DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Arguments
Applicant’s arguments, see page 9, filed 10/28/2025, with respect to the objections to the specification and the drawings have been fully considered. The objections to the specification and the drawings have been withdrawn.
Applicant's arguments, see pages 9-10, filed 10/28/2025, with respect to the interpretation of claims 4-7 under 35 U.S.C. § 112(f) have been fully considered but they are not persuasive.
Applicant attests that the amended claim limitations “discloses sufficient structure in the form of specific algorithms and logic”.
The Examiner respectfully disagrees.
The “specific algorithms and logic” are not sufficient structure as Applicant alleges, as there is no corresponding structure for the units themselves in performing the claimed function. In the amended claims, the various units are all “configured to” perform various claimed functions, and the “algorithms and logic” Applicant refers to are the claimed functions and not the structure used to perform the said functions. The originally filed disclosure is deficient in that it does not disclose or clearly link any sufficient structure to perform the various recited functions in the claims. The amended claims currently recite terms that are generic placeholders (various “units”) used as substitutes for the word “means” or “step”; the generic placeholders are modified by functional language (“configured to…”); and the generic placeholders are not modified by sufficient structures, materials, or acts for performing the claimed functions. The “specific algorithms and logic” that Applicant alleges are “structure” are in fact the claimed functions that the “units” (generic placeholders) are configured to perform. Therefore, the interpretation of claims 4-7 under 35 U.S.C. § 112(f) will be maintained.
Applicant’s arguments, see pages 10-11, filed 10/28/2025, with respect to the rejection of claims 1-7 under 35 U.S.C. § 112(b) have been fully considered, but they are not persuasive.
Applicant first attests that the limitation “meaningful words” has been clearly and objectively defined by the claim amendments “anchored in its function of identifying true or false positives”.
The Examiner respectfully disagrees.
The relevant amended claim limitation reads, “wherein the meaningful words include at least one of a word or a pattern of the word for the true positive or false positive for the security events”. This limitation appears to be a literal translation into English from a foreign document, and is not written in idiomatic English. The phrase “at least one of a word or a pattern of the word for the true positive or false positive for the security events” is not grammatically correct. It is unclear how “a word” or “a pattern of the word” can be used with the preposition “for” to modify the noun “the true positive or false positive”, and it is further unclear what modification the second “for” does to the noun “the security events”.
Applicant next attests that the limitation “quantifying security events” is no longer ambiguous as the “quantifying” has been defined as producing a specific output.
The Examiner respectfully disagrees.
The claim limitation reads “quantifying security events in the true positive group and security events in the false positive group; based on the labeled each security event for generating a vector for the each security event” in claim 1. This still does not define what the act of “quantifying” comprises, because in light of the specification it is not possible to determine whether the claim term corresponds to a specialized claim function, or whether the term corresponds to the ordinary and customary meaning of “quantifying” (as in counting the number of something). There is no clarification provided by the amendment, as it is unclear what part of the claim limitation is “based on the labeled each security event for generating a vector for the each security event” in independent claim 1 because of the semicolon (;) before the word “based”. The quantifying step has not been defined, because stating what the quantifying is based on does not define or clarify what “quantify[ing] security events” means.
The Examiner respectfully notes that the remaining 112(b) rejections made in the Non-Final Rejection mailed 07/28/2025 have not been responded to with regard to the limitations that invoke 35 U.S.C. § 112(f), but fail to disclose the corresponding structure, material, or acts for performing the entire claimed function and to clearly link the structure, material, or acts to the function. These rejections are maintained below.
Applicant’s arguments, see page 11, filed 10/28/2025, with respect to the rejection of claims 1-7 under 35 U.S.C. § 112(a) have been fully considered, but they are not persuasive.
Applicant's arguments fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims is supported by the originally filed disclosure. The Examiner presented a prima facie case of the claims failing to comply with the written description requirement in the Non-Final Rejection mailed 07/28/2025. Applicant’s reply is non-responsive as the Applicant merely states that the specification, allegedly, “clearly describes” the limitations at issue with conclusory statements, “This demonstrates that the inventor was in possession of the specific means for carrying out these functions at the time of filing. Regarding the "label classification unit," it is presented not as an isolated abstract step, but as an integral part of a concrete, holistic process. The function of the label classification unit is to generate the initial labeled data sets that serve as the necessary input for the subsequent, and highly specific, quantification step performed by the event quantification unit. The invention, when viewed as a whole as it must be, describes an organically linked process where the output of the classification unit is functionally and structurally coupled to the input of the quantification unit. This demonstrates a complete and possessed invention.” Applicant has not pointed out the specific identified deficiencies in the Examiner’s presented written description rejection, nor has Applicant particularly pointed out where the alleged support can be found in the originally filed disclosure.
There is simply no disclosure regarding how the inventor intended to have these generic placeholder units implemented or configured to perform the intended claimed functions, and it is currently evident that the prima facie case of lacking written description is proper as the Applicant is unable to particularly point out the deficiencies in the written description rejection. The rejection will be maintained.
Applicant’s arguments, see page 12, filed 10/28/2025, with respect to the rejections of claims 1-3 and 7 under 35 U.S.C. § 101 have been fully considered, but they are not persuasive.
Applicant attests that the claimed invention is not directed to an abstract idea without significantly more.
The Examiner respectfully disagrees.
Applicant argues that the claimed method allegedly “addresses a specific technological problem: the inability of human personnel to realistically analyze the exponentially increasing volume of security events generated by modern computer networks, as detailed in the background of the specification”. The Examiner respectfully submits that processing security data is not a specific technological problem, and is recited in the claims at a high level of generality and amounts to mere data gathering, which is a form of insignificant extra-solution activity. See MPEP 2106.05(g). Insignificant extra-solution activity and mere instructions to apply an exception using a generic computer component cannot provide an inventive concept.
Applicant next argues that the claimed “technological solution” “is rooted in computer technology”.
The Examiner respectfully disagrees.
The claimed steps of generating a vector for each security event and using a cosine similarity are limitations that, as amended and under the broadest reasonable interpretation, cover performance of the limitations in the human mind and are broad enough to encompass performance by a human using pen and paper. Applicant alleges that the claims are not directed to an abstract idea because of the recited “specific technical features”; however, the Examiner respectfully submits that, under the broadest reasonable interpretation, generating a vector can be performed by a human using a pen and paper by, for example, using one-hot encoding with the security events; and cosine similarity is merely a well-known data analysis technique that is the dot product of the vectors divided by the product of their lengths, which can be calculated using a pen and paper. The “specific technical features” Applicant allegedly adds by amendment do no more than add further abstract ideas that can likewise be performed by a human using a pen and paper. The conclusory statement of “vast datasets involved in cybersecurity” does not preclude the abstract ideas from being performed by a human using pen and paper.
Applicant’s arguments, see pages 12-14, filed 10/28/2025, with respect to the rejections of claims 1-7 under 35 U.S.C. § 102(a)(1) have been fully considered. Upon further consideration, a new ground(s) of rejection is made in view of newly discovered prior art in response to the greatly amended claims.
Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.
The following is a quotation of pre-AIA 35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.
The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art. The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is invoked.
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph:
(A) the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function;
(B) the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and
(C) the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function.
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function.
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function.
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier. Such claim limitation(s) is/are:
“an event classification unit configured to classify security events into one or more groups”, “a word extraction unit configured to extract meaningful words from at least one security event in each of the classified groups”, “a label classification unit configured to label each security event as a true positive group or a false positive group based on the extracted meaningful words”, “an event quantification unit configured to quantify security events in the true positive group and security events in the false positive group based on the labeled each security event for generating a vector for the each security event”, “a similarity measurement unit configured to measure a similarity of a new security event based on the quantified security events in the true positive group and the quantified security events in the false positive group and a cosine similarity” and “a label determination unit configured to label the new security event as the true positive group or the false positive group based on the measured similarity and thresholds” in claim 4.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, applicant may: (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph.
Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.
The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.
Claims 1-7 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.
Regarding Claims 1, 4, and 7:
Independent claim 4 recites the limitations “a label classification unit configured to label each security event as a true positive group or a false positive group based on the extracted meaningful words”, “an event quantification unit configured to quantify security events in the true positive group and security events in the false positive group based on the labeled each security event for generating a vector for the each security event”, “a similarity measurement unit configured to measure a similarity of a new security event based on the quantified security events in the true positive group and the quantified security events in the false positive group and a cosine similarity”, and “a label determination unit configured to label the new security event as the true positive group or the false positive group based on the measured similarity and thresholds”. The limitations in question do not satisfy the written description requirement under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph. The specification does not describe the limitation in sufficient detail so that one of ordinary skill in the art would recognize that the applicant had possession of the claimed invention. There is no disclosure regarding how the inventor intended to configure the “label classification unit”, the “event quantification unit”, the “similarity measurement unit”, and the “label determination unit” to perform the various specialized claim functions. For example, there is no disclosure regarding how the label classification unit is configured to label security events as true positives or false positives, outside of stating that it “may” do so in paragraphs [255-259] of the originally filed disclosure.
Additionally, there is no disclosure regarding how the event quantification unit is configured to quantify the security events outside of a generic recitation of using the various units of figures 1-4 independently or in combination, nor is there any description of what the quantification actually comprises. There is no disclosure regarding how the inventor intended to configure the similarity measurement unit to measure a similarity of a new security event based on the true and false positive groups outside of a generic recitation of using the various units of figures 1-4 independently or in combination, nor is there any description of what the similarity measurement actually comprises. Further, there is no disclosure how the label determination unit is configured to label new security events based on the operation of the similarity measurement unit.
MPEP 2161.01 states that "computer-implemented functional claim language must still be evaluated for sufficient disclosure under the written description", and MPEP 2161.01(I) states that "generic claim language in the original disclosure does not satisfy the written description requirement if it fails to support the scope of the genus claimed." For computer-implemented inventions, the determination of the sufficiency of disclosure will require an inquiry into the sufficiency of both the disclosed hardware and the disclosed software due to the interrelationship and interdependence of computer hardware and software. The critical inquiry is whether the disclosure of the application relied upon reasonably conveys to those skilled in the art that the inventor had possession of the claimed subject matter as of the filing date.
As stated in MPEP 2161.01(I), "The description requirement of the patent statute requires a description of an invention, not an indication of a result that one might achieve if one made that invention." It is not enough that one skilled in the art could write a program to achieve the claimed function because the specification must explain how the inventor intends to achieve the claimed function to satisfy the written description requirement. See, e.g., Vasudevan Software, Inc. v. MicroStrategy, Inc., 782 F.3d 671, 681-683, 114 USPQ2d 1349, 1356, 1357 (Fed. Cir. 2015).
As in MPEP 2161.01, “For instance, generic claim language in the original disclosure does not satisfy the written description requirement if it fails to support the scope of the genus claimed. Ariad, 598 F.3d at 1349-50, 94 USPQ2d at 1171 ("[A]n adequate written description of a claimed genus requires more than a generic statement of an invention’s boundaries.") (citing Eli Lilly, 119 F.3d at 1568, 43 USPQ2d at 1405-06); Enzo Biochem, Inc. v. Gen-Probe, Inc., 323 F.3d 956, 968, 63 USPQ2d 1609, 1616 (Fed. Cir. 2002) (holding that generic claim language appearing in ipsis verbis in the original specification did not satisfy the written description requirement because it failed to support the scope of the genus claimed); Fiers v. Revel, 984 F.2d 1164, 1170, 25 USPQ2d 1601, 1606 (Fed. Cir. 1993) (rejecting the argument that "only similar language in the specification or original claims is necessary to satisfy the written description requirement").”
“The Federal Circuit has explained that a specification cannot always support expansive claim language and satisfy the requirements of 35 U.S.C. 112 "merely by clearly describing one embodiment of the thing claimed." LizardTech v. Earth Resource Mapping, Inc., 424 F.3d 1336, 1346, 76 USPQ2d 1731, 1733 (Fed. Cir. 2005). The issue is whether a person skilled in the art would understand applicant to have invented, and been in possession of, the invention as broadly claimed. In LizardTech, claims to a generic method of making a seamless discrete wavelet transformation (DWT) were held invalid under 35 U.S.C. 112, first paragraph, because the specification taught only one particular method for making a seamless DWT and there was no evidence that the specification contemplated a more generic method. "[T]he description of one method for creating a seamless DWT does not entitle the inventor . . . to claim any and all means for achieving that objective." LizardTech, 424 F.3d at 1346, 76 USPQ2d at 1733.”
The same reasoning applies for independent claims 1 and 7 with regard to the limitation “labeling each security event as a true positive group or a false positive group based on the extracted meaningful words”, “quantifying security events in the true positive group and security events in the false positive group”, “measuring a similarity of a new security event based on the quantified security events in the true positive group and the quantified security events in the false positive group and a cosine similarity”, and “labeling the new security event as the true positive group or the false positive group based on the measured similarity and thresholds”.
Furthermore, claims 1, 4, and 7 recite, with regard to measuring similarity, the limitation “and a cosine similarity”. There is no support in the originally filed disclosure for the measuring of the similarity being based on “the quantified security events” and a cosine similarity. The only recitation of a cosine similarity in the originally filed disclosure is found in paragraph [264], which states that the similarity measurement unit 20005 “may use, for example, cosine similarity”. There is no support in the originally filed disclosure for the similarity measurement unit basing a similarity measurement on both the quantified security events and a cosine similarity as claimed.
Independent claims 1, 4, and 7 recite “wherein the vector represents a statistical importance of the each of the security events”. This amended claim limitation constitutes new matter and will be rejected on the ground that it recites elements without support in the original disclosure. See Waldemar Link, GmbH & Co. v. Osteonics Corp., 32 F.3d 556, 559, 31 USPQ2d 1855, 1857 (Fed. Cir. 1994); Vas-Cath Inc. v. Mahurkar, 935 F.2d 1555, 1560, 19 USPQ2d 1111, 1114 (Fed. Cir. 1991) (A written-description question often arises when an applicant, after filing a patent application, subsequently adds "new matter" not present in the original application.); In re Rasmussen, 650 F.2d 1212, 211 USPQ 323 (CCPA 1981).
The dependent claims fall together accordingly.
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.
Claims 1-7 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
The terms “meaningful words” and “quantify security events” in independent claims 1, 4, and 7 are relative terms which render the claims indefinite. The terms “meaningful words” and “quantify security events” are not defined by the claim, the specification does not provide a standard for ascertaining the requisite degree, and one of ordinary skill in the art would not be reasonably apprised of the scope of the invention. The specification only gives examples of what may comprise “meaningful words” in the context of a security event (the phrase “for example” is the only guidance provided by the originally filed disclosure), but the actual scope of the claimed term “meaningful” is not discernible by one of ordinary skill in the art. Additionally, the terms “quantify security events” and “quantifying security events” render the independent claims indefinite because in light of the specification it is not possible to determine whether the claim term corresponds to a specialized claim function, or whether the term corresponds to the ordinary and customary meaning of “quantifying” (as in counting the number of something).
Claim limitations “an event classification unit configured to classify security events into one or more groups”, “a word extraction unit configured to extract meaningful words from at least one security event in each of the classified groups”, “a label classification unit configured to label each security event as a true positive group or a false positive group based on the extracted meaningful words”, “an event quantification unit configured to quantify security events in the true positive group and security events in the false positive group based on the labeled each security event for generating a vector for the each security event”, “a similarity measurement unit configured to measure a similarity of a new security event based on the quantified security events in the true positive group and the quantified security events in the false positive group and a cosine similarity” and “a label determination unit configured to label the new security event as the true positive group or the false positive group based on the measured similarity and thresholds” in claim 4 invoke 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. However, the written description fails to disclose the corresponding structure, material, or acts for performing the entire claimed function and to clearly link the structure, material, or acts to the function. The structure described in the specification does not perform the entire function in the claim as the disclosed structure is insufficient to support the various specialized claim functions. Therefore, the claim is indefinite and is rejected under 35 U.S.C. 112(b) or pre-AIA 35 U.S.C. 112, second paragraph.
Applicant may:
(a) Amend the claim so that the claim limitation will no longer be interpreted as a limitation under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph;
(b) Amend the written description of the specification such that it expressly recites what structure, material, or acts perform the entire claimed function, without introducing any new matter (35 U.S.C. 132(a)); or
(c) Amend the written description of the specification such that it clearly links the structure, material, or acts disclosed therein to the function recited in the claim, without introducing any new matter (35 U.S.C. 132(a)).
If applicant is of the opinion that the written description of the specification already implicitly or inherently discloses the corresponding structure, material, or acts and clearly links them to the function so that one of ordinary skill in the art would recognize what structure, material, or acts perform the claimed function, applicant should clarify the record by either:
(a) Amending the written description of the specification such that it expressly recites the corresponding structure, material, or acts for performing the claimed function and clearly links or associates the structure, material, or acts to the claimed function, without introducing any new matter (35 U.S.C. 132(a)); or
(b) Stating on the record what the corresponding structure, material, or acts, which are implicitly or inherently set forth in the written description of the specification, perform the claimed function. For more information, see 37 CFR 1.75(d) and MPEP §§ 608.01(o) and 2181.
Claim 1, lines 8-10, reads “quantifying security events in the true positive group and security events in the false positive group; based on the labeled each security event for generating a vector for the each security event”. It is currently unclear what in the claim is “based on the labeled each security event”, as there is a semicolon (‘;’) that breaks up the claim limitation.
The claims are generally narrative and indefinite, failing to conform with current U.S. practice. They appear to be a literal translation into English from a foreign document and are replete with grammatical and idiomatic errors. Claims 1, 4, and 7 recite “wherein the meaningful words include at least one of a word or a pattern of the word for the true positive or false positive for the security events”. This limitation appears to be a literal translation into English from a foreign document, and is not written in idiomatic English. The phrase “at least one of a word or a pattern of the word for the true positive or false positive for the security events” is not grammatically correct. It is unclear how “a word” or “a pattern of the word” can be used with the preposition “for” to modify the noun “the true positive or false positive”, and it is further unclear what modification the second “for” does to the noun “the security events”.
Claims 1, 4 and 7 recite the limitation "and thresholds". There is insufficient antecedent basis for this limitation in the claim.
Dependent claims fall together accordingly.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1-3 and 7 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.
Regarding Claim 1:
Under the 2019 Revised Patent Subject Matter Eligibility Guidance (“2019 PEG”), effective January 7, 2019, independent claim 1 is directed to an abstract idea without significantly more and without being integrated into a practical application. The claimed invention processes security data, classifies security events into one or more groups, extracts meaningful words from the security events, labels each security event as a true or false positive based on the extracted meaningful words, quantifies the security events in the true/false positive groups, creates a vector for each security event, measures the similarity of a new security event to those events in the true/false positive groups and a cosine similarity, and labels the new event based on the measured similarity and thresholds. The claim limitations identified above, as drafted, under the broadest reasonable interpretation, cover performance of the limitations in the human mind and are broad enough to encompass performance by a human using pen and paper, except for the processing security data language in the preamble of independent claim 1, which does no more than generally link the use of the judicial exception to a particular technological environment or field of use. Furthermore, the claimed labelling of the new event based on the measured similarity is recited at a high level of generality and amounts to a form of insignificant extra-solution activity, and the claimed vector generation and cosine similarity are calculations that may be performed in the human mind using a pen and paper.
This judicial exception is not integrated into a practical application. The limitations of processing security data are recited at a high level of generality and amount to mere data gathering, which is a form of insignificant extra-solution activity. See MPEP 2106.05(g). Insignificant extra-solution activity and mere instructions to apply an exception using a generic computer component cannot provide an inventive concept.
Accordingly, independent claim 1 is directed to an abstract idea.
Therefore, independent claim 7 is rejected under 35 U.S.C. § 101 as being directed to non-statutory subject matter for the same reasons identified above for independent claim 1. The additional generically recited computer elements beyond the abstract idea, taken both individually and as a combination, in independent claim 7, do not integrate the judicial exception into a practical application.
Thus, claims 1-3 and 7 are rejected under 35 U.S.C. § 101 as being directed to non-statutory subject matter as the claims do not contain any element or combination of elements that is sufficient enough to ensure that the patent in practice amounts to significantly more than a patent upon the ineligible concept itself.
Dependent claim 2 does not contain any element or combination of elements sufficient to incorporate the abstract idea into a practical application because basing event quantification on a term frequency-inverse document frequency algorithm, under the broadest reasonable interpretation, covers performance of the limitations in the human mind and is broad enough to encompass performance by a human using pen and paper; utilizing the TF-IDF algorithm to quantify events in the true positive or false positive groups may be performed in the human mind using a pen and paper.
Dependent claim 3 does not contain any element or combination of elements sufficient to incorporate the abstract idea into a practical application because it only enumerates that the similarity of claim 2 is a first and second similarity, and it describes what the first and second similarity are based upon.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1-7 are rejected under 35 U.S.C. 103 as being unpatentable over Song et al. (US Publication No. US 2018/0309772 A1) hereinafter Song, in view of Lee et al. (US Publication No. US 2018/0191761 A1) hereinafter Lee.
Regarding Claims 1, 4, and 7:
Claim 4. Song discloses a device configured to process security data (Song [0141-0146]), the device comprising: an event classification unit configured to classify security events into one or more groups (Song Fig. 2, [0046] “The security event automatic verification equipment according to one embodiment of the present invention can provide a threshold-based security event automatic verification technique. More specifically, it may statistically analyze and classify features of security events”); a word extraction unit configured to extract meaningful words from at least one security event in each of the classified groups (Song Fig. 2 and 4 strings clearly enumerated that are words, [0050-0052], [0063]); a label classification unit configured to label each security event as a true positive group or a false positive group based on the extracted meaningful words (Song Fig. 2 and 4, [0054]); an event quantification unit configured to quantify security events in the true positive group and security events in the false positive group (Song Fig. 2 and 4-5, [0053], and [0065] number of security events)… a similarity measurement unit configured to measure a similarity of a new security event based on the quantified security events in the true positive group and the quantified security events in the false positive group (Song [0066] similarity is measured by comparing a sample to an actual attack “The security event automatic verification equipment according to one embodiment of the present invention may check a character string belonging to a payload of a packet of a security event to compare the character string belonging to the payload of the packet of the security event with an actual attack or a character string associated with a normal signal”)… and a label determination unit configured to label the new security event as the true positive group or the false positive group based on the measured similarity and thresholds (Song [0063-0066] criteria of a true/false positive enumerated “According to one embodiment of the present invention, the number of security events caused by a specific source IP address can be used for comparing with a threshold when malware download and malware infection are analyzed.”), wherein the meaningful words include at least one of a word or a pattern of the word for the true positive or false positive for the security events (Song Fig. 2 and 4 strings clearly enumerated, [0050-0052], [0063]).
Song does not explicitly disclose based on the labeled each security event for generating a vector for the each security event… and a cosine similarity; … and wherein the vector represents a statistical importance of the each of the security events.
Lee teaches based on the labeled each security event for generating a vector for the each security event (Lee Fig. 1 and 3-5, [0031-0036] “Then, an event vector is generated at step S1500 based on the event coincidence statistics generated at step S1400. Here, at step S1500, the event vector is generated through data normalization of the event coincidence statistics. Also, at step S1500, the event vector may be generated through data normalization through which a TF-IDF value is calculated from the event coincidence statistics”, [0050])… and a cosine similarity (Lee [0056] “The long-term event correlation analysis unit calculates a cosine similarity between the event vector of the data set including the event that is currently being analyzed and the event vectors of the case in which erroneous detection occurred and of the case in which an intrusion threat was correctly detected in order to acquire the correlation therebetween, and sorts past event vectors having similarity greater than a preset threshold. Then, based on the distribution of true-positive data and false-positive data in the sorted events, the intrusion threat determination unit determines whether the event currently being analyzed was detected correctly or erroneously.”); … and wherein the vector represents a statistical importance of the each of the security events (Lee [0031-0036] “Here, at step S1500, the event vector is generated through data normalization of the event coincidence statistics”, [0050]).
It would have been obvious to one having ordinary skill in the art before the time the invention was effectively filed to combine the security event verification technique disclosed by Song with the cyberthreat security event analysis techniques taught by Lee. The motivation for this combination would be to improve security by automatically determining when an intrusion threat occurs and to reduce the number of events that need to be analyzed manually as taught by Lee (Lee [0059]).
Claims 1 and 7 recite substantially the same content and are therefore rejected under the same rationales. Song further discloses a method of processing security data (Song [0141-0143]). Song further discloses a computer-readable storage medium configured to store a program for processing security data and performing operations (Song [0141-0146]).
Regarding Claims 2 and 5:
Claim 5. The combination of Song and Lee further teaches the device of claim 4 (Song [0141-0146]), wherein the security events in the true positive group and the security events in the false positive group are quantified based on a Term Frequency-Inverse Document Frequency (TF-IDF) algorithm (Lee Figs 5-6 TF-IDF clearly taught, [0034], [0055-0056]).
Claim 2 recites substantially the same content and is therefore rejected under the same rationales.
Regarding Claims 3 and 6:
Claim 6. The combination of Song and Lee further teaches the device of claim 4 (Song [0141-0146]), wherein the similarity of the new security event comprises a first similarity and a second similarity (Song [0065-0067]), wherein the first similarity is a similarity between the new security event and the security events in the true positive group (Song [0065-0067]), and wherein the second similarity is a similarity between the new security event and the security events in the false positive group (Song [0065-0067]).
Claim 3 recites substantially the same content and is therefore rejected under the same rationales.
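The technique at issue in the rejections above (TF-IDF event vectors, a first cosine similarity to the true positive group, a second to the false positive group, and a threshold) can be followed end to end in the sketch below. It is an added illustration, not code from the application, Song, or Lee; the constructed sample events, the 0.3 threshold, the nearest-match rule, the "UNKNOWN" outcome and all function names are assumptions.

```python
import math
from collections import Counter

# Constructed sample data: (meaningful words extracted from an event, analyst label).
LABELED = [
    (["union", "select", "passwd", "http"], "TP"),
    (["union", "select", "information_schema", "http"], "TP"),
    (["cmd.exe", "powershell", "download", "http"], "TP"),
    (["select", "report", "scheduler", "http"], "FP"),
    (["healthcheck", "monitor", "ping", "http"], "FP"),
    (["backup", "scheduler", "report", "http"], "FP"),
]

def idf_table(docs):
    """Inverse document frequency; a word present in every event gets weight 0."""
    df = Counter(w for d in docs for w in set(d))
    return {w: math.log(len(docs) / c) for w, c in df.items()}

def tfidf(words, idf):
    """Sparse TF-IDF vector; words never seen in the labeled set are dropped."""
    tf = Counter(words)
    return {w: (c / len(words)) * idf[w] for w, c in tf.items() if w in idf}

def cosine(a, b):
    dot = sum(v * b.get(w, 0.0) for w, v in a.items())
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0  # zero vector: no evidence

def classify(words, labeled=LABELED, threshold=0.3):
    """Return (label, first_similarity, second_similarity) for a new event.

    Assumed rule: each similarity is the closest match within its group; an
    event below the threshold for both groups stays unlabeled for manual
    triage, and a tie goes to TP so that it is reviewed rather than dropped.
    """
    idf = idf_table([d for d, _ in labeled])
    vec = tfidf(words, idf)
    sims = [(cosine(vec, tfidf(d, idf)), lab) for d, lab in labeled]
    first = max((s for s, lab in sims if lab == "TP"), default=0.0)
    second = max((s for s, lab in sims if lab == "FP"), default=0.0)
    if max(first, second) < threshold:
        return "UNKNOWN", first, second
    return ("TP" if first >= second else "FP"), first, second
```

The word "http" occurs in every constructed event, so its inverse document frequency is zero and it contributes nothing to any similarity, which is the "statistical importance" property the vector limitation refers to.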
Conclusion
The prior art made of record in the submitted PTO-892 Notice of References Cited and not relied upon is considered pertinent to applicant’s disclosure.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MIGUEL A LOPEZ whose telephone number is (703)756-1241. The examiner can normally be reached 8:00AM-5:00PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge Ortiz-Criado can be reached on 5712727624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/M.A.L./ Examiner, Art Unit 2496
/JORGE L ORTIZ CRIADO/ Supervisory Patent Examiner, Art Unit 2496