Prosecution Insights
Last updated: May 29, 2026
Application No. 18/921,543

USER BEHAVIOR ANALYTICS FOR INSIDER THREAT DETECTION

Non-Final OA: §101, §103
Filed
Oct 21, 2024
Priority
Aug 02, 2017 — continuation of 11/611,574 +1 more
Examiner
MOHAMMADI, FAHIMEH M
Art Unit
2439
Tech Center
2400 — Computer Networks
Assignee
Mimecast North America Inc.
OA Round
1 (Non-Final)
Grant Probability: 76% (Favorable)
OA Rounds: 1-2
Est. Remaining: 1y 6m
With Interview: 99%

Examiner Intelligence

Grants 76%, above average: Career Allowance Rate 76% (226 granted / 296 resolved), +18.4% vs TC avg
Strong +53% interview lift: +52.6% Interview Lift on resolved cases with interview
Typical timeline: 3y 1m Avg Prosecution; 14 currently pending
Career history: 321 Total Applications across all art units

Statute-Specific Performance

§101: 0.4% (-39.6% vs TC avg)
§103: 98.4% (+58.4% vs TC avg)
§102: 0.8% (-39.2% vs TC avg)
§112: 0.1% (-39.9% vs TC avg)
Tech Center averages are estimates. Based on career data from 296 resolved cases.

Office Action

§101 §103
DETAILED ACTION

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. This Office Action is in response to the application 18/921543 filed on 10/21/2024. Claims 1-20 have been examined and are pending in this application.

Priority

Applicant's priority to U.S. Application No. 18/118,914, filed on 03/08/2023, now U.S. Patent No. 12137110, and U.S. Application No. 15/666,771, filed on 08/02/2017, now U.S. Patent No. 11611574, is acknowledged.

Information Disclosure Statement

The information disclosure statement (IDS), submitted on 10/21/2024, is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Double Patenting

The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP §§ 706.02(l)(1) - 706.02(l)(3) for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.

Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of U.S. Patent No. 11611574. Although the claims at issue are not identical, they are not patentably distinct from each other because all limitations recited in claims 1, 8 and 15 of the instant application are anticipated by all limitations recited in claims 1, 8 and 15 of the patent ’574, respectively. Refer to the comparison table below for details.

Comparison table: Instant Application 18/921543 vs. Patent No. 11611574 (Application No. 15/666771)

Instant Application 18/921543, Claim 1: A method for detecting electronic threats using machine learning, the method comprising: using one or more hardware processors: receiving, over a computing network, a plurality of signals associated with file system element events from a computing device endpoint, wherein each signal is categorized by a signal type that defines a characteristic being described by each file system element event; aggregating values of the signals over a first predetermined period of time to create aggregated signal data; applying a first machine learning algorithm to the aggregated signal data to determine a dynamic threshold for each signal type, wherein the first machine learning algorithm is trained using historical anomaly counts labeled with indicators of normal or suspicious activity; comparing the aggregated signal data to each respective dynamic threshold to identify a plurality of anomalies; calculating a risk score based on the identified plurality of anomalies, wherein the risk score is determined by weighting the anomalies using weights generated by a second machine learning algorithm, the second machine learning algorithm trained using historical data comprising anomaly counts labelled with an indication of whether the anomaly counts indicate normal or suspicious activity; and sending the risk score to a second computing device for display on a graphical user interface (GUI).
Patent No. 11611574, Claim 1: A method for detecting inappropriate access of files by an authorized user of a client computing device, the method comprising: receiving a first file system element event indicator from an application executing on the client computing device, the first file system element event described by the first file system element event indicator including a first value and a first type, the first value being a number of bytes corresponding to the first file system element event, the first type being a deletion event, copy event, move event, or modification event; summing the first value with a second value of a second file system element event of the first type to create a summed value, the first file system element event and the second file system element event both received within a first predetermined period of time; determining a threshold for the summed value, the threshold determined based upon past observations of values of other file system element events of the first type during a past time period, a class of the user within an organization, and a function classification of files corresponding to the file system element events, the past time period prior to the first predetermined period of time; determining that the summed value exceeds the threshold, and in response, incrementing a first anomaly counter of a first type, the first type of anomaly selected based upon the first type of event; calculating a count of a number of generated anomaly indicators of the first type; calculating a risk score based upon the count and a second count corresponding to a number of generated anomaly indicators corresponding to second anomalies of a second type, the first and second anomalies occurring within a second predetermined period of time, the risk score quantifying a calculated risk that the authorized user of the client computing device has engaged in inappropriate access of files; and sending the risk score to a second computing device for display on a graphical user interface (GUI).

Instant Application 18/921543, Claim 8: A non-transitory machine-readable medium, storing instructions for detecting electronic threats using machine learning, the instructions, which when executed, cause a machine to perform operations comprising: receiving, over a computing network, a plurality of signals associated with file system element events from a computing device endpoint, wherein each signal is categorized by a signal type that defines a characteristic being described by each file system element event; aggregating values of the signals over a first predetermined period of time to create aggregated signal data; applying a first machine learning algorithm to the aggregated signal data to determine a dynamic threshold for each signal type, wherein the first machine learning algorithm is trained using historical anomaly counts labeled with indicators of normal or suspicious activity; comparing the aggregated signal data to each respective dynamic threshold to identify a plurality of anomalies; calculating a risk score based on the identified plurality of anomalies, wherein the risk score is determined by weighting the anomalies using weights generated by a second machine learning algorithm, the second machine learning algorithm trained using historical data comprising anomaly counts labelled with an indication of whether the anomaly counts indicate normal or suspicious activity; and sending the risk score to a second computing device for display on a graphical user interface (GUI).
Patent No. 11611574, Claim 8: A system for detecting inappropriate access of files by an authorized user of a client computing device, the system comprising: a processor; a memory communicatively coupled to the processor and comprising instructions, which cause the processor to perform operations comprising: receiving a first file system element event indicator from an application executing on the client computing device, the first file system element event described by the first file system element event indicator including a first value and a first type, the first value being a number of bytes corresponding to the first file system element event, the first type being a deletion event, copy event, move event, or modification event; summing the first value with a second value of a second file system element event of the first type to create a summed value, the first file system element event and the second file system element event both received within a first predetermined period of time; determining a threshold for the summed value, the threshold determined based upon past observations of values of other file system element events of the first type during a past time period, a class of the user within an organization, and a function classification of files corresponding to the file system element events, the past time period prior to the first predetermined period of time; determining that the summed value exceeds the threshold, and in response, incrementing a first anomaly counter of a first type, the first type of anomaly selected based upon the first type of event; calculating a count of a number of generated anomaly indicators of the first type; calculating a risk score based upon the count and a second count corresponding to a number of generated anomaly indicators corresponding to second anomalies of a second type, the first and second anomalies occurring within a second predetermined period of time, the risk score quantifying a calculated risk that the authorized user of the client computing device has engaged in inappropriate access of files; and sending the risk score to a second computing device for display on a graphical user interface (GUI).

Instant Application 18/921543, Claim 15: A computing device for detecting electronic threats using machine learning, the computing device comprising: a hardware processor; a memory, the memory storing instructions, which when executed by the hardware processor cause the computing device to perform operations comprising: receiving, over a computing network, a plurality of signals associated with file system element events from a computing device endpoint, wherein each signal is categorized by a signal type that defines a characteristic being described by each file system element event; aggregating values of the signals over a first predetermined period of time to create aggregated signal data; applying a first machine learning algorithm to the aggregated signal data to determine a dynamic threshold for each signal type, wherein the first machine learning algorithm is trained using historical anomaly counts labeled with indicators of normal or suspicious activity; comparing the aggregated signal data to each respective dynamic threshold to identify a plurality of anomalies; calculating a risk score based on the identified plurality of anomalies, wherein the risk score is determined by weighting the anomalies using weights generated by a second machine learning algorithm, the second machine learning algorithm trained using historical data comprising anomaly counts labelled with an indication of whether the anomaly counts indicate normal or suspicious activity; and sending the risk score to a second computing device for display on a graphical user interface (GUI).

Patent No. 11611574, Claim 15: A non-transitory machine readable medium comprising instructions for detecting inappropriate access of files by an authorized user of a client computing device, the instructions, which when executed by a machine, causes the machine to perform operations comprising: receiving a first file system element event indicator from an application executing on the client computing device, the first file system element event described by the first file system element event indicator including a first value and a first type, the first value being a number of bytes corresponding to the first file system element event, the first type being a deletion event, copy event, move event, or modification event; summing the first value with a second value of a second file system element event of the first type to create a summed value, the first file system element event and the second file system element event both received within a first predetermined period of time; determining a threshold for the summed value, the threshold determined based upon past observations of values of other file system element events of the first type during a past time period, a class of the user within an organization, and a function classification of files corresponding to the file system element events, the past time period prior to the first predetermined period of time; determining that the summed value exceeds the threshold, and in response, incrementing a first anomaly counter of a first type, the first type of anomaly selected based upon the first type of event; calculating a count of a number of generated anomaly indicators of the first type; calculating a risk score based upon the count and a second count corresponding to a number of generated anomaly indicators corresponding to second anomalies of a second type, the first and second anomalies occurring within a second predetermined period of time, the risk score quantifying a calculated risk that the authorized user of the client computing device has engaged in inappropriate access of files; and sending the risk score to a second computing device for display on a graphical user interface (GUI).

Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of U.S. Patent No. 12137110. Although the claims at issue are not identical, they are not patentably distinct from each other because all limitations recited in claims 1, 8 and 15 of the instant application are anticipated by all limitations recited in claims 1, 8 and 15 of the patent ’914, respectively. Refer to the comparison table below for details.

Comparison table: Instant Application 18/921543 vs. Patent No. 12137110 (Application No. 18/118914)

Instant Application 18/921543, Claim 1: A method for detecting electronic threats using machine learning, the method comprising: using one or more hardware processors: receiving, over a computing network, a plurality of signals associated with file system element events from a computing device endpoint, wherein each signal is categorized by a signal type that defines a characteristic being described by each file system element event; aggregating values of the signals over a first predetermined period of time to create aggregated signal data; applying a first machine learning algorithm to the aggregated signal data to determine a dynamic threshold for each signal type, wherein the first machine learning algorithm is trained using historical anomaly counts labeled with indicators of normal or suspicious activity; comparing the aggregated signal data to each respective dynamic threshold to identify a plurality of anomalies; calculating a risk score based on the identified plurality of anomalies, wherein the risk score is determined by weighting the anomalies using weights generated by a second machine learning algorithm, the second machine learning algorithm trained using historical data comprising anomaly counts labelled with an indication of whether the anomaly counts indicate normal or suspicious activity; and sending the risk score to a second computing device for display on a graphical user interface (GUI).
Patent No. 12137110, Claim 1: A method for detecting inappropriate access of files by a first user of a client computing device, the method comprising: receiving, over a packet-based network, a first file system element event indicator from an application executing on the client computing device of the first user, the first file system element event indicator corresponding to a first file system element event of a first file system element and describing a number of bytes corresponding to the first file system element event and a first functional classification indicating a particular function of the first file system element, the first file system element event a deletion event, copy event, move event, or modification event; summing the number of bytes with a second number of bytes of a second file system element event previously received from the application within a first predetermined period of time and involving a second file system element of the first functional classification to create a summed value; determining a threshold specific to the first user and to file system elements of the first functional classification, the threshold determined based upon past byte values of previous file system element events of the first user corresponding to the first functional classification, and a role of the first user in an organization, the threshold for the first user a different value than both: a second threshold for a second user for the first functional classification and a third threshold for the first user and a second functional classification; determining that the summed value exceeds the threshold, and in response, incrementing a first anomaly counter of a first type; calculating a risk score based upon a first value of the first anomaly counter and a second value of a second anomaly counter tracking a number of generated anomaly indicators corresponding to second anomalies of a second type, anomalies tracked by the first and second anomaly counters occurring within a second predetermined period of time, the risk score quantifying a calculated risk that the first user of the client computing device has engaged in inappropriate access of file system elements; and sending the risk score to a second computing device for display on a graphical user interface (GUI).

Instant Application 18/921543, Claim 8: A non-transitory machine-readable medium, storing instructions for detecting electronic threats using machine learning, the instructions, which when executed, cause a machine to perform operations comprising: receiving, over a computing network, a plurality of signals associated with file system element events from a computing device endpoint, wherein each signal is categorized by a signal type that defines a characteristic being described by each file system element event; aggregating values of the signals over a first predetermined period of time to create aggregated signal data; applying a first machine learning algorithm to the aggregated signal data to determine a dynamic threshold for each signal type, wherein the first machine learning algorithm is trained using historical anomaly counts labeled with indicators of normal or suspicious activity; comparing the aggregated signal data to each respective dynamic threshold to identify a plurality of anomalies; calculating a risk score based on the identified plurality of anomalies, wherein the risk score is determined by weighting the anomalies using weights generated by a second machine learning algorithm, the second machine learning algorithm trained using historical data comprising anomaly counts labelled with an indication of whether the anomaly counts indicate normal or suspicious activity; and sending the risk score to a second computing device for display on a graphical user interface (GUI).
Patent No. 12137110, Claim 8: A computing device for detecting inappropriate access of files by a first user of a client computing device, the computing device comprising: a hardware processor; a memory, the memory storing instructions, which when executed by the hardware processor cause the hardware processor to perform operations comprising: receiving, over a packet-based network, a first file system element event indicator from an application executing on the client computing device of the first user, the first file system element event indicator corresponding to a first file system element event of a first file system element and describing a number of bytes corresponding to the first file system element event and a first functional classification indicating a particular function of the first file system element, the first file system element event a deletion event, copy event, move event, or modification event; summing the number of bytes with a second number of bytes of a second file system element event previously received from the application within a first predetermined period of time and involving a second file system element of the first functional classification to create a summed value; determining a threshold specific to the first user and to file system elements of the first functional classification, the threshold determined based upon past byte values of previous file system element events of the first user corresponding to the first functional classification, and a role of the first user in an organization, the threshold for the first user a different value than both: a second threshold for a second user for the first functional classification and a third threshold for the first user and a second functional classification; determining that the summed value exceeds the threshold, and in response, incrementing a first anomaly counter of a first type; calculating a risk score based upon a first value of the first anomaly counter and a second value of a second anomaly counter tracking a number of generated anomaly indicators corresponding to second anomalies of a second type, anomalies tracked by the first and second anomaly counters occurring within a second predetermined period of time, the risk score quantifying a calculated risk that the first user of the client computing device has engaged in inappropriate access of file system elements; and sending the risk score to a second computing device for display on a graphical user interface (GUI).

Instant Application 18/921543, Claim 15: A computing device for detecting electronic threats using machine learning, the computing device comprising: a hardware processor; a memory, the memory storing instructions, which when executed by the hardware processor cause the computing device to perform operations comprising: receiving, over a computing network, a plurality of signals associated with file system element events from a computing device endpoint, wherein each signal is categorized by a signal type that defines a characteristic being described by each file system element event; aggregating values of the signals over a first predetermined period of time to create aggregated signal data; applying a first machine learning algorithm to the aggregated signal data to determine a dynamic threshold for each signal type, wherein the first machine learning algorithm is trained using historical anomaly counts labeled with indicators of normal or suspicious activity; comparing the aggregated signal data to each respective dynamic threshold to identify a plurality of anomalies; calculating a risk score based on the identified plurality of anomalies, wherein the risk score is determined by weighting the anomalies using weights generated by a second machine learning algorithm, the second machine learning algorithm trained using historical data comprising anomaly counts labelled with an indication of whether the anomaly counts indicate normal or suspicious activity; and sending the risk score to a second computing device for display on a graphical user interface (GUI).

Patent No. 12137110, Claim 15: A non-transitory, machine-readable medium, storing instructions for detecting inappropriate access of files by a first user of a client computing device, the instructions, which when executed by a machine cause the machine to perform operations comprising: receiving, over a packet-based network, a first file system element event indicator from an application executing on the client computing device of the first user, the first file system element event indicator corresponding to a first file system element event of a first file system element and describing a number of bytes corresponding to the first file system element event and a first functional classification indicating a particular function of the first file system element, the first file system element event a deletion event, copy event, move event, or modification event; summing the number of bytes with a second number of bytes of a second file system element event previously received from the application within a first predetermined period of time and involving a second file system element of the first functional classification to create a summed value; determining a threshold specific to the first user and to file system elements of the first functional classification, the threshold determined based upon past byte values of previous file system element events of the first user corresponding to the first functional classification, and a role of the first user in an organization, the threshold for the first user a different value than both: a second threshold for a second user for the first functional classification and a third threshold for the first user and a second functional classification; determining that the summed value exceeds the threshold, and in response, incrementing a first anomaly counter of a first type; calculating a risk score based upon a first value of the first anomaly counter and a second value of a second anomaly counter tracking a number of generated anomaly indicators corresponding to second anomalies of a second type, anomalies tracked by the first and second anomaly counters occurring within a second predetermined period of time, the risk score quantifying a calculated risk that the first user of the client computing device has engaged in inappropriate access of file system elements; and sending the risk score to a second computing device for display on a graphical user interface (GUI).

Claim Rejections – 35 USC § 101

35 U.S.C. 101 reads as follows:

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1-20 are rejected under 35 U.S.C. 101 as being directed to an abstract idea without being integrated into a practical application or being significantly more.

Regarding claims 1, 8, and 15, the claims recite the limitations “aggregating values of the signals over [] period of time;” “comparing the aggregated signal data to each respective dynamic threshold;” and “calculating a risk score based on the identified plurality of anomalies;” Broadly interpreted, the aforementioned steps are directed to mental processes as said steps could be performed in the human mind. Therefore, the claims recite an abstract idea. Said abstract idea and/or judicial exception is not integrated into a practical application as the claim does not recite any other active steps that could be considered that the abstract idea is being integrated into a practical application. It’s noted that the claim recites the operations “receiving [] a plurality of signals;” and “sending the risk score.” However, said operations are not sufficient to consider that the abstract idea is being interpreted into a practical application.
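The three steps the rejection singles out (aggregating signal values over a window, comparing the aggregate to a per-type dynamic threshold, and calculating a weighted risk score from the resulting anomalies) are the core of the detection pipeline recited in claims 1, 8 and 15. The following is an added Python illustration of that pipeline written for this page; it is not code from application 18/921543, from either cited patent, or from Mimecast. Two things are assumptions standing in for what the claims leave to trained models: a mean plus k standard deviations baseline over past windows plays the role of the first machine learning algorithm that sets each type's threshold, and a fixed weight table plays the role of the second algorithm that weights anomalies. All event history and current events are constructed.

```python
"""Windowed per-type aggregation, learned thresholds, anomaly counters and a
weighted risk score over file system element events.

Added illustration of the pipeline recited in claims 1, 8 and 15 of
application 18/921543.  Not code from the application, the cited patents or
Mimecast.  Assumed stand-ins: a mean + k*stdev baseline over past windows
replaces the first learned model (thresholds); fixed per-type weights replace
the second (anomaly weighting).  All history and events below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class FileEvent:
    ts: int        # event time, seconds from an arbitrary epoch
    kind: str      # signal type: "delete", "copy", "move" or "modify"
    nbytes: int    # bytes involved in the file system element event


def aggregate(events, window_start, window_len):
    """Sum bytes per signal type for events with window_start <= ts < window_start + window_len."""
    totals = defaultdict(int)
    for e in events:
        if window_start <= e.ts < window_start + window_len:
            totals[e.kind] += e.nbytes
    return dict(totals)


def learn_thresholds(history, k=3.0):
    """Per-type dynamic threshold = mean + k * population stdev of past window totals.

    `history` is a list of per-window dicts shaped like aggregate()'s output.
    This baseline is an assumption standing in for a trained model.
    """
    per_type = defaultdict(list)
    for window_totals in history:
        for kind, total in window_totals.items():
            per_type[kind].append(total)
    return {kind: mean(v) + k * pstdev(v) for kind, v in per_type.items()}


def find_anomalies(aggregated, thresholds):
    """Return {kind: 1} for every type whose window total exceeds its threshold.

    A type with no learned threshold (never seen in this user's history) is
    treated as anomalous on any activity (threshold 0).  Design choice here,
    not something the claims specify.
    """
    return {kind: 1 for kind, total in aggregated.items() if total > thresholds.get(kind, 0)}


def score_period(events, history, period_start, n_windows, window_len, weights, k=3.0):
    """Run the pipeline over one scoring period of n_windows consecutive windows.

    Returns (anomaly_counters, risk_score): each window's per-type totals are
    compared with the learned thresholds, every exceedance increments that
    type's anomaly counter, and the risk score is the weighted sum of counters.
    """
    thresholds = learn_thresholds(history, k=k)
    counters = defaultdict(int)
    for i in range(n_windows):
        start = period_start + i * window_len
        for kind, hit in find_anomalies(aggregate(events, start, window_len), thresholds).items():
            counters[kind] += hit
    risk = sum(weights.get(kind, 1) * n for kind, n in counters.items())
    return dict(counters), risk


# Constructed history: four past one-hour windows of byte totals per type for one user.
HISTORY = [
    {"copy": 100, "delete": 10, "modify": 50},
    {"copy": 120, "delete": 0, "modify": 60},
    {"copy": 80, "delete": 20, "modify": 40},
    {"copy": 110, "delete": 10, "modify": 55},
]

# Constructed current events: a quiet first hour, then a burst of copying and
# deleting plus a "move" the baseline has never observed for this user.
EVENTS = [
    FileEvent(100, "copy", 90), FileEvent(200, "modify", 40),
    FileEvent(3700, "copy", 500), FileEvent(3800, "delete", 20),
    FileEvent(7300, "copy", 300), FileEvent(7400, "delete", 100), FileEvent(7500, "move", 10),
]

# Assumed per-type weights standing in for the second learned model.
WEIGHTS = {"copy": 3, "delete": 2, "move": 1, "modify": 1}


def demo():
    """Score a three-hour period starting at t=0 with one-hour windows."""
    return score_period(EVENTS, HISTORY, 0, 3, 3600, WEIGHTS)


if __name__ == "__main__":
    counters, risk = demo()
    print("thresholds:", {k: round(v, 1) for k, v in learn_thresholds(HISTORY).items()})
    print("anomaly counters:", counters, "risk score:", risk)
```

With the constructed data the copy threshold comes out near 147 bytes per window, so the two large copy windows and the 100-byte delete window each raise a counter, the never-seen "move" type raises a third, and the weighted score is 9. The per-user, per-functional-classification thresholds of the ’110 patent's claims would fit the same structure by keying `HISTORY` and `thresholds` on (user, classification) rather than on signal type alone.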
Said operations are recited at a high level of generality in gathering/processing/storing information, which are a form of insignificant extra-solution activity. It’s also noted that the claims recite additional limitation/elements (i.e., hardware processor, memory, etc.,). However, said additional elements are recited at a high-level of generality (i.e., as a generic computing device performing a generic computer functions) such that it amounts no more than mere instructions to apply the exception or abstract idea using generic computer components. Accordingly, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea. The claims do not include additional elements/limitations/embodiments that are sufficient to amount to significantly more than the judicial exception because the additional elements when considered both individually and as an ordered combination do not amount to significantly more than the abstract idea. As mentioned above, although the claims recite additional elements, said elements taken individually or as a combination, do not result in the claim amounting to significantly more than the abstract idea because as the additional elements perform generic computer content distributing functions routinely used in information technology field. As discussed above, the additional elements recited at a high-level of generality such that they amount no more than mere instructions to apply the exception using a generic computer component. Therefore, the claim is directed to non-statutory subject matter.

Regarding claims 2-7, 9-14 and 16-20; the dependent claims are also rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter for the same reasons addressed above as the claims recite an abstract idea and the claims do not positively recite any other operations that could be considered as the abstract idea is being integrated into a practical application or significantly more. It’s noted that claims 2, 9, and 16 recite the limitation: “using the feedback;” claims 3, 10, and 17 recite the limitation “multiplying each anomaly count;” claims 5, 12, and 19 recite the limitation: “categorizing the file system;” claims 6, 13, and 20 recite the limitation: “generating alert;” and claims 7 and 14 recite the limitation: “calculating the risk score.” Said steps are either directed to mental processes and/or in a form of insignificant extra-solution activities. Therefore, claims 2-7, 9-14 and 16-20 are also rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter.

Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.
Patentability shall not be negated by the manner in which the invention was made. This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention. Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Martin et al. (“Martin,” US 2018/0004948) in view of FAIGON et al. (“Faigon,” US 2017/0353477). Regarding claim 1: Martin discloses a method for detecting electronic threats using machine learning, the method comprising: using one or more hardware processors (Martin: par. 0117 the computer-executable component can be a processor): receiving, over a computing network, a plurality of signals associated with file system element events from a computing device endpoint, wherein each signal is categorized by a signal type that defines a characteristic being described by each file system element event (Martin: par. 0020 the system thus collects a multitude of signals over time in Block S100 and then assigns a risk score to each signal in Block S120, such as by writing a preset risk score for a particular signal type to a signal of the same type or by implementing a risk algorithm to calculate a risk score for a signal based on various attributes of the signal); aggregating values of the signals over a first predetermined period of time to create aggregated signal data (Martin: par. 
0021 the system can then aggregate risk scores for the first, second, and third signals [] to calculate a composite risk score for the composite event; par. 0072 the system can generate [] the first vector once per regular interval (e.g., once per hour, once per day)); applying a first machine learning algorithm to the aggregated signal data to determine a dynamic threshold for each signal type (Martin: par. 0034 the system can [] dynamically adjust a risk score or a risk algorithm for a particular signal type. For example, the system can implement machine learning techniques to increase or decrease the risk score for a particular signal type based on security threat investigation data), wherein the first machine learning algorithm is trained using historical anomaly counts labeled with indicators of normal or suspicious activity (Martin: par. 0075 the system can determine that the system has previously observed a similar combination and frequency of behaviors of the first asset; the system can then compare the new vector to a subset of historical vectors of known outcomes (e.g., labeled as malicious or benign) [] if the new vector differs sufficiently from all vectors in the set of historical vectors, the system can label the new vector as an anomaly); comparing the aggregated signal data to each respective dynamic threshold to identify a plurality of anomalies (Martin: par. 0038 the system can aggregate a set of disparate signals linked by a common asset identification tag of an originating computer, compare this set of disparate signals-in order of timestamps-to cyberattack patterns in the attack database, and identify a nearest match between a particular cyberattack pattern in the attack database and all or a subset of the signals); calculating a risk score based on the identified plurality of anomalies, wherein the risk score is determined by weighting the anomalies (Martin: par. 
0043 the system can then sum risk scores for each signal represented in the composite alert to calculate a single composite risk score for the composite alert. The system can also weight various risk scores and sum these weighted risk scores to calculate the composite risk score); and sending the risk score to a second computing device for display on a graphical user interface (GUI) (Martin: par. 0047 the system can insert the composite alert-and a corresponding cyberattack type and a prompt to begin an investigation-into an email, into an SMS text message or other text message for a native messaging application, or into a notification for a native security application executing on a smartphone, etc. and push such communication(s) to a security analyst, various security personnel, or a security operation center (or "SOC"), etc.). Martin does not explicitly disclose using weights generated by a second machine learning algorithm, the second machine learning algorithm trained using historical data comprising anomaly counts labelled with an indication of whether the anomaly counts indicate normal or suspicious activity. However, Faigon discloses using weights generated by a second machine learning algorithm, the second machine learning algorithm trained using historical data comprising anomaly counts labelled with an indication of whether the anomaly counts indicate normal or suspicious activity (Faigon: par. 0213 the likelihood coefficients and any transformed feature-value pairs that do not have likelihood coefficients because they were not previously observed for the space ID are scored, in combination with evaluation of the standard candle, to produce an anomaly score; par. 0214 when the anomaly score represents a detected anomaly event, history associated with the space ID is accessed to construct a contrast between feature-event pairs of the anomaly event and non-anomalous feature-value pairs of prior events for the space ID). 
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Faigon with the system/method of Martin to include using historical data comprising anomaly counts labelled with an indication of whether the anomaly counts indicate normal or suspicious activity. One would have been motivated to using machine learning for detecting in real-time anomalous events in network delivered services (Faigon: par. 0003). Regarding claim 2: Martin in view of Faigon discloses the method of claim 1. Martin further discloses receiving feedback from a network monitor indicating whether the identified anomalies correspond to actual threats (Martin: par. 0108 prompt deeper review and feedback of the first vector if the malicious and benign scores indicate that the first vector is similarly malicious and benign); and using the feedback to refine the first machine learning algorithm, the second machine learning algorithm, or the first and second machine learning algorithms (Martin: par. 0044 the system can then implement machine learning techniques to generate a template pattern or other labeled model for a new or existing cyberattack type based on feedback received). Regarding claim 3: Martin in view of Faigon discloses the method of claim 1. Faigon further discloses wherein calculating the risk score further comprises multiplying each anomaly count by a corresponding weight to produce weighted anomaly counts and summing the weighted anomaly counts (Faigon: par. 0116 using a constant label [] results in weights that represent approximate frequencies per feature dimension, per event; par. 0102 anomaly detection engine 142 combines the estimated probabilities [] into one overall estimated probability score or a so-called overall likelihood coefficient). The motivation is the same that of claim 1 above. Regarding claim 4: Martin in view of Faigon discloses the method of claim 1. 
Faigon further discloses wherein receiving the plurality of signals includes receiving signals that describe file transfer events, file access events, and file modification events (Faigon: par. 0060 feature-value pairs 112 include a plurality of dimensions such as an application used dimension (e.g., Google Drive, Drop box, etc. []), an activity type and detail dimension (e.g., uploads, downloads) and a manipulated object dimension (e.g., directory, file name, mime-type, etc.); par. 0187 a stream of security-related events is fed to an online machine learner). The motivation is the same that of claim 1 above. Regarding claim 5: Martin in view of Faigon discloses the method of claim 1. Faigon further discloses categorizing the file system element events into groups based on user roles and applying different thresholds for each group (Faigon: par. 0058 the space ID or event-source ID feature is used to separate features received for a particular user [] the space ID feature is used to construct and persist user-specific models that maintain states or histories of a particular user's habits; par. 0056 the value of the standard candle feature indicates whether a given space ID has had enough history, i.e., the standard candle value has progressed to a set threshold so that anomalies can now be flagged for that space ID). The motivation is the same that of claim 1 above. Regarding claim 6: Martin in view of Faigon discloses the method of claim 1. Martin further discloses generating alerts based on the risk score exceeding a predefined threshold (Martin: par. 0009 in response to the risk score exceeding a threshold risk score, serving the composite alert to human security personnel in Block S140). Regarding claim 7: Martin in view of Faigon discloses the method of claim 1. Martin further discloses wherein calculating the risk score includes incorporating time-based decay to prioritize recent anomalies (Martin: par. 
0043 the system can apply a greater weight to risk scores calculated from more recent signals and can and apply lower weights to risk scores calculated from older signals). Regarding claim 8: Martin discloses a non-transitory machine-readable medium, storing instructions for detecting electronic threats using machine learning, the instructions, which when executed, cause a machine to perform operations comprising: receiving, over a computing network, a plurality of signals associated with file system element events from a computing device endpoint, wherein each signal is categorized by a signal type that defines a characteristic being described by each file system element event (Martin: par. 0020 the system thus collects a multitude of signals over time in Block S100 and then assigns a risk score to each signal in Block S120, such as by writing a preset risk score for a particular signal type to a signal of the same type or by implementing a risk algorithm to calculate a risk score for a signal based on various attributes of the signal); aggregating values of the signals over a first predetermined period of time to create aggregated signal data (Martin: par. 0021 the system can then aggregate risk scores for the first, second, and third signals [] to calculate a composite risk score for the composite event; par. 0072 the system can generate [] the first vector once per regular interval (e.g., once per hour, once per day)); applying a first machine learning algorithm to the aggregated signal data to determine a dynamic threshold for each signal type (Martin: par. 0034 the system can [] dynamically adjust a risk score or a risk algorithm for a particular signal type. 
For example, the system can implement machine learning techniques to increase or decrease the risk score for a particular signal type based on security threat investigation data), wherein the first machine learning algorithm is trained using historical anomaly counts labeled with indicators of normal or suspicious activity (Martin: par. 0075 the system can determine that the system has previously observed a similar combination and frequency of behaviors of the first asset; the system can then compare the new vector to a subset of historical vectors of known outcomes (e.g., labeled as malicious or benign) [] if the new vector differs sufficiently from all vectors in the set of historical vectors, the system can label the new vector as an anomaly); comparing the aggregated signal data to each respective dynamic threshold to identify a plurality of anomalies (Martin: par. 0038 the system can aggregate a set of disparate signals linked by a common asset identification tag of an originating computer, compare this set of disparate signals-in order of timestamps-to cyberattack patterns in the attack database, and identify a nearest match between a particular cyberattack pattern in the attack database and all or a subset of the signals); calculating a risk score based on the identified plurality of anomalies, wherein the risk score is determined by weighting the anomalies (Martin: par. 0043 the system can then sum risk scores for each signal represented in the composite alert to calculate a single composite risk score for the composite alert. The system can also weight various risk scores and sum these weighted risk scores to calculate the composite risk score); and sending the risk score to a second computing device for display on a graphical user interface (GUI) (Martin: par. 
0047 the system can insert the composite alert-and a corresponding cyberattack type and a prompt to begin an investigation-into an email, into an SMS text message or other text message for a native messaging application, or into a notification for a native security application executing on a smartphone, etc. and push such communication(s) to a security analyst, various security personnel, or a security operation center (or "SOC"), etc.). Martin does not explicitly disclose using weights generated by a second machine learning algorithm, the second machine learning algorithm trained using historical data comprising anomaly counts labelled with an indication of whether the anomaly counts indicate normal or suspicious activity. However, Faigon discloses using weights generated by a second machine learning algorithm, the second machine learning algorithm trained using historical data comprising anomaly counts labelled with an indication of whether the anomaly counts indicate normal or suspicious activity (Faigon: par. 0213 the likelihood coefficients and any transformed feature-value pairs that do not have likelihood coefficients because they were not previously observed for the space ID are scored, in combination with evaluation of the standard candle, to produce an anomaly score; par. 0214 when the anomaly score represents a detected anomaly event, history associated with the space ID is accessed to construct a contrast between feature-event pairs of the anomaly event and non-anomalous feature-value pairs of prior events for the space ID). Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Faigon with the system/method of Martin to include using historical data comprising anomaly counts labelled with an indication of whether the anomaly counts indicate normal or suspicious activity. 
One would have been motivated to using machine learning for detecting in real-time anomalous events in network delivered services (Faigon: par. 0003). Regarding claims 9-14: Claims 9-14 are similar in scope to claim 2-7, respectively, and are therefore rejected under similar rationale. Regarding claim 15: Martin discloses a computing device for detecting electronic threats using machine learning, the computing device comprising: a hardware processor (Martin: par. 0117 the computer-executable component can be a processor); a memory (Martin: par. 0117 the computer-readable medium can be stored on any suitable computer readable media such as RAMs, ROMs, flash memory), the memory storing instructions, which when executed by the hardware processor cause the computing device to perform operations comprising: receiving, over a computing network, a plurality of signals associated with file system element events from a computing device endpoint, wherein each signal is categorized by a signal type that defines a characteristic being described by each file system element event (Martin: par. 0020 the system thus collects a multitude of signals over time in Block S100 and then assigns a risk score to each signal in Block S120, such as by writing a preset risk score for a particular signal type to a signal of the same type or by implementing a risk algorithm to calculate a risk score for a signal based on various attributes of the signal); aggregating values of the signals over a first predetermined period of time to create aggregated signal data (Martin: par. 0021 the system can then aggregate risk scores for the first, second, and third signals [] to calculate a composite risk score for the composite event; par. 0072 the system can generate [] the first vector once per regular interval (e.g., once per hour, once per day)); applying a first machine learning algorithm to the aggregated signal data to determine a dynamic threshold for each signal type (Martin: par. 
0034 the system can [] dynamically adjust a risk score or a risk algorithm for a particular signal type. For example, the system can implement machine learning techniques to increase or decrease the risk score for a particular signal type based on security threat investigation data), wherein the first machine learning algorithm is trained using historical anomaly counts labeled with indicators of normal or suspicious activity (Martin: par. 0075 the system can determine that the system has previously observed a similar combination and frequency of behaviors of the first asset; the system can then compare the new vector to a subset of historical vectors of known outcomes (e.g., labeled as malicious or benign) [] if the new vector differs sufficiently from all vectors in the set of historical vectors, the system can label the new vector as an anomaly); comparing the aggregated signal data to each respective dynamic threshold to identify a plurality of anomalies (Martin: par. 0038 the system can aggregate a set of disparate signals linked by a common asset identification tag of an originating computer, compare this set of disparate signals-in order of timestamps-to cyberattack patterns in the attack database, and identify a nearest match between a particular cyberattack pattern in the attack database and all or a subset of the signals); calculating a risk score based on the identified plurality of anomalies, wherein the risk score is determined by weighting the anomalies (Martin: par. 0043 the system can then sum risk scores for each signal represented in the composite alert to calculate a single composite risk score for the composite alert. The system can also weight various risk scores and sum these weighted risk scores to calculate the composite risk score); and sending the risk score to a second computing device for display on a graphical user interface (GUI) (Martin: par. 
0047 the system can insert the composite alert-and a corresponding cyberattack type and a prompt to begin an investigation-into an email, into an SMS text message or other text message for a native messaging application, or into a notification for a native security application executing on a smartphone, etc. and push such communication(s) to a security analyst, various security personnel, or a security operation center (or "SOC"), etc.). Martin does not explicitly disclose using weights generated by a second machine learning algorithm, the second machine learning algorithm trained using historical data comprising anomaly counts labelled with an indication of whether the anomaly counts indicate normal or suspicious activity. However, Faigon discloses using weights generated by a second machine learning algorithm, the second machine learning algorithm trained using historical data comprising anomaly counts labelled with an indication of whether the anomaly counts indicate normal or suspicious activity (Faigon: par. 0213 the likelihood coefficients and any transformed feature-value pairs that do not have likelihood coefficients because they were not previously observed for the space ID are scored, in combination with evaluation of the standard candle, to produce an anomaly score; par. 0214 when the anomaly score represents a detected anomaly event, history associated with the space ID is accessed to construct a contrast between feature-event pairs of the anomaly event and non-anomalous feature-value pairs of prior events for the space ID). Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Faigon with the system/method of Martin to include using historical data comprising anomaly counts labelled with an indication of whether the anomaly counts indicate normal or suspicious activity. 
One would have been motivated to using machine learning for detecting in real-time anomalous events in network delivered services (Faigon: par. 0003). Regarding claims 16-20: Claims 16-20 are similar in scope to claim 2-6, respectively, and are therefore rejected under similar rationale. Conclusion Any inquiry concerning this communication or earlier communications from the examiner should be directed to Fahimeh Mohammadi whose telephone number is (571)270-7857. The examiner can normally be reached Monday - Friday 9:00 - 5:00. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached at 5712705002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /FAHIMEH MOHAMMADI/ Examiner, Art Unit 2439 /LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439
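The pipeline the claims describe (per-window aggregation of file-system signals, a per-type threshold learned from labelled history, anomaly counts, learned weights, a time-decayed weighted sum as the risk score, and an alert when it exceeds a threshold) worked through in Python as an added example; this is not code from the application, Martin or Faigon, and the data, the threshold-search and log-odds learning steps, and the alert threshold are constructed stand-ins.

```python
"""Added example, not code from the application or the cited references.
Walks the claimed pipeline over constructed file-system event counts: per-window
aggregation, per-type thresholds learned from labelled history, anomaly counts,
learned per-type weights, a time-decayed weighted sum as the risk score, and an
alert decision. The learning steps (1-D threshold search, smoothed log-odds
weights) are stand-ins chosen here; the claims do not name algorithms."""
from collections import defaultdict
from math import log

SIGNAL_TYPES = ("file_transfer", "file_access", "file_modification")
ALERT_THRESHOLD = 10.0  # constructed value for the alert decision

# Constructed history: per-window counts by type plus a label (1 = suspicious).
HISTORY = [
    ({"file_transfer": 2, "file_access": 40, "file_modification": 5}, 0),
    ({"file_transfer": 1, "file_access": 35, "file_modification": 4}, 0),
    ({"file_transfer": 3, "file_access": 50, "file_modification": 6}, 0),
    ({"file_transfer": 2, "file_access": 45, "file_modification": 7}, 0),
    ({"file_transfer": 0, "file_access": 30, "file_modification": 3}, 0),
    ({"file_transfer": 25, "file_access": 120, "file_modification": 9}, 1),
    ({"file_transfer": 18, "file_access": 48, "file_modification": 6}, 1),
    ({"file_transfer": 30, "file_access": 200, "file_modification": 40}, 1),
]

# Constructed live signals from one endpoint: (timestamp_s, signal_type, value).
LIVE_SIGNALS = [
    (100, "file_transfer", 2), (200, "file_access", 40), (300, "file_modification", 5),
    (3700, "file_transfer", 20), (3800, "file_access", 60), (3900, "file_modification", 8),
    (7300, "file_transfer", 1), (7400, "file_access", 30), (7500, "file_modification", 2),
]

def aggregate(signals, window_s=3600):
    """Sum signal values per (window index, signal type)."""
    agg = defaultdict(lambda: {t: 0 for t in SIGNAL_TYPES})
    for ts, sig_type, value in signals:
        agg[ts // window_s][sig_type] += value
    return dict(agg)

def learn_thresholds(history):
    """Per type, pick the count above which the labelled history is best separated."""
    thresholds = {}
    for t in SIGNAL_TYPES:
        best_correct, best_cand = -1, None
        for cand in sorted({counts[t] for counts, _ in history}):
            correct = sum((counts[t] > cand) == bool(label) for counts, label in history)
            if correct > best_correct:  # ties keep the lower (more sensitive) threshold
                best_correct, best_cand = correct, cand
        thresholds[t] = best_cand
    return thresholds

def find_anomalies(counts, thresholds):
    """Anomaly count per type: events in excess of that type's threshold."""
    return {t: counts[t] - thresholds[t] for t in SIGNAL_TYPES if counts[t] > thresholds[t]}

def learn_weights(history, thresholds):
    """Smoothed log-odds that an anomaly of each type appears in a suspicious window."""
    n_sus = sum(label for _, label in history)
    n_norm = len(history) - n_sus
    weights = {}
    for t in SIGNAL_TYPES:
        flagged = [label for c, label in history if t in find_anomalies(c, thresholds)]
        a_sus, a_norm = sum(flagged), len(flagged) - sum(flagged)
        weights[t] = log((a_sus + 1) / (n_sus + 2)) - log((a_norm + 1) / (n_norm + 2))
    return weights

def risk_score(windows, thresholds, weights, now, half_life=1.0):
    """Weighted anomaly counts, decayed by age in windows, summed over windows <= now."""
    score = 0.0
    for w, counts in windows.items():
        if w <= now:
            weighted = sum(weights[t] * n for t, n in find_anomalies(counts, thresholds).items())
            score += weighted * 0.5 ** ((now - w) / half_life)
    return score

def evaluate(now):
    """Run the full pipeline on the constructed data for the given current window."""
    thresholds = learn_thresholds(HISTORY)
    weights = learn_weights(HISTORY, thresholds)
    score = risk_score(aggregate(LIVE_SIGNALS), thresholds, weights, now)
    return {"score": score, "alert": score >= ALERT_THRESHOLD}

if __name__ == "__main__":
    for now in range(5):
        print(now, evaluate(now))
```

Window 1 carries the burst; with a half-life of one window the alert persists for two further windows and then drops below the threshold, which is the prioritisation of recent anomalies that claim 7 describes.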

Prosecution Timeline

Oct 21, 2024
Application Filed
May 05, 2026
Non-Final Rejection mailed — §101, §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12604186
Methods and Systems for Network Authentication Using a Unique Authentication Identifier
2y 12m to grant Granted Apr 14, 2026
Patent 12598078
NETWORK ACCESS USING HARDWARE-BASED SECURITY
3y 1m to grant Granted Apr 07, 2026
Patent 12598174
FLEET MANAGEMENT SYSTEM AND METHOD
1y 9m to grant Granted Apr 07, 2026
Patent 12568073
SECURE EXCHANGE OF CERTIFICATE AUTHORITY CERTIFICATE INLINE AS PART OF FILE TRANSFER PROTOCOL
3y 7m to grant Granted Mar 03, 2026
Patent 12562966
Transitioning Network Entities Associated With A Virtual Cloud Network Through A Series Of Phases Of A Certificate Bundle Distribution Process
2y 6m to grant Granted Feb 24, 2026
Based on the 5 most recent grants.


Prosecution Projections

1-2
Expected OA Rounds
76%
Grant Probability
99%
With Interview (+52.6%)
3y 1m (~1y 6m remaining)
Median Time to Grant
Low
PTA Risk
Based on 296 resolved cases by this examiner. Grant probability derived from career allowance rate.
