DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Arguments
The Examiner acknowledges Applicant’s summary of claim amendments on pages 8-10 of the remarks filed 03/19/2026.
Applicant's arguments, see page 11, filed 03/19/2026, with respect to the priority to the filing date of the Indian Application No. IN202211025523 have been fully considered but they are not persuasive.
Applicant readily admits that, “The Indian application is substantively identical to the present specification. It contains the same written description, figures, and detailed embodiments, including disclosure of [Applicant paraphrasing of claim elements omitted].” The Examiner respectfully submits that the later-filed application must be an application for a patent for an invention which is also disclosed in the prior application (the parent or original nonprovisional application or provisional application). The disclosure of the invention in the parent application and in the later-filed application must be sufficient to comply with the requirements of 35 U.S.C. 112(a) or the first paragraph of pre-AIA 35 U.S.C. 112, except for the best mode requirement. See Transco Products, Inc. v. Performance Contracting, Inc., 38 F.3d 551, 32 USPQ2d 1077 (Fed. Cir. 1994).
In the Non-Final Rejection mailed 12/23/2025, the Examiner stated that the disclosure of the prior-filed application, Application No. IN202211025523, fails to provide adequate support in the manner provided by 35 U.S.C. 112(a), for at least the reasons of the prior filed application only disclosing generic components that are not sufficient to perform the claimed functions, and to see the rejections under 35 U.S.C. § 112(a) below. It is clear that the prior-filed application contains the same written description deficiencies as the instant application as issue, and Applicant readily agrees to the fact that “The Indian application is substantively identical to the present specification. It contains the same written description, figures, and detailed embodiments”. Therefore, if the current application contains persistent written description issues, and the Examiner and the Applicant both submit that the disclosures are substantially identical; then the Examiner respectfully submits that the prior filed application fails to provide adequate support in the manner provided by 35 U.S.C. 112(a) for at least the same reasons, and the pending application is not entitled to the priority date.
Furthermore, the Examiner has not identified any claim limitation that is supported in the present application, and unsupported in the Indian application. In fact, since the Applicant reiterates that “the disclosures are identical”, it is clear that the Indian application fails to provide adequate written description support for at least the same reasons as the rationales presented in the 35 U.S.C. § 112(a) written description rejections presented below.
Applicant’s arguments, see pages 11-15, filed 03/19/2026, with respect to the rejection of claims 1-7, 10-17, and 20 under 35 U.S.C. § 101 have been fully considered. The rejection of claims 1-7, 10-17, and 20 under 35 U.S.C. § 101 has been withdrawn in response to independent claims 1 and 11 being amended to include “updating a block list at the distributed enforcement nodes to block subsequent network transactions to the identified domain”.
Applicant's arguments, see pages 16-21, filed 03/19/2026, with respect to the rejection of claims 1-7, 10-17, and 20 under 35 U.S.C. § 112(a) have been fully considered but they are not persuasive.
Applicant first argues that there is sufficient support for the limitation “analyzing the relationship graph to detect one or more previously undetected anomalies”.
The Examiner respectfully disagrees.
The claimed analysis now recites, “analyzing the relationship graph by assigning a vertex score based on at least the beaconing behavior score and the anomaly score, and identifying one or more domains as anomalous when the vertex score exceeds a threshold”. There are still remaining written description issues within the amended claim limitation. There is insufficient written description for the claimed “based on at least the beaconing behavior score and the anomaly score” upon which the vertex score is “assigned” based on. Applicant argues that “graph scoring/analysis is expressly disclosed” in paragraph [0095], and that paragraphs [0091-0093] “provide concrete computation definitions for the beaconing behavior score, user-agent anomaly score, and URL anomaly score”. However, paragraph [0095] only discloses that the “contextual relationship graph analysis can utilize graph analysis techniques, including but not limited to Bayesian networks, to assign scores to each vertex in the relationship graph. The relationship graph encompasses all stages of the attack. It is also possible to analyze the graphs based on the evolution of the vertices and the edges, i.e., looking at different graphs over successive time periods”; paragraphs [0091-0093] only states on a high level that the calculation of the beaconing behavior score, the user-agent anomaly score, and the URL anomaly score is based on various factors and input variables, without actually disclosing the algorithm used to calculate the said scores or how such factors are used in such calculations. The beaconing behavior, user-agent anomaly, and URL anomaly scores are all described in that what the scores are “based on” is recited, but the originally filed disclosure is silent with regard to the actual algorithms used to calculate the scores. Contrary to Applicant’s arguments, there is no “concrete computation” disclosed whatsoever, and instead the originally filed disclosure merely mentions a collection of various inputs, and then arriving at the desired results of obtaining the respective scores, without disclosing how the inventor achieved the score calculation that is integral to the claimed invention.
Furthermore, the Examiner submits that there has never been a requirement made for source code as of the current record. For computer-implemented inventions, the determination of the sufficiency of disclosure will require an inquiry into the sufficiency of both the disclosed hardware and the disclosed software due to the interrelationship and interdependence of computer hardware and software. The critical inquiry is whether the disclosure of the application relied upon reasonably conveys to those skilled in the art that the inventor had possession of the claimed subject matter as of the filing date. As in MPEP 2161.01 (I), "The description requirement of the patent statute requires a description of an invention, not an indication of a result that one might achieve if one made that invention." It is not enough that one skilled in the art could write a program to achieve the claimed function because the specification must explain how the inventor intends to achieve the claimed function to satisfy the written description requirement. See, e.g., Vasudevan Software, Inc. v. MicroStrategy, Inc., 782 F.3d 671, 681-683, 114 USPQ2d 1349, 1356, 1357 (Fed. Cir. 2015).
Applicant next argues that there is sufficient support for the limitation “calculating a beaconing behavior score on each vertex of the relationship graph”.
The Examiner respectfully disagrees.
Applicant first attests that paragraph [0091] of the originally filed disclosure “provides the calculation inputs and structure: for each user accessing a domain, form the GET/POST request/response size time series, compute the coefficient of variation on identified time series, and apply the output of a gradient-boosted trees model trained on those time series. That is written description of possession of the scoring approach”. The Examiner respectfully traverses and submits that there is simply no structure disclosed as argued, and the originally filed disclosure does not reasonably convey to those skilled in the art that the inventor had possession of the claimed subject matter as of the filing date. Paragraph [0091] clearly states in part, “The calculation of beaconing behavior score is as follows. For each user accessing the domain, we look at the time series of the GET/POST request and response sizes to and from the domain. Then the beaconing behavior score is calculated based on the following factors: (1) the coefficient of variation of the GET response size time series; (2) the coefficient of variation of the POST request size time series; and (3) the output of a gradient-boosted trees model trained on those two time series”. The originally filed disclosure is silent with respect to how the score is actually calculated, it is only described that “the beaconing behavior score is calculated based on the following factors”, while conveniently omitting how the inventor intended to achieve the desired result of calculating the beaconing behavior score. There are a myriad of possible solutions for determining a “beaconing behavior score” based on these inputs, but the originally filed disclosure is silent with respect to even a single method regarding how the score is actually calculated. Said otherwise, paragraph [0091] describes that the claimed “calculating a beaconing behavior score on each vertex of the relationship graph” is performed by using a black-box implementation, that takes the aforementioned inputs, and then arrives at the desired result of preferably obtaining a beaconing behavior score, while remaining silent upon how such a score is calculated. There is no disclosure of an algorithm or steps/procedures taken regarding what the calculation actually comprises, only restating in the result that it is based upon these factors. Original claims may lack written description when the claims define the invention in functional language specifying a desired result but the specification does not sufficiently describe how the function is performed or the result is achieved. For software, this can occur when the algorithm or steps/procedure for performing the computer function are not explained at all or are not explained in sufficient detail (simply restating the function recited in the claim is not necessarily sufficient). In other words, the algorithm or steps/procedure taken to perform the function must be described with sufficient detail so that one of ordinary skill in the art would understand how the inventor intended the function to be performed. See MPEP §§ 2161.01, 2163.02, and 2181, subsection IV.
The Examiner acknowledges the remarks on page 18 enumerating that, “Computing a coefficient of variation is a well-understood statistical operation (standard deviation divided by mean)” (emphasis added). The Examiner also respectfully submits the fact that Applicant has already admitted on the record in the remarks filed 10/14/2025 (see page 12) that “the term ‘coefficient of variation’ is a well-established statistical concept” and “the operation is routine”; and Applicant has admitted in the remarks filed 05/06/2025 (see pages 11-14) that the same coefficient of variation of a request/response time series limitation comprises what is apparently conventional or well known to one of ordinary skill in the art and need not be disclosed in detail.
The Examiner further acknowledges the remarks on page 18 stating that the claimed invention uses the “typical machine learning training process” described in paragraph [0047] of the originally filed disclosure. The Examiner also respectfully submits the fact that Applicant has already admitted on the record in the remarks filed 05/06/2025 (see pages 11-14) that the same one model output of a gradient-boosted trees model trained on the time series limitation comprises what is apparently conventional or well known to one of ordinary skill in the art and need not be disclosed in detail. However, the Examiner respectfully disagrees that the mere recitation of “a typical machine learning training process” and “the output of a gradient-boosted trees model trained on those two time series” does not adequately demonstrate possession of the claimed the intended function of obtaining a model that is trained on the series and utilize the model to preferably calculate a beaconing behavior score.
Applicant next argues that the limitation “(i) computing a coefficient of variation of a GET response size time series, (ii) computing a coefficient of variation of a POST request time size series” is not new matter. The Examiner agrees and withdraws this rejection in view of paragraph [0091] of the originally filed disclosure.
Applicant then argues that the limitation “wherein multiple types of relationships are combined to improve a signal-to-noise ratio in anomaly detection” is adequately supported by the originally filed disclosure.
The Examiner respectfully disagrees.
Applicant relies upon paragraphs [0076-0080], [0087], and [0094] to provide support for the claim limitation at issue. Paragraphs [0076-0080] gives examples of relationship types, paragraph [0087] states that the relationship graph is based on network transaction patterns, the graph may be a directed graph, and that weights on each edge are based on a relationship that includes any of various factors; and paragraph [0094] recites, “The contextual relationship graph process 850 can further include, prior to the detecting, other known relationships between domains as presented in the previous section, such as IP-based relationship, ASN-based relationship, registration-based relationship, and redirecting-based relationship. Each of these relationships, if being considered alone, often gives weak suspicious signals. However, combining all of them together yields much higher signal to noise ratio”. The originally filed disclosure is silent with respect to how the multiple types of relationships are supposedly “combined to improve a signal-to-noise ratio in anomaly detection”. A generic statement of desired results does not indicate possession of an algorithm that improves a signal-to-noise ratio in anomaly detection as claimed.
Applicant next argues that the limitation “analyzing the graph over the plurality of time periods to identify evolving attack stages” is adequately supported by the originally filed disclosure.
The Examiner respectfully disagrees.
Applicant relies upon paragraphs [0095], [0004], [0007], [0067-0074], and [0083] for allegedly providing support for the claimed graph analysis over time to identify “evolving attack stages”. As Applicant states on page 20 of the remarks, paragraph [0095] states in part, “The relationship graph encompasses all stages of the attack. It is also possible to analyze the graphs based on the evolution of the vertices and the edges, i.e., looking at different graphs over successive time periods. This would give a view of different ways of attacks, for example” without disclosing how the relationship graph analysis preferably achieves encompassing “all stages of the attack”, and a generic statement reading “It is also possible to analyze the graphs based on the evolution of the vertices and the edges, i.e., looking at different graphs over successive time periods” does not demonstrate possession of a computer and the algorithm necessary to achieve the claimed “analyzing the graph over the plurality of time periods to identify evolving attack stages” simply by the disclosure stating that such an action is “possible”. The disclosed “looking at different graphs over successive time periods” does not reasonably indicate to one of ordinary skill in the art that the inventor had possession of an analysis that is capable of identifying evolving attack stages.
Furthermore, the remaining relied upon paragraphs do not demonstrate possession of the claim limitation at issue. Paragraph [0004] is a part of the background which refers to the Lockheed Martin™ kill chain which is the work of another described as “an industry model”, and the MITRE ATT&CK® model; paragraph [0007] only makes the assertion “it is possible to go backwards in time and analyze the patter [sic] using the relationship graphs” without disclosing any steps/algorithm for achieving the desired results of the claimed analysis; paragraphs [0067-0074] refer to a generic “Kill chain model”, that upon further consideration, is “an example kill chain model” as depicted in Figure 7 that is never referred to again in the context of performing an analysis to identify evolving attack stages; and paragraph [0083] only recites “Of note, the aforementioned relationship graphs are determined with data obtained after the attack is detected. As mentioned herein, it would be advantageous to look back to see what was going on with the compromised victim and other potential victims” without disclosing any steps/algorithms for achieving the desired results of the claimed analysis.
Lastly, the amended independent claims do not provide any “concrete mechanism by which successive graphs can be analyzed to identify evolving attack stages” as Applicant argues as none of the amended limitations even make reference to any specific analysis over time or analysis “to identify evolving attacks stages”.
Applicant then argues that the limitation “creating a relationship graph based on detecting an attack on one or more users” is adequately supported by the originally filed disclosure.
The Examiner respectfully disagrees.
Claims 4 and 14 are not limited to any particular attack detection method, and the claims require that the relationship graph is created “based on detecting an attack on one or more users”. Therefore, there must be disclosure sufficient to demonstrate that the inventor had possession of a method/steps/algorithm that is capable of detecting an attack on one or more users. Applicant alleges that such an attack detection algorithm “is expressly contemplated in the disclosed workflow”, and “the disclosure repeatedly discusses the premise that ‘once an attack is detected’ the system builds and analyzes relationship graphs to investigate”. Furthermore, Applicant argues that the originally filed disclosure contains “detailed cloud security architecture includes multiple threat prevention and detection engines (e.g., malware, intrusion prevention, DNS security, sandboxing, etc.) that inherently detect attacks” (underline added). The Examiner respectfully finds these arguments unpersuasive as none of the paragraphs relied upon by the Applicant reasonably demonstrate possession of the actual attack detection, and even paragraphs [0022-0025] which disclose an example “network diagram of a cloud-based system 100 offering security as a service” and a list of example tools (of which Applicant argues that a listing of tools “inherently detect attacks” allegedly conveys possession), it is never disclosed how the inventor actually achieves “detecting an attack on one or more users” that the creation of the relationship graph is predicated upon within the claims and the originally filed disclosure.
For computer-implemented inventions, the determination of the sufficiency of disclosure will require an inquiry into the sufficiency of both the disclosed hardware and the disclosed software due to the interrelationship and interdependence of computer hardware and software. The critical inquiry is whether the disclosure of the application relied upon reasonably conveys to those skilled in the art that the inventor had possession of the claimed subject matter as of the filing date. As in MPEP 2161.01 (I), "The description requirement of the patent statute requires a description of an invention, not an indication of a result that one might achieve if one made that invention." It is not enough that one skilled in the art could write a program to achieve the claimed function because the specification must explain how the inventor intends to achieve the claimed function to satisfy the written description requirement. See, e.g., Vasudevan Software, Inc. v. MicroStrategy, Inc., 782 F.3d 671, 681-683, 114 USPQ2d 1349, 1356, 1357 (Fed. Cir. 2015).
Applicant lastly argues that the limitation “detecting an anomaly score on each vertex of a relationship score” is adequately supported by the originally filed disclosure.
The Examiner respectfully disagrees.
Applicant argues that paragraphs [0092-0093] “provides explicit calculation procedures for user-agent anomaly score and URL anomaly score”. The Examiner respectfully submits that this is not true, as in pages 22-23 of the Non-Final Rejection mailed 12/23/2025 already discussed these same paragraphs and indicated that these paragraphs do not disclose how the anomaly score is “detected” as claimed, nor do they provide adequate support for its calculation.
Here there are two concurrent issues. First, the claims are unamended as of the current record, and recite in part, “prior to analyzing the relationship graph, detecting an anomaly score on each vertex of a relationship score”. The Examiner respectfully submits that the originally filed disclosure is silent with respect to how the inventor achieves per se “detecting an anomaly score” as explicitly claimed. Secondly, paragraphs [0092-0093] straightforwardly fail to disclose how the anomaly score is calculated as only what the calculations are “based on”, but are silent with respect to how the inventor preferably achieves the desired result of calculating an anomaly score on each vertex of the relationship graph. It is not enough that one skilled in the art could write a program to achieve the claimed function because the specification must explain how the inventor intends to achieve the claimed function to satisfy the written description requirement. See, e.g., Vasudevan Software, Inc. v. MicroStrategy, Inc., 782 F.3d 671, 681-683, 114 USPQ2d 1349, 1356, 1357 (Fed. Cir. 2015).
Here, paragraphs [0092-0093] disclose that the user-agent anomaly score is “calculated based on the fraction of users that did not use their top user-agents to access that domain” without disclosing how the score is actually calculated, nor how the user’s top agents are identified “by looking at the whole transaction history of that user”; and that the URL anomaly score is calculated “based on two factors: (1) the DGA score output by a DGA detection model, indicating whether the domain is DGA-generated; and (2) the URL path suspicious score indicating whether the sub-paths of the URL were commonly seen in known malicious activities” without disclosing how the score is actually calculated, nor how the DGA detection model calculates its outputted score, nor how the “URL path suspicious score” is calculated.
For computer-implemented inventions, the determination of the sufficiency of disclosure will require an inquiry into the sufficiency of both the disclosed hardware and the disclosed software due to the interrelationship and interdependence of computer hardware and software. The critical inquiry is whether the disclosure of the application relied upon reasonably conveys to those skilled in the art that the inventor had possession of the claimed subject matter as of the filing date. As in MPEP 2161.01 (I), "The description requirement of the patent statute requires a description of an invention, not an indication of a result that one might achieve if one made that invention."
Applicant's arguments, see pages 21-23, filed 03/19/2026, with respect to the rejection of claims 1-7, 10-17, and 20 under 35 U.S.C. § 112(b) have been fully considered but they are not persuasive.
Applicant first argues that the terms “coefficient of variation of a HTTP GET response size time series” and “coefficient of variation of a HTTP POST request time series” are definite.
The Examiner respectfully disagrees.
Applicant first makes the conclusory assertion that the rejection made under 35 U.S.C. § 112(b) does not establish indefiniteness. The Examiner appreciates Applicant’s opinion, but the Examiner respectfully disagrees as neither the claims nor the specification provide a standard for ascertaining the requisite degree, and one of ordinary skill in the art would not be reasonably apprised of the scope of the invention with regard to applying the coefficient of variation to a time series. This is because in the general field of statistics (as Applicant agrees the coefficient of variation is a statistical measure), the coefficient of variation is a measure of dispersion within a set of continuous data, in the realm of descriptive statistics. Meanwhile, a time series per se as claimed; is a series of data points indexed (or listed or graphed) in time order (examples such as heights of ocean tides or counts of sunspots), typically analyzed to achieve for example forecasting, signal detection, machine learning, or anomaly detection. Applicant attempts to circumnavigate the issue by arguing “A time series is simply an ordered collection of data values indexed in time; computing a coefficient of variation over the values in a time series is a straightforward application of the standard coefficient-of-variation computation to that dataset. Nothing about this renders the scope uncertain”. Neither this newly presented argument, nor the contents of paragraph [0091] explain how the coefficient of variation can be applied to a time series per se as claimed. Applicant attempts to allege that the calculation is “standard”, however Applicant ignores the plain language of the claims reciting two “time series” which is a series of data points listed in time order, and thus a set of discrete data. A coefficient of variation is a measure of dispersion within a set of continuous data. Applicant’s arguments and the originally filed disclosure are silent with respect to how the coefficient of variation is applied to the time series. The Examiner is not sure how to ascertain the broadest reasonable interpretation of the claim limitation at issue because the technique recites “coefficient of variation” which is applied to continuous data, yet the response/request size time series are sets of discrete data. Therefore, it still remains unclear how a coefficient of variation can be used to analyze time series data as currently claimed.
Applicant next argues that the GET and POST antecedent basis rejections regarding a mismatch and issue regarding undefined acronyms have been resolved by amending to include “HTTP GET” and HTTP POST”.
The Examiner respectfully disagrees.
Amended claims 1 and 11 still refer to a “HTTP POST request time size series” on lines 22 and 20 respectively; and then refer to a differently claimed “HTTP POST request size time series” on lines 24 and 22 respectively. The terms “time” and “size” have been transposed between the two recitations, and thus there still remains a mismatch in antecedent bases.
Applicant then argues that the dependent claims do not fall together accordingly under 35 U.S.C. § 112(b).
The Examiner respectfully disagrees.
As addressed above, there are remaining issues under 35 U.S.C. § 112(b) within the independent claims and therefore the dependent claims are rejected for having dependence upon rejected claims under § 112(b).
Applicant's arguments, see pages 23-29, filed 03/19/2026, with respect to the rejection of claims 1-7, 10-17, and 20 under 35 U.S.C. § 103 have been fully considered but they are not persuasive.
Applicant first argues that the Patterson reference does not teach the limitation “wherein a first domain and a second domain are connected by an edge when at least a predefined number of users access both the first domain and the second domain within a predefined time window” nor the currently amended Jaccard similarity coefficient limitation in amended independent claims 1 and 11.
The Examiner respectfully disagrees.
Applicant argues that Patterson does not teach “defining an edge between two domains based on multi-user co-access within a time window as the relationship predicate”. The Examiner finds this argument unpersuasive as the claim does not require “multi-user co-access within a time window as the relationship predicate” as argued. The claim recites in part, “wherein the relationship graph includes vertices for domains and edges for transactions by users between the domains having one or more transactions in the time period, the relationship graph defining a transaction pattern, wherein a first domain and a second domain are connected by an edge when at least a predefined number of users access both the first domain and the second domain within a predefined time window”. Under the broadest reasonable interpretation (BRI), the underlined portion of the above amended limitation appears to be a redundant recitation of the claim limitations that come before it. The claim already recites that the relationship graph includes vertices for domains and edges for transactions by users between the domains having one or more transactions in the time period; thus, it follows that two domains would be connected by an edge if users between the domains have one or more (which meets the newly claimed “a predefined number”) transactions in the time period (which meets the newly claimed “predefined time window”). Therefore, Patterson disclosing graphs that can contain nodes as assets or IP addresses and “edges of the graph model can be weighted quantities of the number of log entries that include a particular source IP address and destination IP address” and the fact that the tracked assets may comprise domains (Patterson [0082]), Patterson still renders obvious this amended claim limitation.
With respect to the newly recited Jaccard similarity coefficient, the Examiner defers to the rejection below as a response to this argument incorporating newly discovered prior art to render obvious this claim limitation.
Applicant next argues that the combination of Patterson, Stowe, and Anachi does not teach the limitation “calculating a beaconing behavior score on each vertex of a relationship graph, wherein the beaconing behavior score is calculated by (i) computing a coefficient of variation of a HTTP GET response size time series (ii) computing a coefficient of variation of a HTTP POST request time size series and (iii) applying an output of a gradient-boosted trees model trained on the HTTP GET response size time series and the HTTP POST request size time series”.
The Examiner respectfully disagrees.
In the Non-Final Rejection mailed 12/23/2025, the limitation at issue was mapped to the Stowe reference at Fig. 11A-11E, Col. 39 lines 35-50, Col. 40 lines 14-54, and Col. 42 lines 27-48; and to the Anachi reference at paragraphs [0085-0086]. As discussed above, Applicant attempts to simultaneously argue that the claimed coefficients of variation are a “a well-understood statistical operation” when arguing possession of the claimed invention; while also arguing that the same “well-understood statistical operation” is not obvious over Stowe explicitly teaching computing a beaconing behavior score for a plurality of connection pair series (connection pair time-series of IP addresses or domains) using a mean, variance, or a variance divided by a mean. The Examiner finds this argument unpersuasive as it pertains to an argument regarding routine optimization (of which, the Examiner notes that the definition of a standard deviation also comprises the square root of the variance) as it is clear that it is not inventive to discover the optimum or workable ranges achievable by routine experimentation using a process that even the Applicant describes as “a well-understood statistical operation”. Furthermore, Applicant’s argument of “at minimum, the rejection does not provide the required articulated mapping to the amended HTTP-specific features” is unpersuasive as no “HTTP-specific features” are claimed or disclosed aside from GET/POST request response sizes.
With regard to the Anachi reference, Applicant argues that the Anachi reference does not train a gradient-boosted trees model “on the specific pair of HTTP GET response size time series and HTTP POST request size time series, nor where Anachi teaches using that model output as one factor among the specifically recited coefficient-of-variation features to calculate a per-domain beaconing behavior score in a relationship-graph vertex-scoring pipeline”.
The Examiner respectfully disagrees.
In response to applicant's arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references. See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986). The combination was made with Patterson in view of Stowe, and further in view of Anachi. Applicant already attests on the record that the gradient boosted trees model uses a “typical machine learning training process”. Therefore, Anachi teaching a supervised machine learning model (gradient-boosted trees model is a supervised machine learning model) used to predict malware beaconing renders obvious the limitation at issue.
Applicant then argues that there no “specific rationale for adopting the particular claimed graph relationship predicate (multi-user co-access within a time window), the particular edge weighting metric (Jaccard similarity), or the particular HTTP time-series feature set and training data used by the gradient-boosted trees model, nor do they explain why these particular choices would be made together as claimed”.
The Examiner respectfully disagrees.
In response to applicant's argument that the examiner's conclusion of obviousness is based upon improper hindsight reasoning, it must be recognized that any judgment on obviousness is in a sense necessarily a reconstruction based upon hindsight reasoning. But so long as it takes into account only knowledge which was within the level of ordinary skill at the time the claimed invention was made, and does not include knowledge gleaned only from the applicant's disclosure, such a reconstruction is proper. See In re McLaughlin, 443 F.2d 1392, 170 USPQ 209 (CCPA 1971). The Examiner respectfully reminds the Applicant that the references are analogous if they are related in the field and reasonably pertinent to the problem.
In response to applicant’s argument that there is no teaching, suggestion, or motivation to combine the references, the examiner recognizes that obviousness may be established by combining or modifying the teachings of the prior art to produce the claimed invention where there is some teaching, suggestion, or motivation to do so found either in the references themselves or in the knowledge generally available to one of ordinary skill in the art. See In re Fine, 837 F.2d 1071, 5 USPQ2d 1596 (Fed. Cir. 1988), In re Jones, 958 F.2d 347, 21 USPQ2d 1941 (Fed. Cir. 1992), and KSR International Co. v. Teleflex, Inc., 550 U.S. 398, 82 USPQ2d 1385 (2007). In this case, Applicant’s dismissal of the Examiner’s rationale is improper as the rationales are explicitly taught by the Stowe reference to “enable an analyst to block particular domains determined to be related to beaconing malware” (Stowe Col. 44 line 14-21), and further to quickly identify evidence of malware beaconing as discussed by Anachi (Anachi [0082]) and these rationales recognize at least the improvement to the security of the system as a motivation.
Applicant next argues that the Patterson reference does not teach the “block list updates at distributed enforcement nodes are not taught in the manner claimed”.
The Examiner respectfully disagrees.
The Examiner first notes that the claimed “enforcement nodes” are recited at a high level of generality such that they amount to data gathering per se by generic computing devices. Secondly, in the Non-Final Rejection mailed 12/23/2025, the limitation “wherein the steps further include adding domains based on the relationship graph and the previously undetected anomalies to a blocked list, wherein the blocked list defines malicious domains to prevent subsequent access” of previous claims 5 and 15 was rendered obvious by the Head reference and will be presented in the rejection below (as Applicant readily admits on pages 28-29 of the remarks that Head teaches blocklists).
Applicant then argues that Patterson does not render obvious the relationships of claims 2 and 12.
The Examiner respectfully disagrees.
Applicant alleges without evidence that the cited portion is insufficient and Applicant's arguments fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references.
Applicant next argues that Patterson does not render obvious the limitation “and analyzing the relationship graph over the plurality of time periods to identify evolving attack stage” of claims 3 and 13.
The Examiner respectfully disagrees.
Applicant argues that Patterson does not teach identifying “evolving attack stages”. In response to applicant's argument that Patterson does not teach “to identify evolving attack stages”, a recitation of the intended use of the claimed invention must result in a structural difference between the claimed invention and the prior art in order to patentably distinguish the claimed invention from the prior art. If the prior art structure is capable of performing the intended use, then it meets the claim.
Applicant then argues that the combination of references do not render obvious the user-agent anomaly score, DGA output, and URL-path suspicious score.
The Examiner respectfully disagrees.
The Examiner first submits that there are persistent written description issues regarding these claim limitations. Secondly, Stowe teaching at least users being monitored on which domains they access renders obvious the claimed “user-agent anomaly score”, Head teaching at least DGA detection renders obvious the claimed and wholly unsupported “based on a Domain Generation Algorithm (DGA) model output”, and Patterson teaching at least producing network event graphs that can be queried and contain extracted features such as analytics that include URLS renders obvious the claimed and wholly unsupported “URL-path suspicious score”.
Applicant lastly argues that the rejection of claims 4-7 and 14-17 under 35 U.S.C. § 103 are not well founded for having depended upon allegedly allowable claims.
The Examiner respectfully disagrees.
Since applicant does not give any further explanation as to how the previously cited art differentiates from the claimed invention other than alleging dependence upon an allegedly allowable claim, the examiner defers to the rejection below as a response to this argument.
Priority
Applicant’s claim for the benefit of a prior-filed application under 35 U.S.C. 119(e) or under 35 U.S.C. 120, 121, 365(c), or 386(c) is acknowledged. Applicant has not complied with one or more conditions for receiving the benefit of an earlier filing date under 35 U.S.C. 119(d) as follows:
The later-filed application must be an application for a patent for an invention which is also disclosed in the prior application (the parent or original nonprovisional application or provisional application). The disclosure of the invention in the parent application and in the later-filed application must be sufficient to comply with the requirements of 35 U.S.C. 112(a) or the first paragraph of pre-AIA 35 U.S.C. 112, except for the best mode requirement. See Transco Products, Inc. v. Performance Contracting, Inc., 38 F.3d 551, 32 USPQ2d 1077 (Fed. Cir. 1994).
The disclosure of the prior-filed application, Application No. IN202211025523, fails to provide adequate support or enablement in the manner provided by 35 U.S.C. 112(a) or pre-AIA 35 U.S.C. 112, first paragraph for one or more claims of this application. In particular, the prior-filed application’s specification fails to provide adequate support because it only discloses generic components and provides no description of sufficient that performs the claimed functions, see rejections under 35 U.S.C. 112(a) below.
Specification
The use of the term Lockheed Martin™, MITRE ATT&CK ®, Shodan™, GitHub®, AWS®, Facebook™, LinkedIn®, PageRank™, which are trade names or marks used in commerce, has been noted in this application. The terms should be accompanied by the generic terminology; furthermore, the term should be capitalized wherever it appears or, where appropriate, include a proper symbol indicating use in commerce such as ™, SM , or ® following the term.
Although the use of trade names and marks used in commerce (i.e., trademarks, service marks, certification marks, and collective marks) are permissible in patent applications, the proprietary nature of the marks should be respected and every effort made to prevent their use in any manner which might adversely affect their validity as commercial marks.
The disclosure is objected to because of the following informalities:
Paragraph [0007] contains a typo, “patter” should read “pattern”.
Appropriate correction is required.
Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.
The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.
Claims 1-7, 10-17, and 20 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.
Regarding Claims 1 and 11:
Independent claims 1 and 11 recite “analyzing the relationship graph by assigning a vertex score based on at least the beaconing behavior score and the anomaly score, and identifying one or more domains as anomalous when the vertex score exceeds a threshold”. The specification only discloses generic “computing components” [00101] and (Fig. 3), as part of the cloud-based system of FIGS. 1 and 2, but provides no description of sufficiently definite that performs the claimed functions/steps. There is no description of a processor and programming sufficient to perform the functions, which would be required to support the claimed specialized functions.
The non-provisional specification fails to provide written description support for the claim limitation, and the claim relies upon the further wholly unsupported beaconing behavior and anomaly scores. The non-provisional specification describes [0086] “analyzing the relationship graph to detect previously undetected suspicious anomalies” and in [0095], “The contextual relationship graph analysis (step 854) can utilize graph analysis techniques, including but not limited to Bayesian networks, to assign scores to each vertex in the relationship graph. The relationship graph encompasses all stages of the attack. It is also possible to analyze the graphs based on the evolution of the vertices and the edges, i.e., looking at different graphs over successive time periods. This would give a view of different ways of attacks, for example.”
However, there is no disclosure of how such techniques that would be suitable for performing the analyzing function using the wholly unsupported beaconing behavior and anomaly scores. Thus, the scope of the claims is not reasonably commensurate with the specification.
Independent claims 1 and 11 recite “calculating a beaconing behavior score on each vertex of the relationship graph, wherein the beaconing behavior score is calculated by (i) computing a coefficient of variation of a GET response size time series, (ii) computing a coefficient of variation of a POST request time size series, and (iii) applying an output of a gradient-boosted trees model trained on the GET response size time series and the POST request size time series”.
The limitations in question do not satisfy the written description requirement under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph. The specification does not describe the limitation in sufficient detail so that one of ordinary skill in the art would recognize that the applicant had possession of the claimed invention. The only support for determining a beaconing behavior score is in paragraph [0091] of the disclosure.
Paragraph [0091] recites “The contextual relationship graph process 850 can further include, prior to the detecting, the beaconing behavior score on each vertex (domain) of the graph. The calculation of beaconing behavior score is as follows. For each user accessing the domain, we look at the time series of the GET/POST request and response sizes to and from the domain. Then the beaconing behavior score is calculated based on the following factors: (1) the coefficient of variation of the GET response size time series; (2) the coefficient of variation of the POST request size time series; and (3) the output of a gradient-boosted trees model trained on those two time series.”
The specification is silent with regard to how such a beaconing score is calculated, only the intended function that the calculation is based on the coefficient of variation of the GET/POST request time series and the output of a gradient-boosted trees model trained on the series. There is no disclosure of an algorithm or steps/procedures taken regarding what the calculation actually comprises, only that it is based upon these factors. The specification does not provide adequate disclosure for what the coefficient of variation of the GET/POST request time series is and the specification does not disclose how the inventor intended to obtain the coefficient of variation. Similarly, the output of a gradient-boosted trees model trained on the time series is not adequately supported in the specification because it fails to describe how the inventor intended to obtain a gradient-boosted trees model trained on the series (simply stating that the model is “trained on those two series” in the disclosure is insufficient because it lacks any steps/procedures or algorithms to perform the intended function of obtaining a model that is trained on the series) and utilize the model to calculate a beaconing behavior score.
Regarding the claimed “coefficient of variation”, the claim limitation is only nominally mentioned in paragraph [0091] of the disclosure as seen above. There is no disclosure regarding what the coefficient of variation comprises with respect to the GET response time series and POST request time series per se mentioned. Paragraph [0091] fails to adequately describe the steps/procedures/algorithm on how the inventor intended to achieve applying a coefficient of variation (which measures a dispersion within a set of continuous data) to a timer series per se (a set of discrete data) as claimed. Therefore, the specification is not commensurate with the full scope of the claims. Regarding the claimed “one model output of a gradient-boosted trees model”, there is no disclosure regarding how the gradient-boosted trees model achieves the desired result of providing a basis to calculate the beaconing behavior score, nor is there any disclosure regarding how the model is trained. The claim describes that the model is trained, yet the disclosure is silent about this training process being performed outside of a “typical machine learning process” nominally mentioned in paragraph [0047] with no explanation of how the claimed model is capable of achieving the specialized claim function of being suitable for calculating a beaconing behavior score as currently claimed.
In MPEP 2161.01, "computer-implemented functional claim language must still be evaluated for sufficient disclosure under the written description". And MPEP 2161.01(I) "generic claim language in the original disclosure does not satisfy the written description requirement if it fails to support the scope of the genus claimed." For computer-implemented inventions, the determination of the sufficiency of disclosure will require an inquiry into the sufficiency of both the disclosed hardware and the disclosed software due to the interrelationship and interdependence of computer hardware and software. The critical inquiry is whether the disclosure of the application relied upon reasonably conveys to those skilled in the art that the inventor had possession of the claimed subject matter as of the filing date.
As in MPEP 2161.01 (I), "The description requirement of the patent statute requires a description of an invention, not an indication of a result that one might achieve if one made that invention."). It is not enough that one skilled in the art could write a program to achieve the claimed function because the specification must explain how the inventor intends to achieve the claimed function to satisfy the written description requirement. See, e.g., Vasudevan Software, Inc. v. MicroStrategy, Inc., 782 F.3d 671, 681-683, 114 USPQ2d 1349, 1356, 1357 (Fed. Cir. 2015).
AS in MPEP 2161.01 “For instance, generic claim language in the original disclosure does not satisfy the written description requirement if it fails to support the scope of the genus claimed. Ariad, 598 F.3d at 1349-50, 94 USPQ2d at 1171 ("[A]n adequate written description of a claimed genus requires more than a generic statement of an invention’s boundaries.") (citing Eli Lilly, 119 F.3d at 1568, 43 USPQ2d at 1405-06); Enzo Biochem, Inc. v. Gen-Probe, Inc., 323 F.3d 956, 968, 63 USPQ2d 1609, 1616 (Fed. Cir. 2002) (holding that generic claim language appearing in ipsis verbis in the original specification did not satisfy the written description requirement because it failed to support the scope of the genus claimed); Fiers v. Revel, 984 F.2d 1164, 1170, 25 USPQ2d 1601, 1606 (Fed. Cir. 1993) (rejecting the argument that "only similar language in the specification or original claims is necessary to satisfy the written description requirement").”
“The Federal Circuit has explained that a specification cannot always support expansive claim language and satisfy the requirements of 35 U.S.C. 112 "merely by clearly describing one embodiment of the thing claimed." LizardTech v. Earth Resource Mapping, Inc., 424 F.3d 1336, 1346, 76 USPQ2d 1731, 1733 (Fed. Cir. 2005). The issue is whether a person skilled in the art would understand applicant to have invented, and been in possession of, the invention as broadly claimed. In LizardTech, claims to a generic method of making a seamless discrete wavelet transformation (DWT) were held invalid under 35 U.S.C. 112, first paragraph, because the specification taught only one particular method for making a seamless DWT and there was no evidence that the specification contemplated a more generic method. "[T]he description of one method for creating a seamless DWT does not entitle the inventor . . . to claim any and all means for achieving that objective." LizardTech, 424 F.3d at 1346, 76 USPQ2d at 1733.”
Claims 1 and 11 also recite the limitation “prior to analyzing the relationship graph, calculating an anomaly score on each vertex of the relationship graph, the anomaly score including (i) a user-agent anomaly score based on a fraction of users not using their top user-agents to access a domain, and (ii) a Uniform Resource Locator (URL) anomaly score based on a Domain Generation Algorithm (DGA) model output and a URL-path suspicious score”. There is no support in the disclosure regarding how the inventor intended to perform these various claimed functionalities. The algorithm or steps/procedures for these claimed functions is not explained at all or is not explained in sufficient detail (simply restating the function recited in the claim is not necessarily sufficient) so that one of ordinary skill in the art would recognize that the applicant had possession of the claimed invention. Paragraphs [0092-0093] are the only support to be found for these claim limitations, yet they do not actually disclose how the claimed anomaly score is actually calculated, and only that it is “based upon” a user-agent anomaly score, URL anomaly score, DGA model output, and URL-path. Furthermore, there is no disclosure regarding how the inventor intended the claimed invention to determine/figure out the “top user-agents” of any user or users other than a generic statement of “by looking at the whole transaction history of that user” in paragraph [0092] of the original disclosure. It is not enough that one skilled in the art could write a program to achieve the claimed function because the specification must explain how the inventor intends to achieve the claimed function to satisfy the written description requirement. See, e.g., Vasudevan Software, Inc. v. MicroStrategy, Inc., 782 F.3d 671, 681-683, 114 USPQ2d 1349, 1356, 1357 (Fed. Cir. 2015).
Amended claims 1 and 11 recite “identifying one or more domains as anomalous when the vertex score exceeds a threshold”. This amended claim limitation constitutes new matter and will be rejected on the ground that it recites elements without support in the original disclosure. See Waldemar Link, GmbH & Co. v. Osteonics Corp., 32 F.3d 556, 559, 31 USPQ2d 1855, 1857 (Fed. Cir. 1994); Vas-Cath Inc. v. Mahurkar, 935 F.2d 1555, 1560, 19 USPQ2d 1111, 1114 (Fed. Cir. 1991)(A written-description question often arises when an applicant, after filing a patent application, subsequently adds "new matter" not present in the original application.); In re Rasmussen, 650 F.2d 1212, 211 USPQ 323 (CCPA 1981). There is no disclosure of identifying a domain as anomalous when a “vertex score exceeds a threshold”.
Regarding Claims 2 and 12:
Claims 2 and 12 recite the limitation “wherein multiple types of relationships are combined to improve a signal-to-noise ratio in anomaly detection”. The specification is silent with regard to how the inventor intended to perform such a combination that achieves the desired result. Paragraphs [0092-0093] of the originally filed disclosure merely restates the desired result of the claim without sufficiently describing how the function is performed. Original claims may lack written description when the claims define the invention in functional language specifying a desired result but the specification does not sufficiently describe how the function is performed or the result is achieved. For software, this can occur when the algorithm or steps/procedure for performing the computer function are not explained at all or are not explained in sufficient detail (simply restating the function recited in the claim is not necessarily sufficient). In other words, the algorithm or steps/procedure taken to perform the function must be described with sufficient detail so that one of ordinary skill in the art would understand how the inventor intended the function to be performed. See MPEP §§ 2161.01, 2163.02, and 2181, subsection IV.
Regarding Claims 3 and 13:
Claims 3 and 13 recite the limitation “analyzing the graph over the plurality of time periods to identify evolving attack stages”. There is no support in the disclosure regarding how the inventor intended to perform graph analysis “over the plurality of time period” capable of achieving the desired result of “to identify evolving attack stages”. The algorithm or steps/procedures for these claimed functions is not explained at all or is not explained in sufficient detail (simply restating the function recited in the claim is not necessarily sufficient) so that one of ordinary skill in the art would recognize that the applicant had possession of the claimed invention. The originally filed disclosure merely repeats the claim language, makes generic statements that “it is possible to go backwards in time and analyze the patter [sic] using the relationship graphs” in paragraph [0007], or relies upon the Lockheed Martin™ kill chain which is the work of another described as “an industry model”, and the MITRE ATT&CK® model in paragraph [0004] of the background.
Regarding claims 4 and 14:
Claims 4 and 14 recite the limitation “creating a relationship graph based on detecting an attack on one or more users”. The specification is silent with regard to how such detection actually takes place. The only support for detecting an attack on one or more users is within paragraph [0009], which comprises only a recitation of claim language.
Regarding claims 10 and 20:
Claims 10 and 20 recite the limitation “detecting an anomaly score on each vertex of a relationship score”. The specification is silent with regard to how such detection actually takes place. Paragraph [0009] fails to provide support for this limitation as it comprises only a recitation of claim language. Paragraphs [0092-0093] recite: “The contextual relationship graph process 850 can further include, prior to the detecting, the user-agent anomaly score on each vertex (domain) of the graph. The calculation of user-agent anomaly score is as follows. For each user accessing the domain, we identify the user's top user-agents by looking at the whole transaction history of that user, then we identify whether the user used the top user-agents to access that domain. The user- agent anomaly score of the domain is calculated based on the fraction of users that did not use their top user-agents to access that domain. [0093] The contextual relationship graph process 850 can further include, prior to the detecting, the URL anomaly score on each vertex (domain) of the graph. The URL anomaly score is calculated based on two factors: (1) the DGA score output by a DGA detection model, indicating whether the domain is DGA-generated; and (2) the URL path suspicious score indicating whether the sub-paths of the URL were commonly seen in known malicious activities”. The disclosure is silent with regard to how the anomaly score is “detected” as claimed, nor does it provide adequate support for its calculation whatsoever other than providing what the score is “based on”.
The dependent claims fall accordingly.
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.
Claims 1-7, 10-17, and 20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
The terms “coefficient of variation of a HTTP GET response size time series” and “coefficient of variation of a HTTP POST request size time series” in claims 1 and 11 are terms which render the claims indefinite. The terms “coefficient of variation of a HTTP GET response size time series” and “coefficient of variation of a HTTP POST request size time series” are not defined by the claim, the specification does not provide a standard for ascertaining the requisite degree, and one of ordinary skill in the art would not be reasonably apprised of the scope of the invention. These terms are not defined within the disclosure, nor would one of ordinary skill in the art be appraised of the scope of what these terms may comprise. The term “coefficient of variation” only appears in paragraph [0091] of the disclosure referring to “the coefficient of variation of the GET response size time series” and “the coefficient of variation of the POST request size time series” without any further explanation. It is unclear how a coefficient of variation can be used to analyze time series data per se as currently claimed and the Examiner is not sure how to ascertain the broadest reasonable interpretation of the claim limitation at issue because the technique recites “coefficient of variation” which is applied to continuous data, yet the response/request size time series are sets of discrete data. Therefore, it still remains unclear how a coefficient of variation can be used to analyze time series data as currently claimed.
The term “a fraction of users not using their top user-agents to access a domain” in claims 1 and 11 is a relative term which renders the claim indefinite. The term “a fraction” is not defined by the claim, the specification does not provide a standard for ascertaining the requisite degree, and one of ordinary skill in the art would not be reasonably apprised of the scope of the invention. Neither the claims nor the specification reasonably convey to one of ordinary skill in the art what would comprise “a fraction of users”
Claims 1 and 11 recite the limitations “HTTP POST request time size series” on lines 22 and 20 respectively; and then refer to a differently claimed “HTTP POST request size time series” on lines 24 and 22 respectively. The terms “time” and “size” have been transposed between the two recitations.
Claims 5-6 and 15-16 recite the limitation "the previously undetected anomalies". There is insufficient antecedent basis for these limitations in the claims.
The dependent claims fall accordingly.
The following is a quotation of 35 U.S.C. 112(d):
(d) REFERENCE IN DEPENDENT FORMS.—Subject to subsection (e), a claim in dependent form shall contain a reference to a claim previously set forth and then specify a further limitation of the subject matter claimed. A claim in dependent form shall be construed to incorporate by reference all the limitations of the claim to which it refers.
The following is a quotation of pre-AIA 35 U.S.C. 112, fourth paragraph:
Subject to the following paragraph [i.e., the fifth paragraph of pre-AIA 35 U.S.C. 112], a claim in dependent form shall contain a reference to a claim previously set forth and then specify a further limitation of the subject matter claimed. A claim in dependent form shall be construed to incorporate by reference all the limitations of the claim to which it refers.
Claims 10 and 20 are rejected under 35 U.S.C. 112(d) or pre-AIA 35 U.S.C. 112, 4th paragraph, as being of improper dependent form for failing to further limit the subject matter of the claim upon which it depends, or for failing to include all the limitations of the claim upon which it depends.
Dependent claim 10 recites in whole “The non-transitory computer-readable medium of claim 1, wherein the steps further include: prior to the analyzing the relationship graph, detecting an anomaly score on each vertex of the relationship graph, the anomaly score including (i) a user-agent anomaly score based on a fraction of users not using their top user-agents to access a domain, and (ii) a Uniform Resource Locator (URL) anomaly score based on a Domain Generation Algorithm (DGA) model output and a URL-path suspicious score”. This fails to further to limit the claim that it depends upon because independent claim 1 already includes all of the limitations of dependent claim 10, and claim 10 does not further limit claim 1.
Dependent claim 20 recites substantially the same content as claim 10, and fails to further limit independent claim 11 for the same rationales set forth for claim 10.
Applicant may cancel the claim(s), amend the claim(s) to place the claim(s) in proper dependent form, rewrite the claim(s) in independent form, or present a sufficient showing that the dependent claim(s) complies with the statutory requirements.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1-7, 10-17, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Patterson et. al. (US Publication No. US 2018/0069885 A1) hereinafter Patterson in view of Chen et. al. (US Patent No. US 10,614,071 B1) hereinafter Chen, further in view of Stowe et. al. (US Patent No. US 10,264,014 B2) hereinafter Stowe, further in view of Anachi; Rajini B. (US Publication No. US 2019/0089725 A1) hereinafter Anachi, further in view of Head, JR. et. al. (US Publication No. US 2022/0060498 A1) hereinafter Head.
Regarding Claim 1 and 11:
Claim 1. Patterson discloses Patterson discloses a non-transitory computer-readable medium comprising instructions that, when executed, cause one or more processors to perform steps of (Patterson [0017], [0033], [0090]): receiving network transaction data for a plurality of users monitored by a cloud-based system (Patterson Fig. 2, [0028-0029] the SIEM “can generate, track, or monitor log data related to events or information about computing activities that occur within network 100 (e.g., Domain Name System (DNS) traffic)”), wherein the network transaction data is gathered via inline cloud-based monitoring at distributed enforcement nodes positioned between users, the internet, and cloud services (Patterson Fig. 1, [0022-0029]); creating a relationship graph based on the plurality of user's network transactions for a time period (Patterson [0040-0042] “a graph network or model, with nodes representing, for example, computing assets 104a/b/c or users 102, and edges representing, for example, specific log entries that include parameters about network activity of certain nodes”, [0045-0046] time period can be made to any desire), wherein the relationship graph includes vertices for domains and edges for transactions by users between the domains having one or more transactions in the time period, (Patterson [0040-0046] graph can contain nodes as assets or IP addresses and “edges of the graph model can be weighted quantities of the number of log entries that include a particular source IP address and destination IP address”, [0082] an asset can be a domain) the relationship graph defining a transaction pattern (Patterson Fig. 4 graph database storage 412 and 414; [0078-0079] “Network event graphs are stored in GDB 412 and/or GDB 414 in a graph format. These graph databases 412/414 can be queried in the form of a graph to determine communication patterns between various nodes of network 100. In some implementations, queries are submitted directly to GDB 412, 414, however, as noted above, a user can query the databases through a separate terminal that couples to data analysis device 112. In various implementations, results or answers that are responsive to a query are provided by the graph database 412, 414 that receives the submitted query/question. In some implementations, GDB 412 is a GPU accelerated graph database and is a distinct database relative to GDB 414. GPU accelerated GDB 412 can be used, or configured, to perform accelerated graphical analysis relative to the GDB 414. For example, GDB 412 can utilize faster graphical processing functions to produce network event graphs that have a smaller sample size of node/network event data when compared to a sample size of event data used by GDB 414.” ) wherein a first domain and a second domain are connected by an edge when at least a predefined number of users access both the first domain and the second domain within a predefined time window (Patterson [0040-0046] graph can contain nodes as assets or IP addresses and “edges of the graph model can be weighted quantities of the number of log entries that include a particular source IP address and destination IP address”, [0082] an asset can be a domain); and prior to analyzing the relationship graph, assigning a weight to each edge (Patterson [0040] and [0080] edges “can represent, for example, specific log entries including parameters or features associated with network activity of certain nodes… The edges of the graph model can be weighted quantities of the number of log entries that include a particular source IP address and destination IP address”)… prior to analyzing the relationship graph, calculating an anomaly score on each vertex of the relationship graph (Patterson Fig. 6 risk scores based on proximity to compromised node, [0087-0088]), … (ii) a Uniform Resource Locator (URL) anomaly score (Patterson [0073] stream analytics device 404 utilizes URLs) … and a URL-path suspicious score (Patterson [0073] stream analytics device 404 utilizes URLs); analyzing the relationship graph by assigning a vertex score based on at least the beaconing behavior score and the anomaly score, and identifying one or more domains as anomalous when the vertex score exceeds a threshold (Patterson [0019] and [0053-0054] thresholds in time series analysis contemplated; [0042-0048] “graph analytic measures can be used to identity or detect users 102 or computing assets 104 (source/destination IP) that have engaged in network activity that exceeds a threshold level of activity (e.g., attempts to access certain files/resource above a threshold, sending/receiving data packets above a threshold, etc.”).
Patterson does not explicitly disclose based on a relationship strength in the time period between two domains, the relationship strength comprising a Jaccard similarity coefficient between (i) a first set of users accessing a first domain and (ii) a second set of users accessing a second domain, calculating a beaconing behavior score on each vertex of the relationship graph, wherein the beaconing behavior score is calculated by (i) computing a coefficient of variation of a HTTP GET response size time series, (ii) computing a coefficient of variation of a HTTP POST request time size series, and (iii) applying an output of a gradient-boosted trees model trained on the HTTP GET response size time series and the HTTP POST request size time series; … the anomaly score including (i) a user-agent anomaly score based on a fraction of users not using their top user-agents to access a domain, … based on a Domain Generation Algorithm (DGA) model output … and responsive to identifying a domain as anomalous, updating a block list at the distributed enforcement nodes to block subsequent network transactions to the identified domain.
Chen teaches based on a relationship strength in the time period between two domains, the relationship strength comprising a Jaccard similarity coefficient between (i) a first set of users accessing a first domain and (ii) a second set of users accessing a second domain (Chen Col. 21 lines 59-60 and Col. 22 lines 6-14, domains tracked, scored, and thresholds used to compute data that a customer might need when reviewing; Col. 23 line 63 through Col. 24 line 38 “Each hour after bootstrap, a new snapshot is taken (i.e., data collected about a datacenter in the last hour is processed) and information from the new snapshot is merged with existing data to create and (as additional data is collected/processed) maintain a cumulative graph. The cumulative graph (also referred to herein as a cumulative PType graph and a polygraph) is a running model of how processes behave over time. Nodes in the cumulative graph are PType nodes, and provide information such as a list of all active processes and PIDs in the last hour, the number of historic total processes, the average number of active processes per hour, the application type of the process (e.g., the CType of the PType), and historic CType information/frequency. Edges in the cumulative graph can represent connectivity and provide information such as connectivity frequency. The edges can be weighted (e.g., based on number of connections, number of bytes exchanged, etc.). Edges in the cumulative graph (and snapshots) can also represent transitions… One approach to determining commonality is, for any two nodes that are members of a given CmdType (described in more detail below), comparing internal neighbors and calculating a set membership Jaccard distance. The pairs of nodes are then ordered by decreasing similarity (i.e., with the most similar sets first). For nodes with a threshold amount of commonality (e.g., at least 66% members in common), any new nodes (i.e., appearing in the snapshot's graph but not the cumulative graph) are assigned the same PType identifier as is assigned to the corresponding node in the cumulative graph. For each node that is not classified (i.e., has not been assigned a PType identifier), a network signature is generated (i.e., indicative of the kinds of network connections the node makes, who the node communicates with, etc.)”; Chen Col. 24 lines 53-62 “Changes to the cumulative graph (e.g., a new PType or a new edge between two PTypes) can be used (e.g., at 1806) to detect anomalies (described in more detail below). Two example kinds of anomalies that can be detected by platform 102 include security anomalies (e.g., a user or process behaving in an unexpected manner) and devops/root cause anomalies (e.g., network congestion, application failure, etc.). Detected anomalies can be recorded and surfaced (e.g., to administrators, auditors, etc.), such as through alerts which are generated at 1808 based on anomaly detection”).
Chen does not explicitly teach calculating a beaconing behavior score on each vertex of the relationship graph, wherein the beaconing behavior score is calculated by (i) computing a coefficient of variation of a HTTP GET response size time series, (ii) computing a coefficient of variation of a HTTP POST request time size series, and (iii) applying an output of a gradient-boosted trees model trained on the HTTP GET response size time series and the HTTP POST request size time series; … the anomaly score including (i) a user-agent anomaly score based on a fraction of users not using their top user-agents to access a domain, … based on a Domain Generation Algorithm (DGA) model output … and responsive to identifying a domain as anomalous, updating a block list at the distributed enforcement nodes to block subsequent network transactions to the identified domain.
Stowe teaches calculating a beaconing behavior score on each vertex of the relationship graph (Stowe Fig. 11A-11E, Col. 40 line 14-54 beaconing score is computed for the various connection pair series including variance and mean which are well known statistical analysis techniques; Col. 42 line 27-48 malicious beaconing score criteria enumerated), wherein the beaconing behavior score is calculated by (i) computing a coefficient of variation of a HTTP GET response size time series (Applicant admitted prior art; Stowe Fig. 11A-11E, Col. 39 lines 35-50 “Then, for each set, a time series may be generated that represents each point in time that the same or a similar connection is made between a particular internal IP address and external IP address or domains. Each of the time series may span a particular time period. For example, each time series may span a number of days, weeks, months, or years. Thus, a connection pair time-series (or simply “connection pair series” or “connection series”), may indicate multiple connections made between a particular internal and external IP address (or domain or other device identifier) and/or a periodicity or other pattern indicating when the connections were made. The internal-external connection pairs may be plotted along each time series for the particular time period”; Col. 40 line 14-54 beaconing score is computed for the various connection pair series including variance and mean which are well known statistical analysis techniques; Col. 42 line 27-48 malicious beaconing score criteria enumerated; Col. 44 line 45 through Col. 45 line 12 applying data analysis system to malware user-agent detection), (ii) computing a coefficient of variation of a HTTP POST request time size series (Applicant admitted prior art; Stowe Fig. 11A-11E, Col. 39 lines 35-50 time series; Col. 40 line 14-54 beaconing score is computed for the various connection pair series including variance and mean which are well known statistical analysis techniques; Col. 42 line 27-48 malicious beaconing score criteria enumerated)… the anomaly score including (i) a user-agent anomaly score based on a fraction of users not using their top user-agents to access a domain (Stowe Col. 41 lines 9-23 “Examples of data entities that may be clustered include, but are not limited to: users (for example, persons having accounts on particular computer systems), internal IP addresses, internal IP addresses that connect to external domains, internal computer systems, internal computer systems that connect to external domains, external IP addresses, external domains, external IP addresses associated with external domains, other data feed data entities (for example, data entities drawn from public and/or private whitelists or blacklists, such as data entities representing known bad domains, known good domains, known bad IP addresses, and the like), host-based events (such as, for example, virus scan alerts and/or logged events, intrusion prevention system alerts and/or logged events, and the like), and the like.”),
Stowe does not explicitly teach and (iii) applying an output of a gradient-boosted trees model trained on the HTTP GET response size time series and the HTTP POST request size time series; … based on a Domain Generation Algorithm (DGA) model output … and responsive to identifying a domain as anomalous, updating a block list at the distributed enforcement nodes to block subsequent network transactions to the identified domain.
Anachi teaches and (iii) applying an output of a gradient-boosted trees model trained on the HTTP GET response size time series and the HTTP POST request size time series (Applicant admitted prior art; Anachi [0085-0086] supervised machine learning model explicitly taught to discover beaconing malware behavior; gradient-boosted trees model is a supervised machine learning model).
Anachi does not explicitly teach based on a Domain Generation Algorithm (DGA) model output … and responsive to identifying a domain as anomalous, updating a block list at the distributed enforcement nodes to block subsequent network transactions to the identified domain.
Head teaches based on a Domain Generation Algorithm (DGA) model output (Head [0362], [0367-0373]) … and responsive to identifying a domain as anomalous, updating a block list at the distributed enforcement nodes to block subsequent network transactions to the identified domain (Head [0096] “If any pair of devices are compromised and for example assigned to an IP overlay network to communicate directly, this direct communication is blocked by the control node. This provides a security advantage as many classes of covert communications between local devices is invisible and not controlled on current networks. In addition, the unauthorized or compromised attempt is detected and docketed by the control node. In some embodiments, this compromised attempt may be used to build a block list, blacklist, or the like. In some further embodiments, this compromise attempt may be used as a training example to the AI algorithm to enable further improvements in detecting compromised attempts. This blocking method in accordance with the invention not only applied to the Internet Protocol (IP), but all protocols and bare Ethernet frames as well”; [0145-0146] monitor can stop the communication in real-time and create or add to the block list).
It would have been obvious to one having ordinary skill in the art at before the time the invention was effective filed to combine the relationship graph disclosed by Patterson with the commonality calculation using Jaccard distance as taught by Chen. The motivation for this combination would be to improve security by detecting anomalies using the changes in the cumulative network graph, which is recognized by Chen (Chen Col. 24 lines 53-62 “Changes to the cumulative graph (e.g., a new PType or a new edge between two PTypes) can be used (e.g., at 1806) to detect anomalies (described in more detail below). Two example kinds of anomalies that can be detected by platform 102 include security anomalies (e.g., a user or process behaving in an unexpected manner) and devops/root cause anomalies (e.g., network congestion, application failure, etc.). Detected anomalies can be recorded and surfaced (e.g., to administrators, auditors, etc.), such as through alerts which are generated at 1808 based on anomaly detection”.
It would have been further obvious to combine the relationship graph disclosed by Patterson with the Jaccard calculation of Chen, further with the calculation of a beaconing behavior score taught by Stowe. The motivation for this combination would be to “enable an analyst to detect and proactively remove an item of malware from various computer systems…” and to “enable an analyst to block particular domains determined to be related to beaconing malware, and/or [take] other step[s] to protect [an] internal network from attack” as explicitly taught by Stowe (Stowe Col. 44 line 14-21).
It would have been further obvious to combine the relationship graph disclosed by Patterson, the Jaccard calculation of Chen, the calculation of a beaconing behavior score taught by Stowe, further with the supervised learning model taught by Anachi. The motivation for this combination would be to quickly identify evidence of malware beaconing as discussed by Anachi (Anachi [0082]).
It would have been further obvious to combine the relationship graph disclosed by Patterson, the Jaccard calculation of Chen, the calculation of a beaconing behavior score taught by Stowe, the supervised learning model taught by Anachi, further with the DGA model and blocklisting as taught by Head. The motivation for this combination would be to improve security by “detecting and stopping exfiltration” by looking at whether or not distinct DNS FQDNs/hostnames are large and do not repeat as evidence of DGA (Head [0369]) and to ensure that the compromise does not spread to the whole network using the blocklists as discussed by Head (Head [0145]).
Claim 11 recites substantially the same content as claim 1, and is therefore rejected by the rationale set forth for claim 1.
Regarding Claim 2 and 12:
Claim 2. The combination of Patterson, Chen, Stowe, Anachi, and Head further teaches the non-transitory computer-readable medium of claim 1 (Patterson [0017], [0033], [0090]), wherein weights on each edge are based on a relationship strength in the time period between two domains where the relationship includes any of malware, Internet Protocol IP addresses, Autonomous System Number ASN, registration, and redirects, and wherein multiple types of relationships are combined to improve a signal-to-noise ratio in anomaly detection (Patterson [0040] and [0080] “The edges of the graph model can be weighted quantities of the number of log entries that include a particular source IP address and destination IP address”; [0043] and [0049-0055] time series and time periods; [0073] stream analytics device 404 combines multiple desired pieces of information or features in order to analyze).
Claim 12 recites substantially the same content as claim 2, and is therefore rejected by the rationale set forth for claim 2.
Regarding Claim 3 and 13:
Claim 3. The combination of Patterson, Chen, Stowe, Anachi, and Head further teaches the non-transitory computer-readable medium of claim 1 (Patterson [0017], [0033], [0090]), wherein the steps further include creating the relationship graph for each of a plurality of time periods (Patterson [0043-0045] time windows described each can have produced a “a new set of graph analytics metrics”, [0046] time period can be made to any desire, [0069] analysis can be done in real time); and analyzing the relationship graph over the plurality of time periods to identify evolving attack stages (Patterson [0043-0048] “graph analytic measures can be used to identity or detect users 102 or computing assets 104 (source/destination IP) that have engaged in network activity that exceeds a threshold level of activity (e.g., attempts to access certain files/resource above a threshold, sending/receiving data packets above a threshold, etc.”).
Claim 13 recites substantially the same content as claim 3, and is therefore rejected by the rationale set forth for claim 3.
Regarding Claim 4 and 14:
Claim 4. The combination of Patterson, Chen, Stowe, Anachi, further teaches the non-transitory computer-readable medium of claim 1 (Patterson [0017], [0033], [0090]), wherein the steps further include creating the relationship graph (Patterson [0040-0042]).
Patterson, Chen, Stowe, and Anachi do not explicitly teach a non-transitory medium including a step based on detecting an attack on one or more users, wherein the relationship graph encompasses at least one stage of the attack lifecycle.
Head teaches a non-transitory medium including the step based on detecting an attack on one or more users (Applicant admitted prior art;), wherein the relationship graph encompasses at least one stage of the attack lifecycle (Head [0260] “the present invention is readily adaptable to new threats, with AI and machine learning for example, through the use of one or more active monitors/controllers/filters to continuously monitor internet traffic and updating its database of filters including blocklists, approve lists, ownership lists, geolocation lists, and so on, thereby thwarting or stopping new malicious attacks, threats, requests, queries, etc., as they come on line.”; [0108] “As described herein, obtaining visibility in a network is enabled with the present invention, where all communication is monitored. Thus, systems and methods for recognizing many security issues and removing such issues, including security breaches in real-time, are provided, as described with respect to the following unique features of the invention”).
It would have been further obvious to one having ordinary skill in the art at before the time the invention was effective filed to combine the relationship graph disclosed by Patterson, the Jaccard calculation of Chen, the calculation of a beaconing behavior score taught by Stowe, the supervised learning model taught by Anachi, further with the attack detection taught by Head.
The motivation for this combination would be although Patterson does not explicitly disclose creating a graph in response to detecting an attack, in paragraph [0068-0069] Patterson emphasizes the importance of determining in real-time whether “a particular node in the graph has communicated with another node that was previously infected with malicious program code” (Patterson [0069]).
Claim 14 recites substantially the same content as claim 4, and is therefore rejected by the rationale set forth for claim 4.
Regarding Claim 5 and 15:
Claim 5. The combination of Patterson, Chen, Stowe, Anachi, and Head further teaches the non-transitory computer-readable medium of claim 1 (Patterson [0017], [0033], [0090]), wherein the steps further include adding domains based on the relationship graph and the previously undetected anomalies to a blocked list, wherein the blocked list defines malicious domains to prevent subsequent access (Head [0096] “If any pair of devices are compromised and for example assigned to an IP overlay network to communicate directly, this direct communication is blocked by the control node. This provides a security advantage as many classes of covert communications between local devices is invisible and not controlled on current networks. In addition, the unauthorized or compromised attempt is detected and docketed by the control node. In some embodiments, this compromised attempt may be used to build a block list, blacklist, or the like. In some further embodiments, this compromise attempt may be used as a training example to the AI algorithm to enable further improvements in detecting compromised attempts. This blocking method in accordance with the invention not only applied to the Internet Protocol (IP), but all protocols and bare Ethernet frames as well”; [0145-0146] monitor can stop the communication in real-time and create or add to the block list).
Claim 15 recites substantially the same content as claim 5, and is therefore rejected by the rationale set forth for claim 5.
Regarding Claim 6 and 16:
Claim 6. The combination of Patterson, Chen, Stowe, Anachi, and Head further teaches the non-transitory computer-readable medium of claim 5 (Patterson [0017], [0033], [0090]) wherein the steps further include: labeling the previously undetected domains as suspicious for use in training a model to detect suspicious domains, the labeling providing supervised training data for future detection models (Anachi [0086] “As in the Behavior layer, algorithms in the Areas of Concern layer generally belong to the Semi-Supervised or Supervised Learning families; each Area of Concern data object will contain one or more Behavior data objects, and possibly one or more Event objects; and each will contain additional human-readable metadata that describes the Area of Concern, its significance, and possible remediations or paths of investigation. The labeled data that is used to train the learning algorithms in the Areas of Concern layer represents the cumulative knowledge of experienced network defenders who know how skilled and determined attackers move toward their objectives after they have gained a foothold inside the network”).
Claim 16 recites substantially the same content as claim 6, and is therefore rejected by the rationale set forth for claim 6.
Regarding Claim 7 and 17:
Claim 7. The combination of Patterson, Chen, Stowe, Anachi, further teaches the non-transitory computer-readable medium of claim 1 (Patterson [0017], [0033], [0090]), … storing log data for the network transaction data (Patterson [0041] logs are stored, [0049] can be queried).
Patterson, Chen, Stowe, and Anachi do not explicitly teach a non-transitory medium wherein the steps further include prior to the receiving network transaction data, monitoring the plurality of users via inline traffic inspection the cloud-based system.
Head teaches a non-transitory medium wherein the steps further include prior to the receiving network transaction data via inline traffic inspection, monitoring the plurality of users via the cloud-based system (Head [0260], [0274] “recognize real-time flow changes and other patterns of behavior which show attempted hacking, scanning, password guessing, a known login being used from other than its normal place, and many other more sophisticated patterns”; [0278] “Inserting the inline network monitoring device before the first network switch can beneficially prevent any network traffic from bypassing the audit”).
It would have been further obvious to one having ordinary skill in the art at before the time the invention was effective filed to combine the relationship graph disclosed by Patterson, the Jaccard calculation of Chen, the calculation of a beaconing behavior score taught by Stowe, the supervised learning model taught by Anachi, further with the system-wide monitoring as taught by Head.
The motivation for this combination would be although Patterson does not explicitly disclose the practice of monitoring system-wide, Patterson understands the value of performing real-time analysis and querying (Patterson [0069-0070]), and the monitoring taught by Head would further that goal.
Claim 17 recites substantially the same content as claim 7, and is therefore rejected by the rationale set forth for claim 7.
Regarding Claim 10 and 20:
Claim 10. The combination of Patterson, Chen, Stowe, Anachi, and Head further teaches the non-transitory computer-readable medium of claim 8 (Patterson [0017], [0033], [0090]), wherein the steps further include prior to the analyzing the relationship graph, detecting an anomaly score on each vertex of the relationship graph, (Applicant admitted prior art; Patterson Fig. 6 risk scores based on proximity to compromised node, [0087-0088]) the anomaly score including (i) a user-agent anomaly score based on a fraction of users not using their top user-agents to access a domain (Stowe Col. 41 lines 9-23 “Examples of data entities that may be clustered include, but are not limited to: users (for example, persons having accounts on particular computer systems), internal IP addresses, internal IP addresses that connect to external domains, internal computer systems, internal computer systems that connect to external domains, external IP addresses, external domains, external IP addresses associated with external domains, other data feed data entities (for example, data entities drawn from public and/or private whitelists or blacklists, such as data entities representing known bad domains, known good domains, known bad IP addresses, and the like), host-based events (such as, for example, virus scan alerts and/or logged events, intrusion prevention system alerts and/or logged events, and the like), and the like.”), and (ii) a Uniform Resource Locator (URL) anomaly score (Patterson [0073] stream analytics device 404 utilizes URLs) based on a Domain Generation Algorithm (DGA) model output (Head [0362], [0369-0373]) and a URL-path suspicious score (Patterson [0073] stream analytics device 404 utilizes URLs).
Claim 20 recites substantially the same content as claim 10, and is therefore rejected by the rationale set forth for claim 10.
Conclusion
The prior art made of record in the submitted PTO-892 Notice of References Cited and not relied upon is considered pertinent to applicant’s disclosure.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MIGUEL A LOPEZ whose telephone number is (703)756-1241. The examiner can normally be reached 8:00AM-5:00PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge Ortiz-Criado can be reached on 5712727624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/M.A.L./ Examiner, Art Unit 2496
/JORGE L ORTIZ CRIADO/ Supervisory Patent Examiner, Art Unit 2496