Prosecution Insights
Last updated: April 19, 2026
Application No. 18/361,366

SYSTEM AND METHOD FOR DETECTING MALICIOUS ACTIVITY BASED ON SET DETECTION

Final Rejection (§101, §103)

Filed: Jul 28, 2023
Examiner: ABYANEH, ALI S
Art Unit: 2437
Tech Center: 2400 (Computer Networks)
Assignee: Wiz Inc.
OA Round: 2 (Final)
Grant Probability: 78% (Favorable)
Expected OA Rounds: 3-4
Time to Grant: 3y 3m
Grant Probability with Interview: 99%

Examiner Intelligence

Career Allow Rate: 78% (485 granted / 623 resolved; +19.8% vs TC avg, above average)
Interview Lift: +55.6% (resolved cases with an interview vs. without)
Avg Prosecution: 3y 3m
Currently Pending: 23
Total Applications: 646 (across all art units)

Statute-Specific Performance

§101: 17.2% (-22.8% vs TC avg)
§103: 49.1% (+9.1% vs TC avg)
§102: 9.5% (-30.5% vs TC avg)
§112: 13.9% (-26.1% vs TC avg)
Tech Center averages are estimates. Based on career data from 623 resolved cases.

Office Action (§101, §103)

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Claims 1-23 are pending. Claims 1, 12 and 13 have been amended.

Response to Arguments

Applicant's amendments/arguments filed on 12-10-2025 have been fully considered. With respect to the rejection of claims under 35 USC 101, applicant asserts "the claim elements of 'transmitting the cybersecurity event to a backend server' and 'initiating a mitigation action in a cloud computing environment based on the transmitted cyber security event and the predetermined rule used to generate the event set' are inherently processes, which cannot be practically performed in the human mind…". Examiner respectfully disagrees. A human, for example a computer technician who is responsible for monitoring activities of users, could monitor users' activities on a computer monitor/log. The technician follows a predetermined rule of recording only certain types of activities (such as repeated access requests of users), writes users' activities on a piece of paper, identifies the number of repeated access requests of the users and compares the number of requests to a predetermined threshold (for example 3 requests in 10 minutes) defined by a company policy; if more than 3 requests occur within 10 minutes, treats the activity as a security threat and reports the threat to the system administrator on the piece of paper or via a telephone call; and after the threat is reported, a mitigation action such as disabling the suspicious user's account or notifying or warning the user attempting multiple access requests is performed. Therefore, the limitations of the claim could be performed in the human mind. The backend server and cloud computing environment as claimed do not change an operation of a computer nor define a specific architecture; they merely state where the abstract idea happens. Therefore the abstract idea is not integrated into a practical application. The complete analysis is provided in the office action below.

Applicant's arguments with respect to the rejection of claims under 35 USC 103 are moot in view of a new ground of rejection.

Information Disclosure Statement PTO-1449

The Information Disclosure Statements submitted by applicant on 9/19/2025, 10/17/2025 and 12/10/2025 have been considered. Please see attached PTO-1449.

Claim Rejections - 35 USC § 101

35 U.S.C. 101 reads as follows: Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1-23 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.

The claims, when analyzed under the 2019 Revised Patent Subject Matter Eligibility Guidance, are directed to an abstract idea. Claim 1, for example, recites a method and, therefore, is a process. The claim recites the limitations of "…listen on a data link …for event; …generate an event set from a plurality of events, based on a predetermined rule; detecting that a number of events in the event set exceeds a predetermined threshold…; determining that a cyber security event occurred...; transmitting the cybersecurity …and initiating a mitigation action… based on the transmitted cyber security event". These limitations, under broadest reasonable interpretation, are directed to performance of the limitations in a human mind. That is, nothing in the claim elements precludes the steps from practically being performed in the mind. For example, the claim encompasses a human simply listening for an event and writing on a piece of paper a set of events from a plurality of events based on a rule, comparing the set of events to a predetermined threshold to detect that the number of events exceeds the predetermined threshold, determining a cybersecurity event when the number of events exceeds the predetermined threshold, sending/transmitting a cybersecurity event and initiating a mitigation action. Thus, the claim recites a mental process when analyzed under step 2A prong 1.

The claim is further analyzed in step 2A prong 2, to evaluate whether the claim as a whole integrates the recited judicial exception into a practical application of the exception. This evaluation is performed by identifying whether there are any additional elements recited in the claim beyond the judicial exception, and evaluating those additional elements individually and in combination to determine whether the claim as a whole integrates the exception into a practical application. However, each of the remaining limitations (backend server, cloud computing) appears to be a generic computer function which does not constitute a meaningful limitation that would amount to significantly more than the abstract idea. The combination of these additional elements is no more than generic computer functions. Thus, even in combination, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limitations on practicing the abstract idea.

The claim is additionally analyzed under Step 2B to evaluate whether the claim as a whole amounts to significantly more than the recited exception, whether any additional element, or combination of additional elements, adds an inventive concept to the claim. When the claims are evaluated under step 2B, they are no more than what is well-understood, routine, conventional activity in the field. The specification does not provide any indication of anything other than a generic computer component. The mere "…listen on a data link …for event; …generate an event… based on a rule; detecting that a number of events…exceeds a predetermined threshold; determining that a cyber security event occurred...; transmitting the cybersecurity event… and initiating a mitigation action…" is a well-understood, routine and conventional function when it is claimed in a merely generic manner as it is here.

Independent claims 12 and 13 include limitations similar to the limitations of claim 1 and are rejected under 35 U.S.C. 101 as being directed to an abstract idea for the same reasons discussed above with respect to claim 1. Dependent claims 2-11 and 14-23 do not cure the deficiency of the independent claims and are directed to an abstract idea when analyzed under the 2019 Revised Patent Subject Matter Eligibility Guidance.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 3, 4, 9, 11-13, 15, 16, 21 and 23 are rejected under 35 U.S.C. 103 as being unpatentable over Fellows et al. (US Publication No. 2021/0273953), hereinafter Fellows, in view of Shimoni et al. (US Publication No. 2010/0192201), hereinafter Shimoni.

As per claims 1, 12 and 13, Fellows discloses a method for reducing network communication from a sensor for detecting cybersecurity threats, comprising: configuring a resource to deploy thereon a sensor, the sensor configured to listen on a data link layer of the resource for an event (paragraph [0023], sensor is configured to monitor traffic, and paragraph [0052], "The cyber-defense appliance securely communicates and cooperates with a suite of different endpoint agent cSensors that can ingest onboard traffic from multiple different independent systems using protocols for at least one of a data link layer"); configuring the sensor to generate an event set from a plurality of events, based on a predetermined rule (paragraph [0023], "A collation module of the cSensors 105A-D can cooperate with the security module to obtain input data from the collected first set of traffic data… Which option of these three DPI actions to take for the level of DPI applied to each connection by the cSensor 105A-D is dependent on the network parameters… Thus, the cSensors 105A-D may be configured to intelligently chose to pass on i) just the metadata associated with the packet traffic, ii) just a subset of the packets (e.g., packets of potential interest) and the meta data, and/or iii) pass along all of the packets to the central cyber security appliance 120 at a separate location from the cSensors 105A-D by factoring in one or more of these factors."); detecting that [a number of events in the] event set exceeds a predetermined threshold; determining that a cybersecurity event occurred in response to detecting that [the number of] events exceeds the predetermined threshold (paragraph [0067], detecting a cyber threat by detecting behavior on the computing system that falls outside of a normal behavior threshold); transmitting the cybersecurity event to a backend server (paragraph [0023], "endpoint agents 111A-D that monitors devices' network activity and delivers key data and metadata to the cyber security appliance 120"); and initiating a mitigation action in a cloud computing environment based on the transmitted cybersecurity event (paragraph [0029], "The autonomous actions comprise at least one or more of blocking a particular connection, blocking a particular type of traffic data, preventing a particular type of activity, cooperating with the operating system to shut down one or more computer processes running on the endpoint computing device, and other similar network preventative actions").

While Fellows discloses detecting a cyber attack if an event falls outside of a threshold, Fellows does not explicitly disclose, but in an analogous art, Shimoni discloses detecting that a number of events in the event set exceeds a predetermined threshold (paragraph [0137], "determination is then made whether the number of requests made by the source is then compared request received from the source exceed a threshold"), wherein the predetermined threshold is based on a rolling window of a number of events (paragraph [0139], "rolling time window") and determining that a cybersecurity event occurred in response to detecting that the number of events exceeds the predetermined threshold, wherein the cyber security event is indicative of a cybersecurity threat (paragraph [0138], "If a threshold was exceeded, then a responsive action is performed"; abstract, "Excessive access rates are one type of anomalous traffic that is detected by monitoring a source and determining whether the number of requests that the source generates within a specific time frame is above a threshold"). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Fellows with Shimoni. This would have been obvious because one of ordinary skill in the art would have been motivated to improve security systems and techniques to safeguard information from cybercriminals and security breaches.

As per claims 3 and 15, Fellows furthermore discloses sending information of the event set in response to determining that the cybersecurity event occurred (paragraph [0027], transmit a second set of traffic data associated with the specified DPI performed on the input data). As per claims 4 and 16, Fellows furthermore discloses sending a representative event from the event set (paragraph [0027], receive the input data from the first set of traffic data).

As per claims 9 and 21, Shimoni discloses detecting that a number of events in a [second] event set exceeds a [second] predetermined threshold; and determining that the cybersecurity event occurred in response to detecting that the number of events exceeds the predetermined threshold, and the number of events in the [second] event set exceeds the second predetermined threshold (paragraph [0137], "determination is then made whether the number of requests made by the source is then compared request received from the source exceed a threshold"; paragraph [0138], "If a threshold was exceeded, then a responsive action is performed"; abstract, "Excessive access rates are one type of anomalous traffic that is detected by monitoring a source and determining whether the number of requests that the source generates within a specific time frame is above a threshold"). Although Shimoni does not explicitly disclose a second event set and a second predetermined threshold, it is noted that the same steps applied by Shimoni for determining that the cybersecurity event occurred based on detecting that the number of events in a first event set exceeds a first predetermined threshold could have been similarly applied for any number of event sets (i.e., a second event set) based on any number of thresholds (i.e., a second predetermined threshold). Therefore, such modification would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, since such modification does not include any inventive concept. It would have been obvious to one of ordinary skill in the art to determine the cyber security threat for different types of event sets based on different criteria and thresholds.

As per claims 11 and 23, Fellows as modified furthermore discloses detecting events from a plurality of resources, each resource having a sensor deployed thereon (paragraph [0023], cSensors 105A-D monitor traffic and pass traffic and metadata to the cyber security appliance); determining that the cybersecurity event did not occur in response to detecting that a number of events aggregated from the plurality of resources exceeds a threshold (paragraph [0067], "A normal behavior threshold is used by the model as a moving benchmark of parameters that correspond to a normal pattern of life for the computing system. The normal behavior threshold is varied according to the updated changes in the computer system allowing the model to spot behavior on the computing system that falls outside the parameters set by the moving benchmark").

Claims 2 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Fellows, in view of Shimoni, further in view of Osuala et al. (US Publication No. 2021/0382784), hereinafter Osuala. As per claims 2 and 14, Fellows as modified does not explicitly disclose, but in an analogous art, Osuala discloses generating the event set based on detecting a group of events having a common event type (paragraph [0062], "The records may be clustered…Each resulting cluster may be a group of related records that represent the same event category"). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the modified Fellows with Osuala. This would have been obvious because one of ordinary skill in the art would have been motivated to analyze events having similar attributes.

Claims 5, 7, 17 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Fellows, in view of Shimoni, further in view of Misra et al. (US Publication No. 2021/0326883), hereinafter Misra. As per claims 5 and 17, Fellows as modified does not explicitly disclose, but in an analogous art, Misra discloses sending the rule based on which the event set was generated (paragraph [0005], "receiving…a first rule…applying…the first rule to an initial data set of event.."). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the modified Fellows with Misra. This would have been obvious because one of ordinary skill in the art would have been motivated to predict the classification of an event. As per claims 7 and 19, Fellows as modified does not explicitly disclose, but in an analogous art, Misra discloses detecting an event of a first type; and generating a rule to generate an event set based on the first type (paragraph [0005], applying the first rule to an initial data set of events, the first rule being generated by a client computer). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the modified Fellows with Misra. This would have been obvious because one of ordinary skill in the art would have been motivated to predict the classification of an event.

Claims 6 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Fellows, in view of Shimoni, further in view of Treuhaft et al. (US Publication No. 2010/0274970), hereinafter Treuhaft. As per claims 6 and 18, Fellows as modified does not explicitly disclose, but in an analogous art, Treuhaft discloses configuring the sensor to detect an event of a second type, in response to determining that the cybersecurity event occurred (paragraph [0080], after an anomaly is detected, the monitoring process continues at step 800, in which the server checks for an anomaly). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the modified Fellows with Treuhaft. This would have been obvious because one of ordinary skill in the art would have been motivated to do so in order to achieve the predictable result of detecting malware of different event types.

Claims 8 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Fellows, in view of Shimoni and Misra, further in view of Shanklin et al. (US Publication No. 2002/0133586), hereinafter Shanklin. As per claims 8 and 20, Fellows as modified does not explicitly disclose, but in an analogous art, Shanklin discloses deleting the generated rule, in response to determining that the event set based on the first type includes a number of events which is below a first threshold (paragraph [0068], "if the intruder is not transmitting, or is now transmitting within the threshold limits, then at 220, the rule is removed"). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the modified Fellows with Shanklin. This would have been obvious because one of ordinary skill in the art would have been motivated to improve adaptability of the security system by employing dynamic rules for detecting anomalies.

Claims 10 and 22 are rejected under 35 U.S.C. 103 as being unpatentable over Fellows, in view of Shimoni, further in view of Briliauskas et al. (US Patent No. 11,593,485), hereinafter Briliauskas. As per claims 10 and 22, Fellows as modified does not explicitly disclose, but in an analogous art, Briliauskas discloses determining that the cybersecurity event did not occur in response to detecting that the number of events exceeds a second predetermined threshold which is higher than the predetermined threshold (column 11, line 64 to column 12, line 1, a file is labeled as a clean file if the maliciousness score is below a first threshold (e.g., 0.5) or if a confidence score of the prediction is above a second threshold (e.g., above 0.8)). It would have been obvious to one of ordinary skill in the art to modify the cyber attack detection system based on the amount of events and packet size of Fellows and Shimoni with the attack detection system of Briliauskas. This would have been obvious because one of ordinary skill in the art would have been motivated to classify files as clean with accuracy and high confidence.

References Cited, Not Used

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Kislitsin (US Pub No. 2018/0083987) discloses a method for auto-generation of decision rules for attack detection feedback systems. The method is executed on a server. The method comprises: receiving at least one event from an event database, the event database having been generated from data obtained by at least one sensor; analyzing the at least one event to determine whether the at least one event belongs to a class of malware control center interactions; if the at least one event belongs to the class of malware control center interactions, extracting at least one attribute from the at least one event; generating decision rules using the at least one attribute; and saving the decision rules; saving the decision rules, the decision rules being instrumental in updating what type of further data is obtained by the at least one sensor based on the decision rule. Baikalov (US Pub No. 2015/0067850) discloses methods and apparatus for detecting a network attack. A sensor grid may be established in a network (e.g., an enterprise network). The sensors may monitor network assets across various network layers and transmit to a server signals that indicate the probability of an attack on the network. The server may apply an amplification algorithm to combine and amplify all of the received signals into a single signal that more accurately displays the probability of an attack on the network.

Conclusion

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Ali Abyaneh, whose telephone number is (571) 272-7961. The examiner can normally be reached on Monday-Friday from 8:00-5:00. If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Alexander Lagor, can be reached on (571) 270-5143. can be reached on (571) 272-4063. The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
/ALI S ABYANEH/Primary Examiner, Art Unit 2437
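The detection flow the office action paraphrases from the claims (a sensor-side rule groups raw events into an event set, the set size is compared with a threshold over a rolling window, an exceeded threshold becomes a cybersecurity event that is sent to a backend, and the backend picks a mitigation from the event and the rule that produced it), together with the dependent-claim variants the examiner maps to the references (a representative event and the rule name travel with the alert; a second, higher threshold and a fleet-wide aggregate threshold both cancel the determination), written out as an added Python illustration. This is not code from the application, from Wiz, or from Fellows, Shimoni or any other cited reference; the rule name, window length, thresholds, resource names and sample events are all constructed for the example.

```python
"""Rolling-window "set detection" as the office action paraphrases the claims.

Added illustration for this page: not code from the application, its assignee,
or any cited reference. Rule names, thresholds and the sample events are
constructed.
"""
from collections import deque
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Event:
    ts: float        # seconds (constructed timestamps)
    resource: str    # the resource the sensor is deployed on
    kind: str        # event type as seen by the sensor
    detail: str = ""


# A predetermined rule maps a raw event to an event-set key, or None to ignore it.
Rule = Callable[[Event], Optional[str]]


def failed_login_rule(ev: Event) -> Optional[str]:
    """Group only failed logins, one event set per resource (a common event type)."""
    return f"auth_failure:{ev.resource}" if ev.kind == "auth_failure" else None


@dataclass(frozen=True)
class Alert:
    key: str
    count: int
    representative: Event   # one event standing in for the whole set
    rule_name: str          # the rule that generated the set, sent with the alert


class SetDetector:
    """Sensor side: buckets events by rule and compares set sizes with thresholds."""

    def __init__(self, rule: Rule, rule_name: str, window_s: float, threshold: int,
                 upper_threshold: Optional[int] = None,
                 fleet_threshold: Optional[int] = None) -> None:
        self.rule, self.rule_name = rule, rule_name
        self.window_s, self.threshold = window_s, threshold
        self.upper_threshold = upper_threshold   # above this the set is noise, not an attack
        self.fleet_threshold = fleet_threshold   # above this the whole fleet is bursting
        self._sets: dict[str, deque] = {}

    def observe(self, ev: Event) -> None:
        key = self.rule(ev)
        if key is not None:
            self._sets.setdefault(key, deque()).append(ev)

    def _window(self, q: deque, now: float) -> list:
        # Rolling window: drop anything at or before now - window_s.
        # `now` is assumed non-decreasing across evaluate() calls.
        while q and q[0].ts <= now - self.window_s:
            q.popleft()
        return [e for e in q if e.ts <= now]

    def evaluate(self, now: float) -> list:
        in_window = {k: self._window(q, now) for k, q in self._sets.items()}
        fleet_total = sum(len(v) for v in in_window.values())
        if self.fleet_threshold is not None and fleet_total > self.fleet_threshold:
            return []   # environment-wide burst: no per-resource threat is declared
        alerts = []
        for key, evs in in_window.items():
            n = len(evs)
            if n <= self.threshold:
                continue
            if self.upper_threshold is not None and n > self.upper_threshold:
                continue   # second, higher threshold exceeded: not a cybersecurity event
            alerts.append(Alert(key, n, evs[0], self.rule_name))
        return alerts


def mitigate(alert: Alert) -> str:
    """Backend side: choose the action from the alert and the rule that produced it."""
    resource = alert.key.rsplit(":", 1)[-1]
    action_for_rule = {"failed_login": "lock_account_and_block_source"}  # constructed mapping
    return f"{action_for_rule.get(alert.rule_name, 'isolate_workload')}:{resource}"


def sample_events() -> list:
    """Constructed sensor output: one brute-force pattern, one quiet host, one noisy client."""
    evs = [Event(100 + 20 * i, "vm-a", "auth_failure", "ssh root") for i in range(5)]
    evs += [Event(150, "vm-b", "auth_failure"), Event(160, "vm-b", "process_start", "cron"),
            Event(170, "vm-b", "auth_failure")]
    evs += [Event(300 + 0.5 * i, "vm-c", "auth_failure", "svc account") for i in range(80)]
    return sorted(evs, key=lambda e: e.ts)


def run(now: float, fleet_threshold: Optional[int] = 200) -> list:
    """Feed the sample to the sensor, evaluate at `now`, return (key, count, action)."""
    det = SetDetector(failed_login_rule, "failed_login", window_s=600, threshold=3,
                      upper_threshold=50, fleet_threshold=fleet_threshold)
    for ev in sample_events():
        det.observe(ev)
    return [(a.key, a.count, mitigate(a)) for a in det.evaluate(now)]


if __name__ == "__main__":
    print(run(400))   # vm-a exceeds 3 within the window; vm-c exceeds the upper bound
    print(run(800))   # the window has rolled past vm-a's failures
```

Evaluated at t=400 the vm-a set (5 failed logins inside the 600 s window) is the only alert; vm-c's 80 failures exceed the upper bound and are treated as a broken client rather than an attack, and at t=800 the window has rolled past vm-a. Whether an upper bound or fleet-wide suppression is a safe design choice is a separate question from patentability: an attacker who knows the ceiling can hide a brute force inside a flood, so a practitioner would route suppressed sets to a separate review queue rather than drop them.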

Prosecution Timeline

Jul 28, 2023: Application Filed
Sep 06, 2025: Non-Final Rejection (§101, §103)
Dec 10, 2025: Response Filed
Feb 27, 2026: Final Rejection (§101, §103), current

Precedent Cases

Applications granted by this same examiner with similar technology (based on the 5 most recent grants):

Patent 12603868: Endpoint Data Loss Prevention (granted Apr 14, 2026; 2y 5m to grant)
Patent 12579259: SYSTEMS AND METHODS FOR INTELLIGENT CYBERSECURITY ALERT SIMILARITY DETECTION AND CYBERSECURITY ALERT HANDLING (granted Mar 17, 2026; 2y 5m to grant)
Patent 12574374: PROVIDING ACCESS CONTROL AND IDENTITY VERIFICATION FOR COMMUNICATIONS WHEN INITIATING A COMMUNICATION TO AN ENTITY TO BE VERIFIED (granted Mar 10, 2026; 2y 5m to grant)
Patent 12561465: VIRTUAL REPRESENTATION OF INDIVIDUAL IN COMPUTING ENVIRONMENT (granted Feb 24, 2026; 2y 5m to grant)
Patent 12556553: NETWORK SECURITY AND RELATED APPARATUSES, METHODS, AND SECURITY SYSTEMS (granted Feb 17, 2026; 2y 5m to grant)


Prosecution Projections

Expected OA Rounds: 3-4
Grant Probability: 78% (99% with interview, +55.6%)
Median Time to Grant: 3y 3m
PTA Risk: Moderate
Based on 623 resolved cases by this examiner. Grant probability derived from career allow rate.
