Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
1. This action is responsive to: an original application filed on 7 June 2024.
2. Claims 1-20 are currently pending and claims 1, 11 and 20 are independent claims.
Information Disclosure Statement
3. No IDS
Priority
4. No Priority claimed.
Drawings
5. The drawings filed on 7 June 2024 are accepted by the examiner.
Claim Rejections - 35 USC § 102
6. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claims 1-4, 6-14 and 16-20 are rejected under 35 U.S.C. §102(a)(1) as being anticipated by Fu et al. (US Publication No. 20240022577), hereinafter Fu.
Regarding claim 1:
A method comprising: applying an exploration model to a first query of a set of benign queries to generate an exploration query (Fu, ¶106, ¶114), wherein, and generates a set of feature vectors for training a machine learning model for detecting SQL and/or command injection cyber-attacks. The system then uses the set of feature vectors to train a machine learning model (e.g., a detection model) such as based on training data that includes one or more of malicious traffic and benign traffic.
applying an injection prevention model to the exploration query to generate an exploration result (Fu, ¶107, ¶79), wherein, method for detecting exploits according to various embodiments (e.g., using a model trained using a machine learning process) and a related art intrusion prevention system (IPS). Results of the comparison in detection.
updating the set of benign queries to include the exploration query when the exploration result indicates the exploration query was accepted (Fu, ¶114-115).
applying an exploitation model to a second query of the set of benign queries to generate an exploitation query comprising a protected data identifier (Fu, ¶123, ¶173, ¶130), wherein input string (or a computed hash or signature, or other unique identifier, etc.)
applying the injection prevention model to the exploitation query to generate an exploitation result (Fu, ¶71, ¶196), wherein system determines whether the sample is malicious based at least in part on a result of an analysis of the sample (e.g., an SQL or command injection string) using the machine learning model (e.g., the detection model).
and storing the exploitation query as an exfiltration query when the exploitation result comprises protected data accessed with the data identifier (Fu, ¶272, ¶107).
Regarding claim 2:
further comprising: updating a set of exfiltration queries to include the exfiltration query when the exploitation result comprises the protected data (Fu, ¶43).
Regarding claim 3:
further comprising: applying a selection model to the set of benign queries to select a benign query as one or more of the first query and the second query, wherein the benign query is randomly selected from the set of benign queries (Fu, ¶160) wherein “random forest” model uses random selection of data inherently.
Regarding claim 4:
wherein applying the injection prevention model to the exploration query comprises processing the exploration query using one or more of a syntax-based algorithm and a feature-based algorithm, and applying the injection prevention model to the exploitation query comprises processing the exploitation query using one or more of the syntax-based algorithm and the feature-based algorithm (Fu, ¶242-243).
Regarding claim 6:
further comprising: generating the exploitation query by: selecting a benign data identifier in the second query, selecting the protected data identifier to replace the benign data identifier in the second query, and updating the second query with the protected data identifier to form the exploitation query (Fu, ¶104).
Regarding claim 7:
further comprising: training the injection prevention model with the set of benign queries as positive samples (Fu, ¶38).
Regarding claim 8:
further comprising: preventing deployment of the injection prevention model responsive to the exfiltration query (Fu, ¶237-239).
Regarding claim 9:
further comprising: retraining the injection prevention model with a set of exfiltration queries, comprising the exfiltration query, as negative samples (Fu, ¶114).
Regarding claim 10:
further comprising: deploying the injection prevention model after retraining the injection prevention model with the exfiltration query (Fu, ¶47-48).
Regarding claim 11:
at least one processor (Fu, ¶21).
and an application that, when executing on the at least one processor, performs: applying an exploration model to a first query of a set of benign queries to generate an exploration query (Fu, ¶106, ¶114), wherein, and generates a set of feature vectors for training a machine learning model for detecting SQL and/or command injection cyber-attacks. The system then uses the set of feature vectors to train a machine learning model (e.g., a detection model) such as based on training data that includes one or more of malicious traffic and benign traffic.
applying an injection prevention model to the exploration query to generate an exploration result (Fu, ¶107, ¶79), wherein, method for detecting exploits according to various embodiments (e.g., using a model trained using a machine learning process) and a related art intrusion prevention system (IPS). Results of the comparison in detection.
updating the set of benign queries to include the exploration query when the exploration result indicates the exploration query was accepted (Fu, ¶114-115).
applying an exploitation model to a second query of the set of benign queries to generate an exploitation query comprising a protected data identifier (Fu, ¶123, ¶173, ¶130), wherein input string (or a computed hash or signature, or other unique identifier, etc.)
applying the injection prevention model to the exploitation query to generate an exploitation result (Fu, ¶71, ¶196), wherein system determines whether the sample is malicious based at least in part on a result of an analysis of the sample (e.g., an SQL or command injection string) using the machine learning model (e.g., the detection model).
and storing the exploitation query as an exfiltration query when the exploitation result comprises protected data accessed with the data identifier (Fu, ¶272, ¶107).
Regarding claim 12:
wherein the application further performs: updating a set of exfiltration queries to include the exfiltration query when the exploitation result comprises the protected data (Fu, ¶43).
Regarding claim 13:
wherein the application further performs: applying a selection model to the set of benign queries to select a benign query as one or more of the first query and the second query, wherein the benign query is randomly selected from the set of benign queries (Fu, ¶160) wherein “random forest” model uses random selection of data inherently.
Regarding claim 14:
wherein: applying the injection prevention model to the exploration query comprises processing the exploration query using one or more of a syntax-based algorithm and a feature-based algorithm, and applying the injection prevention model to the exploitation query comprises processing the exploitation query using one or more of the syntax-based algorithm and the feature-based algorithm (Fu, ¶242-243).
Regarding claim 16:
wherein the application further performs: generating the exploitation query by: selecting a benign data identifier in the second query, selecting the protected data identifier to replace the benign data identifier in the second query, and updating the second query with the protected data identifier to form the exploitation query (Fu, ¶104).
Regarding claim 17:
wherein the application further performs: training the injection prevention model with the set of benign queries as positive samples (Fu, ¶38).
Regarding claim 18:
wherein the application further performs: preventing deployment of the injection prevention model responsive to the exfiltration query (Fu, ¶237-239).
Regarding claim 19:
wherein the application further performs: retraining the injection prevention model with a set of exfiltration queries, comprising the exfiltration query, as negative samples (Fu, ¶114).
Regarding claim 20:
A non-transitory computer readable medium comprising instructions executable by at least one processor (Fu, ¶21) to perform: applying an exploration model to a first query of a set of benign queries to generate an exploration query (Fu, ¶106, ¶114), wherein, and generates a set of feature vectors for training a machine learning model for detecting SQL and/or command injection cyber-attacks. The system then uses the set of feature vectors to train a machine learning model (e.g., a detection model) such as based on training data that includes one or more of malicious traffic and benign traffic.
applying an injection prevention model to the exploration query to generate an exploration result (Fu, ¶107, ¶79), wherein, method for detecting exploits according to various embodiments (e.g., using a model trained using a machine learning process) and a related art intrusion prevention system (IPS). Results of the comparison in detection.
updating the set of benign queries to include the exploration query when the exploration result indicates the exploration query was accepted (Fu, ¶114-115).
applying an exploitation model to a second query of the set of benign queries to generate an exploitation query comprising a protected data identifier (Fu, ¶123, ¶173, ¶130), wherein input string (or a computed hash or signature, or other unique identifier, etc.)
applying the injection prevention model to the exploitation query to generate an exploitation result (Fu, ¶71, ¶196), wherein system determines whether the sample is malicious based at least in part on a result of an analysis of the sample (e.g., an SQL or command injection string) using the machine learning model (e.g., the detection model).
and storing the exploitation query as an exfiltration query when the exploitation result comprises protected data accessed with the data identifier (Fu, ¶272, ¶107).
Claim Rejections - 35 USC § 103
7. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 5 and 15 are rejected under 35 U.S.C. §103 as being unpatentable over Fu in view of Shi et al. (CN Publication No. CN 117371041), hereinafter Shi.
Regarding claim 5:
Fu does not explicitly suggest; however, in a same field of endeavor Shi discloses this limitation below:
further comprising: generating the exploration query by: identifying a set of symbols from a query grammar (Shi, page 13, para.2), wherein each symbol of the set of symbols may be one of added to or removed from the first query without violating the query grammar, selecting a symbol from the set of symbols, and updating the first query with the symbol to form the exploration query; (Shi, page 2, para.2-3, page 5, last paragraph).
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to include the method of determining injection attack of Fu with the analyzing query to identify normal or abnormal disclosed in Shi to prevent attack and secure the device, stated by Shi at page 30, para.1.
Regarding claim 15:
Fu does not explicitly suggest; however, in a same field of endeavor Shi discloses this limitation below:
wherein the application further performs: generating the exploration query by: identifying a set of symbols from a query grammar, wherein each symbol of the set of symbols may be one of added to or removed from the first query without violating the query grammar, selecting a symbol from the set of symbols, and updating the first query with the symbol to form the exploration query (Shi, page 30, para.1, page 13, para.2).
Same motivation for combining the respective features of Fu and Shi applies herein, as discussed in the rejection of claim 5.
Conclusion
8. The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure. Any inquiry concerning this communication or earlier communications from the examiner should be directed to Monjur Rahim whose telephone number is (571)270-3890.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on 571-272-4219. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (in USA or CANADA) or 571-272-1000.
/Monjur Rahim/
Patent Examiner
United States Patent and Trademark Office
Art Unit: 2436; Phone: 571.270.3890
E-mail: monjur.rahim@uspto.gov
Fax: 571.270.4890