DETAILED ACTION
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
This Office Action is in response to the communication filed on 8/5/2025.
Claims 2-4 have been canceled.
Claims 1 and 11-12 have been amended.
Claims 1 and 5-12 are pending for consideration.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Specification
The lengthy specification has not been checked to the extent necessary to determine the presence of all possible minor errors. Applicant’s cooperation is requested in correcting any errors of which applicant may become aware in the specification.
Response to Arguments
Applicant’s arguments with respect to claim(s) 1 and 5-12 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1, 5-6 and 10-12 are rejected under 35 U.S.C. 103 as being unpatentable over Stolte et al. (US 10691796) (hereinafter Stolte) in view of Sajja et al. (US 12321396) (hereinafter Sajja).
Regarding claim 1, Stolte discloses an analysis apparatus comprising: a memory storing instructions (Stolte: paragraph (128), “Many of the above-described features and applications are implemented as software processes that are specified as a set of instructions recorded on a computer readable storage medium (also referred to as computer readable medium). When these instructions are executed by one or more processing unit(s) (e.g., one or more processors, cores of processors, or other processing units), they cause the processing unit(s) to perform the actions indicated in the instructions”); and one or more processors configured to execute the instructions to:
collect historical information on an operational history for a program executed in a system to be analyzed (Stolte: paragraphs (23) and (44), “Tools and processes 425-480 collect data for authentication, access, and proxy events for different applications. The security related data in some embodiments is collected by directing a set of machine-executable processes to examine the operating environment of the applications while the applications are executing…the event data is stored and the stored data 405 is then used by security risk determination subsystem 325 for analyzing and identifying the security risks 330. In other embodiments, security related data is analyzed and the security risks 330 are identified as the event data is collected while the applications are executing on the computer system.”);
add to the historical information, external information obtained from an information resource other than an information processing apparatus that executes the program (Stolte: paragraphs (47) and (48), “(47) The process then combines and correlates (at 510) the received security related data using a common data model. For instance, the data integration and correlation component 482 in FIG. 4 maps the security related raw data 405 into a common model”… “The method then determines (at 520) application security risks by analyzing the correlated data regarding the indicators of attack and application related issues. For instance, application event analysis component 490 in FIG. 4 analyzes the correlated data regarding the indicators of attack and configuration issues to identify application security issues and risks”); and
perform a risk determining processing for determining based on preset determining condition, whether to involve security risk in the historical information to which the external information is added (Stolte: paragraphs (47-49), “application event analysis component 490 in FIG. 4 analyzes the correlated data regarding the indicators of attack and configuration issues to identify application security issues and risks 497. The event data regarding application security issues and risks includes adding or removing security checkpoints for different applications, the configuration and the current version of the applications, the configuration of computers in the computer system, and collected indicators of attacks and compromise.”… “the identified security issues and risks 330 in FIG. 4 are stored for further analysis”).
Stolte does not explicitly disclose the following limitations which are disclosed by Sajja, the external information comprising geographical information indicating a geographical element for a data route, logical information indicating a logical element indicating a logical structure for the data route, and functional information indicating a functional element for a function of the data route (Sajja: paragraphs (36), (56) and (69), “Machine data can include system logs, network packet data, sensor data, application program data, error logs, stack traces, system performance data, etc. In general, machine data can also include performance data, diagnostic information, and many other types of data that can be analyzed to diagnose performance problems, monitor user interactions, and to derive other insights”…“a monitoring component 112 may be configured to collect device performance information by monitoring one or more client device operations, or by making calls to an operating system and/or one or more other applications executing on a client device 102 for performance information. 
Device performance information may include, for instance, a current wireless signal strength of the device, a current connection type and network carrier, current memory performance information, a geographic location of the device, a device orientation, and any other information related to the operational state of the client device”; and paragraphs (36), (146-147) (289), “the “clientip” field has been extracted from all the events comprising the “clientip” field where the source type is “access_combined,” the query search engine can then execute the field criteria by performing the compare operation to filter out the events where the “clientip” field equals “127.0.0.1.”); and perform, by classifying into the geographical element, the logical element and the functional element, the historical information to which the external information is added, a risk determining processing (Sajja: paragraphs (41), (147), (368-369) and (373), “In the data intake and query system, machine data are collected and stored as “events”. An event comprises a portion of machine data and is associated with a specific point in time.”… “detecting “notable events” that are likely to indicate a security threat. A notable event represents one or more anomalous incidents, the occurrence of which can be identified based on one or more events (e.g., time stamped portions of raw machine data) fulfilling pre-specified and/or dynamically-determined (e.g., based on machine-learning) criteria defined for that notable event. Examples of notable events include the repeated occurrence of an abnormal spike in network usage over a period of time, a single occurrence of unauthorized access to system, a host communicating with a server on a known threat list, and the like.”).
Stolte and Sajja are analogous art because they are from the same field of endeavor, data protection. Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art, having the teachings of Stolte and Sajja before him or her, to modify the system of Stolte to include an external information comprising geographical information, logical information, and functional information and classifying into the geographical element, the logical element and the functional element, the historical information to which the external information is added of Sajja. The suggestion/motivation for doing so would have been to facilitate analysis of a performance data by a developer of the client application or other users (Sajja: paragraph (63)).
Regarding claim 11, the claim 11 discloses a method claim that is substantially equivalent to the apparatus of claim 1. Therefore, the arguments set forth above with respect to claim 1 are equally applicable to claim 11 and rejected for the same reasons.
Regarding claim 12, the claim 12 discloses a medium claim that is substantially equivalent to the apparatus of claim 1. Therefore, the arguments set forth above with respect to claim 1 are equally applicable to claim 12 and rejected for the same reasons.
Regarding claim 5, Stolte as modified discloses wherein the external information includes information disclosed on internet (Stolte: paragraphs (4)-(5), “(4) The event data in some embodiments is collected by directing a set of machine-executable processes to examine the operating environment of the applications while the applications are executing. Different processes such as security information and event management (SEIM), data loss prevention (DLP), and cloud access security brokers (CASB) are utilized to identify and collect event data. These processes collect data for authentication, access, and proxy events. The event data in some embodiments is stored and the stored data is then used to analyze and identify the security events. In other embodiments, event data is analyzed as the event data is collected while the applications are executing on the computer system.”).
Regarding claim 6, Stolte as modified discloses wherein the external information includes information stored on the information resource included in an inner network that is accessible to an intermediate network separated from internet by a firewall and that is not accessible from the intermediate network (Stolte: paragraphs (19), (37-40) and (103), “The flaws also include weaknesses or lack of protection mechanisms such as firewalls or antivirus for accessing the applications.”… “collect authentication and access related data. Examples of security threat prevention tools include endpoint protection tools 425, security information and event management (SIEM) tools 430, data loss prevention (DLP) tools 435, cloud access security brokers (CASB) tools 440, threat intelligence data collection tools 450, antivirus software 455, and firewall”).
Regarding claim 10, Stolte as modified discloses an analysis system comprising the analysis apparatus according to claim 1 (Stolte: paragraphs (23) and (44), “Tools and processes 425-480 collect data for authentication, access, and proxy events for different applications. The security related data in some embodiments is collected by directing a set of machine-executable processes to examine the operating environment of the applications while the applications are executing…the event data is stored and the stored data 405 is then used by security risk determination subsystem 325 for analyzing and identifying the security risks 330. In other embodiments, security related data is analyzed and the security risks 330 are identified as the event data is collected while the applications are executing on the computer system.”).
Claim(s) 7-9 are rejected under 35 U.S.C. 103 as being unpatentable over Stolte in view of Sajja, and further in view of Mahaffey et al. (US 20160099963) (hereinafter Mahaffey).
Regarding claim 7, Stolte in view of Sajja does not explicitly disclose the following limitation which is disclosed by Mahaffey, wherein the historical information is a data flow graph indicating a data route for exchange by the system to be analyzed (Mahaffey: paragraphs 0144-0145, “The security status information includes an overall mobile device security state as well as additional information about specific detected security events. The security event information is presented in various forms including: charts, graphs, graphical displays and text.”).
Stolte in view of Sajja and Mahaffey are analogous art because they are from the same field of endeavor, data management. Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art, having the teachings of Stolte in view of Sajja and Mahaffey before him or her, to modify the system of Stolte in view of Sajja to include a historical information is a data flow graph indicating a data route for exchange by a system to be analyzed of Mahaffey. The suggestion/motivation for doing so would have been to remediate or investigate issues as early as possible (Mahaffey: paragraph 0007).
Regarding claim 8, Stolte in view of Sajja does not explicitly disclose the following limitation which is disclosed by Mahaffey, wherein the historical information is information on system call invoked by the program (Mahaffey: paragraphs 0141, 0143, 0147 and 0426, “the local security component on the mobile device can identify security events by analyzing files or data stored on the device, messages such as function or system calls between components on the device, or network data flowing into or out of the device for security events.”).
Stolte in view of Sajja and Mahaffey are analogous art because they are from the same field of endeavor, data management. Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art, having the teachings of Stolte in view of Sajja and Mahaffey before him or her, to modify the system of Stolte in view of Sajja to include a historical information is information on system call invoked by a program of Mahaffey. The suggestion/motivation for doing so would have been to remediate or investigate issues as early as possible (Mahaffey: paragraph 0007).
Regarding claim 9, Stolte in view of Sajja does not explicitly disclose the following limitation which is disclosed by Mahaffey, wherein the historical information is information obtained by snapshotting the system to be analyzed during execution of the program (Mahaffey: paragraphs 0722 and 0819, “metadata may include, for example, a title of the application, a description of the application, a textual description, a graphical description (e.g., screenshots of the application—jpeg file format, png file format, gif file format),”).
Stolte in view of Sajja and Mahaffey are analogous art because they are from the same field of endeavor, data management. Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art, having the teachings of Stolte in view of Sajja and Mahaffey before him or her, to modify the system of Stolte in view of Sajja to include a historical information is information obtained by snapshotting a system to be analyzed during execution of a program of Mahaffey. The suggestion/motivation for doing so would have been to remediate or investigate issues as early as possible (Mahaffey: paragraph 0007).
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TRANG T DOAN whose telephone number is (571)272-0740. The examiner can normally be reached Monday-Friday 7-4 ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn D Feild can be reached on (571)272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/TRANG T DOAN/Primary Examiner, Art Unit 2431