Prosecution Insights
Last updated: April 19, 2026
Application No. 18/787,269

ULTRA-LIGHT CLUSTERING-BASED GENERATIVE INTRUSION DETECTION DEVICE AND METHOD, AND COMPUTER-READABLE RECORDING MEDIUM INCLUDING INSTRUCTIONS TO PERFORM METHOD

Non-Final OA: §101, §102, §103, §112
Filed: Jul 29, 2024
Examiner: BINCZAK, BRANDON MICHAEL
Art Unit: 2437
Tech Center: 2400 — Computer Networks
Assignee: Kookmin University Industry Academy Cooperation Foundation
OA Round: 1 (Non-Final)
Grant Probability: 38% (At Risk)
OA Rounds: 1-2
To Grant: 2y 11m
With Interview: 74%

Examiner Intelligence

Grants only 38% of cases
Career Allow Rate: 38% (23 granted / 60 resolved; -19.7% vs TC avg)
Strong +36% interview lift
Interview Lift: +36.1% (resolved cases with interview)
Typical timeline
Avg Prosecution: 2y 11m (34 currently pending)
Career history
Total Applications: 94 (across all art units)

Statute-Specific Performance

§101: 9.0% (-31.0% vs TC avg)
§103: 54.7% (+14.7% vs TC avg)
§102: 9.9% (-30.1% vs TC avg)
§112: 26.0% (-14.0% vs TC avg)
Based on career data from 60 resolved cases

Office Action

§101 §102 §103 §112
DETAILED ACTION

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Priority

Receipt is acknowledged of certified copies of papers required by 37 CFR 1.55.

Information Disclosure Statement

The information disclosure statement (IDS) submitted on 7/29/2024 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Specification

The abstract of the disclosure is objected to because:

It repeats information given in the title. Specifically, the first sentence of the abstract, “An ultra-light clustering-based generative intrusion detection device, includes …”, repeats a portion of the title verbatim.

It uses the form and legal phraseology often used in patent claims. Specifically, the abstract appears to be essentially a copy of claim 1.

A corrected abstract of the disclosure is required and must be presented on a separate sheet, apart from any other text. See MPEP § 608.01(b).

Claim Objections

Claim 10 is objected to because of the following informalities:

Regarding claim 10: The claim recites, “… extracting the normal signatures from a data set that is not identified as the at least one big-group …”. The plain meaning of this claim based on its verbiage provides for any data set, including data other than the recited data stream, to be used as the source of the “normal signatures.” It seems clear that the intent is for the “normal signatures” to be extracted from a subset of the dataset, where the subset is disjoint from the subset which includes any “big-groups”; however, applicant is strongly encouraged to amend the claims so that this is explicit. Appropriate correction is required.

Claim Rejections - 35 USC § 101

35 U.S.C. 101 reads as follows:

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1-15 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. The claim(s) do not fall within at least one of the four categories of patent eligible subject matter because as drafted, the claim limitations are processes that, under their broadest reasonable interpretation, may be performed in the mind. That is, nothing in the claim elements precludes the steps from practically being performed in the mind (or with pen and paper). If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components, then it falls within the “Mental Processes” grouping of abstract ideas. Accordingly, the claims recite an abstract idea.

The claims, minus their recited generic computer components, are summarized as follows:

Claims 1, 11, and 15: Receive data. Identify a “big-group” of data in the received data based on a “chunk set.” Create a “signature” for each “big-group.” Create a “signature group.”

Claim 2: Receive a type of data from among “alerts,” “logs,” “files,” and others.

Claims 3 and 12: Apply a MinHash technique of using a different hash function for each chunk to create a minimized vector representation (virtual vector) of the minimum values of each hash. Accumulate the virtual vector on a list (fixed-size counter array).

Claim 4: Changing a number of bit values to a “1” where the number is the number of hash functions used.

Claims 5 and 13: Identify a “big-counter” as a value in the list exceeding a threshold.

Claim 6: Calculating a “proportion” of the “big-counter” in the list.

Claims 7 and 14: Calculate an average and variance of counters in the list. Adding counters based on the average and variance to the “big-counter.” Repeating the steps until no new counters can be added.

Claim 8: Calculating the threshold based on a tuning parameter and the average and variance.

Claim 9: Apply a clustering algorithm to the “big-group.” Remove signatures found on a “white list.”

Claim 10: Create the white list from other sets of normal signatures.

The claims do not fall within at least one of the four categories of patent eligible subject matter because as drafted, the claims are directed to the abstract idea of collecting data and processing data.

This judicial exception is not integrated into a practical application. Claims and their limitations directed to hardware and computer devices recite generic computer components performing generic functions, and do not recite any specific improvement to existing hardware in order to achieve the invention. Accordingly, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea. The claims are directed to an abstract idea.

The claims further do not include additional elements that amount to significantly more than the judicial exception. Limiting the claims to generic form factors such as an “intrusion detection device,” without more, is insufficient to transform them into patent-eligible applications of the abstract idea which is at their core. The claims are not patent eligible.

Claim Interpretation

The following is a quotation of 35 U.S.C. 112(f):

(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art. The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is invoked.

As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph:

the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function;

the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and

the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function.

Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function.

Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph.
The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function.

Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.

This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier. Such claim limitation(s) is/are:

Claims 1 and 11:
“a data receiver [means] configured to receive a data stream [function]”
“a big-group identification unit [means] configured to identify at least one big-group [function]”
“a signature generator [means] configured to extract signatures [function]”

Claims 3 and 12:
“a minhashed virtual-vector (MV2) module [means] configured to generate the virtual vector represented as a bitmap [function]”
“a Jaccard-index grouping (JIG) module [means] configured to determine the similar data classified as the big-group [function]”

Claim 9:
“a signature-group generation (SG2) module [means] configured to generate the signature group for each cluster [function]”

Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.

If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, applicant may:

amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) (e.g., by reciting sufficient structure to perform the claimed function); or

present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f).

Claim Rejections - 35 USC § 112

The following is a quotation of the first paragraph of 35 U.S.C. 112(a):

(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

Claim 8 is rejected under 35 U.S.C. 112(a) as failing to comply with the enablement requirement. The claims contain subject matter which was not described in the specification in such a way as to enable one skilled in the art to which it pertains, or with which it is most nearly connected, to make and/or use the invention.

Regarding claim 8: The claim recites “… c is a tuning parameter.” The limitation is not enabled; See MPEP § 2164.

The test of enablement is whether one reasonably skilled in the art could make or use the invention from the disclosures in the patent coupled with information known in the art without undue experimentation; United States v. Telectronics, Inc., 857 F.2d 778, 785, 8 USPQ2d 1217, 1223 (Fed. Cir. 1988).

The factors to be considered when determining whether there is sufficient evidence to support a determination that a disclosure does not satisfy the enablement requirement and whether any necessary experimentation is “undue” include, but are not limited to: (a) the breadth of the claims; (b) the nature of the invention; (c) the state of the prior art; (d) the level of one of ordinary skill; (e) the level of predictability in the art; (f) the amount of direction provided by the inventor; (g) the existence of working examples; and (h) the quantity of experimentation needed to make or use the invention based on the content of the disclosure; In re Wands, 858 F.2d 731, 737, 8 USPQ2d 1400, 1404 (Fed. Cir. 1988).

As to (a) the breadth of the claims, the claims are broadly directed to using Jaccard Similarity to identify portions of a data stream which are similar to each other. The limitation in question is narrowly directed to the calculation of a threshold value used for determining a high occurrence rate of a value. However, the recitation of a “tuning parameter” with no further guidance or explanation creates an essentially infinite breadth of possible values, and would require an extremely large amount of experimentation for one skilled in the art to derive the intended value.

As to (b) the nature of the invention, methods which process data using various known mathematical algorithms are nearly infinite in their diversity and purpose, and while the claims and specification purport that the invention is used in the narrower field of intrusion detection, neither the claims nor specification are explicit in the use of any output of the claimed invention in such a purpose. The nature of the invention does not reduce the expected amount of experimentation required.

As to (c) the state of the prior art and (d) the level of skill in the art, it is generally considered well-established and high.
However, given the degree to which an unknown value may alter the equation in question, the state of the prior art and the level of skill in the art do not reduce the amount of experimentation required.

As to (e) the level of predictability in the art and (f) the amount of direction provided by the inventor, the computer security arts are generally considered predictable. However, similarly to comments directed to factors (b) and (c) above, the degree to which an unknown value may alter the equation in question means that the level of predictability in the art does not reduce the amount of experimentation required.

As to the (g) existence of working examples, no examples are provided in which a value is given to the “tuning parameter.” This requires an undue amount of experimentation.

As to the (h) quantity of experimentation needed, there is no particular evidence in the record to indicate the quantity of experimentation that one of ordinary skill in the art would need to implement the present invention. However, analysis of this factor in light of the other factors present suggests the amount of experimentation required to make and use the invention is undue.

The majority of factors for which there is evidence suggest that undue experimentation is required. After weighing all of the factors and all the evidence of record, the totality of the evidence suggests that it would require undue experimentation to make and use the claimed invention.

Claims 1-14 are rejected under 35 U.S.C. 112(a) as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, at the time the application was filed, had possession of the claimed invention.

Regarding claims 1-15: The claims are each directed to “intrusion detection,” embodied in either a device or method.
Neither the claims nor specification describe a step, result, or output which is characterized as an intrusion or a detection of an intrusion. Given the wording of the title of the invention, the abstract of the disclosure, and the preambles of the claims, one expects language which indicates how and when a detection of an intrusion takes place. The complete lack of this language calls the validity of the entire claim set into question.

Regarding claims 1, 3, 9, 11, and 12: Claim limitations reciting a “data receiver,” “big-group identification unit,” “signature generator,” “minhashed virtual-vector (MV2) module,” “Jaccard-index grouping (JIG) module,” and/or “signature-group generation (SG2) module” lack sufficient written description in the specification and claims. No specific physical structures of these features are explicitly described. Further, computer-implemented claims invoking 35 U.S.C. 112(f) require description of the algorithm or steps required to achieve the claimed functions.

Regarding claims 2, 4-8, 10, 13, and 14: They are dependent on one or more rejected claims, and thus inherit those rejections. This rejection could be overcome by overcoming the rejection(s) to any claims upon which these claims depend, or by amending the claims such that they are no longer dependent on any rejected claim.

The following is a quotation of 35 U.S.C. 112(b):

(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

Claims 1-15 are rejected under 35 U.S.C. 112(b) as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor regards as the invention.

Regarding claims 1-15: Claims 1-14 are directed to an “ultra-light clustering-based generative intrusion detection device.” Claim 15 is directed to an “intrusion detection method.” The claims are indefinite because the metes and bounds of the claims are unclear. Where the preambles recite “intrusion detection,” the claims fail to provide any limitations which indicate that any detection is performed, or that any intrusion is present. The claim limitations fail to limit the practice of the invention to even their broadest declared use (intrusion detection), and thus cannot be said to distinctly claim the subject matter which the inventor or a joint inventor regards as the invention.

Regarding claims 1, 3, 9, 11, and 12: Claim limitations reciting a “data receiver,” “big-group identification unit,” “signature generator,” “minhashed virtual-vector (MV2) module,” “Jaccard-index grouping (JIG) module,” and/or “signature-group generation (SG2) module” lack sufficient written description in the specification and claims. No specific physical structures of these features are explicitly described. Further, computer-implemented claims invoking 35 U.S.C. 112(f) require description of the algorithm or steps required to achieve the claimed functions.

Applicant may:

Amend the claim so that the claim limitation will no longer be interpreted as a limitation under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph;

Amend the written description of the specification such that it expressly recites what structure, material, or acts perform the entire claimed function, without introducing any new matter (35 U.S.C. 132(a)); or

Amend the written description of the specification such that it clearly links the structure, material, or acts disclosed therein to the function recited in the claim, without introducing any new matter (35 U.S.C. 132(a)).

If applicant is of the opinion that the written description of the specification already implicitly or inherently discloses the corresponding structure, material, or acts and clearly links them to the function so that one of ordinary skill in the art would recognize what structure, material, or acts perform the claimed function, applicant should clarify the record by either:

Amending the written description of the specification such that it expressly recites the corresponding structure, material, or acts for performing the claimed function and clearly links or associates the structure, material, or acts to the claimed function, without introducing any new matter (35 U.S.C. 132(a)); or

Stating on the record what the corresponding structure, material, or acts, which are implicitly or inherently set forth in the written description of the specification, perform the claimed function. For more information, see 37 CFR 1.75(d) and MPEP §§ 608.01(o) and 2181.

Regarding claims 1, 11, and 15: Claim 1 recites, “… identify at least one big-group related to similar data encoded as a virtual vector based on a chunk set for each piece of data of the data stream …”. Claims 11 and 15 recite similar language. The claims are indefinite because the metes and bounds of claims are unclear. The relationship between the “big-group,” “similar data,” “virtual vector,” “chunk set,” and “piece of data” is unclear and made impossible to parse by the claim language. The reasons include, but are not necessarily limited to:

It is ambiguous whether,
The “big-group related to similar data” is “encoded as a virtual vector,” or
The “big-group” is “related to similar data encoded as a virtual vector”

It is ambiguous whether,
The “big-group” is identified as being “related to similar data,” or
The “big-group related to similar data” is identified based on a “chunk set.”

The division of the data stream is unclear.
As written, it seems the “data stream” is comprised of “pieces of data,” which are in turn each comprised of “chunk sets.” Child claims indicate these “chunk sets” are further comprised of chunks. It is impossible to determine how the original data stream is meant to be divided in this manner or to this degree.

Regarding claims 3 and 12: Claim 3 recites, “… determine the similar data classified as the big-group …”. Claim 12 recites similar language. This limitation contradicts depended-on claims 1 and 11, respectively, which recite, “… identify at least one big-group related to similar data …”. Where a “big-group” is previously defined as related to “similar data,” it is then indefinite for a child claim to recite that the “similar data” is classified as the “big-group.” Put simply, the claims recite the similar data and big-group as a single element, and the depended-on claim explicitly recites them as two distinct elements. This rejection can be overcome by making the claims compatible with their depended-on claim.

Regarding claims 5 and 13: Claim 5 recites, “… the JIG module determines a counter exceeding a preset first threshold value among counters in the counter array …”. Claim 12 recites similar language. The claims are indefinite because the term “a counter” lacks antecedent basis. It is unclear what type of data is referred to as a “counter,” as the “counter array” is previously defined as containing the “virtual vector.” While it may be inferred that a “counter” refers to a portion of this vector, it cannot be determined how the vector may be divided into counters which may then be individually measured against a threshold.

Regarding claim 6: The claim recites, “… the JIG module calculates a proportion of the big-counter within the counter array …”. The claim is indefinite because it is unclear what proportion is being calculated.
Given a proportion represented as a fraction, it is unclear whether the “big-counter” is the top value of the proportion, the bottom value, or whether the proportion itself is referred to as the “big-counter.” In any of these cases, at least one additional required value of any possible proportion is not indicated.

Regarding claims 7 and 14: Claim 7 recites, “… excluding counters in a big-counter set …”. Claim 14 recites similar language. The claims are indefinite because “a big-counter set” lacks antecedent basis. It is unclear of what values the “big-counter set” is made, as parent claims recite the calculation of only a single “big-counter.” This rejection can be overcome by making the claim compatible with its depended-on claim.

Claim 7 further recites, “… a first step of calculating an average and variance of counters in the counter array …”, and “… adding counters calculated based on the average and variance …”. Claim 14 recites similar language. The claims are further indefinite because they are internally inconsistent. The claim simultaneously recites calculating the “average and variance” of the “counters,” while also reciting calculating “counters” using the “average and variance.” This creates a circular dependency, or closed loop, which makes both elements impossible to calculate. Put another way, ‘A’ cannot be calculated using ‘B’ if ‘B’ is calculated using ‘A.’

Regarding claim 9: The claim recites, “… applying a clustering algorithm to the similar data identified as the at least one big-group …”. The claim is indefinite because it is unclear what relationship exists, between the “signatures” of depended-on claim 1, and the “signature group” and “similar data” of this claim.
Where claim 1 recites, “… extract signatures for each of the at least one big-group and generate a signature group.” One of ordinary skill in the art would infer that the “signature group” is composed of the “signatures” of each of the “big-groups.” However, claim 9 recites that the “signature group” is the product of a “clustering algorithm” applied to the “similar data.”

This limitation also contradicts depended-on claim 1, which recites, “… identify at least one big-group related to similar data …”. Where a “big-group” is previously defined as related to “similar data,” it is then indefinite for a child claim to recite that the “similar data” is classified as the “big-group.” Put simply, the claim recites the similar data and big-group as a single element, and the depended-on claim explicitly recites them as two distinct elements. This rejection can be overcome by making the claim compatible with its depended-on claim.

Claim Rejections - 35 USC § 102

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:

A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1, 2, 11, and 15 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by DAS et al (Doc ID US 20180181641 A1).

Regarding claim 1: DAS teaches:

An ultra-light clustering-based generative intrusion detection device comprising:

a data receiver configured to receive a data stream containing a specific type of data ([0061] "At 300, an incoming dataset may be received via a processing system.");

a big-group identification unit configured to identify at least one big-group related to similar data encoded as a virtual vector based on a chunk set for each piece of data of the data stream ([0062] "At 302, a feature vector for the incoming dataset may be generated." and [0064] "At 306, at least one cluster of datasets ... may be selected based on similarity measures ..."); and

a signature generator configured to extract signatures for each of the at least one big-group and generate a signature group ([0065] "At 308, at least one dataset from the selected at least one cluster may be selected based on similarity measures between the generated feature vector and the representative feature vectors of datasets in the selected at least one cluster.").

Regarding claim 2: DAS teaches:

The ultra-light clustering-based generative intrusion detection device of claim 1, wherein the data receiver receives a data stream with respect to any one of a plurality of types including an alert, a log, a packet, an e-mail, and a file ([0012] "… the dataset may be a collection of log messages, snippets from text messages, messages from social networking platforms, and so forth.").

Regarding claim 11: This claim is rejected with the same justification, mutatis mutandis, as its counterpart claim 1 above.

Regarding claim 15: DAS teaches:

A computer-readable recording medium storing a computer program including instructions for performing an intrusion detection method comprising ([0047] "Processor 202 executes instructions included in the computer readable medium 208."):

The remainder of this claim’s limitations are rejected with the same prior art mapping and justification, mutatis mutandis, as its counterpart claims 1 and 11.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 3 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over DAS et al (Doc ID US 20180181641 A1) as applied to claims 1 and 11 above, and further in view of CHANDOLA et al (Doc ID US 20160269424 A1).

Regarding claim 3: DAS teaches:

The ultra-light clustering-based generative intrusion detection device of claim 1,

a Jaccard-index grouping (JIG) module configured to determine the similar data classified as the big-group based on a big-counter derived by accumulating the virtual vector in a fixed-size counter array (DAS [0062] "At 302, a feature vector for the incoming dataset may be generated." and [0064] "At 306, at least one cluster of datasets ... may be selected based on similarity measures ...").

CHANDOLA teaches the following limitation(s) not taught by DAS:

wherein the big-group identification unit comprises: a minhashed virtual-vector (MV2) module configured to generate the virtual vector represented as a bitmap based on a minimum value of each hash function by applying a different hash function to each chunk of the chunk set ([0039] "Each of the elements in the vector is calculated using a hashing function. Assume the hashing functions are H.sub.1, H.sub.2, ..., and H.sub.6. Thus, in the example illustrated when H.sub.1 is applied to each element in set A ... and the minimum of those hashes is identified .... The second element “31” is calculated and identified by applying H.sub.2 in the same way to set A."); and

Using a MinHash method to facilitate determination of similar data is a known technique in the art, as demonstrated by CHANDOLA. It would have been obvious to a person having ordinary skill in the art (PHOSITA) before the effective filing date of the claimed invention to modify the data feature extractor of DAS with the MinHash of CHANDOLA with the motivation to quickly and simply determine the prevalence of similar data features between sets. It is obvious to use a known method such as MinHash which is suited to lightweight calculations of this type.

Regarding claim 12: This claim is rejected with the same justification, mutatis mutandis, as its counterpart claim 3 above.

Claims 4-6 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over DAS et al (Doc ID US 20180181641 A1) and CHANDOLA et al (Doc ID US 20160269424 A1) as applied to claims 3 and 12 above, and further in view of LANCIONI et al (Doc ID US 20240070326 A1).

Regarding claim 4: The combination of DAS and CHANDOLA teaches: The ultra-light clustering-based generative intrusion detection device of claim 3,

LANCIONI teaches the following limitation(s) not taught by the combination of DAS and CHANDOLA: wherein the MV2 module changes k bit values of the bitmap to 1 using k different hash functions, where k is a natural number ([0102] "... FIG. 4, at block 408, the example feature vector encoder circuitry 210 encodes feature vectors with ones of hash elements of the plurality of hash elements that are preserved. ... the feature vector encoder circuitry 210 encodes a feature vector with ... hash elements that occur in more than one LSH. E.g., they are present multiple times across the group of LSHs, denoted by the 1's in FIG. 3C.").

Altering a feature vector based on the results of multiple hashes is a known technique in the art, as demonstrated by LANCIONI. It would have been obvious to a PHOSITA before the effective filing date of the claimed invention to modify the MinHashed data feature extractor of DAS and CHANDOLA with the vector update of LANCIONI with the motivation to update the vector as additional sets are analyzed so that the vector represents the totality of analyses.

Regarding claim 5: The combination of DAS and CHANDOLA teaches: The ultra-light clustering-based generative intrusion detection device of claim 3,

LANCIONI teaches the following limitation(s) not taught by the combination of DAS and CHANDOLA: wherein the JIG module determines a counter exceeding a preset first threshold value among counters in the counter array as the big-counter ([0094] "At block 406, the example hash element preservation circuitry 208 (FIG. 2) preserves the hash elements that satisfy a hash element count threshold. In some examples, the hash element count threshold is a value that indicates a minimum number of occurrences of a hash element across a group of LSHs.").
Preserving a feature in a vector based on it exceeding a threshold is a known technique in the art, as demonstrated by LANCIONI. It would have been obvious to a PHOSITA before the effective filing date of the claimed invention to modify the MinHashed data feature extractor of DAS and CHANDOLA with the vector update of LANCIONI with the motivation to keep only those vector values which indicate a number of occurrences beyond a minimum threshold. Greater numbers of occurrences likely indicate a stronger similarity.

Regarding claim 6: The combination of DAS, CHANDOLA, and LANCIONI teaches: The ultra-light clustering-based generative intrusion detection device of claim 5,

LANCIONI teaches the following limitation(s) not taught by the combination of DAS, CHANDOLA, and LANCIONI: wherein the JIG module calculates a proportion of the big-counter within the counter array and determines data associated with the virtual vector as the similar data when the proportion exceeds a preset second threshold value (LANCIONI [0105] "At block 414, the example synthetic hash creation circuitry 216 creates at least one synthetic hash of the at least one cluster with a first group of hash elements of the plurality of hash elements that satisfy an occurrence frequency threshold.").

Identifying vector features which exceed a further threshold is a known technique in the art, as demonstrated by LANCIONI. It would have been obvious to a PHOSITA before the effective filing date of the claimed invention to modify the MinHashed data feature extractor of DAS, CHANDOLA, and LANCIONI with the vector update of LANCIONI with the motivation to determine which elements of the vector most contribute to its similarity to other sets.

Regarding claim 13: This claim is rejected with the same justification, mutatis mutandis, as its counterpart claim 5 above.

Claims 7 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over DAS et al (Doc ID US 20180181641 A1), CHANDOLA et al (Doc ID US 20160269424 A1), and LANCIONI et al (Doc ID US 20240070326 A1) as applied to claims 5 and 13 above, and further in view of IHARA (Doc ID US 20080114564 A1).

Regarding claim 7: The combination of DAS, CHANDOLA, and LANCIONI teaches: The ultra-light clustering-based generative intrusion detection device of claim 5,

IHARA teaches the following limitation(s) not taught by the combination of DAS, CHANDOLA, and LANCIONI: wherein the JIG module repeatedly performs a first step of calculating an average and variance of counters in the counter array excluding counters in a big-counter set in a state in which the big-counter has been initialized, and a second step of adding counters calculated based on the average and variance and exceeding the first threshold value to the big-counter set to determine a counter in the big-counter set as the big-counter ([0296] "Further, as to the ... co-occurrence matrix ..., items smaller than a prescribed threshold may be removed from the objects of evaluation, pieces of information at positions further than a prescribed distance from the mean, based on standard deviation calculated from variance of all probabilities, may be removed from the objects of evaluation ...").

Identifying vector features that exceed a further threshold based on the variance and average of features is a known technique in the art, as demonstrated by IHARA. It would have been obvious to a PHOSITA before the effective filing date of the claimed invention to modify the MinHashed data feature extractor of DAS, CHANDOLA, and LANCIONI with the vector update of IHARA with the motivation to determine which elements of the vector most contribute to its similarity to other sets.

Regarding claim 14: This claim is rejected with the same justification, mutatis mutandis, as its counterpart claim 7 above.

Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over DAS et al (Doc ID US 20180181641 A1), CHANDOLA et al (Doc ID US 20160269424 A1), LANCIONI et al (Doc ID US 20240070326 A1), and IHARA (Doc ID US 20080114564 A1) as applied to claim 7 above, and further in view of KALLAS et al (Doc ID US 20240338704 A1).

Regarding claim 8: The combination of DAS, CHANDOLA, LANCIONI, and IHARA teaches: The ultra-light clustering-based generative intrusion detection device of claim 7,

KALLAS teaches the following limitation(s) not taught by the combination of DAS, CHANDOLA, LANCIONI, and IHARA: The ultra-light clustering-based generative intrusion detection device of claim 7, wherein the JIG module calculates the first threshold value through the following expression based on the average and variance:

$\theta_{C,i} = \mu_i + c \times \sigma_i$

wherein, $\theta_{C,i}$ is the first threshold value, $\mu_i$ and $\sigma_i$ are the average and variance, respectively, and $c$ is a tuning parameter ([0045] "… determine the threshold as a sum of the average and the standard deviation. In some cases, the location identifier 124 can adjust the standard deviation based on a predetermined value.").

Using a z-score to calculate a threshold meant to determine standout data in a set is a known technique in the art, as demonstrated by KALLAS. It would have been obvious to a PHOSITA before the effective filing date of the claimed invention to modify the MinHashed data feature extractor of DAS, CHANDOLA, LANCIONI, and IHARA with the z-score of KALLAS with the motivation to provide a reasonable threshold value based on the expected maximum deviation from the mean value of the vector.

Claims 9 and 10 are rejected under 35 U.S.C. 103 as being unpatentable over DAS et al (Doc ID US 20180181641 A1) as applied to claim 1 above, and further in view of GUNTAR et al (Doc ID US 20220318378 A1).
Regarding claim 9: DAS teaches: The ultra-light clustering-based generative intrusion detection device of claim 1,

GUNTAR teaches the following limitation(s) not taught by DAS: The ultra-light clustering-based generative intrusion detection device of claim 1, wherein the signature generator comprises: a signature-group generation (SG2) module configured to generate the signature group for each cluster by applying a clustering algorithm to the similar data identified as the at least one big-group ([0035] "Cluster engine 230 may be used to generate clusters of vectors. The clusters may include similar vectors and a list of user IDs."); and an automatic whitelisting (AWL) module configured to remove normal signatures in a white list from the signature group ([0036] "… For each identified type, a particular cluster having that type is partitioned into sessions, the matching sessions for the type are removed, and the remainder of session in the cluster will form a new cluster of type “normal.”").

Grouping data results and filtering them based on criteria is a known technique in the art, as demonstrated by GUNTAR. It would have been obvious to a PHOSITA before the effective filing date of the claimed invention to modify the data feature extractor of DAS with the MinHash of GUNTAR with the motivation to separate the results into groups where one of the groups is labeled as “normal.”

Regarding claim 10: The combination of DAS and GUNTAR teaches: The ultra-light clustering-based generative intrusion detection device of claim 9, wherein the AWL module generates the white list by extracting the normal signatures from a data set that is not identified as the at least one big-group among the data of the data stream (GUNTAR [0036] "… For each identified type, a particular cluster having that type is partitioned into sessions, the matching sessions for the type are removed, and the remainder of session in the cluster will form a new cluster of type “normal.”").
Grouping data results and filtering them based on criteria is a known technique in the art, as demonstrated by GUNTAR. It would have been obvious to a PHOSITA before the effective filing date of the claimed invention to modify the data feature extractor of DAS and GUNTAR with the MinHash of GUNTAR with the motivation to separate the results into groups where one of the groups is labeled as “normal.”

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to BRANDON BINCZAK whose telephone number is (703)756-4528. The examiner can normally be reached M-F 0800-1700.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Alexander Lagor can be reached on (571) 270-5143. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/BB/
Examiner, Art Unit 2437

/ALEXANDER LAGOR/
Supervisory Patent Examiner, Art Unit 2437
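The limitations quoted for claims 3 to 8 describe a MinHash virtual vector, a fixed-size counter array, and an iteratively recomputed threshold θ = μ + c·σ that selects big-counters. The Python sketch below is an added example of one reading of that pipeline, not code from the application or the cited references. The array size, k, 8-byte sliding chunks, salted BLAKE2b hashes, batch accumulation, σ taken as the standard deviation, and the sample stream are all assumptions.

```python
import hashlib
import random
import statistics

M, K, CHUNK = 256, 4, 8  # assumed: counter-array size, hash functions, chunk bytes

def virtual_vector(payload):
    """MinHash the sliding chunks with K salted hashes; each minimum sets one bit."""
    chunks = {payload[i:i + CHUNK] for i in range(len(payload) - CHUNK + 1)}
    bits = set()
    for j in range(K):
        low = min(hashlib.blake2b(c, digest_size=8, salt=bytes([j])).digest()
                  for c in chunks)
        bits.add(int.from_bytes(low, "big") % M)
    return bits

def accumulate(stream):
    """Add every payload's virtual vector into one fixed-size counter array."""
    counters = [0] * M
    for payload in stream:
        for b in virtual_vector(payload):
            counters[b] += 1
    return counters

def big_counters(counters, c=3.0):
    """Repeat: mean/deviation over non-big counters, promote those above mu + c*sigma."""
    big = set()  # the big-counter set starts empty ("initialized")
    while True:
        rest = [v for i, v in enumerate(counters) if i not in big]
        theta = statistics.fmean(rest) + c * statistics.pstdev(rest)
        new = {i for i, v in enumerate(counters) if i not in big and v > theta}
        if not new:
            return big
        big |= new

def is_similar(payload, big, theta2=0.5):
    """Assumed reading of the second threshold: share of the vector's bits that are big."""
    bits = virtual_vector(payload)
    return len(bits & big) / len(bits) > theta2

# Constructed sample stream: 40 near-identical payloads among 60 unrelated ones.
rng = random.Random(2024)
def rand_bytes(n):
    return bytes(rng.getrandbits(8) for _ in range(n))

BODY = rand_bytes(300)
REPEATED = [BODY + i.to_bytes(2, "big") for i in range(40)]
BACKGROUND = [rand_bytes(120) for _ in range(60)]
BIG = big_counters(accumulate(REPEATED + BACKGROUND))

if __name__ == "__main__":
    print(sum(is_similar(p, BIG) for p in REPEATED), "of 40 repeated payloads grouped")
    print(sum(is_similar(p, BIG) for p in BACKGROUND), "of 60 background payloads grouped")
```

Reading σ literally as the variance would raise the first-round threshold far above the repeated payloads' counters on this sample, so the choice between the two changes the outcome.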
Prosecution Timeline

Jul 29, 2024
Application Filed
Jan 08, 2026
Non-Final Rejection — §101, §102, §103
Mar 31, 2026
Response Filed

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12470534
PARTIAL POOL CREDENTIALLING AUTHENTICATION SYSTEM
2y 5m to grant Granted Nov 11, 2025
Patent 12452224
IMAGE DISPLAY DEVICE AND SYSTEM, AND OPERATION METHOD FOR SAME
2y 5m to grant Granted Oct 21, 2025
Patent 12425867
REGISTRATION AND SECURITY ENHANCEMENTS FOR A WTRU WITH MULTIPLE USIMS
2y 5m to grant Granted Sep 23, 2025
Patent 12417283
IOT ADAPTIVE THREAT PREVENTION
2y 5m to grant Granted Sep 16, 2025
Patent 12411919
Shared Assistant Profiles Verified Via Speaker Identification
2y 5m to grant Granted Sep 09, 2025
Study what changed to get past this examiner. Based on 5 most recent grants.

Prosecution Projections

1-2
Expected OA Rounds
38%
Grant Probability
74%
With Interview (+36.1%)
2y 11m
Median Time to Grant
Low
PTA Risk
Based on 60 resolved cases by this examiner. Grant probability derived from career allow rate.
