DETAILED ACTION
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
This Office Action is in response to the communication filed on 9/11/2024.
Claims 1-20 are pending for consideration.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Specification
The lengthy specification has not been checked to the extent necessary to determine the presence of all possible minor errors. Applicant’s cooperation is requested in correcting any errors of which applicant may become aware in the specification.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 2/13/2025 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The filing of a terminal disclaimer by itself is not a complete reply to a nonstatutory double patenting (NSDP) rejection. A complete reply requires that the terminal disclaimer be accompanied by a reply requesting reconsideration of the prior Office action. Even where the NSDP rejection is provisional the reply must be complete. See MPEP § 804, subsection I.B.1. For a reply to a non-final Office action, see 37 CFR 1.111(a). For a reply to final Office action, see 37 CFR 1.113(c). A request for reconsideration while not provided for in 37 CFR 1.113(c) may be filed after final for consideration. See MPEP §§ 706.07(e) and 714.13.
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The actual filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/apply/applying-online/eterminal-disclaimer.
Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of U.S. Patent No. 12,124,577. Although the claims at issue are not identical, they are not patentably distinct from each other because both applications disclose the detection and alerting on malicious queries that are directed towards a data store. (See Claims Comparison Table)
Instant Application 18882129
Patent Application 12124577
Claim 1:
A computing system that detects malicious queries directed towards a data store, said computing system comprising: one or more processors; and one or more hardware storage devices that store instructions that are executable by the one or more processors to cause the computing system to: access syntax metrics for a query directed towards a data store, wherein the syntax metrics include a complexity measure of the query; predict a maliciousness of the query based on the syntax metrics, wherein predicting the maliciousness is based on a code density between a number of commands and a number of parameters in the query; and based on the maliciousness, alert a computing entity associated with the data store.
Claim 1:
A computing system that detects malicious queries directed towards a data store, said computing system comprising: one or more processors; and one or more hardware storage devices that store instructions that are executable by the one or more processors to cause the computing system to: access one or more syntax metrics of a query directed towards a data store, wherein the one or more syntax metrics include a complexity measure of the query, the complexity measure defining a complexity of the query as a function of a number of commands and a number of parameters in the query; feed the one or more syntax metrics into a model that is configured to predict maliciousness of the query based on the one or more syntax metrics, wherein predicting the maliciousness based on the one or more syntax metrics includes predicting the maliciousness based on a code density between the number of commands and the number of parameters in the query; access an output of the model, the output representing a predicted maliciousness of the query; and based on the output of the model representing the predicted maliciousness, alert a computing entity associated with the data store.
Claim 10:
A method for detecting malicious queries directed towards a data store, said method comprising: accessing syntax metrics for a query directed towards a data store, wherein the syntax metrics include a complexity measure of the query; predicting a maliciousness of the query based on the syntax metrics, wherein predicting the maliciousness is based on a code density between a number of commands and a number of parameters in the query; and based on the maliciousness, alerting a computing entity associated with the data store.
Claim 9:
A method for detecting and alerting on malicious queries directed towards a data store, the method comprising: accessing one or more syntax metrics of a query directed towards a data store, wherein the one or more syntax metrics include a complexity measure of the query, the complexity measure defining a complexity of the query as a function of a number of commands and a number of parameters in the query; feeding the one or more syntax metrics into a model that is configured to predict maliciousness of the query based on the one or more syntax metrics, wherein predicting the maliciousness based on the one or more syntax metrics includes predicting the maliciousness based on a code density between the number of commands and the number of parameters in the query; accessing an output of the model, the output representing a predicted maliciousness of the query; and based on the output of the model representing the predicted maliciousness, alerting a computing entity associated with the data store.
Claim 19:
One or more hardware storage devices that store instructions that are executable by one or more processors to cause the one or more processors to: access syntax metrics for a query directed towards a data store, wherein the syntax metrics include a complexity measure of the query; predict a maliciousness of the query based on the syntax metrics, wherein predicting the maliciousness is based on a code density between a number of commands and a number of parameters in the query; and based on the maliciousness, alert a computing entity associated with the data store.
Claim 20:
One or more hardware storage devices that store instructions that are executable by one or more processors to cause the one or more processors to: access one or more syntax metrics of a query directed towards a data store, wherein the one or more syntax metrics include a complexity measure of the query, the complexity measure defining a complexity of the query as a function of a number of commands and a number of parameters in the query; feed the one or more syntax metrics into a model that is configured to predict maliciousness of the query based on the one or more syntax metrics, wherein predicting the maliciousness based on the one or more syntax metrics includes predicting the maliciousness based on a code density between the number of commands and the number of parameters in the query; access an output of the model, the output representing a predicted maliciousness of the query; and based on the output of the model representing the predicted maliciousness, alert a computing entity associated with the data store.
The dependent claims of the instant application recite language similar to the dependent claims of the patent application and are covered by the patent application.
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.
Claims 1-20 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Talmat (US 20220156361) (hereinafter Talmat).
Regarding claim 1, Talmat discloses a computing system that detects malicious queries directed towards a data store (Talmat: paragraph 0010-0013, “The detection and prevention of unauthorized commands is disclosed”), said computing system comprising: one or more processors (Talmat: paragraphs 0008-0013, “The invention can be implemented in numerous ways, including as a process; an apparatus; a system; a composition of matter; a computer program product embodied on a computer readable storage medium; and/or a processor, such as a processor configured to execute instructions stored on and/or provided by a memory coupled to the processor.”); and one or more hardware storage devices that store instructions that are executable by the one or more processors to cause the computing system to: access syntax metrics for a query directed towards a data store, wherein the syntax metrics include a complexity measure of the query (Talmat: paragraphs 0013 and 0016, “an execution tree can be analyzed to identify one or more metrics of a generated command”… “create one or more arguments to pass to the operating system command. In some embodiments, the generated operating system command is parsed to identify one or more metrics. For example, identified metrics can include the number of spawned processes predicted by the generated operating system command and/or the number of arguments for the generated operating system command.”); predict a maliciousness of the query based on the syntax metrics, wherein predicting the maliciousness is based on a code density between a number of commands and a number of parameters in the query (Talmat: paragraphs 0013, 0016 and 0036-0040, “he determined behavior includes predicting one or more metrics of the command. For example, by analyzing the execution tree of a generated operating system command, the number of spawned processes and the number of arguments passed to the command can be predicted. Other metrics can be predicted as well,”… “a generated operating system command with fewer or more predicted processes or input arguments would not match the corresponding behavior definitions and the automation script is invalidated due to an identified security risk. An invalid generated operating system command corresponds to an identified security risk. For example, a command predicted to spawn five processes when the corresponding behavior definition allows for only three processes is a security risk. The additional two extra processes can indicate a command line injection attack.”); and based on the maliciousness, alert a computing entity associated with the data store (Talmat: paragraphs 0013, 0034 and 0046, “The two extra processes exceed the approved number of processes for the command and a security risk is identified. In some embodiments, upon detecting a security risk, the generated operating system command is disallowed from being executed. For example, an operator is notified, and the generated command may be quarantined until an operator has reviewed the suspicious command.”).
Regarding claim 10, the claim 10 discloses a method claim that is substantially equivalent to the system of claim 1. Therefore, the arguments set forth above with respect to claim 1 are equally applicable to claim 10 and rejected for the same reasons.
Regarding claim 19, the claim 19 discloses a storage device claim that is substantially equivalent to the system of claim 1. Therefore, the arguments set forth above with respect to claim 1 are equally applicable to claim 19 and rejected for the same reasons.
Regarding claims 2, 11 and 20, Talmat discloses wherein the complexity measure defines a complexity of the query based on a number of commands in the query (Talmat: paragraphs 0013, 0016 and 0026-0028, “an execution tree can be analyzed to identify one or more metrics of a generated command”… “create one or more arguments to pass to the operating system command. In some embodiments, the generated operating system command is parsed to identify one or more metrics. For example, identified metrics can include the number of spawned processes predicted by the generated operating system command and/or the number of arguments for the generated operating system command.”).
Regarding claims 3 and 12, Talmat discloses wherein the complexity measure defines a complexity of the query based on a number of parameters in the query (Talmat: paragraphs 0013 and 0039, “an abstract syntax tree can be analyzed to identify the number of predicted processes that will be spawned from executing the generated command and/or the number of supplied arguments to the generated command”).
Regarding claims 4 and 13, Talmat discloses wherein predicting the maliciousness of the query is performed by a machine learning model (Talmat: paragraphs 0022 and 0029, “Whereas valid behavior definitions can be used to match and identify authorized commands, invalid behavior definitions can be used to match and identify unauthorized commands. In some embodiments, the dataset is a trained machine learning model.”… “based on the security analysis performed as part of applying an automation plan to input data at 207, behavior definitions associated with generated operating system commands can be updated. In some embodiments, the updated behavior definitions are used to keep the dataset of behavior definitions fresh by expiring older definitions. In some embodiments, the updated dataset is used to train (or retrain) a machine learning model to identify valid behaviors associated with generated operating system commands.”).
Regarding claims 5 and 14, Talmat discloses wherein accessing the syntax metrics includes generating a syntax metric without evaluating unmasked content of the query (Talmat: paragraphs 0032 and 0040-0046, “The execution trees can be analyzed to determine whether the predicted behavior of the generated commands match behavior definitions for valid (or invalid) uses of the corresponding commands. An automation script with valid generated commands is validated whereas an automation script that includes invalid generated commands is not validated. In some embodiments, the generated operating system commands are also sanitized to limited additional potential attacks.”).
Regarding claims 6 and 15, Talmat discloses wherein accessing the syntax metrics includes generating a syntax metric without retaining unmasked content of the query (Talmat: paragraphs 0032-0034 and 0040-0046, “In some embodiments, a timeout or throttling is imposed on any access privileges associated with invalid automation script, for example, until an incident team can address the identified security threat. In some embodiments, the invalid generated operating system commands are dropped from the automation script and corresponding alerts are triggered.”…“The execution trees can be analyzed to determine whether the predicted behavior of the generated commands match behavior definitions for valid (or invalid) uses of the corresponding commands. An automation script with valid generated commands is validated whereas an automation script that includes invalid generated commands is not validated. In some embodiments, the generated operating system commands are also sanitized to limited additional potential attacks.”).
Regarding claims 7 and 16, Talmat discloses wherein the syntax metrics include data generated by a compilation of the query (Talmat: paragraph 0016, “For example, identified metrics can include the number of spawned processes predicted by the generated operating system command and/or the number of arguments for the generated operating system command. The identified one or more metrics are automatically evaluated to determine a security risk associated with the generated operating system command. For example, in the event the number of processes the generated operating system command is predicted to spawn deviates from an approved number of processes, the generated operating system command is flagged as a security risk. As another example, in the event the number of arguments passed into the generated operating system command deviates from the approved number of arguments, the generated operating system command is also flagged as a security risk. In various embodiments, determining the security risk includes determining whether to allow execution of the generated operating system command. For example, in the event the generated operating system command is determined to spawn more processes than it is approved for, the generated operating system command is blocked from being executed. In automatically evaluating the identified one or more metrics, the identified one or more metrics can be compared with one or more historical reference metrics. For example, a valid execution behavior dataset is created to track valid metrics. The valid metrics can include history reference metrics, such as run-time behavior characteristics, of previously approved executions of the same or related operating system commands”).
Regarding claims 8 and 17, Talmat discloses wherein the syntax metrics include a string entropy of all or a portion of the query (Talmat: paragraph 0016, “For example, identified metrics can include the number of spawned processes predicted by the generated operating system command and/or the number of arguments for the generated operating system command. The identified one or more metrics are automatically evaluated to determine a security risk associated with the generated operating system command. For example, in the event the number of processes the generated operating system command is predicted to spawn deviates from an approved number of processes, the generated operating system command is flagged as a security risk. As another example, in the event the number of arguments passed into the generated operating system command deviates from the approved number of arguments, the generated operating system command is also flagged as a security risk. In various embodiments, determining the security risk includes determining whether to allow execution of the generated operating system command. For example, in the event the generated operating system command is determined to spawn more processes than it is approved for, the generated operating system command is blocked from being executed. In automatically evaluating the identified one or more metrics, the identified one or more metrics can be compared with one or more historical reference metrics. For example, a valid execution behavior dataset is created to track valid metrics. The valid metrics can include history reference metrics, such as run-time behavior characteristics, of previously approved executions of the same or related operating system commands”).
Regarding claims 9 and 18, Talmat discloses wherein the query is determined to be a suspicious query when the code density indicates that the number of commands is higher than the number of parameters in the query (Talmat: paragraphs 0013, 0016 and 0040, “The two extra processes exceed the approved number of processes for the command and a security risk is identified. In some embodiments, upon detecting a security risk, the generated operating system command is disallowed from being executed. For example, an operator is notified, and the generated command may be quarantined until an operator has reviewed the suspicious command. In some embodiments, a network session associated with the analyzed automation process with a detected security risk is invalidated. Similarly, an account, email address, IP Address, and/or other user/client property associated with the analyzed automation process with a detected security risk can be disabled. In some embodiments, the execution of the automation is blocked or throttled until an incident team can address the identified security threat.”… “For example, a generated operating system command with fewer or more predicted processes or input arguments would not match the corresponding behavior definitions and the automation script is invalidated due to an identified security risk. An invalid generated operating system command corresponds to an identified security risk. For example, a command predicted to spawn five processes when the corresponding behavior definition allows for only three processes is a security risk. The additional two extra processes can indicate a command line injection attack.”).
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TRANG T DOAN whose telephone number is (571)272-0740. The examiner can normally be reached Monday-Friday 7-4 ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn D Feild can be reached on (571)272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/TRANG T DOAN/Primary Examiner, Art Unit 2431