Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
In response to communications received 7/17/2025, this is the second Office action on the merits. The claims 1 – 20 are pending.
Response to Arguments
Applicant’s arguments, see pages 9-11, filed 7/17/2025, with respect to the effective priority date of the claims has been fully considered and are persuasive.
Applicant’s arguments, see page 14, filed 7/17/2025, with respect to the 112(b) rejection of claims 6, 13, and 20 have been fully considered and are persuasive. The 112(b) rejection of claims 6, 13, and20 has been withdrawn.
Applicant's arguments filed 7/17/2025 with respect to the 112(a) rejection have been fully considered but they are not persuasive.
Note that the portion of the 112(a) concerned with “pinpointing attack detection points” has been withdrawn and Applicant’s remarks directed thereto are persuasive. Similarly, the 112(a) rejection of claim 6 has been withdrawn due to Applicant’s amendment and remarks.
However, Applicant’s remarks directed to “analyzing computer attack data resulting from the backtracking to prevent present and future computer attacks” is not persuasive. Notably, nothing in Applicant’s specification discloses acts or structure to perform a prevention. Instead, Applicant’s specification presents the results of the analysis to an external entity. See Applicant’s specification ¶¶ 20 and 22.
Applicant’s arguments, see pages 15-17, filed 7/17/2025, with respect to the rejection(s) of claim(s) 1-20 under Sekar in view of Gusat, as well as other references, have been fully considered and are persuasive. Sekar in view of Gusat does not disclose the amended features of: “selecting a set of largest anomaly scores determined by comparing the metric to a threshold value; scaling the comparison by the threshold value; and discarding metrics below the threshold value.”
Therefore, the rejection has been withdrawn. However, upon further consideration, a new ground(s) of rejection is made in view of Sekar in view of Gusat and Siffer et al. “Anomaly Detection in Streams with Extreme Value Theory”.
Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.
The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.
Claims 1 – 20 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.
Claims 1, 8, and 15 recite “analyzing computer attack data resulting from the backtracking to prevent present and future computer attacks”. Independent claims 8 and 15 recite the same limitations. The limitations in question do not satisfy the written description requirement under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph.
There is no evidence that the inventors were in possession of analyzing computer attacks from the results or any description to prevent “present and future” computer attacks. Furthermore, there is no evidence in the specification as to how such “present” and “future” computer attacks are prevented. The specification sets forth that the result of the analysis may be presented to a human or external processing agent in ¶¶ 20 and 22; however, no automated remediation of present and future attacks is featured. Intended use of an invention is not disclosure of the performance of that use.
Claims 2 – 7, 9 – 14, and 16 – 20 fall together accordingly.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1 – 2, 5 – 9, 12 – 16, and 19 – 20 are rejected under 35 U.S.C. 103 as being unpatentable over Sekar et al (US 2020/0059481 A1), hereinafter Sekar, in view of Gusat et al (US 2023/0325269 A1), hereinafter Gusat, and Siffer et al. “Anomaly Detection in Streams with Extreme Value Theory”, hereafter Siffer.
Regarding Claim 1, Sekar discloses “A method for detecting an origin of a computer attack given a detection point based on multi-modality data, the method comprising:
monitoring a plurality of hosts in different enterprise system entities to audit log data” (Sekar: [0065] – [0066] describe how cyber events are extracted from audit data in order to generate a scenario representation. These audit data streams (i.e., audit log data) are gleaned from enterprise data. An example of the enterprise is shown in Figure 14);
“generating causal dependency graphs based on the log data” (Sekar: [0067] describes how a dependency graph abstraction of audit log data is used for the disclosed invention. [0069] describes the how of a dependence graph construction module in order to generate the tagged dependency graph, as additionally shown in the overview provided by Fig. 1);
“detecting a computer attack by pinpointing attack detection points” (Sekar: [0078] describes using a dependence graph to trace back to the root cause (i.e., pinpoint) of intrusion points (i.e., attack detection point);
“backtracking from the attack detection points by employing the causal dependency graphs to locate an origin of the computer attack” (Sekar: [0075] describes how a backward analysis algorithm (i.e., backtracking algorithm) can be employed to follow dependences in the causal dependency graph to identify the source(s) (i.e., origin) of the attack);
“analyzing computer attack data resulting from the backtracking to prevent present and future computer attacks” (Sekar: [0075] describes how, starting from the sources of the attack, a full impact analysis is performed to generate a subgraph which shows the analyst what objects and subjects are affected by the attack).
Audit log data, as taught by Sekar, may contain elements of metric log data, which is understood by one of ordinary skill in the art be analogous to KPIs’ data, and is to include features such as network resource utilization, CPU utilization, read/write response times, read/write input/output rates, system/network events, and various other features found in the art.
Sekar discloses the above computer attack detection method, but fails to expressly and specifically disclose “monitoring…metrics data…to learn statistical causal relationships between the different enterprise system entities based on the…metrics data”.
Analogous art from the same field of endeavor, Gusat, teaches the monitoring of specifically metric data for learning statistical causal relationships between enterprise system entities based on metric data: [0014] describes the monitoring of KPIs and their data (i.e., metrics data). The paragraph additionally shows a causal graph (i.e., causal dependency graph) is obtained, which details the mapping of the obtained data. [0032] describes how a networked system of computerized devices (i.e., enterprise system) is used for the technique disclosed in the literature. [0045] describes the goal of building a causal DAG, employed as a causal sequence diagram, to identify causal factors and sequences of causal relationships of the KPIs between the systems to learn anomalies. [0046] describes how some KPIs can be determined based on statistics, based on what is believed to be anomalous or not.
Gusat does not teach specifically “audit log data”, but this is found within Sekar, as previously described: [0065] – [0066] describe how cyber events are extracted from audit data (i.e., audit log data) in order to generate a scenario representation.
Therefore, based on Sekar in view of Gusat, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teaching of monitoring metric log data to learn statistical causal relationships of Gusat to the detection of an origin computer attack system of Sekar in order to implement a method of root cause analysis of computerized system anomalies for causal analysis (Gusat, [0014]). Swiftly detecting the root cause in an attack detection system allows the user or administrator a more efficient way of eliminating the issue(s) present.
Sekar in view of Gusat does not disclose:
selecting a set of largest anomaly scores determined by comparing the metric to a threshold value;
scaling the comparison by the threshold value; and
discarding metrics below the threshold value
Siffer discloses:
selecting a set of largest anomaly scores determined by comparing the metric to a threshold value; (“If a value exceeds our threshold zq then we consider it as abnormal (we can retrieve this anomaly in a list A).” Siffer § 4.2.1)
scaling the comparison by the threshold value; and (“In the other cases, either Xi is greater than the initial threshold (peak case) either it is a \common" value (normal case). In the peak case, we add the excess to the peaks set and we update the threshold zq.” Siffer § 4.2.1)
discarding metrics below the threshold value (“If a value exceeds our threshold zq then we consider it as abnormal (we can retrieve this anomaly in a list A).” Siffer § 4.2.1. All non-anomalies are discarded. See Applicant’s specification ¶ 64)
A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Sekar in view of Gusat with Siffer by utilizing the anomaly detection threshold of Siffer to prune the telemetry of Sekar in view of Gusat. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Siffer with Sekar in view of Gusat in order to detect anomalous events without manually setting thresholds or making assumptions about the underlying data, Siffer Abstract.
Regarding Claim 2, Sekar teaches “The method of claim 1, wherein the causal dependency graphs are generated”: [0069] describes the use of a tagged dependence graph and its generation.
Gusat teaches “…by employing a feature extractor and a metric prioritizer”: [0038] describes how aKPIs are symptoms of the detected anomaly, whereas xKPIS are potential causes of said symptoms, where a subset of judiciously selected KPIs is identified. These KPIs include abnormal and potentially explanatory KPIs (i.e., feature extraction and determination). [0015] describes how a feature importance attribution algorithm (i.e., prioritizer) can be run to determine importance values of monitored KPIs to each of the identified aKPIs (symptoms)).
Therefore, based on Sekar in view of Gusat, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of employing a feature extractor and a metric prioritizer of Gusat to the causal dependency graph teaching of Sekar in order to determine relative importance values of the monitored KPIs to each of the identified symptoms, which makes it possible to restrict the number of potential causal KPIs (Gusat, [0015]). By extracting relevant features and prioritizing certain metrics, this allows a user or administrator to quickly pinpoint areas of interest that may be potentially malicious.
Regarding Claim 5, Sekar further discloses “The method of claim 1, wherein…generating the causal dependency graphs…”: [0069] describes the use of a tagged dependence graph and its generation.
Gusat further teaches “causal structure learning…is divided into intra-level learning and inter-level learning”: [0038] describes the difference between the aKPIs and xKPIs – aKPIs are symptoms of the detected anomaly (i.e., process level), whereas xKPIs are potential causes of said symptoms (i.e., system level), which is equivalent to the explanation of high- and low-level nodes in the written specification of the instant application found in [00034]); and
“intra-level learning pertaining to learning causation among a same level of nodes and intra-level learning pertaining to learning cross-level causation”: [0018] describes a causality algorithm that learns causal graph structure by discovering causal relationships between the xKPIs and the aKPIs (cross-level causation). An algorithm is run to determine relative importance values between each of the identified aKPIs (same-level learning).
Therefore, based on Sekar in view of Gusat, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of causal structural learning division into high- and low-level learnings of Gusat to the causal dependency graph generation system of Sekar in order to perform a causality algorithm to connect xKPIs to aKPIs to discover causal relationships of the KPIs (Gusat, [0040]). By discovering the causal relationships between symptoms, both high and low level, it allows a user or administrator to accurately determine the relationships between symptoms and processes, in order to efficiently pinpoint any potential anomalies.
Regarding Claim 6, Gusat further discloses “The method of claim 5, wherein inter-level learning includes a first part and a second part, the first part used to learn the cross-level causation between process-level and server-level nodes”: As described prior, aKPIs correspond to process level activities (low-level), whereas xKPIs correspond to system level activities (high-level). The written specification of the instant application gives example of high and low levels in [00034]);
“and the second part used to construct causal linkages between the server-level nodes and key performance indicators (KPI)”: Gusat: [0047] describes how monitored KPIs have a relative importance value determined. This makes it possible to identify the xKPIs (i.e., high-level nodes), where a casual linkage is formed between them.
Therefore, based on Sekar in view of Gusat, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of cross-level causations and causal linkages of KPIs of Gusat to the system of Sekar in order to implement a causality algorithm to obtain distinct causal graphs and analyze their linkages for a composite root cause analysis (Gusat, [0016, 0017, 0019]). By analyzing the distinct causal graphs, a composite root cause analysis can be performed, which allows a user or administrator the ability to efficiently and accurately pinpoint the exact origin of an anomaly.
Regarding Claim 7, Gusat further teaches “The method of claim 1, wherein the causal dependency graphs meet an acyclicity requirement”: The method of obtaining a causal dependency graph is applied to build a causal, specifically directed acyclic graph (DAG) [0045]. A DAG has acyclicity requirements in order to be considered a DAG, where it must have no directed cycles and must be topologically ordered, as understood by one of ordinary skill in the art.
Therefore, based on Sekar in view of Gusat, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of employing an acyclicity requirement of causal dependency graphs of Gusat to the system of Sekar in order to build a causal sequence diagram to identify causal factors and depict the sequence of causal relationships that lead to the occurrence of an anomaly in the monitored system(s) (Gusat, [0045]). Building the sequence diagram allows a user or administrator to efficiently determine relationships between nodes and track these sequences to effectively narrow down what is anomalous.
Claims 8 – 9 and 12 – 14 are non-transitory computer-readable storage medium claims that are drawn to the use of the method as claimed in claims 1 – 2 and 5 – 7. Therefore, the non-transitory computer-readable storage medium claims 8 – 9 and 12 – 14 correspond to method claims 1 – 2 and 5 – 7, and are likewise rejected under the same reasoning of obviousness as described above.
Claims 15 – 16 and 19 – 20 are system claims that are drawn to the use of the non-transitory computer-readable storage medium claims as claimed in claims 8 – 9 and 12 – 13. Therefore, the system claims 15 – 16 and 19 – 20 correspond to non-transitory computer-readable storage medium claims 8 – 9 and 12 – 13, and are likewise rejected under the same reasoning of obviousness as described above.
Claim(s) 3, 10, and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Sekar et al (US 2020/0059481 A1), hereinafter Sekar, in view of Gusat et al (US 2023/0325269 A1), hereinafter Gusat, and Siffer et al. “Anomaly Detection in Streams with Extreme Value Theory”, hereafter Siffer, in further view of Mei et al (“CTSCOPY: Hunting Cyber Threats within Enterprise via Provenance Graph-based Analysis”), hereinafter Mei.
Regarding Claim 3, Gusat discloses “The method of claim 2, wherein the feature extractor uses an auto-encoder model”: [0074] describes how processing performed by a cognitive model for the causal relationships is implemented as an autoencoder model by a trained neural network. The autoencoder includes both an encoder and decoder.
The combination of Sekar, Gusat, and Siffer discloses the use of an autoencoder model for feature extraction, but fails to expressly disclose specifically “and a language model”. However, analogous art from the same field of endeavor, Mei, teaches this language model: pg. 34, under subheading “C. Causality Subgraph Embedding”, the representation of features of the graph with several paths therein and consideration of the causal path as a sentence/document utilizes a natural language processing (NLP) technique to convert the causal path into a sentence).
Therefore, based on Sekar in view of Gusat, and further in view of Mei, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teaching of Mei to the system of Sekar and Gusat in order to utilize a provenance graph-based approach for detecting major threats to enterprise IT environments (Mei, pg. 28, Abstract). Graph-based depictions of network activity or network nodes allows a user or administrator to trace the graph to accurately detect where a particular anomaly has occurred, reducing time spent trying to determine where an anomaly has initially occurred.
Claim 10 is a non-transitory computer-readable storage medium claim that is drawn to the use of the method as claimed in claim 3. Therefore, the non-transitory computer-readable storage medium claim 10 corresponds to method claim 3, and is likewise rejected under the same reasoning of obviousness as described above.
Claim 17 is a system claims that are drawn to the use of the non-transitory computer-readable storage medium claims as claimed in claim 10. Therefore, the system claim 17 corresponds to non-transitory computer-readable storage medium claim 10, and is likewise rejected under the same reasoning of obviousness as described above.
Claim(s) 4, 11, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Sekar et al (US 2020/0059481 A1), hereinafter Sekar, in view of Gusat et al (US 2023/0325269 A1), hereinafter Gusat, and Siffer et al. “Anomaly Detection in Streams with Extreme Value Theory”, hereafter Siffer, in further view of Wang et al (“Improving Gradient-based DAG Learning by Structural Asymmetry”), hereinafter Wang.
Regarding Claim 4, Sekar discloses “The method of claim 1, wherein generating the causal dependency graphs…”: [0069] describes the use of a tagged dependence graph and its generation.
Sekar discloses the generation of causal dependency graphs, but fails to expressly teach “…involves employing a learning layer that enforces asymmetry of weighted adjacency matrices corresponding to directed acyclic graphs (DAGs)”. However, analogous art from the same field of endeavor, Wang, teaches the weighted adjacency matrices corresponding to DAGs: pg. 96, under subheading “B: Structural Asymmetry”),
Wang discloses that the gradient-based DAG learning method, as developed and discussed under “IV. OUR PROPOSED FRAMEWORK”, for causal analysis includes continuous optimization, where the neural network estimates the weighted adjacency matrix in the form of parameters. The real causal direction of the graph for the method follows a structural asymmetry.
Therefore, based on Sekar in view of Gusat, and further in view of Wang, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the weighted adjacency matrices corresponding to DAGs teachings of Wang to the system of Sekar and Gusat in order to leverage structural asymmetry of DAGs to significantly improve the performance of gradient-based DAG learning algorithms (Wang, pg. 94, Abstract). The use of DAGs in an enterprise network environment allows a user or administrator the ability to utilize the depiction of network nodes or anomalies to reduce time spent trying to detect the origin of an anomaly, which allows for more effective and efficient damage control.
Claim 11 is a non-transitory computer-readable storage medium claim that is drawn to the use of the method as claimed in claim 4. Therefore, the non-transitory computer-readable storage medium claim 11 corresponds to method claim 4, and is likewise rejected under the same reasoning of obviousness as described above.
Claim 18 is a system claims that are drawn to the use of the non-transitory computer-readable storage medium claims as claimed in claim 11. Therefore, the system claim 18 corresponds to non-transitory computer-readable storage medium claim 11, and is likewise rejected under the same reasoning of obviousness as described above.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See PTO-892, particularly:
Chesneau et al., US 2024/0248784, disclosing automated incident detection and root cause analysis.
Nikolic et al., US 2023/0368054, disclosing anomaly score normalization based on extreme value theory.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to RUPAL DHARIA whose telephone number is (571)272-3880. The examiner can normally be reached M-F 9am-5pm ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/RUPAL DHARIA/Supervisory Patent Examiner, Art Unit 2492