Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claims 1-9, 12-20 are pending, Claims 10 and 11 have been canceled and claims 1, 12 and 20 have been amended.
Response to Arguments
Applicant's amendments/arguments filed on 02-05-2026 have been fully considered.
With respect to the rejection of claims under 35 U.S.C. § 101 for being directed to an abstract idea, Applicant asserts “claim 1 cannot be considered an abstract idea, at least because the claim recites ‘sending control signals over the network to [another] system.’ [T]his is not an operation that can be performed in the mind and/or performed by a human, as the Office suggests with respect to the prior claims, since the above-quoted claim language recites specific interactions between computing systems over a network”. Examiner respectfully disagrees.
The added limitation of “wherein taking action includes sending control signals over the network to a remediation system instructing the remediation system to modify configurations of the network to mitigate the security threat” does not overcome the rejection of the claims as being directed to an abstract idea. The limitation could be performed in the human mind or by a human. For example, a human network administrator could receive information regarding a threat activity, contact a security team (i.e., by phone, email, or messaging system) about the threat activity, and instruct them to update the network configuration to resolve the issue. The amended limitation does not improve computer or network functionality, nor does it integrate the abstract idea into a practical application.
Applicant's arguments with respect to the rejection of claims under 35 U.S.C. 103 have been fully considered but are moot in view of the new ground(s) of rejection.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1-9 and 12-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.
The claims, when analyzed under the 2019 Revised Patent Subject Matter Eligibility Guidance, are directed to an abstract idea. Claim 1, for example, recites a method and, therefore, is a process. The claim recites the limitations of: “obtaining, by a computing system, historical network activity data …; determining, by the computing system and based on the historical network activity, a baseline of network activity…; collecting, by the computing system, a set of network activity data; applying, by the computing system, an unsupervised algorithm to identify the set of network activity data as anomalous relative to the baseline of network activity; classifying, by the computing system, the network activity data into an identified threat category from among a plurality of threat categories; and taking action, by the computing system and based on the identified threat category, wherein taking an action includes sending control signals over the network…”. These limitations, under the broadest reasonable interpretation, are directed to performance of the limitation in a human mind. That is, nothing in the claim element precludes the step from practically being performed in the mind. For example, the claim encompasses a human simply obtaining historical network activity on a piece of paper, determining a baseline based on the historical network activity written on the piece of paper, collecting a set of network activity written on another piece of paper, identifying the set of network activity data as anomalous if it deviates from the baseline of network activity (relative to the baseline network activity), and taking action based on the identified threat category to mitigate a security threat by contacting a security team (i.e., by phone, email, or messaging system) about the threat or malicious activity and instructing them to update the network configuration to resolve the issue. Thus, the claim recites a mental process when analyzed under step 2A prong 1.
The claim is further analyzed in step 2A prong 2 to evaluate whether the claim as a whole integrates the recited judicial exception into a practical application of the exception. This evaluation is performed by identifying whether there are any additional elements recited in the claim beyond the judicial exception, and evaluating those additional elements individually and in combination to determine whether the claim as a whole integrates the exception into a practical application. However, each of the remaining limitations (“computing system”) appears to be a generic computer function which does not constitute a meaningful limitation that would amount to significantly more than the abstract idea. The combination of these additional elements is no more than generic computer functions. Thus, even in combination, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limitations on practicing the abstract idea.
The claim is additionally analyzed under Step 2B to evaluate whether the claim as a whole amounts to significantly more than the recited exception, i.e., whether any additional element, or combination of additional elements, adds an inventive concept to the claim. When the claims are evaluated under step 2B, they amount to no more than what is well-understood, routine, conventional activity in the field. The specification does not provide any indication of anything other than generic computer components. The mere “obtaining,…historical network activity data…determining…, a baseline of network activity; collecting… a set of network activity data… to identify the set of network activity data as anomalous…classifying, by the computing system, the network activity data into an identified threat category…” is a well-understood, routine and conventional function when it is claimed in a merely generic manner as it is here.
Independent claims 12 and 20 include limitations similar to the limitations of claim 1 and are rejected under 35 U.S.C. 101 as being directed to an abstract idea for the same reasons discussed above with respect to claim 1.
Dependent claims 2-11 and 13-19 do not cure the deficiency of the independent claims and are directed to an abstract idea when analyzed under the 2019 Revised Patent Subject Matter Eligibility Guidance.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1, 2, 6, 8, 9, 12, 13, 17, 19 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Wolff et al. (US Patent/Publication No. 2020/0259852), hereinafter Wolff, in view of Le et al. (US Publication No. 2017/0148025), hereinafter Le, in view of Kumar et al. (US Publication No. 2024/0356945), hereinafter Kumar.
As per claims 1, 12 and 20, Wolff discloses a method comprising: obtaining, by a computing system, historical network activity data that includes information about authentication traffic within a network; determining, by the computing system and based on the historical network activity, a baseline of network activity (paragraphs [0013], [0028], [0043], [0049], “the characterization of the entities and events is based on the common entity terms, constructing, for at least one of the entities, a baseline activity profile”), wherein determining the baseline of network activity further includes taking into account contextual information accessed from a context data store (paragraph [0021], “the security monitoring and control system analyzes information about user activity in one or more of the cloud services (and, in some cases, on premises applications as well) using machine learning and other algorithms to consolidate and normalize data to ensure activities are associated with the proper entity-whether that be a user, a file, an application, an organization, a role, or other item being tracked and measured”); collecting, by the computing system, a set of network activity data (paragraph [0059], “activity data and/or state data are received”); applying, by the computing system, an [unsupervised] algorithm to identify the set of network activity data as anomalous relative to the baseline of network activity (paragraph [0049], “unsupervised models can be constructed that identify anomalous reconnaissance related activity”; paragraph [0059], “based on the activity data and/or the state data, one or more predictive models are generated (step 404) and configured to detect deviations from normal user behavior (and/or deviations from normal user conditions or privileges) across the application platforms. The activity data and/or the state data for at least one of the users is provided (step 406) as input to the one or more predictive models. An indication that an activity of the at least one of the users deviates from the normal user behavior is received (step 408) as output from the one or more predictive models”); classifying, by the computing system, the network activity data into an identified threat category [from among a plurality of threat categories] (paragraph [0049], “The output models trained on this data can be designed to classify a collection of activity for a given user as either internal reconnaissance or not, along with a measure of confidence that the activity is associated with the correct classification”); and taking action, by the computing system and based on the identified threat category, to mitigate a security threat posed by the network activity data (paragraph [0059], “A remedial or corrective action is taken or facilitated (step 410) to address the indicated deviation”).
While Wolff discloses that determining the baseline of network activity includes taking into account contextual information, and the contextual information includes, for example, information about user activity as discussed previously, Wolff does not explicitly disclose that the contextual information includes information about business practices of the organization. However, firstly, it is noted that the type of information used in determining a baseline does not technically affect the determination of baseline network activity. One of ordinary skill in the art recognizes that baseline determination techniques are generally applicable regardless of the specific type of activity being analyzed. The process for determining a baseline of network activity based on information about, for example, a user, as disclosed by Wolff, could have been similarly applied to any other type of information (i.e., business practices of the organization) without exercising inventive techniques.
Additionally, in an analogous art, Le discloses wherein determining the baseline of network activity further includes taking into account contextual information accessed from a context data store (claim 4, “extracting…second transaction from a transaction database…”), and wherein the contextual information includes information about business practices of the organization (paragraph [0038], “baseline time window include transactions (business practices of the organization) that have occurred within those windows”, where a transaction includes characteristics or attributes; paragraph [0039], “baseline window 248 is an earlier time period in which the same risk metrics are calculated based upon transactions occurring within that window 248”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Wolff with Le. This would have been obvious because one of ordinary skill in the art would have been motivated to identify anomalies in a group of transaction data.
Wolff in view of Le does not explicitly disclose applying an unsupervised algorithm, classifying the network activity data into an identified threat category from among a plurality of threat categories, wherein taking action includes sending control signals over the network to a remediation system instructing the remediation system to modify configurations of the network to mitigate the security threat.
However, in an analogous art, Kumar discloses applying an unsupervised algorithm trained according to a normal access pattern to detect anomalies associated with users accessing the network (paragraphs [0058] and [0059]); classifying the network activity data into an identified threat category from among a plurality of threat categories (paragraph [0052], critical and non-critical); and taking action including sending control signals over the network to a remediation system instructing the remediation system to modify configurations of the network to mitigate the security threat (paragraph [0009], “the server is further caused to receive feedback from the SOC specific to the detected anomaly, and modify at least one of the one or more defined rules”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Wolff and Le with Kumar. This would have been obvious because one of ordinary skill in the art would have been motivated to do so in order to achieve the predictable result of identifying outliers and unusual, hidden data patterns.
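As an added illustration (not code from the application or from Wolff, Le or Kumar), the following Python walks the claim 1 sequence quoted in the § 101 analysis and mapped to the references above: a baseline built from constructed historical authentication records together with business-hours context, an unsupervised z-score check against that baseline, subject-matter-expert rules that classify into threat categories, and a control message for a remediation system. All data, user names, rule names, categories and the z-score threshold are constructed assumptions.

```python
"""Constructed walk-through of the claim 1 pipeline: baseline -> unsupervised scoring
-> expert-rule classification -> control message for a remediation system."""
import json
import statistics
from collections import defaultdict

# Constructed historical records: (user, hour_of_day, failed_logins, distinct_source_ips),
# one per user per observed hour. Illustrative values, not data from any cited reference.
HISTORICAL = [
    ("alice", 9, 0, 1), ("alice", 10, 1, 1), ("alice", 11, 0, 1), ("alice", 14, 1, 1),
    ("alice", 15, 0, 1), ("alice", 16, 1, 1), ("alice", 9, 1, 1), ("alice", 13, 0, 1),
    ("bob", 8, 2, 1), ("bob", 9, 1, 1), ("bob", 10, 2, 1), ("bob", 11, 1, 1),
    ("bob", 12, 3, 1), ("bob", 13, 2, 1), ("bob", 14, 1, 1), ("bob", 16, 2, 1),
]

# Constructed context store for the claim's "business practices": expected login hours per role.
CONTEXT = {"alice": {"role": "finance", "hours": range(8, 18)},
           "bob": {"role": "helpdesk", "hours": range(7, 19)}}

# Constructed subject-matter-expert rules (the claim 2 limitation), applied in order.
RULES = [
    ("password_spray", lambda f: f["failed_z"] > 3 and f["distinct_sources"] >= 10),
    ("brute_force", lambda f: f["failed_z"] > 3 and f["distinct_sources"] < 10),
    ("off_hours_access", lambda f: f["failed_z"] <= 3 and not f["in_business_hours"]
                                   and f["distinct_sources"] == 1),
]

# Constructed recent observations to run through the pipeline.
RECENT = [("alice", 10, 1, 1), ("alice", 3, 0, 1), ("bob", 12, 30, 25),
          ("bob", 14, 9, 1), ("alice", 2, 1, 4)]

def build_baseline(events):
    """Per-user mean and standard deviation of failed logins per hour (the baseline)."""
    per_user = defaultdict(list)
    for user, _hour, failed, _sources in events:
        per_user[user].append(failed)
    baseline = {}
    for user, counts in per_user.items():
        # Floor the spread so a perfectly regular user cannot cause a divide-by-zero.
        spread = max(statistics.pstdev(counts), 0.5)
        baseline[user] = {"mean": statistics.mean(counts), "stdev": spread}
    return baseline

def score(event, baseline, context):
    """Unsupervised step: z-score of failures against the user's own baseline, plus context."""
    user, hour, failed, sources = event
    b = baseline[user]
    return {"user": user, "hour": hour, "failed": failed, "distinct_sources": sources,
            "failed_z": (failed - b["mean"]) / b["stdev"],
            "in_business_hours": hour in context[user]["hours"]}

def is_anomalous(features, z_threshold=3.0):
    """Anomalous relative to baseline: excess failures, or activity outside business practice."""
    return features["failed_z"] > z_threshold or not features["in_business_hours"]

def classify(features, rules=RULES):
    """Apply the expert rules in order; None means no category matched (the claim 3 case)."""
    for category, predicate in rules:
        if predicate(features):
            return category
    return None

def remediation_message(features, category):
    """Control message the computing system would send to the remediation system."""
    actions = {"password_spray": {"action": "rate_limit_auth", "scope": "tenant"},
               "brute_force": {"action": "lock_account", "user": features["user"]},
               "off_hours_access": {"action": "require_mfa", "user": features["user"]}}
    # An anomaly that fits no category still triggers a conservative action (claim 3).
    body = actions.get(category, {"action": "quarantine_session", "user": features["user"]})
    return json.dumps({"threat_category": category or "unclassified", **body}, sort_keys=True)

def run_pipeline(historical, recent, context):
    """Return (user, category, control_message) for every anomalous recent record."""
    baseline = build_baseline(historical)
    results = []
    for event in recent:
        features = score(event, baseline, context)
        if is_anomalous(features):
            category = classify(features)
            results.append((event[0], category, remediation_message(features, category)))
    return results
```

Running `run_pipeline(HISTORICAL, RECENT, CONTEXT)` flags four of the five constructed records, three of which the rules place in a category and one of which falls through to the unclassified action.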
As per claims 2 and 13, Wolff furthermore discloses wherein classifying the network activity data into the identified threat category includes: enabling a subject matter expert to create rules for each of the plurality of threat categories; and applying the rules to classify the network activity data into the identified threat category (paragraph [0040], “..allow a data or security analyst to query, visualize, and or explore the output of the data transformation steps…A domain expert rule engine 224 can include or utilize a series of processes that allow domain experts to create expert rules and heuristics against the underlying data. A model/rule deployment component 226 can be responsible for execution of the expert rules against the underlying data…”).
As per claims 6 and 17, Kumar furthermore discloses wherein the unsupervised algorithm is an unsupervised machine learning model, and wherein the method further comprises: training, by the computing system, the unsupervised machine learning model using the historical network activity data (paragraph [0058], unsupervised model trained based on feedback). The motivation is similar to the motivation provided in claim .
As per claims 8 and 19, Wolff furthermore discloses wherein determining the baseline of network activity includes: identifying normal logon behavior of each of a plurality of network users; and identifying normal logon behavior of each of a plurality of types of network users (paragraph [0043], “track a user’s normal behavior to create a baseline activity profile”; paragraph [0009], the deviation from the normal number of login attempts (normal logon behavior), and users having roles (types of network users)).
As per claim 9, Wolff furthermore discloses wherein determining the baseline of network activity further includes: identifying attributes of login behavior of each of the plurality of network users relative to other users (paragraph [0040], “list of email account or addresses or other user identification elements…”; paragraph [0045], “additional platform attributes” such as roles, organizational entity, functional entity and activities).
Claims 3, 4, 14 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Wolff in view of Le and Kumar, further in view of Cai et al. (US Publication No. 2022/0067146), hereinafter Cai.
As per claims 3 and 14, Wolff as modified discloses wherein the set of network activity data is a first set of network activity data, and wherein the method further comprises: collecting, by the computing system, a second set of network activity data; and applying, by the computing system, the unsupervised algorithm to identify the second set of network activity data as anomalous relative to the baseline of network activity (Kumar, paragraph [0085], at step 402 receiving one or more data sets and applying multiple unsupervised ML models for detecting an anomaly; the method then returns to operation 402 to repeat the same process of obtaining one or more data sets and detecting an anomaly. It is noted that returning to step 402 to obtain one or more data sets and applying the unsupervised algorithm to detect an anomaly is equivalent to the claimed collecting a second set of network activity data and identifying the second set of network activity data as malicious). The motivation is similar to the motivation provided in claim 1.
Wolff as modified does not explicitly disclose determining, by the computing system, that the second set of network activity data is not classifiable into any of the plurality of threat categories; and taking action, by the computing system and based on identifying the second set of recent network activity data as anomalous, to mitigate a security threat posed by the second set of network activity data.
However, in an analogous art, Cai discloses determining, by the computing system, that the second set of network activity data is not classifiable into any of the plurality of threat categories; and taking action, by the computing system and based on identifying the second set of recent network activity data as anomalous, to mitigate a security threat posed by the second set of network activity data (paragraph [0060], “when the machine learning model is unable to classify the file as benign or malware with a sufficient level of confidence, then the machine learning model classifies the file as unknown and the file is forwarded to the sandbox for further processing”; paragraph [0076], where the file is further analyzed and classified as malware).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the modified Wolff with Cai. This would have been obvious because one of ordinary skill in the art would have been motivated to do so in order to achieve the predictable result of identifying newly generated unknown malware.
As per claims 4 and 15, Cai furthermore discloses wherein determining that the second set of network activity data is not classifiable into any of the plurality of threat categories includes: applying the rules to the second set of network activity data; and determining that applying the rules does not classify the second set of network activity data into any of the plurality of threat categories (paragraphs [0058]-[0060], the machine learning model is applied to the file, and the machine learning model is unable to classify the file). The motivation is similar to the motivation provided in claim 3.
Claims 5 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Wolff in view of Le and Kumar, further in view of Grout et al. (US Publication No. 2024/0275817), hereinafter Grout.
As per claims 5 and 16, Wolff as modified does not explicitly disclose, but in an analogous art Grout discloses, wherein enabling the subject matter expert to create rules includes: receiving an indication of input from a subject matter expert computing system operated by the subject matter expert; and creating, based on the indication of input, tagging rules for each of the plurality of threat categories (paragraph [0053], “the module 402 is configured to expose to a user (e.g., via an interactive display interface) the auto-generated tags for a given rule. Using this interface, the user can enter information, e.g., to review, accept, decline or update the auto-generated tag set. The interface may also be configured to enable the user to add their own tags from a pre-configured or defined list”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the modified Wolff with Grout. This would have been obvious because one of ordinary skill in the art would have been motivated to do so in order to categorize the rules for searching and detecting anomalies.
Claims 7 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Wolff in view of Le and Kumar, further in view of Ranjan et al. (US Patent No. 8,762,298), hereinafter Ranjan.
As per claims 7 and 18, Wolff furthermore discloses wherein classifying the network activity data into the identified threat category includes: training a supervised machine learning model to classify network activity data into at least one of the plurality of threat categories; and applying the supervised machine learning model to the network activity data to classify the network activity data into the identified threat category (paragraph [0049], “supervised classification models can be constructed that identify users who are engaging in or have potential to engage in internal reconnaissance. In some examples, the following features can be provided as input into models related to the classification of internal reconnaissance activity... The output models trained on this data can be designed to classify a collection of activity for a given user as either internal reconnaissance or not”).
Wolff as modified does not explicitly disclose, but in an analogous art Ranjan discloses, labeling at least one of the historical network activity data with one or more of the plurality of threat categories (column 9, lines 36-40, “generate a label for a data unit in the historical network data (130) specifying the data unit as either malicious or legitimate (i.e., not malicious)”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the modified Wolff with Ranjan. This would have been obvious because one of ordinary skill in the art would have been motivated to do so in order to achieve the predictable result of detecting malicious activities based on labeled historical data.
References Cited, Not Used
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Wang et al. (US Publication No. 2024/0348632) discloses systems and methods for automated anomaly detection. The system receives various types of unlabeled data and determines, through an unsupervised machine learning model, a label for the data. The labels are provided to a supervised machine learning model during a first training process. The system also performs unsupervised labeling and supervised labeling of network flows to infer anomalous network traffic. When new data is received, the supervised machine learning model is executed during an inference process to cluster the new data in accordance with the labels that were determined by the unsupervised machine learning model.
Zaytsev et al. (US Publication No. 2024/0146747) discloses methods and systems for multi-cloud breach detection using ensemble classification and deep anomaly detection. According to an implementation, a security appliance may receive logged event data. The security appliance may determine, using a supervised machine learning (ML) model, a first anomaly score representing a first context. The security appliance may further determine, using a semi-supervised machine learning (ML) model, a second anomaly score representing a second context, and, using an unsupervised ML model, one or more third anomaly scores representing one or more third contexts. The security appliance may aggregate the first anomaly score, the second anomaly score and the one or more third anomaly scores using a classification module to produce a final anomaly score and a final context. The security appliance may determine that an anomaly exists and a type of attack based on the final anomaly score and the final context.
Ofek, David Mor (EP3547189 A1) discloses a system for mitigating code weaknesses in a target code by adding micro functionality fixes. The system comprises a mitigation module installed in a memory chip of a device and a server for identifying a plurality of code weaknesses in a target code installed in a memory chip of a device and sending configuration instructions to the mitigation module, the configuration instructions comprising: a plurality of micro functionality fixes, and a plurality of code weakness locations each associated with one of the plurality of code weaknesses and one of the plurality of micro functionality fixes. The execution of the mitigation module by at least one processor of the device induces an installment of the plurality of micro functionality fixes in the plurality of code weakness locations.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Ali Abyaneh whose telephone number is (571) 272-7961. The examiner can normally be reached Monday-Friday from 8:00-5:00. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Alexander Lagor, can be reached on (571) 270-5143. can be reached on (571) 272-4063. The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
/ALI S ABYANEH/Primary Examiner, Art Unit 2437