Detailed Action
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Amendments
This Final Office Action is in response to the amendments filed on 11/10/2025, in which no claims have been amended, no claims have been cancelled, and claims 1 – 20 remain pending in the application.
Response to Amendment
The amendment filed 11/10/2025 has been entered. See response to amendments.
Response to Arguments
Applicant’s arguments filed 11/10/2025 on page 7 have been fully considered but they are not persuasive in light of the previously cited prior art in the Office Action mailed on 07/10/2025.
Regarding applicant’s argument (remarks page 7),
“The Office Action alleges that Cohen (e.g., FIG. 3 and paragraph 23) discloses the claim element of displaying in a graphical user interface, attributes of the plurality of filesystem events, grouped by platform domain. However, Applicant respectfully submits that Cohen does not disclose or suggest displaying attributes of the plurality of filesystem events, grouped by platform domain. If anything, Cohen appears to disclose displaying a number of events associated with domains generally (e.g., in FIG. 3, 23
detected risks associated with the category "young domain," 6 events associated with the category "Bad SSL Certificates," etc. This is not the same as, or similar to, displaying attributes of the plurality of filesystem events, grouped by platform domain (e.g., attributes associated with a platform domain X, attributes associated with a platform domain Y, etc.).”
The Examiner respectfully disagrees; the argument is not persuasive. Under the broadest reasonable interpretation, the dashboard 300 of Cohen FIG. 3 shows attributes of the plurality of filesystem events and also shows them grouped by domain. FIG. 3 includes a header 350 that provides information about a site being analyzed, a date and time of inspection, along with an optional, downloadable summary report. A pair of headers 360 may provide a snapshot of all detected risks (e.g., 57) for that particular site, and a total number of detected risks. Alerts related to the overview may be provided as well. The pair of headers 360 may further provide a snapshot of warnings indicative of key security vulnerabilities and/or risks associated with the site. For example, malware, PII exposure, and geographical risk may be the top security vulnerabilities associated with the website. The dashboard configuration may allow users to define features for specific risks. Risks may fall into one or more risk categories, including but not limited to malware, PII, session replay, fingerprinting, trackers, young domains, a cookie request, a phishing attempt, a URL redirection, a bad SSL, and geographical risks, which the Examiner interprets as attributes of the filesystem events.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1, 9, 15, 16, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Jones et al. (US-20230308485-A1 hereafter Jones), in view of Cohen et al. (US-20240037247-A1 hereafter Cohen).
Regarding claim 1, Jones discloses a system comprising:
a processor subsystem (see Jones par.0024: “depicts a block diagram of a threat management system 101 providing protection against a plurality of threats, such as malware, viruses, spyware, cryptoware, adware, Trojans, spam, intrusion, policy abuse, improper configuration, vulnerabilities, improper access, uncontrolled access, and more according to an example embodiment.”.); and
memory including instructions that, when executed by the processor
subsystem, cause the processor subsystem to perform operations comprising (see Jones par.0067: “The computing device 210 may include a processor
212, a memory 214, a network interface 216, a data store 218, and one or more input/output devices 220.”, par.0069: “The memory 214 may store program instructions,
program data, executables, and other software and data useful for controlling operation of the computing device 200 and configuring the computing device 200 to perform functions for a user. The memory 214 may include a number of different stages and types for different aspects of operation of the computing device 210.”.):
receiving an indication of a filesystem event detected by an event monitor (see Jones par.0092-93: “The event collection and logging module 431 may
further be configured for receiving from a monitoring agent deployed on a monitored device, information related to device usage of the electronic device by the user. This type of device usage may relate to application usage, website usage, application installation or any other type of device usage which might be relevant in setting security settings. This information may further include information indicating the user has downloaded sensitive or confidential information from a repository associated with the at least one entity. Still further, the monitoring agent may be configured to provide information related to when the user attempts to perform data exfiltration with the electronic device, or access an application or website which allows for data exfiltration. the event collection and logging module 431 may be considered “events”.);
determining a platform domain from the indication of the filesystem event (see Jones par.0128: “The local monitoring agent 808 may collect events 806 from sensors or any combination of software and hardware systems operable on the monitored device 802, and form the collected events 806 into event vectors, where applicable, for communication to the threat management facility 812. The local monitoring agent 808 may process events 806 in a variety of ways in order to facilitate communication, computational efficiency, or downstream processing”, par.0130: “events 806 may usefully be labelled in a variety of ways. While labeling with process identifiers is described above, this may also or instead include an identification of an entity associated with the event 806. In this context, the entity may be any physical, logical, or conceptual entity useful for monitoring activity of the monitored devices 802 as described herein. For example, the entity may include a user, a physical device, a virtualized machine, an operating system, an application, a process, a hardware subsystem ( e.g., a network interface card, USB drive, camera, etc.), a network resource, a domain controller, a remote software service, and so forth. It should also be understood that the various entity types may be concurrently associated with a particular event 806, or particular events 806 may be associated with multiple entities or event vectors. Thus for example, storing or downloading a file may be an event 806 associated with a particular user, a particular device or machine, a particular operating system, a particular physical storage device, and so forth. Similarly, attempting to perform data exfiltration may, access a data exfiltration application or website, or attempting to download a data exfiltration application or website may be an event 806 associated with a particular user, a particular device or machine, a particular operating system, a particular physical storage device”.);
storing content of the filesystem event in a data store with content from a plurality of filesystem events (see Jones par.0132: “The events 806 may be received by the threat management facility 812 and stored as an event stream 814 in a data repository 816, which may be any data store, memory, file or the like suitable for storing the events 806 or event vectors. The events 806 may be time stamped or otherwise labeled by the threat management facility 812 to record chronology. The event stream 814 may be used for analysis and detection”.).
Jones appears to be silent on displaying in a graphical user interface, attributes of the plurality of filesystem events, grouped by platform domain.
However, Cohen teaches displaying in a graphical user interface, attributes of the plurality of filesystem events, grouped by platform domain. (See Cohen Fig 3 and par.0023 - 0024: “dashboard 300 executable on a graphical user interface. The dashboard provides an ability to identify and assess potential risks and vulnerabilities related to online activity, e.g., browsing through websites. The customizable dashboard enables users to set their privacy preferences related to a plurality of different risk types, including but not limited to malware, PII, session replay, fingerprinting, trackers, young domains, and bad secure socket layer (SSL) certifications. A header 350 may provide information about a site being analyzed, a date and time of inspection, along with an
optional, downloadable summary report. A pair of headers 360 may provide a snapshot of all detected risks ( e.g., 57) for that particular site, and a total number of detected risks. Alerts related to the overview may provided as well. The pair of headers 360 may further provide a snapshot of warnings indicative of key security vulnerabilities and/or risks associated with the site. For example, malware, PII exposure, and geographical risk may be the top security vulnerabilities associated with the website.”, par.0026: “The dashboard configuration.. may allow users to define features for specific risks. Risks may fall into one or more risk categories 410, including but not limited to malware, PII,
session replay, fingerprinting, trackers, young domains, a cookie request, a phishing attempt, a URL redirection, a bad SSL, and geographical risks.”, par.0029: “with respect to PII information, a user may select the types of PII to track and/or prevent from being sent to external parties.” The Examiner interprets the risks and vulnerabilities as the attributes of the plurality of filesystem events.).
[Image: media_image1.png (greyscale, 762×713)]
It would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have combined Jones teaching “monitoring and alerting a system administrator to the possibility of data exfiltration based on the employment status of a user or employee. In general, a client device (e.g. an endpoint) includes a security or monitoring agent that monitors data movement on the client device. The monitoring agent described herein may be configured to monitor installed programs and/or websites visited by the user of the client device. In particular, the monitoring agent may monitor websites and applications that support the uploading of data from the client device (e.g., websites, and/or applications that support data exfiltration). Examples of such websites and applications include Microsoft OneDrive, Google Drive, Carbonite, Box, DropBox, and the like.”, (see Jones par.0023), with Cohen teaching “A graphical user interface displayed on one or more computing devices may provide a customized dashboard for monitoring and managing security vulnerabilities.”, (see Cohen par.0050).
Claim 15 is the method claim corresponding to claim 1, and is rejected under the same rationale set forth in connection with the rejection of claim 1.
Claim 19 is the non-transitory machine-readable medium claim corresponding to claim 1, and is rejected under the same rationale set forth in connection with the rejection of claim 1.
Regarding claim 9, Jones in view of Cohen disclose the system of claim 1. Cohen further teaches the system further comprising:
categorizing the plurality of filesystem events into risk categories (see Cohen par.0026: “The dashboard configuration of FIG. 4 may allow users to define features for specific risks. Risks may fall into one or more risk categories 410, including but not limited to malware, PII, session replay, fingerprinting, trackers, young domains, a cookie request, a phishing attempt, a URL redirection, a bad SSL, and geographical risks.”.); and
displaying in the graphical user interface, the plurality of filesystem events
grouped by the risk categories (see Cohen Fig 4 and par.0026: “The dashboard configuration of FIG. 4 may allow users to define features for specific risks. Risks may fall into one or more risk categories 410.”.).
[Image: media_image2.png (greyscale, 477×778)]
Claim 16 is the method claim corresponding to claim 9, and is rejected under the same rationale set forth in connection with the rejection of claim 9.
Claims 2-7, 10, and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Jones et al. (US-20230308485-A1 hereafter Jones), in view of Cohen et al. (US-20240037247-A1 hereafter Cohen), in further view of Juncker et al. (US-20220350905-A1 hereafter Juncker).
Regarding claim 2, Jones in view of Cohen disclose the system of claim 1. Jones in view of Cohen appear to be silent on wherein the event monitor is configured to interface with a web browser to detect filesystem events.
However, Juncker teaches wherein the event monitor is configured to interface with a web browser to detect filesystem events (see Juncker par.0015: “the exfiltration detection application may include multiple components. For example, a first component may interface with a file system and a second component may interface with one or more browsers… File system element events that are indicative of exfiltration are processed by the second component which may interrogate the web browser or other application or its components to gather context information about the user's activities with respect to the file system element event.”.).
It would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have combined Jones in view of Cohen of the system claim 1 with Juncker teaching “The first component is alerted to one or more I/O requests and may perform one or more filtering processes to detect file system element events and to filter out I/O requests that indicate normal browser behavior and other behavior that is not indicative of exfiltration. In some examples, after the first filter, the first component may use an exfiltration model to determine whether a file system element event is indicative of exfiltration”, (see Juncker par.0015).
Regarding claim 3, Jones in view of Cohen disclose the system of claim 1. Jones in view of Cohen appear to be silent on wherein the event monitor is configured to interface with a kernel filter to detect filesystem events.
However, Juncker teaches wherein the event monitor is configured to interface with a kernel filter to detect filesystem events (see Juncker par.0015-0019: “the exfiltration detection application may include multiple components. For example, a first component may interface with a file system… On devices executing a MICROSOFT® WINDOWS® operating system (O/S), the first component may be a kernel filter that is attached to an input/output stack of an operating system kernel… A kernel filter acts as a virtual device driver and processes the I/O request. Once processing is finished, the kernel filter passes the I/O request to the next filter or to the next driver in the stack. In this way, a kernel filter has access to all I/O requests within a system; including I/O requests that represent file system element events that relate to file system elements… the first component may process I/O requests detected through an operating system interface to find file system element events that are of interest.”.).
It would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have combined Jones in view of Cohen of the system claim 1 with Juncker teaching “the first component of the exfiltration detection application, the kernel mode side may be in the form of a filter or minifilter, such as minifilter 250. In some examples, the minifilter 250 of the exfiltration detection application may only activate upon a file system element event and may not activate for other types of I/O, This may be accomplished by specifying the types of I/O that are of interest”, (see Juncker par.0030).
Regarding claim 4, Jones in view of Cohen disclose the system of claim 1. Jones in view of Cohen appear to be silent on wherein the event monitor is configured to interface with an event stream to detect filesystem events.
However, Juncker teaches wherein the event monitor is configured to interface with an event stream to detect filesystem events (see Juncker par.0015: “the exfiltration detection application may include multiple components. For example, a first component may interface with a file system”,par.0017: “On devices executing an Apple operating system such as a macOS® the first component may utilize an event stream that provides I/O requests as one or more events in the stream. For example, an event stream provided by a Basic Security Module (BSM)”, par.0037 “FIG. 3, the first component 350 is not a mini filter. Instead, the first component subscribes to an event stream 330 and reads events, such as event 332-332-N that are placed on the event stream by the operating system file system 325. The events are input/output events that correspond to input/output requests, such as I/O request 320.”.).
It would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have combined Jones in view of Cohen of the system claim 1 with Juncker teaching “the filter may filter out events with FilePath and ProcessPath that are null; the Event's Process ID matches the currently running Process ID; the Process Path matches one of the monitored applications; the File Path does not contain an excluded string ( e.g., associated with temporary files or system directories); the Event Type=72 and the File Path does not end with "safari." The decision routine 367 may detect an exfiltration event if the Event Type and Event Flags is matched”, (see Juncker par.0038).
Regarding claim 5, Jones in view of Cohen disclose the system of claim 1. Jones in view of Cohen appear to be silent on wherein the event monitor uses calculated hash values for files it monitors to detect when a file experiences the filesystem event.
However, Juncker teaches wherein the event monitor uses calculated hash values for files it monitors to detect when a file experiences the filesystem event (see Juncker par.0027: “The exfiltration detection application may then determine that the user is accessing a file sharing service and send an alert 140 to an administration service 125 with information about the file system element event. The alert may include information such as a hash of the file, date, time, Multipurpose Internet Mail Extensions (MIME) type, name of the website, and the like.”.).
It would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have combined Jones in view of Cohen of the system claim 1 with Juncker teaching “at operation 425, the application may apply an exfiltration signature model to the file system element event. For example, a single file system element event may not be indicative of suspicious activity, however, a pattern of contemporaneous file system element events (e.g., the events occur within a predetermined period of time) may be indicative of suspicious activity. The model may consider the type of file system element event, the location of the file system element corresponding to the event, a size of the file system element event, and any other characteristic of the file system element event or the file system element corresponding to the event.”, (see Juncker par.0047).
Regarding claim 6, Jones in view of Cohen disclose the system of claim 1. Jones in view of Cohen appear to be silent on wherein the event monitor uses calculated hash values for files it monitors to detect when contents of a file experience the filesystem event.
However, Juncker teaches wherein the event monitor uses calculated hash values for files it monitors to detect when contents of a file experience the filesystem event (see par.0046: “the application may filter out normal browser behaviors as previously observed. For example, by ignoring file system element events that come from certain directories and for certain types of files. For example, activity related to cookies, cached files, images, and other files that the browser normally uses. These exclusions may be based upon the file system element type, location, MIME type, contents, and the like. In other examples, rather than exclude certain file system elements, the application may have a list of file system elements that are to be protected. In this case, unless the file system element event is for one of the file system elements that are on the protected list, the event may be ignored. In some examples, this protected list may include a list of hashes of protected files. In these examples, if the hash of the file system element that corresponds to the file system element event does not match one of the hashes on the protected list, then the file system element event may be ignored.”.).
It would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have combined Jones in view of Cohen of the system claim 1 with Juncker teaching “an exfiltration signature model 270 may be a model that stores signatures of exfiltration or may be used to determine exfiltration and
may be based upon past observed behavior that is labeled as being exfiltration or not-exfiltration.”, (see Juncker par.0032).
Regarding claim 7, Jones in view of Cohen disclose the system of claim 1. Jones in view of Cohen appear to be silent on wherein determining the platform domain from the indication of the filesystem event comprises parsing a destination network location associated with the filesystem event.
However, Juncker teaches wherein determining the platform domain from the indication of the filesystem event comprises parsing a destination network location associated with the filesystem event (see par.0026-27: “The endpoint device 110 which may be a user computing device such as a desktop, laptop, tablet, smartphone, or the like. Exfiltration application executing on the endpoint device 110 monitors the endpoint device 110 and attempts to detect uploads of one or more files to a network based location, such as files 130 uploaded to network-based service 120. The files that are uploaded may be files on local storage of the endpoint device 110. In other examples, the files may be on a remote storage device of an organization. That is, the endpoint device 110 may be logged into a corporate network and may attempt to upload files stored on a file storage system of the corporate network. Network based service may include a file-sharing service, an email service, a social networking service, or the like. The files may be transferred by using a web browser or other application over a network 115. Network 115 may be a packet-based network, such as one or more of a Local Area Network, Wide Area Network, Internet, or the like. For example; using packet-based communications over the network 115, endpoint device 110 may receive a web GUI interface provided by the network-based service 120; the user may navigate the web GUI interface; select a GUI element that provides the option to upload files; select one or more files through a file upload dialog; and the endpoint device 110 may begin transferring the files from the end point device 110, over network 115, to the network-based service 120. This triggers a file system element event for those files which is detected as an I/O request by the first component of the exfiltration application. 
The exfiltration detection application may then determine that the user is accessing a file sharing service and send an alert 140 to an administration service 125 with information about the file system element event. The alert may include information such as a hash of the file, date, time, Multipurpose Internet Mail Extensions (MIME) type, name of the website, and the like.”.).
It would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have combined Jones in view of Cohen of the system claim 1 with Juncker teaching “browser components 207, including a browser application 210 and history database 215. Browser application 210 sends various input/output (I/O) requests (e.g., such as requests for the contents of a file stored in a file system) to an operating system, for example, in conjunction with retrieving cached pages, cookies, stored data, resource files, and the like. Browser application 210 may also send I/O requests to an operating system when the browser accesses one or more files for uploading to a file sharing service ( e.g., such as network-based service 120)”, (see Juncker par.0028).
Regarding claim 10, Jones in view of Cohen disclose the system of claim 1. Cohen further teaches the system further comprising:
displaying in the graphical user interface, a first subset of the plurality of filesystem events grouped by personal activity and a second subset of the plurality of filesystem events grouped by corporate activity (see Cohen Fig 6 and par.0032: “FIG. 6 illustrates additional risk management options and categorizations, in accordance with embodiments discussed herein. Sites can be categorized based on their security status and/or risk level. Categories 610 may include unclassified, trusted (Corporate may be permissible), and blocked (personal not permissible). Unclassified is the default categorization for sites. The trusted categorization may indicate a reduced or acceptable level of vulnerability for a user. Settings associated with the Trusted designation may allow all requests to be fulfilled. Alerts will not occur for trusted sites.”.).
[Image: media_image3.png (greyscale, 599×971)]
Jones in view of Cohen appear to not explicitly disclose categorizing the plurality of filesystem events as being related to either personal activity or corporate activity.
However, Juncker explicitly teaches categorizing the plurality of filesystem events as being related to either personal activity or corporate activity (see Juncker par.0023: “Account information may be used to determine whether the account associated with the transfer is a work account (which may be permissible) or a personal account (which may not be permissible). This information may be determined using screen scraping techniques e.g., sites may list the username of the user that is logged in and this information may be scraped. Similarly, information about the user's account on the cloud-based file sharing or storage service such as a directory structure or other files uploaded may also be gathered using screen scraping techniques. If the site is a web-based email, the recipient of the email message may be gathered through scraping techniques as well.”.).
It would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have combined Jones in view of Cohen of the system claim 1 with Juncker teaching “the file system element event notifications and apply additional detection logic to try and increase accuracy and eliminate false positives. This may include applying one or more permit and reject lists. For example, if a site determined from the browser is in the permit list, the anomaly is not further processed. If the site name determined from the browser is in the reject lists, then an alert may be generated, and processing may continue. One or more of the permit lists
and/or reject lists may be utilized alone or in conjunction.”, (see Juncker par.0025).
Claim 17 is the method claim corresponding to claim 10, and is rejected under the same rationale set forth in connection with the rejection of claim 10.
Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Jones et al. (US-20230308485-A1 hereafter Jones), in view of Cohen et al. (US-20240037247-A1 hereafter Cohen), in further view of Marwah et al. (US-20200134175-A1 hereafter Marwah).
Regarding claim 8, Jones in view of Cohen disclose the system of claim 1. Jones in view of Cohen appear to be silent on wherein determining the platform domain from the indication of the filesystem event comprises interfacing with a domain name system (DNS) server to verify that the platform domain is registered with the DNS server.
However, Marwah teaches wherein determining the platform domain from the indication of the filesystem event comprises interfacing with a domain name system (DNS) server to verify that the platform domain is registered with the DNS server (see Marwah par.0023: “the present disclosure, to more effectively detect a chain of events that corresponds to an issue in a system, an issue detection framework constructs, based on event data representing events in the system, a representation (e.g., a graph) of the events, where the representation includes information relating the events. The issue detection framework further computes issue indications (e.g., anomaly scores, threat scores, or any other indications of potential issues in the system) corresponding to potential issues in the system”, par.0025: “events can include login events (e.g., events relating to a number of login attempts and/or devices logged into), events relating to access of resources such as websites, events relating to submission of queries such as Domain Name System (DNS) queries, events relating to sizes and/or locations of data (e.g., files) accessed, events relating to loading of programs, events relating to execution of programs, events relating to accesses made of components of the computing environment, errors reported by machines or programs, events relating to performance monitoring or measurement of various characteristics of the computing environment”.).
It would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have combined Jones in view of Cohen of the system claim 1 with Marwah teaching “events can include login events (e.g., events relating to a number of login attempts and/or devices logged into), events relating to access of resources such as websites, events relating to submission of queries such as Domain Name System (DNS) queries, events relating to sizes and/or locations of data (e.g., files) accessed, events relating to loading of programs, events relating to execution of programs, events relating to accesses made of components of the computing environment, errors reported by machines or programs, events relating to performance monitoring or measurement of various characteristics of the computing environment (including monitoring of network communication speeds, execution speeds of programs, etc.).”, (see Marwah par.0027).
Claims 11 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Jones et al. (US-20230308485-A1 hereafter Jones), in view of Cohen et al. (US-20240037247-A1 hereafter Cohen), in further view of Coates et al. (US-20150040225-A1 hereafter Coates).
Regarding claim 11, Jones in view of Cohen disclose the system of claim 1. Jones in view of Cohen appear to be silent on the limitations further comprising:
determining from the indication of the filesystem event, a common hostname related to the platform domain; and
displaying in the graphical user interface, the common hostname and the platform domain.
However, Coates teaches further comprising:
determining from the indication of the filesystem event, a common hostname related to the platform domain (see Coates par.0093: “the graphical interface 700 presents additional information based on the security events corresponding to the summaries including the summaries 720, 730. The graphical interface may present a chart displaying new domain activity based on a particular field (e.g., time or top level domain name) associated with domain activity. These statistics may assist in the identification of a trend of security events associated with domain activity. Further, the summary of security events included in the graphical interface 700 may be useful for identification of a count of requests for a particular domain.”); and
displaying in the graphical user interface, the common hostname and the platform domain (see Coates Fig. 7 and par.0093: “The graphical interface may present a chart displaying new domain activity based on a particular field (e.g., time or top level domain name) associated with domain activity. These statistics may assist in the identification of a trend of security events associated with domain activity.”).
[Image: media_image4.png]
It would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have combined Jones in view of Cohen, as applied to the system of claim 1, with Coates' teaching that “The security events that specify the criteria may be grouped into individual summaries 720, 730 based on having distinct values for the destination field” (see Coates par.0090).
Regarding claim 18: claim 18 is the method claim corresponding to system claim 11, and it is rejected under the same rationale set forth in connection with the rejection of claim 11.
Claims 12, 14, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Jones et al. (US-20230308485-A1 hereafter Jones), in view of Cohen et al. (US-20240037247-A1 hereafter Cohen), in view of Juncker et al. (US-20220350905-A1 hereafter Juncker), in further view of Muddu et al. (US-20180367551-A1 hereafter Muddu).
Regarding claim 12, Jones in view of Cohen disclose the system of claim 1. Jones in view of Cohen appear to be silent on the limitations further comprising:
determining prevalent platform domains of the plurality of filesystem events; and
filtering platform domains displayed in the graphical user interface to those that are prevalent.
However, Juncker teaches further comprising:
determining prevalent platform domains of the plurality of filesystem events (see Juncker par.0032: “File system element events that pass the filter 260 may be passed to a decision routine 267 where additional factors may be considered. For example, an exfiltration signature model 270 may be a model that stores signatures of exfiltration or may be used to determine exfiltration and may be based upon past observed behavior that is labeled as being exfiltration or not-exfiltration.”, par.0046: “the application may filter out normal browser behaviors as previously observed. For example, by ignoring file system element events that come from certain directories and for certain types of files. For example, activity related to cookies, cached files, images, and other files that the browser normally uses. These exclusions may be based upon the file system element type, location, MIME type, contents, and the like. In other examples, rather than exclude certain file system elements, the application may have a list of file system elements that are to be protected. In this case, unless the file system element event is for one of the file system elements that are on the protected list, the event may be ignored. In some examples, this protected list may include a list of hashes of protected files. In these examples, if the hash of the file system element that corresponds to the file system element event does not match one of the hashes on the protected list, then the file system element event may be ignored.”). Jones in view of Cohen and Juncker appear to be silent on filtering platform domains displayed in the graphical user interface to those that are prevalent.
However, Muddu teaches filtering platform domains displayed in the graphical user interface to those that are prevalent (see Muddu Fig. 47C and par.0499: “also shown in FIG. 47C, the Users Table view may also include a User Events Trend box 4721, which depicts how many events that the user participated in over a time period. A sudden increase in the number of events can be useful in evaluating potential network compromise. As yet another example, the Users Table view can provide a User Events Classes box 4722, which shows the number of each class of events for which the user was a participant.”).
[Image: media_image5.png]
It would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have combined Jones in view of Cohen, as applied to the system of claim 1, with Juncker's teaching that “the decision routine 367 decides whether the file system element events of interest are to be sent to the exfiltration detection component 382 using exfiltration signature model 370, and past events in the event store 375. Communication routine 380 provides the events that meet the criteria for sending to the exfiltration detection component 382 from the decision routine.” (see Juncker par.0037), along with Muddu's teaching that “The data sources 302 provide event data to data receivers 310, which implement various APIs and connectors to receive (or retrieve, depending on the mechanism) the event data for the security platform 300. The data receivers 310 may also optionally filter some of the event data. For example, to reduce the workload of the security platform, a business rule may be set to state that all query events to "www.google.com" should be filtered out as not interesting (e.g., this type of access is determined not to represent any security threat).” (see Muddu par.0164).
Regarding claim 20: claim 20 is the non-transitory machine-readable medium claim corresponding to system claim 12, and it is rejected under the same rationale set forth in connection with the rejection of claim 12.
Regarding claim 14, Jones in view of Cohen, Juncker and Muddu disclose the system of claim 12, wherein determining prevalent platform domains comprises:
determining a number of users associated with filesystem events that are related to a given platform domain (see Muddu Fig. 47C and par.0499: “the Users Table view can provide a User Events Classes box 4722, which shows the number of each class of events for which the user was a participant.”); and
[Image: media_image6.png]
marking the given platform domain as a prevalent platform domain when the number of users exceeds a threshold number (see Muddu Fig. 71 and par.0637-0638: “Once the anomaly score is generated, an anomaly indicating malware in the computer network is detected if the anomaly score satisfies a specified criterion. Consider the previously discussed example range of values from 0 to 10 for anomaly scores. In this example, the specified criterion may be set such that an anomaly is detected if the anomaly score is 6 or above. The specified criterion need not be static, however. In some embodiments, the criterion is dynamic and changes based on situational factors. Situational factors may include volume of event data, presence or absence of pre-conditional events, user configurations, and volume of event data… shows an example incident response output 7100 based on entity profiles configured for display to a user. The incident response output 7100 is represented in simplified form for clarity as a table including a plurality of entity identifiers 7102 with associated feature scores 7104a-7104d and a recommended response 7106 based on the plurality of feature scores”.).
[Image: media_image7.png]
It would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have combined Jones in view of Cohen, Juncker and Muddu, as applied to the system of claim 12, with Muddu's further teaching that “Detected anomalies indicative of malware on the computer network can be stored in an anomaly graph data structure that includes a plurality of nodes representing entities associated with the computer network, and a plurality of edges representing an anomaly linking two of the plurality of nodes. Further, the anomaly data can be incorporated into a system wide network security graph.” (see Muddu par.0639).
Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over Jones et al. (US-20230308485-A1 hereafter Jones), in view of Cohen et al. (US-20240037247-A1 hereafter Cohen), in view of Juncker et al. (US-20220350905-A1 hereafter Juncker), in view of Muddu et al. (US-20180367551-A1 hereafter Muddu), in further view of Kapoor et al. (US-20240106846-A1 hereafter Kapoor).
Regarding claim 13, Jones in view of Cohen, Juncker and Muddu disclose the system of claim 12, wherein determining prevalent platform domains comprises:
determining a number of filesystem events that are related to a given platform domain (see Muddu par.0186: “anomalies and threats are detected by comparing incoming event data (e.g., a series of events) against the baseline profile for an entity to which the event data relates (e.g., a user, an application, a network node or group of nodes, a software system, data files, etc.). If the variation is more than insignificant, the threshold for which may be dynamically or statically defined, an anomaly may be considered to be detected. The comparison may be based on any of various techniques, for example, time-series analysis (e.g., number of log-ins per hour), machine learning, or graphical analysis (e.g., in the case of security graphs or security graph projections).”, par.0499: “also shown in FIG. 47C, the Users Table view may also include a User Events Trend box 4721, which depicts how many events that the user participated in over a time period. A sudden increase in the number of events can be useful in evaluating potential network compromise. As yet another example, the Users Table view can provide a User Events Classes box 4722, which shows the number of each class of events for which the user was a participant.”); and
marking the given platform domain as a prevalent platform domain when the number of filesystem events exceeds a threshold number (see Kapoor par.0657-0658: “Determining 604 device activity associated with the user may be carried out, for example, by one or more data collection agents that are executing on the device, by one or more data collection agents that executing at some other location off of the device, or in some other way….The profile associated with the user may include information describing normal activity for the user. The normal activity for the user may be determined, for example, based on historical usage of the device (or some other device) associated with the user. That is, normal activity may be learned through an analysis of how the device has historically been used rather than being specified exclusively as a set of rules. The normal activity may include, for example, an identification of applications on the device that are accessed by the user, the times that those applications are accessed, the locations from which those applications are accessed, the order in which the applications on the device are typically accessed by the user”, par.0660: “Readers will appreciate that comparisons the device activity and the profile associated with the user may utilize ranges, thresholds, or similar concepts to allow for minor deviations between the device activity and the profile associated with the user. For example, if the profile associated with the user indicates that the device is typically located at the user's office between the hours of 9 AM and 5 PM on weekdays, but the device activity reveals that the user is still at the office at 6 PM on a particular Tuesday evening, this minor deviation may be tolerated and may not rise to the level of triggering an alarm.”).
It would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have combined Jones in view of Cohen, Juncker and Muddu, as applied to the system of claim 12, with Kapoor's teaching of “identifying unusual activity, in these examples the systems described herein may be configured to learn what constitutes 'normal activity' where 'normal activity' is activity observed, modeled, or otherwise identified in the absence of a particular type of threat, intrusion, vulnerability, and so on” (see Kapoor par.0631).
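The limitations discussed above describe one pipeline: attribute each filesystem event to a platform domain (with the DNS registration check addressed through Marwah), derive the common hostname for that domain (claim 11), count the filesystem events and the distinct users per domain, mark a domain prevalent when either count exceeds a threshold (claims 13 and 14), and filter the displayed domains to the prevalent ones (claim 12). The following is an added example written for this page to show that pipeline in working code; it is not code from the application or from any of the cited references (Jones, Cohen, Marwah, Coates, Juncker, Muddu, Kapoor). The event records, the public-suffix subset, the stub DNS table, the thresholds and every function name are constructed assumptions.

```python
"""Added example: grouping filesystem events by platform domain and selecting
the prevalent domains by user count and by event count, with a DNS
registration check of each platform domain.

Everything here (event records, public-suffix subset, stub DNS table,
function names) is a constructed assumption for illustration; none of it is
code from the application or the cited references.
"""
from collections import Counter
from urllib.parse import urlsplit
import socket

# Constructed subset of public suffixes. A real deployment would consult the
# full Public Suffix List; this is enough to show the registrable-domain logic.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

# Constructed filesystem events: (user, operation, local path, source URL the
# file was fetched from). The source URL is what ties an event to a platform.
SAMPLE_EVENTS = [
    ("alice", "create", "/home/alice/Downloads/q3-forecast.xlsx", "https://docs.cloud-storage.com/d/91ab"),
    ("bob",   "create", "/home/bob/Downloads/roadmap.pdf",        "https://docs.cloud-storage.com/d/7f02"),
    ("carol", "create", "/home/carol/Downloads/budget.csv",       "https://share.cloud-storage.com/s/3e1"),
    ("dave",  "modify", "/home/dave/Desktop/notes.txt",           "https://files.vendor.co.uk/x/44"),
    ("alice", "create", "/home/alice/Downloads/part1.zip",        "https://cdn.pastebin-like.net/raw/q1"),
    ("alice", "create", "/home/alice/Downloads/part2.zip",        "https://cdn.pastebin-like.net/raw/q2"),
    ("alice", "create", "/home/alice/Downloads/part3.zip",        "https://cdn.pastebin-like.net/raw/q3"),
    ("erin",  "create", "/tmp/dump.bin",                          "http://10.0.0.5/share/dump.bin"),
]

# Constructed stand-in for a DNS server: platform domains the stub "knows".
STUB_DNS = {"cloud-storage.com": ["203.0.113.10"], "vendor.co.uk": ["198.51.100.7"]}


def stub_resolver(name):
    """Offline resolver used by the example; returns [] for unknown names."""
    return STUB_DNS.get(name, [])


def live_resolver(name):
    """Real lookup against the system resolver (not used by the offline run)."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


def platform_domain(hostname):
    """Reduce a hostname to its registrable (platform) domain, e.g.
    docs.cloud-storage.com -> cloud-storage.com. Returns None for IP literals
    and for names whose suffix is not in PUBLIC_SUFFIXES."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return None if i == 0 else ".".join(labels[i - 1:])
    return None


def summarize(events, resolver=stub_resolver):
    """Group events by platform domain, tracking event count, distinct users,
    the hostnames seen, and whether the domain resolves (the DNS check)."""
    summary = {}
    for user, _op, _path, source in events:
        host = urlsplit(source).hostname or ""
        domain = platform_domain(host)
        if domain is None:
            continue  # no platform domain attributable to this event
        stats = summary.setdefault(
            domain, {"events": 0, "users": set(), "hostnames": Counter(), "registered": None})
        stats["events"] += 1
        stats["users"].add(user)
        stats["hostnames"][host] += 1
        if stats["registered"] is None:  # resolve each domain only once
            stats["registered"] = bool(resolver(domain))
    return summary


def common_hostname(stats):
    """Most frequently seen hostname under a platform domain."""
    return stats["hostnames"].most_common(1)[0][0]


def prevalent_by_users(summary, threshold):
    """Domains whose distinct-user count exceeds the threshold (claim 14 style)."""
    return {d for d, s in summary.items() if len(s["users"]) > threshold}


def prevalent_by_events(summary, threshold):
    """Domains whose event count exceeds the threshold (claim 13 style)."""
    return {d for d, s in summary.items() if s["events"] > threshold}


def display_rows(summary, prevalent):
    """Rows for the dashboard, filtered to prevalent domains, busiest first."""
    rows = [{"domain": d, "hostname": common_hostname(s), "events": s["events"],
             "users": len(s["users"]), "registered": s["registered"]}
            for d, s in summary.items() if d in prevalent]
    return sorted(rows, key=lambda r: (-r["events"], r["domain"]))


if __name__ == "__main__":
    summary = summarize(SAMPLE_EVENTS)
    for row in display_rows(summary, prevalent_by_events(summary, 2)):
        print(row)
```

With the constructed events, the two prevalence criteria disagree: cloud-storage.com exceeds both thresholds, while pastebin-like.net has three events from a single user, so it is prevalent by event count but not by user count, and its domain does not resolve in the stub DNS table, which is the kind of signal the DNS verification limitation is meant to surface. "Exceeds" is implemented as a strict greater-than comparison; the resolver is injected so the offline run stays deterministic, and `live_resolver` can be passed instead for a real lookup. The public-suffix handling is deliberately minimal and is not a substitute for the Public Suffix List.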
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
Tietz et al. (US-20200193019-A1) discloses a computer-based method to facilitate managing data exfiltration risk in a computer network environment. The method includes collecting computer file management information associated with each respective one of a plurality of computer files in an organization's computer network environment from a computer operating system, collecting user activity information associated with each respective one of a plurality of user sessions by users having access to the organization's computer network environment with a plurality of session monitoring agents, correlating at least some of the collected user activity information to one or more of the computer files associated with the collected file management information, and assessing data exfiltration risk with respect to one or more of the computer files based at least in part on some of the file management information and the correlated user activity information.
Narayanaswamy et al. (US-11416641-B2) discloses a visibility dashboard 600 that provides visibility of enterprise information stored on a cloud computing service (CCS). In one implementation, incident indicator 157 identifies incidents for cloud-based applications 652 and determines a plurality of metadata associated with the objects, as discussed supra. Further, the assembled metadata is depicted using the visibility dashboard 600, which generates a graphical summary of the number of incidents by application 674 and the number of malware incidents in particular. The reference further shows a display of the compromised credentials for incidents for 15 users on a visibility dashboard. In this example, a webhost customer data breach, a Dropbox data breach and a LinkedIn credential dump are included in the report of compromised credentials for the user, who has been obfuscated for the screenshot. It also shows visibility dashboard results for Dropbox for a single user who owns the files. Various file types are included: documents, folders, text files, presentations and video. In this example, only the presentations have been externally shared. In another use case example, the Dropbox file types can include images, css and confidential folders. It shows, for a single user being investigated for compromised credentials, the relationship between the number of files that are private, public and internally shared, as well as the number and types of violations.
THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DUILIO MUNGUIA whose telephone number is (571)270-5277. The examiner can normally be reached M-F 9:30 AM - 5:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni A. Shiferaw can be reached at (571) 272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/DUILIO MUNGUIA/Examiner, Art Unit 2497 /ELENI A SHIFERAW/Supervisory Patent Examiner, Art Unit 2497