Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
Elected claims 1-7 are pending examination. Non-elected claims 8-20 should be canceled in a subsequent reply.
Election/Restrictions
Applicant's election with traverse of Group I (Claims 1-7) in the reply filed on 10/27/2025 is acknowledged. The traversal is on the grounds that (A) the claims are not “independent or distinct”, (B) Groups I and II have overlapping scope and (C) there is no search burden. This is not found persuasive because:
Applicant argues the claims are not “independent or distinct”. Examiner respectfully disagrees. The three groups are related in that each receives a plurality of events and then processes the received events; however, what happens after the receiving of the events during the processing steps is distinct from one group to another. The processing of the received events being unique to each group is what makes the groups distinct. The groups are deemed “independent or distinct” as Group I essentially discloses: receiving a plurality of events, grouping the events by a destination address and a source address, establishing a plurality of threat vectors for each of the grouped event records, merging the plurality of threat vectors to form a plurality of risk events, and storing the plurality of risk events. Group II differs in deriving primary and secondary keys, merging each event sharing primary and secondary keys into a record, merging a plurality of threat factors into each record, grouping each record of the plurality of records sharing secondary keys, merging a risk score of each subset, grouping each subset sharing primary keys into a plurality of sets, and storing the plurality of sets. Group III further discloses deriving a first key for each event, superimposing each event, superimposing a plurality of threat vectors, calculating a threat valuation, generating a risk event, and storing the risk event.
Applicant argues the groups share overlapping scope between Group I’s “a first timeframe” and Group II and III’s “sliding windows”. Examiner respectfully disagrees, as the “timeframe” and “sliding windows” are in and of themselves insignificant to the metes and bounds of the claims. The “timeframe” and “sliding windows” describe when event records are received; however, it is the Examiner’s position that the further processing of these received events is what is unique and distinct among the groups, as discussed above. Essentially, it is the Examiner’s position that the argued overlapping scope is insignificant in the overall scope of the claims. Likewise, just because all three groups claim “a computer-readable data store” does not make this limitation essential or significant to the metes and bounds of the claims for the “overlapping scope” analysis. Therefore, the “first timeframe” and “sliding windows” aspect is not considered overlapping scope for double patenting analysis.
Applicant argues “no serious search or examination burden has been established” and that all the groups are classified in H04L 63. Examiner respectfully disagrees. Even assuming all three groups are classified under the same classification, a restriction is still proper as the claims are distinct and require different search strategies and different fields of search. Specifically, any potential prior art found relating to one group may not be fully applicable to the other groups. For instance, any potential prior art found teaching Group I’s “receiving a plurality of events, grouping the events by a destination address and a source address, establishing a plurality of threat vectors for each of the grouped event records, merging the plurality of threat vectors to form a plurality of risk events, and storing the plurality of risk events” may not apply to Group II’s limitations of primary and secondary keys or Group III’s limitations of superimposing events with a derived key, among other limitations. Further, the 35 USC 101 analysis for one group may not be applicable to the other groups.
The requirement is still deemed proper and is therefore made FINAL.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 2/28/24 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1-7 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. The claims essentially recite receiving a plurality of event records, grouping the event records, establishing a plurality of vectors based on the grouped events, merging the vectors and storing them in a data store. This judicial exception is not integrated into a practical application because the claims are closely related to the abstract idea of “mathematical concepts” of grouping data and general data relationships, or even to “mental processes” of observing and evaluating the received data. The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional element of a data store by itself is simply the usage of a generic database well known in the art for storing events.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the claims at issue are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the reference application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP §§ 706.02(l)(1) - 706.02(l)(3) for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/forms/. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to http://www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-7 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1 and 3-8 of U.S. Patent No. 11,165,807. Although the claims at issue are not identical, they are not patentably distinct from each other because the claims of the instant application are anticipated by the Patent. The instant application claims a broader scope than the Patent, and Claims 1-7 are therefore anticipated by the claims of the Patent. Therefore, claims 1-7 of the instant application are anticipated by claims 1 and 3-8 of the Patent.
A later patent claim is not patentably distinct from an earlier patent claim if the later claim is obvious over, or anticipated by, the earlier claim. In re Longi, 759 F.2d at 896, 225 USPQ at 651 (affirming a holding of obviousness-type double patenting because the claims at issue were obvious over claims in four prior art patents); In re Berg, 140 F.3d at 1437, 46 USPQ2d at 1233 (Fed. Cir. 1998) (affirming a holding of obviousness-type double patenting where a patent application claim to a genus is anticipated by a patent claim to a species within that genus). ELI LILLY AND COMPANY v BARR LABORATORIES, INC., United States Court of Appeals for the Federal Circuit, ON PETITION FOR REHEARING EN BANC (DECIDED: May 30, 2001).
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-7 are rejected under 35 U.S.C. 103 as being unpatentable over Jordan et al. (US Pub No 2015/0088868) in view of Baikalov et al. (US Pub No 2016/0226905).
With respect to claim 1, Jordan teaches
1. A method, comprising:
receiving a plurality of event records in a first timeframe, each event record comprising a plurality of attribute-value pairs (e.g., “all messages may be parsed into pairing of an attribute and its data into an attribute-value pairing” ¶ 0037 and the receiving is in a first event window ¶ 0040);
grouping the event records by a destination address and a source address to form grouped event records (e.g., “the parsing of the incoming messages in a process referred to as normalization” ¶ 0037 and step (a) of the simplified overview flow of the SID process ¶ 0032-0033, which teaches the grouping of event and using “derived tuple fields…A tuple may be a source address/port, destination address/port” teaches the records grouping by destination and source address ¶ 0038);
establishing a plurality of threat [vectors] for each of the grouped event records based on the attribute-value pairs (e.g., establishing a plurality of threats for events with step (b) of the simplified overview flow of the SID process ¶ 0032-0034 and with “New events may create a new record in the superimposed event window in embodiments of the present disclosure. Additional metadata may be added to the event in the insertion process. Attributes of an event may themselves be a tree or array of information.” ¶ 0040-0041);
merging the plurality of threat [vectors] with the corresponding grouped event records to form a plurality of risk events (e.g., merging a plurality of threats for events with both steps (b) and (c) of the simplified overview flow of the SID process ¶ 0032-0035 and with “simple merger may be based on a schema of appending new attribute data to the existing attribute.” ¶ 0040-0041); and
storing the plurality of risk events in a computer-readable data store (e.g., storing the records into a datastore ¶ 0046).
Jordan discloses the claimed subject matter as discussed above, with records for detecting threats and merging a plurality of threats together, but does not explicitly disclose “threat vectors”. However, analogous art from the same field of endeavor, Baikalov, teaches this by applying threat indicators, threat scores and threat vectors (¶ 0005, 0027-0028 @ Figs 2-3). Therefore, based on Jordan in view of Baikalov, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to apply the teaching of Baikalov to the system of Jordan in order to reliably identify threats and evaluate risks while minimizing false positive alerts (@ Baikalov ¶ 0007). Hence, it would have been obvious to combine the references to obtain the invention as specified in the instant claim.
The prior art above further teaches claim:
2. The method of claim 1, wherein the destination address and the source address are based on internet protocol (IP) addresses (e.g., IP address @ Jordan ¶ 0038).
The prior art above further teaches claim:
3. The method of claim 1, wherein the plurality of threat vectors includes statistics evaluations, flow anomalies, reputation information, alerts based on other network security systems, or a combination thereof (e.g., network flow data, file capture and intrusion detection alert @ Jordan ¶ 0041).
The prior art above further teaches claim:
4. The method of claim 1, further comprising: notifying a user of a risk event if a risk valuation of the risk event is above a predetermined threshold value (e.g., presents view to the user if threshold is reached to be considered event as part of an attack @ Jordan ¶ 0048).
The prior art above further teaches claim:
5. The method of claim 4, wherein the risk valuation corresponds to a joint-distribution probability of the threat vectors merged to the event record (e.g., applying probability to the threat vectors @ Baikalov ¶ 0027-0028).
The prior art above further teaches claim:
6. The method of claim 1, further comprising: optimizing each threat vector of the plurality of threat vectors based on machine learning (e.g., reputation and validation engine review @ Jordan ¶ 0006 and flow analytics ¶ 0007).
The prior art above further teaches claim:
7. The method of claim 1, wherein the first timeframe is a sliding window (e.g., event and sliding window ¶ 0040).
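The pipeline recited in claims 1, 4, 5 and 7, as an added illustration that is not part of the Office action, the application, or the Jordan or Baikalov references: event records with attribute-value pairs are filtered to a sliding window, grouped by (destination, source) address, given a threat vector per group, merged into a stored risk event whose valuation is a joint probability, and flagged when that valuation exceeds a threshold. The sample records, the three indicator fields, their probabilities and the byte threshold are constructed assumptions of this example.

```python
from collections import defaultdict

# Constructed sample event records (attribute-value pairs plus a timestamp); the last is outside the window.
EVENTS = [
    {"ts": 100, "src": "10.0.0.5", "dst": "192.0.2.10", "bytes": 120, "ids_alert": False, "rep": "clean"},
    {"ts": 101, "src": "10.0.0.5", "dst": "192.0.2.10", "bytes": 900000, "ids_alert": True, "rep": "clean"},
    {"ts": 102, "src": "10.0.0.9", "dst": "192.0.2.10", "bytes": 300, "ids_alert": False, "rep": "malicious"},
    {"ts": 10, "src": "10.0.0.7", "dst": "192.0.2.11", "bytes": 50, "ids_alert": True, "rep": "malicious"},
]
# Assumed probability that each fired indicator reflects a real threat, and an assumed flow threshold.
INDICATOR_PROB = {"flow_anomaly": 0.6, "bad_reputation": 0.8, "ids_alert": 0.7}
BYTES_THRESHOLD = 500000

def in_window(events, now, width):
    """Claim 7: keep only records whose timestamp lies in the sliding window (now - width, now]."""
    return [e for e in events if now - width < e["ts"] <= now]

def group_by_addresses(events):
    """Claim 1: group event records by (destination address, source address)."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["dst"], e["src"])].append(e)
    return groups

def threat_vector(group):
    """Claims 1 and 3: establish a threat vector for a group from its attribute-value pairs."""
    return {
        "flow_anomaly": any(e["bytes"] > BYTES_THRESHOLD for e in group),
        "bad_reputation": any(e["rep"] == "malicious" for e in group),
        "ids_alert": any(e["ids_alert"] for e in group),
    }

def risk_valuation(vec):
    """Claim 5: joint probability that at least one fired indicator is real (indicators assumed independent)."""
    p_all_benign = 1.0
    for name, fired in vec.items():
        if fired:
            p_all_benign *= 1.0 - INDICATOR_PROB[name]
    return 1.0 - p_all_benign

def build_risk_events(events, now, width, threshold):
    """Claims 1 and 4: merge each group with its threat vector into a stored risk event,
    keyed by (dst, src), flagged for notification when its valuation exceeds the threshold."""
    store = {}
    for key, group in group_by_addresses(in_window(events, now, width)).items():
        vec = threat_vector(group)
        risk = risk_valuation(vec)
        store[key] = {"events": group, "threat_vector": vec, "risk": risk, "notify": risk > threshold}
    return store
```

With `build_risk_events(EVENTS, now=102, width=10, threshold=0.85)` the 10.0.0.5 group (flow anomaly plus IDS alert) scores 0.88 and is flagged, while the 10.0.0.9 group (reputation only) scores 0.8 and is stored without notification; the record at ts 10 falls outside the window and is dropped.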
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Particularly, Shah (US Pub No 2006/0026688) discloses relevant methods of analyzing security data over a period of time to generate a threat and vulnerability index.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHAU LE whose telephone number is (571)270-7217. The examiner can normally be reached M-F 8:00-5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, LINGLAN EDWARDS can be reached at (571) 270-5440. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/CHAU LE/Primary Examiner, Art Unit 2408