DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 11/04/2023 and 05/20/2024 and 01/28/2025 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 25-40 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.
Applying the subject matter eligibility test, as outlined in MPEP 2106:
Step 1: Statutory Category
The claims fall within a statutory category. Claims 25-40 are considered “machines” based claims. Machines are members of the statutory categories. Thus, the analysis moves towards step 2A, prong one of the subject matter eligibility test.
Step 2A, Prong One: Judicial Exception
The claims recite a judicial exception, specifically an abstract idea. For example, claims 25 and 33 recite classifying an event, determining if the classified event is an attack word (e.g. ignoring the event or adding the event to an attack graph based on the determination) and classifying the attack graph and determining if the attack graph is a valid attack sentence (e.g. ignoring or committing the event based on the determination). Such processes are akin to a mental process or methods of organizing human activity, which have been recognized as abstract ideas. Thus, the analysis moves towards step 2A, prong two.
Step 2A, Prong Two: Integration into a Practical Application
The claims do not integrate the abstract idea into a practical application. The additional elements, such as a processor, memory, blocking or terminating a malware process tree do not impose any meaningful limits on the abstract idea because it does not impose any meaningful limits on practicing the abstract idea. For example. For the blocking or terminating step, 1) it is simply a manipulation of the attack graph (“a malware process tree” is interpreted as a graph without definition in the claim) which can be performed by a human; 2) the step is conditionally performed. Thus, the analysis moves towards step 2B.
Step 2B: Inventive concept
Finally, the claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional element of “a processor, memory, blocking or terminating a malware process tree amounts to no more than mere instructions to apply the exception using a generic computer component. Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept. Because none of these recitations describe a fundamental improvement to computer technology itself, the claim is “directed to” an abstract idea.
Claims 26-32 and 34-40 merely add details to the generic off-shelf components that were already disclosed in claims 25 and 33, but do not alter the outcome of the analysis above.
Claims 33-40 are further rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.
Claim 33 recites " computer-readable storage medium" which, given the broadest reasonable claim interpretation (no definition in the specification), covers forms of non-transitory tangible media and may include transitory propagating signals per se. Since certain signals or carrier waves may be used to store multiple instructions and the specification includes "any other medium which can be used to store the desired information" with regards to the definition of the term "computer storage media" the claim is rejected as ineligible subject matter under 35 U.S.C. § 101.
Dependent claims 34-40 are also rejected for being directed to a non-statutory subject matter.
Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.
The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.
Claims 25-40 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.
Specifically, while the claim recites "malware process tree”, the specification lacks a detailed description of the term. It’s also unclear how the is related to the attack graph. As established in Ariad Pharms., Inc. v. Eli Lilly & Co., 598 F.3d 1336, 1351, 94 USPQ2d 1161,5 1172 (Fed. Cir. 2010), the specification must convey with reasonable clarity to those skilled in the art that the inventor had possession of the claimed invention. Merely using the term without further elaboration, does not satisfy this requirement.
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.
Claim 25-40 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant regards as the invention.
Regarding claim 25, Key limitations "malware process tree" is presented purely as functional labels with no objective boundaries, leaving readers unable to determine where infringement begins or ends. Every operative verb (classifying, determining) is recited only by its desired outcome. Because a person having ordinary skill in the art could not ascertain the claim scope with reasonable certainty, the claims are indefinite under 35 U.S.C § 112(b).
Claim 25 is further rejected because it recites “if the event is not ignored, blocking or terminating a malware process tree” conditional statement. Examiner submits that “if” statement does not positively claim the subject matter and renders parts of the claims optional or indefinite.
Independent 33 is also rejected for the same rational as claim 25.
Dependent claims 26-32, 34-40 are also rejected for inheriting the deficiencies of the independent claims from which they depend on.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 25-28, 32-36 and 40 are rejected under 35 U.S.C. 103 as being unpatentable over Shen (US 2018/0212986) in view of Yu et al. (WO 2021/258479, hereinafter Yu) and Li et al. (US 2021/0064751, hereinafter Li).
Regarding claim 25: Shen teaches: A system for classifying an event for an anti-malware behavioral graph engine comprising:
a memory; a processor in operable communication with the memory (Shen - Fig. 4), the processor operable to provide instructions and data and perform steps which include providing behavioral information by
classifying an event (Shen - [0073]: the above to-be-detected character strings refer to such network transmission data as HTTP request message);
determining if the classified event is an attack word, if the classified event is not an attack word, ignoring the event (Shen - [0073]: Based on such methods as semantic and character recognition, the words contained therein can be obtained by performing word segmentation on the to-be-detected character strings. [0078]: determining whether, in a pre-obtained attack model database, there are model tuples corresponding to the determined tuples, and whether there are model words corresponding to the first one of the obtained words. if there are, then executing operation 104, otherwise, finishing),
However, Shen doesn’t explicitly teach, but Yu discloses: wherein if the classified event is an attack word provisionally adding the event to an attack graph (Yu - [Page 2, Line 16-17]: A vector graph generating module, configured to convert the character labels in the label graph into word vectors, respectively, to generate a vector graph containing the word vectors);
classifying the attack graph; determining if the attack graph is a valid attack sentence (Yu - [Page 2, Line 45-46]: The constructed label map trains a classification model to detect traffic with network attack behaviors through the classification model obtained through training),
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Shen with Yu so that a vector graph containing word vector is generated and the graph classification is used to detect the attack. The modification would have allowed the system to enhance security.
However, the combination of Shen and Yu doesn’t explicitly teach, but Li discloses: wherein if the attack graph is not an attack sentence, ignoring the event and if the attack graph is an attack sentence, committing the event to the attack graph; and if the event is not ignored, blocking or terminating a malware process tree (Li - [0087]: the process related to a causal path or provenance graph containing one or more detected malicious activities or actions can be terminated to protect the computer system from infection).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Shen with Yu and Li so that detected malicious activities are terminated. The modification would have allowed the system to protect the computer system from infection.
Regarding claim 26: Shen as modified teaches: further comprising: checking the event against at least one classification engine (Yu - [Page 4, Line 44]: after the training of the classification model is completed, the classification model can be used to detect network attack behaviors).
The reason to combine is in the same rational as claim 25.
Regarding claim 27: Shen as modified teaches: wherein the at least one classification engine includes one or more bespoke attack words (Shen - [0030]: to perfrom word segmentation for the to-be-detected character string and to obtain words contained in the to-be-detected character string).
Regarding claim 28: Shen as modified teaches: further comprising:
applying a malware model; and recognizing non-trivial events (Shen - [0050]: if the attack probability is larger than or equal to a preset probability threshold, to determine that the to-be-detected character string is a character string having an attack behavior).
Regarding claim 32: Shen as modified teaches: further comprising:
temporally ordering a sequence of events (Shen - [0077]: there are three words of A, B and C in sequence obtained after word segmentation on the to-be-detected character string S).
Regarding claims 33-36 and 40: Claims are directed to computer readable medium claims and do not teach or further define over the limitations recited in claims 25-28 and 32. Therefore, claims 33-36 and 40 are also rejected for similar reasons set forth in claims 25-28 and 32. Furthermore, Shen in para. [0138] discloses a storage medium.
Claims 29-30 and 37-38 are rejected under 35 U.S.C. 103 as being unpatentable over Shen (US 2018/0212986) in view of Yu et al. (WO 2021/258479, hereinafter Yu) and Li et al. (US 2021/0064751, hereinafter Li) and Parker (US 2019/0020667).
Regarding claims 29 and 37: Shen as modified doesn’t explicitly teach but Parker discloses further comprising:
performing a feed check against one or more threat intelligence feeds (Parker - [0039]: Threat intelligence feeds are constantly updating streams of indicators or artifacts derived from a source outside the organization. The real-time nature of threat intelligence feeds is important because when integrated with threat intelligence platforms or security information and event management (SIEM) platforms it enables the automatic comparison of feed entries with internal telemetry such as firewall and DNS logs to identify potential attacks)
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Shen and Yu and Li with Parker so that real time threat intelligence feeds are examined for potential attack. The modification would have allowed the system to be more secure.
Regarding claims 30 and 38: Shen as modified discloses further wherein the feed check performed against the threat intelligence feed is performed real-time (Parker - [0039]: The real-time nature of threat intelligence feeds is important because when integrated with threat intelligence platforms or security information and event management (SIEM) platforms it enables the automatic comparison of feed entries with internal telemetry such as firewall and DNS logs to identify potential attacks).
The reason to combine is in the same rational as claim 29 and 37.
Claims 31 and 39 are rejected under 35 U.S.C. 103 as being unpatentable over Shen (US 2018/0212986) in view of Yu et al. (WO 2021/258479, hereinafter Yu) and Li et al. (US 2021/0064751, hereinafter Li) and Wu et al. (US 2020/0125727, hereinafter Wu).
Regarding claims 31 and 39: Shen as modified doesn’t explicitly teach but Wu discloses further comprising:
performing a flagged check against one or more user flagged attack vectors (Wu - [0069]: the malware detection engine is configured to detect future instances of the malware entity based on the outputted label).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Shen and Yu and Li with Wu so that malware detection is based on outputted labels. The modification would have allowed the system to detect malware with provided labels.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Sulatycki et al. US 2021/0357507 teaches an API framework, fully distributed and scalable, is used to access the attack-tree modeling based on attack trees, or decision trees, to emulate attacker behavior and decisions taken during an attack
Yu et al. US 2022/0050895 teaches a method further includes performing, by a processor device, intrusion detection responsive to a provenance graph with program contexts. The provenance graph has nodes formed from the user functions that trigger the low-level system calls in the system-call trace
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MENG LI whose telephone number is (571)272-8729. The examiner can normally be reached M-F 8:30-5:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Alexander Lagor can be reached on (571) 270-5143. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/MENG LI/
Primary Examiner, Art Unit 2437