DETAILED ACTION
This action is in response to new application titled “DEEP LEARNING-BASED ANALYSIS OF SIGNALS FOR THREAT DETECTION” filed 10/22/2024. Claims 1-20 were received for consideration.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Priority
Acknowledgment is made of applicant's claim for foreign priority under 35 U.S.C. 119(a)-(d). The certified copy has been received.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 9/2/2025 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The filing of a terminal disclaimer by itself is not a complete reply to a nonstatutory double patenting (NSDP) rejection. A complete reply requires that the terminal disclaimer be accompanied by a reply requesting reconsideration of the prior Office action. Even where the NSDP rejection is provisional the reply must be complete. See MPEP § 804, subsection I.B.1. For a reply to a non-final Office action, see 37 CFR 1.111(a). For a reply to final Office action, see 37 CFR 1.113(c). A request for reconsideration while not provided for in 37 CFR 1.113(c) may be filed after final for consideration. See MPEP §§ 706.07(e) and 714.13.
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The actual filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/apply/applying-online/eterminal-disclaimer.
Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of U.S. Patent No. 12,141,280. Although the claims at issue are not identical, they are not patentably distinct from each other because each and every element of the above independent claims 1, 10 and 15 of the present application is broader and therefore anticipated by the corresponding independent claims 1 15 and 20 of U.S. Patent No. 12,141,280.
18/922898 Claim 1
12,141,280 Claim 1
A computer-implemented method comprising:
A computer-implemented method comprising:
generating a process tree using process data, signal data, and parent and child relationships of a plurality of processes of a client computer system;
receiving process data from a client computer system based on activity and behaviors of the client computer system; generating a process tree based on parent and child relationships associated with the process data, wherein the process data is associated with a plurality of processes;
based on the process tree, generating a vector of a sequence of events, wherein the vector is associated with scoring a probability that the sequence of events from the vector is malicious;
associating, in the process tree, each of the plurality of processes with a corresponding signal associated with signal data; based on the process tree comprising the parent and child relationships and a chronology of execution of the plurality processes having corresponding signals, generating a vector of a sequence of events, wherein the vector is associated with scoring a probability that the sequence of events from the vector is malicious, the vector is a representation of the process tree comprising a first process that produces a first signal at a first time and a second process that produces a second signal at a second time, the first process and the second process have a parent and child relationship;
inputting the vector into a trained model associated with registry-related features of a plurality of sequences of events that indicate malicious activity, the registry-related features of the plurality of sequences of events correspond to registry-related features in training process data and training signal data;
inputting the vector into a trained model associated with registry-related features of a plurality of sequences of events that indicate malicious activity, the registry-related features of the plurality of sequences of events correspond to registry-related features in training process data, training signal data, and training chronology of execution and relationship between processes data, the trained model is configured to evaluate the vector for potentially malicious activity;
based on inputting the vector into the trained model, generating a score that indicates whether the sequence of events represented by the vector is malicious, wherein the score is generated using the trained model associated with the registry-related features; and
based on inputting the vector into the trained model, generating a score that indicates whether the sequence of events represented by the vector is malicious, wherein the score is generated using the trained model, the parent and child relationships, chronology of execution of the plurality processes represented in the in the sequence of events of the vector, and registry-related features associated with the sequence of events; and
based on the score satisfying an alert threshold, causing a security risk mitigation action.
based on the score satisfying an alert threshold, causing a security risk mitigation action.
18/922898 Claim 10
12,141,280 Claim 10
A computer system, the system comprising: one or more hardware processors; and one or more computer-readable media having executable instructions embodied thereon, which, when executed by the one or more hardware processors, cause the one or more hardware processors to execute operations comprising:
A behavior scoring computer system comprising:one or more hardware processors; and one or more computer-readable media having executable instructions embodied thereon, which, when executed by the one or more processors, cause the one or more hardware processors to execute: a signal scoring model configured to:
receive process data from a client computer based on activity and behaviors of the client computer system;
generating a process tree using process data, signal data, and parent and child relationships of a plurality of processes of a client computer system;
receive process data from a client computer system based on activity and behaviors of the client computer system; generate a process tree based on parent and child relationships associated with the process data, wherein the process data is associated with a plurality of processes;
based on the process tree, generating a vector of a sequence of events, wherein the vector is associated with scoring a probability that the sequence of events from the vector is malicious;
associate, in the process tree, each of the plurality of processes with a corresponding signal associated with signal data;
based on the process tree comprising the parent and child relationships and a chronology of execution of the plurality processes having corresponding signals, generating a vector of a sequence of events, wherein the vector is associated with scoring a probability that the sequence of events from the vector is malicious,
the vector is a representation of the process tree comprising a first process that produces a first signal at a first time and a second process that produces a second signal at a second time, the first process and the second process have a parent and child relationship;
inputting the vector into a trained model associated with registry-related features of a plurality of sequences of events that indicate malicious activity, the registry-related features of the plurality of sequences of events correspond to registry-related features in training process data and training signal data;
input the vector into a trained model associated with registry-related features of a plurality of sequences of events that indicate malicious activity, the registry-related features of the plurality of sequences of events correspond to registry-related features in training process data, training signal data, and training chronology of execution and relationship between processes data,
the trained model is configured to evaluate the vector for potentially malicious activity;
based on inputting the vector into the trained model, generating a score that indicates whether the sequence of events represented by the vector is malicious, wherein the score is generated using the trained model associated with the registry-related features; and
based on inputting the vector into the trained model, generating a score that indicates whether the sequence of events represented by the vector is malicious, wherein the score is generated using the trained model, the parent and child relationships, chronology of execution of the plurality processes represented in the in the sequence of events of the vector, and registry-related features associated with the sequence of events; and
based on the score satisfying an alert threshold, causing a security risk mitigation action.
based on the score satisfying an alert threshold, causing a security risk mitigation action.
18/922898 Claim 15
12,141,280 Claim 15
One or more computer storage media storing computer-useable instructions that, when used by one or more computing devices, cause the one or more computing devices to perform operations comprising:
One or more computer storage media storing computer-useable instructions that, when used by one or more computing devices, cause the one or more computing devices to perform operations comprising:
generating a process tree using process data, signal data, and parent and child relationships of a plurality of processes of a client computer system;
receiving process data from a client computer system based on activity and behaviors of the client computer system; generating a process tree based on parent and child relationships associated with the process data, wherein the process data is associated with a plurality of processes;
based on the process tree, generating a vector of a sequence of events, wherein the vector is associated with scoring a probability that the sequence of events from the vector is malicious;
associating, in the process tree, each of the plurality of processes with a corresponding signal associated with signal data;
based on the process tree comprising the parent and child relationships and a chronology of execution of the plurality processes having corresponding signals, generating a vector of a sequence of events, wherein the vector is associated with scoring a probability that the sequence of events from the vector is malicious,
the vector is a representation of the process tree comprising a first process that produces a first signal at a first time and a second process that produces a second signal at a second time, the first process and the second process have a parent and child relationship;
inputting the vector into a trained model associated with registry-related features of a plurality of sequences of events that indicate malicious activity, the registry-related features of the plurality of sequences of events correspond to registry-related features in training process data and training signal data;
inputting the vector into a trained model associated with registry-related features of a plurality of sequences of events that indicate malicious activity, the registry-related features of the plurality of sequences of events correspond to registry-related features in training process data, training signal data, and training chronology of execution and relationship between processes data, the trained model is configured to evaluate the vector for potentially malicious activity;
based on inputting the vector into the trained model, generating a score that indicates whether the sequence of events represented by the vector is malicious, wherein the score is generated using the trained model associated with the registry-related features; and
based on inputting the vector into the trained model, generating a score that indicates whether the sequence of events represented by the vector is malicious, wherein the score is generated using the trained model, the parent and child relationships, chronology of execution of the plurality processes represented in the in the sequence of events of the vector, and registry-related features associated with the sequence of events; and
based on the score satisfying an alert threshold, causing a security risk mitigation action.
based on the score satisfying an alert threshold, causing a security risk mitigation action.
Reasons for Allowance
The prior art does not show with respect to Independent claim 1, 10 and 15 "inputting the vector into a trained model associated with registry-related features of a plurality of sequences of events that indicate malicious activity, the registry-related features of the plurality of sequences of events correspond to registry-related features in training process data and training signal data; based on inputting the vector into the trained model, generating a score that indicates whether the sequence of events represented by the vector is malicious, wherein the score is generated using the trained model associated with the registry-related features" with the other limitations of the claim.
The closest prior art Griffin al (US 2020/0167464), Mesdagq et al (US 9,294,501), Brown (US 2018/0322276), Meyer et al (EP 4266201), Ducau et al (US 2020/0364338), Sai (US 2018/0314983), Muddu et al (US 2017/0142140), Ananthakrishnan (US 2018/0189339), Kitahara et al (US 2021/0089420) and Nguyen et al (US 2020/0327225) do not teach these limitations.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DEVIN E ALMEIDA whose telephone number is (571)270-1018. The examiner can normally be reached on Monday-Thursday from 7:30 A.M. to 5:00 P.M. The examiner can also be reached on alternate Fridays from 7:30 A.M. to 4:00 P.M.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Rupal Dharia, can be reached on 571-272-3880. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
/DEVIN E ALMEIDA/Examiner, Art Unit 2492