Prosecution Insights
Last updated: May 29, 2026
Application No. 18/159,226

Systems, Methods, and Apparatuses For Network Entity Tracking

Non-Final OA §101 §103
Filed: Jan 25, 2023
Priority: Jan 26, 2022 — provisional 63/303,338
Examiner: SHIFERAW, ELENI A
Art Unit: 2497
Tech Center: 2400 — Computer Networks
Assignee: Comcast Cable Communications LLC
OA Round: 2 (Non-Final)
Grant Probability: 38% (At Risk)
OA Rounds: 2-3
Est. Remaining: 11m
With Interview: 73%

Examiner Intelligence

Grants only 38% of cases
Career Allowance Rate: 38% (50 granted / 133 resolved; -20.4% vs TC avg)
Strong +35% interview lift
Interview Lift: +35.3% (resolved cases with interview)
Typical timeline
Avg Prosecution: 4y 3m (8 currently pending)
Career history
Total Applications: 142 (across all art units)

Statute-Specific Performance

§101: 2.0% (-38.0% vs TC avg)
§103: 86.2% (+46.2% vs TC avg)
§102: 8.3% (-31.7% vs TC avg)
§112: 1.6% (-38.4% vs TC avg)
Black line = Tech Center average estimate • Based on career data from 133 resolved cases

Office Action

§101 §103
DETAILED ACTION

In response to communications received 4/28/2025, this is the response to applicants’ amendment. Claims 1, 3-5, 8, 12, 15, and 18 are amended. The claims 1 – 20 are pending.

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Amendments and/or Arguments

The applicant’s amendments (adding limitation “a computing device”) with respect to 101 rejection and arguments are fully considered. However, arguments are not persuasive because the amended limitation …sending, to a computing device, a notification message… is a process that under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer component. The mere nominal recitation of a generic computer component does not take the claim limitation out of the mental process grouping. Thus, the claim recites a mental process. Moreover, the mere recitation of a computing device is an insignificant extra-solution activity to the judicial exception does not integrate a judicial exception into a practical application or provide significantly more because this type of recitation is equivalent to the words “apply it” - see MPEP 2106.05(g). Therefore the 101 rejection is maintained. The additional element (a generic computing device) is not sufficient to amount to significantly more than the judicial exception. The 101 rejection is maintained.

The applicant’s arguments regarding the amended independent claims limitation “determining, based on network log data, that a first temporary identifier (ID) and a first static ID are associated during a first time period, wherein the first static ID uniquely identifies a first network entity and is a different type of identifier than the first temporary ID” is fully considered. While the applicant’s arguments regarding “Bengtson does not disclose "the first static ID...is a different type of identifier than the first temporary ID” is not convincing to the examiner since the network address and credentials discussed in Bengtson are not the same. However, Bengtson does not clearly disclose if the static includes both/either of the network address 110A and credentials 111a. Therefore, new ground of rejection over Bengtson in view of Furukawa US PG Pubs. 20210367957 is disclosed below.

Claim Rejections - 35 USC § 101

35 U.S.C. 101 reads as follows: Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1, 3 – 5, 8, 12, 15, and 18 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.

Claim 1 recites “determining, based on network log data, that a first temporary identifier (ID) and a first static ID are associated during a first time period”, “determining, based on the network log data, that the first temporary ID is associated with a second network entity during a second time period”, “determining…that the second network entity is associated with malicious network activity”, and “sending, to a computing device, a notification message”.
The determining limitation, as drafted, is a process that, under its broadest reasonable interpretation (BRI) covers performance in the mind with aid of a (e.g., pen and paper), because the claims read on determination of IDs and their respective associations, and sending a notification message. There is nothing in the claims themselves that foreclose them to the analysis and determination being done in the human mind. The same requirements for these determinations (though perhaps phrased with different words) that humans in analogous situations may impose is well known. If a claim limitation, under its BRI, covers performance of the limitation in the mind but for the recitation of generic computer components, then it falls within the “mental process” grouping of abstract ideas. See MPEP 2106.04(a)(2)(III). Accordingly, the claims recite an abstract idea. This judicial exception is not integrated into a practical application. The additional elements beyond the abstract idea, taken both individually and as a combination, do not integrate the judicial exception into a practical application. The claim amounts to mere determination of information, which is a form of insignificant extra-solution activity. Adding insignificant extra-solution activity to the judicial exception does not integrate a judicial exception into a practical application or provide significantly more because this type of recitation is equivalent to the words “apply it” - see MPEP 2106.05(g). The claim recites at a high level of generality the actions performed such that it amounts to no more than mere instructions to apply the exception using a generic computer element. The process behind the results of the claims is absent – only the mere idea of their outcome is recited. No actual improvements to these determinations are asserted – only the process and its resulting outcome. 
Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. See MPEP 2106.04(d)(1). The claims are directed to an abstract idea. The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional elements amount to no more than mere instructions to apply the exception using a generic computer component. additionally, there is no proposed improvement to the process of determination, nor how they are carried out. The determination of malicious activity is performed without any substantive additional steps related to malicious activity. Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept. See MPEP 2106.05. The claim is not patent eligible. Claim 3 recites “determining…that a second static ID that uniquely identifies the second network entity is associated with anomalous behavior and “determining…that the second network entity is associated with malicious network activity”. The determining limitation, as drafted, is a process that, under its broadest reasonable interpretation (BRI) covers performance in the mind with aid of a (e.g., pen and paper), because the claims read on determination of IDs and their respective associations. There is nothing in the claims themselves that foreclose them to the analysis and determination being done in the human mind. The same requirements for these determinations (though perhaps phrased with different words) that humans in analogous situations may impose is well known. If a claim limitation, under its BRI, covers performance of the limitation in the mind but for the recitation of generic computer components, then it falls within the “mental process” grouping of abstract ideas. 
See MPEP 2106.04(a)(2)(III). Accordingly, the claims recite an abstract idea. This judicial exception is not integrated into a practical application. The additional elements beyond the abstract idea, taken both individually and as a combination, do not integrate the judicial exception into a practical application. The claim amounts to mere determination of information, which is a form of insignificant extra-solution activity. Adding insignificant extra-solution activity to the judicial exception does not integrate a judicial exception into a practical application or provide significantly more because this type of recitation is equivalent to the words “apply it” - see MPEP 2106.05(g). The claim recites at a high level of generality the actions performed such that it amounts to no more than mere instructions to apply the exception using a generic computer element. The process behind the results of the claims is absent – only the mere idea of their outcome is recited. No actual improvements to these determinations are asserted – only the process and its resulting outcome. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. See MPEP 2106.04(d)(1). The claims are directed to an abstract idea. The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional elements amount to no more than mere instructions to apply the exception using a generic computer component. additionally, there is no proposed improvement to the process of determination, nor how they are carried out. The determination of malicious activity is performed without any substantive additional steps related to malicious activity. 
Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept. See MPEP 2106.05. The claim is not patent eligible. Claim 4 recites “determining…that the second network entity was associated with a second static ID”. The determining limitation, as drafted, is a process that, under its broadest reasonable interpretation (BRI) covers performance in the mind with aid of a (e.g., pen and paper), because the claims read on determination of IDs and their respective associations. There is nothing in the claims themselves that foreclose them to the analysis and determination being done in the human mind. The same requirements for these determinations (though perhaps phrased with different words) that humans in analogous situations may impose is well known. If a claim limitation, under its BRI, covers performance of the limitation in the mind but for the recitation of generic computer components, then it falls within the “mental process” grouping of abstract ideas. See MPEP 2106.04(a)(2)(III). Accordingly, the claims recite an abstract idea. This judicial exception is not integrated into a practical application. The additional elements beyond the abstract idea, taken both individually and as a combination, do not integrate the judicial exception into a practical application. The claim amounts to mere determination of information, which is a form of insignificant extra-solution activity. Adding insignificant extra-solution activity to the judicial exception does not integrate a judicial exception into a practical application or provide significantly more because this type of recitation is equivalent to the words “apply it” - see MPEP 2106.05(g). The claim recites at a high level of generality the actions performed such that it amounts to no more than mere instructions to apply the exception using a generic computer element. The process behind the results of the claims is absent – only the mere idea of their outcome is recited. 
No actual improvements to these determinations are asserted – only the process and its resulting outcome. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. See MPEP 2106.04(d)(1). The claims are directed to an abstract idea. The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional elements amount to no more than mere instructions to apply the exception using a generic computer component. additionally, there is no proposed improvement to the process of determination, nor how they are carried out. The determination of malicious activity is performed without any substantive additional steps related to malicious activity. Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept. See MPEP 2106.05. The claim is not patent eligible. Claim 5 recites “determining a second static ID that uniquely identifies the second network entity”, and “determining…that the second identity is associated with malicious network activity”. The determining limitation, as drafted, is a process that, under its broadest reasonable interpretation (BRI) covers performance in the mind with aid of a (e.g., pen and paper), because the claims read on determination of IDs and their respective associations. There is nothing in the claims themselves that foreclose them to the analysis and determination being done in the human mind. The same requirements for these determinations (though perhaps phrased with different words) that humans in analogous situations may impose is well known. 
If a claim limitation, under its BRI, covers performance of the limitation in the mind but for the recitation of generic computer components, then it falls within the “mental process” grouping of abstract ideas. See MPEP 2106.04(a)(2)(III). Accordingly, the claims recite an abstract idea. This judicial exception is not integrated into a practical application. The additional elements beyond the abstract idea, taken both individually and as a combination, do not integrate the judicial exception into a practical application. The claim amounts to mere determination of information, which is a form of insignificant extra-solution activity. Adding insignificant extra-solution activity to the judicial exception does not integrate a judicial exception into a practical application or provide significantly more because this type of recitation is equivalent to the words “apply it” - see MPEP 2106.05(g). The claim recites at a high level of generality the actions performed such that it amounts to no more than mere instructions to apply the exception using a generic computer element. The process behind the results of the claims is absent – only the mere idea of their outcome is recited. No actual improvements to these determinations are asserted – only the process and its resulting outcome. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. See MPEP 2106.04(d)(1). The claims are directed to an abstract idea. The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional elements amount to no more than mere instructions to apply the exception using a generic computer component. 
Additionally, there is no proposed improvement to the process of determination, nor how they are carried out. The determination of malicious activity is performed without any substantive additional steps related to malicious activity. Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept. See MPEP 2106.05. The claim is not patent eligible.

Claim 8 recites “determining…that a first temporary identifier (ID) and a first static ID are associated during a first time period”, “determining…that the first temporary ID is associated with a second network entity during a second time period”, “determining…that the second network entity is associated with malicious network activity”, and “sending, to a computing device, a notification message”. The determining limitation, as drafted, is a process that, under its broadest reasonable interpretation (BRI) covers performance in the mind with aid of a (e.g., pen and paper), because the claims read on determination of IDs and their respective associations, and sending a notification message. There is nothing in the claims themselves that foreclose them to the analysis and determination being done in the human mind. The same requirements for these determinations (though perhaps phrased with different words) that humans in analogous situations may impose is well known. If a claim limitation, under its BRI, covers performance of the limitation in the mind but for the recitation of generic computer components, then it falls within the “mental process” grouping of abstract ideas. See MPEP 2106.04(a)(2)(III). Accordingly, the claims recite an abstract idea. This judicial exception is not integrated into a practical application. The additional elements beyond the abstract idea, taken both individually and as a combination, do not integrate the judicial exception into a practical application.
The claim amounts to mere determination of information, which is a form of insignificant extra-solution activity. Adding insignificant extra-solution activity to the judicial exception does not integrate a judicial exception into a practical application or provide significantly more because this type of recitation is equivalent to the words “apply it” - see MPEP 2106.05(g). The claim recites at a high level of generality the actions performed such that it amounts to no more than mere instructions to apply the exception using a generic computer element. The process behind the results of the claims is absent – only the mere idea of their outcome is recited. No actual improvements to these determinations are asserted – only the process and its resulting outcome. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. See MPEP 2106.04(d)(1). The claims are directed to an abstract idea. The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional elements amount to no more than mere instructions to apply the exception using a generic computer component. additionally, there is no proposed improvement to the process of determination, nor how they are carried out. The determination of malicious activity is performed without any substantive additional steps related to malicious activity. Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept. See MPEP 2106.05. The claim is not patent eligible. Claim 12 recites “determining…that the second static ID is associated with anomalous behavior” and “determining...that the second network entity is associated with malicious network activity”. 
The determining limitation, as drafted, is a process that, under its broadest reasonable interpretation (BRI) covers performance in the mind with aid of a (e.g., pen and paper), because the claims read on determination of IDs and their respective associations. There is nothing in the claims themselves that foreclose them to the analysis and determination being done in the human mind. The same requirements for these determinations (though perhaps phrased with different words) that humans in analogous situations may impose is well known. If a claim limitation, under its BRI, covers performance of the limitation in the mind but for the recitation of generic computer components, then it falls within the “mental process” grouping of abstract ideas. See MPEP 2106.04(a)(2)(III). Accordingly, the claims recite an abstract idea. This judicial exception is not integrated into a practical application. The additional elements beyond the abstract idea, taken both individually and as a combination, do not integrate the judicial exception into a practical application. The claim amounts to mere determination of information, which is a form of insignificant extra-solution activity. Adding insignificant extra-solution activity to the judicial exception does not integrate a judicial exception into a practical application or provide significantly more because this type of recitation is equivalent to the words “apply it” - see MPEP 2106.05(g). The claim recites at a high level of generality the actions performed such that it amounts to no more than mere instructions to apply the exception using a generic computer element. The process behind the results of the claims is absent – only the mere idea of their outcome is recited. No actual improvements to these determinations are asserted – only the process and its resulting outcome. 
Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. See MPEP 2106.04(d)(1). The claims are directed to an abstract idea. The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional elements amount to no more than mere instructions to apply the exception using a generic computer component. additionally, there is no proposed improvement to the process of determination, nor how they are carried out. The determination of malicious activity is performed without any substantive additional steps related to malicious activity. Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept. See MPEP 2106.05. The claim is not patent eligible. Claim 15 recites “determining…that a network entity uniquely identified by the second static ID is associated with malicious network activity” and “sending, to a computing device, a notification message”. The determining limitation, as drafted, is a process that, under its broadest reasonable interpretation (BRI) covers performance in the mind with aid of a (e.g., pen and paper), because the claims read on determination of IDs and their respective associations, and sending a notification message. There is nothing in the claims themselves that foreclose them to the analysis and determination being done in the human mind. The same requirements for these determinations (though perhaps phrased with different words) that humans in analogous situations may impose is well known. If a claim limitation, under its BRI, covers performance of the limitation in the mind but for the recitation of generic computer components, then it falls within the “mental process” grouping of abstract ideas. 
See MPEP 2106.04(a)(2)(III). Accordingly, the claims recite an abstract idea. This judicial exception is not integrated into a practical application. The additional elements beyond the abstract idea, taken both individually and as a combination, do not integrate the judicial exception into a practical application. The claim amounts to mere determination of information, which is a form of insignificant extra-solution activity. Adding insignificant extra-solution activity to the judicial exception does not integrate a judicial exception into a practical application or provide significantly more because this type of recitation is equivalent to the words “apply it” - see MPEP 2106.05(g). The claim recites at a high level of generality the actions performed such that it amounts to no more than mere instructions to apply the exception using a generic computer element. The process behind the results of the claims is absent – only the mere idea of their outcome is recited. No actual improvements to these determinations are asserted – only the process and its resulting outcome. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. See MPEP 2106.04(d)(1). The claims are directed to an abstract idea. The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional elements amount to no more than mere instructions to apply the exception using a generic computer component. additionally, there is no proposed improvement to the process of determination, nor how they are carried out. The determination of malicious activity is performed without any substantive additional steps related to malicious activity. 
Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept. See MPEP 2106.05. The claim is not patent eligible. Claim 18 recites “determining…that the network entity uniquely identified by the second static ID is associated with anomalous behavior” and “determining…that the network entity is associated with malicious network activity”. The determining limitation, as drafted, is a process that, under its broadest reasonable interpretation (BRI) covers performance in the mind with aid of a (e.g., pen and paper), because the claims read on determination of IDs and their respective associations. There is nothing in the claims themselves that foreclose them to the analysis and determination being done in the human mind. The same requirements for these determinations (though perhaps phrased with different words) that humans in analogous situations may impose is well known. If a claim limitation, under its BRI, covers performance of the limitation in the mind but for the recitation of generic computer components, then it falls within the “mental process” grouping of abstract ideas. See MPEP 2106.04(a)(2)(III). Accordingly, the claims recite an abstract idea. This judicial exception is not integrated into a practical application. The additional elements beyond the abstract idea, taken both individually and as a combination, do not integrate the judicial exception into a practical application. The claim amounts to mere determination of information, which is a form of insignificant extra-solution activity. Adding insignificant extra-solution activity to the judicial exception does not integrate a judicial exception into a practical application or provide significantly more because this type of recitation is equivalent to the words “apply it” - see MPEP 2106.05(g). 
The claim recites at a high level of generality the actions performed such that it amounts to no more than mere instructions to apply the exception using a generic computer element. The process behind the results of the claims is absent – only the mere idea of their outcome is recited. No actual improvements to these determinations are asserted – only the process and its resulting outcome. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. See MPEP 2106.04(d)(1). The claims are directed to an abstract idea. The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional elements amount to no more than mere instructions to apply the exception using a generic computer component. Additionally, there is no proposed improvement to the process of determination, nor how they are carried out. The determination of malicious activity is performed without any substantive additional steps related to malicious activity. Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept. See MPEP 2106.05. The claim is not patent eligible.

Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Bengtson et al (US 2019/0349369 A1), hereinafter Bengtson in view of Furukawa US PG Pubs. 20210367957.

Regarding Claim 1, Bengtson discloses “A method comprising: determining, based on network log data, that a first temporary identifier (ID) and a first static ID are associated during a first time period” (Para. 0029 describes a data log analyzer, which is used to analyze log data including network addresses and credentials (i.e., temporary ID). Para. 0033 describes how the data log includes instance identifiers and static, public-facing IP addresses (i.e., static IDs)); “wherein the first static ID uniquely identifies a first network entity” (Para. 0060 describes how temporary network addresses may be converted to static, public-facing network addresses. It is well-known in the art that an IP address may represent a network entity, which could be anything from a user device or server to a network switch or printer); “determining, based on the network log data, that the first temporary ID is associated with a second network entity during a second time period” (Para. 0060 describes how a temporary address (i.e., example of a temporary ID) may be associated with the public-facing network address.
Figure 5B shows a time diagram of the determination and association process embodied in the instant application); “determining, based on the first temporary ID being associated with the first static ID during the first time period” (Para. 0060 and Figure 5B show that a server instance may be initialized with either static or temporary credentials, where these credentials may be a network address in an exemplary embodiment of the instant application); “and based on the first temporary ID being associated with the second network entity during the second time period, that the second network entity is associated with malicious network activity” (Para. 0025 describes how a malicious user (i.e., malicious network entity) may potentially use a set of server credentials (i.e., temporary ID) in order to gain access of a user’s account or information); “and sending, to a computing device, a notification message” (Para. 0010 describes how, upon determination of malicious activity, a variety of activities may be performed, such as preventing the second server instance from performing various tasks, or raising an alert to entities of the network); “wherein the notification message indicates the second network entity is associated with malicious network activity” (Para. 0058 describes how limits to the second server instance and network address (i.e., IDs of the second network entity) may be placed upon detection of malicious activity). Bengtson fails to explicitly teach, however Furukawa teaches the first static ID...is a different type of identifier than the first temporary (see par. 43; unique network name (static ID) and IP address (temporary) of the judgement log; see further pars. 60-62; where threat and abnormality is measured/identified using data including the unique network name and IP address from judgement log). 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Bengtson to incorporate the teachings of Furukawa to accurately analyze threats and abnormalities (see pars. 67-68 and figs. 4, 8, & 16).

Regarding Claim 2, Bengtson and Furukawa teach the method, Bengtson further discloses “The method of claim 1, wherein the first time period comprises a prior time period, and wherein the second time period comprises a current time period” (Figure 5B shows a time diagram of events occurring within the system environment. Each time marker, represented by T0-T5, represents a time point where each event occurs. If T0 is a past time period, then T1-T5 represents a current time period, depending when each event is observed or occurs).

Regarding Claim 3, Bengtson and Furukawa teach the method, Bengtson further discloses “The method of claim 1, wherein determining that the second network entity is associated with the malicious network activity comprises: determining, based on the first temporary ID being associated with the first static ID during the first time period” (Para. 0029 describes a data log analyzer, which is used to analyze log data including network addresses and credentials (i.e., temporary ID). Para. 0033 describes how the data log includes instance identifiers and static, public-facing IP addresses (i.e., static IDs)); “and based on the first temporary ID being associated with the second network entity during the second time period” (Para. 0060 describes how a temporary address (i.e., example of a temporary ID) may be associated with the public-facing network address.
Figure 5B shows a time diagram of the determination and association process embodied in the instant application); “that a second static ID that uniquely identifies the second network entity is associated with anomalous behavior” (The Abstract describes how a second server instance, implied to be a second network entity, may use network addresses that may be valid within the network (i.e., potential temporary ID)); “and determining, based on the second static ID being associated with the anomalous behavior, that the second network entity is associated with the malicious network activity” (Para. 0025 describes how a malicious user (i.e., malicious network entity) may potentially use a set of server credentials (i.e., temporary ID) in order to gain access of a user’s account or information).

Regarding Claim 4, Bengtson and Furukawa teach the method, Bengtson further discloses “The method of claim 1, wherein determining that the second network entity is associated with the malicious network activity comprises determining, based on the network log data, that the second network entity was associated with a second static ID, uniquely identifying the second network entity, during the first time period” (The Abstract describes how a second server instance, with a different network address, may request a network service during a time period. A network address may identify a network entity); “wherein the first time period is prior to the second time period” (Figure 5B shows a time diagram of events occurring within the system environment. Each time marker, represented by T0-T5, represents a time point where each event occurs. If T0 is a past time period, then T1-T5 represents a current time period, depending when each event is observed or occurs).
Regarding Claim 5, Bengtson and Furukawa teach the method, Bengtson further discloses “The method of claim 1, wherein determining that the second network entity is associated with malicious network activity comprises: determining a second static ID that uniquely identifies the second network entity” (The Abstract describes how a second server instance, implied to be a second network entity, may use network addresses that may be valid within the network (i.e., potential temporary ID)); “and determining, based on historical network activity data associated with the second static ID, and based on the network log data, that the second network entity is associated with malicious network activity” (Para. 0025 describes how a malicious user (i.e., malicious network entity) may potentially use a set of server credentials (i.e., temporary ID) in order to gain access of a user’s account or information).

Regarding Claim 6, Bengtson and Furukawa teach the method, Bengtson further discloses “The method of claim 1, wherein the first temporary ID comprises an IP address, a domain name (DN), a fully qualified domain name (FQDN), a MAC address, a username, or an email address” (Para. 0002 describes examples of credentials, such as usernames and passwords).

Regarding Claim 7, Bengtson and Furukawa teach the method, Bengtson further discloses “The method of claim 1, wherein the first static ID comprises a universally-unique identifier (UUID)” (Para. 0050 describes the use of static IP addresses, where the information may be regional or global. IP addresses, as known in the art, are used for uniquely identifying a network entity).

Regarding Claim 8, Bengtson discloses “A method comprising: determining, based on network log data, that a first temporary identifier (ID) and a first static ID are associated during a first time period” (Para. 0029 describes a data log analyzer, which is used to analyze log data including network addresses and credentials (i.e., temporary ID). Para.
0033 describes how the data log includes instance identifiers and static, public-facing IP addresses (i.e., static IDs)); “wherein the first static ID is associated with a first network entity” (Para. 0060 describes how temporary network addresses may be converted to static, public-facing network addresses. It is well-known in the art that an IP address represents a network entity, which could be anything from a user device or server to a network switch or printer); “determining, based on the network log data, that the first temporary ID is associated with a second network entity during a second time period” (Para. 0060 describes how a temporary address (i.e., example of a temporary ID) may be associated with the public-facing network address. Figure 5B shows a time diagram of the determination and association process embodied in the instant application); “determining, based on historical network activity data associated with a second static ID,” (The Abstract describes how a second server instance, implied to be a second network entity, may use network addresses that may be valid within the network (i.e., potential temporary ID)); “and based on the network log data, that the second network entity is associated with malicious network activity” (Para. 0025 describes how a malicious user (i.e., malicious network entity) may potentially use a set of server credentials (i.e., temporary ID) in order to gain access of a user’s account or information); “and sending, to a computing device, a notification message” (Para. 0010 describes how, upon determination of malicious activity, a variety of activities may be performed, such as preventing the second server instance from performing various tasks, or raising an alert to entities of the network); “wherein the notification message indicates the second network entity is associated with malicious network activity” (Para. 
0058 describes how limits to the second server instance and network address (i.e., IDs of the second network entity) may be placed upon detection of malicious activity). Bengtson fails to explicitly teach, however Furukawa teaches the first static ID...is a different type of identifier than the first temporary (see par. 43; unique network name (static ID) and IP address (temporary) of the judgement log; see further pars. 60-62; where threat and abnormality is measured/identified using data including the unique network name and IP address from judgement log). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Bengtson to incorporate the teachings of Furukawa to accurately analyze threats and abnormalities (see pars. 67-68 and figs. 4, 8, & 16).

Regarding Claim 9, Bengtson and Furukawa teach the method, Bengtson further discloses “The method of claim 8, wherein the first static ID uniquely identifies the first network entity, and wherein the second static ID uniquely identifies the second network entity” (Para. 0060 describes how temporary network addresses may be converted to static, public-facing network addresses. It is well-known in the art that an IP address represents a network entity, which could be anything from a user device or server to a network switch or printer. The Abstract describes how a second server instance, implied to be a second network entity, may use network addresses that may be valid within the network (i.e., potential temporary ID)).
Regarding Claim 10, Bengtson and Furukawa teach the method, Bengtson further discloses “The method of claim 8, wherein the historical network activity data is indicative of the second network entity being associated with the second static ID during the first time period” (The Abstract describes how a second server instance, implied to be a second network entity, may use network addresses that may be valid within the network (i.e., potential temporary ID)).

Regarding Claim 11, Bengtson and Furukawa teach the method, Bengtson further discloses “The method of claim 8, wherein the first time period is prior to the second time period” (Figure 5B shows a time diagram of events occurring within the system environment. Each time marker, represented by T0-T5, represents a time point where each event occurs. If T0 is a past time period, then T1-T5 represents a current time period, depending when each event is observed or occurs).

Regarding Claim 12, Bengtson and Furukawa teach the method, Bengtson further discloses “The method of claim 8, wherein determining that the second network entity is associated with the malicious network activity comprises: determining, based on the first temporary ID being associated with the first static ID during the first time period” (Para. 0029 describes a data log analyzer, which is used to analyze log data including network addresses and credentials (i.e., temporary ID). Para. 0033 describes how the data log includes instance identifiers and static, public-facing IP addresses (i.e., static IDs)); “and based on the first temporary ID being associated with the second network entity during the second time period, that the second static ID is associated with anomalous behavior” (Para.
0025 describes how a malicious user (i.e., malicious network entity) may potentially use a set of server credentials (i.e., temporary ID) in order to gain access of a user’s account or information); “and determining, based on the second static ID being associated with the anomalous behavior, that the second network entity is associated with the malicious network activity” (Para. 0025 describes how a malicious user (i.e., malicious network entity) may potentially use a set of server credentials (i.e., temporary ID) in order to gain access of a user’s account or information).

Regarding Claim 13, Bengtson and Furukawa teach the method, Bengtson further discloses “The method of claim 8, wherein the first temporary ID comprises an IP address, a domain name (DN), a fully qualified domain name (FQDN), a MAC address, a username, or an email address” (Para. 0002 describes examples of credentials, such as usernames and passwords).

Regarding Claim 14, Bengtson and Furukawa teach the method, Bengtson further discloses “The method of claim 8, wherein the first static ID comprises a first universally-unique identifier (UUID), and wherein the second static ID comprises a second UUID” (Para. 0050 describes the use of static IP addresses, where the information may be regional or global. IP addresses, as known in the art, are used for uniquely identifying a network entity).

Regarding Claim 15, Bengtson discloses “A method comprising: determining, based on network log data indicating a first temporary identifier (ID) is associated with a first static ID during a first time period” (Para. 0029 describes a data log analyzer, which is used to analyze log data including network addresses and credentials (i.e., temporary ID). Para.
0033 describes how the data log includes instance identifiers and static, public-facing IP addresses (i.e., static IDs)); “and based on the network log data indicating the first temporary ID is associated with a second static ID during a second time period” (Para. 0060 describes how a temporary address (i.e., example of a temporary ID) may be associated with the public-facing network address. Figure 5B shows a time diagram of the determination and association process embodied in the instant application); “that a network entity uniquely identified by the second static ID is associated with malicious network activity” (Para. 0025 describes how a malicious user (i.e., malicious network entity) may potentially use a set of server credentials (i.e., temporary ID) in order to gain access of a user’s account or information); “and sending, to a computing device, a notification message” (Para. 0010 describes how, upon determination of malicious activity, a variety of activities may be performed, such as preventing the second server instance from performing various tasks, or raising an alert to entities of the network); “wherein the notification message indicates the network entity is associated with the malicious network activity” (Para. 0058 describes how limits to the second server instance and network address (i.e., IDs of the second network entity) may be placed upon detection of malicious activity). Bengtson fails to explicitly teach, however Furukawa teaches the first static ID...is a different type of identifier than the first temporary (see par. 43; unique network name (static ID) and IP address (temporary) of the judgement log; see further pars. 60-62; where threat and abnormality is measured/identified using data including the unique network name and IP address from judgement log).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Bengtson to incorporate the teachings of Furukawa to accurately analyze threats and abnormalities (see pars. 67-68 and figs. 4, 8, & 16).

Regarding Claim 16, Bengtson and Furukawa teach the method, Bengtson further discloses “The method of claim 15, wherein the first time period comprises a prior time period, and wherein the second time period comprises a current time period” (Figure 5B shows a time diagram of events occurring within the system environment. Each time marker, represented by T0-T5, represents a time point where each event occurs. If T0 is a past time period, then T1-T5 represents a current time period, depending when each event is observed or occurs).

Regarding Claim 17, Bengtson and Furukawa teach the method, Bengtson further discloses “The method of claim 15, wherein the first static ID uniquely identifies another network entity” (Para. 0028 describes how a set of credentials, including a network address (i.e., static ID), may be assigned to another server instance (i.e., another network entity)).

Regarding Claim 18, Bengtson and Furukawa teach the method, Bengtson further discloses “The method of claim 15, wherein determining that the network entity is associated with the malicious network activity comprises: determining, based on the first temporary ID being associated with the first static ID during the first time period, and based on the first temporary ID being associated with the second static ID during the second time period, that the network entity uniquely identified by the second static ID is associated with anomalous behavior and determining, based on the network entity uniquely identified by the second static ID being associated with the anomalous behavior, that the network entity is associated with the malicious network activity” (Para.
0025 describes how a malicious user (i.e., malicious network entity) may potentially use a set of server credentials (i.e., temporary ID) in order to gain access of a user’s account or information).

Regarding Claim 19, Bengtson and Furukawa teach the method, Bengtson further discloses “The method of claim 15, wherein the first temporary ID comprises an IP address, a domain name (DN), a fully qualified domain name (FQDN), a MAC address, a username, or an email address associated with another network entity” (Para. 0002 describes examples of credentials, such as usernames and passwords. Usernames and passwords may be used across a variety of network entities to access a single account).

Regarding Claim 20, Bengtson and Furukawa teach the method, Bengtson further discloses “The method of claim 15, wherein the first static ID comprises a universally-unique identifier (UUID) for another network entity” (Para. 0050 describes the use of static IP addresses, where the information may be regional or global. IP addresses, as known in the art, are used for uniquely identifying a network entity. IP addresses, upon expiration of a lease or at the discretion of a user, may be used for a different network identity).

Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The references present in PTO-892 are cited to further demonstrate the state of the art with respect to network entity and identification tracking for a variety of network entities.

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.
In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Alexandria C Rodriguez whose telephone number is (703)756-1827. The examiner can normally be reached 08:00 - 16:00 Eastern. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge L Ortiz-Criado can be reached on (571)272-7624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/ELENI A SHIFERAW/
Supervisory Patent Examiner, Art Unit 2497

Prosecution Timeline

Jan 25, 2023
Application Filed
Nov 27, 2024
Non-Final Rejection mailed — §101, §103
Apr 28, 2025
Response Filed
Oct 31, 2025
Final Rejection mailed — §101, §103
Dec 23, 2025
Response after Non-Final Action
Apr 09, 2026
Request for Continued Examination
Apr 19, 2026
Response after Non-Final Action

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 7983414
PROTECTED CRYPTOGRAPHIC CALCULATION
6y 4m to grant Granted Jul 19, 2011
Patent 7984512
INTEGRATING SECURITY BY OBSCURITY WITH ACCESS CONTROL LISTS
4y 1m to grant Granted Jul 19, 2011
Patent 7965844
SYSTEM AND METHOD FOR PROCESSING USER DATA IN AN ENCRYPTION PIPELINE
4y 3m to grant Granted Jun 21, 2011
Patent 7954164
METHOD OF COPY DETECTION AND PROTECTION USING NON-STANDARD TOC ENTRIES
6y 7m to grant Granted May 31, 2011
Patent 7954156
METHOD TO ENHANCE PLATFORM FIRMWARE SECURITY FOR LOGICAL PARTITION DATA PROCESSING SYSTEMS BY DYNAMIC RESTRICTION OF AVAILABLE EXTERNAL INTERFACES
1y 10m to grant Granted May 31, 2011
Based on 5 most recent grants.

Prosecution Projections

2-3
Expected OA Rounds
38%
Grant Probability
73%
With Interview (+35.3%)
4y 3m (~11m remaining)
Median Time to Grant
Moderate
PTA Risk
Based on 133 resolved cases by this examiner. Grant probability derived from career allowance rate.