NON-FINAL REJECTION, FIRST DETAILED ACTION
Procedural History and Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
The application was filed in the Office on January 6, 2022 and claims priority to provisional application 63/135,583 filed on Jan. 9, 2021.
Claims 1-20 are pending and are rejected in this action.
Status of Claims
Claims 1-20 are pending and presented for examination, of which claims 1 and 13 are in independent form.
Claims 1-7, 13-19 are rejected under 35 U.S.C. 103 as being unpatentable over Muddu et al., (“Muddu”), United States Patent Application Publication 2018/0367551, published Sept. 26, 2019 in view of Krishnamoorthy et al., (“Krishnamoorthy”), United States Patent Application Publication 2017/0201933, published July 13, 2017.
Claims 8, 10-12 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Muddu et al., (“Muddu”), United States Patent Application Publication 2018/0367551, published Sept. 26, 2019 in view of Krishnamoorthy et al., (“Krishnamoorthy”), United States Patent Application Publication 2017/0201933, published July 13, 2017 in further view of Ferguson et al., (“Ferguson”), United States Patent Application Publication 2017/0230391, published Aug. 10, 2017.
Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Muddu et al., (“Muddu”), United States Patent Application Publication 2018/0367551, published Sept. 26, 2019 in view of Krishnamoorthy et al., (“Krishnamoorthy”), United States Patent Application Publication 2017/0201933, published July 13, 2017 in further view of Ferguson et al., (“Ferguson”), United States Patent Application Publication 2017/0230391, published Aug. 10, 2017 in further view of Marck et al. (“Marck”), United States Patent Application Publication 2013/0291107, published Oct. 31, 2013.
Claim Interpretation: Term Definitions, Examples
For convenience, as Applicant may be their own lexicographer, certain terms are noted here for:
[0025] The "scale" of a state of a service at a particular time (or during a particular interval of time) may, for example, represent a range (e.g., maximum range) of time over which the SSDE 406 evaluated the service's state to identify that state.
[0020] The SSDE 406 also includes a Periodicity Engine 420 and a Continuity Engine 422, which are examples of "detection engines," as that term is used herein.
[0038] If the Periodicity Engine 420 has produced state/scale data indicating that a service repeatedly occurs at a certain frequency, but the Learning Engine 424 has not found sufficient evidence that this pattern is persistent over time (e.g., over at least some minimum amount of time), then the SSDE 406 transitions into a "Continuous" supervised state 214 and assigns the Continuous state 214 to the service. Unlike a Periodic service, a Continuous service does not exhibit strong evidence of a neat, predictable pattern over time.
[0054] As described above, after collecting sufficient data, the SSDE transitions to the learning state where it begins to make use of the Periodicity Engine 420 and Continuity Engine 308 to characterize the service. In each run, the SSDE uses these engines to determine whether the service exhibits periodicity or continuity, along with the frequency or scale at which it is occurring. The SSDE's Learning Engine then checks this historical output 312 for persistence. If the SSDE repeatedly finds Periodicity or Continuity at a consistent scale, then the SSDE categorizes the service as Periodic or Continuous. If the SSDE repeatedly finds Periodicity or Continuity, but not at a consistent scale, then the SSDE characterizes the service as Continuous but Random. Finally, if the SSDE fails to find consistent Periodicity or Continuity, the SSDE will characterize the service as Non-Periodic or Non-Continuous. The Learning Engine runs over a historical dataset 312, H, of state and scale pairs, determined by the Periodicity Engine 420 and Continuity Engine 308. The Learning Engine also takes into account the current state and scale of a service … (the subsequent paragraphs describe how the consistency is determined).
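The decision procedure quoted in [0054], together with the binary sequence of claim 1 step (3), can be sketched as follows. This is an added illustration, not code from the application or from any cited reference; the function names, the 60-second bins, and the density and gap tests standing in for the Continuity and Periodicity Engines are assumptions, as are the constructed sample flows.

```python
from collections import Counter
from statistics import median

NONE = ("None", None)

def to_binary(timestamps, start, end, bin_s=60):
    """Presence (1) or absence (0) of service activity per time bin."""
    bits = [0] * ((end - start) // bin_s)
    for t in timestamps:
        if start <= t < end:
            bits[(t - start) // bin_s] = 1
    return bits

def longest_run(bits):
    """Length of the longest unbroken run of active bins."""
    best = cur = 0
    for b in bits:
        cur = cur + 1 if b else 0
        best = max(best, cur)
    return best

def candidate(bits, min_active=4, dense=0.9, jitter=1):
    """One detection run over one interval -> candidate (state, scale).
    Assumed tests, not the application's: Continuous if >= 90% of bins are
    active (scale = longest active run); Periodic if every gap between
    active bins is within `jitter` bins of the median gap (scale = period)."""
    active = [i for i, b in enumerate(bits) if b]
    if len(active) < min_active:
        return NONE
    if len(active) >= dense * len(bits):
        return ("Continuous", longest_run(bits))
    gaps = [b - a for a, b in zip(active, active[1:])]
    period = median(gaps)
    if all(abs(g - period) <= jitter for g in gaps):
        return ("Periodic", round(period))
    return NONE

def persistent_state(history, min_runs=3, tol=1):
    """Learning-engine decision over the historical (state, scale) pairs H."""
    found = [(s, sc) for s, sc in history if s != "None"]
    if len(found) < min_runs:
        return "Non-Periodic or Non-Continuous"
    state, votes = Counter(s for s, _ in found).most_common(1)[0]
    scales = [sc for s, sc in found if s == state]
    # Assumption: a history that mixes both states counts as inconsistent.
    if votes == len(found) and max(scales) - min(scales) <= tol:
        return state                      # same state, consistent scale
    return "Continuous but Random"        # pattern repeats, scale drifts

def characterize(timestamps, hours, bin_s=60):
    """Run the detection step once per hour, then the learning step."""
    history = [candidate(to_binary(timestamps, h * 3600, (h + 1) * 3600, bin_s))
               for h in range(hours)]
    return persistent_state(history), history

# Constructed sample flows (seconds since start of capture), 6 hours each.
BEACON = [k * 300 + (k * 7) % 20 for k in range(72)]       # every 5 min, small jitter
DRIFTING = [h * 3600 + k * p * 60                          # period changes each hour
            for h, p in enumerate([5, 7, 3, 10, 4, 6])
            for k in range(60 // p)]
SPORADIC = [120, 4000, 9100, 15000, 20500]                 # a few stray flows

if __name__ == "__main__":
    for name, ts in [("beacon", BEACON), ("drifting", DRIFTING), ("sporadic", SPORADIC)]:
        print(name, characterize(ts, 6)[0])
```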
Objection
The use of the term Netflow, which is a trade name or a mark used in commerce, has been noted in this application. The term should be accompanied by the generic terminology; furthermore, the term should be capitalized wherever it appears or, where appropriate, include a proper symbol indicating use in commerce such as ™, SM, or ® following the term.
Although the use of trade names and marks used in commerce (i.e., trademarks, service marks, certification marks, and collective marks) are permissible in patent applications, the proprietary nature of the marks should be respected and every effort made to prevent their use in any manner which might adversely affect their validity as commercial marks.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
A.
Claims 1-7, 13-19 are rejected under 35 U.S.C. 103 as being unpatentable over Muddu et al., (“Muddu”), United States Patent Application Publication 2018/0367551, published Sept. 26, 2019 in view of Krishnamoorthy et al., (“Krishnamoorthy”), United States Patent Application Publication 2017/0201933, published July 13, 2017.
As to Claim 1, Muddu teaches: A method performed by at least one computer processor executing computer program instructions stored on at least one non-transitory computer-readable medium, the method comprising:
(1) collecting service data from a service (Muddu: pars. 0147-48, event data corresponding to network activity is collected);
(2) generating, based on the service data, a model of the service (Muddu: par. 0233, if the model is in a training phase, the event data that is received may be used to update the model);
(4) generating, based on the model of the service, a state-scale dataset comprising, for each of a plurality of time intervals, data representing a candidate state of the service during that time interval and a candidate scale of the service during that time interval (Muddu: par. 0233, as an example an authentication event and a period of time that the user is logged in is an example of a data point along with others that are then considered as part of the dataset);
(5) using a learning engine to generate, based on the state-scale dataset, a persistent state and scale of the service (Muddu: par. 0233-34, the state and scale of the event is saved as part of the training).
Muddu may not explicitly teach: (3) generating, based on the service data, binary sequence data representing, for each of a plurality of times, the presence or absence of activity of the service at that time;
(4) generating, based on the binary sequence data and the model of the service, a state-scale dataset comprising, for each of a plurality of time intervals, data representing a candidate state of the service during that time interval and a candidate scale of the service during that time interval.
Krishnamoorthy teaches in general concepts related to sharing network feedback information (Krishnamoorthy: Abstract). Specifically, Krishnamoorthy teaches that radio link failure feedback information may be generated for a network (Krishnamoorthy: par. 0052, at step [420]). This information may be mapped and generated into one or more binary sequences representing the state of activity (Krishnamoorthy: par. 0054 “have a length of two bits, wherein '00' indicates that the cell is not barred, '01' indicates that the cell is barred for a period of time that does not exceed the cell bar threshold, '10' indicates that the cell has been barred for a period of time that exceeds the cell bar threshold, and '11' indicates that the RLF status of the access point 120 is unknown.”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Muddu to utilize a binary sequence for the representation of activity as taught and suggested by Krishnamoorthy. Such a person would have been motivated to make this modification with a reasonable expectation of success in order to achieve efficient data representation for data communication and structure movement and transfer.
As to Claim 2, Muddu and Krishnamoorthy teach the elements of claim 1.
Muddu further teaches: wherein the service comprises a network application service, and wherein the service data comprises netflow data collected from the network application service (Muddu: par. 0197, the activity may be Netflow data).
As to Claim 3, Muddu and Krishnamoorthy teach the elements of claim 1.
Muddu further teaches: wherein the model of the service comprises data representing:
a source endpoint of the service (Muddu: par. 0641, 0644 the IP address traffic origination may be captured);
a destination endpoint of the service (Muddu: par. 0641, 0644 the IP address traffic destination may be captured); and
a context of the service, wherein the context describes an association between the source endpoint and the destination endpoint (Muddu: par. 0645, the beacon detection technique will distinguish between user-generated traffic and machine-generated traffic (i.e. context of association)).
As to Claim 4, Muddu and Krishnamoorthy teach the elements of claim 1.
Muddu further teaches: wherein (5) comprises:
(5) (a) determining, based on the state-scale dataset, whether the service satisfies a periodicity condition (Muddu: par. 0618, feature scores are generated based on different analyses of event data; par. 0619, the feature scores are associated with a feature vector, of which timing analysis is one element; par. 0624, the timing of communications is analyzed, which includes its periodicity);
(5) (b) if the service is determined to satisfy the periodicity condition, then:
(5) (b) (i) identifying a period of the service (Muddu: par. 0624, the timing of communications is analyzed, which includes its periodicity);
(5) (b) (ii) identifying a scale at which the service satisfies the periodicity condition (Muddu: par. 0694, the group must have occurred periodically a threshold number of times (i.e. a scale)); and
(5) (b) (iii) determining, based on the state-scale dataset, whether the service has satisfied the periodicity condition repeatedly at a consistent scale (Muddu: par. 0693, it is determined whether a periodicity criterion is met); and
(5) (c) if the service is determined to have satisfied the periodicity condition repeatedly at a consistent scale, then assigning a persistent state of Periodic to the service (Muddu: par. 0233-34, the state and scale of the event is saved as part of the training).
As to Claim 5, Muddu and Krishnamoorthy teach the elements of claim 1.
Muddu further teaches: wherein (5) comprises using unsupervised learning to perform (5) (a) - (5) (c) (Muddu: par. 0276, the machine learning based CEP engine can utilize unsupervised machine learning models).
As to Claim 6, Muddu and Krishnamoorthy teach the elements of claim 4.
Muddu further teaches: wherein (5) (b) (ii) comprises evaluating the service on all possible scales to identify the scale at which the service satisfies the periodicity condition (Examiner interprets the “all possible scales” to mean at least one scale, which is satisfied by Muddu as applied).
As to Claim 7, Muddu and Krishnamoorthy teach the elements of claim 1.
Muddu further teaches: (6) after assigning a state of Periodic to the service, determining that the service no longer exhibits periodicity;
(7) in response to determining that the service no longer exhibits periodicity, assigning a state of Discontinued to the service (Muddu: par. 0696, after determining the group no longer satisfies the periodicity criterion, it is no longer anomalous (which is a label that may correspond to Discontinued); par. 0235, the model is continuously retrained and activated and finally expired).
As to Claim 13, it is rejected for similar reasons as claim 1. Muddu further teaches a computer readable medium and a computer processor (Muddu: par. 0742, [8520]).
As to Claim 14, it is rejected for similar reasons as claim 2.
As to Claim 15, it is rejected for similar reasons as claim 3.
As to Claim 16, it is rejected for similar reasons as claim 4.
As to Claim 17, it is rejected for similar reasons as claim 5.
As to Claim 18, it is rejected for similar reasons as claim 6.
As to Claim 19, it is rejected for similar reasons as claim 7.
B.
Claims 8, 10-12 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Muddu et al., (“Muddu”), United States Patent Application Publication 2018/0367551, published Sept. 26, 2019 in view of Krishnamoorthy et al., (“Krishnamoorthy”), United States Patent Application Publication 2017/0201933, published July 13, 2017 in further view of Ferguson et al., (“Ferguson”), United States Patent Application Publication 2017/0230391, published Aug. 10, 2017.
As to Claim 8, Muddu and Krishnamoorthy teach the elements of claim 4.
Muddu and Krishnamoorthy may not explicitly teach: wherein (5) further comprises:
(5) (d) if the service is not determined to have satisfied the periodicity condition repeatedly at a consistent scale, then determining, based on the state-scale dataset, whether the service satisfies a continuity condition;
(5) (e) if the service is determined to satisfy the continuity condition, then:
(5) (e) (i) identifying a scale at which the service satisfies the continuity condition; and
(5) (e) (ii) determining, based on the state-scale dataset, whether the service has satisfied the continuity condition repeatedly at a consistent scale; and
(5) (f) if the service is determined to have satisfied the continuity condition repeatedly at a consistent scale, then assigning a persistent state of Continuous to the service.
Ferguson teaches in general concepts related to detection of abnormal behavior of a group or plurality of entities of a computer system (Ferguson: Abstract). Ferguson teaches, like Muddu, that human, machine, or other activity is modeled in a network environment by ingesting data from a number of sources (Ferguson: par. 0070). Conditional probabilities may be calculated to determine if activity is user-related, including whether there is a pattern of types of work for a given time of day and the context thereof (Ferguson: pars. 0153-158, the identity of a user can be verified using various network related data, e.g. a pattern of doing a certain type of work at a time in the day). The detection of anomalous user activities may then be determined based in part on these conditional probabilities (Ferguson: par. 0159).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Muddu-Krishnamoorthy to implement a determination and identification of human (i.e. user) activity as periodic based on the time-of-day pattern determination (i.e. continuous) as taught and suggested by Ferguson. Such a person would have been motivated to make this modification with a reasonable expectation of success in order to provide an intelligent approach to anomalous behavior detection using pattern detection of user-based activity (Ferguson: par. 0011).
As to Claim 10, Muddu, Krishnamoorthy and Ferguson teach the elements of claim 8.
Muddu further teaches: wherein (5) comprises using unsupervised learning to perform (5) (d) - (5) (f) (Muddu: par. 0276, the machine learning based CEP engine can utilize unsupervised machine learning models).
As to Claim 11, Muddu, Krishnamoorthy and Ferguson teach the elements of claim 8.
Muddu further teaches: wherein (5) (e) (ii) comprises evaluating the service on all possible scales to identify the scale at which the service satisfies the continuity condition (Examiner interprets the “all possible scales” to mean at least one scale, which is satisfied by Muddu as applied).
As to Claim 12, Muddu, Krishnamoorthy and Ferguson teach the elements of claim 8.
Muddu further teaches: (6) after assigning a state of Continuous to the service, determining that the service no longer exhibits periodicity;
(7) in response to determining that the service no longer exhibits periodicity, assigning a state of Discontinued to the service (Muddu: par. 0696, after determining the group no longer satisfies the periodicity criterion, it is no longer anomalous (which is a label that may correspond to Discontinued); par. 0235, the model is continuously retrained and activated and finally expired).
As to Claim 20, it is rejected for similar reasons as claim 8.
C.
Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Muddu et al., (“Muddu”), United States Patent Application Publication 2018/0367551, published Sept. 26, 2019 in view of Krishnamoorthy et al., (“Krishnamoorthy”), United States Patent Application Publication 2017/0201933, published July 13, 2017 in further view of Ferguson et al., (“Ferguson”), United States Patent Application Publication 2017/0230391, published Aug. 10, 2017 in further view of Marck et al. (“Marck”), United States Patent Application Publication 2013/0291107, published Oct. 31, 2013.
As to Claim 9, Muddu, Krishnamoorthy and Ferguson teach the elements of claim 8.
Muddu, Krishnamoorthy and Ferguson may not explicitly teach: wherein (5) further comprises:
(5) (g) if the service was determined to satisfy at least one of the periodicity condition and the continuity condition, but not repeatedly at a consistent scale, then assigning a persistent state of Continuous but Random to the service.
Marck teaches in general concepts related to mitigating distributed denial of service attacks on a network (Marck: Abstract). Specifically and of relevance, Marck discusses distinguishing legitimate human user activities from malicious bot activity by considering inconsistent activity that may in fact be valid due to consideration of the activity attributes (Marck: par. 0038, “For example, given an human behavior profile indicating that potentially malicious transactions can include inconsistent attributes such as when a transaction is associated with a mobile device operating system and a mobile device browser, but the transaction is for a web site's standard HTTP web page, instead of the web site's mobile web page, and the presence in the most recent application layer forensic information of a transaction that is associated with a mobile device operating system and a mobile device browser, but that is for a web site's standard HTTP web page, HBA engine 328 can create an HBA malicious qualifier associated with the inconsistent transaction, and place the HBA malicious qualifier in HBA malicious qualifier list 334.”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Muddu-Krishnamoorthy-Ferguson to implement a determination and identification of Continuous but Random for inconsistent but recognized continuous activity as taught and suggested by Ferguson. Such a person would have been motivated to make this modification with a reasonable expectation of success in order to obtain a refined understanding and analysis of certain activity.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAMES T TSAI whose telephone number is (571)270-3916. The examiner can normally be reached M-F 8-5 Eastern.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Viker Lamardo can be reached on 571-270-5871. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/JAMES T TSAI/Primary Examiner, Art Unit 2174