DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Amendment
Claims 1-22 are pending in the application. No claims are currently amended. No claims have been canceled. No new claims are currently added.
Response to Arguments
With regard to Applicant’s remarks dated February 10, 2026:
Regarding the rejection of claims 1-22 under 35 U.S.C. 103, Applicant’s argument has been fully considered. Applicants argue that the cited paragraphs of Akhtar do not discuss using application or process identifiers as training data to train the model. Examiner disagrees. Akhtar teaches training a model to determine an application (e.g., an application identifier) corresponding to a particular sample of network traffic (e.g., a sample obtained from the network traffic log). The system performs feature extraction and generates a set of feature vectors for training a machine learning model (par. [0040]). Akhtar makes it clear that the particular sample of network traffic is associated with an application identifier (par. [0029]-[0030]). Therefore, the generated set of feature vectors is inherently associated with the application identifier of the sample network traffic from which the vectors were extracted. If, as suggested by Applicants, the system of Akhtar were not using application identifiers as part of the model training, there would simply be no logical way for the system of Akhtar to then perform the predicted classification (par. [0027]). Therefore, Applicant’s argument cannot be held as persuasive.
Applicants further argue that “an "application identifier" as used in Akhtar refers to identifying a type of application (e.g., a SaaS application) based on network traffic patterns (see, e.g., Akhtar et al., paragraph [0040]), which is fundamentally different from a "process ID" that identifies a specific executing process on a host computer. The claims require identifying the specific process ID of a process responsible for triggering a security alert, whereas Akhtar merely categorizes network traffic by application type without any reference to process-level identification”. Examiner disagrees. Akhtar teaches that an application identifier is an identifier that uniquely identifies the application (par. [0027]), not an identifier of a type of application, as argued. Also, Applicants have failed to explain a patentable distinction between a “process ID” and an “application ID”, where it is well known in the applicable art that when an application is executed, it initiates a process which often carries the same identifier. For example, the Windows Explorer application executes as the explorer.exe process, thus having the same identifier for all intended purposes. Therefore, Applicant’s argument cannot be held as persuasive and the rejection is maintained.
As to any arguments not specifically addressed, they are the same as those discussed above.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-3, 5-8, 11-17, and 19-22 are rejected under 35 U.S.C. 103 as being unpatentable over Johnson et al. (US 2024/0126910 A1) in view of Akhtar et al. (US 2025/0007882 A1).
As to claim 1, Johnson teaches a method, comprising:
collecting, during a time period from security agents executing on respective host computers [primary systems 102n] (Fig. 1, par. [0024]), reports of communication events, each of the communication events comprising communication activity performed by a process having a respective process identifier (ID) [event logs 104 include an event type and event attributes containing an object which can be an application accessed by an actor, where Fig. 6A shows applications identified by a name] (par. [0012], [0025]) and executing on one of the host computers [periodically obtaining event logs including a plurality of entries] (par. [0027], [0049]);
generating, from each of the collected reports, a set of features comprising characteristics of the communication activity and the respective process ID [analyzing event logs to retrieve one or more attributes associated with the event, attributes including accessed applications identified by a name] (par. [0015], [0025], [0098]);
training, by a processor, a machine learning model for identifying, based on the features of one or more of the events, the process ID of one of the processes performing the one or more of the events [machine learning model is trained based on the one or more event logs that are sorted into training data and validation data, the one or more logs identifying one or more accessed applications as objects] (par. [0099]-[0102]);
receiving, from a network management device [event analysis system 112] (Fig. 1) subsequent to the time period, an alert indicating malicious activity and referencing one or more reports of additional communication events performed by a given host computer [providing a notification of an anomalous event being detected to an external device 122] (par. [0029], [0056]);
applying the machine learning model to the one or more reports of additional communication events so as to identify, on the given host computer, a given process ID of a given process responsible for the alert [re-analyze the one or more event logs to identify the one or more other events, if any, associated with the selected user interface item, where events are associated with an object such as an application that the actor accessed or attempted to access] (Fig. 2, par. [0021], [0059], [0073]); and
initiating a protective action with respect to at least the given process executing on the given host computer [sharing evidence board with another user] (par. [0120]).
While Johnson teaches that the machine learning model is trained based on previously received event logs containing a plurality of entries (par. [0098]-[0102]), Johnson fails to expressly teach that the machine learning model is trained using, as training data, the respective process IDs collected from the security agents during the time period.
Akhtar is directed to determining an application identifier (ID) obtained from the network traffic log based at least in part on machine learning (abstract). In particular, Akhtar teaches that the machine learning model is trained using, as training data, the respective process IDs collected from the security agents during the time period [using a set of feature vectors to train a machine learning model based on training data that includes samples of network traffic for a set of applications] (par. [0040], [0047]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method and system of Johnson by having the machine learning model trained using, as training data, the respective process IDs collected from the security agents during the time period, in order to use machine learning-based application classification in determining an application identifier for policy enforcement (par. [0097] in Akhtar).
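The pipeline mapped to claim 1 above (collect agent reports of communication events, derive features, train a model whose labels are the reported process identifiers, apply the model to the events referenced by an alert, and act on the identified process) is illustrated below in a self-contained form. This is an added illustration written for this page only; it is not code from the application, from Johnson, or from Akhtar. The report format, the feature names, the categorical naive Bayes classifier, the majority vote over alerted events, and all sample events are constructed assumptions.

```python
"""Added illustration of the claim 1 pipeline (not code from the application
or the cited references). Agent reports, feature names and alert contents
below are constructed for the example."""
from collections import Counter, defaultdict
import math

# Constructed agent reports collected during the training time period. Each
# report carries the host, the process identifier (here an image name, as in
# the examiner's explorer.exe example) and the communication attributes.
TRAINING_REPORTS = [
    {"host": "h1", "pid": "chrome.exe", "domain": "example.com", "port": 443, "proto": "tcp", "sni": "example.com"},
    {"host": "h1", "pid": "chrome.exe", "domain": "example.org", "port": 443, "proto": "tcp", "sni": "example.org"},
    {"host": "h2", "pid": "chrome.exe", "domain": "news.example", "port": 80, "proto": "tcp", "sni": "-"},
    {"host": "h2", "pid": "chrome.exe", "domain": "example.net", "port": 443, "proto": "tcp", "sni": "example.net"},
    {"host": "h1", "pid": "svchost.exe", "domain": "update.example", "port": 443, "proto": "tcp", "sni": "update.example"},
    {"host": "h3", "pid": "svchost.exe", "domain": "time.example", "port": 123, "proto": "udp", "sni": "-"},
    {"host": "h3", "pid": "svchost.exe", "domain": "update.example", "port": 80, "proto": "tcp", "sni": "-"},
    {"host": "h2", "pid": "powershell.exe", "domain": "-", "port": 4444, "proto": "tcp", "sni": "-"},
    {"host": "h3", "pid": "powershell.exe", "domain": "-", "port": 8080, "proto": "tcp", "sni": "-"},
]

FEATURE_KEYS = ("domain", "port", "proto", "sni")


def extract_features(report):
    """Generate the feature set: the communication attributes plus one derived
    feature (whether the port is a standard web port). The process ID is NOT a
    feature here; it is the label the model learns to predict."""
    feats = {k: report[k] for k in FEATURE_KEYS}
    feats["web_port"] = report["port"] in (80, 443)
    return feats


class ProcessIdModel:
    """Categorical naive Bayes with Laplace smoothing: P(pid | features)."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha
        self.label_counts = Counter()                  # pid -> number of reports
        self.feature_counts = defaultdict(Counter)     # key -> Counter[(value, pid)]
        self.feature_values = defaultdict(set)         # key -> values seen in training

    def train(self, reports):
        """The reported process IDs are the training labels."""
        for r in reports:
            self.label_counts[r["pid"]] += 1
            for k, v in extract_features(r).items():
                self.feature_counts[k][(v, r["pid"])] += 1
                self.feature_values[k].add(v)

    def predict(self, features):
        """Return the most probable process ID; unseen feature values are
        handled by smoothing (the +1 in the vocabulary size)."""
        total = sum(self.label_counts.values())
        best, best_lp = None, -math.inf
        for label, n in self.label_counts.items():
            lp = math.log(n / total)
            for k, v in features.items():
                count = self.feature_counts[k][(v, label)]
                vocab = len(self.feature_values[k]) + 1
                lp += math.log((count + self.alpha) / (n + self.alpha * vocab))
            if lp > best_lp:
                best, best_lp = label, lp
        return best


def build_model():
    model = ProcessIdModel()
    model.train(TRAINING_REPORTS)
    return model


# Constructed alert from the network management device: it references reports
# of additional communication events on one host but names no process.
SAMPLE_ALERT = {
    "host": "h9",
    "events": [
        {"domain": "-", "port": 4444, "proto": "tcp", "sni": "-"},
        {"domain": "-", "port": 4444, "proto": "tcp", "sni": "-"},
        {"domain": "-", "port": 8080, "proto": "tcp", "sni": "-"},
    ],
}


def identify_process_for_alert(model, alert):
    """Apply the model to each referenced event; a majority vote over the
    per-event predictions names the process held responsible on that host."""
    votes = Counter(model.predict(extract_features(ev)) for ev in alert["events"])
    pid, _ = votes.most_common(1)[0]
    return alert["host"], pid


def protective_action(host, pid):
    """Constructed protective action: the instruction sent to the agent."""
    return {"host": host, "action": "isolate_process", "pid": pid}


def demo():
    host, pid = identify_process_for_alert(build_model(), SAMPLE_ALERT)
    return protective_action(host, pid)


if __name__ == "__main__":
    print(demo())
```

The alert events (raw IP destinations on ports 4444 and 8080 with no SNI) resemble the constructed powershell.exe training reports, so the model attributes the alert to powershell.exe on host h9 even though that host never appeared in training, which is the point of learning from process identifiers across hosts rather than keying on a per-host lookup.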
As to claim 2, Johnson teaches that the network management device comprises a firewall (par. [0025]).
As to claim 3, Johnson teaches that generating a given feature comprises extracting a given feature from a given collected report (par. [0012], [0025]).
As to claim 5, Johnson teaches that generating a given feature comprises computing the given feature based on one or more of the extracted features [processing attributes as part of analyzing the event logs] (par. [0098]).
As to claim 6, Johnson teaches that a given feature comprises a domain [location from which the event occurred] (par. [0012]). It is noted that this is non-functional descriptive material.
As to claim 7, Johnson teaches that a given feature comprises an Internet Protocol (IP) address (par. [0012]). It is noted that this is non-functional descriptive material.
As to claim 8, Johnson teaches that a given feature indicates whether or not the IP address comprises an Autonomous System Number (ASN) (par. [0012], Fig. 6D). It is noted that this is non-functional descriptive material.
As to claim 11, Johnson teaches that a given feature comprises a Server Name Indication (SNI) hostname (Fig. 7A). It is noted that this is non-functional descriptive material.
As to claim 12, Johnson teaches that a given feature comprises the given process identifier [name of the application] (Fig. 6N). It is noted that this is non-functional descriptive material.
As to claim 13, Johnson teaches that a given feature comprises a logical port number (Fig. 7A). It is noted that this is non-functional descriptive material.
As to claim 14, Johnson teaches that a given feature comprises the process ID [name of the application] (Fig. 6N). It is noted that this is non-functional descriptive material.
As to claim 15, Johnson teaches that a given feature comprises one or more network protocols used in the communication activity (Fig. 7A). It is noted that this is non-functional descriptive material.
As to claim 16, Johnson teaches that applying the machine learning model comprises generating additional features from the one or more additional communication events, and applying the machine learning model to the additional features [re-analyze one or more event logs to identify one or more additional events based on different GUI selection by the user] (par. [0078]-[0080]).
As to claim 17, Johnson teaches that the host computers comprise first host computers, and wherein the given host computer comprises an additional host computer different from any of the first host computers (Fig. 1).
As to claim 19, Johnson teaches that initiating the protective action with respect to a given process comprises presenting, on a display, details of the given process (Fig. 6F, 7A).
As to claim 20, Johnson teaches that receiving the alert comprises receiving a given report for a specific communication event (Fig. 6F, 7A).
As to claim 21, Johnson in view of Akhtar teaches an apparatus, comprising: a memory configured to store a model; and a processor (par. [0128] in Johnson) configured to perform the method steps, as discussed per claim 1 above.
As to claim 22, Johnson in view of Akhtar teaches a computer software product for protecting a computing device, which includes a processor and a memory and is coupled to a storage device storing a set of one or more files, the computer software product comprising a non-transitory computer-readable medium, in which program instructions are stored, which instructions, when read by a computer (par. [0128] in Johnson), cause the computer to perform the method steps, as discussed per claim 1 above.
Claim 4 is rejected under 35 U.S.C. 103 as being unpatentable over Johnson et al. in view of Akhtar et al. and in further view of Shachar et al. (US 2024/0380766 A1).
As to claim 4, Johnson in view of Akhtar teaches all the elements except that generating a given feature comprises normalizing the extracted given feature.
Shachar is directed to early detection of malicious behavior (abstract). In particular, Shachar teaches that generating a given feature comprises normalizing the extracted given feature (par. [0062]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method and system of Johnson in view of Akhtar by having generating a given feature comprise normalizing the extracted given feature in order to ensure that the numerical features are on the same scale (par. [0062] in Shachar).
Claims 9-10 are rejected under 35 U.S.C. 103 as being unpatentable over Johnson et al. in view of Akhtar et al. and in further view of Jayamohan et al. (US 2022/0086178 A1).
As to claims 9 and 10, Johnson in view of Akhtar teaches all the elements except that a given feature comprises a JA3/JA3S fingerprint. It is noted that this is non-functional descriptive material.
Jayamohan is directed to efficient monitoring of network activity (abstract). In particular, Jayamohan teaches that a given feature comprises a JA3/JA3S fingerprint [SSL fingerprints] (par. [0018]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method and system of Johnson in view of Akhtar by having a given feature comprise a JA3/JA3S fingerprint in order to identify suspicious data packets in real-time or shortly thereafter (par. [0018] in Jayamohan).
Claim 18 is rejected under 35 U.S.C. 103 as being unpatentable over Johnson et al. in view of Akhtar et al. and in further view of Genc et al. (US 2021/0264028 A1).
As to claim 18, Johnson in view of Akhtar teaches all the elements except that initiating the protective action with respect to a given process comprises isolating the given process.
Genc is directed to preventing ransomware attacks on computing systems (abstract). In particular, Genc teaches that initiating the protective action with respect to a given process comprises isolating the given process (par. [0009]-[0013]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method and system of Johnson in view of Akhtar by having initiating the protective action with respect to a given process comprise isolating the given process, in order to stop or prevent further harm (par. [0012] in Genc).
Conclusion
THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to OLEG SURVILLO whose telephone number is (571)272-9691. The examiner can normally be reached 9:00am - 5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ario Etienne can be reached at 571-272-4001. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/OLEG SURVILLO/Primary Examiner, Art Unit 2457