Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Drawings
The drawings are objected to under 37 CFR 1.83(a). The drawings must show every feature of the invention specified in the claims. Therefore, the specific features of claims 1-4 must be shown or the feature(s) canceled from the claim(s). No new matter should be entered.
The drawings are further objected to as failing to comply with 37 CFR 1.84(p)(4) because reference characters “1”, “2”, “3”, “4”, “5”, “6”, “7”, “8”, and “9” have been used to designate respective elements in both Figs. 1 and 4.
Corrected drawing sheets in compliance with 37 CFR 1.121(d) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. The figure or figure number of an amended drawing should not be labeled as “amended.” If a drawing figure is to be canceled, the appropriate figure must be removed from the replacement sheet, and where necessary, the remaining figures must be renumbered and appropriate changes made to the brief description of the several views of the drawings for consistency. Additional replacement sheets may be necessary to show the renumbering of the remaining figures. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be notified and informed of any required corrective action in the next Office action. The objection to the drawings will not be held in abeyance.
Specification
The disclosure is objected to because it contains an embedded hyperlink and/or other form of browser-executable code. Applicant is required to delete the embedded hyperlink and/or other form of browser-executable code; references to websites should be limited to the top-level domain name without any prefix such as http:// or other browser-executable code. See MPEP § 608.01. For example, page 2 of the Specification contains hyperlinks for references 7, 10, 11, 12, and 13.
Claim Objections
Claims 2-4 are objected to because of the following informalities: Claim 2 recites the respective limitations “creation of”, “collection of”, “and creation of”, and “decision of” which should be changed to recite --creating--, --collecting--, --and creating--, and --deciding--, respectively.
Claims 3 and 4 recite “The method in accordance with claim 2, comprising the following process steps:” which should be changed to --The method in accordance with claim 2, further comprising:--.
Claim 4 recites “application of EM algorithm” which should be changed to --applying EM algorithm--.
Appropriate correction is required.
Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.
The following is a quotation of pre-AIA 35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.
The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art. The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is invoked.
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph:
(A) the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function;
(B) the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and
(C) the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function.
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function.
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function.
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier. Such claim limitation(s) is/are: “a feature selection module that performs…”, “an online learning module that performs…”, “a classification module that decides…”, “a performance evaluation module, which gives…”, “an AutoFS module which determines…”, and “a module that contains…” in claim 1, “a feature selection module selecting…” in claim 2.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, applicant may: (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.
Claims 1-4 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claim limitations “a feature selection module that performs…”, “an online learning module that performs…”, “a classification module that decides…”, “a performance evaluation module, which gives…”, “an AutoFS module which determines…”, and “a module that contains…” (see claim 1) and “a feature selection module selecting…” (see claim 2) invoke 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. However, the written description fails to disclose the corresponding structure, material, or acts for performing the entire claimed function and to clearly link the structure, material, or acts to the function. Specifically, each of the above invoking “modules” is not described in a manner within Applicant’s Disclosure that would provide sufficient detail regarding structure, material, or acts for performing the respective claimed functions (i.e., what specific structure/material/acts describe the modules which are performing the respective functions) while also linking said structure, material, or acts to the function as recited. Therefore, the claim is indefinite and is rejected under 35 U.S.C. 112(b) or pre-AIA 35 U.S.C. 112, second paragraph.
Applicant may:
(a) Amend the claim so that the claim limitation will no longer be interpreted as a limitation under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph;
(b) Amend the written description of the specification such that it expressly recites what structure, material, or acts perform the entire claimed function, without introducing any new matter (35 U.S.C. 132(a)); or
(c) Amend the written description of the specification such that it clearly links the structure, material, or acts disclosed therein to the function recited in the claim, without introducing any new matter (35 U.S.C. 132(a)).
If applicant is of the opinion that the written description of the specification already implicitly or inherently discloses the corresponding structure, material, or acts and clearly links them to the function so that one of ordinary skill in the art would recognize what structure, material, or acts perform the claimed function, applicant should clarify the record by either:
(a) Amending the written description of the specification such that it expressly recites the corresponding structure, material, or acts for performing the claimed function and clearly links or associates the structure, material, or acts to the claimed function, without introducing any new matter (35 U.S.C. 132(a)); or
(b) Stating on the record what the corresponding structure, material, or acts, which are implicitly or inherently set forth in the written description of the specification, perform the claimed function. For more information, see 37 CFR 1.75(d) and MPEP §§ 608.01(o) and 2181.
Claim 1 recites the limitation "… the timely and accurate detection of the problem when a Distributed Denial of Service (DDoS) attack occurs in the core of physical networks …" (emphasis added). There is insufficient antecedent basis for these limitations in the claim.
Claim 1 recites the limitation “… owned by the ISP” (emphasis added). There is insufficient antecedent basis for this limitation in the claim because it is unclear which of “each Internet Service Provider (ISP)” the limitation “the ISP” is referring to.
Claim 1 recites the limitation “… the high volume of data that will occur by modeling the key performance indicator data received from the routers” (emphasis added). There is insufficient antecedent basis for these limitations in the claim.
Claim 1 recites “the online learning method on the data obtained, using the MLP method” (emphasis added). There is insufficient antecedent basis for these limitations in the claim.
Claim 1 recites “the traffic change in the network is a DDoS attack or not according to the result obtained from the learning process” (emphasis added). There is insufficient antecedent basis for these limitations in the claim.
Claim 1 recites “the feature selection process on the data by looking at the performance metrics…” (emphasis added). There is insufficient antecedent basis for these limitations in the claim.
Claim 1 recites “the most appropriate feature selection method among the specified feature selection methods, according to the feedback from both … the module that contains up-to-date feature information” (emphasis added). There is insufficient antecedent basis for these limitations in the claim.
Claim 1 recites “this module” (emphasis added) which lacks proper antecedent basis.
Claim 1 recites “the notifications coming from the performance evaluation module” (emphasis added). There is insufficient antecedent basis for this limitation in the claim.
Claim 2 recites "… the timely and accurate detection of the problem when a Distributed Denial of Service (DDoS) attack occurs in the core of physical networks …" (emphasis added). There is insufficient antecedent basis for these limitations in the claim.
Claim 2 recites “the collected data … using the YANG data modelling language” (emphasis added). There is insufficient antecedent basis for these limitations in the claim.
Claim 2 recites “the best (preferably 10) features from the data and feeding the data by labeling with the labeling method…” (emphasis added). There is insufficient antecedent basis for these limitations in the claim.
Claim 2 recites “whether the data traffic change in the network” (emphasis added). There is insufficient antecedent basis for these limitations in the claim.
Claim 2 recites “by looking at the performance metrics” (emphasis added). There is insufficient antecedent basis for this limitation in the claim.
Claim 3 recites “the features” (emphasis added). There is insufficient antecedent basis for this limitation in the claim.
Claim 3 recites “over the data obtained, and each feature selection method selects the best ten features” (emphasis added). There is insufficient antecedent basis for these limitations in the claim.
Claim 3 recites “labeling data” (emphasis added). There is insufficient antecedent basis for this limitation in the claims.
Claim 3 recites “the online learning module (6)” (emphasis added). There is insufficient antecedent basis for this limitation in the claims.
Claim 3 recites “the feature selection method that the system will use and the MLP method” (emphasis added). There is insufficient antecedent basis for these limitations in the claim.
Claim 4 recites “for the K-Means algorithm, the K value is determined as 2 and the data is divided into two groups and the interval for the initial values of the EM algorithm is determined (3002), which also improves the consistency of the EM algorithm with the convergence rate” (emphasis added). There is insufficient antecedent basis for these limitations in the claim.
Claim 4 recites “application of EM algorithm” (emphasis added). There is insufficient antecedent basis for this limitation in the claims.
Claim 4 recites “defining the base data” (emphasis added). There is insufficient antecedent basis for this limitation in the claims.
Claim 4 recites “by the other EM algorithm and finding the maximum likelihood estimation of the parameters locally” (emphasis added). There is insufficient antecedent basis for these limitations in the claim.
Claim 4 recites “by collective learning algorithm (3006)” (emphasis added). There is insufficient antecedent basis for this limitation in the claims.
Claim 4 recites “combining the collective learning output” (emphasis added). There is insufficient antecedent basis for this limitation in the claims.
The term “most appropriate feature selection” in claim 1 is a relative term which renders the claim indefinite. The term “most appropriate” is not defined by the claim, the specification does not provide a standard for ascertaining the requisite degree, and one of ordinary skill in the art would not be reasonably apprised of the scope of the invention. Thus, the recitation of “most appropriate” as it refers to “feature selection” is indefinite.
The term “best” in claims 2 and 3 is a relative term which renders the claim indefinite. The term “best” is not defined by the claim, the specification does not provide a standard for ascertaining the requisite degree, and one of ordinary skill in the art would not be reasonably apprised of the scope of the invention. Thus, the recitation of “best” as it refers to “features” is indefinite.
Claim 3 recites “in the feature selection module, one thousand samples were randomly selected for six feature selection methods to use, over the data obtained, and each feature selection method selects the best ten features”, however this recitation is contextually indefinite in view of the method claim 3 is further limiting.
Claim 4 recites “for the K-Means algorithm, the K value is determined as 2 …” however this entire limitation does not reflect a functional method step, and thus is indefinite in the context of the other limitations recited within claim 4.
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.
The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.
Claims 1-4 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention. Specifically, claim 1 recites the following limitations: “a feature selection module that performs…”, “an online learning module that performs…”, “a classification module that decides…”, “a performance evaluation module, which gives…”, “an AutoFS module which determines…”, and “a module that contains…”, and claim 2 recites “a feature selection module selecting…”, but Applicant’s Disclosure does not provide adequate written description for an algorithm that would accomplish a result of each of the recited modules. Thus, in view of the 112(f) Interpretation for each of the above “modules”, in combination with the lack of structure, material, or acts for performing the claimed function associated with each module (see the 112(b) rejection above), the Disclosure must provide at least a corresponding algorithm (i.e., a step-by-step procedure) describing how each of the respective functions of the modules is being performed. Because the instant Disclosure is absent of such algorithms, the examiner finds claim 1 failing to comply with the written description requirement under 112(a) (see MPEP 2161.01; MPEP 2181(IV)).
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1-4 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. Claim 1 recites “performs machine learning, data modeling, feature selection and data labeling methods” (mental processes - observation, evaluation, and judgement), “modeling the key performance indicator from the routers” (mental process - evaluation), “performs the online learning method on the data obtained” (mental process - evaluation), “decides whether the traffic change in the network is a DDoS attack or not according to the result obtained from the learning process” (mental process - judgement), “gives feedback to the feature selection process on the data by looking at the performance metrics obtained as a result of online learning” (mental process - opinion), “determines the most appropriate feature selection method among the specified feature selection methods, according to the feedback” (mental process - judgement), “contains up-to-date feature information according to notifications” (mental process - observation). Claim 2 recites “creation of a digital twin of a physical network” and “collection of necessary data of the physical network over the digital twin” (mental process - observation), “feeding the collected data to a YANG modeling module and creation of YANG data models using the YANG data modelling language” (mental process - evaluation), “selecting the best (preferably 10) features from the data and feeding the data by labeling with the labeling method recommended” (mental process - judgement/opinion), “decision of … whether the data traffic change in the network is DDoS attack or not” (mental process - judgement), “deciding whether to upgrade the selected features by looking at the performance metrics” (mental process - judgment).
Claim 3 recites “updating the features”, “one thousand samples were randomly selected”, “labeling data”, “performing training and testing”, and “updating the feature selection method” which each can be viewed as mental processes associated with observation, evaluation, and judgement. Claim 4 recites “giving one thousand labeled data samples”, “the K-Means algorithm”, “application of EM algorithm”, “defining the base data”, “using labeled and unlabeled data … and finding the maximum likelihood estimation of the parameters locally”, “determining final labels by taking output of two EM algorithms” and “combining the collective learning output” which, as a whole, are directed towards mathematical concepts. This judicial exception is not integrated into a practical application because the claims do not recite any further limitations that either apply, rely on, or utilize the abstract idea in a manner that imposes meaningful limit(s) on the abstract idea itself. For example, there’s no further patentable recitation(s) of an improvement to a computerized function nor an improvement to a technology or technical field. The claim(s) does/do not include additional elements that are sufficient to amount to significantly more than the judicial exception because none of claims 1-4 recite any additional elements which would amount to significantly more than the abstract idea itself. For example, claim 1 recites “a physical network”, “a cloud system that runs a created digital twin of the physical network”, “a digital twin of a router”, “YANG data models”, “a feature selection module”, “an online learning module”, “a classification module”, “a performance evaluation module”, “an AutoFS module”, “a module”. Claim 2 recites “a digital twin of a physical network”, “a YANG modeling module”, “YANG data models”, “a feature selection module”, “an MLP online learning module”. Claim 3 recites “an AutoFS module”.
Each of these recitations of claims 1-3 is either directed towards typical components used for storing (and retrieving) information in memory (Versata Dev. Group, Inc. v. SAP AM., Inc., 793 F.3d 1306, 1334, 115 USPQ2d 1681, 1701 (Fed. Cir. 2015); OIP Techs., 788 F.3d at 1363, 115 USPQ2d at 1092-93), or is plainly taught by the prior art of record as being known in the art (see below mappings under 35 U.S.C. 103(a)). The examiner also takes Official Notice regarding the claimed above features as being well-known and conventional in the computer arts. Thus, the above identified abstract idea recited within claims 1-4, when considered individually and in combination with the above recited well-known and conventional components, fails to recite subject matter that would constitute significantly more than the abstract idea itself.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1 is/are rejected under 35 U.S.C. 103 as being unpatentable over “Teng” (US 2021/0084068) in view of “Gill” (US 2024/0121262).
[Examiner Note: While claims 1-4 are further examined herein on the merits, only claims 1 and 2 could be reasonably rejected under prior art in view of the above issues identified under 35 U.S.C. 112(b). The examiner will update the search and consideration of the respective claims based upon any corrections made to the above issues by Applicant.]
Regarding Claim 1:
Teng teaches:
A system that ensures the timely and accurate detection of the problem when a Distributed Denial of Service (DDoS) attack occurs in the core of physical networks of each Internet Service Provider (ISP) that provides internet service (Abstract, “… provide resilient and reactive on-demand Distributed Denial-of-Service (DDoS) mitigation services using an exchange … an exchange comprises a first virtual network for switching mixed traffic … from one or more networks to one or more DDoS scrubbing centers …”), the system comprising:
a physical network owned by the ISP, through which data flow is provided to users (Fig. 1, element 12A; Fig. 2, element 202A; ¶0066, “In the example of FIG. 5, an administrator for a customer network (e.g., ISP network)…”);
a cloud system that runs a created digital twin of the physical network (Fig. 2, element 201 comprising cloud elements 14);
a digital twin of a router, which is located in the digital twin of the physical network (Fig. 2, element 22; ¶0033, “… the administrator may configure the network to reroute mixed traffic 16, via gateway device 22 of customer network 12A and using dirty VLAN 36, to DDoS scrubbing centers 14 via exchange point 24, which in turn switches the mixed traffic 16 to a selected DDoS scrubbing center of DDoS scrubbing centers 14 to mitigate DDoS attacks and thereby generate clean traffic…”)…;
…
Teng does not disclose:
… a router, which … performs machine learning, data modeling, feature selection and data labeling methods in the system;
YANG data models that prevent the high volume of data that will occur by modeling the key performance indicator data received from the routers;
a feature selection module that performs feature selection on modeled data to be used during online learning;
an online learning module that performs the online learning method on the data obtained, using the MLP method;
a classification module that decides whether the traffic change in the network is a DDOS attack or not according to the result obtained from the learning process;
a performance evaluation module, which gives feedback to the feature selection process on the data by looking at the performance metrics obtained as a result of online learning;
an AutoFS module which determines the most appropriate feature selection method among the specified feature selection methods, according to the feedback from both the performance evaluation module and the module that contains up-to-date feature information;
this module also enables online learning to process; and
a module that contains up-to-date feature information according to the notifications coming from the performance evaluation module.
Gill teaches:
… a router (Figure. 1, element 120; ¶0029, “… a cyber security appliance 120 located within the network 110 to monitor and protect network devices, including the endpoint computing devices 101A-D, connected to the network 110 and a scalable cloud platform 135”), which … performs machine learning, data modeling, feature selection and data labeling methods in the system (Figure 6);
YANG data models that prevent the high volume of data that will occur by modeling the key performance indicator data received from the routers (¶0052, “The classifier 402 uses the response and the training instances 428 to be scalable so that the classifier 402 can handle the processing of the current data load of the data associated with the processes coming from the endpoint agents connected to the network 110”; ¶0053, “When the endpoint agent 111 resident in the host endpoint computing device 101 is connected to the Internet, including when connected to the corporate network 110, then the endpoint agent 111 feeds that process data to the scalable cloud platform 135 with its classifier 402 through the shared tenant load balancer. The load data for processes operating on or with the host endpoint computing devices from the host endpoint computing devices is sent through the shared tenant load balancer in order to analyze process data including connection data in order to detect the anomaly”);
a feature selection module that performs feature selection on modeled data to be used during online learning (¶0120, “In addition, a feature classifier can examine and determine features in the data being analyzed into different categories”);
an online learning module (Figure 6, element 560) that performs the online learning method on the data obtained, using the MLP method (¶0139, “… the self-learning AI models 560 that model the normal behavior (e.g. a normal pattern of life) of entities in the network mathematically characterizes what constitutes ‘normal’ behavior, based on the analysis of a large number of different measures of a device's network behavior… ”);
a classification module (Figure 6, element 522) that decides whether the traffic change in the network is a DDOS attack or not according to the result obtained from the learning process (¶0121, “Similarly, the cyber threat analyst module 522 can cooperate with the internal data sources as well as external data sources to collect data in its investigation. More specifically, the cyber threat analyst module 522 can cooperate with the other modules and the AI model(s) 560 in the cyber security appliance 120 to conduct a long-term investigation and/or a more in-depth investigation of potential and emerging cyber threats directed to one or more domains in an enterprise's system. Herein, the cyber threat analyst module 522 … can also monitor for other anomalies, such as model breaches, including, for example, deviations for a normal behavior of an entity, and other techniques discussed herein”);
a performance evaluation module (Figure 6, element 515), which gives feedback to the feature selection process on the data by looking at the performance metrics obtained as a result of online learning (¶0121, “The analyzer module 515 can cooperate with the AI model(s) 560 or other modules in the cyber security appliance 120 to confirm a presence of a cyberattack against one or more domains in an enterprise's system. A process identifier in the analyzer module 515 can cooperate with the gather module 510 to collect any additional data and metrics to support a possible cyber threat hypothesis”);
an AutoFS module (Figure 6, element 540) which determines the most appropriate feature selection method among the specified feature selection methods, according to the feedback from both the performance evaluation module and the module that contains up-to-date feature information (¶0122, “In a first level of investigation, the analyzer module 515 and AI model(s) 560 can rapidly detect and then the autonomous response module 540 will autonomously respond to overt and obvious cyberattacks”; ¶0127, “Again, the analyzer module 515 can cooperate with the AI model(s) 560 and/or other modules to rapidly detect and then cooperate with the autonomous response module 540 to autonomously respond to overt and obvious cyberattacks, (including ones found to be supported by the cyber threat analyst module 522)”);
this module also enables online learning to process (¶0127, “Again, the analyzer module 515 can cooperate with the AI model(s) 560…”); and
a module (Figure 6, element 510) that contains up-to-date feature information according to the notifications coming from the performance evaluation module (¶0125, “The gather module 510 cooperates with the … analyzer module 515 to collect data to support or to refute each of the one or more possible cyber threat hypotheses that could include this abnormal behavior or suspicious activity by cooperating with one or more of the cyber threat hypotheses mechanisms to form and investigate hypotheses on what are a possible set of cyber threats”).
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Teng’s system for mitigating Distributed Denial-of-Service attacks by enhancing Teng’s cloud system to incorporate machine learning techniques which involve data modeling, feature selection, and data labeling, as taught by Gill, in order to improve detection, and remediation, capabilities of cyber threats within the system.
The motivation is to provide Artificial Intelligence modules and capabilities to assist in investigations of cyber security events within a system to detect Distributed Denial-of-Service attacks, thus providing enhanced detection (and remediation) capabilities within the system especially for smaller organizations (Gill, ¶0130).
Claim(s) 2 is/are rejected under 35 U.S.C. 103 as being unpatentable over “Teng” (US 2021/0084068) in view of “Gill” (US 2024/0121262) in further view of “Hegde” (US 11811641).
Regarding Claim 2:
Teng teaches:
A method for the timely and accurate detection of the problem when a Distributed Denial of Service (DDoS) attack occurs in the core of physical networks of each Internet Service Provider (ISP) that provides internet service (Abstract, “… provide resilient and reactive on-demand Distributed Denial-of-Service (DDoS) mitigation services using an exchange … an exchange comprises a first virtual network for switching mixed traffic … from one or more networks to one or more DDoS scrubbing centers …”), the method comprising:
creation of a digital twin of a physical network (Fig. 2, element 201 comprising cloud elements 14; ¶0039);
collection of necessary data of the physical network over the digital twin (1002) (Fig. 2, element 22; ¶0033, “… the administrator may configure the network to reroute mixed traffic 16, via gateway device 22 of customer network 12A and using dirty VLAN 36, to DDoS scrubbing centers 14 via exchange point 24, which in turn switches the mixed traffic 16 to a selected DDoS scrubbing center of DDoS scrubbing centers 14 to mitigate DDoS attacks and thereby generate clean traffic…”);
…
Teng does not disclose:
feeding the collected data to a YANG modeling module and creation of YANG data models using the YANG data modelling language (1003);
in a feature selection module, selecting the best (preferably 10) features from the data and feeding the data by labeling with the labeling method recommended in an MLP online learning module (1004);
decision of the MLP online learning module whether the data traffic change in the network is a DDoS attack or not (1005); and
deciding whether to update the selected features by looking at the performance metrics of the MLP online learning module (1006).
Gill teaches:
feeding the collected data to a YANG modeling module and creation of YANG data models (¶0052, “The classifier 402 uses the response and the training instances 428 to be scalable so that the classifier 402 can handle the processing of the current data load of the data associated with the processes coming from the endpoint agents connected to the network 110”; ¶0053, “When the endpoint agent 111 resident in the host endpoint computing device 101 is connected to the Internet, including when connected to the corporate network 110, then the endpoint agent 111 feeds that process data to the scalable cloud platform 135 with its classifier 402 through the shared tenant load balancer. The load data for processes operating on or with the host endpoint computing devices from the host endpoint computing devices is sent through the shared tenant load balancer in order to analyze process data including connection data in order to detect the anomaly”) …;
in a feature selection module, selecting the best (preferably 10) features from the data (¶0120, “In addition, a feature classifier can examine and determine features in the data being analyzed into different categories”) and feeding the data by labeling with the labeling method recommended in an MLP online learning module (1004) (Figure 6, element 120; ¶0139, “… the self-learning AI models 560 that model the normal behavior (e.g. a normal pattern of life) of entities in the network mathematically characterizes what constitutes ‘normal’ behavior, based on the analysis of a large number of different measures of a device's network behavior…”);
decision of the MLP online learning module whether the data traffic change in the network is a DDoS attack or not (1005) (¶0121, “Similarly, the cyber threat analyst module 522 can cooperate with the internal data sources as well as external data sources to collect data in its investigation. More specifically, the cyber threat analyst module 522 can cooperate with the other modules and the AI model(s) 560 in the cyber security appliance 120 to conduct a long-term investigation and/or a more in-depth investigation of potential and emerging cyber threats directed to one or more domains in an enterprise's system. Herein, the cyber threat analyst module 522 … can also monitor for other anomalies, such as model breaches, including, for example, deviations for a normal behavior of an entity, and other techniques discussed herein”); and
deciding whether to update the selected features by looking at the performance metrics of the MLP online learning module (1006) (¶0121, “The analyzer module 515 can cooperate with the AI model(s) 560 or other modules in the cyber security appliance 120 to confirm a presence of a cyberattack against one or more domains in an enterprise's system. A process identifier in the analyzer module 515 can cooperate with the gather module 510 to collect any additional data and metrics to support a possible cyber threat hypothesis”).
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Teng’s system for mitigating Distributed Denial-of-Service attacks by enhancing Teng’s cloud system to incorporate machine learning techniques which involve data modeling, feature selection, and data labeling, as taught by Gill, in order to improve detection, and remediation, capabilities of cyber threats within the system.
The motivation is to provide Artificial Intelligence modules and capabilities to assist in investigations of cyber security events within a system to detect Distributed Denial-of-Service attacks, thus providing enhanced detection (and remediation) capabilities within the system especially for smaller organizations (Gill, ¶0130).
Teng in view of Gill does not disclose:
… and creation of YANG data models using the YANG data modelling language (1003);
Hegde teaches:
… and creation of YANG data models using the YANG data modelling language (1003) (Col. 4, lines 38-42, “As one example, the safe state data 112 and/or the current state data 126 may be stored as YANG data models. A YANG data model is a data modelling language that can be used to model network configuration and network state data”);
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Teng in view of Gill’s system for mitigating Distributed Denial-of-Service attacks by enhancing Teng in view of Gill’s artificial intelligence models to incorporate YANG data modelling language, as taught by Hegde, in order to utilize a standardized modelling language.
The motivation is to implement YANG as a data modelling language for at least one data model such that the data model includes standardized language that ensures interoperability across different systems.
Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DANIEL B POTRATZ whose telephone number is (571)270-5329. The examiner can normally be reached on M-F 10 A.M. - 6 P.M. CST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, William Korzuch can be reached on 571-272-7589. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/DANIEL B POTRATZ/Primary Examiner, Art Unit 2491