Prosecution Insights
Last updated: April 19, 2026
Application No. 18/912,009

SYSTEMS AND METHODS OF NETWORK SECURITY ANOMALY DETECTION

Non-Final OA: §101, §103, §112, §DP
Filed: Oct 10, 2024
Examiner: LEE, MICHAEL M
Art Unit: 2436
Tech Center: 2400 — Computer Networks
Assignee: L3Harris Technologies Inc.
OA Round: 1 (Non-Final)
Grant Probability: 84% (Favorable)
OA Rounds: 1-2
To Grant: 3y 0m
With Interview: 99%

Examiner Intelligence

Grants 84% — above average
Career Allow Rate: 84% (217 granted / 259 resolved; +25.8% vs TC avg)
Interview Lift: +44.1% (strong +44% interview lift; resolved cases with interview)
Typical timeline: 3y 0m avg prosecution; 27 currently pending
Career history: 286 total applications across all art units

Statute-Specific Performance

§101: 8.5% (-31.5% vs TC avg)
§103: 48.7% (+8.7% vs TC avg)
§102: 7.7% (-32.3% vs TC avg)
§112: 22.6% (-17.4% vs TC avg)
Based on career data from 259 resolved cases

Office Action

DETAILED ACTION

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

This is a non-final office action in response to applicant’s communication filed on 10/10/2024. Claims 1-24 are pending and being considered.

Priority

The instant application is a continuation of US application 17/545,594 filed on 12/8/2021, now US Patent No. 12,129,550 B2.

Information Disclosure Statement

The information disclosure statement (IDS) submitted on 1/30/2026, has been considered. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, initialed and dated copy of Applicant’s IDS form 1449 filed as stated above is attached to the instant Office Action.

Claim Objections

Claims 2-7, 9-16, 18-24 are objected to because of the following informalities:

Dependent claims are referring to their respective independent claims. Applicant is suggested to recite “The network security anomaly detection system according to Claim …” instead of “A network security anomaly detection system according to Claim …” for claims 2-7; “The method of detecting network security anomalies according to Claim …” instead of “A method of detecting network security anomalies according to Claim …” for claims 9-16; “The non-transitory computer-readable storage medium according to Claim …” instead of “A non-transitory computer-readable storage medium according to Claim …” for claims 18-24.

Claim 5 line 3, “the plurality of models” may read “the plurality of probabilistic models”. Similarly claim 12 line 5; claim 21 line 4.

Claim 15 line 4, “… with ROC curves” may read “… with ROC (Receiver Operating Characteristic) curves”. Similarly claim 23 line 4.

Claim Rejections - 35 USC § 112

The following is a quotation of 35 U.S.C.
112(b):

(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 6, 18-21 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.

Claim 6 recites the limitation "the latent space n-D point scatter plot" in line 4. There is insufficient antecedent basis for this limitation in the claim.

Claim 18 line 2 recites “the processor”. There is insufficient antecedent basis for this limitation in the claim.

Claims 19-21 depend on claim 18, therefore are also rejected for the same reason set forth above.

Double Patenting

The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir.
1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).

A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP §§ 706.02(l)(1) - 706.02(l)(3) for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).

The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.

Claims 1-24 are rejected on the ground of nonstatutory double patenting as being anticipated by the corresponding claims of US Patent No. 12,149,550 B2 (hereinafter “’550”), as seen in the Claim Comparison table below.

Claim Comparison

Instant Application 18/912,009, Claim 8 (similarly claim 1, 17):
A method/A network security anomaly detection system/ A non-transitory computer-readable storage medium, of detecting network security anomalies in a network of interconnected devices, the method comprising the steps of: generating device status information for at least a plurality of the devices in the network; receiving the device status information at a processor in communication with the network; and operating a variational autoencoder on the processor that is configured for receiving the device status information; optimizing the received device status information; and determining or enabling a user to determine whether the device status information qualifies as an anomaly that requires a response.

US Patent No. 12,149,550 B2, Claim 8 (similarly claim 1, 16):
A method/A network security anomaly detection system/ A non-transitory computer-readable storage medium, of detecting network security anomalies in a network of interconnected devices, the method comprising the steps of: generating device status information for at least a plurality of the devices in the network; receiving the device status information at a processor in communication with the network; operating a variational autoencoder on the processor that is configured for receiving the device status information; optimizing the received device status information; and determining or enabling a user to determine whether the device status information qualifies as an anomaly that requires a response; and comparing, via the processor, the optimized device status information to at least one of non-anomalous device status data or anomalous device status data in a latent space of the variational autoencoder, wherein the optimizing step further comprises steps of: generating, via the processor, a plurality of probabilistic models of the device status information; and determining, via the processor, which of the plurality of probabilistic models is optimal, wherein the step of determining which of the plurality of probabilistic models is optimal further comprises steps of: applying a game theoretic optimization to the plurality of probabilistic models; and selecting which of the plurality of probabilistic models to use to generate an n-D point scatter plot in latent space.

Remaining claims (Instant Application 18/912,009 | US Patent No. 12,149,550 B2):
Claim 2, 9, 18 | Claim 1
Claim 3, 10, 19 | Claim 1 and 2
Claim 4, 11, 20 | Claim 3
Claim 5, 12, 21 | Claim 1
Claim 6 | Claim 5
Claim 7, 14, 22 | Claim 6
Claim 15, 23 | Claim 14
Claim 16, 24 | Claim 15

Claim Rejections - 35 USC § 101

35 U.S.C. 101 reads as follows:

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1-24 are rejected under 35 U.S.C. §101 because the claimed invention is directed to an abstract idea without significantly more.

Eligibility Step 2A Prong One: Claim 1, similarly claims 8, 17, recites “receives[ing] device status information”, “optimizes[ing] the device status information”, “determine or enables a user to determine whether …”. These would be interpreted as being analogous to concepts relating to organizing or analyzing information and mathematical concepts in a way that can be performed mentally or human mental work. Accordingly, the claim recites the abstract idea. The limitations of receiving, optimizing, determining, as drafted, is a process that, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of relating to data/information processing by using generic computer components. Nothing in the claim element precludes the steps from practically being performed in the mind. Accordingly, the claim recites an abstract idea.

Eligibility Step 2A Prong Two: Claims 1, 8, 17, recite additional limitations of “network of interconnected devices”, “processor”, “variational autoencoder” to perform the steps of method discussed above.
The limitations of receiving, optimizing, determining, as drafted, is a process that, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components. That is, other than reciting “network of interconnected devices”, “processor”, “variational autoencoder”, nothing in the claim element precludes the steps from practically being performed in the mind. Accordingly, the claims recite an abstract idea.

This judicial exception is not integrated into a practical application because the claim only recites the additional limitations of “generating device status information” for devices in the network, which are merely used as generic and well-known terminologies, and they do not amount to significantly more than the abstract idea. In addition, the claims only recite additional elements – network of interconnected devices, processor, variational autoencoder, to perform the generating/receiving/optimizing/determining steps. Accordingly, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea. Under the broadest reasonable interpretation, the claim merely uses generic computer components to implement the abstract idea.

Eligibility Step 2B: The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional element of using computing system to perform the generating/receiving/optimizing/determining steps amounts to no more than mere instructions to apply the exception using generic computing system. Mere instructions to apply an exception using generic computing machines cannot provide an inventive concept. The claim is not patent eligible.
Dependent claims 2-7, 9-16, 18-24 depend on the rejected independent claims, therefore, are not patent eligible.

Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1-2, 5, 8-9, 12-13, 17-18, 21 are rejected under 35 U.S.C. 103 as being unpatentable over Aydore et al (US11537902B1-IDS, hereinafter, "Aydore"), in view of Trinh et al (US20200379454A1-IDS, hereinafter, “Trinh”).

Regarding claim 8, Aydore teaches:

A method of detecting network security anomalies in a network of interconnected devices (Aydore, discloses systems, devices and methods for detecting anomalous events from categorical data using autoencoders. A system may receive a data set associated with actions requested within the computing environment, [Abstract]. See also Fig. 1A, Fig. 8 for communications for interconnected devices), the method comprising the steps of:

generating [device status] information for at least a plurality of the devices in the network (Fig. 2, and [Col. 16 lines 38-41] context representation generator 210 may receive contextual attributes of a request to invoke an action within the computing environment 100, and may generate a reduced size representation of the contextual information (i.e., information of request from devices). And [Col. 7 lines 47-55] The request processor 112 may receive incoming requests from client devices that instruct the computing environment 100 to perform one or more actions with respect to computing resources 140. The request processor 112 may provide information about the incoming request (e.g., event attributes defining the properties of the requested event, also referred to herein as “request attributes,” and contextual attributes defining information about the user that generated the request) to request the anomaly detector 114); (See Trinh below for teaching of limitation in brackets above and below)

receiving the [device status] information at a processor in communication with the network (e.g. [Col. 16 lines 38-44] The context representation generator 210 may receive contextual attributes of a request to invoke an action within the computing environment 100, and may generate a reduced size representation of the contextual information, which may be used by encoder 230 to encode a request to perform an action within the computing environment 100 into a code z. And Fig.
2 shows Encoder/Decoder including hardware processor as shown in Fig. 8); and

operating a variational autoencoder on the processor that is configured for receiving the [device status] information (e.g. [Col. 2 line 64-Col. 3 line 3] Autoencoders, such as variational autoencoders (VAEs), … that encode data into a latent space and reconstruct approximations of the data from an encoding in the latent space may be used to recognize potentially anomalous activity within a distributed computing system. And [Col. 3 lines 11-15] A VAE is a probabilistic graphical model that includes an encoder and a decoder. An advantage of VAEs over some other autoencoders is that VAEs may learn the distribution of data that provides a reconstruction probability rather than a reconstruction error as an anomaly score);

optimizing the received [device status] information (e.g. [Col. 3 lines 19-24] The decoder of the VAE samples from the variational distribution of the code and transforms the sample into a reconstruction of the input. VAEs use the concept of variational inference and re-parameterize the variational evidence lower bound (ELBO) so that it may be optimized. And [Col. 12 lines 47-61] … by using β-divergence with MMD to determine the loss function (e.g., replacing the KL divergence loss function above with the below β-divergence loss function), the distribution p(x) using β-divergence with MMD may result in an estimate that is more robust to the outliers 152, and closer to the normal data. The graphical representation 160 shows the distribution using β-divergence with MMD. Using β-divergence with MMD may be more forgiving than KL divergence with respect to penalty scores, and therefore may facilitate improved anomaly detection when the training data 132 for the VAE includes the outliers 152.
In this manner, β-divergence with MMD may allow the VAE to identify, more accurately than when compared KL divergence or other techniques, anomalous data); and

determining or enabling a user to determine whether the [device status] information qualifies as an anomaly that requires a response (See Fig. 4 from step 406 to 408-410 or 412-414, i.e. the response to step 406 being Yes or the response being No).

While Aydore teaches network anomalous event detection using variational autoencoder, but does not specifically teach the event data is device status information, in similar field of endeavor Trinh teaches:

device status information (Trinh, discloses predicting anomaly score of equipment in a network based on sensor data using machine learning with variational autoencoder, see [Abstract]. And see e.g. Fig. 5 step 510, receiving sensor data from a piece of equipment (i.e. device status information)).

Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Trinh in the anomalous event detection system of Aydore by determining anomaly score from sensor data of equipment as device status information. This would have been obvious because the person having ordinary skill in the art would have been motivated to use VAE to predict anomaly score for predictive maintenance of equipment (Trinh, [Abstract]).

Regarding claim 1, claim 1 is a system claim that encompasses limitations similar to those limitations of the method claim 8. Therefore, claim 1 is rejected with the same rationale and motivation as applied against claim 8. In addition, Aydore teaches a network security anomaly detection system (Aydore, [Abstract] Systems, devices, and methods are provided for detecting anomalous events from categorical data using autoencoders.
A system may receive a data set associated with actions requested within the computing environment), comprising: a network of interconnected devices (See Fig. 1A, Fig. 8 for communications for interconnected devices).

Regarding claim 17, claim 17 is a computer-readable storage medium claim that encompasses limitations similar to those limitations of the method claim 8. Therefore, claim 17 is rejected with the same rationale and motivation as applied against claim 8. In addition, Aydore teaches a non-transitory computer-readable storage medium (Aydore, [Abstract] Systems, devices, and methods are provided for detecting anomalous events from categorical data using autoencoders. A system may receive a data set associated with actions requested within the computing environment. And [Col. 26 lines 53-57] The storage device 816 may include a machine readable medium 822 on which is stored one or more sets of data structures or instructions 824 (e.g., software) embodying or utilized by any one or more of the techniques or functions described herein. Also see Fig. 8, e.g. 804).

Regarding claim 2, similarly claim 9, claim 18, Aydore-Trinh combination teaches a network security anomaly detection system according to Claim 1, a method of detecting network security anomalies according to Claim 8, a non-transitory computer-readable storage medium according to Claim 17, Aydore-Trinh combination further teaches:

wherein the processor compares the optimized device status information to at least one of non-anomalous device status data or anomalous device status data in a latent space of the variational autoencoder (Aydore, e.g. [Col. 4 lines 11-15] A dataset anomaly may refer to an observation that does not conform to normal patterns in the data. In this manner, training data for a VAE may teach the VAE (e.g., using unsupervised machine learning) to identify normal patterns and deviations from the normal patterns. And [Col. 15 lines 49-51] Referring to FIG.
1B, the training data 132 may include non-anomalous (e.g., normal) samples 172 and anomalous samples 174 that deviate from non-anomalous samples. And Trinh teaches the data being device status information).

Regarding claim 5, similarly claim 12, claim 21, Aydore-Trinh combination teaches a network security anomaly detection system according to Claim 2, a method of detecting network security anomalies according to Claim 9, a non-transitory computer-readable storage medium according to Claim 18, Aydore-Trinh combination further teaches:

the processor optimizes the device status information by generating a plurality of probabilistic models of the device status information and determining which of the plurality of models is optimal (Aydore, [Col. 3 line 11-24] A VAE is a probabilistic graphical model that includes an encoder and a decoder. An advantage of VAEs over some other autoencoders is that VAEs may learn the distribution of data that provides a reconstruction probability rather than a reconstruction error as an anomaly score. The encoder of a VAE transforms high-dimensional input data, such as data with many attributes, with an intractable probability distribution into a low-dimensional code with an approximate variational distribution that is tractable. The decoder of the VAE samples from the variational distribution of the code and transforms the sample into a reconstruction of the input. VAEs use the concept of variational inference and re-parameterize the variational evidence lower bound (ELBO) so that it may be optimized. And Trinh teaches the data being device status information).

Regarding claim 13, Aydore-Trinh combination teaches a method of detecting network security anomalies according to Claim 12, Trinh further teaches:

wherein the optimizing step is performed for at least one subset of the device status information (Trinh, [0004] The process may also include selecting a subset of sensor data, the subset of sensor data comprising data generated from the sensors and excluding the measured values of the target sensor). Same motivation as presented in claim 8 would apply.

Claims 3, 10, 19 are rejected under 35 U.S.C. 103 as being unpatentable over Aydore-Trinh combination as applied above to claims 2, 9, 18 respectively, further in view of Norlander et al (“Latent space conditioning for improved classification and anomaly detection”-IDS, hereinafter, “Norlander”).

Regarding claim 3, similarly claim 10, claim 19, Aydore-Trinh combination teaches a network security anomaly detection system according to Claim 2, a method of detecting network security anomalies according to Claim 9, a non-transitory computer-readable storage medium according to Claim 18,

While the combination of Aydore-Trinh teaches network security anomaly detection with VAE, but does not specifically teach the following limitation, in the same field of endeavor Norlander teaches:

wherein the latent space comprises an n-D point scatter plot, and wherein the further the optimized device status information is from the non-anomalous device status data in the latent space, the greater the likelihood the device status information represents an anomaly (Norlander, discloses variational autoencoder to perform improved pre-processing for clustering and anomaly detection on data with latent space conditioning, see [Abstract]. And Section 4.1 Clustering, Fig. 3 shows with optimized VAE, the clustering in classification is clearer with CL-VAE (weight adjusted) (i.e. greater the likelihood the device status information represents an anomaly).
In this case scattering plot is shown in 2-D).

Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Norlander in the anomalous event detection system of Aydore-Trinh by using 2-D scatter plot to show unique clusters with optimized VAE. This would have been obvious because the person having ordinary skill in the art would have been motivated to use the optimized VAE to identify anomalies (Norlander, [Abstract], Section 4.1).

Claims 4, 11, 20 are rejected under 35 U.S.C. 103 as being unpatentable over Aydore-Trinh-Norlander combination as applied above to claims 3, 10, 19 respectively, further in view of Kolagunda et al (US20220180205A1-IDS, hereinafter, “Kolagunda”).

Regarding claim 4, similarly claim 11, claim 20, Aydore-Trinh-Norlander combination teaches a network security anomaly detection system according to Claim 3, a method of detecting network security anomalies according to Claim 10, a non-transitory computer-readable storage medium according to Claim 19,

While the combination of Aydore-Trinh-Norlander teaches network security anomaly detection with VAE, but does not specifically teach the following limitation, in the similar field of endeavor Kolagunda teaches:

wherein the latent space comprises a 3D point scatter plot that includes hidden vector values (Kolagunda, discloses method for generating and displaying an embedding of multivariate time series data in an embedded space, see [Abstract]. And [0017] ... the optimized generative deep learning neural network model may be used to effectively parse and visualize different patterns and anomalies in the multivariate time series data. In particular, see Fig. 2, 3D scatter plot in embedded space. And [0026] Referring now to FIG. 2, a visual representation of raw input data 202 and an example a reconstruction of the raw input data 202 in an embedded space 204 is depicted).

Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Kolagunda in the anomalous event detection system of Aydore-Trinh-Norlander by using 3-D scatter plot to represent input data in embedded space. This would have been obvious because the person having ordinary skill in the art would have been motivated to represent and display multivariate time series data in embedded space so that temporal relationship between data points from input is captured and presented (Kolagunda, [Abstract]).

Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Aydore-Trinh-Norlander combination as applied above to claim 3, further in view of Orlova et al (US20180018386A1-IDS, hereinafter, “Orlova”).

Regarding claim 6, Aydore-Trinh-Norlander combination teaches a network security anomaly detection system according to Claim 3,

While the combination of Aydore-Trinh-Norlander teaches a display and a user interface (Aydore, see Fig. 8, graphical display device 810, a user interface navigation device 814), but does not specifically teach following limitation(s), in similar field of endeavor Orlova teaches:

further comprising: [a display; and a user interface], the user interface enabling a user to select a data sample from the device status information and to see where the data sample is located in the latent space n-D point scatter plot (Orlova, discloses systems and methods for cluster matching across samples and guided visualization of multidimensional cytometry data, see [Title], [Abstract]. And [0042] the method further includes displaying a selection indicator associated with each single parameter chart or graph in the second interactive display, and receiving an input from a user indicating a selection of one or more of the selection indicators and, in response to the input, and [0069] FIG.
8 includes a screen shot of 2D cluster plot window including a user selection of a subset of the displayed data displayed in a plot editor window that includes a guidance selection feature).

Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Orlova in the anomalous event detection system of Aydore-Trinh-Norlander by using display and user interface devices. This would have been obvious because the person having ordinary skill in the art would have been motivated to represent multidimensional measurement data for guided visualization (Orlova, [Abstract]).

Claims 7, 14, 22 are rejected under 35 U.S.C. 103 as being unpatentable over Aydore-Trinh combination as applied above to claims 1, 8, 17 respectively, further in view of Gupta et al (US20190158112A1-IDS, hereinafter, “Gupta”).

Regarding claim 9, similarly claim 14, claim 22, Aydore-Trinh combination teaches a network security anomaly detection system according to Claim 1, a method of detecting network security anomalies according to Claim 8, a non-transitory computer-readable storage medium according to Claim 17,

While the combination of Aydore-Trinh does not specifically teach following limitation(s), in similar field of endeavor Gupta teaches:

the processor further comprising an image gradient sobel edge detector that preprocesses the device status information prior to optimizing the device status information (Gupta, discloses system and method for image vectorization operations using machine learning, see [Title], [Abstract]. And [0061] Sobel … uses a convolution-based, image-gradient approximation to augment a current edge-detection output at appropriate regions in the graphics data being processed).

Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Gupta in the anomalous event detection system of Aydore-Trinh by using Sobel operator for image gradient approximation. This would have been obvious because the person having ordinary skill in the art would have been motivated to transform input graphic into output vector graphic by applying a customization specific to visual characteristics of the input data (Gupta, [Abstract]).

Claims 15, 23 are rejected under 35 U.S.C. 103 as being unpatentable over Aydore-Trinh combination as applied above to claims 8, 17 respectively, further in view of Nguyen et al (“GEE: A Gradient-based Explainable Variational Autoencoder for Network Anomaly Detection”-IDS, hereinafter, “Nguyen”).

Regarding claim 15, similarly claim 23, Aydore-Trinh combination teaches a method of detecting network security anomalies according to Claim 8, a non-transitory computer-readable storage medium according to Claim 17,

While the combination of Aydore-Trinh teaches network security anomaly detection with VAE, but does not specifically teach the following limitation, in the same field of endeavor Nguyen teaches:

further comprising the steps of: implementing a 3D p-value statistical test to measure anomaly detection accuracy; and representing the results of the 3D p-value statistical test with ROC curves (Nguyen, discloses a gradient-based VAE for network anomaly detection, see [Abstract]. Section V. B (ROC Performance on Anomaly Detection) shows using ROC curves to demonstrate advantage of VAE over AE and GBT in anomaly detection).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Nguyen in the anomalous event detection system of Aydore-Trinh by using ROC curves with statistical result to show anomaly detection accuracy and demonstrate advantage of gradient-based VAE in anomaly detection. This would have been obvious because the person having ordinary skill in the art would have been motivated to develop a framework for detecting and explain anomalies in network traffic (Nguyen, [Abstract]). Claims 16, 24 are rejected under 35 U.S.C. 103 as being unpatentable over Aydore-Trinh-Nguyen combination as applied above to claims 15, 23 respectively, further in view of Norlander et al (“Latent space conditioning for improved classification and anomaly detection”-IDS, hereinafter, “Norlander”). Regarding claim 16, similarly claim 24, Aydore-Trinh-Nguyen combination teaches a method of detecting network security anomalies according to Claim 15, a non-transitory computer-readable storage medium according to Claim 23, While the combination of Aydore-Trinh-Nguyen does not specifically teach the following limitation, in the same field of endeavor Norlander teaches: the implementing step further comprising the steps of: selecting a 3D view of latent space clusters that shows the most separation of test hypotheses; and calculating the probability of the most likely non-anomalous device status data to which received device status information might belong to latent space distribution (Norlander, discloses variational autoencoder to perform improved pre-processing for clustering and anomaly detection on data with latent space conditioning, see [Abstract]. And Section 4.1 Clustering, Fig. 3 shows with optimized VAE, the clustering in classification is clearer with CL-VAE (weight adjusted) (i.e. 
most likely non-anomalous device status data to which received device status information might belong to latent space distribution). Examiner notes, it is obvious to one ordinary skilled in the art that Norlander’s 2D view can be applied to 3D view). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Norlander in the anomalous event detection system of Aydore-Trinh-Nguyen by using 2-D scatter plot to show unique clusters with optimized VAE. This would have been obvious because the person having ordinary skill in the art would have been motivated to use the optimized VAE to identify anomalies (Norlander, [Abstract], Section 4.1). Citation of References The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The following references are cited but not been replied upon for this office action: Klos et al (US20230205161A1) discloses method for monitoring of industrial devices. Agrawal et al (US20220294715A1) discloses method of detection of abnormal network communication traffic for a class of devices associated with the computing device. Servajean et al (US20200210782A1) discloses method of anomaly detection for network traffic communicated by devices via a computer network. Vaidya et al (US11587101B2) discloses method for detecting abnormal entities and activities using machine learning algorithms. Conclusion Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL M LEE whose telephone number is (571)272-1975. The examiner can normally be reached on M-F: 8:30AM - 5:30PM. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on (571) 272-4219. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /MICHAEL M LEE/Primary Examiner, Art Unit 2436

Prosecution Timeline

Oct 10, 2024
Application Filed
Feb 27, 2026
Non-Final Rejection — §101, §103, §112 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12596786
ANOMALOUS EVENT AGGREGATION FOR ANALYSIS AND SYSTEM RESPONSE
2y 5m to grant Granted Apr 07, 2026
Patent 12579301
Data Plane Management Systems and Methods
2y 5m to grant Granted Mar 17, 2026
Patent 12580927
DETECTING AND PROTECTING CLAIMABLE NON-EXISTENT DOMAINS
2y 5m to grant Granted Mar 17, 2026
Patent 12579279
System and Method for Summarization of Complex Cybersecurity Behavioral Ontological Graph
2y 5m to grant Granted Mar 17, 2026
Patent 12580938
CONDITIONAL HYPOTHESIS GENERATION FOR ENTERPRISE PROCESS TREES
2y 5m to grant Granted Mar 17, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Prosecution Projections

1-2
Expected OA Rounds
84%
Grant Probability
99%
With Interview (+44.1%)
3y 0m
Median Time to Grant
Low
PTA Risk
Based on 259 resolved cases by this examiner. Grant probability derived from career allow rate.
