DETAILED ACTION
Claims 1-20 are presented for examination.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 7/23/25 has been considered by the examiner.
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.
(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.
Claims 1, 2, 6, 7, and 11-19 are rejected under 35 U.S.C. 102(a)(1) and 35 U.S.C. 102(a)(2) as being anticipated by Seul (U.S. Patent Publication 2020/0336497).
Regarding claim 1:
Seul discloses a system comprising: a processor (Figure 8, and paragraphs 0096-0101); and a memory that stores program code executable by the processor circuit (Ibid), the program code comprising: a logging system that: receives operation information for an executing operation (the security events representing operations occurring on a monitored system, as per e.g. paragraph 0083: “The security events are received from an event collector…” and paragraph 0088: “Firstly, the security events 602 are sent to an event preprocessor after being collected from the log sources via one or more event collectors”)comprising a plurality of sub-operations (paragraphs 0043-0045, including: “The term ‘cyber-attack chain’ may denote a sequence of sub-attacks to a computer or similar system” and “The term ‘sequence of security events’ may denote that each of the sequence of partial cyber-attacks may establish a breach of security measures of which most operate under the radar of simply cyber-attack defense systems”), determines, based on the operation information, a sub-operation subset of the plurality of sub-operations satisfies a risk logging criterion (paragraph 0027, including: “According to one additional, preferred embodiment, the method may also comprise removing the at least one configured rule for a downstream partial cyber-attack in the specific cyber-attack chain in the set of rules if it is determined that a risk value for the specific cyber-attack chain is reduced to below a predetermined risk threshold value”), generates a log of the determined sub-operation subset without including a first sub-operation of the plurality of sub-operations that fails to satisfy the risk logging criterion (the correlation queue of paragraph 0089, wherein the correlation queue is a “log” under the broadest reasonable interpretation of the term in view of the instant specification, as said correlation queue is a collection of log entries obtained from other external security logs, and preprocessed such that the log data is in a more useful form for the invention to analyze), during generation of the log, detects, based on the determined sub-operation subset, a triggering event corresponding to a potential data exfiltration cyber-attack (paragraph 0083: “The correlation engine 518 accesses the TTP identifying rules 506, which matches the incoming events against known Indicators of compromise”; see also paragraphs 0089-0092; data exfiltration attacks as a type of cyber-attack that the invention protects against at paragraph 0065), and performs a first protective action to mitigate the potential data exfiltration cyber-attack (i.e. raise an alarm to a cyber security officer to correct the issue: paragraphs 0026 & 0085).
Regarding claim 2: Seul further discloses wherein to detect the triggering event, the logging system: determines a level of similarity between a pattern of the determined sub-operation subset and a pattern of the potential data exfiltration cyber-attack satisfies a triggering event criterion (paragraphs 0074-0082).
Regarding claim 6: Seul further discloses wherein to detect the triggering event, the logging system: identifies data accessed by the determined sub-operation subset (paragraphs 0074-0081); and determines a frequency of previous accesses to the data satisfies a triggering event criterion (Ibid, particularly paragraph 0079 regarding the number of firewall events).
Regarding claim 7: Seul further discloses wherein to detect the triggering event, the logging system: determines the determined sub-operation subset comprises a data transfer operation (paragraphs 0074-0081); and determines an amount of time spent executing the executing operation satisfies a triggering event criterion (Ibid).
Regarding claim 11: Seul further discloses wherein the system comprises: an operation engine that executes the executing operation; and to receive the operation information, the logging system monitors activity of the operation engine (e.g. paragraph 0013: “According to another aspect of the present invention, a security information and event monitoring (SIEM) system for dynamically identifying security threats comprising a cyber-attack chain may be provided”).
Regarding claim 12:
Seul discloses a method for mitigating a potential ransomware cyber-attack (e.g. paragraphs 0058 & 0074-0075), the method comprising: receiving operation information for an executing operation (the security events representing operations occurring on a monitored system, as per e.g. paragraph 0083: “The security events are received from an event collector…” and paragraph 0088: “Firstly, the security events 602 are sent to an event preprocessor after being collected from the log sources via one or more event collectors”); generating a log of the executing operation based on the operation information (the correlation queue of paragraph 0089, wherein the correlation queue is a “log” under the broadest reasonable interpretation of the term in view of the instant specification, as said correlation queue is a collection of log entries obtained from other external security logs, and preprocessed such that the log data is in a more useful form for the invention to analyze); during said generating the log, detecting, based on the executing operation, a triggering event corresponding to a potential ransomware cyber-attack (paragraph 0083: “The correlation engine 518 accesses the TTP identifying rules 506, which matches the incoming events against known Indicators of compromise”; see also paragraphs 0089-0092), and performing a protective action to mitigate the potential ransomware cyber-attack (i.e. raise an alert to a cyber security officer to correct the issue: paragraphs 0026 & 0085).
Regarding claim 13: Seul further discloses wherein the executing operation comprises a plurality of sub-operations (paragraphs 0043-0045, including: “The term ‘cyber-attack chain’ may denote a sequence of sub-attacks to a computer or similar system” and “The term ‘sequence of security events’ may denote that each of the sequence of partial cyber-attacks may establish a breach of security measures of which most operate under the radar of simply cyber-attack defense systems”) and, said generating the log comprises: determining a sub-operation subset of the plurality of sub-operations satisfy a risk logging criterion (paragraph 0027, including: “According to one additional, preferred embodiment, the method may also comprise removing the at least one configured rule for a downstream partial cyber-attack in the specific cyber-attack chain in the set of rules if it is determined that a risk value for the specific cyber-attack chain is reduced to below a predetermined risk threshold value”); and including the determined sub-operation subset in the log without including a first sub-operation of the plurality of sub-operations that fails to satisfy the risk logging criterion (Ibid).
Regarding claim 14: Seul further discloses wherein the executing operation comprises a plurality of sub-operations (paragraphs 0043-0045) and, said detecting the triggering event comprises: determining a similarity between a pattern of the sub-operations and a pattern of the potential ransomware cyber-attack satisfies a triggering event criterion (paragraphs 0074-0082).
Regarding claim 15: Seul further discloses wherein said detecting the triggering event comprises: receiving first operation embeddings corresponding to the potential ransomware cyber-attack (e.g. the campaign rules for detecting ransomware at paragraphs 0078-0082); determining a level of similarity between a potential operation for executing against a database and the executing operation satisfy a similarity threshold (Ibid; see also paragraph 0026: “Thus, some of the activities of the SIEM system may be operated automatically until a threshold of partial cyber-attacks belonging together has been reached…”); determining second operation embeddings correspond to the executing operation based on a mapping of the second operation embeddings to the potential operation (see each of the three rules from paragraphs 0078-0082); and determining a semantic similarity between the first operation embeddings and the second operation embeddings satisfies a triggering event criterion (Ibid).
Regarding claim 16: Seul further discloses wherein said detecting the triggering event comprises: identifying data accessed by the executing operation (paragraphs 0074-0081); and determining a frequency of previous accesses to the data satisfies a triggering event criterion (Ibid, particularly paragraph 0079 regarding the number of firewall events).
Regarding claim 17: Seul further discloses wherein said receiving operation information comprises: monitoring activity of an operation engine configured to execute operations (e.g. paragraph 0013: “According to another aspect of the present invention, a security information and event monitoring (SIEM) system for dynamically identifying security threats comprising a cyber-attack chain may be provided”).
Regarding claim 18:
Seul discloses a computer readable storage medium having program instructions recorded thereon, the program instructions structured to cause a processor to perform a method comprising: receiving operation information for an executing operation (the security events representing operations occurring on a monitored system, as per e.g. paragraph 0083: “The security events are received from an event collector…” and paragraph 0088: “Firstly, the security events 602 are sent to an event preprocessor after being collected from the log sources via one or more event collectors”) comprising a plurality of sub-operations (paragraphs 0043-0045, including: “The term ‘cyber-attack chain’ may denote a sequence of sub-attacks to a computer or similar system” and “The term ‘sequence of security events’ may denote that each of the sequence of partial cyber-attacks may establish a breach of security measures of which most operate under the radar of simply cyber-attack defense systems”); determining a sub-operation subset of the plurality of sub-operations satisfies a risk logging criterion (paragraph 0027, including: “According to one additional, preferred embodiment, the method may also comprise removing the at least one configured rule for a downstream partial cyber-attack in the specific cyber-attack chain in the set of rules if it is determined that a risk value for the specific cyber-attack chain is reduced to below a predetermined risk threshold value”); generating a log of the determined sub-operation subset without including a first sub-operation of the plurality of sub-operations that fails to satisfy the risk logging criterion (the correlation queue of paragraph 0089, wherein the correlation queue is a “log” under the broadest reasonable interpretation of the term in view of the instant specification, as said correlation queue is a collection of log entries obtained from other external security logs, and preprocessed such that the log data is in a more useful form for the invention to analyze); detecting, based on the determined sub-operation subset, a triggering event corresponding to a potential cyber-attack (paragraph 0083: “The correlation engine 518 accesses the TTP identifying rules 506, which matches the incoming events against known Indicators of compromise”; see also paragraphs 0089-0092); and performing a first protective action to mitigate the potential cyber-attack (i.e. raise an alarm to a cyber security officer to correct the issue: paragraphs 0026 & 0085).
Regarding claim 19:
Seul further discloses wherein said detecting the triggering event comprises: receiving first operation embeddings corresponding to the potential cyber-attack (e.g. the campaign rules for detecting ransomware at paragraphs 0078-0082); determining second operation embeddings correspond to the determined sub-operation subset based on a mapping of the second operation embeddings to a potential operation for executing against a database, the potential operation having a level of similarity to the determined sub-operation subset that satisfies a similarity criterion (Ibid); and determining a semantic similarity between the first operation embeddings and the second operation embeddings satisfies a triggering event criterion (Ibid).
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 3-5 are rejected under 35 U.S.C. 103 as being unpatentable over Seul as applied to claim 1 above, and further in view of Hebbagodi (U.S. Patent Publication 2023/0396641).
Regarding claim 3: Seul further discloses: an embedding generator that: receives a set of potential operations for execution against a database (paragraphs 0074-0081) but does not disclose utilizing a generative artificial intelligence (AI) model to generate operation embeddings for the set of potential operations, and storing the operation embeddings in a vector database; and wherein the logging system detects the triggering event based on the determined sub-operation subset and the operation embeddings. However, Hebbagodi discloses a related invention for detecting cyber-attacks comprising utilizing a generative artificial intelligence (AI) model to generate operation embeddings for the set of potential operations (paragraphs 0022-0023, including: “Illustratively, the machine-learning-based architecture obtains a set of inputs from a wide variety of input sources, which may be generally described as input signals…The machine-learning-based architecture then generates processing results from the input signals that correspond to vectorized data”; and paragraph 0044, including: “Further, the vectorization components 216 may vectorize the input signals by selecting appropriate embeddings.”; generative AI machine learning models at paragraph 0105), and storing the operation embeddings in a vector database (paragraph 0044: “The clustering components 218 may perform input signal comparison and selection, create a run-time vector database for comparison of different input signals, and then group (e.g., cluster) input signals with a certain threshold of similarity to each other”); and wherein the logging system detects the triggering event based on the determined sub-operation subset and the operation embeddings (paragraph 0044, Ibid). It would have been obvious prior to the effective filing date of the instant application for Seul to use generative AI to analyze his input signals for signs of a cyber-attack, as disclosed by Hebbagodi, as generative AI enhances the efficiency and effectiveness of generating or updating detection policies based on the derived intelligence (Hebbagodi, paragraph 0105).
Regarding claim 4:
The combination further discloses, to detect the triggering event based on the sub-operation subset and the operation embeddings, the logging system: receives a first subset of the operation embeddings corresponding to the potential cyber-attack (Seul, paragraphs 0078-0082; Hebbagodi, paragraph 0044); determines a second subset of the operation embeddings corresponding to the determined sub-operation subset based on a mapping of the second subset to a potential operation of the set of potential operations, the potential operation having a level of similarity to the determined sub-operation subset that satisfies a similarity criterion (Ibid); and determines a semantic similarity between the first subset of the operation embeddings and the second subset of the operation embeddings satisfies a triggering event criterion (Ibid).
Regarding claim 5: Seul does not disclose further comprising: an embedding generator that utilizes a generative AI model to generate operation embeddings based on the determined sub-operation subset; and wherein to detect the triggering event, the logging system determines a semantic similarity between the operation embeddings and attack embeddings satisfies a triggering event criterion, the attack embeddings corresponding to a previously executed operation associated with a cyber-attack. However, Hebbagodi discloses a related invention for detecting cyber-attacks comprising these limitations (paragraphs 0022-0023 & 0044 as discussed supra in the rejection of claim 3; see also paragraph 0066: “In another aspect, the network service can build and score impact graphs based on traces (above) and attack paths generated from previous processing results” [emphasis Examiner’s]). It would have been obvious prior to the effective filing date of the instant application for Seul to use generative AI to analyze his input signals for signs of a cyber-attack, as disclosed by Hebbagodi, as generative AI enhances the efficiency and effectiveness of generating or updating detection policies based on the derived intelligence (Hebbagodi, paragraph 0105).
Claims 8-10 & 20 are rejected under 35 U.S.C. 103 as being unpatentable over Seul as applied to claims 1 & 18 above, and further in view of Alimian (U.S. Patent Publication 2024/0114056).
Regarding claim 8: Seul does not discloses wherein the determined sub-operation subset comprises an operation to download a copy of data and, to perform the first protective action, the logging system: causes a watermark to be inserted in the copy. However, Alimian discloses a related invention for detecting cyber-attacks including data exfiltration (e.g. paragraph 0091) comprising detecting an operation to download a copy of data (paragraph 0051: “Strictly as some examples, event history 150 might include any number of deep content inspection results 134, any number of occurrences of anomalous downloads, and number of occurrences of access pattern deviations 111, and/or any number of user vectors 107”; see also paragraph 0035 for an example scenario), and, to perform the first protective action, the logging system: causes a watermark to be inserted in the copy (paragraph 0100, including Table 1 on page 9: “Exfiltration Activities over content objects that are made accessible via rules 234 shared links are subjected to heightened scrutiny. A user corresponding to such activities is subjected to increased observance. Access behaviors over these content object are screened for suspicious downloading events. These content objects might be subjected to forensic watermarking, including video watermarking”; see also paragraph 0031 regarding applying a watermark). It would have been obvious prior to the effective filing date of the instant application for Seul to detect a suspicious download and watermark the content being accessed in that case as disclosed by Alimian, as watermarking facilitates forensic analysis, which is useful in risk calculations for detecting cyber-attacks (Alimian, paragraph 0076).
Regarding claim 9:
The combination further discloses wherein the watermark comprises: pixel data configured to be analyzed by a watermark detection system to determine a secret indicative that the data was exfiltrated; an identifier of a user account the executing operation was executed on behalf of; or watermarked data in a result of the executing operation (user-specific watermarks at Alimian, paragraph 0079).
Regarding claim 10:
The combination further discloses wherein the logging system further: receives a remediation request indicating exfiltrated data comprises the watermark Alimian, paragraph 0116: “Strictly as one further example, if inappropriate exfiltration of data were detected, a low latency policy enforcement engine can immediately invoke countermeasures (e.g., by terminating the user session, by erecting logical shields against a repeat, etc.)”; and responsive to receiving the remediation request, performs a second protective action based on the watermark (Alimian, Ibid).
Regarding claim 20:
The rejection of claims 8 & 10 apply mutatis mutandis to claim 20.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
U.S. Patent 12,107,874 (Malhotra)
U.S. Patent Publication 2023/0095306 (Fenton)
U.S. Patent Publication 2022/0321531 (Fenton)
U.S. Patent Publication 2017/0063897 (Muddu)
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Thomas A Gyorfi whose telephone number is (571)272-3849. The examiner can normally be reached 10:00am - 6:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Amir Mehrmanesh can be reached at 571-270-3351. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
THOMAS A. GYORFI
Examiner
Art Unit 2435
/THOMAS A GYORFI/Examiner, Art Unit 2435 5/2/26