Prosecution Insights
Last updated: April 19, 2026
Application No. 18/506,423

SYSTEMS AND METHODS FOR GENERATING AN INNOVATIVE USER INTERFACE FOR ENDPOINT DETECTION AND RESPONSE (EDR) SYSTEMS

Non-Final OA: §103, §112
Filed: Nov 10, 2023
Examiner: MARTINEZ, TOMMY NMN
Art Unit: 2496
Tech Center: 2400 — Computer Networks
Assignee: Acronis International GmbH
OA Round: 3 (Non-Final)
Grant Probability: 0% (At Risk)
OA Rounds: 3-4
To Grant: 3y 1m
With Interview: 0%

Examiner Intelligence

Career Allow Rate: 0% (0 granted / 4 resolved; -58.0% vs TC avg)
Interview Lift: +0.0% (minimal lift, based on resolved cases with interview)
Avg Prosecution: 3y 1m (typical timeline); 30 currently pending
Total Applications: 34 across all art units (career history)

Statute-Specific Performance (allowance rate by statute, difference vs Tech Center average estimate)

§101: 3.1% (-36.9% vs TC avg)
§102: 20.5% (-19.5% vs TC avg)
§103: 44.3% (+4.3% vs TC avg)
§112: 32.1% (-7.9% vs TC avg)
Based on career data from 4 resolved cases.

Office Action

§103 §112
Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114

A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on November 20, 2025 has been entered.

Response to Arguments

Applicant's arguments filed November 20, 2025 have been fully considered but they are not persuasive.

On page 1 of the remarks, Applicant states that claims 6, 8, 17, and 19 were rejected under 35 U.S.C. 112(b) ("112(b)"), with claims 6 and 17 rejected for the term "determined value of importance" being relative and lacking an objective boundary; Applicant states that support can be found in paragraphs [0042] and [0065], and that "importance" is a processor-assigned "importance level" that uses predefined, quantized tiers and is used as a multiplicative weight. Applicant amends the claims to replace "determined value of importance" with "an importance score selected from predefined tiers indicative of system-criticality [...]". Furthermore, Applicant states that "security definition" in claims 8 and 19 was rejected as an undefined relative term, with Applicant stating that support is found in paragraphs [0056] and [0061]. Applicant amends the claim to replace "security definition" with "a malware detection signature identifier used by malware detector [...]", with further support found in paragraph [0039] for the malware detector. Applicant makes these clarifications to cure any ambiguity previously in the claims without altering scope or introducing new matter in the claims.

Examiner withdraws the rejections of the claims under 112(b), as the amended claims 6, 8, 17, and 19 are definite and also have support in the Specification of the Applicant.

In pages 2-4 of the remarks, Applicant states that claims 1, 4-12, and 15-20 remain rejected under 35 U.S.C. 112(a) ("112(a)") as failing to comply with the written description requirement, that the Final Office Action ("OA") restates the previous position that the claims are not described "in such a way as to reasonably convey" possession, and that the Specification conveys possession of each disputed limitation. For claims 1, 12, and 20, the process of determining maliciousness apart from malware detector 102 is stated in paragraph [0039], and paragraphs [0057]-[0060] further describe the process of detecting and showing a real-time UI behavior based on the determinations; Applicant states it is not a "mere restatement", as it teaches the module, its role in the pipeline, and when the processor invokes the module. "Additional information" content and display (from claims 7-8 and 18-19) are given a description in paragraphs [0056], [0061], and Fig. 3, and "timeline highlight and time window link to a branch" (from claims 10-11) are stated in paragraphs [0047], [0068], and Fig. 2.

Examiner states that in claims 1, 12, and 20, the limitation of "determining whether any of the source object or the target object is a malicious object", as described in paragraph [0057], is further described in paragraphs [0058]-[0060] and Fig. 4, but the Specification does not elaborate on step 406 of Fig. 4 as to how the invention determines if any of the source object and the target object is a malicious object. The limitation of "determining whether any of source object [...] is a malicious target" is also a mere repetition of the Specification, as it is unclear how a user interface generator 106 determines an object to be malicious in step 406 of Fig. 4, and how the invention determines whether "word.exe" or "powershell.exe" is malicious based on actions performed in the example provided in paragraph [0057]. Finally, the Specification does not describe the limitation of "determining whether any of source object [...] is a malicious target" at all, and without any clarification the independent claims fail to meet the requirements of '2161.01 Computer Programming, Computer Implemented Inventions, and 35 U.S.C. 112(a)' in the MPEP, as there is not an adequate description for the claim limitation in the Specification: it merely repeats the claim language, does not provide a sufficient explanation as to how the invention performs the determination of a malicious object with a user interface generator 106, and no algorithm for step 406 of Fig. 4 is provided. Furthermore, claim 8 and 19's limitation of "additional information" content and display, which is stated in window 302, listing information on a name of the object, a verdict of maliciousness, and the severity of the malicious activity, is shown in paragraph [0056], with paragraph [0061] repeating the additional information present in window 302, which appears to disclose the limitations in claims 8 and 19. Finally, in claim 11, for the "generating, for display on the graphical user interface" limitations, paragraph [0047] describes a user hovering over a time window 210 by a pointing cursor on the rightmost bar in Fig. 2. Paragraph [0068] further supports the claimed limitations and Fig. 2. As a result, Examiner maintains the rejection under 112(a) for the independent claims, but removes the limitations of claims 8/19 and claim 11 from the rejection.
On page 4 of the remarks, Applicant states that Murphy does not disclose "summary templates", and that Examiner turned to Gamble, which does not disclose or suggest natural-language "summary templates", template selection keyed to the branch triplet, or populating text fields with identifiers to generate a user-facing dialogue. Applicant further states that Gamble discloses analytics over graphs of security events, producing graph-based encodings with descriptive data such as severity, probability, event phase, and anomaly flags, with Figs. 3-6 and the accompanying text describing security events, graph processing, and time-anomaly analysis. Applicant states that Gamble's figures are graphical plots and timelines, that its "descriptive data" are structured numeric/label data for analytics, not UI text templates, that Murphy's UI features are not the claimed template-driven summaries, and that the auto-playing of a process tree does not correspond to a natural-language "dialogue" summary generated by selecting and filling out "summary templates".

Examiner disagrees with Applicant regarding Gamble's lack of "summary templates" and its characterization as graphical plots and timelines. Examiner points to Fig. 6 of Gamble and [Col. 11, lines 47-58], where events are linked as either independent or dependent elements of a small 'chain'; together with Fig. 4 of Murphy, where a user clicks on a process on a branch that contains both a parent and a child process and details are given for the processes, this corresponds to determining a summary template from multiple summary templates as claimed by Applicant, along with describing attack events. As for the motivation, the rationale that a visualization of how events relate to other events gives users an idea as to what processes can be affected is stated by Gamble [Col. 11, lines 34-58]. Examiner maintains the rejections of the independent claims 1, 12, and 20.

For dependent claims 4 and 15, Applicant states that Murphy's detail panels show process data and highlight key events, but that neither Murphy nor Gamble teaches the "attack summary [...] comprises visual identifiers of the at least one malicious object and the target objects [...]", and that the cited references do not establish the element of the "attack summary" comprising identifiers. Examiner disagrees, as Murphy's paragraph [0049] has each line in a process tree represent an action in the tree region 402 of Figure 4. The tree region 402 corresponds to the attack summary of Applicant, and the target objects are shown that are affected by the malicious 'parent' object that has been selected. The target objects correspond to the identifiers of Applicant.

Furthermore, dependent claims 5/16 and 6/17 recite 'determining a severity level based on an amount of target objects affected', and a 'severity level' being a function of an importance of each target object and a type of action applied on each target object, respectively. Applicant states that Gamble's "severity", "probability", or "risk" is a chain-level analytic label applied in graph analytics, and does not disclose the claimed per-target-object multiplicative function. To further clarify the meaning of the term "importance" and further distinguish from Gamble, claims 6/17 have been amended to recite that "the importance being an importance score selected from predefined tiers", with support found in paragraph [0042] of the Specification as filed, and Applicant states that Gamble does not disclose nor suggest this subject matter. Examiner disagrees, as the combination of Murphy in view of Gamble also teaches the severity level based on "an amount of target objects affected", with [Col. 13, lines 4-6] of Gamble, where security platform 100 determines an event's severity; combining Gamble with Murphy's paragraph [0040] and Fig. 1, where relevant information, including processes and events, is shown from the alerts, teaches the limitations of Applicant in claims 5/16. As for claims 6/17, the amended limitation of "the importance being an importance score [...]" is taught by [Col. 12, line 67-Col. 13, line 3]: each event can be assigned a score by how severe a threat is, events can also be weighted to indicate how likely an event is not a false positive, Figure 4 displays properties of events, and the Specification in [Col. 12, lines 40-43] with Figure 6 describes an overall security score that can be utilized by the invention of Gamble. The overall security score can be used to indicate a security incident occurring across an aggregate of events. As a result, Examiner maintains the rejections of claims 5/16 and 6/17.

For claims 7/18, Applicant states that Murphy's detail region 404/424 does not point to an actual malicious-object detail window with the claimed content, and that disclosure as a set in a malicious-object window is not shown. For claims 8/19, 'additional information' expressly includes a 'verdict on maliciousness, a reason of detection, [...]', and the Office Action relies on Murphy for date and command line as a 'tactic', and on Gamble for a 'verdict on maliciousness'; Applicant states that a 'probability not a false positive' is not a 'verdict on maliciousness' of an object as displayed to the user. Claims 10-11 describe a linking of timeline 'time indicators' to 'respective branches' and the behavior of highlighting a first branch corresponding to the selected indicator and displaying a 'time window'; Murphy's timeline/event panels would need a precise mapping to branch-level correspondence, and Applicant states that Murphy does not show a per-branch highlight linkage anchored to the branch's first action in the manner claimed. Applicant states that the cited prior art does not disclose all elements of the dependent claims, with the mapping being incomplete or conflating chain-level analytics with object-level UI mechanics.

Claims 7/18 are taught by Murphy, as the selection of a visual identifier associated with at least one malicious object and the generation of a window with additional information about the malicious object are stated in Murphy's paragraphs [0049] and [0051], with dots in a tree region 402 showing malicious processes. Claims 8/19 are also taught by Murphy's paragraph [0023], with dates and times associated with a process, and a command line shown in detail region 204 corresponding to tactics used for malicious activities. Furthermore, the limitation of "a malware detection signature identifier used by malware detector" is disclosed by Murphy in paragraphs [0023], [0026], and [0028], in particular with identifiers including MD5 hash, signatures, process IDs, or other types of identifiers, and with Murphy's analyst device being used for detecting impersonation, in an example, with MD5 signatures for the process being performed; the analyst device can determine alerts by an anti-virus or other detection software being used to detect malicious objects. Finally, claims 10 and 11 demonstrate a per-branch linkage anchored to the branch's first action in the manner shown in a GUI, with paragraph [0050] of Murphy showing event region 410, where information for selected events from the timeline 408 can be displayed, and the process tree region 402 further showing a process displaying further branches to other processes in Fig. 4. Examiner maintains the rejections of claims 1, 4-12, and 15-20 based on Murphy in view of Gamble.
Finally, Applicant states that even if Murphy's process-tree UI is combined with Gamble's graph analytics, the Office must explain why a person of ordinary skill in the art (POSITA) would have combined them to yield the natural-language, template-selected "attack summary" keyed to the branch's action/source/target triplet and the specific severity function tied to target-count and other functions as UI outputs of Murphy. Examiner states that further support for the combination can be found in Gamble [Col. 12, lines 49-57]: events can be categorized using a framework such as Lockheed Martin Cyber Kill Chain™ or MITRE attack Framework™, the sequence of events can fit into a framework's attack progression, and events can be prioritized by security platform 100 through a scoring/ranking system, which can be integrated into a GUI and identify attacks happening in a system or network.

Claim Rejections - 35 USC § 112(a)

The following is a quotation of the first paragraph of 35 U.S.C. 112(a):

(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112:

The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 1, 4-12, and 15-20 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.

Regarding claim 1, there is no description provided in the specification as to how the method performs 'determining whether any of the source object or the target object is a malicious object'. Paragraph [0057] provides no description as to how it is determined whether an object is malicious apart from using malware detector 102 from Fig. 1 in the process of Fig. The limitation of "determining whether any of source object [...] is a malicious target" is also a mere repetition of the Specification, as a person of ordinary skill in the art would not understand how to make or use the invention with regard to the determination of source or target objects being malicious, as it is unclear how a user interface generator 106 determines an object to be malicious in step 406 of Fig. 4, and how the invention determines whether "word.exe" or "powershell.exe" is malicious based on actions performed in the example provided in paragraph [0057].

Regarding claims 4-11, dependent claims inherit the deficiencies of their respective independent claim, and therefore claims 4-11 inherit the deficiencies of claim 1 as recited above.

Regarding claim 12, the limitations of this claim are similar to claim 1, and therefore the deficiencies of claim 1 are shared with claim 12.

Regarding claims 15-19, dependent claims inherit the deficiencies of their respective independent claim, and therefore claims 15-19 inherit the deficiencies of claim 12 as recited above.
Regarding claim 20, the limitations of this claim are similar to claim 1, and therefore the deficiencies of claim 1 are shared with claim 20.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 4-12, and 15-20 are rejected under 35 U.S.C. 103 as being unpatentable over Murphy et al. (US 20210294896 A1), hereinafter Murphy, in view of Gamble et al. (US 11212299 B2), hereinafter Gamble.

Regarding claim 1, Murphy discloses 'a method for generating a user interface for endpoint detection and response (EDR) systems, the method comprising: detecting a plurality of actions performed on a computing device' ([0020] Fig. 1, method 100 is an instance of endpoint detection and response attack tree analysis. [0023] Fig. 1, when analysis is complete for alerts, the process moves to block 120 to display a full flow of an attack, as seen in Figs. 2-5.); 'for each respective action of the plurality of actions: identifying a source object performing the respective action and a target object on which the respective action is performed' ([0049] Fig. 4, each line in a process tree represents an action in tree region 402, and each dot represents an object, wherein dots that are left of a line correspond to a source object of Applicant, and dots right of a line correspond to a target object.); 'determining whether any of the source object or the target object is a malicious object' ([0051] Fig. 4 shows a malware attack at play, which corresponds to a source object being a malicious object. Furthermore, a malicious child object is shown as 'downloader.exe' in the attack tree.); 'in response to detecting at least one malicious object, generating, for display on a graphical user interface, an attack chain comprising a plurality of branches associated with the at least one malicious object, wherein each branch of the plurality of branches comprises a first visual identifier of a respective source object, a second visual identifier of a respective target object, and a third visual identifier of a respective action' ([0040] Fig. 1, an attack tree is shown when all alerts have been processed for displaying a full flow of an attack tree. [0049] Fig. 4, an attack tree is displayed, wherein an attack tree corresponds to an attack chain of Applicant. Furthermore, a plurality of processes is shown as lines connecting dots, wherein lines, representing connections of processes, correspond to the 'third visual identifier of a respective action' connecting two objects together. Processes correspond to objects of Applicant, wherein dots that are left of a line correspond to the 'first visual identifier of a source object', and dots which are right of a line correspond to the 'second visual identifier of a target object', respectively.); 'generating, on the graphical user interface, a fourth visual indicator of the at least one malicious object on the attack chain' ([0051] A malicious child process 'downloader.exe' is shown as a malicious PDF file is run through an Adobe Reader process, the malicious child process corresponding to a fourth visual indicator of the at least one malicious object on the attack chain. Key events and processes are highlighted along the way, which fulfills the requirement of marking at least one malicious object of Applicant. A full flow is created from a beginning program, with the malicious child process 'downloader.exe' being created as part of the full flow, corresponding to generating a fourth visual indicator on the graphical user interface of Applicant.); 'generating, for display on the graphical user interface, an attack summary comprising a dialogue describing an origin of the at least one malicious object and target objects affected by the at least one malicious object by' ([0043] Fig. 2, detail region 204 shows an area of user interface 200 with additional details of a process. This can include the time at which the process started, corresponding to an origin of the at least one malicious object, and as described in paragraph [0040], additional details can be highlighted associated with other processes that connect with other processes, with detail region 204 being an example of what types of details can be shown. Paragraph [0040] stating that other related processes can be displayed corresponds to target objects also being shown that are affected by the at least one malicious object of Applicant.); 'identifying a branch in the attack chain' ([0040] Additional details include processes which connect other processes together, which corresponds to identifying a branch in the attack chain of Applicant.); 'at least one of an action, a source object, and a target object of the branch' (In [0049], Fig. 4 of Murphy, a user clicks on a process on a branch, wherein a process has a parent and a child process, with lines corresponding to an action, and details are stated regarding a process, including what process the clicked process depends from, and what is dependent upon the clicked process.); 'and populating the fields with identifiers extracted from the branch to generate the dialogue' ([0040] Fig. 1, block 120, the full flow of the attack is displayed, with relevant files, events, and processes highlighted in block 114 for each alert.).

Murphy does not appear to disclose, but Gamble teaches the method of 'determining, from a plurality of summary templates, a summary template that corresponds to the branch based on at least one of an action, a source object, and a target object of the branch, wherein the summary template comprises text describing an attack event and fields for entering identifiers of the action, the source object, and the target object of the branch' (Taking Fig. 6 of Gamble into account in section [Col. 11, lines 47-58], events are linked as either independent or dependent elements of a small 'chain', where this is detailed to a user, and where the events correspond to the multiple summary templates of Applicant. Integrating this aspect of Gamble into Murphy teaches the limitations of claim 3 of Applicant, including a unique identifier for users or machines in [Col. 10, lines 42-47] of Gamble, wherein the letters in Figs. 4-6 of Gamble are placeholders. Fig. 4 of Murphy, stating that a user clicks on a process on a branch that contains both a parent and a child process, and details are given for the processes, corresponds to determining a summary template from multiple summary templates, and involves describing attack events of Applicant.).

Accordingly, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention, having the teachings of Murphy and Gamble before them, to include Gamble's 'determining, from a plurality of summary templates, a summary template that corresponds to the branch based on at least one of an action, a source object, and a target object of the branch, wherein the summary template comprises text describing an attack event and fields for entering identifiers of the action, the source object, and the target object of the branch' in Murphy's method performing 'generating an innovative user interface for endpoint detection and response (EDR) systems, the method comprising: detecting a plurality of actions performed on a computing device'. One would have been motivated to make such a combination to increase efficiency, as a visualization of how events are related to other events gives users some idea as to what can be affected, even at a cursory glance, as taught by Gamble [Col. 11, lines 34-58].

Regarding claim 4, Murphy and Gamble teach the limitations of claim 1 as recited above. Murphy also discloses 'wherein the attack summary comprises visual identifiers of the at least one malicious object and the target objects affected by the at least one malicious object' ([0049] Fig. 4, each line in a process tree represents an action in tree region 402, and a user can click on a process, where in tree region 402, target objects are shown that are affected by the malicious 'parent'/'source' object selected.).

Regarding claim 5, Murphy and Gamble teach the limitations of claim 1 as recited above. Murphy does not appear to disclose, but Gamble teaches 'determining a severity level associated with the at least one malicious object based on an amount of target objects affected by the at least one malicious object' (In [Col. 13, lines 4-6] of Gamble, security platform 100 can determine whether a score of an attack chain is based on whether an event is a false positive, and the severity of the event. Combined with paragraph [0040] of Murphy, additional details can be highlighted associated with other processes that connect with other processes, with detail region 204 being an example of what types of details can be shown, wherein the events seen in Gamble, Fig. 4, can work in conjunction with the amount of processes linked with other processes in Murphy.); 'and generating the severity level for display on the graphical user interface' (In [Col. 13, lines 4-6] of Gamble, security platform 100 can determine a severity of the event. Combined with paragraph [0040] of Murphy, where additional details can be displayed, both passages teach the limitations of claim 5 of Applicant.).
Accordingly, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention, having the teachings of Murphy and Gamble before them, to include Gamble's 'determining a severity level associated with the at least one malicious object based on an amount of target objects affected by the at least one malicious object' and 'generating the severity level for display on the graphical user interface' in Murphy's method performing 'generating an innovative user interface for endpoint detection and response (EDR) systems, the method comprising: detecting a plurality of actions performed on a computing device'. One would have been motivated to make such a combination to enhance security, as a severity level can indicate how dangerous an event is such that a user can take action to mitigate an event from occurring, as stated in [Col. 13, lines 4-6].

Regarding claim 6, Murphy and Gamble teach the limitations of claim 1 as recited above. Murphy does not appear to disclose, but Gamble teaches 'wherein the severity level is a function of a determined value of importance of each target object, the importance being an importance score selected from predefined tiers indicative of system-criticality assigned to each target object, and a type of action applied on each target object by the at least one malicious object' (From [Cols. 15-16, line 33] onwards, a table spanning multiple pages is shown. In [Cols. 17-18], "page_rank" is used as a determined value of importance of a connection in graph theory. In [Col. 13, lines 4-6], security platform 100 can determine whether a score of an attack chain is based on whether an event is a false positive, and the severity of the event. [Col. 12, line 67-Col. 13, line 3] Each event can be assigned a score by how severe a threat is. Events can also be weighted to indicate how likely an event is not a false positive. Fig. 4 shows properties (408, 410, 412) of events, such as severity level and probability, with Fig. 6 describing that an overall security score can be used, as stated in [Col. 12, lines 40-43].). Accordingly, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention, having the teachings of Murphy and Gamble before them, to include Gamble's 'wherein the severity level is a function of a determined value of importance of each target object and a type of action applied on each target object by the at least one malicious object' in Murphy's method performing 'generating an innovative user interface for endpoint detection and response (EDR) systems, the method comprising: detecting a plurality of actions performed on a computing device'. One would have been motivated to make such a combination to enhance security by assigning a ranking or score as to how severe an event is, so that a response can be taken before attackers can exploit the issue, as stated in Gamble [Col. 12, line 67]-[Col. 13, line 3].

Regarding claim 7, Murphy and Gamble teach the limitations of claim 1 as recited above. Murphy also discloses 'receiving a selection of a visual identifier associated with the at least one malicious object' ([0049] A plurality of processes are shown as dots in a tree region 402, wherein the processes are considered malicious. [0051] Fig. 4 shows a malware attack at play, which corresponds to a source object being a malicious object. Furthermore, a malicious child object is shown as 'downloader.exe' in the attack tree.); 'in response to receiving the selection, generating, for display on the graphical user interface, a window that includes additional information about the at least one malicious object' ([0049] Fig. 4, when a process is clicked in tree region 402, detail region 404 is shown, which shows more details about the process, which is considered a malicious object.).
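The claim language above describes a pipeline: action triplets (source, action, target) are collected, objects with a malicious verdict are identified, the branches connecting the malicious object to its origin and to the objects it affected form the attack chain, a summary template keyed to the branch is populated with identifiers, and a severity level is derived from the number of affected targets, a tiered importance score per target, and the type of action applied. The Python below is an added worked example written for this page; it is not code from the application, from Murphy, or from Gamble. The telemetry, detector verdicts, template texts, importance tiers, action weights, and severity thresholds are all constructed assumptions chosen to exercise the pipeline, and the "fourth visual indicator" is reduced to a text marker on the summary line. It also handles an edge case the text does not discuss: with no malicious verdict at all, the chain is empty rather than the whole process tree.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample telemetry as (source, action, target) triplets. The names
# are illustrative placeholders, not data from the application or the references.
SAMPLE_ACTIONS: List[Tuple[str, str, str]] = [
    ("winword.exe", "spawn", "powershell.exe"),
    ("powershell.exe", "download", "downloader.exe"),
    ("downloader.exe", "write", "C:\\Users\\alice\\AppData\\Local\\svc.dll"),
    ("downloader.exe", "modify_registry", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"),
    ("explorer.exe", "spawn", "notepad.exe"),  # unrelated benign activity, must be dropped
]

# Constructed detector verdicts: a stand-in for an external malware detector's output.
DETECTOR_VERDICTS: Dict[str, str] = {"downloader.exe": "malicious"}

# Assumed predefined importance tiers and per-action weights (made-up values).
IMPORTANCE_TIERS: Dict[str, int] = {"user": 1, "system": 3}
ACTION_WEIGHTS: Dict[str, int] = {"spawn": 1, "download": 2, "write": 2, "modify_registry": 3}

# Assumed summary templates keyed by action type, with fields for the triplet.
SUMMARY_TEMPLATES: Dict[str, str] = {
    "spawn": "{source} started the process {target}.",
    "download": "{source} downloaded {target} from the network.",
    "write": "{source} wrote the file {target}.",
    "modify_registry": "{source} modified the registry value {target}.",
}
DEFAULT_TEMPLATE = "{source} performed {action} on {target}."


@dataclass(frozen=True)
class Branch:
    source: str
    action: str
    target: str
    malicious: bool  # True when either endpoint carries a malicious verdict


def _closure(actions, seed: Set[str], forward: bool) -> Set[str]:
    """Objects reachable from seed by following actions forward (source->target)
    or backward (target->source); the fixed-point loop handles chains of any depth."""
    reached = set(seed)
    changed = True
    while changed:
        changed = False
        for src, _, tgt in actions:
            frm, to = (src, tgt) if forward else (tgt, src)
            if frm in reached and to not in reached:
                reached.add(to)
                changed = True
    return reached


def build_attack_chain(actions, verdicts) -> List[Branch]:
    """Keep the branches that connect a malicious object to its origin (ancestors)
    and to the objects it affected (descendants); unrelated activity is dropped.
    With no malicious verdict the chain is empty."""
    malicious = {obj for obj, v in verdicts.items() if v == "malicious"}
    involved = _closure(actions, malicious, True) | _closure(actions, malicious, False)
    return [
        Branch(src, act, tgt, malicious=(src in malicious or tgt in malicious))
        for src, act, tgt in actions
        if src in involved and tgt in involved
    ]


def select_template(branch: Branch) -> str:
    """Template selection keyed to the branch's action type."""
    return SUMMARY_TEMPLATES.get(branch.action, DEFAULT_TEMPLATE)


def attack_summary(chain: List[Branch]) -> List[str]:
    """Populate each selected template with identifiers extracted from the branch."""
    return [
        select_template(b).format(source=b.source, action=b.action, target=b.target)
        for b in chain
    ]


def importance_tier(target: str) -> int:
    """Assumed tier assignment: registry hives and system paths count as system-critical."""
    system_critical = target.startswith("HK") or "\\Windows\\System32\\" in target
    return IMPORTANCE_TIERS["system" if system_critical else "user"]


def severity_level(chain: List[Branch], verdicts) -> Dict[str, object]:
    """Severity from (a) how many distinct targets a malicious object acted on and
    (b) the sum over those branches of importance tier x action weight."""
    malicious = {obj for obj, v in verdicts.items() if v == "malicious"}
    hits = [b for b in chain if b.source in malicious]
    targets = {b.target for b in hits}
    score = sum(importance_tier(b.target) * ACTION_WEIGHTS.get(b.action, 1) for b in hits)
    level = "high" if score >= 9 else "medium" if score >= 4 else "low"
    return {"targets_affected": len(targets), "score": score, "level": level}


if __name__ == "__main__":
    chain = build_attack_chain(SAMPLE_ACTIONS, DETECTOR_VERDICTS)
    for b, line in zip(chain, attack_summary(chain)):
        print(("[!] " if b.malicious else "    ") + line)  # "[!]" marks malicious branches
    print(severity_level(chain, DETECTOR_VERDICTS))
```

Running the block prints four summary lines (the benign explorer.exe branch is excluded) and a severity of two targets affected with score 11, which the assumed thresholds rate as high: the write to a user-tier DLL contributes 1 x 2 and the Run-key modification contributes 3 x 3. The thresholds, tiers and weights are the tunable part; a real deployment would take them from policy rather than from constants.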
Regarding claim 8, Murphy and Gamble teach the limitations of claim 1 as recited above. Murphy also discloses 'wherein the additional information includes a reason of detection, a tactic used for malicious activity, a detection date, and a malware detection signature identifier used by malware detector to detect the at least one malicious object' ([0023] Dates and times are associated with a file or process, including an access time, corresponding to a detection date of Applicant. A command line shown in a detail region 204 corresponds to a tactic used for malicious activity, as that is what a process utilizes to execute on a system. Furthermore, a hash or identifier such as an MD5 corresponds to a security definition used to detect the at least one malicious object of Applicant. In paragraph [0022], a file alert can indicate that a file contains malware, a link to malware, or otherwise is associated with malware, and can be included in the details in paragraph [0023], corresponding to a reason of detection when found. [0023] Identifiers include MD5 hash, signatures, process IDs, etc. [0028] An alert for a device in the impersonation example can contain an MD5 signature for a process, and is performed by the analyst device. The analyst device determines alerts via an anti-virus or other detection software, as stated in [0026].). Murphy does not appear to fully disclose, but Gamble also teaches the limitation of 'a verdict on maliciousness' ([Col. 12, line 67]-[Col. 13, line 3] Fig. 4, the probability score is a statement of the possibility that an event is not a false positive, indicating that an event is considered malicious, corresponding to a verdict on maliciousness of Applicant.).

Accordingly, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention, having the teachings of Murphy and Gamble before them, to include Gamble's 'a verdict on maliciousness' in Murphy's method performing 'generating an innovative user interface for endpoint detection and response (EDR) systems, the method comprising: detecting a plurality of actions performed on a computing device'. One would have been motivated to make such a combination to enhance security, as descriptive data comprises a risk rating, or a probability indicating the likelihood that a security event is a false positive, included to indicate what the probability is of a potential issue occurring, as stated in Gamble [Col. 6, lines 19-25].

Regarding claim 9, Murphy and Gamble teach the limitations of claims 1 and 7 as recited above. Murphy also discloses 'in response to receiving the selection, modifying visual identifiers not directly associated as source objects or target objects with the at least one malicious object such that the attack chain solely depicts visual identifiers of the at least one malicious object' ([0042] Fig. 2 shows a process tree and selected detail of a process, which can be used in conjunction with displaying the full flow shown in Fig. 4, described in paragraph [0051], and Fig. 4 shows a malware attack at play, which corresponds to a source object being a malicious object. [0042] When used in conjunction with Fig. 4's full flow display, Fig. 2 shows a few processes that are directly related to a selected process, wherein a process to the left is a 'source object' of Applicant, and a process to the right is a 'target object' of Applicant.).

Regarding claim 10, Murphy and Gamble teach the limitations of claim 1 as recited above. Murphy also discloses 'generating, for display on the graphical user interface, a timeline associated with the attack chain, wherein each time indicator of the timeline corresponds to a respective branch of the attack chain' ([0050] Fig. 4, timeline 408 is populated with dots that represent events, with events related to processes linked together, and placed at approximately different times in the timeline.).

Regarding claim 11, Murphy and Gamble teach the limitations of claims 1 and 10 as recited above. Murphy also discloses 'receiving a selection of a first time indicator on the timeline' ([0051] Key events and processes are highlighted along the way, which fulfills the requirement of marking at least one malicious object of Applicant.); 'generating, for display on the graphical user interface, a highlighting visual on a first branch corresponding to the first time indicator' ([0050] Selected events on the timeline 408 can be displayed in event region 410, corresponding to highlighting visually in accordance with Applicant.); 'and generating, for display on the graphical user interface, a time window depicting a timestamp of when a first action of the first branch was performed' ([0050] As events are displayed in event region 410 during a timeframe, a first action of a first branch is performed and is in the event region 410.).

Regarding claim 12, Murphy and Gamble teach limitations similar to independent claim 1, and therefore the rejections of claim 1 are shared with claim 12. Murphy also discloses 'a system for generating a user interface for endpoint detection and response (EDR) systems, comprising: at least one memory;' ([0020] Fig. 1, method 100 is an instance of endpoint detection and response attack tree analysis. [0023] Fig. 1, when analysis is complete for alerts, the process moves to block 120 to display a full flow of an attack, shown in Figs. 2-5. [0056]-[0057] Fig. 6, Memory 630. [0056] Fig.
6 shows a system of an invention of Murphy.); ‘and at least one hardware processor coupled with the at least one memory and configured, individually or in combination, to: detect a plurality of actions performed on a computing device’ ([0056]-[0057] Fig. 6, CPU 605 is coupled to a memory 630 via an interconnect/bus 620. [0023] Fig. 1, when analysis is complete for alerts, process moves to block 120 to display a full flow of an attack, shown in Figs. 2-5.); Regarding claim 15, Murphy and Gamble teach the limitations of claim 12 as recited above. Murphy and Gamble teach limitations similar to dependent claim 4 above, and shares the rejections of claim 4 stated above. Regarding claim 16, Murphy and Gamble teach the limitations of claim 12 as recited above. Murphy and Gamble teach limitations similar to dependent claim 5 above, and shares the rejections of claim 5 stated above. Regarding claim 17, Murphy and Gamble teach the limitations of claim 12 as recited above. Murphy and Gamble teach limitations similar to dependent claim 6 above, and shares the rejections of claim 6 stated above. Regarding claim 18, Murphy and Gamble teach the limitations of claim 12 as recited above. Murphy and Gamble teach limitations similar to dependent claim 7 above, and shares the rejections of claim 7 stated above. Regarding claim 19, Murphy and Gamble teach the limitations of claim 12 as recited above. Murphy and Gamble teach limitations similar to dependent claim 8 above, and shares the rejections of claim 8 stated above. Regarding claim 20, Murphy and Gamble teach limitations similar to independent claim 1, and therefore, the rejections of claim 1 are shared with claim 12. 
Murphy discloses ‘a non-transitory computer readable medium storing thereon computer executable instructions for generating a user interface for endpoint detection and response (EDR) systems, including instructions for: detecting a plurality of actions performed on a computing device’ ([0092] Computer readable storage medium/media containing program instructions for a processor to carry out the invention. [0093] describes varying types of media, including RAM, ROM, a hard disk, a compact disc, and other media formats used for storing instructions to a physical medium. [0020] Fig. 1, method 100 is an instance of endpoint detection and response attack tree analysis. [0023] Fig. 1, when analysis is complete for alerts, process moves to block 120 to display a full flow of an attack, shown in Figs. 2-5.); ‘for each respective action of the plurality of actions: identifying a source object performing the respective action and a target object on which the respective action is performed’ ([0049] Fig. 4, each line in a process tree represents an action in tree region 402, and each dot represents an object, wherein dots that are left of a line correspond to a source object of the applicant, and dots right of a line correspond to a target object.); ‘determining whether any of the source object or the target object is a malicious object’ ([0051] Fig. 4 shows a malware attack at play, which corresponds to a source object being a malicious object. 
Furthermore, a malicious child object is shown as 'downloader.exe' in the attack tree.); ‘in response to detecting at least one malicious object, generating, for display on a graphical user interface, an attack chain comprising a plurality of branches associated with the at least one malicious object, wherein each branch of the plurality of branches comprises a first visual identifier of a respective source object, a second visual identifier of a respective target object, and a third visual identifier of a respective action’ ([0040] Fig. 1, an attack tree is shown when all alerts have been processed for displaying a full flow of an attack tree. [0049] Fig. 4, an attack tree is displayed, wherein an attack tree corresponds to an attack chain of the applicant. Furthermore, a plurality of processes is shown as lines connecting dots, wherein lines, representing connections of processes, correspond to 'third visual identifier of a respective action' connecting two objects together. Processes correspond to objects of an applicant, wherein dots that are left of a line correspond to 'first visual identifier of a source objects', and dots which are right of a line correspond to 'second visual identifier of a target objects', respectfully.); ‘generating, on the graphical user interface, a fourth visual indicator of the at least one malicious object on the attack chain’ ([0051] A malicious child process 'downloader.exe' is shown as a malicious PDF file is run through an Adobe Reader process, the malicious child process corresponding to a fourth visual indicator of the at least one malicious object on the attack chain. Key events and processes are highlighted along the way, which fulfills the requirement of marking at least one malicious object of the applicant. 
Full flow is created from a beginning program, with the malicious child process 'downloader.exe' being created as part of the full flow, corresponding to generating a fourth visual indicator on the graphical user interface of the Applicant.). ‘generating, for display on the graphical user interface, an attack summary comprising a dialogue describing an origin of the at least one malicious object and target objects affected by the at least one malicious object by’ ([0043] Fig. 2, detail region 204 shown an area of user interface 200, showing additional details of a process. This can include a time which the process has started, corresponding to an origin of the at least one malicious object, and as described in paragraph [0040], additional details can be highlighted associated with other processes that connect with other processes, with detail region 204 being an example as to what types of details can be shown. Paragraph [0040] stating that other related processes can be displayed corresponds to target objects also being shown that are affected by the at least one malicious object of the applicant.); ‘identifying a branch in the attack chain’ ([0040] Additional details include processes which connect other processes together, which corresponds to identifying a branch in the attack chain of the applicant.); ‘at least one of an action, a source object, and a target object of the branch’ (In [0049], Fig. 
4 of Murphy, a user clicks on a process on a branch, wherein a process has a parent and a child process, with lines corresponding to action, and states details regarding a process, including what process the clicked process depends from, and what is dependent upon the clicked process.); Murphy does not appear to disclose, but Gamble teaches the limitations of ‘determining, from a plurality of summary templates, a summary template that corresponds to the branch based on at least one of an action, a source object, and a target object of the branch, wherein the summary template comprises text describing an attack event and fields for entering identifiers of the action, the source object, and the target object of the branch’ (Taking Fig. 6 of Gamble into account in section [Col. 11, lines 47-58], where events are linked, as either independent or dependent elements of a small 'chain', where this is detailed to a user, where events corresponds to multiple summary templates of the Applicant. Integrating this aspect of Gamble into Murphy teaches the limitations of the claim 3 of the applicant, including a unique identifier for users or machines in [Col. 10, lines 42-47] of Gamble, wherein the letters in Figs. 4-6 of Gamble are placeholders for in Gamble. Fig. 4 of Murphy, stating that a user clicks on a process on a branch that contains both a parent and child process, and details are given for the processes, which corresponds to determining a summary template from multiple summary templates, and involve describing attack events of the Applicant.). 
Accordingly, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention, having the teachings of Murphy and Gamble before them, to include Gamble’s ‘determining, from a plurality of summary templates, a summary template that corresponds to the branch based on at least one of an action, a source object, and a target object of the branch, wherein the summary template comprises text describing an attack event and fields for entering identifiers of the action, the source object, and the target object of the branch’ in Murphy’s non-transitory computer readable medium storing thereon computer executable instructions performing ‘generating an innovative user interface for endpoint detection and response (EDR) systems, the method comprising: detecting a plurality of actions performed on a computing device’. One would have been motivated to make such a combination to increase efficiency as a visualization of how events are related to events gives users some idea as to what can be affected, even at a cursory glance, as taught by Gamble [Col. 11, lines 34-58]. Conclusion The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Any inquiry concerning this communication or earlier communications from the examiner should be directed to TOMMY MARTINEZ whose telephone number is (703)756-5651. The examiner can normally be reached Monday thru Friday ET. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge L. Ortiz-Criado can be reached at (571) 272-7624. 
The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /T.M./ Examiner, Art Unit 2496 /JORGE L ORTIZ CRIADO/Supervisory Patent Examiner, Art Unit 2496
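The office action above maps two claimed mechanisms onto the prior art: a severity level computed as a function of a tiered importance value of the target object and the type of action applied to it (claim 6 and its system counterpart, claim 17), and an attack summary assembled by selecting, per branch of the attack chain, a summary template with fields for the action, source and target identifiers (claim 20 and the earlier claim 3). The following Python is an added illustration of that pipeline in working form; it is not code from the application, from Acronis, or from the Murphy or Gamble references. The sample action log, the signature lookup, the importance tiers, the action weights and the template wording are all constructed assumptions chosen to make the example run offline.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample action log: (timestamp, source object, action type, target object).
# The AcroRd32.exe -> downloader.exe chain echoes the Murphy example discussed above,
# but every event here is invented for this illustration.
SAMPLE_ACTIONS = [
    ("2025-01-22T10:00:01", "AcroRd32.exe", "open", "invoice.pdf"),
    ("2025-01-22T10:00:05", "AcroRd32.exe", "create_process", "downloader.exe"),
    ("2025-01-22T10:00:09", "downloader.exe", "write", "C:\\Windows\\System32\\svc.dll"),
    ("2025-01-22T10:00:12", "downloader.exe", "delete", "C:\\Users\\alice\\report.docx"),
    ("2025-01-22T10:00:20", "explorer.exe", "read", "C:\\Users\\alice\\notes.txt"),
]

# Assumed malware detector: object name -> malware detection signature identifier.
SIGNATURES = {"downloader.exe": "Trojan.Downloader.Generic/ex-0001"}

# Assumed predefined importance tiers (system-criticality) used as a multiplicative weight.
IMPORTANCE_TIERS = {"system": 3, "user": 2, "other": 1}

# Assumed per-action weights; unknown actions fall back to 1.
ACTION_WEIGHTS = {"read": 1, "open": 1, "write": 3, "create_process": 4, "delete": 5}

# Assumed summary templates keyed by action type, with fields for the three identifiers.
SUMMARY_TEMPLATES = {
    "create_process": "{source} spawned {target} ({action})",
    "write": "{source} wrote to {target} ({action})",
    "delete": "{source} deleted {target} ({action})",
    "default": "{source} performed {action} on {target}",
}


def importance_tier(obj: str) -> str:
    """Crude tier classifier: Windows system paths rank highest, user profile paths next."""
    low = obj.lower()
    if "\\windows\\" in low:
        return "system"
    if "\\users\\" in low:
        return "user"
    return "other"


def severity(target: str, action: str) -> int:
    """Severity = importance tier of the target x weight of the action applied to it."""
    return IMPORTANCE_TIERS[importance_tier(target)] * ACTION_WEIGHTS.get(action, 1)


@dataclass
class Branch:
    timestamp: str
    source: str          # first visual identifier
    target: str          # second visual identifier
    action: str          # third visual identifier
    malicious: set       # objects carrying the fourth visual indicator
    severity: int
    signature: Optional[str]


def build_attack_chain(actions, signatures=SIGNATURES):
    """Keep only branches whose source or target the detector flags as malicious."""
    branches = []
    for ts, src, act, tgt in sorted(actions):
        bad = {o for o in (src, tgt) if o in signatures}
        if not bad:
            continue
        sig = next(signatures[o] for o in (src, tgt) if o in signatures)
        branches.append(Branch(ts, src, tgt, act, bad, severity(tgt, act), sig))
    return branches


def select_template(branch: Branch) -> str:
    """Pick the summary template that corresponds to the branch's action type."""
    return SUMMARY_TEMPLATES.get(branch.action, SUMMARY_TEMPLATES["default"])


def attack_summary(branches) -> str:
    """Dialogue describing the origin of the malicious object and the targets it affected."""
    if not branches:
        return "No malicious activity detected."
    origin = branches[0]
    lines = [f"Origin: {origin.source} -> {origin.target} at {origin.timestamp}"]
    for b in branches:
        text = select_template(b).format(source=b.source, target=b.target, action=b.action)
        lines.append(f"{text} [severity {b.severity}, signature {b.signature}]")
    affected = sorted({b.target for b in branches if b.target not in b.malicious})
    lines.append("Affected targets: " + ", ".join(affected))
    return "\n".join(lines)


def timeline(branches):
    """One time indicator per branch, in chronological order."""
    return [(b.timestamp, i) for i, b in enumerate(branches)]


if __name__ == "__main__":
    chain = build_attack_chain(SAMPLE_ACTIONS)
    print(attack_summary(chain))
    print(timeline(chain))
```

The benign `open` and `read` events never enter the chain, which is the point of the claimed filtering: only branches adjacent to a flagged object are rendered. Note that the severity score is driven by the target's tier, so the same `delete` against a file under `C:\Windows` scores higher than against a user document; a real detector would derive the tier from something sturdier than a path substring.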

Prosecution Timeline

Nov 10, 2023
Application Filed
May 15, 2025
Non-Final Rejection — §103, §112
Aug 07, 2025
Response Filed
Aug 28, 2025
Final Rejection — §103, §112
Nov 20, 2025
Response after Non-Final Action
Dec 30, 2025
Request for Continued Examination
Jan 15, 2026
Response after Non-Final Action
Jan 22, 2026
Non-Final Rejection — §103, §112 (current)

Prosecution Projections

3-4
Expected OA Rounds
0%
Grant Probability
0%
With Interview (+0.0%)
3y 1m
Median Time to Grant
High
PTA Risk
Based on 4 resolved cases by this examiner. Grant probability derived from career allow rate.
