Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Priority
This application claims the benefit of provisional application Ser. No. 63/501,165 filed May 10, 2023 and titled “Detecting and Blocking Stealthy Command and Control Communications,” the entire content of which is hereby incorporated by reference.
DETAILED ACTION
This Office Action is in response to an Amendment Application received on 03/11/2026.
In the application, claims 1, 12, and 18-19 have been amended. Claims 2-11, 13-17, and 20 remain original.
In the application, claims 1-20 have been received for consideration and have been examined.
Response to Arguments
Claim Objections
Applicant’s amendment to claim 12 has been reviewed and based on amendment, the objection has been withdrawn.
Claim Interpretation & Claim Rejections – 35 USC § 112
Applicant’s amendments to claims 12, and 18 in regards to claim interpretation under 35 U.S.C. 112(f) have been reviewed, however, amendments fail to clarify the interpretation showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f). Claims 12, and 18 recite “an analyzer having one or more processors configured to” and “a predictor having one or more processors configured to” fails to overcome the claim interpretation lacking sufficient structure because “having one or more processors” does not disclose if processor is a software or hardware.
Therefore, Claim interpretation and Claim rejection under 35 USC § 112(b) & (a) are maintained in this rejection. See Office Action for details.
Claim Rejections - 35 USC § 101 – Examiner’s Response
Applicant’s amendments to independent claims 1, and 12 have been reviewed, however, amendments do not appear to overcome the raised 35 USC § 101 Abstract Idea. Examiner considered the amended language of “include two or more IP addresses and ports of a sender and a receiver, a protocol, duration of a connection between the sender and the receiver, a transport layer protocol or an application protocol, inter-packet timing, inter-flow timing and payload size” and notice that traffic flow features extracted from monitored network traffic are additional elements which do not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. Therefore, the claims are directed to an abstract idea.
Furthermore, Applicant citations of instant specification paragraphs mentioning technical improvements include reduced false positives and improved detection of encrypted C2 traffic which are not recited in the amended claim language. The amended claim language is devoid of reciting any improvement to detecting malicious network traffic.
Therefore, the amended claims are still rejected under 35 USC § 101 reciting an Abstract Idea. See Office Action for details.
Claim Rejections - 35 USC § 102
Applicant’s remarks in light of the amended claims and instant specification have been reviewed, however, amendments in light of the remarks and specification do not overcome the Ranjan reference. After review, the remarks have been summarized as follows:
# 1. Applicant's "timing and flow duration features" are independent of the content of monitored network traffic, such as packet content. The present disclosure allows for content-independent detection of C2 traffic, whereas Ranjan uses features that include packet content in part. Please reference Table 1 of Applicant's specification for a listing of timing and flow duration features that are independent of content of the monitored network traffic.
Examiner’s Response
Regarding remark #1, that Applicant's "timing and flow duration features" are independent of the content of monitored network traffic, such as packet content, examiner respectfully disagree. Applicant pointed to Table 1 of the instant specification reciting features that are independent of the content which is also taught by Ranjan reference where supervised machine learning based method for online detection of bots using streaming layer-3/layer-4 information includes (i) using external blacklists (e.g., honeypots and IPS/IDS systems) to provide information (i.e., ground truth data set) about currently known bots and C&C servers, (ii) computing the aforementioned features for both legitimate and malicious nodes during a training phase based on the ground truth data set, (iii) training models using the following machine learning algorithms (see Ranjan: Col. 4, Line # 24-55).
The above citation discloses that Ranjan uses generalized data traffic which is independent from any particular content during the training of machine learning to determine whether activities associated with these data units (e.g., flow tuples) reflect botnet communication or legitimate activity.
# 2. The use of flow-only features are robust to encrypted traffic. While Ranjan uses some flow metrics, it does not use only flow metrics that are independent of the content of monitored traffic.
Examiner’s Response
Regarding remark # 2, that while Ranjan uses some flow metrics, it does not use only flow metrics that are independent of the content of monitored traffic, examiner respectfully disagree. As mentioned in response to Remark # 1 that Ranjan discloses monitoring generalized data traffic which is equivalent to claimed data traffic independent of content. With regards to Applicant’s remark that “use of flow-only features are robust to encrypted traffic”, this subject matter is taught by secondary reference of Ackerman.
# 3. With regard to claims 9, 19 and 20, Ranjan trains conventionally and does not select based on TPR/FPR rations. This is in contract to selection of ML models using TPR/FPR ratios as a training metric, as recited in these claims.
Examiner’s Response
Regarding remark # 3, that Ranjan trains conventionally and does not select based on TPR/FPR rations, examiner would like to note that 3rd reference of Wick (US20240289685A1) discloses utilizing true positive rate metric for training machine learning models (see Wick: [0015-0020]).
Based on above citations and explanations, the claims are still rejected under 35 USC §§ 102 & 103 under already cited references.
Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.
The following is a quotation of pre-AIA 35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier. Such claim limitation(s) is/are:
“an analyzer having one or more processors configured to analyze (claim 12);
a predictor having one or more processors configured to predict (claim 12);
a monitor having one or more processors configured to monitor (claim 18)”.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, applicant may: (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.
Claims 12-18 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claim limitation “an analyzer having one or more processors configured to analyze (claim 12); a predictor having one or more processors configured to predict (claim 12); a monitor having one or more processors configured to monitor (claim 18)” invokes 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. However, the written description fails to disclose the corresponding structure, material, or acts for performing the entire claimed function and to clearly link the structure, material, or acts to the function. Therefore, the claim is indefinite and is rejected under 35 U.S.C. 112(b) or pre-AIA 35 U.S.C. 112, second paragraph.
Applicant may:
(a) Amend the claim so that the claim limitation will no longer be interpreted as a limitation under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph;
(b) Amend the written description of the specification such that it expressly recites what structure, material, or acts perform the entire claimed function, without introducing any new matter (35 U.S.C. 132(a)); or
(c) Amend the written description of the specification such that it clearly links the structure, material, or acts disclosed therein to the function recited in the claim, without introducing any new matter (35 U.S.C. 132(a)).
If applicant is of the opinion that the written description of the specification already implicitly or inherently discloses the corresponding structure, material, or acts and clearly links them to the function so that one of ordinary skill in the art would recognize what structure, material, or acts perform the claimed function, applicant should clarify the record by either:
(a) Amending the written description of the specification such that it expressly recites the corresponding structure, material, or acts for performing the claimed function and clearly links or associates the structure, material, or acts to the claimed function, without introducing any new matter (35 U.S.C. 132(a)); or
(b) Stating on the record what the corresponding structure, material, or acts, which are implicitly or inherently set forth in the written description of the specification, perform the claimed function. For more information, see 37 CFR 1.75(d) and MPEP §§ 608.01(o) and 2181.
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.
The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.
Claims 12-18 rejected under 35 U.S.C. 112(a) or pre-AIA 35 U.S.C. 112, first paragraph, because the claim purports to invoke 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, but fails to recite a combination of elements as required by that statutory provision and thus cannot rely on the specification to provide the structure, material or acts to support the claimed function. As such, the claim recites a function that has no limits and covers every conceivable means for achieving the stated function, while the specification discloses at most only those means known to the inventor. Accordingly, the disclosure is not commensurate with the scope of the claim.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an Abstract Idea without significantly more analyzed according to MPEP 2106.
Step 1: The independent claims 1, 12, and 19 do fall into one of the four statutory categories of “a method, and a system” claims. Nevertheless, the claims still are considered as Abstract Idea (i.e., Mental process) for the following prongs and reasons.
Step 2A: Prong 1: The limitations of the independent claims 1, 12, and 19 recite the abstract idea of:
(Claim 1) A method of detecting malicious network traffic, comprising:
analyzing, via a trained [[machine]] learning model, at least timing and flow duration features of a plurality of traffic flow features extracted from monitored network traffic, the at least timing and flow duration features independent of content of the monitored network traffic and include two or more [[IP]] addresses and ports of a sender and a receiver, a protocol, duration of a connection between the sender and the receiver, a transport layer protocol or an application protocol, inter-packet timing, inter-flow timing and payload size (Mental process: a human can perform “analyzation” of trained learning model comprising timing and flow duration of monitored network traffic data using various information present in the monitored network traffic data); and
predicting, via the trained [[machine]] learning model, from the analyzed at least timing and flow duration features of the plurality of traffic flow features that a cyber-attack has occurred or is occurring (Mental process: the human can predict based on the analyses of timing and flow duration of monitored network traffic data if an attack has occurred or is process of occurring on the monitored data).
(Claim 12) A detection system, comprising:
an analyzer configured to analyze, via a trained [[machine]] learning model, at least timing and flow duration features of a plurality of traffic flow features extracted from monitored network traffic, the at least timing and flow duration features independent of content of the monitored network traffic and include two or more IP addresses and ports of a sender and a receiver, a protocol, duration of a connection between the sender and the receiver, a transport layer protocol or an application protocol, inter-packet timing, inter-flow timing and payload size (Mental process: a human can perform “analyzation” of trained learning model comprising timing and flow duration of monitored network traffic data); and
a predictor configured predict, via the trained [[machine]] learning model, from the analyzed at least timing and flow duration features of the plurality of traffic flow features that a cyber-attack has occurred or is occurring (Mental process: the human can predict based on the analyses of timing and flow duration of monitored network traffic data if an attack has occurred or is process of occurring).
(Claim 19) A method of training a machine learning model, comprising:
evaluating a plurality of [[machine]] learning models based on a plurality of performance metrics of timing and flow duration features of a plurality of traffic flow features extracted from monitored network traffic and analyzed, the evaluating including determining for each of the plurality of machine learning models evaluated at least a true positive rate (TPR) metric and a false positive rate (FPR) metric and include two or more [[IP]] addresses and ports of a sender and a receiver, a protocol, duration of a connection between the sender and the receiver, a transport layer protocol or an application protocol, inter-packet timing, inter-flow timing and payload size (Mental process: a human can perform “analyzation” of trained learning model comprising timing and flow duration of monitored network traffic data);
selecting a [[machine]] learning model of the plurality of [[machine]] learning models having a favorable performance metric of the plurality of performance metrics including a favorable ratio of the true positive rate (TPR) to the false positive rate (FPR) (Mental process: the human can select appropriate metrics based on the monitored data); and
training the selected [[machine]] learning model on a training dataset to generate the trained [[machine]] learning model (Mental process: the human can further train the model to generate and update trained learning model).
The claim generically recites the concept of Mental process comprising detecting malicious traffic includes: an analyzer configured to analyze, via a trained learning model, at least timing and flow duration features of a plurality of traffic flow features extracted from monitored traffic, the at least timing and flow duration features independent of content of the monitored traffic; and a predictor configured predict, via the trained learning model, from the analyzed at least timing and flow duration features of the plurality of traffic flow features that an attack has occurred or is occurring.
The above limitations are steps which clearly fall into the Mental Process - concepts performed in the human mind (including an observation, evaluation, judgment, opinion) bucket which under its broadest reasonable interpretation, covers performance of the limitations in the human mind and / or with pen and paper.
As mentioned above, the steps of claim can be performed between two or more persons who can exchange monitored traffic data and training the learning model.
Step 2A: Prong 2: The judicial exception (i.e., machine learning model) is not integrated into a practical application. In particular, the claims do not recite any additional element to perform beyond routine steps. To show that the involvement of a computer assists in improving the technology, the claims must recite the details regarding how a computer aids the method, the extent to which the computer aids the method, or the significance of a computer to the performance of the method. Merely adding generic computer components to perform the method is not sufficient. Thus, the claim must include more than mere instructions to perform the method on a generic component or machinery to qualify as an improvement to an existing technology (MPEP 2106.5(a) II).
In this particular case, the additional elements of the claims are:
“trained machine learning model” and “plurality of traffic flow features extracted from monitored network traffic are independent of content of the monitored network traffic and including two or more IP addresses and ports of a sender and a receiver, a protocol, duration of a connection between the sender and the receiver, a transport layer protocol or an application protocol, inter-packet timing, inter-flow timing and payload size”.
Recitation of these additional elements do not improve the functioning of the computer or to any other technology or technical field.
The additional elements are recited at a high-level of generality (i.e., as generic terms performing generic computer functions (PgPub instant spec. [0141-0142] discloses that embodiments described herein are implemented using dedicated hardware, configurable hardware or programmed processors executing programming instructions that are broadly described in flow chart form that can be stored on any suitable electronic storage medium or transmitted over any suitable electronic communication medium) such that it amounts no more than mere instructions to apply the exception using generic computer components. Accordingly, the additional elements do not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. Therefore, the claims are directed to an abstract idea.
Step 2B: The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the claims do not reflect improvement in the technology. Further, mere automated instructions to apply an exception using a generic computer component cannot provide an inventive concept. Thus, the claims are not patent eligible.
As discussed above with respect to integration of the abstract idea into a practical application, the above identified additional elements amount to no more than mere instructions to apply the exception using general purpose computer.
To support this factual conclusion, the examiner takes Official Notice that one of the ordinary skills in the art, before the effective filing date of the claimed invention, would have found processors and/or software well-known and routine in technology that involves computers (PgPub instant spec. [0141-0142]) such that it amounts no more than mere instructions to apply the exception using generic computer components. Accordingly, the additional elements do not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. Thus, the examiner asserts that the above noted elements, when considered individually or in combination, do not constitute as “significantly more” than the abstract idea.
Dependent claims 2-11, 13-18, and 20 recite a method and system and hence falls into one of the statutory categories and therefore passes step 1 analysis. However, under step 2, 2A & 2B analysis, the claim fails to recite any limitations that create a difference in the 101 analyses as indicated for claims 1, 12, and 19 because dependent claims merely recite steps which fall under a mental process where human users can perform the steps of these dependent claims and thus dependent claims are ineligible as well.
Overall analysis of the claims 1-20 demonstrates that limitations are directed to a mental process performable by a human being in their head using a pen and paper in a methodical and orderly manner. Therefore, the claims recite an abstract idea.
Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.
(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.
Claim(s) 1-8, 10, and 12-18 are rejected under 35 U.S.C. 102 (a)(1) & (a)(2) as being anticipated by Ranjan., (US8682812B1).
Regarding claim 1, Ranjan discloses:
A method of detecting malicious network traffic, comprising:
analyzing, via a trained machine learning model, at least timing and flow duration features of a plurality of traffic flow features extracted from monitored network traffic (Col. 11, Line # 50-61; In Step 204, the historical network data and the ground truth data set are analyzed for those data units found in both historical network data and the ground truth data set. Specifically, the analysis uses a machine learning algorithm to generate a model that statistically predicts (i.e., models) the labels (denoted as Y) of the data units in the ground truth data set as a function (denoted as f(X)) of the values (denoted as X) of the feature of the corresponding data units calculated using the historical network data. X may have a scalar value if the feature includes only one metric or have a vector value if the feature includes multiple metrics (e.g., one or more of the metrics listed in TABLE 1); Col. 11, Line # 6-10; The example feature may include one or more metric of the flow Such as bytes per second, packets per flow, inter arrival times, etc. listed in TABLE 1 below. In one or more embodiments, the metrics listed in TABLE 1 are based on a pre-determined time interval where appropriate),
the at least timing and flow duration features independent of content of the monitored network traffic and include two or more IP addresses and ports of a sender and a receiver, a protocol, duration of a connection between the sender and the receiver, a transport layer protocol or an application protocol, inter-packet timing, inter-flow timing and payload size (Col. 8, Line # 6-14; In one or more embodiments, the malicious node classification tool (120) includes the acquisition module (123) that is configured to obtain network trace from the computer network (110), for example via data collectors (114). In one or more embodiments, the acquisition module (123) works in conjunction with the data collectors (114) to parse data packets and collate data packets belonging to the same flow tuple (e.g., defined by a source IP address, destination IP address, etc.); Col. 10, Line # 60-63; In Step 202, the historical network data is analyzed, using a pre-determined heuristic, to determine values of a feature for the data units in the historical network data; Col. 11, Line # 6-10; The example feature may include one or more metric of the flow Such as bytes per second, packets per flow, inter arrival times, etc. listed in TABLE 1 below. In one or more embodiments, the metrics listed in TABLE 1 are based on a pre-determined time interval where appropriate; Col. 11, Line # 13-18; In one or more embodiments, the values of the feature are time dependent and comprise a first set of values corresponding to a first version of the historical network data within a first time window and a second set of values corresponding to a second version of the historical network data within a second time window; Col. 13, Line # 55-62; FIG. 3B depicts a data flow diagram of the BotWatch system (300) described above. The inputs to the BotWatch system (300) are layer-4 flows (401) in the format of a real-time feed. Such real-time feed may be captured using a netflow device or semantic traffic analyzer (STA), which parses packets and collates packets having (associated with) the same flow tuple (e.g., defined by a source IP address, a destination IP address, etc.)); and
predicting, via the trained machine learning model, from the analyzed at least timing and flow duration features of the plurality of traffic flow features that a cyber-attack has occurred or is occurring (Col. 11, Line # 60-67 – Col. 12, Line # 1-4; For example, data unit FT1 (e.g., a particular flow tuple) may be found in both the historical network data as well as the ground truth data set. The feature value of FT1 may be calculated as x.FT1 based on characteristics of the historical network data. The label of the data unit FT1 may be “malicious” based on the ground truth data set. The machine learning algorithm is configured to adjust the model such that a prediction of the model based on f(x.FT1) matches the actual known label of “malicious” for the data unit FT1 in the ground truth data set within a pre-determined statistical range).
Regarding claim 12, it is a system claim and recites similar subject matter as claim 1 and therefore rejected under similar ground of rejection.
Regarding claim 2, Ranjan discloses:
The method of claim 1, further comprising extracting from monitored network traffic the plurality of traffic flow features (Col. 10, Line # 60-63; Col. 11, Line # 6-10; Col. 11, Line # 13-18).
Regarding claim 18, it is a system claim and recites similar subject matter as claim 1 and therefore rejected under similar ground of rejection.
Regarding claim 3, Ranjan discloses:
The method of claim 1, further comprising:
grouping trace data of the monitored network traffic based on connections between first and second hosts, where the first host initiates connections and the second host participates in the connections; and the analyzing further including, for each connection of a number of connections between the first and second hosts, analyzing a duration of the connection, exfiltration of the second host compared to the first host during the connection, and interval timing of activity of the first host during the connection (Col. 10, Line # 43-59).
Regarding claim 13, it is a system claim and recites similar subject matter as claim 3 and therefore rejected under similar ground of rejection.
Regarding claim 4, Ranjan discloses:
The method of claim 3 further analyzing, for each connection of a number of connections between the first and second hosts, a connection state of the connection to determine the interval timing of activity of the first host during the connection (Col. 19, Line # 47-60).
Regarding claim 14, it is a system claim and recites similar subject matter as claim 4 and therefore rejected under similar ground of rejection.
Regarding claim 5, Ranjan discloses:
The method of claim 4, further analyzing, for each connection of a number of connections between the first and second hosts, one or more of a transport layer protocol of the connection, an identification of an application protocol sent over the connection, first payload bytes sent by the first host, second payload bytes sent by the second host, a state history of connections between the first host and the second host, a first number of packets sent by the first host, a second number of packets sent by the second host, a first number of IP level bytes sent by the first host, and a second number of IP level bytes sent by the second host (Col. 3, Line # 59-67 – Col. 4, Line # 1-15).
Regarding claim 15, it is a system claim and recites similar subject matter as claim 5 and therefore rejected under similar ground of rejection.
Regarding claim 6, Ranjan discloses:
The method of claim 3, further analyzing, for each connection of a number of connections between the first and second hosts, a transport layer protocol of the connection and an identification of an application protocol sent over the connection (Col. 3, Line # 59-67 – Col. 4, Line # 1-15).
Regarding claim 16, it is a system claim and recites similar subject matter as claim 6 and therefore rejected under similar ground of rejection.
Regarding claim 7, Ranjan discloses:
The method of claim 6, further analyzing, for each connection of a number of connections between the first and second hosts, one or more of a connection state of the connection to determine the interval timing of activity of the first host during the connection, first payload bytes sent by the first host, second payload bytes sent by the second host, a state of the connection, a state history of connections between the first host and the second host, a first number of packets sent by the first host, a second number of packets sent by the second host, a first number of IP level bytes sent by the first host, and a second number of IP level bytes sent by the second host (Col. 3, Line # 59-67 – Col. 4, Line # 1-15).
Regarding claim 17, it is a system claim and recites similar subject matter as claim 7 and therefore rejected under similar ground of rejection.
Regarding claim 8, Ranjan discloses:
The method of claim 1, further comprising:
training to generate the trained machine learning model, the training including:
evaluating a plurality of machine learning models based on a plurality of performance metrics; selecting a machine learning model of the plurality of machine learning models having at least two favorable metrics of the plurality of performance metrics; and training the selected machine learning model on a training dataset to generate the trained machine learning model (Col. 13, Line # 55-67 – Col. 14, Line # 1-9).
Regarding claim 10, Ranjan discloses:
The method of claim 8, where training the selected machine learning model includes training the machine learning model on a mixture of actual malicious traffic and normal traffic training datasets (Col. 19, Line # 47-60).
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 9, and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Ranjan., (US8682812B1) in view of Wick et al., (US20240289685A1).
Regarding claim 9, Ranjan discloses:
The method of claim 8, where the evaluating the plurality of machine learning models and the selecting the machine learning model.
Ranjan fails to disclose:
determining for each of the plurality of machine learning models evaluated an accuracy metric, a precision metric, a true positive rate (TPR) metric, a false positive rate (FPR) metric and an F1 score metric based on the precision metric and the TPR; and selecting the machine learning model of the plurality of machine learning models having a favorable ratio of a true positive rate (TPR) to a false positive rate.
However, Wick discloses:
determining for each of the plurality of machine learning models evaluated an accuracy metric, a precision metric, a true positive rate (TPR) metric, a false positive rate (FPR) metric and an F1 score metric based on the precision metric and the TPR; and selecting the machine learning model of the plurality of machine learning models having a favorable ratio of a true positive rate (TPR) to a false positive rate ([0015] In various embodiments, an evaluation may take advantage of statistical estimation in which the values of four underlying statistics of model performance may be first estimated. These four underlying or baseline performance indicators may be false positives (e.g., a prediction that something is true when it is not true), false negatives (e.g., a prediction that something is not true when it is true), true positives (e.g., a prediction that something is true when it is true), and true negatives (e.g., a prediction that something is not true when it is not true). These baseline performance indicators may be predicted as expected values of random variables computed over data distributions. From these four estimated baseline performance indicators, many of the most common evaluation metrics in machine learning, including precision, recall, f1 and accuracy can then be determined; [0020] First consider the typical workaday case for which a target dataset does have labels. Suppose there is a target dataset Dt on which it is desirable to evaluate a machine learning model f(x)→y in terms of a performance metric μ like precision, recall or F1. When there is access to the ground truth labels, the underlying statistics may be determined by counting the number of true positives, false positives, false negatives, true negatives and then combine them into precision, recall, F1, accuracy or other performance metrics of interest. Each of these statistics count the number of examples in the corpus for which some indicator function is true. For example, if an evaluation μ is precision, then count the number of true positives tp and false positives fp and use this to compute y under the definition of precision:
tp=∑x∈Dt[f(x)=ℓ(x)∧ℓ(x)=1] fp=∑x∈Dt[f(x)≠ℓ(x)∧f(x)=1] μ=tptp+fp).
It would have been obvious to an ordinary skill in the art before the effective filing date of the claimed invention to modify the method of obtaining historical network data, analyzing the data of Ranjan and include techniques for determining machine learning model performance on unlabeled out of distribution data using statistical estimation in which the values of four underlying statistics of model performance may be first estimated, as disclosed by Wick.
The motivation to include the techniques is to generate baseline performance indicators may be predicted as expected values of random variables computed over data distributions.
Regarding claim 19, Ranjan discloses:
A method of training a machine learning model, comprising:
evaluating a plurality of machine learning models based on a plurality of performance metrics of timing and flow duration features of a plurality of traffic flow features extracted from monitored network traffic and analyzed (Col. 11, Line # 50-61; In Step 204, the historical network data and the ground truth data set are analyzed for those data units found in both historical network data and the ground truth data set. Specifically, the analysis uses a machine learning algorithm to generate a model that statistically predicts (i.e., models) the labels (denoted as Y) of the data units in the ground truth data set as a function (denoted as f(X)) of the values (denoted as X) of the feature of the corresponding data units calculated using the historical network data. X may have a scalar value if the feature includes only one metric or have a vector value if the feature includes multiple metrics (e.g., one or more of the metrics listed in TABLE 1); Col. 11, Line # 6-10; The example feature may include one or more metric of the flow Such as bytes per second, packets per flow, inter arrival times, etc. listed in TABLE 1 below. In one or more embodiments, the metrics listed in TABLE 1 are based on a pre-determined time interval where appropriate);
and the plurality of traffic flow features extracted from monitored network traffic are independent of content of the monitored network traffic and including two or more IP addresses and ports of a sender and a receiver, a protocol, duration of a connection between the sender and the receiver, a transport layer protocol or an application protocol, inter-packet timing, inter-flow timing and payload size (Col. 13, Line # 55-62; FIG. 3B depicts a data flow diagram of the BotWatch system (300) described above. The inputs to the BotWatch system (300) are layer-4 flows (401) in the format of a real-time feed. Such real-time feed may be captured using a netflow device or semantic traffic analyzer (STA), which parses packets and collates packets having (associated with) the same flow tuple (e.g., defined by a source IP address, a destination IP address, etc.));
selecting a machine learning model of the plurality of machine learning models (Col. 4, Line # 24-40; the supervised machine learning based method for online detection of bots using streaming layer-3/layer-4 information includes (i) using external blacklists (e.g., honeypots and IPS/IDS systems) to provide information (i.e., ground truth data set) about currently known bots and C&C servers, (ii) computing the aforementioned features for both legitimate and malicious nodes during a training phase based on the ground truth data set, (iii) training models using the following machine learning algorithms: Logistic Regression, Logistic Model Tree, Bayesian network, Multi-layer perceptron, Decision tree, Alternating Decision Tree, and Naives Bayes Tree, and (iv) computing the features for new and not yet labeled data units (e.g., flow tuples) during an online phase (i.e., real-time detection phase) and applying the trained model to determine whether activities associated with these data units (e.g., flow tuples) reflect botnet communication or legitimate activity); and
training the selected machine learning model on a training dataset to generate the trained machine learning model (Col. 4, Line # 56-60; Given the dynamic nature of botnets, embodiments of the invention re-learn new machine learning models over time, utilizing continually updated lists of known bots for training. In this regards, the classifier is retrained and the learned model is to keep pace with the changing botnet behavior).
Ranjan fails to disclose:
the evaluating including determining for each of the plurality of machine learning models evaluated at least a true positive rate (TPR) metric and a false positive rate (FPR) metric; having a favorable performance metric of the plurality of performance metrics including a favorable ratio of the true positive rate (TPR) to the false positive rate (FPR).
However, Wick discloses:
the evaluating including determining for each of the plurality of machine learning models evaluated at least a true positive rate (TPR) metric and a false positive rate (FPR) metric ([0015] In various embodiments, an evaluation may take advantage of statistical estimation in which the values of four underlying statistics of model performance may be first estimated. These four underlying or baseline performance indicators may be false positives (e.g., a prediction that something is true when it is not true), false negatives (e.g., a prediction that something is not true when it is true), true positives (e.g., a prediction that something is true when it is true), and true negatives (e.g., a prediction that something is not true when it is not true). These baseline performance indicators may be predicted as expected values of random variables computed over data distributions. From these four estimated baseline performance indicators, many of the most common evaluation metrics in machine learning, including precision, recall, f1 and accuracy can then be determined);
having a favorable performance metric of the plurality of performance metrics including a favorable ratio of the true positive rate (TPR) to the false positive rate (FPR) ([0046] One performance metric may be precision. Precision may be determined using the unbiased estimates for true-positives and false-positives. The number of true positives may be divided by the sum of true positives and false positives (e.g., Precision=true positives/(true positives+false positives); [0047] Another performance metric may be recall. Recall may be determined using the unbiased estimates for true-positives and false-negatives. The number of true positives may be divided by the sum of true positives and false negatives (e.g., Precision=true positives/(true positives+false negatives); [0048] Another performance metric may be F1. F1 may be determined using the precision and recall performance metrics. F1 may be (2*Precision*Recall)/(Precision+Recall); [0049] Another performance metric that may be determined is accuracy. Accuracy may be the total number of correct predictions divided by the total number of predictions made for a dataset. Thus accuracy may be (true positives+true negatives)/(true positives+true negatives+false positives+false negatives)).
It would have been obvious to an ordinary skill in the art before the effective filing date of the claimed invention to modify the method of obtaining historical network data, analyzing the data of Ranjan and include techniques for determining machine learning model performance on unlabeled out of distribution data using statistical estimation in which the values of four underlying statistics of model performance may be first estimated, as disclosed by Wick.
The motivation to include the techniques is to generate baseline performance indicators may be predicted as expected values of random variables computed over data distributions.
Regarding claim 20, the combination of Ranjan and Wick discloses:
The method of claim 19, the evaluating further including determining one or more of an accuracy metric, a precision metric, and an F1 score metric based on the precision metric and the TPR ([0048] Another performance metric may be F1. F1 may be determined using the precision and recall performance metrics. F1 may be (2*Precision*Recall)/(Precision+Recall).).
Claim 11 rejected under 35 U.S.C. 103 as being unpatentable over Ranjan., (US8682812B1) in view of Ackerman., (US20230336575A1).
Regarding claim 11, Ranjan fails to disclose:
The method of claim 1, where the monitored network traffic includes encrypted or unencrypted content.
However, Ackerman discloses:
where the monitored network traffic includes encrypted or unencrypted content ([0099] The network activity system 425 may be used to provide a stream of network activity 424 for storage at a data lake 427. Network activity may be encrypted or unencrypted, and may be provided as an unstructured, partially structured, or structured data stream to the data lake 427).
It would have been obvious to an ordinary skill in the art before the effective filing date of the claimed invention to modify the method of obtaining historical network data, analyzing the data of Ranjan and include a network activity system which includes network data comprising encrypted or unencrypted, as disclosed by Ackerman.
The motivation to analyze network data comprising encrypted or unencrypted data is to ensuring data security, operational performance, and compliance even when the data is encrypted.
Conclusion
THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SYED M AHSAN whose telephone number is (571)272-5018. The examiner can normally be reached 8:30 AM - 6:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, William Korzuch can be reached at 571-272-7589. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/SYED M AHSAN/Primary Examiner, Art Unit 2491