Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
This Office Action is in response to the communication and claim amendment filed on 10/08/2025; Claims 1, 4, and 11 have been amended; Claims 8-9 and 18-19 were cancelled; Claim 20 has been added; Claims 1 and 11 are independent claims. Claims 1-7, 10, 11-17, and 20-21 have been examined and are pending. This Action is made FINAL.
Response to Arguments
The objection to claims 1, 10-11, and 20 is withdrawn as the claims have been amended.
The rejections of claims 1-8, 10-18, and 20 under 35 U.S.C. § 101 are withdrawn as the claims have been amended.
The rejection of claims 6 and 16 under 35 U.S.C. § 112 second paragraph is withdrawn as the claims have been amended.
Applicants’ arguments in the instant Amendment, filed on 10/08/2025, with respect to limitations listed below, have been fully considered but they are not persuasive.
Applicants argue that the cited art fails to teach a dynamically changeable ADP (Applicant Remarks/Arguments, page 7).
The Examiner respectfully disagrees with the Applicants.
Applicant's argument is conclusory. Applicant restates the claim language and asserts the prior art is deficient without specifically explaining why the Examiner's mapping of the prior art to the claim limitations is incorrect. Merely reciting claim language and stating the art "fails to teach" is insufficient to overcome a properly established prima facie case of obviousness.
Applicants argue that Sharda relies on static data (Applicant Remarks/Arguments, page 7).
The Examiner respectfully disagrees with the Applicants.
Applicant's argument is conclusory. Sharda explicitly teaches dynamic, continuous telemetry collection:
- "The agent operates in the background, continuously collecting endpoint telemetry data" (par. 0025, 0034).
- "Data lake 106 may receive the monitoring events... synchronously (e.g., in real-time)" (par. 0034).
- System detects "unknown or emerging threats" through heuristic analysis (par. 0026).
Continuous, real-time collection and analysis of telemetry data is the opposite of "static data." Sharda's telemetry is inherently dynamic because it is continuously collected and used to detect emerging threats in real-time.
Applicants argue that Kaciulis teaches rules, not perimeters (Applicant Remarks/Arguments, page 7).
The Examiner respectfully disagrees with the Applicants.
Under the broadest reasonable interpretation (BRI), "dynamically modifiable rules" reads on the claimed "analytics-defined perimeter (ADP)" because both define operational boundaries that determine permitted versus prohibited activity. Rules that define acceptable behavior effectively create a "perimeter" of allowed actions. Applicant has not explained why this equivalence is unreasonable or provided any meaningful distinction between "rules" and "perimeters" in this security context. Furthermore, Kaciulis teaches that rules change based on observed conditions:
- Rules provide guidance on how to "analyze the data activity" and "determine if the data activity is harmless or is occurring as a result of malicious activity" (par. 0080).
- The processor may "dynamically generate one or more new sets of rules" (par. 0080).
- Dynamic rule generation is "particularly advantageous in dealing with malware that keeps changing, evolving, and transforming at a rapid rate" (par. 0080).
This teaches rules (ADP under BRI) that are dynamically modified based on observed conditions.
Applicants argue that no combination of these references teaches or suggests the claimed embodiments (Applicant Remarks/Arguments, page 7).
The Examiner respectfully disagrees with the Applicants.
In response to applicant's arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references. See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986). The combination teaches all limitations: collecting telemetry data (Sharda: pars. 0025, 0034); updating an activity database (Sharda: par. 0034); applying a rule to detect a crossing (Sharda: par. 0026); an ADP dynamically modifiable as conditions change (Kaciulis: par. 0080); conditions determined from telemetry such that the ADP changes (Sharda provides the telemetry; Kaciulis provides rules that change based on observed data activity); applying a policy and implementing an action (Sharda: pars. 0026, 0046). The combination operates as follows: Kaciulis's dynamically modifiable rules would operate on Sharda's continuously collected telemetry data, resulting in an ADP that changes based on conditions determined from the telemetry data.
Applicants argue, regarding new claim 21, that the ADP defined as part of the policy is not taught (Applicant Remarks/Arguments, page 8).
The Examiner respectfully disagrees with the Applicants.
It would have been obvious to one of ordinary skill in the art to define the ADP as part of the policy because combining two related components (perimeter definition and policy) into a unified structure is an obvious design choice that simplifies system management. This yields predictable results with no unexpected technical advantage. See KSR Int'l Co. v. Teleflex Inc., 550 U.S. 398 (2007).
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-3, 11-13, and 21 are rejected under 35 U.S.C. 103 as being unpatentable over Sharda et al. (“Sharda,” US 2024/0356950, filed on Aug. 24, 2023) in view of Kaciulis et al. (“Kaciulis,” US 2024/0154980, filed on Nov. 9, 2022).
Regarding claim 1, Sharda teaches a method comprising:
collecting telemetry data concerning an activity occurring in an information technology (IT) infrastructure (Sharda: par. 0025, The agent operates in the background, continuously collecting endpoint telemetry data and sending it to a central management console and/or the Extended detection & Response (XDR) system 104; par. 0034, The agent operates in the background, continuously collecting endpoint telemetry data and sending it to a central management console and/or the XDR system 104; par. 0003, XDR platforms integrate data from the entire information technology (IT) infrastructure of a computing system to provide unified visibility and automated actions against cyberattacks);
updating an activity database with the telemetry data (Sharda: par. 0034, Data lake 106 may receive the monitoring events retrospectively (e.g., asynchronously) and/or synchronously (e.g., in real-time) from the monitoring components 102, storing them in a structured or semi-structured format for efficient retrieval and analysis. Data lake 106 may be implemented using a database, data warehouse, and/or cloud storage.);
applying a rule to determine if the activity is associated with a crossing of an analytics-defined perimeter (ADP) within the IT infrastructure (Sharda: par. 0026, Heuristic analysis involves applying predefined rules and behavioral models to detect unknown or emerging threats. In some cases, the IDS/IPS 102B performs at least one of an IDS or an IPS functionality. The IDS functionality may identify suspicious or anomalous network behaviors, such as port scans, unusual data transfer patterns, or unauthorized access attempts);
when a perimeter crossing has been determined to have occurred, applying a policy to determine whether, and what, action should be taken with respect to the perimeter crossing (Sharda: par. 0046, In some cases, when the cross-domain analytics component 108 identifies a security incident, the incident response component 110 is triggered to initiate appropriate responses. These responses may be automated, where pre-defined response actions are executed based on predefined playbooks and policies, or manual, where security analysts are involved in making informed decisions on response actions based on the severity and nature of the incident); and
implementing an action with respect to an entity whose activity is being evaluated when the perimeter crossing is determined to be contrary to the policy (Sharda: par. 0026, … IPS functionality may take immediate action to block or prevent identified threats from progressing further into the network; par. 0046, the incident response component 110 may take automated actions to block or blacklist malicious IP addresses or domains associated with the detected threats), wherein the action comprises restricting or facilitating prevention of the entity from engaging in the activity outside of the perimeter (Sharda: par. 0026, … IPS functionality may take immediate action to block or prevent identified threats from progressing further into the network; par. 0046, the incident response component 110 may take automated actions to block or blacklist malicious IP addresses or domains associated with the detected threats).
Sharda does not explicitly disclose wherein the ADP is dynamically defined and modifiable as conditions within the IT infrastructure change, and wherein the conditions are determined from the telemetry data such that the ADP changes based on the telemetry data.
However, in an analogous art, Kaciulis discloses
wherein the ADP is dynamically defined and modifiable as conditions within the IT infrastructure change (Kaciulis: par. 0080, The processor may refer to the first set of dynamically modifiable rules for guidance on how to deal with the anomaly. In one case, the first set of dynamically modifiable rules may provide an indication on how to analyze the data activity and determine if the data activity is harmless or is occurring as a result of malicious activity. The first set of dynamically modifiable rules may, for example, provide security-related guidance on how to detect a code pattern and/or a signature that indicates malicious intent and may also provide information about various malicious code patterns and/or signatures. In another case, the processor may use one or more sets of existing rules to dynamically generate one or more new sets of rules. In an example embodiment, the processor may generate a new set of rules based on applying, for example, machine learning or artificial intelligence, on one or more sets of existing rules. The new set or sets of rules may for example, be applied for malware detection. The dynamic generation of new rules in this manner may be particularly advantageous in dealing with malware that keeps changing, evolving, and transforming at a rapid rate), and wherein the conditions are determined from the telemetry data such that the ADP changes based on the telemetry data (Kaciulis: par. 0080).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Kaciulis with the method and system of Sharda to include wherein the ADP is dynamically defined and modifiable as conditions within the IT infrastructure change, and wherein the conditions are determined from the telemetry data such that the ADP changes based on the telemetry data. One would have been motivated to do so in order to direct the rules applicable to data access at procedures related to retrieving, modifying, copying, or moving data between various computing devices in a reliable and secure manner (Kaciulis: par. 0029).
Regarding claim 2, the combination of Sharda and Kaciulis teaches the method as recited in claim 1. The combination of Sharda and Kaciulis further teaches wherein the ADP crossing is verified directly through the policy (Sharda: par. 0044, In some cases, the predictive models 114 include an incident model that determines (e.g., based on alert features generated by the alert model) whether each alert is an incident as determined based on predefined incident definition criteria).
Regarding claim 3, the combination of Sharda and Kaciulis teaches the method as recited in claim 1. The combination of Sharda and Kaciulis further teaches, wherein the perimeter defines a segment of the IT infrastructure (Sharda: par. 0003, monitoring data from different security domains associated with different monitoring components; processes events across heterogeneous monitoring components 102 to uncover attacks spanning multiple monitoring domains).
Regarding claim 11, claim 11 is directed to a non-transitory storage medium (Sharda: pars. 0081, 0085) having stored therein instructions that are executable by one or more hardware processors (Sharda: par. 0077) to perform operations associated with the method claimed in claim 1; claim 11 is similar in scope to claim 1, and is therefore rejected under similar rationale.
Regarding claim 12, claim 12 is similar in scope to claim 2, and is therefore rejected under similar rationale.
Regarding claim 13, claim 13 is similar in scope to claim 3, and is therefore rejected under similar rationale.
Regarding claim 21, the combination of Sharda and Kaciulis teaches the method as recited in claim 1. Sharda and Kaciulis do not explicitly disclose wherein the ADP is defined as a part of the policy.
However, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to define the ADP as part of the policy (i.e., combine them into one single component) because combining known elements to yield predictable results is obvious. Such a combination would improve management efficiency by having boundary definitions and decision rules in one place. It is merely an obvious design choice with no unexpected result.
Claims 4 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Sharda et al. (“Sharda,” US 2024/0356950, filed on Aug. 24, 2023) in view of Kaciulis et al. (“Kaciulis,” US 2024/0154980, filed on Nov. 9, 2022), and further in view of Yamamoto et al. (“Yamamoto,” US 2019/0294803, published on Sep. 26, 2019).
Regarding claim 4, the combination of Sharda and Kaciulis teaches the method as recited in claim 1. Sharda and Kaciulis do not explicitly teach “wherein the ADP is defined without use of direct intervention in an IT infrastructure.”
However, in an analogous art, Yamamoto teaches "wherein the ADP is defined without use of direct intervention in an IT infrastructure" (Yamamoto: par. [0065] The log monitoring technique is a technique of monitoring a log and detecting an anomaly in the log. A specific example of a security product having the log monitoring technique implemented therein is a SIEM product. "SIEM" is an abbreviation for Security Information and Event Management. When the detection technique implemented in the security product as an evaluation target is the log monitoring technique, a program for executing a series of processes intended by an attacker is used as the attack module 212. Examples of the processes intended by the attacker are file manipulations, user authentication, program startup, and uploading of information to outside; par. [0137] When the detection technique implemented in the security product as an evaluation target is the log monitoring technique, it is monitored whether the basic function is exerted by an attack causing a log. Examples of the basic function are file manipulations, user authentication, program startup, and uploading of information to outside. Specifically, the basic function monitoring unit 231 monitors a log such as Syslog and communication log to determine whether a log regarding the basic function is present. That is, the basic function monitoring unit 231 operates as a program for searching information in the log by following definitions determined in advance).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Yamamoto with the method and system of Sharda and Kaciulis to include "wherein the ADP is defined without use of direct intervention in an IT infrastructure." One would have been motivated to do so because a skillful attack sample that maintains the function the attacker is estimated to intend can be generated, and the security products are evaluated using such a skillful attack sample (Yamamoto: pars. 0010, 0015).
Regarding claim 14, claim 14 is similar in scope to claim 4, and is therefore rejected under similar rationale.
Claims 5 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Sharda et al. (“Sharda,” US 2024/0356950, filed on Aug. 24, 2023) in view of Kaciulis et al. (“Kaciulis,” US 2024/0154980, filed on Nov. 9, 2022), further in view of Stergioudis et al. (“Stergioudis,” US 2021/0400075, published on Dec. 23, 2021).
Regarding claim 5, the combination of Sharda and Kaciulis teaches the method as recited in claim 1. Sharda and Kaciulis do not explicitly disclose wherein the ADP determines a conditional access authorization for the entity based on a network state representation.
However, in an analogous art, Stergioudis discloses wherein the ADP determines a conditional access authorization for the entity based on a network state representation (Stergioudis: par. [0004] In responding to a request to access, an access management system may determine whether to grant an agent (e.g., executing on a client) access to a resource (e.g., hosted on a remote server) in accordance with various authentication. For instance, the access management system may perform the determination using a risk-based authentication (RBA) schema. The RBA schema may take into account a profile of the agent requesting access to the server to determine a risk profile associated with the transaction. The risk profile may then be used to determine a complexity of the challenge against which to verify the request access. A higher risk profile may lead to a stronger challenge. In contrast, a lower risk profile may be satisfied by the entry of a static account identifier and passcode. The user of the client may be challenged for additional credentials when the determined risk level is appropriate; par. [0005] The RBA schema may thus be an improvement over access management systems where user accounts are created and assigned roles with each role having a set level of predefined access. For example, the risk level determined for an employee trying to access sensitive files during expected working hours via a corporate network may be low. But if the same user tried to access such files outside working hours and from outside the corporate network (e.g., at home or via a public network), the determined risk level may be relatively higher. Under access management systems that do not account for risk profile, the user may be determined to be equally risky (e.g., low risk) in both scenarios and would be allowed to access the sensitive files if the assigned role permitted such access.).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Stergioudis with the method and system of Sharda and Kaciulis to include wherein the ADP determines a conditional access authorization for the entity based on a network state representation. One would have been motivated to do so because the method enables determining a risk profile to determine a complexity of a challenge against which to verify a request for access, so that a higher risk profile can lead to a stronger challenge, thus allowing a user of a client to be challenged for additional credentials when the determined risk level is appropriate and improving a risk-based authentication (RBA) schema over access management systems in which user accounts are created and assigned roles, each role including a set level of predefined access (Stergioudis: pars. 0004-0005).
Regarding claim 15, claim 15 is similar in scope to claim 5, and is therefore rejected under similar rationale.
Claims 6 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Sharda et al. (“Sharda,” US 2024/0356950, filed on Aug. 24, 2023) in view of Kaciulis et al. (“Kaciulis,” US 2024/0154980, filed on Nov. 9, 2022), further in view of Lloyd et al. (“Lloyd,” US 6,219,790, published on Apr. 17, 2001).
Regarding claim 6, the combination of Sharda and Kaciulis teaches the method as recited in claim 1. Sharda and Kaciulis do not disclose "wherein the ADP is defined without use of a local policy enforcement point (PEP)."
However, in an analogous art, Lloyd discloses wherein the ADP is defined without use of a local policy enforcement point (PEP) (Lloyd: Col. 10, lines 36-40, the AAA server 118 of the present invention uses a rules table 305, referred to as "imp.radius.rules" 501 to filter incoming requests and to define services offered. The rules table 305 is used to implement specific access policies.).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Lloyd with the method and system of Sharda and Kaciulis to include wherein the ADP is defined without use of a local policy enforcement point (PEP). One would have been motivated to do so because of the advantage of allowing conventional software to be used within each client 204-212 with little or no modification (Lloyd: Col. 7, lines 12-14).
Regarding claim 16, claim 16 is similar in scope to claim 6, and is therefore rejected under similar rationale.
Claims 7 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Sharda et al. (“Sharda,” US 2024/0356950, filed on Aug. 24, 2023) in view of Kaciulis et al. (“Kaciulis,” US 2024/0154980, filed on Nov. 9, 2022), further in view of Bharrat et al. (“Bharrat,” US 2020/0213343, published on Jul. 2, 2020).
Regarding claim 7, the combination of Sharda and Kaciulis teaches the method as recited in claim 1. Sharda and Kaciulis do not explicitly disclose wherein the rule and policy are represented as data in a database.
However, in an analogous art, Bharrat discloses wherein the rule and policy are represented as data in a database (Bharrat: par. 0074, The policy database system 806 is a storage device which includes policies and/or rules that define actions to be taken in response to detected threats).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Bharrat with the method and system of Sharda and Kaciulis to include wherein the rule and policy are represented as data in a database. One would have been motivated to do so because, when an operator provides input on a detected threat or anomaly and corrective action has already been taken, the policy and actions will be updated to ensure that the operator-suggested action is implemented with regard to an ongoing or new threat of the same type (Bharrat: par. 0119).
Regarding claim 17, claim 17 is similar in scope to claim 7, and is therefore rejected under similar rationale.
Claims 10 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Sharda et al. (“Sharda,” US 2024/0356950, filed on Aug. 24, 2023) in view of Kaciulis et al. (“Kaciulis,” US 2024/0154980, filed on Nov. 9, 2022), further in view of McCarty et al. (“McCarty,” US 2020/0358823, published Nov. 12, 2020).
Regarding claim 10, the combination of Sharda and Kaciulis teaches the method as recited in claim 1. Sharda and Kaciulis do not explicitly disclose wherein the action is implemented by a PEP.
However, in an analogous art, McCarty discloses wherein the action is implemented by a PEP (McCarty: par. 0042, By way of additional background, FIG. 4 illustrates a representative policy management system 400. The system 400 may be implemented across one or more machines operating in a computing environment, such as shown in FIG. 1. Typically, the system comprises a policy administration point (PAP) 402, the policy decision point (PDP) 404, and a policy enforcement point (PEP) 406. Generally, policy administration point 402 is used to define a policy, which may be specified as a set of XACML policy expressions. This policy uses subject attributes provided from a user repository 408, as well as runtime and environment data received from policy information point (PIP) 410. The policy decision point (PDP) 404 receives similar information and responds to an XACML policy query received from the policy enforcement point (PEP) 406 to enforce the policy on a subject and with respect to a particular action initiated by the subject. The PDP 404 implements the policy decision. In one commercial implementation of this approach, the PAP 402 is implemented by IBM® Tivoli® Security Policy Manager (TSPM) policy service/console, the PDP 404 is implemented in the TSPM runtime security service, and the PEP is implemented as a TSPM plug-in to application server, such as IBM WebSphere® Application Server).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of McCarty with the method and system of Sharda and Kaciulis to include wherein the action is implemented by a PEP. One would have been motivated to do so because efficient evaluation of authorization requests for an application architecture is provided: the hybrid approach allows the policy to be driven through a centrally-managed model, while at the same time allowing optimized authorization checks to be made within a local runtime application or service context (McCarty: pars. 0006-0007).
Regarding claim 20, claim 20 is similar in scope to claim 10, and is therefore rejected under similar rationale.
Conclusion
THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CANH LE whose telephone number is (571) 270-1380. The examiner can normally be reached Monday to Friday, 6:00 AM to 3:30 PM, with every other Friday off.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham, can be reached at telephone number 571-270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from Patent Center and the Private Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from Patent Center or Private PAIR. Status information for unpublished applications is available through Patent Center and Private PAIR for authorized users only. Should you have questions about access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) Form at https://www.uspto.gov/patents/uspto-automated-interview-request-air-form.
/Canh Le/
Examiner, Art Unit 2439
December 11th, 2025
/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439