Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This action is in response to the communication filed on February 27, 2025.
Claims 2-21 ae examined and are pending.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 03/10/2025 and 05/27/2025. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1, 12 and 13 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.
Step 1 This part of the eligibility analysis evaluates whether the claim falls within any statutory category MPEP 2106.03.
Step 2A Prong One This part of the eligibility analysis evaluates whether the claim recites a judicial exception. As explained in MPEP 2106.04(II) and the October 2019 Update, a claim “recites” a judicial exception when the judicial exception is “set forth” or “described” in the claim.
Step 2A Prong 2 This part of the eligibility analysis evaluates whether the claim as a whole integrates the recited judicial exception into a practical application of the exception. This evaluation is performed by (a) identifying whether there are any additional elements recited in the claim beyond the judicial exception, and (b) evaluating those additional elements individually and in combination to determine whether the claim as a whole integrates the exception into a practical application. 2019 PEG.
Step 2B This part of the eligibility analysis evaluates whether the claim as a whole amount to significantly more than the recited exception, i.e., whether any additional element, or combination of additional elements, adds an inventive concept to the claim. MPEP 2106.05.
Step 1 Statutory Category:
Claims 2-11 are recited as being directed to “a computer implemented method”. Claim 12-20 is recited as being directed to “a system comprising one or more computers …”.
Claim 21 is recited as being directed to a “non-transitory storage medium storing instruction …” Thus claims 2, 12 and 21 have been identified to be directed towards the appropriate statutory category. Below is further analysis related to step 2.
a). In analyzing under step 2A Prong One, Does the claim recite an abstract idea law of nature or natural phenomenon? Yes.
Claim 2, 12 and 21 recites, receiving an event log comprising a plurality of event records; converting the event log into a graph, wherein the converting comprises: normalizing the plurality of event records to generate a plurality of normalized event records, wherein the normalizing comprises anonymizing a unique identifier value in each event record and replacing a variable value in each event record with a predetermined value; representing each normalized event record in the plurality of normalized event records as one or more nodes in the graph; and generating a plurality of event clusters, wherein each event cluster includes an aggregated group of nodes and is generated based on common attributes of and hierarchical relationships between the plurality of normalized event records represented by the nodes in the aggregated group; and generating, from the graph, labeled training data that comprises a plurality of training inputs, wherein each training input (i) comprises one or more normalized event records represented by one or more nodes included in the graph and (ii) is associated with a ground truth label that specifies a classification of the one or more normalized event records; and training the machine learning model using the labeled training data.
As claim texts drafted by a set of very minimal limitations (or elements) of each of the three claim categories, receiving event log; converting event log; normalizing event log; representing normalized event log; generating plurality event clusters and generating graph with nodes and generating labeled training data and training a machine learning model, are merely a process that, under its broadest reasonable interpretation, covers mental processes – concepts performed in the human mind (including an observation, evaluation, judgment, opinion), but for the recitation of processing unit, memory and a computer readable medium which are explicitly generic computing components, including:
“normalizing the plurality of event records to generate a plurality of normalized event records, wherein the normalizing comprises anonymizing a unique identifier value in each event record and replacing a variable value in each event record with a predetermined value” as drafted, is a process that, under its broadest reasonable interpretation, covers performance of the limitation in the mind. For example, a user can normalize received events observe and evaluate the events and any removing or replacing unwanted parameters from the event with a identifier value such as number 1, 2, 3 or letter a, b, c, etc., using his/her mind or with the aid of pen and paper. Therefore, the normalizing limitation is a mental process (including an observation, evaluation, judgment, opinion).
Similarly, “representing each normalized event record in the plurality of normalized event records as one or more nodes in the graph”, as drafted, is a process that, under its broadest reasonable interpretation, covers performance of the limitation in the mind. For example, a user can draw a graph and put the relevant event in each node in the graph by observing and judging in the events using his/her mind or with the aid of pen and paper. Therefore, the normalizing limitation is a mental process (including an observation, evaluation, judgment, opinion).
Similarly, “generating a plurality of event clusters, wherein each event cluster includes an aggregated group of nodes and is generated based on common attributes of and hierarchical relationships between the plurality of normalized event records represented by the nodes in the aggregated group; and generating, from the graph, labeled training data that comprises a plurality of training inputs, wherein each training input (i) comprises one or more normalized event records represented by one or more nodes included in the graph and (ii) is associated with a ground truth label that specifies a classification of the one or more normalized event records”, as drafted, is a process that, under its broadest reasonable interpretation, covers performance of the limitation in the mind. For example, a user can gather similar event by observing and evaluating and create plurality of clusters based on similarity relationship and name or label them (for example cluse1, as labeled as “login event”, cluster 2 labeled as “password event”, etc. with his/her mind or with the aid of pen and paper. Therefore, generating event cluster and labeling them is a mental process (including an observation, evaluation, judgment, opinion).
The claim recites three additional; elements: “receiving an event log comprising a plurality of event records”, “converting the event log into a graph”, wherein the converting comprises: and “training the machine learning model using the labeled training data”.
The receiving step as recited amounts to mere data gathering for use in the detection step, which is a form of insignificant extra-solution activity, (see Symantec, 838 F.3d at 1321, 120 USPQ2d at 1362 (utilizing an intermediary computer to forward information)). Further receiving input step as recited also amounts to mere data gathering which is a form of insignificant extra-solution activity. The converting step as recited is merely transferring the received event into deferent node in a graph data for labeling which is nothing more than data gathering and outputting. Hence, converting step is an insignificant extra-solution activity. Accordingly, even in combination, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea. The claim is directed to the abstract idea.
b) In analyzing under step 2A Prong Two, Does the claim recite additional elements that integrate the judicial exception into a practical application? NO.
This judicial exception is not integrated into a practical application. In particular, the claim only recites additional elements – “system comprising one or more computers”, “one or more non-transitory computer readable storage medium”, and “training machine learning model”. The additional components are generic computer components even being recited as additional limitations, however, do not preclude the claims from reciting an abstract idea. For instance, as the above detailed analysis on the minimal limitations as abstract ideas that can be performed mentally in mind by human, without reciting any “additional element” to integrate the judicial exception into a practical application.
The processes of receiving necessities for performing an action and providing indication of completed such that it amounts no more than mere instructions to apply the exception using a generic computer component, processing unit(s), memory and computer readable medium for the processes. That is, the limitations represent well-understood, routine, conventional activity (See MPEP 2106.05(g) or 2106.05(d) for receiving or transmitting data over a network, e.g. see Intellectual Ventures v. Symantec; Storing and retrieving information in memory: Versata; Analyzing data: Genetic Techs; Determining: OIP Techs; Electronic recordkeeping: Alice Corp). Accordingly, even considering all the elements as additional elements do not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. As such, the claim is directed to an abstract idea.
c) In analyzing under step 2B, does the claim recite additional elements that amount to significantly more than the judicial exception? NO
The claims 2, 12 and 21 does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, there is simply no additional elements adding to the already analyzed very few minimal steps of performing action. The steps, represent well-understood, routine, conventional activity previously known to the industry and are specified at a high level of generality, and in the context of the limitations reciting performing action that can be practically performed in the human mind and may be considered to fall within the mental process and mathematical concepts groupings.
As such, the limitations represent well-understood, routine, conventional activity (See MPEP 2106.05(g) or 2106.05(d) for receiving or transmitting data over a network, e.g. see Intellectual Ventures v. Symantec; Storing and retrieving information in memory: Versata; Analyzing data: Genetic Techs; Determining: OIP Techs; Electronic recordkeeping: Alice Corp). The claims are not patent eligible.
Further the limitations in the dependent claims 3-11 and 13-20 are an extension of the abstract idea of claim 1 and 12 above.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 2, 4-12, and 14-21 are rejected under 35 U.S.C. 103 as being unpatentable over Chandrasekharan et al (US 11,676,072 B1), in view of Ma et al (US 2020/0206920 A1).
As per claim 1, Chandrasekharan discloses:
- a computer-implemented method of training a machine learning model to generate predictions of threat or suspicious activities, wherein the method comprises (a method for training machine learning model to predict and detect threat from a stream of event, column 6, line 30-35, column 128, line 14-35, Fig. 48B, item 4880),
- receiving an event log comprising a plurality of event records (receiving machine data (i.e., event data, event log) with plurality of events, column 6, line 45-55, column 8, line 29-50, column 10, line 55-65, Fig. 2, item 202),
- converting the event log into a graph, wherein the converting comprises (parsing events data stream (i.e., converting the event log) to organize in an event node, Fig. 35B, column 63, line 30-40, column 93, line 5-25, in a graph with node, column 144, line 30-40, column 164, line 45-65, column 167 line 50-67),
- normalizing the plurality of event records to generate a plurality of normalized event records (normalizing events into a common format, column 56, line 45-55, column 163, line 60-67, column 163, line 1-10),
- representing each normalized event record in the plurality of normalized event records as one or more nodes in the graph (normalized event represent as a node in a graph, column 164, line 1-10, Fig. 51, item 5108, Fig. 52),
- generating a plurality of event clusters, wherein each event cluster includes an aggregated group of nodes and is generated based on common attributes of and hierarchical relationships between the plurality of normalized event records represented by the nodes in the aggregated group (clustering events according to attribute distance, Fig. 55-56, where each even cluster include node with common attribute, column 130, line 5-20, column 162, line 10-25, presented in parent/child tree structure, column 115, line 5-25, column 143, line 50-60),
- generating, from the graph, labeled training data that comprises a plurality of training inputs, wherein each training input (i) comprises one or more normalized event records represented by one or more nodes included in the graph and (ii) is associated with a ground truth label that specifies a classification of the one or more normalized event records (labeling each node in the graph of training input, Fig. 39 B, column 151, line 55-65, column 161, line 55-67, column 166, line 1-10, with (i) normalizing event by pairwise binary similarity label, Para [0171], line 5-40), and (ii), grouping (i.e., classifying) similar notable event together (i.e., ground truth label classification), Fig. 50, column 166, line 1-25),
- and training the machine learning model using the labeled training data (training machine learning model, Abstract, line 1-10, column 167, line 10-15),
Chandrasekharan does not explicitly disclose wherein the normalizing comprises anonymizing a unique identifier value in each event record and replacing a variable value in each event record with a predetermined value. However, in the same field of endeavor Ma in an analogous art disclose wherein the normalizing comprises anonymizing a unique identifier value in each event record and replacing a variable value in each event record with a predetermined value (normalization of event with removing and replacing value (i.e., anonymizing unique id) in an event stream, Para [0116] – [0128]), examiner broadest reasonable interpretation: event steam 'res': ['' leftClick: explorer_exe.pane\(\).pane\ (\).button\(Show desktop\)$'], normalized by removing “show desktop” (i.e., event record) by replacing a variable value, r, see Para [0017] – [0121], 'res': [''(.*?)(.*)_CtrlC!_$'],, replace with “copy:{argos()[1]}, see Para [0126] – [0128]).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the normalization of anonymizing a unique identifier value in each event record and replacing a variable value in each event record with a predetermined value taught by Ma as the means to training a machine learning model with received event to detect threat or abnormal activities by normalizing event in Chandrasekharan, (Chandrasekharan, column 6, line 30-35, column 128, line 14-35, Ma, Para [0126] – [0128]). Chandrasekharan and Ma are analogous prior art since they both deal with analyzing event data received from various machine and normalizing the events into group of similar nodes in a graph. A person of the ordinary skill in the art would have been motivated to make aforementioned modification to efficiently analyzing large group of data. This is because one aspect of Chandrasekharan invention is to reduce the potentially vast amount of data that may be generate and pre-process those data to generate a system for efficient retrieval and analysis, as described at least in column 1, line 25-45. Anonymizing a unique identifier value in each event record and replacing a variable value in each event record with a predetermined value is part of this process. However, Chandrasekharan doesn’t specify any particular manner in which unique identifier is anonymized and replace with a predetermined value. This would have lead one of the ordinary skill in the art to seek and recognize the unique identifier is anonymized and replace with a predetermined value as taught by Ma. Ma describes how their event normalization process merge similar evet node together to improve the efficiency of task performance as described at least in Para [0266], as desired by Chandrasekharan.
As per claim 4, rejection claim 2 is incorporated, and further Chandrasekharan discloses:
- wherein the hierarchical relationships comprise a parent- child process relationship between the plurality of normalized event records (tree structure (i.e., hierarchical relationship) with parent-child relationship, column 115, line 1-5).
As per claim 5, rejection of claim 2 is incorporated, and further Chandrasekharan discloses:
- wherein the hierarchical relationships comprise a file hierarchy relationship between the plurality of normalized event records (tree structure (i.e., hierarchical relationship) with directories of file, Fig. 21B, column 97, line 10-20).
As per claim 6, rejection of claim 2 is incorporated, and further Ma discloses:
- wherein the nodes in the aggregated group are connected by directed edges to represent the hierarchical relationships (edge represent the sequence and relationship between events in a graph, Para [0169], [0244]).
As per clam 7, rejection of claim 2 is incorporated, and further Chandrasekharan discloses:
- wherein the common attributes comprise one or more of: process name, command line expression, file path, user name, or event category (command line expression, column 107, line 50-60).
As per claim 8, rejection of claim 2 is incorporated, and further Chandrasekharan discloses:
- automatically generating a label for each training input in plurality of training inputs in accordance with content of the one or more normalized event records included in the training input (algorithm used for labeling node indication relationship for training dataset, column 166, line 1-15, 40-60).
As per claim 9, rejection of claim 2 is incorporated, and further Chandrasekharan discloses:
- wherein the machine learning model comprises a neural network model, and wherein training the machine learning model comprises using a gradient- based supervised learning training technique (neural network machine learning model, column 157, line 65-67, column 158, line 10-20), semi-supervised (i.e., supervised) ML model, column 169, line 5-15).
As per claim 10, rejection of claim 2 is incorporated, and further Chandrasekharan discloses:
- further comprising using the machine learning model to process one or more new event logs, feature information derived from the one or more new event logs, or both in accordance with trained values of parameters of the machine learning model to generate a new prediction of the threat or suspicious activities (machine learning model to predict and detect threat from a stream of event, column 6, line 30-35, column 128, line 14-35, Fig. 48B, item 4880),
As per claim 11, rejection of claim 2 is incorporated, and further Chandrasekharan discloses:
- further comprising displaying the detected threat or suspicious on an end-user device (application used by a computing device to detect security relevant threat (i.e., suspicious activity or threat), column 127, line 5-15, column 128, line 15-25).
As per claims 12 and 14-20,
Claims 12 and 14-20 are system claim corresponding to method claim 1, and 4-11 respectively and rejected under the same reason set forth to the rejection of claims 1, and 4-11 above.
Claim 3 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Chandrasekharan et al (US 11,676,072 B1), in view of Ma et al (US 2020/0206920 A1), as applied to claim 2 and 12 and further in view of Fairweather (US 2006/0235811 A1).
As per claim 3, rejection of claim 2 is incorporated,
Combined method of Chandrasekharan and Ma does not explicitly discloses wherein generating the plurality of event clusters comprises applying a deterministic finite automaton (DFA) algorithm over the plurality of normalized event records. However, in the same field of endeavor Fairweather in an analogous art disclose wherein generating the plurality of event clusters comprises applying a deterministic finite automaton (DFA) algorithm over the plurality of normalized event records (deterministic Finite Algorithm (DFA) applied to lexical analyzation of a data stream and normalization, Para [0268], [0284]).
Therefore, it would have been obvious to a person of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Chandrasekharan, as previously modified with Ma with the teaching of Fairweather by modifying Chandrasekharan such that sequence of stream are parsed into token and analyzed using DFA. The motivation for doing so would be looking up a given word in a data stream efficiently, (Fairweather, Para [0294]).
As per claims 13,
Claim 13 is a system claim corresponding to method claim 3 respectively and rejected under the same reason set forth to the rejection of claim 3 above.
Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MOHAMMED R UDDIN whose telephone number is (571)270-3138. The examiner can normally be reached M-F: 9:00 AM-5:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Beausoliel Robert can be reached at 571-272-3645. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/MOHAMMED R UDDIN/Primary Examiner, Art Unit 2167