DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claims 1-20 have been examined and are pending.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The filing of a terminal disclaimer by itself is not a complete reply to a nonstatutory double patenting (NSDP) rejection. A complete reply requires that the terminal disclaimer be accompanied by a reply requesting reconsideration of the prior Office action. Even where the NSDP rejection is provisional the reply must be complete. See MPEP § 804, subsection I.B.1. For a reply to a non-final Office action, see 37 CFR 1.111(a). For a reply to final Office action, see 37 CFR 1.113(c). A request for reconsideration while not provided for in 37 CFR 1.113(c) may be filed after final for consideration. See MPEP §§ 706.07(e) and 714.13.
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The actual filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/apply/applying-online/eterminal-disclaimer.
Claims 1 and 12 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims of U.S. Patent No. 11689556 (hereinafter ‘556). Although the claims at issue are not identical, they are not patentably distinct from each other because claims 1-2 and 4-19 of ‘556 recites every element of claim 1 of the instant application, except for the recitation of a SaaS application hosted by a third party operator platform using Artificial Intelligence model trained on normal benign behaviors of a network entity and identifying whether a breach state exists based on deviation of the normal benign behaviors representing a cyber threat. However, it would have been obvious to a person of ordinary skill in the art to apply the recited invention steps to incorporate Software-As-A-Service (SaaS) data into a cyber threat defense system. As taught by Zimmerman EP 3262815B1 paras [0039 0044 0057 0072 0099 0107 0111-0114], each of these components are used interchangeably. Therefore, it would have been obvious to a person of ordinary skill in the art to modify claims 1-2 and 4-19 of ‘556 to achieve the identical invention as recited in claim 1 of the instant invention. In the same manner, it would have been obvious to modify claim 1-2 and 4-19 of ‘556 to achieve the invention as recited in claim 12, in which the only difference is the category of invention.
Claims 1 and 12 rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-4 and 6-20 of U.S. Patent No. 12225045 (hereinafter ‘045). Although the claims at issue are not identical, they are not patentably distinct from each other because claims 1-4 and 6-20 of ‘045 recites every element of claim 1 of the instant application, except for the recitation of a SaaS application hosted by a third party operator platform using Artificial Intelligence model trained on normal benign behaviors of a network entity and identifying whether a breach state exists based on deviation of the normal benign behaviors representing a cyber threat; or a cooperative module to supply observations of event data via one or more connectors, an open connection and any combination of the two. However, it would have been obvious to a person of ordiary skill in the art to apply the recited invention steps to incorporate Software-As-A-Service (SaaS) data into a cyber threat defense system. As taught by Zimmerman EP 3262815B1 paras [0034 0039 0044 0055 0057 0072 0099 0107 0111-0114], each of these components are used interchangeably. Therefore, it would have been obvious to a person of ordinary skill in the art to modify claim 1-4 and 6-20 of ‘045 to achieve the identical invention as recited in claim 1 of the instant invention. In the same manner, it would have been obvious to modify claim 1-4 and 6-20 of ‘045 to achieve the invention as recited in claim 12, in which the only difference is the category of invention.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 01/16/2025 was filed. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.
Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.
Claim(s) 1-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Zimmerman et al, hereinafter (“Zimmerman”), European Patent Application (EP3262815 B1), was submitted in 01/16/2025 IDS.
Regarding currently amended claims 1 and 12, Zimmerman teaches a method for a cyber threat defense system incorporating data from a Software-as- a-Service (SaaS) application hosted by a third-party operator platform to identify cyber threats related to that SaaS application, comprising; and an apparatus for a cyber threat defense system, comprising: [Zimmerman, ¶¶0009, 0011, 0014, 0018, 0020-0021, 0026-0027, and 0033: A cloud security fabric (CSF 100) allows an enterprise to discover sensitive data, apply policies and automation actions configurations/users/data, and ensures regulated data compliance; wherein the cloud security fabric includes a plurality of modules that comprise services deployed in the cloud security fabric. Other things include discover and manage third party applications on dealing interfaces (including APIs): SaaS-to-SaaS interfaces, etc.]
one or more input ports to connect to one or more connectors and one or more probes deployed to a network entity representing at least one of a user and a network device that utilizes a third-party software-as-a-service (SaaS) application, [Zimmerman, ¶¶0009, 0011, 0014, 0018, 0020-0021, 0026-0027, and 0033: A cloud security fabric (CSF 100) allows an enterprise to discover sensitive data, apply policies and automation actions configurations/users/data, and ensures regulated data compliance. A plurality of connector APIs (i.e. APIs 108, AppConnect APIs 108 and/or platform APIs 108), ports, interface the fabric may discover information about entities relating to the information security of the enterprise computing environment by obtaining information from the interfaces of a plurality of cloud platforms. Other things include discover and manage third party applications on dealing interfaces (including APIs): SaaS-to-SaaS interfaces, etc. ¶0057 UBA platform 500 focus behavior analysis using accurate sensors as access to sensitive data.]
a SaaS module configured to collect, from the one or more connectors, third-party event data describing an administrative event of the third-party SaaS application [Zimmerman, ¶¶0039 and 0044: the CSF 100 enable a user to discover what cloud applications and platforms 132 users of an enterprise are using... as well as from third party security vendors, such as over APIs used to input events and logs into the CSF 100. ¶¶0080-0083 0090 and 0101 UBA platform 500 including a data processing pipeline for event data, shown in Fig. 6 include: Collection facility 602 may include various adapters; from vendors/vendor-specific having differing APIs with differing data formats and different semantics]
a probe module configured to collect, from the one or more probes, probe data describing network-administrated activity, external to the SaaS application, executed by the network entity; [Zimmerman, ¶0057 UBA platform 500 focus behavior analysis using accurate sensors as access to sensitive data. Fig. 6 and ¶¶0101 and 0103-0104: a message bus 610; allow multiple readers to read messages without interfering with each other. Also includes message bus sub-components 610 may include raw message bus sub-component 612 and an enriched message bus sub-component 614.]
a coordinator module configured to contextualize the third-party event data from the SaaS module with the probe data from the probe module to create a combined data set for analysis; [Zimmerman, Fig. 6 and ¶¶0101 and 0107: a stream processing component 626 includes enrichment flow 630 that reads and transforms raw events from raw messages from bus subcomponent 612.]
a comparison module configured to execute a comparison of the combined data set, created by the coordinator module, to at least one Artificial Intelligence (AI) the the [Zimmerman, ¶¶0072 0099 0113-0114 and 0126: Rare activity detection task; Detection of statistical anomalies over some aggregates may include compare incoming events to a statistical baseline. Anomaly detection 640 detects behavioral patterns may be abnormal related to baseline, defined by threshold-based rules or machine learning. A pre-trained model may be applied to machine learning model application activities 642. The system uses machine learning or Artificial Intelligence to understand what is normal inside a company's network, and when something's not normal.]
a cyber threat module configured to identify whetheris deviating from the normal benign behavior of that network entity representing that the network entity is in a breach state of the normal behavior benchmark indicating a potential [Zimmerman, ¶¶0111-0112 Online detection function 608 of the stream processing component 626 where rules-based activities 638 may apply explicit rules and flag violations. An example of a violation may be a user logged in from two distant locations within short timeframe. Rules-based activities 638 may connect to alerts 624.]
an autonomous response module configured to execute at least one autonomous response to the cyber threat identified by the cyber threat module. [Zimmerman, ¶0111 A stream processing component 626 may include an online detection function 608. An online detection function 608 may consist of a set of activities that may perform online analysis of events and may raise alerts about possible security issues. These activities may include rules-based activities 638, anomaly detection activities 640, and machine learning model application activities 642.].
Regarding currently amended claim 2, Zimmerman teaches claim 1 as described above.
Zimmerman teaches further comprising: directing the one or more connectors to send a Hypertext Transfer Protocol Secure event request to the application to request the administrative event from an audit log associated with [[of]] the third-party SaaS application or directing the one more connectors to access an application programming interface of the third-party operation platform to generate an event report that describes a series of administrative events. [Zimmerman, ¶¶0027 CSF’s connection APIs 108 interact with event logs that integrate extracted data from relevant work flows for the various modules of the CSF 100. ¶0093: Event log data may be sourced via API calls to various service providers such as Google, SFDC, Microsoft, Box, Dropbox, Okta and the like. Fig. 52 ¶¶0454-0455 and Fig.64 ¶0468 CSF 100 tracks events and provide various reporting which is reported on dashboards and fed to SIEMS.].
Regarding currently amended claim 3, Zimmerman teaches claim 1 as described above.
Zimmerman teaches wherein identifying whether the behaviors of the network entity that utilized the SaaS application deviates from the normal benign behaviors of the network entity by at least identifying whether (i) a breach state of a normal behavior benchmark describing parameters corresponding to a normal pattern of activity for that network entity to spot behavior on the network deviating from the normal benign behavior [Zimmerman, ¶¶0044 and 0051 improved UBA solutions avoid and manage data breaches; as well as accesses and identifies patterns of user or machine behaviors to determine compromise accounts, bot/crawler behavior rather than real human behavior. ¶0099 detection of statistical anomalies; standard deviation calculations] and (ii) a chain of relevant behavioral parameters deviating from the normal benign behavior of that network entity correspond to the cyber threat [Zimmerman, ¶¶0111-0113 Online detection function 608 of the stream processing component 626 where rules-based activities 638 may apply explicit rules and flag violations. An example of a violation may be a user logged in from two distant locations within short timeframe. Rules-based activities 638 may connect to alerts 624.].
f
Regarding currently amended claim 4, Zimmerman teaches claim 3 as described above.
Zimmerman teaches directing the one or more connectors to send a Hypertext Transfer Protocol Secure event request to the SaaS application to request a current state of objects on the third-party operator platform; [Zimmerman, ¶¶0242 and 0256: Use of virtual network/NAT/Web server/jump box setup system administrators securely connect to manage the system when deploying CSF 100; use case to analyze a particular file through a content analysis request by a client] and
deriving from metadata of the returned objects whether a specific operation type or types, including i) object creation[[s]], ii) object modification[[s]], or iii) object has occurred whether by
1) requesting only objects modified within a specified time period, or 2) comparing the metadata with a stored list of previous object states, [Zimmerman, See Table 1 – classification criteria may be derived per handling of field metadata; ¶0114: context analysis services 112 (which analyze documents, files or objects for sensitive information based on metadata criteria; ¶0169: an enrich function 636, which may enrich the data stream with various additional data and metadata elements, such as by creating additional layers of data on top of the raw data collected]
Regarding currently amended claim 5, Zimmerman teaches claim 3 as described above.
Zimmerman teaches setting a report period to specify a time frame for the event report; [Zimmerman, ¶¶0204 and 0235 create and set baseline for detection of unusual activity scenarios which include time/day baseline; time window for collection and retention of raw data.] and
where the executing of the autonomous response to take the response to the cyber threat includes one or more of (i)executing at least one of alerting an internal system administrator of the cyber threat and a suggested action to counter the cyber threat, (ii)alerting the third-party operator platform of the cyber threat and a suggested action to counter the cyber threat, (iii)autonomously reducing permissions of the network entity in the breach state of the normal behavior benchmark, and (iv)autonomously disabling a user account of the network entity in the breach state of the normal behavior benchmark, based on a threat risk parameter corresponding to aspects of the cyber threat. [Zimmerman, ¶0104 enrich stream processing sub-component 636 may connect to each feed where alerts 624 may connect to rules 638, anomaly detection activities 640, machine learning model application activities 642 and detection 646.]
Regarding currently amended claim 6, Zimmerman teaches claim 3 as described above.
Zimmerman teaches harvesting metadata from the event report data rich description and then using the metadata in the comparison of the normal behavior benchmark describing parameters corresponding to the normal pattern of activity for that network entity to spot behavior on a network deviating from the normal benign behavior; [Zimmerman, ¶0088 vendor agnostic processing part of the platform 500 may include enrichment 630 with various additional data and metadata elements. ¶0113: Anomaly detection activities 640 may detect behavioral patterns that may be abnormal related to a baseline. ¶0303: Policy automation engine 116 may have different available criteria. Entities may have metadata and classification criteria (such as explicit tagging independent of metadata); where policies identify specific keywords or patterns with suspicious activities.] and
directing the one or more connectors to request the third-party operator platform to delete the event report. [Zimmerman, ¶¶0262-0263: content analysis request processing]
Regarding claim 7, Zimmerman teaches claim 1 as described above.
Zimmerman teaches further comprising: comparing a threat risk parameter listing a set of values describing aspects of the cyber threat to a benchmark matrix having a set of benchmark scores to determine the autonomous response. [Zimmerman, ¶0345: identify anomalies and patterns in scoring particular attributes of application, level of risk of creating a data breach, and other metrics; overall scores for component factors can be used for benchmark purposes]
Regarding currently amended claim 8, Zimmerman teaches claim [[1]]3 as described above.
Zimmerman teaches further comprising: collecting network traffic in addition to the collected data from the SaaS application used by the network entity in order to analyze both to contextualize and understand the breach state and the chain of relevant behavioral parameters deviating from the normal benign behavior of [[that]]the network entity in order to accurately correspond to the breach state and the chain of relevant behavioral parameters to the cyber threat. [Zimmerman, ¶0343: collecting and normalization of information; ¶0345. Information collected and organized to identify anomalies, both in context of a single application and across applications, for scoring particular attributes/classes, level of risk of creating a data breach, and other metrics.]
Regarding claim 9, Zimmerman teaches claim 8 as described above.
Zimmerman teaches further comprising: sending an alert of the cyber threat with a suggested response to the cyber threat to at least one of an internal system administrator and the third-party operator platform. [Zimmerman, ¶0036: policy enforcement automated response action]
Regarding claim 10, Zimmerman teaches claim 8 as described above.
Zimmerman teaches further comprising: collecting, from one or more probes deployed to the network entity, probe data describing network-administrated activity, external to the SaaS application, by the network entity to analyze the probe data and the third-party event data in context to accurately associate the breach state and the chain of relevant behavioral parameters with the cyber threat. [Zimmerman, ¶0057 UBA platform 500 focus behavior analysis using accurate sensors as access to sensitive data. ¶¶0111-0112 Online detection function 608 of the stream processing component 626 where rules-based activities 638 may apply explicit rules and flag violations. An example of a violation may be a user logged in from two distant locations within short timeframe. Rules-based activities 638 may connect to alerts 624.]
Regarding claim 11, Zimmerman teaches when executed by one or more processing apparatuses in the cyber threat defense system to instruct a computing device to perform the method of claim 1. [See independent claims 1 and 12]
Regarding claim 13, Zimmerman teaches claim 12 as described above.
Zimmerman teaches wherein the SaaS module is configured to harvest metadata of the administrative event. [Zimmerman, ¶0303: Policy automation engine 116 may have different available criteria. Entities may have metadata and classification criteria (such as explicit tagging independent of metadata);]
Regarding claim 14, Zimmerman teaches claim 13 as described above.
Zimmerman teaches wherein the SaaS module is configured to anonymize the metadata to remove any personally identifiable information for a third-party operator and the network entity from the metadata. [Zimmerman, ¶0353: The community trust rating (CTR) 2914 may apply to cloud applications and applications accessed on an enterprise network. Because the CSF 100 can be deployed across many enterprises and platforms. A CTR preferably would have fields relating to a company sector, size and the like, and would provide visibility as to the reasons for a rating. In embodiments, the data may be anonymized.]
Regarding currently amended claim 15, Zimmerman teaches claim 12 as described above.
Zimmerman teaches wherein the SaaS module is configured to (i) direct [[i) ]]the one or more connectors to request that the third-party SaaS application hosted by the third-party operator platform return the event data describing the administrative event once it is observed[[;]], or (ii) the third-party operator platform hosting the SaaS application to keep a connection open until an event is observed and the event data describing the administrative event is returned to the SaaS module[Zimmerman, ¶0247 ability to understand pipeline a content analysis request by observing logs thereby providing traceability]
Regarding claim 16, Zimmerman teaches claim 12 as described above.
Zimmerman teaches wherein the SaaS connector is configured to direct the one or more connectors to request that event data describing the administrative event to be sent as a push notification upon the occurrence of the event. [Zimmerman, ¶0342: push data;]
Regarding currently amended claim 17, Zimmerman teaches claim 12 as described above.
Zimmerman teaches wherein the SaaS module is configured to receive the third-party event data describing an administrative event from the one or more connectors as a push notification, and then ning for a deviant characteristic prior to analysis. [Zimmerman, ¶0342: push data; ¶0379: policy automation engine 116 of the CSF 100 might quarantine sensitive content based on content policy or a behavioral anomaly]
Regarding claim 18, Zimmerman teaches claim 12 as described above.
Zimmerman teaches wherein the cyber threat module is configured to identify at least one of a login, a failed login, a resource creation, a resource view, a resource modification, a resource deletion, a file upload, a file download, a resource share, and an administrative action in the third-party event data. [Zimmerman, ¶¶0240-0241 additional UBA use cases involve multiple failed login attempts, monitoring to detect unusually large downloads or uploads…]
Regarding claim 19, Zimmerman teaches claim 12 as described above.
Zimmerman teaches wherein the autonomous response module is configured to lower a threshold for the autonomous response upon identifying a tagged user associated with the cyber threat. [Zimmerman, ¶¶0067-0068 and 0098: predetermined threshold and configure thresholds; automatically determined threshold for a user. ¶0164: tagging mechanism]
Regarding currently amended claim 20, Zimmerman teaches claim 12 as described above.
Zimmerman teaches wherein the one or more connectors interact with the SaaS application by at least one of an application programming interface interaction, a logging access tool, a Hypertext Transfer Protocol Secure protocol request, and any combination of these, and then feed information about user behavior back to one or more of the SaaS module, the probe module, the coordinator module, the comparison module, the cyber threat module, and the autonomous response module; [Zimmerman, ¶0359 reporting may include providing feeds that can be incorporated in other reporting. See also independent claims 1 and 12] and
wherein the cyber-threat defense system is configured to one or more address detection of by at least minimizing memory space, and power consumed by the cyber threat in the network being protected by the cyber threat defense system. [Zimmerman, ¶0123: memory, storage]
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Moore et al WO 2019014159 A1 discloses Cyberanalysis workflow acceleration.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SAKINAH WHITE-TAYLOR whose telephone number is (571)270-0682. The examiner can normally be reached Monday-Friday, 10:45a-6:45p.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, CATHERINE THIAW can be reached at 571-270-1138. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
SAKINAH WHITE-TAYLOR
Primary Examiner
Art Unit 2407
/Sakinah White-Taylor/Primary Examiner, Art Unit 2407