DETAILED ACTION
Claims 1-21 remain for examination. The amendment filed 1/26/26 amended claims 1, 6, 8, & 17.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Arguments
The rejection of claims 17-21 under 35 USC 112(b) is withdrawn in view of Applicant’s amendment to those claims.
Applicant’s arguments, see pages 9-10 of the amendment filed 1/26/26, with respect to the rejection(s) of claims 1-21 under 35 USC 102 have been fully considered and are persuasive. Therefore, the rejection has been withdrawn. However, upon further consideration, a new ground(s) of rejection is made under 35 USC 103 in view of Porras combined with the newly discovered reference to Shao.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1-21 are rejected under 35 U.S.C. 103 as being unpatentable over Porras (U.S. Patent Publication 2019/0132214) in view of Shao (U.S. Patent Publication 2022/0400131).
Regarding claim 1:
Porras discloses a system comprising: a user input processing module implemented on a processor in communication with a memory, wherein the processor is to execute specific computer-executable instructions to process natural language based inputs and generate network security processing parameters (the network security keyphrase extraction module 326 of Figure 3; see also Figures 5A-5C, and paragraphs 0095-0097, including “In FIG. 5A, a dialog 500 between a user 502 and the system 110 is initiated by the user 502 speaking the NL phrase shown in 504. At 506, the NL speech 504 is processed by the ASR subsystem 320. The ASR subsystem 320 outputs the NL text shown in 508. The NL text 508 is processed by the network security keyphrase extraction module 326, at 510. At 510, the network keyphrase extraction module 326 identifies the key words and phrases shown in brackets in 512. The bracketed words and phrases shown in 512 are, at 510, extracted by the network keyphrase extraction module 326, and analyzed by the network dialog parser module 334 in 514. The network dialog parser module 334 generates a parse tree 516 based on the extracted key words and phrases 512 (words and phrases may be referred to herein collectively or individually as “keyphrases.” In creating the parse tree 516, the parser module 334 assigns semantics to information contained in or derived from the key words and phrases 512; e.g., the parser module 334 determines one or more actions to be performed by the system 110 based on the keyphrases 512…”); a network security processing module implemented on a processor in communication with a memory, wherein the processor is to execute specific computer-executable instructions to identify one or more network security processing actions implemented by a network service, the one or more network security processing actions based on the generated network security processing parameters, wherein implementation of the one or more network security processing actions by the network service causes the generation of processing results (the network dialog interpreter module 332 of Figure 3, and paragraphs 0095-0097: “The elements of the parse tree 516 are processed by the network action generator module 337, in 518. The network action generator module 337 generates the network-actionable directive 520, based on the parse tree 516. The directive 520 may be generated as “intermediate-level” code, which is then converted to device-executable instructions (e.g., by the security initiative translator module 410)”); and an output processing module implemented on a processor in communication with a memory, wherein the processor is to execute specific computer-executable instructions to process the generated processing results and generate natural-language based outputs (Ibid, particularly element 346 of Figure 3, & elements 580 & 582 of Figure 5C, and paragraph 0097: “While not specifically shown in FIG. 5C, the network analytics subsystem 142 and/or the network security subsystem 130 returns query results, which, in 580, the natural language generator module 346 converts to NL dialog output 582. The natural language generator module 346 interfaces with the user interface subsystem 836 to output the NL dialog output 582 as system generated speech, via one or more speakers of the computing system 100”; see also Figures 7A-7D).
Although machine learning is explicitly disclosed as being usable within the Porras invention (paragraphs 0106-0107), its use appears to be limited to the reasoning module which is outside the scope of the claim. Thus, while the modules cited from the Porras disclosure perform the same functionality as the recited first and second machine learning models, and at least the network security keyphrase extraction module relies on a network security dialog model to function (see element 328 of Figure 3), nevertheless it is unclear from the Porras disclosure if all of the relevant modules can be implemented as machine learning models. However, Shao discloses a related invention for a network administrator security tool that includes inter alia one or more machine learning models that are capable of turning natural language instructions into computer-executable code, and vice versa (Shao, paragraph 0041: “Risk mitigation module 132 generates suggestions that include actions that a user, such as a network administrator, can perform to mitigate risk in a network. The actions may include natural language instructions that are generated by one or more machine learning models...Given a text description of issues or warmings, which can be obtained from risk reports, risk mitigation module 132 may encode the natural language descriptions into a machine-understandable format that can be used to infer problem symptoms, causes, troubleshooting activities, and resolution actions. In some embodiments, risk mitigation module 132 employs a generative adversarial network (GAN) for generating natural language suggestions for actions to mitigate risk”; and paragraph 0054: “The generative adversarial model may encode natural language descriptions of issues described in risk reports into machine-understandable formats (e.g., vector representations), which can be processed and decoded into natural language instructions that include actions that a user can perform to mitigate risk”). It would have been obvious prior to the effective filing date of the instant application for Porras to implement each of the relevant modules as a machine learning model, as this was clearly a known option within the grasp of a person of ordinary skill in the art, in order to identify, explain, and plan the mitigation of network risk in a fully-automated manner (Shao, paragraph 0022).
Regarding claims 8 and 17:
The rejection of claim 1 applies mutatis mutandis to each of claims 8 and 17.
Regarding claims 2, 9, and 18: Porras further discloses wherein the network security processing parameters include an identification of one or more data sources to be accessed by the network service (e.g. paragraph 0096: “…as well as arguments or parameters to associate with those actions (e.g., source=AlertDB, record type-security alerts, where=source is homenet, when=last 24 hours), using, e.g., a network security ontology.” [emphasis Examiner’s]).
Regarding claims 3, 10, and 19: Porras further discloses wherein the network security processing parameters include an identification of criteria for searching data sources accessed by the network service (e.g. paragraph 0095: “…the parser module 334 determines one or more actions to be performed by the system 110 based on the keyphrases 512 (e.g., email deny flow), as well as arguments or parameters to associate with those actions (e.g., source=peripherals, event=outbound flow, destination=non-US), in accordance with rules defined by, e.g., a network security ontology” [emphasis Examiner’s]).
Regarding claim 4: Porras further discloses wherein the criteria include timing information (e.g. paragraph 0029 & Table 1: “tell me if any SSH server accepts a connection from an ITAR host that lasts greater than 120 seconds”; and paragraph 0069 & Table 2: “disconnect any local BitTorrent servers from the network when the network bandwidth exceeds 100 megabits per second”).
Regarding claims 5, 14, and 20: Porras further discloses wherein the network security processing parameters include an identification of at least one network security processing action to be implemented by the network service (e.g. paragraph 0095: “…one or more actions to be performed by the system 110 based on the keyphrases 512 (e.g., email deny flow)…”).
Regarding claims 6 and 15: Porras further discloses wherein the one or more network security processing actions includes a request for a system analysis to be implemented by the network service (the “impact analysis” of paragraphs 0048-0049).
Regarding claims 7 and 21: Porras further discloses wherein the network security processing parameters include an identification of an output to be generated in response to a natural language input (element 582 of Figure 5C; see also Figures 7A-7D).
Regarding claim 11: Porras further discloses wherein the criteria include criteria for searching data sources (e.g. paragraph 0097: “For instance, the parser module 334 determines one or more actions to be performed by the system 110 based on the keyphrases 540 (e.g., “query”), as well as arguments or parameters to associate with those actions (e.g., source=AlertDB, record type=security alerts, where=source is homenet, when=last 24 hours) (e.g., based on network security ontology)” [emphasis Examiner’s]).
Regarding claim 12: Porras further discloses wherein the criteria include criteria for searching raw metric data (implied by the various queries of Tables 1 & 2).
Regarding claim 13: Porras further discloses wherein the criteria include criteria for searching network security analytics (paragraphs 0047-0049).
Regarding claim 16: Porras further discloses wherein at least the first machine learning model or the second machine learning model correspond to large language models (paragraph 0068).
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Thomas A Gyorfi whose telephone number is (571)272-3849. The examiner can normally be reached 10:00am - 6:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Amir Mehrmanesh can be reached at 571-270-3351. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
THOMAS A. GYORFI
Examiner
Art Unit 2435
/THOMAS A GYORFI/Examiner, Art Unit 2435 5/27/2026
/AMIR MEHRMANESH/Supervisory Patent Examiner, Art Unit 2435