DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
1. Claims 1 – 20 are currently pending in this application.
Claims 1 and 11 are amended as filed on 02/23/2026.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Murphey et al. (Pre-Grant Publication No. US 2019/0098032 A1), hereinafter Murphey, in view of Hebbagodi et al. (Pre-Grant Publication No. US 2023/0396641 A1), hereinafter Heb, in view of Whalen et al. (Pre-Grant Publication No. US 2024/0430276 A1), hereinafter Whelan, in view of Thomas et al. (Pre-Grant Publication No. US 2023/0114821 A1), hereinafter Thomas, and in further view of Drexl et al. (Patent No. US 11,948,163 B2), hereinafter Drexl.
2. With respect to claims 1 and 11, Murphy taught a method for adaptive threat detection in a computing system comprising a microprocessor, memory, and a plurality of endpoints (0181, where the processor and memory are given and where the plurality of endpoints can be seen in the ETDRs of 0003-0004), the method comprising: collecting events on the endpoints and sending the events to an event router (0105); processing the events on the event router under program control of the microprocessor in the form of a persistent event stream (0129, where the real-time nature implicitly teaches the persistent stream), scoring the events from the persistent event stream using at least a lookup tables (0243. See also the database table of 0072); processing events in a detection engine (0075), wherein the processing includes: detecting a first detection in the persistent event stream within a first time window (0139), correlating the registered first detection with other events in the persistent event stream within a second time window (0238-0239), and detecting a second detection of correlation with higher severity than the first detection (0238-0239); and registering a security incident when the second detection has a severity higher than a predefined threshold (0016 & figure 9B, where the registering of the incident is given).
However, Murphy did not explicitly state wherein the processing includes: normalizing the events and assigning topics to the events to prioritize event enrichment operations and subsequent detection engine operations based on event scores; enriching generic events at an event enrichment unit with event data correlated with the generic events using at least one of the lookup tables or a machine learning model, wherein the enriching is prioritized according to the event score and at least one related topic; processing enriched scored events in a detection engine. On the other hand, Heb did teach wherein the processing includes: normalizing the events and assigning topics to the events to prioritize event enrichment operations and subsequent detection engine operations based on event scores (0122-0127); enriching generic events at an event enrichment unit with event data correlated with the generic events using at least one of the lookup tables or a machine learning model, wherein the enriching is prioritized according to the event score and at least one related topic (0061-0062); processing enriched scored events in a detection engine (0064). Both of the systems of Murphy and Heb are directed towards managing security threats and therefore, it would have been obvious to a person having ordinary skill in the art, at the time of the effective filing of the invention, to modify the teachings of Murphy, to utilize the specifically listed normalization and enrichment operations, as taught by Heb, in order to efficiently detect security threats.
However, the combination of Murphy and Heb did not explicitly state wherein the machine learning model utilized a serialized machine learning model or a baselining machine learning model [claim 11: both models required; wherein the baselining machine learning model, the serialized machine learning model, the lookup table, and the machine learning-based detection engine use the exact event data in exact event format. On the other hand, Whalen did teach wherein the machine learning model utilized a serialized machine learning model or a baselining machine learning model [claim 11: both models required] (0037, where the decision tree is a serialized machine learning model and K-means clustering is a baselining machine learning model); wherein the baselining machine learning model, the serialized machine learning model, the lookup table, and the machine learning-based detection engine use the exact event data in exact event format (0037, where the exact event data in exact event format is not a standardized term and generally refers to discrete, timestamped data and was thus, previously shown by Murphey: 0071). Both of the systems of Murphy and Whelan are directed towards managing security threats and therefore, it would have been obvious to a person having ordinary skill in the art, at the time of the effective filing of the invention, to modify the teachings of Murphy, to utilize the specifically listed machine learning models, as taught by Heb, in order to utilize efficient models that were contemporary to the time of the invention.
However, Murphy did not explicitly state the use of persistent event streams and that that exact data format was a standardized format; wherein normalizing the events further comprises converting the events into a standardized event format; wherein each event is scored to indicate a likelihood that the event represents a security threat; wherein the enriching includes incorporating at least one additional context for a given generic event; wherein the enriching is prioritized according to at least one topic of the generic event to create enriched scored events; publishing, by the event enrichment unit, the enriched scored events to the persistent event stream by joining standardized event data with the at least one additional context, wherein the persistent event stream is at least partially organized by topics; detecting a first detection in the persistent event stream within a short-term time window, the first detection comprising an immediate potential threat, tagging the first detection with a temporal marker for association in an event correlation lifetime, retrieving other events in the persistent event stream, correlating the registered first detection with the other events in the persistent event stream within a long-term time window according to the event correlation lifetime, wherein the registered first detection has a relationship to the other events by at least one of the standardized event data or the at least one additional context, and detecting a second detection using the correlating, wherein the second detection comprises a more complex potential threat with higher severity than the first detection.
On the other hand, Thomas did teach the use of persistent event streams (0289) and that that exact data format was a standardized format (0270); wherein normalizing the events further comprises converting the events into a standardized event format (0270); wherein each event is scored to indicate a likelihood that the event represents a security threat (0265); wherein the enriching includes incorporating at least one additional context for a given generic event (0266); wherein the enriching is prioritized according to at least one topic of the generic event to create enriched scored events (0273); publishing, by the event enrichment unit, the enriched scored events to the persistent event stream by joining standardized event data with the at least one additional context, wherein the persistent event stream is at least partially organized by topics (0276-0277. See also, 0357); detecting a first detection in the persistent event stream within a short-term time window, the first detection comprising an immediate potential threat, tagging the first detection with a temporal marker for association in an event correlation lifetime, retrieving other events in the persistent event stream, correlating the registered first detection with the other events in the persistent event stream within a long-term time window according to the event correlation lifetime (0175, where the time window would include both short term and long term events based on the persistent stream under broadest reasonable interpretation), wherein the registered first detection has a relationship to the other events by at least one of the standardized event data or the at least one additional context, and detecting a second detection using the correlating, wherein the second detection comprises a more complex potential threat with higher severity than the first detection (0175, where, at least, the correlated malware event is the second event). Both of the systems of Murphy and Thomas are directed towards systems for detecting security threats and therefore, it would have been obvious to a person having ordinary skill in the art, at the time of the effective filing of the invention, to modify the teachings of Murphy to utilize specific event streaming and enrichment, as taught by Thomas, in order to more efficiently detect security threats.
However, Murphy did not explicitly state wherein a first event having an event score higher than a second event is processed before the second event, and the publishing being such that at least one event when at least partially organized by topics is in a different order than as originally added to the persistent event stream by the grouping of the at least one event with one or more events having the same specific key corresponding to the organization by topic. On the other hand, Drexl did teach wherein a first event having an event score higher than a second event is processed before the second event (38:1-13), and the publishing being such that at least one event when at least partially organized by topics is in a different order than as originally added to the persistent event stream by the grouping of the at least one event with one or more events having the same specific key corresponding to the organization by topic (38:47-58). Both of the systems of Murphey and Drexl are directed towards systems for detecting managing event streams and therefore, it would have been obvious to a person having ordinary skill in the art, at the time of the effective filing of the invention, to modify the teachings of Murphy to utilize specific event stream prioritization, as taught by Drexl, in order to more efficiently organizing event data for management/monitoring.
3. As for claims 2 and 12, they are rejected on the same basis as claims 1 and 11 (respectively). In addition, Murphy taught wherein the events collected on endpoints include process start, file access, network connections, and registry changes (0103 & 0095).
4. As for claims 3 and 13, they are rejected on the same basis as claims 1 and 11 (respectively). In addition, Murphy taught wherein the topics assigned to events include event attribute source, type, score or severity (0233, where this, at least, teaches the severity limitation).
5. As for claims 4 and 14, they are rejected on the same basis as claims 1 and 11 (respectively). In addition, Murphy taught wherein the lookup tables used for scoring are generated based on historical event data stored in an event database configured to collect all events processed in the persistent event stream (0071-0072, the stored events in the database table).
6. As for claims 5 and 15, they are rejected on the same basis as claims 1 and 11 (respectively). In addition, Whelan taught wherein the baselining machine learning model is trained using historical event data to recognize normal behavior patterns and detect deviations (0037, where the K-means clustering and the apriori algorithms both use historical data as their input data sets and the detected normal behavior patterns is implicitly taught by a system that is looking for security threats, which are abnormal behavior patterns).
7. As for claims 6 and 16, they are rejected on the same basis as claims 1 and 11 (respectively). In addition, Heb taught wherein the event enrichment unit uses additional data sources including third-party threat intelligence feeds, system logs, network traffic data, and user behavior analytics for event enrichment (0107 & 0096: third-party sources and network traffic data, 0021: logs, 0070: behavior).
8. As for claims 7 and 17, they are rejected on the same basis as claims 1 and 11 (respectively). In addition, Murphy taught wherein the first detection is registered based on predefined security rules applied to the enriched scored events (figure 9B, where the security rules are, at least, taught by the registered urgency).
9. As for claims 8 and 18, they are rejected on the same basis as claims 1 and 11 (respectively). In addition, Murphy taught wherein the second time window for correlating events is dynamically adjusted based on the severity of the first engine detection (0184, where the urgency is based on threat detection algorithms. See also, the proactive severity monitoring tree of 0190 or 0233).
10. As for claims 9 and 19, they are rejected on the same basis as claims 1 and 11 (respectively). In addition, Murphy taught wherein the second detection of higher severity is based on the aggregation of multiple correlated events and correlated events scores (0229).
11. As for claims 10 and 20, they are rejected on the same basis as claims 1 and 11 (respectively). In addition, Heb taught wherein the event enrichment unit prioritizes the enrichment of events based on event scores and related event topics (0061-0062).
Response to Arguments
Applicant’s arguments with respect to the claim(s) have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
(a) Martin et al. (Patent No. US 12,335,348 B1), 65:12-30, 93:54-67.
(b) Brooks et al. (Patent No. US 10,109,021 B2), 1:51-67.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JOSEPH L GREENE whose telephone number is (571)270-3730. The examiner can normally be reached Monday - Thursday, 10:00am - 4:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Nicholas R. Taylor can be reached at 571 272-3889. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/JOSEPH L GREENE/Primary Examiner, Art Unit 2443