Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
DETAILED ACTION
This Office Action is in response to the Remarks filed on 07/11/2025.
In the instant Amendment, claims 1-3, 8-10 and 15-17 are amended; claim 4, 11 and 18 has been cancelled, claims 1-3, 5-10, 12-17 and 19-20 been examined and are pending in this application. This Action is made FINAL.
Response to Arguments
Applicants’ arguments in the instant Amendment, filed on 07/11/2025, with respect to limitations listed below, have been fully considered but they are not persuasive.
Applicant’s arguments with respect to claim(s) 1 and the rest of the independent claims have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
The Examiner respectfully suggests that the claim be further amended; details in the specification could be incorporated, to distinguish the claimed invention over prior art of record. Should the Applicant desire an interview to further clarify the claim interpretation/rejections, please contact the Examiner at (571) 272-1531 to schedule an interview.
Claim Rejections – 35 U.S.C. § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.
Claims 1-3, 5-10, 12-17 and 19-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant) regards as the invention.
Regarding Claims 1, 8, and 15 the claim is indefinite because it includes limitations such as “the data objects” and “a respective data object of the data objects”, which lack clear antecedent basis and create ambiguity as to whether these phrases refer to the entire plurality of identified data objects, a subset thereof, or individual data objects processed by separate handlers. Consequently, it is unclear how many data objects are acted upon in each subsequent step of the claim, such as the graph-generation or classification steps.
Additionally, Claim 1, 8, and 15 recites terms such as “dedicated data handler” and “feature-based rules” without providing objective boundaries or structural context. It is unclear whether a “dedicated data handler” refers to a hardware module, a software component, or a logical process, and what distinguishes one “handler” from another. Likewise, “feature-based rules” is vague without explicit definition of what constitutes a “feature” or the nature of the “rules.”
Claims 2–3, 5-7, 9-10, 12-14, 16-17 and 19-20 are rejected under 35 U.S.C. 112(b) as being dependent on the indefinite base claims 1, 8 and 15. These dependent claims inherit the indefiniteness of Claim 1, 8 and 15 and therefore fail to particularly point out and distinctly claim the invention.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1, 2, 6, 8, 9, 13, 15, 16 and 20 and is/are rejected under 35 U.S.C. 103 as being unpatentable over Zhang (US 12,223,056 B1), in view of Hajizadeh (US 2021/0034048 A1).
Regarding Claim 1
Zhang discloses:
A computing device, comprising: one or more processors; and
one or more hardware-based memory devices storing instructions which, when executed by the one or more processors, cause the computing device to:
identify data objects for data received from one or more distinct computing devices associated with a local infrastructure (Zhang Column 3, Lines 57-63 and Column 15, Lines 46-53: teaches a graph-based detection system in which a risky candidate computational node detection component receives input data describing various computational nodes and their attributes from multiple computing devices within a networked data center environment, corresponding to identifying data objects for data received from one or more computing devices associated with a local infrastructure.);
process the identified data objects for information and artifacts, wherein the denominated feature being a characteristic about the respective data object and its data type (Zhang Column 4, Lines 5-12 and Column 9, Lines 4-32: teaches processing input data representing computational nodes and their attributes to generate graphs and encode node attributes as features values characterizing each data object and its data type, corresponding to processing identified data objects for information and artifacts and denominating each identified information and artifact as a feature for future processing.);
generate, , respective graphs for the features and child objects within the data objects, in which individual graphs are associated with individual data objects from the identified data objects (Zhang Column 3, Line 57 – Column 4, Line 45: teaches generating input graphs that represent individual computational nodes (data objects) and their related or child nodes connected by edges based on shared attributes such as IP addresses or account identifiers. Each generated graph corresponds to a respective computational node and includes its associated features and relationships, thereby teaching generating graphs for features and child objects within individual data objects, where each graph is associated with a distinct identified data object.);
apply feature-based rules to the generated graphs, in which the feature-based rules include identifying similarities or other specific patterns among the denominated features within the graphs (Zhang Column 9, Line 64 – Column 10, Line 8: Teaches applying learned features-based rules to the generated graph using SimGNN, which identifies similarities and structural patterns among node feature embeddings within and across graphs, corresponding to applying feature-based rules that include identifying similarities or other specific pattern among denominated features within the graph.);
for a group of graphs of the graphs that satisfy one or more of the applied feature-based rules, pass the group of graphs onto a classification engine that applies classification rules (Zhang Column 9, Lines 15-32; Column 13, Lines 43-52: Teaches that graph satisfying similarity-based criteria are passed to a classification stage, where a classification model applies learned rules to determine whether each candidate node or graph is abusive or non-abusive. The system uses the outputs of features-based similarity analysis (SimGNN) to feed a classification engine that applies classification rules to label graphs, corresponding to passing graphs that satisfy features-based rules onto a classification engine applying classification rules),
wherein the classification rules include determining whether the sets of graphs are a malicious, harmless, or unclassified (Zhang Column 9, Lines 15-32; Column 13, Lines 43-52: Teaches that graph satisfying similarity-based criteria are passed to a classification stage, where a classification model applies learned rules to determine whether each candidate node or graph is abusive (malicious) or non-abusive (harmless). It would also be obvious to a person skilled in the art that if a graph is not labeled as malicious or harmless it would be labeled as unclassified.);
and
for the graphs that satisfy one or more of the classification rules, associate a corresponding classification to the graph, wherein the associated classification include malicious, harmless, or unclassified (Zhang Column 9, Lines 15-32; Column 13, Lines 43-52: Teaches that graphs satisfying one or more classification rules are assigned corresponding classification, specifically labeled as abusive or non-abusive based on model outputs. The classification engine associates each analyzed graph with its determined category, corresponding to associated a classification such as malicious, harmless, or unclassified to the graph.)
In an analogous art, Hajizadeh discloses a data handler system/method that teaches:
wherein the processing occurs at a dedicated data handler associated with and specifically configured to process a data type of a respective data object of the data objects … at each dedicated data handler for associated data types (Hajizadeh ¶23-25: teaches that the telemetry component health predicter receives and process data from multiple types of telemetry device (sensors, gateway) each associated with its own health and identified data. The predictor implements type-specific machine learning model trained on data for different component types, corresponding to processing occurring at dedicated data handlers associated with and specifically configured to process a respective data type.)
Given the teaching of Hajizadeh, a person having ordinary skill in the art before the effective filing data of the claimed invention would have recognized the desirability of modifying the data processing architecture of Zhang to include dedicated data handlers that are specially configured for different data types. Hajizadeh teaches that a telemetry analysis system can employ a telemetry component health predictor that receives various type of data from different telemetry components such as sensors and gateway device, and process them using machine learning models trained for each component type. Incorporating Hajizadeh type-specific processing approach into Zhang’s graph-based classification system would have made it obvious to implement dedicated handlers for each data type, thereby improving analysis accuracy and system modularity when processing heterogenous data objects (Hajizadeh ¶23-25).
Regarding Claim 1
Zhang discloses:
The computing device of claim 1, wherein the feature- based rules further includes identifying direct relations, similarities, or other specific patterns between the group of graphs or determining whether the group of graphs satisfy a customized rule (Zhang Column 9, Line 54 – Column 10, Line 26: teaches applying feature-based rules that include identifying direct relations, similarities, or specific pattern between graph though the SimGNN architecture, which computes similarity scores between graph-level and node-level embedding according to learned or customized similarity metric, corresponding to determining whether a group of graphs satisfy customized rules.).
Regarding Claim 6
Zhang discloses:
The computing device of claim 1, wherein the generated graphs include the initially identified data object and child objects that are stored within or associated with the data object (Zhang Column 4, Lines 5-46: teaches generating input graphs that include each identified computational node along with connected nodes that share attributes such as IP address or account identifiers, corresponding to graph including the initially identified object and associated child objects.).
Regarding Claim 8
Claim 8 is directed to a method corresponding to the computer-implemented method in claim 1. Claim 8 is similar in scope to claim 1 and is therefore rejected under similar rationale.
Regarding Claim 9
Claim 9 is directed to a method corresponding to the computer-implemented method in claim 2. Claim 9 is similar in scope to claim 2 and is therefore rejected under similar rationale.
Regarding Claim 13
Claim 13 is directed to a method corresponding to the computer-implemented method in claim 6. Claim 13 is similar in scope to claim 6 and is therefore rejected under similar rationale.
Regarding Claim 15
Claim 15 is directed to a method corresponding to the computer-implemented method in claim 1. Claim 15 is similar in scope to claim 1 and is therefore rejected under similar rationale.
Regarding Claim 16
Claim 16 is directed to a method corresponding to the computer-implemented method in claim 2. Claim 16 is similar in scope to claim 2 and is therefore rejected under similar rationale.
Regarding Claim 20
Claim 20 is directed to a method corresponding to the computer-implemented method in claim 6. Claim 20 is similar in scope to claim 6 and is therefore rejected under similar rationale.
Claims 3, 7, 10, 14, and 17 and is/are rejected under 35 U.S.C. 103 as being unpatentable over Zhang (US 12,223,056 B1), in view of Hajizadeh (US 2021/0034048 A1), and in further view of Johnson (US 7,391,735 B2).
Regarding Claim 3
Zhang and Hajizadeh do not disclose the following limitation “wherein the data objects are identified using a format recognition engine that recognizes a data type for a given piece of data”
However, in an analogous art, Johnson discloses a format system/method that includes:
The computing device of claim 1, wherein the data objects are identified using a format recognition engine that recognizes a data type for a given piece of data (Johnson Column 6, Lines 42-55: describes a parsing mechanism that involves analyzing data formats within messages. A parser can identify the data type of a component using format recognition techniques, making it akin to a format recognition engine.).
Given the teachings of Johnson, a person having ordinary skill in the art before the effective filing date of the claimed invention would have recognized the desirability of modifying the teachings of Zhang and Hajizadeh by using a format recognition engine to identify data objects based on their data type. Johnson discloses message repositories that store information about various message formats and a format name lookup step that extracts message format templates. These templates are then applied to messages of the corresponding format, enabling interpretation and manipulation of data as structured name-value pairs. Since Johnson teaches extracting format-specific templates and applying them to data for structured processing, it would have been obvious to implement a format recognition engine to recognize and classify data types for given pieces of data, leveraging Johnson’s method of identifying message formats for structured processing (Johnson Column 6, Lines 42-55).
Regarding Claim 7
Zhang and Hajizadeh do not disclose the following limitation “wherein child objects are processed by corresponding dedicated data handlers based on the child object's data type recognized by a format recognition engine”
However, in an analogous art, Johnson discloses a format system/method that includes:
The computing device of claim 6, wherein child objects are processed by corresponding dedicated data handlers based on the child object's data type recognized by a format recognition engine (Johnson Column 3, Lines 4-26 and Column 11, Lines 57 - Column 12, Line 5: describes a hierarchical parsing system where a first parser identifies the data format of a subcomponent (child object) and selects a dedicated parser to process it. This selection is based on format recognition, allowing each child object to be handled by a corresponding specialized parser rather than a generic one. This ensures efficient processing of nested message structures, aligning with the claim's requirement for dedicated data handlers based on recognized data types.).
Given the teachings of Johnson, a person having ordinary skill in the art before the effective filing date of the claimed invention would have recognized the desirability of modifying the teaching of Zhang and Hajizadeh by processing child objects using corresponding dedicated data handlers based on the recognized data type. Johnson discloses a system where a first parser, assigned to a portion of a message, can identify subcomponents requiring different parsers and invoke appropriate parsers based on the subcomponent format information. Additionally, Johnson teaches that multiple parsers can dynamically determine data formats of nested components and select corresponding parsers to process them efficiently. Thus, it would have been obvious to implement a system where child objects are processed by dedicated data handlers selected based on their recognized data type, leveraging Johnson’s teaching of format-based parser selection for efficient hierarchical data processing (Johnson Column 3, Lines 4-26 and Column 11, Lines 57 - Column 12, Line 5).
Regarding Claim 10
Claim 10 is directed to a method corresponding to the computer-implemented method in claim 3. Claim 10 is similar in scope to claim 3 and is therefore rejected under similar rationale.
Regarding Claim 14
Claim 14 is directed to a method corresponding to the computer-implemented method in claim 7. Claim 14 is similar in scope to claim 7 and is therefore rejected under similar rationale.
Regarding Claim 17
Claim 17 is directed to a method corresponding to the computer-implemented method in claim 3. Claim 17 is similar in scope to claim 3 and is therefore rejected under similar rationale.
Claims 5, 12 and 19 and is/are rejected under 35 U.S.C. 103 as being unpatentable over Zhang (US 12,223,056 B1), in view of Hajizadeh (US 2021/0034048 A1), in further view of Paithane (US 10,581,879 B1 ).
Regarding Claim 5
Zhang and Hajizadeh do not disclose the following limitation “wherein processing the data objects for information and artifacts includes performing a malware scan, in which results of scanning the data object are denominated as the feature”
However, in an analogous art, Paithane discloses a malware scan system/method that includes:
The computing device of claim 1, wherein processing the data objects for information and artifacts includes performing a malware scan, in which results of scanning the data object are denominated as the feature (Paithane Column 2, 11-21; Column 2, 48-63; Column 7, Lines 54-61: describes a malware detection system that processes received objects and analyzes their features, including those generated during execution, to assess potential maliciousness. It explicitly mentions scanning objects using static and runtime analysis, extracting features such as behavioral characteristics, syntax tree representations, and heuristic indicators. This aligns with the claim limitation as the results of scanning the data object (e.g., AST analysis, behavioral monitoring) are denominated as features for further malware detection processing.).
Given the teachings of Paithane, a person having ordinary skill in the art before the effective filing date of the claimed invention would have recognized the desirability of modifying the teaching of Zhang and Hajizadeh by performing a malware scan on data objects and using the results as features for further analysis. Paithane discloses a malware detection system that processes an object by analyzing its features and any generated objects to assess whether they exhibit characteristics associated with malware. It further describes static scanning, runtime execution within a virtual machine, and analyzing the object's abstract syntax tree (AST) to extract features indicative of malicious behavior. Additionally, Paithane teaches that monitoring logic captures and reports runtime behavior, which is stored as features for determining maliciousness. Thus, it would have been obvious to process data objects by performing a malware scan and using the results as features for further analysis, leveraging Paithane’s teaching of identifying and correlating features of scanned objects with known malware signatures to assess maliciousness (Paithane Column 2, Lines 11-21, Column 2, Lines 48-63, Column 7, Lines 54-61.).
Regarding Claim 12
Claim 12 is directed to a method corresponding to the computer-implemented method in claim 5. Claim 12 is similar in scope to claim 5 and is therefore rejected under similar rationale.
Regarding Claim 19
Claim 14 is directed to a method corresponding to the computer-implemented method in claim 5. Claim 14 is similar in scope to claim 5 and is therefore rejected under similar rationale.
Conclusion
Applicant’s amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Saad Abdullah whose telephone number is (571) 272-1531. The examiner can normally be reached on Monday through Friday, 8:30 AM - 5:00 PM (EST).
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on (571) 272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only.
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/SAAD AHMAD ABDULLAH/Examiner, Art Unit 2431
/LYNN D FEILD/Supervisory Patent Examiner, Art Unit 2431