DETAILED ACTION
In a communication received on 8 December 2025, applicant amended claims 1, 6-8, 13, 15-17 and 19-20 and canceled claim 14.
Claims 1-3, 5-9, 11, 13 and 15-20 are pending.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Arguments
Applicant’s arguments with respect to claim(s) 1, 6-8, 13, 15-17 and 19-20 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1, 3, 5, 6, 8, 11 and 17 is/are rejected under 35 U.S.C. 103 as being unpatentable over Sutherland et al. (US 2013/0081140 A1) in view of Schneider et al. (US 7,685,271 B1), and Tedesco (US 11,522,773 B1), and further in view of Suzuki et al. (US 2019/0342209 A1).
With respect to claim 1, Sutherland discloses: a method for generating a plurality of threat signatures (i.e., IPS filters/rules are generated as a collection in Sutherland, ¶0097, ¶0124), the method comprising:
receiving at an interface a first plurality of threat signatures (i.e., receiving updates to existing IPS filters and new IPS filters in Sutherland, ¶0113)
Sutherland discloses calculating a score constituting a measure of the level of performance of the IPS filter (¶0108, ¶0111). Sutherland do(es) not explicitly disclose the following. Schneider, in order to improve resource management by measuring CPU usage during execution of the rule (col. 7 lines 35-48), discloses: calculating, using one or more processors executing instructions stored on memory, cost associated with each of the first plurality of threat signatures (i.e., measuring CPU utilization required to execute rules in Schneider, col. 7 lines 35-48).
Based on Sutherland in view of Schneider, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Schneider to improve upon those of Sutherland in order to improve resource management by measuring CPU usage during execution of the rule.
Sutherland discloses performance testing is performed by a quality assurance module (¶0100). Sutherland and Schneider do(es) not explicitly disclose the following. Tedesco, in order to dedicate CPUs for special tasks with unwanted interruption such as cache pollution and task-switching caused by kernel scheduling (col. 15 lines 7-22), discloses:
isolating an inspection engine in a portion of a physical central processing unit (CPU) core in which no other user processors are executing (i.e., isolcpus is a kernel boot parameter that modifies the kernel behavior such as kernel scheduling in Tedesco, col. 15 lines 7-22)
by modifying kernel code of the physical CPU core (i.e., using a kernel boot parameter isolating the CPU from unwanted interruption to perform packet-capture and analysis; user modifying kernel behavior fundamentally equivalent to modifying kernel code in line with the skills of one of ordinary skill in the art in Tedesco, col. 15 lines 7-22).
Based on Sutherland in view of Schneider, and further in view of Tedesco, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Tedesco to improve upon those of Sutherland in order to dedicate CPUs for special tasks with unwanted interruption such as cache pollution and task-switching caused by kernel scheduling.
Tedesco discloses using a kernel boot parameter isolating the CPU from unwanted interruption to perform packet-capture and analysis (col. 15 lines 7-22). Sutherland, Schneider, and Tedesco do(es) not explicitly disclose the following. Suzuki, in order to improve rule handling by evaluating the processing of load on rules and generate handling based on that load (¶0009), discloses:
measuring, using the isolated inspection engine, a first amount of packets relayed in network traffic from scanning the network traffic without using the first signature (i.e., evaluating an application requirement, each application requirement acquires the amount of packets processed by the device during the predetermined time period in Suzuki, ¶0083);
measuring, using the isolated inspection engine, a second amount of packets relayed in the network traffic from scanning the network traffic using the first signature (i.e., evaluates more than one amounts of packet processing per requirement; a secondary amount of packets processed by another requirement during the same time period in Suzuki, ¶0083);
determining a difference between the first amount of packets relayed and the second amount of packets relayed, wherein the cost is based on the determined difference; (i.e., CPU utilization of the transfer device is evaluated as a difference in performance of different cases in which the requirements are compared in different ordering based on the amount of packets processed for each application requirement / rule; processing rules can be compared and measured by throughput to rank them in a table in Suzuki, ¶0080, ¶0106).
Based on Sutherland in view of Schneider and Tedesco, and further in view of Suzuki, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Suzuki to improve upon those of Tedesco in order to improve rule handling by evaluating the processing of load on rules and generate handling based on that load.
Sutherland discloses comparing performance level scores with one or more prevention thresholds (¶0027, ¶0144-0145). Sutherland, Schneider, and Tedesco do(es) not explicitly disclose the following. Suzuki, in order to improve resource management by measuring and comparing processing load for searching profile tables (¶0008), discloses: comparing the cost to a baseline cost associated with a baseline profile or protocol (i.e., performance profiles of the rules are used to evaluate a processing order of the rules based on the processing load in Suzuki, ¶0060, ¶0082-0083).
Based on Sutherland in view of Schneider and Tedesco, and further in view of Suzuki, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Suzuki to improve upon those of Sutherland in order to improve resource management by measuring and comparing processing load for searching profile tables.
Sutherland discloses providing confidence scores sent along with the IPS filter, scoring for IPS filters may be adjusted, downstream filter treatment is based on comparisons of the scores to thresholds (¶0009, ¶0128, ¶0144). Sutherland, Schneider, and Tedesco do(es) not explicitly disclose the following. Suzuki, in order to improve rule handling by evaluating the processing of load on rules and generate handling based on that load (¶0009), discloses: adding, using the one or more processors, a signature score to each of the first plurality of threat signatures based on the comparison of the cost to the baseline cost associated with the baseline profile or protocol (i.e., rule table sets rules in an order based on calculated processing load; the ordering is functionally a ranking in which the rule table indicates and records that ranking for processing by the corresponding transfer devices in Suzuki, ¶0083-0084).
Based on Sutherland in view of Schneider and Tedesco, and further in view of Suzuki, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Suzuki to improve upon those of Sutherland in order to improve rule handling by evaluating the processing of load on rules and generate handling based on that load.
Lastly, Sutherland further discloses: transmitting the plurality of threat signatures including signature scores to a computing device configured for scanning network activity. (i.e., filter rules and corresponding confidence scores are sent along to remote sites in order to deploy the rules accordingly in Sutherland, ¶0071, ¶0128, ¶0113).
With respect to claim 3, Sutherland discloses performance testing is performed by a quality assurance module (¶0100). Sutherland and Schneider do(es) not explicitly disclose the following. Tedesco, in order to dedicate CPUs for special tasks with unwanted interruption such as cache pollution and task-switching caused by kernel scheduling (col. 15 lines 7-22), discloses: the method of claim 1 wherein the cost associated with the threat signature is represented as:
an amount of time taken to inspect the test case, or an average amount of time taken to process a unit of test cases. (i.e., yielding an average per-packet processing time in Tedesco, ¶0070).
Based on Sutherland in view of Schneider, and further in view of Tedesco, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Tedesco to improve upon those of Sutherland in order to dedicate CPUs for special tasks with unwanted interruption such as cache pollution and task-switching caused by kernel scheduling.
With respect to claim 5, Tedesco discloses using a kernel boot parameter isolating the CPU from unwanted interruption to perform packet-capture and analysis (col. 15 lines 7-22). Sutherland, Schneider, and Tedesco do(es) not explicitly disclose the following. Suzuki, in order to improve rule handling by evaluating the processing of load on rules and generate handling based on that load (¶0009), discloses: the method of claim 1 wherein isolating the inspection engine includes isolating the inspection engine in an entirety of the CPU core in which no other user processes are executing (i.e., using a kernel boot parameter isolating the CPU from unwanted interruption to perform packet-capture and analysis in Tedesco, col. 15 lines 7-22).
Based on Sutherland in view of Schneider and Tedesco, and further in view of Suzuki, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Suzuki to improve upon those of Tedesco in order to improve rule handling by evaluating the processing of load on rules and generate handling based on that load.
With respect to claim 6, Sutherland discloses providing confidence scores sent along with the IPS filter, scoring for IPS filters may be adjusted, downstream filter treatment is based on comparisons of the scores to thresholds (¶0009, ¶0128, ¶0144). Sutherland, Schneider, and Tedesco do(es) not explicitly disclose the following. Suzuki, in order to improve rule handling by evaluating the processing of load on rules and generate handling based on that load (¶0009), discloses: the method of claim 1 further comprising modifying the threat signature based on the comparison of the cost to the baseline cost associated with the baseline profile or protocol (i.e., rule table sets rules in an order based on calculated processing load; the ordering is functionally a ranking in which the rule table indicates and records that ranking for processing by the corresponding transfer devices in Suzuki, ¶0083-0084).
Based on Sutherland in view of Schneider and Tedesco, and further in view of Suzuki, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Suzuki to improve upon those of Sutherland in order to improve rule handling by evaluating the processing of load on rules and generate handling based on that load.
With respect to claim 8, the limitation(s) of claim 8 are similar to those of claim(s) 1. Therefore, claim 8 is rejected with the same reasoning as claim(s) 1.
With respect to claim 11, the limitation(s) of claim 11 are similar to those of claim(s) 3. Therefore, claim 11 is rejected with the same reasoning as claim(s) 3.
With respect to claim 17, the limitation(s) of claim 17 are similar to those of claim(s) 1. Therefore, claim 17 is rejected with the same reasoning as claim(s) 1.
Claim(s) 2, 7, 9, 13, 15-16 and 18-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Sutherland et al. (US 2013/0081140 A1) in view of Schneider et al. (US 7,685,271 B1), and Tedesco (US 11,522,773 B1) and Suzuki et al. (US 2019/0342209 A1), and further in view of Jakobsson et al. (US 11,102,244 B1).
With respect to claim 2, Sutherland discloses calculating a score constituting a measure of the level of performance of the IPS filter (¶0108, ¶0111). Sutherland, Schneider, Tedesco, and Suzuki do(es) not explicitly disclose the following. Jakobsson, in order to manage resources and reduce computational burden (col. 66 lines 45-63), discloses: the method of claim 1 further comprising:
selecting a second plurality of threat signatures from the first plurality of threat signatures for storage at the computing device (i.e., maintaining list of active signatures characterized by higher associated scores for a particular organization in Jakobsson, col. 70 lines 52-67 and col. 71 lines 10-20),
wherein the selection of the second plurality of signatures is based on: the signature scores of the first plurality of threat signatures (i.e., maintaining list of active signatures characterized by higher associated scores for a particular organization in Jakobsson, col. 70 lines 52-67 and col. 71 lines 10-20); and
random access memory (RAM) available for storage in the computing device (i.e., the approach is sensitive to cache sizes corresponding to storage space; cache being storage memory suitable for temporary and fast use in Jakobsson, col. 66 lines 5-55)
transmitting the selection of the second plurality of threat signatures to the computing device (i.e., updating centralized scores for signatures in a database, the database further used by gateways/servers for detecting signatures in Jakobsson, col. 79 lines 10-45).
Based on Sutherland in view of Schneider, Tedesco and Suzuki, and further in view of Jakobsson, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Jakobsson to improve upon those of Sutherland in order to manage resources and reduce computational burden.
With respect to claim 7, Sutherland discloses calculating a score constituting a measure of the level of performance of the IPS filter (¶0108, ¶0111). Sutherland, Schneider, Tedesco, and Suzuki do(es) not explicitly disclose the following. Jakobsson, in order to manage resources and reduce computational burden (col. 66 lines 45-63), discloses: the method of claim 1 wherein the signature score is further based on at least one of
CVSS score, vulnerability type (i.e., attacks can be classified based on a taxonomy including technical classification of the payload as URL, attachment, BEC attack in Jakobsson, col. 14 line 56 to col. 15 line 30),
exploited in the wild, existence of published exploit, CVE year, telemetry statistics, TALOS category, vendor, or threat recency (i.e., conditional updates on recent activity for signature matched within a time period col. 71 lines 50-60; associating a score with a signature represents false negative/positive rates, cost of evaluation and other attributes in order to provide more context for signatures in Jakobsson, col. 71 lines 61-67).
Based on Sutherland in view of Schneider, Tedesco and Suzuki, and further in view of Jakobsson, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Jakobsson to improve upon those of Sutherland in order to manage resources and reduce computational burden.
With respect to claim 9, the limitation(s) of claim 9 are similar to those of claim(s) 2. Therefore, claim 9 is rejected with the same reasoning as claim(s) 2.
With respect to claim 13, Sutherland discloses calculating a score constituting a measure of the level of performance of the IPS filter (¶0108, ¶0111). Sutherland, Schneider, Tedesco, and Suzuki do(es) not explicitly disclose the following. Jakobsson, in order to manage resources and reduce computational burden (col. 66 lines 45-63), discloses: the system of claim 8 wherein the signature score of a threat signature is a weighted average of a plurality of metadata attributes added to the threat signature (i.e., type of threat, likelihood of victimization, and expected losses are attributes associated with the signature which can be weighted and used to modify the score using any arithmetic and logical operation in Jakobsson, col. 71 lines 30-60).
Based on Sutherland in view of Schneider, Tedesco and Suzuki, and further in view of Jakobsson, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Jakobsson to improve upon those of Sutherland in order to manage resources and reduce computational burden.
With respect to claim 15, Sutherland discloses calculating a score constituting a measure of the level of performance of the IPS filter (¶0108, ¶0111). Sutherland, Schneider, Tedesco, and Suzuki do(es) not explicitly disclose the following. Jakobsson, in order to manage resources and reduce computational burden (col. 66 lines 45-63), discloses: the system of claim 11 wherein the baseline cost is generated from a baseline signature (i.e., generating a benefit score based on a signature for a threat, the scores can be compared based on the trigger rate of the signatures because a baseline can be any the lowest benefit score signature to compare to in Jakobsson, col. 66 lines 22-37).
Based on Sutherland in view of Schneider, Tedesco and Suzuki, and further in view of Jakobsson, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Jakobsson to improve upon those of Sutherland in order to manage resources and reduce computational burden.
With respect to claim 16, Sutherland discloses calculating a score constituting a measure of the level of performance of the IPS filter (¶0108, ¶0111). Sutherland, Schneider, Tedesco, and Suzuki do(es) not explicitly disclose the following. Jakobsson, in order to manage resources and reduce computational burden (col. 66 lines 45-63), discloses: the system of claim 11 wherein the one or more processors are further configured to modify the threat signature based on the comparison of the cost to the baseline cost (i.e., updating and modification of signatures is based on the cost of evaluation because of a need to optimize the use of signatures, the signature scores can be compared to a threshold therefore previous signatures to determine utilization of a particular signature in Jakobsson, col. 71 lines 10-23, col. 71 line 63 to col. 72 line 1-4).
Based on Sutherland in view of Schneider, Tedesco and Suzuki, and further in view of Jakobsson, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Jakobsson to improve upon those of Sutherland in order to manage resources and reduce computational burden.
With respect to claim 18, the limitation(s) of claim 18 are similar to those of claim(s) 2. Therefore, claim 18 is rejected with the same reasoning as claim(s) 2.
With respect to claim 19, Sutherland discloses calculating a score constituting a measure of the level of performance of the IPS filter (¶0108, ¶0111). Sutherland, Schneider, Tedesco, and Suzuki do(es) not explicitly disclose the following. Jakobsson, in order to manage resources and reduce computational burden (col. 66 lines 45-63), discloses: the method of claim 17 wherein the signature score of a threat signature is a weighted average of a plurality of metadata attributes added to the threat signature (i.e., type of threat, likelihood of victimization, and expected losses are attributes associated with the signature which can be weighted and used to modify the score using any arithmetic and logical operation in Jakobsson, col. 71 lines 30-60).
Based on Sutherland in view of Schneider, Tedesco and Suzuki, and further in view of Jakobsson, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Jakobsson to improve upon those of Sutherland in order to manage resources and reduce computational burden.
With respect to claim 20, Sutherland discloses calculating a score constituting a measure of the level of performance of the IPS filter (¶0108, ¶0111). Sutherland, Schneider, Tedesco, and Suzuki do(es) not explicitly disclose the following. Jakobsson, in order to manage resources and reduce computational burden (col. 66 lines 45-63), discloses: the method of claim 17 further comprising modifying the threat signature based on the comparison of the cost to the baseline cost associated with the baseline profile or protocol (i.e., updating and modification of signatures is based on the cost of evaluation because of a need to optimize the use of signatures, the signature scores can be compared to a threshold therefore previous signatures to determine utilization of a particular signature in Jakobsson, col. 71 lines 10-23, col. 71 line 63 to col. 72 line 1-4).
Based on Sutherland in view of Schneider, Tedesco and Suzuki, and further in view of Jakobsson, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Jakobsson to improve upon those of Sutherland in order to manage resources and reduce computational burden.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHERMAN L LIN whose telephone number is (571)270-7446. The examiner can normally be reached Monday through Friday 9:00 AM - 5:00 PM (Eastern).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joon Hwang can be reached on 571-272-4036. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
Sherman Lin
3/19/2026
/S. L./Examiner, Art Unit 2447
/JOON H HWANG/Supervisory Patent Examiner, Art Unit 2447