DETAILED ACTION
Claim Status
Claims 2 and 7-10 have been cancelled. New claims 13-15 have been added. Claims 1, 3-6, and 11-15 are pending in the application.
Applicant’s amendment overcomes the 101 (Abstract idea) rejection by adding additional elements that integrate the judicial exception into a practical application.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1, 3 and 11-12 are rejected under 35 U.S.C. 103 as being unpatentable over Siadati (US 20180124082 A1) in view of Lomonaco (US 20210064759 A1), and in view of Crabtree (US 20240163261 A1).
Regarding claim 1, Siadati teaches a network monitoring device comprising:
a memory storing instructions; and at least one processor configured to execute the instructions to: (Fig. 1. Fig. 2. Fig. 9: processors 910 and storage devices 920)
collect an authentication history of access to a management function of a network device to be monitored; (Fig. 1 and Fig. 2. [0086]: compares the login events with history of logins (e.g., logins in the past three month) to spot the login changes. [0110]: The role of the example pattern miner component is to mine logins and extract login patterns. Inputs of this component are the history of all logins of an interval (for example, spanning a few months in the past) and the attributes of both users and computers during the given time interval.)
calculate statistical value information about the authentication history; and ([0023]: employed credential usages for detecting misbehaving computers based on an unsupervised clustering approach. They used features such as the number of successful and failed logins, as well as statistics about administrator logins for detection.)
display the authentication history when the abnormality is detected. ([0029]: render a display providing a visualization of the login patterns based on the tracked logins; and receive a user input, in association with the visualization display rendered, which defines at least one of the login patterns as either (A) benign, or (B) malicious. [0085]: The login information for each day are processed to generate a summary of the number of logins per-day. The login data is also aggregated with computer and user information.)
Siadati does not explicitly disclose the statistical value information including a transition of a number of successes and a number of failures of authentication in the network device for each predetermined period; display a graph showing a number of times of authentication per predetermined period divided into the number of successes and the number of failures in time series based on the statistical value information.
However, Lomonaco teaches the statistical value information including a transition of a number of successes and a number of failures of authentication in the network device for each predetermined period; display a graph showing a number of times of authentication per predetermined period divided into the number of successes and the number of failures in time series based on the statistical value information. (Fig. 16 and Fig. 17. [0142]-[0143]: FIG. 16, another example user activity interface 1600 including user activity information from the previous 30 days is shown. As displayed, graph 624 may show a number of successful logins, unsuccessful logins, and locked out accounts for each day of the last 30 days. FIG. 17, an example user login graph interface 1700 is shown. The administrator may view data associated with any of successful logins, unsuccessful logins, and/or locked out accounts.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include the above limitation in Siadati. One would have been motivated to do so because it is desirable to have a method for automatically detecting and mitigating risks related to cybersecurity in a Building Management System (BMS). The invention includes presenting, on the user interface, a graph of user activity within the BMS over a period of time. The graph shows at least one selected from a group of a number of successful logins; a number of unsuccessful logins; and a number of locked out accounts. As taught by Lomonaco, [0003]-[0008].
Siadati and Lomonaco do not explicitly disclose detect an abnormality in a case in which any one of following conditions is satisfied: the number of successes or the number of failures of authentication rapidly changes.
However, Crabtree teaches detect an abnormality in a case in which any one of following conditions is satisfied: the number of successes or the number of failures of authentication rapidly changes. ([0214]: Monitoring the packet capture can reveal abnormal traffic patterns, such as a sudden increase in RADIUS requests or a high rate of failed authentication attempts, indicating a potential brute-force or dictionary attack.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include the above limitation in Siadati and Lomonaco. One would have been motivated to do so because monitoring the packet capture can reveal abnormal traffic patterns, such as a sudden increase in RADIUS requests or a high rate of failed authentication attempts, indicating a potential brute-force or dictionary attack. As taught by Crabtree, [0214].
Regarding claim 3, Siadati, Lomonaco and Crabtree teach the network monitoring device according to claim 1.
Siadati teaches wherein the at least one first processor is further configured to execute the instructions to: create a list of authentication information about the authentication history in a predetermined period; and display the list together with the statistical value information. (Fig. 5. Fig. 6A-6C. [0110] and [0023]. [0071]: generate a list of alerts (i.e., suspicious logins).)
Same rationale applies to the rejection of claim 11 (method) and claim 12 (recording medium) because they are substantially similar to claim 1 (device).
Claim(s) 4 is rejected under 35 U.S.C. 103 as being unpatentable over Siadati (US 20180124082 A1) in view of Lomonaco (US 20210064759 A1), and in view of Crabtree (US 20240163261 A1), and further in view of Tamura (US 20070055975 A1).
Regarding claim 4, Siadati, Lomonaco and Crabtree teach the network monitoring device according to claim 3.
Siadati teaches wherein the at least one first processor is further configured to execute the instructions to: create a list by arranging pieces of the authentication information. (Fig. 5. Fig. 6A-6C. [0081]: The list of alerts is presented in tabular format.)
Siadati, Lomonaco and Crabtree do not explicitly disclose create a list by arranging pieces of the authentication information in order of authentication time.
However, Tamura teaches create a list by arranging pieces of the authentication information in order of authentication time. ([0080]: selects output information associated with the login user sorted in descending order of used date in step S802 in turn from a record with the latest used date as a record of interest.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include the above limitation in Siadati, Lomonaco and Crabtree. One would have been motivated to do so because it is common practice to sort authentication records by date/time, which helps a user identify data or patterns of interest efficiently.
Claim(s) 5 is rejected under 35 U.S.C. 103 as being unpatentable over Siadati (US 20180124082 A1) in view of Lomonaco (US 20210064759 A1), and in view of Crabtree (US 20240163261 A1), and further in view of Chiu (US 20170099306 A1).
Regarding claim 5, Siadati, Lomonaco and Crabtree teach the network monitoring device according to claim 3.
Siadati teaches create a list of authentication histories. (Fig. 5. Fig. 6A-6C. [0081]: The list of alerts is presented in tabular format.)
Siadati, Lomonaco and Crabtree do not explicitly disclose wherein the at least one first processor is further configured to execute the instructions to: in a case where access to a specific network device is scheduled, create a list of authentication histories associated with the scheduled access.
However, Chiu teaches in a case where access to a specific network device is scheduled, create a list of authentication histories associated with the scheduled access. ([0035]: FIG. 4, the schedule definition rules indicate the time when the critical assets are normally accessed. Access to the critical assets outside their normal access times may be deemed to be abnormal. For example, a server that has been designated a critical asset may have an indicated normal access time in the rules of between 00:00 hours and 05:00 hours Monday through Friday. Access to that server outside its normal access time (e.g., access to the server at 08:00 hours) may be deemed to be abnormal.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include the above limitation in Siadati, Lomonaco and Crabtree. One would have been motivated to do so because it is desirable to define schedule definition rules that indicate the time when the critical assets are normally accessed; access to the critical assets outside their normal access times may be deemed to be abnormal. As taught by Chiu, [0035].
Claim(s) 6 is rejected under 35 U.S.C. 103 as being unpatentable over Siadati (US 20180124082 A1) in view of Lomonaco (US 20210064759 A1), and in view of Crabtree (US 20240163261 A1), and further in view of Bertiger (US 20230053182 A1).
Regarding claim 6, Siadati, Lomonaco and Crabtree teach the network monitoring device according to claim 1.
Siadati teaches wherein the at least one first processor is further configured to execute the instructions to: detect the abnormality in a case where the abnormality is found in the statistical value information. ([0026]: to detect malicious logins (such as those used in CLM attacks) within a private network. [0027]: classify logins within a private network as benign or malicious by (a) receiving login patterns within a private network, wherein each login pattern includes one or more attributes of each of (i) a user uniquely associated with the login, (ii) a source computer uniquely associated with the login, and (iii) a destination computer uniquely associated with the login, and wherein each login pattern is characterized as one of (A) a normal login pattern, (B) a benign login pattern, or (C) a malicious login pattern; (b) receiving a new login; and (c) classifying the new login as benign or malicious using the login patterns for the private network.)
Siadati, Lomonaco and Crabtree do not explicitly disclose warn an administrator in a case where the abnormality is detected.
However, Bertiger teaches warn an administrator in a case where the abnormality is detected. ([0022]-[0024]: The threat mitigation component may, for instance, notify a system administrator or security analyst of the anomaly, e.g., by sending a push notification via email, text, or some other messaging system, or by listing the access event in an anomaly or security-alert log that can be accessed by the system administrator or security analyst via an administrator console or similar user interface.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include the above limitation in Siadati, Lomonaco and Crabtree. One would have been motivated to do so because it is desirable to take action when an anomaly is detected, such as notifying a system administrator. As taught by Bertiger, [0022]-[0024].
Claim(s) 13 is rejected under 35 U.S.C. 103 as being unpatentable over Siadati (US 20180124082 A1) in view of Lomonaco (US 20210064759 A1), and in view of Crabtree (US 20240163261 A1), and further in view of Rouby (US 20220414210 A1).
Regarding claim 13, Siadati, Lomonaco and Crabtree teach the network monitoring device according to claim 3.
Siadati, Lomonaco and Crabtree do not explicitly disclose highlight authentication histories in which abnormalities are detected among the authentication histories included in the displayed list.
However, Rouby teaches highlight authentication histories in which abnormalities are detected among the authentication histories included in the displayed list. ([0015]: utilize a visualization approach that represents, in graphical form, the user behavior and interactions with the system in order to highlight risky access attempts within the context of the users and the system.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include the above limitation in Siadati, Lomonaco and Crabtree. One would have been motivated to do so because it is desirable to utilize a visualization approach that represents, in graphical form, the user behavior and interactions with the system in order to highlight risky access attempts within the context of the users and the system. This approach may reduce the amount of time needed to diagnose the behavior and provide administrators with the ability to intuitively understand the patterns in the access and comprehend the nature and scope of the behavior of the malicious users. As taught by Rouby, [0015].
Claim(s) 14-15 are rejected under 35 U.S.C. 103 as being unpatentable over Siadati (US 20180124082 A1) in view of Lomonaco (US 20210064759 A1), and in view of Crabtree (US 20240163261 A1), and further in view of Sodja (US 20210185084 A1).
Regarding claim 14, Siadati, Lomonaco and Crabtree teach the network monitoring device according to claim 3.
Siadati, Lomonaco and Crabtree do not explicitly disclose collect the authentication histories from the plurality of the network devices; and calculate a statistical value obtained by adding the authentication histories from the plurality of the network devices as the statistical value information.
However, Sodja teaches collect the authentication histories from the plurality of the network devices; and (Fig. 1. [0021]: detection of anomalous activity indicating a brute force attack causes programmatic reconfiguration of network security devices such as firewalls, proxies, routers, switches, or other network devices to mitigate the brute force attack. [0060]: one or more time series relating to a single device or across multiple devices.)
calculate a statistical value obtained by adding the authentication histories from the plurality of the network devices as the statistical value information. (Fig. 2A. [0039]: a number of days devices of a network experienced a brute force attack. Large counts of failed logins are often associated with brute force attacks. [0055]-[0060]: a time series indicating counts of unsuccessful logins, and a separate time series indicating counts of successful logins. Some embodiments include one or more time series relating to across multiple devices.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include the above limitation in Siadati, Lomonaco and Crabtree. One would have been motivated to do so because brute force attacks represent a technical problem in that they can be difficult to detect while generating a manageable number of false positives. It is desirable to combine a plurality of anomaly indications generated by a corresponding plurality of mixture models via a combination process to generate a combined indicator of anomaly; based on that indication of anomaly, a likelihood of a brute force attack on the network is determined. As taught by Sodja, [0126]-[0127].
Regarding claim 15, Siadati, Lomonaco, Crabtree and Sodja teach the network monitoring device according to claim 14.
Siadati teaches display the list together with the statistical value information. (Fig. 5. Fig. 6A-6C. [0110] and [0023]. [0071]: generate a list of alerts (i.e., suspicious logins).)
Sodja teaches display the statistical value information. (Fig. 2A, 2B, 3)
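The claimed statistical-value computation (successes and failures of authentication per predetermined period with detection of a rapid change, claim 1) and the summing of authentication histories across a plurality of network devices (claim 14), worked through as an added example. This code is not part of the Office action or of any cited reference; the log lines, device names, hourly period and the change thresholds are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample authentication history (not from the Office action):
# "<ISO timestamp> <device> <user> <success|failure>"
SAMPLE_LOG = [
    "2024-05-01T08:02:11 rtr-1 admin success",
    "2024-05-01T08:15:40 rtr-2 ops success",
    "2024-05-01T09:03:05 rtr-1 admin success",
    "2024-05-01T09:20:19 rtr-2 ops failure",
    "2024-05-01T11:05:00 rtr-1 admin success",
]
# A burst of failed logins at 10:00 spread across the two devices.
SAMPLE_LOG += [f"2024-05-01T10:00:{i:02d} rtr-1 admin failure" for i in range(4)]
SAMPLE_LOG += [f"2024-05-01T10:01:{i:02d} rtr-2 admin failure" for i in range(3)]


def parse_history(lines):
    """Parse log lines into records sorted by authentication time."""
    records = []
    for line in lines:
        ts, device, user, outcome = line.split()
        records.append({"time": datetime.fromisoformat(ts), "device": device,
                        "user": user, "outcome": outcome})
    return sorted(records, key=lambda r: r["time"])


def period_counts(records, devices=None):
    """Successes/failures per hourly period. devices=None sums the histories
    of all devices (the claim 14 aggregation); otherwise only the named
    devices are counted."""
    counts = defaultdict(Counter)
    for r in records:
        if devices is None or r["device"] in devices:
            counts[r["time"].strftime("%Y-%m-%dT%H")][r["outcome"]] += 1
    return {p: dict(counts[p]) for p in sorted(counts)}


def detect_rapid_change(counts, factor=3, floor=5):
    """Flag a period when its success or failure count rises or falls by at
    least `factor` relative to the previous period and the larger of the two
    counts is at least `floor` (so 0 -> 1 changes are not flagged)."""
    alerts = []
    periods = sorted(counts)
    for prev, cur in zip(periods, periods[1:]):
        for outcome in ("success", "failure"):
            a = counts[prev].get(outcome, 0)
            b = counts[cur].get(outcome, 0)
            hi, lo = max(a, b), min(a, b)
            if hi >= floor and hi >= factor * max(lo, 1):
                alerts.append((cur, outcome, a, b))
    return alerts


if __name__ == "__main__":
    history = parse_history(SAMPLE_LOG)
    combined = period_counts(history)
    for period, c in combined.items():
        print(period, c)  # the time series that would be graphed
    for dev in ("rtr-1", "rtr-2"):
        print(dev, detect_rapid_change(period_counts(history, {dev})))
    print("combined", detect_rapid_change(combined))
```

In the sample data neither device alone reaches the floor, while the summed history does, which is the point of the claim 14 aggregation.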
Response to Arguments
Applicant's arguments, see pages 12-14, filed 02/06/2026, with respect to the rejection(s) of claims 1-12 under 35 U.S.C. § 102 and 35 U.S.C. § 103 have been fully considered but are moot in view of new ground(s) of rejection.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZI YE whose telephone number is (571)270-1039. The examiner can normally be reached Monday - Friday, 8:00am - 4:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Emmanuel Moise can be reached at 5712723865. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/ZI YE/Primary Examiner, Art Unit 2455