DETAILED ACTION
This Office Action is in response to the application 18/768076, filed on 07/10/2024.
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claims 1-20 have been examined and are pending in this application. Claims 1, 17, and 20 are independent.
Priority/Continuity
This application is a continuation of Application No. 17/351563, filed on 06/18/2021, currently US Patent No. 12,058,150.
Information Disclosure Statement
The information disclosure statement (IDS), submitted on 07/10/2024, is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the Examiner.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the claims at issue are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the reference application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO internet Web site contains terminal disclaimer forms which may be used. Please visit http://www.uspto.gov/forms/. The filing date of the application will determine what form should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to http://www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1, 2, and 5-20 of U.S. Patent No. 12,058,150. Although, the claims at issue are not identical, they are not patentably distinct from each other because the claims of the instant application are anticipated by the reference claims.
The following claims are presented side by side for comparison. The comparison shows how the broader independent claims 1, 17, and 20, of the instant application, are anticipated by the narrower independent claims 1, 14, and 18, of the reference patent claims.
Instant Application 18/768076
Reference Patent US 12,058,150
1. A device, comprising:
a processor; and a memory that stores executable instructions that, when executed by the processor, facilitate performance of operations, comprising:
generating a first identifier associated with first network equipment and a second identifier associated with second network equipment;
obtaining first data associated with the first network equipment and obtaining second data associated with the second network equipment;
in response to determining that the first data and the second data are related, generating a first flag signal representative of a first malicious warning flag applicable to the first data and a second flag signal representative of a second malicious warning flag applicable to the second data; and
adjusting the first data to include the first identifier and the first malicious warning flag and adjusting the second data to include the first identifier and the second malicious warning flag.
1. A device, comprising:
a processor; and a memory that stores executable instructions that, when executed by the processor, facilitate performance of operations, comprising:
determining first data, associated with first network equipment, originating at a first origination node of a group of nodes, and second data, associated with second network equipment, originating at a second origination node of the group of nodes;
generating a first identifier associated with the first network equipment and the first origination node and a second identifier associated with the second network equipment and the second origination node;
updating the first data to comprise the first identifier and the second data to comprise the second identifier;
in response to the first data and the second data being determined to be directed to a common destination node, determining whether the first data and the second data are related according to a relation criterion;
in response to determining that the first data and the second data are related, generating a first malicious warning flag signal representative of a first malicious warning flag applicable to the first data and a second malicious warning flag signal representative of a second malicious warning flag applicable to the second data; and appending the first data with the first malicious warning flag and appending the second data with the second malicious warning flag.
17. A non-transitory machine-readable medium, comprising executable instructions that, when executed by a processor, facilitate performance of operations, comprising:
generating a first identifier associated with first network equipment and a second identifier associated with second network equipment; obtaining first data associated with the first network equipment and obtaining second data associated with the second network equipment;
in response to determining that the first data and the second data are related, determining that the first data comprise malicious data according to a malicious data criterion;
in response to determining that the first data and the second data are related, determining that the second data comprise malicious data according to the malicious data criterion;
generating a first flag signal representative of a first malicious warning flag applicable to the first data and a second flag signal representative of a second malicious warning flag applicable to the second data; and
adjusting the first data to include the first identifier and the first malicious warning flag and adjusting the second data to include the first identifier and the second malicious warning flag.
20. A method, comprising:
generating, by a processing system including a processor, a first identifier associated with first network equipment and a second identifier associated with second network equipment;
obtaining, by the processing system, first data associated with the first network equipment and obtaining second data associated with the second network equipment;
in response to determining, by the processing system, that the first data and the second data are related, generating, by the processing system, a first flag signal representative of a first malicious warning flag applicable to the first data and a second flag signal representative of a second malicious warning flag applicable to the second data, wherein the first malicious warning flag signal comprises first information indicative of a first color label and the second malicious warning flag signal comprises second information indicative of the first color label; and
adjusting, by the processing system, the first data to include the first identifier and the first malicious warning flag and adjusting the second data to include the first identifier and the second malicious warning flag.
11. A method, non-transitory machine-readable medium, comprising executable instructions that, when executed by a processor, facilitate performance of operations, comprising:
determining a first data segment, associated with first network equipment, originating at a first origination node of a group of nodes, and a second data segment, associated with second network equipment, originating at a second origination node of the group of nodes;
generating a first identifier associated with the first network equipment and the first origination node and a second identifier associated with the second network equipment and the second origination node;
updating the first data segment to comprise the first identifier and the second data segment to comprise the second identifier; in response to the first data segment and the second data segment being determined to be directed to a common destination node, determining whether the first data segment and the second data segment are related according to a relation criterion; in response to determining that the first data segment and the second data segment are related, generating a first malicious warning signal representative of a first malicious warning applicable to the first data and a second malicious warning signal representative of a second malicious warning applicable to the second data; and
appending the first data with the first malicious warning and appending the second data with the second malicious warning.
18. A method, comprising: determining, by network equipment comprising a processor, first data, associated with first network equipment, originating at a first origination node of a group of nodes, and second data, associated with second network equipment, originating at a second origination node of the group of nodes; generating, by the network equipment, a first identifier associated with the first network equipment and the first origination node and a second identifier associated with the second network equipment and the second origination node; updating, by the network equipment, the first data to comprise the first identifier and the second data to comprise the second identifier; in response to the first data and the second data being determined to be directed to a common destination node, determining, by the network equipment, whether the first data and the second data are related according to a relation criterion; in response to determining that the first data and the second data are related, generating, by the network equipment, a first malicious warning flag signal representative of a first malicious warning flag applicable to the first data and a second malicious warning flag signal representative of a second malicious warning flag applicable to the second data; and, appending the first data with the first malicious warning flag and appending the second data with the second malicious warning flag.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1-20 are rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter.
As to claim 1, the claims recite, performing function steps: “generating a first identifier [ ] and a second identifier,” “obtaining first data [ ] and obtaining second data,” “generating a first flag signal [ ] and a second flag signal,” and “adjusting the first data [ ] and the first malicious warning flag and adjusting the second data,” along with refining limitations.
The limitations, in the context of this claim, encompasses the user manually performs the function steps. The limitations, is a process that, under its broadest reasonable interpretation, covers performance of the limitation in the mind. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind, then it falls within the “Mental Processes” of abstract ideas. Accordingly, the claim recites an abstract idea.
This judicial exception is not integrated into a practical application. Additional element of the function steps does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. The claim is directed to an abstract idea.
The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception. Viewing the limitations in combination also fails to amount to significantly more than the abstract idea. The addressed claimed functions, even with the additional limitations, reflect mental process steps, as would be recognized by those of ordinary skill in the field of data processing, and does not add significantly more to a judicial exception. Even considering, that the functions are performed “device, comprising processor, memory, and executable instruction,” they are generic computing functions that a person is able to conceptualize them mentally. Therefore, the claims are not patent eligible.
As to the independent claims 17 and 20, the claims recite limitations with similar scope to claim 1. Therefore, these claims are also rejected under 35 USC 101 as being directed to non-statutory subject matter.
As to the dependent claims 2-16, 18, and 19, the claims are dependent on claims 1 or 17, respectively, and do not include additional steps/element that are sufficient to amount to significantly more to transform the abstract idea into patent-eligible subject matter. Therefore, these claims are also rejected under 35 USC 101 as being directed to non-statutory subject matter.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1-6 and 9-20 are rejected under 35 U.S.C. 103 as being unpatentable over Desi et al (“Desai,” US 2003/0188189, published on 10/02/2003), in view of Scott et al (“Scott,” US 9, 819,685, patented on 1/14/2017).
As to claim 1, Desai teaches a device, comprising: a processor; and a memory that stores executable instructions that, when executed by the processor, facilitate performance of operations (Desai: pars 0025-0026,0088, an intrusion detection and response system applying a knowledge-based event analysis and classification subsystem for preventing malicious attack, such as, buffer overflows, malformed URL's, and DDoS (distributed denial of service) attacks), comprising:
generating a first identifier associated with first network equipment and a second identifier associated with second network equipment (Desai: pars 0025-0026, 0081, 0108, the data traffic originating from the sources [i.e. from the first and second network equipment] are identified using IP address of the sources for analysis and identification of abnormal incoming traffic);
obtaining first data associated with the first network equipment (Desai: pars 0025-0026, 0078, 0081; Fig 2, receiving a plurality of data sets from plurality of devices or plurality of originating sources (e.g., routers, hosts, port), [i.e. including a first data from first network equipment]); Identifying abnormal behavior of source and destination IP's, network services across multiple diverse devices. See also pars 0045, 0081, 0083) and obtaining second data associated with the second network equipment (Desai: pars 0025-0026, 0078, 0081; Fig 2, receiving a plurality of data sets from plurality of devices or plurality of originating sources (e.g., routers, hosts, port), [i.e. including, at least, a second data from a second network equipment]);
in response to determining that the first data and the second data are related (Desai: pars 0076, 0081, 0083, based on the correlation between source and destination IP's, network services [i.e. relation criterion], and matching of distinct patterns of abnormal behavior, if it is identified that there is an abnormal behavior or intrusion characteristics with the traffic, an alarm and alarm response function is initiated to mitigate the malicious traffic or intrusion).
Desai does not explicitly teach generating a first flag signal representative of a first malicious warning flag applicable to the first data and a second flag signal representative of a second malicious warning flag applicable to the second data; and adjusting the first data to include the first identifier and the first malicious warning flag and adjusting the second data to include the first identifier and the second malicious warning flag.
However, in an analogous art, Scott teaches generating a first flag signal representative of a first malicious warning flag applicable to the first data and a second flag signal representative of a second malicious warning flag applicable to the second data (Scott: col 2, lines 10-39, col 10, lines 30-43, col 15, lines 62-67, col 16, lines 1-11, method and system for identifying security risks [i.e. malicious warning] using graph analysis, where each communicating entity represented with a node [i.e. at least there is first and second data communication from first and second equipment], and the connection network is presented with a graph display for the security access patterns visualization. Identifying a connection between the node and another node of the plurality of nodes, both correspond to a same security group, where identification of the node and connection are marked with indicators such as a color, pattern, number [i.e. a first flag and second flag]).; and
adjusting the first data to include the first identifier and the first malicious warning flag and adjusting the second data to include the first identifier and the second malicious warning flag (Scott: col 2, lines 10-39, col 10, lines 30-43, col 15, lines 62-67, col 16, lines 1-11, identify a connection between the node and another node of the plurality of nodes, both correspond to a same security group, where identification of the node and connection are marked with indicators such as a color, pattern, number).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Scott with the method/system of Desai to include the limitation(s), generating a first flag signal representative of a first malicious warning flag applicable to the first data and a second flag signal representative of a second malicious warning flag applicable to the second data; and adjusting the first data to include the first identifier and the first malicious warning flag and adjusting the second data to include the first identifier and the second malicious warning flag where one would have been motivated for the benefit of providing a user with a means for identifying each communicating node and there traffic connection to a same destination nodes using a makers to the nodes and the connection path for easily identify using graph/visualization of unauthorized/abnormal access or traffic flow, so that a remediation action can be taken by the system (Scott: col 2, lines 10-39, col 10, lines 30-43).
As to claim 2, the combination of Desai and Scott teaches the device of claim 1,
Desai further teaches wherein the determining that the first data and the second data are related comprises determining that the first data and the second data are directed to a common destination node (Desai: pars 0063, 0081, 0108, identifying abnormal behavior where an excessive number of port sessions to the same destination IP address during a given time period [i.e. determination of first data and second data directed to a common destination]).
As to claim 3, the combination of Desai and Scott teaches the device of claim 1,
Desai further teaches wherein the determining that the first data and the second data are related comprises determining that the first data and the second data are related according to a relation criterion (Desai: pars 0081, 0083, 0108, an event Correlation Engine performs Data Correlation process for correlation between source and destination IP's, network services [i.e. relation criterion], and matching of distinct patterns of abnormal behavior).
As to claim 4, the combination of Desai and Scott teaches the device of claim 3,
Desai further teaches wherein the relation criterion comprises a common origination criterion (Desai: pars 0063, 0081, 0108, identifying abnormal behavior where an excessive number of port sessions to the same destination IP address during a given time period, and identifying same originating IP address/IP subnet attacking same service [i.e. common origination criterion]).
As to claim 5, the combination of Desai and Scott teaches the device of claim 3,
Desai further teaches wherein the relation criterion is determined using machine learning based on previous data relationships (Desai: pars 0026, 0076, 0083, knowledge-based event classification subsystem analyzing historical views showing similarities [i.e. previous data relationships] between abnormal behavior across multiple diverse devices).
As to claim 6, the combination of Desai and Scott teaches the device of claim 3,
Desai further teaches wherein the relation criterion is associated with a commonality of nodes traversed by data traffic (Desai: pars 0063, 0081, 0108, identifying abnormal behavior where an excessive number of port sessions to the same destination IP address during a given time period, and identifying same originating IP address/IP subnet attacking same service. Applying a log-based subsystems to see all traffic traversing the network).
As to claim 9, the combination of Desai and Scott teaches the device of claim 1,
Desai and Scott further teaches wherein the first malicious warning flag signal and the second malicious warning flag signal are representative of warning information that enables a warning about malicious network traffic (Desai: pars 0076, 0081, 0083, if it is identified that there is an abnormal behavior or intrusion characteristics with the traffic, an alarm and alarm response function is initiated to mitigate the malicious traffic or intrusion. Scott: col 2, lines 10-39, col 10, lines 30-43, col 15, lines 62-67, col 16, lines 1-11, identifying security risks using graph analysis, where a connection between the node and another node of the plurality of nodes, both correspond to a same security group is identified, where identification of the node and connection are marked with indicators such as a color, pattern, number).
As to claim 10, the combination of Desai and Scott teaches the device of claim 1,
Scott further teaches wherein the first malicious warning flag signal comprises first information indicative of a first color label and the second malicious warning flag signal comprises second information indicative of the first color label (Scott: col 2, lines 10-39, col 10, lines 30-43, col 15, lines 62-67, col 16, lines 1-11, identify a connection between the node and another node of the plurality of nodes, both correspond to a same security group, where identification of the node and connection are marked with indicators such as a color, pattern, number [i.e. a first flag with a first color/label and second flag with a second color/label]).
As to claim 11, the combination of Desai and Scott teaches the device of claim 1,
Desai and Scott further teaches wherein the first malicious warning flag indicates a first malicious activity, wherein the second malicious warning flag indicates a second malicious activity (Desai: pars 0076, 0081, 0083, if it is identified that there is an abnormal behavior or intrusion characteristics with the traffic, an alarm and alarm response function is initiated to mitigate the malicious traffic or intrusion. Scott: col 2, lines 10-39, col 10, lines 30-43, col 15, lines 62-67, col 16, lines 1-11, identifying security risks using graph analysis, where a connection between the node and another node of the plurality of nodes, both correspond to a same security group is identified, where identification of the node and connection are marked with indicators such as a color, pattern, number).
As to claim 12, the combination of Desai and Scott teaches the device of claim 1,
Desai further teaches wherein the first data and the second data each comprise encrypted data (Desai: pars 0044, 0089, traffic encrypted while in transport on the network).
As to claim 13, the combination of Desai and Scott teaches the device of claim 1,
Desai further teaches wherein the operations further comprise: in response to determining that the first data and the second data are related: determining that the first data comprise malicious data according to a malicious data criterion; and determining that the second data comprise malicious data according to the malicious data criterion (Desai: pars 0063, 0076, 0081, 0085, 0108, identifying abnormal behavior where an excessive number of port sessions to the same destination IP address during a given time period, and identifying same originating IP address/IP subnet attacking same service. Knowledge-based event classification subsystem analyzing historical views showing similarities [i.e. previous data relationships] between abnormal behavior across multiple diverse devices).
As to claim 14, the combination of Desai and Scott teaches the device of claim 13,
Desai further teaches wherein the malicious data criterion is determined using machine learning based on previously identified malicious data (Desai: pars 0026, 0076, 0083, 0085, knowledge-based event classification subsystem analyzing historical views showing similarities between abnormal behavior across multiple diverse devices).
As to claim 15, the combination of Desai and Scott teaches the device of claim 1,
Desai further teaches wherein the first identifier and the second identifier each comprise respective data origination information and data destination information (Desai: pars 0025-0026, 0081, 0108, the data traffic originating from the sources and the destination are identified using IP address of the sources for analysis and identification of abnormal incoming traffic).
As to claim 16, the combination of Desai and Scott teaches the device of claim 1,
Desai teaches wherein the first identifier further comprises hardware information associated with a first origination node, and wherein the second identifier further comprises hardware information associated a second origination node (Desai: pars 0025-0026, 0081, 0108, the data traffic originating from the sources are identified using IP address of the sources for analysis and identification of abnormal incoming traffic).
As to claim 17, the claim is directed to a machine-readable medium, and the scope of the claim limitations is similar to the scope of the device claim 1, and therefore, rejected for the same reason set forth above for claim 1.
As to claims 18 and 19, the limitations of the claims are similar to the claims 2 and 3, respectively, and therefore, rejected for the same reason set forth above for claims 2 and 3.
As to claim 20, the claim is directed to a method, and the scope of the claim limitations is similar to the scope of the device claim 1, and therefore, rejected for the same reason set forth above for claim 1.
Claims 7 and 8 are rejected under 35 U.S.C. 103 as being unpatentable over Desi et al (“Desai,” US 2003/0188189, published on 10/02/2003), in view of Scott et al (“Scott,” US 9, 819,685, patented on 1/14/2017), and further in view of Green et al (“Green,” US 8, 321,936, patented on 11/27/2012).
As to claim 7, the combination of Desai and Scott teaches the device of claim 1,
Desai or Scott does not explicitly teach wherein the adjusting of the first data to include the first identifier and the first malicious warning flag comprises appending the first data with the first malicious warning flag.
However, in an analogous art, Green teaches wherein the adjusting of the first data to include the first identifier and the first malicious warning flag comprises appending the first data with the first malicious warning flag (Green: col 10, lines 32-57, claim 1, alert/reporting module flags an electronic message as associated malicious content. Appending a flag to the electronic message responsive to the electronic message or content associated with the electronic message including malicious content).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Scott with the method/system of Desai to include the limitation(s), wherein the adjusting of the first data to include the first identifier and the first malicious warning flag comprises appending the first data with the first malicious warning flag, where one would have been motivated for the benefit of providing a user with a means for generating a flag for a data set associated with the malicious content, and appending the flag with the data, so that a recipient device can identify the warning associated with the data (Green: col 10, lines 32-57).
As to claim 8, the combination of Desai and Scott teaches the device of claim 1,
Desai or Scott does not explicitly teach wherein the adjusting of the second data to include the first identifier and the second malicious warning flag comprises appending the second data with the second malicious warning flag.
However, in an analogous art, Green teaches wherein the adjusting of the second data to include the first identifier and the second malicious warning flag comprises appending the second data with the second malicious warning flag (Green: col 10, lines 32-57, claim 1, alert/reporting module flags an electronic message as associated malicious content. Appending a flag to the electronic message responsive to the electronic message or content associated with the electronic message including malicious content).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Scott with the method/system of Desai to include the limitation(s), wherein the adjusting of the second data to include the first identifier and the second malicious warning flag comprises appending the second data with the second malicious warning flag, where one would have been motivated for the benefit of providing a user with a means for generating a flag for a data set associated with the malicious content, and appending the flag with the data, so that a recipient device can identify the warning associated with the data (Green: col 10, lines 32-57).
Conclusion
Any inquiry concerning this communication or earlier communications from the Examiner should be directed to Jahangir Kabir whose telephone number is (571) 270-3355. The Examiner can normally be reached on 9:00- 5:00 Mon-Thu.
If attempts to reach the Examiner by telephone are unsuccessful, the Examiner’s supervisor, Luu Pham can be reached on (571) 270-5002. The fax number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from Patent Center and the Private Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from Patent Center or Private PAIR. Status information for unpublished applications is available through Patent Center and Private PAIR for authorized users only. Should you have questions about access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, Applicant is encouraged to use the USPTO Automated Interview Request (AIR) Form at https://www.uspto.gov/patents/uspto-automated- interview-request-air-form.
/JAHANGIR KABIR/ Primary Examiner, Art Unit 2439