DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. Claims 1-10 are pending and have been examined.
Priority
Acknowledgment is made of applicant’s claim for foreign priority under 35 U.S.C. 119 (a)-(d). The certified copy has been filed in parent Application No. KR10-2021-0162305, filed on November 23, 2021.
Claim Objections
Claim 6 is objected to because the claim recites “import feature value” and it should read “important feature value” instead. Appropriate correction is required.
Drawing Objections
The drawings are objected to because the description for Fig. 6 recites "Enter shap into ragne [...]", but "ragne" should read "range". Corrected drawing sheets in compliance with 37 CFR 1.121(d) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. The figure or figure number of an amended drawing should not be labeled as “amended.” If a drawing figure is to be canceled, the appropriate figure must be removed from the replacement sheet, and where necessary, the remaining figures must be renumbered and appropriate changes made to the brief description of the several views of the drawings for consistency. Additional replacement sheets may be necessary to show the renumbering of the remaining figures. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be notified and informed of any required corrective action in the next Office action. The objection to the drawings will not be held in abeyance.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.
Claims 1-10 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Regarding Claim 1, the claim recites "A valuable alert screening method", but "valuable" is relative terminology and the specification fails to provide a definition of what "valuable" is. The claim also recites "important features", but "important" is also relative terminology and there is no explicit definition for what is considered an "important feature". For these reasons, the claim is rendered indefinite. For purposes of examination, "A valuable alert screening method" will be construed as "An alert screening method", "important features" will be construed as the features for analysis, and "range group" will be construed as the result of performing range processing, as described in claim 1.
Regarding Claim 2, the claim contains the trademark/trade name "Python". Where a trademark or trade name is used in a claim as a limitation to identify or describe a particular material or product, the claim does not comply with the requirements of 35 U.S.C. 112(b) or pre-AIA 35 U.S.C. 112, second paragraph. See Ex parte Simpson, 218 USPQ 1020 (Bd. App. 1982). The claim scope is uncertain since the trademark or trade name cannot be used properly to identify any particular material or product. A trademark or trade name is used to identify a source of goods, and not the goods themselves. Thus, a trademark or trade name does not identify or describe the goods associated with the trademark or trade name. In the present case, the trademark/trade name is used to identify/describe software programming libraries and, accordingly, the identification/description is indefinite.
Regarding Claims 3-9, the dependent claims inherit the deficiencies of their respective parent claims and are likewise rejected.
Regarding Claim 10, the term "more additional review" is a relative term which renders the claim indefinite. The term “more additional review” is not defined by the claim, the specification does not provide a standard for ascertaining the requisite degree, and one of ordinary skill in the art would not be reasonably apprised of the scope of the invention. Therefore, the claim is considered indefinite. For purposes of examination, the claim limitation will be construed as alerting that the suspicion score has increased.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1-10 are rejected under 35 U.S.C.101 because the claimed invention is directed to an abstract idea without significantly more.
Step 1: Claims 1-10 are directed to a process.
With respect to claim 1:
2A Prong 1: The claim recites an abstract idea. Specifically:
detecting malicious threat (Mathematical concept & mental process – detecting a malicious threat involves mathematical calculations and can be practically performed in the human mind – see MPEP § 2106.04(a)(2))
generating explainable artificial intelligence (XAI) explainability (Mathematical concept – generating an XAI explainability involves mathematical calculations – see MPEP § 2106.04(a)(2)(I))
and selecting important features based on summary plot (Mental process – selecting important features based on a summary plot can be practically performed in the human mind, or by a human using a pen and paper as a physical aid – see MPEP § 2106.04(a)(2)(III))
performing range processing based on data distribution of important features selected for analysis without bias (Mathematical concept & mental process – performing range processing based on data distribution involves mathematical calculations and can be practically performed in the human mind, or by a human using a pen and paper as a physical aid – see MPEP § 2106.04(a)(2))
calculating a SHAP value average and standard deviation of each range group (Mathematical concept – calculating a SHAP value average and standard deviation involves mathematical calculations – see MPEP § 2106.04(a)(2)(I))
to determine suspicion and reliability of the test data (Mathematical concept & mental process – determining suspicion and reliability of the test data involves mathematical calculations and/or can be practically performed in the human mind, or by a human using a pen and paper as a physical aid – see MPEP § 2106.04(a)(2))
making prediction (Mental process – making a prediction can be practically performed in the human mind – see MPEP § 2106.04(a)(2)(II))
calculating a SHAP value of the test data (Mathematical concept – calculating a SHAP value involves mathematical calculations – see MPEP § 2106.04(a)(2)(I))
to calculate FOS for each important feature of the test data (Mathematical concept – calculating a FOS involves mathematical calculations – see MPEP § 2106.04(a)(2)(I))
calculating a suspicion score for each data by aggregating the FOS after calculating the FOS for each feature (Mathematical concept – calculating a suspicion score involves mathematical calculations – see MPEP § 2106.04(a)(2)(I))
2A Prong 2: The additional elements recited in the claim do not integrate the abstract idea into a practical application, individually or in combination.
Additional elements:
generating an artificial intelligence (AI) model based on training data for prediction of test data (Adding the words “apply it” (or an equivalent) with the judicial exception, or mere instructions to implement an abstract idea on a computer, or merely uses a computer as a tool to perform an abstract idea – see MPEP 2106.05(f).)
by using an AI model explainer and the training data; (Adding the words “apply it” (or an equivalent) with the judicial exception, or mere instructions to implement an abstract idea on a computer, or merely uses a computer as a tool to perform an abstract idea – see MPEP 2106.05(f).)
and then storing them (Mere data gathering – see MPEP § 2106.05(g).)
by using an AI model generated in advance after feature processing in the same way as the training data at the time of inputting the test data (Adding the words “apply it” (or an equivalent) with the judicial exception, or mere instructions to implement an abstract idea on a computer, or merely uses a computer as a tool to perform an abstract idea – see MPEP 2106.05(f).)
by using the test data and the AI model explainer generated in advance (Adding the words “apply it” (or an equivalent) with the judicial exception, or mere instructions to implement an abstract idea on a computer, or merely uses a computer as a tool to perform an abstract idea – see MPEP 2106.05(f).)
loading feature outlier score (FOS) calculation information (Mere data gathering – see MPEP § 2106.05(g).)
2B: The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception.
Additional elements:
generating an artificial intelligence (AI) model based on training data for prediction of test data (Adding the words “apply it” (or an equivalent) with the judicial exception, or mere instructions to implement an abstract idea on a computer, or merely uses a computer as a tool to perform an abstract idea – see MPEP 2106.05(f).)
by using an AI model explainer and the training data; (Adding the words “apply it” (or an equivalent) with the judicial exception, or mere instructions to implement an abstract idea on a computer, or merely uses a computer as a tool to perform an abstract idea – see MPEP 2106.05(f).)
and then storing them (Simply appending well-understood, routine, conventional activities previously known to the industry, specified at a high level of generality, to the judicial exception (WURC) - see MPEP § 2106.05(d)(II)(iv) storing and retrieving information in memory, Versata Dev. Group, Inc. v. SAP Am., Inc., 793 F.3d 1306, 1334, 115 USPQ2d 1681, 1701 (Fed. Cir. 2015); OIP Techs., 788 F.3d at 1363, 115 USPQ2d at 1092-93)
by using an AI model generated in advance after feature processing in the same way as the training data at the time of inputting the test data (Adding the words “apply it” (or an equivalent) with the judicial exception, or mere instructions to implement an abstract idea on a computer, or merely uses a computer as a tool to perform an abstract idea – see MPEP 2106.05(f).)
by using the test data and the AI model explainer generated in advance (Adding the words “apply it” (or an equivalent) with the judicial exception, or mere instructions to implement an abstract idea on a computer, or merely uses a computer as a tool to perform an abstract idea – see MPEP 2106.05(f).)
loading feature outlier score (FOS) calculation information (Simply appending well-understood, routine, conventional activities previously known to the industry, specified at a high level of generality, to the judicial exception (WURC) - see MPEP § 2106.05(d)(II)(i) - Receiving or transmitting data over a network, e.g., using the Internet to gather data, Symantec, 838 F.3d at 1321, 120 USPQ2d at 1362 (utilizing an intermediary computer to forward information).)
Therefore, the claim is ineligible.
With respect to claim 2:
2A Prong 1: The claim recites an abstract idea. Specifically:
selecting the important features (Mental process – selecting important features can be practically performed in the human mind, or by a human using a pen and paper as a physical aid – see MPEP § 2106.04(a)(2)(III))
a shapley additive explanations (SHAP) value is calculated by using the training data in the AI model explainer (Mathematical concept – calculating a SHAP value involves mathematical calculations – see MPEP § 2106.04(a)(2)(I))
and 10 important features analyzable on the basis of analyst's knowledge are selected out of the 20 features (Mental process – selecting important features on the basis of analyst’s knowledge is an evaluation that can be practically performed in the human mind, or by a human using a pen and paper as a physical aid – see MPEP § 2106.04(a)(2)(III))
2A Prong 2: The additional elements recited in the claim do not integrate the abstract idea into a practical application, individually or in combination.
Additional elements:
an AI model explainer is generated through libraries in Python (Adding the words “apply it” (or an equivalent) with the judicial exception, or mere instructions to implement an abstract idea on a computer, or merely uses a computer as a tool to perform an abstract idea – see MPEP 2106.05(f).)
a summary plot is generated through the calculated SHAP value, top 20 important features is generated in the summary plot (Adding insignificant extra-solution activity to the judicial exception – see MPEP § 2106.05(g).)
top 20 important features is generated in the summary plot (Adding insignificant extra-solution activity to the judicial exception – see MPEP § 2106.05(g).)
2B: The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception.
Additional elements:
an AI model explainer is generated through libraries in Python (Adding the words “apply it” (or an equivalent) with the judicial exception, or mere instructions to implement an abstract idea on a computer, or merely uses a computer as a tool to perform an abstract idea – see MPEP 2106.05(f).)
a summary plot is generated through the calculated SHAP value, top 20 important features is generated in the summary plot (Simply appending well-understood, routine, conventional activities previously known to the industry, specified at a high level of generality, to the judicial exception (WURC) - see MPEP § 2106.05(d)(II) - Presenting offers and gathering statistics, OIP Techs., 788 F.3d at 1362-63, 115 USPQ2d at 1092-93)
top 20 important features is generated in the summary plot (Simply appending well-understood, routine, conventional activities previously known to the industry, specified at a high level of generality, to the judicial exception (WURC) - see MPEP § 2106.05(d)(II) - Presenting offers and gathering statistics, OIP Techs., 788 F.3d at 1362-63, 115 USPQ2d at 1092-93)
Therefore, the claim is ineligible.
With respect to claim 3:
2A Prong 1: The claim recites an abstract idea. Specifically:
wherein the performing of the range processing, a range group is generated by adding the SHAP value to the range group when the number of data corresponding to a unique value for each important feature is counted and satisfies a setting condition. (Mathematical concept – performing the range processing involves mathematical calculations – see MPEP § 2106.04(a)(2)(I))
Additionally, the claim does not recite any new additional elements that would amount to an integration of the abstract idea into a practical application (individually or in combination) or significantly more than the judicial exception.
Therefore, the claim is ineligible.
With respect to claim 4:
2A Prong 2: The additional elements recited in the claim do not integrate the abstract idea into a practical application, individually or in combination.
Additional elements:
wherein the range is generated through the unique value of the feature (Adding the words “apply it” (or an equivalent) with the judicial exception, or mere instructions to implement an abstract idea on a computer, or merely uses a computer as a tool to perform an abstract idea – see MPEP 2106.05(f).)
2B: The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception.
Additional elements:
wherein the range is generated through the unique value of the feature (Adding the words “apply it” (or an equivalent) with the judicial exception, or mere instructions to implement an abstract idea on a computer, or merely uses a computer as a tool to perform an abstract idea – see MPEP 2106.05(f).)
Therefore, the claim is ineligible.
With respect to claim 5:
2A Prong 2: The additional elements recited in the claim do not integrate the abstract idea into a practical application, individually or in combination.
Additional elements:
wherein a range, average, and standard deviation for each important feature are stored in the FOS calculation information. (Mere data gathering – see MPEP § 2106.05(g).)
2B: The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception.
Additional elements:
wherein a range, average, and standard deviation for each important feature are stored in the FOS calculation information. (Simply appending well-understood, routine, conventional activities previously known to the industry, specified at a high level of generality, to the judicial exception (WURC) - see MPEP § 2106.05(d)(II)(iv) storing and retrieving information in memory, Versata Dev. Group, Inc. v. SAP Am., Inc., 793 F.3d 1306, 1334, 115 USPQ2d 1681, 1701 (Fed. Cir. 2015); OIP Techs., 788 F.3d at 1363, 115 USPQ2d at 1092-93)
Therefore, the claim is ineligible.
With respect to claim 6:
2A Prong 1: The claim recites an abstract idea. Specifically:
wherein in the loading of the FOS calculation information, each import feature value of each data of the test data is compared to the range stored in the FOS calculation information, and then FOS=abs(CDF−0.5)*2 is calculated by using information of the corresponding group and a SHAP value of test data. (Mathematical concept – the FOS calculation involves mathematical calculations and the claim recites a mathematical formula – see MPEP § 2106.04(a)(2)(I))
Additionally, the claim does not recite any new additional elements that would amount to an integration of the abstract idea into a practical application (individually or in combination) or significantly more than the judicial exception.
Therefore, the claim is ineligible.
With respect to claim 7:
2A Prong 1: The claim recites an abstract idea. Specifically:
wherein a score representing a degree of abnormality for each important feature is calculated to determine reliability and suspicion of FOS AI model prediction. (Mathematical concept – calculating a degree of abnormality score to determine reliability and suspicion involves mathematical calculations – see MPEP § 2106.04(a)(2)(I))
Additionally, the claim does not recite any new additional elements that would amount to an integration of the abstract idea into a practical application (individually or in combination) or significantly more than the judicial exception.
Therefore, the claim is ineligible.
With respect to claim 8:
2A Prong 1: The claim recites an abstract idea. Specifically:
wherein in the calculating of the suspicion score, there is FOS for each important feature of each data, and when the FOS is above a setting threshold, the feature determines that the prediction of the AI model is suspicious, and when the FOS is below the threshold, the feature determines that the prediction of the AI model is reliable. (Mathematical concept & mental process – calculating the suspicion score by evaluating if the FOS score is above or below a setting threshold involves mathematical calculations and/or can be practically performed in the human mind – see MPEP § 2106.04(a)(2))
Additionally, the claim does not recite any new additional elements that would amount to an integration of the abstract idea into a practical application (individually or in combination) or significantly more than the judicial exception.
Therefore, the claim is ineligible.
With respect to claim 9:
2A Prong 1: The claim recites an abstract idea. Specifically:
wherein after the suspicion and reliability about the AI model prediction for each important feature are determined, a suspicion score is calculated by counting the number of suspicious features. (Mathematical concept & mental process – calculating a suspicion score by counting the number of suspicious features involves mathematical calculations and/or can be practically performed in the human mind – see MPEP § 2106.04(a)(2)(I))
Additionally, the claim does not recite any new additional elements that would amount to an integration of the abstract idea into a practical application (individually or in combination) or significantly more than the judicial exception.
Therefore, the claim is ineligible.
With respect to claim 10:
2A Prong 1: The claim recites an abstract idea. Specifically:
[…] the data is screened as data requiring more additional review. (Mental process – screening data as requiring more additional review can be practically performed in the human mind, or by a human using a pen and paper as a physical aid – see MPEP § 2106.04(a)(2)(III))
2A Prong 2: The additional elements recited in the claim do not integrate the abstract idea into a practical application, individually or in combination.
Additional elements:
wherein as the calculated suspicion score gets higher (Adding the words “apply it” (or an equivalent) with the judicial exception, or mere instructions to implement an abstract idea on a computer, or merely uses a computer as a tool to perform an abstract idea – see MPEP 2106.05(f).)
2B: The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception.
Additional elements:
wherein as the calculated suspicion score gets higher. (Adding the words “apply it” (or an equivalent) with the judicial exception, or mere instructions to implement an abstract idea on a computer, or merely uses a computer as a tool to perform an abstract idea – see MPEP 2106.05(f).)
Therefore, the claim is ineligible.
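Added illustration, not part of the Office action or the application: a minimal Python sketch of the screening pipeline as the quoted limitations of claims 1, 3, 5, 6, 8, 9 and 10 describe it (range groups, per-group SHAP average and standard deviation, FOS=abs(CDF−0.5)*2, thresholding, counting suspicious features, ranking). Assumptions not stated on the page: the CDF is a normal CDF with the group's average and standard deviation, the "setting condition" is a minimum row count, the threshold is 0.95, and the feature names and SHAP values are constructed by hand.

```python
import math
from bisect import bisect_left
from statistics import mean, pstdev

def build_range_groups(feature_values, shap_values, min_count=3):
    """Training phase for one feature: walk the sorted unique values, close a range
    once it holds >= min_count rows (assumed setting condition), and keep
    (upper_bound, shap_average, shap_std) per range group."""
    by_value = {}
    for v, s in zip(feature_values, shap_values):
        by_value.setdefault(v, []).append(s)
    groups, bucket = [], []
    for v in sorted(by_value):
        bucket.extend(by_value[v])
        if len(bucket) >= min_count:
            groups.append([v, bucket])
            bucket = []
    if bucket:  # leftover rows that never met the condition join the last range
        if groups:
            groups[-1][0] = max(by_value)
            groups[-1][1].extend(bucket)
        else:
            groups.append([max(by_value), bucket])
    return [(ub, mean(b), pstdev(b)) for ub, b in groups]

def find_group(groups, value):
    """Compare a test feature value to the stored ranges; values beyond the
    last upper bound fall into the last range group."""
    uppers = [g[0] for g in groups]
    return groups[min(bisect_left(uppers, value), len(groups) - 1)]

def fos(shap_value, mu, sigma):
    """FOS = abs(CDF - 0.5) * 2, with CDF assumed normal(mu, sigma)."""
    if sigma == 0:  # degenerate group: any deviation is maximally unusual
        return 0.0 if shap_value == mu else 1.0
    cdf = 0.5 * (1 + math.erf((shap_value - mu) / (sigma * math.sqrt(2))))
    return abs(cdf - 0.5) * 2

def suspicion_score(features, shap, fos_info, threshold=0.95):
    """Count the features whose FOS is above the threshold (suspicious);
    features at or below it are treated as reliable."""
    suspicious = []
    for name, groups in fos_info.items():
        _, mu, sigma = find_group(groups, features[name])
        if fos(shap[name], mu, sigma) > threshold:
            suspicious.append(name)
    return len(suspicious), suspicious

def screen(alerts, fos_info, threshold=0.95):
    """Rank alerts so that higher suspicion scores are reviewed first."""
    scored = []
    for alert_id, features, shap in alerts:
        score, names = suspicion_score(features, shap, fos_info, threshold)
        scored.append((alert_id, score, names))
    return sorted(scored, key=lambda r: -r[1])

# Constructed training data: per feature, (feature values, SHAP values).
TRAIN = {
    "conn_count": ([1, 1, 1, 2, 2, 2, 3, 3, 3],
                   [0.10, 0.12, 0.08, 0.20, 0.22, 0.18, 0.30, 0.32, 0.28]),
    "bytes_out": ([100, 100, 100, 400, 400, 400, 900, 900, 900],
                  [-0.05, -0.04, -0.06, 0.10, 0.11, 0.09, 0.40, 0.42, 0.38]),
}
# "FOS calculation information": range, average and standard deviation per feature.
FOS_INFO = {name: build_range_groups(v, s) for name, (v, s) in TRAIN.items()}

# Constructed test alerts: (id, feature values, SHAP values of the prediction).
ALERTS = [
    ("alert-1", {"conn_count": 2, "bytes_out": 400},
                {"conn_count": 0.21, "bytes_out": 0.10}),
    ("alert-2", {"conn_count": 3, "bytes_out": 900},
                {"conn_count": 0.05, "bytes_out": 0.95}),
    ("alert-3", {"conn_count": 1, "bytes_out": 5000},
                {"conn_count": 0.11, "bytes_out": 0.10}),
]

if __name__ == "__main__":
    for alert_id, score, names in screen(ALERTS, FOS_INFO):
        print(alert_id, score, names)
```

Under the normal-CDF assumption, FOS equals the probability mass within |z| standard deviations of the group average, so a threshold of 0.95 flags SHAP values roughly two or more standard deviations from what the range group showed in training.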
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim 1 is rejected under 35 U.S.C. 103 as being unpatentable over Das ("DDoS Explainer using Interpretable Machine Learning") in view of Weerts ("A Human-Grounded Evaluation of SHAP for Alert Processing"), Vuppalapati ("Machine Learning and Artificial Intelligence for Agricultural Economics"), Garreau ("Looking deeper into LIME"), and Goldberg ("Explaining and Aggregating Anomalies to Detect Insider Threats"), hereafter Das, Weerts, Vuppalapati, Garreau, and Goldberg respectively.
Regarding Claim 1, Das teaches:
A valuable alert screening method for detecting malicious threat, comprising:
generating explainable artificial intelligence (XAI) explainability […] by using an AI model explainer and the training data; (Das [pg. 4, section IV. METHOD: DDOS EXPLAINER MODEL] teaches: "That’s why, we use two interpretable machine learning techniques to build the explainer models and after comparing these two explainer models, the best performing model generates the appropriate explanation of the detected DDoS attacks which improves the trustworthiness of the decision-making process to the security experts. [...] As mentioned earlier, we have used two IML models, namely LIME and SHAP to develop the explainer models from the training dataset. Each explainer model generates the explanations for training, testing and verification data separately where the prediction for these data instances are obtained from DDoS detection phase." Das [pg. 7, section VI. RESULTS AND DISCUSSION] teaches: "On the other hand, Fig. 4 shows the SHAP explanation with important features and a confidence score of 40.83." Additionally, Table II on page 5 teaches the average likelihood of scores using SHAP for the training data. Examiner's note: under BRI, "generating explainable artificial intelligence (XAI) explainability" can be interpreted as the explainer model generating the explanations, the "AI model explainer" is the SHAP model, which when applied to the training dataset generates SHAP explanations.)
making prediction by using an AI model generated in advance after feature processing in the same way as the training data at the time of inputting the test data; (Das [pg. 4, section B. SHapley Additive exPlanations (SHAP)] teaches: “[…] feed the dataset to the data preprocessing phase to produce ML model acceptable preprocessed data. From the preprocessed data, the ensemble supervised ML framework classifies them and generates various models using different modeling algorithm.” Das [pg. 5, section B. SHapley Additive exPlanations (SHAP)] teaches: “Here, we have used verification dataset to mimic the real-time data that can go through the best performing supervised pre-trained model and the model distinguishes the DDoS and Benign traffic.” Additionally, Das [pg. 3, Fig. 2] teaches the best performing Supervised Model making predictions and the data preprocessing for feature selection prior to the model making predictions (e.g. DDoS vs Benign). Therefore, "after feature processing" can be interpreted as the data preprocessing described in Fig. 2 of the Das reference, and “generated in advance” can be interpreted as the ensemble supervised framework that builds the model prior to making a prediction.)
calculating a SHAP value of the test data by using the test data and the AI model explainer generated in advance. (Das [pg. 4, section IV. METHOD: DDOS EXPLAINER MODEL] teaches: "Each explainer model generates the explanations for training, testing and verification data separately where the prediction for these data instances are obtained from DDoS detection phase. [...] As mentioned earlier, we have used two IML models, namely LIME and SHAP to develop the explainer models from the training dataset." Das [pg. 7, section VI. RESULTS AND DISCUSSION] teaches: "On the other hand, Fig. 4 shows the SHAP explanation with important features and a confidence score of 40.83." Examiner's note: Das teaches generating SHAP explanations (i.e., SHAP values) for testing data. Fig. 4 on page 6 of the Das reference also teaches the SHAP value as input into a formula for plotting the values. Additionally, Das explicitly teaches developing the SHAP model from the training dataset, and thus the explainer models are generated in advance (i.e., prior to calculating the SHAP value).)
Das is not relied upon for teaching:
generating an artificial intelligence (AI) model based on training data for prediction of test data;
[…] and selecting important features based on summary plot […]
performing range processing based on data distribution of important features selected for analysis without bias;
calculating a SHAP value average and standard deviation of each range group […]
[…] and then storing them to determine suspicion and reliability of the test data;
loading feature outlier score (FOS) calculation information to calculate FOS for each important feature of the test data; and
calculating a suspicion score for each data by aggregating the FOS after calculating the FOS for each feature.
However, Weerts teaches: generating an artificial intelligence (AI) model based on training data for prediction of test data; (Weerts [pg. 5, section 5.2 Experiment Details] teaches: "we have split the data set into a training and test set and trained a random forest classifier." Examiner’s note: a classifier is a type of artificial intelligence (AI) model.)
[…] and selecting important features based on summary plot […] (Weerts [pg. 2, section 3 Hypotheses] teaches: "[...] the SHAP explanation may point the domain expert towards important feature values they would not have considered without being exposed to the explanation. [...] Because SHAP explanations reveal which feature values are relevant for the model’s decision, they can be used to determine whether the model’s explanation is reasonable given domain knowledge." Additionally, Weerts [pg. 3, Figure 1] teaches a SHAP values plot, and under BRI, the "summary plot" can be interpreted as Figure 1 of the Weerts reference.)
Accordingly, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention, having the teachings of Das and Weerts before them, to include Weerts' splitting of data set into a training and test set and training a classifier and using relevant features to determine whether a model's explanations are reasonable in Das' DDoS explainer. One would have been motivated to make such a combination in order for the classifier to make correct predictions that agree with human intuition (Weerts [pg. 5, section 5.3 Results of Experiment 2]).
Das in view of Weerts is not relied upon for teaching:
performing range processing based on data distribution of important features selected for analysis without bias;
calculating a SHAP value average and standard deviation of each range group […]
[…] and then storing them to determine suspicion and reliability of the test data;
loading feature outlier score (FOS) calculation information to calculate FOS for each important feature of the test data; and
calculating a suspicion score for each data by aggregating the FOS after calculating the FOS for each feature.
However, Vuppalapati teaches: performing range processing based on data distribution of important features selected for analysis without bias; (Vuppalapati [pg. 137, Binning] teaches: "Binning or grouping data (sometimes called quantization) is an important tool in preparing numerical data for machine learning modeling and is applicable in the following scenarios:
A column of continuous numbers has too many unique values to model effectively, so you automatically or manually assign the values to groups, to create a smaller set of discrete ranges.
Replace a column of numbers with categorical values that represent specific ranges.
A dataset has a few extreme values, all well outside the expected range, and these values have an outsized influence on the trained model.
[...] Each bin represents a specific degree of intensity and hence a specific range of continuous numeric values fall into it." Vuppalapati [pg. 138, Adaptive Binning] teaches: "In adaptive binning, as the name implies, data distribution itself decides bin ranges. Quantile-based binning is a good strategy to use for adaptive binning. Quantiles are specific values or cut points which help in partitioning the continuous valued distribution of a specific numeric field into discrete contiguous bins or intervals. Thus, q-Quantiles help in partitioning a numeric attribute into q equal partitions." Examiner's note: A person having ordinary skill in the art would recognize that the process of binning mitigates the influence on the trained model when all or few values in the dataset are well outside the expected range, and thus reducing the influence of these values on the outputs of the trained model for explainability (i.e., analysis without bias), as disclosed in the Vuppalapati reference. This binning technique can be applied to the calculated SHAP explanations (i.e., SHAP values) from Das.)
Accordingly, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention, having the teachings of Das, Weerts, and Vuppalapati before them, to include Vuppalapati's binning technique based on the data distribution itself for deciding bin ranges in Das/Weerts' DDoS explainer. One would have been motivated to make such a combination in order to handle scenarios where a dataset having extreme values could have a lot of influence on the trained model and its prediction (Vuppalapati [pg. 137, Binning]).
Das in view of Weerts and Vuppalapati is not relied upon for teaching:
calculating a SHAP value average and standard deviation of each range group […]
[…] and then storing them to determine suspicion and reliability of the test data;
loading feature outlier score (FOS) calculation information to calculate FOS for each important feature of the test data; and
calculating a suspicion score for each data by aggregating the FOS after calculating the FOS for each feature.
However, Garreau teaches: calculating a SHAP value average and standard deviation of each range group […] (Garreau [pg. 8, Figure 2] teaches: "[...] then the means and standard deviation for each bin (red cross is the mean)." Examiner's note: the combination of Das, Weerts, and Vuppalapati teaches a binning technique based on the data distribution for determining bin ranges, in which we assign the values (i.e., SHAP values or explanations) to groups. A person having ordinary skill in the art could apply Garreau's mean and standard deviation calculations to Das/Weerts/Vuppalapati's values in bins, which are the SHAP explanations (i.e., SHAP values) according to a distribution, as taught above in claim limitation 1 (j).)
Accordingly, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention, having the teachings of Das, Weerts, Vuppalapati, and Garreau before them, to include Garreau's mean and standard deviation calculations for bins in Das/Weerts/Vuppalapati's DDoS explainer. One would have been motivated to make such a combination in order to design better interpretability methods of explainable models that yield predictions close to empirical results (Garreau [pg. 30, section 5. Conclusion]).
Das in view of Weerts, Vuppalapati, and Garreau is not relied upon for teaching, but Goldberg teaches: […] and then storing them to determine suspicion and reliability of the test data; (Goldberg [pg. 4, A. Single Feature Outlier Scores] teaches: "This section explains how we calculate single feature outlier scores. […] We compute an outlier score using the cumulative distribution function (CDF) of the logistic distribution with mean and variance of this population. This score is normalized to [0, 1] and is easily compared with other features’ scores." Goldberg [pg. 1, section II. THE PRODIGAL SYSTEM] teaches: "PRODIGAL’s unsupervised anomaly detection ensemble […] and develop the detectors (D) for the period of analysis; examples of D include: Top 5, 1 Day; Top 10, 3 Days; Top 50, and 4 Days. We denote a detector with thresholds τ₁ and τ₂ as D(τ₁, τ₂). 3) Data: We used 21 months of test data [...]." Examiner's note: under BRI, "storing them (i.e., mean and standard deviation for each bin) to determine suspicion [...] of the test data" can be interpreted as having the mean and variance of the population in order to compute the feature outlier score to subsequently determine the degree of anomalousness (i.e. suspicion). A person of ordinary skill would recognize that in order to determine the degree of anomalousness, you would need to have access to the mean and standard deviation results, which thus must be stored and accessible by the feature outlier score calculation process. Furthermore, "to determine [...] reliability of the test data" can be interpreted as the calculated degree of anomalousness being below the rank cutoffs τ₁ and τ₂.)
loading feature outlier score (FOS) calculation information to calculate FOS for each important feature of the test data; and (Goldberg [pg. 4, A. Single Feature Outlier Scores] teaches: "This section explains how we calculate single feature outlier scores. […] We compute an outlier score using the cumulative distribution function (CDF) of the logistic distribution with mean and variance of this population. This score is normalized to [0, 1] and is easily compared with other features’ scores." Examiner’s note: under BRI, “loading feature outlier score (FOS) calculation information” can be interpreted as applying the values needed to the formula in order to calculate the FOS. Goldberg teaches calculating the FOS, and therefore must apply the respective values to the formula in order to perform the calculation.)
calculating a suspicion score for each data by aggregating the FOS after calculating the FOS for each feature. (Goldberg [pg. 4, A. Single Feature Outlier Scores] teaches: "PRODIGAL’s unsupervised anomaly detection ensemble combines scores from multiple diverse detectors into single user-day scores each month, resulting in a ranked and scored list of user-days ordered by the degree of anomalousness." Examiner's note: under BRI, "calculating a suspicion score" can be interpreted as the resulting ranked and scored list ordered by degree of anomalousness (i.e., suspicion). This result is obtained by combining scores from multiple diverse detectors (i.e., for each data by aggregating the FOS).)
Accordingly, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention, having the teachings of Das, Weerts, Vuppalapati, Garreau, and Goldberg before them, to include Goldberg's feature outlier calculation and degree of anomalousness calculation in Das/Weerts/Vuppalapati/Garreau's DDoS explainer. One would have been motivated to make such a combination in order to help analysts discriminate between malicious and legitimate activities with similar high anomaly detection scores (Goldberg [pg. 8, section V. CONCLUSIONS AND ONGOING RESEARCH]).
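The pipeline discussed for claim 1 (quantile-based range groups, a stored SHAP mean and standard deviation per group, a logistic-CDF feature outlier score, and an aggregated suspicion score) can be sketched as follows. This is an added illustration, not code from the application or from any cited reference; the function names, the binning on the raw feature value, the mean as aggregator, and all sample values are assumptions.

```python
import math
from bisect import bisect_right
from statistics import mean, pstdev, quantiles

def fit_range_groups(feature_values, shap_values, q=4):
    """Quantile-bin one feature; store (mean, std) of the SHAP values per bin."""
    cuts = quantiles(feature_values, n=q)  # q-1 data-driven cut points
    groups = [[] for _ in range(q)]
    for x, s in zip(feature_values, shap_values):
        groups[bisect_right(cuts, x)].append(s)
    # An empty bin falls back to the global statistics (assumption).
    fallback = (mean(shap_values), pstdev(shap_values))
    stats = [(mean(g), pstdev(g)) if g else fallback for g in groups]
    return {"cuts": cuts, "stats": stats}

def feature_outlier_score(model, x, shap_value):
    """Logistic-CDF score in [0, 1] of a SHAP value against its bin's stored stats."""
    mu, sigma = model["stats"][bisect_right(model["cuts"], x)]
    if sigma == 0.0:  # degenerate bin: all training SHAP values identical
        return 0.5 if shap_value == mu else float(shap_value > mu)
    scale = sigma * math.sqrt(3) / math.pi  # logistic variance = scale^2 * pi^2 / 3
    # 0.5 * (1 + tanh(z / 2)) equals 1 / (1 + exp(-z)) without overflow
    return 0.5 * (1.0 + math.tanh((shap_value - mu) / (2.0 * scale)))

def suspicion_score(models, record):
    """Aggregate per-feature FOS into one score; the mean is an assumed aggregator."""
    return mean(feature_outlier_score(models[f], x, s) for f, (x, s) in record.items())

# Constructed training data: feature -> (feature values, SHAP values).
TRAIN = {
    "pkt_rate": ([1.0, 2.0, 3.0, 4.0, 5.0, 6.0, 7.0, 8.0],
                 [0.10, 0.12, 0.20, 0.22, 0.30, 0.34, 0.50, 0.54]),
    "syn_ratio": ([0.1, 0.2, 0.3, 0.4, 0.5, 0.6, 0.7, 0.8],
                  [-0.05, -0.03, 0.00, 0.02, 0.10, 0.14, 0.30, 0.38]),
}
MODELS = {f: fit_range_groups(xs, ss) for f, (xs, ss) in TRAIN.items()}

# Constructed test records: feature -> (feature value, SHAP value).
TYPICAL = {"pkt_rate": (7.5, 0.52), "syn_ratio": (0.75, 0.34)}
UNUSUAL = {"pkt_rate": (7.5, 0.90), "syn_ratio": (0.75, 0.80)}

if __name__ == "__main__":
    for name, rec in (("typical", TYPICAL), ("unusual", UNUSUAL)):
        print(name, round(suspicion_score(MODELS, rec), 3))
```

A record whose SHAP values sit at the stored group means scores about 0.5, while one whose SHAP values lie many standard deviations above them approaches 1.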
Claims 2-5 and 8-10 are rejected under 35 U.S.C. 103 as being unpatentable over Das in view of Weerts, Vuppalapati, Garreau, and Goldberg as applied to claim 1 above, and further in view of Sarhan ("Evaluating Standard Feature Sets Towards Increased Generalisability and Explainability of ML-based Network Intrusion Detection"), hereafter Sarhan.
Regarding Claim 2, Das in view of Weerts, Vuppalapati, Garreau, and Goldberg teaches the elements of claim 1 as outlined above. Das in view of Weerts, Vuppalapati, Garreau, and Goldberg also teaches:
The valuable alert screening method of claim 1, wherein in the generating of the XAI explainability and selecting the important features, an AI model explainer is generated through libraries in Python (Das [pg. 2, Table I] teaches: "Similarities and dissimilarities of LIME and SHAP methods […] Both of them have python libraries for implementation and additive in nature." Examiner's note: a person having ordinary skill in the art would recognize that an AI model explainer, such as SHAP, can be implemented by using Python libraries. Additionally, the "selecting the important features" is taught by Weerts [pg. 2, section 3 Hypotheses] and Weerts [pg. 3, Figure 1] as outlined above in claim 1.)
a shapley additive explanations (SHAP) value is calculated by using the training data in the AI model explainer (Das [pg. 4, section IV. METHOD: DDOS EXPLAINER MODEL] teaches: "That’s why, we use two interpretable machine learning techniques to build the explainer models and after comparing these two explainer models, the best performing model generates the appropriate explanation of the detected DDoS attacks which improves the trustworthiness of the decision-making process to the security experts. [...] As mentioned earlier, we have used two IML models, namely LIME and SHAP to develop the explainer models from the training dataset. Each explainer model generates the explanations for training, testing and verification data separately where the prediction for these data instances are obtained from DDoS detection phase." Das [pg. 7, section VI. RESULTS AND DISCUSSION] teaches: "On the other hand, Fig. 4 shows the SHAP explanation with important features and a confidence score of 40.83." Additionally, Table II on page 5 teaches the average likelihood of scores using SHAP for the training data. Examiner's note: under BRI, "a shapley additive explanations (SHAP)" can be interpreted as the explainer model generating the explanations, the "AI model explainer" is the SHAP model, which when applied to the training dataset generates (i.e., calculates) SHAP explanations.)
a summary plot is generated through the calculated SHAP value (Weerts [pg. 2, section 3 Hypotheses] teaches: "[...] the SHAP explanation may point the domain expert towards important feature values they would not have considered without being exposed to the explanation. [...] Because SHAP explanations reveal which feature values are relevant for the model’s decision, they can be used to determine whether the model’s explanation is reasonable given domain knowledge." Additionally, Weerts [pg. 3, Figure 1] teaches a SHAP values plot, and under BRI, the "summary plot" can be interpreted as Figure 1.)
However, Das in view of Weerts, Vuppalapati, Garreau, and Goldberg is not relied upon for teaching, but Sarhan teaches: top 20 important features is generated in the summary plot, (Sarhan [pg. 3, section 2 Related Work] teaches: "Finally, the top 20 important features for each attack type used in the global explanation are listed and comprehensively analysed via related works in the paper.")
and 10 important features analyzable on the basis of analyst's knowledge are selected out of the 20 features. (Sarhan [pg. 9, section 5.2 Results] teaches: "The top 10 features of the NetFlow and CICFlowMeter feature sets are displayed in Figures 3 and 4 respectively. The features (y-axis) are ranked based on their mean Shapley values (x-axis) across the whole test data samples used to evaluate the ML models." Sarhan [pg. 8, section 5 Explainable ML-based NIDS] teaches: "On the other hand, invaluable features that contain a limited number of security events and should be omitted from datasets are also located. […] This helps in troubleshooting the errors caused by the wrong predictions of the model, as it allows security experts to analyse the values of the influencing features that result in a miss-classification." Examiner's note: Sarhan teaches various examples in which a smaller number of important features, such as 10 features, from the top 20 influencing features are selected.)
Accordingly, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention, having the teachings of Das, Weerts, Vuppalapati, Garreau, Goldberg, and Sarhan before them, to include Sarhan's top influencing feature selection for expert analysis in Das/Weerts/Vuppalapati/Garreau/Goldberg's DDoS explainer. One would have been motivated to make such a combination in order to remove invaluable features and allow security experts to analyse the values of the influencing features that result in a miss-classification (Sarhan [pg. 8, section 5 Explainable ML-based NIDS]).
Regarding Claim 3, Das in view of Weerts, Vuppalapati, Garreau, Goldberg, and Sarhan teaches the elements of claim 2 as outlined above. Das in view of Weerts, Vuppalapati, Garreau, Goldberg, and Sarhan also teaches:
The valuable alert screening method of claim 2, wherein in the performing of the range processing, a range group is generated by adding the SHAP value to the range group when the number of data corresponding to a unique value for each important feature is counted and satisfies a setting condition. (Vuppalapati [pg. 137, Binning] teaches: "Binning or grouping data (sometimes called quantization) is an important tool in preparing numerical data for machine learning modeling and is applicable in the following scenarios: A column of continuous numbers has too many unique values to model effectively, so you automatically or manually assign the values to groups, to create a smaller set of discrete ranges. Replace a column of numbers with categorical values that represent specific ranges. A dataset has a few extreme values, all well outside the expected range, and these values have an outsized influence on the trained model. [...] Each bin represents a specific degree of intensity and hence a specific range of continuous numeric values fall into it (i.e., satisfies a setting condition)." Vuppalapati [pg. 138, Adaptive Binning] teaches: "In adaptive binning, as the name implies, data distribution itself decides bin ranges. Quantile-based binning is a good strategy to use for adaptive binning. Quantiles are specific values or cut points which help in partitioning the continuous valued distribution of a specific numeric field into discrete contiguous bins or intervals. Thus, q-Quantiles help in partitioning a numeric attribute into q equal partitions." Examiner’s note: the “SHAP value” can be interpreted as the continuous numeric values that fall into the specific range, which can be the SHAP explanations taught above in claim 1 by Das [pg. 4, section IV. METHOD: DDOS EXPLAINER MODEL].)
Regarding Claim 4, Das in view of Weerts, Vuppalapati, Garreau, Goldberg, and Sarhan teaches the elements of claim 3 as outlined above. Das in view of Weerts, Vuppalapati, Garreau, Goldberg, and Sarhan also teaches:
The valuable alert screening method of claim 3, wherein the range is generated through the unique value of the feature. (Vuppalapati [pg. 137, Binning] teaches: "Binning or grouping data (sometimes called quantization) is an important tool in preparing numerical data for machine learning modeling and is applicable in the following scenarios: A column of continuous numbers has too many unique values to model effectively, so you automatically or manually assign the values to groups, to create a smaller set of discrete ranges. Replace a column of numbers with categorical values that represent specific ranges. A dataset has a few extreme values, all well outside the expected range, and these values have an outsized influence on the trained model. [...] Each bin represents a specific degree of intensity and hence a specific range of continuous numeric values fall into it." Vuppalapati [pg. 138, Adaptive Binning] teaches: "In adaptive binning, as the name implies, data distribution itself decides bin ranges. Quantile-based binning is a good strategy to use for adaptive binning. Quantiles are specific values or cut points which help in partitioning the continuous valued distribution of a specific numeric field into discrete contiguous bins or intervals. Thus, q-Quantiles help in partitioning a numeric attribute into q equal partitions." Examiner's note: under BRI, "range is generated through the unique value of the feature" can be interpreted as assigning unique values to groups or bins, and the ranges of the bins are decided by the data distribution itself.)
Regarding Claim 5, Das in view of Weerts, Vuppalapati, Garreau, Goldberg, and Sarhan teaches the elements of claim 2 as o