Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
Response to Amendment
This is a reply to the application filed on 8/8/2025, in which, claim(s) 1-20 is/are pending.
Response to Arguments
Claim Objection:
Applicant’s arguments with respect to objection of claim(s) 7-10, 12, 14-15, and 17-18 have been considered. The objection has been withdrawn in view of the amendment to claim.
Claim Rejections - 35 U.S.C. § 112:
Applicants’ arguments with respect to the 112 2nd paragraph rejection of claim(s) 1-6 have been fully considered and are persuasive. The rejection under 112 2nd paragraph has been withdrawn in view of the amendment to the claim.
Claim Rejections - 35 U.S.C. § 101:
Applicants’ arguments with respect to claim(s) 1-6 have been fully considered and are persuasive. The rejection under 35 USC §101 has been withdrawn in view of the amendment to the claim.
Regarding the 101 rejections under abstract idea, Applicants argue that the pre-aggregation improves processing speed and reduces load on the final aggregation, and that the final aggregation calculates the boundary values, which is an improvement. (See pp. 1-2 of remarks filed on 8/8/2025)
The Examiner respectfully disagrees. Both the pre-aggregation and the final aggregation are still just abstract ideas, as they are collecting, preparing and processing/categorizing data. As the current claims stand, boundary values are number data, pre-aggregation is preparing the data, and final aggregation is grouping/categorizing based on the data. The Applicants need to define the pre-aggregation steps and final aggregation boundaries to define the invention. Applicants’ arguments with respect to claim(s) 7-18 and 20 have been fully considered and are not persuasive.
Claim Rejections - 35 U.S.C. § 102 and 35 U.S.C. § 103:
Applicant argues that “1. The pre-aggregation module both continuously processes raw data and executes the most demanding computations to improve performance and reduce load on the final aggregation module; and 2. The final aggregation module operates on statistical boundary values derived from multiple aggregated datasets, enabling detection of deviations in the proportion of automated vs. non-automated network activities.” (See pg. 4 of the Remarks filed on 8/8/2025).
The Examiner respectfully disagrees. In response to applicant's argument that the references fail to show certain features of the invention, it is noted that the features upon which applicant relies (i.e., 1. The pre-aggregation module both continuously processes raw data and executes the most demanding computations to improve performance and reduce load on the final aggregation module; and 2. The final aggregation module operates on statistical boundary values derived from multiple aggregated datasets, enabling detection of deviations in the proportion of automated vs. non-automated network activities) are not recited in the rejected claim(s). Although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims. See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993).
Based on claims 1 and 7, the pre-aggregation processes raw data and makes demanding computations. Since it is not clear what the “demanding computation” is, based on broadest reasonable interpretation, it means analyzing and preparing the data, which is a standard process, as before you can aggregate the data, you need to know what data is to be aggregated. Furthermore, the final aggregation is performed on all the events collected, which come from the event collection module, not on statistical boundary values from the analysis module as Applicant argues.
Applicants’ arguments with respect to claims rejected under prior art have been fully considered but they are not persuasive.
Applicant’s arguments with respect to claim(s) 1-20 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.
Claims 1-6 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claim 1 recites “a final aggregation module comprising executable instructions executed by the hardware processor to perform final aggregation of all events collected in the network traffic, wherein the final aggregation module comprises a pre-aggregation module comprising executable instructions executed by the hardware processor to continuously process raw data and perform demanding computations and configured to continuously process raw data and make demanding computations, wherein the event collection module is connected to the pre-aggregation module that is connected to the analysis module and/or to the final aggregation module, wherein the analysis module is also connected to the final aggregation module, and wherein the list of decision signatures is connected to the event collection module and to the final aggregation module.”
If the final aggregation module comprises a pre-aggregation module, it is unclear how the event collection module can connect to the pre-aggregation module and not connect to the final aggregation module. Since the pre-aggregation is part of the final aggregation, if the event collection module connects to the pre-aggregation, it must connect to the final aggregation module as well, and not as an and/or option.
Claim(s) 7 recites the limitation “aggregating all events collected in the network traffic is performed using the final aggregation module comprising executable instructions executed by the hardware processor.” (emphasis added). There is insufficient antecedent basis for the term “the final aggregation module” limitation in the claim.
Dependent claims 8-20 are rejected at least in part for incorporating the deficiency as stated above.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claim(s) 1-18 and 20 is/are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.
The claimed invention is directed to a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea) without significantly more. Claim(s) 1 and 7 is/are directed to a method and system. The claim(s) do not include additional elements that are sufficient to amount to significantly more than the judicial exception because the claimed invention is directed to a judicial exception (i.e. an abstract idea) without significantly more. Based upon consideration of all of the relevant factors with respect to the claims as a whole, claims are held to claim an unpatentable abstract idea, and are therefore rejected as ineligible subject matter under 35 U.S.C. § 101.
Inventions for a “new and useful process, machine, manufacture, or composition of matter” generally constitute patent-eligible subject matter. 35 U.S.C. § 101. However, the U.S. Supreme Court has long interpreted 35 U.S.C. § 101 to include implicit exceptions: “[l]aws of nature, natural phenomena, and abstract ideas” are not patentable. Alice Corp. v. CLS Bank Int’l, 573 U.S. 208, 216 (2014).
The Supreme Court, in Alice, reiterated the two-step framework previously set forth in Mayo Collaborative Services v. Prometheus Laboratories, Inc., 566 U.S. 66 (2012), “for distinguishing patents that claim laws of nature, natural phenomena, and abstract ideas from those that claim patent-eligible applications of those concepts.” Alice Corp., 573 U.S. at 217. The first step in that analysis is to “determine whether the claims at issue are directed to one of those patent-ineligible concepts.” Id. If the claims are not directed to a patent-ineligible concept, e.g., an abstract idea, the inquiry ends. Otherwise, the inquiry proceeds to the second step where the elements of the claims are considered “individually and ‘as an ordered combination’” to determine whether there are additional elements that “‘transform the nature of the claim’ into a patent-eligible application.” Id. (quoting Mayo, 566 U.S. at 79, 78). This is “a search for an ‘inventive concept’ - i.e., an element or combination of elements that is ‘sufficient to ensure that the patent in practice amounts to significantly more than a patent upon the [ineligible concept] itself.’” Id. at 217-18 (alteration in original).
The USPTO published revised guidance on January 7, 2019, for use by USPTO personnel in evaluating subject matter eligibility under 35 U.S.C. § 101. 2019 REVISED PATENT SUBJECT MATTER ELIGIBILITY GUIDANCE, 84 Fed. Reg. 50 (Jan. 7, 2019) (the “2019 Revised Guidance”). That guidance revised the USPTO's examination procedure with respect to the first step of the Mayo/Alice framework by (1) “[p]roviding groupings of subject matter that [are] considered an abstract idea”; and (2) clarifying that a claim is not “directed to” a judicial exception if the judicial exception is integrated into a practical application of that exception. Id. at 50.
The first step, as set forth in the 2019 Revised Guidance (i.e., Step 2A), is, thus, a two-prong test. In Step 2A, Prong One, we look to whether the claim recites a judicial exception, e.g., one of the following three groupings of abstract ideas: (1) mathematical concepts; (2) certain methods of organizing human activity, e.g., fundamental economic principles or practices, commercial or legal interactions; and (3) mental processes. See 2019 Revised Guidance, 84 Fed. Reg. at 54; MPEP §§ 2106.04(II)(A)(1), 2106.04(a). If so, we next determine, in Step 2A, Prong Two, whether the claim as a whole integrates the recited judicial exception into a practical application of that exception, i.e., whether the additional elements recited in the claim beyond the judicial exception, apply, rely on, or use the judicial exception in a manner that imposes a meaningful limit on the judicial exception, such that the claim is more than a drafting effort designed to monopolize the judicial exception. See 2019 Revised Guidance, 84 Fed. Reg. at 54-55; MPEP §§ 2106.04(II)(A)(2), 2106.04(d). Only if the claim (1) recites a judicial exception and (2) does not integrate that exception into a practical application do we conclude that the claim is “directed to” the judicial exception, e.g., an abstract idea. See 2019 Revised Guidance, 84 Fed. Reg. at 54-55; MPEP § 2106.04(II)(A)(2).
If the claim is determined to be directed to a judicial exception under Step 2A, we next evaluate the additional elements, individually and in combination, in Step 2B, to determine whether they provide an inventive concept, i.e., whether the additional elements or combination of elements amounts to significantly more than the judicial exception itself; only then, is the claim patent eligible. See 2019 Revised Guidance, 84 Fed. Reg. at 56; MPEP § 2106.05.
Step One of the Mayo/Alice Framework (2019 Revised Guidance, Step 2A)
2019 Revised Guidance, Step 2A, Prong 1
The abstract idea to which claims 1-18 and 20 are directed is a mental process, such as concepts performed in the human mind (including an observation, evaluation, judgement, opinion), and mathematical relationships/calculations. In particular, the claims recite the following abstract concepts:
“collecting events in the network traffic using the event collection module;” (i.e., abstract idea of receiving and collecting data/information as found abstract by the Courts in Internet Patents, Content Extraction, Digitech, CyberSource, Electric Power Group, Classen, FairWarning)
“pre-aggregating raw data using the pre-aggregation module;” (i.e., abstract idea of mental process of detecting, analyzing data, data recognition and storage as found abstract by the Courts in TLI Comms, Digitech, SmartGene, Bancorp Servs, Electric Power Group, Classen, FairWarning, Cybersource)
“calculating, based on the collected events, boundary values of a typical proportion of automated and non-automated activities in the network traffic are calculated using the analysis module;” (i.e., abstract idea of organizing and manipulating information through mathematical correlations (Digitech) and mathematical formula for calculating parameters indicating an abnormal condition (Grams))
“aggregating all events collected in the network traffic is performed using the final aggregation module.” (i.e., abstract idea of organizing and manipulating information through mathematical correlations (Digitech) and mathematical formula for calculating parameters indicating an abnormal condition (Grams))
The Supreme Court and Federal Circuit have identified abstract ideas in patent claims by making comparisons to concepts found in past decisions to be judicial exceptions to eligibility. The 2019 IEG summarizes concepts the courts have considered to be abstract ideas by associating eligibility decisions with judicial descriptors (e.g., “an idea of itself,” “certain methods of organizing human activities”, “mathematical relationships and formulas”) based on common characteristics. These associations define the judicial descriptors in a manner that stays within the confines of the judicial precedent, with the understanding that these associations are not mutually exclusive, i.e., some concepts may be associated with more than one judicial descriptor.
The abstract functions of the claims in this case are that the claim(s) is/are directed to a system and method of receiving and collecting data/information (i.e., abstract idea mental process) and providing cleaned data collection as defined by the claimed steps above.
The present claims, as a whole and as individual limitations, recite the abstract concept of data collection, comparing and removing of data. As such the claims are analogous to Digitech, Content Extraction and FairWarning, 839 F.3d at 1093-94 (concluding claims directed to "collecting, comparing and removing personal information when personal information is detected" to be mental processes within the abstract-idea category); Electric Power Group; and TLI Comms.
Looking at the steps of the claims, for each of the claims, data is simply being collected, compared and removed, which was ruled abstract in:
a. Collecting and comparing known information (Classen);
b. Comparing information regarding a sample or test subject to a control or target data (Ambry/Myriad CAFC);
c. Collecting and analyzing information to detect misuse and notifying a user when misuse is detected (FairWarning);
d. Data recognition and storage (Content Extraction);
e. Obtaining and comparing intangible data (Cybersource);
f. Collecting, selecting, categorizing, analyzing, and displaying certain results of the collection and analysis (Electric Power Group);
g. Organizing and manipulating information through mathematical correlations (Digitech);
h. Virus Screening (Int. Ventures v. Symantec ‘610 patent);
i. A mathematical formula for calculating parameters indicating an abnormal condition (Grams).
Furthermore, the invention is nothing more than data collecting and comparing as described in the claims that can be performed mentally (or with a pen and piece of paper). The steps are similar to concepts and ideas that have been identified as abstract by the courts. For example, calculating using boundaries and performing aggregation (Electric Power Group and Grams). While the specific facts of the case differ from these cases, the claims are still directed to collecting, comparing, and removing information and providing known information.
2019 Revised Guidance, Step 2A, Prong 2
The 2019 Revised Guidance sets forth a non-exhaustive listing of considerations indicative that an additional element or combination of elements may have integrated a recited judicial exception into a practical application. See 2019 Revised Guidance, 84 Fed. Reg. at 55; MPEP § 2106.04(d). In particular, the Guidance describes that an additional element may have integrated the judicial exception into a practical application if, inter alia, the additional element reflects an improvement in the functioning of a computer or an improvement to other technology or a technical field. Id. At the same time, the Guidance makes clear that merely including instructions to implement an abstract idea on a computer, or merely using a computer as a tool to perform an abstract idea; adding insignificant extra-solution activity to the judicial exception; or only generally linking the use of the judicial exception to a particular technological environment or field are not sufficient to integrate the judicial exception into a practical application. Id.
The abstract functions of the claims in this case are that the claim(s) is/are directed to a system and method of data processing to detect personal information (i.e., abstract idea mental process) and providing the clean data as defined by the claimed steps. The claims do not require an arguably inventive set of components, methods, or algorithms. The recitation of “modules”. The abstract idea is implemented using generic computing elements and an off the shelf that do not integrate a practical application of the abstract idea in the claims (step 2A, prong 2). Accordingly, even in combination, these additional generic computing elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea. The claims recite a mental process, i.e., an abstract idea, and the additional elements recited in the claim beyond the abstract idea are no more than generic computer components used as tools to perform the recited abstract idea and insignificant extra-solution activity. As such, they do not integrate the abstract idea into a practical application. See Alice Corp., 573 U.S. at 223-24 (“[W]holly generic computer implementation is not generally the sort of ‘additional featur[e]’ that provides any ‘practical assurance that the process is more than a drafting effort designed to monopolize the [abstract idea] itself.’” (quoting Mayo, 566 U.S. at 77)); 2019 Revised Guidance, 84 Fed. Reg. at 55 (identifying “an additional element adds insignificant extra-solution activity to the judicial exception” and “an additional element does no more than generally link the use of a judicial exception to a particular technological environment or field of use” as examples in which a judicial exception has not been integrated into a practical application).
Step Two of the Mayo/Alice Framework (2019 Revised Guidance, Step 2B)
Step 2B: Considering Additional Elements
The considerations are whether the claim includes:
Improvements to another technology or technical field;
Improvements to the functioning of the computer itself;
Applying the judicial exception with, or by use of, a particular machine;
Effecting a transformation or reduction of a particular article to a different state or thing;
Adding a specific limitation other than what is well-understood, routine and conventional in the field, or adding unconventional steps that confine the claim to a particular useful application;
Other meaningful limitations beyond generally linking the use of the judicial exception to a particular technological environment;
Adding the words "apply it" (or an equivalent) with the judicial exception, or mere instructions to implement an abstract idea on a computer;
Simply appending well-understood, routine, conventional activities previously known to the industry, specified at a high level of generality, to the judicial exception;
Adding insignificant extra-solution activity to the judicial exception;
Generally linking the use of the judicial exception to a particular technological environment or field of use.
The relevant question under Step 2B is whether the claim includes an additional element or combination of elements that adds specific limitations beyond the judicial exception that are not “well-understood, routine, conventional activity” in the field, or simply appends well-understood, routine, conventional activities previously known to the industry to the judicial exception. Here, the additional elements of the claim beyond the abstract idea, namely, “computer hardware”, “programs”, and a “machine learning model”, are conventional computing equipment and algorithms used in a well-understood, routine, and conventional manner. These additional elements do not provide an inventive concept; rather, they simply append well-understood, routine, conventional activities previously known to the industry to the judicial exception.
Applying the test to the claims in the application, the structural elements of the claims, which include “modules”, when taken in combination with the functional elements of the claim(s), which is/are directed to a method of collecting data, analyzing, calculating and performing aggregation, together do not offer “significantly more” than the abstract idea itself because the claims do not recite an improvement to another technology or technical field, an improvement to the functioning of any computer itself, or provide meaningful limitations beyond generally linking an abstract idea to a particular technological environment (a general purpose computer and/or environment of the user). When considered as an ordered combination, the Examiner does not find any combination of the additional elements that amounts to more than the sum of the parts. The Examiner finds that the individual elements of the claims are performing their intended roles and functions. In most cases, the additional elements are applied merely to carry out data processing, which, as discussed above, falls under well-understood, routine, and conventional functions of generic computers in our common day-to-day interactions. Therefore, the claimed interactions of the various generically recited methods/devices lack an unconventional step that confines the claim to a particular useful application, in the sense that the result is equivalent to purely mental activity, e.g., aggregating of data.
Dependent claims do not add an inventive step to the abstract idea of the independent claims and are therefore rejected based on the aforementioned rationale discussed in the rejection. Dependent claims 8-18 and 20 do not add any inventive concept, use an unconventional computing element, or improve the underlying computer technology.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claim(s) 1-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Shin et al. (US 20060085855 A1; hereinafter Shin) in view of Sheppard (US 20110016522 A1) further in view of Zou et al. (US 20150149609 A1; hereinafter Zou).
Regarding claims 1 and 7, Shin discloses a system for automatic assessment of the network traffic signature quality, implemented on a tangible computing device comprising at least one hardware processor, a non-transitory memory storing executable instructions, and a network interface, comprising:
an event collection module comprising executable instructions stored in the non-transitory memory and executed by the hardware processor to collect events in the network traffic via the network interface (monitoring network traffics, collecting and storing suspicious packets [Shin; ¶12-13; Fig. 1 and associated text]);
a list of decision signatures (signature database [Shin; ¶12, 24; Fig. 1 and associated text]);
a final [aggregation] module comprising executable instructions executed by the hardware processor to perform final aggregation of all events collected in the network traffic, wherein the final aggregation module (As shown in FIG. 1, a packet collecting unit 310, a packet analyzing unit 320, a signature creating and verifying unit 330, a signature testing unit 340, and a signature applying unit 350 [Shin; ¶24-29; Figs. 1, 3-4 and associated texts]),
wherein the event collection module is connected to the pre-aggregation module that is connected to the analysis module and/or to the final aggregation module, wherein the analysis module is also connected to the final [aggregation] module, and the list of decision signatures is connected to the event collection module and to the final [aggregation] module (the anomaly behavior based detecting device 200 detects the suspicious packets, the packet collecting unit 310 collects and stores the detected suspicious packets. Each of the stored suspicious packets includes destination/source IP address information, destination/source port number information, protocol information, data payload information, severity information indicating a severity degree of the detected result, and the like. Alternatively, the packet analyzing unit 320 searches for and analyzes common information of packet information on the basis of the collected packet information. As shown in FIG. 3, the packet analyzing unit 320 includes a packet receiving unit 321, a packet header analyzing unit 322, a packet payload analyzing unit 323, and a packet analysis result transmitting unit 324. At this time, the packet receiving unit 321 receives packet data collected through the packet collecting unit 310 to transmit the received packet data to the packet header analyzing unit 322. The packet header analyzing unit 322 receives the packet data from the packet receiving unit 321 to analyze a destination/source IP address common portion, a destination/source port number common portion, a protocol common portion and a packet payload size common portion of the received packet data. Further, the packet payload analyzing unit 323 receives an analyzed result of the packet data from the packet header analyzing unit 322 to separate packet payloads of the packet data every kind and search each kind of the packet payloads for a common portion. 
The packet analysis result transmitting unit 324 transmits common portion result information of packet information, which are analyzed through the packet payload analyzing unit 323, to the signature creating and verifying unit 330. Meanwhile, the signature creating and verifying unit 330 creates the signature applicable to the signature based detecting device 100, on the basis of the analyzed result using the packet payload analyzing unit 323, and then constructs an actual detection system environment to verify whether or not the new signature is actually applicable to the signature based detecting device 100. As shown in FIG. 4, the signature creating and verifying unit 330 includes a signature creation and verification result analyzing unit 331, a signature transmitting unit 332, and a signature test result receiving unit 333. [Shin; ¶24-29; Figs. 1, 3-4 and associated texts]). Shin discloses a signature based detecting device; an anomaly behavior based detecting device; and a new signature creating and verifying device disposed between the signature based detecting device and the anomaly behavior based detecting device. Shin does not explicilty discloses an analysis module comprising executable instructions executed by the hardware processor to calculate, based on collected events, boundary values of a typical proportion of automated and non-automated activities in the network traffic; a pre-aggregation module comprising executable instructions executed by the hardware processor to continuously process raw data and perform demanding computations and configured to continuously process raw data and make demanding computations, and the signature creating and verifying unit performed an aggregated function; however, in a related and analogous art, Sheppard teaches this feature.
In particular, Sheppard teaches calculating characteristics of the network traffics and event and established thresholds value, the selected data item is then processed in accordance with one more processing technique to obtain characteristic metrics in respect to the selected data item. The resulting values of the characteristic metrics are combined to obtain an "aggregate thumbprint" of the selected data item. The aggregate thumbprints of sequences of activity patterns, such as network intrusion detection signatures, can be calculated. This can provide a means of correlating such activity and identifying similar patterns [Sheppard; ¶10, 25-29, 46-48, 72; Fig. 2, 5 and associated texts]. It would have been obvious before the effective filing date of the claimed invention to modify Shin in view of Sheppard aggregated function of the selected data item with the motivation to improve data precision of the characteristic metrics [Sheppard; ¶10-12]. Shin-Sheppard combination discloses collecting network traffics and events, use the traffic data to calculate characteristics metrics and aggregating the metrics. Since the claim does not clarify what demanding computation occurs. Thus, it is considered as calculating metrics from the data and events; however, if the claims indicate the demanding computation to be independent and offload the aggregation function. Zou would teach this feature.
In particular, Zou teaches an independent pre-aggregator that operates in part on raw performance data. It parses data, extracting and mapping the data to a mapping table [Zou; ¶23-24; Fig. 2 and associated text]. It would have been obvious to one with ordinary skill in the art before the effective filing date of the claimed invention to modify the Shin-Sheppard combination in view of Zou to offload the pre-aggregation with the motivation to reduce overload and achieve faster detection of malicious content.
Regarding claim 2, Shin-Sheppard-Zou combination discloses the system for automatic assessment of the network traffic signature quality of Claim 1 is characterized in that the event collection module is configured to collect events in the network traffic from at least one computer, computer system, and/or server configured to connect to the network (packets collected in a packet collecting unit from network packet [Shin; ¶25-26; Fig. 2 and associated text]).
Regarding claim 3, Shin-Sheppard-Zou combination discloses the system for automatic assessment of the network traffic signature quality of Claim 1, wherein the event collection module includes a grouping module (packets collected in a packet collecting unit from network packet and grouped, based on criteria [Shin; ¶25-27; Fig. 2 and associated text]).
Regarding claim 4, Shin-Sheppard-Zou combination discloses the system for automatic assessment of the network traffic signature quality of Claim 1, wherein in that the analysis module includes a list of boundary values and a boundary value repository module configured to update the list of boundary values (the packet payload analyzing unit 323 receives an analyzed result of the packet data from the packet header analyzing unit 322 to separate packet payloads of the packet data every kind and search each kind of the packet payloads for a common portion. The packet analysis result transmitting unit 324 transmits common portion result information of packet information, which are analyzed through the packet payload analyzing unit 323, to the signature creating and verifying unit 330 [Shin; ¶25-28; Fig. 2 and associated text]).
Regarding claim 5, Shin-Sheppard-Zou combination discloses the system for automatic assessment of the network traffic signature quality of Claim 1, wherein the analysis module includes an assessment module configured to assess the presence of statistical outliers (the packet payload analyzing unit 323 receives an analyzed result of the packet data from the packet header analyzing unit 322 to separate packet payloads of the packet data every kind and search each kind of the packet payloads for a common portion. The packet analysis result transmitting unit 324 transmits common portion result information of packet information, which are analyzed through the packet payload analyzing unit 323, to the signature creating and verifying unit 330. Meanwhile, the signature creating and verifying unit 330 creates the signature applicable to the signature based detecting device 100, on the basis of the analyzed result using the packet payload analyzing unit 323, and then constructs an actual detection system environment to verify whether or not the new signature is actually applicable to the signature based detecting device 100. As shown in FIG. 4, the signature creating and verifying unit 330 includes a signature creation and verification result analyzing unit 331, a signature transmitting unit 332, and a signature test result receiving unit 333 [Shin; ¶27-29; Fig. 2 and associated text]).
Regarding claim 6, Shin-Sheppard-Zou combination discloses the system for automatic assessment of the network traffic signature quality of Claim 1, wherein the final aggregation module includes a signature repository module configured to update the list of decision signatures (the signature creating and verifying unit 330 creates the signature applicable to the signature based detecting device 100, on the basis of the analyzed result using the packet payload analyzing unit 323, and then constructs an actual detection system environment to verify whether or not the new signature is actually applicable to the signature based detecting device 100. As shown in FIG. 4, the signature creating and verifying unit 330 includes a signature creation and verification result analyzing unit 331, a signature transmitting unit 332, and a signature test result receiving unit 333. [Shin; ¶24-29; Figs. 1, 3-4 and associated texts]. Sheppard teaches the selected data item is then processed in accordance with one more processing technique to obtain characteristic metrics in respect to the selected data item. The resulting values of the characteristic metrics are combined to obtain an "aggregate thumbprint" of the selected data item. The aggregate thumbprints of sequences of activity patterns, such as network intrusion detection signatures, can be calculated. This can provide a means of correlating such activity and identifying similar patterns [Sheppard; ¶10, 72; Fig. 1, 5 and associated texts]. The motivation to improve data precision of the characteristic metrics [Sheppard; ¶10-12].
Regarding claim 8, Shin-Sheppard-Zou combination discloses the method of automatic assessment of the network traffic signature quality of Claim 7, wherein, after the step of collecting events in the network traffic using the event collection module, events are grouped according to signatures using the grouping module included in the event collection module (the signature transmitting unit 332 receives the new signature from the signature creation and verification result analyzing unit 331, and then transmits the received new signature to the signature testing unit 340. The signature test result receiving unit 333 receives a test result value for the new signature from the signature testing unit 340 to transmit the received test result value to the signature creation and verification result analyzing unit 331. The signature testing unit 340 tests the new signature, which is created through the signature creating and verifying unit 330, through a normal actual network traffic, by concurrently applying normal network packets introduced from the network and the suspicious packets detected using the anomaly behavior based detecting device 200 [Shin; ¶30-32; Figs. 1, 3-4 and associated texts]. The resulting values of the characteristic metrics are combined to obtain an "aggregate thumbprint" of the selected data item. The aggregate thumbprints of sequences of activity patterns, such as network intrusion detection signatures, can be calculated. This can provide a means of correlating such activity and identifying similar patterns [Sheppard; ¶10, 72; Fig. 1, 5 and associated texts]. The motivation to improve data precision of the characteristic metrics [Sheppard; ¶10-12].
Regarding claim 9, Shin-Sheppard-Zou combination discloses the method of automatic assessment of the network traffic signature quality of Claim 7, wherein, after the step of calculating, based on collected events, the boundary values of a typical proportion of automated and non-automated activities in the network traffic, the list of boundary values is automatically updated using the boundary value repository module (the packet payload analyzing unit 323 receives an analyzed result of the packet data from the packet header analyzing unit 322 to separate packet payloads of the packet data every kind and search each kind of the packet payloads for a common portion. The packet analysis result transmitting unit 324 transmits common portion result information of packet information, which are analyzed through the packet payload analyzing unit 323, to the signature creating and verifying unit 330 [Shin; ¶25-28; Fig. 2 and associated text]).
Regarding claim 10, Shin-Sheppard-Zou combination discloses the method of automatic assessment of the network traffic signature quality of Claim 7, wherein, after the step of calculating, based on collected events, the boundary values of a typical proportion of automated and non-automated activities in the network traffic, the presence of statistical outliers is assessed using the assessment module (the signature transmitting unit 332 receives the new signature from the signature creation and verification result analyzing unit 331, and then transmits the received new signature to the signature testing unit 340. The signature test result receiving unit 333 receives a test result value for the new signature from the signature testing unit 340 to transmit the received test result value to the signature creation and verification result analyzing unit 331. The signature testing unit 340 tests the new signature, which is created through the signature creating and verifying unit 330, through a normal actual network traffic, by concurrently applying normal network packets introduced from the network and the suspicious packets detected using the anomaly behavior based detecting device 200 [Shin; ¶30-31; Fig. 1 and associated text]).
Regarding claim 11, Shin-Sheppard-Zou combination discloses the method of automatic assessment of the network traffic signature quality of Claim 7, wherein the step of pre-aggregating raw data using the pre-aggregation module is implemented as follows: raw demanding data collected from the events are recorded; demanding computations with the recorded raw data collected from the events are made (the packet collecting unit 310 collects and stores the detected suspicious packets. At this time, as shown in FIG. 2, each of the stored suspicious packets includes destination/source IP address information, destination/source port number information, protocol information, data payload information, severity information indicating a severity degree of the detected result, and the like [Shin; ¶25-28; Fig. 1-2 and associated text]).
Regarding claim 12, Shin-Sheppard-Zou combination discloses the method of automatic assessment of the network traffic signature quality of Claim 7, wherein, at the step of pre-aggregating raw data, after the step of demanding computations with the recorded raw data, using the pre-aggregation module, at least one of the following is performed:
pre-processed data are sent to the analysis module; pre-processed data are sent to the final aggregation module (the collected data are sent to the analysis unit for analyzing [Shin; ¶25-28; Fig. 1-2 and associated text]).
Regarding claim 13, Shin-Sheppard-Zou combination discloses the method of automatic assessment of the network traffic signature quality of Claim 7, wherein the final aggregation of all events using the final aggregation module, is performed by comparing the calculated boundary values of a typical proportion of automated and non-automated activities in the network traffic (the signatures are used in comparing with the signature based detecting, such that the signature transmitting unit 332 receives the new signature from the signature creation and verification result analyzing unit 331, and then transmits the received new signature to the signature testing unit 340. The signature test result receiving unit 333 receives a test result value for the new signature from the signature testing unit 340 to transmit the received test result value to the signature creation and verification result analyzing unit 331. The signature testing unit 340 tests the new signature, which is created through the signature creating and verifying unit 330, through a normal actual network traffic, by concurrently applying normal network packets introduced from the network and the suspicious packets detected using the anomaly behavior based detecting device 200 [Shin; ¶30-31; Fig. 1 and associated text]).
Regarding claim 14, Shin-Sheppard-Zou combination discloses the method of automatic assessment of the network traffic signature quality of Claim 7, wherein, the final aggregation of all events using the final aggregation module, is performed by comparing the calculated boundary values of a typical proportion of automated and non-automated activities in the network traffic with the boundary values of a typical proportion of automated and non-automated activities in the network traffic calculated in at least one previous cycle (the signature transmitting unit 332 receives the new signature from the signature creation and verification result analyzing unit 331, and then transmits the received new signature to the signature testing unit 340. The signature test result receiving unit 333 receives a test result value for the new signature from the signature testing unit 340 to transmit the received test result value to the signature creation and verification result analyzing unit 331. The signature testing unit 340 tests the new signature, which is created through the signature creating and verifying unit 330, through a normal actual network traffic, by concurrently applying normal network packets introduced from the network and the suspicious packets detected using the anomaly behavior based detecting device 200 [Shin; ¶30-32; Figs. 1, 3-4 and associated texts]. The resulting values of the characteristic metrics are combined to obtain an "aggregate thumbprint" of the selected data item. The aggregate thumbprints of sequences of activity patterns, such as network intrusion detection signatures, can be calculated. This can provide a means of correlating such activity and identifying similar patterns [Sheppard; ¶10, 72; Fig. 1, 5 and associated texts]. The motivation to improve data precision of the characteristic metrics [Sheppard; ¶10-12].
Regarding claim 15, Shin-Sheppard-Zou combination discloses the method of automatic assessment of the network traffic signature quality of Claim 7, wherein, the final aggregation of all events using the final aggregation module is performed by assessment based on calculated boundary values of a typical proportion of automated and non-automated activities in the network traffic and of a ratio of automated to non-automated activities in the network traffic (the signature transmitting unit 332 receives the new signature from the signature creation and verification result analyzing unit 331, and then transmits the received new signature to the signature testing unit 340. The signature test result receiving unit 333 receives a test result value for the new signature from the signature testing unit 340 to transmit the received test result value to the signature creation and verification result analyzing unit 331. The signature testing unit 340 tests the new signature, which is created through the signature creating and verifying unit 330, through a normal actual network traffic, by concurrently applying normal network packets introduced from the network and the suspicious packets detected using the anomaly behavior based detecting device 200 [Shin; ¶30-32; Figs. 1, 3-4 and associated texts]. The resulting values of the characteristic metrics are combined to obtain an "aggregate thumbprint" of the selected data item. The aggregate thumbprints of sequences of activity patterns, such as network intrusion detection signatures, can be calculated. This can provide a means of correlating such activity and identifying similar patterns [Sheppard; ¶10, 72; Fig. 1, 5 and associated texts]. The motivation to improve data precision of the characteristic metrics [Sheppard; ¶10-12].
Regarding claim 16, Shin-Sheppard-Zou combination discloses the method of automatic assessment of the network traffic signature quality of Claim 14, wherein the decision signatures generate the final aggregation of all events using the final aggregation module based on the performed assessment (The signature test result receiving unit 333 receives a test result value for the new signature from the signature testing unit 340 to transmit the received test result value to the signature creation and verification result analyzing unit 331. The signature testing unit 340 tests the new signature, which is created through the signature creating and verifying unit 330, through a normal actual network traffic, by concurrently applying normal network packets introduced from the network and the suspicious packets detected using the anomaly behavior based detecting device 200 [Shin; ¶30-32; Figs. 1, 3-4 and associated texts]. The resulting values of the characteristic metrics are combined to obtain an "aggregate thumbprint" of the selected data item. The aggregate thumbprints of sequences of activity patterns, such as network intrusion detection signatures, can be calculated. This can provide a means of correlating such activity and identifying similar patterns [Sheppard; ¶10, 72; Fig. 1, 5 and associated texts]. The motivation to improve data precision of the characteristic metrics [Sheppard; ¶10-12].
Regarding claim 17, Shin-Sheppard-Zou combination discloses the method of automatic assessment of the network traffic signature quality of claim 16, wherein, for final aggregation of all events using the final aggregation module, the generated decision signatures are saved to the list of decision signatures (The signature test result receiving unit 333 receives a test result value for the new signature from the signature testing unit 340 to transmit the received test result value to the signature creation and verification result analyzing unit 331. The signature testing unit 340 tests the new signature, which is created through the signature creating and verifying unit 330, through a normal actual network traffic, by concurrently applying normal network packets introduced from the network and the suspicious packets detected using the anomaly behavior based detecting device 200 [Shin; ¶30-32; Figs. 1, 3-4 and associated texts]. The resulting values of the characteristic metrics are combined to obtain an "aggregate thumbprint" of the selected data item. The aggregate thumbprints of sequences of activity patterns, such as network intrusion detection signatures, can be calculated. This can provide a means of correlating such activity and identifying similar patterns [Sheppard; ¶10, 72; Fig. 1, 5 and associated texts]. The motivation to improve data precision of the characteristic metrics [Sheppard; ¶10-12].
Regarding claim 18, Shin-Sheppard-Zou combination discloses the method of automatic assessment of the network traffic signature quality of Claim 16, wherein, for final aggregation of all events using the final aggregation module, the list of decision signatures is updated with the generated decision signatures using the signature repository module included in the final aggregation module (The signature test result receiving unit 333 receives a test result value for the new signature from the signature testing unit 340 to transmit the received test result value to the signature creation and verification result analyzing unit 331. The signature testing unit 340 tests the new signature, which is created through the signature creating and verifying unit 330, through a normal actual network traffic, by concurrently applying normal network packets introduced from the network and the suspicious packets detected using the anomaly behavior based detecting device 200 [Shin; ¶30-32; Figs. 1, 3-4 and associated texts]. The resulting values of the characteristic metrics are combined to obtain an "aggregate thumbprint" of the selected data item. The aggregate thumbprints of sequences of activity patterns, such as network intrusion detection signatures, can be calculated. This can provide a means of correlating such activity and identifying similar patterns [Sheppard; ¶10, 72; Fig. 1, 5 and associated texts]. The motivation to improve data precision of the characteristic metrics [Sheppard; ¶10-12].
Regarding claim 19, Shin-Sheppard-Zou combination discloses the method of automatic assessment of the network traffic signature quality of Claim 7, wherein the final aggregation of all events using the final aggregation module, which is performed as follows:
calculated boundary values of a typical proportion of automated and non-automated activities in the network traffic are compared with the boundary values of a typical proportion of automated and non-automated activities in the network traffic calculated in at least one previous cycle; based on calculated boundary values of a proportion of automated and non-automated activities in the network traffic, the ratio of automated to non-automated activities in the network traffic is assessed; based on the assessment, decision signatures are generated; the generated decision signatures are saved in the list of decision signatures; the list of decision signatures is updated with the generated decision signatures using the signature repository module included into the final aggregation module (The signature test result receiving unit 333 receives a test result value for the new signature from the signature testing unit 340 to transmit the received test result value to the signature creation and verification result analyzing unit 331. The signature testing unit 340 tests the new signature, which is created through the signature creating and verifying unit 330, through a normal actual network traffic, by concurrently applying normal network packets introduced from the network and the suspicious packets detected using the anomaly behavior based detecting device 200 [Shin; ¶30-32; Figs. 1, 3-4 and associated texts]. The resulting values of the characteristic metrics are combined to obtain an "aggregate thumbprint" of the selected data item. The aggregate thumbprints of sequences of activity patterns, such as network intrusion detection signatures, can be calculated. This can provide a means of correlating such activity and identifying similar patterns [Sheppard; ¶10, 72; Fig. 1, 5 and associated texts]. The motivation to improve data precision of the characteristic metrics [Sheppard; ¶10-12].
Regarding claim 20, Shin-Sheppard-Zou combination discloses the method of automatic assessment of the network traffic signature quality of any one of Claim 7, wherein each step is performed separately for each group of events generated using the grouping module according to signatures (The resulting values of the characteristic metrics are combined to obtain an "aggregate thumbprint" of the selected data item. The aggregate thumbprints of sequences of activity patterns, such as network intrusion detection signatures, can be calculated. This can provide a means of correlating such activity and identifying similar patterns [Sheppard; ¶10, 72; Fig. 1, 5 and associated texts]). The motivation to improve data precision of the characteristic metrics [Sheppard; ¶10-12].
Internet Communications
Applicant is encouraged to submit a written authorization for Internet communications (PTO/SB/439, http://www.uspto.gov/sites/default/files/documents/sb0439.pdf) in the instant patent application to authorize the examiner to communicate with the applicant via email. The authorization will allow the examiner to better practice compact prosecution. The written authorization can be submitted via one of the following methods only: (1) Central Fax which can be found in the Conclusion section of this Office action; (2) regular postal mail; (3) EFS WEB; or (4) the service window on the Alexandria campus. EFS web is the recommended way to submit the form since this allows the form to be entered into the file wrapper within the same day (system dependent). Written authorization submitted via other methods, such as direct fax to the examiner or email, will not be accepted. See MPEP § 502.03.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DAO Q HO whose telephone number is (571)270-5998. The examiner can normally be reached on 7:00am - 5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Nickerson, can be reached on (469) 295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/DAO Q HO/Primary Examiner, Art Unit 2432
1 The MANUAL OF PATENT EXAMINING PROCEDURE (“MPEP”) incorporates the revised guidance and subsequent updates at § 2106 (9th ed. Rev. 10.2019, rev. June 2020).