DETAILED ACTION
This communication is in response to application no. 18/920874 filed 19 October 2024.
Claims 1-20 are currently pending and have been examined.
Claims 1-20 are rejected as shown in this detailed action.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Drawings
The drawings are objected to because Figs 5, 6A, 6B, 7, 8, and 9 contain text that is illegible. Corrected drawing sheets in compliance with 37 CFR 1.121(d) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. The figure or figure number of an amended drawing should not be labeled as “amended.” If a drawing figure is to be canceled, the appropriate figure must be removed from the replacement sheet, and where necessary, the remaining figures must be renumbered and appropriate changes made to the brief description of the several views of the drawings for consistency. Additional replacement sheets may be necessary to show the renumbering of the remaining figures. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be notified and informed of any required corrective action in the next Office action. The objection to the drawings will not be held in abeyance.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea) without significantly more.
Step 1
Claims 1-11 recite a method which is considered a process. Claims 12-16 recite a system which is considered a machine or manufacture. Claims 17-20 recite a non-transitory computer-readable storage medium which is considered a machine or manufacture. Thus, all claims fall into at least one statutory category of invention.
Step 2A-Prong One
(Claims 1, 12, and 17) The “training a base large language model based on one or more rule-containing documents, said one or more rule-containing documents comprising a set of compliance requirements, wherein said rule-containing documents comprise unstructured text” step encompasses mathematical concepts. This step is similar to Example 47, Claim 2, step (c) which involves the training of an artificial neural network. These claims fall into the mathematical concepts grouping of abstract ideas.
(Claims 1, 12, and 17) The “generating one or more tree objects representing one or more of said rule-containing documents” step, as drafted, is a process that under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components. For example, but for the “cause the one or more processors to perform” language in claims 12 and 17, the claims encompass a user manually generating a tree object. Claim 1 does not recite any computer components for performing this step, thus its broadest reasonable interpretation also encompasses a user manually performing the step. These claims fall into the mental processes grouping of abstract ideas.
(Claims 1, 12, and 17) The “generating a set of controls based on said one or more tree objects representing said one or more rule-containing documents and a set of control prompts” step, as drafted, is a process that under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components. For example, but for the “cause the one or more processors to perform” language in claims 12 and 17, the claims encompass a user manually generating a set of controls based on known information. Claim 1 does not recite any computer components for performing this step, thus its broadest reasonable interpretation also encompasses a user manually performing the step. These claims fall into the mental processes grouping of abstract ideas.
(Claims 1, 12, and 17) The “generating a mapping between said compliance evidence object and said set of tree objects, wherein said mapping comprises a plurality of weights linking a control with a node in one of said tree objects” step, as drafted, is a process that under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components. For example, but for the “cause the one or more processors to perform” language in claims 12 and 17, the claims encompass a user manually generating a mapping comprising weights using known information. Claim 1 does not recite any computer components for performing this step, thus its broadest reasonable interpretation also encompasses a user manually performing the step. These claims fall into the mental processes grouping of abstract ideas.
(Claims 1, 12, and 17) The “determining a compliance score for said application based on said compliance evidence object and said mapping” step, as drafted, is a process that under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components. For example, but for the “cause the one or more processors to perform” language in claims 12 and 17, the claims encompass a user manually determining a score using known information. Claim 1 does not recite any computer components for performing this step, thus its broadest reasonable interpretation also encompasses a user manually performing the step. These claims fall into the mental processes grouping of abstract ideas.
(Claim 2) This claim further limits the types of documents utilized in the process of claim 1 (see “said rule-containing documents include one or more of regulatory documents, policy documents, public cloud architecture documents, and industry architecture documents”). This step does not take the claim out of the above identified abstract idea groupings. For example, a human can still generate a tree object using the documents specified in this claim.
(Claims 3, 5, and 6) These claims further define the environment in which the application operates (see “application is executing in a cloud operating environment” in claim 3, “said cloud operating environment is a public cloud operating environment” in claim 5, and “said cloud operating environment is a private cloud operating environment” in claim 6). These limitations do not take the claims out of the above identified abstract idea groupings. For example, a human can still determine a compliance score for an application in any of the environments specified in these claims.
(Claim 4) This claim further limits that the controls are specific to a cloud environment (see “said set of controls is specific to said cloud operating environment”). This limitation does not take the claim out of the above identified abstract idea groupings. For example, a human can still generate a set of controls wherein the controls are specific to a cloud environment.
(Claim 9) This claim further specifies the sum of the weights (see “wherein the sum of said plurality of weights is equal to 1”). This limitation does not take the claim out of the above identified abstract idea groupings. For example, a human can still generate a mapping and weights wherein the sum of the weights is equal to 1.
(Claims 10, 15, and 20) These claims recite “adjusting one or more of said weights based on one or more of said rule-containing documents being modified” which is a process that under its broadest reasonable interpretation, covers performance of the limitation in the mind. For example, the claims encompass a user manually adjusting the weights based on given information. Thus, these claims fall into the mental processes grouping of abstract ideas.
(Claims 11 and 16) These claims recite “determining said compliance score comprises changing said compliance scored based on the weight associated with a specific control” which is a process that under its broadest reasonable interpretation, covers performance of the limitation in the mind. For example, the claims encompass a user manually changing the score based on weights. Thus, these claims fall into the mental processes grouping of abstract ideas.
Step 2A-Prong Two
This judicial exception is not integrated into a practical application. The claims recite the additional element of a system comprising one or more processors and a non-transitory computer-readable storage medium (found in claims 12-16) or a non-transitory computer-readable storage medium and one or more processors (found in claims 17-20) and include no more than mere instructions to apply the exception using a generic computer component. The system or medium and processors do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea.
Additionally, the steps of “receiving, from a software application running in a computing environment, a compliance evidence object corresponding to one or more of said controls, said compliance evidence object comprising data relating to said application’s compliance with said one or more of said controls” (found in claims 1, 12, and 17), “automatically collect compliance evidence from one or more applications on a continuous basis” (found in claims 7, 13, and 18), and “receiving a stream of events comprising compliance evidence objects” (found in claims 8, 14, and 19) are mere data gathering. These steps are considered insignificant extra-solution activity and do not integrate the abstract idea into a practical application.
Step 2B
The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed previously with respect to Step 2A-Prong Two, the additional element in the claim amounts to no more than mere instructions to apply the exception using a generic computer component. The same analysis applies here in Step 2B, i.e., mere instructions to apply an exception using a generic computer component cannot integrate a judicial exception into a practical application at Step 2A or provide an inventive concept in Step 2B. See MPEP 2106.05(f). The claims do not provide an inventive concept (significantly more than the abstract idea). The claims are ineligible.
Regarding the steps of “receiving, from a software application running in a computing environment, a compliance evidence object corresponding to one or more of said controls, said compliance evidence object comprising data relating to said application’s compliance with said one or more of said controls” (found in claims 1, 12, and 17), “automatically collect compliance evidence from one or more applications on a continuous basis” (found in claims 7, 13, and 18), and “receiving a stream of events comprising compliance evidence objects” (found in claims 8, 14, and 19), the courts have found that “Receiving or transmitting data over a network, e.g., using the Internet to gather data” is considered well-understood, routine, and conventional when claimed in a merely generic manner, as is the case in these claims. Thus, these data gathering steps are considered well-understood, routine, and conventional activity. See MPEP 2106.05(d)(II).
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over US 2023/0274289 (“Kurian”) in view of US 2024/0095077 (“Singh”), and US 2024/0320687 (“Adebayo”).
Regarding Claims 1, 12, and 17, Kurian teaches a method of determining compliance of an application with set of compliance requirements; a system comprising: one or more processors and a non-transitory computer-readable storage medium having stored thereon processor-executable instructions; and non-transitory computer-readable storage medium having stored thereon processor-executable instructions that, when executed by one or more processors, cause the one or more processors to perform a method (See “The present invention may be a system, a method, and/or a computer program product at any possible technical detail level of integration. The computer program product may include a computer readable storage medium (or media) having computer readable program instructions thereon for causing a processor to carry out aspects of the present invention” in ¶ 0020 and “A computer readable storage medium or media, as used herein, is not to be construed as being transitory signals per se” in ¶ 0021.) comprising:
[processing] one or more rule-containing documents, said one or more rule-containing documents comprising a set of compliance requirements, wherein said rule-containing documents comprise unstructured text (See “Still referring to FIG. 4, the rule generator server 402 may include components of the computer system 12 of FIG. 1, and may comprise a special purpose computing device configured to automatically generate compliance and remediation profiles 433, 443 based on existing human-readable documents (e.g., text-based compliance documents). The rule generator server 402 may include one or more program modules (e.g., program module 42 of FIG. 1) executed by the rule generator server 402 and configured to perform one or more functions described herein. In embodiments, the rule generator server 402 includes one or more of the following program modules (e.g., program module 42 of FIG. 1): a natural language processor 420, a rules pre-processor 421 and a compliance and remediation compiler 422. In implementations, the natural language processor 420 is configured to analyze the human-readable documents to generate natural language data for use in generating the compliance and remediation profiles 433, 443” in ¶ 0065.);
generating one or more tree objects representing one or more of said rule-containing documents (See “In embodiments, the compliance and remediation compiler 422 obtains natural language processing data in the form of structured insights 700 from human-readable documents 600, and feeds the data to a semantic analysis module 702 for semantic analysis based on insights grammar (grammar rules) 704. In general, semantic analysis is the process of relating syntactic structures, from the levels of phrases, clauses, sentences and paragraphs to the level of writing as a whole, to their language-independent meanings. Various semantic analysis tools and methods may be utilized in accordance with embodiment of the invention. In implementations, the semantic analysis module 702 generates a semantic tree 706 as an output which is fed to a compiler 714. In embodiments, the rules pre-processor 421 includes a semantic analysis module 710 which utilizes domain specific language (DSL) grammar (domain-specific grammar rules) 708 and DSL rules meta data 712 as input to the compliance remediation compiler 422, wherein the semantic tree 706 is generated based on input from the semantic analysis module 702 and the semantic analysis module 710” in ¶ 0089 and Fig. 7. These structured insights and semantic tree are considered the one or more tree objects as supported by the tree structure found in the present invention at Fig. 6A.);
generating a set of controls based on said one or more tree objects representing said one or more rule-containing documents and a set of control prompts (See “In implementations, the compiler 714 generates the compliance profile 433 and the remediation profile 443 based on the semantic tree 706, and stores the compliance and remediation profiles 433, 443 in the data store 412” in ¶ 0089. The present specification indicates that “controls are tools which define requirements that can be used to collect compliance evidence” which is equivalent to the generated profiles found in Kurian.);
receiving, from a software application running in a computing environment, a compliance evidence object corresponding to one or more of said controls, said compliance evidence object comprising data relating to said application’s compliance with said one or more of said controls (See “In accordance with embodiments of the invention, the audit module 602 provides event data to the configuration management tool 431, which provides the event data for processing by the compliance enforcement bridge 432. In aspects, the compliance enforcement bridge 432 processes the event data and saves information extracted therefrom in the data store 412. The compliance enforcement bridge 432 may provide the configuration management tool 431 with the extracted data” in ¶ 0086 and “In accordance with embodiments of the invention, the configuration management tool 431 of the compliance server 404 notifies the compliance enforcement bridge 432 of a non-compliance event, and event data regarding the non-compliance event is stored in the queue 435 for processing at 800” in ¶ 0091 wherein the event data is considered the compliance evidence object.);
generating a mapping between said compliance evidence object and said set of tree objects, linking a control with a node in one of said tree objects (See “In implementations, the compliance enforcement bridge 432: determines a workload node 408 from which the non-compliance event originated at step 801; determines control failure information (e.g., what caused the failure or non-compliance) at step 802; accesses the mapping table 434 (mapping data from the compliance profile 433 to data of the remediation profile 443) to map the workload node 408 and control failure information to a corresponding remediation action; and invokes the remediation action at step 804” in ¶ 0091.);
determining compliance for said application based on said compliance evidence object and said mapping (See ¶ 0091 and “Any compliance drift (non-compliance events) detected during the scans can be notified through appropriate mechanisms (e.g., service management tools, and collaboration tools) such as the configuration management tool 431. In this example, a mapping (e.g., mapping table 434) between the compliance rules and remediation rules/logics are created through a configuration file (as not all remediation can be attempted as an automatic process). In accordance with embodiments of the invention, the system creates audit and compliance reports during every scheduled run on a real-time basis based on data stored in the data store 412” in ¶ 0093.).
Kurian does not expressly teach training a base large language model; wherein said mapping comprises a plurality of weights; a compliance score.
However, Singh teaches training a base large language model [based on documents, wherein said documents comprise unstructured text] (See “The plan generator functionality 122 may include one or more machine learning processes, such as one or more neural networks, one or more large language model (“LLMs”), and the like. An LLM refers to one or more neural network models, one or more machine learning algorithms, and/or variations thereof, that process text to calculate one or more outputs, such as one or more plans for one or more tasks, a next word in a sequence of words (e.g., predicted based at least in part on one or more preceding words in the sequence), and/or the like. An LLM may be trained on a large corpus of text data” in ¶ 0070 and “The corpus of text data used to train an LLM may include text expressed in one or more human or natural languages exclusively or such natural language text combined with other types of text” in ¶ 0073.).
Further, Adebayo teaches wherein said mapping comprises a plurality of weights; a compliance score (See “FIG. 10 is a flowchart of a process for applying weights in aggregating compliance scores in accordance with an illustrative embodiments” in ¶ 0015, “In this illustrative example, the severity indicates the importance of the compliance check. The severity becomes higher as the importance of the compliance check becomes more important. In this manner, severity can be used to apply a weighting for the passing or failing of individual compliance checks in the compliance score” in ¶ 0014, and “wherein aggregating, by the processor units, the compliance scores comprises: assigning, by the number of processor units, weights to a layer in the layers based on attributes of a set of the components in the layer” in claim 6.).
It would have been obvious to one having ordinary skill in the art at the time of filing to combine the teachings of Kurian and Singh to utilize an LLM. The motivation, as demonstrated in Singh, is to utilize a tool that is known to be sufficient with a large corpus of text data. Additionally, the claimed invention is merely a combination of old elements, in the combination each element merely performs the same function as it does separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.
It would have been obvious to one having ordinary skill in the art at the time of filing to combine the teachings of Kurian, Singh, and Adebayo to utilize the weighting and scoring elements described in Adebayo. The motivation, as demonstrated in Adebayo, is to allow for certain aspects which have different severity or importance to be counted as such, resulting in an output score. Additionally, the claimed invention is merely a combination of old elements, in the combination each element merely performs the same function as it does separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.
Regarding Claim 2, Kurian further teaches said rule-containing documents include one or more of regulatory documents, policy documents, public cloud architecture documents, and industry architecture documents (See “In implementations, a system utilizes cognitive tools such as natural language processing to derive compliance rules and remediation actions from existing human readable (e.g., text-based) documents such as technical specifications, industry, regulatory or corporate requirements, Center for Internet Security (CIS) guidelines, etc” in ¶ 0019 and “As depicted in FIG. 6, in embodiments, the rule generator server 402 obtains a variety of existing human-readable documents 600 providing guidance to enterprise users for analysis by the natural language processor 420” in ¶ 0085 and Fig. 6 showing the input of the variety of industry guidelines.).
Regarding Claim 3, Kurian further teaches said application is executing in a cloud operating environment (See “Aspects of the present invention relate generally to compliance management and remediation for enterprises and, more particularly, to automatic remediation of non-compliance events. In embodiments, a system for ensuring continuous compliance and auto remediation in a hybrid cloud environment of platforms, applications and infrastructure automatically generates human-readable compliance rules and remediation actions from regulatory body guidance and industrial standards” in ¶ 0015.).
Regarding Claim 4, Kurian further teaches said set of controls is specific to said cloud operating environment (See “In embodiments, the rule generator server 402, the compliance server 404, and the provisioning and configuration server 406 comprise nodes 10 in the cloud computing environment 50 of FIG. 2” in ¶ 0063.).
Regarding Claim 5, Kurian further teaches said cloud operating environment is a public cloud operating environment (See “Public cloud: the cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services” in ¶ 0043.).
Regarding Claim 6, Kurian further teaches said cloud operating environment is a private cloud operating environment (See “Private cloud: the cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on-premises or off-premises” in ¶ 0041.).
Regarding Claims 7, 13, and 18, Kurian further teaches said set of controls is configured to automatically collect compliance evidence from one or more applications on a continuous basis (See “the web server provides a notification of the non-compliance event including event data (e.g., type of rule violated, the rule violated, timestamp data, identification (ID) of the workload node 408, etc.) to the compliance server 404. In embodiments, the compliance server 404 receives the event data in real-time upon detection of the non-compliance event by the workload node 408. It should be understood that the compliance server 404 may be in communication with any number of remote workload nodes 408 supplying event data to the compliance server 404 (e.g., in real-time)” in ¶ 0074.).
Regarding Claims 8, 14, and 19, Kurian further teaches receiving a stream of events comprising compliance evidence objects (See “the web server provides a notification of the non-compliance event including event data (e.g., type of rule violated, the rule violated, timestamp data, identification (ID) of the workload node 408, etc.) to the compliance server 404. In embodiments, the compliance server 404 receives the event data in real-time upon detection of the non-compliance event by the workload node 408. It should be understood that the compliance server 404 may be in communication with any number of remote workload nodes 408 supplying event data to the compliance server 404 (e.g., in real-time)” in ¶ 0074.).
Regarding Claim 9, Kurian does not expressly teach the sum of said plurality of weights is equal to 1.
However, Adebayo teaches the sum of said plurality of weights is equal to 1 (See “where E=set of edge layers, edge is an index, n is an index, $w_{edge}$ is a weight assigned to a layer such that $\sum_{edge \in E} w_{edge} = 1$” in ¶ 0107.).
It would have been obvious to one having ordinary skill in the art at the time of filing to combine the teachings of Kurian, Singh, and Adebayo to utilize the weighting elements described in Adebayo. The claimed invention is merely a combination of old elements, in the combination each element merely performs the same function as it does separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.
Regarding Claims 10, 15, and 20, Kurian further teaches adjusting [the process] based on one or more of said rule-containing documents being modified (See “In embodiments, the compliance and remediation profiles 433, 443 are periodically or continuously updated based on new versions of the human-readable documents received by the rule generator server 402” in ¶ 0071.).
Kurian does not expressly teach adjusting the weights.
However, Adebayo teaches adjusting the weights (See ¶¶ 0114-116.).
It would have been obvious to one having ordinary skill in the art at the time of filing to combine the teachings of Kurian, Singh, and Adebayo to utilize the weighting elements described in Adebayo. The claimed invention is merely a combination of old elements, in the combination each element merely performs the same function as it does separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.
Regarding Claims 11 and 16, Kurian does not expressly teach determining said compliance score comprises changing said compliance scored based on the weight associated with a specific control.
However, Adebayo teaches determining said compliance score comprises changing said compliance scored based on the weight associated with a specific control (See ¶¶ 0114-116.).
It would have been obvious to one having ordinary skill in the art at the time of filing to combine the teachings of Kurian, Singh, and Adebayo to utilize the weighting and scoring elements described in Adebayo. The claimed invention is merely a combination of old elements, in the combination each element merely performs the same function as it does separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
US 2019/0080334 (“Copeland”): Copeland is configured to deploy a compliance assessment application to be executed in parallel on one or more applications; initiate one or more retrieval scripts configured to cause the one or more applications to generate one or more digital artifacts to indicate a compliance of the one or more applications to one or more regulatory requirements; determine that the one or more applications are compliant with the one or more regulatory requirements based on at least the one or more digital artifacts generated; and initiate an execution of a regulatory report script based on at least determining that the one or more applications are compliant with the one or more regulatory requirement.
US 2019/0180034 (“Hinton”): Hinton discloses a method and system for improving deployment of a compliance cloud software component. The method includes receiving application compliance requirements associated with operational requirements associated with hardware and software components. Original configuration files associated with a current hardware and software configuration for each hardware and software component are received and modified and configuration files associated with a modified hardware and software configuration for the hardware and software components are generated. A risk assessment with respect to the application compliance requirements is executed and a specified cloud infrastructure stack is enabled. A software application comprising the specified cloud infrastructure stack is generated, deployed, and executed resulting in operation of the hardware and software components.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MEREDITH A LONG whose telephone number is (571)272-3196. The examiner can normally be reached Mon - Fri 9:30 - 6.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ilana Spar can be reached on 571-270-7537. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/MEREDITH A LONG/Primary Examiner, Art Unit 3622