Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Arguments
Applicant’s arguments filed 12/17/2025 have been fully considered and are moot in view of the new grounds of rejection presented herein.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1-3, 5-8, 13, 15, 21-22, and 42-43 are rejected under 35 U.S.C. 103 as being unpatentable over US 20200204574 to Christian in view of US 6,651,099 to Dietz and further in view of US 20230283621 to Techentin.
Regarding claim 1, Christian teaches an endpoint agent configured, when executed on an endpoint device at a termination point of data exchange of a local network, to:
access, via a local traffic access function of the endpoint device, network traffic local to the endpoint device, the local network traffic comprising (¶ 52-53, monitoring of local traffic):
copies of all outgoing packets sent from a network interface of the endpoint device to a packet-switched network and carrying in their payloads outbound payload data generated by one or more processes executed on the endpoint device, and copies of all incoming packets received at the network interface from the packet-switched network and carrying in their payloads inbound payload data intended for the one or more processes executed on the endpoint device (¶ 39, 53, copy of all outgoing and incoming data packets);
extract network traffic telemetry from the headers and the payloads of the copies of the outgoing and incoming packets, the extracted network traffic telemetry including header data of the incoming and outgoing packets (¶ 39-41, extracting data from headers and payloads of copies of packets), and
additionally summarizing the outbound and inbound payload data of the outgoing and incoming packets (¶ 5, 37, 47-49),
transmit, to a cybersecurity service, a series of network telemetry records identifying all new network flows observed by the endpoint agent, and containing the extracted network traffic telemetry that includes the header data and summarizes the payload data for use in performing a cybersecurity threat analysis (pg. 229-230, transmitting of summary reports identifying network flows for threat analysis).
Christian fails to teach, but Dietz teaches:
wherein said extracting comprises processing each packet to determine whether the packet constitutes the start of a network flow or pertains to an existing network flow (abstract, col. 6:15-30).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include the teachings of Dietz. The motivation to do so is that the teachings of Dietz would have been advantageous in terms of facilitating packet classification and flow progress (Dietz, col. 4:40-67).
Christian fails to teach but Techentin teaches: generating a summary in the form of structured metadata (¶ 4, 108).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include the teachings of Techentin. The motivation to do so is that the teachings of Techentin would have been advantageous in terms of facilitating the succinct characterization of data transmissions (Techentin, ¶ 4).
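To make the claim 1 elements as mapped above concrete (per-packet determination of whether a packet starts a flow or pertains to an existing flow, header extraction, payload summarization, and a series of structured telemetry records for new flows), the following Python is an added illustration written for this page. It is not code from the Office action, from the application under examination, or from the Christian, Dietz or Techentin references; the Packet layout, the bidirectional 5-tuple flow key, the choice of hash and entropy as the payload summary, and the sample packets are all constructed assumptions.

```python
"""Flow classification and structured telemetry records for an endpoint agent.
Added illustration with constructed input; not code from the Office action,
the application, or the cited references."""
import hashlib
import json
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Copy of one packet seen at the endpoint's network interface (assumed layout)."""
    ts: float        # local timestamp in seconds
    direction: str   # "out": sent by a local process; "in": received for one
    proto: str       # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


def flow_key(p: Packet) -> tuple:
    """Bidirectional 5-tuple: a request and its reply map to the same flow."""
    a, b = (p.src_ip, p.src_port), (p.dst_ip, p.dst_port)
    lo, hi = sorted((a, b))
    return (p.proto, lo, hi)


def entropy_from_hist(hist: list) -> float:
    """Shannon entropy in bits/byte from a 256-bin byte histogram."""
    n = sum(hist)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in hist if c)


class FlowTracker:
    """Per packet: new flow or existing flow?  Per flow: header data plus a
    payload summary (sizes, hash, entropy) rather than the payload bytes."""

    def __init__(self) -> None:
        self._flows: dict = {}

    def process(self, p: Packet) -> bool:
        """Fold one packet into its flow; return True if it started a new flow."""
        key = flow_key(p)
        st = self._flows.get(key)
        is_new = st is None
        if is_new:
            local, remote = (p.src_ip, p.src_port), (p.dst_ip, p.dst_port)
            if p.direction == "in":      # first packet seen was inbound
                local, remote = remote, local
            st = self._flows[key] = {
                "flow_id": hashlib.sha256(repr(key).encode()).hexdigest()[:16],
                "proto": p.proto, "local": local, "remote": remote,
                "first_seen": p.ts, "last_seen": p.ts,
                "packets": {"out": 0, "in": 0}, "bytes": {"out": 0, "in": 0},
                "hist": {"out": [0] * 256, "in": [0] * 256},
                "sha256": {"out": hashlib.sha256(), "in": hashlib.sha256()},
            }
        d = p.direction
        st["last_seen"] = p.ts
        st["packets"][d] += 1
        st["bytes"][d] += len(p.payload)
        st["sha256"][d].update(p.payload)
        for b in p.payload:
            st["hist"][d][b] += 1
        return is_new

    def records(self) -> list:
        """One structured, JSON-serialisable telemetry record per observed flow."""
        return [{
            "flow_id": st["flow_id"], "proto": st["proto"],
            "local_addr": "%s:%d" % st["local"], "remote_addr": "%s:%d" % st["remote"],
            "first_seen": st["first_seen"], "last_seen": st["last_seen"],
            "packets": dict(st["packets"]), "bytes": dict(st["bytes"]),
            "payload_summary": {d: {"sha256": st["sha256"][d].hexdigest(),
                                    "entropy": round(entropy_from_hist(st["hist"][d]), 3)}
                                for d in ("out", "in")},
        } for st in self._flows.values()]


# Constructed sample traffic: one HTTP exchange and one DNS lookup.
SAMPLE_PACKETS = [
    Packet(1.000, "out", "tcp", "10.0.0.5", 51234, "93.184.216.34", 80,
           b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    Packet(1.050, "in", "tcp", "93.184.216.34", 80, "10.0.0.5", 51234,
           b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"),
    Packet(1.200, "out", "udp", "10.0.0.5", 40001, "10.0.0.1", 53,
           bytes.fromhex("abcd01000001000000000000") + b"\x07example\x03com\x00\x00\x01\x00\x01"),
    Packet(1.210, "in", "udp", "10.0.0.1", 53, "10.0.0.5", 40001,
           bytes.fromhex("abcd81800001000100000000") + b"\x07example\x03com\x00\x00\x01\x00\x01"
           + bytes.fromhex("c00c00010001000001e000045db8d822")),
]


def run(packets=SAMPLE_PACKETS):
    """Return (per-packet new-flow flags, flow telemetry records)."""
    tracker = FlowTracker()
    flags = [tracker.process(p) for p in packets]
    return flags, tracker.records()


def telemetry_json(packets=SAMPLE_PACKETS) -> str:
    """The series of records as the agent would transmit it."""
    return json.dumps(run(packets)[1])


if __name__ == "__main__":
    flags, recs = run()
    print(json.dumps({"new_flow": flags, "records": recs}, indent=2))
```

Two design points matter for the claim language. The flow key is order-independent, so the HTTP response does not register as a second flow; only the first packet of each conversation yields `True` from `process`. And the record carries only header data plus a hash, byte counts and an entropy figure for each direction, so the payload itself never leaves the endpoint; a real agent would also infer `direction` from the capture point rather than trust a field on the packet.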
Regarding claims 2 and 43,
Christian teaches:
additionally monitor local activity by the processes at the endpoint device, and associate the series of network telemetry records with endpoint data about the local activity (¶ 40, 43, combining data records and behavior data).
Regarding claim 3,
Christian teaches:
match an incident of local activity by one of the processes with at least one packet of the incoming and/or outgoing packets, and thereby obtain one or more pieces of endpoint data related to the at least one packet, wherein at least one network telemetry record of the series of summary records is associated with the pieces of endpoint data, the at least one network telemetry record pertaining to the at least one packet with which the incident of local activity has been matched, wherein the one or more pieces of endpoint data optionally comprise details of the process and/or details of a parent process (¶ 39-43, session and behavior data associated with endpoint data packets).
Regarding claim 5,
Christian teaches:
perform said matching based on: a local timing of the incident of local activity and a local timing of the at least one packet, and/or header information of the at least one packet and corresponding information obtained via said monitoring of local activity (¶ 39-43, 61-62, matching based on header information data records and behavior data; linking data records and behavior data; matching access privileges of user in association with packets).
Regarding claim 6,
Christian fails to teach, but Dietz teaches:
wherein the incident of local activity is one of the processes establishing a flow, the at least one network telemetry record identifying the flow and containing information about the process that established the flow (abstract, col. 10:23-67, col. 11:1-27). Motivation to include the teachings of Dietz is the same as presented above.
Regarding claim 7,
Christian teaches:
wherein the incident of local activity is one of the processes accessing a file and the at least one network telemetry record contains information about the file (¶ 39, matching packets to file).
Regarding claim 8,
Christian teaches:
determine a user account associated with at least one packet of the incoming and/or outgoing packets, and associate at least one network telemetry record of the series of network telemetry records with user information of the user account, the at least one network telemetry record pertaining to the at least one packet (¶ 61-62, matching access privileges of user in association with packets).
Regarding claim 13,
Christian teaches:
wherein the local traffic access function is provided by a network activity application programming interface (API) of an operating system of the endpoint device (¶ 39-43, 61-62; ¶ 116, API), the endpoint agent configured to access the incoming and outgoing packets via the network activity API (¶ 39-43, 61-62; ¶ 116, API);
wherein the endpoint agent is configured to obtain, via the operating system of the endpoint device, a piece of endpoint data associated with one or more network packets of the incoming and/or outgoing packets, wherein at least one network telemetry record of the series of network telemetry records pertains to the one or more network packets with which the piece of endpoint data is associated, and the endpoint agent is configured to augment or enrich the at least one network telemetry record with the piece of endpoint data, or link at least one of the network telemetry records with at least one other record containing the piece of endpoint data and transmitted from the endpoint device to the cybersecurity service (¶ 40, 43, 61-62, linking data records and behavior data; matching access privileges of user in association with packets).
Regarding claim 15,
Christian teaches:
wherein the piece of endpoint data: comprises details of a process of the one or more processes that received and/or generated the one or more network packets, comprises details of a parent process of the one or more processes, the parent process being a parent of another process of the one or more processes that received and/or generated the one or more network packets, or user information of a user account associated with the one or more network packets, or information about a file associated with the one or more network packets (¶ 21, 38-39, 43, file information).
Regarding claim 21,
Christian teaches:
wherein the series of network telemetry records is generated independently of any local threat detection performed at the endpoint device (¶ 121, fig. 3, independent generation of records, e.g. protocol information).
Claim 22 is addressed by similar rationale as claim 1.
Regarding claim 42,
Christian teaches:
wherein the associating is performed by augmenting or enriching at least one of the network telemetry records with endpoint data or by linking at least one of the network telemetry records with at least one other record containing the endpoint data (¶ 40, 43, 61-62, linking data records and behavior data; matching access privileges of user in association with packets).
CONCLUSION
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to RYAN J JAKOVAC whose telephone number is (571)270-5003. The examiner can normally be reached from 8 AM to 4 PM EST. If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Oscar A. Louie, can be reached on 572-270-1684. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/RYAN J JAKOVAC/Primary Examiner, Art Unit 2445