Prosecution Insights
Last updated: May 29, 2026
Application No. 18/661,626

Automated Discovery of Behavioral Threat Protection Rules

Status: Non-Final OA §103
Filed: May 12, 2024
Examiner: KNACKSTEDT, JACOB BENEDICT
Art Unit: 2408
Tech Center: 2400 — Computer Networks
Assignee: Palo Alto Networks (Israel Analytics) Ltd.
OA Round: 3 (Non-Final)
Grant Probability: 88% (Favorable)
Expected OA Rounds: 3-4
Est. Remaining: 6m
Grant Probability With Interview: 99%

Examiner Intelligence

Career Allowance Rate: 88% (42 granted / 48 resolved; +29.5% vs TC avg, above average)
Interview Lift: +16.7% for resolved cases with interview
Avg Prosecution: 2y 6m
Currently Pending: 15
Total Applications: 65 across all art units

Statute-Specific Performance

§103: 95.7% (+55.7% vs TC avg)
§112: 4.3% (-35.7% vs TC avg)
Tech Center averages are estimates. Based on career data from 48 resolved cases.

Office Action

§103
DETAILED ACTION

This office action is in response to the application filed on 04/05/2026. Claim(s) 1-15 is/are pending and are examined.

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement

The information disclosure statements (IDS) submitted on 04/13/2026 are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statements are being considered by the examiner.

Continued Examination Under 37 CFR 1.114

A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 04/05/2026 has been entered.

Response to Arguments

Applicant's arguments with respect to amended claims 1 and 8 have been fully considered but are moot in view of the new ground(s) of rejection.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1-6, 8-12, and 14-15 is/are rejected under 35 U.S.C. 103 as being unpatentable over Myers (US 12,045,610 B1), hereinafter Myers, in view of Mualem (US 2005/0018618 A1), hereinafter Mualem, in further view of Raje (US 2015/0324188 A1), hereinafter Raje, in even further view of Klonowski (US 2020/0311260 A1), hereinafter Klonowski.

Regarding Claim(s) 1 and 8

Myers teaches: A computer-implemented method for generating and optimizing threat detection rules in a cybersecurity system, the method comprising: (Myers Col. 2 Ln. 10-25 teaches, systems and methods are described herein for updating rule engines using generated proxy models that mimic the format and structure of the existing rule engines.) obtaining a set of one or more threat detection rules, (Myers Col. 11 Ln. 30-40 teaches, putting the first rule base data (e.g., input 212) into proxy model 220, wherein proxy model 220 processes the first rule base data with the first modified script (e.g., generated by generative model 222) to generate a first modified output. (i.e., set of threat detection rules)) to apply to processes executing on computing devices (Myers Col. 7 Ln. 55-67 teaches, these rules are stored in the rule base. The rule base plays a pivotal role in decision-making processes, business logic, and automation. Rule engines are commonly used in various domains, including business process management, decision support systems, expert systems, fraud detection, and more. (i.e., processes executing on computing devices)) to determine whether a given executing process is malicious or benign, (Myers Col. 11 Ln. 40-55 teaches, in such cases, these rules may act as checkpoints, evaluating user inputs against the defined criteria and preventing invalid or malicious data from entering the system.) where each rule includes a feature set comprising one or more process-related features selected from a predefined list of features (Myers Col. 10 Ln. 11-50 teaches, the system may categorize a given rule based on its content, outcome, and/or effect. categorize rules according to specific criteria, effects, and/or outcomes. (i.e., rule features). Col. 8 Ln. 1-9, Rule base 210 may contain a set of rules, each of which consists of conditions and actions. Conditions specify when a rule should be triggered, while actions define what should happen when the rule is activated. (i.e., everything is predefined)) and where applying a given threat detection rule to a given process comprises evaluating whether the feature set of the given rule is present in the given process; (Myers Col. 8 Ln. 1-9, Rule base 210 may contain a set of rules, each of which consists of conditions and actions. Conditions specify when a rule should be triggered, while actions define what should happen when the rule is activated.) performing a series of automated iterations that expand the set by, in each iteration: selecting, from the set, a threat detection rule that […] meets a selection criterion; (Myers Col. 7 Ln. 15-18 teaches, modified script for a modified rule engine may include additional rules, functions, and/or other script components. Myers Col. 10 Ln. 11-50 teaches, the system may categorize a given rule based on its content, outcome, and/or effect. categorize rules according to specific criteria, effects, and/or outcomes. (i.e., selection criterion) the system may determine a first rule is filtered out based on an objectionable effect. The system may then filter out a second rule based on its shared ontology with the first rule. (i.e., if not filtered out the rule will be added, expanding the set.)) adding the one or more expanded threat detection rules to the set; and (Myers Col. 7 Ln. 30-50 teaches, the system may determine a first rule is filtered out based on an objectionable effect. The system may then filter out a second rule based on its shared ontology with the first rule. (i.e., rules that are not filtered out are retained.)) evaluating the quality of each expanded threat detection rule using matrix-based operations; and (Myers Col. 15 Ln. 59-61 teaches, System 300 includes model 302a, which may be a machine learning model, an artificial intelligence model, etc. (which may be referred to collectively as "models" herein). (i.e., machine learning models perform matrix computations) Col. 10 Ln. 1-10, filter 224 may comprise models that can be trained to recognize patterns of objectionable content. They can adapt and improve their detection capabilities over time. Myers Col. 13 Ln. 35-45 teaches, hit rate measures the percentage of rules or conditions that are triggered (i.e., true) relative to the total number of rules or conditions evaluated. (i.e., precision and coverage) A high hit rate suggests that most rules are relevant and effectively contribute to decision-making.) following the series of iterations, outputting an expanded set of threat detection rules (Myers Col. 14 Ln. 5-11 teaches, the model deployment criteria may refer to the set of criteria or conditions that must be met before a model is deployed into a production environment (e.g., the existing rule engine is replaced).) comprising the expanded threat detection rules that meet a threshold quality. (Myers Col. 10 Ln. 40-45 teaches, the system may then filter rules based on the ontologies and/or the relationships therein. For example, the system may determine a first rule is filtered out based on an objectionable effect. Myers Col. 13 Ln. 3-12 teaches, Performance metrics (i.e., recording quality) for a rule engine may refer to measures used to evaluate the effectiveness, efficiency, and/or quality of the rule engine's operations and decision-making. These metrics help assess how well the rule engine is performing its intended tasks, such as processing rules, making decisions, and/or handling data. The performance metrics may be used to identify areas of improvement and ways to optimize the rule engine's behavior.)

Myers does not appear to explicitly teach but in related art: generating one or more expanded threat detection rules, by adding one or more additional process-related features from the predefined list to the selected threat detection rule; and (Mualem ¶ 74-75 and 78 teaches, a set of criteria (or constraints) used for matching against network data, and a set of policies or actions to take if the expressed criteria are met. The following criteria are recognized: Source/Destination User or User Group: defined by name and password; Source/Destination Host or Host Group: name and MAC address or IP address; Protocol: TCP, UDP, ICMP, IGMP, and ARP; and Port: Source or destination port numbers. (i.e. process related from predefined list). Adding criteria classes leads to a "tightening" of the specification, resulting in fewer matched packets, while adding more choices to an already-supplied class "loosens" the rule. (i.e., expanding a ruleset))

It would have been obvious to one with ordinary skill in the art, prior to the applicant's earliest effective filing date, to combine the teachings of Myers in view of Mualem, to modify the method for updating a rules engine with the criteria and modifiable criteria classes of Mualem. The motivation to do so, Mualem ¶ 78, is to be able to tighten or loosen a rule.

Myers in view of Singla does not appear to explicitly teach but in related art: has not been previously expanded and that (Raje ¶ 34-36 teaches, the rule 202c can specify that if a device includes or does not include a particular attribute and/or set of attributes, the update 202 may or may not be included in a set of updates for the device.)

It would have been obvious to one with ordinary skill in the art, prior to the applicant's earliest effective filing date, to combine the teachings of Myers-Mualem with Raje, the method for updating a rules engine with the adding of a rule based off identified events of Singla with the marking of rules to be updated or not based on an attribute of Raje. The motivation to do so, Raje ¶ 32, is to allow update authorities to dynamically alter a set of rules.

Myers-Mualem-Raje does not appear to explicitly teach but in related art: features, the predefined list of features describing behavioral characteristics of executing processes, (Klonowski ¶ 4 teaches, a rule may make a determination as to the presence or absence of a behavior. ¶ 21 teaches, matching rule may be defined with respect to a file open operation, whereas a behavior rule processes the API call associated with opening the file. It will be appreciated that any of a variety of system events may be described in a matching rule, including, but not limited to, a file write event, a file deletes event, a process creation event, or an event associated with opening and/or editing a registry key, etc. In examples, a matching rule describes multiple events (e.g., using Boolean logic, a hierarchical structure, etc.).)

It would have been obvious to one with ordinary skill in the art, prior to the applicant's earliest effective filing date, to combine the teachings of Myers-Mualem-Raje with Klonowski, the method for updating a rules engine with the adding of a rule based off identified events of Singla with the marking of rules to be updated or not based on an attribute of Raje with the behavior detection engine of Klonowski. The motivation to do so, Klonowski ¶ 4, is to employ a behavior-based approach to detecting malicious or potentially malicious behaviors.

Regarding Claim(s) 2

Myers-Mualem-Raje-Klonowski teaches: The method according to claim 1, (Myers-Mualem-Raje-Klonowski teaches the parent claim above.) and comprising protecting one or more computers by applying the expanded set of threat detection rules to one or more processes running in the one or more computers. (Myers Col. 11 Ln. 40-43 teaches, the generated rules may be integrated into various security systems, including firewalls, web servers, and/or intrusion detection systems.)

Regarding Claim(s) 3 and 9

Myers-Mualem-Raje-Klonowski teaches: The method according to claim 1, (Myers-Mualem-Raje teaches the parent claim above.) wherein the selection criterion requires that the selected threat detection rule has at least a minimal required quality. (Myers Col. 10 Ln. 32-50 teaches, Ontologies define relationships between concepts and can help categorize rules based on their semantic connections, making it possible to organize rules based on their meanings and context. The system may then filter rules based on the ontologies and/or the relationships therein. (If there aren't enough connections and relationships (i.e. low quality) it gets filtered out.))

Regarding Claim(s) 4 and 10

Myers-Mualem-Raje-Klonowski teaches: The method according to claim 1, (Myers-Mualem-Raje-Klonowski teaches the parent claim above.) further comprising recording the quality in the set of threat detection rules. (Myers Col. 10 Ln. 40-45 teaches, the system may then filter rules based on the ontologies and/or the relationships therein. For example, the system may determine a first rule is filtered out based on an objectionable effect. Myers Col. 13 Ln. 3-12 teaches, Performance metrics (i.e., recording quality) for a rule engine may refer to measures used to evaluate the effectiveness, efficiency, and/or quality of the rule engine's operations and decision-making. These metrics help assess how well the rule engine is performing its intended tasks, such as processing rules, making decisions, and/or handling data. The performance metrics may be used to identify areas of improvement and ways to optimize the rule engine's behavior.)

Regarding Claim(s) 5 and 11

Myers-Mualem-Raje-Klonowski teaches: The method according to claim 1, (Myers-Mualem-Raje-Klonowski teaches the parent claim above.) wherein the matrix-based operations jointly calculates precision and coverage values of multiple possible expansions of a given threat detection rule with respect to a training set. (Myers Col. 15 Ln. 59-61 teaches, System 300 includes model 302a, which may be a machine learning model, an artificial intelligence model, etc. (which may be referred to collectively as "models" herein). (i.e., machine learning models perform matrix computations) Col. 10 Ln. 1-10, filter 224 may comprise models that can be trained to recognize patterns of objectionable content. They can adapt and improve their detection capabilities over time. Myers Col. 13 Ln. 35-45 teaches, hit rate measures the percentage of rules or conditions that are triggered (i.e., true) relative to the total number of rules or conditions evaluated. (i.e., precision and coverage) A high hit rate suggests that most rules are relevant and effectively contribute to decision-making.)

Regarding Claim(s) 6 and 12

Myers-Mualem-Raje-Klonowski teaches: The method according to claim 5, (Myers-Mualem-Raje-Klonowski teaches the parent claim above.) wherein a given entry of the training set is derived from one or more executions of one or more processes and comprises (Myers Col. 20 Ln. 25-40 teaches, trained to generate rule engine script based on comparisons of historic script interpretations of historic rule bases for historic rule engines. (i.e., derived from one or more executions) For example, the model may compare historical data to make predictions by learning patterns and relationships within the historical data. The model is trained using the historical data and associated labels by adjusting the model's parameters to minimize the difference between its predictions and the actual outcomes in the training data.) (i) a subset of the features that were found in the executions and (Myers Col. 20 Ln. 25-40 teaches, trained to generate rule engine script based on comparisons of historic script interpretations of historic rule bases for historic rule engines. For example, the model may compare historical data to make predictions by learning patterns and relationships within the historical data. (i.e., found in the executions) The model is trained using the historical data and associated labels by adjusting the model's parameters to minimize the difference between its predictions and the actual outcomes in the training data.) (ii) a label indicating whether the executions are benign or malicious. (Myers Col. 20 Ln. 25-40 teaches, The model is trained using the historical data and associated labels by adjusting the model's parameters to minimize the difference between its predictions and the actual outcomes in the training data. Myers Col. 11 Ln. 40-55 teaches, In such cases, these rules may act as checkpoints, evaluating user inputs against the defined criteria and preventing invalid or malicious data from entering the system.)

Regarding Claim(s) 14 and 15

Myers-Mualem-Raje-Klonowski teaches: The method according to claim 1, wherein the predefined list of features comprises one or more of: (Myers-Mualem-Raje-Klonowski teaches the parent claim above.) a process running from a temporary folder, a process running from a file having a double extension, a process being a script engine, a process running in a hidden powershell, a process writing a portable executable file to disk, a process modifying system files, a process communicating via a network protocol, or a process modifying registry keys for persistence. (Klonowski ¶ 4 teaches, a rule may make a determination as to the presence or absence of a behavior. ¶ 21 teaches, matching rule may be defined with respect to a file open operation, whereas a behavior rule processes the API call associated with opening the file. It will be appreciated that any of a variety of system events may be described in a matching rule, including, but not limited to, a file write event, a file deletes event, a process creation event, or an event associated with opening and/or editing a registry key, etc. In examples, a matching rule describes multiple events (e.g., using Boolean logic, a hierarchical structure, etc.).)

Claim(s) 7 and 13 is/are rejected under 35 U.S.C. 103 as being unpatentable over Myers-Mualem-Raje-Klonowski as applied to claims 1 and 8, in further view of Saqib (US 2025/0181718 A1), hereinafter Saqib, and further in view of Zhu (US 2024/0338489 A1), hereinafter Zhu.

Regarding Claim(s) 7 and 13

Myers-Mualem-Raje-Klonowski teaches: The method according to claim 5, wherein performing the matrix-based operations comprises: (Myers-Mualem-Raje-Klonowski teaches the parent limitation above.)

Myers-Mualem-Raje-Klonowski does not appear to explicitly teach but in related art: generating (i) a first binary matrix whose rows represent one or more entries of the training set labeled as benign and (ii) a second binary matrix whose rows represent one or more entries of the training set labeled as malicious, wherein in both the first and second binary matrices (i) columns represent the features and (ii) a matrix element is set to "1" when the corresponding feature is found in the corresponding entry, and to "0" otherwise; and (Saqib ¶ 109 teaches the concept, The SHAP values for all features in the dataset are obtained, resulting in an array of shape (i, 2, d), (i.e., matrix) where n is the number of instances used for prediction/testing, d is the number of features, and the 2 corresponds to the two classes, namely benign, and malware.)

It would have been obvious to one with ordinary skill in the art, prior to the applicant's earliest effective filing date, to combine the teachings of Myers-Mualem-Raje-Klonowski with Saqib, the method for updating a rules engine with the criteria and modifiable criteria classes of Mualem with matrix indicating if a feature is benign or malicious of Saqib. The motivation to do so constitutes applying a known technique using matrices to indicate binary values to known devices and/or methods for engine rule updating ready for improvement to yield predictable results determining the quality of an added rule.

Myers-Mualem-Raje-Klonowski-Saqib does not appear to explicitly teach but in related art: deriving the precision and coverage values of the multiple possible expansions from the first and second binary matrices. (Zhu ¶ 73 teaches the concept, if a target requirement of a computation requestor is computing a product of a three-party matrix, a sum value of the first output matrix, the second output matrix, and the third output matrix is determined as a product of the three-party matrix.)

It would have been obvious to one with ordinary skill in the art, prior to the applicant's earliest effective filing date, to combine the teachings of Myers-Mualem-Raje-Klonowski with Zhu, the method for updating a rules engine with the criteria and modifiable criteria classes of Mualem with matrix indicating if a feature is benign or malicious of Saqib with the summation of matrix outputs to get a value of Zhu. The motivation to do so constitutes applying a known technique of combining matrix outputs to known devices and/or methods for engine rule updating ready for improvement to yield predictable results determining the quality of a new rule.

Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.

US 2025/0217479 A1 - SYSTEM AND METHOD FOR THREAT DETECTION AND PREVENTION

Any inquiry concerning this communication or earlier communications from the examiner should be directed to JACOB BENEDICT KNACKSTEDT whose telephone number is (703)756-5608. The examiner can normally be reached Monday-Friday 8:00 am - 5:00 pm. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Linglan Edwards, can be reached on (571) 270-5440. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/J.B.K./ Examiner, Art Unit 2408
/LINGLAN EDWARDS/ Supervisory Patent Examiner, Art Unit 2408
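Claims 5, 7 and 13 as recited in the office action above score rule expansions by building one binary matrix of benign training entries and one of malicious entries (rows are entries, columns are features) and deriving precision and coverage of the candidate expansions from those matrices; claim 1 wraps that scoring in an iterative expansion loop. The following is an added example written for this page, not code from the applicant, the filing or the examiner, that works the computation through. The feature names follow claims 14 and 15; the training set, the precision and coverage definitions (TP / (TP + FP) and TP / number of malicious entries), the selection criterion (not yet expanded and still above the coverage floor) and the thresholds are assumptions constructed for illustration.

```python
"""Added example: scoring one-feature rule expansions with binary feature matrices.

Assumptions (illustrative, not taken from the filing): a rule is a set of feature
indices and matches a process when every feature in the set is present;
precision = TP / (TP + FP); coverage = TP / (number of malicious entries);
a rule that matches nothing gets precision 0.0.
"""
from typing import Dict, FrozenSet, List, Tuple

# Feature list recited in claims 14 and 15 (index = matrix column).
FEATURES = [
    "runs_from_temp_folder",   # 0
    "double_extension",        # 1
    "script_engine",           # 2
    "hidden_powershell",       # 3
    "writes_pe_to_disk",       # 4
    "modifies_system_files",   # 5
    "network_protocol",        # 6
    "registry_persistence",    # 7
]

# Constructed training set: (features observed in the execution, label).
TRAINING_SET = [
    ({0, 4, 7}, "malicious"), ({0, 3, 6, 7}, "malicious"), ({1, 2, 6}, "malicious"),
    ({0, 1, 4}, "malicious"), ({3, 6}, "malicious"),
    ({0}, "benign"), ({6}, "benign"), ({2, 6}, "benign"),
    ({0, 6}, "benign"), ({5}, "benign"), ({0, 5}, "benign"),
]

Matrix = List[List[int]]
Rule = FrozenSet[int]
Quality = Tuple[float, float]  # (precision, coverage)


def build_matrices(entries, n_features: int) -> Tuple[Matrix, Matrix]:
    """Return (benign, malicious) 0/1 matrices: one row per entry, one column per feature."""
    benign, malicious = [], []
    for feats, label in entries:
        row = [1 if f in feats else 0 for f in range(n_features)]
        (malicious if label == "malicious" else benign).append(row)
    return benign, malicious


def match_vector(matrix: Matrix, rule: Rule) -> List[int]:
    """Per-row indicator: 1 when every feature of the rule is set in that row."""
    return [int(all(row[f] for f in rule)) for row in matrix]


def expansion_hits(matrix: Matrix, rule: Rule) -> List[int]:
    """b^T * M: hit counts of every one-feature expansion of `rule`, computed jointly.

    b is the base rule's match vector; one vector-matrix product yields, for every
    column f at once, how many rows match rule + {f}.
    """
    b = match_vector(matrix, rule)
    n_features = len(matrix[0]) if matrix else 0
    return [sum(bi * row[f] for bi, row in zip(b, matrix)) for f in range(n_features)]


def score_expansions(benign: Matrix, malicious: Matrix, rule: Rule) -> Dict[Rule, Quality]:
    """Precision and coverage of rule + {f} for each feature f not already in the rule."""
    tp, fp = expansion_hits(malicious, rule), expansion_hits(benign, rule)
    scores: Dict[Rule, Quality] = {}
    for f in range(len(tp)):
        if f in rule:
            continue
        precision = tp[f] / (tp[f] + fp[f]) if tp[f] + fp[f] else 0.0
        scores[rule | {f}] = (precision, tp[f] / len(malicious))
    return scores


def quality(benign: Matrix, malicious: Matrix, rule: Rule) -> Quality:
    """Precision and coverage of a single rule against the training set."""
    tp, fp = sum(match_vector(malicious, rule)), sum(match_vector(benign, rule))
    return (tp / (tp + fp) if tp + fp else 0.0, tp / len(malicious))


def expand_rules(benign, malicious, seeds, min_precision, min_coverage, max_iterations=50):
    """Iteratively expand seed rules; returns {rule: (precision, coverage)} for the whole set."""
    rules: Dict[Rule, Quality] = {r: quality(benign, malicious, r) for r in seeds}
    expanded = set()
    for _ in range(max_iterations):
        # Selection criterion (assumed): not yet expanded and still above the coverage floor.
        candidates = [r for r in rules if r not in expanded and rules[r][1] >= min_coverage]
        if not candidates:
            break
        selected = candidates[0]
        expanded.add(selected)
        for new_rule, (p, c) in score_expansions(benign, malicious, selected).items():
            if p >= min_precision and c >= min_coverage and new_rule not in rules:
                rules[new_rule] = (p, c)  # quality is recorded alongside the rule
    return rules


def output_rules(rules: Dict[Rule, Quality], min_precision, min_coverage) -> Dict[Rule, Quality]:
    """Final output: only rules that meet the threshold quality."""
    return {r: q for r, q in rules.items() if q[0] >= min_precision and q[1] >= min_coverage}


if __name__ == "__main__":
    B, M = build_matrices(TRAINING_SET, len(FEATURES))
    final = expand_rules(B, M, [frozenset({0})], min_precision=0.9, min_coverage=0.3)
    for rule, (p, c) in output_rules(final, 0.9, 0.3).items():
        print(sorted(FEATURES[f] for f in rule), f"precision={p:.2f} coverage={c:.2f}")
```

Starting from the single-feature seed "runs from a temporary folder" (precision 0.5 on this constructed set), one pass of `expansion_hits` scores all seven candidate expansions with a single vector-matrix product per class instead of re-evaluating each candidate rule against every entry; only the expansions that add "writes a PE to disk" or "registry persistence" clear the assumed thresholds, and further expansion of those two drops coverage below the floor, so the loop terminates with them as the output set.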

Prosecution Timeline

May 12, 2024: Application Filed
Oct 01, 2025: Non-Final Rejection mailed (§103)
Dec 10, 2025: Response Filed
Jan 23, 2026: Final Rejection mailed (§103)
Mar 08, 2026: Response after Non-Final Action
Apr 05, 2026: Request for Continued Examination
Apr 10, 2026: Response after Non-Final Action
May 11, 2026: Non-Final Rejection mailed (§103, current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12639433: BEHAVIORAL DETECTION OF MALWARE THAT PERFORMS FILE OPERATIONS AT A SERVER COMPUTER. Granted May 26, 2026 (2y 11m to grant).
Patent 12632520: SYSTEM FOR PROVISIONING AUTHENTICATED ACCESS TO RESOURCES LINKED WITH INDIVIDUAL CHARACTERISTIC DATA. Granted May 19, 2026 (3y 4m to grant).
Patent 12632562: SYSTEM AND METHOD FOR SELECTIVE MANAGEMENT OF VULNERABILITIES. Granted May 19, 2026 (3y 1m to grant).
Patent 12632543: IDPS DYNAMIC ALLOCATION DEVICE AND METHOD BASED ON RESOURCE USAGE RECOGNITION. Granted May 19, 2026 (2y 5m to grant).
Patent 12625955: TECHNIQUES FOR REPRESENTATION OF REMEDIATION ACTION IN A CYBERSECURITY GRAPH DATABASE. Granted May 12, 2026 (3y 2m to grant).
Based on the 5 most recent grants by this examiner.


Prosecution Projections

Expected OA Rounds: 3-4
Grant Probability: 88%
Grant Probability With Interview: 99% (+16.7%)
Median Time to Grant: 2y 6m (~6m remaining)
PTA Risk: High
Based on 48 resolved cases by this examiner. Grant probability derived from career allowance rate.
