DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claim Status
Claims 3-12 and 14-23 are canceled.
Claims 1-2 and 13 are amended.
Claims 24-41 are new pending claims
Claims 1-2, 13, and 24-41 are under examination.
Response to Arguments
Applicant’s Remarks filed on 5/11/2026 have been considered.
Regarding Applicant’s remarks and amendment of the independent claims adding the security action is conditioned on a measure of pervasiveness of the entity being less than a predefined threshold not being obvious in view of the cited art, these have been considered and are persuasive. Note that these claims are now rejected under 112(a) for lack of written description support as the specification page 7 lines 7-9 only states “a measure of pervasiveness of the file be less than a predefined threshold” and is silent on a threshold for the measure of pervasiveness when the entity is an element of a web request. New grounds of rejection have been made to address the amended claims.
Regarding Applicant’s remarks on Triantafillos’ teaching of file pervasiveness, they have been considered been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
Regarding Applicant’s remarks on Triantafillos’ teaching of web request pervasiveness, they have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
Claim Rejections - 35 USC § 112(a)
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.
Claims 1-2, 13, and 24-41 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claims contain subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention. Claims 1, 2, and 13 were amended to add “a measure of pervasiveness of the entity being less than a predefined threshold” however the specification only provides support for the measure of pervasiveness being less than a predefined threshold when the entity is a file and is lacking support for when the entity is an element in a web request.
Claims 24-29, 30-35, and 36-41, are respectively dependent on claims 1, 2, and 13 and inherit this rejection.
Claim Rejections - 35 USC § 112(b)
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
Claims 24, 30, and 36 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as failing to set forth the subject matter which the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the applicant regards as the invention.
Regarding claims 24, 30, and 36 the term “relatively uncommon” is a relative term which renders the claim indefinite. The term “relatively” is not defined by the claim, the specification does not provide a standard for ascertaining the requisite degree, and one of ordinary skill in the art would not be reasonably apprised of the scope of the invention. For examination purposes, “relatively uncommon” is being interpreted as “uncommon”.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1, 24-26, 2, 30-32, 13, and 36-38 are rejected under 35 U.S.C. 103 as being unpatentable over Bourget et al. (US Patent No. 10873596), hereinafter Bourget in view of Yumer (US Patent Publication No. 2016/0366167).
Regarding claim 1, a system, comprising: a communication interface; and a processor, configured to (Bourget Column 14 lines 3-5: “The processor may also include, or be operatively coupled to communicate with, one or more data storage devices for storing data”):
receive an alert specifying: a possible cybersecurity compromise on a computer network and at least one entity associated with the possible cybersecurity compromise (Bourget Column 3 Lines 37-41: “Non-limiting examples of alert sources include Intrusion Detection or Intrusion Prevention Systems (IDS/IPS), mal-ware detection systems, e-mail phishing detection systems, firewalls, or Security Information Event Management (SIEM) systems.”), [the entity including a file stored on the computer network or an element specified in a web request originating from the computer network], and
in response to receiving the alert, execute a playbook, which specifies at least one security action for the alert [conditioned on a measure of pervasiveness of the entity being less than a predefined threshold], (Bourget Column 7 lines 61-Column 8line 6: “The Expert System is constructed on ‘if this then that’ (IFTTT) logic framework that operates on a set of user defined rules, and a fact base. In this system, the fact base is composed on every data element associated with 65 an alert or incident in the database. … This allows the entire system to make decisions about specific actions to take based on data elements in an alert, regardless of whether these data elements are parsed from an alert, added as part of the automatic enrichment process…”):
by: via the communication interface, querying a database (Bourget Column 4 lines 45-47: “The Expert System has the ability to transmit information from the system database to these other systems as part of these queries”), which is continually updated with data from the computer network as the computer network is used (Bourget Column 8 lines 42-45: “The machine learning algorithms may learn new rules to be added to the rules base which allow the system to perform tasks that human operators have per-formed in the past.”), [for the measure of pervasiveness ascertaining whether the measure of pervasiveness is less than the predefined threshold, and provided the measure of pervasiveness is less than the predefined threshold], performing the security action (Bourget Column 7 lines 61-Column 8 line 4: “The Expert System is constructed on ‘if this then that’ (IFTTT) logic framework that operates on a set of user defined rules, and a fact base. In this system, the fact base is composed on every data element associated with 65 an alert or incident in the database. … This allows the entire system to make decisions about specific actions to take based on data elements in an alert”).
Bourget fails to explicitly teach the entity including a file stored on the computer network or an element specified in a web request originating from the computer network,
conditioned on a measure of pervasiveness of the entity being less than a predefined threshold, and
for the measure of pervasiveness ascertaining whether the measure of pervasiveness is less than the predefined threshold, and provided the measure of pervasiveness is less than the predefined threshold
However, Yumer teaches the entity including a file stored on the computer network or an element specified in a web request originating from the computer network (Yumer ¶39: “at least one file that is on a computing device used by the high-risk user to download files and that is below a predefined frequency threshold on computing devices used by other users.”)
conditioned on a measure of pervasiveness of the entity being less than a predefined threshold (Yumer ¶39: “include at least one file that is on a computing device used by the high-risk user to download files and that is below a predefined frequency threshold on computing devices used by other users.”)
for the measure of pervasiveness ascertaining whether the measure of pervasiveness is less than the predefined threshold, and provided the measure of pervasiveness is less than the predefined threshold (Yumer ¶39: “the high-risk pattern of download behavior may include at least one file that is on a computing device used by the high-risk user to download files and that is below a predefined frequency threshold on computing devices used by other users.”)
It would have been obvious for one of ordinary skill in the art before the effective filing date of the invention to modify Bourget in view of Yumer to use a threshold to distinguish malicious activity from normal activity to protect organizations from malicious activity while not harming normal users (Yumer ¶21: “As will be explained in greater detail below, by using benign download behavior to predict the risk of future malicious download behavior, the systems described herein may be able to protect high-risk users before the users become infected, gather valuable information about the download habits of high-risk users, and/or protect organizations from being compromised by the high-risk behavior of their members.”).
Claims 2 and 13 are substantially similar to claim 1 and are rejected under the same rationale.
In addition, Bourget teaches, claim 13’s a computer software product comprising a tangible non- transitory computer-readable medium in which program instructions are stored, which instructions, when read by a processor, cause the processor to (Bourget Colum 13 lines 6-9: “The present invention (or any part(s) or function(s) thereof) may be implemented using hardware, software, firmware, or a combination thereof and may be implemented in one or more computer systems or other processing systems.”)
Regarding claim 24, Bourget and Yumer teach the system according to claim 1, but Bourget fails to teach wherein the measure of pervasiveness being less than the predefined threshold indicates that the entity is relatively uncommon.
However, Yumer teaches wherein the measure of pervasiveness being less than the predefined threshold indicates that the entity is relatively uncommon (Yumer ¶39: if a file is found on less than 1% of computing devices used by other users, determination module 106 may determine that downloading that file is a high-risk download behavior. In another example, if a file is found on over 50% of computing devices used by other users, determination module 106 may determine that downloading that file is not a high-risk download behavior. In one example, determination module 106 may determine that users who routinely download files that appear on fewer than 10% of other users' computing devices mostly fall into the high-risk user category and that therefore the predefined frequency threshold is 10%).
It would have been obvious for one of ordinary skill in the art before the effective filing date of the invention to modify Bourget in view of Yumer to use a threshold to distinguish uncommon malicious activity from common normal activity to protect organizations from malicious activity while not harming normal users (Yumer ¶21: “As will be explained in greater detail below, by using benign download behavior to predict the risk of future malicious download behavior, the systems described herein may be able to protect high-risk users before the users become infected, gather valuable information about the download habits of high-risk users, and/or protect organizations from being compromised by the high-risk behavior of their members.”).
Claims 30 and 36 are substantially similar to claim 24 and are rejected under the same rationale.
Regarding claim 25, Bourget and Yumer teach the system according to claim 1, but Bourget fails to teach wherein the entity includes the file, and wherein the measure of pervasiveness includes a number of instances of a path or hash of the file
However, Yumer teaches wherein the entity includes the file, and wherein the measure of pervasiveness includes a number of instances of a path or hash of the file (Yumer ¶41: “determination module 106 may determine the high-risk pattern of download behavior by examining the file paths where the user initially downloads files, stores downloaded files, and/or executes downloaded files. In one embodiment, the high-risk pattern of download behavior may include the total number of distinct file paths on a computing device used by the high-risk user to download files.”).
It would have been obvious for one of ordinary skill in the art before the effective filing date of the invention to modify Bourget in view of Yumer for the measure of pervasiveness to include a number of instances of a path as this metric is useful in distinguishing potential malicious activity from normal user activity (Yumer ¶41: “For example, determination module 106 may determine that a user who stores all of their downloaded files in a single downloads directory (e.g., their browser's default download directory) is at a higher risk for malicious downloads than a user who downloads files to different directories. In another example, determination module 106 may determine that a user who downloads many files to the same few directories (e.g., by downloading multiple different applications from the same reputable publishers) is at a lower risk for malicious downloads than a user who downloads many files to many different directories.”).
Claims 31 and 37 are substantially similar to claim 25 and are rejected under the same rationale.
Regarding claim 26, Bourget and Yumer teach the system according to claim 1, but Bourget fails to teach wherein the entity includes the file, and wherein the measure of pervasiveness includes a number of times the file was downloaded from an Internet.
However, Yumer teaches the system according to claim 1, wherein the entity includes the file, and wherein the measure of pervasiveness includes a number of times the file was downloaded from an Internet (Yumer ¶38: “determination module 106 may examine the total number of files on the computing device and/or the total number of files downloaded to the computing device during the download monitoring time period.”).
It would have been obvious for one of ordinary skill in the art before the effective filing date of the invention to modify Bourget of Yumer for the measure of pervasiveness to include the number of times the file was downloaded as download behavior is useful distinguishing potential malicious activity from normal user activity (Yumer ¶21: “As will be explained in greater detail below, by using benign download behavior to predict the risk of future malicious download behavior, the systems described herein may be able to protect high-risk users before the users become infected, gather valuable information about the download habits of high-risk users, and/or protect organizations from being compromised by the high-risk behavior of their members.”).
Claims 32 and 38 are substantially similar to claim 26 and are rejected under the same rationale.
Claims 27, 33, and 39 are rejected under 35 U.S.C. 103 as being unpatentable over Bourget in view of Yumer in view of Brown (US Patent Publication No. 2018/0121650).
Regarding claim 27, Bourget and Yumer teach the system according to claim 1, but fail to explicitly teach wherein the entity includes the file, and wherein the measure of pervasiveness includes a number of times the file was accessed.
However, Brown teaches wherein the entity includes the file, and wherein the measure of pervasiveness includes a number of times the file was accessed (Brown ¶28: “the security agent 102 can include various components to perform additional or alternative operations such as one or more of: (112) compiling a record of actions 114 on one or more files committed by the process and/or process(es) associated with the process (e.g., process information related to the detecting 104 and/or the detecting 106, the record including a number of unique files accessed, a number of unique file types accessed (e.g., as determined by an extension of the file and/or the contents of the file), a number of times a file is accessed…”).
It would have been obvious for one of ordinary skill in the art before the effective filing date of the invention to modify Bourget and Yumer in view of Brown to include the number of accesses to the file as a measure of pervasiveness to gain another metric that can indicate potentially malicious files to prevent further compromise (Brown ¶20: “The techniques described herein detect that a process is file-modifying malware before a substantive number of files are compromised and/or, for some file access patterns, before any files are irreversibly altered. The configuration of the techniques also enable such detection without introducing high computational expense or limiting the scope of the detection to save on computational load, as current measures do. The configuration of the techniques as described herein accomplishes these advantages.”).
Claims 33 and 39 are substantially similar to claim 27 and are rejected under the same rationale.
Claims 28, 34, and 40 are rejected under 35 U.S.C. 103 as being unpatentable over Bourget in view of Yumer in view of Brandel et al. (US Patent Publication No. 2022/0263828), hereinafter Brandel.
Regarding claim 28, Bourget and Yumer teach the system according to claim 1, but fail to explicitly teach wherein the entity includes the element, and wherein the measure of pervasiveness includes a number of web requests specifying the element.
However, Brandel teaches the system according to claim 1, wherein the entity includes the element, and wherein the measure of pervasiveness includes a number of web requests specifying the element (Brandel ¶98: “if the domain request is made less than the predetermined number of times in 522, then the domain can be added to an alerting list in 528. In other words, the domain in the request can be flagged as potentially malicious.”).
It would have been obvious for one of ordinary skill in the art before the effective filing date of the invention to modify Bourget and Yumer in view of Brandel for the measure of pervasiveness of the web request to include the number of requests specifying the element to better distinguish potential malicious activity from normal user activity (Brandel ¶98: “A domain is more likely to be malicious if it is infrequently or less often requested at the client device 132 and/or at other client devices.”).
Claims 34 and 40 are substantially similar to claim 28 and are rejected under the same rationale.
Claims 29, 35, and 41 are rejected under 35 U.S.C. 103 as being unpatentable over Bourget in view of Yumer in view of Peng (US Patent Publication No. 2005/0249214).
Regarding claim 29, Bourget and Yumer teach the system according to claim 1, but fail to explicitly teach wherein the entity includes the element, and wherein the measure of pervasiveness includes a number of days in which the element was specified in any web request.
However, Peng teaches wherein the entity includes the element, and wherein the measure of pervasiveness includes a number of days in which the element was specified in any web request (Peng ¶111-112: “Normally, users often surf the Internet at regular times, and repeat their network usage behavior daily. Thus, an IP address can be considered to be frequent based on the number of days it has appeared in the network … Empirical observations of independent data sets indicate that typically only 40% of IP addresses appeared in at least two days is of a two-week period. Therefore, around 60% of the IP addresses appeared on only one day in the two week period. These addresses can be considered to be infrequent IP addresses as they are less likely to visit the network again.”).
It would have been obvious for one of ordinary skill in the art before the effective filing date of the invention to modify Bourget and Yumer in view of Peng for the measure of pervasiveness to include the number of days the element was in a web request to better distinguish potential malicious activity from normal user activity and reduce false alarms (Peng ¶82: “There are two key measures that are used to evaluate bandwidth attack detection systems. The first is the false alarm rate, which is one of the biggest concerns among the anomaly detection community. If a system produces too many false alarms, it will require lots of time to investigate whether the alarms indicate a real attack or not. If an attack response (such as packet filtering) is based on a false alarm, innocent traffic will be unfairly punished, and normal network services will be disturbed.”).
Claims 35 and 41 are substantially similar to claim 29 and are rejected under the same rationale.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ALEC ANKRUM whose telephone number is (571)272-9209. The examiner can normally be reached M-F 7:15am-3:15pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ali Shayanfar can be reached at 571-270-1050. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/A.C.A./Examiner, Art Unit 2434
/NOURA ZOUBAIR/Primary Examiner, Art Unit 2434