Prosecution Insights
Last updated: April 19, 2026
Application No. 18/359,179

LOG ANOMALY DETECTION USING TEMPORAL-ATTENTIVE DYNAMIC GRAPHS

Non-Final OA §103 §112
Filed: Jul 26, 2023
Examiner: SHIN, KYUNG H
Art Unit: 2447
Tech Center: 2400 — Computer Networks
Assignee: NEC Laboratories America Inc.
OA Round: 3 (Non-Final)
Grant Probability: 82% (Favorable)
OA Rounds: 3-4
To Grant: 2y 11m
With Interview: 92%

Examiner Intelligence

Grants 82% — above average
Career Allow Rate: 82% (791 granted / 965 resolved, +24.0% vs TC avg)
Interview Lift: +10.2% (moderate +10% lift; resolved cases with interview)
Typical timeline: 2y 11m avg prosecution, 10 currently pending
Career history: 975 total applications across all art units

Statute-Specific Performance

§101: 13.6% (-26.4% vs TC avg)
§103: 51.1% (+11.1% vs TC avg)
§102: 22.2% (-17.8% vs TC avg)
§112: 4.9% (-35.1% vs TC avg)
Based on career data from 965 resolved cases

Office Action

§103 §112
Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION

Continued Examination Under 37 CFR 1.114

1. A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 12-9-2024 has been entered.

2. Claims 1 - 20 are pending. Claims 1, 8, 15 have been amended. Claims 1, 8, 15 are independent. File date is 7-26-2023.

Claim Rejections - 35 USC § 112

3. The following is a quotation of the first paragraph of 35 U.S.C. 112(a):

(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

4. Claims 1, 8, 15 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.
There is no disclosure in the Specification or the original claims for the following: “including a soft-margin decision boundary determined by an ad-hoc heuristic”. The term “soft-margin” is not defined in the Specification or the original claims. The term is used in the specification (Paragraph [0057]) once, but no indication is given as to its meaning in reference to a “decision boundary” or a “decision boundary radius”.

Claim Rejections - 35 USC § 103

5. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

6. Claims 1, 2, 8, 9, 15, 16 are rejected under 35 U.S.C. 103 as being unpatentable over Thampy et al. (US PGPUB No. 20190068627) in view of Mestha et al. (US PGPUB No. 20170310690).

Regarding Claims 1, 8, 15, Thampy discloses a computer-implemented method for employing a graph-based log anomaly detection framework to detect relational anomalies in system logs and a computer program product for employing a graph-based log anomaly detection framework to detect relational anomalies in system logs and a computer processing system for employing a graph-based log anomaly detection framework to detect relational anomalies in system logs, the method comprising:

a) collecting log events from systems or applications or sensors or instruments; (Thampy ¶ 086: security monitoring and control system 402 may include a log collector system 434 that performs operations for collecting network data about activity in a computing environment. Network data may be collected from log files obtained from one or more computing environments being monitored. The log collector system 434 may be configured to communicate with one or more modules and/or subsystems implemented in a computing environment, and to use these communications to collect network data. For example, each of the first computing environment 440 and the second computing environment 460 may include a first log manager 446 and a second log manager 466, respectively. Each log manager can collect and/or aggregate data from one or more agents (e.g., a first set of agents 444 in the first computing environment 440 and/or a second set of agents 464 in the second computing environment 460) implemented to collect data about network activity. The data may be collected in the form of log files.; ¶ 088: the log collector system 434 may be configured to communicate with a service provider through an interface provided by the service provider. The log collector system 434 can obtain log files and/or event data from the service provider, where the log files and event data describe usage of services by one or more users.)

b) constructing dynamic graphs to describe relationships among the log events and log fields by using a sliding window with a fixed time interval to snapshot a batch of the log events; (Thampy ¶ 309: FIG. 19 illustrates graphs of example of activity data 1900 for a set of eight users 1902. In this example, the activity data 1900 records occurrences of an action taken by each of the users 1902 over the same period of time. The action can be, for example, logins to a cloud service, file uploads, emails sent, or another action. In some examples, the activity data 1900 can represent routine usage of the application by these eight users 1902. The activity data 1900 can thus be input into a pattern recognition and learning system to identify patterns that can be used to identify anomalous behavior.; ¶ 312: a graphical interface may be generated to display the example graphs illustrated in FIG. 19. A graph or other type of chart may be shown to display patterns with regard to an attribute related to usage of a service. In some examples, a graphical interface can alternatively or additionally be generated to display the example patterns and models)

c) capturing sequential patterns by employing temporal-attentive transformers to learn temporal dependencies within the sequential patterns. (Thampy ¶ 100: the user identity repository 509 can also be used to facilitate tracking of user activity and generation of profiles, where the activity and profiles capture data across multiple cloud applications. In addition, collecting information about user behavior across multiple cloud services enables the system 500 to, when a threat is detected based upon behavior on one or more cloud services, take various actions.; ¶ 006: the patterns can capture actions that occur over a span of hours, days, weeks, months, or another time period. In various implementations, the cloud security system can use the learned patterns to identify user behavior that does not fit within the learned patterns, which may indicate a security incident.)

Furthermore, Thampy discloses for d) detecting anomalous patterns in the log events based on relationships between the log events and temporal context determined from the temporal-attentive transformers. (Thampy ¶ 006: provided are systems and methods for a cloud security system that learns patterns of user behavior and uses the learned patterns to detect anomalous behavior. For example, the cloud security system can use machine learning techniques to learn patterns of user behavior, where the patterns represent actions regularly and/or habitually taken by users in using a cloud service. In various examples, the patterns can capture actions that occur over a span of hours, days, weeks, months, or another time period. In various implementations, the cloud security system can use the learned patterns to identify user behavior that does not fit within the learned patterns, which may indicate a security incident.; ¶ 044: provided are systems, methods, and computer-program products for a cloud security service that learns patterns of user behavior, and uses the learned patterns to detect anomalous behavior. In various implementations, the service can scan time series to find frequent or regular patterns of user behavior. Machine learning techniques can be used to generate models from the detected patterns. The models can then be used with machine learning techniques to recognize similar patterns in incoming user activity data, and trigger alerts or other actions when behavior is found that does not correspond to a known pattern.)

Thampy does not explicitly disclose for d) representation in dynamic graphs whose distance to a center ranks beyond a decision boundary radius.

However, Mestha discloses wherein for d) representation in the dynamic graphs whose distance to a center ranks beyond a decision boundary radius. (Mestha ¶ 037: a decision boundary display 1000 according to some embodiments. The display 1000 includes a graphical representation of a simple decision boundary 1010 (in three dimensions it is a ball or a sphere having a radius of 0.3 units) that might be associated with, for example, global features generated from threat node values, such as values from sensor nodes, in gas turbine simulation data. According to some embodiments, a number of threat validation runs are executed and the results 1020 are provided on the display 1000 (e.g., including the run number, the radius value, and the decision of “normal” or “attack”))

It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Thampy for d) representation in dynamic graphs whose distance to a center ranks beyond a decision boundary radius as taught by Mestha. One of ordinary skill in the art would have been motivated to employ the teachings of Mestha for the flexibility of a system that enables the utilization of multiple data processing techniques such as dynamic graphs and decision boundaries. (Mestha ¶ 037)

There is no disclosure in the specification for the following claim limitation: “including a soft-margin decision boundary determined by an ad-hoc heuristic”. There is no definition in the Specification for the term “soft-margin” or a “soft-margin” associated with “a decision boundary” or “a decision boundary radius”. (see 112 Rejection).

Furthermore, for Claim 8, Thampy discloses wherein a computer program product for employing a graph-based log anomaly detection framework to detect relational anomalies in system logs, the computer program product comprising a non-transitory computer readable storage medium having program instructions embodied therewith, the program instructions executable by a computer to cause the computer to perform operations. (Thampy ¶ 087: the log managers and/or agents may be implemented in hardware, software (e.g., program code, instructions executable by a processor, etc.) executing on hardware, or combinations thereof. In some examples, the software may be stored in a memory (e.g., a non-transitory computer-readable medium), on a memory device, or some other physical memory and may be executed by one or more processing units (e.g., one or more processors, one or more processor cores, one or more GPUs, etc.). Computer-executable instructions or firmware implementations of the processing unit(s) may include computer-executable or machine-executable instructions written in any suitable programming language to perform the various operations, functions, methods, and/or processes described herein.)

Furthermore, for Claim 15, Thampy discloses wherein a memory device for storing program code; and a processor device, operatively coupled to the memory device, for running the program code to perform operations. (Thampy ¶ 087: the log managers and/or agents may be implemented in hardware, software (e.g., program code, instructions executable by a processor, etc.) executing on hardware, or combinations thereof. In some examples, the software may be stored in a memory (e.g., a non-transitory computer-readable medium), on a memory device, or some other physical memory and may be executed by one or more processing units (e.g., one or more processors, one or more processor cores, one or more GPUs, etc.). Computer-executable instructions or firmware implementations of the processing unit(s) may include computer-executable or machine-executable instructions written in any suitable programming language to perform the various operations, functions, methods, and/or processes described herein.)

Regarding Claims 2, 9, 16, Thampy-Mestha discloses the computer-implemented method of claim 1 and the computer program product of claim 8 and the computer processing system of claim 15, wherein a field extractor employs prompt-based few-shot learning to extract the log fields. (Thampy ¶ 243: One or more instructions can be configured to deny certain types of requests for an application. A user can be prompted at an interface to provide information to configure access to an application so that it is limited according to a policy.; ¶ 248: a remediation action for an application includes causing a graphical interface to prompt the user to adjust a configuration operation of the application.; ¶ 313: a graphical interface may be generated to display elements that are interactive to enable configuration of one or more parameters to configure the process of FIG. 18 including a time period of a window, attributes to monitor, and features of learning techniques including how classification is determined for particular attributes.)

7. Claims 3, 4, 10, 11, 17, 18 are rejected under 35 U.S.C. 103 as being unpatentable over Thampy in view of Mestha and further in view of Bronevetsky et al. (US PGPUB No. 20230176838).

Regarding Claims 3, 10, 17, Thampy-Mestha discloses the computer-implemented method of claim 1 and the computer program product of claim 8 and the computer processing system of claim 15. Thampy does not explicitly disclose dynamic graphs are encoded using graph convolutional network (GCN) encoders followed by a pre-trained transformer.

However, Bronevetsky discloses wherein the dynamic graphs are encoded in a latent space by using graph convolutional network (GCN) encoders followed by a pre-trained transformer. (Bronevetsky ¶ 031: code knowledge system 102 may include a machine learning (“ML” in FIG. 1) module 105 that has access to data indicative of one or more trained machine learning models (not depicted). These trained machine learning models may take various forms, including but not limited to a graph-based network such as a graph neural network (GNN), graph attention neural network (GANN), or graph convolutional neural network (GCN), a sequence-to-sequence model such as an encoder-decoder,; ¶ 024: Various types of machine learning models may be trained and used to perform such encoding, such as encoder-decoder networks (e.g., with the encoder portion being used to create the embedding), transformer networks,)

It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Thampy for dynamic graphs are encoded using graph convolutional network (GCN) encoders followed by a pre-trained transformer as taught by Bronevetsky. One of ordinary skill in the art would have been motivated to employ the teachings of Bronevetsky for the flexibility of a system that utilizes multiple types of encoders such as GCN encoders in addition to machine learning. (Bronevetsky ¶ 031; ¶ 024)

Regarding Claims 4, 11, 18, Thampy-Mestha-Bronevetsky discloses the computer-implemented method of claim 3 and the computer program product of claim 10 and the computer processing system of claim 17. Thampy does not explicitly disclose GCN encoders distinguish between normal and anomalous edges with structural, semantic, and sequential information.

However, Bronevetsky discloses wherein the GCN encoders distinguish between normal and anomalous edges with structural, semantic, and sequential information. (Thampy ¶ 024: natural language comments that often accompany source code snippets, or changes made thereto, may be encoded—with or without the commented-on source code—into semantic embeddings that succinctly represent the semantic context of the source code snippet or an edit thereto. These semantic embeddings may be used as nodes in one or more of the aforementioned graphs to determine edge sequences, and hence, related code edits. Encoding comments into semantic embeddings in this manner may strip away syntactic differences between source code snippets and/or edits of source code snippets, enabling more robust comparison of source code edits that appear syntactically different but are, in fact, related. Various types of machine learning models may be trained and used to perform such encoding,)

It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Thampy for GCN encoders distinguish between normal and anomalous edges with structural, semantic, and sequential information as taught by Bronevetsky. One of ordinary skill in the art would have been motivated to employ the teachings of Bronevetsky for the flexibility of a system that utilizes multiple types of encoders such as GCN encoders in addition to machine learning. (Bronevetsky ¶ 031; ¶ 024)

8. Claims 5, 12, 19 are rejected under 35 U.S.C. 103 as being unpatentable over Thampy in view of Mestha and further in view of Bronevetsky and Schmidt et al. (US PGPUB No. 20220027777).

Regarding Claims 5, 12, 19, Thampy-Mestha-Bronevetsky discloses the computer-implemented method of claim 3 and the computer program product of claim 10 and the computer processing system of claim 17. Thampy does not explicitly disclose hidden states for each of the log events and log fields is regarded as an attribute.

However, Schmidt discloses wherein encoded hidden states for each of the log events and log fields is regarded as an attribute and an adjacency matrix represents a structure of the dynamic graphs. (Schmidt ¶ 064: One form of contextual encoding is graph embedding, which constructs and prunes (i.e., limits the extent of) a logical graph of (e.g., temporally, or semantically) related events or records. The graph embedding may be used as a contextual encoding and input stimulus to an ANN.; ¶ 062: When the gradient is negative, the greater the magnitude of error contributed to the network by an edge, the more the edge's weight should be reduced, which is negative reinforcement. When the gradient is positive, then positive reinforcement entails increasing the weight of an edge whose activation reduced the error. An edge weight is adjusted according to a percentage of the edge's gradient. The steeper is the gradient, the bigger is adjustment. Not all edge weights are adjusted by a same amount. As model training continues with additional input samples, the error of the ANN should decline. Training may cease when the error stabilizes (i.e., ceases to reduce) or vanishes beneath a threshold (i.e., approaches zero).; ¶ 065: Hidden state (i.e., memory) is a powerful ANN enhancement for (especially temporal) sequence processing. Sequencing may facilitate prediction and operational anomaly detection, which can be important techniques.)

It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Thampy for hidden states for each of the log events and log fields is regarded as an attribute as taught by Schmidt. One of ordinary skill in the art would have been motivated to employ the teachings of Schmidt for the flexibility of a system that enables the utilization of dynamic graph technology in the processing of data within a network environment. (Schmidt ¶ 064; ¶ 062)

9. Claims 6, 13, 20 are rejected under 35 U.S.C. 103 as being unpatentable over Thampy in view of Mestha and further in view of Schmidt et al. (US PGPUB No. 20220027777).

Regarding Claims 6, 13, 20, Thampy-Mestha discloses the computer-implemented method of claim 1 and the computer program product of claim 8 and the computer processing system of claim 15. Thampy does not explicitly disclose for each dynamic graph, negative edges are sampled and edge scores are calculated based on learned hidden states.

However, Schmidt discloses wherein, for each dynamic graph, negative edges are sampled and edge scores are calculated based on learned hidden states. (Schmidt ¶ 064: One form of contextual encoding is graph embedding, which constructs and prunes (i.e., limits the extent of) a logical graph of (e.g., temporally, or semantically) related events or records. The graph embedding may be used as a contextual encoding and input stimulus to an ANN.; ¶ 062: When the gradient is negative, the greater the magnitude of error contributed to the network by an edge, the more the edge's weight should be reduced, which is negative reinforcement. When the gradient is positive, then positive reinforcement entails increasing the weight of an edge whose activation reduced the error. An edge weight is adjusted according to a percentage of the edge's gradient. The steeper is the gradient, the bigger is adjustment. Not all edge weights are adjusted by a same amount. As model training continues with additional input samples, the error of the ANN should decline. Training may cease when the error stabilizes (i.e., ceases to reduce) or vanishes beneath a threshold (i.e., approaches zero).; ¶ 065: Hidden state (i.e., memory) is a powerful ANN enhancement for (especially temporal) sequence processing. Sequencing may facilitate prediction and operational anomaly detection, which can be important techniques.)

It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Thampy for each dynamic graph, negative edges are sampled and edge scores are calculated based on learned hidden states as taught by Schmidt. One of ordinary skill in the art would have been motivated to employ the teachings of Schmidt for the flexibility of a system that enables the utilization of dynamic graph technology in the processing of data within a network environment. (Schmidt ¶ 064; ¶ 062)

10. Claims 7, 14 are rejected under 35 U.S.C. 103 as being unpatentable over Thampy in view of Mestha and further in view of Schmidt and Kruglick et al. (Patent No. KR 20140081871 A).

Regarding Claims 7, 14, Thampy-Mestha discloses the computer-implemented method of claim 6 and the computer program product of claim 13. Thampy does not explicitly disclose utilized to minimize positive edge scores and to maximize negative edge scores.

However, Kruglick discloses wherein a pair-wise margin loss is utilized to minimize positive edge scores and to maximize negative edge scores following a one-class training objective. (Kruglick page 9: The optimization module 118 may be configured to maximize the edge level score of each edge-level bucket. In this way, the optimization module 118 can maximize traffic in the edge layer 106. The optimization module 118 may also be configured to minimize traffic in the integrated layer 110 and the core layer 114.)

It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Thampy for utilized to minimize positive edge scores and to maximize negative edge scores as taught by Kruglick. One of ordinary skill in the art would have been motivated to employ the teachings of Kruglick for the flexibility of a system that enables multiple types of network-connected devices to be utilized in data processing within a network environment. (Kruglick page 9)

Response to Amendments

11. Applicant’s arguments have been fully considered but they were not persuasive.

A. Applicant argues on pages 9-10 of Remarks: ... Mestha fails to teach or suggest at least "detecting anomalous patterns in the log events based on relationships between the log events and temporal context determined from the temporal-attentive transformers and representations in the dynamic graphs whose distance to a center ranks beyond a decision boundary radius including a soft-margin decision boundary determined by an ad-hoc heuristic." ... .

The Examiner respectfully disagrees. Thampy discloses data processing utilizing automated (i.e. analogous to dynamic) techniques. Thampy discloses a graph wherein a set of parameters are generated and the parameters associated with the graph are changed (new or updated) or a variance computed and a new graph is generated. (Thampy ¶ 122: the database is adaptive to structural changes and new values, and can run automated processes to check for changed data.; ¶ 279: a sliding window of time is used to identify patterns in the coarse data. A first window 1610a is illustrated overlaying the graph 1600, where the first window 1610a includes the first seven days of the graph 1600 (days 1 through 7). The pattern recognition and learning system, for example using a scanning engine, can compute a variance for the values within the first window 1610a. This first variance value can be stored in a vector of variance values. A second window 1610b is also illustrated, where the second window 1610b is shifted over by one day, and thus covers days 2 through 8. A variance can also be computed for the values in the second window 1610b. This second variance value can also be added to a vector of variance values. The window of seven days can continue to be shifted by one day, and for each shift a variance value can be computed.)

Thampy discloses data processing utilizing temporal based techniques (i.e. analogous to temporal attentive transformers, time based processing). (Thampy ¶ 006: provided are systems and methods for a cloud security system that learns patterns of user behavior and uses the learned patterns to detect anomalous behavior. For example, the cloud security system can use machine learning techniques to learn patterns of user behavior, where the patterns represent actions regularly and/or habitually taken by users in using a cloud service. In various examples, the patterns can capture actions that occur over a span of hours, days, weeks, months, or another time period (temporal based parameters). In various implementations, the cloud security system can use the learned patterns to identify user behavior that does not fit within the learned patterns, which may indicate a security incident.; ¶ 044: provided are systems, methods, and computer-program products for a cloud security service that learns patterns of user behavior, and uses the learned patterns to detect anomalous behavior. In various implementations, the service can scan time series to find frequent or regular patterns of user behavior. Machine learning techniques can be used to generate models from the detected patterns. The models can then be used with machine learning techniques to recognize similar patterns in incoming user activity data, and trigger alerts or other actions when behavior is found that does not correspond to a known pattern.)

And, Mestha discloses processing data associated with graphs. Mestha discloses the utilization of graph data, a decision boundary, and a radius associated with the decision boundary. (Mestha ¶ 037: a decision boundary display 1000 according to some embodiments.
The display 1000 includes a graphical representation of a simple decision boundary 1010 (in three dimensions it is a ball or a sphere having a radius of 0.3 units) that might be associated with, for example, global features generated from threat node values, such as values from sensor nodes, … , a number of threat validation runs are executed and the results 1020 are provided on the display 1000 (e.g., including the run number, the radius value, and the decision of “normal” or “attack”); (graph data associated with a decision boundary))

There is no disclosure in the specification for the following claim limitation: “including a soft-margin decision boundary determined by an ad-hoc heuristic”. There is no definition in the Specification for the term “soft-margin” or a “soft-margin” associated with “a decision boundary” or “a decision boundary radius”. (see 112 Rejection).

B. Applicant argues on page 10 of Remarks: ... Accordingly, Applicant respectfully submits that independent claims 1, 8, and 15 are patentable over Thampy in view of Mestha under 35 U.S.C. § 103, whether taken alone or in combination.

Independent claims 8 and 15 contain similar limitations as independent claim 1. Responses against independent claim 1 also answer current arguments against independent claims 8 and 15.

C. Applicant argues on page 10 of Remarks: ... Claims 2, 9, and 16 depend from one of claims 1, 8, and 15. Thus, for at least the stated reasons, claims 1, 8, and 15 are believed to be patentable, and dependent claims 2, 9, and 16 are likewise believed patentable over Thampy in view of Mestha under 35 U.S.C. § 103.

Responses to arguments against independent claims also answer current arguments against dependent claims.

D. Applicant argues on page 11 of Remarks: ... Bronevetsky fails to teach or suggest at least "detecting anomalous patterns in the log events based on relationships between the log events and temporal context determined from the temporal-attentive transformers and representations in the dynamic graphs whose distance to a center ranks beyond a decision boundary radius including a soft-margin decision boundary determined by an ad-hoc heuristic." ... .

The Examiner respectfully disagrees. Thampy discloses data processing utilizing automated (i.e. analogous to dynamic) techniques. Thampy discloses a graph wherein a set of parameters are generated and the parameters associated with the graph are changed (new or updated) or a variance computed and a new graph is generated. (Thampy ¶ 122: the database is adaptive to structural changes and new values, and can run automated processes to check for changed data.; ¶ 279: a sliding window of time is used to identify patterns in the coarse data. A first window 1610a is illustrated overlaying the graph 1600, where the first window 1610a includes the first seven days of the graph 1600 (days 1 through 7). The pattern recognition and learning system, for example using a scanning engine, can compute a variance for the values within the first window 1610a. This first variance value can be stored in a vector of variance values. A second window 1610b is also illustrated, where the second window 1610b is shifted over by one day, and thus covers days 2 through 8. A variance can also be computed for the values in the second window 1610b. This second variance value can also be added to a vector of variance values. The window of seven days can continue to be shifted by one day, and for each shift a variance value can be computed.)

Thampy discloses data processing utilizing temporal based techniques (i.e. analogous to temporal attentive transformers, time based processing). (Thampy ¶ 006: provided are systems and methods for a cloud security system that learns patterns of user behavior and uses the learned patterns to detect anomalous behavior.
For example, the cloud security system can use machine learning techniques to learn patterns of user behavior, where the patterns represent actions regularly and/or habitually taken by users in using a cloud service. In various examples, the patterns can capture actions that occur over a span of hours, days, weeks, months, or another time period (temporal based parameters). In various implementations, the cloud security system can use the learned patterns to identify user behavior that does not fit within the learned patterns, which may indicate a security incident.; ¶ 044: provided are systems, methods, and computer-program products for a cloud security service that learns patterns of user behavior, and uses the learned patterns to detect anomalous behavior. In various implementations, the service can scan time series to find frequent or regular patterns of user behavior. Machine learning techniques can be used to generate models from the detected patterns. The models can then be used with machine learning techniques to recognize similar patterns in incoming user activity data, and trigger alerts or other actions when behavior is found that does not correspond to a known pattern.) And, Mestha discloses processing data associated with graphs. Mestha disclose the utilization of graph data, a decision boundary, and a radius associated with the decision boundary. (Mestha ¶ 037: a decision boundary display 1000 according to some embodiments. 
The display 1000 includes a graphical representation of a simple decision boundary 1010 (in three dimensions it is a ball or a sphere having a radius of 0.3 units) that might be associated with, for example, global features generated from threat node values, such as values from sensor nodes, … , a number of threat validation runs are executed and the results 1020 are provided on the display 1000 (e.g., including the run number, the radius value, and the decision of “normal” or “attack”); (graph data associated with a decision boundary)) There is no disclosure in the specification for the following claim limitation: “including a soft-margin decision boundary determined by an ad-hoc heuristic”. There is no definition in the Specification for the term “soft-margin” or a “soft-margin” associated with “a decision boundary” or “a decision boundary radius”. (see 112 Rejection). E. Applicant argues on page 11 of Remarks: ... Schmidt fails to teach or suggest at least "detecting anomalous patterns in the log events based on relationships between the log events and temporal context determined from the temporal-attentive transformers and representations in the dynamic graphs whose distance to a center ranks beyond a decision boundary radius including a soft-margin decision boundary determined by an ad-hoc heuristic." ... . The Examiner respectfully disagrees. Thamby discloses data processing utilizing automated (i.e. analogous to dynamic) techniques. Thampy discloses a graph wherein a set of parameters are generated and the parameters associated with the graph are changed (new or updated) or a variance computed and a new graph is generated. (Thampy ¶ 122: the database is adaptive to structural changes and new values, and can run automated processes to check for changed data.; ¶ 279: a sliding window of time is used to identify patterns in the coarse data. 
A first window 1610a is illustrated overlaying the graph 1600, where the first window 1610a includes the first seven days of the graph 1600 (days 1 through 7). The pattern recognition and learning system, for example using a scanning engine, can compute a variance for the values within the first window 1610a. This first variance value can be stored in a vector of variance values. A second window 1610b is also illustrated, where the second window 1610b is shifted over by one day, and thus covers days 2 through 8. A variance can also be computed for the values in the second window 1610b. This second variance value can also be added to a vector of variance values. The window of seven days can continue to be shifted by one day, and for each shift a variance value can be computed.) Thampy discloses data processing utilizing temporal based techniques (i.e. analogous to temporal attentive transformers, time based processing)). (Thampy ¶ 006: provided are systems and methods for a cloud security system that learns patterns of user behavior and uses the learned patterns to detect anomalous behavior. For example, the cloud security system can use machine learning techniques to learn patterns of user behavior, where the patterns represent actions regularly and/or habitually taken by users in using a cloud service. In various examples, the patterns can capture actions that occur over a span of hours, days, weeks, months, or another time period (temporal based parameters). In various implementations, the cloud security system can use the learned patterns to identify user behavior that does not fit within the learned patterns, which may indicate a security incident.; ¶ 044: provided are systems, methods, and computer-program products for a cloud security service that learns patterns of user behavior, and uses the learned patterns to detect anomalous behavior. In various implementations, the service can scan time series to find frequent or regular patterns of user behavior. 
Machine learning techniques can be used to generate models from the detected patterns. The models can then be used with machine learning techniques to recognize similar patterns in incoming user activity data, and trigger alerts or other actions when behavior is found that does not correspond to a known pattern.) And, Mestha discloses processing data associated with graphs. Mestha disclose the utilization of graph data, a decision boundary, and a radius associated with the decision boundary. (Mestha ¶ 037: a decision boundary display 1000 according to some embodiments. The display 1000 includes a graphical representation of a simple decision boundary 1010 (in three dimensions it is a ball or a sphere having a radius of 0.3 units) that might be associated with, for example, global features generated from threat node values, such as values from sensor nodes, … , a number of threat validation runs are executed and the results 1020 are provided on the display 1000 (e.g., including the run number, the radius value, and the decision of “normal” or “attack”); (graph data associated with a decision boundary)) There is no disclosure in the specification for the following claim limitation: “including a soft-margin decision boundary determined by an ad-hoc heuristic”. There is no definition in the Specification for the term “soft-margin” or a “soft-margin” associated with “a decision boundary” or “a decision boundary radius”. (see 112 Rejection). F. Applicant argues on page 12 of Remarks: ... Kruglick fails to teach or suggest at least "detecting anomalous patterns in the log events based on relationships between the log events and temporal context determined from the temporal-attentive transformers and representations in the dynamic graphs whose distance to a center ranks beyond a decision boundary radius including a soft-margin decision boundary determined by an ad-hoc heuristic." ... . The Examiner respectfully disagrees. 
Thampy discloses data processing utilizing automated (i.e. analogous to dynamic) techniques. Thampy discloses a graph wherein a set of parameters are generated and the parameters associated with the graph are changed (new or updated) or a variance computed and a new graph is generated. (Thampy ¶ 122: the database is adaptive to structural changes and new values, and can run automated processes to check for changed data.; ¶ 279: a sliding window of time is used to identify patterns in the coarse data. A first window 1610a is illustrated overlaying the graph 1600, where the first window 1610a includes the first seven days of the graph 1600 (days 1 through 7). The pattern recognition and learning system, for example using a scanning engine, can compute a variance for the values within the first window 1610a. This first variance value can be stored in a vector of variance values. A second window 1610b is also illustrated, where the second window 1610b is shifted over by one day, and thus covers days 2 through 8. A variance can also be computed for the values in the second window 1610b. This second variance value can also be added to a vector of variance values. The window of seven days can continue to be shifted by one day, and for each shift a variance value can be computed.)

Thampy discloses data processing utilizing temporal based techniques (i.e. analogous to temporal attentive transformers, time based processing). (Thampy ¶ 006: provided are systems and methods for a cloud security system that learns patterns of user behavior and uses the learned patterns to detect anomalous behavior. For example, the cloud security system can use machine learning techniques to learn patterns of user behavior, where the patterns represent actions regularly and/or habitually taken by users in using a cloud service. In various examples, the patterns can capture actions that occur over a span of hours, days, weeks, months, or another time period (temporal based parameters). In various implementations, the cloud security system can use the learned patterns to identify user behavior that does not fit within the learned patterns, which may indicate a security incident.; ¶ 044: provided are systems, methods, and computer-program products for a cloud security service that learns patterns of user behavior, and uses the learned patterns to detect anomalous behavior. In various implementations, the service can scan time series to find frequent or regular patterns of user behavior. Machine learning techniques can be used to generate models from the detected patterns. The models can then be used with machine learning techniques to recognize similar patterns in incoming user activity data, and trigger alerts or other actions when behavior is found that does not correspond to a known pattern.)

And, Mestha discloses processing data associated with graphs. Mestha discloses the utilization of graph data, a decision boundary, and a radius associated with the decision boundary. (Mestha ¶ 037: a decision boundary display 1000 according to some embodiments. The display 1000 includes a graphical representation of a simple decision boundary 1010 (in three dimensions it is a ball or a sphere having a radius of 0.3 units) that might be associated with, for example, global features generated from threat node values, such as values from sensor nodes, … , a number of threat validation runs are executed and the results 1020 are provided on the display 1000 (e.g., including the run number, the radius value, and the decision of “normal” or “attack”); (graph data associated with a decision boundary))

There is no disclosure in the specification for the following claim limitation: “including a soft-margin decision boundary determined by an ad-hoc heuristic”. There is no definition in the Specification for the term “soft-margin” or a “soft-margin” associated with “a decision boundary” or “a decision boundary radius”. (see 112 Rejection).

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Kyung H Shin whose telephone number is (571)272-3920. The examiner can normally be reached M - F: 12pm - 8pm.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joon H Hwang can be reached on 571-272-4036. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/KYUNG H SHIN/ 1-22-2026
Primary Examiner, Art Unit 2447

Prosecution Timeline

Jul 26, 2023
Application Filed
Apr 03, 2025
Non-Final Rejection — §103, §112
Jul 01, 2025
Interview Requested
Jul 09, 2025
Examiner Interview Summary
Jul 09, 2025
Applicant Interview (Telephonic)
Jul 09, 2025
Response Filed
Aug 31, 2025
Final Rejection — §103, §112
Nov 20, 2025
Interview Requested
Dec 04, 2025
Response after Non-Final Action
Dec 04, 2025
Applicant Interview (Telephonic)
Jan 14, 2026
Request for Continued Examination
Jan 20, 2026
Examiner Interview Summary
Jan 20, 2026
Response after Non-Final Action
Jan 22, 2026
Non-Final Rejection — §103, §112 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12598160
PROXY SERVER WITH DYNAMIC MEMORY BUFFER
2y 5m to grant Granted Apr 07, 2026
Patent 12592948
CROSS PROTOCOL MALWARE TRAFFIC DETECTION USING A TWO-LAYER ML ARCHITECTURE
2y 5m to grant Granted Mar 31, 2026
Patent 12592966
Dynamic Feature Optimization Leveraging Quantum Simulation for Fake Account Detection
2y 5m to grant Granted Mar 31, 2026
Patent 12585532
FRAMEWORK FOR SELECTING THRESHOLDS FOR ANOMALY DETECTION MODELS AND GENERATING QUANTITATIVE EXPLANATIONS
2y 5m to grant Granted Mar 24, 2026
Patent 12574360
SYSTEM AND METHOD USING GENETIC ALGORITHMS FOR ANOMALY DETECTION IN A MOBILE NETWORK
2y 5m to grant Granted Mar 10, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.


Prosecution Projections

3-4
Expected OA Rounds
82%
Grant Probability
92%
With Interview (+10.2%)
2y 11m
Median Time to Grant
High
PTA Risk
Based on 965 resolved cases by this examiner. Grant probability derived from career allow rate.
