DETAILED ACTION
The present application is being examined under the pre-AIA first to invent provisions.
Information Disclosure Statement
The information disclosure statement filed 30 May 2025 fails to comply with 37 CFR 1.98(a)(2), which requires a legible copy of each cited foreign patent document; each non-patent literature publication or that portion which caused it to be listed; and all other information or that portion which caused it to be listed. In particular, although Applicant has provided copies of the non-patent documents with cite nos. 13, 15, and 16, the copies are not clearly legible because each page includes what appears to be a pop-up ad from the webpages from which the documents were retrieved, where the ads block large portions of the text. The IDS has been placed in the application file, and the information referred to therein has been considered with the exception of the references noted above.
Specification
The lengthy specification has not been checked to the extent necessary to determine the presence of all possible minor errors. Applicant’s cooperation is requested in correcting any errors of which applicant may become aware in the specification.
Claim Objections
Claims 1, 10, and 20 are objected to because of the following informalities:
In Claim 1, line 12, the abbreviation ML is used without being written out in full.
In Claim 10, line 14, the abbreviation ML is used without being written out in full.
In Claim 20, line 3, the abbreviation EDR is used without being written out in full. In line 11, the abbreviation ML is used without being written out in full.
Appropriate correction is required.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.
Claims 1-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claim 1 recites “based on environmental security ranking” in lines 2-3; however, there is no mention of any security ranking elsewhere in the claims or how the configuration would be based on such a ranking. The claim further recites “generic events” in line 8. It is not clear whether this is intended to refer to the same generic events recited in line 6 or to distinct events. The claim additionally recites “events-in-operations” in lines 11 and 28-29 and “events-in-operation” in line 12, which appears to inconsistent and unclear as to which is intended. The claim also recites “the event” in line 14, but it is not clear to which of the plural events this is intended to refer. The claim further recites “the score” in line 14, but it is not clear to which of the plural scores this is intended to refer. The claim additionally recites “the event enrichment operation” in line 26. There is insufficient antecedent basis for this limitation in the claim. The claim also recites “further correlation” in line 31. It is not clear what this is intended to be correlated with. The claim also recites “completing the configuration if the test is passed” in lines 32-33. However, the claim does not recite any operations to be performed if the test is not passed, which amounts to a gap in the claim or an omission of essential subject matter. The above ambiguities render the claim indefinite.
Claim 3 recites “adjusting the adaptive threat detection system configuration” in lines 1-2. It is not clear when this occurs relative to the steps of Claim 1. Claim 3 further recites “new endpoint device” in line 5. It appears that this is missing an article (e.g. “a” or “the”) or another descriptor.
Claim 4 recites “the adjusting the threat detection system configuration” in line 1. There is not clear antecedent basis for this limitation in the claims. Although Claim 3 recites such an adjustment, Claim 4 does not depend from Claim 3.
Claim 5 recites “the adjusting configuration of the event scoring unit” in line 1. There is not clear antecedent basis for this limitation in the claims. Although Claim 3 recites such an adjustment, Claim 5 does not depend from Claim 3. Claim 5 further recites “increasing scores of events with an additional value” in line 2. It is not clear whether the events have the additional value, or if the additional value is used to increase the score.
Claim 6 recites “the adjusting configuration of the detection engine” in line 1. There is not clear antecedent basis for this limitation in the claims. Although Claim 3 recites such an adjustment, Claim 6 does not depend from Claim 3.
Claim 7 recites “the baselining ML model retraining” in line 1 and “the detection engine configuration adjustment” in line 2. There is not clear antecedent basis for these limitations in the claims. Although Claim 3 recites such retraining and adjustment, Claim 7 does not depend from Claim 3.
Claim 9 recites “event-in-operation score” in line 4. It is not clear whether this is intended to refer to one or more of the previously recited scores.
Claim 10 recites “based on environmental security ranking” in lines 1-2; however, there is no mention of any security ranking elsewhere in the claims or how the configuration would be based on such a ranking. The claim additionally recites “the generic event” in line 5. It is not clear to which of the plural generic events this is intended to refer. The claim further recites “generic events” in line 10. It is not clear whether this is intended to refer to the same generic events recited in line 4 or to distinct events. The claim additionally recites “events-in-operations” in lines 13 and 33-34 and “events-in-operation” in line 14, which appears to inconsistent and unclear as to which is intended. The claim also recites “the event” in line 16, but it is not clear to which of the plural events this is intended to refer. The claim further recites “the score” in line 18, but it is not clear to which of the plural scores this is intended to refer. The claim additionally recites “event enrichment operation” in line 31. It is not clear whether this is intended to refer to a previous operation or a distinct operation. The claim further recites “detection engine verdict” in line 35; this appears to be missing an article (e.g. “the” or “a”) or other descriptor. The claim also recites “further correlation” in line 36. It is not clear what this is intended to be correlated with. The claim also recites “complete the configuration if the test is passed” in lines 39-40. However, the claim does not recite any operations to be performed if the test is not passed, which amounts to a gap in the claim or an omission of essential subject matter. The above ambiguities render the claim indefinite.
Claim 11 recites “path node” in line 1. This appears to be missing an article (e.g. “the” or “a”) or other descriptor.
Claim 12 recites “adjust the adaptive threat detection system configuration” in line 2. It is not clear when this occurs relative to the functions of Claim 1. Claim 12 further recites “new endpoint device” in line 5. It appears that this is missing an article (e.g. “a” or “the”) or another descriptor.
Claim 14 recites “the adjusting configuration of the event scoring unit configuration adjustment” in lines 1-2. This appears to be redundant and grammatically unclear. The claim further recites “increasing scores of events with an additional value” in line 2. It is not clear whether the events have the additional value, or if the additional value is used to increase the score.
Claim 15 recites “on updated event database” which appears to be missing an article or other descriptor or other critical language.
Claim 16 recites “the adjusting configuration of the detection engine configuration” in lines 1-2, which appears to be redundant and grammatically unclear.
Claim 19 recites “the event-in-operation score” in line 3. It is not clear to which of the plural scores this is intended to refer.
Claim 20 recites a series of steps in lines 3-30. However, there is no conjunction (e.g. “and” or “or”) recited in this list, and therefore, it is not clear whether all the steps are required or if they may be alternatives. The claim further recites “generic events” in line 7. It is not clear whether this is intended to refer to the same generic events recited in line 4 or to distinct events. The claim also recites “the event” in line 12, but it is not clear to which of the plural events this is intended to refer. The claim additionally recites “completing the configuration if the test is passed” in line 27. However, the claim does not recite any operations to be performed if the test is not passed, which amounts to a gap in the claim or an omission of essential subject matter. The above ambiguities render the claim indefinite.
Claims not explicitly referred to above are rejected due to their dependence on a rejected base claim.
Allowable Subject Matter
Claims 1-20 would be allowable if rewritten or amended to overcome the rejection(s) under 35 U.S.C. 112(b), set forth in this Office action.
The following is a statement of reasons for the indication of allowable subject matter: Although the prior art cited below generally discloses adaptive threat detection configuration, including the use of EDR agents, normalizing event data, enriching events, the use of machine learning models, and configuring detection rules, for example, the cited prior art, in combination, does not clearly teach or suggest the more detailed limitations of the claims.
It is noted that substantial amendments to the claims may require reconsideration of the indication of allowable subject matter.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Muddu et al, US Patent 9516053, discloses a system for anomaly and threat detection that can use machine learning models and pattern matching.
Graves et al, US Patent 12323449, discloses a method that includes code matching patterns using an AI model for detecting threats
Murphey et al, US Patent Application Publication 2019/0098032, discloses a system for enpoint threat detection and response.
Thomas et al, US Patent Application Publication 2023/0114821, discloses enriching events and normalizing event data.
Hebbagodi et al, US Patent Application Publication 2023/0396641, discloses enriching events and normalizing event data.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Zachary A Davis whose telephone number is (571)272-3870. The examiner can normally be reached Monday-Friday, 9:00am-5:30pm, Eastern Time.
Examiner interviews are available via telephone and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Rupal D Dharia can be reached at (571) 272-3880. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Zachary A. Davis/Primary Examiner, Art Unit 2492