Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Amendment
Applicant's submission filed on 12/3/2025 has been entered. Claims 1-19 and 21 are pending in the application.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-19 and 21 are rejected under 35 U.S.C. 103 as being unpatentable over Fujishima (U.S. Patent App. Pub. 20140115663) in view of Dickey (U.S. Patent App. Pub. 20150295775).
Regarding claim 1,
Fujishima teaches a computer-implemented method, comprising: monitoring, by a remote capture agent, network packets traversing a network interface of a computing device in an information technology (IT) environment; (See paragraphs 130-133, Fujishima teaches capturing network packets)
obtaining network data from the network packets; (See paragraphs 71-74; Fujishima teaches analyzing an authentication request or an authentication response included in a packet stored in the captured data storage unit 112, and collecting information for detecting an unauthorized procedure for receiving authentication performed through the network 94.)
Fujishima does not explicitly teach, but Dickey teaches, receiving, by a remote capture agent, configuration information from a configuration server, the configuration information specifying a manner in which to modify one or more network data from one or more network packets for event creation; (See paragraphs 47-48, 52, figures 1, 4; Dickey teaches receiving configuration information from the server and modifying the events.)
modifying the network data, in accordance with configuration information specifying the manner in which to modify the network data for the event creation and obtained by the remote capture agent from a configuration server, to obtain modified network data; (See paragraphs 31, 48, 50-52, figures 1, 4; Dickey teaches dynamically modifying the network data.)
generating a plurality of timestamped events based on the modified network data; and (See paragraphs 23, 75, 83, 93, fig 4, Dickey teaches generating timestamped events based on the modified data)
sending the plurality of timestamped events to another component on the network for subsequent processing. (See paragraphs 23, 75, 152, 70, fig 4, Dickey teaches sending the timestamped information to another element)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to combine the teachings of Dickey with Fujishima because both deal with capturing network traffic. The advantage of incorporating the above limitation(s) of Dickey into Fujishima is that Dickey eliminates the need to deploy and connect physical hardware to network ports, thus allowing users to configure and change the data capture configuration on the fly rather than in fixed formats, while reducing the subsequent real-time processing of event data by an application, and the overhead associated with that processing, by providing configuration information that causes a remote capture agent to transform event data into a form that can be used by the application, therefore making the overall system more robust and efficient. (See paragraphs 3-5, Dickey)
Regarding claim 2,
Fujishima and Dickey teach the method of claim 1, wherein an event of the plurality of timestamped events includes a field specified by the configuration information. (See paragraphs 72-73, Fujishima teaches SMB protocol being captured)
Regarding claim 3,
Fujishima and Dickey teach the method of claim 1, wherein the plurality of timestamped events is a first plurality of timestamped events, wherein an event of the first plurality of timestamped events includes a first field specified by the configuration information, and wherein the method further comprises: (See paragraphs 116, 23, 75, Dickey)
obtaining updated configuration information from the configuration server, wherein the updated configuration information specifies a second field to be included in timestamped events generated by the remote capture agent; generating a second plurality of timestamped events based on the modified network data, wherein the second plurality of timestamped events includes the second field. (See paragraphs 116, 23, 75, Dickey) See motivation to combine for claim 1.
Regarding claim 4,
Fujishima and Dickey teach the method of claim 1, wherein the remote capture agent executes in a cloud computing system. (See paragraphs 120, 122, Fujishima teaches a cloud)
Regarding claim 5,
Fujishima and Dickey teach the method of claim 1, wherein the remote capture agent monitors network packets traversing a plurality of network interfaces including the network interface. (See figure 1 and 4, paragraphs 69-70, Fujishima teaches capture agent in between network interfaces)
Regarding claim 6,
Fujishima and Dickey teach the method of claim 1, wherein the remote capture agent initiates generation of the plurality of timestamped events responsive to identification of a potential security risk, and wherein the remote capture agent identifies the potential security risk based on network packets monitored by the remote capture agent. (See paragraphs 39-40, 90, abstract, claim 1; Fujishima teaches that the events are used to detect unauthenticated access and a security risk)
Regarding claim 7,
Fujishima and Dickey teach the method of claim 1.
Dickey teaches further comprising identifying network packets associated with a source specified by the configuration information, and wherein the network data is obtained from the network packets associated with the source. (See paragraphs 116, 51, 53, Dickey) See motivation to combine for claim 1.
Regarding claim 8,
Fujishima and Dickey teach the method of claim 1, further comprising identifying a protocol used by the network packets, wherein the remote capture agent obtains network data from the network packets based on the protocol used by the network packets. (See paragraphs 72-73, Fujishima teaches SMB protocol being captured and authenticated)
Regarding claim 9,
Fujishima and Dickey teach the method of claim 1, further comprising generating the plurality of timestamped events based on a time interval specified by the configuration information. (See paragraphs 71-72, Fujishima teaches generated time stamped events in intervals)
Regarding claim 10,
Fujishima and Dickey teach the method of claim 1, further comprising assembling the network packets into a packet flow, wherein the network data is obtained from the packet flow. (See paragraphs 42-43, Fujishima teaches a packet flow)
Claims 11-15 list all the same elements as claims 1-5, but in system form rather than method form. Therefore, the supporting rationale of the rejection of claims 1-5 applies equally to claims 11-15. Furthermore, with regard to the limitation "A computing device, comprising: a processor; and a non-transitory computer-readable medium having stored thereon instructions that, when executed by the processor, cause the processor to perform operations including:", see paragraphs 66-67 of Fujishima.
Claims 16-19 list all the same elements as claims 1-4, but in computer-readable medium form rather than method form. Therefore, the supporting rationale of the rejection of claims 1-4 applies equally to claims 16-19. Furthermore, with regard to the limitation "A non-transitory computer-readable medium having stored thereon instructions that, when executed by one or more processors, cause the one or more processors to perform operations including:", see paragraphs 66-67 of Fujishima.
Regarding claim 21,
Fujishima and Dickey teach the method of claim 1.
Dickey further teaches wherein the configuration information includes an indication of a unique identifier, an indication of a type of event, an indication of a field to include in events, an indication of a filtering rule for filtering events, or a combination thereof. (See paragraphs 51-53, Dickey) See motivation to combine for claim 1.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The filing of a terminal disclaimer by itself is not a complete reply to a nonstatutory double patenting (NSDP) rejection. A complete reply requires that the terminal disclaimer be accompanied by a reply requesting reconsideration of the prior Office action. Even where the NSDP rejection is provisional, the reply must be complete. See MPEP § 804, subsection I.B.1. For a reply to a non-final Office action, see 37 CFR 1.111(a). For a reply to a final Office action, see 37 CFR 1.113(c). A request for reconsideration, while not provided for in 37 CFR 1.113(c), may be filed after final for consideration. See MPEP §§ 706.07(e) and 714.13.
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The actual filing date of the application in which the form is filed determines which form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/apply/applying-online/eterminal-disclaimer.
Claims 1-19 and 21 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of U.S. Patent No. 11973852. Although the claims at issue are not identical, they are not patentably distinct from each other because the limitations of the independent claims, when taken in light of the dependent claims of the patent, are either the same as or obvious variations of those of the instant application.
See the table below. For the sake of brevity, only the method claims are listed, but the comparison applies equally to the other statutory categories. The claims of the instant application are listed first, followed by the claims of Patent 11973852.
Instant Application (claims 1-10):
1. A computer-implemented method, comprising: receiving, by a remote capture agent, configuration information from a configuration server, the configuration information specifying a manner in which to modify one or more network data from one or more network packets for event creation: monitoring, by a remote capture agent, network packets traversing a network interface of a computing device in an information technology (IT) environment; obtaining network data from the network packets; modifying the network data, in accordance with configuration information specifying the manner in which to modify the network data for the event creation and obtained by the remote capture agent from a configuration server to obtain modified network data; generating a plurality of timestamped events based on the modified network data; and sending the plurality of timestamped events to another component on the network for subsequent processing.
2. The method of claim 1, wherein an event of the plurality of timestamped events includes a field specified by the configuration information.
3. The method of claim 1, wherein the plurality of timestamped events is a first plurality of timestamped events, wherein an event of the first plurality of timestamped events includes a first field specified by the configuration information, and wherein the method further comprises: obtaining updated configuration information from the configuration server, wherein the updated configuration information specifies a second field to be included in timestamped events generated by the remote capture agent; generating a second plurality of timestamped events based on the modified network data, wherein the second plurality of timestamped events includes the second field.
4. The method of claim 1, wherein the remote capture agent executes in a cloud computing system.
5. The method of claim 1, wherein the remote capture agent monitors network packets traversing a plurality of network interfaces including the network interface.
6. The method of claim 1, wherein the remote capture agent initiates generation of the plurality of timestamped events responsive to identification of a potential security risk, and wherein the remote capture agent identifies the potential security risk based on network packets monitored by the remote capture agent.
7. The method of claim 1, further comprising identifying network packets associated with a source specified by the configuration information, and wherein the network data is obtained from the network packets associated with the source.
8. The method of claim 1, further comprising identifying a protocol used by the network packets, wherein the remote capture agent obtains network data from the network packets based on the protocol used by the network packets.
9. The method of claim 1, further comprising generating the plurality of timestamped events based on a time interval specified by the configuration information.
10. The method of claim 1, further comprising assembling the network packets into a packet flow, wherein the network data is obtained from the packet flow.
Patent 11973852 (claims 1-9):
1. A computer-implemented method, comprising: receiving, by a remote capture agent, configuration information from a configuration server, wherein the configuration information specifies a first source address or a first destination address to be used by the remote capture agent to generate a first plurality of timestamped events from captured network packets that include the first source address or the first destination address; monitoring, by the remote capture agent, network packets traversing a network interface of a computing device in an information technology (IT) environment; identifying, from the network packets, a first plurality of particular network packets associated with the first source address or the first destination address specified in the configuration information; generating the first plurality of timestamped events based on the first plurality of particular network packets; sending the first plurality of timestamped events to a component on the network for subsequent processing; receiving, by the remote capture agent, updated configuration information from the configuration server, wherein the updated configuration information specifies a second source address or a second destination address that is different from the first source address or the first destination address, and wherein the updated configuration information is to be used by the remote capture agent to generate a second plurality of timestamped events from captured network packets that include the second source address or the second destination address; identifying, from the network packets, a second plurality of particular network packets associated with the second source address or the second destination address; generating the second plurality of timestamped events based on the second plurality of particular network packets; and sending the second plurality of timestamped events to the component on the network for subsequent processing.
2. The method of claim 1, wherein an event of the first plurality of timestamped events includes a field specified by the configuration information.
3. The method of claim 1, wherein the remote capture agent executes in a cloud computing system.
4. The method of claim 1, wherein the remote capture agent monitors network packets traversing a plurality of network interfaces including the network interface.
5. The method of claim 1, wherein the remote capture agent initiates generation of the first plurality of timestamped events responsive to identification of a potential security risk, and wherein the remote capture agent identifies the potential security risk based on network packets monitored by the remote capture agent.
6. The method of claim 1, further comprising identifying network packets associated with a particular type of protocol specified in the configuration information.
7. The method of claim 1, further comprising identifying a protocol used by the network packets, wherein the remote capture agent obtains network data from the network packets based on the protocol associated with the network packets.
8. The method of claim 1, further comprising generating the first plurality of timestamped events based on a time interval specified by the configuration information.
9. The method of claim 1, further comprising assembling the network packets into a packet flow, wherein the first plurality of timestamped events is generated based on network data obtained from the packet flow.
Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of U.S. Patent No. 11115505. Although the claims at issue are not identical, they are not patentably distinct from each other because the limitations of the independent claims, when taken in light of the dependent claims of the patent, are either the same as or obvious variations of those of the instant application. As above, the claims of the instant application are listed first, followed by the claims of Patent 11115505.
Instant Application:
11. A computer-implemented method, comprising: receiving, by a remote capture agent, configuration information from a configuration server, the configuration information specifying a manner in which to modify one or more network data from one or more network packets for event creation: monitoring, by a remote capture agent, network packets traversing a network interface of a computing device in an information technology (IT) environment; obtaining network data from the network packets; modifying the network data, in accordance with configuration information specifying the manner in which to modify the network data for the event creation and obtained by the remote capture agent from a configuration server to obtain modified network data; generating a plurality of timestamped events based on the modified network data; and sending the plurality of timestamped events to another component on the network for subsequent processing.
2. The method of claim 1, wherein an event of the plurality of timestamped events includes a field specified by the configuration information.
3. The method of claim 1, wherein the plurality of timestamped events is a first plurality of timestamped events, wherein an event of the first plurality of timestamped events includes a first field specified by the configuration information, and wherein the method further comprises: obtaining updated configuration information from the configuration server, wherein the updated configuration information specifies a second field to be included in timestamped events generated by the remote capture agent; generating a second plurality of timestamped events based on the modified network data, wherein the second plurality of timestamped events includes the second field.
4. The method of claim 1, wherein the remote capture agent executes in a cloud computing system.
5. The method of claim 1, wherein the remote capture agent monitors network packets traversing a plurality of network interfaces including the network interface.
6. The method of claim 1, wherein the remote capture agent initiates generation of the plurality of timestamped events responsive to identification of a potential security risk, and wherein the remote capture agent identifies the potential security risk based on network packets monitored by the remote capture agent.
7. The method of claim 1, further comprising identifying network packets associated with a source specified by the configuration information, and wherein the network data is obtained from the network packets associated with the source.
8. The method of claim 1, further comprising identifying a protocol used by the network packets, wherein the remote capture agent obtains network data from the network packets based on the protocol used by the network packets.
9. The method of claim 1, further comprising generating the plurality of timestamped events based on a time interval specified by the configuration information.
10. The method of claim 1, further comprising assembling the network packets into a packet flow, wherein the network data is obtained from the packet flow.
Patent 11115505 (claims 1-10):
1. A computer-implemented method, comprising: receiving, via a graphical user interface (GUI), input defining a custom content extraction rule, wherein the input specifies: a source field in network packets to be monitored by a remote capture agent, wherein the source field contains structured data, an extraction rule to be used to extract data from the structured data to obtain extracted data, and a field name to be used to identify the extracted data in timestamped events to be generated by the remote capture agent; generating configuration information based on the input; sending the configuration information to the remote capture agent, wherein the configuration information causes the remote capture agent to generate timestamped events, wherein the timestamped events include extracted data obtained by applying the custom content extraction rule to network packets monitored by the remote capture agent, and wherein the extracted data is identified in the timestamped events using the field name; receiving the timestamped events from the remote capture agent, wherein each of the timestamped events includes extracted data identified by the field name; and storing the timestamped events in a data store, wherein storage of the timestamped events in the data store enables execution of queries based on the field name.
2. The computer-implemented method of claim 1, wherein the remote capture agent generates a timestamped event of the timestamped events at least in part by: parsing a network packet of the network packets to identify a structure of the network packet, wherein the structure of the network packet is used to determine a protocol associated with the network packets; applying the extraction rule to the network packet to obtain extracted content, wherein applying the extraction rule includes: identifying the source field in the network packet containing the structured data from which the extracted content is to be obtained, and extracting data from the structured data contained in the source field of the network packet; generating a timestamped event including a field storing the extracted content; and sending the timestamped event including the extracted content to another component on a computer network for storage in a data store, the data store facilitating querying of timestamped event data stored in the data store using late-binding schemas generated from received queries.
3. The computer-implemented method of claim 1, wherein the method further comprises: storing the timestamped events in a data store; receiving a query to be applied to the timestamped events stored in the data store; retrieving timestamped events from the data store satisfying the query; using a late-binding schema generated from the query to retrieve data values from the retrieved timestamped events; and processing the query using the retrieved data values.
4. The computer-implemented method of claim 1, wherein the input further specifies a protocol to be associated with the custom content extraction rule.
5. The computer-implemented method of claim 1, wherein the input further specifies a field-specific regular expression to be applied to the source field in the network packets, and wherein applying the custom content extraction rule to the network packets includes applying the field-specific regular expression to the source field in the network packets.
6. The computer-implemented method of claim 1, wherein the structured data includes eXtensible Markup Language (XML) formatted data, and wherein applying the custom content extraction rule includes extracting data from the XML-formatted data.
7. The computer-implemented method of claim 1, wherein the structured data includes JavaScript Object Notation (JSON) formatted data, and wherein applying the custom content extraction rule includes extracting data from the JSON-formatted data.
8. The computer-implemented method of claim 1, wherein the custom content extraction rule is associated with a protocol, and wherein the remote capture agent uses a deep-packet inspection engine to determine that the network packets are associated with the protocol.
9. The computer-implemented method of claim 1, wherein the input further specifies an extraction rule type that identifies a type of extraction rule to be used to obtain the extracted data.
10. The computer-implemented method of claim 1, wherein the configuration information causes the remote capture agent to send the timestamped events to another component for storage in a data store.
Response to Arguments
Applicant’s arguments with respect to claim(s) have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure and located in the PTO-892 form.
1. Sun, U.S. Patent App. 20150215383, teaches a server that receives a first URL link from a first mobile device of a first user. In response to the first URL link, the server determines whether a first mobile application that is associated with the URL link has been installed at the first mobile device. If the first mobile application has not been installed at the first mobile device, interactive data of the first user with respect to the first URL link is collected and stored in an event database of the server. If the first mobile application has been installed at the first mobile device, first data that is associated with the first URL link is retrieved from the link database and a second URL link is generated, the second URL link including the first data embedded therein. The second URL link is transmitted to the first mobile device.
2. Bhattacharaya, U.S. Patent 7483972, teaches a security monitoring system that processes event messages related to computer network security in real time, evaluating inter-event constraints so as to identify combinations of events that are partial solutions to a predefined event correlation rule, and furthermore evaluating combinations of the partial solutions to determine if they together satisfy the predefined event correlation rule. A decision tree is formed based on the rule. Event messages are categorized into groups at leaf nodes of the tree in accordance with a plurality of intra-event constraints, and then the messages are correlated in accordance with a plurality of inter-event constraints at non-leaf nodes of the tree. When the inter-event constraint at a root node of the tree has been satisfied, a network attack alert is issued and protective actions may be taken.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to NINOS DONABED whose telephone number is (571)272-8757. The examiner can normally be reached Monday - Friday 8:00pm - 4:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, John Follansbee can be reached on (571) 272-3964. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/NINOS DONABED/Primary Examiner, Art Unit 2444