DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 1-20 are presented for examination.
Priority
The claim for priority from US Provisional 63/582,928 filed on 15 September 2023 is duly noted.
Drawings
The drawings are objected to as failing to comply with 37 CFR 1.84(p)(5) because they include the following reference character(s) not mentioned in the description: 200 (Figure 2); 400 (Figure 4).
Corrected drawing sheets in compliance with 37 CFR 1.121(d), or amendment to the specification to add the reference character(s) in the description in compliance with 37 CFR 1.121(b) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be notified and informed of any required corrective action in the next Office action. The objection to the drawings will not be held in abeyance.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-4, 7-11, 14-18, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Myneni et al. (US 2021/0182388 A1, hereinafter Myneni) in view of Larson et al. (US 2018/0189517 A1, hereinafter Larson).
As to claims 1 and 15, Myneni discloses a system and method for corrective action on malware intrusion detection using file introspection, the system and method having:
receiving an analysis request based on a suspicious activity alert (event processing component monitors file events upon detecting alert) (0021, lines 5-8);
extracting, responsive to receiving the analysis request and based on the suspicious activity alert, key details from process data associated with the suspicious activity alert (after monitoring event processing component uses file events and alert metadata to generate event correlated data) (0021, lines 7-10);
identifying telemetry data during a predefined period prior to and after the suspicious activity alert (network introspection provides the ability to filter TCP network packets at different stages during the lifetime of a TCP connection at the network stack) (0080, lines 1-4, 7-9);
retrieving contextual data (name of file and/or type of attack) and organizational data (username) associated with the process data (0114, lines 6-8);
generating a prompt based on at least the telemetry data, the contextual data, and the organizational data (event processing component correlates the file event and alert to identify options, and outputs a corrective action alert with a set of options including at least one recommended action) (0103, lines 3-6).
Myneni fails to specifically disclose:
receiving an analysis report, wherein the analysis report identifies, based on the prompt, potential threats and remediation steps.
Nonetheless, this feature is well known in the art and would have been an obvious modification of the teachings disclosed by Myneni, as taught by Larson.
Larson discloses a system and method for intelligence and analysis driven security and compliance recommendations, the system and method having:
receiving an analysis report (analysis results), wherein the analysis report identifies, based on the prompt, potential threats and remediation steps (information not being protected, implementation of a policy to protect the financial data) (0049, lines 18-22, 25-29, 34-36; 0054, lines 9-12, 14-21).
Given the teaching of Larson, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teachings of Myneni with the teachings of Larson by identifying potential threats and remediation steps. Larson recites motivation by disclosing that providing an administrator or user with a dashboard view of potential threats and remediation steps allows for the quick creation and management of data and security policies, therefore providing customized protection (0049). It is obvious that the teachings of Larson would have improved the teachings of Myneni by identifying potential threats and remediation steps in order to provide customized protection.
As to claim 8, Myneni discloses:
a memory comprising instructions (0135, lines 2-5);
a processor configured to execute the instructions which, when executed, cause the processor to (0135, lines 2-5):
receive an analysis request based on a suspicious activity alert (0021, lines 5-8);
extract, responsive to receiving the analysis request and based on the suspicious activity alert, key details from process data associated with the suspicious activity alert (0021, lines 7-10);
identify telemetry data during a predefined period prior to and after the suspicious activity alert (0080, lines 1-4, 7-9);
retrieve contextual data and organizational data associated with the process data (0114, lines 6-8);
generate a prompt based on at least the telemetry data, the contextual data, and the organizational data (0103, lines 3-6).
Myneni fails to specifically disclose:
receiving an analysis report, wherein the analysis report identifies, based on the prompt, potential threats and remediation steps.
Nonetheless, this feature is well known in the art and would have been an obvious modification of the teachings disclosed by Myneni, as taught by Larson.
Larson discloses:
receiving an analysis report (analysis results), wherein the analysis report identifies, based on the prompt, potential threats and remediation steps (information not being protected, implementation of a policy to protect the financial data) (0049, lines 18-22, 25-29, 34-36; 0054, lines 9-12, 14-21).
Given the teaching of Larson, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teachings of Myneni with the teachings of Larson by identifying potential threats and remediation steps. Please refer to the motivation recited above with respect to claims 1 and 15 as to why it is obvious to apply the teachings of Larson to the teachings of Myneni.
As to claims 2, 9, and 16, Myneni discloses:
wherein generating the prompt is based on derived context and guidance of at least the telemetry data, the contextual data, and the organizational data (0103, lines 3-6).
As to claims 3, 10, and 17, Myneni discloses:
wherein the key details comprise one of process IDs, code signing information, users, and command line arguments for each process associated with the suspicious activity alert (0114, lines 6-8).
As to claims 4, 11, and 18, Myneni discloses:
wherein identifying the telemetry data comprises focusing on relevant factors comprising one of related processes, users, and network activity (0080, lines 1-4, 7-9).
As to claims 7, 14, and 20, Myneni discloses:
the user message is dynamically generated based on a detected event that triggers the suspicious activity alert (0103, lines 3-6).
Myneni fails to specifically disclose:
wherein the prompt comprises a system message and a user message, wherein the system message is static and the user message is dynamically generated.
Nonetheless, this feature is well known in the art and would have been an obvious modification of the teachings disclosed by Myneni, as taught by Larson.
Larson discloses:
wherein the prompt comprises a system message and a user message, wherein the system message is static and the user message is dynamically generated (0049, lines 18-22, 25-29, 34-36; 0054, lines 9-12, 14-21).
Given the teaching of Larson, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teachings of Myneni with the teachings of Larson by using a static system message and a dynamic user message. Please refer to the motivation recited above with respect to claims 1 and 15 as to why it is obvious to apply the teachings of Larson to the teachings of Myneni.
Claims 5, 6, 12, 13, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Myneni in view of Larson as applied to claims 1, 8, and 15 above, and further in view of Loomis et al. (US 2016/0149948 A1, hereinafter Loomis).
As to claims 5, 12, and 19, Myneni in view of Larson fails to specifically disclose:
searching a threat feed service to retrieve related information associated with the process data.
Nonetheless, this feature is well known in the art and would have been an obvious modification of the teachings disclosed by Myneni in view of Larson, as taught by Loomis.
Loomis discloses a system and method for automated cyber threat mitigation coordinator, the system and method having:
searching a threat feed service to retrieve related information associated with the process data (0020, lines 9-14).
Given the teaching of Loomis, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teachings of Myneni in view of Larson with the teachings of Loomis by searching a threat feed service to retrieve related information. Loomis recites motivation by disclosing that searching an incoming feed aids in determining a threat, providing security to a system (0020-0022). It is obvious that the teachings of Loomis would have improved the teachings of Myneni in view of Larson by searching an incoming feed in order to determine a threat and provide security to a system.
As to claims 6 and 13, Myneni in view of Larson fails to specifically disclose:
wherein the related information comprises one of security research and malware tactics, techniques, and procedures.
Nonetheless, this feature is well known in the art and would have been an obvious modification of the teachings disclosed by Myneni in view of Larson, as taught by Loomis.
Loomis discloses:
wherein the related information comprises one of security research and malware tactics, techniques, and procedures (0020, lines 9-14).
Given the teaching of Loomis, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teachings of Myneni in view of Larson with the teachings of Loomis by searching on the MD5 hash, URL or IP address. Please refer to the motivation recited above with respect to claims 5, 12, and 19 as to why it is obvious to apply the teachings of Loomis to the teachings of Myneni in view of Larson.
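The claim elements paraphrased above (claims 1 and 15: key-detail extraction, a telemetry window around the alert, contextual and organizational data, prompt generation and receipt of an analysis report; claims 3, 10 and 17: PIDs, code signing, users and command lines; claims 5, 6, 12, 13 and 19: a threat feed lookup; claims 7, 14 and 20: a static system message and a dynamic user message) describe one pipeline. The following is an added illustration of that pipeline written for this page; it is not the applicant's code and is not taken from Myneni, Larson or Loomis. The alert, process table, telemetry events, directory entries and threat feed entries are constructed sample data, the ten-minute window, the JSON prompt layout and the "threats"/"remediation_steps" report format are assumptions, and the in-memory dictionary stands in for a real threat feed service.

```python
"""Alert-triage prompt pipeline: an added illustration of the claim elements
paraphrased in this action. All inputs below are constructed sample data."""
from datetime import datetime, timedelta
import json

T0 = datetime(2024, 1, 15, 10, 0, 0)            # constructed alert time
ALERT = {"id": "A-1", "time": T0, "host": "ws-042", "pid": 4312,
         "rule": "Suspicious encoded PowerShell"}
PROCESSES = {                                    # constructed process data
    4312: {"ppid": 1200, "user": "jdoe", "image": "powershell.exe", "signed": True,
           "cmdline": "powershell -enc SQBFAFgA...", "sha256": "aa11" * 16},
    1200: {"ppid": 800, "user": "jdoe", "image": "winword.exe", "signed": True,
           "cmdline": "WINWORD.EXE /n invoice.docm", "sha256": "bb22" * 16},
}
TELEMETRY = [                                    # (time, kind, pid, detail)
    (T0 - timedelta(minutes=9), "file", 1200, "open invoice.docm"),
    (T0 - timedelta(minutes=2), "process", 1200, "spawn powershell.exe"),
    (T0 + timedelta(seconds=30), "network", 4312, "203.0.113.7:443"),
    (T0 + timedelta(minutes=3), "file", 4312, "write C:\\Users\\jdoe\\up.exe"),
    (T0 + timedelta(hours=2), "process", 5000, "spawn notepad.exe"),  # out of window
]
ORG_DIRECTORY = {"jdoe": {"department": "Finance", "role": "AP clerk", "admin": False}}
THREAT_FEED = {  # local stand-in for a threat feed service, keyed by hash/IP/URL
    "203.0.113.7": {"verdict": "malicious", "ttp": "T1105 Ingress Tool Transfer",
                    "research": "constructed note: commodity loader C2"},
}
SYSTEM_MESSAGE = ("You are a SOC analyst assistant. Using the supplied process, "
                  "telemetry, contextual and organizational data, return JSON "
                  "with keys 'threats' and 'remediation_steps'.")  # static part


def process_chain(pid, processes):
    """Walk parent pointers from the alerting process up to the root we know of."""
    chain = []
    while pid in processes:
        chain.append(pid)
        pid = processes[pid]["ppid"]
    return chain

def extract_key_details(alert, processes):
    """Key details: PID, user, code-signing state and command line per process."""
    return [{"pid": pid, "user": processes[pid]["user"], "signed": processes[pid]["signed"],
             "cmdline": processes[pid]["cmdline"], "sha256": processes[pid]["sha256"]}
            for pid in process_chain(alert["pid"], processes)]

def telemetry_window(alert, telemetry, pids, before=timedelta(minutes=10),
                     after=timedelta(minutes=10)):
    """Events of related processes within a predefined period around the alert."""
    lo, hi = alert["time"] - before, alert["time"] + after
    return [e for e in telemetry if lo <= e[0] <= hi and e[2] in pids]

def retrieve_context(alert, key_details, directory):
    """Contextual data (rule, host, unsigned code) and organizational data (users)."""
    contextual = {"rule": alert["rule"], "host": alert["host"],
                  "unsigned_pids": [d["pid"] for d in key_details if not d["signed"]]}
    organizational = {u: directory.get(u, {"department": "unknown"})
                      for u in sorted({d["user"] for d in key_details})}
    return contextual, organizational

def search_threat_feed(key_details, window, feed):
    """Look up file hashes and network destinations seen in the window."""
    indicators = [d["sha256"] for d in key_details]
    indicators += [e[3].rsplit(":", 1)[0] for e in window if e[1] == "network"]
    return {i: feed[i] for i in indicators if i in feed}

def build_prompt(alert, key_details, window, contextual, organizational, intel):
    """Static system message plus a user message generated from this event."""
    user = {"alert": {"id": alert["id"], "time": alert["time"].isoformat(),
                      "rule": alert["rule"]},
            "processes": key_details, "contextual": contextual,
            "telemetry": [(t.isoformat(), k, p, d) for t, k, p, d in window],
            "organizational": organizational, "threat_intel": intel}
    return {"system": SYSTEM_MESSAGE, "user": user}

def parse_analysis_report(report_text):
    """Accept a model's report only if both required sections are present lists."""
    report = json.loads(report_text)
    if not (isinstance(report.get("threats"), list)
            and isinstance(report.get("remediation_steps"), list)):
        raise ValueError("report lacks 'threats' or 'remediation_steps'")
    return report

def triage(alert=ALERT, processes=PROCESSES, telemetry=TELEMETRY,
           directory=ORG_DIRECTORY, feed=THREAT_FEED):
    """Run the pipeline and return the prompt ready for the analysis request."""
    details = extract_key_details(alert, processes)
    window = telemetry_window(alert, telemetry, {d["pid"] for d in details})
    contextual, organizational = retrieve_context(alert, details, directory)
    intel = search_threat_feed(details, window, feed)
    return build_prompt(alert, details, window, contextual, organizational, intel)

if __name__ == "__main__":
    print(json.dumps(triage(), indent=2))
```

The user message is rebuilt from the event for each alert while the system message never changes, which is the static/dynamic split the rejection of claims 7, 14 and 20 turns on; the window filter keeps only events of processes in the alert's parent chain, so unrelated activity two hours later is dropped, and `parse_analysis_report` refuses a report that omits either required section rather than passing an incomplete answer to an analyst.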
Prior Art Made of Record
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Augé et al. (US 2025/0310357 A1) discloses a system and method for knowledge graph representation for scalable joint threat hunting, detection, and forensics for cloud applications.
Heinemeyer et al. (WO 2021/171090 A1) discloses a system and method for artificial intelligence adversary red team.
Kim et al. (KR 102097305 B1) discloses a system and method for network security monitoring.
Kumar et al. (AU 2022401895 A1) discloses a system and method for telemetry data based event occurrence analysis with adaptive rule filter.
Kumar et al. (US 2023/0138805 A1) discloses a system and method for telemetry data based event occurrence analysis with rule engine.
Sethi et al. (US 2025/0023918 A1) discloses a system and method for smart recommendation and dynamic grouping of devices for a better device management.
Spurlock et al. (US 2024/0007491 A1) discloses a system and method for identity control.
Sundararajan et al. (US 2021/0126927 A1) discloses a system and method for virtual switch-based threat defense for networks with multiple virtual network functions.
Valeyre et al. (US 2025/0392575 A1) discloses a system and method for dynamic routing modification.
Xu et al. (US 2024/0330505 A1) discloses a system and method for trusted third party audit of personal information deletion.
Yongsig et al. (KR 102426889 B1) discloses a system and method for analyzing and processing data by log type for large-capacity event log.
Zhang et al. (CN 120378146 A) discloses a system and method for network security risk evaluation.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SARAH SU whose telephone number is (571)270-3835. The examiner can normally be reached 6:30 AM - 3:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Lynn Feild, can be reached at 571-272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/SARAH SU/Primary Examiner, Art Unit 2431