DETAILED ACTION
Claims 1-11 are presented for examination.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Allowable Subject Matter
Claims 3-4, and 9-11 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
CLAIM INTERPRETATION
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.
The following is a quotation of pre-AIA 35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.
10. The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art. The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is invoked.
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph:
(A) the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function;
(B) the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and
(C) the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function.
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function.
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function.
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier. Such claim limitation(s) is/are: “the graph constructing module is configured to”, “the network encoder is configured to”, “the network decoder is configured to”, “the first message module is configured to”, “the first aggregation module is configured to”, “the attention module is configured to”, “the second message module is configured to”, and “the second aggregation module is configured to”, in claims 7 and 9.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
A review of the specification shows that the following appears to be the corresponding structure described in the specification for the 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph limitation: [Paragraph 0017] Execution unit 112 may include any circuitry, structure, or other hardware, such as an arithmetic unit, logic unit, floating point unit, shifter, etc., for processing data and executing instructions, micro-instructions, and/or micro-operations.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, applicant may: (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.
11. Claims 1 and 9 is/are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant regards as the invention.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier. Such claim limitation(s) are: “a client component that…”; “an encryption component that….”; “an application component that…”; “application server which is configured to…” in claim 14 and “a map component configured to…” in claim 15.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, applicant may: (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph.
Claim limitations “the graph constructing module is configured to”, “the network encoder is configured to”, “the network decoder is configured to”, “the first message module is configured to”, “the first aggregation module is configured to”, “the attention module is configured to”, “the second message module is configured to”, and “the second aggregation module is configured to”, in claims 1 and 9 invoke 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. However, the written description fails to disclose the corresponding structure, material, or acts for performing the entire claimed function and to clearly link the structure, material, or acts to the function. Therefore, the claim is indefinite and is rejected under 35 U.S.C. 112(b) or pre-AIA 35 U.S.C. 112, second paragraph.
(a) Amend the claim so that the claim limitation will no longer be interpreted as a limitation under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph;
(b) Amend the written description of the specification such that it expressly recites what structure, material, or acts perform the entire claimed function, without introducing any new matter (35 U.S.C. 132(a)); or
(c) Amend the written description of the specification such that it clearly links the structure, material, or acts disclosed therein to the function recited in the claim, without introducing any new matter (35 U.S.C. 132(a)).
If applicant is of the opinion that the written description of the specification already implicitly or inherently discloses the corresponding structure, material, or acts and clearly links them to the function so that one of ordinary skill in the art would recognize what structure, material, or acts perform the claimed function, applicant should clarify the record by either:
(a) Amending the written description of the specification such that it expressly recites the corresponding structure, material, or acts for performing the claimed function and clearly links or associates the structure, material, or acts to the claimed function, without introducing any new matter (35 U.S.C. 132(a)); or
(b) Stating on the record what the corresponding structure, material, or acts, which are implicitly or inherently set forth in the written description of the specification, perform the claimed function. For more information, see 37 CFR 1.75(d) and MPEP §§ 608.01(o) and 2181.
Notice of Pre-AIA or AIA Status
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-2, 5-8 are rejected under 35 U.S.C. 103 as being unpatentable over Muddu et al. (US Patent Application No. 20170063889) (Hereinafter Muddu) in view of Dutton et al. (US Patent Application No. 20240194291) (Hereinafter Dutton).
As per claim 1, Muddu discloses an advanced persistent threat (APT) detection method based on a continuous-time dynamic heterogeneous graph network (CDHGN), comprising:
selecting network interaction event data in a specified time period (fig 40 E, para 719), extracting entities from the network interaction event data as source nodes and target nodes (fig 35-36, para 410, storing relationship graphs into a composite relationship graph. The process receives event data from various data sources. The event data can be, e.g., timestamped machine data), extracting an interaction event occurring between a source node and a target node as an edge, and determining a type and an attribute of a node, a type and an attribute of the edge (fig 24, para 352, anomaly graph includes a plurality of vertices (nodes) representing entities associated with the computer network and a plurality of edges, each of the plurality of edges representing an anomaly linking two of the plurality of vertices (nodes)), and a moment at which an interaction event occurs, to obtain a continuous-time dynamic heterogeneous graph (fig 35-36, para 216, 353, 410; shows the full heterogeneous graph with multiple node and edge types);
converting each type of edge (para 256, FIGS. 13A and 13B collectively show a table 1300 that includes example anomalies that can be identified by machine learning models, as well as various event views and fields that can be used by the models to receive relevant information about the events for performing further analytics) in
decoding the embedding representation of each type of edge in the continuous-time dynamic heterogeneous graph by a CDHGN decoder to obtain a detection result of whether each type of edge is an abnormal edge, so as to intercept an APT attack according to the abnormal edge (para 223-225; when the composite relationship graph is created, it can be used to determine what other entities might be involved or affected by this anomaly).
Muddu does not explicitly disclose the continuous-time dynamic heterogeneous graph into a vector by a CDHGN encoder. However, Dutton discloses the continuous-time dynamic heterogeneous graph into a vector by a CDHGN encoder (para 36 and 39, that maps each vertex in either the continuous-time dynamic graph $G(V, E_T, \text{custom-character})$ or the discrete-time dynamic graph $G_t(V_t, E_t)$ into a D-dimensional vector is generated, where D is the embedding dimension).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Muddu and Dutton. The motivation would have been using a graph neural network encoder-decoder architecture, as GNNs are well known for processing heterogeneous graph-structured network data; a GNN encoder producing embeddings and a decoder producing anomaly scores would yield predictable improvements in detection accuracy.
The Examiner notes that this motivation applies to all dependent and/or otherwise subsequently addressed claims.
As per claim 2, claim is rejected for the same reasons and motivation as claim 1, above. In addition, Muddu discloses the APT detection method based on a CDHGN according to claim 1, wherein the continuous-time dynamic heterogeneous graph is represented as a ten-tuple set and denoted as:
{(src, e, dst, t, src_type, dst_type, edge_type, src_feats, dst_feats, edge_feats)}, wherein src represents a source node, and e represents an edge connecting a source node to a target node; dst represents a target node; t represents a moment at which an interaction event occurs between a source node and a target node; src_type, dst_type, and edge_type are respectively a type of a source node, a type of a target node, and a type of an edge; and src_feats, dst_feats, and edge_feats are respectively an attribute of a source node, an attribute of a target node, and an attribute of an edge (para 256, FIG. 12 shows a table 1200 of example uniform access interfaces (“event views”) that can be implemented in the data intake and preparation stage. FIGS. 13A and 13B collectively show a table 1300 that includes example anomalies that can be identified by machine learning models, as well as various event views and fields that can be used by the models to receive relevant information about the events for performing further analytics; fig 20, 38 and 6 teach event data records that inherently teach source, destination, time, event types and extracted featured sets).
As per claim 5, claim is rejected for the same reasons and motivation as claim 1, above. In addition, Muddu discloses wherein a method for training the CDHGN decoder comprises: inputting an embedding representation of each type of edge, performing sample labeling on the embedding representation of each type of edge to obtain a sample label, and performing supervised training on the CDHGN encoder and the CDHGN decoder to determine whether an embedding representation of an edge between a source node and a target node at a time point is abnormal (fig 20-25, ML anomaly models trained on event featured sets, threat/anomaly review by a human feedback, labeling of outputs, model update based on feedback, Anomaly model = encoder/classifier and threat indicator = decoder/classifier).
As per claim 6, claim is rejected for the same reasons and motivation as claim 1, above. In addition, Muddu discloses the APT detection method based on a CDHGN according to claim 1, wherein the CDHGN decoder uses a binary cross-entropy loss function and is defined as:
$L(\tilde{y}_i(t), y_i(t)) = -\left(y_i(t)\cdot\log(\tilde{y}_i(t)) + (1 - y_i(t))\cdot\log(1 - \tilde{y}_i(t))\right)$, wherein $\tilde{y}_i(t)$ represents a result of determining that an $i$-th edge at a moment $t$ output by the CDHGN decoder is abnormal, and $y_i(t)$ represents a sample label value corresponding to the $i$-th edge (binary cross entropy is a well known conventional loss function for binary classification problems (anomaly vs normal) and would be obvious design choice, para 279, entropy or randomness).
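The ten-tuple graph of claim 2 and the binary cross-entropy loss of claim 6, as an added example that is not taken from the application, Muddu or Dutton. The log line format, the `prior_events` node attribute, the decoder scores and the 0.5 threshold are constructed assumptions; the CDHGN encoder and decoder themselves are not implemented.

```python
import math
from collections import Counter, namedtuple

# Field order follows the ten-tuple quoted in the claim 2 discussion.
Edge = namedtuple("Edge", "src e dst t src_type dst_type edge_type "
                          "src_feats dst_feats edge_feats")

# Constructed sample log lines: "<time> <event> <type:src> <type:dst> [k=v ...]"
SAMPLE_LOG = """\
100.0 logon user:alice host:ws-07 auth=kerberos
130.5 exec host:ws-07 process:powershell.exe parent=winword.exe
131.0 connect process:powershell.exe host:fs-01 port=445
900.0 logon user:bob host:ws-11 auth=kerberos
"""

def build_graph(log_text, t_start, t_end):
    """Turn events with t_start <= t < t_end into time-ordered ten-tuples."""
    rows = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        t, edge_type, src, dst, *kv = line.split()
        if t_start <= float(t) < t_end:
            rows.append((float(t), edge_type, src, dst, kv))
    rows.sort(key=lambda r: r[0])          # continuous time: order by timestamp

    node_type, seen, edges = {}, Counter(), []
    for t, edge_type, src, dst, kv in rows:
        ends = []
        for ref in (src, dst):
            ntype, _, name = ref.partition(":")
            # A node keeps one type for the whole graph; reject conflicts.
            if node_type.setdefault(name, ntype) != ntype:
                raise ValueError(f"node {name!r} seen with two types")
            # Assumed node attribute: interactions seen before this moment.
            ends.append((name, ntype, {"prior_events": seen[name]}))
        (s, s_type, s_feats), (d, d_type, d_feats) = ends
        edge_feats = dict(item.split("=", 1) for item in kv)
        edges.append(Edge(s, f"e{len(edges)}", d, t, s_type, d_type,
                          edge_type, s_feats, d_feats, edge_feats))
        seen[s] += 1
        seen[d] += 1
    return edges

def bce(y_pred, y_true, eps=1e-12):
    """Binary cross-entropy for one edge; y_pred is clamped to avoid log(0)."""
    p = min(max(y_pred, eps), 1.0 - eps)
    return -(y_true * math.log(p) + (1 - y_true) * math.log(1 - p))

def abnormal_edges(edges, scores, threshold=0.5):
    """Edges whose decoder score marks them abnormal (threshold is assumed)."""
    return [e for e, s in zip(edges, scores) if s >= threshold]

if __name__ == "__main__":
    graph = build_graph(SAMPLE_LOG, 0.0, 600.0)
    scores = [0.02, 0.91, 0.88]            # hypothetical decoder outputs
    labels = [0, 1, 1]                     # constructed sample labels
    for edge in abnormal_edges(graph, scores):
        print(edge.t, edge.src, edge.edge_type, edge.dst)
    print(sum(bce(s, y) for s, y in zip(scores, labels)) / len(labels))
```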
As per claim 7, claim is rejected for the same reasons and motivation as claim 1, above.
As per claim 8, claim is rejected for the same reasons and motivation as claim 1, above. In addition, Muddu discloses wherein the system further comprises a training module, and the training module is configured to train the network encoder and the network decoder (fig 20-25, ML anomaly models trained on event featured sets, threat/anomaly review by a human feedback, labeling of outputs, model update based on feedback, Anomaly model = encoder/classifier and threat indicator = decoder/classifier).
Conclusion
Please see the attached PTO-892 for the prior art made of record and not relied upon that is considered pertinent to applicant's disclosure.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MOHAMMAD A SIDDIQI whose telephone number is (571)272-3976. The examiner can normally be reached Monday-Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl G Colin can be reached at 571-272-3862. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/MOHAMMAD A SIDDIQI/Primary Examiner, Art Unit 2493