Prosecution Insights
Last updated: April 19, 2026
Application No. 18/162,412

TECHNIQUES FOR CLOUD DETECTION AND RESPONSE FROM CLOUD LOGS UTILIZING A SECURITY GRAPH

Final Rejection §101, §103
Filed: Jan 31, 2023
Examiner: ABYANEH, ALI S
Art Unit: 2437
Tech Center: 2400 — Computer Networks
Assignee: Wiz Inc.
OA Round: 2 (Final)
Grant Probability: 78% (Favorable)
Expected OA Rounds: 3-4
Time to Grant: 3y 3m
Grant Probability With Interview: 99%

Examiner Intelligence

Career Allow Rate: 78%, above average (485 granted / 623 resolved; +19.8% vs TC avg)
Interview Lift: +55.6% (strong), measured on resolved cases with interview
Typical timeline: 3y 3m average prosecution; 23 currently pending
Career history: 646 total applications across all art units

Statute-Specific Performance

§101: 17.2% (-22.8% vs TC avg)
§103: 49.1% (+9.1% vs TC avg)
§102: 9.5% (-30.5% vs TC avg)
§112: 13.9% (-26.1% vs TC avg)
Tech Center averages are estimates. Based on career data from 623 resolved cases.

Office Action

§101, §103

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Claims 1-19 are pending. Claims 1, 8-11, 18 and 19 have been amended. In light of Applicant’s amendment, objections to claims 8, 9, 18 and 19 have been withdrawn.

Information Disclosure Statement PTO-1449

The Information Disclosure Statements submitted by applicant on 09-17-2025, 10-17-2025, 11-04-2025 and 11-26-2025 have been considered. Please see attached PTO-1449.

Response to Arguments

Applicant's arguments filed 11-26-2025 have been fully considered but they are not persuasive.

Applicant, with respect to the rejection of the claims under 35 USC 101, asserts: “The framework of the MPEP does not ask whether a toy version of the claim, as the Office Action alludes, can be performed in the human mind, but rather in this example - can the human mind practically detect an identifier of a cloud entity in a cloud log which includes a plurality of records generated by a cloud computing environment? The answer is no. Can the human mind practically detect a node in a security graph which includes a representation of a cloud computing environment? Again, the answer is no. Cloud computing environments are well known to be beyond what a human mind is capable of retaining in memory, and certainly beyond the capability of pen and paper. Finally, the human mind is not capable of initiating actions in a computing environment, let alone initiating a mitigation action in a cloud computing environment”.

In response, examiner submits that detection of an identifier in a cloud log is a form of data collection and data analysis, which is an abstract idea. The claim does not specify how the detection is technically performed or how it improves the functionality of a computer. A human could receive a cloud log including identifiers of an entity on a piece of paper and detect/identify an identifier of an entity written on the piece of paper. Detecting a node in a security graph based on the identifier amounts to receiving data (the identifier), analyzing/matching the data and identifying corresponding information (detecting a node) in a data structure. This is a form of data analysis and information organization which could be performed by a human. A human could look at a record/graph and detect a node by using the identifier. Initiating a mitigation action based on the cybersecurity threat amounts to analyzing information and applying a decision to initiate an action. Such activity could be performed conceptually by a human administrator monitoring a system and deciding to mitigate an issue (based on the cyberthreat). Additionally, merely saying “in the cloud computing environment” does not meaningfully limit the abstract idea. The cloud computing environment as claimed does not change an operation of a computer nor define a specific cloud architecture; it merely states where the abstract idea happens. Therefore, the abstract idea is not integrated into a practical application.

Applicant, with respect to the rejections of the claims under 35 USC 103, asserts that “In Mazumder, the protectible entities are generating the log of Mazumder. Therefore, the log of Mazumder is not a cloud log which includes a plurality of records generated by a cloud computing environment, as the claim recites, but rather a plurality of logs that are each generated by a single protectible entity. A protectible entity is not a cloud computing environment”.

In response, examiner submits that the claim broadly calls for “a cloud log”. Applicant’s claim simply does not place any limitation on what the cloud log is or how the cloud log could be different from other types of network log. Therefore the limitation has been interpreted broadly, but reasonably. It is noted that in the process of claim examination, claims are given their broadest reasonable interpretation. Further, while claims are examined in light of the specification, limitations are not read into the claim from the specification. Mazumder discloses generating first, second and Mth logs by a plurality of protectable entities 102A-102M. The generated logs are obtained directly or indirectly from the protectable entities 102A-102M by automatic graph-based detection logic to detect security threats (paragraphs [0023], [0025]). Mazumder furthermore discloses that each graph node of the association graph represents an entity (for example, a cloud subscription) from a plurality of entities or an event from a plurality of events (paragraph [0039]). Thus, based on the broadest reasonable interpretation, Mazumder’s teaching would apply to a cloud log and environment.

Applicant asserts that in Mazumder “the graph is generated based on the log and events...then there is no need to detect an identifier of a cloud entity in the cloud log and then detect a node in the graph based on the identifier of the cloud entity”. It is noted that the claim does not place any limitation on how the node is detected other than being detected based on an identifier, or on what a security graph is or includes other than including a representation of a cloud environment. Mazumder (paragraph [0039]) discloses that each graph node associated with the graph represents an entity from a plurality of entities. Examples of an entity include, but are not limited to, a user, an IP address, a client, etc., which are interpreted as identifiers of the nodes detected in the security graph.

Applicant asserts that “Mazumder does not teach that a mitigation action is initiated in a cloud computing environment, and certainly not that the mitigation action is based on a cybersecurity threat”. Examiner respectfully disagrees. Mazumder (paragraph [0020]) discloses that, by using a graph to automatically detect potential security threats, an amount of time and/or assets consumed to detect the potential security threats and/or to respond to the negative impacts that result from those security (cyber security) threats may be reduced. Therefore, Mazumder clearly discloses initiating a mitigation based on the cybersecurity threat. Although Mazumder does not explicitly state that the mitigation action is initiated in the cloud computing environment, Mazumder reasonably implies such an environment, because, as noted previously, Mazumder discloses that each graph node of the association graph represents an entity (for example, a cloud subscription) from a plurality of entities or an event from a plurality of events. Additionally, it is noted that the claim labels the computing environment as a cloud computing environment without specifying any cloud-specific structural component or operation. Labeling the computing environment as a “cloud” computing environment does not impose a meaningful structural or operational limitation beyond specifying a known environment of use, and does meaningfully narrow the scope of the claim. Therefore, absent any recited structural or operational limitations specific to cloud infrastructure, any known network environment could reasonably be interpreted as encompassing a “cloud computing environment”, since the claim does not distinguish the labeled cloud computing environment from other known network environments in any meaningful way.

Applicant asserts that in Pereira “it is clear that the IP address of Pereira is not a cloud entity, and the tree of Pereira is not the security graph of the claim”. Examiner respectfully disagrees. The claim does not limit the claimed node or cloud node to a specific type of entity. Under the broadest reasonable interpretation a node could be any data element within a graph. Pereira discloses an IP address tree (figure 1, IP address tree 120). Pereira discloses determining if the IP address is included in the tree/graph by looking up each IP address using an in-memory IP address tree and generating descriptive information about the threat posed by the IP address or any other suitable information (column 24, lines 1-24). As such, Pereira’s teaching is functionally equivalent to the limitation of the claim.

Claim Rejections - 35 USC § 101

35 U.S.C. 101 reads as follows: Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1-19 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. The claims, when analyzed under the 2019 Revised Patent Subject Matter Eligibility Guidance, are directed to an abstract idea. Claim 1, for example, recites a method and, therefore, is a process. The claim recites the limitations of “…detecting an identifier of a cloud entity in a cloud log…detecting a first node in a security graph based on the identifier…generating CDR event in response to determining from the security graph that the first node is associated with a cyber security threat; and initiating a mitigation action …”. These limitations, under the broadest reasonable interpretation, are directed to performance of the limitation in a human mind. That is, nothing in the claim element precludes the step from practically being performed in the mind. For example, the claim encompasses a human simply detecting/identifying an identifier of a cloud entity from a cloud log written, for example, on a piece of paper, and detecting/identifying a node based on the identifier by looking at a paper showing a graph that includes the nodes associated with a cybersecurity threat, in response to determining from the graph that the first node is associated with a cybersecurity threat, generating a CDR event on a piece of paper, and initiating a mitigation action. Thus, the claim recites a mental process when analyzed under step 2A prong 1.

The claim is further analyzed in step 2A prong 2, to evaluate whether the claim as a whole integrates the recited judicial exception into a practical application of the exception. This evaluation is performed by identifying whether there are any additional elements recited in the claim beyond the judicial exception, and evaluating those additional elements individually and in combination to determine whether the claim as a whole integrates the exception into a practical application. However, the remaining limitation (“cloud computing environment”) appears to be a generic computer environment/function which does not constitute a meaningful limitation that would amount to significantly more than the abstract idea. The combination of these additional elements is no more than generic computer functions. Thus, even in combination, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limitations on practicing the abstract idea.

The claim is additionally analyzed under Step 2B to evaluate whether the claim as a whole amounts to significantly more than the recited exception, i.e., whether any additional element, or combination of additional elements, adds an inventive concept to the claim. When the claims are evaluated under step 2B, it is no more than what is well-understood, routine, conventional activity in the field. The specification does not provide any indication of anything other than a generic computer component. The mere “detecting an identifier of a cloud entity in a cloud log…detecting a node in a security graph …generating CDR event…and initiating a mitigation action …” is a well-understood, routine and conventional function when it is claimed in a merely generic manner as it is here.

Independent claims 10 and 11 include limitations similar to the limitations of claim 1 and are rejected under 35 U.S.C. 101 as being directed to an abstract idea for the same reasons discussed above with respect to claim 1. Dependent claims 2-9 and 12-19 do not cure the deficiency of the independent claims and are directed to an abstract idea when analyzed under the 2019 Revised Patent Subject Matter Eligibility Guidance.

Information Disclosure Statement PTO-1449

The Information Disclosure Statements submitted by applicant on 07/29/2025, 05/19/2025, 01/16/2025, 11/06/2024, 09/06/2024, 08/13/2024, 07/19/2024, 06/03/2024, 04/11/2024, 12/20/2023, 11/07/2023, 10/26/2023, 06/23/2023 and 01/31/2023 have been considered. Please see attached PTO-1449.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-19 are rejected under 35 U.S.C. 103 as being unpatentable over Mazumder et al. (US Publication No. 2023/0102103), hereinafter Mazumder, in view of Pereira et al. (US Patent No. 10,887,333), hereinafter Pereira.

As per claims 1, 10 and 11, Mazumder discloses a method for detecting a cloud detection and response (CDR) event from a cloud log, comprising: detecting an identifier of a cloud entity in a cloud log (p[0022], “each of the protectable entity 102 A-102 M may be a processing system, and application, a service, a client, a user (e.g., a user ID)”; p[0023], “a log entry may indicate an action that is performed on the protectable entity by protectable entity”; p[0025], “the automatic graph-based detection logic 108 analyzes the logs and event 104A-104M, which are obtained directly or indirectly from the protectable entity 102A-102M, to detect security threats”), wherein the cloud log includes a plurality of records generated by a cloud computing environment (p[0023], “The protectable entities 102A-102M are configured to generate logs (a.k.a. log data) and/or events (e.g., security alerts). For instance, a first protectable entity 102A is shown to generate first logs and events 104A; a second protectable entity 102B is shown to generate second logs and events 104B; and an Mth protectable entity 102M is shown to generate Mth logs and events 104M”); detecting a first node in a security graph based on the identifier of the cloud entity, wherein the security graph includes a representation of the cloud computing environment (p[0026], “The automatic graph-based detection logic 108 identifies patterns in the Bayesian network. Each pattern includes at least one connection. Each connection is between a respective pair of network nodes”; p[0039], “each graph node of the association graph represents an entity from a plurality of entities or an event from a plurality of events. Examples of an entity include but are not limited to a user, an internet protocol (IP) address, an alert, a host (e.g., client host), a virtual machine (VM), a file, a cloud subscription, and a domain controller”); and initiating a mitigation action in the cloud computing environment based on the cybersecurity threat (p[0020], “techniques may prevent the negative impacts of the potential security threats from occurring in which case the amount of time and/or assets consumed to respond to the negative impacts may be avoided”; paragraph [0039] implies a cloud computing environment).

Mazumder does not explicitly disclose, but in an analogous art, Pereira discloses, generating a CDR event in response to determining from the security graph that the first node is associated with a cybersecurity threat (column 23, lines 6-11, “process 700 can look up each IP address using an in-memory IP address tree to determine whether the IP address is represented in the tree”; column 24, lines 1-24, “descriptive information about the threat potentially posed by the IP address (and/or any other suitable information) can be stored in connection with the IP address in the in-memory IP address tree. As another example, descriptive information about the threat potentially posed by the IP address (and/or any other suitable information) can be stored in a database (e.g., threat intelligence database 118)”). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Mazumder with Pereira. This would have been obvious because one of ordinary skill in the art would have been motivated to provide information about detected threats and malicious activity.

As per claims 2 and 12, Pereira furthermore discloses detecting the identifier of the cloud entity in a record of the cloud log; detecting the identifier of the cloud entity in a record of a second cloud log; and generating the CDR event in response to determining that the record of the cloud log and the record of the second log indicate together a cybersecurity threat (column 23, lines 58-65, “identify specific threat information associated with the IP address that was submitted by the user and/or that is universal threat that is common to all users of the threat intelligence system”; column 7, lines 50-59, universal IP addresses are universal to all (i.e., second, third, etc.) users, acquired from any suitable source, which corresponds to a record of a second cloud log). The motivation is similar to the motivation provided in claim 1.

As per claims 3 and 13, Pereira furthermore discloses parsing each record of the plurality of records to detect a predetermined data field; and detecting the identifier of the cloud entity based on a value of the predetermined data field (column 11, line 64 - column 12, line 14, “threat intelligence service 110 can use a network accessible services system to parse the log information 122. For example, threat intelligence service 110 can provide one or more portions of log information 122 to the network… log information 122 can be formatted as a string of comma separated values, where each value corresponds to an IP address (or other identifying information) to be analyzed”). The motivation is similar to the motivation provided in claim 1.

As per claims 4 and 14, Pereira furthermore discloses applying a policy to the cloud entity, wherein the policy includes a conditional rule (column 13, lines 23-32, “threat intelligence service 110 can create and/or update a set of network security rules (sometimes referred to as a security group) associated with one or more physical and/or virtual network interfaces (e.g., by submitting a request to an API associated with a service that provides computing device 102, such as a compute service) used by computing device 102 (and/or any other suitable computing devices associated with the user) to block communication to and/or from the IP address using a network interface using the security group”). The motivation is to regulate communication in accordance with rules and policies, providing protection against attacks and ensuring secure operation.

As per claims 5 and 15, Pereira furthermore discloses generating the CDR event further in response to determining that the cloud entity is in violation of the applied policy (column 23, line 58 - column 24, line 11, if the IP address from the log information matches an IP address in the IP address tree, the process 700 identifies specific threat information associated with the IP address submitted by the user, descriptive information about the threat being stored, for example, in a database). The motivation is similar to the motivation provided in claim 1.

As per claims 6 and 16, Pereira furthermore discloses generating a query based on an attribute of the cloud entity; and executing the query on the security graph (column 24, line 66 - column 25, line 44, “receive a request from a user to cancel their access to the threat intelligence service. In such an example, the request can serve as a request to remove all user-specific threat information submitted by the user…remove the threat information associated with the user for source(s) associated with the request…the IP address for which there is now no longer associated threat information can be removed from the in-memory IP address tree entirely”). The motivation is to allow access customization in accordance with the user’s desire and request.

As per claims 7 and 17, Mazumder furthermore discloses detecting a node representing the cybersecurity threat, wherein the node representing the cybersecurity threat is connected to a node representing the cloud entity (paragraph [0051], “a connection between the first network node and a third network node representing "network communication with a malicious machine detected"”).

As per claims 8 and 18, Mazumder furthermore discloses wherein the cybersecurity threat is any one of: a vulnerability, a misconfiguration, a public exposure detection, a vulnerability detection, a database exposure, a code vulnerability, an endpoint detection, a malware detection, a misconfiguration detection, a lateral movement detection, an exposed secret, and any combination thereof (p[0005], a potential security threat is a malicious action or event, corresponding to malware detection).

As per claims 9 and 19, Pereira furthermore discloses initiating the mitigation action to include any one of: revoking network access to a resource, revoking network access from a resource, modifying a permission of a principal, generating a ticket corresponding to the alert in a ticketing system, initiating an instruction to update a software on a resource, and a combination thereof (column 13, lines 46-49, “threat intelligence service 110 can suspend access by an account used to submit an API call from a suspected malicious IP address and/or otherwise revoke access by the account”). The motivation is similar: to achieve the predictable result of providing protection against malicious activities.

References Cited, Not Used

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.

Ahn (US Publication No. 2021/0203761) discloses that a computing system may identify packets received by a network device from a host located in a first network and may generate log entries corresponding to the packets received by the network device. The computing system may identify packets transmitted by the network device to a host located in a second network and may generate log entries corresponding to the packets transmitted by the network device. Utilizing the log entries corresponding to the packets received by the network device and the log entries corresponding to the packets transmitted by the network device, the computing system may correlate the packets transmitted by the network device with the packets received by the network device.

Sheriff et al. (US Publication No. 2023/0208855) discloses a method comprising: receiving, by a process, an executed function flow of a daisy chained serverless function-as-a-service (FaaS) function, the executed function flow having been injected with a particular trace identifier in response to an initial event trigger and span identifiers having been injected by each service that was executed; generating, by the process, a serverless flow graph associated with the particular trace identifier based on linking a path of serverless functions according to correlation of the span identifiers between the serverless functions; performing, by the process, a trace-based analysis of the serverless flow graph through comparison to a baseline of expectation; detecting, by the process, one or more anomalies in the serverless flow graph according to the trace-based analysis; and mitigating, by the process, the one or more anomalies in the serverless flow graph.

Conclusion

THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Ali Abyaneh, whose telephone number is (571) 272-7961. The examiner can normally be reached on Monday-Friday from 8:00-5:00. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Alexander Lagor, can be reached on (571) 270-5143. The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).

/ALI S ABYANEH/
Primary Examiner, Art Unit 2437

Prosecution Timeline

Jan 31, 2023: Application Filed
Aug 23, 2025: Non-Final Rejection — §101, §103
Nov 26, 2025: Response Filed
Feb 21, 2026: Final Rejection — §101, §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12603868: Endpoint Data Loss Prevention (2y 5m to grant; granted Apr 14, 2026)
Patent 12579259: SYSTEMS AND METHODS FOR INTELLIGENT CYBERSECURITY ALERT SIMILARITY DETECTION AND CYBERSECURITY ALERT HANDLING (2y 5m to grant; granted Mar 17, 2026)
Patent 12574374: PROVIDING ACCESS CONTROL AND IDENTITY VERIFICATION FOR COMMUNICATIONS WHEN INITIATING A COMMUNICATION TO AN ENTITY TO BE VERIFIED (2y 5m to grant; granted Mar 10, 2026)
Patent 12561465: VIRTUAL REPRESENTATION OF INDIVIDUAL IN COMPUTING ENVIRONMENT (2y 5m to grant; granted Feb 24, 2026)
Patent 12556553: NETWORK SECURITY AND RELATED APPARATUSES, METHODS, AND SECURITY SYSTEMS (2y 5m to grant; granted Feb 17, 2026)
Based on the 5 most recent grants.


Prosecution Projections

Expected OA Rounds: 3-4
Grant Probability: 78%
With Interview: 99% (+55.6%)
Median Time to Grant: 3y 3m
PTA Risk: Moderate
Based on 623 resolved cases by this examiner. Grant probability derived from career allow rate.
