Sensory and Response Machine Learning Modeling

Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . DETAILED ACTION Claims 1-20 are presented for examination. IDS filed on 9/5/25 is considered. Claim Rejections - 35 USC § 102 The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action: A person shall be entitled to a patent unless – (a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention. Claims 1-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Ahmed et al. US Patent Publication Number 2019/0297096, hereinafter Ahmed. Referring to claim 1, Ahmed discloses a system (systems 310, 1600)( abstract, [0022]) comprising: a processing system (processors 1610, [0126][0127]) ; and memory comprising computer executable instructions (memory 1620, [0128]) that, when executed, perform operations comprising: receiving, from a first computing environment (figure 3, sources 320, 328 and system 326), a payload ([0080], payloads of packets are accessed by the security system) at a sensory machine learning (ML) model (data collection 312)([0028], the security platform implements a unified data collection model that facilitates the introduction of additional data collection components (e.g., new sensors)) implemented in a service environment ([0047], security threat detection and mitigation platform 310 receives input data (e.g., sensor data from agents that is provided as streaming data, or other information) from any of a variety of sources;); generating, using the sensory ML model (data collection 312), an insight (feature of interest) for the payload based on data within the payload ([0031], figure 1, step 110, extracting/generating features of interest in classifying the behavior of computing resource instances from the received network traffic data; also see figure 3, data collection 312 collects inputs for analysis in 314); providing the insight to a response ML model (response layer 316) implemented in the service environment (platform 310)(figure 1, steps 110-140 [0033], figure 3, 312 to 316, traffic insight are collected and passed to data analysis layer and response layer for security threat determination); generating, using the response ML model (response layer 316), an egress determination for the payload based on data within the insight (figure 1, steps 140-150, malicious determination), wherein the egress determination indicates whether the payload is permitted to egress from the first computing environment to a second computing environment ([0033][0045], determination is made to whether block the traffic with pattern X or allow the traffic from the first computing environment to the second environment); and processing the payload based on the egress determination (figure 1, steps 150-170, figure 7, steps 725-760, determination on security threat is determined and processed.). Referring to claim 2, Ahmed discloses the system of claim 1, wherein the first computing environment and the second computing environment are part of a one-way transfer system (see figure 3, data are collected and transferred uni-directionally/one-way from the sources to the response mitigation flows, so the computing environments in the system is viewed as part of this one-way transfer system). Referring to claim 3, Ahmed discloses the system of claim 1, wherein the sensory ML model is trained outside of the service environment (the sensory model includes data 312 and the sensors that are situated in a system outside of platform 310, see [0028], the security platform may implement a unified data collection model that facilitates the introduction of additional data collection components (e.g., new sensors) and [0047], security threat detection and mitigation platform 310 may receive input data (e.g., sensor data from agents that is provided as streaming data, or other information); the collection/model system could be trained outside of the service environment as the collecting units such as sensors/agents are situated outside of the environment) and the response ML model is trained inside of the service environment ([0032], step 120, training a machine learning engine (e.g., a machine model) to classify the behavior of computing resource instances based on the features off interest in the network traffic data, is showing how the response model is trained to make threat determination and response to the determination made). Referring to claim 4, Ahmed discloses the system of claim 1, wherein the sensory ML model (data collection 312) and the response ML model (response layer 316) are implemented in a security abstraction engine (security threat detection and mitigation platform 310) comprising an application programming interface (API) (API 1402) for interfacing with at least one of the sensory ML model or the response ML model ([0080][0112], figure 14, APIs 1402 are used for interfacing services in the network). Referring to claim 5, Ahmed discloses the system of claim 1, the operations further comprising: prior to receiving the payload at the sensory ML model, generating a preprocessed payload by preprocessing the payload in the service environment ([0050], pre-processes the data to refine, shape, and curate it for the use of the analysis layer for further analysis), wherein preprocessing the payload identifies at least one of: a number of files in the payload; a file type of at least one file in the payload; or a topic related to data in the payload ([0050], Other types of data (e.g., data that is not very high volume nor rapidly changing, such as the IP/DNS reputation of an instance); [0057], figure 5, preprocessors 542. The cited passage shows the pre-process is able to determine type of data/file in the payload). Referring to claim 6, Ahmed discloses the system of claim 5, wherein: the sensory ML model is a first sensory ML model; and the operations further comprise: providing a first portion of the preprocessed payload to the first sensory ML model; and providing a second portion of the preprocessed payload to a second sensory ML model implemented in the service environment ([0057][0058], pre-processor fleet 540 comprises multiple pre-processors to handle multiple outputs 528 from logging data store 510). Referring to claim 7, Ahmed discloses the system of claim 1, wherein the insight includes a likelihood that the payload comprises at least one of: data relating to an object class identified in the payload; or files of a file type identified in the payload ([0023], The security platform detects security threats of different type (or to detect similar types of security threats using different approaches). Referring to claim 8, Ahmed discloses the system of claim 1, wherein the service environment is implemented at least partly within the first computing environment (figure 3, [0046], the data collection 312 is implemented along with the source agents/sensors in the first computing environment in order to collect data from the sensors). Referring to claim 9, Ahmed discloses the system of claim 1, wherein the insight includes an anomalous activity corresponding to at least one of user behavior or network behavior associated with the payload ([0027], the security platform may enable services and/or modules built on the platform to detect anomalous and/or malicious activities). Referring to claim 10, Ahmed discloses the system of claim 1, wherein generating the egress determination for the payload comprises using, by the response ML model, rules or policies specific to a particular user or a particular entity to evaluate the insight ([0026], classify the behavior of computing resources instances using simple rules and heuristics that are applied against telemetry collected from other services; [0036], an inference engine applies rules that are generated and/or updated using machine learning techniques. Referring to claim 11, Ahmed discloses the system of claim 10, wherein the rules or policies govern egress of data from the first computing environment and at least one of: ingress of data to the first computing environment; or usage of data within the first computing environment ([0036][0045], figure 2, steps 220-240, rules are applied to enforce mitigation action including throttle traffic which corresponds to ingress of data to the first computing environment) . Referring to claim 12, Ahmed discloses the system of claim 1, wherein processing the payload comprises: providing the egress determination to a determination enforcement component implemented in the service environment ([0060], figure 5, determination made at 552 is passed to response layer 570); and enforcing, by the determination enforcement component, the egress determination on the payload ([0060][0033], performing action based on the determination made). Referring to claim 13, Ahmed discloses the system of claim 12, wherein enforcing the egress determination comprises: transmitting the payload to the second computing environment; or applying an indication associated with the egress determination to the payload ([0033][0045], traffic is not blocked if determination is made with no threat deteceted). Referring to claim 14, Ahmed discloses the system of claim 12, wherein enforcing the egress determination comprises causing performance of a security action corresponding to: quarantining the payload; deleting the payload; or notifying a responsible party of the egress determination for the payload ([0045], notifying customer). Referring to claims 15-20, the claims encompass the same scope of the invention as that of the claims 1-14. Therefore, claims 15-20 are rejected on the same ground as the claims 1-14. Furthermore, for claim 17, Ahmed discloses the first and second computing environment being trusted and untrusted ([0050), traffics with trusted entities communicating to each are not fed to the analysis. The passage shows the all other combination including at least one untrusted entity would be fed into the system which including the claimed combination of wherein the first computing environment is a trusted environment and the second computing environment is an untrusted environment). For the claim 19, Ahmed discloses the instance could be shut down or the traffic can be throttled/blocked ([0045]) which corresponds to the claimed “preventing the payload from egressing from the computing environment; and preventing subsequent data flows of a user or a device that caused a data flow associated with the payload”. For claim 20, Ahmed discloses in claim 1 and claim 7 that the extracted interest/insight will include object class to allow the system to determine the type of the traffic, and Ahmed in [0036][0045], figure 2, steps 220-240, discloses mitigation action including throttle traffic which corresponds to disallowing the payload to egress from the computing environment based on the determination. Conclusion The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Applicant is reminded that in amending in response to a rejection of claims, the patentable novelty must be clearly shown in view of the state of the art disclosed by the references cited and the objection made. Applicant must show how the amendments avoid such references and objections. See 37 CFR 1.111(c). Any inquiry concerning this communication or earlier communications from the examiner should be directed to LIANGCHE A WANG whose telephone number is (571)272-3992. The examiner can normally be reached M-F 10:00am to 6:30pm. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joon H Hwang can be reached on 571-272-4036. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. Liang-che Alex Wang January 22, 2026 /LIANG CHE A WANG/Primary Examiner, Art Unit 2447