Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Arguments
Applicant's arguments filed 12/15/2025 have been fully considered but they are not persuasive.
Applicant amends to overcome the non-statutory subject matter (101) rejection of claims 15-20, thank you.
However, there are two 101 rejections: one rejection on claims 15-20 related to claiming transitory signals (which is overcome); and a second rejection for claiming an abstract idea without significantly more in claim 1-20. Non-Final p. 2-3. Applicant’s amendments have not overcome the second 101 rejection. Applicant has not made an argument to overcome the second 101 rejection either. Therefore, the second 101 rejection is maintained.
Applicant argues, “However, neither Choi nor EI-Moussa teaches or fairly suggests "extracting a non- overlapping set of extracted windows from a sample executable file of a labeled dataset according to a hyperparameter" as amended claim 1 recites.” Remarks 9. El-Moussa paragraph 98 teaches “As depicted in FIG. 10, the windows 1008 are generally defined to span different continuous subsets of network traffic…” A different continuous subset of network traffic is a non-overlapping window. El-Moussa paragraph 79 teaches “here multiple traffic portion definitions 526 are retrieved for a protocol, such portion definitions will constitute windows of network traffic that may overlap or occur adjacent in the flow of network traffic.” An adjacent window is a non-overlapping window, and the adjacent window is phrased as an alternative to the overlapping window. Figure 11 of El-Moussa teaches windows that don’t overlap, see below window 1110 and windows 1008.
PNG
media_image1.png
632
328
media_image1.png
Greyscale
Therefore, El-Moussa teaches non-overlapping windows.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1-20 rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. The claims recites the mental concept of extracting data, excluding high entropy data, and extracting labeled features from the data. This judicial exception is not integrated into a practical application because it is not directed to an improvement to computers or a technological field. The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional elements of a computer or storage media are directed to generic computer parts.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1, 3, 5-8, 10, 12-15, 17, 19 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over US20190190926A1 to Choi et al and US20160366155A1 to El-Moussa et al.
Claims 2, 9 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over US20190190926A1 to Choi et al, US20160366155A1 to El-Moussa et al and US20190138423A1 to Agerstam et al.
Claims 4, 11 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over US20190190926A1 to Choi et al, US20160366155A1 to El-Moussa et al and US20180253755A1 to Cheng et al.
Choi teaches claims 1, 8 and 15. A method comprising:
extracting a (Choi para 35 “generate, from the system log data 197 a time series 127A-127 n (FIGS. 3A and 3B) of overlapping windowed system log data 126, where each time window 127 of the overlapping windowed system log data 126 includes a respective batch of system log data 128 (FIG. 4, Block 420).” The log data in Choi fig. 3b is the sample executable file of labeled dataset. The labels are the “behavior keywords” shown in para 35 and fig. 4. The hyperparameter is “the predetermined window size, the predetermined window overlap size, and the entropy threshold T, for at least one (or each) time window 127.”)
(Choi para 36 “the entropy module 115 is configured to determine the system entropy measurements from the extracted features 111 extracted from the respective batch of system log data 128 from the at least one window 127 of the overlapping windowed system log data 126 (FIG. 4, Block 440).”)
extracting a labeled feature from the entropy(Choi para 50-51 “Extract keywords from the captured windowed batch of system log data 128 using natural language processing (FIG. 4, Blocks 420 and 430); Create a feature vector(s) “X” 111V1-111Vn from the keywords extracted from the captured windowed batch of system log data 128 (FIG. 4, Blocks 420 and 430)…”) Choi doesn’t teach excluding a subset of windows based on entropy.
However, El-Moussa teaches non-overlapping set of extracted windows… (El-Moussa paragraph 98 teaches “As depicted in FIG. 10, the windows 1008 are generally defined to span different continuous subsets of network traffic…” A different continuous subset of network traffic is a non-overlapping window. El-Moussa paragraph 79 teaches “here multiple traffic portion definitions 526 are retrieved for a protocol, such portion definitions will constitute windows of network traffic that may overlap or occur adjacent in the flow of network traffic.” An adjacent window is a non-overlapping window.) excluding at least some extracted windows among the set of extracted windows according to information entropy to derive an entropy-excluded subset of extracted windows. (El-Moussa para 103 “the window selector 958 identifies a window determined to have a greatest degree of consistent similarity of entropy measures… it is advantageous that the window selector 958 further undertakes a process of elimination of windows identified by the window selector 958 to exclude from the identification windows having entropy measures for known malicious encrypted traffic that are similar, by some predetermined degree of similarity or clustering, to entropy measures for known non-malicious traffic.”)
Choi, El-Moussa and the claims are all directed to detecting malicious data. It would have been obvious to a person having ordinary skill in the art, at the time of filing, to filter the windows and exclude windows with low entropy because “a window is not suitable for use in the detection of malicious encrypted network traffic since such a window would always exhibit consistent characteristics and the measure of entropy may stay substantially the same irrespective of the nature of a network connection.” El-Moussa para 103. Further, preventing overlapping windows avoids overfit on a temporally small set of data.
Choi teaches claims 2, 9 and 16. The method of claim 1, wherein an extracted window of the set of extracted windows comprises a sub-sequence having a length corresponding to a window size hyperparameter, (Choi para 38 “a predetermined window size…”) Choi doesn’t teach the spacing.
However, Agerstam teaches sub-sequences being spaced apart according to a window distance hyperparameter. (Agerstam para 90 “if the unit of time is milliseconds, the data collector 1014 collects three (n=3) time windows of data spaced apart by a number of specified milliseconds. If the unit of time is seconds, the data collector 1014 collects three (n=3) time windows of data spaced apart by a number of specified seconds.”)
Agerstam, Choi and the claims are all detecting anomalies in data. It would have been obvious to a person having ordinary skill in the art, at the time of filing, to use millisecond spacing “for analyzing quick changes in a scene…” Agerstam para 90.
El-Moussa teaches claims 3, 10 and 17. The method of claim 1, further comprising determining a first subset among the set of extracted windows having highest information entropy; determining a second subset among the set of extracted windows having lowest information entropy; and excluding the first subset and the second subset from the set of extracted windows. (El-Moussa para 103 “the window selector 958 identifies a window determined to have a greatest degree of consistent similarity of entropy measures… it is advantageous that the window selector 958 further undertakes a process of elimination of windows identified by the window selector 958 to exclude from the identification windows having entropy measures for known malicious encrypted traffic that are similar, by some predetermined degree of similarity or clustering, to entropy measures for known non-malicious traffic.” This process excludes all windows with entropy that are far away from the windows that El-Moussa is trying to monitor. This means that windows with “low” and “high” entropy numbers will be outside of the cluster based on distance and those windows are excluded. El-Moussa para 102 “That is to say that the relative similarity of all measures of entropy for a window can be measured, and a window having measures of entropy that are most similar overall is identified by the window selector 958.”)
El-Moussa teaches claims 4, 11 and 18. The method of claim 3, wherein extracted windows highest in information entropy and lowest in information entropy are determined according to a set (El-Moussa para 103 “embodiments of the invention employ clustering algorithms such as, inter alia, k-means algorithms, distribution-based clustering algorithms and/or density-based clustering algorithms to identify clusters of entropy measures among all entropy measures for a window.”) El-Moussa doesn’t filter out a proportion of windows.
However, Cheng filters a proportion of all extracted data. (Cheng para 61 “when a is greater than b, the quantity of clicks exceeding the threshold for the quantity of clicks (a-b) is filtered by selecting a filtering ratio according to a corresponding relationship between a value space of (a-b) and the filtering ratio.”)
Cheng, El-Moussa and the claims are all directed to anomalous activity. It would have been obvious to a person having ordinary skill in the art, at the time of filing, to take a proportion of the entropies because the distribution-based clustering almost requires a proportional filtering scheme and filtering like this separates fraudulent data from normal data.1
El-Moussa teaches claims 5, 12 and 19. The method of claim 3, wherein extracted windows highest in information entropy and lowest in information entropy are determined according to (El-Moussa para 103 “embodiments of the invention employ clustering algorithms such as, inter alia, k-means algorithms, distribution-based clustering algorithms and/or density-based clustering algorithms to identify clusters of entropy measures among all entropy measures for a window.”) El-Moussa doesn’t teach extracting a set number of windows.
However, Choi teaches a set number of windows. (Choi para 38 “and a number of data windows N…”)
El-Moussa teaches claims 6, 13 and 20. The method of claim 1, further comprising collecting the entropy-excluded subset of extracted windows into a data stream; and. (El-Moussa para 103 “the window selector 958 identifies a window determined to have a greatest degree of consistent similarity of entropy measures… it is advantageous that the window selector 958 further undertakes a process of elimination of windows identified by the window selector 958 to exclude from the identification windows having entropy measures for known malicious encrypted traffic that are similar, by some predetermined degree of similarity or clustering, to entropy measures for known non-malicious traffic.”)
wherein extracting a labeled feature comprises taking (El-Moussa para 98 “Each window can be defined by way of a start point 1010 and an end point 1012, each of the start and end points indicating a location in network traffic for a network connection such as a byte, message, segment or packet offset in network traffic, Alternatively, a start point 1010 and an extent, length or size 1014 can define a window.”) El-Moussa doesn’t teach n-grams.
However, Choi teaches n-grams. (Choi para 35 “the natural language pre-processing 300 of the natural language processing module 112 firstly tokenizes the system log data 197 … by chopping up the text messages that form the respective batch of system log data 128 into individual terms…. For example, “USA” and “U.S.A.” are treated as being equivalent, “cyber attack” and “cyber-attack”…” This shows an n=1 and n=2 n-gram, USA and cyber attack respectively.)
El-Moussa teaches claims 7 and 14. The method of claim 6, wherein the data stream comprises one or more data structures storing the entropy-excluded subset of extracted windows in order of extraction from the sample executable file, (El-Moussa para 100 “the network traffic recorder 950 can record network traffic from an earliest point in all applicable window definitions to a latest point in all applicable window definitions such that, subsequently, the particular window definitions can be used to extract subsets of the recorded traffic to store network traffic subsets 960 for each window definition.”) El-Moussa doesn’t teach arbitrary order.
However, Choi teaches extracting windows in an order arbitrary from the order of extraction. (Choi para 35 “corresponding to a respective time window 127 in the time series 127A-127 n of overlapping windowed system log data 126.”)
Conclusion
THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Austin Hicks whose telephone number is (571)270-3377. The examiner can normally be reached Monday - Thursday 8-4 PST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Mariela Reyes can be reached at (571) 270-1006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/AUSTIN HICKS/Primary Examiner, Art Unit 2142
1 Cheng para 62 “to furthest reduce the quantity of clicks of the low level fraudulent user from the quantity of clicks on the advertisement.”