Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1-20 are rejected under 35 USC 101 as being directed to an abstract idea without being integrated into a practical application or being significantly more.
Regarding claims 1-20, the claims recite the limitations “determining an abnormality score,” “determining a risk score,” and “determining whether to perform a secondary analysis of the specific event to detect a security threat.” Broadly interpreted, the aforementioned steps are directed to mental processes, as said steps could be performed in the human mind. Therefore, the claims recite an abstract idea.
Said abstract idea and/or judicial exception is not integrated into a practical application, as the claims do not recite any other active steps that could be considered to integrate the abstract idea into a practical application. It is noted that the claims recite the operation “receiving a plurality of events.” However, said operation is not sufficient to consider that the abstract idea is integrated into a practical application. Said operation is recited at a high level of generality in gathering/processing/storing information, which is a form of insignificant extra-solution activity.
It is also noted that the claims recite additional limitations/elements (i.e., system, processing circuitry, processor, memory, etc.), “determining a score using an abnormality detection machine learning model,” and “determining a score using a risk detection machine learning model.” However, said additional elements are recited at a high level of generality (i.e., as a generic computing device performing generic computer functions) such that they amount to no more than mere instructions to apply the exception or abstract idea using generic computer components. Accordingly, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea.
The claims do not include additional elements/limitations/embodiments that are sufficient to amount to significantly more than the judicial exception because the additional elements, when considered both individually and as an ordered combination, do not amount to significantly more than the abstract idea. As discussed above, the additional elements are recited at a high level of generality such that they amount to no more than mere instructions to apply the exception using a generic computer component. Therefore, the claims are directed to non-statutory subject matter.
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless
(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.
Claims 1-20 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Martin, US 2018/0004948.
As per claim 1. Martin teaches A method, comprising: receiving a plurality of events from a plurality of different digital service platforms; for a specific event included in the plurality of events: determining an abnormality score using an abnormality detection machine learning model; and determining a risk score using a risk detection machine learning model, wherein the risk score is different from the abnormality score; and based on at least the abnormality score and the risk score, determining whether to perform a secondary analysis of the specific event to detect a security threat. [0010]-[0012] [0017]-[0021] (teaches an event detector that calculates a plurality of security scores of events and creating a composite risk score, if the score is above a threshold then forwarding for additional analysis; teaches an example of 3 risk scores, the first being for detection of malware, the latter two being detections of anomalous behavior) [0028] [0034][0044][0046] (teaches use of supervised machine learning models) [0075]-[0077][0082] (train a neural network on entity behavior)
As per claim 2. Martin teaches the method of claim 1, further comprising standardizing at least one event of the received plurality of events to a common format. [0050][0051][0070] (standard data structure)
As per claim 3. Martin teaches the method of claim 2, wherein the common format is associated with a sign-in event, the sign-in event including at least one of: one or more repeated clients, one or more repeated actors, one or more repeated targets, or an authentication context. [0019] (repeated login attempts within a time period)
As per claim 4. Martin teaches the method of claim 2, wherein the common format is associated with a user profile, the user profile including at least one of: address, native platform identifier, name, job title, department, location, phone number, permission, or access level. [0015][0036][0069] (address, username)
As per claim 5. Martin teaches the method of claim 2, wherein the common format is associated with at least one of: a message event, a mail filter, a risk event, or an internal email message. [0068] (message email event)
As per claim 6. Martin teaches the method of claim 1, further comprising enriching at least one event of the received plurality of events including by adding additional information to the at least one event. [0015][0042] (include metadata)
As per claim 7. Martin teaches the method of claim 6, wherein the added additional information of the enriched at least one event includes at least: a user-level information, a network quality score, or a count. [0015][0042][0069] (include user metadata)
As per claim 8. Martin teaches the method of claim 1, further comprising determining at least one feature based at least in part on the plurality of events. [0014] [0019] (brute force login attempts between time stamps)
As per claim 9. Martin teaches the method of claim 8, wherein the at least one feature is based at least in part on a comparison of at least one of: a time between two events or a distance between the two events. [0014] [0019] (brute force login attempts between time stamps)
As per claim 10. Martin teaches the method of claim 1, wherein the abnormality detection machine learning model is configured to determine events that are unusual for a particular entity. [0071][0075]-[0077][0082] (training a neural network with vectors to determine behavior and what constitutes a deviation from normal behavior via a threshold)
As per claim 11. Martin teaches the method of claim 10, wherein the abnormality detection machine learning model is trained at least in part using a frequency aggregate of how often a characteristic of an event has appeared previously. [0071][0075]-[0077][0082] (training a neural network with vectors, including the frequency of behaviors, to determine behavior and what constitutes a deviation from normal behavior via a threshold)
As per claim 12. Martin teaches the method of claim 1, wherein the risk detection machine learning model is configured to determine events based at least in part on previously detected security threats. [0028] [0034][0038][0044][0046] (trained on attack patterns based on prior security threats)
As per claim 13. Martin teaches the method of claim 12, wherein the risk detection machine learning model is trained at least in part using a likelihood of a characteristic of an event appearing based at least in part on known patterns. [0021][0028] [0034][0038][0044][0046][0066] (attack patterns, machine learning, likelihood of threat)
As per claim 14. Martin teaches the method of claim 12, wherein the risk detection machine learning model is trained at least in part using aggregates of categorical features. [0028] [0034][0038][0044][0046] (teaches pattern training for a variety of different categories of attacks)
As per claim 15. Martin teaches the method of claim 1, wherein determining whether to perform the secondary analysis of the specific event to detect the security threat includes determining to perform the secondary analysis in response to the specific event being determined to be not benign. [0041]-[0047] (teaches that if the composite risk score overcomes a first threshold, then an alert is sent for further investigation into the security event)
As per claim 16. Martin teaches the method of claim 1, wherein determining whether to perform the secondary analysis of the specific event to detect the security threat includes determining to perform the secondary analysis in response to at least one of: a determination that the abnormality score meets an abnormality threshold; a determination that the risk score meets a risk threshold; or a determination that a combination of the abnormality score and the risk score meets a combined threshold. [0041]-[0047] (teaches that if the composite risk score overcomes a first threshold then an alert is sent for further investigation into the security event) [0010]-[0012] [0017]-[0021] (teaches an event detector that calculates a plurality of security scores of events and creating a composite risk score, if the score is above a threshold then forwarding for additional analysis; teaches an example of 3 risk scores, the first being for detection of malware, the latter two being detections of anomalous behavior)
As per claim 17. Martin teaches A system, comprising: a processor configured to: receive a plurality of events from a plurality of different digital service platforms; for a specific event included in the plurality of events: determine an abnormality score using an abnormality detection machine learning model; and determine a risk score using a risk detection machine learning model, wherein the risk score is different from the abnormality score; and based on at least the abnormality score and the risk score, determine whether to perform a secondary analysis of the specific event to detect a security threat; and a memory coupled to the processor and configured to provide the processor with instructions. [0010]-[0012] [0017]-[0021] (teaches an event detector that calculates a plurality of security scores of events and creating a composite risk score, if the score is above a threshold then forwarding for additional analysis; teaches an example of 3 risk scores, the first being for detection of malware, the latter two being detections of anomalous behavior) [0028] [0034][0044][0046] (teaches use of supervised machine learning models) [0075]-[0077][0082] (train a neural network on entity behavior)
As per claim 18. Martin teaches the system of claim 17, further comprising enriching at least one event of the received plurality of events including by adding additional information to the at least one event, wherein the added additional information of the enriched at least one event includes at least: a user-level information, a network quality score, or a count. [0015][0042][0069] (include user metadata)
As per claim 19. Martin teaches the system of claim 17, wherein determining whether to perform the secondary analysis of the specific event to detect the security threat includes determining to perform the secondary analysis in response to at least one of: a determination that the abnormality score meets an abnormality threshold; a determination that the risk score meets a risk threshold; or a determination that a combination of the abnormality score and the risk score meets a combined threshold. [0041]-[0047] (teaches that if the composite risk score overcomes a first threshold then an alert is sent for further investigation into the security event) [0010]-[0012] [0017]-[0021] (teaches an event detector that calculates a plurality of security scores of events and creating a composite risk score, if the score is above a threshold then forwarding for additional analysis; teaches an example of 3 risk scores, the first being for detection of malware, the latter two being detections of anomalous behavior)
As per claim 20. Martin teaches A computer program product embodied in a non-transitory computer readable medium and comprising computer instructions for: receiving a plurality of events from a plurality of different digital service platforms; for a specific event included in the plurality of events: determining an abnormality score using an abnormality detection machine learning model; and determining a risk score using a risk detection machine learning model, wherein the risk score is different from the abnormality score; and based on at least the abnormality score and the risk score, determining whether to perform a secondary analysis of the specific event to detect a security threat. [0010]-[0012] [0017]-[0021] (teaches an event detector that calculates a plurality of security scores of events and creating a composite risk score, if the score is above a threshold then forwarding for additional analysis; teaches an example of 3 risk scores, the first being for detection of malware, the latter two being detections of anomalous behavior) [0028] [0034][0044][0046] (teaches use of supervised machine learning models) [0075]-[0077][0082] (train a neural network on entity behavior)
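The pipeline the rejected claims describe (events standardized to a common format, a per-entity abnormality score built from frequency aggregates as in claim 11, a risk score keyed to characteristics of previously detected threats as in claims 12-13, and the per-score or combined threshold gate of claim 16 deciding whether an event goes to secondary analysis) can be sketched in working code. The following is an added illustration written for this page; it is not code from the application, from Martin, or from any product. The actor-level rarity formula, the fixed pattern weights standing in for a trained risk model, the thresholds, the minimum-baseline rule and the sample sign-in events are all constructed assumptions.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sign-in events from two hypothetical platforms ("idp", "saas"),
# already standardized to one common format (actor, client, target, country).
EVENTS: List[Dict[str, str]] = [
    {"platform": "idp",  "actor": "alice", "client": "laptop-1", "target": "mail", "country": "US"},
    {"platform": "idp",  "actor": "alice", "client": "laptop-1", "target": "mail", "country": "US"},
    {"platform": "saas", "actor": "alice", "client": "laptop-1", "target": "crm",  "country": "US"},
    {"platform": "idp",  "actor": "alice", "client": "laptop-1", "target": "mail", "country": "US"},
    {"platform": "idp",  "actor": "alice", "client": "tor-exit", "target": "mail", "country": "RU"},
    {"platform": "saas", "actor": "alice", "client": "phone-9",  "target": "wiki", "country": "BR"},
]

# Assumed likelihood weights for characteristics seen in previously detected
# threats: a stand-in for a trained risk model, not anything from the record.
RISK_WEIGHTS: Dict[Tuple[str, str], float] = {
    ("client", "tor-exit"): 0.5,
    ("target", "admin"): 0.3,
    ("country", "RU"): 0.15,
}

SCORED_FIELDS = ("client", "target", "country")


@dataclass
class Triage:
    abnormality_threshold: float = 0.8
    risk_threshold: float = 0.7
    combined_threshold: float = 1.0
    min_baseline: int = 3  # prior events needed before rarity is trusted (assumption)
    # Per-actor frequency aggregates: how often each (field, value) pair has
    # appeared for that actor before the current event.
    history: Dict[str, Counter] = field(default_factory=lambda: defaultdict(Counter))
    seen: Counter = field(default_factory=Counter)

    def abnormality_score(self, event: Dict[str, str]) -> float:
        """Mean rarity of the event's characteristics for this actor.

        rarity = 1 - prior_count / prior_events, so a never-seen value scores
        1.0 and a value present in every prior event scores 0.0. With too little
        history every value looks new, so the score is withheld (0.0) instead of
        escalating every fresh account; the risk score still gates such events.
        """
        actor = event["actor"]
        n = self.seen[actor]
        if n < self.min_baseline:
            return 0.0
        rarities = [1.0 - self.history[actor][(f, event[f])] / n for f in SCORED_FIELDS]
        return sum(rarities) / len(rarities)

    def risk_score(self, event: Dict[str, str]) -> float:
        """Sum of known-pattern weights for the event's characteristics, capped at 1.0."""
        return min(1.0, sum(RISK_WEIGHTS.get((f, event[f]), 0.0) for f in SCORED_FIELDS))

    def gate(self, a: float, r: float) -> Optional[str]:
        """Name the threshold (if any) that sends the event to secondary analysis."""
        if a >= self.abnormality_threshold:
            return "abnormality"
        if r >= self.risk_threshold:
            return "risk"
        if a + r >= self.combined_threshold:
            return "combined"
        return None

    def observe(self, event: Dict[str, str]) -> None:
        """Fold the event into the actor's frequency aggregates."""
        actor = event["actor"]
        self.seen[actor] += 1
        for f in SCORED_FIELDS:
            self.history[actor][(f, event[f])] += 1

    def process(self, event: Dict[str, str]) -> Tuple[float, float, Optional[str]]:
        a, r = self.abnormality_score(event), self.risk_score(event)
        reason = self.gate(a, r)
        self.observe(event)  # update the baseline only after scoring the event
        return round(a, 3), round(r, 3), reason


def run(events: List[Dict[str, str]] = EVENTS) -> List[Tuple[float, float, Optional[str]]]:
    triage = Triage()
    return [triage.process(e) for e in events]


if __name__ == "__main__":
    for e, (a, r, reason) in zip(EVENTS, run()):
        print(f"{e['platform']:4} {e['client']:8} {e['target']:4} {e['country']}  "
              f"abn={a:.3f} risk={r:.3f} -> {reason or 'benign'}")
```

Running it shows the three outcomes the claim 16 gate distinguishes: the first four events stay benign, the fifth (new client and country, but a familiar target) clears neither single threshold and is escalated only by the combined threshold, and the sixth is escalated on abnormality alone. Keeping the scores separate, rather than collapsing them into one composite, is what lets an analyst see which model fired; the minimum-baseline rule is the practical caveat, since without it every new account would be escalated on its first event.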
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHRISTOPHER BROWN whose telephone number is (571)272-3833. The examiner can normally be reached M-F 8-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached at (571) 270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/CHRISTOPHER J BROWN/Primary Examiner, Art Unit 2439