DETAILED ACTTION
Notice of Pre-AIA or AIA Status
The present application is being examined under the pre-AIA first to invent provisions. In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claims 1-19 are presented for examination
Response to Arguments
Applicant's arguments filed 04-03-2026 have been fully considered but they are not persuasive.
With respect to rejecting of claims under 35 USC 101, applicant argues that “a human mind cannot process 1,000 events per day. This amounts to processing roughly 1 event per minute at the low end, and 1 event every 6 seconds(!), again, for a healthy machine. The human mind is simply incapable of receiving this amount of records, and certainly is not equipped to detect anything in such an amount of records. The human mind is also incapable of parsing this amount of records… The human mind is not capable of initiating anything in a computing environment, at least because the human mind lacks the capability to interface with a computing environment.. Also, the human mind does not inspect resources for cybersecurity objects. The resource is deployed in a computing environment, and the human mind lacks the ability to communicate with a resource”.
In response, in determining whether a claim recites an abstract idea, the question is not whether a human can practically perform the claimed steps at the same speed or scale of a machine, but whether the claimed steps corresponds to concepts that can be performed mentally or with pen and paper. The operation of receiving data (event record), analyzing data (detect event record of first type), identifying information (detect resource identifier) and performing inspection and mitigation (initiating inspection, initiating a mitigation action) are fundamentally data collection and analysis steps that fall within the category of mental processes. Performing these steps on a large volume of data (i.e., 1000 events per day) or at the high speed using a generic computing components does not make the claim patent -eligible under Subject Matter Eligibility Guidance. Accordingly, claims remain directed to an abstract idea.
With respect to rejection of claims under 35 USC 103, Applicant argues that “The inspection of Wood is performed constantly, by the security agent 306. The security agent 306 is never not there, and so applying Wood's teaching to the instant claim, inspection would not be initiated on the resource for a cybersecurity object based on the event, but rather inspection would be performed continuously. These are entirely different arrangements”.
Applicant’s argument is not persuasive because it incorrectly treats continuous operation and initiation as mutually exclusive. The fact that security agent in Wood operates continuously does not mean inspection is never initiated. Instead, even in a continuously running system, inspection is initiated each time the system processes detected events and associated data as part of its analysis. Under applicant’s interpretation, no continuously running security system could ever initiate inspection, which is an unreasonable and impractical reading of the claim.
In wood, when events are detected, the system processes them by creating and updating aggregate event record, analyzing the resulting data and detecting security threats, which constitutes initiating inspection of activity and associated resources (paragraph [0182]).
Applicant argues that in Wood “The security agent 306 is not installed based in response to anything, or based on anything, and thus there is no initiation of inspection which occurs only in response to detection of resource, because security agent 306 of Wood does not need to detect a resource identifier of a resource in order to operate, it is simply always there.
Examiner does not agree. Applicant’s argument is based on an improper reading of the claim. Claim does not require that the inspection be initiated based on or only in response to a detection of an event. Rather the claim recites “initiating inspection of a resource for a cybersecurity object”. Claim also does not exclude embodiment in which inspection is performed continuously. Wood discloses, a local security agent receives streams of events, aggregates event by continuously aggregating events of a particular event type, transmits the aggregated event to a security resource (paragraph [0182], [0185], [0187], [0193]), and the security resource initiates inspection and detects malware based on the aggregated event (paragraph [0194]).
In response to applicant's argument that the references fail to show certain features of the invention, it is noted that the features upon which applicant relies (i.e., “The only reason to need a resource identifier is because the claim has events which identify resources, and those resources are clearly not previously inspected”) are not recited in the rejected claim(s). Although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims. See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993).
In response to applicant’s argument that there is no teaching, suggestion, or motivation to combine the references, the examiner recognizes that obviousness may be established by combining or modifying the teachings of the prior art to produce the claimed invention where there is some teaching, suggestion, or motivation to do so found either in the references themselves or in the knowledge generally available to one of ordinary skill in the art. See In re Fine, 837 F.2d 1071, 5 USPQ2d 1596 (Fed. Cir. 1988), In re Jones, 958 F.2d 347, 21 USPQ2d 1941 (Fed. Cir. 1992), and KSR International Co. v. Teleflex, Inc., 550 U.S. 398, 82 USPQ2d 1385 (2007). In this case, both applied references are directed to the same general field of endeavor, specifically computer implemented cybersecurity and system monitoring. Wood relates to detecting and analyzing security events generated by endpoint systems to identify potential malicious activity. Similarly, Frascadore relates to monitoring system generated events and associating those event with computing resources to evaluate security or compliance conditions. Both referees operate within computer security systems that process event data to assess system behaviors and detect undesirable condition.
As noted in the office action, while Wood discloses parsing the even record of the first type, Wood does not explicitly disclose, parsing to detect resource identifier, wherein the resource identifier corresponds to a resource deployed in the computing environment. However, Frascadore discloses, this limitation of the claim (paragraph [0072]). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Wood’s security event analyzing and detection system with Frascadore’s monitoring and security compliance evaluation system, in order to identify computing resources associated with events.
In light of the above discussion Examiner maintains the rejection as follows:
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the "right to exclude" granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory obviousness-type double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the conflicting application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement.
Effective January 1, 1994, a registered attorney or agent of record may sign a terminal disclaimer. A terminal disclaimer signed by the assignee must fully comply with 37 CFR 3.73(b).
"A later patent claim is not patentably distinct from an earlier patent claim if the later claim is obvious over, or anticipated by, the earlier claim. In re Longi, 759 F.2d at 896, 225 USPQ at 651 (affirming a holding of obviousness-type double patenting because the claims at issue were obvious over claims in four prior art patents); In re Berg, 140 F.3d at 1437, 46 USPQ2d at 1233 (Fed. Cir. 1998) (affirming a holding of obviousness-type double patenting where a patent application claim to a genus is anticipated by a patent claim to a species within that genus). " ELI LILLY AND COMPANY v BARR LABORATORIES, INC., United States Court of Appeals for the Federal Circuit, ON PETITION FOR REHEARING EN BANC (DECIDED: May 30, 2001).
Claims 1-19 are rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over claims 1-15 of U.S. Patent No.12,095,808. Claims 1-15 of US Patent No.12,095,808 contains every element of claims 1-19 of the instant application and as such anticipate claim1 1-19 of the instant application. Although the conflicting claims are not identical, they are not patentably distinct from each other, as shown below for example, in mapping of claim 1.
Instant Application
U.S. Patent No.12,095,808
1. A method for near-real time inspection of a computing environment for a cybersecurity object, comprising:
continuously receiving a plurality of event records, each event record having an event type, and corresponding to an event in the computing environment;
detecting in the plurality of event records, an event record of a first type;
parsing the event record of the first type to detect a resource identifier, wherein the resource identifier corresponds to a resource deployed in the computing environment;
initiating inspection of the resource for a cybersecurity object; and
initiating a mitigation action in the computing environment, in response to detecting the cybersecurity object on the resource.
1. A method for near-real time inspection of a computing environment for a cybersecurity object, comprising:
continuously receiving from a first source a first plurality of event records, each event record having an event type, and corresponding to an event in the computing environment;
periodically receiving from a second source a second plurality of event records, each event record having an event type, and corresponding to an event in the computing environment;
detecting an event record of a first type;
detecting an event record of a second type; determining that the event record of the second type occurring after the event record of the first type;
parsing the event record of the first type to detect a resource identifier, wherein the resource identifier corresponds to a resource deployed in the computing environment;
initiating inspection of the resource for a cybersecurity object only in response to detecting that the event record of the second type occurred after the event record of the first type; and
initiating a mitigation action in the computing environment, in response to detecting the cybersecurity object on the resource.
Claim Rejections - 35 USC § 101
835 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1-19 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.
The claims when analyzed under 2019 Revised Patent Subject Matter Eligibility Guidance, are directed to abstract idea. Claim 1 for example, recites a method and, therefore, is a process. The claim recites the limitation of “…continuously receiving plurality of event record…detecting in the plurality of event records, an event record of a first type…initiating inspection of the resource for a cybersecurity object; and initiating a mitigation action…, in response to detecting the cybersecurity object…”. These limitations, under broadest reasonable interpretation are directed performance of the limitation in a human mind. That is, nothing in the claim element precludes the step from practically being performed in the mind. For example, the claim encompasses a human simply receiving records/logs on a piece of paper, by looking at the records detecting a type of record (for example, a record showing access to a file), identifying the resource identifier (for example, file identifier) corresponding to a resource, inspecting for abnormalities/cybersecurity object in the file (for example, by comparing the file to an original file that does not include abnormalities or modification) and when the file includes abnormalities or modification initiating a mitigation action (such as by removing the file or reporting the file as suspicious or malicious file). Thus, the claim recites a mental process when analyzed under step 2A prong 1.
Claim is further analyzed in step 2A prong 2, to evaluate whether the claim as a whole integrates the recited judicial exception into a practical application of the exception. This evaluation is performed by identifying whether there are any additional elements recited in the claim beyond the judicial exception, and evaluating those additional elements individually and in combination to determine whether the claim as a whole integrates the exception into a practical application. However, each of the remaining limitation (“computing environment ”) appears to be generic computer functions which do not constitute meaningful limitations that would amount to significantly more than the abstract idea. The receiving step is recited at a high level of generality (i.e., as a general means of collecting event records), and amount to mere data gathering, which is a form of insignificant extra solution activity. The combination of these additional element is no more than generic computer functions. Thus, even in combination, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limitations on practicing the abstract idea.
Claim is additionally analyzed under Step 2B to evaluates whether the claim as a whole amount to significantly more than the recited exception, whether any additional element, or combination of additional elements, adds an inventive concept to the claim. When claims evaluated under step 2B, it is no more than what is well-understood, routine, conventional activity in the field. The specification does not provide any indication anything other than a generic computer component. The mere “continuously receiving plurality of event record…detecting in the plurality of event record an event record of a first type…initiating inspection of the resource for a cybersecurity object; and initiating a mitigation action…in response to detecting the cybersecurity object” is a well-understood, routing and conventional function when it is claimed in a merely generic manner as it is here.
Independent claims 10 and 11include limitations similar to the limitations of claim 1 and are rejected under 35 U.S.C. 101 as being directed to abstract idea for the same reasons discussed above with respect to claim 1.
Dependent claims 2-9 and 12-19 do not recite nor impart any further limitation(s) that would bring the invention in conformance with 35 U.S.C. §101 as patentable subject matter.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-19 are rejected under 35 U.S.C. 103 as being unpatentable over Wood et al. (Publication No.2023/0300112 ) in view of Frascadore et al. (US Publication No. 2014/0331277), hereinafter Frascadore.
As per claim 1, 10 and 11, Wood discloses a method for near-real time inspection of a computing environment for a cybersecurity object, comprising (paragraph [006], “detecting malware on the endpoint based on the aggregate event”): continuously receiving a plurality of event records (paragraph [00182, “ The local security agent may generate an aggregate event by continuously aggregating events of a particular event type in the stream of events”); detecting in the plurality of event records, an event record of a first type (paragraph [00185],“the local security agent may detect the first event type when the first event type corresponds to a certain resource for logging security events, such as Microsoft Event Tracer, or for specific event types within an event stream from such a resource”); parsing the event record of the first (paragraph [0116], “analyze the event stream 814 to identify patterns of event 806 within the event stream 814 useful for identifying unusual or suspicious behavior”); initiating inspection of the resource for a cybersecurity object (paragraphs [0194], “detecting malware on the endpoint based on the aggregate event”); and initiating a mitigation action in the computing environment, in response to detecting the cybersecurity object on the resource (paragraph [0196],“upon detection of malware, the method 1300 may also or instead include remediating the malware on the endpoint. The local security agent running on the endpoint may execute a variety of remediation functions, such as malware scanning, malware identification, malware removal, and the like. The local security agent may also or instead quarantine the endpoint, update security software, or take any other remediation steps”).
While Wood discloses parsing the even record of the first type, Wood does not explicitly disclose, but in an analogues art, Frascadore discloses, parsing to detect resource identifier, wherein the resource identifier corresponds to a resource deployed in the computing environment (paragraph [0072], “the event monitor 510 does receive notification of a newly generated event, then, at block 604, the example resource identifier 512 (FIG. 5) identifies a computing resource( s) ( e.g., the example computing server 104 (FIG. 1)) associated with the event. For example, the resource identifier 512 may parse information in a message from the event monitor 510 to identify one or more computing resources associated with the event. In some examples, the resource identifier 512 queries the inventory builder 502 (FIG. 5) to identify computing resources related to the event-associated computing resources”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Wood with Frascadore. This would have been obvious because one of ordinary skill in the art would have been motivated to identify computing resources associated with events.
As per claim 2 and 12, Frascadore furthermore discloses periodically inspecting each resource of a plurality of resources deployed in the computing environment for the cybersecurity object, based on a list of resource identifiers (paragraph [0072], the resource identifier queries the inventory builder to identify computing resources related to the event-associated computing resources, and the compline tester tests the event associated computing resources). The motivation is similar to the motivation provided in claim 1.
As per claim 3 and 13, Frascadore furthermore discloses determining that the resource corresponding to the resource identifier was not inspected in a previous inspection period (paragraph [0074], determine the computing resources that have not been assessed within a threshold duration). The motivation is to inspect the newly added or uninspected resources within the computing system.
As per claim 4 and 14, Frascadore further comprising: initiating inspection of the resource further based on a determination that the resource was not previously inspected (paragraph [0074], “test compliant of the computing resource”). The motivation is to detect security issues of the new or uninspected resources.
As per claim 5 and 15, Frascadore furthermore discloses adding the resource identifier to the list of resource identifiers (paragraph [0056], “register the computing resources”). The motivation is similar to the motivation provided in claim 1.
As per claim 6, and 16, Wood furthermore discloses initiating inspection of a second resource in response to detecting the cybersecurity object on the resource (paragraph [0152], searching for the malware event on one or more other endpoints [second resource] coupled to the enterprise network based on a pattern of event in the filtered event stream”), wherein the event record includes an identifier of the second resource (paragraph [0184], “ Each event in the stream of events may include one or more event fields, such as an event time, a server process identifier, a server thread identifier, a processor number, resource utilization data, and an event type”).
As per claim 7 and 17, Wood furthermore discloses continuously receiving event records from a first source (paragraph [0005], continuously aggregating subsequent event of the first event type, paragraph [0009], events from plurality (first) of compute instances [0185], first event type); and periodically receiving event records from a second source (paragraph [paragraph [0009], events from plurality (second) of compute instances [0191]-[0192], a new event is received which may be periodically polled).
As per claim 8 and 18, Wood furthermore discloses detecting in the plurality of event records an event record of a second type (paragraph [0191], “event of the second type occurs”, paragraph [0185], event of the first type detected, the event of the second type occurs after event of the first type ); and initiating inspection of the resource only in response to detecting that the event record of the second type occurred after the event record of the first type (paragraph [0194], detecting the malware on the end point after receiving event record of the second type).
As per claim 9 and 19, Wood furthermore discloses initiating inspection of the resource for a second cybersecurity object; and determining that the resource includes a cybersecurity risk, based on detecting the cybersecurity object and the second cybersecurity object(paragraph ([0186] and [0195], “an additional detection may also be performed, e.g., based on the initial detection of an event in step 1304, or at any other useful time during the method 1300. This approach advantageously permits a concurrent use of initial detections based on specific events and subsequent detections based on aggregated events”).
References Cited, Not Used
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Akiyama et al. (US Publication No.2012/0210158) discloses, an anomaly detection mechanism is provided that detects an anomaly in a control network, and includes an identifying unit to receive event information on an event that occurs, and to identify a group including a resource related to the event information by referring to a configuration management database for retaining dependence relationships between processes and resources including a control system; a policy storing unit to store one or more policies each of which associates one or more actions with a condition defining a situation suspected to have an anomaly; an adding unit to acquire group-related information needed for application to the one or more policies, and to add the acquired information to the event information; and a determining unit to apply the event information to the one or more policies and to determine the one or more actions associated with the matched condition as one or more actions to be taken.
Cho et al. (US Publication No.2017/0206619) discloses, a mechanism capable of assigning at least one index (ID) to violation abuse resources, violation association information, and violation information by taking into consideration organic relationships between the violation abuse resources, the violation association information, and the violation information when the generated violation abuse resources, the violation association information, and the violation information are collected through an external violation sharing channel or when they are collected or queried and of managing the generated violation abuse resources, the violation association information, and the violation information.
Conclusion
THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Ali Abyaneh whose telephone number is (571) 272-7961. The examiner can normally be reached on Monday-Friday from (8:00-5:00). If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Alexander Lagor can be reached on (571) 270-5143. The fax phone numbers for the organization where this application or proceeding is assigned as (571) 273-8300 Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
/ALI S ABYANEH/Primary Examiner, Art Unit 2437