DETAILED ACTION
This office action is in response to the correspondence filed 04/29/2024. This application is a continuation of 17958625 filed on 10/03/2022 and 16742975 filed 01/15/2020. Claims 1-14 are still pending and are examined.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Priority
Applicant's claim for the benefit of a prior-filed application under 35 U.S.C. 119(e) or under 35 U.S.C. 120, 121, 365(c), or 386(c) is acknowledged.
Information Disclosure Statement
The information disclosure statement (IDS) was submitted on 06/24/2024. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP §§ 706.02(l)(1) - 706.02(l)(3) for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp
Claims 1-14 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-14 of U.S. Patent No. 11477223 B2 (US Application No. 16742975). Although the claims at issue are not identical, they are not patentably distinct from each other because the claims in the instant application are anticipated by the patented claims. The claims in the instant application are essentially the same while slightly broader in scope than the ones in the issued patent. The instant application has the basic elements of enabling search for events with similar feature vectors detailed in both claims while the issued patent has the additional details about processing received data as seen in the example below in claim 1 of the instant application and claim 1 of the issued patent.
Instant Application
U.S. Patent No. 11477223 B2
1. A method of analyzing cybersecurity events in at least one network environment comprising the steps of:
receiving a plurality of events, wherein each event is based on data originating from one of the at least one network environment;
adding contextual data to one or more of the plurality of events describing the circumstances by which the event was produced;
generating a feature vector for each event, wherein the feature vector describes the event and any contextual data added to that event;
determining a similarity metric for each pair of the plurality of events, wherein each similarity metric is a mathematical measure between the feature vectors of that pair;
determining at least one group of correlated events based on comparisons of similarity metrics; and
creating a record of the at least one group of correlated events in a data store, wherein efficient search within the at least one data store for events with similar feature vectors is enabled.
1. A method of analyzing cybersecurity events in at least one network environment in real time comprising the steps of:
receiving, in real time, data originating from the at least one network;
processing, in real time, the received data;
producing a plurality of events in response to the processing;
adding, in real time, contextual data to one or more of the plurality of events describing the circumstances by which the event was produced;
generating, in real time, a feature vector for each event for which contextual data was added, wherein the feature vector describes the event and the contextual data of that event;
determining a similarity metric for each pair of the plurality of events, wherein each similarity metric is a mathematical measure between the feature vectors of that pair;
determining at least one group of correlated events based on comparisons of similarity metrics; and
creating, in real time, a record of the at least one group of correlated events in a data store, wherein efficient search within the at least one data store for events with similar feature vectors is enabled.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.
Claims 1-14 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant regards as the invention.
Regarding claims 1-14, specifically independent claims 1 and 9, the term “efficient” is a relative term which renders the claim indefinite. The term “efficient” is not defined by the claim, the specification does not provide a standard for ascertaining the requisite degree, and one of ordinary skill in the art would not be reasonably apprised of the scope of the invention. Thus, “efficient search” in the limitation has been rendered indefinite.
Regarding claim 6, “the step of sending” was never recited before. There is insufficient antecedent basis for this limitation in the claim.
Regarding claim 7, “the step of applying” was never recited before. There is insufficient antecedent basis for this limitation in the claim.
Appropriate correction is required.
Allowable Subject Matter
Claims 1-14 contain allowable subject matter but remain rejected under 112 and nonstatutory double patenting rejections.
The following is an examiner’s statement of reasons for allowance:
Hayden; Patrick M. et al. (US Pub. No. 20180367553 A1) discloses anomaly detecting circuit to detect anomalous behavior in bus traffic. While Hayden discloses sensing communication or other traffic on a communications bus; detecting anomalous behavior among the traffic; fusing the detected anomalous behavior into groups of similar events; logging the detected anomalous behavior on an electronic data storage device, and alerting an operator if any of the fused groups have abnormal data, it fails to disclose generating a feature vector for each event; the feature vector describes the event and any contextual data added to that event; determining a similarity metric for each pair of the events wherein each similarity metric is a mathematical measure between the feature vectors of that pair as described in the claims.
Christian; Brian P. (US Pub. No. 20200106797 A1) discloses data surveillance for privileged assets on a computer network for detections of security issues. While Christian discloses a context of an event is attached/correlated to entries of server logs of a network of the organization; the context contains all the relevant information related to an event/incident captured by various modules, it fails to disclose determining a similarity metric for each pair of the events wherein each similarity metric is a mathematical measure between the feature vectors of that pair as described in the claims.
Meghdouri et al. (NPL – “Analysis of Lightweight Feature Vectors for Attack Detection in Network Traffic”) discloses evaluating lightweight feature sets with supervised machine learning. While Meghdouri discloses analyzing various lightweight feature sets used for network traffic classification and anomaly detection, it fails to disclose generating a feature vector for each event; the feature vector describes the event and any contextual data added to that event; determining a similarity metric for each pair of the events wherein each similarity metric is a mathematical measure between the feature vectors of that pair as described in the claims.
Therefore, the pending claims are allowed as the prior art of record does not disclose all the combination of features as described in the claims; nor would it have been obvious to one of ordinary skill in the art to further modify the prior art to include all of the deficient features, as set forth in the allowed claims.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
KAMIYA; Kazunori et al. US-PGPUB US 20200089877 A1 Malicious event detection method
Nakakoji; Hirofumi et al. US-PGPUB US 20100050260 A1 Attack node set determination method
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KA SHAN CHOY whose telephone number is (571) 272-1569. The examiner can normally be reached on MON - FRI: 9AM-5:30PM EST Alternate Fridays.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl can be reached on (571) 272-3685. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/KA SHAN CHOY/Primary Examiner, Art Unit 2435