Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
DETAILED ACTION
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1-4, 6-16 and 18-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception (i.e. an abstract idea) without significantly more.
Claim Interpretation: Under the broadest reasonable interpretation, the terms of the claim are presumed to have their plain meaning consistent with the specification as it would be interpreted by one of ordinary skill in the art. See MPEP 2111.
Claim 1 is directed to a system for exfiltration analysis, the system comprising: a processor subsystem; and memory including instructions, which when executed by the processor subsystem, cause the processor subsystem to: receive a plurality of file identifiers of a corresponding plurality of files, the plurality of files related to exfiltration alerts; store information about the plurality of files in a forensic file data store, the forensic file data store used to provide contextual information for a large language model (LLM); receive an exfiltration query from a user of the system; and produce a generative output using the LLM based on the exfiltration query and the contextual information.
Broadly, the following elements can be interpreted as:
The forensic file data store is considered to be some data structure, database, storage, etc. storing any information related to files.
The exfiltration query is a query to be received by a large language model provided by a user of the system.
The Large Language Model (LLM) is a generic, generative AI Model trained for natural language processing tasks.
The Produce a Generative Output is considered to be the result provided by the LLM in response to the exfiltration query that is in human readable text such as a report, answer, summary, etc.
Step 1: This part of the eligibility analysis evaluates whether the claim falls within any statutory category. See MPEP 2106.03. The claims recite a system, method and machine readable medium. These are directed to a machine, series of steps or acts, and manufacture, and fall within one of the statutory categories of invention. (Step 1: YES).
Step 2A, Prong One: This part of the eligibility analysis evaluates whether the claim as a whole integrates the recited judicial exception into a practical application of the exception or whether the claim is “directed to” the judicial exception. This evaluation is performed by (1) identifying whether there are any additional elements recited in the claim beyond the judicial exception, and (2) evaluating those additional elements individually and in combination to determine whether the claim as a whole integrates the exception into a practical application. See MPEP 2106.04(d).
Claim 1 recites a system for exfiltration analysis, the system comprising:
a processor subsystem; and
memory including instructions, which when executed by the processor subsystem, cause the processor subsystem to:
receive a plurality of file identifiers of a corresponding plurality of files, the plurality of files related to exfiltration alerts;
store information about the plurality of files in a forensic file data store, the forensic file data store used to provide contextual information for a large language model (LLM);
receive an exfiltration query from a user of the system; and
produce a generative output using the LLM based on the exfiltration query and the contextual information.
These limitations (receiving, storing, receiving, producing...), as drafted, are processes that, under their broadest reasonable interpretation, cover performance of the limitations in the mind but for the recitation of generic computer components (processor, memory, forensic file data store, LLM). That is, other than reciting “processor, memory, forensic file data store, LLM”, nothing in the claim element precludes the step from practically being performed in the mind or performed between people. For example, but for the “processor, memory, forensic file data store, LLM” language, “receiving, storing, receiving, producing...” in the context of this claim encompasses a user, such as a security analyst, gathering information related to a received alert from a data loss prevention tool, such as the file, date/time of the alert, etc., storing this data mentally or in a file or spreadsheet (e.g. data store), receiving an inquiry from a supervisor, and providing a result based on the investigation, written or verbally. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components, then it falls within the “Mental Processes” grouping of abstract ideas. Accordingly, the claim recites an abstract idea. (Step 2A, Prong One: YES).
Step 2A, Prong Two: This part of the eligibility analysis evaluates whether the claim as a whole integrates the recited judicial exception into a practical application of the exception or whether the claim is “directed to” the judicial exception. This evaluation is performed by (1) identifying whether there are any additional elements recited in the claim beyond the judicial exception, and (2) evaluating those additional elements individually and in combination to determine whether the claim as a whole integrates the exception into a practical application. See MPEP 2106.04(d).
The limitations “receive, store, receive, produce” are mere data gathering and post-solution activity recited at a high level of generality, and thus are insignificant extra-solution activity. See MPEP 2106.05(g) (“whether the limitation is significant”). In addition, all uses of the recited judicial exceptions require such data gathering and post-solution activity, and, as such, these limitations do not impose any meaningful limits on the claim. These limitations amount to necessary data gathering and outputting. See MPEP 2106.05.
This judicial exception is not integrated into a practical application. In particular, the claim only recites the additional elements – processor, memory, forensic file data store, LLM. The additional elements are recited at a high level of generality such that they amount to no more than mere instructions to apply the exception using a generic computer component.
No technical improvement or transformation of data is disclosed, nor is any specific configuration of the hardware or specialized hardware claimed. Accordingly, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea.
The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional element as described above amounts to no more than mere instructions to apply the exception using a generic computer component. Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept. Even when viewed in combination, these additional elements do not integrate the recited judicial exception into a practical application (Step 2A, Prong Two: NO), and the claim is directed to the judicial exception. (Step 2A: YES).
Step 2B:
This part of the eligibility analysis evaluates whether the claim as a whole amounts to significantly more than the recited exception i.e., whether any additional element, or combination of additional elements, adds an inventive concept to the claim. See MPEP 2106.05.
One way to determine integration into a practical application is when the claimed invention improves the functioning of a computer or improves another technology or technical field. To evaluate an improvement to a computer or technical field, the specification must set forth an improvement in technology and the claim itself must reflect the disclosed improvement. See MPEP 2106.04(d)(1) and 2106.05(a).
Under the 2019 PEG, a conclusion that an additional element is insignificant extra-solution activity in Step 2A should be re-evaluated in Step 2B. Here, the monitoring, determining and performing an action step was considered to be a mental process in Step 2A, and thus it is re-evaluated in Step 2B to determine if it is more than what is well-understood, routine, conventional activity in the field.
As discussed in Step 2A, Prong Two, the only additional elements beyond the abstract idea are the processor and memory, which are generic and conventional. Receiving, storing and receiving are understood to be well-understood, routine, conventional activity (WURC) in the field of security. Using the LLM to perform the abstract idea (e.g. using a known tool to perform a known function) is not inventive. The additional element as described above amounts to no more than mere instructions to apply the exception using a generic computer component. Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept. (Step 2B: NO).
Therefore, claim 56 is directed to non-statutory subject matter. Additionally, claims 13 and 20 are rejected for at least the reasons mentioned above. Additionally, the dependent claims are rejected as they do not recite additional elements that amount to significantly more than the judicial exception, as they are only directed towards further limitations of the logic and functionality. For example, claims 2-4 and 14-16 merely provide the source of the exfiltration alert, which is conventional data gathering that must be performed and is considered to be pre-solution activity; claims 6 and 7 recite mathematical algorithms, which relate to mathematical concepts, which are abstract ideas; and claims 8-12 and 18-19 establish post-solution activity that is WURC in response to any analysis, such as mitigating an action or generating a risk score.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-4, 8-16 and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over US 20200193019 to Tietz et al. (hereinafter “Tietz”) in view of US 20240414211 to Boyer et al. (hereinafter “Boyer”).
Claim 1
Tietz teaches a system for exfiltration analysis, [e.g. Tietz; Abstract, Para. 0007, 0019, 0020 – Tietz discloses a system for exfiltration analysis.] the system comprising:
a processor subsystem; and memory including instructions, which when executed by the processor subsystem, [e.g. Tietz; Abstract, Para. 0007, 0019, 0020 – Tietz discloses a memory and processor.] cause the processor subsystem to:
receive a plurality of file identifiers of a corresponding plurality of files, the plurality of files related to exfiltration alerts; [e.g. Tietz; Abstract, Para. 0004, 0005, 0007, 0019-0024, 0026-0048, 0074-0083 – Tietz discloses receiving file management information of a plurality of files and alerts corresponding to the files.]
store information about the plurality of files in a forensic file data store, ... [e.g. Tietz; Abstract, Para. 0004, 0005, 0007, 0019-0024, 0026-0048, 0074-0083 – Tietz discloses storing information in a file history chain (e.g. forensic data store).]
While Tietz teaches the system of claim 1, Tietz fails to explicitly teach utilizing large language models to aid in exfiltration analysis. More specifically, Tietz fails to teach the following; however, Boyer teaches:
... the forensic file data store used to provide contextual information for a large language model (LLM); [e.g. Boyer; Abstract, Para. 0064-0084, 0100-0106, 0107-0116 – Boyer discloses using a data store by a LLM.]
receive an exfiltration query from a user of the system; [e.g. Boyer; Abstract, Para. 0018-0063, 0064-0084, 0100-0106, 0107-0116 – Boyer discloses sending a query to allow a user to interact with a LLM regarding a cyber related event (e.g. exfiltration event).] and
produce a generative output using the LLM based on the exfiltration query and the contextual information. [e.g. Boyer; Abstract, Para. 0064-0084, 0100-0106, 0107-0116 – Tietz discloses sending a response based on the query and contextual information.]
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to include the features above in the invention as disclosed by Tietz, as a primary benefit is that it allows cyber security system operators to explain the ongoing incidents to different levels of end users with cyber security knowledge without requiring human time to rephrase that data, and to present that data to explain things such as why the network was breached, as disclosed by Boyer in paragraph 0029.
Claim 2:
Tietz teaches the system of claim 1, wherein an exfiltration alert of the exfiltration alerts is based on at least one filesystem event. [e.g. Tietz; Abstract, Para. 0004, 0005, 0007, 0019-0024, 0026-0048, 0074-0083 – Tietz discloses that the alert is based on a file operation trigger (e.g. filesystem event).]
Claim 3:
Tietz teaches the system of claim 2, wherein the at least one filesystem event includes an operation to create, read, modify, or delete a filesystem element. [e.g. Tietz; Abstract, Para. 0004, 0005, 0007, 0019-0024, 0026-0048, 0074-0083 – Tietz discloses operations such as deletion, modification, movement, etc.]
Claim 4:
Tietz teaches the system of claim 2, wherein an exfiltration alert of the exfiltration alerts is based on an exfiltration model used to determine whether the at least one filesystem event is indicative of exfiltration. [e.g. Tietz; Abstract, Para. 0004, 0005, 0007, 0019-0024, 0026-0048, 0074-0083 – Tietz discloses a rules engine (e.g. exfiltration model) to determine a risk and generate alerts.]
Claim 7:
Tietz teaches the system of claim 6, wherein the vector comparison is one of: a dot product operation, a cosine similarity operation, or a soft cosine similarity operation. [e.g. Singh; Abstract, Para. 0018, 0066-0069, 0075, 0088, 0091-0093, 0095, 0100-0106, 0107-0116 – Singh discloses using embeddings (e.g. vector representations) and determining similarity for data loss prevention.]
Claim 8:
Tietz teaches the system of claim 1, wherein the processor subsystem is to generate a risk score of an activity related to at least one of the exfiltration alerts. [e.g. Tietz; Abstract, Para. 0004, 0005, 0007, 0019-0024, 0026-0048, 0074-0083 – Tietz discloses a rules engine determining a level of risk (e.g. risk score) related to the activity.]
Claim 9:
Tietz teaches the system of claim 8, wherein the processor subsystem is to initiate a mitigation function based on the risk score. [e.g. Tietz; Abstract, Para. 0004, 0005, 0007, 0019-0024, 0026-0048, 0074-0083 – Tietz discloses the rules engine outputting a response based on a level of risk such as sending alerts to the user, system administrator, block an action etc.]
Claim 10:
Tietz teaches the system of claim 9, wherein to initiate the mitigation function, the processor subsystem is to alert a human administrator. [e.g. Tietz; Abstract, Para. 0004, 0005, 0007, 0019-0024, 0026-0048, 0074-0083 – Tietz discloses the rules engine outputting a response based on a level of risk such as sending alerts to the user, system administrator, block an action etc.]
Claim 11:
Tietz teaches the system of claim 9, wherein to initiate the mitigation function, the processor subsystem is to transmit an educational ... to a user related to the activity. [e.g. Tietz; Abstract, Para. 0004, 0005, 0007, 0019-0024, 0026-0048, 0074-0083 – Tietz discloses the rules engine outputting a response based on a level of risk such as explaining to the user why an action was not allowed (e.g. educating the user).]
While Tietz teaches the system of claim 1 and teaches in paragraphs 0044 and 0081 providing a message that explains why the user action was not allowed via text, pop-up, etc., Tietz fails to explicitly teach providing a video.
However, as Tietz's population of the education responses is open ended, it would have been an obvious matter of design choice to further modify the message of Tietz by also providing a response that would include a video, which would yield predictable results. In this case, the predictable result would be informing and educating the user of the action in a different format.
Claim 12:
Tietz teaches the system of claim 9, wherein to initiate the mitigation function, the processor subsystem is to restrict access to network resources for a user related to the activity. [e.g. Tietz; Abstract, Para. 0004, 0005, 0007, 0019-0024, 0026-0048, 0074-0083 – Tietz discloses the rules engine outputting a response based on a level of risk such as sending alerts to the user, system administrator, block an action etc.]
Regarding claims 13-16 and 18-20, they are method and manufacture claims essentially corresponding to the above recitations, and they are rejected, at least, for the same reasons.
Claims 5 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over US 20200193019 to Tietz et al. (hereinafter “Tietz”) in view of US 20240414211 to Boyer et al. (hereinafter “Boyer”) and further in view of US 20240291833 to Murphy et al. (hereinafter “Murphy”).
Claim 5:
While Tietz and Boyer teach the system of claim 1 and Boyer teaches fine tuning the LLM with contextual information, the combination fails to explicitly teach that the LLM is a commercially available LLM. More specifically, the combination fails to teach the following; however, Murphy teaches:
wherein the LLM is a commercially available model fine-tuned .... [e.g. Murphy; Abstract, Para. 0457-0461 – Murphy discloses it is well known to fine-tune a commercially available LLM such as OpenAI’s GPT-3.]
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to include the features above in the invention as disclosed by Tietz and Boyer, as this enables developers to create more accurate and effective natural language processing applications and is well known in the art, as disclosed by Murphy in paragraphs 0457-0461.
Claims 6 and 7 are rejected under 35 U.S.C. 103 as being unpatentable over US 20200193019 to Tietz et al. (hereinafter “Tietz”) in view of US 20240414211 to Boyer et al. (hereinafter “Boyer”) and further in view of US 20240370584 to Singh et al. (hereinafter “Singh”).
Claims 6 and 7:
While Tietz and Boyer teach the system of claim 1, the combination fails to explicitly teach the following; however, Singh teaches:
wherein to produce the generative output, the processor subsystem is to: vectorize the exfiltration query to produce a vector representation of the exfiltration query; and perform a vector comparison of the vector representation of the exfiltration query and vector representations of the contextual information. [e.g. Singh; Abstract, Para. 0018, 0066-0069, 0075, 0088, 0091-0093, 0095, 0100-0106, 0107-0116 – Singh discloses using embeddings (e.g. vector representations) and determining similarity for data loss prevention.]
wherein the vector comparison is one of: a dot product operation, a cosine similarity operation, or a soft cosine similarity operation. [e.g. Singh; Abstract, Para. 0018, 0066-0069, 0075, 0088, 0091-0093, 0095, 0100-0106, 0107-0116 – Singh discloses using word embeddings (e.g. vector representations) and determining similarity scores for data loss prevention. As these are word embeddings, cosine similarity is a well-known technique used for finding similarity of word embeddings.]
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to include the features above in the invention as disclosed by Tietz and Boyer, with the advantage of finding similar matches even if content (e.g. query) is modified. Furthermore, these techniques are well known and it would have been obvious to choose from a finite number of identified, predictable solutions, with a reasonable expectation of success.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHRISTOPHER C HARRIS whose telephone number is (571)270-7841. The examiner can normally be reached Monday through Friday between 8:00 AM and 4:00 PM CST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey L Nickerson, can be reached on (469) 295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/CHRISTOPHER C HARRIS/Primary Examiner, Art Unit 2432