Prosecution Insights
Last updated: April 19, 2026
Application No. 18/395,963

ALERT CLUSTER ANALYSIS APPARATUS, METHOD, AND COMPUTER PROGRAM PRODUCT

Non-Final OA: §101, §102, §103
Filed: Dec 26, 2023
Examiner: SHAFAYET, MOHAMMED
Art Unit: 2116
Tech Center: 2100 — Computer Architecture & Software
Assignee: Atlassian Inc.
OA Round: 1 (Non-Final)
Grant Probability: 76% (Favorable)
OA Rounds: 1-2
To Grant: 2y 11m
With Interview: 99%

Examiner Intelligence

Grants 76% — above average
Career Allow Rate: 76% (194 granted / 256 resolved), +20.8% vs TC avg
Interview Lift: +36.9% (strong +37% interview lift; resolved cases with interview)
Typical timeline: 2y 11m avg prosecution; 35 currently pending
Career history: 291 total applications across all art units

Statute-Specific Performance

§101: 3.9% (-36.1% vs TC avg)
§103: 52.8% (+12.8% vs TC avg)
§102: 13.6% (-26.4% vs TC avg)
§112: 26.4% (-13.6% vs TC avg)
Based on career data from 256 resolved cases

Office Action

§101 §102 §103
DETAILED ACTION

Notice of AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. Claims 1-20 are pending and are rejected.

Drawings

Drawings filed on 02/27/2024 are acceptable for the examination purpose.

Claim Rejections - 35 USC § 101

35 U.S.C. 101 reads as follows: Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claimed invention is directed to abstract idea without significantly more: Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.

Step 1: Claims 1-20 fall within one of the four statutory categories (i.e., process, machine, manufacture, or composition of matter).

Step 2A: The claims 1-20 fall within the judicial exception of an abstract idea. Specifically, Mental Processes such that concepts performed in the human mind or with pen and paper including observation, evaluation, judgment, calculation, determination, and presentation (MPEP 2106.04(a)(2)(III)); and Mathematical Concepts such as mathematical formulas or equations, or mathematical calculations (MPEP 2106.04(A)(a)(I)).

Step 2A – Prong 1:

Claims 1, 9 and 17. access/accessing an alert set associated with one or more service events; …extract alert features from the alert set; …group alerts of the alert set into one or more alert clusters based at least in part on the alert features; determine/determining an alert significance score for each of the one or more alert clusters; compare/comparing the alert significance score for each of the one or more alert clusters to an alert insignificance threshold; These limitations describe extraction, grouping, determination, and comparing data.
These limitations given its broadest reasonable interpretation in light of the specification is a mental process since this is a concept that can be performed in the human mind and is an analysis, evaluation, judgement and determination.

Claims 3, 11 and 19. wherein determining the alert significance score for each of the one or more alert clusters comprises determining an incident linkage status for each alert of the one or more alert clusters. These limitations given its broadest reasonable interpretation in light of the specification is a mental process since this is a concept that can be performed in the human mind and is an analysis, evaluation, and determination.

Claims 4, 12 and 20. wherein determining the alert significance score for each of the one or more alert clusters comprises determining a significant action status for each alert of the one or more alert clusters. These limitations given its broadest reasonable interpretation in light of the specification is a mental process since this is a concept that can be performed in the human mind and is an analysis, evaluation, and determination.

Claims 5 and 13. determine/determining if the selected alert cluster of the one or more alert clusters is associated with an increasing alert volume status or a decreasing alert volume status; and These limitations given its broadest reasonable interpretation in light of the specification is a mental process since this is a concept that can be performed in the human mind and is an analysis, evaluation, and determination.

Claim 6 and 14. wherein determining an alert significance score for each of the one or more alert clusters comprises determining a ratio between significant alerts and insignificant alerts of the one or more alert clusters.
These limitations given its broadest reasonable interpretation in light of the specification is a mental process since this is a concept that can be performed in the human mind and is an analysis, evaluation, and determination, and Mathematical Concepts such as mathematical calculation.

Claim 7 and 15. wherein determining an alert significance score for each of the one or more alert clusters comprises applying at least one of a linear discriminant analysis model, a support vector machine model, or a neural network model to alert features of the one or more alert clusters. These limitations given its broadest reasonable interpretation in light of the specification is a mental process since this is a concept that can be performed in the human mind and is an analysis, evaluation, and determination, and Mathematical Concepts such as mathematical calculation using a model.

Claims 8 and 16. access/accessing one or more alert policy change instructions generated based on user engagement with the alert policy change recommendation interface; and These limitations given its broadest reasonable interpretation in light of the specification is a mental process since this is a concept that can be performed in the human mind and is an analysis, evaluation, and determination.

As described above, these limitations describe Mental Process that can be performed in the human mind, or by a human using a pen and paper (Please see MPEP 2106.04(a)(2), III.), and Mathematical Concepts such that mathematical relationships, and mathematical calculations etc. (Please see MPEP 2106.04(a)(2), I.).

Step 2A – Prong 2 and Step 2B: This judicial exception is not integrated into a practical application because the additional elements such as one or more processors, one or more memories, alert manager device, user device display of the alert manager device, alert policy change recommendation interface that are mere instructions to implement an abstract idea on a general purpose computer (apply it; corresponding structure disclosed in the specification is a general purpose computer implementing the claimed functions characterized as abstract ideas above. See MPEP 2106.05(a)). The claim limitations are implemented on these generic elements such that the following are merely applying the abstract idea on a generic computer: accessing, determining, grouping etc.

The claims further recite:

Claim(s) 1: An alert cluster analysis apparatus comprising one or more processors and one or more memories storing instructions that are operable, when executed by the one or more processors, to cause the alert cluster analysis apparatus to:… apply a feature extraction model… apply an alert clustering model to…

Claim(s) 5: wherein the one or more processors and one or more memories storing instructions are further operable, when executed by the one or more processors, to cause the alert cluster analysis apparatus to:…

Claim(s) 7 and 15: applying at least one of a linear discriminant analysis model, a support vector machine model, or a neural network model to alert features of the one or more alert clusters.

Claim(s) 8: wherein the one or more processors and one or more memories storing instructions are further operable, when executed by the one or more processors, to cause the alert cluster analysis apparatus to:...

Claim(s) 9: A computer-implemented method comprising:...
applying a feature extraction model… applying an alert clustering model…

Claim(s) 17: A computer program product, stored on a computer readable medium, comprising instructions that when executed by one or more computers cause the one or more computers to:… apply a feature extraction model that is configured to… apply an alert clustering model to group alerts…

The limitations as described above is generally linking the use of a judicial exception to a particular technological environment or field of use (MPEP 2106.05(h)) (in the field of providing application data for an agricultural field). Further, the limitations, applying feature extraction model, alert clustering model, linear discriminant analysis model, support vector machine model, or neural network model to alert features of the one or more alert clusters is generally linking the use of neural network model and other models in the field of alert management in software management platform.

The claims recite the additional elements:

Claim(s) 1, 9 and 17: in a circumstance where an alert significance score for a selected alert cluster of the one or more alert clusters satisfies the alert insignificance threshold, output/outputting an alert policy change data object to an alert manager device.

Claim(s) 2, 10 and 18: wherein the alert policy change data object is configured to cause rendering of an alert policy change recommendation interface to a user device display of the alert manager device.

Claim(s) 5 and 13: output/outputting the alert policy change data object to the alert manager device only in circumstances where the selected alert cluster is associated with the increasing alert volume status and where the selected alert cluster satisfies the alert insignificance threshold.

Claim(s) 8 and 16: access/accessing one or more alert policy change instructions generated based on user engagement with the alert policy change recommendation interface; and store/storing one or more alert policy configuration changes to an alert policy database based on the one or more alert policy change instructions.

These additional elements are recited at a high level of generality and as a form of insignificant extra solution activity recognized by court as well-understood, routine, conventional activity. The claims recite these additional elements as described above that are recited at a high level of generality and amounts to mere data gathering and outputting which is a form of insignificant extra solution activity (MPEP 2106.05(g)). Further, the use of the claimed invention in the field of alert management in software management platform is simply an attempt to limit the use of the abstract idea to a particular technological environment. Accordingly, these additional elements do not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. Therefore, the claims are directed to an abstract idea. Even when combined with all of the claim limitations as a whole, it is still directed to the abstract idea of mental process. Therefore, the claims are not patent eligible.

Dependent claim(s) when analyzed as a whole are held to be patent ineligible under 35 U.S.C. 101 because the additional recited limitation(s) fail(s) to establish that the claim(s) is/are not directed to an abstract idea, as they recite further embellishment of the judicial exception. Viewed as a whole, these additional claim element(s) do not provide meaningful limitation(s) to transform the abstract idea into a patent eligible application of the abstract idea such that the claim(s) amounts to significantly more than the abstract idea itself.
Claims 1-20 do not include any further additional elements that are sufficient to amount to significantly more than the judicial exception. Therefore, the claim(s) 1-20 are rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter.

Subject matter of claim(s) are directed to transitory form of computer-readable storage medium: Claim 17 is rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.

Regarding claim 17: The claim(s) does not fall within at least one of the four categories of patent eligible subject matter, because the subject matter of claim are directed to transitory form of computer-readable storage medium. Non-limiting examples of claims that are not directed to any of the statutory categories include: Transitory forms of signal transmission (often referred to as "signals per se"), such as a propagating electrical or electromagnetic signal or carrier wave; Claim recites “A computer program product, stored on a computer readable medium” such that the subject matter of claim 15 are directed to transitory form of computer-readable storage medium. A transitory, propagating signal does not fall within any statutory category. Mentor Graphics Corp. v. EVE-USA, Inc., 851 F.3d 1275, 1294, 112 USPQ2d 1120, 1133 (Fed. Cir. 2017); Nuijten, 500 F.3d at 1356-1357, 84 USPQ2d at 1501-03.

Applicant’s specification ¶50 describes, However, it will be appreciated that where embodiments are described to use computer-readable storage medium, other types of computer-readable mediums can be substituted for or used in addition to the computer-readable storage medium in alternative embodiments. Thus, according to the specification, other types of computer-readable mediums can be substituted such that in broadest reasonable interpretation it may include transitory form of computer-readable storage medium.
Therefore, claim(s) does not fall within at least one of the four categories of patent eligible subject matter. For the same reasons, based on their dependencies on claim 17, the dependent claims 18-20 also do not fall within at least one of the four categories of patent eligible subject matter.

Claim Interpretation

It is noted that, at this time, claim 2 is not examined under the claim interpretation 35 USC § 112(f) and therefore the 35 USC §101 rejections are applied. See the 35 USC §101 rejections as applied above.

Claim Rejections - 35 USC § 102

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:

A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.

Claim(s) 1-4, 7-12, 15-20 is/are rejected under 35 U.S.C. 102(a)(1)/102(a)(2) as being anticipated by Patrich et al. (US20180351783A1) [hereinafter Patrich].

Regarding claim 1: Patrich discloses,

An alert cluster analysis apparatus comprising one or more processors and one or more memories storing instructions that are operable, when executed by the one or more processors, to cause the alert cluster analysis apparatus to: [¶4: Methods, systems, and computer program products are provided for evaluating a chain of alerts. ¶95: implemented as computer program code/instructions configured to be executed in one or more processors and stored in a computer readable storage medium];

access an alert set associated with one or more service events; [¶58: Flowchart 400 commences at step 402. At step 404, alerts are received. In an embodiment, alerts are obtained from any of servers 112A-112N and/or computing device(s) 140. ¶45: alerts 120A-120N include any security alerts that are perceived as unauthorized or illegitimate attempts to access servers 112A-112N, network 100, or any other device connected to network 110. Alerts 120A-120N may also include comprise one or more alert(s) resulting from Internet noise that any of servers 112A-112N or computing device(s) 140 view as a potential threat.];

apply a feature extraction model that is configured to extract alert features from the alert set; apply an alert clustering model to group alerts of the alert set into one or more alert clusters based at least in part on the alert features; [¶59: step 406, alerts are grouped into sets based on a predetermined relationship…generator 312 groups alerts contained within alert log 301 into a plurality of alert sets comprising one or more alerts based on a predetermined relationship between the alerts…groups alerts contained within alert log 301 based on a timing relationship between the alerts…group together alerts in alert log 301 that commonly occur together at the same time, or nearly the same time…group alerts into a set that occur within a predetermined time interval…create a set of alerts containing alerts in a sequence of alerts that begins with a first alert and continues until a predetermined length of time passes during which no further alerts are received…group together alerts in alert log 301 using contextual information (e.g., username, process name, IP address, etc.) included in alert log 301…group together alerts in alert log 301 using any number of predetermined criteria, including but not limited to temporal and/or contextual information contained within alert log 301.];

determine an alert significance score for each of the one or more alert clusters; [¶60: In step 408, for each set of alerts, a score is determined that represents a statistical likelihood of correlation between the alerts….Score determiner 322 determines a plurality of scores for the alert sets generated by alert set generator 312. Score determiner 322 may use any suitable technique for generating the score representing statistical likelihood, such as a lift score, a correlation function, etc.];

compare the alert significance score for each of the one or more alert clusters to an alert insignificance threshold; and [¶68: In step 414,…if chain of alerts 305 contained alerts [A, B, C], alert chain searcher 314 may analyze model 332 to determine if the set of alerts [A, B, C] is present (and having an associated score). If chain of alerts 305 has a match in model 332, operation proceeds from step 414 to step 416.... ¶69: In step 416,…once chain of alerts 305 (or a sub-chain of alerts thereof) is located in model 332, score analyzer 324 determines whether the corresponding score in model 332 meets a predetermined criteria (e.g., has a relationship with a threshold value, a value range, etc.)…score analyzer 324 determines whether the corresponding score is above a threshold value.];

in a circumstance where an alert significance score for a selected alert cluster of the one or more alert clusters satisfies the alert insignificance threshold, output an alert policy change data object to an alert manager device.
[¶69: In step 416,…score analyzer 324 determines whether the corresponding score in model 332 meets a predetermined criteria (e.g., has a relationship with a threshold value, a value range, etc.)…if a score for a chain of alerts is above a threshold value, score analyzer 324 may decide that the chain of alerts indicates an actual threat to network 110 or one of the devices connected to network 110. If the score is below the threshold value, operation proceeds to the iterative loop at step 420, described below, whereby one alert is removed and the extracted sub-chains of alerts are analyzed. ¶71: if score analyzer 324 determines the score meets the predetermined criteria, operation proceeds from step 416 to step 418. If score analyzer 324 determines the score does not meet the predetermined criteria, operation proceeds from step 416 to step 420. ¶72: In step 418 of FIG. 4, if the score meets a predetermined criteria, an indication is provided to an administrator…if score analyzer 324 determines that a score corresponding to chain of alerts 305 (or a sub-chain of alerts) meets the predetermined criteria, user interface 334 provides a notification to a system administrator of the validated incident. The notification may be provided at a computing device of computing device(s) 140, or transmitted to a different computing device,].

Regarding claim 2: Patrich discloses, The alert cluster analysis apparatus of claim 1, and Patrich further discloses, wherein the alert policy change data object is configured to cause rendering of an alert policy change recommendation interface to a user device display of the alert manager device. [¶72: In step 418 of FIG. 4, if the score meets a predetermined criteria, an indication is provided to an administrator…if score analyzer 324 determines that a score corresponding to chain of alerts 305 (or a sub-chain of alerts) meets the predetermined criteria, user interface 334 provides a notification to a system administrator of the validated incident. The notification may be provided at a computing device of computing device(s) 140, or transmitted to a different computing device…may provide a notification for play or display to a system administrator (or other user) via user interface 334…User interface 334 may be any one of a graphical user interface, audio interface, haptic interface, or any other interface a user may access and/or monitor.].

Regarding claim 3: Patrich discloses, The alert cluster analysis apparatus of claim 1, and Patrich further discloses, wherein determining the alert significance score for each of the one or more alert clusters comprises determining an incident linkage status for each alert of the one or more alert clusters. [¶60: In step 408, for each set of alerts, a score is determined that represents a statistical likelihood of correlation between the alerts…score determiner 322 determines, for each set of alerts, the likelihood that one alert in the set of alerts is correlated to another alert in the same set…calculates a score representing a statistical likelihood that at least one alert in the set of alerts is correlated to at least one other alert in the set…the determined score may represent how unlikely the alerts in the group of alerts occurred by chance or coincidence…determines a plurality of scores for the alert sets generated by alert set generator 312. Score determiner 322 may use any suitable technique for generating the score representing statistical likelihood, such as a lift score, a correlation function, etc.].

Regarding claim 4: Patrich discloses, The alert cluster analysis apparatus of claim 1, and Patrich further discloses, wherein determining the alert significance score for each of the one or more alert clusters comprises determining a significant action status for each alert of the one or more alert clusters. [¶61: score determiner 322 may extract each combination of unique associations between alerts contained with each alert set…score determiner 322 may extract combinations [A→B, C], [B→A, C], [C→A, B], [A, B→C], [A, C→B], [B, C→A]. For example, the combination [A→B, C] may represent the likelihood that alert [A] is correlated to the occurrence of alert [B] and alert [C]…score determiner 322 determines a score for each association rule extracted. The maximum score determined by score determiner 322 across the combination of unique associations for a particular set of alerts may be assigned by score determiner 322 as the score for the particular set of alerts.].

Regarding claim 7: Patrich discloses, The alert cluster analysis apparatus of claim 1, and Patrich further discloses, wherein determining an alert significance score for each of the one or more alert clusters comprises applying at least one of a linear discriminant analysis model, a support vector machine model, or a neural network model to alert features of the one or more alert clusters. [Examiner notes that claim requires only one of the elements separated by “or” and therefore only one of them is given the patentable weight. Patrich discloses the limitation, applying a linear discriminant analysis model as described below, ¶66: the model may be used to evaluate further received alerts to determine related alerts for grouping into incidents. ¶60: In step 408, for each set of alerts, a score is determined that represents a statistical likelihood of correlation between the alerts….Score determiner 322 determines a plurality of scores for the alert sets generated by alert set generator 312.
Score determiner 322 may use any suitable technique for generating the score representing statistical likelihood, such as a lift score, a correlation function, etc. ¶69: In step 416, if the chain of alerts (or any sub-chain of alerts extracted in step 422) corresponds to a score in the model, it is determined whether the score meets a predetermined criteria. In an embodiment, with respect to FIG. 3, once chain of alerts 305 (or a sub-chain of alerts thereof) is located in model 332, score analyzer 324 determines whether the corresponding score in model 332 meets a predetermined criteria (e.g., has a relationship with a threshold value, a value range, etc.).].

Regarding claim 8: Patrich discloses, The alert cluster analysis apparatus of claim 2, and Patrich further discloses, wherein the one or more processors and one or more memories storing instructions are further operable, when executed by the one or more processors, to cause the alert cluster analysis apparatus to: access one or more alert policy change instructions generated based on user engagement with the alert policy change recommendation interface; and store one or more alert policy configuration changes to an alert policy database based on the one or more alert policy change instructions. [¶32: take into consideration additional information accompanying the alerts, and adjust a score accordingly based on such additional information. In one embodiment, a system administrator may manually set rules identifying alerts or types of alerts that are related. In such an instance, a score calculation may take these additional rules into account prior to storing the score in the model… ¶65: a system administrator may manually set rules identifying alerts or types of alerts that are correlated or indicative of an attack on device or network.
In such an instance, score determiner 322 may take the manual rules or contextual information into account prior to storing the score (e.g., by scaling the score accordingly) in the model… [¶72: user interface 334 provides a notification to a system administrator of the validated incident…User interface 334 may be any one of a graphical user interface, audio interface, haptic interface, or any other interface a user may access and/or monitor.].

Regarding claim 9: Patrich discloses,

A computer-implemented method comprising: [¶4: Methods, systems, and computer program products are provided for evaluating a chain of alerts.];

accessing an alert set associated with one or more service events; [¶58: Flowchart 400 commences at step 402. At step 404, alerts are received. In an embodiment, alerts are obtained from any of servers 112A-112N and/or computing device(s) 140. ¶45: alerts 120A-120N include any security alerts that are perceived as unauthorized or illegitimate attempts to access servers 112A-112N, network 100, or any other device connected to network 110.
Alerts 120A-120N may also include comprise one or more alert(s) resulting from Internet noise that any of servers 112A-112N or computing device(s) 140 view as a potential threat.];

applying a feature extraction model that is configured to extract alert features from the alert set; applying an alert clustering model to group alerts of the alert set into one or more alert clusters based at least in part on the alert features; [¶59: step 406, alerts are grouped into sets based on a predetermined relationship…generator 312 groups alerts contained within alert log 301 into a plurality of alert sets comprising one or more alerts based on a predetermined relationship between the alerts…groups alerts contained within alert log 301 based on a timing relationship between the alerts…group together alerts in alert log 301 that commonly occur together at the same time, or nearly the same time…group alerts into a set that occur within a predetermined time interval…create a set of alerts containing alerts in a sequence of alerts that begins with a first alert and continues until a predetermined length of time passes during which no further alerts are received…group together alerts in alert log 301 using contextual information (e.g., username, process name, IP address, etc.) included in alert log 301…group together alerts in alert log 301 using any number of predetermined criteria, including but not limited to temporal and/or contextual information contained within alert log 301.];

determining an alert significance score for each of the one or more alert clusters; [¶60: In step 408, for each set of alerts, a score is determined that represents a statistical likelihood of correlation between the alerts….Score determiner 322 determines a plurality of scores for the alert sets generated by alert set generator 312.
Score determiner 322 may use any suitable technique for generating the score representing statistical likelihood, such as a lift score, a correlation function, etc.];

comparing the alert significance score for each of the one or more alert clusters to an alert insignificance threshold; and [¶68: In step 414,…if chain of alerts 305 contained alerts [A, B, C], alert chain searcher 314 may analyze model 332 to determine if the set of alerts [A, B, C] is present (and having an associated score). If chain of alerts 305 has a match in model 332, operation proceeds from step 414 to step 416.... ¶69: In step 416,…once chain of alerts 305 (or a sub-chain of alerts thereof) is located in model 332, score analyzer 324 determines whether the corresponding score in model 332 meets a predetermined criteria (e.g., has a relationship with a threshold value, a value range, etc.)…score analyzer 324 determines whether the corresponding score is above a threshold value.];

in a circumstance where an alert significance score for a selected alert cluster of the one or more alert clusters satisfies the alert insignificance threshold, outputting an alert policy change data object to an alert manager device. [¶69: In step 416,…score analyzer 324 determines whether the corresponding score in model 332 meets a predetermined criteria (e.g., has a relationship with a threshold value, a value range, etc.)…if a score for a chain of alerts is above a threshold value, score analyzer 324 may decide that the chain of alerts indicates an actual threat to network 110 or one of the devices connected to network 110. If the score is below the threshold value, operation proceeds to the iterative loop at step 420, described below, whereby one alert is removed and the extracted sub-chains of alerts are analyzed. ¶71: if score analyzer 324 determines the score meets the predetermined criteria, operation proceeds from step 416 to step 418.
If score analyzer 324 determines the score does not meet the predetermined criteria, operation proceeds from step 416 to step 420. ¶72: In step 418 of FIG. 4, if the score meets a predetermined criteria, an indication is provided to an administrator…if score analyzer 324 determines that a score corresponding to chain of alerts 305 (or a sub-chain of alerts) meets the predetermined criteria, user interface 334 provides a notification to a system administrator of the validated incident. The notification may be provided at a computing device of computing device(s) 140, or transmitted to a different computing device,].

Regarding claim 10: Patrich discloses, The computer-implemented method of claim 9, and Patrich further discloses, wherein the alert policy change data object is configured to cause rendering of an alert policy change recommendation interface to a user device display of the alert manager device. [¶72: In step 418 of FIG. 4, if the score meets a predetermined criteria, an indication is provided to an administrator…if score analyzer 324 determines that a score corresponding to chain of alerts 305 (or a sub-chain of alerts) meets the predetermined criteria, user interface 334 provides a notification to a system administrator of the validated incident. The notification may be provided at a computing device of computing device(s) 140, or transmitted to a different computing device…may provide a notification for play or display to a system administrator (or other user) via user interface 334…User interface 334 may be any one of a graphical user interface, audio interface, haptic interface, or any other interface a user may access and/or monitor.].

Regarding claim 11: Patrich discloses, The computer-implemented method of claim 9, and Patrich further discloses, wherein determining the alert significance score for each of the one or more alert clusters comprises determining an incident linkage status for each alert of the one or more alert clusters.
[¶60: In step 408, for each set of alerts, a score is determined that represents a statistical likelihood of correlation between the alerts…score determiner 322 determines, for each set of alerts, the likelihood that one alert in the set of alerts is correlated to another alert in the same set…calculates a score representing a statistical likelihood that at least one alert in the set of alerts is correlated to at least one other alert in the set…the determined score may represent how unlikely the alerts in the group of alerts occurred by chance or coincidence…determines a plurality of scores for the alert sets generated by alert set generator 312. Score determiner 322 may use any suitable technique for generating the score representing statistical likelihood, such as a lift score, a correlation function, etc.]. Regarding claim 12: Patrich discloses, The computer-implemented method of claim 9, and Patrich further discloses, wherein determining the alert significance score for each of the one or more alert clusters comprises determining a significant action status for each alert of the one or more alert clusters. [¶61: score determiner 322 may extract each combination of unique associations between alerts contained with each alert set…score determiner 322 may extract combinations [A→B, C], [B→A, C], [C→A, B], [A, B→C], [A, C→B], [B, C→A]. For example, the combination [A→B, C] may represent the likelihood that alert [A] is correlated to the occurrence of alert [B] and alert [C]…score determiner 322 determines a score for each association rule extracted. The maximum score determined by score determiner 322 across the combination of unique associations for a particular set of alerts may be assigned by score determiner 322 as the score for the particular set of alerts.]. 
Regarding claim 15: Patrich discloses, The computer-implemented method of claim 9, and Patrich further discloses, wherein determining an alert significance score for each of the one or more alert clusters comprises applying at least one of a linear discriminant analysis model, a support vector machine model, or a neural network model to alert features of the one or more alert clusters. [Examiner notes that claim requires only one of the elements separated by “or” and therefore only one of them is given the patentable weight. Patrich discloses the limitation, applying a linear discriminant analysis model as described below, ¶66: the model may be used to evaluate further received alerts to determine related alerts for grouping into incidents. ¶60: In step 408, for each set of alerts, a score is determined that represents a statistical likelihood of correlation between the alerts….Score determiner 322 determines a plurality of scores for the alert sets generated by alert set generator 312. Score determiner 322 may use any suitable technique for generating the score representing statistical likelihood, such as a lift score, a correlation function, etc. ¶69: In step 416, if the chain of alerts (or any sub-chain of alerts extracted in step 422) corresponds to a score in the model, it is determined whether the score meets a predetermined criteria. In an embodiment, with respect to FIG. 3, once chain of alerts 305 (or a sub-chain of alerts thereof) is located in model 332, score analyzer 324 determines whether the corresponding score in model 332 meets a predetermined criteria (e.g., has a relationship with a threshold value, a value range, etc.).]. 
Regarding claim 16: Patrich discloses, The computer-implemented method of claim 10, and Patrich further discloses, accessing one or more alert policy change instructions generated based on user engagement with the alert policy change recommendation interface; and storing one or more alert policy configuration changes to an alert policy database based on the one or more alert policy change instructions. [¶32: take into consideration additional information accompanying the alerts, and adjust a score accordingly based on such additional information. In one embodiment, a system administrator may manually set rules identifying alerts or types of alerts that are related. In such an instance, a score calculation may take these additional rules into account prior to storing the score in the model… ¶65: a system administrator may manually set rules identifying alerts or types of alerts that are correlated or indicative of an attack on device or network. In such an instance, score determiner 322 may take the manual rules or contextual information into account prior to storing the score (e.g., by scaling the score accordingly) in the model… ¶72: user interface 334 provides a notification to a system administrator of the validated incident…User interface 334 may be any one of a graphical user interface, audio interface, haptic interface, or any other interface a user may access and/or monitor.].
Regarding claim 17: Patrich discloses, A computer program product, stored on a computer readable medium, comprising instructions that when executed by one or more computers cause the one or more computers to: [¶4: Methods, systems, and computer program products are provided for evaluating a chain of alerts. ¶95: implemented as computer program code/instructions configured to be executed in one or more processors and stored in a computer readable storage medium]; access an alert set associated with one or more service events; [¶58: Flowchart 400 commences at step 402.
At step 404, alerts are received. In an embodiment, alerts are obtained from any of servers 112A-112N and/or computing device(s) 140. ¶45: alerts 120A-120N include any security alerts that are perceived as unauthorized or illegitimate attempts to access servers 112A-112N, network 100, or any other device connected to network 110. Alerts 120A-120N may also include comprise one or more alert(s) resulting from Internet noise that any of servers 112A-112N or computing device(s) 140 view as a potential threat.]; apply a feature extraction model that is configured to extract alert features from the alert set; apply an alert clustering model to group alerts of the alert set into one or more alert clusters based at least in part on the alert features; [¶59: step 406, alerts are grouped into sets based on a predetermined relationship…generator 312 groups alerts contained within alert log 301 into a plurality of alert sets comprising one or more alerts based on a predetermined relationship between the alerts…groups alerts contained within alert log 301 based on a timing relationship between the alerts…group together alerts in alert log 301 that commonly occur together at the same time, or nearly the same time…group alerts into a set that occur within a predetermined time interval…create a set of alerts containing alerts in a sequence of alerts that begins with a first alert and continues until a predetermined length of time passes during which no further alerts are received…group together alerts in alert log 301 using contextual information (e.g., username, process name, IP address, etc.) 
included in alert log 301…group together alerts in alert log 301 using any number of predetermined criteria, including but not limited to temporal and/or contextual information contained within alert log 301.]; determine an alert significance score for each of the one or more alert clusters; [¶60: In step 408, for each set of alerts, a score is determined that represents a statistical likelihood of correlation between the alerts….Score determiner 322 determines a plurality of scores for the alert sets generated by alert set generator 312. Score determiner 322 may use any suitable technique for generating the score representing statistical likelihood, such as a lift score, a correlation function, etc.]; compare the alert significance score for each of the one or more alert clusters to an alert insignificance threshold; and [¶68: In step 414,…if chain of alerts 305 contained alerts [A, B, C], alert chain searcher 314 may analyze model 332 to determine if the set of alerts [A, B, C] is present (and having an associated score). If chain of alerts 305 has a match in model 332, operation proceeds from step 414 to step 416.... ¶69: In step 416,…once chain of alerts 305 (or a sub-chain of alerts thereof) is located in model 332, score analyzer 324 determines whether the corresponding score in model 332 meets a predetermined criteria (e.g., has a relationship with a threshold value, a value range, etc.)…score analyzer 324 determines whether the corresponding score is above a threshold value.]; in a circumstance where an alert significance score for a selected alert cluster of the one or more alert clusters satisfies the alert insignificance threshold, output an alert policy change data object to an alert manager device. 
[¶69: In step 416,…score analyzer 324 determines whether the corresponding score in model 332 meets a predetermined criteria (e.g., has a relationship with a threshold value, a value range, etc.)…if a score for a chain of alerts is above a threshold value, score analyzer 324 may decide that the chain of alerts indicates an actual threat to network 110 or one of the devices connected to network 110. If the score is below the threshold value, operation proceeds to the iterative loop at step 420, described below, whereby one alert is removed and the extracted sub-chains of alerts are analyzed. ¶71: if score analyzer 324 determines the score meets the predetermined criteria, operation proceeds from step 416 to step 418. If score analyzer 324 determines the score does not meet the predetermined criteria, operation proceeds from step 416 to step 420. ¶72: In step 418 of FIG. 4, if the score meets a predetermined criteria, an indication is provided to an administrator…if score analyzer 324 determines that a score corresponding to chain of alerts 305 (or a sub-chain of alerts) meets the predetermined criteria, user interface 334 provides a notification to a system administrator of the validated incident. The notification may be provided at a computing device of computing device(s) 140, or transmitted to a different computing device,]. Regarding claim 18: Patrich discloses, The computer program product of claim 17, and Patrich further discloses, wherein the alert policy change data object is configured to cause rendering of an alert policy change recommendation interface to a user device display of the alert manager device. [¶72: In step 418 of FIG. 
4, if the score meets a predetermined criteria, an indication is provided to an administrator…if score analyzer 324 determines that a score corresponding to chain of alerts 305 (or a sub-chain of alerts) meets the predetermined criteria, user interface 334 provides a notification to a system administrator of the validated incident. The notification may be provided at a computing device of computing device(s) 140, or transmitted to a different computing device…may provide a notification for play or display to a system administrator (or other user) via user interface 334…User interface 334 may be any one of a graphical user interface, audio interface, haptic interface, or any other interface a user may access and/or monitor.]. Regarding claim 19: Patrich discloses, The computer program product of claim 17, and Patrich further discloses, wherein determining the alert significance score for each of the one or more alert clusters comprises determining an incident linkage status for each alert of the one or more alert clusters. [¶60: In step 408, for each set of alerts, a score is determined that represents a statistical likelihood of correlation between the alerts…score determiner 322 determines, for each set of alerts, the likelihood that one alert in the set of alerts is correlated to another alert in the same set…calculates a score representing a statistical likelihood that at least one alert in the set of alerts is correlated to at least one other alert in the set…the determined score may represent how unlikely the alerts in the group of alerts occurred by chance or coincidence…determines a plurality of scores for the alert sets generated by alert set generator 312. Score determiner 322 may use any suitable technique for generating the score representing statistical likelihood, such as a lift score, a correlation function, etc.]. 
Regarding claim 20: Patrich discloses, The computer program product of claim 17, and Patrich further discloses, wherein determining the alert significance score for each of the one or more alert clusters comprises determining a significant action status for each alert of the one or more alert clusters. [¶61: score determiner 322 may extract each combination of unique associations between alerts contained with each alert set…score determiner 322 may extract combinations [A→B, C], [B→A, C], [C→A, B], [A, B→C], [A, C→B], [B, C→A]. For example, the combination [A→B, C] may represent the likelihood that alert [A] is correlated to the occurrence of alert [B] and alert [C]…score determiner 322 determines a score for each association rule extracted. The maximum score determined by score determiner 322 across the combination of unique associations for a particular set of alerts may be assigned by score determiner 322 as the score for the particular set of alerts.].

Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
Determining the scope and contents of the prior art.
Ascertaining the differences between the prior art and the claims at issue.
Resolving the level of ordinary skill in the pertinent art.
Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claim(s) 5 and 13 is/are rejected under 35 U.S.C. 103 as being unpatentable over Patrich and further in view of Gupta’309 et al. (US10469309B1) [hereinafter GUPTA’309].
Regarding claim 5: Patrich discloses, The alert cluster analysis apparatus of claim 1, and Patrich further discloses, wherein the one or more processors and one or more memories storing instructions are further operable, when executed by the one or more processors, to cause the alert cluster analysis apparatus to: determine if the selected alert cluster of the one or more alert clusters is associated with an increasing alert volume status or a decreasing alert volume status; [Examiner notes that claim requires only one of the elements separated by “or” and therefore only one of them is given the patentable weight. Patrich discloses the limitation, determine if the selected alert cluster of the one or more alert clusters is associated with an increasing alert volume status as described below, ¶31: a score is calculated for sets of alerts occurring in the past on more than a predetermined number of occasions, and is rendered unknown for sets of alerts not occurring more than a predetermined number of occasions.]; output the alert policy change data object to the alert manager device only in circumstances…where the selected alert cluster satisfies the alert insignificance threshold.
[¶31: a score is calculated for sets of alerts occurring in the past on more than a predetermined number of occasions, and is rendered unknown for sets of alerts not occurring more than a predetermined number of occasions. The output of the process is a model that contains a score for each set of alerts… ¶72: In step 418 of FIG. 4, if the score meets a predetermined criteria, an indication is provided to an administrator…if score analyzer 324 determines that a score corresponding to chain of alerts 305 (or a sub-chain of alerts) meets the predetermined criteria, user interface 334 provides a notification to a system administrator of the validated incident. The notification may be provided at a computing device of computing device(s) 140, or transmitted to a different computing device,], but doesn’t explicitly disclose, and GUPTA’309 discloses, output the alert policy change data object to the alert manager device only in circumstances where the selected alert cluster is associated with the increasing alert volume status [col 14, lines 24-33: At 906, avalanche windows may be determined based on an alert count for a time window meeting or exceeding the avalanche threshold….Avalanche patterns may be based on intersections that have an intersection score that meets or exceeds an avalanche pattern threshold. Intersection scores may be determined based on number of intersections and number of avalanche window alerts.… col 7, lines 23-26: The avalanche window module 308 may determine the avalanche windows 512/514/518 based on a total alert count 502 within each time window TW that…exceeds the avalanche threshold 506… col 12, lines 43-45: A presentation module 324 may generate a display region for displaying the alert groups for monitoring by a user or system administrator]. 
Therefore, it would have been obvious to one of ordinary skill in the art before the filing date of the claimed invention to have combined the capability of outputting the alert policy change data object to the alert manager device only in circumstances where the selected alert cluster is associated with the increasing alert volume status in order to enable a user or system administrator to more efficiently manage alert dispositions by reducing the number of alerts by eliminating redundant and insignificant alerts taught by GUPTA’309 with the apparatus taught by Patrich as discussed above in order to have reasonable expectation of success such as to enable a user or system administrator to more efficiently manage alert dispositions by reducing the number of alerts by eliminating redundant and insignificant alerts [GUPTA’309, col 13, lines 5-14: Accordingly, the alert pattern detection and alert grouping is a useful tool to enable a user or system administrator to more efficiently manage alert dispositions by reducing the number of alerts, which may have been inflated due to redundancy of alerts. The compression rate may be compared to a compression parameter to determine if the number of alert groups are satisfactory.].
Regarding claim 13: Patrich discloses, The computer-implemented method of claim 9, and Patrich further discloses, determining if the selected alert cluster of the one or more alert clusters is associated with an increasing alert volume status or a decreasing alert volume status; [Examiner notes that claim requires only one of the elements separated by “or” and therefore only one of them is given the patentable weight.
Patrich discloses the limitation, determine if the selected alert cluster of the one or more alert clusters is associated with an increasing alert volume status as described below, ¶31: a score is calculated for sets of alerts occurring in the past on more than a predetermined number of occasions, and is rendered unknown for sets of alerts not occurring more than a predetermined number of occasions.]; outputting the alert policy change data object to the alert manager device only in circumstances…where the selected alert cluster satisfies the alert insignificance threshold. [¶31: a score is calculated for sets of alerts occurring in the past on more than a predetermined number of occasions, and is rendered unknown for sets of alerts not occurring more than a predetermined number of occasions. The output of the process is a model that contains a score for each set of alerts… ¶72: In step 418 of FIG. 4, if the score meets a predetermined criteria, an indication is provided to an administrator…if score analyzer 324 determines that a score corresponding to chain of alerts 305 (or a sub-chain of alerts) meets the predetermined criteria, user interface 334 provides a notification to a system administrator of the validated incident. The notification may be provided at a computing device of computing device(s) 140, or transmitted to a different computing device,], but doesn’t explicitly disclose, and GUPTA’309 discloses, outputting the alert policy change data object to the alert manager device only in circumstances where the selected alert cluster is associated with the increasing alert volume status [col 14, lines 24-33: At 906, avalanche windows may be determined based on an alert count for a time window meeting or exceeding the avalanche threshold….Avalanche patterns may be based on intersections that have an intersection score that meets or exceeds an avalanche pattern threshold. 
Intersection scores may be determined based on number of intersections and number of avalanche window alerts.… col 7, lines 23-26: The avalanche window module 308 may determine the avalanche windows 512/514/518 based on a total alert count 502 within each time window TW that…exceeds the avalanche threshold 506… col 12, lines 43-45: A presentation module 324 may generate a display region for displaying the alert groups for monitoring by a user or system administrator]. Therefore, it would have been obvious to one of ordinary skill in the art before the filing date of the claimed invention to have combined the capability of outputting the alert policy change data object to the alert manager device only in circumstances where the selected alert cluster is associated with the increasing alert volume status in order to enable a user or system administrator to more efficiently manage alert dispositions by reducing the number of alerts by eliminating redundant and insignificant alerts taught by GUPTA’309 with the method taught by Patrich as discussed above in order to have reasonable expectation of success such as to enable a user or system administrator to more efficiently manage alert dispositions by reducing the number of alerts by eliminating redundant and insignificant alerts [GUPTA’309, col 13, lines 5-14: Accordingly, the alert pattern detection and alert grouping is a useful tool to enable a user or system administrator to more efficiently manage alert dispositions by reducing the number of alerts, which may have been inflated due to redundancy of alerts. The compression rate may be compared to a compression parameter to determine if the number of alert groups are satisfactory.].

Claim(s) 6 and 14 is/are rejected under 35 U.S.C. 103 as being unpatentable over Patrich and further in view of Banerjee et al. (US20130346594A1) [hereinafter Banerjee].
Regarding claim 6: Patrich discloses, The alert cluster analysis apparatus of claim 1, and Patrich further discloses, wherein determining an alert significance score for each of the one or more alert clusters comprises [¶60: In step 408, for each set of alerts, a score is determined that represents a statistical likelihood of correlation between the alerts….Score determiner 322 determines a plurality of scores for the alert sets generated by alert set generator 312. Score determiner 322 may use any suitable technique for generating the score representing statistical likelihood, such as a lift score, a correlation function, etc.], but doesn’t explicitly disclose, and Banerjee discloses, determining a ratio between significant alerts and insignificant alerts of the one or more alert clusters. [¶119: Relationships between clusters may be manually, semi-automatically, or automatically determined based on the clustering analysis. These relationships may be generated via a classification algorithm, for example, that classifies the various clusters according to relative importance and frequency of the clusters,…Such determination of relative importance may be automatically determined based on a mathematical and/or statistical comparison of the clusters… ¶121: The importance of these clusters, relative to other clusters, may be determined in many different ways but one simple importance measure may be simply the number of members of the cluster. That is, if a cluster has a membership that meets or exceeds a predetermined threshold, then the cluster may be determined to be relatively important with regard to the other clusters that may have a membership less than the predetermined threshold, for example. Other more complex mechanisms for determining relative importance may also be utilized without departing from the spirit and scope of the illustrative embodiments. 
Examiner notes that, in broadest reasonable interpretation, determining a ratio between significant alerts and insignificant alerts of the one or more alert clusters means determination of any ratio such as relative comparisons between significant/important alerts and insignificant/unimportant alerts of any of the alert clusters. Banerjee discloses, a ratio showing relative relationships of important alerts and unimportant alerts]. Therefore, it would have been obvious to one of ordinary skill in the art before the filing date of the claimed invention to have combined the capability of outputting the alert policy change data object to the alert manager device only in circumstances where the selected alert cluster is associated with the increasing alert volume status in order to enable a user or system administrator to more efficiently manage alert dispositions by reducing the number of alerts by eliminating redundant and insignificant alerts taught by GUPTA’309 with the apparatus taught by Patrich as discussed above in order to have reasonable expectation of success such as to enable a user or system administrator to more efficiently manage alert dispositions by reducing the number of alerts by eliminating redundant and insignificant alerts [GUPTA’309, col 13, lines 5-14: Accordingly, the alert pattern detection and alert grouping is a useful tool to enable a user or system administrator to more efficiently manage alert dispositions by reducing the number of alerts, which may have been inflated due to redundancy of alerts. The compression rate may be compared to a compression parameter to determine if the number of alert groups are satisfactory.].
Regarding claim 14: Patrich discloses, The computer-implemented method of claim 9, and Patrich further discloses, wherein determining an alert significance score for each of the one or more alert clusters comprises [¶60: In step 408, for each set of alerts, a score is determined that represents a statistical likelihood of correlation between the alerts….Score determiner 322 determines a plurality of scores for the alert sets generated by alert set generator 312. Score determiner 322 may use any suitable technique for generating the score representing statistical likelihood, such as a lift score, a correlation function, etc.], but doesn’t explicitly disclose, and Banerjee discloses, determining a ratio between significant alerts and insignificant alerts of the one or more alert clusters. [¶119: Relationships between clusters may be manually, semi-automatically, or automatically determined based on the clustering analysis. These relationships may be generated via a classification algorithm, for example, that classifies the various clusters according to relative importance and frequency of the clusters,…Such determination of relative importance may be automatically determined based on a mathematical and/or statistical comparison of the clusters… ¶121: The importance of these clusters, relative to other clusters, may be determined in many different ways but one simple importance measure may be simply the number of members of the cluster. That is, if a cluster has a membership that meets or exceeds a predetermined threshold, then the cluster may be determined to be relatively important with regard to the other clusters that may have a membership less than the predetermined threshold, for example. Other more complex mechanisms for determining relative importance may also be utilized without departing from the spirit and scope of the illustrative embodiments. 
Examiner notes that, in broadest reasonable interpretation, determining a ratio between significant alerts and insignificant alerts of the one or more alert clusters means determination of any ratio such as relative comparisons between significant/important alerts and insignificant/unimportant alerts of any of the alert clusters. Banerjee discloses, a ratio showing relative relationships of important alerts and unimportant alerts]. Therefore, it would have been obvious to one of ordinary skill in the art before the filing date of the claimed invention to have combined the capability of outputting the alert policy change data object to the alert manager device only in circumstances where the selected alert cluster is associated with the increasing alert volume status in order to enable a user or system administrator to more efficiently manage alert dispositions by reducing the number of alerts by eliminating redundant and insignificant alerts taught by GUPTA’309 with the method taught by Patrich as discussed above in order to have reasonable expectation of success such as to enable a user or system administrator to more efficiently manage alert dispositions by reducing the number of alerts by eliminating redundant and insignificant alerts [GUPTA’309, col 13, lines 5-14: Accordingly, the alert pattern detection and alert grouping is a useful tool to enable a user or system administrator to more efficiently manage alert dispositions by reducing the number of alerts, which may have been inflated due to redundancy of alerts. The compression rate may be compared to a compression parameter to determine if the number of alert groups are satisfactory.].

Conclusion

The prior art made of record and not relied upon, which is considered pertinent to applicant's disclosure, is listed in the PTO-892 Notice of Reference Cited document.

Gupta’467 et al. (US20160364467A1) - Event notification system with cluster classification: ¶17: To reduce the number of alerts generated, cluster processor 108 groups datapoints by similarity as indicated by proximity in a multi-dimensional status-parameter space.

Ranjan et al. (US20150222477A1) - Network alert pattern mining: ¶13: a plurality of network alerts is received at a device over a time frame. A sliding transaction window is used across the time frame to associate each network alert occurring within the transaction window with one or more transactions. A pruning test is applied to subsets of the plurality of network alerts, with the network alerts in a given subset being associated with the same transaction. The pruning test is based in part on the number of co-occurrences of network alerts in a given subset for different transaction windows. The subsets of network alerts are assigned to network alert clusters based on the applied pruning test. The network alerts are then joined within a network alert cluster to identify the largest grouping of network alerts that pass the pruning test. A notification that the identified grouping of network alerts is associated with the same transaction is also provided.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MOHAMMED SHAFAYET whose telephone number is (571)272-8239. The examiner can normally be reached M-F 8:30 AM-5:00 PM. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kenneth Lo can be reached at (571) 272-9774. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/M.S./ Patent Examiner, Art Unit 2116
/KENNETH M LO/ Supervisory Patent Examiner, Art Unit 2116

Prosecution Timeline

Dec 26, 2023
Application Filed
Feb 14, 2026
Non-Final Rejection — §101, §102, §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12591214
CUTTING MONITORING SYSTEM AND MONITORING METHOD THEREOF
2y 5m to grant Granted Mar 31, 2026
Patent 12585232
SUBSTRATE SUPPORT CHARACTERIZATION TO BUILD A DIGITAL TWIN
2y 5m to grant Granted Mar 24, 2026
Patent 12572128
MACHINE TOOL CONTROL DEVICE
2y 5m to grant Granted Mar 10, 2026
Patent 12551394
ELECTRO-MECHANICAL CONTROLLER TO SUPPORT AIR-PRESSURE-BASED PATIENT POSITIONING
2y 5m to grant Granted Feb 17, 2026
Patent 12547148
DISPLACEMENT MAPS
2y 5m to grant Granted Feb 10, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.


Prosecution Projections

Expected OA Rounds: 1-2
Grant Probability: 76%
With Interview: 99% (+36.9%)
Median Time to Grant: 2y 11m
PTA Risk: Low
Based on 256 resolved cases by this examiner. Grant probability derived from career allow rate.
