DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
The Amendment filed 29 August 2025 has been received and considered.
Claims 2-21 are pending.
This Action is Final.
Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.
The following is a quotation of pre-AIA 35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.
Claims 2-12 in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art. The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is invoked.
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph:
(A) the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function;
(B) the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and
(C) the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function.
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function.
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function.
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
The “data collection module” and “alerting module” limitations are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph.
The limitation “a data classification module” is not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph because the remaining portions of the claim limitation provide structure to these limitations. The “recurrent neural network” provides sufficient additional structure.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.
Claims 2-12 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claim limitation “alerting module” invokes 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. However, the written description fails to disclose the corresponding structure, material, or acts for performing the entire claimed function and to clearly link the structure, material, or acts to the function. The Specification provides no details on the implementation of the alerting/notifying means. The Specification only describes (see paragraph [0046]) high level sending of a “signal” to an administrator. Therefore, the claim is indefinite and is rejected under 35 U.S.C. 112(b) or pre-AIA 35 U.S.C. 112, second paragraph.
Applicant may:
(a) Amend the claim so that the claim limitation will no longer be interpreted as a limitation under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph;
(b) Amend the written description of the specification such that it expressly recites what structure, material, or acts perform the entire claimed function, without introducing any new matter (35 U.S.C. 132(a)); or
(c) Amend the written description of the specification such that it clearly links the structure, material, or acts disclosed therein to the function recited in the claim, without introducing any new matter (35 U.S.C. 132(a)).
If applicant is of the opinion that the written description of the specification already implicitly or inherently discloses the corresponding structure, material, or acts and clearly links them to the function so that one of ordinary skill in the art would recognize what structure, material, or acts perform the claimed function, applicant should clarify the record by either:
(a) Amending the written description of the specification such that it expressly recites the corresponding structure, material, or acts for performing the claimed function and clearly links or associates the structure, material, or acts to the claimed function, without introducing any new matter (35 U.S.C. 132(a)); or
(b) Stating on the record what the corresponding structure, material, or acts, which are implicitly or inherently set forth in the written description of the specification, perform the claimed function. For more information, see 37 CFR 1.75(d) and MPEP §§ 608.01(o) and 2181.
Claims 2-12 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claims 2 and 12 reference “the data log”. It is unclear to what this limitation refers, and as such it lacks antecedent basis. It is unclear whether this “data log” is the same as the data structures or whether it is a different set of data altogether. The remaining claims are rejected by virtue of their dependency from claim 2 or 12.
Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.
The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.
Claims 2-21 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.
Claims 2, 12, and 13 require “avoiding storage” of the data log or the time-series data structures, and while the Specification (see paragraph [0027]) states that the data log is not stored on the device, it lacks any details as to how storage is avoided. More specifically, in order to compile data structures and logs, they must be stored in some sort of memory (e.g. RAM or registers) to be able to be put together into a single structure/log. Therefore, the Specification lacks the necessary details to provide support for this limitation.
Claim 4 requires the “streaming” of segments, but the specification provides no description of any such streaming and therefore lacks written description.
Claims 5 and 14 require intervals between 0.1ms and 10ms, but the specification (see paragraphs [0027]-[0028]) only describes intervals of 10ms and therefore lacks written description for the claimed range.
Claims 6 and 16 require the use of symmetric cryptography, however, the Specification fails to provide that level of detail as it only generally describes encryption.
The remaining claims are rejected by virtue of their dependencies.
Claim Interpretation - 35 USC § 101
As put forth above, claims 2-12 invoke 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph and as such are considered to be a combination of hardware and software. Absent this invocation the claims would be directed towards non-statutory subject matter of software per se. If applicant removes the “means” language, it is suggested to incorporate an explicit recitation of hardware into the claims to avoid a rejection under this interpretation.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims are rejected under 35 U.S.C. 103 as being unpatentable over Polychronou et al. (US 20230273998) in view of Tivadar et al. (US 20240070268) and further in view of Lutas et al. (US 20170180318).
As per claims 2 and 13, Polychronou et al. discloses a method and system for detecting malware on a user computer, comprising: a data collection module configured to monitor hardware performance counters of the user computing device at predetermined intervals and to compile the monitored data into time-series data structures and using the collected data to compile a performance counter data structure (see paragraphs [0080]-[0094] and [0108]-[0113] where the different components, i.e. monitoring module, data limiter and local ML, collect hardware events, and filter them into suspicious hardware performance counter data);
a classification module comprising a semi-supervised recurrent neural network configured to process the time-series data structures and generate anomaly scores, a statistical aggregation mechanism configured to aggregate anomaly indications from the anomaly scores, and a smoothing filter configured to output a classification result indicating benign or malicious behavior (see paragraphs [0114]-[0124] where the filtered events are sent to the remote cloud ML system that uses a semi-supervised RNN to classify the events as malicious or benign).
While the Polychronou et al. system generally has means for notifying the classification (see Fig. 2 numerals 207 and 209), it lacks any explicit recitation of notifying an administrator of the classification output.
However, Tivadar et al. teaches a remote system analyzing hardware events using a recurrent neural network (see paragraphs [0036] and [0076]) that provides notifications to administrators of a classification output (see paragraphs [0032] and [0080] where the user who has control over the device to mitigate the malware, i.e. an administrator, is notified of a classification output).
At a time before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to notify an administrator of the classification output.
Motivation, as recognized by one of ordinary skill in the art, to do so would have been to allow for prompt mitigation of any detected malware.
While the modified Polychronou et al. and Tivadar et al. system generally discloses avoiding the storing of the event data (see Polychronou et al. as applied above where the data is used but only stored in temporary memory) and sending the portions encrypted to a remote device (see Polychronou et al. paragraphs [0109]-[0113]), it fails to explicitly disclose the use of an SSH tunnel to send the data.
However, Lutas et al. teaches the use of an SSH tunnel to send live data (i.e. event data as they occur) (see paragraphs [0053]-[0054]).
At a time before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to include the details of Lutas et al. in the modified Polychronou et al. and Tivadar et al. system.
Motivation, as recognized by one of ordinary skill in the art, to do so would have been to have a more immediate response (i.e. directly sending the events) using a well-known and commonly implemented tunnel (i.e. SSH).
As per claims 3 and 15, the modified Polychronou et al., Tivadar et al., and Lutas et al. system discloses that the data collection module slices said data log into segments using sliding windows of a fixed length (see Polychronou et al. paragraphs [0109]-[0113]).
As per claim 4, the modified Polychronou et al., Tivadar et al., and Lutas et al. system discloses the data collection module avoids storing said data log on the user computing device by streaming each encrypted segment immediately upon generation (see Lutas et al. paragraphs [0053]-[0054]).
As per claims 5 and 14, the modified Polychronou et al., Tivadar et al., and Lutas et al. system discloses the data collection module comprises a kernel module configured to probe hardware performance counters at intervals of between 0.1 ms and 10 ms (see Polychronou et al. paragraphs [0073] and [0119]).
As per claims 6 and 16, the modified Polychronou et al., Tivadar et al., and Lutas et al. system fails to explicitly disclose the key used for encryption is a symmetric key. However, Official Notice is taken that at a time before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to use symmetric keys in the modified Polychronou et al., Tivadar et al., and Lutas et al. system as these are well-known and commonly used encryption keys.
As per claims 7 and 17, the modified Polychronou et al., Tivadar et al., and Lutas et al. system discloses said semi-supervised recurrent neural network comprises a long short-term memory network configured to: predict subsequent time-series values; and compute anomaly scores based on prediction errors (see Polychronou et al. paragraphs [0114]-[0124] where paragraph [0120] explicitly discloses the LSTM).
As per claims 8, 9, 18, and 19, the modified Polychronou et al., Tivadar et al., and Lutas et al. system discloses various statistical aggregation and smoothing methods, but fails to explicitly disclose the use of weights or an exponential moving average. However, Official Notice is taken that at a time before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to include weighted aggregation and EMA smoothing in the modified Polychronou et al., Tivadar et al., and Lutas et al. system as these are well-known and common methods applied to the inputs and outputs of neural networks.
As per claims 10 and 20, the modified Polychronou et al., Tivadar et al., and Lutas et al. system discloses said alerting module is configured to: issue a warning notification when a single anomaly score exceeds a threshold; and issue an alarm notification when multiple anomaly scores exceed respective thresholds within a predefined time window (see Polychronou et al. paragraphs [0100]-[0109] and [0119] and Tivadar et al. paragraph [0055]).
As per claims 11 and 21, the modified Polychronou et al., Tivadar et al., and Lutas et al. system discloses said separate machine stores the reassembled time-series data in a secure environment isolated from the user computing device (see Tivadar et al. paragraphs [0055]-[0059]).
Claim 12 is rejected under 35 U.S.C. 103 as being unpatentable over the modified Polychronou et al., Tivadar et al., and Lutas et al. system as applied to claim 2 above, and further in view of Stefan (US 20240143760).
As per claim 12, the modified Polychronou et al., Tivadar et al., and Lutas et al. system discloses the system as substantially similar to claim 2 and further discloses the use of an autoencoder and a multi-stage processing (see Polychronou et al. paragraphs [0114], [0100]-[0109], and [0119]), but fails to explicitly disclose the autoencoder is trained using benign data.
However, Stefan teaches training an autoencoder using benign data (see paragraph [0044]).
At a time before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to train the autoencoder of the modified Polychronou et al., Tivadar et al., and Lutas et al. system using benign data.
Motivation to do so would have been to detect anomalous data that is different from the benign data (see Stefan paragraph [0044]).
Response to Arguments
Applicant’s arguments with respect to claim(s) 2-21 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: the remaining references put forth on the PTO-892 form are directed towards the use of hardware events and neural networks to detect malware.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL J PYZOCHA whose telephone number is (571)272-3875. The examiner can normally be reached Monday-Thursday 7:30am-5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Hadi Armouche, can be reached at (571) 270-3618. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Michael Pyzocha/ Primary Examiner, Art Unit 2409