomaly detection models used by machine-learning-based analysis engine 110 to determine classification results and for training of the anomaly detection system are interpreted as the claimed scripts), (¶0087, “an embodiment can be implemented as a computer-readable storage medium having computer-readable code stored thereon for programming a computer (e.g., comprising a processor) to perform a method as described and claimed herein. Examples of such computer-readable storage mediums include, but are not limited to, a hard disk, a CD-ROM, an optical storage device, a magnetic storage device, a ROM (Read Only Memory), a PROM (Programmable Read Only Memory), an EPROM (Erasable Programmable Read Only Memory), an EEPROM (Electrically Erasable Programmable Read Only Memory) and a Flash memory…”), (¶0060, FIG. 3, step 314), (claim 15).
However, Jurzak does not explicitly disclose the following limitation:
wherein the interface is configured to operate with an analyzer module, cooperating with at least scripts on how to conduct an investigation,
wherein the analyzer module is configured, in response to the received signal, to evaluate a sequential chain of causal-related low level abnormalities associated with one or more of the entities, and to determine, based on analysis of causal relationship among the abnormalities, whether to aggregate the abnormalities as one or more incidents that collectively prompt generation of a notification to a human user for possible further investigation or determination of being a threat,
wherein the autonomous response module is further configurable, via the interface, by an administrative user to specify thresholds, types, and specific actions for autonomous mitigation in response to such determined incidents.
Ronnewinkel discloses wherein the interface is configured to operate with an analyzer module, cooperating with at least scripts on how to conduct an investigation (¶0020, “…The user of the computing system 102 uses the self-service system by entering one or more search terms or search attributes to obtain assistance in solving a particular problem. The computing system 106 and/or 108 analyze these search terms or attributes to automatically access a script from the script repository 110 and sends information relating to diagnosis questions to the computing system 102 using the network connection. The computing system 102 is then capable of displaying these questions to the user in a graphical user interface (GUI)…”, wherein search terms or search attributes to obtain assistance in solving a particular problem is an informal investigation or research), (¶0033, “ FIG. 4A is a screen diagram of a window 400 in a graphical user interface (GUI) that may be used to specify one or more criteria to search for a script to be used during an interaction with a customer, according to one implementation…”),
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant’s claimed invention to modify the apparatus of Jurzak to include an interface configured to operate with scripts as disclosed by Ronnewinkel, and would have been motivated to do so in order to provide solutions to particular problems - Ronnewinkel ¶0020 in parts.
However, the combination of Jurzak and Ronnewinkel does not explicitly disclose the following limitation:
wherein the analyzer module is configured, in response to the received signal, to evaluate a sequential chain of causal-related low level abnormalities associated with one or more of the entities, and to determine, based on analysis of causal relationship among the abnormalities, whether to aggregate the abnormalities as one or more incidents that collectively prompt generation of a notification to a human user for possible further investigation or determination of being a threat,
wherein the autonomous response module is further configurable, via the interface, by an administrative user to specify thresholds, types, and specific actions for autonomous mitigation in response to such determined incidents.
Angelino discloses wherein the analyzer module is configured, in response to the received signal, to evaluate a sequential chain of causal-related low level abnormalities associated with one or more of the entities (¶0050-¶0051, “When multiple firewalls receive suspicious packets from the same IP address or network the criticality should increase. When one IP address or network repeatedly generates suspicious packet alarms, the alarm level should also be increased… By analyzing the packet(s) the monitoring administrator can determine if attack or probe activity is in progress or if equipment is malfunctioning or incompatible. Possible secondary response might be shunning the source IP address or network.”), (¶0107-¶0110, “…Network Intrusion Detection System (NIDS) are devices that monitor network traffic and generate alarm messages when they detect suspicious patterns in the content of the traffic. As each packet is read from the network, information from the packet is analyzed. The packet is evaluated in a logic tree to determine if the packet is part of a known attack sequence. This "attack sequence" is called an attack signature. The packet and the sequence containing the packet may also be evaluated against a model "normal traffic pattern" in order to detect anomalies.”), (¶0182, “… When a specific host on the network receives one attack or a series of attacks at low frequency, this could signal that careful reconnaissance is in progress. Better planned attacks are more likely to be successful…”), (¶0220, “The security infrastructure management system can aggregate, analyze and trend messages and alarms from host based intrusion detection systems to generate enterprise level intelligence. This multi host perspective can enhance the ability of administrators to detect successful or potentially successful attacks on the network infrastructure and network hosts.”), (¶0292, “An operator may then investigate the event by collecting data from disparate sources, analyzing it and making a determination. This rule facilitates rapid investigation by allowing the operator to quickly access all data relating to the event.”) and to determine, based on analysis of causal relationship among the abnormalities, whether to aggregate the abnormalities as one or more incidents that collectively prompt generation of a notification to a human user for possible further investigation or determination of being a threat (¶0116, “As new network services and systems are deployed, the aggregate network traffic changes over time. Each new service introduces new vulnerabilities into the network infrastructure.”), (¶0275, “The paradigm described herein teaches a correlation architecture which monitors security events from a number of different classes, aggregates these data, and identifies anomalies in the data…”), (¶0277, “…The rules describe the high level logic and structures that can be used to gain extra intelligence from the aggregate event stream. These rules define ways of presenting information that aid the operator in investigating security incidents, by aggregating and presenting information in a superior way.”), (¶0160, “As attack probability (AP) crosses predefined thresholds, the source network danger level changes proportionately. Advisory, warning and critical alarms can be generated for each threshold. AP can be a parameter used to indicate the threat level of new attacks when it is necessary to prioritize attack investigations.”), (¶0219, “HIDS periodically checks the contents and attributes of all "critical" system files. As program files change, because they were replaced or modified by an intruder or malicious user, the HIDS system detects the change and generates an alarm…”),
identification and prevention of cyber-threat (¶0051, “… By analyzing the packet(s) the monitoring administrator can determine if attack or probe activity is in progress or if equipment is malfunctioning or incompatible. Possible secondary response might be shunning the source IP address or network.”), (¶0119),
and
wherein the autonomous response module is further configurable, via the interface, by an administrative user to specify thresholds, types, and specific actions for autonomous mitigation in response to such determined incidents (¶0119, “…Once the attack is adequately determined, appropriate responses to the attack can be carried out such as applying a patch to avoid the network vulnerability, locking vulnerability report with the vendor, reconfiguring network routers, or reconfiguring the target system. However, the speed with which new attacks can be launched may make the administrator's task a daunting one.”), (¶0089, “…Only when that number exceeds a threshold should this be considered as a problem. However, Attacking system IPs should be kept historically. IPs should only be removed after a period of time elapses that is proportional to the number of attacks received. For example, if one attack is received from an IP address this IP could be removed after a twenty four hour period. But if one hundred attacks are received, this IP address could be removed after 3 months.”), (¶0090-¶0091, “…With this information administrators can shun or restrict access from these networks. A typical example might be to restrict a school lab network at the external network router after it has been determined to be the source of ongoing attack activity.”), (¶0176, “… Alarms can also be set as counts pass between different operator definable frequency thresholds. For sporadic traffic, thresholds can time expire to default levels (typically lower) so that short term trends do not obscure future alarms on frequency increases.”), (¶0083, “The present system uses both deterministic and non-deterministic spoofing rules. For example, one deterministic rule is to automatically deny any packet received by an external interface that has a source address indicating the internal network.”). 
See also ¶0307-¶0309 for automatic attacker identification scanning when an attack threshold is exceeded.
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant’s claimed invention to modify the apparatus of Jurzak and Ronnewinkel to include autonomous response to attacks as disclosed by Angelino, and would have been motivated to do so in order to make the apparatus of Jurzak and Ronnewinkel more efficacious by having the capability to indicate the threat level of new attacks and mitigation methods - Angelino ¶0160 in parts.
Regarding claim 11, Jurzak discloses a method for a cyber-threat defense system (¶0010, “Disclosed herein are methods and apparatus for detecting malicious re-training of an anomaly detection system…”), the method comprising:
using one or more machine learning models (¶0030, “The anomaly detection model training repository 115 may store machine-learning models used by machine-learning-based analysis engine 110 in performing anomaly detection, referred to herein as anomaly detection models, at various points in time…”) that are trained on a normal behavior of entities associated with a network and interactions between the entities (¶0050, “…new generation intrusion detection and prevention security systems may perform analytics continuously on user behavior and may apply adaptive machine learning based on user behavior patterns. A specific branch of such security systems deals with User and Entity Behavior Analytics solutions (UEBA). A typical scenario for a UEBA system may involve detection of compromised user accounts based on the behavioral analytics of a user's historical activities compared to the activity of an attacker in possession of the credentials associated with a legitimate user. The analytics behind UEBA systems may include supervised and unsupervised adaptive learning techniques aimed at dynamically building behavioral models of legitimate users. To detect malicious activity, the UEBA system analytics may, for each user session, continuously calculate a “deviation score” through a comparison of current user behavior and a historical user behavioral model for the user…”);
receiving at an interface, a signal from an external apparatus to request and trigger an artificial intelligence based analyst investigation (¶0041-¶0042, “input/output device interfaces 245 may operate to allow machine-learning-based analysis engine 110 to receive user input, such as commands and other information usable to configure machine-learning-based analysis engine 110 for detecting anomalies based on inputs received from monitoring devices 105, or to initiate an audit of the anomaly detection process, as described in more detail below…”), wherein the interface is configured to operate with an analyzer module, cooperating with at least one of (i) artificial intelligence models trained on how to conduct an investigation (¶0012, “The machine-learning-based analysis engine includes an interface through which the machine-learning-based analysis engine receives inputs from the first monitoring device, a processor, and a memory storing program instructions. When executed by the processor, the program instructions cause the processor to perform receiving, via the interface, a first input captured by the first monitoring device, determining, based on a first anomaly detection model of the plurality of anomaly detection models, that the first input represents an object or event that should not be classified as an anomaly,…”),
analyzer module configured to evaluate whether a sequential chain of causal-related low level abnormalities associated with one or more of the entities should be determined to be one or more incidents that collectively prompt generation of a notification to a human user for possible further investigation or determination of being a threat (¶0028, “unsupervised anomaly detection techniques may operate under an assumption that the majority of instances of a detected event or object, such as a behavior of a person detected in captured video, a person, vehicle, weapon, or other property or object of value or interest detected in captured video, a sequence of interactions between persons or between a person and vehicle, weapon, or other property or object of value or interest detected in captured video, a particular sound or sequence of sounds detected in an audio recording, a particular measurement or pattern of measurements detected in data captured by a sensor, or a particular log entry or sequence of log entries captured by a server or network monitoring device, in an unlabeled data set should not be classified as anomalies and may classify as anomalies those instances that appear to be outliers compared to the majority of the instances. Supervised anomaly detection techniques typically involve training a classifier, which may involve labeling elements of a training data set as representing an anomaly or as representing a normal or typical event or object…”), (¶0078, FIG. 5, “At 516, method 500 includes outputting a classification result indicating that the given input likely represents an anomaly, which may trigger an alert, and outputting an indication that malicious re-training of the anomaly detection models has likely occurred, which may trigger a further analysis of the malicious re-training event. For example, a notification may be provided to an owner of a facility, space, server, or network being protected using the anomaly detection system or to an operator or administrator of the anomaly detection system or any components thereof, such as any or all of the analysis engine, training repository, or monitoring devices…”), (¶0053, “When the score returned for scenario S is below the predetermined threshold when applying ML-Current, indicating that scenario S should not be classified as an anomaly, and the score returned for scenario S is below the predetermined threshold when applying ML-Snapshot, indicating that scenario S should be classified as an anomaly or has previously been classified as an anomaly, the system may perform a secondary analysis to determine whether the system was gradually re-trained so that ML-Current does not classify scenario S as an anomaly or to verify that the system correctly modified the threshold value over time in response to valid inputs.”); and
triggering an autonomous response from an autonomous response module to mitigate the threat (¶0021, “security systems are increasingly utilizing machine learning techniques for automatically identifying anomalies and triggering corresponding alerts…”), (¶0078 “…As described herein, modifications may be made to the anomaly detection model or to the analysis engine in response to the detection of a malicious re-training of the anomaly detection system may improve the accuracy of the anomaly detection system and may make the anomaly detection system less susceptible to malicious re-training…”), (¶0027, “…If the analysis indicates that it is likely that a malicious re-training has taken place, actions may be taken to correctly classify the scenario as an anomaly and to trigger one or more alerts.”), see also ¶0060, FIG. 3,
However, Jurzak does not explicitly disclose the following limitation:
wherein the interface is configured to operate with an analyzer module, cooperating with at least scripts on how to conduct an investigation,
wherein the autonomous response module is further configurable, via the interface, by an administrative user to specify thresholds, types, and specific actions for autonomous mitigation in response to such determined incidents.
Ronnewinkel discloses wherein the interface is configured to operate with an analyzer module, cooperating with at least scripts on how to conduct an investigation (¶0020, “…The user of the computing system 102 uses the self-service system by entering one or more search terms or search attributes to obtain assistance in solving a particular problem. The computing system 106 and/or 108 analyze these search terms or attributes to automatically access a script from the script repository 110 and sends information relating to diagnosis questions to the computing system 102 using the network connection. The computing system 102 is then capable of displaying these questions to the user in a graphical user interface (GUI)…”, wherein search terms or search attributes to obtain assistance in solving a particular problem is an informal investigation or research), (¶0033, “ FIG. 4A is a screen diagram of a window 400 in a graphical user interface (GUI) that may be used to specify one or more criteria to search for a script to be used during an interaction with a customer, according to one implementation…”),
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant’s claimed invention to modify the apparatus of Jurzak to include an interface configured to operate with scripts as disclosed by Ronnewinkel, and would have been motivated to do so in order to provide solutions to particular problems - Ronnewinkel ¶0020 in parts.
However, the combination of Jurzak and Ronnewinkel does not explicitly disclose the following limitation:
wherein the autonomous response module is further configurable, via the interface, by an administrative user to specify thresholds, types, and specific actions for autonomous mitigation in response to such determined incidents.
Angelino discloses analyzer module configured to evaluate whether a sequential chain of causal-related low level abnormalities associated with one or more of the entities should be determined to be one or more incidents that collectively prompt generation of a notification to a human user for possible further investigation or determination of being a threat (¶0050-¶0051, “When multiple firewalls receive suspicious packets from the same IP address or network the criticality should increase. When one IP address or network repeatedly generates suspicious packet alarms, the alarm level should also be increased… By analyzing the packet(s) the monitoring administrator can determine if attack or probe activity is in progress or if equipment is malfunctioning or incompatible. Possible secondary response might be shunning the source IP address or network.”), (¶0107-¶0110, “…Network Intrusion Detection System (NIDS) are devices that monitor network traffic and generate alarm messages when they detect suspicious patterns in the content of the traffic. As each packet is read from the network, information from the packet is analyzed. The packet is evaluated in a logic tree to determine if the packet is part of a known attack sequence. This "attack sequence" is called an attack signature. The packet and the sequence containing the packet may also be evaluated against a model "normal traffic pattern" in order to detect anomalies.”), (¶0182, “… When a specific host on the network receives one attack or a series of attacks at low frequency, this could signal that careful reconnaissance is in progress. Better planned attacks are more likely to be successful…”), (¶0220, “The security infrastructure management system can aggregate, analyze and trend messages and alarms from host based intrusion detection systems to generate enterprise level intelligence. This multi host perspective can enhance the ability of administrators to detect successful or potentially successful attacks on the network infrastructure and network hosts.”), (¶0292, “An operator may then investigate the event by collecting data from disparate sources, analyzing it and making a determination. This rule facilitates rapid investigation by allowing the operator to quickly access all data relating to the event.”) and to determine, based on analysis of causal relationship among the abnormalities, whether to aggregate the abnormalities as one or more incidents that collectively prompt generation of a notification to a human user for possible further investigation or determination of being a threat (¶0116, “As new network services and systems are deployed, the aggregate network traffic changes over time. Each new service introduces new vulnerabilities into the network infrastructure.”), (¶0275, “The paradigm described herein teaches a correlation architecture which monitors security events from a number of different classes, aggregates these data, and identifies anomalies in the data…”), (¶0277, “…The rules describe the high level logic and structures that can be used to gain extra intelligence from the aggregate event stream. These rules define ways of presenting information that aid the operator in investigating security incidents, by aggregating and presenting information in a superior way.”), (¶0160, “As attack probability (AP) crosses predefined thresholds, the source network danger level changes proportionately. Advisory, warning and critical alarms can be generated for each threshold. AP can be a parameter used to indicate the threat level of new attacks when it is necessary to prioritize attack investigations.”), (¶0219, “HIDS periodically checks the contents and attributes of all "critical" system files. As program files change, because they were replaced or modified by an intruder or malicious user, the HIDS system detects the change and generates an alarm…”),
identification and prevention of cyber-threat (¶0051, “… By analyzing the packet(s) the monitoring administrator can determine if attack or probe activity is in progress or if equipment is malfunctioning or incompatible. Possible secondary response might be shunning the source IP address or network.”), (¶0119),
and
wherein the autonomous response module is further configurable, via the interface, by an administrative user to specify thresholds, types, and specific actions for autonomous mitigation in response to such determined incidents (¶0119, “…Once the attack is adequately determined, appropriate responses to the attack can be carried out such as applying a patch to avoid the network vulnerability, locking vulnerability report with the vendor, reconfiguring network routers, or reconfiguring the target system. However, the speed with which new attacks can be launched may make the administrator's task a daunting one.”), (¶0089, “…Only when that number exceeds a threshold should this be considered as a problem. However, Attacking system IPs should be kept historically. IPs should only be removed after a period of time elapses that is proportional to the number of attacks received. For example, if one attack is received from an IP address this IP could be removed after a twenty four hour period. But if one hundred attacks are received, this IP address could be removed after 3 months.”), (¶0090-¶0091, “…With this information administrators can shun or restrict access from these networks. A typical example might be to restrict a school lab network at the external network router after it has been determined to be the source of ongoing attack activity.”), (¶0176, “… Alarms can also be set as counts pass between different operator definable frequency thresholds. For sporadic traffic, thresholds can time expire to default levels (typically lower) so that short term trends do not obscure future alarms on frequency increases.”), (¶0083, “The present system uses both deterministic and non-deterministic spoofing rules. For example, one deterministic rule is to automatically deny any packet received by an external interface that has a source address indicating the internal network.”). 
See also ¶0307-¶0309 for automatic attacker identification scanning when the number of attacks exceeds a threshold.
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant’s claimed invention to modify the apparatus of Jurzak and Ronnewinkel to include autonomous response to attacks as disclosed by Angelino, and would have been motivated to do so in order to make the apparatus of Jurzak and Ronnewinkel more efficacious by adding the capability to indicate the threat level of new attacks and mitigation methods (Angelino ¶0160 in part).
Regarding claim 20, Jurzak discloses a non-transitory computer-readable medium including executable instructions that, when executed with one or more processors, cause a cyber-threat defense system to perform the method of claim 11 (¶0087, “an embodiment can be implemented as a computer-readable storage medium having computer-readable code stored thereon for programming a computer (e.g., comprising a processor) to perform a method as described and claimed herein. Examples of such computer-readable storage mediums include, but are not limited to, a hard disk, a CD-ROM, an optical storage device, a magnetic storage device, a ROM (Read Only Memory), a PROM (Programmable Read Only Memory), an EPROM (Erasable Programmable Read Only Memory), an EEPROM (Electrically Erasable Programmable Read Only Memory) and a Flash memory…”);
a method for a cyber-threat defense system (¶0010, “Disclosed herein are methods and apparatus for detecting malicious re-training of an anomaly detection system…”), the method comprising:
using one or more machine learning models (¶0030, “The anomaly detection model training repository 115 may store machine-learning models used by machine-learning-based analysis engine 110 in performing anomaly detection, referred to herein as anomaly detection models, at various points in time…”) that are trained on a normal behavior of entities associated with a network and interactions between the entities (¶0050, “…new generation intrusion detection and prevention security systems may perform analytics continuously on user behavior and may apply adaptive machine learning based on user behavior patterns. A specific branch of such security systems deals with User and Entity Behavior Analytics solutions (UEBA). A typical scenario for a UEBA system may involve detection of compromised user accounts based on the behavioral analytics of a user's historical activities compared to the activity of an attacker in possession of the credentials associated with a legitimate user. The analytics behind UEBA systems may include supervised and unsupervised adaptive learning techniques aimed at dynamically building behavioral models of legitimate users. To detect malicious activity, the UEBA system analytics may, for each user session, continuously calculate a “deviation score” through a comparison of current user behavior and a historical user behavioral model for the user…”);
receiving at an interface, a signal from an external apparatus to request and trigger an artificial intelligence based analyst investigation (¶0041-¶0042, “input/output device interfaces 245 may operate to allow machine-learning-based analysis engine 110 to receive user input, such as commands and other information usable to configure machine-learning-based analysis engine 110 for detecting anomalies based on inputs received from monitoring devices 105, or to initiate an audit of the anomaly detection process, as described in more detail below…”), wherein the interface is configured to operate with an analyser module, cooperating with at least one of (i) artificial intelligence models trained on how to conduct an investigation (¶0012, “The machine-learning-based analysis engine includes an interface through which the machine-learning-based analysis engine receives inputs from the first monitoring device, a processor, and a memory storing program instructions. When executed by the processor, the program instructions cause the processor to perform receiving, via the interface, a first input captured by the first monitoring device, determining, based on a first anomaly detection model of the plurality of anomaly detection models, that the first input represents an object or event that should not be classified as an anomaly,…”),
analyzer module configured to evaluate whether a sequential chain of causal-related low level abnormalities associated with one or more of the entities should be determined to be one or more incidents that collectively prompt generation of a notification to a human user for possible further investigation or determination of being a threat (¶0028, “unsupervised anomaly detection techniques may operate under an assumption that the majority of instances of a detected event or object, such as a behavior of a person detected in captured video, a person, vehicle, weapon, or other property or object of value or interest detected in captured video, a sequence of interactions between persons or between a person and vehicle, weapon, or other property or object of value or interest detected in captured video, a particular sound or sequence of sounds detected in an audio recording, a particular measurement or pattern of measurements detected in data captured by a sensor, or a particular log entry or sequence of log entries captured by a server or network monitoring device, in an unlabeled data set should not be classified as anomalies and may classify as anomalies those instances that appear to be outliers compared to the majority of the instances. Supervised anomaly detection techniques typically involve training a classifier, which may involve labeling elements of a training data set as representing an anomaly or as representing a normal or typical event or object…”), (¶0078, FIG. 5, “At 516, method 500 includes outputting a classification result indicating that the given input likely represents an anomaly, which may trigger an alert, and outputting an indication that malicious re-training of the anomaly detection models has likely occurred, which may trigger a further analysis of the malicious re-training event. For example, a notification may be provided to an owner of a facility, space, server, or network being protected using the anomaly detection system or to an operator or administrator of the anomaly detection system or any components thereof, such as any or all of the analysis engine, training repository, or monitoring devices…”), (¶0053, “When the score returned for scenario S is below the predetermined threshold when applying ML-Current, indicating that scenario S should not be classified as an anomaly, and the score returned for scenario S is below the predetermined threshold when applying ML-Snapshot, indicating that scenario S should be classified as an anomaly or has previously been classified as an anomaly, the system may perform a secondary analysis to determine whether the system was gradually re-trained so that ML-Current does not classify scenario S as an anomaly or to verify that the system correctly modified the threshold value over time in response to valid inputs.”); and
triggering an autonomous response from an autonomous response module to mitigate the threat (¶0021, “security systems are increasingly utilizing machine learning techniques for automatically identifying anomalies and triggering corresponding alerts…”), (¶0078, “…As described herein, modifications may be made to the anomaly detection model or to the analysis engine in response to the detection of a malicious re-training of the anomaly detection system may improve the accuracy of the anomaly detection system and may make the anomaly detection system less susceptible to malicious re-training…”), (¶0027, “…If the analysis indicates that it is likely that a malicious re-training has taken place, actions may be taken to correctly classify the scenario as an anomaly and to trigger one or more alerts.”); see also ¶0060, FIG. 3.
However, Jurzak does not explicitly disclose the following limitation:
wherein the interface is configured to operate with an analyzer module, cooperating with at least scripts on how to conduct an investigation,
wherein the autonomous response module is further configurable, via the interface, by an administrative user to specify thresholds, types, and specific actions for autonomous mitigation in response to such determined incidents.
Ronnewinkel discloses wherein the interface is configured to operate with an analyzer module, cooperating with at least scripts on how to conduct an investigation (¶0020, “…The user of the computing system 102 uses the self-service system by entering one or more search terms or search attributes to obtain assistance in solving a particular problem. The computing system 106 and/or 108 analyze these search terms or attributes to automatically access a script from the script repository 110 and sends information relating to diagnosis questions to the computing system 102 using the network connection. The computing system 102 is then capable of displaying these questions to the user in a graphical user interface (GUI)…”, wherein entering search terms or search attributes to obtain assistance in solving a particular problem is an informal investigation or research), (¶0033, “FIG. 4A is a screen diagram of a window 400 in a graphical user interface (GUI) that may be used to specify one or more criteria to search for a script to be used during an interaction with a customer, according to one implementation…”).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant’s claimed invention to modify the apparatus of Jurzak to include an interface configured to operate with scripts as disclosed by Ronnewinkel, and would have been motivated to do so in order to provide solutions to particular problems (Ronnewinkel ¶0020 in part).
However, the combination of Jurzak and Ronnewinkel does not explicitly disclose the following limitation:
wherein the autonomous response module is further configurable, via the interface, by an administrative user to specify thresholds, types, and specific actions for autonomous mitigation in response to such determined incidents.
Angelino discloses analyzer module configured to evaluate whether a sequential chain of causal-related low level abnormalities associated with one or more of the entities should be determined to be one or more incidents that collectively prompt generation of a notification to a human user for possible further investigation or determination of being a threat (¶0050-¶0051, “When multiple firewalls receive suspicious packets from the same IP address or network the criticality should increase. When one IP address or network repeatedly generates suspicious packet alarms, the alarm level should also be increased… By analyzing the packet(s) the monitoring administrator can determine if attack or probe activity is in progress or if equipment is malfunctioning or incompatible. Possible secondary response might be shunning the source IP address or network.”), (¶0107-¶0110, “…Network Intrusion Detection System (NIDS) are devices that monitor network traffic and generate alarm messages when they detect suspicious patterns in the content of the traffic. As each packet is read from the network, information from the packet is analyzed. The packet is evaluated in a logic tree to determine if the packet is part of a known attack sequence. This "attack sequence" is called an attack signature. The packet and the sequence containing the packet may also be evaluated against a model "normal traffic pattern" in order to detect anomalies.”), (¶0182, “… When a specific host on the network receives one attack or a series of attacks at low frequency, this could signal that careful reconnaissance is in progress. Better planned attacks are more likely to be successful…”), (¶0220, “The security infrastructure management system can aggregate, analyze and trend messages and alarms from host based intrusion detection systems to generate enterprise level intelligence. This multi host perspective can enhance the ability of administrators to detect successful or potentially successful attacks on the network infrastructure and network hosts.”), (¶0292, “An operator may then investigate the event by collecting data from disparate sources, analyzing it and making a determination. This rule facilitates rapid investigation by allowing the operator to quickly access all data relating to the event.”) and to determine, based on analysis of causal relationship among the abnormalities, whether to aggregate the abnormalities as one or more incidents that collectively prompt generation of a notification to a human user for possible further investigation or determination of being a threat (¶0116, “As new network services and systems are deployed, the aggregate network traffic changes over time. Each new service introduces new vulnerabilities into the network infrastructure.”), (¶0275, “The paradigm described herein teaches a correlation architecture which monitors security events from a number of different classes, aggregates these data, and identifies anomalies in the data…”), (¶0277, “…The rules describe the high level logic and structures that can be used to gain extra intelligence from the aggregate event stream. These rules define ways of presenting information that aid the operator in investigating security incidents, by aggregating and presenting information in a superior way.”), (¶0160, “As attack probability (AP) crosses predefined thresholds, the source network danger level changes proportionately. Advisory, warning and critical alarms can be generated for each threshold. AP can be a parameter used to indicate the threat level of new attacks when it is necessary to prioritize attack investigations.”), (¶0219, “HIDS periodically checks the contents and attributes of all "critical" system files. As program files change, because they were replaced or modified by an intruder or malicious user, the HIDS system detects the change and generates an alarm…”),
identification and prevention of cyber-threat (¶0051, “… By analyzing the packet(s) the monitoring administrator can determine if attack or probe activity is in progress or if equipment is malfunctioning or incompatible. Possible secondary response might be shunning the source IP address or network.”), (¶0119),
and
wherein the autonomous response module is further configurable, via the interface, by an administrative user to specify thresholds, types, and specific actions for autonomous mitigation in response to such determined incidents (¶0119, “…Once the attack is adequately determined, appropriate responses to the attack can be carried out such as applying a patch to avoid the network vulnerability, locking vulnerability report with the vendor, reconfiguring network routers, or reconfiguring the target system. However, the speed with which new attacks can be launched may make the administrator's task a daunting one.”), (¶0089, “…Only when that number exceeds a threshold should this be considered as a problem. However, Attacking system IPs should be kept historically. IPs should only be removed after a period of time elapses that is proportional to the number of attacks received. For example, if one attack is received from an IP address this IP could be removed after a twenty four hour period. But if one hundred attacks are received, this IP address could be removed after 3 months.”), (¶0090-¶0091, “…With this information administrators can shun or restrict access from these networks. A typical example might be to restrict a school lab network at the external network router after it has been determined to be the source of ongoing attack activity.”), (¶0176, “… Alarms can also be set as counts pass between different operator definable frequency thresholds. For sporadic traffic, thresholds can time expire to default levels (typically lower) so that short term trends do not obscure future alarms on frequency increases.”), (¶0083, “The present system uses both deterministic and non-deterministic spoofing rules. For example, one deterministic rule is to automatically deny any packet received by an external interface that has a source address indicating the internal network.”). 
See also ¶0307-¶0309 for automatic attacker identification scanning when the number of attacks exceeds a threshold.
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant’s claimed invention to modify the apparatus of Jurzak and Ronnewinkel to include autonomous response to attacks as disclosed by Angelino, and would have been motivated to do so in order to make the apparatus of Jurzak and Ronnewinkel more efficacious by adding the capability to indicate the threat level of new attacks and mitigation methods (Angelino ¶0160 in part).
Regarding claims 2 and 12, Jurzak in view of Ronnewinkel and further in view of Angelino discloses the apparatus according to claim 1.
Jurzak further discloses wherein the signal from the external apparatus is provided by a manual user input (¶0041, “… User input may be provided, for example, via a keyboard or keypad, soft keys, icons, or soft buttons on a touch screen of a display, a smart speaker or other type of virtual assistant that provides voice input or video input based on voice recognition or gesture recognition, a scroll ball, a mouse, buttons, and the like (not shown in FIG. 2)…”).
Regarding claims 3 and 13, Jurzak in view of Ronnewinkel and further in view of Angelino discloses the apparatus according to claim 2.
Jurzak further discloses wherein the manual user input comprises investigation instructions comprising a time period to be investigated (¶0022-¶0023, “…The threshold value may, e.g., periodically, be set to the average of the classification scores observed over some time period… an anomaly detection system that triggers an alert when monitored doors are left open longer than a threshold time value may, periodically, set the threshold time period to the average of the amount of time that various monitored doors were left open during the last two days with an added 50% margin…”).
Regarding claims 4 and 14, Jurzak in view of Ronnewinkel and further in view of Angelino discloses the apparatus according to claim 1.
Angelino further discloses wherein the signal from the external apparatus is provided by a third-party threat intelligence component (¶0307-¶0309, “…AI Scanning can be done by a third party and the results distributed as service (see www.hexillion.com Online Utilities). The AI Scan is executed in real-time or near real time and transmitted back to the customer victim. Subsequently an email is sent to the AI Scan target with the attack packet and AI Scan time as a courtesy. Anyone who detects and shuns the scanning IP address is unlikely to have vulnerable systems…”).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant’s claimed invention to modify the method of Jurzak, Ronnewinkel, and Angelino to include information from a third party as disclosed by Angelino, and would have been motivated to do so in order to terminate the attack and eliminate the vulnerability through the third party (Angelino ¶0308 in part).
Claims 5 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. PGPub. No. 20230004654 to Jurzak et al. (hereinafter Jurzak) in view of U.S. PGPub. No. 20050278207 to Ronnewinkel, Christopher (hereinafter Ronnewinkel) and further in view of U.S. PGPub. No. 20040193943 to Angelino et al. (hereinafter Angelino) and further in view of U.S. PGPub. No. 20220101326 to KIM et al. (hereinafter KIM).
Regarding claims 5 and 15, Jurzak in view of Ronnewinkel and further in view of Angelino discloses the apparatus according to claim 4.
However, Jurzak in view of Ronnewinkel and further in view of Angelino does not explicitly disclose the following limitation: wherein the third party threat intelligence component provides additional data relating to behavior of the one or more entities.
KIM discloses wherein the third party threat intelligence component provides additional data relating to behavior of the one or more entities (¶0498-¶0501, “The wallet crawler system can also be further configured to crawl (obtain) other exchange wallets address that interact with a user wallet. With reference to FIG. 38E, the block chain explorer application can be used to obtain past transactions of the user wallet 3829 (having an address 0Xe4c10e1b6c0c0e in short). In this example, additional exchange wallets 3833 (having an address 0X00d7f2709c7b305 in short), and 3835 (having an address 0X2c41b8e152d8fb1 in short) are identified…”).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant’s claimed invention to modify the method of Jurzak, Ronnewinkel, and Angelino to include additional information/data relating to users (entities) as disclosed by KIM, and would have been motivated to do so in order to analyze an unknown threat reported by a user using a sandbox or distributed sandbox (KIM ¶0164 in part).
Claims 6-10 and 16-19 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. PGPub. No. 20230004654 to Jurzak et al. (hereinafter Jurzak) in view of U.S. PGPub. No. 20050278207 to Ronnewinkel, Christopher (hereinafter Ronnewinkel) and further in view of U.S. PGPub. No. 20040193943 to Angelino et al. (hereinafter Angelino) and further in view of U.S. PGPub. No. 20230370439 to Crabtree et al. (hereinafter Crabtree).
Regarding claims 6 and 16, Jurzak in view of Ronnewinkel and further in view of Angelino discloses the apparatus according to claim 1.
However, Jurzak in view of Ronnewinkel and further in view of Angelino does not explicitly disclose the following limitation:
further comprising: an analyser module configured to, in response to the determination of one or more incidents, generate a directed graph, using graph theory, to map the one or more incidents onto the graph to detect anomalies potentially indicative of cyber threats.
Crabtree discloses an analyser module configured to, in response to the determination of one or more incidents, generate a directed graph, using graph theory, to map the one or more incidents onto the graph to detect anomalies potentially indicative of cyber threats (Fig. 10, ¶0152, “…In an initial step 1001, a web crawler 115 may passively collect activity information, which may then be processed 1002 using a DCG 155 to analyze behavior patterns. Based on this initial analysis, anomalous behavior may be recognized 1003 (for example, based on a threshold of variance from an established pattern or trend) such as high-risk users or malicious software operators such as bots. These anomalous behaviors may then be used 1004 to analyze potential angles of attack and then produce 1005 security suggestions based on this second-level analysis and predictions generated by an action outcome simulation module 125 to determine the likely effects of the change. The suggested behaviors may then be automatically implemented 1006 as needed…”). See also ¶0083, ¶0120, and ¶0149, to mention a few, where graph theory and the directed computational graph are extensively disclosed.
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant’s claimed invention to modify the method of Jurzak, Ronnewinkel, and Angelino to include generating a directed graph, using graph theory, to map the one or more incidents onto the graph to detect anomalies potentially indicative of cyber threats as disclosed by Crabtree, and would have been motivated to do so in order to enable machine learning to improve operation over time as the relationship between security changes and observed behaviors and threats are observed and analyzed (Crabtree ¶0152 in part).
The examiner notes that this motivation is equally applicable to claims 7 and 17.
Regarding claims 7 and 17, Jurzak in view of Ronnewinkel and further in view of Angelino and further in view of Crabtree discloses the apparatus according to claim 6.
Crabtree further discloses wherein the directed graph comprises a plurality of nodes, each node of the plurality of nodes corresponding to a respective entity of the entities, the plurality of nodes being connected by one or more edges corresponding to the one or more incidents (¶0083).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant’s claimed invention to modify the method of Jurzak, Ronnewinkel, Angelino, and Crabtree to include the plurality of nodes being connected by one or more edges corresponding to the one or more incidents as disclosed by Crabtree, and would have been motivated to do so in order to enable machine learning to improve operation over time as the relationship between security changes and observed behaviors and threats are observed and analyzed (Crabtree ¶0152 in part).
Regarding claims 8 and 18, Jurzak in view of Ronnewinkel and further in view of Angelino and further in view of Crabtree discloses the apparatus according to claim 6.
Crabtree further discloses wherein the analyser module is further configured to group the one or more incidents into a meta of incidents representing a compromise linking entities in the network affected by the one or more incidents (¶0149-¶0151, “…Grouping engine 813 may be configured to gather and identify user interactions and related metrics, which may include volume of interaction, frequency of interaction, and the like. Grouping engine 813 may use graph stack service 145 and DCG module 155 to convert and analyze the data in graph format. The interaction data may then be used to split users 805a-n into a plurality of groups 816a-n. Groupings may be based on department, project teams, interaction frequency, and other metrics which may be user-defined…”), (Fig. 11, ¶0154, “According to the aspect, impact assessment of an attack may be measured using a DCG 155 to analyze a user account and identify its access capabilities 1101 (for example, what files, directories, devices or domains an account may have access to). This may then be used to generate 1102 an impact assessment score for the account, representing the potential risk should that account be compromised. In the event of an incident, the impact assessment score for any compromised accounts may be used to produce a “blast radius” calculation 1103, identifying exactly what resources are at risk as a result of the intrusion and where security personnel should focus their attention. To provide proactive security recommendations through a simulation module 125, simulated intrusions may be run 1104 to identify potential blast radius calculations for a variety of attacks and to determine 1105 high risk accounts or resources so that security may be improved in those key areas rather than focusing on reactive solutions”).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant’s claimed invention to modify the method of Jurzak, Ronnewinkel, Angelino, and Crabtree to include grouping the one or more incidents into a meta of incidents representing a compromise linking entities in the network affected by the one or more incidents as disclosed by Crabtree, and would have been motivated to do so in order to provide additional insight into current group dynamics so that a more accurate baseline may be established, or to provide an insight into the health and mood of users (Crabtree ¶0150 in part).
Regarding claims 9 and 19, Jurzak in view of Ronnewinkel and further in view of Angelino and further in view of Crabtree discloses the method according to claim 6.
Angelino further discloses further comprising a formatting module configured to generate a visual representation of the directed graph for display (¶0296, “View Connect correlates connections to and from a designated IP address, providing a graphical presentation of connections between internal and external IP addresses. The operator can specify an internal IP, external IP address or both, and then get a graphical presentation of what connections have been made between them.”).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant’s claimed invention to modify the method of Jurzak, Ronnewinkel, Angelino, and Crabtree to include generation of a visual representation of the directed graph for display as disclosed by Angelino, and would have been motivated to do so in order to enable the operator to obtain a meaningful and contextualized visualization of the connections between the internal and external IP addresses (Angelino ¶0296 in part).
Crabtree, in ¶0155-¶0156, also discloses this limitation.
Regarding claim 10, Jurzak in view of Ronnewinkel and further in view of Angelino discloses the apparatus according to claim 1.
However, Jurzak in view of Ronnewinkel and further in view of Angelino does not explicitly disclose the following limitation:
wherein the autonomous response module is configurable to know when the response module should take the autonomous actions to mitigate the cyber-threat when one or more incidents are worth of being determined as a cyber-threat, where the autonomous response module has an administrative tool, configurable through the interface, to set what autonomous actions the autonomous response module can take, including types of actions and specific actions the autonomous response module is capable of.
Crabtree discloses wherein the autonomous response module is configurable to know when the response module should take the autonomous actions to mitigate the cyber-threat when one or more incidents are worth of being determined as a cyber-threat, where the autonomous response module has an administrative tool, configurable through the interface, to set what autonomous actions the autonomous response module can take, including types of actions and specific actions the autonomous response module is capable of (¶0137, “…If the threat reaches a certain level 224, the device is automatically prevented from accessing the network 225, and the system administrator is notified of the potential threat, along with contextually-based, tactical recommendations for optimal response based on potential impact 226.”), (¶0138, “… If the assessment determines that the access request represents a significant threat 244, even despite the Kerberos validation of the digital signature or validation of a AO, the access request is automatically denied 245, and the system administrator is notified of the potential threat, along with contextually-based, tactical recommendations for optimal response based on potential impact 246.”), (Fig. 10, ¶0152, “…These anomalous behaviors may then be used 1004 to analyze potential angles of attack and then produce 1005 security suggestions based on this second-level analysis and predictions generated by an action outcome simulation module 125 to determine the likely effects of the change. The suggested behaviors may then be automatically implemented 1006 as needed. Passive monitoring 1001 then continues, collecting information after new security solutions are implemented 1006, enabling machine learning to improve operation over time as the relationship between security changes and observed behaviors and threats are observed and analyzed.”), (¶0166, “…At step 2309, the source or sources of the anomalous behavior is identified, and some corrective measures may be taken. For example, the offending device or user account may be automatically locked out of the network until a solution has been implemented. At step 2312, group members and system administrators may be notified. The system may utilize the various techniques discussed above to recommend a corrective action, or the system may take action automatically.”).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant’s claimed invention to modify the method of Jurzak, Ronnewinkel, and Angelino to include an autonomous response to mitigate cyber-attacks as disclosed by Crabtree, and would have been motivated to do so in order to prevent a cyber-attack from spreading across the network.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MUDASIRU K OLAEGBE whose telephone number is (571)272-2082. The examiner can normally be reached MON-FRI, 7:30AM-5:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr, can be reached at 571-272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/MUDASIRU K OLAEGBE/Examiner, Art Unit 2495
/FARID HOMAYOUNMEHR/Supervisory Patent Examiner, Art Unit 2495