DETAILED ACTION
In a communication received on 22 September 2025, the applicants canceled claims 6 and 16 and amended claims 1 and 11.
Claims 1-4, 7-14, 17-20 are pending.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Arguments
Applicant’s arguments with respect to claim(s) 1 and 11 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-4, 7-14, and 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over Gaber et al. (US 2022/0405386 A1) in view of Scherman et al. (US 2018/0124073 A1) and Parandehgheibi et al. (US 2016/0359680 A1), and further in view of Machlica et al. (US 2017/0134404 A1).
With respect to claim 1, Gaber discloses: a method for detecting a network attack based on a fusion feature vector (i.e., prediction using an ensemble model based on receiving feature data from at least two sources in Gaber, ¶0002), comprising:
extracting feature vectors (i.e., receiving trained model set data and lists of features from any number of model source nodes; obtaining any amount or type of feature such as malicious file content based on input such as file size, a range of data in Gaber, ¶0015, ¶0032)
generating fusion feature vectors based on the extracted feature vectors (i.e., merging output of individual ML models to produce a feature vector to train the ensemble model in Gaber, ¶0016, ¶0022); and
performing training using the generated fusion feature vectors (i.e., ensemble model is trained on the merged feature vector based on output of multiple individual models with their own feature list in Gaber, ¶0015, ¶0016, ¶0022, ¶0023); and
detecting the network attack based on at least one of the generated fusion feature vectors, (i.e., different models to detect cyber-attacks; prediction results in Machlica, ¶0018, ¶0056).
Gaber discloses receiving trained model set data and lists of features from any number of model source nodes; obtaining any amount or type of feature such as malicious file content based on input such as file size, a range of data (¶0015, ¶0032). Gaber does not explicitly disclose the following. Scherman, in order to identify specific benign or malicious users with attack models trained with netflow data/metrics (¶0024), discloses: corresponding to a preset unit time from network traffic (i.e., collecting netflow information such as destination of incoming and outgoing flows and/or combined flows; metrics of network traffic may be represented as a tuple and further divided by timeframes in Scherman, ¶0015, ¶0033), and
data included in each element of the two-dimensional feature set is represented as SF(w,i)xy, wherein X is set equal to a first n packets in each flow (i.e., rule to use a communication of X packets in size for examining netflow in Scherman, ¶0033, ¶0026),
x is a packet number (i.e., average size/time of packets metrics in Scherman, ¶0017, ¶0033).
Based on Gaber in view of Scherman, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Scherman to improve upon those of Gaber in order to identify specific benign or malicious users with attack models trained with netflow data/metrics.
Gaber discloses merging output of individual ML models to produce a feature vector to train the ensemble model (¶0016, ¶0022). Gaber and Scherman do not explicitly disclose feature vectors extracted corresponding to a unit of time, including flow statistics. Parandehgheibi, in order to improve the understanding of a node's behavior with greater accuracy by evaluating across different domains when evaluating network entities (¶0019), discloses:
wherein the feature vectors (i.e., feature vectors can be fused into a monolithic feature vector to be received by a machine learning algorithm in Parandehgheibi, ¶0082, ¶0083)
include a first feature vector, a second feature vector, and a third feature vector (i.e., extracting from the raw data collected the corresponding process feature vectors, host feature vectors, and flow feature vectors in Parandehgheibi, ¶0082)
extracted from a flow set within the preset unit time (i.e., retaining a dataset for defined periods of time anywhere from minutes to years, with more complete datasets retained for flows identified as anomalous, in Parandehgheibi, ¶0034),
wherein the third feature vector is generated based on a feature set representing features of the flow set within the preset unit time (i.e., the collectors characterize identified traffic flows and store datasets of data according to defined periods of time in Parandehgheibi, ¶0034),
and wherein the features of the flow set include statistics information on protocols (i.e., multi-domain data includes collection of flow data including protocol type, class of service, aggregate packet data, number of packets/bytes for a flow in Parandehgheibi, ¶0094).
Based on Gaber in view of Scherman, and further in view of Parandehgheibi, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Parandehgheibi to improve upon those of Gaber in order to improve the understanding of a node's behavior with greater accuracy by evaluating across different domains when evaluating network entities.
Gaber discloses merging output of individual ML models to produce a feature vector to train the ensemble model (¶0016, ¶0022). Gaber, Scherman, and Parandehgheibi do not explicitly disclose the following. Machlica, in order to improve detection by analyzing and classifying features computed from proxy log fields (¶0015), discloses:
the generating the fusion feature vectors includes using common variables present in the first feature vector, the second feature vector and the third feature vector (i.e., algorithm selects input vectors and constructs new data matrix in Machlica, ¶0041, ¶0044), and
generating a two-dimensional feature set (X * Y) for each of the flows in a time window (i.e., T is the number of proxy logs in time window; hierarchical extraction algorithm of column vectors in a time window in Machlica, ¶0041, ¶0044),
data included in each element of the two-dimensional feature set is represented as SF(w, i)xy (i.e., vectors and elements are denoted A=[a1, … ak] as a matrix in Machlica, ¶0040), where
SF(w, i)xy is a y-th feature value of packet x of flow i in window w, (i.e., proxy logs within a time window in Machlica, ¶0041)
SF is a sequence feature, (i.e., building features representing traffic behavior corresponding to a hierarchy in Machlica, ¶0016, ¶0041)
w is a time window number, (i.e., proxy logs in time window t in Machlica, ¶0041, ¶0043)
i is a flow number, (i.e., P is the number of flows of user to domain in Machlica, ¶0045)
y is a feature number, (i.e., n dimensional column vector of attributes in Machlica, ¶0041)
w and i are among the common variables common to at least two of the first feature vector, the second feature vector and the third feature vector (i.e., time window t and repeatedly selecting vectors and construct matrix in Machlica, ¶0041, ¶0044),
and the at least two of the first feature vector, the second feature vector and the third feature vector are fused using the common variables (i.e., select input vectors from a subset of columns and construct a new data matrix from the selected vectors in Machlica, ¶0044).
Based on Gaber in view of Scherman and Parandehgheibi, and further in view of Machlica, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Machlica to improve upon those of Gaber in order to improve detection by analyzing and classifying features computed from proxy log fields.
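As an added illustration of the claim 1 limitations discussed above (this is not code from the application or from any cited reference), the following Python builds the sequence feature SF(w,i)xy for the first n packets of each flow in a unit-time window, the flow-level and flow-set-level vectors, and fuses the three on their common variables (w, i). The sample packets, the monitored host address, the unit time and n = 3 are constructed assumptions.

```python
"""Sequence feature SF(w,i)[x][y] and (w, i)-keyed fusion of packet, flow and flow-set vectors.
Added illustration only; not code from the application or any cited reference."""
from collections import defaultdict
from statistics import mean

# Constructed sample traffic: (timestamp_s, src_ip, dst_ip, packet_size, ip_header_len, tcp_flags).
PACKETS = [
    (0.00, "10.0.0.5", "203.0.113.9", 74, 20, 0x02),    # SYN, outbound
    (0.01, "203.0.113.9", "10.0.0.5", 74, 20, 0x12),    # SYN/ACK, inbound
    (0.02, "10.0.0.5", "203.0.113.9", 66, 20, 0x10),    # ACK, outbound
    (0.03, "10.0.0.5", "203.0.113.9", 512, 20, 0x18),   # PSH/ACK, 4th packet (beyond n=3)
    (0.20, "10.0.0.5", "198.51.100.7", 74, 20, 0x02),   # SYN to a second server, same window
    (1.50, "10.0.0.5", "198.51.100.7", 66, 20, 0x10),   # falls into the next unit-time window
]
HOST = "10.0.0.5"   # assumed monitored host; direction is +1 outbound, -1 inbound
UNIT_TIME = 1.0     # assumed preset unit time in seconds; w = floor(timestamp / UNIT_TIME)
N_PACKETS = 3       # X: first n packets of each flow kept in the sequence feature

def split_flows(packets, unit_time=UNIT_TIME):
    """Group packets into flows per window; returns {(w, i): packets}, i numbered per window."""
    by_key = defaultdict(list)                       # (w, unordered address pair) -> packets
    for pkt in sorted(packets):
        by_key[(int(pkt[0] // unit_time), frozenset((pkt[1], pkt[2])))].append(pkt)
    numbered = {}
    for key in sorted(by_key, key=lambda k: by_key[k][0][0]):   # flows ordered by first packet
        w = key[0]
        numbered[(w, sum(1 for ww, _ in numbered if ww == w))] = by_key[key]
    return numbered

def sequence_feature(flow, n=N_PACKETS):
    """X*Y matrix: Y=6 features (size, header, IAT, direction, IAT in direction, flags)
    for the first n packets of the flow, zero-padded when the flow is shorter than n."""
    rows, last_t, last_dir_t = [], None, {1: None, -1: None}
    for t, src, _dst, size, hdr, flags in flow[:n]:
        d = 1 if src == HOST else -1
        iat = 0.0 if last_t is None else round(t - last_t, 6)
        iat_dir = 0.0 if last_dir_t[d] is None else round(t - last_dir_t[d], 6)
        rows.append([size, hdr, iat, d, iat_dir, flags])
        last_t, last_dir_t[d] = t, t
    return rows + [[0] * 6 for _ in range(n - len(rows))]

def flow_vector(flow):
    """Flow-level features: duration, direction of first packet, state (last flags), packet count."""
    return [round(flow[-1][0] - flow[0][0], 6), 1 if flow[0][1] == HOST else -1, flow[-1][5], len(flow)]

def flow_set_vector(flows_in_window):
    """Flow-set features for one window: number of flows, distinct destinations, mean packet size."""
    dsts = {p[2] for f in flows_in_window for p in f if p[1] == HOST}
    return [len(flows_in_window), len(dsts), mean(p[3] for f in flows_in_window for p in f)]

def fuse(packets):
    """Fuse the three vectors on their common variables (w, i): the packet-level matrix is
    flattened and joined with the flow vector for (w, i) and the flow-set vector for w."""
    flows = split_flows(packets)
    per_window = defaultdict(list)
    for (w, _i), f in flows.items():
        per_window[w].append(f)
    fused = {}
    for (w, i), f in flows.items():
        sf = [v for row in sequence_feature(f) for v in row]
        fused[(w, i)] = sf + flow_vector(f) + flow_set_vector(per_window[w])
    return fused
```

Each fused row has a fixed length (n * 6 + 4 + 3 = 25 here) regardless of how many packets a flow actually carried, which is what lets a single classifier consume flows of differing lengths.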
With respect to claim 2, Gaber discloses aggregating models and corresponding feature data from distinct participants in order to train an ensemble model from the individual model outputs combined into a merged feature vector; the inputs can be any suitable feature of the relevant problem, such as cyber-attacks (¶0021-0023, ¶0032). Gaber does not explicitly disclose the following. Scherman, in order to identify specific benign or malicious users with attack models trained with netflow data/metrics (¶0024), discloses: the method of claim 1, wherein
the first feature vector is extracted from each packet in the network traffic (i.e., collect metrics of netflows including packet sizes of the flows in Scherman, ¶0023), and
the second feature vector is extracted from respective flows in the network traffic (i.e., collecting flow-level metrics including flags, number of flows, to and from targets or destinations in Scherman, ¶0023).
Based on Gaber in view of Scherman, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Scherman to improve upon those of Gaber in order to identify specific benign or malicious users with attack models trained with netflow data/metrics.
With respect to claim 3, Gaber discloses that an individual ML model outputs a prediction based on acquiring any type or category of feature relevant for prediction, that the ML model outputs are features merged into a feature vector, and classifying the union of the subsets of the individual models' features (¶0022, ¶0023, ¶0032). Gaber does not explicitly disclose the following. Scherman, in order to identify specific benign or malicious users with attack models trained with netflow data/metrics (¶0024), discloses: the method of claim 2, wherein the first feature vector is generated based on a feature set representing features of a preset number of packets for each of the flows (i.e., determining a ratio of TCP flags from the respective packets of the flow; a preset number of packets is suggested by dividing the tuple into a timeframe and an average time between packets as collected characteristics in Scherman, ¶0017, ¶0023, ¶0033).
Based on Gaber in view of Scherman, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Scherman to improve upon those of Gaber in order to identify specific benign or malicious users with attack models trained with netflow data/metrics.
With respect to claim 4, Gaber discloses that an individual ML model outputs a prediction based on acquiring any type or category of feature relevant for prediction, that the ML model outputs are features merged into a feature vector, and classifying the union of the subsets of the individual models' features (¶0022, ¶0023, ¶0032). Gaber does not explicitly disclose the following. Scherman, in order to identify specific benign or malicious users with attack models trained with netflow data/metrics (¶0024), discloses: the method of claim 3, wherein the second feature vector is generated based on a feature set representing features of the flows in the network traffic (i.e., flow level features such as duration, direction, determining inbound/outbound, state, flags; aggregating the metrics for flows over client devices and cloud servers in Scherman, ¶0023, ¶0024).
Based on Gaber in view of Scherman, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Scherman to improve upon those of Gaber in order to identify specific benign or malicious users with attack models trained with netflow data/metrics.
With respect to claim 7, Gaber discloses that features correspond to any type or category of information relevant for the ML model prediction context, an important feature being one that has a statistically significant impact on the result of the ML model (¶0032, ¶0034). Gaber does not explicitly disclose the following. Scherman, in order to identify specific benign or malicious users with attack models trained with netflow data/metrics (¶0024), discloses: the method of claim 3, wherein features of a packet include
a size of the packet (i.e., packet sizes of the flow in Scherman, ¶0023),
a size of an IP packet header (i.e., determine several bits of header for flags to identify features of the communication in Scherman, ¶0017),
an inter-arrival time (i.e., time between requests and communications in Scherman, ¶0023),
a direction of the packet (i.e., metrics include a flow direction to/from malicious party in Scherman, ¶0023),
an inter-arrival time according to the direction of the packet (i.e., time between requests, determining the flow direction to/from, analyzing inbound and outbound separately in Scherman, ¶0023), and
a flag value of the packet (i.e., TCP flags corresponding to the type of communication in Scherman, ¶0017, ¶0023).
Based on Gaber in view of Scherman, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Scherman to improve upon those of Gaber in order to identify specific benign or malicious users with attack models trained with netflow data/metrics.
With respect to claim 8, Gaber discloses that features correspond to any type or category of information relevant for the ML model prediction context, an important feature being one that has a statistically significant impact on the result of the ML model (¶0032, ¶0034). Gaber does not explicitly disclose the following. Scherman, in order to identify specific benign or malicious users with attack models trained with netflow data/metrics (¶0024), discloses: the method of claim 4, wherein the features of the flows include
basic flow information (i.e., flow information and groupings of IP packets by source and destination in Scherman, ¶0021),
flow duration (i.e., time between communications of TCP/IP communications flows in Scherman, ¶0023),
a flow direction (i.e., determining communication direction to/from inbound/outbound of malicious users in Scherman, ¶0023),
a flow state (i.e., changes in TCP flags of incoming and outgoing flows in Scherman, ¶0023), and
a number of packets (i.e., number of packets suggested by performing an average of packet sizes as part of feature data collected in Scherman, ¶0023, ¶0024).
Based on Gaber in view of Scherman, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Scherman to improve upon those of Gaber in order to identify specific benign or malicious users with attack models trained with netflow data/metrics.
With respect to claim 9, Gaber discloses that features correspond to any type or category of information relevant for the ML model prediction context, an important feature being one that has a statistically significant impact on the result of the ML model (¶0032, ¶0034). Gaber does not explicitly disclose the following. Scherman, in order to identify specific benign or malicious users with attack models trained with netflow data/metrics (¶0024), discloses: the method of claim 1, wherein the features of the flow set further include
a number of flows (i.e., number of incoming and outgoing flows from the cloud service and client device in Scherman, ¶0023),
variety of destination IP addresses (i.e., metrics gathered for flows from client device to all servers in Scherman, ¶0023), and
statistical information on flows in the flow set (i.e., average packet sizes of flows, aggregated flow metrics averaged over the servers in Scherman, ¶0023, ¶0024).
Based on Gaber in view of Scherman, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Scherman to improve upon those of Gaber in order to identify specific benign or malicious users with attack models trained with netflow data/metrics.
With respect to claim 10, Gaber discloses that features correspond to any type or category of information relevant for the ML model prediction context, an important feature being one that has a statistically significant impact on the result of the ML model (¶0032, ¶0034). Gaber does not explicitly disclose the following. Scherman, in order to identify specific benign or malicious users with attack models trained with netflow data/metrics (¶0024), discloses: the method of claim 8, wherein the basic flow information includes a source IP address, a source port, a destination IP address, a destination port, and protocol information (i.e., IP flow packet information includes groupings of packets that share source and destination addresses and protocol; SYN flags correspond to port information and are a known attack vector in scanning ports to attack in Scherman, ¶0021, ¶0023).
Based on Gaber in view of Scherman, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Scherman to improve upon those of Gaber in order to identify specific benign or malicious users with attack models trained with netflow data/metrics.
With respect to claim 11, the limitation(s) of claim 11 are similar to those of claim(s) 1. Therefore, claim 11 is rejected with the same reasoning as claim(s) 1.
With respect to claim 12, the limitation(s) of claim 12 are similar to those of claim(s) 2. Therefore, claim 12 is rejected with the same reasoning as claim(s) 2.
With respect to claim 13, the limitation(s) of claim 13 are similar to those of claim(s) 3. Therefore, claim 13 is rejected with the same reasoning as claim(s) 3.
With respect to claim 14, the limitation(s) of claim 14 are similar to those of claim(s) 4. Therefore, claim 14 is rejected with the same reasoning as claim(s) 4.
With respect to claim 17, the limitation(s) of claim 17 are similar to those of claim(s) 7. Therefore, claim 17 is rejected with the same reasoning as claim(s) 7.
With respect to claim 18, the limitation(s) of claim 18 are similar to those of claim(s) 8. Therefore, claim 18 is rejected with the same reasoning as claim(s) 8.
With respect to claim 19, the limitation(s) of claim 19 are similar to those of claim(s) 9. Therefore, claim 19 is rejected with the same reasoning as claim(s) 9.
With respect to claim 20, the limitation(s) of claim 20 are similar to those of claim(s) 10. Therefore, claim 20 is rejected with the same reasoning as claim(s) 10.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHERMAN L LIN whose telephone number is (571)270-7446. The examiner can normally be reached Monday through Friday 9:00 AM - 5:00 PM (Eastern).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joon Hwang can be reached on 571-272-4036. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
Sherman Lin
3/7/2026
/S. L./Examiner, Art Unit 2447
/JOON H HWANG/Supervisory Patent Examiner, Art Unit 2447