Prosecution Insights
Last updated: April 19, 2026
Application No. 18/338,137

SYSTEM AND METHOD FOR DETECTING CYCLIC ACTIVITY IN AN EVENT FLOW FOR DYNAMIC APPLICATION ANALYSIS

Non-Final OA §103
Filed: Jun 20, 2023
Examiner: KNACKSTEDT, JACOB BENEDICT
Art Unit: 2408
Tech Center: 2400 (Computer Networks)
Assignee: Ao Kaspersky Lab
OA Round: 3 (Non-Final)
Grant Probability: 88% (Favorable)
OA Rounds: 3-4
To Grant: 2y 8m
With Interview: 99%

Examiner Intelligence

Career Allow Rate: 88% (37 granted / 42 resolved; +30.1% vs TC avg; above average)
Interview Lift: +16.7% (strong; measured over resolved cases with interview)
Avg Prosecution: 2y 8m (typical timeline); 21 currently pending
Total Applications: 63 across all art units (career history)

Statute-Specific Performance

§101: 8.5% (-31.5% vs TC avg)
§103: 61.6% (+21.6% vs TC avg)
§102: 9.9% (-30.1% vs TC avg)
§112: 14.8% (-25.2% vs TC avg)
Comparison baseline: Tech Center average estimate. Based on career data from 42 resolved cases.

Office Action

§103
DETAILED ACTION

This office action is in response to the application filed on 11/28/2025. Claim(s) 1-20 is/are pending and are examined.

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114

A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 11/28/2025 has been entered.

Response to Arguments

Applicant's arguments filed on 11/28/2025 have been fully considered but they are not persuasive for the following reasons:

Applicant's Argument: Brown-2 is silent as to and therefore fails to disclose or suggest the features "in response to the detection of the beginning of the cycle, excluding further events occurring in the event stream from subsequent analysis by skipping recording of data related to the further events, and continuing to add each of the further events to the buffer and recalculate the number of unique events in the buffer after said further event is added to the buffer" (emphasis added) as is recited, inter alia, in independent claim 1 and similarly in independent claims 10 and 18. Brown-2 describes locating a loop comprising a repeated sequence of events, determining a distribution of event types within the loop (i.e., measure of frequencies or counts of occurrences of the event types), and determining whether the repeated sequence is associated with malware based on the distribution (Brown-2, paras. [0078]-[0081] and [0131]). Brown-2 further describes maintaining the counts of occurrences of the event types in a buffer (Brown-2, para. [0100]). Unlike the claimed subject matter, events within the loop described in Brown-2 are not added to the buffer. Consequently, based on the deficiencies of Brown-2, any modification of Brown based on Brown-2 also fails to disclose or suggest the recited subject matter. Accordingly, because Brown-2, alone or in permissible combination, fails to disclose or suggest amended independent claims 1, 10, and 18, Applicant submits that independent claims 1, 10, and 18 are allowable over Brown-2, alone or in permissible combination with Brown. (Applicant's response filed on 11/28/2025, page 9).

Examiner's Response: The Examiner respectfully disagrees. The cited portion of Brown-2 ¶ 207 teaches the concept, "During the intervening time an incident can be updated to include newly detected patterns and its composite score may change," which is clearly teaching the idea of updating data that is being analyzed to keep the analysis up to date, which alone covers the concepts being taught by the limitation; but when Brown-2 is taken in combination with the teachings of Brown, "Col. 8 Ln. 65-67 teaches, this buffer will collect the data so that at some later time (or in-real time) another process can fetch the data for further processing," which shows data being collected and updated in real time, a constantly updating process. This combination clearly teaches updating data in real time with newly received data to keep analysis up to date; as such, Brown-2 in combination with Brown clearly teaches the claimed limitation. It would have been obvious to one with ordinary skill in the art, prior to the applicant's earliest effective filing date, to combine the teachings of Brown in view of Brown-2, to modify the port scanning system of Brown with the pattern activity detecting of Brown-2. The motivation to do so, Brown-2 ¶ 36, is to determine whether the programs running those loops, or the operations within the loops, are suspicious.

Applicant's arguments with respect to amended claims 1, 10, and 18 have been fully considered but are moot in view of the new ground(s) of rejection.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1, 3-5, 7, 9-10, 12-14, 16, 18, and 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Brown Jr. (US 11,347,896 B1), hereinafter Brown, in view of Beecham (US 12,105,822 B2), hereinafter Beecham, in further view of Kumbhar (US 2017/0124327 A1), hereinafter Kumbhar, in further view of Brown (EP 3531329 A1), hereinafter Brown-2.

Regarding Claim(s) 1, 10, and 18

Brown teaches: A method for detecting cyclic activity in an event stream during of dynamic analysis of an application, the method comprising: (Brown Col. 2 Ln. 1-7 and Col. 21 Ln. 25-33 teaches, methods, systems, and processes for detecting attacks on computer systems. In particular, techniques are disclosed for utilizing computer system capabilities to identify port-scan attacks of a single port across multiple network addresses (referred to as horizontal port scanning) using cascading ring buffers. Port Scanning attack detection requires detecting for patterns/cyclic activity. The code may be stored on a computer-readable storage medium, for example, in the form of a computer program comprising a plurality of instructions executable by one or more processors. The computer-readable storage medium may be non-transitory. Col. 3 Ln. 54-65 teaches, A host computer system, which may be one of a plurality of host computer systems running within a computer system environment, may have one or more services, processes, and/or applications running on the system and may also have one or more users of the system. Each of the services, processes, and/or applications (referred to simply as "services") may have one or more ports that it may use to, for example, connect to other computer system services via a computer system network.)

creating a buffer of a predetermined size for the event stream that occurs during an execution of the application, (Brown Col. 2 Ln. 23-34 teaches, a system of cascading ring buffers may be implemented to maximize computing resources available on a network. Each port, of up to the 65,535 available ports, may have an equally sized ring buffer assigned to it, where each ring buffer provides a historical view of the connections on that specific port for a period of time.) (Brown Col. 2 Ln. 4-10 and Col. 15 Ln. 26-35 teaches, identify port-scan attacks of a single port across multiple network addresses using cascading ring buffers. A threshold value may be determined based at least in part on a set of conditions, which may be a dynamic set of conditions configured by the system or by a user of the system.)

processing each event in the event stream, by filling the buffer with the event, …, and determining a number of unique events in the buffer when the event is added to the buffer; (Brown Col. 3 Ln. 20-34 teaches, process may be run across each ring buffer to tally or count the number of connections realized by the source IP address. A user, may define a threshold number of destination IP addresses (i.e., unique events, if there aren't unique ip address then there is a problem.) and, once that threshold value is reached or exceeded, an alarm may be triggered)

when a number of events in the buffer reaches the predetermined size of the buffer, replacing one event in the buffer with a new event by excluding the earliest event and including the event that is newly processed, (Brown Col. 2 Ln. 4-10, identify port-scan attacks of a single port across multiple network addresses using cascading ring buffers. Ring buffers implement FIFO (i.e., excluding earliest event and including the event that is newly processed.)

recalculating the number of unique events in the buffer, and comparing the recalculated number of unique events with the threshold; (Brown Col. 3 Ln. 20-35 teaches, As the communications requests are monitored and the destination IP addresses are stored in the slices of the ring buffers, a process may be run across each ring buffer to tally or count the number of connections realized by the source IP address. A user, such as a network administrator, may define a threshold number of destination IP addresses and, once that threshold value is reached or exceeded, an alarm may be triggered.)

and Brown does not appear to explicitly teach but in related art Beecham: filling a dictionary (Beecham Col. 30 Ln. 49-55 teaches, analyzed to identify frequencies with which sequences occur, and those sequences may be mapped to a dictionary. The mapping and dictionary may then be stored in the secure distributed storage in a compressed format. (i.e., a database)) It would have been obvious to one with ordinary skill in the art, prior to the applicant's earliest effective filing date, to combine the teachings of Brown with Beecham, to modify the port scanning system of Brown with the filling of a dictionary of Beecham. The motivation to do so, Beecham Col. 30 Ln. 37-42, data may be encoded with redundant information such that if some of the data is modified before writing or after writing, the encoding reveals errors and, in some cases, provides enough redundant information that data may be recovered.

Brown in view of Beecham does not appear to teach but in related art Kumbhar: excluding further events occurring in the event stream from subsequent analysis by skipping recording of data related to the further events, (Kumbhar ¶ 75 teaches, Receiver 520 receives events generated by event generator 340. Since a large number of events (typically in millions) is generally received, receiver 520 is also designed to filter the received events and to select only the desired events of interest.) It would have been obvious to one with ordinary skill in the art, prior to the applicant's earliest effective filing date, to combine the teachings of Brown in view of Beecham with Kumbhar, to modify the port scanning system of Brown with the filling of a dictionary of Beecham with the removal of certain events of Kumbhar. The motivation to do so, Kumbhar ¶ 6, to be able to detect malware when it is executing in a system.

Brown-Beecham-Kumbhar does not appear to explicitly teach but in related art: and determining a threshold for representing a maximum number of unique events in the buffer for cycle detection; (Brown-2 ¶ 100 and 203 teaches, in some examples, at operation 1404, analyzing module 228 can detect patterns 1310 from events 1302 included in plurality of events 1306. The patterns may be detected based on any predetermined criterion to identify detected events that indicates that one or more events of the plurality of events 1306 may indicate suspicious and/or potentially malicious activity was occurring. The predetermined criterion may include, but is not limited to, a predetermined number of repeated sequence(s) of events, (i.e., threshold representing maximum number of unique events) and patterns of statistical significance including distributions 314 as discussed herein with reference to FIGS. 2.)

detecting a beginning of a cycle in the buffer when the number of unique events in the buffer is less than or equal to the threshold, and, in response to the detection of the beginning of the cycle (Brown-2 ¶ 100 and 203 teaches, in some examples, at operation 1404, analyzing module 228 can detect patterns 1310 from events 1302 included in plurality of events 1306. The patterns may be detected based on any predetermined criterion (i.e., detecting a beginning of a cycle) to identify detected events that indicates that one or more events of the plurality of events 1306 may indicate suspicious and/or potentially malicious activity was occurring. The predetermined criterion may include, but is not limited to, a predetermined number of repeated sequence(s) of events, (i.e., threshold representing maximum number of unique events) and patterns of statistical significance including distributions 314 as discussed herein with reference to FIGS. 2.)

continuing to add new each of the further events to the buffer and recalculate the number of unique events in the buffer after said further event is added to the buffer. (Brown-2 ¶ 207 teaches the concept, During the intervening time an incident can be updated to include newly detected patterns and its composite score may change.) It would have been obvious to one with ordinary skill in the art, prior to the applicant's earliest effective filing date, to combine the teachings of Brown-Beecham-Kumbhar with Brown-2, to modify the port scanning system of Brown with the filling of a dictionary of Beecham with the removal of certain events of Kumbhar with the pattern activity detecting of Brown-2. The motivation to do so, Brown-2 ¶ 36, is to determine whether the programs running those loops, or the operations within the loops, are suspicious.

Regarding Claim(s) 3, 12, and 20

Brown-Beecham-Kumbhar-Brown-2 teaches: The method of claim 1, further comprising: (Brown-Beecham-Kumbhar-Brown-2 teaches the parent claim above.) when the number of unique events in the buffer is greater than the maximum number of unique events in the buffer for cycle detection, continuing to fill the buffer by replacing one event in the buffer with another new event that is newly processed and recalculating the number of unique events in the buffer until the number of unique events in the buffer is less than or equal to the maximum number of unique events in the buffer for cycle detection. (Brown Col. 5 Ln. 5-15 and Col. 3 Ln. 20-35 teaches, the ring buffer is created and/or maintained for all requests being transmitted to the port via source identifier A. Ring buffer have a FIFO approach to filling as slots are occupied. As the communications requests are monitored and the destination IP addresses are stored in the slices of the ring buffers, a process may be run across each ring buffer to tally or count the number of connections realized by the source IP address. A user, such as a network administrator, may define a threshold number of destination IP addresses and, once that threshold value is reached or exceeded, an alarm may be triggered.)

Regarding Claim(s) 4 and 13

Brown-Beecham-Kumbhar-Brown-2 teaches: The method of claim 1 further comprising: (Brown-Beecham-Kumbhar-Brown-2 teaches the parent claim above.) after the beginning of the cycle is detected, when the number of unique events in the buffer increases and exceeds the maximum number of unique events in the buffer for cycle detection, (Brown-2 ¶ 100 and 203 teaches, in some examples, at operation 1404, analyzing module 228 can detect patterns 1310 from events 1302 included in plurality of events 1306. The patterns may be detected based on any predetermined criterion (i.e., detecting a beginning of a cycle) to identify detected events that indicates that one or more events of the plurality of events 1306 may indicate suspicious and/or potentially malicious activity was occurring. The predetermined criterion may include, but is not limited to, a predetermined number of repeated sequence(s) of events, (i.e., threshold representing maximum number of unique events) and patterns of statistical significance including distributions 314 as discussed herein with reference to FIGS. 2.) completing the cycle and begin including further additional events occurring in the event stream in the dynamic analysis by recording data related to the further additional events. (Brown Col. 15 Ln. 20-52 teaches, at some point, a threshold value may be detected, (i.e., beginning of a cycle) by the host computer system, such that the threshold value is reached or exceeded, the value being a number of entries stored in each ring buffer. In response to the threshold value having been detected, the host computer system may be configured to generate a report or log of data related to possible horizontal port scanning received on the network. (i.e., dynamic analysis))

Regarding Claim(s) 5 and 14

Brown-Beecham-Kumbhar-Brown-2 teaches: The method of claim 4, further comprising: (Brown-Beecham-Kumbhar-Brown-2 teaches the parent limitation above.) creating another buffer to which the further additional events occurring in the event stream are added; and counting the number of unique events in the buffer to detect another cycle. (Brown Col. 2 Ln. 25-34 teaches, where each ring buffer provides a historical view of the connections on that specific port for a period of time. The system of cascading ring buffers (i.e., another buffer) provides for multiple ring buffers associated together based on a source network address (e.g., source IP address) of the host (e.g., an attacker) transmitting requests.)

Regarding Claim(s) 7 and 16

Brown-Beecham-Kumbhar-Brown-2 teaches: The method of claim 1, (Brown-Beecham-Kumbhar-Brown-2 teaches the parent claim above.) wherein the buffer comprises a ring buffer. (Brown Col. 2 Ln. 4-10 teaches, identify port-scan attacks of a single port across multiple networks using cascading ring buffers.)

Regarding Claim(s) 9

Brown-Beecham-Kumbhar-Brown-2 teaches: The method of claim 1, (Brown-Beecham-Kumbhar-Brown-2 teaches the parent claim above.) wherein the buffer is generated in real time during the dynamic analysis of the application. (Brown Col. 8 Ln. 65-67 teaches, this buffer will collect the data so that at some later time (or in-real time) another process can fetch the data for further processing.)

Claim(s) 2, 8, 11, 17, and 19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Brown-Beecham-Kumbhar-Brown-2 as applied to claim 1 above, and further in view of Werner (US 2023/0078266 A1), hereinafter Werner.

Regarding Claim(s) 2, 11, and 19

Brown-Beecham-Kumbhar-Brown-2 teaches: The method of claim 1, wherein the threshold is determined using a ratio: (Brown-Beecham-Kumbhar-Brown-2 teaches the parent limitation above.) Xc = L / K, where, Xc represents the maximum number of unique events in the buffer for cycle detection, (Brown Col. 3 Ln. 20-30 teaches, a process may be run across each ring buffer to tally or count the number of connections realized by the source IP address. A user, such as a network administrator, may define a threshold number of destination IP addresses) Brown-Beecham-Kumbhar-Brown-2 does not appear to explicitly teach but in related art Werner: L represents a parameter for the predetermined size of the buffer which indicates a maximum number of events in the buffer, K represents a configurable parameter. (Werner ¶ 16 teaches, within a configurable threshold of a percentage of bandwidth capacity. (i.e., ratio of maximum value)) It would have been obvious to one with ordinary skill in the art, prior to the applicant's earliest effective filing date, to combine the teachings of Brown-Beecham-Kumbhar-Brown-2 with Werner, to modify the port scanning system of Brown with the filling of a dictionary of Beecham with the removal of certain events of Kumbhar with the configurable threshold of Werner. The motivation to do so constitutes applying a known technique of adaptable thresholds based off of percentages to known devices and/or methods of port scanning protection ready for improvement to yield predictable results.

Regarding Claim(s) 8 and 17

Brown-Beecham-Kumbhar-Brown-2 teaches: The method of claim 1, (Brown-Beecham-Kumbhar-Brown-2 teaches the parent claim above.) wherein the maximum number of unique events in the buffer for cycle detection is less than the predetermined size of the buffer which indicates a maximum number of events in the buffer, and the maximum number of unique events in the buffer for cycle detection is less than a total number of events included in a total set of possible events during the execution of the application. (Brown teaches Col. 3 Ln. 20-35, As the communications requests are monitored and the destination IP addresses are stored in the slices of the ring buffers, a process may be run across each ring buffer to tally or count the number of connections realized by the source IP address. A user, such as a network administrator, may define a threshold number of destination IP addresses and, once that threshold value is reached or exceeded, an alarm may be triggered. Werner ¶ 16 teaches, within a configurable threshold of a percentage of bandwidth capacity. (i.e., ratio of maximum value). If the threshold value is configurable, it can be set so the threshold is less than the maximum size.) The motive given in Claim 2 is equally applicable to the above claim.

Claim(s) 6 and 15 is/are rejected under 35 U.S.C. 103 as being unpatentable over Brown-Beecham-Kumbhar-Brown-2 as applied to claim 1 above, and further in view of Cohen (US 2024/0291863 A1), hereinafter Cohen.

Regarding Claim(s) 6 and 15

Brown-Beecham-Kumbhar-Brown-2 teaches: The method of claim 1, (Brown-Beecham-Kumbhar-Brown-2 teaches the parent claim above.) wherein each event in the event stream occurs during the execution of the application when system Application Programming Interface (API) calls. (Cohen ¶ 6 teaches, receive, by an application capable of JavaScript execution, an executable code including an API invocation) It would have been obvious to one with ordinary skill in the art, prior to the applicant's earliest effective filing date, to combine the teachings of Brown-Beecham-Kumbhar-Brown-2 with Cohen, to modify the port scanning system of Brown with the filling of a dictionary of Beecham with the removal of certain events of Kumbhar with the API of Cohen. The motivation to do so constitutes applying a known technique of using APIs for execution to known devices and/or methods of port scanning protection ready for improvement to yield predictable results.

Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US 2021/0365554 A1 - SECURING COMPUTING SYSTEMS AGAINST MICROARCHITECTURAL REPLAY ATTACKS
US 2019/0306281 - METHODS AND APPARATUS FOR REGULATING NETWORKING TRAFFIC IN BURSTY SYSTEM CONDITIONS
US 2023/0004532 A1 - Event Logging For Valves And Other Flow Control Devices

Any inquiry concerning this communication or earlier communications from the examiner should be directed to JACOB BENEDICT KNACKSTEDT whose telephone number is (703)756-5608. The examiner can normally be reached Monday-Friday 8:00 am - 5:00 pm. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Linglan Edwards, can be reached on (571) 270-5440. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/J.B.K./ Examiner, Art Unit 2408
/LINGLAN EDWARDS/ Supervisory Patent Examiner, Art Unit 2408
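The claim language the office action walks through (claims 1, 2, 3 and 4) is a concrete algorithm: a ring buffer of predetermined size L, a dictionary of per-event counts, a threshold Xc = L / K, a cycle that begins when the number of unique events in the full buffer drops to Xc or below, skipped recording while the cycle runs even though events keep entering the buffer, and a cycle that completes when the unique count climbs back above Xc. The implementation below is an added illustration written for this page; it is not code from the application, from Kaspersky Lab, or from any of the cited references. The API-call names in the sample trace, the choice to compare against Xc only once the buffer holds L events, and the rule that the event which ends a cycle is itself recorded are all assumptions made here.

```python
from collections import Counter, deque


class CycleDetector:
    """Ring-buffer detector for cyclic activity in an event stream.

    Illustrative implementation of the method as paraphrased in the office
    action (buffer of size L, threshold Xc = L / K, skip recording inside a
    cycle). Constructed for this page; not the applicant's code.
    """

    def __init__(self, buffer_size: int, k: float):
        if buffer_size < 1:
            raise ValueError("buffer size L must be positive")
        if k <= 1:
            # Xc = L / K has to stay below L (claim 8), which needs K > 1.
            raise ValueError("K must be greater than 1 so that Xc < L")
        self.size = buffer_size             # L: predetermined buffer size
        self.threshold = buffer_size / k    # Xc = L / K (ratio of claim 2)
        self.buffer = deque()               # ring buffer, oldest event at the left
        self.counts = Counter()             # dictionary: event -> occurrences in buffer
        self.in_cycle = False
        self.cycle_start = None
        self.recorded = []                  # events passed on to dynamic analysis
        self.cycles = []                    # (first_index, last_index) per detected cycle

    def unique_events(self) -> int:
        return len(self.counts)

    def _push(self, event) -> None:
        # Once the buffer is full, replace the earliest event with the new one.
        if len(self.buffer) == self.size:
            oldest = self.buffer.popleft()
            self.counts[oldest] -= 1
            if self.counts[oldest] == 0:
                del self.counts[oldest]     # keep len(counts) == number of unique events
        self.buffer.append(event)
        self.counts[event] += 1

    def process(self, index: int, event) -> bool:
        """Add one event; return True if it was recorded for analysis."""
        self._push(event)
        # Assumption: the comparison with Xc only starts once the buffer holds
        # L events; a partially filled buffer trivially has few unique events.
        full = len(self.buffer) == self.size
        uniq = self.unique_events()
        if not self.in_cycle:
            if full and uniq <= self.threshold:
                # Beginning of a cycle: stop recording further events, but keep
                # adding them to the buffer and recounting.
                self.in_cycle = True
                self.cycle_start = index
                return False
            self.recorded.append(event)
            return True
        if uniq > self.threshold:
            # Unique count climbed above Xc: the cycle is complete and
            # recording resumes with this event (assumption).
            self.in_cycle = False
            self.cycles.append((self.cycle_start, index))
            self.cycle_start = None
            self.recorded.append(event)
            return True
        return False                        # still inside the cycle: skipped

    def finish(self, last_index: int) -> None:
        """Close a cycle that is still open when the stream ends."""
        if self.in_cycle:
            self.cycles.append((self.cycle_start, last_index))
            self.in_cycle = False
            self.cycle_start = None


def analyze_stream(events, buffer_size: int = 8, k: float = 2.0):
    """Run the detector over a whole event stream; return (recorded, cycles)."""
    det = CycleDetector(buffer_size, k)
    for i, ev in enumerate(events):
        det.process(i, ev)
    det.finish(len(events) - 1)
    return det.recorded, det.cycles


# Constructed sample trace (not a real capture): eight distinct calls, then a
# three-call polling loop repeated six times, then five distinct calls once
# the loop exits.
SAMPLE_TRACE = (
    ["open", "read", "write", "close", "stat", "mmap", "socket", "connect"]
    + ["GetTickCount", "Sleep", "PeekMessage"] * 6
    + ["CreateFile", "WriteFile", "CloseHandle", "RegOpenKey", "RegQueryValue"]
)

if __name__ == "__main__":
    recorded, cycles = analyze_stream(SAMPLE_TRACE, buffer_size=8, k=2.0)
    print(f"{len(SAMPLE_TRACE)} events in, {len(recorded)} recorded, cycles at {cycles}")
```

With L = 8 and K = 2 (so Xc = 4), the 31-event sample yields 18 recorded events and one cycle spanning indices 14 through 27. Two properties of the method are visible in that run: the cycle is only recognised once the loop has pushed enough distinct events out of the buffer (the first two loop iterations are still recorded), and the first call after the loop, CreateFile, is still skipped because the unique count has not yet climbed above Xc. K sets that trade-off; a larger K lowers Xc, which makes cycle detection stricter and shortens the tail of dropped events but also lets longer loops through unsuppressed.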

Prosecution Timeline

Jun 20, 2023: Application Filed
Jan 24, 2025: Non-Final Rejection (§103)
Jun 10, 2025: Response Filed
Jul 21, 2025: Final Rejection (§103)
Nov 28, 2025: Request for Continued Examination
Dec 07, 2025: Response after Non-Final Action
Jan 22, 2026: Non-Final Rejection (§103, current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12596633: VULNERABILITY DETECTION METHOD AND DEVICE (granted Apr 07, 2026; 2y 5m to grant)
Patent 12591692: METHODS FOR SECURING DATA (granted Mar 31, 2026; 2y 5m to grant)
Patent 12579300: ELECTRONIC APPARATUS AND CONTROL METHOD THEREFOR (granted Mar 17, 2026; 2y 5m to grant)
Patent 12579124: ZERO-CODE APPROACH FOR MODEL VERSION UPGRADES (granted Mar 17, 2026; 2y 5m to grant)
Patent 12566885: DATA PROCESSING SYSTEMS AND METHODS FOR AUTOMATICALLY DETECTING TARGET DATA TRANSFERS AND TARGET DATA PROCESSING (granted Mar 03, 2026; 2y 5m to grant)
Based on 5 most recent grants.


Prosecution Projections

Expected OA Rounds: 3-4
Grant Probability: 88%
With Interview: 99% (+16.7%)
Median Time to Grant: 2y 8m
PTA Risk: High
Based on 42 resolved cases by this examiner. Grant probability derived from career allow rate.
