Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Information Disclosure Statement
The IDS filed July 16, 2024 has been considered.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The filing of a terminal disclaimer by itself is not a complete reply to a nonstatutory double patenting (NSDP) rejection. A complete reply requires that the terminal disclaimer be accompanied by a reply requesting reconsideration of the prior Office action. Even where the NSDP rejection is provisional the reply must be complete. See MPEP § 804, subsection I.B.1. For a reply to a non-final Office action, see 37 CFR 1.111(a). For a reply to final Office action, see 37 CFR 1.113(c). A request for reconsideration while not provided for in 37 CFR 1.113(c) may be filed after final for consideration. See MPEP §§ 706.07(e) and 714.13.
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The actual filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/apply/applying-online/eterminal-disclaimer.
Claims 1-17 are rejected on the ground of nonstatutory double patenting as being unpatentable over claim 1-20 of U.S. Patent No. 12,095,607. Although the claims at issue are not identical, they are not patentably distinct from each other because the claims in the present application are fully anticipated by the patent. Please see the correspondence table below. The only difference is the claim combination. For example, claims 1 and 2 combination of the present application is anticipated by claims 1-3 combination of the patent. Before the effective filing date of the invention, one of ordinary skill in the art would be motivated to present claim in different variation in order to expand patent protection.
Present Application
U.S. Patent No. 12,095,607
1. A system for anomaly recognition in network topologies using interactive visualization, the system comprising: a processing device; a non-transitory storage device containing instructions when executed by the processing device, causes the processing device to: determine that an end-point device is associated with anomalous activity; capture, using a virtual reality application installed on a user input device, real-time network traffic associated with the end-point device; generate a multi-dimensional model of the real-time network traffic associated with the end-point device, wherein the multi-dimensional model comprises a stack of data layers for visualization of the real-time network traffic, wherein the stack of data layers comprises a network topology layer, a network traffic layer, a performance metric layer, an incident layer, an application data layer, and nodal information layer; display, via the virtual reality application, the multi-dimensional model to a user; isolate, using the virtual reality application, network traffic associated with the anomalous activity; initiate spatial and temporal traffic analysis on the anomalous activity; determine a remedial action based on the spatial and temporal traffic analysis to mitigate effects of the anomalous activity; and implement the remedial action on the end-point device.
2. The system of claim 1, wherein executing the instructions further causes the processing device to: determine, using the virtual reality application, an initiator and a recipient associated with the anomalous activity based on the spatial and temporal traffic analysis; initiate an access management evaluation on the initiator and the recipient; determine access controls associated with the initiator and the recipient contributing to the anomalous activity; and initiate a reassessment of the access controls associated with the initiator and the recipient.
3. The system of claim 1, wherein executing the instructions further causes the processing device to: receive, via the user input device, a user selection of one or more data layers from the stack of data layers; generate the multi-dimensional model of the real-time network traffic by overlaying the one or more data layers on one another; and display, via the virtual reality application, the multi-dimensional model with the one or more data layers overlaid on one another to the user.
4. The system of claim 1, wherein executing the instructions further causes the processing device to: determine that the end-point device is associated with a device administrator; trigger an access prompt on a computing device associated with the device administrator to allow the device administrator to access the multi-dimensional model of the real-time network traffic; receive a request from the computing device of the device administrator to access the multi-dimensional model in response to the access prompt; and generate a controlled access version of the multi-dimensional model of the real-time network traffic in response to the request.
5. The system of claim 4, wherein a level of access associated with the controlled access version of the multi-dimensional model is based on an authorization level of the device administrator.
6. The system of claim 1, wherein executing the instructions further causes the processing device to: isolate the end-point device in response to determining that the end-point device is associated with anomalous activity; and implement the remedial action on the isolated end-point device to mitigate the effects of the anomalous activity.
7. A computer program product for anomaly recognition in network topologies using interactive visualization, the computer program product comprising a non-transitory computer-readable medium comprising code causing an apparatus to: determine that an end-point device is associated with anomalous activity; capture, using a virtual reality application installed on a user input device, real-time network traffic associated with the end-point device; generate a multi-dimensional model of the real-time network traffic associated with the end-point device, wherein the multi-dimensional model comprises a stack of data layers for visualization of the real-time network traffic, wherein the stack of data layers comprises a network topology layer, a network traffic layer, a performance metric layer, an incident layer, an application data layer, and nodal information layer; display, via the virtual reality application, the multi-dimensional model to a user; isolate, using the virtual reality application, network traffic associated with the anomalous activity; initiate spatial and temporal traffic analysis on the anomalous activity; determine a remedial action based on the spatial and temporal traffic analysis to mitigate effects of the anomalous activity; and implement the remedial action on the end-point device.
8. The computer program product of claim 7, wherein the code further causes the apparatus to: determine, using the virtual reality application, an initiator and a recipient associated with the anomalous activity based on the spatial and temporal traffic analysis; initiate an access management evaluation on the initiator and the recipient; determine access controls associated with the initiator and the recipient contributing to the anomalous activity; and initiate a reassessment of the access controls associated with the initiator and the recipient.
9. The computer program product of claim 7, wherein the code further causes the apparatus to: receive, via the user input device, a user selection of one or more data layers from the stack of data layers; generate the multi-dimensional model of the real-time network traffic by overlaying the one or more data layers on one another; and display, via the virtual reality application, the multi-dimensional model with the one or more data layers overlaid on one another to the user.
10. The computer program product of claim 7, wherein the code further causes the apparatus to: determine that the end-point device is associated with a device administrator; trigger an access prompt on a computing device associated with the device administrator to allow the device administrator to access the multi-dimensional model of the real-time network traffic; receive a request from the computing device of the device administrator to access the multi-dimensional model in response to the access prompt; and generate a controlled access version of the multi-dimensional model of the real-time network traffic in response to the request.
11. The computer program product of claim 10, wherein a level of access associated with the controlled access version of the multi-dimensional model is based on an authorization level of the device administrator.
12. The computer program product of claim 7, wherein the code further causes the apparatus to: isolate the end-point device in response to determining that the end-point device is associated with anomalous activity; and implement the remedial action on the isolated end-point device to mitigate the effects of the anomalous activity.
13. A method for anomaly recognition in network topologies using interactive visualization, the method comprising: determining that an end-point device is associated with anomalous activity; capturing, using a virtual reality application installed on a user input device, real-time network traffic associated with the end-point device; generating a multi-dimensional model of the real-time network traffic associated with the end-point device, wherein the multi-dimensional model comprises a stack of data layers for visualization of the real-time network traffic, wherein the stack of data layers comprises a network topology layer, a network traffic layer, a performance metric layer, an incident layer, an application data layer, and nodal information layer; displaying, via the virtual reality application, the multi-dimensional model to a user; isolating, using the virtual reality application, network traffic associated with the anomalous activity; initiating spatial and temporal traffic analysis on the anomalous activity; determining a remedial action based on the spatial and temporal traffic analysis to mitigate effects of the anomalous activity; and implementing the remedial action on the end-point device.
14. The method of claim 13, wherein the method further comprises: determining, using the virtual reality application, an initiator and a recipient associated with the anomalous activity based on the spatial and temporal traffic analysis; initiating an access management evaluation on the initiator and the recipient; determining access controls associated with the initiator and the recipient contributing to the anomalous activity; and initiating a reassessment of the access controls associated with the initiator and the recipient.
15. The method of claim 13 further comprising: receiving, via the user input device, a user selection of one or more data layers from the stack of data layers; generating the multi-dimensional model of the real-time network traffic by overlaying the one or more data layers on one another; and displaying, via the virtual reality application, the multi-dimensional model with the one or more data layers overlaid on one another to the user.
16. The method of claim 13 further comprising: determining that the end-point device is associated with a device administrator; triggering an access prompt on a computing device associated with the device administrator to allow the device administrator to access the multi-dimensional model of the real-time network traffic; receiving a request from the computing device of the device administrator to access the multi-dimensional model in response to the access prompt; and generating a controlled access version of the multi-dimensional model of the real-time network traffic in response to the request.
17. The method of claim 16, wherein a level of access associated with the controlled access version of the multi-dimensional model is based on an authorization level of the device administrator.
1. A system for anomaly recognition in network topologies using interactive visualization, the system comprising: a processing device; a non-transitory storage device containing instructions when executed by the processing device, causes the processing device to: determine that an end-point device is associated with anomalous activity; capture, using a virtual reality application installed on a user input device, real-time network traffic associated with the end-point device; isolate, using the virtual reality application, network traffic associated with the anomalous activity; initiate spatial and temporal traffic analysis on the anomalous activity; determine, using the virtual reality application, an initiator and a recipient associated with the anomalous activity based on the spatial and temporal traffic analysis; initiate an access management evaluation on the initiator and the recipient; determine access controls associated with the initiator and the recipient contributing to the anomalous activity; initiate a reassessment of the access controls associated with the initiator and the recipient; determine a remedial action based on the spatial and temporal traffic analysis to mitigate effects of the anomalous activity; and implement the remedial action on the end-point device.
2. The system of claim 1, wherein executing instructions to capture the real-time network traffic further causes the processing device to: generate a multi-dimensional model of the real-time network traffic associated with the end-point device; and display, via the virtual reality application, the multi-dimensional model to a user.
3. The system of claim 2, wherein the multi-dimensional model further comprises a stack of data layers for visualization of the real-time network traffic, wherein the stack of data layers comprises a network topology layer, a network traffic layer, a performance metric layer, an incident layer, an application data layer, and nodal information layer.
4. The system of claim 3, wherein executing the instructions further causes the processing device to: receive, via the user input device, a user selection of one or more data layers from the stack of data layers; generate the multi-dimensional model of the real-time network traffic by overlaying the one or more data layers on one another; and display, via the virtual reality application, the multi-dimensional model with the one or more data layers overlaid on one another to the user.
5. The system of claim 2, wherein executing the instructions further causes the processing device to: determine that the end-point device is associated with a device administrator; trigger an access prompt on a computing device associated with the device administrator to allow the device administrator to access the multi-dimensional model of the real-time network traffic; receive a request from the computing device of the device administrator to access the multi-dimensional model in response to the access prompt; and generate a controlled access version of the multi-dimensional model of the real-time network traffic in response to the request.
6. The system of claim 5, wherein a level of access associated with the controlled access version of the multi-dimensional model is based on an authorization level of the device administrator.
7. The system of claim 1, wherein executing the instructions further causes the processing device to: isolate the end-point device in response to determining that the end-point device is associated with anomalous activity; and implement the remedial action on the isolated end-point device to mitigate the effects of the anomalous activity.
8. A computer program product for anomaly recognition in network topologies using interactive visualization, the computer program product comprising a non-transitory computer-readable medium comprising code causing an apparatus to: determine that an end-point device is associated with anomalous activity; capture, using a virtual reality application installed on a user input device, real-time network traffic associated with the end-point device; isolate, using the virtual reality application, network traffic associated with the anomalous activity; initiate spatial and temporal traffic analysis on the anomalous activity; determine, using the virtual reality application, an initiator and a recipient associated with the anomalous activity based on the spatial and temporal traffic analysis; initiate an access management evaluation on the initiator and the recipient; determine access controls associated with the initiator and the recipient contributing to the anomalous activity; and initiate a reassessment of the access controls associated with the initiator and the recipient; determine a remedial action based on the spatial and temporal traffic analysis to mitigate effects of the anomalous activity; and implement the remedial action on the end-point device.
9. The computer program product of claim 8, wherein the code further causes the apparatus to: generate a multi-dimensional model of the real-time network traffic associated with the end-point device; and display, via the virtual reality application, the multi-dimensional model to a user.
10. The computer program product of claim 9, wherein the multi-dimensional model further comprises a stack of data layers for visualization of the real-time network traffic, wherein the stack of data layers comprises a network topology layer, a network traffic layer, a performance metric layer, an incident layer, an application data layer, and nodal information layer.
11. The computer program product of claim 10, wherein the code further causes the apparatus to: receive, via the user input device, a user selection of one or more data layers from the stack of data layers; generate the multi-dimensional model of the real-time network traffic by overlaying the one or more data layers on one another; and display, via the virtual reality application, the multi-dimensional model with the one or more data layers overlaid on one another to the user.
12. The computer program product of claim 9, wherein the code further causes the apparatus to: determine that the end-point device is associated with a device administrator; trigger an access prompt on a computing device associated with the device administrator to allow the device administrator to access the multi-dimensional model of the real-time network traffic; receive a request from the computing device of the device administrator to access the multi-dimensional model in response to the access prompt; and generate a controlled access version of the multi-dimensional model of the real-time network traffic in response to the request.
13. The computer program product of claim 12, wherein a level of access associated with the controlled access version of the multi-dimensional model is based on an authorization level of the device administrator.
14. The computer program product of claim 8, wherein the code further causes the apparatus to: isolate the end-point device in response to determining that the end-point device is associated with anomalous activity; and implement the remedial action on the isolated end-point device to mitigate the effects of the anomalous activity.
15. A method for anomaly recognition in network topologies using interactive visualization, the method comprising: determining that an end-point device is associated with anomalous activity; capturing, using a virtual reality application installed on a user input device, real-time network traffic associated with the end-point device; isolating, using the virtual reality application, network traffic associated with the anomalous activity; initiating spatial and temporal traffic analysis on the anomalous activity; determining, using the virtual reality application, an initiator and a recipient associated with the anomalous activity based on the spatial and temporal traffic analysis; initiating an access management evaluation on the initiator and the recipient; determining access controls associated with the initiator and the recipient contributing to the anomalous activity; initiating a reassessment of the access controls associated with the initiator and the recipient; determining a remedial action based on the spatial and temporal traffic analysis to mitigate effects of the anomalous activity; and implementing the remedial action on the end-point device.
16. The method of claim 15, wherein the method further comprises: generating a multi-dimensional model of the real-time network traffic associated with the end-point device; and displaying, via the virtual reality application, the multi-dimensional model to a user.
17. The method of claim 16, wherein the multi-dimensional model further comprises a stack of data layers for visualization of the real-time network traffic, wherein the stack of data layers comprises a network topology layer, a network traffic layer, a performance metric layer, an incident layer, an application data layer, and nodal information layer.
18. The method of claim 17, wherein the method further comprises: receiving, via the user input device, a user selection of one or more data layers from the stack of data layers; generating the multi-dimensional model of the real-time network traffic by overlaying the one or more data layers on one another; and displaying, via the virtual reality application, the multi-dimensional model with the one or more data layers overlaid on one another to the user.
19. The method of claim 16, wherein the method further comprises: determining that the end-point device is associated with a device administrator; triggering an access prompt on a computing device associated with the device administrator to allow the device administrator to access the multi-dimensional model of the real-time network traffic; receiving a request from the computing device of the device administrator to access the multi-dimensional model in response to the access prompt; and generating a controlled access version of the multi-dimensional model of the real-time network traffic in response to the request.
20. The method of claim 19, wherein a level of access associated with the controlled access version of the multi-dimensional model is based on an authorization level of the device administrator.
Claim 1-16 are provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-18 of co-pending Application No. 18/774,051 (reference application). Please see the correspondence claim table below. Although the claims at issue are not identical, they are not patentably distinct from each other because both applications anticipate each other. The only difference is the claim combination. For example, claims 1 and 6 combination of the present application, is the same as claims 1, 3 and 4 combination of the co-pending application. This is an obvious variation. Before the effective filing date of the invention, one of ordinary skill in the art would have been motivated to present different claim variation in order to expand patent protection.
This is a provisional nonstatutory double patenting rejection because the patentably indistinct claims have not in fact been patented.
Present Application
co-pending Application No. 18/774,051
1. A system for anomaly recognition in network topologies using interactive visualization, the system comprising: a processing device; a non-transitory storage device containing instructions when executed by the processing device, causes the processing device to: determine that an end-point device is associated with anomalous activity; capture, using a virtual reality application installed on a user input device, real-time network traffic associated with the end-point device; generate a multi-dimensional model of the real-time network traffic associated with the end-point device, wherein the multi-dimensional model comprises a stack of data layers for visualization of the real-time network traffic, wherein the stack of data layers comprises a network topology layer, a network traffic layer, a performance metric layer, an incident layer, an application data layer, and nodal information layer; display, via the virtual reality application, the multi-dimensional model to a user; isolate, using the virtual reality application, network traffic associated with the anomalous activity; initiate spatial and temporal traffic analysis on the anomalous activity; determine a remedial action based on the spatial and temporal traffic analysis to mitigate effects of the anomalous activity; and implement the remedial action on the end-point device.
6. The system of claim 1, wherein executing the instructions further causes the processing device to: isolate the end-point device in response to determining that the end-point device is associated with anomalous activity; and implement the remedial action on the isolated end-point device to mitigate the effects of the anomalous activity.
2. The system of claim 1, wherein executing the instructions further causes the processing device to: determine, using the virtual reality application, an initiator and a recipient associated with the anomalous activity based on the spatial and temporal traffic analysis; initiate an access management evaluation on the initiator and the recipient; determine access controls associated with the initiator and the recipient contributing to the anomalous activity; and initiate a reassessment of the access controls associated with the initiator and the recipient.
3. The system of claim 1, wherein executing the instructions further causes the processing device to: receive, via the user input device, a user selection of one or more data layers from the stack of data layers; generate the multi-dimensional model of the real-time network traffic by overlaying the one or more data layers on one another; and display, via the virtual reality application, the multi-dimensional model with the one or more data layers overlaid on one another to the user.
4. The system of claim 1, wherein executing the instructions further causes the processing device to: determine that the end-point device is associated with a device administrator; trigger an access prompt on a computing device associated with the device administrator to allow the device administrator to access the multi-dimensional model of the real-time network traffic; receive a request from the computing device of the device administrator to access the multi-dimensional model in response to the access prompt; and generate a controlled access version of the multi-dimensional model of the real-time network traffic in response to the request.
5. The system of claim 4, wherein a level of access associated with the controlled access version of the multi-dimensional model is based on an authorization level of the device administrator.
7. A computer program product for anomaly recognition in network topologies using interactive visualization, the computer program product comprising a non-transitory computer-readable medium comprising code causing an apparatus to: determine that an end-point device is associated with anomalous activity; capture, using a virtual reality application installed on a user input device, real-time network traffic associated with the end-point device; generate a multi-dimensional model of the real-time network traffic associated with the end-point device, wherein the multi-dimensional model comprises a stack of data layers for visualization of the real-time network traffic, wherein the stack of data layers comprises a network topology layer, a network traffic layer, a performance metric layer, an incident layer, an application data layer, and nodal information layer; display, via the virtual reality application, the multi-dimensional model to a user; isolate, using the virtual reality application, network traffic associated with the anomalous activity; initiate spatial and temporal traffic analysis on the anomalous activity; determine a remedial action based on the spatial and temporal traffic analysis to mitigate effects of the anomalous activity; and implement the remedial action on the end-point device.
12. The computer program product of claim 7, wherein the code further causes the apparatus to: isolate the end-point device in response to determining that the end-point device is associated with anomalous activity; and implement the remedial action on the isolated end-point device to mitigate the effects of the anomalous activity.
8. The computer program product of claim 7, wherein the code further causes the apparatus to: determine, using the virtual reality application, an initiator and a recipient associated with the anomalous activity based on the spatial and temporal traffic analysis; initiate an access management evaluation on the initiator and the recipient; determine access controls associated with the initiator and the recipient contributing to the anomalous activity; and initiate a reassessment of the access controls associated with the initiator and the recipient.
9. The computer program product of claim 7, wherein the code further causes the apparatus to: receive, via the user input device, a user selection of one or more data layers from the stack of data layers; generate the multi-dimensional model of the real-time network traffic by overlaying the one or more data layers on one another; and display, via the virtual reality application, the multi-dimensional model with the one or more data layers overlaid on one another to the user.
10. The computer program product of claim 7, wherein the code further causes the apparatus to: determine that the end-point device is associated with a device administrator; trigger an access prompt on a computing device associated with the device administrator to allow the device administrator to access the multi-dimensional model of the real-time network traffic; receive a request from the computing device of the device administrator to access the multi-dimensional model in response to the access prompt; and generate a controlled access version of the multi-dimensional model of the real-time network traffic in response to the request.
11. The computer program product of claim 10, wherein a level of access associated with the controlled access version of the multi-dimensional model is based on an authorization level of the device administrator.
13. A method for anomaly recognition in network topologies using interactive visualization, the method comprising: determining that an end-point device is associated with anomalous activity; capturing, using a virtual reality application installed on a user input device, real-time network traffic associated with the end-point device; generating a multi-dimensional model of the real-time network traffic associated with the end-point device, wherein the multi-dimensional model comprises a stack of data layers for visualization of the real-time network traffic, wherein the stack of data layers comprises a network topology layer, a network traffic layer, a performance metric layer, an incident layer, an application data layer, and nodal information layer; displaying, via the virtual reality application, the multi-dimensional model to a user; isolating, using the virtual reality application, network traffic associated with the anomalous activity; initiating spatial and temporal traffic analysis on the anomalous activity; determining a remedial action based on the spatial and temporal traffic analysis to mitigate effects of the anomalous activity; and implementing the remedial action on the end-point device.
18. The method of claim 13 further comprising: isolating the end-point device in response to determining that the end-point device is associated with anomalous activity; and implementing the remedial action on the isolated end-point device to mitigate the effects of the anomalous activity.
14. The method of claim 13, wherein the method further comprises: determining, using the virtual reality application, an initiator and a recipient associated with the anomalous activity based on the spatial and temporal traffic analysis; initiating an access management evaluation on the initiator and the recipient; determining access controls associated with the initiator and the recipient contributing to the anomalous activity; and initiating a reassessment of the access controls associated with the initiator and the recipient.
15. The method of claim 13 further comprising: receiving, via the user input device, a user selection of one or more data layers from the stack of data layers; generating the multi-dimensional model of the real-time network traffic by overlaying the one or more data layers on one another; and displaying, via the virtual reality application, the multi-dimensional model with the one or more data layers overlaid on one another to the user.
16. The method of claim 13 further comprising: determining that the end-point device is associated with a device administrator; triggering an access prompt on a computing device associated with the device administrator to allow the device administrator to access the multi-dimensional model of the real-time network traffic; receiving a request from the computing device of the device administrator to access the multi-dimensional model in response to the access prompt; and generating a controlled access version of the multi-dimensional model of the real-time network traffic in response to the request.
1. A system for anomaly recognition in network topologies using interactive visualization, the system comprising: a processing device; a non-transitory storage device containing instructions when executed by the processing device, causes the processing device to: determine that an end-point device is associated with anomalous activity; capture, using a virtual reality application installed on a user input device, real-time network traffic associated with the end-point device; isolate, using the virtual reality application, network traffic associated with the anomalous activity; initiate spatial and temporal traffic analysis on the anomalous activity; determine a remedial action based on the spatial and temporal traffic analysis to mitigate effects of the anomalous activity; isolate the end-point device in response to determining that the end-point device is associated with anomalous activity; and implement the remedial action on the isolated end-point device to mitigate the effects of the anomalous activity.
3. The system of claim 1, wherein executing instructions to capture the real-time network traffic further causes the processing device to: generate a multi-dimensional model of the real-time network traffic associated with the end-point device; and display, via the virtual reality application, the multi-dimensional model to a user.
4. The system of claim 3, wherein the multi-dimensional model further comprises a stack of data layers for visualization of the real-time network traffic, wherein the stack of data layers comprises a network topology layer, a network traffic layer, a performance metric layer, an incident layer, an application data layer, and nodal information layer.
2. The system of claim 1, wherein executing the instructions further causes the processing device to: determine, using the virtual reality application, an initiator and a recipient associated with the anomalous activity based on the spatial and temporal traffic analysis; initiate an access management evaluation on the initiator and the recipient; determine access controls associated with the initiator and the recipient contributing to the anomalous activity; and initiate a reassessment of the access controls associated with the initiator and the recipient.
5. The system of claim 3, wherein executing the instructions further causes the processing device to: receive, via the user input device, a user selection of one or more data layers from the stack of data layers; generate the multi-dimensional model of the real-time network traffic by overlaying the one or more data layers on one another; and display, via the virtual reality application, the multi-dimensional model with the one or more data layers overlaid on one another to the user.
6. The system of claim 3, wherein executing the instructions further causes the processing device to: determine that the end-point device is associated with a device administrator; trigger an access prompt on a computing device associated with the device administrator to allow the device administrator to access the multi-dimensional model of the real-time network traffic; receive a request from the computing device of the device administrator to access the multi-dimensional model in response to the access prompt; and generate a controlled access version of the multi-dimensional model of the real-time network traffic in response to the request.
7. The system of claim 6, wherein a level of access associated with the controlled access version of the multi-dimensional model is based on an authorization level of the device administrator.
8. A computer program product for anomaly recognition in network topologies using interactive visualization, the computer program product comprising a non-transitory computer-readable medium comprising code causing an apparatus to: determine that an end-point device is associated with anomalous activity; capture, using a virtual reality application installed on a user input device, real-time network traffic associated with the end-point device; isolate, using the virtual reality application, network traffic associated with the anomalous activity; initiate spatial and temporal traffic analysis on the anomalous activity; determine a remedial action based on the spatial and temporal traffic analysis to mitigate effects of the anomalous activity; isolate the end-point device in response to determining that the end-point device is associated with anomalous activity; and implement the remedial action on the isolated end-point device to mitigate the effects of the anomalous activity.
10. The computer program product of claim 9, wherein the code further causes the apparatus to: generate a multi-dimensional model of the real-time network traffic associated with the end-point device; and display, via the virtual reality application, the multi-dimensional model to a user.
11. The computer program product of claim 10, wherein the multi-dimensional model further comprises a stack of data layers for visualization of the real-time network traffic, wherein the stack of data layers comprises a network topology layer, a network traffic layer, a performance metric layer, an incident layer, an application data layer, and nodal information layer.
9. The computer program product of claim 8, wherein the code further causes the apparatus to: determine, using the virtual reality application, an initiator and a recipient associated with the anomalous activity based on the spatial and temporal traffic analysis; initiate an access management evaluation on the initiator and the recipient; determine access controls associated with the initiator and the recipient contributing to the anomalous activity; and initiate a reassessment of the access controls associated with the initiator and the recipient.
12. The computer program product of claim 10, wherein the code further causes the apparatus to: receive, via the user input device, a user selection of one or more data layers from the stack of data layers; generate the multi-dimensional model of the real-time network traffic by overlaying the one or more data layers on one another; and display, via the virtual reality application, the multi-dimensional model with the one or more data layers overlaid on one another to the user.
13. The computer program product of claim 10, wherein the code further causes the apparatus to: determine that the end-point device is associated with a device administrator; trigger an access prompt on a computing device associated with the device administrator to allow the device administrator to access the multi-dimensional model of the real-time network traffic; receive a request from the computing device of the device administrator to access the multi-dimensional model in response to the access prompt; and generate a controlled access version of the multi-dimensional model of the real-time network traffic in response to the request.
14. The computer program product of claim 13, wherein a level of access associated with the controlled access version of the multi-dimensional model is based on an authorization level of the device administrator.
15. A method for anomaly recognition in network topologies using interactive visualization, the method comprising: determining that an end-point device is associated with anomalous activity; capturing, using a virtual reality application installed on a user input device, real-time network traffic associated with the end-point device; isolating, using the virtual reality application, network traffic associated with the anomalous activity; initiating spatial and temporal traffic analysis on the anomalous activity; determining a remedial action based on the spatial and temporal traffic analysis to mitigate effects of the anomalous activity isolating the end-point device in response to determining that the end-point device is associated with anomalous activity; and implementing the remedial action on the isolated end-point device to mitigate the effects of the anomalous activity.
17. The method of claim 15, wherein the method further comprises: generating a multi-dimensional model of the real-time network traffic associated with the end-point device; and displaying, via the virtual reality application, the multi-dimensional model to a user.
18. The method of claim 17, wherein the multi-dimensional model further comprises a stack of data layers for visualization of the real-time network traffic, wherein the stack of data layers comprises a network topology layer, a network traffic layer, a performance metric layer, an incident layer, an application data layer, and nodal information layer.
16. The method of claim 15, wherein the method further comprises: determining, using the virtual reality application, an initiator and a recipient associated with the anomalous activity based on the spatial and temporal traffic analysis; initiating an access management evaluation on the initiator and the recipient; determining access controls associated with the initiator and the recipient contributing to the anomalous activity; and initiating a reassessment of the access controls associated with the initiator and the recipient.
19. The method of claim 18, wherein the method further comprises: receiving, via the user input device, a user selection of one or more data layers from the stack of data layers; generating the multi-dimensional model of the real-time network traffic by overlaying the one or more data layers on one another; and displaying, via the virtual reality application, the multi-dimensional model with the one or more data layers overlaid on one another to the user.
20. The method of claim 17, wherein the method further comprises: determining that the end-point device is associated with a device administrator; triggering an access prompt on a computing device associated with the device administrator to allow the device administrator to access the multi-dimensional model of the real-time network traffic; receiving a request from the computing device of the device administrator to access the multi-dimensional model in response to the access prompt; and generating a controlled access version of the multi-dimensional model of the real-time network traffic in response to the request.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1-18 is/are rejected under 35 U.S.C. 103 as being unpatentable Apostolopoulos (US 20190124104, hereinafter referred to as “Apos”) in view of Chavez (US 2020/0314245, hereinafter referred to as “Chavez”).
Regarding claim 1, Apos teaches a system for anomaly recognition in network topologies using interactive visualization, the system comprising:
a processing device (figure 1: host device 106);
a non-transitory storage device ([0270] Embodiments of the techniques introduced here may be implemented, at least in part, by a computer program product which may include a non-transitory machine-readable medium having stored thereon instructions) containing instructions when executed by the processing device, causes the processing device to:
determine that an end-point device is associated with anomalous activity ([0099] Network Security Anomaly and Threat Detection);
capture, using an application installed on a user input device, real-time network traffic associated with the end-point device ([0106] In this description the term “event data” refers to machine data related to activity on a network with respect to an entity of focus, such as one or more users, one or more network nodes, one or more network segments, one or more applications, etc. In certain embodiments, incoming event data from various data sources is evaluated in two separate data paths: (i) a real-time processing path and (ii) a batch processing path. Preferably, the evaluation of event data in these two data paths occurs concurrently. The real-time processing path is configured to continuously monitor and analyze the incoming event data (e.g., in the form of an unbounded data stream) to uncover anomalies and threats. To operate in real-time, the evaluation is performed primarily or exclusively on event data pertaining to current events contemporaneously with the data being generated by and/or received from the data source(s). In certain embodiments, the real-time processing path excludes historical data (i.e., stored data pertaining to past events) from its evaluation. Alternatively, in an embodiment, the real-time processing path excludes third-party data from the evaluation in the real-time processing path. These example types of data that are excluded from the real-time path can be evaluated in the batch processing path.);
generate a multi-dimensional model of the real-time network traffic associated with the end-point device (figure 15), wherein the multi-dimensional model further comprises a stack of data layers for visualization of the real-time network traffic (figure 15), wherein the stack of data layers comprises a network topology layer (figure 15: 1522-1526, graph representing nodes, edges, and relationships; figure 16), a network traffic layer ([0152] The composite relationship graph or enterprise security graph can be stored, for example, as multiple files, one file for each of multiple predetermined time periods. The time period depends on the environment (e.g., the network traffic)), a performance metric layer ([0155] (e.g., the complex processing engine) can use models to perform analytics on the composite relationship graph or on any particular portion (i.e., “projection,” discussed further below) of the composite relationship graph.), an incident layer ([0257] a pattern of “account takeover,” followed by an “exfiltration” anomaly would warrant a raised alert level because the pattern tells a logic story that implies a causal relationship: the exfiltration (e.g., transferring a large number of files to external networks) might be a direct result of the account takeover.), an application data layer ([0118] Above the security intelligence layer 500 is an application layer 514. The application layer 514 represents the layer in which application software modules may be implemented. In an example, the output of the machine learning layer 510 includes anomalies, threat indicators, and/or threats. This output may be analyzed by the various applications such as a threat detection application 516, a security analytics application 518 or other applications 520), and nodal information layer ([0145] graph in the context of this description includes a number of nodes and edges. Each node in the relationship graph represents one of the entities involved in the event, and each edge represents a relationship between two of the entities. In general, any event involves at least two entities with some relationship between them (e.g., a device and a user who accesses the device) and therefore can be represented as an event-specific relationship graph.);
display, via the virtual reality application, the multi-dimensional model to a user (figure 23);
isolate, using the application, network traffic associated with the anomalous activity ([0183] The process continues with generating anomaly data 1004 indicative of the anomalies in response to the detection. The anomaly data 1004, as used herein, generally refers to the entire set or a subset of the detected anomalies across the computer network. For example, as represented in FIG. 11, the processing of event data 1002 according to the plurality of models at step 1102 leads to the outputting of anomalies (or associated data) 1 through M at step 1104. In some embodiments, the anomaly data 1004 includes only the event data 1002 associated with detected anomalies. In other words, the anomaly processing can be viewed as a filtering process to pass on only event data associated with anomalous activity.);
initiate spatial and temporal traffic analysis on the anomalous activity ([0204] FIGS. 15 through 18 relate to a method for storing and analyzing a security data structure (e.g., a graph including nodes and edges) for identifying security threats in a computer network. The nodes represent entities in or associated with the computer network, such as users, devices, applications, and anomalies. The edges, which connect nodes, represent the relationships between the entities. An ETL process generates event-specific graph data structures (also referred to as “mini-graphs” or “relationship graphs”) corresponding to events that have occurred in the computer network. The method introduced here detects anomalies based on the mini-graphs, and combines the anomalies with the mini-graphs to generate the composite relationship graph, which may also be called an “enterprise security graph” to the extent it may relate to a network of a particular enterprise (e.g., a corporation, educational institution, government agency, etc.). The composite relationship graph includes nodes that represent the anomalies and edges that represent relationships between anomalies and other entities involved in the events. Figure 17 illustrates how traffic is organized and analyzed. The days are interpreted as temporal as claimed);
determine a remedial action based on the spatial and temporal traffic analysis to mitigate effects of the anomalous activity ([0262] At step 1970, after identifying actionable threats, a network security related action can be performed on the identified threat. For example, the threats detected may be employed to automatically trigger an action, such as stopping the intrusion, shutting down network access, locking out users, preventing information theft or information transfer, shutting down software and or hardware processes, and the like. In certain embodiments, the discovered anomalies and threats may be presented to a network operator (e.g., a network security administrator or analyst) for decision); and
implement the remedial action on the isolated end-point device to mitigate the effects of the anomalous activity ([0262] At step 1970, after identifying actionable threats, a network security related action can be performed on the identified threat. For example, the threats detected may be employed to automatically trigger an action, such as stopping the intrusion, shutting down network access, locking out users, preventing information theft or information transfer, shutting down software and or hardware processes, and the like. In certain embodiments, the discovered anomalies and threats may be presented to a network operator (e.g., a network security administrator or analyst) for decision.).
However, Apos does not teach the use of a virtual reality application installed on a user input device.
In an analogous art, Chavez teaches the use of a virtual reality application installed on a user input device ([0069] AI engine 124 can gather information in various ways. For example, AI engine 124 may monitor incoming and/or outgoing communications. AI engine 124 may monitor voice, video, IM, email, text, and/or virtual reality communications for key words to identify trends that are occurring. For instance, AI engine 124 may identify that there is a specific type of problem in a newly released product serviced by contact center 120 by identifying keywords (e.g., the name of the product, the word “problem,” and the phrase “cannot configure”) in communications coming into contact center 120. The keywords may trigger an action (e.g., to reconfigure routing of communications) based on a number of keyword hits (i.e., a threshold). Alternatively, another application may identify keywords or information and then provide the information to AI engine 124.)
Before the effective filing date of the invention, one of ordinary skill in the art would have been motivated to incorporate the use of virtual reality application in order to facilitate users in multi-dimensional visualization, thus making anomaly analysis more intuitive.
Regarding claim 2, Apos teaches the system of claim 1, wherein executing the instructions further causes the processing device to: determine, an initiator and a recipient associated with the anomalous activity based on the spatial and temporal traffic analysis ([0204] FIGS. 15 through 18 relate to a method for storing and analyzing a security data structure (e.g., a graph including nodes and edges) for identifying security threats in a computer network. The nodes represent entities in or associated with the computer network, such as users, devices, applications, and anomalies. The edges, which connect nodes, represent the relationships between the entities. An ETL process generates event-specific graph data structures (also referred to as “mini-graphs” or “relationship graphs”) corresponding to events that have occurred in the computer network. The method introduced here detects anomalies based on the mini-graphs, and combines the anomalies with the mini-graphs to generate the composite relationship graph, which may also be called an “enterprise security graph” to the extent it may relate to a network of a particular enterprise (e.g., a corporation, educational institution, government agency, etc.). The composite relationship graph includes nodes that represent the anomalies and edges that represent relationships between anomalies and other entities involved in the events. Figure 17 illustrates how traffic is organized and analyzed. The days are interpreted as temporal as claimed); initiate an access management evaluation on the initiator and the recipient ([0105] security threats are examples of a type of activity to be detected. It should be understood, however, that the security platform and techniques introduced here can be applied to detect any type of unusual or anomalous activity involving data access, data transfer, network access, and network use regardless of whether security is implicated or not.); determine access controls associated with the initiator and the recipient contributing to the anomalous activity ([0094] This arrangement generally may be referred to as an “on-premises” solution. That is, the system 108 is installed and operates on computing devices directly controlled by the user of the system. Some users may prefer an on-premises solution because it may provide a greater level of control over the configuration of certain aspects of the system (e.g., security, privacy, standards, controls, etc.). However, other users may instead prefer an arrangement in which the user is not directly responsible for providing and managing the computing devices upon which various components of system 108 operate.); and initiate a reassessment of the access controls associated with the initiator and the recipient ([0094] This arrangement generally may be referred to as an “on-premises” solution. That is, the system 108 is installed and operates on computing devices directly controlled by the user of the system. Some users may prefer an on-premises solution because it may provide a greater level of control over the configuration of certain aspects of the system (e.g., security, privacy, standards, controls, etc.). However, other users may instead prefer an arrangement in which the user is not directly responsible for providing and managing the computing devices upon which various components of system 108 operate.).
However, Apos does not teach the virtual reality application. In an analogous art, Chavez teaches the use of a virtual reality application installed on a user input device ([0069] AI engine 124 can gather information in various ways. For example, AI engine 124 may monitor incoming and/or outgoing communications. AI engine 124 may monitor voice, video, IM, email, text, and/or virtual reality communications for key words to identify trends that are occurring. For instance, AI engine 124 may identify that there is a specific type of problem in a newly released product serviced by contact center 120 by identifying keywords (e.g., the name of the product, the word “problem,” and the phrase “cannot configure”) in communications coming into contact center 120. The keywords may trigger an action (e.g., to reconfigure routing of communications) based on a number of keyword hits (i.e., a threshold). Alternatively, another application may identify keywords or information and then provide the information to AI engine 124.). The motivation to combine is the same as claim 1 above.
Regarding claim 3, Apos teaches the system of claim 1, wherein executing the instructions further causes the processing device to: receive, via the user input device, a user selection of one or more data layers from the stack of data layers ([0066] a monitor trigger may be included at or near the beginning of the executable code of the client application 110 such that the monitoring component 112 is initiated or triggered as the application is launched, or included at other points in the code that correspond to various actions of the client application, such as sending a network request or displaying a particular interface.); generate the multi-dimensional model of the real-time network traffic by overlaying the one or more data layers on one another (figure 15; graphs are combined into a composite relationship graph); and display the multi-dimensional model with the one or more data layers overlaid on one another to the user (figures 15 and 23: graphs are displayed).
However, Apos does not teach display via the virtual reality application. In an analogous art, Chavez teaches the use of a virtual reality application installed on a user input device to display the multi-dimensional model ([0069] AI engine 124 can gather information in various ways. For example, AI engine 124 may monitor incoming and/or outgoing communications. AI engine 124 may monitor voice, video, IM, email, text, and/or virtual reality communications for key words to identify trends that are occurring. For instance, AI engine 124 may identify that there is a specific type of problem in a newly released product serviced by contact center 120 by identifying keywords (e.g., the name of the product, the word “problem,” and the phrase “cannot configure”) in communications coming into contact center 120. The keywords may trigger an action (e.g., to reconfigure routing of communications) based on a number of keyword hits (i.e., a threshold). Alternatively, another application may identify keywords or information and then provide the information to AI engine 124.). The motivation to combine is the same as claim 1 above.
Regarding claim 4, Apos teaches the system of claim 1, wherein executing the instructions further causes the processing device to: determine that the end-point device is associated with a device administrator ([0183] a user ID or account associated with a device); trigger an access prompt on a computing device associated with the device administrator to allow the device administrator to access the multi-dimensional model of the real-time network traffic ([0137] , the security platform can prompt (e.g., through a user interface) the administrator to specify the data format or the type of machine(s) the environment includes); receive a request from the computing device of the device administrator to access the multi-dimensional model in response to the access prompt ([0095] a service provider may provide a cloud-based data intake and query system by managing computing resources configured to implement various aspects of the system (e.g., forwarders, indexers, search heads, etc.) and by providing access to the system to end users via a network.); and generate a controlled access version of the multi-dimensional model of the real-time network traffic in response to the request ([0095] a service provider may provide a cloud-based data intake and query system by managing computing resources configured to implement various aspects of the system (e.g., forwarders, indexers, search heads, etc.) and by providing access to the system to end users via a network.).
Regarding claim 5, Apos teaches the system of claim 4, wherein a level of access associated with the controlled access version of the multi-dimensional model is based on an authorization level of the device administrator ([0035] access is obtained by using accounts/system or privileges).
Regarding claim 6, Apos teaches the system of claim 1, wherein executing the instructions further causes the processing device to:
isolate the end-point device in response to determining that the end-point device is associated with anomalous activity ([0110] The anomalies and threats detected by the real-time processing path may be employed to automatically trigger an action, such as stopping the intrusion, shutting down network access, locking out users, preventing information theft or information transfer, shutting down software and or hardware processes, and the like.); and
implement the remedial action on the isolated end-point device to mitigate the effects of the anomalous activity ([0262] At step 1970, after identifying actionable threats, a network security related action can be performed on the identified threat. For example, the threats detected may be employed to automatically trigger an action, such as stopping the intrusion, shutting down network access, locking out users, preventing information theft or information transfer, shutting down software and or hardware processes, and the like. In certain embodiments, the discovered anomalies and threats may be presented to a network operator (e.g., a network security administrator or analyst) for decision.).
Claims 7-12 are computer program product version of claims 1-6, respectively, therefore are rejected under the same rationale.
Claims 13-18 are method version of claims 1-6, respectively, therefore are rejected under the same rationale.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Cavallari et al. (US 11399037) - detecting anomaly behavior in interactive networks and generating an attributed bipartite graph related to the problem.
Chen et al., (US 20160330226) - detecting malicious processes include modeling system data as a graph comprising vertices that represent system entities and edges that represent events between respective system entities.
Bardenstein (US 11916944) - A security system detects and attributes anomalous activity in a network.
Drake et al. (US 11558412) - Security related anomalies in the data related to network entities are identified, and a risk score is assigned to each entity based on the anomalies. Visualization data is generated for a color-coded interactive visualization.
Nair et al. (US 20170310546) - A digital network assistant which can detect network anomalies, identify actions likely to remediate them, and assist the user in carrying out those actions.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ALINA N BOUTAH whose telephone number is (571)272-3908. The examiner can normally be reached M-F 7:00 AM - 3:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Umar Cheema can be reached at (571) 270-3037. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
ALINA BOUTAH
Primary Examiner
Art Unit 2458
/ALINA A BOUTAH/ Primary Examiner, Art Unit 2458