DETAILED ACTION
This non-final office action is responsive to application 18/290,274 as submitted on 10 November 2023.
Claim status is currently pending and under examination for claims 1-20 of which independent claims are 1, 11 and 19.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.
Claims 1-6, 8-16 and 18-20 are rejected under 35 U.S.C. 102a(1) as being anticipated by Nathezhtha et al. (“Cloud Insider Attack Detection Using Machine Learning”), hereinafter Nathezhtha.
Regarding Claim 1, Nathezhtha teaches:
A categorizing device (32) for categorizing a new user (U1) in an information technology system (10) ((P. 60, Abstract) “proposed ILSTM not only identifies an anomaly node but also finds whether a misbehaving node is a broken node or a new user node or a compromised node using the calculated trust factor. The proposed model not only detects the attack accurately but also reduces the false alarm in the cloud network”
A computer (‘categorizing device’) is implied by using an ILSTM model to classify new user nodes.),
the categorizing device (32) comprising a processor (40) acting on computer instructions (44) whereby said categorizing device (32) is operative to (A computer (‘categorizing device’) is implied by using an ILSTM model, which further implies a processor executing computer instructions.):
obtain user behaviour data of at least one known user of the system, which at least one known user is similar to the new user (U1) ((P. 63, Sec. IV, ¶3) “The details in the comparable users database is used to find whether the new user is malicious node or not. The model compares the behavior of similar users with the newly joined user and their transactions until the necessary personal behavior data is produced by the new entity”);
provide the user behaviour data of the at least one known user as comparable user behaviour data (CUBD) for application in a cell (93) of a long short-term memory architecture provided for the new user (U1) ((P. 62, Sec. III, ¶3) “A concatenation layer (Bi) does not exists in LSTM. The concatenation layer is added to this state which provides additional information about the comparable cell state, using these values the new user node can be classified as either malicious node or a normal node, the value of Bi is calculated”
(P. 62, Sec. III, Last Paragraph) “In ILSTM, when the states of the user lack, it compares the transaction of the user with the data of other similar users and also analyzes the transaction history of the user to categorize a normal user from an attacker. So the comparable user behavior data is also recorded and stored in a memory cell along with their transaction history so that a compromised user can easily be identified even if the compromised node is a newly joined user”);
and obtain a categorization (CAT) of the new user (U1), which categorization has been made based on said application of the comparable user behaviour data (CUBD) in the cell (93) of the long short-term memory architecture ((P. 62, Sec. III, ¶3) “A concatenation layer (Bi) does not exists in LSTM. The concatenation layer is added to this state which provides additional information about the comparable cell state, using these values the new user node can be classified as either malicious node or a normal node, the value of Bi is calculated”
(P. 63, Sec. IV, ¶3) “comparable user’s behavior data (Bi) … The ILSTM calculates the value of a user behavior data and value of a comparable user behavior data using UPDB and CUDB database. …The CUDB is the comparable user’s behavior data”).
Regarding Claims 2 and 12, Nathezhtha teaches:
The categorizing device (32) according to claim 1, wherein the comparable user behaviour data (CUBD) of the at least one known user is provided for application in a similar user gate layer (100) of the cell (93) and the categorization (CAT) is based on an output (Bt) of the similar user gate layer (100) ((P. 61-62, Sec. III, Last Paragraph) “ILSTM follows the basic structure of LSTM for adding deleting and maintaining the information. A new layer has been added to the second gate which is used to maintain additional information to identify the trustworthiness of the new user nodes”
(P. 62, Sec. III, ¶3) “the tanh layer creates a new value that updates the old cell state into a new cell state(equation (3)). … A concatenation layer (Bi) does not exists in LSTM. The concatenation layer is added to this state which provides additional information about the comparable cell state, using these values the new user node can be classified as either malicious node or a normal node, the value of Bi is calculated using equation (4) …
B
i
=
σ
(
W
B
t
(
c
o
t
-
1
,
o
i
t
+
b
B
t
)
”
(P. 62, Sec. III, ¶4) “The value of the current state (CSt) is computed by multiplying the forget gate value with the value of the old state (CSt-1) and adding the multiplied value of input gate and tanh layer”
(P. 62, Sec. III, ¶6) “
c
o
t
=
o
g
t
*
t
a
n
h
(
C
S
t
)
…
c
o
t
is the current output value”
A concatenation layer
B
i
is added to a second gate (input gate) and uses a sigmoid function
σ
to produce an output
B
i
, therefore layer
B
i
is a similar user gate layer. Layer
B
i
is added to new cell state (current state CSt) and current state CSt is used to calculate output value
c
o
t
, therefore categorization is based on an output of the similar user gate layer.).
Regarding Claims 3 and 13, Nathezhtha teaches:
The categorizing device (32) according to claim 2, wherein the similar user gate layer (100) is a sigmoid gate layer ((P. 62, Sec. III, ¶3) “the value of Bi is calculated using equation (4) …
B
i
=
σ
(
W
B
t
(
c
o
t
-
1
,
o
i
t
+
b
B
t
)
”).
Regarding Claims 4 and 14, Nathezhtha teaches:
The categorizing device (32) according claim 2, wherein the categorization (CAT) is based on a temporary trustworthiness indicator (TTI) for the new user (U1) ((P. 63, Sec. IV, ¶4-5) “Since the model is trained automatically there might be lack of data for a new user, to avoid unwanted alert generation for new user, node whose time is lesser than the number of training days i.e. when threshold value is lesser than G and ut is lesser than T, a temporary trust factor is calculated as given below
PNG
media_image1.png
75
427
media_image1.png
Greyscale
If the equation (9) produces a positive value then it is considered to be a normal user behavior … if ttf is around 0 then it is considered to be a broken node if the value of ttf is negative an anomaly detection alarm is raised to the server”),
which temporary trustworthiness indicator is based on the output (Bt) of the similar user gate layer (100) (Equation 9 for calculating a temporary trust factor uses an output
B
i
. See (P. 62, Sec. III, ¶3) describing an output
B
i
of the concatenation layer
B
i
is calculated using a sigmoid function.).
Regarding Claims 5 and 15, Nathezhtha teaches:
The categorizing device (32) according to claim 2, being further operative to obtain personal user behaviour data (PUBD) of the new user (U1) and provide the personal user behaviour data (PUBD) for application in said cell (93) ((P. 61, Sec. II, Last Paragraph) “The proposed model automatically trains itself based on both the behavioral process of a user personal data and comparable user data. … The ILSTM approach is used to predict the behavior of a user based on the behavior data”
(P. 62, Sec. III, ¶3) “The next layer is an input gate (igt) and a tanh layer (Ci) which decides about the information stored in the cell. The input gate is responsible to decide whether the information needs to be updated or not. The information is updated based on the value produced from equation (2) …
PNG
media_image2.png
68
786
media_image2.png
Greyscale
”
(P. 62, Sec. III, ¶6) “cot-1 is the previous input, cit is the input value”),
said application comprising applying the personal user behaviour data (PUBD) in an input gate layer (96) and a new candidate state layer (98) of the cell (93) ((P. 62, Sec. III, ¶3) “The next layer is an input gate (igt) and a tanh layer (Ci) which decides about the information stored in the cell. The input gate is responsible to decide whether the information needs to be updated or not … the tanh layer creates a new value that updates the old cell state into a new cell state(equation (3)). tanh layer is a vector of new candidate value. …
PNG
media_image3.png
37
509
media_image3.png
Greyscale
”
Input information (input value cit) is applied to an input gate and tanh layer (‘new candidate state layer’).)
and combining an output (it) of the input gate layer (96) with an output (Ct) of the new candidate state layer (98) and with the output (Bt) of the similar user gate layer (100) in order to obtain a cell output (ht) ((P. 62, Sec. III, ¶3) “the tanh layer creates a new value that updates the old cell state into a new cell state(equation (3)). … A concatenation layer (Bi) does not exists in LSTM. The concatenation layer is added to this state which provides additional information about the comparable cell state … the value of Bi is calculated using equation (4)”
(P. 62, Sec. III, ¶4) “The value of the current state (CSt) is computed by multiplying the forget gate value with the value of the old state (CSt-1) and adding the multiplied value of input gate and tanh layer”
(P. 62, Sec. III, ¶6) “
c
o
t
=
o
g
t
*
t
a
n
h
(
C
S
t
)
…
c
o
t
is the current output value”
An output
B
i
of concatenation layer
B
i
(‘similar user gate layer’) is added to new cell state (current state CSt). Current state CSt is computed by adding the multiplied value of input gate and tanh layer, therefore current state CSt combines an output of an input gate layer with an output of a new candidate state layer (tanh layer) with an output of a similar user gate layer. The current state CSt is used to calculate output value
c
o
t
(‘cell output’).).
Regarding Claims 6 and 16, Nathezhtha teaches:
The categorizing device (32) according to claim 5, wherein the categorization (CAT) is based on a regular trustworthiness indicator (TI) of the user (U1) ((P. 63, Sec. IV, ¶2) “All the cloud users are assigned a trust factor (tf) … if the trust factor is greater than G (G is the threshold fixed by a service provider to identify an authorized user) then it is assumed to be a normal user activity else an anomaly detection suspicion is raised”),
which regular trustworthiness indicator (TI) is determined based on the cell output (ht) and the similar user gate layer output (Bt) ((P. 63, Sec. IV, ¶3) “
t
f
=
c
o
t
+
B
i
+
t
l
t
… The trust factor is calculated by taking the output value cot and comparable user’s behavior data (Bi) and the threshold of transaction history value of the user node(tlt). … If the trust factor of the user is greater than G then the user is considered to be a normal user, if the tf is lesser than G then the user is suspected to be an abnormal node”
See (P. 62, Sec. III, ¶3) describing an output
B
i
of the concatenation layer
B
i
(‘similar user gate layer’) is calculated using a sigmoid function.).
Regarding Claim 8, Nathezhtha teaches:
The categorizing device (32) according to claim 1, wherein the categorization (CAT) is a categorization of the new user as a normal user, as a broken user or as a malicious user ((P. 60, Abstract) “The proposed ILSTM not only identifies an anomaly node but also finds whether a misbehaving node is a broken node or a new user node or a compromised node using the calculated trust factor”).
Regarding Claims 9 and 18, Nathezhtha teaches:
The categorizing device (32) according to claim 1, being further operative to perform an activity in the information technology system (10) based on the categorization (CAT) ((P. 63, Sec. IV, ¶1) “The output value reduces from 1 when a value reaches to 0 it can either be a broken node or a malicious node. In this case, the recorded transaction history of the user is referred. If the transaction value (tlt) contains positive value then the node is referred to be a legal but broken node. If the output value is -1 then a malicious insider existence is confirmed. Fig.3 shows the detection and alert generation of a compromised user”
See Figure 3 on P. 63 depicting an alert is generated after a user is classified as anomalous (malicious).).
Regarding Claim 10, Nathezhtha teaches:
The categorizing device (32) according to claim 1, wherein said at least one known user that is similar to the new user is a user having the same quality of service in the information technology system (10) ((P. 63, Sec. IV, ¶3) “The trust factor is calculated by taking the output value cot and comparable user’s behavior data (Bi) and the threshold of transaction history value of the user node(tlt). … The transaction value(tlt) is calculated based on the number of transactions made by the user in the cloud. It takes the number of file uploads, downloads and data transfer rate by a single user. … the threshold value is calculated based on comparing a user’s transaction with the other user’s transaction belonging to the same domain”
(P. 65, Sec. V, Last Paragraph) “Based on the similarity of the behavior and transaction value the node is classified as either malicious or normal node”
The data transfer rates of a new user and other users belonging to the same domain are compared to determine a trust factor. Data transfer rates measure the speed a user can upload or download data from a cloud server, therefore a low or high data transfer rate indicates the quality of a user’s connection to a cloud server (and therefore a data transfer rate is a measurement of quality of service).).
Regarding Claim 11, the rejection of claim 1 is incorporated. The difference in scope being:
A method of categorizing a new user (U1) in an information technology system (10), the method ((P. 60, Abstract) “proposed ILSTM not only identifies an anomaly node but also finds whether a misbehaving node is a broken node or a new user node or a compromised node using the calculated trust factor. The proposed model not only detects the attack accurately but also reduces the false alarm in the cloud network”).
Regarding Claim 19, the rejection of claim 1 is incorporated. The difference in scope being:
A computer program … the computer program comprising computer program code (44) which when run by a processor (40) of a categorizing device (32), causes the categorizing device (32) to ((P. 60, Abstract) “proposed ILSTM not only identifies an anomaly node”
A computer (‘categorizing device’) is implied by using an ILSTM model to classify nodes, which further implies a processor executing computer program code.).
Regarding Claim 20, Nathezhtha teaches:
A computer program product for categorizing a new user in an information technology system (10), the computer program product comprising a data carrier (128) with said computer program code (44) according to claim 19 ((P. 60, Abstract) “proposed ILSTM not only identifies an anomaly node but also finds whether a misbehaving node is a broken node or a new user node”
A computer is implied by using an ILSTM model, which further implies a computer program product comprising a hard drive (‘data carrier’) that stores computer program code.).
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 7 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Nathezhtha in view of Esman (US 11450419 B1).
Regarding Claims 7 and 17, Nathezhtha teaches:
The categorizing device (32) according to claim 6, wherein the current regular trustworthiness indicator (TI) is formed based on a current sum of the cell output (ht) with a current similar user gate layer output (Bt) ((P. 63, Sec. IV, ¶3) “
t
f
=
c
o
t
+
B
i
+
t
l
t
… The trust factor is calculated by taking the output value cot and comparable user’s behavior data (Bi)”).
However, Nathezhtha does not teach comparing a trustworthiness indicator with a middle point of clusters of regular trustworthiness indicators, which is taught by Esman:
wherein the categorization (CAT) that is based on the regular trustworthiness indicator (TI) is based on a comparison of a current regular trustworthiness indicator (TI) with a middle point of clusters (Cm) of regular trustworthiness indicators ((Col. 145, Lines 34-53) “the healthcare privacy analytics application uses a k-means clustering algorithm to cluster the plurality of feature vectors. … Using the clustering algorithm, the healthcare privacy analytics application identifies a centroid of the cluster and determines each vertices' distances away from the centroid of the cluster and compares the determined value with a threshold value. In one embodiment, the healthcare privacy analytics application flags, or otherwise indicates, each vertex whose distance from the centroid of the cluster are less than the threshold value as being “Typical” or “Expected.” In contrast, the healthcare privacy analytics application flags, or otherwise indicates, each vertex whose distance from the centroid of the cluster are greater than the threshold value as an “Anomaly,” which indicates that the corresponding users are accessing, or otherwise interacting, with the patient records in the patient record systems in ways that are different, beyond an expected variance”
(Col. 139, Lines 34-37) “Each feature of a user's feature vector is generally associated with a numerical value indicating a characteristic of the user's interactions with the medication dispensing system”
Feature vectors are clustered and compared to a cluster centroid to classify a user’s behavior as anomalous if distance from a centroid exceeds a threshold, therefore feature vectors are regular trustworthiness indicators.).
Esman teaches calculating distances from a cluster’s centroid to classify users as anomalous is a known method in the art. Before the effective filing date, it would have been obvious to a person of ordinary skill in the art to modify the detection system of Nathezhtha with the technique disclosed by Esman to perform clustering to classify user behavior. By performing clustering to classify user behavior, data can be grouped into clusters by using distance-based metrics, thereby reducing dimensionality and revealing hidden patterns.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to PEDRO J MORALES whose telephone number is (571)272-6106. The examiner can normally be reached 8:30 AM - 6:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, MIRANDA M HUANG can be reached at (571)270-7092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/PEDRO J MORALES/Examiner, Art Unit 2124
/VINCENT GONZALES/Primary Examiner, Art Unit 2124