DETAILED ACTION
Claims 1-19 have been examined and are pending.
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1-19 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. The claim(s) recite(s) organizing human behavior, such as converting regulations into a structured format and then training a model. This judicial exception is not integrated into a practical application because the generically recited computer elements do not add a meaningful limitation to the abstract idea; they amount to implementing the abstract idea on a computer.
Claims 1-8 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. The claim(s) does/do not fall within at least one of the four categories of patent eligible subject matter because they are directed to a system that appears to exist in software alone.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1-19 are rejected under 35 U.S.C. 103 as being unpatentable over US Pub. No. 2024/0037158 to Yang et al. (hereinafter “Yang”) and further in view of US Pub. No. 2008/0222631 to Bhatia et al. (hereinafter “Bhatia”).
As to Claim 1, Yang discloses a system for automated compliance monitoring and risk detection for applications executing in a distributed operating environment, the system comprising:
an automated mapping and tree structure generation module configured to automatically [convert rule-containing documents] to tree data structures comprising nodes representing compliance rules (Paragraph [0018] of Yang discloses that training the model includes random forest, linear regression, support vector machine, naive Bayes, logistic regression, K-nearest neighbors, decision trees, gradient boosted decision trees);
a compliance mapping system configured to separate technical and domain expertise and provide mappings between said tree data structures, controls which monitor applications for compliance with compliance rules, and generate compliance evidence when an event triggers the control (Paragraph [0020] of Yang discloses a SaaS application service could be compliant with one or more protocols (e.g., a legal compliance or technical compliance, etc.). Paragraph [0132] of Yang discloses the system can determine a compliance score or a likelihood of whether the SaaS product is compliant with the one or more protocols);
a layered anomaly detection system configured to detect anomalous behaviour from said application, said anomaly detection system comprising a real-time processing component and a second processing component de-coupled from said real-time processing component, said second processing component configured to generate and refine anomaly detection machine learning models, said real-time processing component configured to detect anomalous behavior in real-time using said anomaly detection machine learning models (Paragraph [0046] of Yang discloses training a model to determine whether a SaaS product is compliant or non-compliant with a particular protocol or set of protocols or otherwise determine a risk score of the SaaS product and/or whether the SaaS product is risky. Paragraph [0021] of Yang discloses a model (e.g., a machine learning model, a neural network model, etc.) is used in connection with determining whether a particular SaaS product is compliant with one or more protocols); and
a compliance and risk prediction system configured to account for partial compliance evidence by generating predicted partial compliance evidence data for missing components of said compliance controls (Paragraph [0057] of Yang discloses prediction engine 174 determines whether the SaaS product is compliant with a protocol, or a likelihood that the SaaS product is compliant, based at least in part on one or more of (i) a mapping of SaaS products (or identifiers thereof) to indications of whether the corresponding SaaS products are compliant with one or more protocols).
Yang does not explicitly disclose converting rule-containing documents.
However, Bhatia discloses this. Paragraph [0030] of Bhatia discloses converting, by said compliance software application, said plurality of compliance rules from said text format to a first plurality of program objects.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to combine the compliance management system as disclosed by Yang with converting compliance rules as disclosed by Bhatia. One of ordinary skill in the art would have been motivated to combine them in order to apply a known technique to a known device ready for improvement to yield predictable results. Yang and Bhatia are both directed toward compliance management systems, and as such it would be obvious to use the techniques of one in the other. Paragraph [0020] of Yang discloses a SaaS application service could be compliant with one or more protocols (e.g., a legal compliance or technical compliance, etc.). Some well-known compliance protocols. Accordingly, Yang already considers needing to encode specific compliance protocols, and it would be obvious to use the techniques of Bhatia to do so.
As to Claim 2, Yang-Bhatia discloses the system of claim 1, wherein the distributed operating environment is a public cloud (Paragraph [0039] of Yang discloses private, public, and hybrid cloud computing environments).
As to Claim 3, Yang-Bhatia discloses the system of claim 1, wherein the distributed operating environment is a private cloud (Paragraph [0039] of Yang discloses private, public, and hybrid cloud computing environments).
As to Claim 4, Yang-Bhatia discloses the system of claim 1, wherein the application is a Software-as-a-Service (SaaS) application (Paragraph [0040] of Yang discloses the system for determining whether a SaaS product is compliant).
As to Claim 5, Yang-Bhatia discloses the system of claim 1, wherein said mapping and tree generation module is further configured to automatically update said tree data structures when any of said underlying rule-containing documents are modified (Paragraph [0085] of Bhatia discloses accept an updated corporate standard that creates a new rule and changes another rule).
Examiner recites the same rationale to combine used for claim 1.
As to Claim 6, Yang-Bhatia discloses the system of claim 1, wherein said rule-containing documents comprise at least one of regulatory documents, policy documents, technical standards documents, compliance documents, and/or risk documents (Paragraph [0024] of Yang discloses Examples of protocols include: GDPR, HIPAA, International Traffic in Arms Regulations (ITAR), ISO 9001, Financial Industry Regulatory Authority (FINRA), COBIT, Family Educational Rights and Privacy Act (FERPA), Federal Financial Institutions Examination Council (FFIEC), ISO 27002, Jerico Forum Commandments, ISO 27001, (COPPA), (GLBA), ISAE 3402, (PCI), PrivacyMark (e.g., a Japanese protocol), FedRamp, Sarbanes-Oxley Act (SOX), Cloud Security Alliance Security Trust Assurance and Risk (CSA STAR) Self-Assessment, Safe Harbor, (FISMA), Generally Accepted Privacy Principles (GAPP), C5 (e.g., a German protocol), Statement on Standards for Attestation Engagements no. 18 (SSAE 18), NIST SP 800-53, ISO 27017, HITRUST CSF, Privacy Shield, TrustArc, ISO 27018, System and Organization Controls 1 (SOC1), System and Organization Controls 2 (SOC2), Criminal Justice Information Services (CJIS). Various other protocols may be implemented).
As to Claim 7, Yang-Bhatia discloses the system of claim 1, wherein said compliance mapping system is further configured to generate a compliance score based on said compliance evidence and said control (Paragraph [0132] of Yang discloses the system can determine a compliance score or a likelihood of whether the SaaS product is compliant with the one or more protocols).
As to Claim 8, Yang-Bhatia discloses the system of claim 1, further comprising adjusting parameters of one or more of said layered anomaly detection system and/or said compliance and risk prediction system based on outputs of said system (Paragraph [0078] of Yang discloses that, in response to determining that the SaaS product is compliant, SaaS product risk assessor 170 provides to the security entity an update of a mapping of SaaS products (or hashes, signatures, or other unique identifiers corresponding to webpages for the SaaS product) to indications of whether a corresponding SaaS product is compliant with one or more protocols, or an update to a blacklist for SaaS products (e.g., for non-compliant SaaS products) or a whitelist for compliant SaaS products (e.g., identifying SaaS products that are not deemed risky)).
As to Claim 9, Yang discloses a method of compliance monitoring and risk detection for applications executing in a distributed operating environment, the method comprising:
[converting rule-containing documents] to tree data structures comprising nodes representing compliance rules (Paragraph [0018] of Yang discloses that training the model includes random forest, linear regression, support vector machine, naive Bayes, logistic regression, K-nearest neighbors, decision trees, gradient boosted decision trees);
providing mappings between said tree data structures (Paragraph [0020] of Yang discloses a SaaS application service could be compliant with one or more protocols (e.g., a legal compliance or technical compliance, etc.). Paragraph [0132] of Yang discloses the system can determine a compliance score or a likelihood of whether the SaaS product is compliant with the one or more protocols);
providing controls which monitor applications for compliance with compliance rules (Paragraph [0132] of Yang discloses the system can determine a compliance score or a likelihood of whether the SaaS product is compliant with the one or more protocols);
generating compliance evidence when an event triggers at least one of said controls (Paragraph [0132] of Yang discloses the system can determine a compliance score or a likelihood of whether the SaaS product is compliant with the one or more protocols);
detecting anomalous behaviour from said application using a real-time processing component and a second processing component de-coupled from said real-time processing component (Paragraph [0046] of Yang discloses training a model to determine whether a SaaS product is compliant or non-compliant with a particular protocol or set of protocols or otherwise determine a risk score of the SaaS product and/or whether the SaaS product is risky. Paragraph [0021] of Yang discloses a model (e.g., a machine learning model, a neural network model, etc.) is used in connection with determining whether a particular SaaS product is compliant with one or more protocols); and
generating predicted partial compliance evidence data for missing components of said compliance controls (Paragraph [0057] of Yang discloses prediction engine 174 determines whether the SaaS product is compliant with a protocol, or a likelihood that the SaaS product is compliant, based at least in part on one or more of (i) a mapping of SaaS products (or identifiers thereof) to indications of whether the corresponding SaaS products are compliant with one or more protocols).
Yang does not explicitly disclose converting rule-containing documents.
However, Bhatia discloses this. Paragraph [0030] of Bhatia discloses converting, by said compliance software application, said plurality of compliance rules from said text format to a first plurality of program objects.
Examiner recites the same rationale to combine used for claim 1.
As to Claim 10, Yang-Bhatia discloses the method of claim 9, further comprising automatically updating said tree data structures when any of said rule-containing documents are modified (Paragraph [0085] of Bhatia discloses accept an updated corporate standard that creates a new rule and changes another rule).
Examiner recites the same rationale to combine used for claim 1.
As to Claim 11, Yang-Bhatia discloses the method of claim 9, wherein said second processing component is configured to generate and refine anomaly detection machine learning models (Paragraph [0046] of Yang discloses training a model to determine whether a SaaS product is compliant or non-compliant with a particular protocol or set of protocols or otherwise determine a risk score of the SaaS product and/or whether the SaaS product is risky).
As to Claim 12, Yang-Bhatia discloses the method of claim 11, wherein said real-time processing component is configured to detect anomalous behaviour in real-time using said anomaly detection machine learning models (Paragraph [0021] of Yang discloses a model (e.g., a machine learning model, a neural network model, etc.) is used in connection with determining whether a particular SaaS product is compliant with one or more protocols).
As to Claim 13, Yang-Bhatia discloses the method of claim 9, wherein said rule-containing documents comprise at least one of regulatory documents, policy documents, technical standards documents, compliance documents, and/or risk documents (Paragraph [0024] of Yang discloses Examples of protocols include: GDPR, HIPAA, International Traffic in Arms Regulations (ITAR), ISO 9001, Financial Industry Regulatory Authority (FINRA), COBIT, Family Educational Rights and Privacy Act (FERPA), Federal Financial Institutions Examination Council (FFIEC), ISO 27002, Jerico Forum Commandments, ISO 27001, (COPPA), (GLBA), ISAE 3402, (PCI), PrivacyMark (e.g., a Japanese protocol), FedRamp, Sarbanes-Oxley Act (SOX), Cloud Security Alliance Security Trust Assurance and Risk (CSA STAR) Self-Assessment, Safe Harbor, (FISMA), Generally Accepted Privacy Principles (GAPP), C5 (e.g., a German protocol), Statement on Standards for Attestation Engagements no. 18 (SSAE 18), NIST SP 800-53, ISO 27017, HITRUST CSF, Privacy Shield, TrustArc, ISO 27018, System and Organization Controls 1 (SOC1), System and Organization Controls 2 (SOC2), Criminal Justice Information Services (CJIS). Various other protocols may be implemented).
As to Claim 14, Yang-Bhatia discloses the method of claim 9, further comprising generating a compliance score based on said compliance evidence and said control (Paragraph [0132] of Yang discloses the system can determine a compliance score or a likelihood of whether the SaaS product is compliant with the one or more protocols).
As to Claim 15, Yang-Bhatia discloses the system of claim 9, further comprising adjusting parameters of one or more of said layered anomaly detection system and/or said compliance and risk prediction system based on outputs of said system (Paragraph [0078] of Yang discloses that, in response to determining that the SaaS product is compliant, SaaS product risk assessor 170 provides to the security entity an update of a mapping of SaaS products (or hashes, signatures, or other unique identifiers corresponding to webpages for the SaaS product) to indications of whether a corresponding SaaS product is compliant with one or more protocols, or an update to a blacklist for SaaS products (e.g., for non-compliant SaaS products) or a whitelist for compliant SaaS products (e.g., identifying SaaS products that are not deemed risky)).
As to Claim 16, Yang discloses a non-transitory computer-readable storage medium having stored thereon processor-executable instructions that, when executed by one or more processors, cause the one or more processors to perform a method comprising:
[converting rule-containing documents] to tree data structures comprising nodes representing compliance rules (Paragraph [0018] of Yang discloses that training the model includes random forest, linear regression, support vector machine, naive Bayes, logistic regression, K-nearest neighbors, decision trees, gradient boosted decision trees);
providing mappings between said tree data structures (Paragraph [0020] of Yang discloses a SaaS application service could be compliant with one or more protocols (e.g., a legal compliance or technical compliance, etc.). Paragraph [0132] of Yang discloses the system can determine a compliance score or a likelihood of whether the SaaS product is compliant with the one or more protocols);
providing controls which monitor applications for compliance with compliance rules (Paragraph [0132] of Yang discloses the system can determine a compliance score or a likelihood of whether the SaaS product is compliant with the one or more protocols);
generating compliance evidence when an event triggers at least one of said controls (Paragraph [0132] of Yang discloses the system can determine a compliance score or a likelihood of whether the SaaS product is compliant with the one or more protocols);
detecting anomalous behaviour from said application using a real-time processing component and a second processing component de-coupled from said real-time processing component (Paragraph [0046] of Yang discloses training a model to determine whether a SaaS product is compliant or non-compliant with a particular protocol or set of protocols or otherwise determine a risk score of the SaaS product and/or whether the SaaS product is risky. Paragraph [0021] of Yang discloses a model (e.g., a machine learning model, a neural network model, etc.) is used in connection with determining whether a particular SaaS product is compliant with one or more protocols); and
generating predicted partial compliance evidence data for missing components of said compliance controls (Paragraph [0057] of Yang discloses prediction engine 174 determines whether the SaaS product is compliant with a protocol, or a likelihood that the SaaS product is compliant, based at least in part on one or more of (i) a mapping of SaaS products (or identifiers thereof) to indications of whether the corresponding SaaS products are compliant with one or more protocols).
Yang does not explicitly disclose converting rule-containing documents.
However, Bhatia discloses this. Paragraph [0030] of Bhatia discloses converting, by said compliance software application, said plurality of compliance rules from said text format to a first plurality of program objects.
Examiner recites the same rationale to combine used for claim 1.
As to Claim 17, Yang-Bhatia discloses the non-transitory computer-readable storage medium of claim 16, further comprising automatically updating said tree data structures when any of said rule-containing documents are modified (Paragraph [0085] of Bhatia discloses accept an updated corporate standard that creates a new rule and changes another rule).
Examiner recites the same rationale to combine used for claim 1.
As to Claim 18, Yang-Bhatia discloses the non-transitory computer-readable storage medium of claim 16, wherein said second processing component is configured to generate and refine anomaly detection machine learning models (Paragraph [0046] of Yang discloses training a model to determine whether a SaaS product is compliant or non-compliant with a particular protocol or set of protocols or otherwise determine a risk score of the SaaS product and/or whether the SaaS product is risky).
As to Claim 19, Yang-Bhatia discloses the non-transitory computer-readable storage medium of claim 18, wherein said real-time processing component is configured to detect anomalous behaviour in real-time using said anomaly detection machine learning models (Paragraph [0021] of Yang discloses a model (e.g., a machine learning model, a neural network model, etc.) is used in connection with determining whether a particular SaaS product is compliant with one or more protocols).
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Kevin S Mai whose telephone number is (571)270-5001. The examiner can normally be reached Monday to Friday 9AM to 5PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Philip Chea, can be reached at 571-272-3951. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/KEVIN S MAI/Primary Examiner, Art Unit 2499