Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
This office action is in response to the application filed on 02/11/2026. Claim(s) 1-20 is/are pending and are examined.
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 02/11/2026 has been entered.
Response to Arguments
Applicant's arguments with respect to amended claim(s) 1, 9, and 17 have been fully considered but are moot in view of the new ground(s) of rejection.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Twigg (US 2023/0075355 A1), hereinafter Twigg in view of Schmidt (US 12,380,389 B2), hereinafter Schmidt in further view of Neil (US 2023/0129144 A1), hereinafter Neil in further view of Olszak (US 2026/0003963 A1), hereinafter Olszak.
Regarding Claim(s) 1, 9, and 17 Twigg teaches:
A system for autonomous cyber-security investigation, the system comprising: (Twigg ¶ 81 teaches, the embodiments described herein can be implemented in numerous ways, including as a process; an apparatus; a system; a composition of matter; a computer program product embodied on a computer readable storage medium; and/or a processor, such as a processor configured to execute instructions stored on and/or provided by a memory coupled to the processor. ¶ 158 teaches, Deviations from the expected normal behavior can then be detected and automatically reported ( e.g., as anomalies or threats detected).)
an input interface, configured to receive security-related inputs detected in a computer system; (Twigg ¶ 59 teaches, data platform may include data ingestion resources configured to ingest data from cloud environment into data platform, data processing resources configured to perform data processing operations with respect to the data, and user interface resources configured to provide one or more external users and/or compute resources ( e.g., computing device) with access to an output of data processing resources. Twigg ¶ 65 teaches, the data may include data representative of configuration information associated with compute assets, information about one or more processes running on compute assets, network activity information, information about events (creation events, modification events, communication events, user-initiated events, etc.) (i.e., security-related inputs)) and one or more processors, configured to:
construct, based on the security-related inputs, a graph comprising nodes and edges, (Twigg ¶ 472-474 teaches, the behavior of users of the environment can be tracked (including across multiple accounts and/or multiple machines) and modeled (e.g., using various graphs described herein).) the nodes comprising (i) one or more appearance-nodes representing occurrences in the computer system having respective times-of-occurrence and (Twigg ¶ 531 teaches, User A notes in the timeline (i.e., times of occurrence) that a user, Harish, connected to a known bad server (examplebad.com) using wget, an event that has a critical severity level. (i.e., appearance node))) (ii) one or more artifact-nodes representing time-static features found in the security-related inputs, and the edges representing relationships between the nodes; (Twigg ¶ 489 teaches, FIG. 4B illustrates an example of a portion of an insider behavior graph (e.g., as rendered in a web browser). In the example shown, node 405 (the external IP address, 52.32.40.231) is an example of a Tier 0 node, and represents an entry point into a datacenter. (i.e., artifact-node as designated by application specification pg. 6 Ln. 1-10))
select in the graph a trigger node that serves as an initial trigger for a given cyber-security investigation; (Neil ¶ 60 teaches, embodiments may select initial node 602 to begin traversing graph 600 based on a heuristic that indicates that activity or relationships associated with the initial node may be potentially malicious. In other instances, embodiments may select initial node 602 based on another indicator of compromise.)
Twigg does not appear to explicitly teach but in related art:
perform an iterative process that generates a sub-graph of the graph that is specific to the given cyber-security investigation, by iteratively (i) enriching the graph with additional information and (Schmidt Col. 23 Ln. 30-50 teaches, the graph database may be enriched with custom data of the cognition feature.)
It would have been obvious to one with ordinary skill in the art, prior to the applicant's earliest effective filing date, to combine the teachings of Twigg with Schmidt, to modify the system for monitoring a cloud environment of Twigg with the cognition feature and rules for subgraphs of Schmidt (Col. 1 Ln. 35-36), to assist in monitoring, investigating, and avoiding risks posed by global security threats.
(ii) expanding the sub-graph with one or more additional nodes from the graph in response to the additional information; and (Neil ¶ 63 teaches, Although not shown for clarity, identifying the first target object further comprises at least one of: 1) identifying a first edge with a greatest risk score; or 2) identifying a first node with a greatest risk score. At step 706, the data structure is iteratively crawled to determine a first sub-graph of objects with a risk probability score greater than the existing risk score of the first target object. (i.e., expanding) The first sub-graph of objects being coupled to the first target object.)
decide on a result of the given cyber-security investigation based on the sub-graph. (Neil ¶ 4 teaches, any combination that has a lower risk score are merged into a new sub-graph and reevaluated using the new sub-graph as the starting point and evaluating all reachable nodes and edges until a fully connected sub-graph identify potentially malicious behaviors is identified and stored.)
It would have been obvious to one with ordinary skill in the art, prior to the applicant's earliest effective filing date, to combine the teachings of Twigg in view of Schmidt with Neil, to modify the system for monitoring a cloud environment of Twigg with the cognition feature and rules for subgraphs of Schmidt with the malicious behavior detection tool containing subgraphs of Neil. The motivation to do so, Twigg ¶ 4, is to yield the efficient use of resources on enormous datasets.
Twigg-Schmidt-Neil does not appear to explicitly teach but in related art:
comprising prevalence information indicating how commonly one or more of the artifact-nodes appear within the computer system, across multiple computer systems, or both (Olszak ¶ 55 teaches, The enriched data added by event enrichment unit includes details such as the geographic location of the event source, the reputation of the involved IP addresses, the prevalence of similar events across different environments, and the typical behavior patterns associated with the event type.)
It would have been obvious to one with ordinary skill in the art, prior to the applicant's earliest effective filing date, to combine the teachings of Twigg-Schmidt-Neil with Olszak, to modify the system for monitoring a cloud environment of Twigg with the cognition feature and rules for subgraphs of Schmidt with the malicious behavior detection tool containing subgraphs of Neil with the enriched data including prevalence data of Olszak. The motivation to do so, Olszak ¶ 54, is to improve the accuracy of the risk assessment.
Regarding Claim(s) 2 and 10 Twigg-Schmidt-Neil-Olszak teaches:
The system according to claim 1, (Twigg-Schmidt-Neil-Olszak teaches the parent claim above.) wherein the one or more processors are further configured to initiate a responsive action based on the result of the given cyber-security investigation. (Twigg ¶ 647 teaches, detecting and/or remediating (i.e., responsive action) ransomware attacks and/or other malicious action taken with respect to data, systems, and/or other resources associated with one or more entities.)
Regarding Claim(s) 3, 11, and 18 Twigg-Schmidt-Neil-Olszak teaches:
The system according to claim 1, (Twigg-Schmidt-Neil-Olszak teaches the parent claim above.)
wherein the one or more processors are configured to enrich the graph by fetching at least part of the additional information from the computer system. (Schmidt Col. 5 Ln. 40-55 teaches, the cognition feature configures the platform to be able add new categories or themes to an existing and developing graph database. It can allow for a dynamic evolution of risk categories. The graph database may have defined node types and edge types, and the platform may have added a large data set into the graph database in accordance with the graph schema. The platform can be configured to define and add risk categories and assign each risk category to certain nodes in the graph database.)
Regarding Claim(s) 4, 12, and 19 Twigg-Schmidt-Neil-Olszak teaches:
The system according to claim 1, (Twigg-Schmidt-Neil-Olszak teaches the parent claim above.)
wherein the one or more processors are configured to iteratively expand the sub-graph, starting from the trigger node, until failing to find additional nodes whose distance from the trigger node is below one or more defined cut-off distances. (Schmidt Col. 23 Ln. 20-30 teaches, the paths found from that traversal are the cognitions subgraph (there can be multiple paths from a source node to a target or from multiple source nodes to the target node). In some embodiments, there may be configurable rules for the cognition feature that may limit or prune the subgraph and principally as discussed, this could include a maximum node traversal limit.)
Regarding Claim(s) 5 and 13 Twigg-Schmidt-Neil-Olszak teaches:
The system according to claim 4, wherein the one or more processors are configured to: (Twigg-Schmidt-Neil-Olszak teaches the parent limitation above.) assign respective significance scores to the nodes; and (Neil ¶ 63 teaches, the first sub-graph of objects being coupled to the first target object. Although not shown for clarity, iteratively crawling the data structure to determine the first sub-graph of objects further comprises identifying each connected object to the first target object, each connected object having an associated risk score, (i.e., significance score) and selecting a highest risk score of the connected objects to the first target object)
calculate the distance between a candidate node and the trigger node (Twigg ¶ 220 teaches, comparing internal neighbors and calculating a set membership Jaccard distance the pairs of nodes are then ordered by decreasing similarity (i.e., with the most similar sets first).) responsively to the relevance scores of one or more nodes that lie along a shortest path through the graph between the candidate node and the trigger node. (Neil ¶ 63 teaches, the first sub-graph of objects being coupled to the first target object. Although not shown for clarity, iteratively crawling the data structure to determine the first sub-graph of objects further comprises identifying each connected object to the first target object, each connected object having an associated risk score, and selecting a highest risk score of the connected objects to the first target object. (i.e., relevance score))
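As an added worked example (not from the office action, the application, or any cited reference), the following Python models the expansion recited in claims 4 and 5 together: a sub-graph grows outward from a trigger node, a candidate is admitted only while its shortest-path distance from the trigger, weighted by the significance scores of the nodes along that path, is below a cut-off, and expansion stops when no further candidate qualifies. All node names, edges, significance scores, the cost function and the cut-off values are constructed for illustration.

```python
import heapq
from collections import defaultdict

# Constructed toy graph: appearance-nodes (evt:*) and artifact-nodes (ip:*, user:*, host:*).
EDGES = [("evt:wget", "ip:198.51.100.7"), ("evt:wget", "user:harish"),
         ("ip:198.51.100.7", "evt:dns"), ("user:harish", "evt:login"),
         ("evt:login", "host:web-01"), ("host:web-01", "evt:cron")]
# Constructed significance scores in (0, 1]; higher means more relevant to the investigation.
SIGNIFICANCE = {"evt:wget": 1.0, "ip:198.51.100.7": 0.8, "evt:dns": 0.8, "user:harish": 0.5,
                "evt:login": 0.5, "host:web-01": 0.25, "evt:cron": 0.2}

def build_adjacency(edges):
    """Undirected adjacency sets from an edge list."""
    adj = defaultdict(set)
    for a, b in edges:
        adj[a].add(b)
        adj[b].add(a)
    return adj

def step_cost(node, significance):
    """Assumed cost model: entering a high-significance node adds little distance, a low one adds a lot."""
    return 1.0 / significance.get(node, 0.1)

def weighted_distances(adj, trigger, significance):
    """Dijkstra over node costs: a node's distance is the sum of step costs along its shortest path."""
    dist, heap = {trigger: 0.0}, [(0.0, trigger)]
    while heap:
        d, n = heapq.heappop(heap)
        if d > dist[n]:
            continue  # stale heap entry
        for m in adj[n]:
            nd = d + step_cost(m, significance)
            if nd < dist.get(m, float("inf")):
                dist[m] = nd
                heapq.heappush(heap, (nd, m))
    return dist

def expand_subgraph(edges, trigger, significance, cutoff):
    """Grow the sub-graph from the trigger one frontier at a time, admitting a neighbour only
    while its weighted distance is below the cut-off; stop when a frontier admits nothing."""
    adj = build_adjacency(edges)
    dist = weighted_distances(adj, trigger, significance)
    subgraph, frontier = {trigger}, [trigger]
    while frontier:
        admitted = []
        for n in frontier:
            for m in adj[n]:
                if m not in subgraph and dist.get(m, float("inf")) < cutoff:
                    subgraph.add(m)
                    admitted.append(m)
        frontier = admitted
    return sorted(subgraph)
```

Lowering the cut-off shrinks the sub-graph to the nodes reachable through high-significance paths only, which is the pruning behaviour the claim describes.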
Regarding Claim(s) 6 and 14 Twigg-Schmidt-Neil-Olszak teaches:
The system according to claim 1, (Twigg-Schmidt-Neil-Olszak teaches the parent claim above.)
wherein the one or more processors are configured to enrich the graph in accordance with a predefined bank of enrichment rules. (Schmidt Col. 7 Ln. 25-35 teaches, System 100 may be configured for example to include a graph database 105 such that system 100 adds or updates the graph database from various sources based on automation (e.g., using a set of configured rules))
Regarding Claim(s) 7, 16, and 20 Twigg-Schmidt-Neil-Olszak teaches:
The system according to claim 1, (Twigg-Schmidt-Neil-Olszak teaches the parent claim above.) wherein the one or more processors are configured to decide on the result of the given cyber-security investigation by running multiple attack detection modules, each attack detection module associated with a respective type of malicious attack. (Neil ¶ 23 teaches, the identified sub-graphs correspond to malicious activities performed by an unauthorized third-party such as reconnaissance, lateral movement, exfiltration of data, spearphishing attacks, or other internal attack behaviors. identifying sub-graphs of potentially malicious activity within an environment, embodiments of the present disclosure are able to pin-point dangerous activity in extensive environments with substantial enterprise traffic.)
Regarding Claim(s) 8 Twigg-Schmidt-Neil-Olszak teaches:
The system according to claim 7, (Twigg-Schmidt-Neil-Olszak teaches the parent limitation above.) wherein a given attack detection module is configured to calculate for the sub-graph a maliciousness score indicative of a likelihood that the sub-graph represents a malicious attack of the respective type. (Neil ¶ 24-26 teaches, Specifically, in some embodiments, each node and edge within an enterprise have an associated risk score that indicate the overall potential that the node and edge correspond to a suspicious or malicious behavior based on heuristics, rules, expert knowledge encodings, supervised machine learning methods, and/or anomaly detection.)
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US 2024/0386015 A1 - COMPOSITE SYMBOLIC AND NON-SYMBOLIC ARTIFICIAL INTELLIGENCE SYSTEM FOR ADVANCED REASONING AND SEMANTIC SEARCH
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JACOB BENEDICT KNACKSTEDT whose telephone number is (703)756-5608. The examiner can normally be reached Monday-Friday 8:00 am - 5:00 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Linglan Edwards can be reached on (571) 270-5440. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/J.B.K./Examiner, Art Unit 2408
/LINGLAN EDWARDS/Supervisory Patent Examiner, Art Unit 2408