Prosecution Insights
Last updated: July 17, 2026
Application No. 18/772,959

CLASSIFICATION OF NETWORK FLOW DATA TO IDENTIFY CYBER THREATS

Non-Final OA §101§102§103§112
Filed
Jul 15, 2024
Examiner
TAYLOR, SAKINAH W
Art Unit
2447
Tech Center
2400 — Computer Networks
Assignee
AT&T Intellectual Property I L.P.
OA Round
1 (Non-Final)
87%
Grant Probability
Favorable
1-2
OA Rounds
6m
Est. Remaining
99%
With Interview

Examiner Intelligence

Grants 87% — above average
87%
Career Allowance Rate
332 granted / 383 resolved
+28.7% vs TC avg
Strong +23% interview lift
Without
With
+23.2%
Interview Lift
resolved cases with interview
Typical timeline
2y 6m
Avg Prosecution
13 currently pending
Career history
396
Total Applications
across all art units

Statute-Specific Performance

§101
0.3%
-39.7% vs TC avg
§103
94.9%
+54.9% vs TC avg
§102
2.2%
-37.8% vs TC avg
§112
1.4%
-38.6% vs TC avg
Black line = Tech Center average estimate • Based on career data from 383 resolved cases

Office Action

§101 §102 §103 §112
DETAILED ACTION Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Claims 1-20 have been examined and are pending. Claim Rejections - 35 USC § 101 35 U.S.C. 101 reads as follows: Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title. Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. Claim 1 recites the following limitations: “using a clustering process to label flow data for identifying the information about known malicious activity, forming cluster labels receiving production flow data corresponding to current network traffic arriving at the network or the data processing system;” “determining clusters and cluster identifiers for the production flow data;” “identifying a relationship between a cluster label for the information about known malicious activity and a cluster identifier for the production flow data;” “based on the relationship between the cluster label for the information about known malicious activity and the cluster identifier, identifying a potential cyber threat to the network or the data processing system.” Each of these limitations would be practical to perform in the mind with the aid of pencil and paper, thus directed towards a mental process (see MPEP §2106.04(a)(2)(III)). Each of these limitations collectively manipulates flow data, and tracks the presence of behavior of various flow data groupings indicative of potential maliciousness. This is the type of analysis that goes into network planning and can reasonably be done in the human mind. As result, the limitations listed recite an abstract idea. This judicial exception is not integrated into a practical application. Claim 1 further recites “a device” and “said device comprises a processor (202) that a processing system including a processor; and a memory that stores executable instructions that, when executed by the processing system”. The claimed device is a generic computer component that is being claimed as just a tool to perform the claimed mental steps. Performing an abstract idea on a computer tool does not transform the abstract idea into a practical application (see MPEP §2106.05(f)). Claim 1 also recites “receiving information about known malicious activity, the information about known malicious activity corresponding to a known cyber threat to operation of a network or data processing system”. The device receiving the claimed flow data is a data gathering step which uses the data from the received flow data to perform the mental process. The claimed data gathering step is insignificant extra solution activity and does not transform the claimed abstract idea into a practical application (see MPEP §2106.05(g)). The additional elements have been considered alone, and in combination with the claimed invention as a whole, but does not integrate the abstract idea into a practical application. As result, the invention is directed towards an abstract idea. The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional elements of the device amounts to no more than mere instructions to apply the exception using a generic computer component. Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept. The reception of the claimed data packets is an insignificant extra solution activity, which is additional well understood routine, and conventional. MPEP §2106.05(g) details similar data gather steps that have been found by the courts to be well understood routine, and conventional. Additionally applicant’s specification (see ¶0037 and ¶0039-0040 provides only broad disclosure of the reception of flows and makes it clear that it considers the reception of the claimed flow data as well-known aspects of the disclosure. As result, the claim is not patent eligible. Claim 11 is directed towards a non-transitory machine-readable medium rather than the system of claim 1, however the same rationale applies to claim 11 as provided in the rejection to claim 1. As result, claim 11 is not patent eligible. Claim 2 recites “wherein the operations further comprise: based on the relationship between the cluster label for the information about known malicious activity and the cluster identifier, providing contextualizing information regarding the production flow data based on the information about known malicious activity as an alert to a potential cyber threat..” The claim provides additional limitations that describe mental processes. As result, when additional features of claim 2, when considered alone and in combination, are still directed to an abstract idea which contains nothing significantly more than the judicial exception itself. Claim 3 recites “wherein the operations further comprise: determining a confidence parameter for the clusters and cluster identifiers for the production flow data; collecting, from the production flow data, a plurality of outlier flows, each outlier flow having a confidence parameter that does not exceed a confidence threshold, forming an outlier pool; and determining additional clusters based on the outlier pool.” The claim provides additional limitations that describe mental processes. As result, when additional features of claim 3, when considered alone and in combination, are still directed to an abstract idea which contains nothing significantly more than the judicial exception itself. Claim 4 recites “wherein the operations further comprise: identifying flows in the training flow data having new cluster identifiers, forming outliers; identifying flows in the production flow data having infrequently seen cluster identifiers, forming additional outliers; determining new cluster identifiers based on coincidence over time of similar outliers among the outliers and the additional outliers; and combining the new cluster identifiers with previously identified cluster identifiers for evaluating future production data.” The claim provides additional limitations that describe mental processes. As result, when additional features of claim 4, when considered alone and in combination, are still directed to an abstract idea which contains nothing significantly more than the judicial exception itself. Claim 5 recites “wherein the receiving information about known malicious activity comprises: receiving information about network traffic generated by a malicious source accessed in a contained environment.” The claim provides additional limitations that describe mental processes. As result, when additional features of claim 5, when considered alone and in combination, are still directed to an abstract idea which contains nothing significantly more than the judicial exception itself. Claim 6 recites “wherein the receiving information about known malicious activity comprises: receiving, from an open source sandbox, information about an executable file executed in the contained environment of the open source sandbox; or receiving, from the open source sandbox, information about a suspicious network location (URL) accessed in the contained environment of the open source sandbox.” The claim provides additional limitations that describe mental processes. As result, when additional features of claim 6, when considered alone and in combination, are still directed to an abstract idea which contains nothing significantly more than the judicial exception itself. Claim 7 recites “wherein the operations further comprise: receiving the information about network traffic generated by a malicious source in an IP packet; and converting the information from the first format to flow data.” The claim provides additional limitations that describe mental processes. As result, when additional features of claim 7, when considered alone and in combination, are still directed to an abstract idea which contains nothing significantly more than the judicial exception itself. Claim 8 recites “wherein the operations further comprise: processing sandbox flow data in a classifier to infer labels for the flow data; processing the production flow data in the classifier to infer labels for the production flow data; and based on the labels for the flow data and the labels for the production flow data, populating a knowledge base to associate a type of cyber threat with a type of flow in the production flow data.” The claim provides additional limitations that describe mental processes. As result, when additional features of claim 8, when considered alone and in combination, are still directed to an abstract idea which contains nothing significantly more than the judicial exception itself. Claim 9 recites “wherein the operations further comprise: taking action to prevent actual damage to the network or the processing system from the potential cyber threat.” The claim provides an additional limitation(s). As result, when additional features of claim 9, when considered alone and in combination is significantly more than the judicial exception itself; thus the claim is eligible. Claim 10 recites “wherein the taking action to prevent actual damage comprises: identifying internet protocol (IP) addresses associated with the potential cyber threat; and suspending access to the network or data processing system from the IP addresses associated with the potential cyber threat.” The claim provides an additional limitation(s). As result, when additional features of claim 9, when considered alone and in combination is significantly more than the judicial exception itself; thus the claim is eligible. Claim 12 recites “wherein the operations further comprise: providing the training flow data to a clustering process to identify relationships between features of the production flow data and to produce clustered data having corresponding labels; providing features identified by the clustering process and the corresponding labels to the classifier as training data for the classifier; and receiving, from the classifier, the inferred labels for flows of the production and ground truth flow data, the inferred labels having been generated by the classifier based on the training data such that flows with the same inferred labels can be considered having the same or similar origin.” The claim provides additional limitations that describe mental processes. As result, when additional features of claim 12, when considered alone and in combination, are still directed to an abstract idea which contains nothing significantly more than the judicial exception itself. Claim 13 recites “wherein the operations further comprise: receiving, from the classifier, information about a confidence in an inferred label for a flow of the production flow data; assigning the flow of the production flow data as an outlier flow; and forming a plurality of outlier flows into a new cluster.” The claim provides additional limitations that describe mental processes. As result, when additional features of claim 13, when considered alone and in combination, are still directed to an abstract idea which contains nothing significantly more than the judicial exception itself. Claim 14 recites “wherein the operations further comprise: for each outlier flow, determining a probability of the outlier flow belonging to a previously known label of the corresponding labels; and based on the probability, associating the outlier flow with outlier flows of the plurality of outlier flows to form the new cluster.” The claim provides additional limitations that describe mental processes. As result, when additional features of claim 14, when considered alone and in combination, are still directed to an abstract idea which contains nothing significantly more than the judicial exception itself. Claim 15 recites “wherein the operations further comprise: identifying suggested malware activity associated with the potential cyber threat; and retrieving current network activity to identify the suggested malware activity occurring in the network.” The claim provides additional limitations that describe mental processes. As result, when additional features of claim 15, when considered alone and in combination, are still directed to an abstract idea which contains nothing significantly more than the judicial exception itself. Claim 16 recites “wherein the operations further comprise: receiving information about the known malicious activity, the information about the known malicious activity corresponding to a known cyber threat; identifying cluster labels for the information about known malicious activity; and based on a relationship between the cluster labels for the information about known malicious activity and the inferred labels for flows of the production flow data, generating contextualizing information regarding the production flow data based on the information about known malicious activity as an alert about the potential cyber threat.” The claim provides additional limitations that describe mental processes. As result, when additional features of claim 16, when considered alone and in combination, are still directed to an abstract idea which contains nothing significantly more than the judicial exception itself. Claim 17 recites “wherein the receiving information about the known malicious activity comprises: receiving information about network traffic generated by a malicious source accessed in a sandbox environment; processing the information about network traffic generated by a malicious source in the classifier to infer labels for the information about network traffic; and based on the labels for the information about network traffic generated by a malicious source and the inferred labels for the flows of the production flow data, associating a type of cyber threat with a type of flow in the production flow data.” The claim provides additional limitations that describe mental processes. As result, when additional features of claim 17, when considered alone and in combination, are still directed to an abstract idea which contains nothing significantly more than the judicial exception itself. Claim 18 is directed towards a method rather than the system of claim 1, however the same rationale applies to claim 11 as provided in the rejection to claim 1. As result, claim 11 is not patent eligible. Claim 19 recites “clustering, by the processing system, the production flow data based on common features among flows of the production flow data.” The claim provides additional limitations that describe mental processes. As result, when additional features of claim 19, when considered alone and in combination, are still directed to an abstract idea which contains nothing significantly more than the judicial exception itself. Claim 20 recites “receiving, by the processing system, information about a confidence in a cluster identifier for a flow of the production flow data; assigning, by the processing system, the flow of the production flow data as an outlier flow; and forming, by the processing system, a plurality of outlier flows into a new cluster based on a probability of the outlier flow belonging to a previously known cluster identifier.” The claim provides additional limitations that describe mental processes. As result, when additional features of claim 20, when considered alone and in combination, are still directed to an abstract idea which contains nothing significantly more than the judicial exception itself. Allowable Subject Matter Claim 4, 8, and 17 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and all intervening claims. The following is an examiner’s statement of reasons for allowance: Regarding claim 4, none of the references explicitly teach nor suggest in detail, wherein the operations further comprise: identifying flows in the training flow data having new cluster identifiers, forming outliers; identifying flows in the production flow data having infrequently seen cluster identifiers, forming additional outliers; determining new cluster identifiers based on coincidence over time of similar outliers among the outliers and the additional outliers; and combining the new cluster identifiers with previously identified cluster identifiers for evaluating future production data, in view of other limitations of the intervening claims. Regarding claim 8, none of the references explicitly teach nor suggest in detail, wherein the operations further comprise: processing sandbox flow data in a classifier to infer labels for the flow data; processing the production flow data in the classifier to infer labels for the production flow data; and based on the labels for the flow data and the labels for the production flow data, populating a knowledge base to associate a type of cyber threat with a type of flow in the production flow data, in view of other limitations of the intervening claims. Regarding claim 17, none of the references explicitly teach nor suggest in detail, wherein the receiving information about the known malicious activity comprises: receiving information about network traffic generated by a malicious source accessed in a sandbox environment; processing the information about network traffic generated by a malicious source in the classifier to infer labels for the information about network traffic; and based on the labels for the information about network traffic generated by a malicious source and the inferred labels for the flows of the production flow data, associating a type of cyber threat with a type of flow in the production flow data, in view of other limitations of the intervening claims. Thus the prior arts of record taking singly or in combination do not reach or suggest the above-stated limitations taking wholly in combination with all the elements of each independent claim. The closest prior art made of record are: Bilge et al 11025649 B1 teaches (col, lines “…input dynamic traces generated by a malware analysis product…an open source sandbox/malware analysis products is Cuckoo..). Raghuramu et al 20210306354 A1 teaches systems, methods, and related technologies for clustering are described. Thakur et al 20220038490 A1 teaches cybersecurity threat modeling and analysis with text miner and data flow diagram editor. Das et al 20210306354 A1 teaches Method For Analyzing Network Communications, Segmentation And Anomalies, Involves Determining Anomalies Based On Clusters, And Storing Data Associated With Clusters And Anomalies. Information Disclosure Statement The information disclosure statement (IDS) submitted on 07/15/2024 was filed. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner. Specification The use of the term Windows, Mac OS, and Linux in para 0054, which is a trade name or a mark used in commerce, has been noted in this application. The term should be accompanied by the generic terminology; furthermore the term should be capitalized wherever it appears or, where appropriate, include a proper symbol indicating use in commerce such as ™, SM , or ® following the term. Although the use of trade names and marks used in commerce (i.e., trademarks, service marks, certification marks, and collective marks) are permissible in patent applications, the proprietary nature of the marks should be respected and every effort made to prevent their use in any manner which might adversely affect their validity as commercial marks. Claim Rejections - 35 USC § 112 The following is a quotation of 35 U.S.C. 112(b): (b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention. The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph: The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention. Claims 1-4 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention. Claim 1 recites the limitation "a cluster label for the information about known malicious activity" in line due to claim 1, line 9. There is insufficient antecedent basis for this limitation in the claim. Claim 1 recites the limitation "a cluster identifier for the production flow data" in line due to claim 1, line 13. There is insufficient antecedent basis for this limitation in the claim. Claim 2 recites the limitation "a potential cyber threat" in line due to claim 1, line 16. There is insufficient antecedent basis for this limitation in the claim. Claim 3 recites the limitation "cluster identifiers for the production flow data" in line 3 due to claim 1, lines 14. There is insufficient antecedent basis for this limitation in the claim. Claim 4 recites the limitation "the training flow data" in line 2 due to first instance. There is insufficient antecedent basis for this limitation in the claim. In claim 12, the phrase “can be” renders the claim indefinite because it is unclear whether the limitations following the phrase are part of the claimed invention. See MPEP 2173.05(d). Claim Rejections - 35 USC § 102 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action: A person shall be entitled to a patent unless – (a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention. Claim(s) 11 and 18-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Scheib et al, hereinafter (“Scheib”), US PG Publication 20160359697A1. Regarding claim 11, Scheib teaches a non-transitory machine-readable medium, comprising executable instructions that, when executed by a processing system including a processor, facilitate performance of operations, the operations comprising: receiving production flow data corresponding to current network traffic arriving at a network [Scheib ¶¶0014 0029-0030 0042 network traffic data and associated host, process, and/or user data; as well as corresponding data is collected from multiple vantage point at sensors 204, is captured and analyzed to determine up-to-date application topology and provide a comprehensive view of network behavior.]; providing the production flow data to a classifier [Scheib ¶¶0048-0049 network traffic is provided to analytics engine 210 to observe, analyze, detect and train a classifier]; receiving, from the classifier, inferred labels for flows of the production flow data [Scheib ¶0049 the analytics engine 210 may be used to identify observations which differ from other examples in a dataset; a training set of example data with known outlier labels exists, supervised anomaly detection techniques may be used based on supervised anomaly detection techniques used to train a classifier. Examiner uses BRI to interpret inferred labels as a label or annotation that is not explicitly stated in the original process description or diagram, but is logically deduced from the sequence of steps, inputs, outputs, and relationships between them; derived from the context.]; and based on a relationship between the inferred labels for the flows of the production flow data and labels for flows from known malicious activity, identifying in the production flow data a potential cyber threat to the enterprise network. [Scheib ¶¶0048-0049 the analytics engine 210 observe and analyze network traffic and corresponding data to recognize when the network is under attack to identify data sets labeled as normal and abnormal; where a variety of different attacks expose vulnerabilities that could compromise the security of computer networks] Regarding claim 18, Scheib teaches a method, comprising: receiving, by a processing system including a processor [Scheib et al 20160359697 A1 ¶0035 Fig. 2 shows a network traffic monitoring system 200. Figs. 7A and 7B ¶¶0123-0124 and 0130 computing system 700 include a processing unit (CPU or processor) 710], ground truth information about known malicious activity in data networks [Scheib ¶¶0029 0039-0041 sensors 204 monitor, sniff and capture network traffic and corresponding data from sampled packets communicated between nodes. ¶¶0112 0115 0117 0124 the network may utilize historical ground truth flows for simulating network traffic based on what if experiments. The data and network traffic can be evaluated using machine learning to determine an minimum description length principle (MDL) score for potential clustering to determine if the network environment is vulnerability to attacks. Examiner cites to specification, ¶0035 where samples of malicious traffic is referred to as ground truth that are processed to automatically classify the type of traffic such that it is given a label with a meaningful name]; identifying, by the processing system, cluster labels for the ground truth information [Scheib ¶0109 the clustering stage 408 can also include a determination of the optimal clustering given the optimal number of clusters determined via MDL theory or another suitable technique. After clusters are identified, the data pipeline 400 can include a post-processing stage 410. The post-processing stage 410 can include tasks such as naming or labeling clusters]; receiving, by the processing system, production flow data corresponding to current network traffic arriving at a network, the production flow data comprising flows of the production flow data [Scheib Figs. 2 and 3 ¶¶0042-0045 0060 0065-0066 application dependency mapping (ADM) module 240 of network traffic monitoring system 200 receives, verifies, assess, analyzes and assembles flow data set and corresponding data from multiple sensors 204. ADM module 240 may analyze the input data to determine that there is first traffic flowing between external endpoints on port 80 of the first endpoints corresponding to Hypertext Transfer Protocol (HTTP) requests and responses. Such as the network traffic monitoring system 200 of FIG. 2, can be implemented in the network environment 300]; determining, by the processing system, cluster identifiers for flows of the production flow data [Scheib See ¶¶0028 and 0031 clustering; ¶0040 sensors 204 determine additional data for each session, flow, packet, cluster information, or other information corresponding to each flow. Examiner interprets the cluster information as analogous to cluster identifiers.]; and based on relationships between the cluster labels for the ground truth information and the cluster identifiers for the flows of the production flow data, identifying, by the processing system, a potential cyber threat to the network. [Scheib, ¶¶0054 0057 0081-0082 0109 0112 an IP watch list associated with a security threat; the network may utilize historical ground truth flows for simulating network traffic based on what if experiments. The pre-processing 406 stage can identify selected nodes to extract feature vectors and exiting clusters of captured flow data] Regarding claim 19, Scheib teaches claim 18 as described above. comprising: clustering, by the processing system, the production flow data based on common features among flows of the production flow data [Scheib ¶0031 performing similar workload having similar network and security limitation (i.e. policies)]. Regarding claim 20, Scheib teaches claim 18 as described above. comprising: receiving, by the processing system, information about a confidence in a cluster identifier for a flow of the production flow data [Scheib Fig. 4 shows clustering process in an application dependency map shows data collection 402, clustering 408 and post-processing 410 ¶¶0080 0084 0087 and 0091-0092 partition clustering approaches: density-based clustering (e.g., expectation (E) maximization (M) (EM) or DBSCAN) where an iterative process finds maximum likelihood of estimates of parameters in a statistical model]; assigning, by the processing system, the flow of the production flow data as an outlier flow [Scheib ¶0090 clustering process alternate steps, assigns, and updates]; and forming, by the processing system, a plurality of outlier flows into a new cluster based on a probability of the outlier flow belonging to a previously known cluster identifier [Scheib ¶0049 outliers; ¶0086 interconnected group of functions or classifiers merge overlapping detections, combining results from different networks using neural network-based approaches: probabilistic decision-based neural network (PDBNN)]. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows: 1. Determining the scope and contents of the prior art. 2. Ascertaining the differences between the prior art and the claims at issue. 3. Resolving the level of ordinary skill in the pertinent art. 4. Considering objective evidence present in the application indicating obviousness or nonobviousness. Claim(s) 1-3, 5, and 9-10 are rejected under 35 U.S.C. 103 as being unpatentable over Scheib et al, hereinafter (“Scheib”), US PG Publication 20160359697A1, in view of Dods et al, hereinafter (“Dods”), US Patent 11769577 B1. Regarding claim 1, Scheib teaches a device, comprising: a device, comprising: a processing system including a processor; and a memory that stores executable instructions that, when executed by the processing system, facilitate performance of operations, the operations comprising: [Scheib et al 20160359697 A1 ¶0035 Fig. 2 shows a network traffic monitoring system 200. Figs. 7A and 7B ¶¶0123-0124 and 0130 computing system 700 include a processing unit (CPU or processor) 710] receiving information about known malicious activity, the information about known malicious activity corresponding to a known cyber threat to operation of a network or data processing system [Scheib ¶¶0029 0039-0041 sensors 204 monitor, sniff and capture network traffic and corresponding data from sampled packets communicated between nodes. ¶¶0112 0115 0117 0124 the network may utilize historical ground truth flows for simulating network traffic based on what if experiments. The data and network traffic can be evaluated using machine learning to determine an minimum description length principle (MDL) score for potential clustering to determine if the network environment is vulnerability to attacks. Examiner cites to specification, ¶0035 where samples of malicious traffic is referred to as ground truth that are processed to automatically classify the type of traffic such that it is given a label with a meaningful name]; using a clustering process to label flow data for identifying the information about known malicious activity, forming cluster labels [Scheib ¶0109 the clustering stage 408 can also include a determination of the optimal clustering given the optimal number of clusters determined via MDL theory or another suitable technique. After clusters are identified, the data pipeline 400 can include a post-processing stage 410. The post-processing stage 410 can include tasks such as naming or labeling clusters] receiving production flow data corresponding to current network traffic arriving at the network or the data processing system [Scheib Figs. 2 and 3 ¶¶0042-0045 0060 0065-0066 application dependency mapping (ADM) module 240 of network traffic monitoring system 200 receives, verifies, assess, analyzes and assembles flow data set and corresponding data from multiple sensors 204. ADM module 240 may analyze the input data to determine that there is first traffic flowing between external endpoints on port 80 of the first endpoints corresponding to Hypertext Transfer Protocol (HTTP) requests and responses. Such as the network traffic monitoring system 200 of FIG. 2, can be implemented in the network environment 300]; While Scheib teaches cluster identifiers [Scheib See ¶0040 sensors 204 determine additional data for each session, flow, packet, cluster information, or other information corresponding to each flow. Examiner interprets the cluster information as analogous to cluster identifiers.]; however, Scheib fails to explicitly teach determining cluster identifiers for the production flow but Dods teaches determining clusters and cluster identifiers for the production flow data [Dods col 44, lines 39-43 Clustering Identification: block level events are detected in blockchain ledger by clustering blocks according to numerous possible factors and patterns. Col 45, lines 47-55 similarities identified in clusters indicate an event.]; identifying a relationship between a cluster label for the information about known malicious activity and a cluster identifier for the production flow data [Dods col 7, lines 30-48 classifiers can be trained to classify “good” e.g., authentic, vs. “bad” e.g., fraudfeasor. A machine intelligence process can include using a training set of example submissions of evidence and ground truth outcomes; identifying patterns in data points indicating clusters of data, and applying a label to each cluster…]; and based on the relationship between the cluster label for the information about known malicious activity and the cluster identifier [See Dods col 7, lines 30-48; col 44, lines 39-43; and col 45, lines 47-55], identifying a potential cyber threat to the network or the data processing system. [Dods col 47, lines 48-50 and 55-65 classifiers applied to data points determine events of interest and triggering resident applications; where atypical transaction can be flagged for possible review to catch malicious activity]; Scheib teaches all the features of claim 1 not determining clusters and cluster identifiers for the production flow data; identifying a relationship between a cluster label for the information about known malicious activity and a cluster identifier for the production flow data; and based on the relationship between the cluster label for the information about known malicious activity and the cluster identifier. Scheib teaches a Minimum description length (MDL)-based clustering for application dependency mapping. Dods teaches decentralized identity authentication framework for distributed data. Because both Scheib and Dods teach clustering concepts, it would have been obvious to one skilled in the art before the effective filing date of the claimed invention was made to use the clustering algorithms and other ML techniques together as taught by Dods to improve the accuracy and may detect potential cyber threats [Dods, col 7, lines 30-48; col 44, lines 39-43; col 45, lines 47-55; and col 47, lines 48-50 and 55-65]. Regarding claim 2, the combination of Scheib and Dods teach claim 1 as described above. While Scheib teaches cluster identifiers [Scheib See ¶0040 sensors 204 determine additional data for each session, flow, packet, cluster information, or other information corresponding to each flow. Examiner interprets the cluster information as analogous to cluster identifiers.]; however, Scheib fails to explicitly teach wherein the operations further comprise: based on the relationship between the cluster label for the information about known malicious activity and the cluster identifier, providing contextualizing information regarding the production flow data based on the information about known malicious activity as an alert to a potential cyber threat [See Dods col 47, lines 48-50 and 55-65 classifiers applied to data points determine events of interest and triggering resident applications; where atypical transaction can be flagged for possible review to catch malicious activity]. Scheib teaches all the features of claim 1 not wherein the operations further comprise: based on the relationship between the cluster label for the information about known malicious activity and the cluster identifier, providing contextualizing information regarding the production flow data based on the information about known malicious activity as an alert to a potential cyber threat. Scheib teaches a Minimum description length (MDL)-based clustering for application dependency mapping. Dods teaches decentralized identity authentication framework for distributed data. Because both Scheib and Dods teach clustering concepts, it would have been obvious to one skilled in the art before the effective filing date of the claimed invention was made to use the clustering algorithms and other ML techniques together as taught by Dods to improve the accuracy and may detect potential cyber threats [Dods, col 7, lines 30-48; col 44, lines 39-43; col 45, lines 47-55; and col 47, lines 48-50 and 55-65]. Regarding claim 3, the combination of Scheib and Dods teach claim 1 as described above. Scheib teaches wherein the operations further comprise: determining a confidence parameter for the clusters and cluster identifiers for the production flow data [Dods, col 47, lines 41-45 and 58-63 continuously training of a classifier include a neural network with at least some of the clusters and the labels (labelled patterns); where employed learned data identify and compute confidence scores to score transactions Scheib ¶¶0024-0026 0033 EPGs 108 are collection of endpoint connections providing logical groupings for objects that require similar policy/policies 110. Examiner interprets the number of connections as analogous to a confidence parameter]; collecting, from the production flow data, a plurality of outlier flows, each outlier flow having a confidence parameter that does not exceed a confidence threshold, forming an outlier pool [Dods, col 47, lines 1-20 at blocks 1234a, received data X comprises 1024-dimensional data that is compressed and reconstructed, and at 1235a employed by an autoencoder, against a threshold to determine an unhealthy/under attack or healthy data. Examiner interprets the analysis of the data X to determine whether data X minimum has having a healthy/unhealthy state is analogous to a confidence threshold forming an outlier pools]. Scheib teaches all the features of claim 1 not wherein the operations further comprise: determining a confidence parameter for the clusters and cluster identifiers for the production flow data; collecting, from the production flow data, a plurality of outlier flows, each outlier flow having a confidence parameter that does not exceed a confidence threshold, forming an outlier pool; and determining additional clusters based on the outlier pool. Scheib teaches a Minimum description length (MDL)-based clustering for application dependency mapping. Dods teaches decentralized identity authentication framework for distributed data. Because both Scheib and Dods teach clustering concepts, it would have been obvious to one skilled in the art before the effective filing date of the claimed invention was made to use the clustering algorithms and other ML techniques together as taught by Dods to improve the accuracy and may detect potential cyber threats [Dods, col 7, lines 30-48; col 44, lines 39-43; col 45, lines 47-55; and col 47, lines 48-50 and 55-65]. Regarding claim 5, the combination of Scheib and Dods teach claim 1 as described above. Scheib teaches wherein the receiving information about known malicious activity comprises: receiving information about network traffic generated by a malicious source accessed in a contained environment [Scheib ¶¶0048 0051 and 0053 fetched or pulled raw traffic which may be associated with malicious and corresponding data from the collectors from out-of-band data sources 214 and the third party data sources 216; flow attributes 232]. Regarding claim 9, the combination of Scheib and Dods teach claim 1 as described above. Scheib teaches wherein the operations further comprise: taking action to prevent actual damage to the network or the processing system from the potential cyber threat [Scheib ¶0112 network determines policy changes correct misconfigurations and prevent attacks that occurred in the actual network]. Regarding claim 10, the combination of Scheib and Dods teach claim 9 as described above. Scheib teaches wherein the taking action to prevent actual damage comprises: identifying internet protocol (IP) addresses associated with the potential cyber threat [Scheib ¶0016 policies set forth rules on IP addresses to allow or deny certain types of traffic]; and suspending access to the network or data processing system from the IP addresses associated with the potential cyber threat [Scheib ¶¶0024 and 0026 additional policy configurations provided by policy management model 100 include policies 110 based on blacklist rules or whitelist rules, which deny or explicitly denies traffic]. Claims 6-7 are rejected under 35 U.S.C. 103 as being unpatentable over Scheib et al, hereinafter (“Scheib”), US PG Publication 20160359697A1, in view of Dods et al, hereinafter (“Dods”), US Patent 11769577 B1, in view of Bilge et al, hereinafter (“Bilge”), US Patent 11025649 B1. Regarding claim 6, the combination of Scheib and Kling teach claim 5 as described above. However, the combination of Scheib and Kling fail to explicitly teach but Blige teaches wherein the receiving information about known malicious activity comprises: receiving, from an open source sandbox, information about an executable file executed in the contained environment of the open source sandbox; or receiving, from the open source sandbox, information about a suspicious network location (URL) accessed in the contained environment of the open source sandbox [See Bilge et al 11025649 B1 col 4, lines 45-55“…input dynamic traces generated by a malware analysis product…an open source sandbox/malware analysis products is Cuckoo..]. Scheib teaches all the features of claim 1 not wherein the receiving information about known malicious activity comprises: receiving, from an open source sandbox, information about an executable file executed in the contained environment of the open source sandbox; or receiving, from the open source sandbox, information about a suspicious network location (URL) accessed in the contained environment of the open source sandbox. Scheib teaches a Minimum description length (MDL)-based clustering for application dependency mapping. Dods teaches decentralized identity authentication framework for distributed data. Bilge teaches systems and methods for malware classification. Because Scheib, Dods and Bilge teach clustering concepts, it would have been obvious to one skilled in the art before the effective filing date of the claimed invention was made to use the clustering algorithms and other techniques employed by more supervised recurrent neural network module together as taught by Bilge to improve the accuracy and may detect potential cyber threats [Bilge, col 4, lines 18-24]. Regarding claim 7, the combination of Scheib, Kling, and Bilge teach claim 6 as described above. However, the combination of Scheib and Kling fail to explicitly teach but Blige teaches wherein the operations further comprise: receiving the information about network traffic generated by a malicious source in an IP packet [Bilge col 4, lines 45-55 “receiving an input dynamic traces…(iv) list of IP addresses contacted …(iv) list of IP addresses contacted”]; and converting the information from the first format to flow data [Bilge col 4, lines 37-41 “A supervised neural network may accept as input a sample pair (X, Y) and seek to find a mapping that matches the input data…” Examiner interprets the mapping function matching input as analogous to converting the information from the first format to flow data]. Scheib teaches all the features of claim 1 not wherein the operations further comprise: receiving the information about network traffic generated by a malicious source in an IP packet; and converting the information from the first format to flow data. Scheib teaches a Minimum description length (MDL)-based clustering for application dependency mapping. Dods teaches decentralized identity authentication framework for distributed data. Bilge teaches systems and methods for malware classification. Because Scheib, Dods and Bilge teach clustering concepts, it would have been obvious to one skilled in the art before the effective filing date of the claimed invention was made to use the clustering algorithms and other techniques employed by more supervised recurrent neural network module together as taught by Bilge to improve the accuracy and may detect potential cyber threats [Bilge, col 4, lines 18-24]. Claim(s) 12-16 are rejected under 35 U.S.C. 103 as being unpatentable over Scheib et al, hereinafter (“Scheib”), US PG Publication 20160359697A1, in view of Kling et al, hereinafter (“Kling”), European Patent Application EP3834401 B1. Regarding claim 12, Scheib teaches claim 11 as described above. Scheib teaches receiving, from the classifier, the inferred labels for flows of the production and ground truth flow data, the inferred labels having been generated by the classifier based on the training data such that flows with the same inferred labels can be considered having the same or similar origin [See Scheib ¶¶0042-0045 network traffic monitoring system 200 receives, verifies, assess, and assembles flow data set and corresponding data from multiple sensors 204. ¶0049 outlier labels]; however, Scheib fails to explicitly teach but Kling teaches wherein the operations further comprise: providing the training flow data to a clustering process to identify relationships between features of the production flow data and to produce clustered data having corresponding labels [Kling EP3834401 B1 ¶¶0034-0035 0040 0042 0049 and Fig. 4a PHOSITA one or more detection algorithms 221: clustering algorithms (e.g., hierarchical learning) of known suspicious/malicious patterns (provided as training patterns) or activity (i.e., tag or labeled data) or potentially detected suspicious/malicious activity, using a supervised learning method]; providing features identified by the clustering process and the corresponding labels to the classifier as training data for the classifier [Kling EP3834401 B1 ¶0034 classification algorithms (e.g., decision trees); ¶0042 sensor data patterns are provided as training patterns input into one or more ML algorithms 221 into the cybersecurity process 220]. Scheib teaches all the features of claims 11 and 18 not providing the training flow data to a clustering process to identify relationships between features of the production flow data and to produce clustered data having corresponding labels; providing features identified by the clustering process and the corresponding labels to the classifier as training data for the classifier; and receiving, from the classifier, the inferred labels for flows of the production and ground truth flow data, the inferred labels having been generated by the classifier based on the training data such that flows with the same inferred labels can be considered having the same or similar origin. Scheib teaches Minimum description length (MDL)-based clustering for application dependency mapping. Kling teaches an Industrial system event detection and corresponding response. Because both Scheib and Kling are from the same field of endeavor, it would have been obvious to one skilled in the art before the effective filing date of the claimed invention was made to use the classification algorithms to improve labeling of the training data [Kling ¶¶0033-0035]. Regarding claim 13, Scheib teaches claim 11 as described above. Scheib teaches wherein the operations further comprise: receiving, from the classifier, information about a confidence in an inferred label for a flow of the production flow data [Scheib Fig. 4 shows clustering process in an application dependency map shows data collection 402, clustering 408 and post-processing 410 ¶¶0080 0084 0087 and 0091-0092 partition clustering approaches: density-based clustering (e.g., expectation (E) maximization (M) (EM) or DBSCAN) where an iterative process finds maximum likelihood of estimates of parameters in a statistical model]; assigning the flow of the production flow data as an outlier flow [Scheib ¶0090 clustering process alternate steps, assigns, and updates]; and forming a plurality of outlier flows into a new cluster [Scheib ¶0086 interconnected group of functions or classifiers merge overlapping detections, combining results from different networks using neural network-based approaches: probabilistic decision-based neural network (PDBNN)]. Regarding claim 14, Scheib teaches claim 13 as described above. Scheib teaches wherein the operations further comprise: for each outlier flow, determining a probability of the outlier flow belonging to a previously known label of the corresponding labels [Scheib ¶0080 authorized user may configure an ADM run by selecting the date range of the flow data and associated data to analyze; previously identified clusters during the ADM input data stage 404. ¶0109 post-processing stage 410 can include tasks such as naming or labeling clusters,]; and based on the probability, associating the outlier flow with outlier flows of the plurality of outlier flows to form the new cluster [See Scheib ¶0109-0110 identifying cluster edges; and validating the clusters, such as by calculating silhouette scores; edit/creation of cluster in presentation stage 412. Examiner interprets the edits/creation of cluster is analogous to forming a new cluster]. Regarding claim 15, Scheib teaches claim 11 as described above. Scheib teaches wherein the operations further comprise: identifying suggested malware activity associated with the potential cyber threat [See Scheib, ¶¶0054 0057 0081-0082 0109 0112]; and retrieving current network activity to identify the suggested malware activity occurring in the network [See Scheib, ¶¶0054 0057 0081-0082 0109 0112]. Regarding claim 16, the combination of Scheib and Kling teach claim 11 as described above. Scheib teaches wherein the operations further comprise: receiving information about the known malicious activity, the information about the known malicious activity corresponding to a known cyber threat [See Scheib, ¶¶0048-0049 0054 0057 0081-0082 0109 0112]; identifying cluster labels for the information about known malicious activity [See Scheib ¶¶0029 0039-0041 and ¶¶0112 0115 0117 0124]. While Scheib teaches contextualizing information based about known malicious activity [See Scheib ¶¶0023 and0039 captured network traffic include metadata relating to a collection of packets, a flow, a session…; also include summaries of network activity or other network statistics, based on data patterns and behaviors for known threats]; however, Scheib fails to explicitly teach but Kling teaches based on a relationship between the cluster labels for the information about known malicious activity and the inferred labels for flows of the production flow data, generating contextualizing information regarding the production flow data based on the information about known malicious activity as an alert about the potential cyber threat [Kling ¶0033 a reading that deviates from the process range in an unusual pattern may indicate a possible cyber-attack. ¶0035 The threat patterns may also be sent to the processing environment 240 for storage and further processing and verification. Alert messages may likewise be sent to the processing environment 240 for further processing.]. Scheib teaches all the features of claim 1 not based on a relationship between the cluster labels for the information about known malicious activity and the inferred labels for flows of the production flow data, generating contextualizing information regarding the production flow data based on the information about known malicious activity as an alert about the potential cyber threat. Scheib teaches a Minimum description length (MDL)-based clustering for application dependency mapping. Kling teaches industrial system event detection and corresponding response. Because both Scheib and Kling teach clustering concepts and from the same field of endeavor, it would have been obvious to one skilled in the art before the effective filing date of the claimed invention was made to use the clustering algorithms and other ML techniques together as taught by Kling to improve how effective information is contextualized regarding the production flow data based on the information about known malicious activity as an alert about the potential cyber threat [Kling ¶¶0033-0034]. Conclusion The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Jakobsson et al 10880322 B1 teaches Automated tracking of interaction with a resource of a message. Any inquiry concerning this communication or earlier communications from the examiner should be directed to SAKINAH WHITE-TAYLOR whose telephone number is (571)270-0682. The examiner can normally be reached Monday-Friday, 10:45a-6:45p. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, CATHERINE THIAW can be reached at 571-270-1138. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. SAKINAH WHITE-TAYLOR Primary Examiner Art Unit 2407 /Sakinah White-Taylor/Primary Examiner, Art Unit 2407
Read full office action

Prosecution Timeline

Jul 15, 2024
Application Filed
Apr 28, 2026
Non-Final Rejection mailed — §101, §102, §103
Jun 30, 2026
Examiner Interview Summary
Jun 30, 2026
Applicant Interview (Telephonic)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12659303
ELECTRONIC CONTROL UNIT, AUTHENTICATION METHOD, AND NON-TRANSITORY COMPUTER-READABLE STORAGE MEDIUM STORING AUTHENTICATION PROGRAM
2y 2m to grant Granted Jun 16, 2026
Patent 12659177
SYSTEMS AND METHODS USING SEARCH ENGINES TO GENERATE CRYPTOGRAPHIC KEYS FROM ERRATIC PHYSICAL UNCLONABLE FUNCTIONS
1y 8m to grant Granted Jun 16, 2026
Patent 12641102
MONITORING APPARATUS AND MONITORING METHOD
2y 6m to grant Granted May 26, 2026
Patent 12614001
METHODS AND SYSTEMS FOR RUNNING SECURE PIPELINE TASKS AND INSECURE PIPELINE TASKS IN THE SAME HARDWARE ENTITIES
3y 0m to grant Granted Apr 28, 2026
Patent 12614002
Security Isolation Apparatus and Method
2y 10m to grant Granted Apr 28, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

1-2
Expected OA Rounds
87%
Grant Probability
99%
With Interview (+23.2%)
2y 6m (~6m remaining)
Median Time to Grant
Low
PTA Risk
Based on 383 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month