DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claim Interpretation
The phrase “a notable event” in claim 3 would typically warrant a 35 U.S.C. 112(b) rejection for a relative term. However, the specification gives support for a standard for ascertaining the requisite degree, and one of ordinary skill in the art would be reasonably apprised of the scope of the invention.
For example, paragraph [0022] of the specification filed on 7/19/24, states in part: “Meanwhile, the series of notable events may include any events involving the primary entity that have been determined to be unusual. Events that have been deemed normal may be discarded by the threat detection platform, and therefore not recorded in the ABC timeline.”
Furthermore, paragraph [0058] of the specification filed on 7/19/24, states in part: “The events are processed by knowledge engine 310 and feature processor 320 to identify enriched events 304 and features. An event analysis engine 330 performs single-event analysis 340 using a risk model 342 and an abnormality model 344. Each model determines a respective score associated with a given event. The abnormality score and the risk score each indicates whether an event is notable.”
As to claims 15 and 16, the claims are not rejected under 35 U.S.C. 101 (as is the case for claims 1-14 and 17-20 below), because claim 15 adds the limitation of “wherein the user interface includes an automatically generated narrative associated with the detection of the potential security threat.” A person is not capable of mentally “automatically” generating a narrative and therefore this is not an abstract idea and requires the significant use of additional elements that result in more than the judicial exception. Claim 16 depends upon claim 15.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1-14 and 17-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.
As to claim 1, the claim recites “determining that a specific event in a plurality of events from a plurality of different digital service platforms meets a criterion for multievent analysis.” Paragraph [0030] of the specification as filed on 7/19/24 states the event may be an incoming or outgoing email. Therefore, a person could perform the mental process of reading an email and deciding if it warrants performing a multievent analysis (e.g., examining multiple emails to find emails from the same sender).
Similarly, the claim recites “identifying, among the plurality of events, a group of cross-platform events related to the specific event; analyzing at least the group of cross-platform events to detect a potential security threat; and providing a security threat analysis result associated with the identified group of cross-platform events.” All of these limitations may also be performed mentally by a person. For example, a person may examine a plurality of emails from a plurality of platforms to decide which ones are related to the original email, the person may decide if the emails represent a potential security threat, and the person may present the results of this decision verbally or written with pen on paper.
This judicial exception is not integrated into a practical application because the claim is directed to an abstract idea performed by mental processes alone. Even if the use of a computer to display emails or print emails for analysis by a person is assumed, this is not a meaningful limitation to the abstract idea because it would amount to simply implementing the abstract idea on a computer via the use of generic computer elements such as a computer monitor and/or computer printer.
The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception because the claim does not require the use of a computer at all or at best requires the use of a computer only for insignificant actions such as displaying the emails or printing the emails with generic computer elements as discussed in the preceding paragraph.
As to claims 2-14 and 17, the claims are similarly rejected under 35 U.S.C. 101 as they do not add limitations that overcome the interpretation applied to claim 1 above. Each claim is directed to an abstract idea that may be performed mentally by a person or in conjunction with the insignificant usage of generic computer elements.
As to claim 18, the claim is similarly rejected under 35 U.S.C. 101 as the claim only differs from claim 1 by the inclusion of a system comprising a processor and a memory configured to provide instructions to the processor. These are generic computer elements that do not change the interpretation of the subject matter applied to claim 1 above.
As to claim 19, the claim is similarly rejected under 35 U.S.C. 101 as it does not add limitations that overcome the interpretation applied to claim 18 above. The claim is directed to an abstract idea that may be performed mentally by a person or in conjunction with the insignificant usage of generic computer elements.
As to claim 20, the claim is similarly rejected under 35 U.S.C. 101 as the claim only differs from claim 1 by the inclusion of a computer program product embodied in a non-transitory computer readable medium and comprising computer instructions. These are generic computer elements that do not change the interpretation of the subject matter applied to claim 1 above.
Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.
Claims 1-7, 10-13, and 18-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Sims et al. (hereafter referred to as “Sims”), U.S. Patent App. Pub. No. 2019/0132328 A1.
As to claim 1, Sims discloses a method (Fig. 3; ¶ [0023], wherein a “process flow” is a method; Claim 14), comprising:
determining that a specific event in a plurality of events from a plurality of different digital service platforms meets a criterion for multievent analysis (Fig. 3; ¶ [0060], “aggregating user event record cross multiple platforms” and “the infrastructure resources include one or more network management software, which manages and monitors data routing, combining, and allocating network bandwidth, access control, and other core networking processes”; ¶ [0063], “the process flow includes determining whether the detected exposure event meets the threshold level of a red-flag indicating a potential intrusion”; ¶ [0066]);
identifying, among the plurality of events, a group of cross-platform events related to the specific event (Fig. 3, block 308; ¶ [0023], “aggregating user event record cross multiple platforms”; ¶ [0066]);
analyzing at least the group of cross-platform events to detect a potential security threat (Fig. 3, block 308; ¶ [0023], “aggregating user event record cross multiple platforms”; ¶ [0066], “a red-flag indicating a potential intrusion”); and
providing a security threat analysis result associated with the identified group of cross-platform events (Fig. 3, block 310; ¶ [0070]).
As to claim 2, Sims discloses wherein the group of cross-platform events includes at least one event associated with a first platform and at least one event associated with a second platform (¶ [0023], “aggregating user event record cross multiple platforms”; ¶ [0060], “aggregating user event record cross multiple platforms”).
As to claim 3, Sims discloses wherein events included in the group of cross-platform events related to the specific event are related by at least one of: being associated with a particular user, being a notable event, or being associated with a particular entity (Fig. 3, block 308; ¶ [0023], “aggregating user event record cross multiple platforms”; ¶ [0055], wherein the potential intrusion is related by way of being directed at the same entity of the invention of Sims; ¶ [0066], “a red-flag indicating a potential intrusion”, wherein the events are related by way of being grouped together by the notable event of their combination indicating a potential intrusion).
As to claim 4, Sims discloses wherein identifying the group of cross-platform events related to the specific event includes filtering events to determine a subset of notable events that are relevant to the specific event (¶ [0066]; ¶ [0070], “In one aspect, the system may be configured to initiate a presentation of a graphical user interface for display on the one or more detection systems. In this regard, the graphical user interface may include information associated with the combination of exposure events that met the threshold level of a red-flag”).
As to claim 5, Sims discloses wherein the filtering is based at least on a similarity between the specific event and other events in the group of cross-platform events with respect to at least one of: time, internet protocol (IP) address, or type (¶ [0061], “the machine learning algorithm may incorporate the number of times and/or frequency with which the exposure events have been determined to be potential intrusions”; ¶ [0069], “the system may be configured to analyze the exposure events to identify specific types of patterns or trends in the exposure events to determine whether any combination of the exposure events raise to meet the level of a red-flag”).
As to claim 6, Sims discloses wherein analyzing at least the group of cross-platform events to detect the potential security threat includes using at least one detector to detect the potential security threat (Fig. 2; ¶ [0057]).
As to claim 7, Sims discloses wherein each of at least a subset of the at least one detector is configured to detect a respective type of potential security threat (Fig. 2; ¶ [0057]).
As to claim 10, Sims discloses determining a confidence score associated with the security threat analysis result (¶ [0072]).
As to claim 11, Sims discloses wherein the security threat analysis result includes a history of specific events associated with the detection of the potential security threat (¶ [0061], “In this regard, the system may be configured to use historical exposure events generate a score for the exposure event detected by the detection system”; ¶ [0063], “In some embodiments, the score required to meet the threshold level of a red-flag may be generated by the machine learning algorithm based on historical occurrences of potential intrusions by same or similar exposure events”).
As to claim 12, Sims discloses wherein at least a portion of the security threat analysis result is logged without presenting the security threat analysis result on a user interface (¶ [0067]; ¶ [0070], “Next, as shown in block 310, the process flow includes transmitting the combination of exposure events that meet the threshold level of the red-flag to a user computing device for additional review”; wherein the information associated with exposure events is stored in the centralized data repository, but only transmitted to the user interface when a combination of exposure events rises to a certain threshold to warrant doing so and therefore exposure events that never reach this threshold are stored but never presented in the user interface).
As to claim 13, Sims discloses providing a user interface including the security threat analysis result (¶ [0070], “In one aspect, the system may be configured to initiate a presentation of a graphical user interface for display on the one or more detection systems. In this regard, the graphical user interface may include information associated with the combination of exposure events that met the threshold level of a red-flag”).
As to claim 18, Sims discloses a system (Fig. 1; ¶ [0021]; Claim 1), comprising:
a processor (¶ [0035], “the system 130 may include a processor 102”) configured to:
determine that a specific event in a plurality of events from a plurality of different digital service platforms meets a criterion for multievent analysis (Fig. 3; ¶ [0060], “aggregating user event record cross multiple platforms” and “the infrastructure resources include one or more network management software, which manages and monitors data routing, combining, and allocating network bandwidth, access control, and other core networking processes”; ¶ [0063], “the process flow includes determining whether the detected exposure event meets the threshold level of a red-flag indicating a potential intrusion”; ¶ [0066]);
identify, among the plurality of events, a group of cross-platform events related to the specific event (Fig. 3, block 308; ¶ [0023], “aggregating user event record cross multiple platforms”; ¶ [0066]);
analyze at least the group of cross-platform events to detect a potential security threat (Fig. 3, block 308; ¶ [0023], “aggregating user event record cross multiple platforms”; ¶ [0066], “a red-flag indicating a potential intrusion”); and
provide a security threat analysis result associated with the identified group of cross-platform events (Fig. 3, block 310; ¶ [0070]); and
a memory coupled to the processor (¶ [0035], “the system 130 may include a processor 102, memory 104” and “Each of the components 102, 104, 106, 108, 111, and 112 are interconnected using various buses, and may be mounted on a common motherboard or in other manners as appropriate”) and configured to provide the processor with instructions (¶ [0035], “The processor 102 can process instructions for execution within the system 130, including instructions stored in the memory 104”).
As to claim 19, Sims discloses wherein analyzing at least the group of cross-platform events to detect the potential security threat includes using at least one detector to detect the potential security threat (Fig. 2; ¶ [0057]).
As to claim 20, Sims discloses a computer program product embodied in a non-transitory computer readable medium (¶ [0037], “A computer program product can be tangibly embodied in an information carrier” and “The information carrier may be a non-transitory computer- or machine-readable storage medium, such as the memory 104, the storage device 104, or memory on processor 102”) and comprising computer instructions (¶ [0037], “The computer program product may also contain instructions that, when executed, perform one or more methods, such as those described above”) for:
determining that a specific event in a plurality of events from a plurality of different digital service platforms meets a criterion for multievent analysis (Fig. 3; ¶ [0060], “aggregating user event record cross multiple platforms” and “the infrastructure resources include one or more network management software, which manages and monitors data routing, combining, and allocating network bandwidth, access control, and other core networking processes”; ¶ [0063], “the process flow includes determining whether the detected exposure event meets the threshold level of a red-flag indicating a potential intrusion”; ¶ [0066]);
identifying, among the plurality of events, a group of cross-platform events related to the specific event (Fig. 3, block 308; ¶ [0023], “aggregating user event record cross multiple platforms”; ¶ [0066]);
analyzing at least the group of cross-platform events to detect a potential security threat (Fig. 3, block 308; ¶ [0023], “aggregating user event record cross multiple platforms”; ¶ [0066], “a red-flag indicating a potential intrusion”); and
providing a security threat analysis result associated with the identified group of cross-platform events (Fig. 3, block 310; ¶ [0070]).
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Sims as applied above, in view of KANG et al. (hereafter referred to as “Kang”), U.S. Patent App. Pub. No. 2010/0024033 A1.
As to claim 8, Sims is silent on wherein the at least one detector utilizes rule-based pattern analysis.
However, Kang discloses wherein the at least one detector utilizes rule-based pattern analysis (¶ [0017], “The malicious code detector may detect the malicious code using a rule-based pattern matching method”).
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to modify the teachings of Sims in the aforementioned manner as taught by Kang in order to enable the intrusion detection systems of Sims to also detect malicious code.
Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Sims as applied above, in view of Zevetchin et al. (hereafter referred to as “Zevetchin”), U.S. Patent No. 11,972,427 B2.
As to claim 9, Sims is silent on wherein the at least one detector detects the potential security threat in response to at least one of:
at least a first number of sign-ins are observed for a user within a time span, at least one sign-in exceeds an abnormal score, and at least one sign-in exceeds a risk score; or
fewer than the first number of sign-ins are observed for the user within the time span, and at least one sign-in exceeds a risk score.
However, Zevetchin discloses wherein the at least one detector detects the potential security threat (Fig. 1; Claim 7, “A system for deterring unauthorized access to an account”) in response to at least one of:
at least a first number of sign-ins are observed for a user within a time span, at least one sign-in exceeds an abnormal score, and at least one sign-in exceeds a risk score; or
fewer than the first number of sign-ins are observed for the user within the time span, and at least one sign-in exceeds a risk score (Claim 7, “disabling access to the account associated with the identified username for a duration of time T.sub.B being at least fifteen minutes and less than sixty minutes when one or more of: the determined number of received login requests is above a request threshold B being two or less and the risk score is not within the acceptable risk score range”, wherein only one or more of the conditions is required to disable access and therefore the account may be disabled when the determined number of received login requests is below the request threshold B, but the risk score is not within an acceptable risk score range).
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to modify the teachings of Sims in the aforementioned manner as taught by Zevetchin in order to deter unauthorized access when a number of login requests is not suspicious, but other factor(s) related to the login request(s) are perceived as risky.
Claim 14 is rejected under 35 U.S.C. 103 as being unpatentable over Sims as applied above, in view of Dixit, U.S. Patent App. Pub. No. 2022/0358212 A1, and further in view of Wilson et al. (hereafter referred to as “Wilson”), U.S. Patent App. Pub. No. 2024/0056405 A1.
As to claim 14, Sims discloses wherein:
the user interface includes an event [information] for each event in a group of events associated with the potential security threat (¶ [0011], “initiate a presentation of a user interface for display on the computing device, wherein the user interface comprises information associated with each exposure event associated with the intrusion”; ¶ [0070], “In one aspect, the system may be configured to initiate a presentation of a graphical user interface for display on the one or more detection systems. In this regard, the graphical user interface may include information associated with the combination of exposure events that met the threshold level of a red-flag”; Claim 5, “thereby requiring elevated review of each exposure event in the combination of at least a portion of the one or more exposure events”).
Sims is silent on wherein:
the user interface includes an event card for each event; and
the event card includes a dynamically generated reason for why a respective event is included in the group of events.
However, Dixit discloses wherein:
the event [information] includes a dynamically generated reason for why a respective event is included in the group of events (¶ [0038]).
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to modify the teachings of Sims in the aforementioned manner as taught by Dixit because the reasons for an event may be important to responding to the event, ensuring classification is happening properly, or a user may simply be curious as to why a particular event was classified in a particular way.
Sims and Dixit are silent on wherein:
the user interface includes an event card for each event.
However, Wilson discloses wherein:
the user interface includes an event card for each event (Fig. 3A; Fig. 3B; ¶ [0005]).
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to modify the teachings of Sims and Dixit in the aforementioned manner as taught by Wilson in order to organize information into conveniently viewable event cards for each event.
Claims 15 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Sims, in view of Dixit.
As to claim 15, Sims is silent on wherein the user interface includes an automatically generated narrative associated with the detection of the potential security threat.
However, Dixit discloses wherein the user interface includes an automatically generated narrative associated with the detection of the potential security threat (¶ [0026], wherein the autoencoder generates the reasons; ¶ [0038], wherein the reasons are a narrative presented to the end user for consumption; ¶ [0053], wherein the underprediction and overprediction of anomalies indicate the alleged security threats are potentially accurate or potentially inaccurate).
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to modify the teachings of Sims in the aforementioned manner as taught by Dixit because the reasons for an event may be important to responding to the event, ensuring classification is happening properly, or a user may simply be curious as to why a particular event was classified in a particular way.
As to claim 16, Sims discloses wherein:
the user interface includes a set of events associated with the [information] (¶ [0011], “initiate a presentation of a user interface for display on the computing device, wherein the user interface comprises information associated with each exposure event associated with the intrusion”; ¶ [0070], “In one aspect, the system may be configured to initiate a presentation of a graphical user interface for display on the one or more detection systems. In this regard, the graphical user interface may include information associated with the combination of exposure events that met the threshold level of a red-flag”); and
the set of events is a subset of the plurality of events from the plurality of different digital service platforms meeting the criterion for the multievent analysis (Fig. 3; ¶ [0060], “aggregating user event record cross multiple platforms” and “the infrastructure resources include one or more network management software, which manages and monitors data routing, combining, and allocating network bandwidth, access control, and other core networking processes”; ¶ [0063], “the process flow includes determining whether the detected exposure event meets the threshold level of a red-flag indicating a potential intrusion”; ¶ [0066]; Claim 5, “thereby requiring elevated review of each exposure event in the combination of at least a portion of the one or more exposure events”).
Sims is silent on the [information] being an automatically generated narrative.
However, Dixit discloses the [information] being an automatically generated narrative (¶ [0026], wherein the autoencoder generates the reasons; ¶ [0038], wherein the reasons are a narrative presented to the end user for consumption).
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to modify the teachings of Sims in the aforementioned manner as taught by Dixit because the reasons for an event may be important to responding to the event, ensuring classification is happening properly, or a user may simply be curious as to why a particular event was classified in a particular way.
Claim 17 is rejected under 35 U.S.C. 103 as being unpatentable over Sims as applied above, in view of Ryan et al. (hereafter referred to as “Ryan”), U.S. Patent App. Pub. No. 2019/0132787 A1.
As to claim 17, Sims is silent on wherein the user interface specifies a confidence associated with the security threat analysis result.
However, Ryan discloses wherein the user interface specifies a confidence associated with the security threat analysis result (Fig. 9; ¶ [0084]).
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to modify the teachings of Sims in the aforementioned manner as taught by Ryan in order to allow a user or system to respond to the likelihood that a classification is accurate.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Brian Whipple whose telephone number is 571-270-1244. The examiner can normally be reached Mondays-Thursdays from 9:30 AM to 3:30 PM ET; Fridays from 9:30 AM to 11:30 AM ET and 1:30 PM to 3:30 PM ET; and Saturdays from 9:30 AM to 9:30 PM ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joon Hwang, can be reached at 571-272-4036. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Brian Whipple/
Primary Examiner
Art Unit 2447
11/20/25