ARTIFICIAL INTELLIGENCE-BASED QUERY GENERATION FOR CYBERSECURITY DATA SEARCH

DETAILED ACTION Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . This Office action is in response to the amendments, arguments and remarks, filed on 1/21/2026, in which claim(s) 1-20 is/are presented for further examination. Claim(s) 1, 3-5, 7, 9-11, 13-16 and 18-20 has/have been amended. Response to Amendment Applicant’s amendment(s) to claim(s) 1, 3-5, 7, 9-11, 13-16 and 18-20 has/have been accepted. Note: The examiner requests that applicant cite where in the specification there is support for applicant’s amendment(s)/addition(s). It will quicken the prosecution if the examiner does not have to search the entire specification to ensure that applicant has not introduced new matter. Response to Arguments Applicant’s arguments with respect to claim(s) 1-20, filed on 1/21/2026, have been fully considered but they are not persuasive. Accordingly, this action has been made FINAL. Applicant’s arguments with respect to the rejection(s) of claim(s) 1-20, under 35 U.S.C. 103, see the bottom of page 7 to page 8 of applicant’s remarks, filed on 1/21/2026, have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claim(s) 1-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Thompson, US 2024/0256678 A1 (hereinafter “Thompson”) in view of Kotaru, US 2024/0419705 A1 (hereinafter “Kotaru”) in further view of Varma et al, US 2012/0254143 A1 (hereinafter “Varma”). Claims 1, 11 and 16 Thompson discloses a method comprising: receiving a request to search cybersecurity data associated with a plurality of computing resources of one or more entities, wherein the request comprises a natural language query (Thompson, [0330], see the application 112 can guide users or entities through completing a protection application (e.g., cybersecurity protection application, insurance application). The application 112 can be designed to integrate with technology and databases (e.g., database 140, response system 130, etc.) [i.e., corresponds to the “plurality of computing resources”] to access information [i.e., corresponds to “receiving a request to search”] used in modeling the protection application and/or guide users/entities through completing the application [i.e., corresponds to accessing cybersecurity information]; and Thompson, [0106], see clients can use queries in a formal query language, inter-process communication architecture, natural language or semantic queries to obtain data from the DBMS, which discloses the ability to submit natural language queries/searches to retrieve data from a database); generating a prompt for a trained generative artificial intelligence (Al) model (Thompson, [0337], see the modeler 2508 can generate a prompt to be inputted into the trained GAI/generative artificial intelligence model based on the identified protection parameter (e.g., content field) of the protection application, receive a response from the prompt (e.g., in response to prompting the GAI using the prompt), and provide the response for modeling by GAI model), the prompt comprising: prompt the GPT model based on identified information (e.g., protection parameters) of the protection application and/or entity data of an entity (e.g., security posture). In some arrangements, the modeler 2508 can incorporate the GAI model to parse and/or extract unstructured input data (e.g., incident response plans in PDF or HTML format, cybersecurity configuration data stored in JSON format, etc.), and the modeler 2508 can use the parsed/extracted input data in performing the functionality described above (e.g., in generating an output, prompting a GAI, adjusting the output, etc.)), providing the prompt as input to the trained generative (AI) model (Thompson, [0337], see the modeler 2508 can generate a prompt to be inputted into the trained GAI model based on the identified protection parameter (e.g., content field) of the protection application, receive a response from the prompt (e.g., in response to prompting the GAI using the prompt), and provide the response for modeling by GAI model); obtaining one or more outputs of the trained generative AI model (Thompson, [0337], see the modeler 2508 can generate a prompt to be inputted into the trained GAI model based on the identified protection parameter (e.g., content field) of the protection application, receive a response from the prompt (e.g., in response to prompting the GAI using the prompt), and provide the response for modeling by GAI model), to fulfill the request to search the cybersecurity data (Thompson, [0338], see the modeler 2508 can implement a generative pre-trained transformer (GPT) model (e.g., trained on a training dataset including cyber security data, protection data, protection control schemas, historical protection data, etc.) and can prompt the GPT model based on identified information (e.g., protection parameters) of the protection application and/or entity data of an entity (e.g., security posture). In some arrangements, the modeler 2508 can incorporate the GAI model to parse and/or extract unstructured input data (e.g., incident response plans in PDF or HTML format, cybersecurity configuration data stored in JSON format, etc.), and the modeler 2508 can use the parsed/extracted input data in performing the functionality described above (e.g., in generating an output, prompting a GAI, adjusting the output, etc.); and Thompson, [0206], see, when running tests through the Responder platform, the analysis circuit 136 of response system 130 can execute the tests and provide detailed analysis of the results. The analysis circuit 136 can identify areas of strength and weakness within the incident response plan, enabling users to fine-tune and optimize their plan accordingly. This level of analysis provides improvement to security architecture by ensuring that the incident response plan is effective, reducing the risk of costly downtime and reputational damage in the event of an incident. Once the test is completed, the user can store the results and review the findings using interactive items 722 and 724. Any issues that are identified can be remediated promptly to ensure that the incident response plan is as effective as possible. In some implementations, Responder offers a set of recommendations for addressing identified weaknesses in the incident response plan, providing the user with clear guidance on how to optimize their plan for maximum effectiveness). Thompson does not appear to explicitly disclose translating the natural language query into a sequence of word embeddings; identifying, based on a chosen similarity metric and a chosen similarity threshold, one or more examples wherein each example of the one or more examples comprises a respective natural language query and a corresponding formal language query; comprising: (i) at least part of the natural language query, (ii) a set of instructions for generating a first formal language query corresponding to the natural language query, and (iii) the one or more examples; the one or more outputs indicating the first formal language query corresponding to the request; and causing the first formal language query to be executed. Kotaru discloses translating the natural language query into a sequence of word embeddings (Kotaru, [0106], see receiving a natural language (NL) query on operator metric data associated with a plurality of metrics, where each metric is associated with a metric definition, and converting the plurality of metric definitions of the definition database and the NL query into word embeddings); identifying, based on a chosen similarity metric and a chosen similarity threshold, one or more examples wherein each example of the one or more examples comprises a respective natural language query and a corresponding formal language query (Kotaru, [0049], see metrics corresponding to metric definitions that are semantically close to the NL query may be extracted as context (e.g., metric context) for processing the NL query [i.e., corresponds to the “one or more examples”]; and Kotaru, [0106], see receiving a natural language (NL) query on operator metric data associated with a plurality of metrics, where each metric is associated with a metric definition [i.e., corresponds to the “formal language query”], and converting the plurality of metric definitions of the definition database and the NL query into word embeddings. Additionally, the method including performing a cosine similarity [i.e., corresponds to the “chosen similarity metric”] on the word embeddings to determine a set of metric definitions that are semantically similar [i.e., where the level is set as being semantically similar corresponds to the “chosen similarity threshold”] to the NL query, where the set of metric definitions corresponds to a set of metrics). Thompson and Kotaru are analogous art because they are from the same field of endeavor of processing data. It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, having the teachings of Thompson and Kotaru before him/her, to modify the querying of Thompson to include the translation of Kotaru because it enhance searching capabilities. The suggestion/motivation for doing so would have been to interact with vast amounts of data without heavy dependence on specialists, see Kotaru, [0019]. Therefore, it would have been obvious to combine Kotaru with Thompson to obtain the invention as specified in the instant claim(s). The combination of Thompson and Kotaru does not appear to explicitly disclose comprising: (i) at least part of the natural language query, (ii) a set of instructions for generating a first formal language query corresponding to the natural language query, and (iii) the one or more examples; the one or more outputs indicating the first formal language query corresponding to the request; and causing the first formal language query to be executed. Varma discloses comprising: (i) at least part of the natural language query, (ii) a set of instructions for generating a first formal language query corresponding to the natural language query, and (iii) the one or more examples (See below); the one or more outputs indicating the first formal language query corresponding to the request (Varma, Abstract, see a natural language query tool comprising cascaded conditional random fields (CRFs) (e.g., a linear-chain CRF and a skip-chain CRF applied sequentially) processes natural language input to produce output that can be used in database searches. For example, cascaded CRFs extract entities from natural language input that correspond to column names or column values in a database, and identify relationships between the extracted entities [i.e., where the extracted entities that correspond to column names or column values in the database and the identified relationships, using BRI, are interpreted as the “embeddings” and the “one or more examples” and the mapping between the natural language to the formal query language, using BRI, is interpreted to be the “set of instructions”]. A search engine can execute queries based on output from the cascaded CRFs over an inverted index of a database, which can be based on one or more materialized views of the database. Results can be sorted (e.g., according to relevance scores) and presented in a user interface; Varma, [0041], see CRFs in described CRF-based learning models can be trained to learn the process of extraction of entities from natural language input and identify relationships between entities, and can be adapted to changes in querying patterns by retraining the classifiers (e.g., with updated training data). Described CRF-based machine learning models use cascaded CRFs, which can learn sequential patterns and allow capturing of semantics which are inherent in a query (e.g., automatically) based on patterns learned during training; and Varma, [0077], see FIG. 8 is a diagram of a natural language query 802 with labels and mapping information after processing with cascaded CRFs. The labels and mapping information shown in FIG. 8 can be produced, for example, by processing the natural language query 802 with the cascaded CRFs shown in system 100 (FIG. 1), system 200 (FIG. 2), or system 300 (FIG. 3). In the example shown in FIG. 8, an input natural language query 802 has been annotated with linear-chain CRF labels 804 and skip-chain CRF labels 806. The linear-chain labels 804 include column value labels (ColVal, or “CV” in FIG. 9), a column name label (ColName, or “CN” in FIG. 8) and Other labels (“OTH” in FIG. 8). The solid lines between adjacent linear-chain labels 804 indicate bi-gram edges obtained with a bi-gram clique template in a linear-chain CRF. As shown in FIG. 8, two words (“managers” and “account”) in input natural language query 802 are labeled “CV” to indicate that they are potential column values. The skip-chain labels 806 include Start (“S” in FIG. 8) and End (“E” in FIG. 8). Dotted line 820 indicates a mapping between a ColName label and a Start label. Dotted line 822 indicates a mapping between a ColVal label and an End label. Dotted lines 820, 822 indicate a mapping edge obtained with a mapping label clique template. Dashed line 810 indicates a mapping between the node labeled with the Start label and the node labeled with the End label. Dashed line 810 indicates a skip-edge obtained with a skip-chain clique template in a skip-chain CRF. Curved line 830 shows that the node labeled with the Start label is associated with the word “jobtitles” in input natural language query 802. Curved line 832 shows that the node labeled with the End label is associated with the word “managers” in input natural language query 802. As shown in FIG. 8, the word “account” does not have a corresponding skip-chain label, despite being labeled as a potential column value, because the skip-chain CRF did not identify the word “account” as being part of a column name/value pair); and causing the first formal language query to be executed (Varma, [0003], see the natural language query tool comprising cascaded CRFs (e.g., a linear-chain CRF and a skip-chain CRF applied sequentially) processes natural language input to produce output that can be used in database searches. For example, cascaded CRFs extract entities from natural language input that correspond to column names or column values in a database, and identify relationships between the extracted entities. The natural language query tool can then form a search string based on entity information (e.g., column value information). A database query can then be executed (e.g., by a search engine). For example, a search engine can execute a query based on a search string over an inverted index of a database, which can be based on one or more materialized views of the database. When results are received, the results can be sorted (e.g., according to relevance scores) and presented in a user interface, potentially along with other information (such as suggestions for corrections or modifications to a natural language query). Thompson, Kotaru and Varma are analogous art because they are from the same field of endeavor of processing data. It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, having the teachings of Thompson, Kotaru and Varma before him/her, to modify the query translation of the combination of Thompson and Kotaru to include requesting a formal language query of Varma because it would allow additional search requests. The suggestion/motivation for doing so would have been to provide a natural language interface for extracting data from databases, see Varma, [0003]. Therefore, it would have been obvious to combine Varma with the combination of Thompson and Kotaru to obtain the invention as specified in the instant claim(s). Claim(s) 11 and 16 recite(s) similar limitations to claim 1 and is/are rejected under the same rationale. With respect to claim 11, Thompson discloses a system comprising: a memory device (Thompson, [0015], see memory); and a processing device coupled to the memory device (Thompson, [0015], see processor). With respect to claim 16, Thompson discloses a non-transitory computer-readable storage medium (Thompson, [0015], see memory). Claims 2, 12 and 17 With respect to claims 2, 12 and 17, the combination of Thompson, Kotaru and Varma discloses further comprising: providing a user interface (UI) comprising one or more UI elements for receiving the request to search cybersecurity data, wherein the one or more UI elements is presented in a first area of the UI (Thompson, [0022], see a graphical user interface (GUI) of the plurality of protection parameters or application including the at least one least one output satisfying the at least one protection parameter, wherein the GAI model comprises an artificial neural network; and Thompson, Fig. 7A). Claims 3, 13 and 18 With respect to claims 3, 13 and 18, the combination of Thompson, Kotaru and Varma discloses further comprising: causing the first formal language query to be presented in a second area of the UI (Thompson, [0022], see a graphical user interface (GUI) of the plurality of protection parameters or application including the at least one least one output satisfying the at least one protection parameter, wherein the GAI model comprises an artificial neural network; and Thompson, Fig. 7A; and Varma, Fig. 7, steps 750 and 760, where it would be obvious to display results of intervening steps of the process). Claims 4, 14 and 19 With respect to claims 4, 14 and 19, the combination of Thompson, Kotaru and Varma discloses wherein the UI comprises one or more additional UI elements for receiving the request to provide feedback on the first formal language query (Thompson, [0357], see the GAI model, executed by the processing circuits and systems of the response system 130 of FIG. 25 , can analyze the questions and responses by the entity and access a vector database for the best answer, and then shows the recommended answer. Accepting or rejecting at 2606B can be used to retrain the GAI model to improve the model based on the feedback). Claim 5 With respect to claim 5, the combination of Thompson, Kotaru and Varma discloses further comprising: receiving a request to modify the formal language query, wherein the UI comprises one or more additional UI elements for receiving the request to modify the first formal language query (Varma, [0003], see, when results are received, the results can be sorted (e.g., according to relevance scores) and presented in a user interface, potentially along with other information (such as suggestions for corrections or modifications to a natural language query). Described tools and techniques can be used in a wide variety of applications to provide a natural language interface for extracting data from databases). Claim 6 With respect to claim 6, the combination of Thompson, Kotaru and Varma discloses wherein the one or more examples comprises a plurality of natural language queries and a corresponding plurality of formal language queries (Thompson, [0364], see supervised learning could be applied to examples where the correct input-output mappings are known (e.g., teaching the model to predict the necessary fields in a protection application based on the specifics of the cybersecurity information provided). This could be supplemented with unsupervised learning to discover patterns or categorizations within the cybersecurity data that are not directly labeled but can enhance the model's understanding and accuracy. Upon training, the GAI model can be used to automatically interpret and fill out protection parameters or applications accurately, using cybersecurity data from entities). Claims 7, 15 and 20 With respect to claims 7, 15 and 20, the combination of Thompson, Kotaru and Varma discloses wherein the prompt further comprises at least one of: a maximum number of tokens to generate for the first formal language query and a hyperparameter specifying a temperature value for generating the first formal language query (Thompson, [0192], [0193] and [0195], see discussion about tokenizing/tokenization; Thompson, [0268], see protection parameters; and Thompson, [0332], see protection and security parameters). Claim 8 With respect to claim 8, the combination of Thompson, Kotaru and Varma discloses further comprising: identifying one or more keywords in the natural language query (See below); and identifying, in a set of data comprising a plurality of examples for generating formal language queries, based on the one or more keywords, the one or more examples pertaining to the request (Varma, Abstract, see a natural language query tool comprising cascaded conditional random fields (CRFs) (e.g., a linear-chain CRF and a skip-chain CRF applied sequentially) processes natural language input to produce output that can be used in database searches. For example, cascaded CRFs extract entities from natural language input that correspond to column names or column values in a database, and identify relationships between the extracted entities [i.e., where the extracted entities that correspond to column names or column values in the database and the identified relationships, using BRI, are interpreted as the “embeddings” and the “one or more examples” and the mapping between the natural language to the formal query language, using BRI, is interpreted to be the “set of instructions”]. A search engine can execute queries based on output from the cascaded CRFs over an inverted index of a database, which can be based on one or more materialized views of the database. Results can be sorted (e.g., according to relevance scores) and presented in a user interface). Claim 9 With respect to claim 9, the combination of Thompson, Kotaru and Varma discloses further comprising: identifying one or more values of the chosen similarity metric (Thompson, [0195], see identifying and extracting relevant information to recognize patterns, relationships, or similarities; and Thompson, [0342], see the embedding system 2506 and/or response system 130 can update mapping parameters of the GAI model based on (1) an input by the entity computing system); and identifying, in a set of data comprising a plurality of examples for generating formal language queries, based on the one or more values of the chosen similarity metric, the one or more examples pertaining to the request (Varma, Abstract, see a natural language query tool comprising cascaded conditional random fields (CRFs) (e.g., a linear-chain CRF and a skip-chain CRF applied sequentially) processes natural language input to produce output that can be used in database searches. For example, cascaded CRFs extract entities from natural language input that correspond to column names or column values in a database, and identify relationships between the extracted entities [i.e., where the extracted entities that correspond to column names or column values in the database and the identified relationships, using BRI, are interpreted as the “embeddings” and the “one or more examples” and the mapping between the natural language to the formal query language, using BRI, is interpreted to be the “set of instructions”]. A search engine can execute queries based on output from the cascaded CRFs over an inverted index of a database, which can be based on one or more materialized views of the database. Results can be sorted (e.g., according to relevance scores) and presented in a user interface). Claim 10 With respect to claim 10, the combination of Thompson, Kotaru and Varma discloses wherein the first formal language query is to be executed to identify: (i) a malicious activity relating to the plurality of computing resources (Thompson, [0301], see analyzing the data for signs of malicious activity), (ii) a potential attack path relating to the plurality of computing resources (Thompson, [0375], see identifying patterns and methods used in cyber-attacks), or (iii) a security-related vulnerability relating to the plurality of computing resources (Thompson, [0305], see newly detected threats or vulnerabilities). Conclusion The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. – Blyumen et al., 2025/0103590 for embedding based heterogeneous dataset evaluation; – Hamilton et al., US 2024/0378223 for intent-driven query processing; – Weiser et al., 2025/0375711 for controlled interactive AI-drive question-and-answer generation based on physical game pieces; – Truong et al., 2024/0330279 for generating and correcting database queries using language models; – Tholar et al., 2025/0245665 for fraud analysis incorporating a large language model; – Patil et al., 2025/0190454 for prompt-based data structure and document retrieval; – Cui et al., 2024/0143680 for managing search engines based on search perform metrics; – Yates et al., 2025/0131042 for using generative AI models for content searching and generation of confabulated search results; and – Walia et al., CA 3008026 for managing natural language queries of customers. Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Point of Contact Any inquiry concerning this communication or earlier communications from the examiner should be directed to HUBERT G CHEUNG whose telephone number is (571)270-1396. The examiner can normally be reached M-R 8:00A-5:00P EST; alt. F 8:00A-4:00P EST. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Apu Mofiz can be reached at (571) 272-4080. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. HUBERT G. CHEUNG Assistant Examiner Art Unit 2161 Examiner: Hubert Cheung /Hubert Cheung/Assistant Examiner, Art Unit 2161Date: April 6, 2026 /APU M MOFIZ/Supervisory Patent Examiner, Art Unit 2161