Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
DETAILED ACTION
This is in response to the amendment filed of 03/19/2026. Claims 1-20 are pending and have been considered below.
Priority
18673012 filed 05/23/2024 is a Continuation in Part of 18410286, filed 01/11/2024.
Drawings
The drawings filed on 05/23/2024 are accepted.
Specification
The specification filed on 05/23/2024 is accepted.
Response to Arguments
Applicant's arguments with respect to double patenting remarks page 8 have been fully considered but they are not persuasive. The rejection has been maintained.
Applicant’s arguments with respect to claims regarding the 103 rejection have been considered but are moot in view of the new ground of rejection.
Double Patenting
The non-statutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A non-statutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on non-statutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The filing of a terminal disclaimer by itself is not a complete reply to a non-statutory double patenting (NSDP) rejection. A complete reply requires that the terminal disclaimer be accompanied by a reply requesting reconsideration of the prior Office action. Even where the NSDP rejection is provisional the reply must be complete. See MPEP § 804, subsection I.B.1. For a reply to a non-final Office action, see 37 CFR 1.111(a). For a reply to final Office action, see 37 CFR 1.113(c). A request for reconsideration while not provided for in 37 CFR 1.113(c) may be filed after final for consideration. See MPEP §§ 706.07(e) and 714.13.
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The actual filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/apply/applying-online/eterminal-disclaimer.
Claims 1-20 are provisionally rejected on the ground of non-statutory double patenting as being unpatentable over claims 1-20 of co-pending Application No. 18/953,963. Although the claims at issue are not identical, they are not patentably distinct from each other because Claims 1-20 are anticipated by claims 1-20 of the co-pending application.
This is a provisional non-statutory double patenting rejection because the patentably indistinct claims have not in fact been patented.
A side-by-side comparison of claims 1, 8 and 15 of the pending application and the 18/953,963 co-pending application is given in the following table to show their similarities and differences:
18/673,012
18/953,963
1. A system for dynamic security monitoring of user activities in backup storage systems, comprising:
one or more processors; and
a non-transitory computer readable medium storing a plurality of instructions, which when executed, cause the one or more processors to:
train machine-learning models to identify historical activities, performed by all types of users of backup storage systems, which comprise at least one of atypical activities or resemblances to malicious activities;
identify, by the machine-learning models, activities, performed by any type of a user of a backup storage system, which comprise at least one of any of the atypical activities or a resemblance to any of the malicious activities;
determine activity scores, corresponding to the identified activities, wherein each activity score is inversely related to a corresponding level of security risk;
output a security health score based on a product of each of the activity scores;
disable disruptive commands and output an alert which enables a system administrator to identify and resolve a security risk,
in response to a determination that the security health score is less than a threshold; and
output an updated security health score based on any change to any identified activity.
8. A computer-implemented method for dynamic security monitoring of user activities in backup storage systems, the computer-implemented method comprising:
training machine-learning models to identify historical activities, performed by all types of users of backup storage systems, which comprise at least one of atypical activities or resemblances to malicious activities;
identifying, by the machine-learning models, activities, performed by any type of a user of a backup storage system, which comprise at least one of any of the atypical activities or a resemblance to any of the malicious activities;
determining activity scores, corresponding to the identified activities, wherein each activity score is inversely related to a corresponding level of security risk;
outputting a security health score based on a product of each of the activity scores;
disabling disruptive commands and outputting an alert which enables a system administrator to identify and resolve a security risk,
in response to a determination that the security health score is less than a threshold; and
outputting an updated security health score based on any change to any identified activity.
15. A computer program product, comprising a non-transitory computer-readable medium having a computer-readable program code embodied therein to be executed by one or more processors, the program code including instructions to:
train machine-learning models to identify historical activities, performed by all types of users of backup storage systems, which comprise at least one of atypical activities or resemblances to malicious activities;
identify, by the machine-learning models, activities, performed by any type of a user of a backup storage system, which comprise at least one of any of the atypical activities or a resemblance to any of the malicious activities;
determine activity scores, corresponding to the identified activities, wherein each activity score is inversely related to a corresponding level of security risk;
output a security health score based on a product of each of the activity scores;
disable disruptive commands and output an alert which enables a system administrator to identify and resolve a security risk,
in response to a determination that the security health score is less than a threshold; and
output an updated security health score based on any change to any identified activity.
1. A system for dynamic security monitoring of user activities in network backup storage systems, comprising:
one or more processors; and
a non-transitory computer readable medium storing a plurality of instructions, which when executed, cause the one or more processors to:
train machine-learning models to identify historical activities, performed by users of backup storage systems, which comprise at least one of atypical activities or resemblances to malicious activities;
identify, by the machine-learning models, activities, performed by any user of a backup storage system, which comprise at least one of any of the atypical activities or a resemblance to any of the malicious activities;
determine activity scores, corresponding to the identified activities, wherein each activity score is related to a corresponding level of security risk;
output a security health score based on the activity scores;
isolate the backup storage system and enable another backup storage system to output another security health score based on one of the activity scores associated with the backup storage system,
in response to a determination that the security health score is less than a threshold; and
output an updated security health score based on any change to any identified activity.
8. A computer-implemented method for dynamic security monitoring of user activities in networked backup storage systems, the computer-implemented method comprising:
training machine-learning models to identify historical activities, performed by users of backup storage systems, which comprise at least one of atypical activities or resemblances to malicious activities;
identifying, by the machine-learning models, activities, performed by any user of a backup storage system, which comprise at least one of any of the atypical activities or a resemblance to any of the malicious activities;
determining activity scores, corresponding to the identified activities, wherein each activity score is related to a corresponding level of security risk;
outputting a security health score based on the activity scores;
isolating the backup storage system and enabling another backup storage system to output another security health score based on one of the activity scores associated with the backup storage system,
in response to a determination that the security health score is less than a threshold; and
outputting an updated security health score based on any change to any identified activity.
15. A computer program product, comprising a non-transitory computer-readable medium having a computer-readable program code embodied therein to be executed by one or more processors, the program code including instructions to:
train machine-learning models to identify historical activities, performed by users of backup storage systems, which comprise at least one of atypical activities or resemblances to malicious activities;
identify, by the machine-learning models, activities, performed by any user of a backup storage system, which comprise at least one of any of the atypical activities or a resemblance to any of the malicious activities;
determine activity scores, corresponding to the identified activities, wherein each activity score is related to a corresponding level of security risk;
output a security health score based on the activity scores;
isolate the backup storage system and enable another backup storage system to output another security health score based on one of the activity scores associated with the backup storage system,
in response to a determination that the security health score is less than a threshold; and
output an updated security health score based on any change to any identified activity.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to abstract idea without significantly more. The claim(s) recite(s) the limitation of” train machine-learning models to identify historical activities, which comprise at least one of atypical activities or resemblances to malicious activities; identify, activities,, which comprise at least one of any of the atypical activities or a resemblance to any of the malicious activities;(mathematical or statical modeling of data pattern);determine activity scores, wherein each activity score is related to a corresponding level of security risk;(assigning value to data based on analysis mathematical computation or mental process); output a security health score based on the activity scores or output an updated security health score; (aggregate numerical values in to a composite metric mathematical calculation) ; isolate the backup storage system and enable another backup storage system to output another security health score(threshold based decision making organizing human security activity)”. This judicial exception is not integrated into a practical application because the recited hardware elements ”one or more processors”, “non-transitory computer readable medium”, and “backup storage system” are generic computing and storage components that merely provide a conventional environment for executing the abstract idea, The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception because generic hardware are recited at a high level of generality and represent standard computing components.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.
Claims 6, 13 and 19 recites the limitation "the alert" in lines 3 and 4. There is insufficient antecedent basis for this limitation in the claim.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-2, 8-9 and 15-16 are rejected under 35 U.S.C. 103 as being unpatentable over Saperstein et al U.S. 12,483,574 B1 in view of Cashin U.S. 8,683,598 B1 in further view of Gu et al U.S. 10,810,089 B1.
Claims 1, 8 and 15: Saperstein et al teaches a system for dynamic security monitoring of user activities in col.22, lines 25-55) comprising:
A computer-implemented method for dynamic security monitoring of user activities in backup storage systems, the computer-implemented method (col.22, lines 25-55,) comprising:
A computer-implemented method for dynamic security monitoring of user activities in col.22, lines 25-5), the computer-implemented method comprising:
one or more processors (col.22, lines 25-55, processor); and
a non-transitory computer readable medium storing a plurality of instructions, which when executed, cause the one or more processors (col.22, lines 11-40) to:
train machine-learning models to identify historical activities, performed by all types of users of col.2, line 63 to col.3 Ine 5, the machine learning model having been previously trained based on malicious activity and corresponding baseline network activity col.8, lines 35-50. Col.4, lines 10-24, the baseline of network activity may be based at least on one of historic network activity of the user generating the network activity, or average network activity of the user generating the network activity);
identify, by the machine-learning models, activities, performed by any type of a user of a col.2, line 63 to col.3 Ine 4, monitoring, by a computer, network activity of a user having a baseline network activity; executing, by the computer, a machine learning model to determine a network activity score indicating a likelihood of the network activity being malicious activity for the baseline network activitycol.7, lines 25-30, a machine learning model to evaluate the network activity score associated with the network activity to determine whether the network activity is malicious activity);
Saperstein et al fails to teach, however Cashin in the same field of endeavor teaches
determine activity scores, corresponding to the identified activities, wherein each activity score is inversely related to a corresponding level of security risk (col.1, lines 55-65, analyzing the received data to determine a score to assign to the event and a weighting factor to apply to the assigned score, col.3, lines 15-18);
output a security health score based on a product of each of the activity scores (col.8, lines 48-67, security operation software application configured to score network activity, according to example embodiments. Using the model suite 321 of the security operations software application 320 (e.g., the signature evaluator 322, the baseline evaluator 324, and the model evaluator 326), the security operations software 320 may be able to provide meaningful detections (also referred to as “network scores”) using context associated with each network score. The provided context, in the form of the relevant features used in determining the network score, is used to determine whether the monitored network activity 310 is indicative of malicious behavior. Relevant features (e.g., context) associated with the network score include features determined from the various evaluators of the model suite 321. For example, relevant features of the signature evaluator 322 (discussed herein) may include an above threshold number of authentications, a below threshold Internet Service Provider (ISP) origination, and relevant features of the baseline evaluator 324 (discussed herein) may include an average network activity score of the user generating the network activity, an average network activity score of one or more groups of similar users, and the like);
col.9, lines 20-67, The model suite 321 of the security operations software application 320 is configured to execute logic (e.g., the signature evaluator 322, the baseline evaluator 324, and/or the model evaluator 326) to score the network activity and generate a network activity score of 330. The network activity score of 330 indicates a likelihood that the network activity is malicious. The model suite 321 may detect malicious activity by matching specific known patterns of attack (e.g., a signature-based approach) and/or alerting one or more administrators/operators of anomalies by analyzing a user's normal behavior on the system (e.g., an anomaly-based approach). In this manner, the model suite 321 generates contextually enriched alerts by determining relevant features (context) associated with each of the evaluators of the model suite 321. Combining one or more approaches (e.g., signature-based approaches and/or anomaly-based approaches) using the one or more evaluators (e.g., the signature evaluator 322, the baseline evaluator 324, and/or the model evaluator 326) enables the model suite 321 to determine the contextually enriched alerts. In some embodiments, the security operations software 320 may output score context information); and
output an updated security health score based on any change to any identified activity (col.19, lines28-55e score evaluator 432 may update the network score cluster with the network score (e.g., re-average the centroid of the network score cluster to include the network score 430). In these implementations, when the score evaluator 432 updates the network score cluster, the score evaluator 432 may take a weighted average of the network scores (and weigh the strong network scores more than other network scores) to determine the centroid of the network score cluster).
Saperstein et al teaches fails to teach, however Gu et al in the same field of endeavor teaches
the activities are backup activities (col.1, line 58 to col. 2, line 10, Anomalous backup activity is managed in conjunction with a backup system. )
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the disclosure of Saperstein et al with the additional features of Gu et al in order to provide the ability to automatically adjust backups and default backup configurations based on anomalous backup activity, as suggested by Gu et al col.1, lines 6-10.
The combination fail s to teach, however Kraplanee et al in the same field of endeavor teaches
disable disruptive commands (par.351, administrator can view a file activity anomaly report for recommendations and based on the recommendations, view, edit, enable, disable, or delete the alerts from the security health monitoring system's user interface.)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the disclosure of Saperstein et al with the additional features of Kraplanee et al in order to provide an information management security health management system for monitoring the security health of one or more information management cells, as suggested by Kraplanee et al par.5.
Claims 2, 9 and 16: the combination teaches wherein identifying the activities which comprise any of the atypical activities is based on one or more of the following:
one of an amount of data which is accessed or an amount of data files transferred by one of a system user or an application that functions as a user, at least one of a time or a location for a login by the system user, a command for storing a passphrase for a system onto a disk, or a command for deleting at least a part of one of a file system, a cloud storage, or a Merkle tree (Saperstein et al, col.7, lines 50 to col.8, line 15, col.13, lines5-15, Gu et al, col.6, lines 15-45).
The same motivation to modify Saperstein et al in view of Gu et al applied to claims 1, 8 and 15 above applies here.
Claims 3, 10 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Saperstein et al U.S. 12,483,574 B1 in view of Cashin U.S. 8,683,598 B1 in further view of Gu et al U.S. 10,810,089 B1 and Malkov et al U.S. 2020/0159624 A1.
Claims 3, 10 and 17: the combination fails to teach, however Malkov et al In the same field of endeavor teaches wherein identifying activities which comprise the resemblance to any of the malicious activities is based on at least one of
1) a data file that has similarities to at least one of a signature or an attack pattern for an instance of malware (116, 128, 147, 158),
2) data which is from at least one of network traffic or a system log (116, 128, 147, 158), or
3) at least one of a header, content, or user behavior that is associated with an email and has similarities to a phishing email.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the disclosure of Saperstein et al with the additional features of Malkov et al in order to provide the ability for securing and protecting data and data backups from cyberattack and implementing disaster recovery using machine learning and artificial intelligence, as suggested by Malkov et al abstract.
Claims 4 and 11 are rejected under 35 U.S.C. 103 as being unpatentable over Saperstein et al U.S. 12,483,574 B1 in view of Cashin U.S. 8,683,598 B1 in further view of Gu et al U.S. 10,810,089 B1 Kraplanee et al U.S. 2020/0285546 A1.
Claims 4 and 11: the combination fails to teach, however Kraplanee et al In the same field of endeavor teaches
wherein the disabled disruptive commands are associated with at least one of storing a system passphrase on a disk or deleting at least a part of one of a file system, a cloud storage, or a Merkle tree(Kraplanee et al, par.8, 350-351).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the disclosure of Saperstein et al with the additional features of Kraplanee et al in order to provide an information management security health management system for monitoring the security health of one or more information management cells, as suggested by Kraplanee et al par.5.
Claims 5, 12 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Saperstein et al U.S. 12,483,574 B1 in view of Cashin U.S. 8,683,598 B1 in further view of Gu et al U.S. 10,810,089 B1 and Yampolskiy et al U.S. 2024/0007496 A1.
Claims 5, 12 and 18: the combination fails to teach, however Yampolskiy et al In the same field of endeavor teaches
wherein determining the security health score comprises weighing each of the activity scores by a corresponding weight which is determined based on an analysis of historical uses of activity scores to produce security health scores and subsequent security risks identified relative to each of the activity scores, and comprises normalizing the security health score using a security health score determined from a product of a maximum value for each activity score and any corresponding weights (par.5-6, 18-20, 39-42, 89).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the disclosure of Saperstein et al with the additional features of Yampolskiy et al in order to provide the ability to calculate an entity's cybersecurity risk and benchmark the calculated risk, as suggested by Yampolskiy et al par.2.
Claims 6, 13 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Saperstein et al U.S. 12,483,574 B1 in view of Cashin U.S. 8,683,598 B1 in further view of Gu et al U.S. 10,810,089 and Ellam et al U.S. 2021/0166548 A1.
Claims 6, 13 and 19: the combination fails to teach, however Ellam et al In the same field of endeavor teaches
wherein the plurality of instructions further causes the processor to lower the security health score below an additional threshold, in response to a time differential, between a previous time when the alert was output and a current time when the system administrator has yet to acknowledge the alert, exceeding a time threshold (par.20-23, 34-40) .
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the disclosure of Saperstein et al with the additional features of Ellam et al in order to provide the ability to dynamically adjust a threshold value for generating an alert within a computing system, as suggested by Ellam et al par.7.
Claims 7,14 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Saperstein et al U.S. 12,483,574 B1 in view of Cashin U.S. 8,683,598 B1 in further view of Gu et al U.S. 10,810,089 B1 and Mandagere et al U.S. 2022/0156384 A1.
Claims 7 , 14 and 20: the combination fails to teach, however Mandagere et al In the same field of endeavor teaches
wherein the plurality of instructions further causes the processor to enable the system administrator to select an option associated with one of a subscription, a periodic query, or a manual download to identify any security vulnerability of the backup storage system which is resolved by at least one of a patch or a software release which is available for distribution to the backup storage system (par.64-65).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the disclosure of Saperstein et al with the additional features of Mandagere et al in order to provide the ability to perform vulnerability scans periodically to discover and resolve security threats on a system, as suggested by Mandagere et al par.2.
The following prior art are cited to further show the state of the art at the time of applicant’s invention.
Gildein et al U.S. 2025/0103438 A1 teaches a dynamic adaptation of backup policy schemes on threat confidence.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to FATOUMATA TRAORE whose telephone number is (571)270-1685. The examiner can normally be reached 6:30-3:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, SHEWAYE GELAGAY can be reached at 5712724219. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
Saturday, May 30, 2026
/FATOUMATA TRAORE/Primary Examiner, Art Unit 2436