EXTRACTION METHOD, EXTRACTION DEVICE, AND EXTRACTION PROGRAM

§101 §102 §103 §112

DETAILED ACTION Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Response to Arguments/Amendments On page 6 of the remarks, Applicant states that has revised the specification to remove "https://". Applicant respectfully requests that the objections be withdrawn. However, reamendment does cure the objection. MPEP 608.01, VII ask applicants to limit references to the top‑level domain name without any prefix such as “http:// or other browser‑executable code.” Although the MPEP wording explicitly calls out protocol prefixes (e.g., “http://”), a prefix in a top-level domain (TLD) refers to the part of a domain name that comes before the main domain name. For example, in the domain name www.example.com, "www" is a prefix, indicating that the website is part of the World Wide Web. Including “www.” is a hostname prefix/subdomain and can still be interpreted as part of a URL-like string that a browser could resolve, so it is treated that “www.virustotal.com” is browser‑executable. On page 6 of the remarks, Applicant states that the claims … “having been presently amended; and claims 8-10 having been added. Support for amended claims 1, 2.4. 6, and 7, and new claims 8- 10 can be found in the original claims. drawings. and specification as filed. No new matter has been added”. Applicant’s arguments have been fully considered but they are not persuasive. It is first to be noted, that Applicant’s point to “e.g. See, e.g., paragraphs [0045], [0064], and [0111]-[0114] of the published application; and Fig. 4” Applicant is reminded that support must be found in the originally filed specification. The amendments on the contrary adds new matter to the claims, as there is no support found on the cited portions or in the specification as filed, “receiving, by determination circuitry storing a trained machine learning model in a memory and acquiring, from the analysis engine, a history of actions taken by an analyst with respect to investigation of an indicator of compromise (IOC) included in the information on cyber security”. On page 7, with respect to the claims rejected under asserts that 35 U.S.C.112(a). Applicant respectfully submits that the rejections are overcome in light of the removal of the means-plus-function language. However, the Applicant has not provided any evidence or response as to how the amended cures the 112(a) rejections. The amendment or the portions cited fail to show adequate structure to perform the claimed function, or how such ‘acquiring” function is achieved. Applicant added new matter, not supported, and in light of the originally filed disclosure, in particular, the specification [0052]-[0059] states “The feature information extraction unit 21 functions as an extraction device having an acquisition unit and a creation unit, “acquisition unit acquires a history of actions” and later merely states “action history as described above can be easily obtained”. There is no disclosure of any particular structure, either explicitly or inherently, to perform the acquiring other than the desirable result statement that “can be easily obtained” and there is no explanation how the “analysis engine” acquired or obtained this history. In fact, nowhere in the specification the analysis engine obtains any history, this is simply not found anywhere. On page 7, Applicant argues that claims 1-7 are rejected under 35 U.S.C. 101. As discussed during the interview, the claims have been amended to include additional specific technological features. and submit that the claims are not directed to abstract mental processes that could be only performed in the mind as asserted in the Office Action. The examiner cannot concur with the Applicant’s assertions, as the rejection in the office action never stated that “to abstract mental processes that could be only performed in the mind”. Applicant then argues that “the claims recite the specific hardware of determination circuitry storing a trained machine learning model in a memory, and an analysis engine.”, mentions the 2019 PEG, states that “Claims that do not recite matter that falls within these enumerated groupings of abstract ideas should not be treated as reciting abstract ideas.” and as conclusory statement provides that “hardware in claim 1 is not an off-the-shelf general-purpose computer. The examiner cannot concur, Applicant appears to indicate that the new matter added to the claims “determination circuitry storing a trained machine learning model in a memory” is a specific hardware and that the claim do not recite matter that falls within the enumerated groupings. However, the Applicant fail to provide an explanation as to how any language of the amended claims avoids the claim to be directed to an abstract idea. The amended claims adding a determination circuitry storing a trained machine learning model in memory,” are generic computer components. In addition, the claims recite the previously indicated subject matter that falls under the indicated enumerated groupings. Merely applying a trained machine learning model to data is not enough to confer patent eligibility without more. The claim does not recite a particular machine learning architecture or a novel training method that improves computer technology. On page 7, Applicant then alleges “the Office Action does not address the specific claim language for each of the rejected claims. Thus, the Office Action does not provide a separate analysis of subject matter eligibility for each of the claims” The examiner cannot concur, and takes the argument to mean that the applicant perhaps did not notice the statements made in the office action that specifically address each claim in that all recites other forms of “creating”, with claim 5 further the specification support supports the plain meaning of “statistics” to be nothing more than by stating calculation, which uses mathematical calculations to create information. Which encompass mental choices or evaluations, and the claimed statistics performing mathematical calculations. The claim(s) does/do not include additional elements that are sufficient to amount to significantly more under step 2A and Sept 2B. Lastly, Applicant state, “Applicants submit that the present claims do not “preempt all uses” of the alleged abstract idea.”. The examiner cannot concur, since again, Applicant simply provide conclusory statements. Furthermore, as in MPEP 2106.04, “While preemption is the concern underlying the judicial exceptions, it is not a standalone test for determining eligibility. Rapid Litig. Mgmt. v. CellzDirect, Inc., 827 F.3d 1042, 1052, 119 USPQ2d 1370, 1376 (Fed. Cir. 2016). Instead, questions of preemption are inherent in and resolved by the two-part framework from Alice Corp. and Mayo (the Alice/Mayo test referred to by the Office as Steps 2A and 2B). Synopsys, Inc. v. Mentor Graphics Corp., 839 F.3d 1138, 1150, 120 USPQ2d 1473, 1483 (Fed. Cir. 2016); Ariosa Diagnostics, Inc. v. Sequenom, Inc., 788 F.3d 1371, 1379, 115 USPQ2d 1152, 1158 (Fed. Cir. 2015). It is necessary to evaluate eligibility using the Alice/Mayo test, because while a preemptive claim may be ineligible, the absence of complete preemption does not demonstrate that a claim is eligible.” On page 8, with respect to 35 U.S.C. 102(a)(1) rejections by Mitelman (US. PGPUB 2619/0340353), Applicant submits that amended independent claims 1, 6, and 7 recite novel features not taught by the applied reference. In particular, Applicant asserts that that Mitelman fails to teach “creating IOC feature information based on information obtained from the history of actions acquired by the acquiring, wherein the creating creates the feature information based on information on an elapsed time from a point in time when the action was performed within a predetermined time window,” And that Mitelman merely describes that time lines are considered are part of data representing the current state of a security threat investigation. And that it does not describe that IOC feature information is created based on information obtained from the history of actions acquired by the acquiring, and the creating creates the IOC feature information based on information on an elapsed time from a point in time when the action was performed within a predetermined time window, as recited in Applicant’s claim. Paragraph [0021] of Mitelman does not mention a time window that is a predetermined amount of time. The examiner cannot concur with the Applicant, and it is first to be noted that “predetermined amount of time” is not recited in the claim. Turning to Mitelman, it discloses creation of feature information and use of temporal features derived from analyst actions and timelines. Mitelman describes generating data representing the current state of an investigation and extracting features from observed analyst actions taken, including timeline considerations and temporal aspects of actions since as applicant acknowledged (¶ [0021] “engine 130, … is trained by observing the actions taken by … security analysts when (emphasis added) conducting security threat investigation”, the same section discussing data gathered during the investigation, time lines considered, steps already taken, and using observed actions as training data; further as relates to ¶¶ [0031], [0033] “actions that have already been taken by the security analyst”‘, [0049] discuss deriving features and using characteristics in recommendation/training). Mitelman’s disclosure of considering timelines and using observed analyst actions to form data used by the supervised ML engine correspond to discloses creation of feature information derived from elapsed time between actions or elapsed time from an action within a predetermined time window. The description that timelines are considered and that features are constructed from observed analyst actions, as readily understood by one with ordinary skill, means that temporal features (e.g., elapsed time from a point in time when an action was performed, within a considered window ‘history” observed actions taken when conducting investigation) are created and used as IOC related feature information. Thus, Mitelman does discloses creating IOC feature information based on the acquired history and specifically discloses generating features based on elapsed times and such time windows (per ¶ [0021] and related context disclosure). Specification The disclosure is objected to because it contains an embedded hyperlink and/or other form of browser-executable code. Applicant is required to delete the embedded hyperlink and/or other form of browser-executable code; references to websites should be limited to the top-level domain name without any prefix such as http:// or other browser-executable code. See MPEP § 608.01. Claim Interpretation In this case, the applicant has broadened the interpretation of the “an extraction device” by adding structure. Now, the amended limitations of claim 1 and claim 6 does not invoke 35 U.S.C. 112(f) (i.e., determination circuitry storing a trained machined learning model in a memory) to perform the functions. Because this amended claim limitation does not invoke 35 U.S.C. 112(f), it is not limited to the structure, materials, or acts in the specification and “equivalents thereof” for performing the claimed functions. Thus, the amended claim limitation is interpreted to cover not only the disclosed technique but all ways of performing the functions/steps. includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier. Such claim limitation(s) is/are: "an extraction device…acquiring" and "extraction device creating…" in claims 1-5. Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof. If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, applicant may: (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. Claim Rejections - 35 USC § 112 The following is a quotation of 35 U.S.C. 112(b): (b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention. The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph: The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention. Claim 1-5 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention. I regard to claims 1 and The applicant has broadened the interpretation of the “an extraction device” by adding structure. Now, the amended limitations of claim 1 and claim 6 does not invoke 35 U.S.C. 112(f) (i.e., determination circuitry storing a trained machined learning model in a memory) to perform the functions. Because this amended claim limitation does not invoke 35 U.S.C. 112(f), it is not limited to the structure, materials, or acts in the specification and “equivalents thereof” for performing the claimed functions. Thus, the amended claim limitation is interpreted to cover not only the disclosed technique but all ways of performing the functions/steps. The Claim limitations “extracting device…acquiring a history of actions taken by an analyst with respect to investigation of an indicator of compromise (IOC) included in information on cyber security” invokes 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. However, the written description fails to disclose the corresponding structure, material, or acts for performing the entire claimed function and to clearly link the structure, material, or acts to the function. The specification is devoid of adequate structure to perform the claimed function. In particular, the specification [0052]-[0059] states “The feature information extraction unit 21 functions as an extraction device having an acquisition unit and a creation unit, “acquisition unit acquires a history of actions” and later merely states “action history as described above can be easily obtained”. There is no disclosure of any particular structure, either explicitly or inherently, to perform the acquiring other than the desirable result statement that “can be easily obtained”. The use of the term “extracting device” or “an acquisition unit” is not adequate structure for performing the acquiring a history of actions taken by an analyst with respect to investigation of an indicator of compromise (IOC) included in information on cyber security” because it does not describe a particular structure for performing the function. As would be recognized by those of ordinary skill in the art, the term “acquiring” can be performed in any number of ways in hardware, software or a combination of the two. The specification does not provide sufficient details such that one of ordinary skill in the art would understand which structure or structures perform(s) the claimed function. Similarly, “extracting device …creating IOC feature information on the basis of information obtained from the history of actions acquired in the acquisition step by the acquiring” invokes 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. However, the written description fails to disclose the corresponding structure, material, or acts for performing the entire claimed function and to clearly link the structure, material, or acts to the function. There is no disclosure of any particular structure, either explicitly or inherently, to perform the acquiring other than the desirable result statement that “creates”. Regarding claim 2 to claim 5, other than desirable result functions of the “extraction unit for “creating”, do not cure the deficiencies identified above. Therefore, the claim is indefinite and is rejected under 35 U.S.C. 112(b) or pre-AIA 35 U.S.C. 112, second paragraph. Applicant may: (a) Amend the claim so that the claim limitation will no longer be interpreted as a limitation under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph; (b) Amend the written description of the specification such that it expressly recites what structure, material, or acts perform the entire claimed function, without introducing any new matter (35 U.S.C. 132(a)); or (c) Amend the written description of the specification such that it clearly links the structure, material, or acts disclosed therein to the function recited in the claim, without introducing any new matter (35 U.S.C. 132(a)). If applicant is of the opinion that the written description of the specification already implicitly or inherently discloses the corresponding structure, material, or acts and clearly links them to the function so that one of ordinary skill in the art would recognize what structure, material, or acts perform the claimed function, applicant should clarify the record by either: (a) Amending the written description of the specification such that it expressly recites the corresponding structure, material, or acts for performing the claimed function and clearly links or associates the structure, material, or acts to the claimed function, without introducing any new matter (35 U.S.C. 132(a)); or (b) Stating on the record what the corresponding structure, material, or acts, which are implicitly or inherently set forth in the written description of the specification, perform the claimed function. For more information, see 37 CFR 1.75(d) and MPEP §§ 608.01(o) and 2181. Regarding claim 4, claim 4 further recites “the analyst’s work pattern”. There is insufficient antecedent basis for this limitation in the claim. The following is a quotation of the first paragraph of 35 U.S.C. 112(a): (a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention. The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112: The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention. Claim 1, 2 and 4-10 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention. In regard to claims 1 and 6 the applicant has broadened the interpretation of the “an extraction device” for acquiring… and creating…by adding structure language. Now, the amended limitations of do not invoke 35 U.S.C. 112(f) (i.e., determination circuitry storing a trained machined learning model in a memory) to perform the functions. Because this amended claim limitation does not invoke 35 U.S.C. 112(f), it is not limited to the structure, materials, or acts in the specification and “equivalents thereof” for performing the claimed functions. Thus, the amended claim limitation is interpreted to cover not only the disclosed technique but all ways of performing the functions/steps. The amended limitations add new matter to the claims. Regarding claims 6 and 7, the claims are directed to generically “ determination circuitry” and CRM having a memory and processor and CRM soring programs that cause computer to perform a process, respectively, corresponding to the functions identified above of “acquiring a history of actions taken by an analyst with respect to investigation of an indicator of compromise (IOC) included in information on cyber security and “creating IOC feature information on the basis of information obtained from the history of actions acquired in the acquisition step by the acquiring”. The specification is still devoid of adequate description of “determination circuitry” to perform the claimed functions on acquiring and creating. The specification [0052]-[0059] merely states “The feature information extraction unit 21 functions as an extraction device having an acquisition unit and a creation unit, “acquisition unit acquires a history of actions” and later merely states “action history as described above can be easily obtained”. There is no disclosure of any particular structure, either explicitly or inherently, to perform the acquiring other than the desirable result statement that “can be easily obtained”. The use of the term “determination circuitry” is not adequate structure for performing the acquiring a history of actions taken by an analyst with respect to investigation of an indicator of compromise (IOC) included in information on cyber security” because it does not describe how the function is performed.. The specification does not provide sufficient details such that one of ordinary skill in the art would understand how the applicant intends to perform(s) the claimed function. Similarly, “…creating IOC feature information on the basis of information obtained from the history of actions acquired in the acquisition step by the acquiring”. However, the written description fails to disclose the corresponding adequate description for performing claimed functions. There is no disclosure of any particular either explicitly or inherently, to perform the acquiring and the desirable result statement that “creates”. Regrading claims 2, and 4-5, as described above, the disclosure does not provide adequate description to perform the claimed function of acquiring and creating. The specification does not demonstrate that applicant has made an invention that achieves the claimed function because the invention is not described with sufficient detail such that one of ordinary skill in the art can reasonably conclude that the inventor had possession of the claimed invention. However, the limitations in question do not satisfy the written description requirement under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph. The specification does not describe the limitation in sufficient detail so that one of ordinary skill in the art would recognize that the applicant had possession of the claimed invention. In this case the specification does not provide sufficient details to the as No algorithm or steps/procedure for performing the function are found explained at all or in sufficient detail and simply the specification restates the function recited in the claims. In MPEP 2161.01, "computer-implemented functional claim language must still be evaluated for sufficient disclosure under the written description". And MPEP 2161.01(I) "generic claim language in the original disclosure does not satisfy the written description requirement if it fails to support the scope of the genus claimed." For computer-implemented inventions, the determination of the sufficiency of disclosure will require an inquiry into the sufficiency of both the disclosed hardware and the disclosed software due to the interrelationship and interdependence of computer hardware and software. The critical inquiry is whether the disclosure of the application relied upon reasonably conveys to those skilled in the art that the inventor had possession of the claimed subject matter as of the filing date. Dependent claims 8-10 fall together accordingly. Claim Rejections - 35 USC § 101 35 U.S.C. 101 reads as follows: Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title. Claims 1,2 and 4-10 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. Claim Interpretation: Under the broadest reasonable interpretation, the terms of the claim are presumed to have their plain meaning consistent with the specification as it would be interpreted by one of ordinary skill in the art. See MPEP 2111. Claim 1, the claim(s) recite(s) An extraction method…, comprising: receiving, …an alert … wherein the alert is information on cyber security; acquiring a history of actions taken by an analyst with respect to investigation of an indicator of compromise (IOC) included in information on cyber security and creating IOC feature information on the basis of information obtained from the history of actions acquired in the acquisition by the acquiring, wherein the creating creates the IOC feature information based on information on an elapsed time from a point in time when the action was performed within a predetermined time window”. The claim does not put any limits on how the history of actions is received or obtained, but the specification supports the plain meaning of “acquiring” as encompassing receiving the data pertaining to history of actions taken by an analyst and somehow the action history as described “can be easily obtained”. The claim also does not limit the plain meaning of “creating” which, as explained “information on the basis of information obtained from the history of actions”. All the Steps are all recited with the use of performed by a “determination circuitry”. The recited circuitry is recited at a high level of generality, since the specification is devoid of adequate description to perform the claimed steps/functions, and merely interpreted as i.e., as a generic computer performing generic computer functions. Step 1: See MPEP 2106.03. The claim recites at least one step or act, including receiving continuous “a history of actions” (i.e. data) and “creating information”, i.e. creating data. Thus, the claim is to a process, which is one of the statutory categories of invention. (Step 1: YES). Step 2A, Prong One: As explained in MPEP 2106.04, subsection II, a claim “recites” a judicial exception when the judicial exception is “set forth” or “described” in the claim. The broadest reasonable interpretation of steps is that those steps fall within the mental process groupings of abstract ideas because they cover concepts performed in the human mind, including observation, evaluation, judgment, and opinion. See MPEP 2106.04(a)(2), subsection III. Under its broadest reasonable interpretation when read in light of the specification, the “receiving” and “creating” encompasses mental observations or evaluations that are practically performed in the human mind. For example, the claimed acquiring of history encompasses observing data in a data set and performing an evaluation. Step creating recites create information i.e. generate data. Step 2A, Prong Two. See MPEP 2106.04(d). The claim recites the additional elements of “by determination circuitry storing a trained machine learning model in a memory, an alert from an analysis engine” This judicial exception is not integrated into a practical application because the limitations “receiving, “by an determination circuitry, in this case taken as analogous to a general-purpose computer, is recited at a high level of generality. The “circuitry, memory and machine learning” is used as a tool to perform the generic computer function of receiving data and creating data. See MPEP 2106.05(f). The limitations, the computer is used to perform an abstract idea, as discussed above in Step 2A, Prong One, such that it amounts to no more than mere instructions to apply the exception using a generic computer. See MPEP 2106.05(f). Even when viewed in combination, these additional elements do not integrate the recited judicial exception into a practical application (Step 2A, Prong Two: NO), and the claim is directed to the judicial exception. (Step 2A: YES). Step 2B: See MPEP 2106.05. As explained with respect to Step 2A, Prong Two, the additional elements. The additional elements above are at best mere instructions to “apply” the abstract ideas, which cannot provide an inventive concept. See MPEP 2106.05(f) The claim(s) does/do not include additional elements that are sufficient to amount to significantly more than the judicial exception because even when considered in combination, these additional elements represent mere instructions to implement an abstract idea or other exception on a computer and insignificant extra-solution activity, which do not provide an inventive concept. (Step 2B: NO). The claim is ineligible. Claims 2 and 4-5 and 9-10, all recites other forms of creating”, with claim 5 further the specification support supports the plain meaning of “statistics” to be nothing more than by stating calculation, which uses mathematical calculations to create information. Which encompass mental choices or evaluations, and the claimed statistics performing mathematical calculations. The claim(s) does/do not include additional elements that are sufficient to amount to significantly more under step 2A and Sept 2B, similarly as above analyzed. The claims are ineligible Claim 6 and 7, the limitations “circuitry” and “computer readable medium storing ..program that cause a computer to execute” the same steps, in this case a computer, are recited at a high level of generality, as above noted for claim 1. In these limitations are used as a tool to perform the generic computer function of receiving data and creating data. See MPEP 2106.05(f). The claims are ineligible. Claim 8, while further reciting a particular machine learning model of linear regression, the specification, describes such trained machine learning model as merely be “any known supervised machine learning algorithm” and as adopted see [0095], but does not appear to disclose a specific technical improvement to computer functionality or cybersecurity technology beyond abstract data processing. The claim does not recite any novel hardware, specialized data structures, or innovative algorithms beyond conventional data acquisition and feature creation. Thus, “determination circuitry storing a trained machine learning model of logistic regression,” simply corresponds to generic computer components, use as a tool, it amounts to no more than mere instructions to apply the exception using a generic computer. See MPEP 2106.05(f). The claims are ineligible. Claim Rejections - 35 USC § 102 The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action: A person shall be entitled to a patent unless – (a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention. Claim(s) 1, 2 and 4-7 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Mitelman US PGPUB 2019/0340353. Regarding claim 1, Mitelman discloses An extraction method (FIG. 1 is computer system implementation, [0002]), comprising: receiving, by determination circuitry storing a trained machine learning model in a memory, an alert from an analysis engine, wherein the alert is information on cyber security ((see e.g., Mitelman ¶¶ [0002], [0021], [0025], Fig. 1). Mitelman discloses processors and memory that store instructions and trained models (see ¶ [0025] describing memory 160 storing instructions 162 and supervised machine learning engine(s) 130). Mitelman describes receiving alerts or data from analysis components/engines that represent security events and triggering processing by the guidance/ML engines (see ¶¶ [0012], [0021], [0033], [0049]). Mitelman’s processing node(s), investigation guidance engine(s), and supervised ML engine(s) correspond to “determination circuitry” and the memory storing trained models recites the claimed memory storing a trained machine learning model); acquiring, from the analysis engine, a history of actions taken by an analyst (security analyst 117) with respect to investigation of an indicator of compromise (IOC) included in the information on cyber security (Fig. 2 and Fig. 3, [0012], [0033]; [0049]; see ¶¶ [0018] (“the investigation of a given security threat may involve a number of inquiries, analyses and decisions that are made by a security analyst 117 in a series of investigative steps; [0021] describing observing analyst actions/steps already taken by the security analyst and gathering training data by observing actions/results); and creating IOC feature information on the basis of information obtained from the history of actions acquired by the acquiring ([0021], “data representing the current state of a security threat investigation”; supervised machine learning engine 130 …recommends one or multiple actions to be taken for the next step), wherein creating creates the IOC feature information based on an elapsed time from a point in time when the action was performed within a predetermined time window (([0021] time lines considered; (¶ [0021] discusses time lines considered, steps already taken, and using observed actions as training data; ¶¶ [0031], [0033], [0049] discuss deriving features and using temporal characteristics in recommendation/training). Regarding claim 2, Mitelman discloses The extraction method according to claim 1, wherein the creating creates the feature information on the based on information on a number of actions and an interval of time between the actions ([0021] “based on” step(s) already taken by the security analyst and time lines considered; The description that timelines are considered and that features are constructed from observed analyst actions, as readily understood by one with ordinary skill, means that temporal features (e.g., elapsed time from a point in time when an action was performed, within a considered window ‘history” observed actions taken when conducting investigation). Regarding claim 4, Mitelman discloses The extraction method according to claim 1, creating creates the feature information based on of information on a date and time when the action was performed and a work pattern of the analyst ([0018], “based on” the investigation of a given security threat may involve a number of inquiries, analyses and decisions that are made by a security analyst 117 in a series of investigative steps, disclosed example steps; [0021], observing analyst actions taken, security analysts when (emphasis added) conducting security threat investigation). Regarding claim 5, Mitelman discloses the extraction method according to 1 to 4 claim 1, wherein creating creates the feature information on based on information obtained from the history of actions and a statistic calculated from the information ([0021], observing analyst actions taken and comparative analyses that have been performed; [0031], weight to training data gathered by observing actions/results that are associated with higher tier (and thus, more experienced) security analysts 117). Regarding claim 6, claim 6 is drawn to the circuitry performing the corresponding method of using same as claimed in claim 1. Therefore, device claims 6 correspond to method claims 1, and is rejected for the same reasons of anticipation as used above [0025], “The memory 160 may store instructions 162 that, when executed by the processor(s) 150, cause the processor(s) 150 to form one or multiple components of the processing node 110, such as, for example, the investigation guidance engine(s) 120 and the supervised machine learning engine(s) 130). Regarding claim 7, claim 7 is drawn to the CRM corresponding to the method of using same as claimed in claim 1. Therefore, CRM claims 7 correspond to method claims 1, and is rejected for the same reasons of anticipation as used above ( [0025], “The memory 160 may store instructions 162 that, when executed by the processor(s) 150, cause the processor(s) 150 to form one or multiple components of the processing node 110, such as, for example, the investigation guidance engine(s) 120 and the supervised machine learning engine(s) 130). Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claim(s) 8 is/are rejected under 35 U.S.C. 103 as being unpatentable over Mitelman US PGPUB 2019/0340353 in view of Applicant’s admission of prior art. Claim 8 further recites, wherein the machine learning model is trained using logistic regression. Mitelman already discloses, as outlined above, and further (see ¶ [0025] supervised machine learning engine(s) 130). While not specially expressly disclosing “logistic regression”. However, as known in the art “logistic regression” is merely a supervised machine learning algorithm. And, it is also admitted by the Applicant in [0095]-[0097], “learning unit 23 can adopt any known supervised machine learning algorithm” “logistic regression is known”. Therefore, one of ordinary skill in the art would have recognized that applying the known technique would have yielded predictable results and resulted in an improved system. Since a particular known “logistic regression” technique was recognized as part of the ordinary capabilities of one skilled in the art, as admitted by the Applicant. One of ordinary skill in the art would have been capable of applying this known technique and the results would have been predictable to one of ordinary skill in the art. Furthermore, it would have been obvious to one of an ordinary skill in the art before the effective date of the claimed invention to use particularly logistic regression in Mitelman, since it already discloses supervised machine learning to which the regression is part of, and the one of ordinary skill in the art would have recognized and motivated to use the advantages and capabilities of the known highly interpretable, is scalable and fast. Claim(s) 9 and 10 is/are rejected under 35 U.S.C. 103 as being unpatentable over Mitelman US PGPUB 2019/0340353 in view of Trost et al., herein after Trost (US PUB. 2021/0126938). Regarding claim 9, Mitelman discloses creating feature information based on analyst action history and timelines (i.e., time-based features derived from the sequence and timing of analyst actions), (per ¶ [0021] and related context disclosure as outlined above). The supervised machine learning engine 130 may receive data representing a state of a current investigation… Based on this information, the supervised machine learning engine 130 may then provide various outputs, such as … determining a timeline for a chart displayed on the GUI.” (Fig. 3; see also ¶[0053]: “determining a timeline for a chart displayed on the GUI.”) • The GUI shows explicit selection of a time window: “LAST 24 HOURS” (Fig. 4A, element 414). Mitelman teaches using multiple temporal granularities for analysis — “day” and “hour” — and switching between them when needed: – “The supervised machine learning engine 130 may suggest a chart parameter having a ‘day’ granularity…” (¶[0041]). – “…the security analyst may override the suggested chart granularity and select an ‘hour’ granularity…” (¶[0041]–[0042]; see Fig. 4C–4D showing DAY vs HOURS on X‑axis). • Mitelman further emphasizes analyst decisions include choosing “the appropriate time range that is suited for the category of alert” (¶[0036]–[0037]), and the system’s guidance includes recommending “a certain time line” (¶[0023], ¶[0053]). These disclosures show the use and importance of time windows/timelines in constructing investigation features. While Mitelman does not expressly show specifically five different time windows as claim 9 recites or particular range of days, as in claim 10, in the same field on endeavor Trost teaches in [0069] In FIG. 11, an alert event is initially plotted 1102 as an alert containing a macro enabled MS Office being downloaded. Thereafter, server 120 (using, for example rules engine 1008), may access variable data storage 1002, in order to retrieve signals related to the alert event within a predefined time window. The size of the time window may be based on the type of alert or the alert metadata. For example, some types of alerts may require more substantive data points and therefore, a larger time window for investigating related data, wherein others may require fewer data points to reach a conclusion on the disposition of the alert event and whether or not it is a malicious threat. [0070] … the signals help provide a context related to the event in order to determine whether the alert event is truly a cyber security threat. Signals are used to both automatically score/characterize the alert (through a machine learning model) and they are rendered with the alert so the user doesn't need to go find them by manually investigating all the raw log data. Therefore, it would have been obvious to a person of ordinary skill in the art (POSITA), before the effective date of the claimed invention, to implement the feature‑creation step using any desired multiple time windows to capture behavior at different temporal scales (short‑term vs weekly/biweekly/monthly) for improved robustness and discrimination in IOC features. The choice to employ multiple windows is a routine, result‑effective optimization of a known variable (time range) in time‑series/triage feature engineering, explicitly suggested Mittleman emphasis on timelines/time windows. See KSR v. Teleflex, 550 U.S. 398 (2007) (combining familiar elements according to known methods is obvious when it yields predictable results) MPEP 2144.05(II) (optimization of a result‑effective variable). Conclusion Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to Jorge L Ortiz Criado whose telephone number is (571)272-7624. The examiner can normally be reached 8-4 M-Th; 7-12 F. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /JORGE L ORTIZ CRIADO/Supervisory Patent Examiner, Art Unit 2496