DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This office Action is in response to Application 17269905 filed on 06/20/2023. Claims 1, 8, and 14 are independent claims. Claims 1-19 have been examined and are pending in this application. This Office Action is made Non-Final.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 02/19/2021 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.
Specification
The disclosure is objected to because of the following informalities: Specification Summary missing. Appropriate correction is required. See MPEP § 608.01(a).
Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.
The following is a quotation of pre-AIA 35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.
The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art. The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is invoked.
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph:
(A) the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function;
(B) the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and
(C) the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function.
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function.
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function.
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier. Such claim limitations are: “monitoring part [] monitor” recited in claims 1, 5, 8, 12, 14, and 18; “process creation part [] create” recited in claims 1, 8, and 14; “cluster assignment part [] determine” recited in claims 1, 3-4, 8, 11, 14, and 17; “access information clustering part [] accessed” recited in claims 1, 8, and 14; “access information state tracking part [] determine” recited in claims 1, 8, and 14; “ransomware detection part [] determine” recited in claims 1, 8, and 14;
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, applicant may: (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 14-19 are rejected under 35 U.S.C. 101 because as being directed to non-statutory subject matter.
Regarding claims 14, claims 14 recites “a recording medium;” The specification does not explicitly define what type of recording medium is claimed. At most, the specification does not explicitly exclude transitory/propagated medium from the claimed recording medium. Under a recent precedential opinion, the scope of the recited “recording medium” encompasses transitory media such as signals or carrier waves, where, as here the Specification does not limit the computer readable storage medium to non-transitory forms. See Ex parte Mewherter, 107 USPQ2d 1857, 1862 (PTAB 2013) (precedential) (holding recited machine-readable storage medium ineligible under § 35 U.S.C. 101 since it encompassed transitory media)). Therefore, the claims are directed to non-statutory subject matter. The Examiner respectfully suggests that the claims be amended to either “A non-transitory computer readable storage medium” or “a computer readable storage device” to make the claim statutory under 35 USC 101; (emphasis added).
Regarding Claims 15-19; Claims 15-19 are also rejected under 35 U.S.C. 101 because as being directed to non-statutory subject matter for the same reasons.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1, 8, and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Nguyen et al. (“Nguyen,” EP 3716110 A1, published 9/30/2020) in view of AGRANONIK et al. ("AGRANONIK,” US 20210406368, filed on 06/30/2020).
Regarding Claim 1;
Nguyen discloses a multiprocess clustering-based ransomware attack detection device, comprising (par 0012; each of one or more monitored computing devices is equipped with a security agent (e.g., a service or daemon process) to monitor events on that device [] perform this filtering based on behavior, permitting the detection of previously-unknown threats; par 0014; performing security analyses, e.g., for stream-analysis or malware-detection applications):
an event monitoring part configured to monitor whether a clustering event is generated in response to a process creation request and information access (par 0016; monitored computing device and can include detecting an event, e.g., an action of interest (Aol), committed or triggered by an object (i.e., a function, module, process, or thread) executed by the monitored computing device; par 0070; detect activity at monitored computing device 104 and determine corresponding event record(s) 240. Examples of detection are discussed below. In some examples, communications module 232 can transmit event record(s) 240 determined by detection module 224, e.g., to cluster);
a process creation part configured to create a process when the clustering event is generated in response to the process creation request (par 0016; monitored computing device and can include detecting an event, e.g., an action of interest (Aol), committed or triggered by an object (i.e., a function, module, process, or thread) executed by the monitored computing device; par 0070; detect activity at monitored computing device 104 and determine corresponding event record(s) 240. Examples of detection are discussed below. In some examples, communications module 232 can transmit event record(s) 240 determined by detection module 224, e.g., to cluster);
a cluster assignment part configured to determine whether the created process is a parent process, and to assign an unused cluster identification (ID) when the created process is the parent process or assign a cluster ID assigned to the parent process of the created process when the created process is not the parent process, and to cluster processes related to a cluster having the cluster ID (par 0115; monitored computing device 104 sends event records 240 to cluster 106 representing process-launch sub-events [] a process ID (PID) of the launched process, and a process ID (PPID) of the parent of the launched process. Cluster 106 uses the PID and PPID to record relation 45 ships between processes. Cluster 106 can receive a process-launch sub-event and determine the number of processes in the chain beginning with the launched process and ending with the root process; par 0132; Event 302 can be associated with a first cluster identifier 330, and event 304 can be associated with a second cluster identifier);
an access information clustering part configured to cluster information accessed by any process of the cluster, and to add the information to an information set for the cluster (par 0115; a process ID of the parent of the launched process. Cluster 106 uses the PID and PPID to record relation 45 ships between processes. Cluster 106 can receive a process-launch sub-event and determine the number of processes in the chain beginning with the launched process and ending with the root process; par 0097; computing device(s) 102 can add data to an event or trigger additional event(s) based on the event data received from monitored computing device(s));
an access information state tracking part configured to determine whether any process among the processes clustered for the cluster accesses the information within the cluster, to detect access to the information by the any process as generation of inspection target information, and to obtain an information change count and an information damage count of the cluster related to the detected inspection target information (par 0115; a process ID of the parent of the launched process. Cluster 106 uses the PID and PPID to record relation 45 ships between processes. Cluster 106 can receive a process-launch sub-event and determine the number of processes in the chain beginning with the launched process and ending with the root process; par 0132; Event 302 can be associated with a first cluster identifier 330, and event 304 can be associated with a second cluster identifier; par 0133; the security subsystem 250 can determine that the first event 302 is associated with a security violation based at least in part on the first cluster identifier 330 matching the second cluster identifier 332, i.e., that first event 302 is in the same cluster [i.e., in parent process, the second cluster identifier number should be larger than first cluster identifier number. If the identifier number is the same, then the count either changed or damage] as dirty second event); and
a ransomware detection part configured to determine the process as ransomware when the information change count and the information damage count and to exit the processes of the cluster into which the process is clustered (par 0115; fig. 3; a process ID of the parent of the launched process; par 0133; the security subsystem 250 can determine that the first event 302 is associated with a security violation based at least in part on the first cluster identifier 330 matching the second cluster identifier 332, i.e., that first event 302 is in the same cluster as dirty second event [i.e., in parent process, the second cluster identifier number should be larger than first cluster identifier number. If the identifier number is the same, then the count either changed or damage]; par 0016; detect that an event is related to a security violation based at least in part on analyzing command lines associated with that event [] blocking an object associated with the event).
Nguyen discloses information change count and the information damage count as recited above, but do not explicitly disclose count exceed respective threshold values.
However, in an analogous art, AGRANONIK discloses threat detection system/method that includes:
count exceed respective threshold values (AGRANONIK: par 0034; a sequence of events is generated based on the parent and child relationships of the process data [] compares the output from scoring model to an alert threshold to determine whether the alert threshold is exceeded (or satisfied). Based on whether the alert threshold is exceeded, an alert sent to another client, machine, computer, application programming interface, and/or system indicating that the data analyzed is potentially malicious).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of AGRANONIK with the method/system of Nguyen to include count exceed respective threshold values. One would have been motivated to train deep learning model that takes a sequence of ordered signals as input to generate a score that indicates whether the sequence is malicious or benign. Initially, process data is collected from a client. After the data is collected, a virtual process tree is generated based on parent and child relationships associated with the process data (AGRANONIK: abstract).
Regarding Claim 8;
This Claim recites a method that perform the same steps as device of Claim 1, and has limitations that are similar to Claim 1, thus are rejected with the same rationale applied against claim 1.
Regarding Claim 14;
This Claim recites a recording medium that perform the same steps as device of Claim 1, and has limitations that are similar to Claim 1, thus are rejected with the same rationale applied against claim 1.
Claims 2-7, 9-13, and 15-19 are rejected under 35 U.S.C. 103 as being unpatentable over Nguyen et al. (EP 3716110 A1) in view of AGRANONIK et al. (US 20210406368), and further in view of ZHU et al. (“ZHU,” CN 110598410 A, published on 12/20/2019).
Regarding Claim 2;
The combination of Nguyen and AGRANONIK disclose the device of claim 1,
Nguyen discloses an initialization part configured to initialize, when a system starts, cluster IDs of an initial process and a daemon process and a service process created by the initial process (Nguyen: par 0115; a process ID of the parent of the launched process. Cluster 106 uses the PID and PPID to record relation 45 ships between processes [] with the root process; par 0132; Event 302 can be associated with a first cluster identifier 330, and event 304 can be associated with a second cluster identifier).
The combination of Nguyen and AGRANONIK disclose service process created by the initial process as recited above, but do not explicitly disclose initial process to 0, to initialize an unused cluster set (FreeC) so that the unused cluster set includes all cluster IDs except only a cluster ID of 0, and to initialize a used cluster set (AssignedC) so that the used cluster set includes only the cluster ID of 0.
However, in an analogous art, ZHU discloses determining method of the malicious process system/method that includes:
initial process to 0, to initialize an unused cluster set (FreeC) so that the unused cluster set includes all cluster IDs except only a cluster ID of 0, and to initialize a used cluster set (AssignedC) so that the used cluster set includes only the cluster ID of 0 (ZHU: page 5, par 6; parent process indication information may be the parent process identifier PID, wherein the parent process is a call process function to create a certain process creating process. sub-process of the process may be referred to as a parent process; page 7; par 6; process the preset is the process A and the process D, then the malicious value of process sequence may be from initial 0 server is updated to 1, if assuming preset of the malicious process is process A and process B and process C and process D, then the malicious value of process sequence may be server is updated to 2 by the initial value 0. wherein the malicious process in the first process may be a normal process).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of ZHU with the method/system of Nguyen and AGRANONIK to include initial process to 0, to initialize an unused cluster set (FreeC) so that the unused cluster set includes all cluster IDs except only a cluster ID of 0, and to initialize a used cluster set (AssignedC) so that the used cluster set includes only the cluster ID of 0. One would have been motivated to parent process corresponding to the indication information and process based on process of ordering operation instruction information to process to obtain the process sequence after ordering (ZHU: abstract).
Regarding Claim 3;
The combination of Nguyen and AGRANONIK the device of claim 1,
Nguyen discloses wherein the cluster assignment part is configured to obtain and assign the cluster ID following a latest assigned cluster ID in an unused cluster set when the cluster ID of the parent process of the created process, and assign the cluster ID to the created process, and add the created process to a cluster set having the cluster ID to cluster the created process and the processes related thereto into one cluster (Nguyen: par 0115; fig. 9; a process ID of the parent of the launched process. Cluster 106 uses the PID and PPID to record relation 45 ships between processes [] with the root process; par 0132; Event 302 can be associated with a first cluster identifier 330, and event 304 can be associated with a second cluster identifier; par 0208; the clustering subsystem 248 can cluster the events 906 of the plurality 908 of events based at least in part on the plurality of event vectors 914 to assign each event 906(k) to a cluster 932(c) of a plurality of clusters 932(1 )-932(C)).
The combination of Nguyen and AGRANONIK disclose assigned cluster ID in an unused cluster set when the cluster ID of the parent process of the created as recited above, but do not explicitly disclose the parent process of the created process is 0, or obtain the cluster ID of the parent process when the cluster ID of the parent process is not 0.
However, in an analogous art, ZHU discloses determining method of the malicious process system/method that includes:
the parent process of the created process is 0, or obtain the cluster ID of the parent process when the cluster ID of the parent process is not 0 (ZHU: page 5, par 6; parent process indication information may be the parent process identifier PID, wherein the parent process is a call process function to create a certain process creating process. sub-process of the process may be referred to as a parent process; page 7; par 6; process the preset is the process A and the process D, then the malicious value of process sequence may be from initial 0 server is updated to 1, if assuming preset of the malicious process is process A and process B and process C and process D, then the malicious value of process sequence may be server is updated to 2 by the initial value 0. wherein the malicious process in the first process may be a normal process).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of ZHU with the method/system of Nguyen and AGRANONIK to include the parent process of the created process is 0, or obtain the cluster ID of the parent process when the cluster ID of the parent process is not 0. One would have been motivated to parent process corresponding to the indication information and process based on process of ordering operation instruction information to process to obtain the process sequence after ordering (ZHU: abstract).
Regarding Claim 4;
The combination of Nguyen, AGRANONIK, and ZHU disclose the device of claim 3,
Nguyen wherein the cluster assignment part is configured to calculate a unique cluster ID value to be used, by performing modular arithmetic on a sum of a latest cluster ID value and an incremental value (A) when the cluster ID of the parent process is 0 (Nguyen: par 0115; fig. 9; a process ID of the parent of the launched process. Cluster 106 uses the PID and PPID to record relation 45 ships between processes [] with the root process; par 0208; the clustering subsystem 248 can cluster the events 906 of the plurality 908 of events based at least in part on the plurality of event vectors 914 to assign each event 906(k) to a cluster 932(c) of a plurality of clusters 932(1 )-932(C)).
ZHU further discloses cluster ID of the parent process is 0 (ZHU: page 5, par 6; parent process indication information may be the parent process identifier PID, wherein the parent process is a call process function to create a certain process creating process. sub-process of the process may be referred to as a parent process; page 7; par 6; process the preset is the process A and the process D, then the malicious value of process sequence may be from initial 0).
The motivation is the same that of claim 3 above.
Regarding Claim 5;
The combination of Nguyen, AGRANONIK, and ZHU disclose the device of claim 3,
Nguyen discloses wherein the access information clustering part comprises: a process access information acquisition part configured to acquire information accessed when access to the information is generated by any process in the cluster set having the cluster ID through the event monitoring part (Nguyen: par 0216; the security subsystem 250 or interface module 230 can associate each event 906 of the first cluster 932(C) (determined at operation 934) of events with the tag 938 (a "tagging" operation). For example, event records 112 associated with the event 906 of the first cluster 932(C) can be modified or updated to include data of the tag); and an access information cluster addition part configured to add the acquired information to a cluster information set for the cluster ID (Nguyen: par 0115;; a process ID of the parent of the launched process. Cluster 106 uses the PID and PPID to record relation 45 ships between processes [] with the root process; par 0132; Event 302 can be associated with a first cluster identifier 330, and event 304 can be associated with a second cluster identifier; par 0208; the clustering subsystem 248 can cluster the events 906 of the plurality 908 of events based at least in part on the plurality of event vectors 914 to assign each event 906(k) to a cluster 932(c) of a plurality of clusters 932(1 )-932(C); par 0216; the security subsystem 250 or interface module 230 can associate each event 906 of the first cluster 932(C) (determined at operation 934) of events with the tag 938 (a "tagging" operation). For example, event records 112 associated with the event 906 of the first cluster 932(C) can be modified or updated to include data of the tag).
Regarding Claim 6;
The combination of Nguyen, AGRANONIK, and ZHU disclose the device of claim 5,
Nguyen discloses wherein the access information state tracking part comprises: an inspection target determination part configured to determine whether any process among the processes clustered for the cluster accesses information within the cluster, and to detect access to the information by another process as generation of inspection target information (Nguyen: par 0115;; a process ID of the parent of the launched process. Cluster 106 uses the PID and PPID to record relation 45 ships between processes [] with the root process; par 0216; the first cluster 932(C) (determined at operation 934) of events with the tag 938 (a "tagging" operation). For example, event records 112 associated with the event 906 of the first cluster 932(C) can be modified or updated to include data of the tag; par 0133; the security subsystem 250 can determine that the first event 302 is associated with a security violation based at least in part on the first cluster identifier 330 matching the second cluster identifier 332, i.e., that first event 302 is in the same cluster as dirty second event); an information change tracking part configured to obtain, when generation of the inspection target information is detected, the information change count of the inspection target information for the processes of the cluster into which the process that has generated the inspection target information is clustered (Nguyen: par 0115;; a process ID of the parent of the launched process. Cluster 106 uses the PID and PPID to record relation 45 ships between processes [] with the root process; par 0133; the security subsystem 250 can determine that the first event 302 is associated with a security violation based at least in part on the first cluster identifier 330 matching the second cluster identifier 332, i.e., that first event 302 is in the same cluster as dirty second event); and an information damage tracking part configured to obtain the information damage count of the inspection target information for the processes of the cluster (Nguyen: par 0115;; a process ID of the parent of the launched process. Cluster 106 uses the PID and PPID to record relation 45 ships between processes [] with the root process; par 0133; the security subsystem 250 can determine that the first event 302 is associated with a security violation based at least in part on the first cluster identifier 330 matching the second cluster identifier 332, i.e., that first event 302 is in the same cluster as dirty second event).
Regarding Claim 7;
The combination of Nguyen, AGRANONIK, and ZHU the device of claim 6,
Nguyen discloses wherein the information is data and a file (Nguyen: par 0007; determining whether a session is associated with a security violation based on data from multiple events).
Regarding Claim 9;
This Claim recites a method that perform the same steps as device of Claim 2, and has limitations that are similar to Claim 2, thus are rejected with the same rationale applied against claim 2.
Regarding Claim 10;
The combination of Nguyen, AGRANONIK, and ZHU disclose the method of claim 9,
wherein the cluster assignment stage comprises: determining, in a parent process existence determination step, whether the parent process of the created process exists (Nguyen: par 0115; monitored computing device 104 sends event records 240 to cluster 106 representing process-launch sub-events [] a process ID (PID) of the launched process, and a process ID (PPID) of the parent of the launched process. Cluster 106 uses the PID and PPID to record relation 45 ships between processes. Cluster 106 can receive a process-launch sub-event and determine the number of processes in the chain beginning with the launched process and ending with the root process); obtaining and assigning, in a new cluster assignment step, the cluster ID following a latest assigned cluster ID in the unused cluster set when the parent process does not exist (Nguyen: par 0115; monitored computing device 104 sends event records 240 to cluster 106 representing process-launch sub-events [] a process ID (PID) of the launched process, and a process ID (PPID) of the parent of the launched process. Cluster 106 uses the PID and PPID to record relation 45 ships between processes. Cluster 106 can receive a process-launch sub-event and determine the number of processes in the chain beginning with the launched process and ending with the root process; par 0132; Event 302 can be associated with a first cluster identifier 330, and event 304 can be associated with a second cluster identifier); obtaining, in a parent process cluster assignment step, the cluster ID of the parent process when the parent process of the created process exists, and assigning the cluster ID of the parent process to the created process (Nguyen: par 0115; fig. 9; a process ID of the parent of the launched process. Cluster 106 uses the PID and PPID to record relation 45 ships between processes [] with the root process; par 0132; Event 302 can be associated with a first cluster identifier 330, and event 304 can be associated with a second cluster identifier; par 0208; the clustering subsystem 248 can cluster the events 906 of the plurality 908 of events based at least in part on the plurality of event vectors 914 to assign each event 906(k) to a cluster 932(c) of a plurality of clusters 932(1 )-932(C)); and adding, in a process clustering step after assignment of the cluster, the created process to a cluster set having the cluster ID, and clustering the created process and the processes related thereto (Nguyen: par 0115; monitored computing device 104 sends event records 240 to cluster 106 representing process-launch sub-events [] a process ID (PID) of the launched process, and a process ID (PPID) of the parent of the launched process. Cluster 106 uses the PID and PPID to record relation 45 ships between processes. Cluster 106 can receive a process-launch sub-event and determine the number of processes in the chain beginning with the launched process and ending with the root process; par 0132; Event 302 can be associated with a first cluster identifier 330, and event 304 can be associated with a second cluster identifier; 0208; the clustering subsystem 248 can cluster the events 906 of the plurality 908 of events based at least in part on the plurality of event vectors 914 to assign each event 906(k) to a cluster 932(c) of a plurality of clusters 932(1 )-932(C)).
Regarding Claim 11;
This Claim recites a method that perform the same steps as device of Claim 4, and has limitations that are similar to Claim 4, thus are rejected with the same rationale applied against claim 4.
Regarding Claim 12;
This Claim recites a method that perform the same steps as device of Claim 5, and has limitations that are similar to Claim 5, thus are rejected with the same rationale applied against claim 5.
Regarding Claim 13;
This Claim recites a method that perform the same steps as device of Claim 6, and has limitations that are similar to Claim 6, thus are rejected with the same rationale applied against claim 6.
Regarding Claim 15;
This Claim recites a recording medium that perform the same steps as method of Claim 9, and has limitations that are similar to Claim 9, thus are rejected with the same rationale applied against claim 9.
Regarding Claim 16;
The combination of Nguyen, AGRANONIK, and ZHU disclose The recording medium of claim 15,
Nguyen discloses wherein the cluster assignment stage comprises: obtaining, in a parent process cluster ID acquisition step, the cluster ID of the parent process of the created process (par 0115; monitored computing device 104 sends event records 240 to cluster 106 representing process-launch sub-events [] a process ID (PID) of the launched process, and a process ID (PPID) of the parent of the launched process. Cluster 106 uses the PID and PPID to record relation 45 ships between processes. Cluster 106 can receive a process-launch sub-event and determine the number of processes in the chain beginning with the launched process and ending with the root process; par 0132; Event 302 can be associated with a first cluster identifier 330, and event 304 can be associated with a second cluster identifier); obtaining and assigning, in a new cluster assignment step, the cluster ID following a latest assigned cluster ID in the unused cluster set (par 0115; monitored computing device 104 sends event records 240 to cluster 106 representing process-launch sub-events [] a process ID (PID) of the launched process, and a process ID (PPID) of the parent of the launched process. Cluster 106 uses the PID and PPID to record relation 45 ships between processes. Cluster 106 can receive a process-launch sub-event and determine the number of processes in the chain beginning with the launched process and ending with the root process; par 0132; Event 302 can be associated with a first cluster identifier 330, and event 304 can be associated with a second cluster identifier); assigning, in a parent process cluster assignment step, the cluster ID of the parent process to the created process (par 0115; monitored computing device 104 sends event records 240 to cluster 106 representing process-launch sub-events [] a process ID (PID) of the launched process, and a process ID (PPID) of the parent of the launched process. Cluster 106 uses the PID and PPID to record relation 45 ships between processes. Cluster 106 can receive a process-launch sub-event and determine the number of processes in the chain beginning with the launched process and ending with the root process; par 0132; Event 302 can be associated with a first cluster identifier 330, and event 304 can be associated with a second cluster identifier); and adding, in a process clustering step after assignment of the cluster, the created process to a cluster set having the cluster ID, and clustering the created process and the processes related thereto (par 0115; monitored computing device 104 sends event records 240 to cluster 106 representing process-launch sub-events [] a process ID (PID) of the launched process, and a process ID (PPID) of the parent of the launched process. Cluster 106 uses the PID and PPID to record relation 45 ships between processes. Cluster 106 can receive a process-launch sub-event and determine the number of processes in the chain beginning with the launched process and ending with the root process; par 0132; Event 302 can be associated with a first cluster identifier 330, and event 304 can be associated with a second cluster identifier; ; par 0208; the clustering subsystem 248 can cluster the events 906 of the plurality 908 of events based at least in part on the plurality of event vectors 914 to assign each event 906(k) to a cluster 932(c) of a plurality of clusters 932(1 )-932(C)).
ZHU further discloses when the cluster ID of the parent process is 0 (ZHU: page 5, par 6; parent process indication information may be the parent process identifier PID, wherein the parent process is a call process function to create a certain process creating process. sub-process of the process may be referred to as a parent process; page 7; par 6; process the preset is the process A and the process D, then the malicious value of process sequence may be from initial 0 server is updated to 1, if assuming preset of the malicious process is process A and process B and process C and process D, then the malicious value of process sequence may be server is updated to 2 by the initial value 0. wherein the malicious process in the first process may be a normal process); when the cluster ID of the parent process of the created process is not 0 (ZHU: page 5, par 6; parent process indication information may be the parent process identifier PID, wherein the parent process is a call process function to create a certain process creating process. sub-process of the process may be referred to as a parent process; page 7; par 6; process the preset is the process A and the process D, then the malicious value of process sequence may be from initial 0 server is updated to 1, if assuming preset of the malicious process is process A and process B and process C and process D, then the malicious value of process sequence may be server is updated to 2 by the initial value 0. wherein the malicious process in the first process may be a normal process).
The motivation is the same that of claim 15 above.
Regarding Claim 17;
This Claim recites a recording medium that perform the same steps as method of Claim 11, and has limitations that are similar to Claim 11, thus are rejected with the same rationale applied against claim 11
Regarding Claim 18;
This Claim recites a recording medium that perform the same steps as method of Claim 12, and has limitations that are similar to Claim 12, thus are rejected with the same rationale applied against claim 12.
.
Regarding Claim 19;
This Claim recites a recording medium that perform the same steps as method of Claim 13, and has limitations that are similar to Claim 13, thus are rejected with the same rationale applied against claim 13.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHAO WANG whose telephone number is (313)446-6644. The examiner can normally be reached on Monday-Friday 7:30-4:30PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on (571)270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/C.W./Examiner, Art Unit 2439
/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439