DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Priority
Receipt is acknowledged of certified copies of papers required by 37 CFR 1.55.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 7/29/2024 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.
Response to Arguments
Applicant’s arguments, see page(s) 11, filed 3/31/2026, with respect to the objection(s) to the abstract have been fully considered and are persuasive. The associated objection(s) to the abstract has/have been withdrawn.
Applicant’s arguments, see page(s) 11, filed 3/31/2026, with respect to the objection(s) to claim(s) 10 have been fully considered. The issue of the claim reciting an extremely broad scope has not been addressed by the amendments. However, the applicant is free to claim this scope if they wish, provided there it is given sufficient written description in the original disclosure. This objection is withdrawn.
Applicant's arguments, see pages 12-17, filed 3/31/2026, with respect to the rejection of claim(s) 1-15 under 35 USC 101 have been fully considered but they are not persuasive.
Regarding the argument:
“The claims recite specific technical limitations that, when considered as an ordered combination, provide an inventive concept. Specifically, the claims recite:
(1) store the data of the data stream …
(2) generate a signature group …
(3) remove normal signatures included in a white list from the signatures …
(4) detect, as intrusions, … signatures remaining in the signature group …
“This ordered combination reflects a specific technological solution to the technical problem of achieving high detection accuracy with only a small amount of fixed memory and a certain hash operation by identifying frequent signature groups that appear simultaneously in a data stream. …”
Examiner respectfully disagrees and notes that the majority of applicant’s arguments for subject matter providing “significantly more” do not appear in the claims. The claims are written at a high level which does not provide “significantly more” than basic computer processing steps.
Regarding the argument:
“… Here, the combination of storing the data …, generating a signature group …, removing normal signatures …, and detecting, as intrusions, data within the one big-group … provides the technological improvement of achieving high intrusion detection accuracy with only a small amount of fixed memory.
“The claimed combination achieves specific technical benefits analogous to those recognized in Desjardins ...
“These are not generic computer functions applied to an abstract idea but are specific technical improvements to intrusion detection accuracy and efficiency.”
Examiner respectfully disagrees. Similar to above, applicant has described features of the invention which are not present or evident from the claims. One of skill in art would not infer any improvement in detection accuracy or efficiency given the current draft of the claims.
Regarding the argument:
“Furthermore, the Federal Circuit has recognized that improvements to computer- related technology, even when involving mathematical concepts or data processing, can provide the necessary inventive concept. … Here, the specific combination of device identifying one big-group for a data stream, storing the one big-group in a space in a separate memory, generating a signature group by extracting signatures for the one big- group, removing normal signatures included in a white list from the signatures, and detecting, as intrusions, data within the one big-group based on signatures remaining after removal of the normal signatures provides an inventive concept - a particular technical solution to the problem of efficient intrusion detection.”
Examiner respectfully disagrees. While applicant is correct to point out that “improvements to computer-related technology … can provide the necessary inventive concept”, examiner notes that the mere act of providing a solution does not necessarily represent an improvement to technology. In this case, applicant is making an un-evidenced assertion that the acts grouping data, storing data, generating signatures, and detecting intrusions represent an improvement to computer-related technology; however, it is clear from the prior art that these methods have long been in practice, and simply represent an ordered combination of known techniques.
Applicant's arguments, see page 17, filed 3/31/2026, with respect to the interpretation of claim(s) 1, 3, 9, 11, and 12 under 35 USC 112(f) have been fully considered and are persuasive. The associated claim(s) is/are no longer being interpreted under this statute.
Applicant's arguments, see pages 17 and 18, filed 3/31/2026, with respect to the rejection of claim(s) 1-14 under 35 USC 112(a) have been fully considered.
Regarding the argument:
“… Applicant respectfully submits that claim 8, as amended, improves clarity and resolves the issue detailed in the Office Action.”
Examiner respectfully disagrees. The amended claim describes what a “tuning parameter” is for; however, the rejection is directed to the lack of enablement. Both the previous draft and amended claim, as well as the specification, fail to describe the subject matter to the degree necessary for one of ordinary skill in the art to make or use the invention. No examples of a valid parameter are given, nor are any algorithms disclosed by which one could calculate a parameter which would produce the results claimed in the instant application. This rejection is maintained.
Regarding the argument:
“In reply to the rejection of claims 1-14 …, Applicant respectfully submits that claims 1, 3, 9, 11, and 12, as amended, improves clarity and resolves the issue detailed in the Office Action. …”
Regarding the rejection of claims 1-15 directed to insufficient written description of intrusion detection:
The amended claim language represents new matter, and is not supported by the original disclosure. This rejection is maintained.
Regarding the rejection of claims 1, 3, 9, 11, and 12 directed to lack of structure related to claims interpreted under 35 USC 112(f):
The amendments sufficiently address the lack of structural language. This rejection is withdrawn.
Applicant's arguments, see pages 17 and 18, filed 3/31/2026, with respect to the rejection of claim(s) 1-14 under 35 USC 112(b) have been fully considered.
Regarding the rejection of claims 1-15:
This rejection is withdrawn.
Regarding the rejection of 1, 3, 9, 11, and 12:
This rejection is withdrawn.
Regarding the rejection of claims 1, 11, and 15:
This rejection is maintained.
Regarding the rejection of claims 3 and 12:
This rejection is withdrawn.
Regarding the rejection of claims 5 and 13:
This rejection is withdrawn.
Regarding the rejection of claim 6:
This rejection is maintained.
Regarding the rejection of claims 7 and 14:
The rejection directed to antecedent basis is withdrawn.
The rejection directed to “average and variance” and calculation of counters is maintained.
Regarding the rejection of claim 6:
This rejection is withdrawn.
Applicant's arguments, see pages 18-20, filed 3/31/2026, with respect to the rejection of claim(s) 1-15 under 35 USC 102(a)(2) and 103 have been fully considered.
Regarding the argument:
“On page 27 …, the Office Action refers to paragraph [0036] of GUNTAR in alleging that GUNTAR teaches to "remove normal signatures in a white list form the signature group." …
“GUNTAR … fails to disclose, identifying only a normal type of cluster to use the remaining clusters (other than the normal type) for intrusion detection.
“In contrast …, in the present invention, a signature group is generated for one big-group, normal signatures are removed from the signature group …”
This argument is directed to a claim whose scope has been changed by amendments and is moot.
Other arguments directed to claims rejected under 35 USC 102 and 103 are persuasive. Therefore, those rejections have been withdrawn. However, upon further consideration, a new ground(s) of rejection is made in view of CHRISTODORESCU et al (Doc ID US 20180198812 A1) and DAVID et al (Doc ID US 20180247045 A1).
Examiner notes that additional arguments are directed to the alleged allowability of claims based on their dependency to already-argued claims, and will not be addressed.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1-15 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. The claim(s) do not fall within at least one of the four categories of patent eligible subject matter because as drafted, the claim limitations are processes that, under their broadest reasonable interpretation, may be performed in the mind. That is, nothing in the claim elements precludes the steps from practically being performed in the mind (or with pen and paper).
If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components, then it falls within the “Mental Processes” grouping of abstract ideas. Accordingly, the claims recite an abstract idea.
The claims, minus their recited generic computer components, are summarized as follows:
Claims 1, 11, and 15:
Receive data.
Identify similar “pieces” of data from the stream.
Store the similar data.
Extract “signatures” from the group of similar data.
Claim 2:
Receive a type of data from among “alerts,” “logs,” “files,” and others.
Claims 3 and 12:
Separate each “piece” of data into “chunks.”
Transform each chunk into a vector.
Use the vectors and a min-hash algorithm to determine similarity of the pieces.
Claim 4:
Changing a number of bit values to a “1” where the number is the number of hash functions used.
Claims 5 and 13:
Identify a “big-counter” as a value exceeding a threshold.
Claim 6:
Calculating a “proportion” of the “big-counter” compared to other counters.
Claims 7 and 14:
Start an empty set of counters.
Calculate an average and variance of counters.
Adding counters based on the average and variance to the set.
Repeating the steps until no new counters can be added.
Claim 8:
Calculating the threshold based on a tuning parameter and the average and variance.
Claim 9:
Apply a clustering algorithm to the group to create sub-groups.
Create “signatures” for each sub-group.
Claim 10:
Extract “normal” signatures from the pieces not in the similar group.
The claims do not fall within at least one of the four categories of patent eligible subject matter because as drafted, the claims are directed to the abstract idea of collecting data and processing data.
This judicial exception is not integrated into a practical application. Claims and their limitations directed to hardware and computer devices recite generic computer components performing generic functions, and do not recite any specific improvement to existing hardware in order to achieve the invention. Accordingly, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea. The claims are directed to an abstract idea.
The claims further do not include additional elements that amount to significantly more than the judicial exception. Limiting the claims to generic form factors such as a “intrusion detection device” and “circuitry,” without more, is insufficient to transform them into patent-eligible applications of the abstract idea which is at their core. The claims are not patent eligible.
Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL. — The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.
Claim 8 is rejected under 35 U.S.C. 112(a) as failing to comply with the enablement requirement. The claims contain subject matter which was not described in the specification in such a way as to enable one skilled in the art to which it pertains, or with which it is most nearly connected, to make and/or use the invention.
Regarding claim 8:
The claim recites “… c is a tuning parameter.” The limitation is not enabled; See MPEP § 2164.
The test of enablement is whether one reasonably skilled in the art could make or use the invention from the disclosures in the patent coupled with information known in the art without undue experimentation; United States v. Telectronics, Inc., 857 F.2d 778, 785, 8 USPQ2d 1217, 1223 (Fed. Cir. 1988). The factors to be considered when determining whether there is sufficient evidence to support a determination that a disclosure does not satisfy the enablement requirement and whether any necessary experimentation is “undue” include, but are not limited to: (a) the breadth of the claims; (b) the nature of the invention; (c) the state of the prior art; (d) the level of one of ordinary skill; (e) the level of predictability in the art; (f) the amount of direction provided by the inventor; (g) the existence of working examples; and (h) the quantity of experimentation needed to make or use the invention based on the content of the disclosure; In re Wands, 858 F.2d 731, 737, 8 USPQ2d 1400, 1404 (Fed. Cir. 1988).
As to (a) the breadth of the claims, the claims are broadly directed to using Jaccard Similarity to identify portions of a data stream which are similar to each other. The limitation in question is narrowly directed to the calculation of a threshold value used for determining a high occurrence rate of a value. However, the recitation of a “tuning parameter” with no further guidance or explanation creates an essentially infinite breadth of possible values, and would require an extremely large amount of experimentation for one skilled in the art to derive the intended value.
As to (b) the nature of the invention, methods which process data using various known mathematical algorithms are nearly infinite in their diversity and purpose, and while the claims and specification purport that the invention is used in the narrower field of intrusion detection, neither the claims nor specification are explicit in the use of any output of the claimed invention in such a purpose. The nature of the invention does not reduce the expected amount of experimentation required.
As to (c) the state of the prior art and (d) the level of skill in the art, it is generally considered well-established and high. However, given the degree to which an unknown value may alter the equation in question, the state of the prior art and the level of skill in the art do not reduce the amount of experimentation required.
As to (e) the level of predictability in the art and (f) the amount of direction provided by the inventor, the computer security arts are generally considered predictable. However, similarly to comments directed to factors (b) and (c) above, the degree to which an unknown value may alter the equation in question means that the level of predictability in the art does not reduce the amount of experimentation required.
As to the (g) existence of working examples, no examples are provided in which a value is given to the “tuning parameter.” This requires an undue amount of experimentation.
As to the (h) quantity of experimentation needed, there is no particular evidence in the record to indicate the quantity of experimentation that one of ordinary skill in the art would need to implement the present invention. However, analysis of this factor in light of the other factors present suggest the amount of experimentation required to make and use the invention is undue.
The majority of factors for which there is evidence suggest that undue experimentation is required. After weighing all of the factors and all the evidence of record, the totality of the evidence suggests that it would require undue experimentation to make and use the claimed invention.
Claims 1-15 are rejected under 35 U.S.C. 112(a) as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, at the time the application was filed, had possession of the claimed invention.
Regarding claims 1-15:
The claims are each directed to “intrusion detection,” embodied in either a device or method. The original disclosure does not describe a step, result, or output which is characterized as an intrusion or a detection of an intrusion. Given the wording of the title of the invention, the abstract of the disclosure, and the preambles of the claims, one expects language which indicates how and when a detection of an intrusion takes place. The complete lack of this language calls the validity of the entire claim set into question.
Regarding claims 1, 11, and 15:
Claim 1 recites, “… generate a signature group … by extracting the signatures for the one big-group …”. Claims 11 and 15 recite similar language. The claims are indefinite because “the signatures” lacks antecedent basis. It is unclear from what “signatures for the one big-group” the signatures are being extracted. Put another way, no previous limitation recites any generation or acquisition of “signatures for the one big-group,” and it is thus indefinite to recite extracting signatures from them. This rejection can be overcome by amending the claims such that the “signatures for the one big-group” are given antecedent basis.
Claim 1 also recites, “… detect, as intrusions, data within the one big-group …”. Claims 11 and 15 recite similar language. The original disclosure does not contain this step, and it thus represents new matter. At no point does original disclosure link to or describe a “big-group” or “signature group” as being representative of intrusions. This rejection can be overcome by amending the claims such that they recite only that subject matter which is supported in the original disclosure.
Regarding claims 2-10 and 12-14:
They are dependent on one or more rejected claims, and thus inherit those rejections. This rejection could be overcome by overcoming the rejection(s) to any claims upon which these claims depend, or by amending the claims such that they are no longer dependent on any rejected claim.
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION. — The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
Claims 1-15 are rejected under 35 U.S.C. 112(b) as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor regards as the invention.
Regarding claims 1, 11, and 15:
Claim 1 recites, “… identify, for each piece of data of the data stream, similar data of the data stream as members of one big-group …”. Claims 11 and 15 recite similar language. The claims are indefinite because the metes and bounds of claims are unclear. It is unclear whether the claim is meant to teach that one “big-group” is created which contains all pieces of data which are similar to at least one other piece of data, or whether distinct “big-groups” are created which each contain pieces of data which are similar to each other. This rejection can be overcome by amending the claims such that they clearly and distinctly recite the metes and bounds.
Regarding claims 3 and 12:
Claim 3 recites, “… generate a virtual vector represented as a bitmap based on a minimum value of each hash function by applying a different hash function to each chunk of the chunk set …”. Claim 12 recites similar language. The claims are indefinite because their metes and bounds are not clear. The claim broadly teaches applying hash functions to chunks, on which is based a “bitmap,” which in turn “represents” a virtual vector. It is not clear how the hashes are transformed into a bitmap, or even what the term “bitmap” means in this context. A bitmap, as understood in the art, could be the result of rasterizing data as an image, or the result of a particular form of min-wise hashing called “b-Bit.” Both of these methods can be used in similarity determinations involving min-wise hashing. This rejection can be overcome by amending the claims such that they clearly and distinctly recite the metes and bounds.
Regarding claims 5 and 13:
Claim 5 recites, “… determine any of the counters that exceed a preset first threshold … as the big-counter.” Claim 13 recites similar language. The claims are indefinite because their metes and bounds are not clear. Where the claim teaches mentions “any” counter, this implies that multiple counters may exceed the threshold. It is then indefinite where the claim goes on to teach determining “the big-counter” as a single value. It is ambiguous whether the claim is meant to teach a single “big-counter” or multiple “big-counters.” This rejection can be overcome by amending the claims such that they clearly and distinctly recite the metes and bounds.
Regarding claim 6:
The claim recites, “… calculate a proportion represented as a ratio of the counters in the counter array determined as the big-counter to all counters within the counter array …”. The claim is indefinite because it is unclear what proportion is being calculated. It is unclear whether the elements recited are meant to be, the ratio of (multiple) counters determined as “the big-counter” to all counters in the array; counters in the counter array to the “big-counter”; or some other combination of elements.
Regarding claims 7 and 14:
Claim 7 recites, “… a first step of calculating an average and variance of counters in the counter array …”, and “… adding counters calculated based on the average and variance …”. Claim 14 recites similar language. The claims are indefinite because they are internally inconsistent. The claim simultaneously recites calculating the “average and variance” of the “counters,” while also reciting calculating “counters” using the “average and variance.” This creates a circular dependency, or closed loop, which makes both elements impossible to calculate. Put another way, ‘A’ cannot be calculated using ‘B’ if ‘B’ is calculated using ‘A.’
Regarding claim 9:
Claim 9 recites, “… subdivide the one big-group into multiple clusters and generate the signature group for each cluster.” The claim is indefinite because it is unclear how the claim further limits its depended-on claim. Claim 1, on which this claim depends, recites, “… generate a signature group including signatures by extracting the signatures for the one big-group …”. The parent claim recites generating a single “signature group,” while the child claim recites generating multiple groups. It is unclear whether multiple “signature groups” are created for the multiple clusters in addition to the one “signature group” created for the “big-group,” or whether the multiple groups of claim 9 are meant to supersede and be created instead of the single group of claim 1. This rejection can be overcome by amending the claims such that it is made clear how many signature groups are created and on what they are based.
Regarding claim 10:
Claim 10 recites, “… generate the white list by extracting the normal signatures from a data set that is not identified as the one big-group …”. The claim is indefinite because it is mutually exclusive from its depended-on claim. Claim 1, on which this claim ultimately depends, recite, “… remove normal signatures included in a white list from the signatures included in the signature group …”. Where the parent claim establishes that the “normal signatures” are already present in the whitelist, claim 10 then claims to generate the white list using those same “normal signatures.” At a minimum, the chronological relationship between these steps is ambiguous. This rejection can be overcome by amending the claim such that the relationship between the “normal signatures” and the “whitelist” is made clear.
Regarding claims 2, 4, and 8:
They are dependent on one or more rejected claims, and thus inherit those rejections. This rejection could be overcome by overcoming the rejection(s) to any claims upon which these claims depend, or by amending the claims such that they are no longer dependent on any rejected claim.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1, 2, 11, and 15 are rejected under 35 U.S.C. 103 as being unpatentable over CHRISTODORESCU et al (Doc ID US 20180198812 A1), and further in view of DAVID et al (Doc ID US 20180247045 A1).
Regarding claim 1:
CHRISTODORESCU teaches:
An ultra-light clustering-based generative intrusion detection device comprising: circuitry configured to receive a data stream containing a specific type of data from a network; ([0072] "In block 602, a processor of the network device may cluster network traffic packets received by a transceiver of the network device.")
identify, for each piece of data of the data stream, similar data of the data stream as members of one big-group; ([0072] "In block 602, a processor of the network device may ... employ one or more clustering algorithms to organize the received network traffic packets into multiple clusters or groups. The network device may observe similar characteristics ..., and may cluster packets with similar characteristics together.")
store the data of the data stream identified as members of the one big-group in a space in memory separate from other data of the data stream ([0072] "... The network device … may cluster packets with similar characteristics together.");
Examiner notes that neither the claims nor specification provide any elaboration on what is meant by "a space in memory separate from". Under its broadest reasonable interpretation, any two data objects are always inherently stored in different memory locations. This extends to any "pieces" of data from a data stream, regardless of whether they are identified as part of a "big-group."
DAVID teaches the following limitation(s) not taught by CHRISTODORESCU:
generate a signature group including signatures by extracting the signatures for the one big-group; ([0047] "… every time a process ... is loaded, the process's SHA256 signature can be calculated …")
remove normal signatures included in a white list from the signatures included in the signature group ([0061] "… If the command is either malware (e.g., signature for the process does not match the signature in the whitelist) ..., the command is rejected and a report is generated for the malicious attempt (506)."); and
detect, as intrusions, data within the one big-group based on signatures remaining in the signature group after removal of the normal signatures ([0061] "… If the command is either malware (e.g., signature for the process does not match the signature in the whitelist) ..., the command is rejected and a report is generated for the malicious attempt (506).").
Receiving a data stream, identifying similar data in the data stream, and storing the similar data are known techniques in the art, as demonstrated by CHRISTODORESCU. Further, creating signatures of the similar data, removing whitelisted signatures from the signatures, and labeling the remaining signatures as intrusions are known techniques in the art, as demonstrated by DAVID. It would have been obvious to a person having ordinary skill in the art (PHOSITA) before the effective filing date of the claimed invention to modify the data similarity calculator of CHRISTODORESCU with the malicious signature identification of DAVID with the motivation to identify malicious signatures as a group instead of individually. It is obvious to group signatures to cut down on processing time.
Regarding claim 2:
The combination of CHRISTODORESCU and DAVID teaches:
The ultra-light clustering-based generative intrusion detection device of claim 1, wherein the circuitry is further configured to receive a data stream with respect to any one of a plurality of types including an alert, a log, a packet, an e-mail, and a file (CHRISTODORESCU [0072] "In block 602, a processor of the network device may cluster network traffic packets received by a transceiver of the network device.").
Regarding claim 11:
This claim is rejected with the same justification, mutatis mutandis, as its counterpart claim 1 above.
Regarding claim 15:
CHRISTODORESCU teaches:
A non-transitory computer-readable recording medium having embodied thereon a computer program, which when executed by a computer causes the computer to execute an intrusion detection method, the method comprising ([0004] "… non-transitory processor-readable storage media including instructions configured to cause a processor to execute the methods for anomalous behavior detection in network traffic."):
The remainder of this claim’s limitations are rejected with the same prior art mapping and justification, mutatis mutandis, as its counterpart claims 1 and 11.
Claims 3-6 are rejected under 35 U.S.C. 103 as being unpatentable over CHRISTODORESCU et al (Doc ID US 20180198812 A1) and DAVID et al (Doc ID US 20180247045 A1) as applied to claim 1 above, and further in view of LANCIONI et al (Doc ID US 20240070326 A1) and CHANDOLA et al (Doc ID US 20160269424 A1).
Regarding claim 3:
The combination of CHRISTODORESCU and DAVID teaches:
The ultra-light clustering-based generative intrusion detection device of claim 1,
LANCIONI teaches the following limitation(s) not taught by the combination of CHRISTODORESCU and DAVID:
wherein the circuitry is further configured to: create a chunk set for each piece of data of the data stream ([0092] "… hash obtainment circuitry 204 (FIG. 2) obtains a plurality of locality sensitive hashes (LSHs) corresponding to sections in a plurality of training samples.");
Examiner notes that the recited "sections" map to the "chunks" of the claim and can be seen illustrated in Fig. 3A.
generate a virtual vector represented as a bitmap based on a minimum value of each hash function ([0092] "Turning now to FIG. 4 ... at block 402, at which the example locality sensitive hash obtainment circuitry 204 (FIG. 2) obtains a plurality of locality sensitive hashes (LSHs) corresponding to sections in a plurality of training samples. ... For example, FIG. 3A illustrates two samples that each have eight hash elements.")
determine the similar data as belonging to the big-group based on a big-counter derived by accumulating the virtual vector for each piece of data of the data stream in a fixed-size counter array of counters ([0103] "At block 410, the example cluster production circuitry 212 produces at least one cluster with the one or more encoded feature vectors. A cluster means a group of feature vectors that are associated based on similarity of the contents (e.g., hash elements) of the feature vectors.").
Splitting data into sections (chunks), performing a MinHash algorithm to create vectors of the sections, and determining similarity among data by clustering the vectors to find repeating hashes is a known technique in the art, as demonstrated by LANCIONI. It would have been obvious to a PHOSITA before the effective filing date of the claimed invention to modify the malicious signature detection among similar data of CHRISTODORESCU and DAVID with the MinHash similarity calculation of LANCIONI with the motivation to use a well-known algorithm to determine similarity among pieces of data.
CHANDOLA teaches the following limitation(s) not taught by the combination of CHRISTODORESCU, DAVID, and LANCIONI:
by applying a different hash function to each chunk of the chunk set ([0039] "Each of the elements in the vector is calculated using a hashing function. Assume the hashing functions are H.sub.1, H.sub.2, ..., and H.sub.6. Thus, in the example illustrated when H.sub.1 is applied to each element in set A ... and the minimum of those hashes is identified .... The second element “31” is calculated and identified by applying H.sub.2 in the same way to set A."); and
Using different hash functions for each step of a MinHash process is a known technique in the art, as demonstrated by CHANDOLA. It would have been obvious to a PHOSITA before the effective filing date of the claimed invention to modify the malicious signature detection among similar data of CHRISTODORESCU, DAVID, and LANCIONI with the multiple hash functions of CHANDOLA with the motivation to use a well-known variation algorithm of the MinHash algorithm which is known to be more efficient in determining similarity among data.
Regarding claim 4:
The combination of CHRISTODORESCU, DAVID, LANCIONI, and CHANDOLA teaches:
The ultra-light clustering-based generative intrusion detection device of claim 3, wherein the circuitry is further configured to change k bit values of the bitmap to 1 using k different hash functions, where k is a natural number (LANCIONI [0102] "... FIG. 4, at block 408, the example feature vector encoder circuitry 210 encodes feature vectors with ones of hash elements of the plurality of hash elements that are preserved. ... the feature vector encoder circuitry 210 encodes a feature vector with ... hash elements that occur in more than one LSH. E.g., they are present multiple times across the group of LSHs, denoted by the 1's in FIG. 3C.").
Altering a feature vector based on the results of multiple hashes is a known technique in the art, as demonstrated by LANCIONI. It would have been obvious to a PHOSITA before the effective filing date of the claimed invention to modify the malicious signature detection among similar data of CHRISTODORESCU, DAVID, LANCIONI, and CHANDOLA with the Jaccard Similarity of LANCIONI with the motivation to use the ratio of repeating MinHashes (big-counters) over all MinHashes (all counters) to determine whether two pieces of data are similar beyond a threshold ratio.
Regarding claim 5:
The combination of CHRISTODORESCU, DAVID, LANCIONI, and CHANDOLA teaches:
The ultra-light clustering-based generative intrusion detection device of claim 3, wherein the circuitry is further configured to determine any of the counters that exceed a preset first threshold value among the counters in the counter array as the big-counter (LANCIONI [0094] "At block 406, the example hash element preservation circuitry 208 (FIG. 2) preserves the hash elements that satisfy a hash element count threshold. In some examples, the hash element count threshold is a value that indicates a minimum number of occurrences of a hash element across a group of LSHs.").
Preserving a feature in a vector based on it exceeding a threshold is a known technique in the art, as demonstrated by LANCIONI. It would have been obvious to a PHOSITA before the effective filing date of the claimed invention to modify the malicious signature detection among similar data of CHRISTODORESCU, DAVID, LANCIONI, and CHANDOLA with the vector update of LANCIONI with the motivation to keep only those vector values which indicate a number of occurrences beyond a minimum threshold. Greater numbers of occurrences likely indicate a stronger similarity.
Regarding claim 6:
The combination of CHRISTODORESCU, DAVID, LANCIONI, and CHANDOLA teaches:
The ultra-light clustering-based generative intrusion detection device of claim 5, wherein the circuitry is further configured to: calculate a proportion represented as a ratio of the counters in the counter array determined as the big-counter to all counters within the counter array (LANCIONI [0109] "... the resemblance is a Jaccard resemblance … and is a statistic used for determining the similarity of datasets."); and
Examiner notes that Jaccard similarity, by definition, computes similarity by definition by computing the proportion of the common elements (represented by the "big-counter") over the total elements (represented by all counters).
determine that data associated with the virtual vector corresponding to the big-counter is the similar data when the proportion exceeds a preset second threshold value (LANCIONI [0112] "… The example resemblance incorporation circuitry 228 compares each resemblance to a similarity value threshold …").
Calculating similarity using the Jaccard Similarity is a known technique in the art, as demonstrated by LANCIONI. It would have been obvious to a PHOSITA before the effective filing date of the claimed invention to modify the malicious signature detection among similar data of CHRISTODORESCU, DAVID, LANCIONI, and CHANDOLA with the vector update of LANCIONI with the motivation to determine which elements of the vector most contribute to its similarity to other sets.
Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over CHRISTODORESCU et al (Doc ID US 20180198812 A1), DAVID et al (Doc ID US 20180247045 A1), LANCIONI et al (Doc ID US 20240070326 A1), and CHANDOLA et al (Doc ID US 20160269424 A1) as applied to claim 5 above, and further in view of IHARA (Doc ID US 20080114564 A1).
Regarding claim 7:
The combination of CHRISTODORESCU, DAVID, LANCIONI, and CHANDOLA teaches:
The ultra-light clustering-based generative intrusion detection device of claim 5, wherein the circuitry is further configured to initialize a big-counter set as an empty set ([0104] "At block 412, the example element occurrence determination circuitry 214 determines an occurrence frequency of the plurality of hash elements in the at least one cluster."); and
a second step of adding counters calculated based on the average and variance and exceeding the first threshold value to the big-counter set to determine additional counters as big-counters (LANCIONI [0094] "At block 406, the example hash element preservation circuitry 208 (FIG. 2) preserves the hash elements that satisfy a hash element count threshold. In some examples, the hash element count threshold is a value that indicates a minimum number of occurrences of a hash element across a group of LSHs."),
wherein the first step and second step are repeated until no additional counters exceed the first threshold value, ([0098] "If there are more hash elements in the current LSH, then the hash element preservation circuitry 208 turns to the next hash element 502E to examine and returns to block 504.") and
wherein counters in the big-counter set after completion of the repeated steps are determined to be big-counters ([0101] "If there are no more LSHs in the group of LSHs, then ... the process flow turns to block 408 in FIG. 4." and [0102] "... at block 408, … encodes feature vectors with ones of hash elements of the plurality of hash elements that are preserved.").
Identifying counts of MinHashed values which exceed a threshold, and adding those counts to a vector to be used in similarity determination are known techniques in the art, as demonstrated by LANCIONI. It would have been obvious to a PHOSITA before the effective filing date of the claimed invention to modify the malicious signature detection among similar data of CHRISTODORESCU, DAVID, LANCIONI, and CHANDOLA with the counter thresholds of LANCIONI with the motivation to complete a typical step of using a MinHash algorithm to determine similarity between pieces of data. Adding the counters which exceed a threshold is a necessary step in identifying elements which repeat between data pieces.
IHARA teaches the following limitation(s) not taught by the combination of CHRISTODORESCU, DAVID, LANCIONI, and CHANDOLA:
repeatedly perform a first step of calculating an average and variance of counters in the counter array excluding counters in the big-counter set that have been identified as big-counters, ([0104] At block 412, the example element occurrence determination circuitry 214 determines an occurrence frequency of the plurality of hash elements in the at least one cluster.) and
Calculating the variance and average of features is a known technique in the art, as demonstrated by IHARA. It would have been obvious to a PHOSITA before the effective filing date of the claimed invention to modify the malicious signature detection among similar data of CHRISTODORESCU, DAVID, LANCIONI, and CHANDOLA with the average and variance calculation of IHARA with the motivation to use the variance and average in conjunction with a threshold to determine which MinHashed values should be considered in a final determination of similarity.
Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over CHRISTODORESCU et al (Doc ID US 20180198812 A1), DAVID et al (Doc ID US 20180247045 A1), LANCIONI et al (Doc ID US 20240070326 A1), CHANDOLA et al (Doc ID US 20160269424 A1), and IHARA (Doc ID US 20080114564 A1) as applied to claim 7 above, and further in view of KALLAS et al (Doc ID US 20240338704 A1).
Regarding claim 8:
The combination of CHRISTODORESCU, DAVID, LANCIONI, CHANDOLA, and IHARA teaches:
The ultra-light clustering-based generative intrusion detection device of claim 7,
KALLAS teaches the following limitation(s) not taught by the combination of DAS, CHANDOLA, LANCIONI, and IHARA:
The ultra-light clustering-based generative intrusion detection device of claim 7, wherein the circuitry is further configured to calculate the first threshold value through the following expression based on the average and variance: θc,i=μi+c×σi wherein, θc,i is the first threshold value, μi and σi are the average and variance, respectively, and c is a tuning parameter used to scale the variance for outlier detection ([0045] "… determine the threshold as a sum of the average and the standard deviation. In some cases, the location identifier 124 can adjust the standard deviation based on a predetermined value.").
Using a z-score to calculate a threshold meant to determine standout data in a set is a known technique in the art, as demonstrated by KALLAS. It would have been obvious to a PHOSITA before the effective filing date of the claimed invention to modify the malicious signature detection among similar data of CHRISTODORESCU, DAVID, LANCIONI, CHANDOLA, and IHARA with the z-score of KALLAS with the motivation to provide a reasonable threshold value based on the expected maximum deviation from the mean value of the vector.
Claims 9 and 10 are rejected under 35 U.S.C. 103 as being unpatentable over CHRISTODORESCU et al (Doc ID US 20180198812 A1) and DAVID et al (Doc ID US 20180247045 A1) as applied to claim 1 above, and further in view of GUNTAR et al (Doc ID US 20220318378 A1).
Regarding claim 9:
The combination of CHRISTODORESCU and DAVID teaches:
The ultra-light clustering-based generative intrusion detection device of claim 1,
GUNTAR teaches the following limitation(s) not taught by the combination of CHRISTODORESCU and DAVID:
The ultra-light clustering-based generative intrusion detection device of claim 1, wherein the circuitry is further configured to: apply a clustering algorithm to the similar data identified as the one big-group to subdivide the one big-group into multiple clusters ([0035] "Cluster engine 230 may be used to generate clusters of vectors. The clusters may include similar vectors and a list of user IDs.") and
generate the signature group for each cluster ([0036] "… For each identified type, a particular cluster having that type is partitioned into sessions, the matching sessions for the type are removed, and the remainder of session in the cluster will form a new cluster of type “normal.”").
Clustering data into groups and transforming the data in each group is a known technique in the art, as demonstrated by GUNTAR. It would have been obvious to a PHOSITA before the effective filing date of the claimed invention to modify the malicious signature detection among similar data of CHRISTODORESCU and DAVID with the data clustering and transforming of GUNTAR with the motivation to separate the results into groups so that desired data can be more easily collected or discarded.
Regarding claim 10:
The combination of CHRISTODORESCU, DAVID, and GUNTAR teaches:
The ultra-light clustering-based generative intrusion detection device of claim 9, wherein the circuitry is further configured to generate the white list by extracting the normal signatures from a data set that is not identified as the one big-group among the data of the data stream (GUNTAR [0036] "… For each identified type, a particular cluster having that type is partitioned into sessions, the matching sessions for the type are removed, and the remainder of session in the cluster will form a new cluster of type “normal.”").
Grouping data results and filtering them based on criteria is a known technique in the art, as demonstrated by GUNTAR. It would have been obvious to a PHOSITA before the effective filing date of the claimed invention to modify the data feature extractor of CHRISTODORESCU, DAVID, and GUNTAR with the group labelling of GUNTAR with the motivation to separate the results into groups where one of the groups is labeled as “normal.”
Claims 12 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over CHRISTODORESCU et al (Doc ID US 20180198812 A1) and DAVID et al (Doc ID US 20180247045 A1) as applied to claim 11 above, and further in view of LANCIONI et al (Doc ID US 20240070326 A1).
Regarding claim 12:
The combination of CHRISTODORESCU and DAVID teaches:
The ultra-light clustering-based generative intrusion detection method of claim 11,
LANCIONI teaches the following limitation(s) not taught by the combination of CHRISTODORESCU and DAVID:
wherein the identifying the one big-group comprises: creating a chunk set for each piece of data of the data stream ([0092] "… hash obtainment circuitry 204 (FIG. 2) obtains a plurality of locality sensitive hashes (LSHs) corresponding to sections in a plurality of training samples.");
generating a virtual vector represented as a bitmap based on a minimum value of each hash function by applying a different hash function to each chunk of the chunk set ([0092] "Turning now to FIG. 4 ... at block 402, at which the example locality sensitive hash obtainment circuitry 204 (FIG. 2) obtains a plurality of locality sensitive hashes (LSHs) corresponding to sections in a plurality of training samples. ... For example, FIG. 3A illustrates two samples that each have eight hash elements."); and
determining the similar data as belonging to the big-group based on a big-counter derived by accumulating the virtual vector for each piece of data of the data stream in a fixed-size counter array of counters ([0103] "At block 410, the example cluster production circuitry 212 produces at least one cluster with the one or more encoded feature vectors. A cluster means a group of feature vectors that are associated based on similarity of the contents (e.g., hash elements) of the feature vectors.").
Splitting data into sections (chunks), performing a MinHash algorithm to create vectors of the sections, and determining similarity among data by clustering the vectors to find repeating hashes is a known technique in the art, as demonstrated by LANCIONI. It would have been obvious to a PHOSITA before the effective filing date of the claimed invention to modify the malicious signature detection among similar data of CHRISTODORESCU and DAVID with the MinHash similarity calculation of LANCIONI with the motivation to use a well-known algorithm to determine similarity among pieces of data.
Regarding claim 13:
The combination of CHRISTODORESCU, DAVID, and LANCIONI teaches:
The ultra-light clustering-based generative intrusion detection method of claim 12, wherein the determining the similar data comprises determining any of counters that exceeds a preset first threshold value among the counters in the counter array as the big-counter (LANCIONI [0094] "At block 406, the example hash element preservation circuitry 208 (FIG. 2) preserves the hash elements that satisfy a hash element count threshold. In some examples, the hash element count threshold is a value that indicates a minimum number of occurrences of a hash element across a group of LSHs.").
Preserving a feature in a vector based on it exceeding a threshold is a known technique in the art, as demonstrated by LANCIONI. It would have been obvious to a PHOSITA before the effective filing date of the claimed invention to modify the malicious signature detection among similar data of CHRISTODORESCU, DAVID, and LANCIONI with the vector update of LANCIONI with the motivation to keep only those vector values which indicate a number of occurrences beyond a minimum threshold. Greater numbers of occurrences likely indicate a stronger similarity.
Claim 14 is rejected under 35 U.S.C. 103 as being unpatentable over CHRISTODORESCU et al (Doc ID US 20180198812 A1), DAVID et al (Doc ID US 20180247045 A1), and LANCIONI et al (Doc ID US 20240070326 A1) as applied to claim 13 above, and further in view of IHARA (Doc ID US 20080114564 A1).
Regarding claim 14:
The combination of CHRISTODORESCU, DAVID, and LANCIONI teaches:
The ultra-light clustering-based generative intrusion detection method of claim 13, wherein the determining as the big-counter comprises: a first step of initializing a big-counter set as an empty set ([0104] "At block 412, the example element occurrence determination circuitry 214 determines an occurrence frequency of the plurality of hash elements in the at least one cluster.");
a third step of adding counters calculated based on the average and variance and exceeding the first threshold value to the big-counter set to determine additional counters as big-counters (LANCIONI [0094] "At block 406, the example hash element preservation circuitry 208 (FIG. 2) preserves the hash elements that satisfy a hash element count threshold. In some examples, the hash element count threshold is a value that indicates a minimum number of occurrences of a hash element across a group of LSHs."); and
a fourth step of determining counters in the big-counter set as the big-counters by repeatedly performing the second and third steps until no new counter exceed the first threshold value ([0098] "If there are more hash elements in the current LSH, then the hash element preservation circuitry 208 turns to the next hash element 502E to examine and returns to block 504."),
wherein counters in the big-counter set after completion of the repeated steps are determined to be the big-counters ([0101] "If there are no more LSHs in the group of LSHs, then ... the process flow turns to block 408 in FIG. 4." and [0102] "... at block 408, … encodes feature vectors with ones of hash elements of the plurality of hash elements that are preserved.").
IHARA teaches the following limitation(s) not taught by the combination of CHRISTODORESCU, DAVID, and LANCIONI:
a second step of calculating an average and variance of counters in the counter array excluding counters in the big-counter set that have been identified as big-counters ([0104] At block 412, the example element occurrence determination circuitry 214 determines an occurrence frequency of the plurality of hash elements in the at least one cluster.);
Calculating the variance and average of features is a known technique in the art, as demonstrated by IHARA. It would have been obvious to a PHOSITA before the effective filing date of the claimed invention to modify the malicious signature detection among similar data of CHRISTODORESCU, DAVID, and LANCIONI with the average and variance calculation of IHARA with the motivation to use the variance and average in conjunction with a threshold to determine which MinHashed values should be considered in a final determination of similarity.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BRANDON BINCZAK whose telephone number is (703)756-4528. The examiner can normally be reached M-F 0800-1700.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Alexander Lagor can be reached on (571) 270-5143. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/BB/Examiner, Art Unit 2437
/ALEXANDER LAGOR/Supervisory Patent Examiner, Art Unit 2437