Prosecution Insights
Last updated: April 19, 2026
Application No. 18/397,144

METHOD AND SYSTEM FOR NETWORK SECURITY SITUATION ASSESSMENT

Final Rejection §103
Filed: Dec 27, 2023
Examiner: GREENE, JOSEPH L
Art Unit: 2443
Tech Center: 2400 — Computer Networks
Assignee: Ajou University Industry-Academic Cooperation Foundation
OA Round: 2 (Final)
Grant Probability: 63%
Moderate
OA Rounds: 3-4
To Grant: 4y 2m
With Interview: 99%

Examiner Intelligence

Grants 63% of resolved cases
Career Allow Rate: 63% (347 granted / 550 resolved), +5.1% vs TC avg
Strong +37% interview lift
Interview Lift: +36.9% (resolved cases with interview)
Typical timeline
Avg Prosecution: 4y 2m (48 currently pending)
Career history
Total Applications: 598 (across all art units)

Statute-Specific Performance

§101: 9.6% (-30.4% vs TC avg)
§103: 61.0% (+21.0% vs TC avg)
§102: 10.3% (-29.7% vs TC avg)
§112: 8.3% (-31.7% vs TC avg)
Based on career data from 550 resolved cases

Office Action

§103
DETAILED ACTION

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

1. Claims 1, 4-9, and 12-17 are currently pending in this application. Claims 1, 4-5, 9, and 12-13 are amended as filed on 12/10/2025. Claims 2-3 and 10-11 are canceled as filed on 12/10/2025.

Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1, 4-9, and 12-17 are rejected under 35 U.S.C. 103 as being unpatentable over Fischer et al. (Pre-Grant Publication No. US 2024/0223580 A1), hereinafter Fischer, in view of Lu et al. (Pre-Grant Publication No. US 2024/0129325 A1), hereinafter Lu, and in further view of Overby et al. (Pre-Grant Publication No. US 2019/0379683 A1), hereinafter Overby.

2. With respect to claims 1 and 9, Fischer taught a network security situation assessment method of a network system (0006 & 0009. See also: 0014), the network security situation assessment method comprising: obtaining network traffic of the network system (0006); detecting an anomaly on the network system from the obtained network traffic (0018, the invalid traffic); identifying the detected anomaly (0018, the different invalid traffic scenarios); and assessing a network situation of the network system based on a result of analyzing (0014-0015. See also: 0017, the data analysis and assessing).

However, Fischer did not explicitly state that the anomaly was an attack, analyzing a possibility of an attack and an impact of an attack on the network system based on results of the detecting and identifying of the attack, and wherein the detecting of the attack on the network system comprises: inputting the network traffic into the first model; obtaining a reconstruction error between reconstructed network traffic output from the first model and the input network traffic; obtaining a prediction error between a prediction result of a network traffic pattern output from the second model and network traffic occurring in the network system; and detecting the attack based on the obtained reconstruction error and prediction error.

On the other hand, Lu did teach that the anomaly was an attack (0008 & 0035), analyzing a possibility of an attack and an impact of an attack on the network system based on results of the detecting and identifying of the attack (0006, where the type of abnormal traffic of 0027 teaches the attack type, which teaches the impact of the attack under broadest reasonable interpretation), and wherein the detecting of the attack on the network system comprises: inputting the network traffic into the first model (0006); obtaining a reconstruction error between reconstructed network traffic output from the first model and the input network traffic (0006); obtaining a prediction error between a prediction result of a network traffic pattern output from the second model and network traffic occurring in the network system (0006); and detecting the attack based on the obtained reconstruction error and prediction error (0006).

Both of the systems of Fischer and Lu are directed towards monitoring network traffic and therefore, it would have been obvious to a person having ordinary skill in the art, at the time of the effective filing of the invention, to modify the teachings of Fischer, to utilize deep learning for attack detection, as taught by Lu, as Fischer’s anomalies and machine learning likely already perform said features but it is simply, not explicitly stated.

However, the combination of Fischer and Lu did not explicitly state obtaining a dimensionally reduced vector based on the input network traffic from the first model and inputting the obtained dimensionally reduced vector into the second model.

On the other hand, Overby did teach obtaining a dimensionally reduced vector based on the input network traffic from the first model (Overby: 0053 & 0050, where the inputs can be seen in 0054) and inputting the obtained dimensionally reduced vector into the second model (Overby: 0053 & 0050, where the output into the second model can be seen in 0054, where the outputs are used to “derive security description values” which teaches the outputs being fed into a second model under broadest reasonable interpretation).

Both of the systems of Fischer and Overby are directed towards managing malicious traffic and therefore, it would have been obvious to a person having ordinary skill in the art, at the time of the effective filing of the invention, to modify the teachings of Fischer to utilize specific machine learning functionality such as auto-encoders and dimensionally reduced vectors, as taught by Overby, in order to implement effective machine learning in a system that was contemporary to the time of the invention.

3. As for claims 4 and 12, they are rejected on the same basis as claims 1 and 9 (respectively). In addition, Lu taught detecting that the network traffic includes an attack when a weighted average of the reconstruction error and the prediction error exceeds a predefined threshold (0091, where the weighted averages are given).

4. As for claims 5 and 13, they are rejected on the same basis as claims 1 and 9 (respectively). In addition, Overby taught wherein the first model is trained to generate dimensionally reduced vectors from normal network traffic and to generate reconstructed network traffic based on the dimensionally reduced vectors, and the second model is trained to sequentially receive the dimensionally reduced vectors of the normal network traffic and to predict a network traffic pattern based on the received vectors (0053 & 0050, where the sequentially computations can be seen in 0228 and the LSTM was previously shown by L: 0031).

5. As for claims 6 and 14, they are rejected on the same basis as claims 1 and 9 (respectively). In addition, Lu taught wherein the identifying of the detected attack comprises: identifying the detected attack using a model generated based on deep learning to identify the attack from network traffic in which the attack is detected (0026).

6. As for claims 7 and 15, they are rejected on the same basis as claims 1 and 9 (respectively). In addition, Fischer taught analyzing the possibility of the attack on the network system based on a security vulnerability analysis result of the network system and a result of the detecting of the attack; and analyzing the impact of the attack on the network system based on the security vulnerability analysis result and a result of the identifying of the attack, wherein the security vulnerability analysis result is provided based on common vulnerability and exposure (0093-0094, where understanding the different traffic situations and how it would affect the computing platform teaches the above under broadest reasonable interpretation).

7. As for claims 8 and 16, they are rejected on the same basis as claims 1 and 9 (respectively). In addition, Lu taught wherein the assessing of the network situation comprises: assessing the network situation indicating a security risk of the network system based on a result of the analyzing of the possibility of the attack and the impact of the attack (0006 & 0008).

8. As for claim 17, it is rejected on the same basis as claim 9. In addition, Fischer taught wherein the network security situation assessment system comprises at least one computing device (0001).

Response to Arguments

Applicant's arguments filed 12/10/2025 have been fully considered but they are not persuasive.

9. The applicant argues on page 11 that “the content of the cited portion in Overby is merely "TLS inspection may be used to protect against the improper use of encrypted communications between the virtualized environment 102 (e.g., the embedded system) and the external world." That is. Lu and Overby teach the applicability of LSTM, but do not teach how to apply LSTM. Thus, Lu and Overby fail to teach or suggest "inputting the network traffic into a first mode, obtaining a reconstruction error between reconstructed network traffic output from the first model and the input network traffic, obtaining a dimensionally reduced vector based on the input network traffic from the first model, inputting the obtained dimensionally reduced vector into second model, obtaining a prediction error between a prediction result of a network traffic pattern output from the second model and network traffic occurring in the network system, and detecting the attack based on the obtained reconstruction error and prediction error" of claim 1. Additionally, Lu and Overby do not provide any motivation to combine the references and to derive the claimed features.”

However, the cited portions of Lu in combination with Overby show inputting network traffic into a first and second model (Lu: 0006, where the plurality of classification models can be seen) and puts the out into a dimensionally reduced vector (Overby: 0053, where the input and output can be seen in 0054). Likewise, the citations show that the output is used to derive other data, which implicitly teaches the output being placed into a second model. Lu teaches the reconstruction error (0006). More importantly, feeding data into the appropriate models in a sequential manner is an obvious way to derive the output that one desires and was standard practice at the time of the invention.

Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.

(a) Brooks et al. (Pre-Grant Publication No. US 2009/0273472 A1), 0041.

THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to JOSEPH L GREENE whose telephone number is (571)270-3730. The examiner can normally be reached Monday - Thursday, 10:00am - 4:00pm.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Nicholas R. Taylor can be reached at 571 272-3889. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/JOSEPH L GREENE/Primary Examiner, Art Unit 2443

Prosecution Timeline

Dec 27, 2023
Application Filed
Aug 08, 2025
Non-Final Rejection — §103
Dec 10, 2025
Response Filed
Jan 23, 2026
Final Rejection — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12568075
METHOD, SYSTEM AND APPARATUS OF AUTHENTICATING USER AFFILIATION FOR AN AVATAR DISPLAYED ON A DIGITAL PLATFORM
2y 5m to grant Granted Mar 03, 2026
Patent 12567425
ENCODING METHOD AND DECODING METHOD
2y 5m to grant Granted Mar 03, 2026
Patent 12566897
ANTI-TAMPER CIRCUIT, LED CABINET AND LED DISPLAY SCREEN
2y 5m to grant Granted Mar 03, 2026
Patent 12563049
SYSTEMS AND METHODS FOR A.I.-BASED MALWARE ANALYSIS ON OFFLINE ENDPOINTS IN A NETWORK
2y 5m to grant Granted Feb 24, 2026
Patent 12531830
METHOD AND ELECTRONIC DEVICE FOR DEVICE IP STATUS CHECKING AND CONNECTION ORCHESTRATION
2y 5m to grant Granted Jan 20, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.


Prosecution Projections

Expected OA Rounds: 3-4
Grant Probability: 63%
With Interview (+36.9%): 99%
Median Time to Grant: 4y 2m
PTA Risk: Moderate
Based on 550 resolved cases by this examiner. Grant probability derived from career allow rate.
