DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 2/20/2026 has been entered.
Response to Arguments
Applicant’s arguments with respect to claim(s) 1-20 have been considered but are moot because of the new ground of rejection.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Elsner, publication number: US 2019/0349391 in view of Danielson, publication number: US 2016/0261622.
As per claim 1, Elsner teaches a method comprising:
determining, by a processing device, one or more clusters of entities coupled to a network, the one or more clusters of entities determined based on entity behavior (learned group, [0006]); and
determining, by the processing device, an anomaly associated with an entity coupled to the network based on the one or more clusters of entities (deviation from known data, [0007][0049], network, [0018]).
Elsner does not teach the entities having similar network communication behavior and wherein the anomaly is based at least in part on a manner of communication of the entity within a time period in comparison to a manner of communication of the one or more clusters of entities.
In an analogous art, Danielson teaches the entities having similar network communication behavior and wherein the anomaly is based at least in part on a manner of communication of the entity within a time period in comparison to a manner of communication of the one or more clusters of entities (creating clusters [0047], using device data over time to determine cluster transitions and anomalous events, [0031], monitoring source and destination of data sent and received by the device, [0028], notifying administrator of detected anomalies, [0039]).
Therefore, it would have been obvious to one of ordinary skill in the art, prior to the effective filing date of the claimed invention to modify Elsner’s behavior deviation detection system to include clustering based on patterns as described in Danielson’s anomaly detection system for the advantage of speeding up the anomaly identification process.
As per claim 2, the combination teaches performing an action associated with at least one entity of a cluster of the one or more clusters (Elsner: Issuing an alert, [0050]).
As per claim 3, the combination teaches wherein determining the anomaly associated with the entity is further based on entity behavior comprising one or more of network communications, traffic flows, events, dynamic events, or alerts associated with an entity coupled to the network (Elsner: network traffic, [0038], Danielson: using device data over time to determine cluster transitions and anomalous events, [0031]).
As per claim 4, the combination teaches wherein the one or more clusters of entities are further determined based on properties associated with the entities (Elsner: Behavior, [0006][0048]).
As per claim 5, the combination teaches wherein the one or more clusters are further determined based on security information associated with the entities (Elsner: security information, [0007][0036][0042]).
As per claim 6, the combination teaches wherein the one or more clusters are further determined based on a rule-based policy defined by user input (Elsner: Security policy, [0048]).
As per claim 7, the combination teaches determining a typical behavior associated with entities within each of the one or more clusters of entities; and
determining one or more communications of the entity that do not correspond to a cluster in which the entity is grouped (Elsner: Compare to history, [0048-0049][0068]).
As per claim 8, the combination teaches wherein determining the anomaly associated with the entity comprises:
detecting that the entity is communicating using a spoofed MAC address or that the entity is behaving like a different type of entity than defined by a cluster in which the entity is grouped (Elsner: Different behavior, [0050]).
As per claim 9, the combination teaches wherein determining the anomaly associated with the entity comprises:
determining that the entity is receiving or sending an amount of data that does not correspond to the cluster in which the entity is grouped (Elsner: expected behavior and accessing information, [0050]).
As per claim 10, the combination teaches determining one or more segments to separate entities of the network based on the one or more clusters (Elsner: groups based on access patterns, [0050]).
Claims 11-17 are rejected based on claims 1-9.
Claims 18-20 are rejected based on claims 1-2 and 7.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to OLUGBENGA O IDOWU whose telephone number is (571)270-1450. The examiner can normally be reached Monday-Friday 8am - 5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jung Kim, can be reached at 571-272-3804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/OLUGBENGA O IDOWU/Primary Examiner, Art Unit 2494