Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Detailed Action
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e). Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 06/15/2026 has been entered.
Claims 1, 3, 13, 14, 16, 18, and 20 are amended
Claims 2 and 17 have been cancelled
Claims 1, 3-16, and 18-20 are pending
Priority
This application claims priority to Russian Patent Application No. RU2023116032, filed on 19 Jun. 2023. All priority documents have been received. Therefore, the effective filing date of this application is 06/19/2023.
Response to Arguments
Applicant’s arguments filed on 05/22/2026 have been fully considered.
With respect to the objection to the abstract. The objection has been overcome due to Applicant’s amendments.
With respect to the USC 112(b) rejection for claims 1-20. Applicant has amended the claims to overcome most of the rejections. However, not all rejections are overcome.
With respect to USC 112(b) rejection for claims 1, 16, and 20 for reciting the limitation “classifying each unclassified object in each subgraph at least as malicious using classification rules”. The rejection has been overcome due to Applicant’s amendments.
With respect to USC 112(b) rejection for claims 1, 16, and 20 for reciting the limitation “… associations of classified malicious objects … vertices represent classified malicious objects”. The rejection has been overcome due to Applicant’s amendments.
With respect to USC 112(b) rejection for claims 1, 16, and 20 for reciting the limitation “and unclassified objects in a form of vertices … wherein vertices represent classified malicious objects and unclassified objects”. The rejection has been overcome due to Applicant’s amendments.
With respect to USC 112(b) rejection for claims 1, 16, and 20 for reciting the limitation “or with unclassified objects that in turn have a generic information with classified malicious objects”. The rejection has been overcome due to Applicant’s amendments.
With respect to USC 112(b) rejection for claims 3 and 18 for reciting the limitation "the received input objects". The rejection has been overcome due to Applicant’s amendments.
With respect to USC 112(b) rejection for claim 13 for reciting the limitation “analysis of a sequential association”. The rejection has been overcome due to Applicant’s amendments.
With respect to USC 112(b) rejection for claim 14 for reciting the limitation “analysis of a group association”. The rejection has been overcome due to Applicant’s amendments.
With respect to the USC 112(b) rejection for claims 1, 16, and 20 for reciting the limitation “said objects”. Applicant has argued that the recitation of the classified malicious objects and the unclassified objects in the previous limitations provides antecedent basis for said objects. However, Examiner respectfully disagrees. It is not clear which objects “said objects” is referring to. Both classified malicious objects and unclassified objects recite of a plurality objects. Said objects can refer to only classified malicious objects, to only unclassified objects, or to both. Therefore, Examiner suggests amending and replacing “said objects” to recite “the classified malicious objects and the unclassified objects”. Appropriate correction is required.
With respect to the USC 103 rejection for claims 1, 16, and 20. Applicant has amended the independent claims to recite “wherein the graph of associations contains only associations between objects of different types” similar to the limitations of claim 5. Applicant has argued that NABEEL-RAY fails to teach this limitation. Examiner respectfully disagrees. As can be seen in the rejection of claim 5, Examiner is not relying on NABEEL to teach this feature. RAY teaches ([RAY, para. 0106] “As part of a root cause analysis, one or more cause identification rules may be applied to one or more of the preceding computing objects having a causal relationship with the detected security event 502, or to each computing object having a causal relationship to another computing object in the sequence of events preceding the detected security event 502.”) Furthermore, figure 5 of RAY shows a graph of different type of objects and related actions that are associated together. The claim language of “objects of different types” is very broad. An object can be of different types based on various reasons such as file type or even if the file type is the same the use case can be different rendering it to be of a different type. RAY shows in fig. 5 application 1 associated with file 3 and application 2 associated with event 3. Examiner is interpreting these as different types of applications. Therefore, RAY teaches this limitation.
Applicant has further argued that RAY does not teach extracting a subgraph as claimed. Examiner respectfully disagrees. RAY teaches ([RAY, para.0112] “The event graph 500 may include one or more computing objects or events that are not located on a path between the security event 502 and the root cause 504. These computing objects or events may be filtered or ‘pruned’ from the event graph 500 when performing a root cause analysis”). The claim states “extracting from the generated graph of associations at least one subgraph” a graph is already generated and a subgraph is determined from the already generated graph. This is analogous to the teaching pruning of RAY where an event graph 500 is pruned to filter unwanted events to perform root cause analysis. Applicant has argued that extraction begins with an initially empty set and builds up the subgraph. However, this is not recited in the claim language. The claim clearly recites an already generated graph and extracting a subgraph from the generated graph. There is no limitation to state that extraction is done based on an initial empty set.
Furthermore, for the limitation “at least malicious or trusted” NABEEL teaches this limitation as can be seen in the following citation ([NABEEL, para. 0068] “The assessment module 136 may be configured to assess the maliciousness of a domain based on a weighted domain graph. For example, once the graph-building module 134 has completed building a graph detailing weights and relations between the domains of the domain list 108 … the assessment module 136 may employ a path-based inference algorithm to determine the likelihood that a specific domain may be malicious”).
Applicant has further argued that there is no motivation to combine. Examiner respectfully disagrees. The combination of Nabeel and Ray under 103 is proper since both references relate to determining maliciousness by building a graph of associations. Ray realizes the need for improvements to correlation, analysis, and visualization [RAY, abstract].
With respect to the arguments of claim 10, Applicant has argued that NABEEL-RAY fails to teach wherein each of the analysis is performed by at least one machine learning model. Examiner respectfully disagrees. NABEEL teaches ([NABEEL, para. 0052] “The machine learning module 128 may be configured to include a classification module 130, an association module 132, a graph-building module 134, and an assessment module 136.”) ([NABEEL, para. 0075] “providing data to a machine learning module, wherein the machine learning module was previously trained on a plurality of IP address attributes and a plurality of domain attributes”) The machine learning of Nabeel is the one that includes classification and graph building. Therefore, the analysis is done by the machine learning module.
With respect to the arguments of claim 13, Applicant has argued that NABEEL-RAY fails to teach wherein the analysis of a sequential association between objects uses information about at least three objects having an association. Examiner respectfully disagrees. NABEEL teaches ([NABEEL, para. 0071] “For example, the association module 132 deems two domains associated if they share at least on dedicated IP address. This association method is referred to as G-IP within this disclosure. In example graph 200, domains D4 216, D5 220, and D6 224 share the dedicated IP6 222. This association method combined with the association rules used to build graph 300, combine to produce the example graph 400”).
With respect to the arguments of claim 14, Applicant has argued that NABEEL-RAY fails to teach wherein the analysis of a group association between objects uses information about at least four objects, three of which have an association to a fourth. Examiner respectfully disagrees. NABEEL teaches (NABEEL, para. 0073] “FIG. 6 illustrates an example graph 600 built by the method of the present disclosure based on the example IP address and domain graph 200. The graph 600 is expanded beyond the prior example graphs 300, 400, and 500 by implementing all association rules used to create these prior graphs. This association method is referred to as G-IP-Domain within this disclosure. This combination of association rules produces the example graph 600, containing six of the eight domains found in the example IP address and domain graph 200.”). As can be seen in figure 6 of Nabeel D2, D3, D5, and D6 all share a link to D4. This teaches the limitation of group association between objects uses information about at least four objects, three of which have an association to a fourth.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
Claims 1-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claims 1, 15, 16, and 20 recite the limitation "the spread of malicious activity". There is insufficient antecedent basis for this limitation in the claim. For the purpose of examination Examiner is interpreting this limitation as “a spread of malicious activity”. Appropriate correction is required.
Claims 3-14, and 18-19 depend on claims 1, 16, and 20. Therefore, they inherit the rejection.
Claim 1, 16, and 20 recite the limitation “said objects”. It is unclear what objects are being referred to in this limitation. For the purpose of examination examiner is interpreting this limitation as “the classified malicious objects and the unclassified objects”. Appropriate correction is required.
Claims 3-15, and 18-19 depend on claims 1, 16, and 20. Therefore, they inherit the rejection.
Claims 3 and 18 recite the limitation " determining the similarity ". There is insufficient antecedent basis for this limitation in the claim. For the purpose of examination Examiner is interpreting this limitation as “determining a similarity”. Appropriate correction is required.
Claim 4 and 19 depend on claims 3 and 18. Therefore, they inherit the rejection.
Claims 3 and 18 recite the limitation " the classified malicious object". There is insufficient antecedent basis for this limitation in the claim. For the purpose of examination Examiner is interpreting this limitation as “the classified malicious objects”. Appropriate correction is required.
Claim 4 and 19 depend on claims 3 and 18. Therefore, they also inherit the rejection.
Claim 6 recites the limitation " the computer network range". There is insufficient antecedent basis for this limitation in the claim. For the purpose of examination Examiner is interpreting this limitation as “a computer network range”. Appropriate correction is required.
Claim 7 depends on claim 6. Therefore, it also inherits the rejection
Claim 6 recites the limitation " the IP address to which the object belongs". There is insufficient antecedent basis for this limitation in the claim. For the purpose of examination Examiner is interpreting this limitation as “a IP address to which the object belongs”. Appropriate correction is required.
Claim 7 depends on claim 6. Therefore, it also inherits the rejection
Claim 8 recites the limitation “the generating of the graph of associations containing classified objects and unclassified objects”. Examiner suggests amending this limitation to “the generating of the graph of associations containing the classified objects and the unclassified objects”. To refer to the same classified objects and unclassified objects. Appropriate correction is required.
Claim 8 recites the limitation " the number of requests". There is insufficient antecedent basis for this limitation in the claim. For the purpose of examination Examiner is interpreting this limitation as “a number of requests”. Appropriate correction is required.
Claim 8 recites the limitation " the domain name system". There is insufficient antecedent basis for this limitation in the claim. For the purpose of examination Examiner is interpreting this limitation as “a domain name system”. Appropriate correction is required.
Claim 9 recites the limitation “wherein at least one subgraph”. Examiner suggests amending this to “wherein the at least one subgraph”. To refer to the same at least one subgraph recited in claim 1. Appropriate correction is required.
Claim 9 recites the limitation " wherein the at least one object is unclassified". There is insufficient antecedent basis for this limitation in the claim. For the purpose of examination Examiner is interpreting this limitation as “wherein at least one object is unclassified”. Appropriate correction is required.
Claim 12 recites the limitation " the sequential analysis". There is insufficient antecedent basis for this limitation in the claim. For the purpose of examination Examiner is interpreting this limitation as “wherein the analysis of the sequential association”. Appropriate correction is required.
Claim 15 recites the limitation “the access to an object that is classified as malicious”. Examiner suggests amending this to “the access to the object that is classified as malicious” to refer to the same object that was classified as malicious as in claim 1. Appropriate correction is required.
Claim 15 recites the limitation " the website". There is insufficient antecedent basis for this limitation in the claim. For the purpose of examination Examiner is interpreting this limitation as “blocking access to a website to which the object is associated; opening the website to which the object is associated”. Appropriate correction is required.
The following is a quotation of 35 U.S.C. 112(d):
(d) REFERENCE IN DEPENDENT FORMS.—Subject to subsection (e), a claim in dependent form shall contain a reference to a claim previously set forth and then specify a further limitation of the subject matter claimed. A claim in dependent form shall be construed to incorporate by reference all the limitations of the claim to which it refers.
Claim 5 is rejected under 35 U.S.C. 112(d) or pre-AIA 35 U.S.C. 112, 4th paragraph, as being of improper dependent form for failing to further limit the subject matter of the claim upon which it depends, or for failing to include all the limitations of the claim upon which it depends. Claim 5 recites the limitation “wherein the graph of associations contains only associations between objects of different types”. This limitation has now been incorporated into independent claims 1, 16, and 20. Applicant may cancel the claim, amend the claim to place the claim in proper dependent form, rewrite the claim in independent form, or present a sufficient showing that the dependent claim complies with the statutory requirements.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1, 3, 5-7, 9, 10, 12-16, 18 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over NABEEL (US-20200382533-A1) in view of RAY (US-20210400071-A1), hereinafter NABEEL-RAY.
Regarding claim 1, NABEEL teaches “A method for classifying objects to prevent the spread of malicious activity, the method comprising: ([NABEEL, abstract] “The presently disclosed method and system exploits information and traces contained in DNS data to determine the maliciousness of a domain based on the relationship it has with other domains.”) ([NABEEL, para. 0043] “detecting these malicious domains in a timely manner is important not only to identify domains on which cyber-attacks have occurred, but also to take preventative measures by identifying these malicious domains before a cyber-attack takes place”) collecting information about unclassified objects in a network that have a generic information with classified malicious objects or with unclassified objects that in turn have a generic information with classified malicious objects; ([NABEEL, para. 0045] “building associations between domains from DNS data to reflect their meaningful connections. For example, one association may be that the domains are deployed and/or controlled by the same entity. Once the associations have been established, an inference based approach deploys an inference algorithm to assess the maliciousness of a domain based on its associations with known malicious and benign domains”) ([NABEEL, para. 0048] “two domains may be associated if they are co-hosted and belong to the same dedicated apex domain or share more than one public IP address from different hosting providers. Once these associations have been identified and graphed, an inference-based algorithm may be deployed”) generating a graph of associations of the classified malicious objects and the unclassified objects in a form of vertices connected with edges, wherein vertices represent the classified malicious objects and the unclassified objects, and edges represent associations between said objects, ([NABEEL, para. 0068] “once the graph-building module 134 has completed building a graph detailing weights and relations between the domains of the domain list 108, the assessment module 136 may employ a belief propagation algorithm to determine a likelihood that a specific domain may be malicious”) ([NABEEL, para. 0045] “Once the associations have been established, an inference based approach deploys an inference algorithm to assess the maliciousness of a domain based on its associations with known malicious and benign domains.”) ([NABEEL, para. 0093] “Given a dedicated apex domain or a subdomain belonging to this apex domain, if it was known or inferred to be malicious, it was highly likely all subdomains under this apex domain were malicious.”) ([NABEEL, para. 0069, Fig. 2] “Each domain in the graph 200 belongs to an apex domain. ”) ([NABEEL, para. 0072, Fig. 5] “FIG. 5 illustrates an example graph 500 built by the method of the present disclosure based on the example IP address and domain graph 200. … For example, the association module 132 has determined more domain associations 144 based on a dedicated apex domain relationship. For example, the association module 132 deems two domains associated if they are co-hosted domains and belong to the same dedicated apex domain. This association method is referred to as G-Domain within this disclosure. Of the eight domains in the example IP address and domain graph 200, only domains D2 206, D3 210, and D4 216 qualify for this association. This association method combined with the association rules used to build graph 300, combine to produce the example graph 500, containing five of the eight domains found in the example IP address and domain graph 200, providing an expanded graph for maliciousness analysis.”) … graph … comprising homogeneous objects ([NABEEL, para. 0068] “configured to assess the maliciousness of a domain based on a weighted domain graph. For example, once the graph-building module 134 has completed building a graph detailing weights and relations between the domains of the domain list 108”) … classifying each unclassified object in each subgraph as at least malicious or trusted using classification rules; and … ([NABEEL, para. 0068] “The assessment module 136 may be configured to assess the maliciousness of a domain based on a weighted domain graph. For example, once the graph-building module 134 has completed building a graph detailing weights and relations between the domains of the domain list 108 … the assessment module 136 may employ a path-based inference algorithm to determine the likelihood that a specific domain may be malicious”) ([NABEEL, para. 0045] “Once the associations have been established, an inference based approach deploys an inference algorithm to assess the maliciousness of a domain based on its associations with known malicious and benign domains.”) ([NABEEL, para. 0075] “the maliciousness of a domain is assessed based on the weighted domain graph. For example, an assessment module 136 may employ a random forest classification algorithm on a weighted domain graph 146 to assess the likelihood of maliciousness.”)
However, NABEEL does not teach “wherein the graph of associations contains only associations between objects of different types; extracting from the generated graph of associations at least one subgraph … and containing at least one unclassified object based on at least one of the following: an analysis of a group association between objects; and an analysis of sequential association between objects; … restricting access to an object that is classified as malicious.”
In analogous teaching RAY teaches “… wherein the graph of associations contains only associations between objects of different types; ([RAY, para. 0106] “The event graph 500 may include a sequence of computing objects causally related by a number of events, and which provide a description of computing activity on one or more endpoints”) ([RAY, para. 0109] “the event graph 500 may be traversed in a reverse order from a computing object associated with the security event 502 based on the sequence of events included in the event graph 500. For example, traversing backward from the action 528 leads to at least the first application 520 and the USB device 512. As part of a root cause analysis, one or more cause identification rules may be applied to one or more of the preceding computing objects having a causal relationship with the detected security event 502, or to each computing object having a causal relationship to another computing object in the sequence of events preceding the detected security event 502.”) extracting from the generated graph of associations at least one subgraph … and containing at least one unclassified object based on at least one of the following: an analysis of a group association between objects; and an analysis of sequential association between objects; ([RAY, para.0111] “The event graph 500 may similarly be traversed going forward from one or more of the root cause 504 or the security event 502 to identify one or more other computing objects affected by the root cause 504 or the security event 502. For example, the first file 516 and the second 518 potentially may be corrupted because the USB device 512 included malicious content.”) ([RAY, para.0112] “The event graph 500 may include one or more computing objects or events that are not located on a path between the security event 502 and the root cause 504. These computing objects or events may be filtered or ‘pruned’ from the event graph 500 when performing a root cause analysis or an analysis to identify other computing objects affected by the root cause 504 or the security event 502.”) ([RAY, para.0114] “The event graph 500 may be created or analyzed using rules that define one or more relationships between events and computing objects”) restricting access to an object that is classified as malicious. ([RAY, para.0103] “if a particular process executing on the endpoint is compromised, or potentially compromised or otherwise under suspicion, keys to that process may be revoked in order to prevent, e.g., data leakage or other malicious activity”) ([RAY, para.0065] “Based on reputation, potential threat sources may be blocked, quarantined, restricted, monitored, or some combination of these, before an exchange of data can be made.”).
Thus, given the teaching of RAY, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to combine the teaching of subgraphs by RAY into the teaching of method for classifying objects to prevent the spread of malicious activity by NABEEL. One of ordinary skill in the art would have been motivated to do so because RAY recognizes the need for improved threat management ([RAY, abstract] “Event data from these sensors is augmented with contextual information about, e.g., a source of each event in order to facilitate improved correlation, analysis, and visualization at a threat management facility for the enterprise network”).
Regarding claim 16, this claim recites of system that performs the method of claim 1. Therefore, claim 16 is rejected in a similar manner as in the rejection of claim 1.
Regarding claim 20, this claim recites of a non-transitory computer-readable medium storing thereon computer executable instructions which perform the method of claim 1. Therefore, claim 20 is rejected in a similar manner as in the rejection of claim 1.
Regarding claims 3 and 18, NABEEL-RAY teaches all limitations of claims 1 and 16. NABEEL further teaches “wherein the classification rules include at least one of the following: a similarity analysis or an analysis of objects using a machine learning model for determining the similarity of the unclassified objects and the classified malicious object.” ([NABEEL, para. 0052] “The machine learning module 128 may be configured to include a classification module 130, an association module 132, a graph-building module 134, and an assessment module 136.”) ([NABEEL, para. 0068] “The assessment module 136 may be configured to assess the maliciousness of a domain based on a weighted domain graph. For example, once the graph-building module 134 has completed building a graph detailing weights and relations between the domains of the domain list 108, the assessment module 136 may employ a belief propagation algorithm to determine a likelihood that a specific domain may be malicious”) ([NABEEL, para. 0063] “The machine learning module 128 may be further configured to include an association module 132. This association module 132 may be configured to associate each of the plurality of domains on the domain list 108 and the resolving IP addresses 114 found within the DNS data 104 on at least the corresponding associations, determining a plurality of domain associations 144.”).
Regarding claim 5, NABEEL-RAY teaches all limitations of claim 1. RAY further teaches “wherein the graph of associations contains only associations between objects of different types.” ([RAY, para. 0106] “The event graph 500 may include a sequence of computing objects causally related by a number of events, and which provide a description of computing activity on one or more endpoints”) ([RAY, para. 0109] “the event graph 500 may be traversed in a reverse order from a computing object associated with the security event 502 based on the sequence of events included in the event graph 500. For example, traversing backward from the action 528 leads to at least the first application 520 and the USB device 512. As part of a root cause analysis, one or more cause identification rules may be applied to one or more of the preceding computing objects having a causal relationship with the detected security event 502, or to each computing object having a causal relationship to another computing object in the sequence of events preceding the detected security event 502.”).
The same motivation and rejection to modify NABEEL with RAY as in the rejection of claim 1 applies.
Regarding claim 6, NABEEL-RAY teaches all limitations of claim 1. NABEEL further teaches “wherein the objects and object information are at least two of the following types of information: Internet Protocol (IP) address; Fully Qualified Domain Name (FQDN); Universal Resource Identifier (URI) information; domain name data, including information about a domain name registrar; information about an owner of a domain name, including a name of an owner who owns the domain name, an address of the owner of the domain name, an IP address range to which the domain name belongs on the network, and contact information for the owner of the domain name; information about an owner of the IP address, including a name and an address of the owner of the IP address; name of the computer network range; a location that corresponds to an IP address range, including country and city; contact details of an administrator; information about the IP address to which the object belongs; information about public key certificates issued for the domain name; file hash and file path; and web addresses that contain the domain name.” ([NABEEL, para. 0073] “FIG. 6 illustrates an example graph 600 built by the method of the present disclosure based on the example IP address and domain graph 200. … This association method is referred to as G-IP-Domain within this disclosure. This combination of association rules produces the example graph 600, containing six of the eight domains found in the example IP address and domain graph 200.”) ([NABEEL, para. 0053] “These domain based attributes may include the number of fully qualified domain names (“FQDNs”), the number of third level domains which an IP address hosts during a certain time period”).
Regarding claim 7, NABEEL-RAY teaches all limitations of claim 6. RAY further teaches “wherein the URI information comprises at least a page address and page load parameters.” ([RAY, para. 0065] “For instance, reputation filtering may include lists of URIs of known sources of malware or known suspicious IP addresses, code authors, code signers, or domains, that when detected may invoke an action by the threat management facility 100.”) ([RAY, para. 0147] “a URL may be encoded in an event 1106 as a hash of a URL, or as a portion of a URL, or some combination of these (e.g., a literal encoding of the top level domain, and a hash of some or all of the remaining path information).”).
The same motivation and rejection to modify NABEEL with RAY as in the rejection of claim 1 applies.
Regarding claim 9, NABEEL-RAY teaches all limitations of claim 1. RAY further teaches “wherein at least one subgraph extracts associated components that contain information about associated objects, wherein the at least one object is unclassified.” ([RAY, para. 0112] “The event graph 500 may include one or more computing objects or events that are not located on a path between the security event 502 and the root cause 504. These computing objects or events may be filtered or ‘pruned’ from the event graph 500 when performing a root cause analysis”) ([RAY, para. 0111] “The event graph 500 may similarly be traversed going forward from one or more of the root cause 504 or the security event 502 to identify one or more other computing objects affected by the root cause 504 or the security event 502. For example, the first file 516 and the second 518 potentially may be corrupted because the USB device 512 included malicious content”).
The same motivation and rejection to modify NABEEL with RAY as in the rejection of claim 1 applies.
Regarding claim 10, NABEEL-RAY teaches all limitations of claim 1. NABEEL further teaches “wherein each of the analysis is performed by at least one machine learning model.” ([NABEEL, para. 0052] “The machine learning module 128 may be configured to include a classification module 130, an association module 132, a graph-building module 134, and an assessment module 136.”) ([NABEEL, para. 0075] “providing data to a machine learning module, wherein the machine learning module was previously trained on a plurality of IP address attributes and a plurality of domain attributes”).
Regarding claim 12, NABEEL-RAY teaches all limitations of claim 1. NABEEL further teaches “wherein the sequential analysis employs at least one neighboring malicious object.” ([NABEEL, para. 0071] “For example, the association module 132 has determined more domain associations 144 based on a dedicated IP address relationship. For example, the association module 132 deems two domains associated if they share at least on dedicated IP address. This association method is referred to as G-IP within this disclosure”).
Regarding claim 13, NABEEL-RAY teaches all limitations of claim 1. NABEEL further teaches “wherein the analysis of the sequential association between objects uses information about at least three objects having an association.” ([NABEEL, para. 0071] “For example, the association module 132 deems two domains associated if they share at least on dedicated IP address. This association method is referred to as G-IP within this disclosure. In example graph 200, domains D4 216, D5 220, and D6 224 share the dedicated IP6 222. This association method combined with the association rules used to build graph 300, combine to produce the example graph 400”).
Regarding claim 14, NABEEL-RAY teaches all limitations of claim 1. NABEEL further teaches “wherein the analysis of the group association between objects uses information about at least four objects, three of which have an association to a fourth” (NABEEL, para. 0073] “FIG. 6 illustrates an example graph 600 built by the method of the present disclosure based on the example IP address and domain graph 200. The graph 600 is expanded beyond the prior example graphs 300, 400, and 500 by implementing all association rules used to create these prior graphs. This association method is referred to as G-IP-Domain within this disclosure. This combination of association rules produces the example graph 600, containing six of the eight domains found in the example IP address and domain graph 200.”) [Examiner’s note: Objects D5, D3, and D2 all share a link to D4 in figure 6 of NABEEL.]
Regarding claim 15, NABEEL-RAY teaches all limitations of claim 1. RAY further teaches “wherein the access to an object that is classified as malicious is restricted to prevent the spread of malicious activity by one of the following: blocking access to a website to which the object is associated; opening the website to which the object is associated in a browser that runs in protected mode; and pausing a transition to the website, and informing a user that the website is associated with a malicious object.” ([RAY, para. 0062] “security management facility 122 … help control web browsing, and the like, which may provide comprehensive web access control enabling safe, productive web browsing. Web security and control may provide Internet use policies”) ([RAY, para. 0134] “As shown in step 810, the method 800 may include displaying the intermediate threat(s) and supplemental information in a user interface for user disposition, or otherwise augmenting a description of the new threat sample in a user interface with the supplemental information”) ([RAY, para. 0140] “the user interface 900 may display a window 906 with more granular information about features contributing to suspiciousness. For example, an analysis of a threat sample may return a 90% suspicion of malicious code, while a file path analysis may return a 57% suspicion, and a URL analysis may return a 77% suspicion. … Furthermore, for any particular feature (e.g., the URL analysis in FIG. 9), a number of most similar events or threat samples for that feature may be displayed”) ([RAY, para. 0085] “When a threat or other policy violation is detected by the security management facility 122, the remedial action facility 128 may be used to remediate the threat. … block requests to a particular network location or locations”).
The same motivation and rejection to modify NABEEL with RAY as in the rejection of claim 1 applies.
Claims 4 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over NABEEL-RAY in view of ZHANG (US-12223056-B1).
Regarding claims 4 and 19, NABEEL-RAY teaches all limitations of claims 3 and 18. However, NABEEL-RAY does not teach “wherein the similarity analysis is implemented using a Levenshtein metric.”
In analogous teaching ZHANG teaches “wherein the similarity analysis is implemented using a Levenshtein metric.” ([ZHANG, col. 3 lines 57-60, col 4 lines 35-45] “the graph-based abusive computational node detection system 102 may implement a risky candidate computational node detection component 104 … Algorithms such as Levenshtein distance … may be used to determine similarity between attributes when constructing the input graph 106. The input graph 106 may include some seed nodes that have known labels. These labeled computational nodes are a list of confirmed abusive entities (e.g., known malicious computational nodes) and/or confirmed non-abusive entities. Labeled computational nodes may be so labeled based on historic data (e.g., data indicating that a particular computational node is associated with unauthorized scripting, uploading of malicious code, etc.).”).
Thus, given the teaching of ZHANG, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to combine the teaching of Levenshtein metric by ZHANG into the teaching of method for classifying objects to prevent the spread of malicious activity by NABEEL-RAY. One of ordinary skill in the art would have been motivated to do so because ZHANG recognizes the need to efficiently detect malicious nodes ([ZHANG, col. 2 lines 37-47, col 3 lines 2-8] “Some common strategies for dealing with automated abuse detection include selection of a set of potentially abusive computational nodes for human investigation based on automated detection system results. … However, while such techniques may be useful, they limit the coverage of computational node abuse detection for several reasons … graph-based abusive computational node detection systems and techniques described herein are able to model high dimensional data to determine relationships between known good computational nodes and/or known abusive computational nodes and potentially risky nodes (e.g., computational nodes under evaluation).”).
Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over NABEEL-RAY in view of ADAMS (US-20210185075-A1).
Regarding claim 8, NABEEL-RAY teaches all limitations of claim 1. NABEEL teaches “wherein, the generating of the graph of associations containing classified objects and unclassified objects in the form of vertices” as seen in the rejection of claim 1. The same rejection applies.
However, NABEEL-RAY does not teach “further comprises: classifying unclassified objects that are domain names as trusted in an event that the number of requests received from the domain name system exceeds a predetermined threshold.”.
In analogous teaching ADAMS teaches “further comprises: classifying unclassified objects that are domain names as trusted in an event that the number of requests received from the domain name system exceeds a predetermined threshold.” ([ADAMS, para. 0049] “At step 209, the message security platform 110 may compute an initial set of rank-ordered external domains based on the external domains selected at step 208. … the message security platform 110 may identify a difference between the first ratio and the second ratio, and may apply a weight value to the difference based on a quantity of messages corresponding to the first number of messages and the second number of messages, which may result in a weighted difference value for the external domain (e.g., if the first number of messages and the second number of messages exceed a predetermined threshold, the external domain may correspond to a member of the supply chain that is frequently contacted or otherwise dealt with”).
Thus, given the teaching of ADAMS, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to combine the teaching of threshold request of a domain name requests by ADAMS into the teaching of method for classifying objects to prevent the spread of malicious activity by NABEEL-RAY. One of ordinary skill in the art would have been motivated to do so because ADAMS recognizes the need to improve security ([ADAMS, para. 0027] “Some aspects of the disclosure relate to improving enterprise security in electronic communications between an organization and its vendors and/or suppliers, trusted third party entities (which may e.g., be part of the organization's supply chain), and/or other entities.”).
Claim 11 is rejected under 35 U.S.C. 103 as being unpatentable over NABEEL-RAY in view of MCNEE (US-20220150275-A1).
Regarding claim 11, NABEEL-RAY teaches all limitations of claim 10. However, NABEEL-RAY does not teach “wherein the machine learning model is trained by using boosting decision trees.”.
In analogous teaching MCNEE teaches “wherein the machine learning model is trained by using boosting decision trees.” ([MCNEE, para. 0025] “The machine learning algorithms 110 may comprise any type of machine learning algorithm capable of predictive results. … one example EPSS 100, the ensemble classifier engines 113 use logistic regression, a Bayesian classifier, or a decision tree such as a random forest or a gradient boosted tree.”).
Thus, given the teaching of MCNEE, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to combine the teaching of boosting decision trees by MCNEE into the teaching of method for classifying objects to prevent the spread of malicious activity by NABEEL-RAY. One of ordinary skill in the art would have been motivated to do so because MCNEE recognizes the benefits of using machine learning to detect cybersecurity threats ([MCNEE, para. 0019] “Embodiments described herein provide enhanced computer- and network-based methods, techniques, and systems for producing and using enhanced machine learning models and computer-implemented tools to investigate cybersecurity related data and threat intelligence data. … which enables security software application and platform providers to build, deploy, and manage applications for evaluating threat intelligence data that can predict malicious domains”).
Pertinent Art
The prior art made of record and not relied upon is considered pertinent to Applicant’s
disclosure.
BROWN (US-20210037027-A1): This prior art teaches of visualizations of possible malicious incidents associated with an event on a host device may include causing presentation of graphics of a process or thread in a user interface. Information about detected events may be transmitted to a computing device that generates the visualizations for presentation to an analyst to verify the malicious incidents. Based on patterns and information conveyed in the visualizations, the computer device or host device may take action to protect operation of the host device caused by the event.
VOLKOV (US-12417282-B2): This prior art teaches of detecting a malicious infrastructure are provided. The method comprising: receiving a request comprising at least one infrastructure element of a given infrastructure assigned with a respective tag indicative of maliciousness of the given infrastructure; searching a database to identify therein, based at least on the respective tag, and at least one respective parameter of the at least one infrastructure element, and at least one additional infrastructure element and at least one additional respective parameter thereof; determining statistical relationships between the at least one respective parameter of at least one infrastructure element and the at least one additional respective parameter of the at least one additional infrastructure element; determining, based on the statistical relationships, rules for searching the database to identify therein new infrastructure elements; and assigning the respective tag associated with the given malicious infrastructure to the new infrastructure elements, thereby updating the database.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to AFAQ ALI whose telephone number is (571)272-1571. The examiner can normally be reached Mon - Fri 7:30am - 5:30pm EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, Applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, ALI SHAYANFAR can be reached at (571) 270-1050. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/A.A./
06/22/2026
/AFAQ ALI/Examiner, Art Unit 2434
/NOURA ZOUBAIR/Primary Examiner, Art Unit 2434