DETAILED ACTION
This Office Action is in response to an application filed on March 4, 2025, in which claims 1 through 17 are pending, and ready for examination.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claim Objections
Claim 5, 10, and 16 are objected to because of the following informalities:
Claim 5 recites: “to the determined at least on threshold of each metric”
Claim should recite: “at least one threshold”
Claim 10 recites: “A system for detecting and analyzing unmanaged SaaS applications comprising: one or more processors configured to”
Claim is directed to a system comprising of one or more processors. Claim should either disclose more components that make up a system or state that claim 10 is a single device/machine.
Claim 16 is objected to for the same reasons articulated above as to pertains to claim 5
Appropriate correction is required.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 10 – 17 are rejected as the claimed invention is directed to non-statutory subject matter.
Claim 10 is purportedly direct to a “system”. However, the claimed system comprises one component: “one or more processors”. Under the broadest reasonable interpretation in view of the specification, the claimed processor is merely a software processor. This is buttressed by the instant application’s Specification at paragraph [0065] which states, “[t]he various embodiments disclosed herein can be implemented as hardware, firmware, software, or any combination thereof.” Therefore, the broadest reasonable interpretation of the claimed “system” is software per se. A claim that recites no more than software, logic, or a data structure (i.e., an abstraction) does not fall within any statutory category. In re Warmerdam, 33 F.3d 1354,1361 (Fed. Cir. 1994). Significantly, "[a]bstract software code is an idea without physical embodiment." Microsoft Corp. v. AT& T Corp., 550 U.S. 437, 449 (2007). Manipulation of data utilizing a computer program (software), no matter its function, is nothing more than the representation of an algorithm or group of algorithms, conceptually no different from a list of steps written down with pencil and paper for execution by a human being. See In re Ferguson, 558 F.3d 1359, 1363 (Fed. Cir. 2009) (quoting Gottschalk v. Benson, 409 U.S. 63, 67 (1972)). The subject matter of claims permitted within 35 U.S.C. 101 must be a machine, a manufacture, a process, or a composition of matter. "[T]he four categories [of §101] together describe the exclusive reach of patentable subject matter. If the claim covers material not found in any of the four statutory categories, that claim falls outside the plainly expressed scope of §101 even if the subject matter is otherwise new and useful." In re Nuijten, 500 F.3d 1346, 1354 (Fed. Cir. 2007); accord In re Ferguson, 558 F.3d 1359 (Fed. Cir. 2009).
Claims 11 – 17 are each dependent from claim 10, fail to remedy the issue(s) noted above with regard to claim 10 under this title, and are therefore also rejected under the same rationale as claim 10, based upon that dependency.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1, 2, 4 – 6, 8 – 12, 15 – 17 are rejected under 35 U.S.C. 103 as being unpatentable over US Publication US 20170251013 A1, Kirti et al. (hereinafter Kirti), in view of US Publication US 20210288983 A1, Tambuluri et al. (hereinafter Tambuluri).
Regarding claim 1, Kirti discloses a method for detecting and analyzing unmanaged SaaS applications, comprising:
identifying at least one SaaS application based on a comparison of a set of SaaS application identifiers and entries in a SaaS application database; (Kirti; [0170]; [0074]– [0075]; " Obtaining data about network activity may include obtaining network data from one or more network devices on the network… Data analysis system 236 may perform operations to identify domain information about a domain of a service provider that provides an application." Kirti discloses a system that identifies applications by extracting network-traffic-derived identifiers (domain names, URLs, and application signatures) and comparing them against the stored application information database (App info 232))
verifying, through analysis of user interactions, when the identified at least one SaaS application is unmanaged; (Kirti; [0055] – [0056]; [0159]; “Security monitoring and control system 102 can monitor application activity based on network activity by client devices of an organization through network data from one or more agents operating on network devices. Security monitoring and control system 102 can analyze and correlate data from applications to provides a deep visibility into the activities in an organization and helps to detect anomalies or emerging threats and security risks based on application usage... The security risk may be used to determine whether the application may be unauthorized or unsanctioned for use by a user in an organization.” Kirti discloses that security monitoring and control system 102 monitors application activity based on network activity by client devices. The network activity then produces activity data which is then used to determine whether an application is unauthorized or unsanctioned for use by a user in an organization.)
computing, … , confidence scores of each unmanaged SaaS application, wherein a confidence score is a measure of certainty of the verification that a SaaS application is unmanaged (Kirti; [0009] – [0014]; “The information about an application may be used to compute a measure of security for an application (“an application risk score”) and a user (“a user risk score”)… Computing the measure of security may include computing a first weighted value that is based on multiplying the first value by a first weight value; computing a second weighted value that is based on multiplying the second value by a second weight value; computing a weighted summation that is based on a summation of the first weighted value and the second weighted value; and computing a weight summation that is based on a summation of the first weight value and the second weight value. The measure of security may be a value that is computed based on dividing the weighted summation by the weight summation. In some embodiments, the first weight value is different from the second weight value. In some embodiments, the first value is different from the second value.” Kirti discloses computation of risk scores via weighted summation for each application which includes managed and unmanaged SaaS applications.)
Kirti does not explicitly disclose, but Tambuluri teaches in the same field of endeavor the use of a trained supervised machine learning model to compute confidence scores (Tambuluri; [0005]; [0024]; “transforms an unsupervised learning problem into a supervised learning problem by fixing a target label and learning a regressor without a constant or intercept… determining an anomaly score for a production event based on calculated likelihood coefficients of categorized feature-value pairs and a prevalencist probability value of the production event comprising the coded features-value pairs.” Tambuluri discloses detected SaaS events are anomalous based on probability-based confidence scores expressing certainty to whether or not an event is anomalous.
Accordingly, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to substitute Kirti’s weighted-summation scoring with the trained supervised ML scoring of Tambuluri in order to yield the predictable result of more accurate, data-driven unmanaged application detection.
Regarding claim 2, Kirti in view of Tambuluri discloses the method of claim 1, wherein identifying an unmanaged SaaS application further comprises:
connecting to at least one security tool; retrieving traffic data from the at least one security tool, wherein traffic data includes logs; (Kirti; [0071]; “Log collector system 234 may communicate with log managers 246, 266 and/or agents 244, 264 to gather data about network activity within a computing environment.” Kirti discloses a log collector system connects to log managers and agents (security tools) and retrieves traffic data including log files.) identifying meaningful user interactions with a suspected SaaS application, wherein a set of identifiers associated with each suspected SaaS application is identified; (Kirti; [0127]; [0133]; [0065]; [0074] – [0075]; Kirti discloses network data reflecting meaningful user interactions with suspected SaaS applications, and the extracted domain names, URLs, and application signatures constitute the identified set of identifiers.) generating a key for the set of identifiers associated with each suspected SaaS application; and comparing each key to entries in a SaaS application database. (Kirti; [0127] – [0133]; [0175]; “The apps events may be used to determine unique information identifying each application… A third-party data source may be queried for information about a domain based on the access information. For example, a NSlookup command may be issued to determine a domain of an IP address in the access information.” Under BRI, the unique composite of identifiers derived from network traffic and used to identify a specific application constitutes a “key” for that application’s identifier set. Kirti discloses the access information is used as the key input to perform the database lookup.)
Regarding claim 4, Kirti in view of Tambuluri discloses the method of claim 1, further comprising:
generating a list of identified unmanaged SaaS applications prioritized based on the computed confidence scores and security risk scores (Kirti; [0009] – [0014]; “The information about an application may be used to compute a measure of security for an application (“an application risk score”) and a user (“a user risk score”)… Computing the measure of security may include computing a first weighted value that is based on multiplying the first value by a first weight value; computing a second weighted value that is based on multiplying the second value by a second weight value; computing a weighted summation that is based on a summation of the first weighted value and the second weighted value; and computing a weight summation that is based on a summation of the first weight value and the second weight value. The measure of security may be a value that is computed based on dividing the weighted summation by the weight summation. In some embodiments, the first weight value is different from the second weight value. In some embodiments, the first value is different from the second value.” Kirti discloses a computation of application risk scores for each identified application and applies security policies based on those scores. Under BRI, generating a prioritized ordering of applications based on computed confidence scores and risk scores is a direct and predictable application of Kirti’s risk scoring framework).
Regarding claim 5, Kirti in view of Tambuluri discloses the method of claim 1, wherein computing confidence scores using a trained supervised ML model further comprises:
collecting a dataset of traffic data, wherein the traffic data has associated metrics; (Kirti; [0170]; "obtaining data about network activity includes obtaining network data from one or more network devices on the network" Kirti discloses collecting network activity data from log files and network devices as the training dataset. (Tambuluri; [0052]; “ An event can have three aspects: a timestamp indicating when the event occurred; a set of dimensions indicating various attributes about the event; and a set of metrics related to the event” Tambuluri discloses the associated metrics of the traffic data.)) determining at least one threshold for each metric based on predefined criteria; (Tambuluri; [0099]; [0197]; “ if the relative-spike ratio exceeds a configurable threshold, this indicates that the current event is statistically unusual… the threshold is pre-configured by a system administrator.” Tambuluri discloses a configurable threshold applied to each feature metric to determine statiscal unusualness) labeling traffic data of the dataset according to the determined at least one threshold, wherein the traffic data is assigned a label based on a value of the traffic data with respect to the determined at least on threshold of each metric; (Tambuluri; [0024]; “transforms an unsupervised learning problem into a supervised learning problem by fixing a target label.”) inputting the labeled traffic data of the dataset into a machine learning model; and training the machine learning model to compute confidence scores based on the labeled traffic data of the dataset, wherein the computation is determined by the value of the metric with respect to corresponding thresholds (Tambuluri; [0024]; [0039]; “determining an anomaly score for a production event based on calculated likelihood coefficients of categorized feature-value pairs and a prevalencist probability value of the production event comprising the coded features-value pairs… every chunk of incoming data is used twice: (1) to look for anomalies in it and (2) to update the so-called known or normal behavior models incrementally.” Tambuluri discloses labeled event data is input into the ML model (SGD-based regressor), which is trained to compute likelihood coefficient-based confidence scores, where the computation is determined by feature-metric values relative to the applicable thresholds).
Regarding claim 6, Kirti in view of Tambuluri discloses the method of claim 2:
wherein the at least one security tool is an Endpoint Detection and Response (EDR) system (Kiriti; [0077]; [0071]; "security monitoring and control system 102 may implement a module (e.g., an agent) on each client device 106… Each log manager can collect and/or aggregate data from one or more agents...implemented to collect data about network activity." Kirti discloses a security monitoring and control system that operates on an endpoint device which collects and reports event data to a central security system. Under BRI this constitutes an EDR system as an EDR system continuously monitors devices to detect, investigate, and automatically reports threats to a centralized security system).
Regarding claim 8, Kirti in view of Tambuluri discloses the method of claim 1:
wherein the SaaS application database includes a curated, up-to-date dataset of at least identifiers and traffic data associated with known SaaS applications (Kirti; [0021]; [0074]; "Data analysis system 236 may perform operations to identify domain information about a domain of a service provider that provides an application… searching, using the access information, for domain information about a provider system that provides the third application." Kirti discloses a stored application information database (App info 232) containing organization obtained domain detail identifiers and traffic data gathered from network activity logs associated with known SaaS applications).
Regarding claim 9, Kirti discloses a non-transitory computer-readable medium storing a set of instructions for detecting and analyzing unmanaged SaaS applications, the set of instructions comprising: one or more instructions that, when executed by one or more processors of a device, cause the device to: (Kirti; [0011]; “a non-transitory computer-readable medium, including instructions stored thereon may be implemented such that when executed on a processor, it may perform methods disclosed herein.”)
identify at least one SaaS application based on a comparison of a set of SaaS application identifiers and entries in a SaaS application database; (Kirti; [0170]; [0074]– [0075]; " Obtaining data about network activity may include obtaining network data from one or more network devices on the network… Data analysis system 236 may perform operations to identify domain information about a domain of a service provider that provides an application." Kirti discloses a system that identifies applications by extracting network-traffic-derived identifiers (domain names, URLs, and application signatures) and comparing them against the stored application information database (App info 232))
verify, through analysis of user interactions, when the identified at least one SaaS application is unmanaged; (Kirti; [0055] – [0056]; [0159]; “Security monitoring and control system 102 can monitor application activity based on network activity by client devices of an organization through network data from one or more agents operating on network devices. Security monitoring and control system 102 can analyze and correlate data from applications to provides a deep visibility into the activities in an organization and helps to detect anomalies or emerging threats and security risks based on application usage... The security risk may be used to determine whether the application may be unauthorized or unsanctioned for use by a user in an organization.” Kirti discloses that security monitoring and control system 102 monitors application activity based on network activity by client devices. The network activity then produces activity data which is then used to determine whether an application is unauthorized or unsanctioned for use by a user in an organization.)
compute, … , confidence scores of each unmanaged SaaS application, wherein a confidence score is a measure of certainty of the verification that a SaaS application is unmanaged; (Kirti; [0009] – [0014]; “The information about an application may be used to compute a measure of security for an application (“an application risk score”) and a user (“a user risk score”)… Computing the measure of security may include computing a first weighted value that is based on multiplying the first value by a first weight value; computing a second weighted value that is based on multiplying the second value by a second weight value; computing a weighted summation that is based on a summation of the first weighted value and the second weighted value; and computing a weight summation that is based on a summation of the first weight value and the second weight value. The measure of security may be a value that is computed based on dividing the weighted summation by the weight summation. In some embodiments, the first weight value is different from the second weight value. In some embodiments, the first value is different from the second value.” Kirti discloses computation of risk scores via weighted summation for each application which includes managed and unmanaged SaaS applications.)
Kirti does not explicitly disclose, but Tambuluri teaches in the same field of endeavor the use of a trained supervised machine learning model to compute confidence scores (Tambuluri; [0005]; [0024]; “transforms an unsupervised learning problem into a supervised learning problem by fixing a target label and learning a regressor without a constant or intercept… determining an anomaly score for a production event based on calculated likelihood coefficients of categorized feature-value pairs and a prevalencist probability value of the production event comprising the coded features-value pairs.” Tambuluri discloses detected SaaS events are anomalous based on probability-based confidence scores expressing certainty to whether or not an event is anomalous.
Accordingly, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to substitute Kirti’s weighted-summation scoring with the trained supervised ML scoring of Tambuluri in order to yield the predictable result of more accurate, data-driven unmanaged application detection.
Regarding claim 10, Kirti discloses a system for detecting and analyzing unmanaged SaaS applications comprising: one or more processors configured to: (Kirti; [0011]; “A computer system may include one or more processors and one or more memory accessible to the one or more processors and storing one or more instructions that, upon execution by the one or more processors, causes the one or more processors to implement methods and/or operations disclosed herein.”)
identify at least one SaaS application based on a comparison of a set of SaaS application identifiers and entries in a SaaS application database; (Kirti; [0170]; [0074]– [0075]; " Obtaining data about network activity may include obtaining network data from one or more network devices on the network… Data analysis system 236 may perform operations to identify domain information about a domain of a service provider that provides an application." Kirti discloses a system that identifies applications by extracting network-traffic-derived identifiers (domain names, URLs, and application signatures) and comparing them against the stored application information database (App info 232))
verify, through analysis of user interactions, when the identified at least one SaaS application is unmanaged; (Kirti; [0055] – [0056]; [0159]; “Security monitoring and control system 102 can monitor application activity based on network activity by client devices of an organization through network data from one or more agents operating on network devices. Security monitoring and control system 102 can analyze and correlate data from applications to provides a deep visibility into the activities in an organization and helps to detect anomalies or emerging threats and security risks based on application usage... The security risk may be used to determine whether the application may be unauthorized or unsanctioned for use by a user in an organization.” Kirti discloses that security monitoring and control system 102 monitors application activity based on network activity by client devices. The network activity then produces activity data which is then used to determine whether an application is unauthorized or unsanctioned for use by a user in an organization.)
compute, … , confidence scores of each unmanaged SaaS application, wherein a confidence score is a measure of certainty of the verification that a SaaS application is unmanaged; (Kirti; [0009] – [0014]; “The information about an application may be used to compute a measure of security for an application (“an application risk score”) and a user (“a user risk score”)… Computing the measure of security may include computing a first weighted value that is based on multiplying the first value by a first weight value; computing a second weighted value that is based on multiplying the second value by a second weight value; computing a weighted summation that is based on a summation of the first weighted value and the second weighted value; and computing a weight summation that is based on a summation of the first weight value and the second weight value. The measure of security may be a value that is computed based on dividing the weighted summation by the weight summation. In some embodiments, the first weight value is different from the second weight value. In some embodiments, the first value is different from the second value.” Kirti discloses computation of risk scores via weighted summation for each application which includes managed and unmanaged SaaS applications.)
Kirti does not explicitly disclose, but Tambuluri teaches in the same field of endeavor the use of a trained supervised machine learning model to compute confidence scores (Tambuluri; [0005]; [0024]; “transforms an unsupervised learning problem into a supervised learning problem by fixing a target label and learning a regressor without a constant or intercept… determining an anomaly score for a production event based on calculated likelihood coefficients of categorized feature-value pairs and a prevalencist probability value of the production event comprising the coded features-value pairs.” Tambuluri discloses detected SaaS events are anomalous based on probability-based confidence scores expressing certainty to whether or not an event is anomalous.
Accordingly, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to substitute Kirti’s weighted-summation scoring with the trained supervised ML scoring of Tambuluri in order to yield the predictable result of more accurate, data-driven unmanaged application detection.
Regarding claim 11, Kirti in view of Tambuluri discloses the system of claim 10, wherein the one or more processors, when identifying an unmanaged SaaS application, are configured to:
connect to at least one security tool; retrieve traffic data from the at least one security tool, wherein traffic data includes logs; (Kirti; [0071]; “Log collector system 234 may communicate with log managers 246, 266 and/or agents 244, 264 to gather data about network activity within a computing environment.” Kirti discloses a log collector system connects to log managers and agents (security tools) and retrieves traffic data including log files.) identify meaningful user interactions with a suspected SaaS application, wherein a set of identifiers associated with each suspected SaaS application is identified; (Kirti; [0127]; [0133]; [0065]; [0074] – [0075]; Kirti discloses network data reflecting meaningful user interactions with suspected SaaS applications, and the extracted domain names, URLs, and application signatures constitute the identified set of identifiers.) generate a key for the set of identifiers associated with each suspected SaaS application; and compare each key to entries in a SaaS application database. (Kirti; [0127] – [0133]; [0175]; “The apps events may be used to determine unique information identifying each application… A third-party data source may be queried for information about a domain based on the access information. For example, a NSlookup command may be issued to determine a domain of an IP address in the access information.” Under BRI, the unique composite of identifiers derived from network traffic and used to identify a specific application constitutes a “key” for that application’s identifier set. Kirti discloses the access information is used as the key input to perform the database lookup.)
Regarding claim 12, Kirti in view of Tambuluri discloses the system of claim 11:
wherein the at least one security tool is an Endpoint Detection and Response (EDR) system (Kiriti; [0077]; [0071]; "security monitoring and control system 102 may implement a module (e.g., an agent) on each client device 106… Each log manager can collect and/or aggregate data from one or more agents...implemented to collect data about network activity." Kirti discloses a security monitoring and control system that operates on an endpoint device which collects and reports event data to a central security system. Under BRI this constitutes an EDR system as an EDR system continuously monitors devices to detect, investigate, and automatically reports threats to a centralized security system).
Regarding claim 15, Kirti in view of Tambuluri discloses the system of claim 10, wherein the one or more processors are further configured to:
generate a list of identified unmanaged SaaS applications prioritized based on the computed confidence scores and security risk scores (Kirti; [0009] – [0014]; “The information about an application may be used to compute a measure of security for an application (“an application risk score”) and a user (“a user risk score”)… Computing the measure of security may include computing a first weighted value that is based on multiplying the first value by a first weight value; computing a second weighted value that is based on multiplying the second value by a second weight value; computing a weighted summation that is based on a summation of the first weighted value and the second weighted value; and computing a weight summation that is based on a summation of the first weight value and the second weight value. The measure of security may be a value that is computed based on dividing the weighted summation by the weight summation. In some embodiments, the first weight value is different from the second weight value. In some embodiments, the first value is different from the second value.” Kirti discloses a computation of application risk scores for each identified application and applies security policies based on those scores. Under BRI, generating a prioritized ordering of applications based on computed confidence scores and risk scores is a direct and predictable application of Kirti’s risk scoring framework).
Regarding claim 16, Kirti in view of Tambuluri discloses the system of claim 10, wherein the one or more processors, when computing confidence scores using a trained supervised ML model, are configured to:
collect a dataset of traffic data, wherein the traffic data has associated metrics; (Kirti; [0170]; "obtaining data about network activity includes obtaining network data from one or more network devices on the network" Kirti discloses collecting network activity data from log files and network devices as the training dataset. (Tambuluri; [0052]; “ An event can have three aspects: a timestamp indicating when the event occurred; a set of dimensions indicating various attributes about the event; and a set of metrics related to the event” Tambuluri discloses the associated metrics of the traffic data.)) determine at least one threshold for each metric based on predefined criteria; (Tambuluri; [0099]; [0197]; “ if the relative-spike ratio exceeds a configurable threshold, this indicates that the current event is statistically unusual… the threshold is pre-configured by a system administrator.” Tambuluri discloses a configurable threshold applied to each feature metric to determine statiscal unusualness) label traffic data of the dataset according to the determined at least one threshold, wherein the traffic data is assigned a label based on a value of the traffic data with respect to the determined at least on threshold of each metric; (Tambuluri; [0024]; “transforms an unsupervised learning problem into a supervised learning problem by fixing a target label.”) input the labeled traffic data of the dataset into a machine learning model; and train the machine learning model to compute confidence scores based on the labeled traffic data of the dataset, wherein the computation is determined by the value of the metric with respect to corresponding thresholds (Tambuluri; [0024]; [0039]; “determining an anomaly score for a production event based on calculated likelihood coefficients of categorized feature-value pairs and a prevalencist probability value of the production event comprising the coded features-value pairs… every chunk of incoming data is used twice: (1) to look for anomalies in it and (2) to update the so-called known or normal behavior models incrementally.” Tambuluri discloses labeled event data is input into the ML model (SGD-based regressor), which is trained to compute likelihood coefficient-based confidence scores, where the computation is determined by feature-metric values relative to the applicable thresholds).
Regarding claim 17, Kirti in view of Tambuluri discloses the system of claim 10:
wherein the SaaS application database includes a curated, up-to-date dataset of at least identifiers and traffic data associated with known SaaS applications (Kirti; [0021]; [0074]; "Data analysis system 236 may perform operations to identify domain information about a domain of a service provider that provides an application… searching, using the access information, for domain information about a provider system that provides the third application." Kirti discloses a stored application information database (App info 232) containing organization obtained domain detail identifiers and traffic data gathered from network activity logs associated with known SaaS applications).
Claims 3 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over 35 U.S.C. 103 as being unpatentable over US Publication US 20170251013 A1, Kirti et al. (hereinafter Kirti), in view of US Publication US 20210288983 A1, Tambuluri et al. (hereinafter Tambuluri), further in view of WIPO Publication 2022246131 A1, Liao et al. (hereinafter Liao).
Regarding claim 3, Kirti in view of Tambuluri discloses the method of claim 1, wherein verifying whether the identified SaaS application is unmanaged further comprises:
enriching traffic data; (Kirti; [0074]; “Data analysis system 236 may perform operations to identify domain information about a domain of a service provider that provides an application.” Kirti discloses augments to raw network traffic data with application domain details and organization information)
Kirti does not explicitly disclose but Liao teaches in the same field of endeavor:
calculating usage statistics for users over a pre-determined time period, wherein usage statistics include data about user interactions with SaaS applications; (Liao; [0101]; [0130]; “utilize statistical- based algorithms based on heuristic performance to detect outliers in user behavior, such as a large number of file downloads or uploads that deviate from a user's normal usage behavior, including brute force and malicious insider actions… The decay curve is based on a decay window of 90 days” Liao calculates usage statistics for users, including data about user interactions with SaaS applications, over a 90-day decay window)
comparing a selected user’s interactions with the identified SaaS application to similar users’ interactions with the identified SaaS application (Liao; [0111]; [0123]; “A group which is too small (usually less than 100 people or 10% of the organization population), or too large (usually more than 500 people or 80% of the whole organization population) will not be considered… user’s latest behavior compared with the baseline statistical models of the same user and their peer group in order to identify anomalies.” Liao discloses comparison of selected user’s SaaS interaction behaviors against the statistical baseline profiles of peer group users).
Accordingly, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Kirti’s user interaction verification with Liao’s usage statistics calculation and peer-normalized usage statistics to more accurately analyze and distinguish unmanaged SaaS usage from legitimate use.
Regarding claim 13, Kirti in view of Tambuluri disclose the system of claim 10, where in the one or more processors, when verifying whether the identified SaaS application is unmanaged, are configured to:
enrich traffic data; (Kirti; [0074]; “Data analysis system 236 may perform operations to identify domain information about a domain of a service provider that provides an application.” Kirti discloses augments to raw network traffic data with application domain details and organization information)
Kirti does not explicitly disclose but Liao teaches in the same field of endeavor:
calculate usage statistics for users over a pre-determined time period, wherein usage statistics include data about user interactions with SaaS applications; (Liao; [0101]; [0130]; “utilize statistical- based algorithms based on heuristic performance to detect outliers in user behavior, such as a large number of file downloads or uploads that deviate from a user's normal usage behavior, including brute force and malicious insider actions… The decay curve is based on a decay window of 90 days” Liao calculates usage statistics for users, including data about user interactions with SaaS applications, over a 90-day decay window)
compare a selected user’s interactions with the identified SaaS application to similar users’ interactions with the identified SaaS application (Liao; [0111]; [0123]; “A group which is too small (usually less than 100 people or 10% of the organization population), or too large (usually more than 500 people or 80% of the whole organization population) will not be considered… user’s latest behavior compared with the baseline statistical models of the same user and their peer group in order to identify anomalies.” Liao discloses comparison of selected user’s SaaS interaction behaviors against the statistical baseline profiles of peer group users).
Accordingly, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Kirti’s user interaction verification with Liao’s usage statistics calculation and peer-normalized usage statistics to more accurately analyze and distinguish unmanaged SaaS usage from legitimate use.
Claims 7 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over 35 U.S.C. 103 as being unpatentable over US Publication US 20170251013 A1, Kirti et al. (hereinafter Kirti), in view of WIPO Publication 2022246131 A1, Liao et al. (hereinafter Liao), further in view of US Publication US 20250148289 A1, Mukherjee et al. (hereinafter Mukherjee).
Regarding claim 7, Kirti in view of Liao discloses the method of claim 3,
Kirti in view of Liao does not explicitly disclose but Mukherjee teaches in the same field of endeavor:
generating a prompt for a generative Al (genAl) system, wherein the prompt includes at least traffic data and a prompt template; (Mukherjee; [0061] – [0062]; “a standardized prompt template 610 is constructed, embedding the user’s original query 604 within it… This prompt template is then channeled to the LLM 612. The dataframe 608 also provides tools 613 to the agent 605 to aid in shaping the ultimate reply.” Mukherjee constructs a standardized prompt template embedding network data within it and channels the prompt to one or more LLMs (generative AI systems)
and executing the prompt, by the genAl system, to determine enrichment information relevant to the traffic data (Mukherjee; [0025]; “telemetry and inventory data are joined in a manner which provides a more comprehensive dataset that includes both dynamic telemetry data and static inventory details.” Mukherjee channels the standardized prompt template to one or more LLMs and uses the LLM output to produce a more comprehensive enriched dataset).
Accordingly, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to apply Murkherjee’s prompt template/LLM enrichment methodology to Kirti’s traffic enrichment step in order to yield the predictable result of richer, semantically annotated traffic data for downstream SaaS identification.
Regarding claim 14, Kirti in view of Liao discloses the method of claim 13,
Kirti in view of Liao does not explicitly disclose but Mukherjee teaches in the same field of endeavor:
generate a prompt for a generative Al (genAl) system, wherein the prompt includes at least traffic data and a prompt template; (Mukherjee; [0061] – [0062]; “a standardized prompt template 610 is constructed, embedding the user’s original query 604 within it… This prompt template is then channeled to the LLM 612. The dataframe 608 also provides tools 613 to the agent 605 to aid in shaping the ultimate reply.” Mukherjee constructs a standardized prompt template embedding network data within it and channels the prompt to one or more LLMs (generative AI systems)
and execute the prompt, by the genAl system, to determine enrichment information relevant to the traffic data (Mukherjee; [0025]; “telemetry and inventory data are joined in a manner which provides a more comprehensive dataset that includes both dynamic telemetry data and static inventory details.” Mukherjee channels the standardized prompt template to one or more LLMs and uses the LLM output to produce a more comprehensive enriched dataset).
Accordingly, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to apply Murkherjee’s prompt template/LLM enrichment methodology to Kirti’s traffic enrichment step in order to yield the predictable result of richer, semantically annotated traffic data for downstream SaaS identification.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to NGUYEN-DUY KYLE NHAC NGUYEN whose telephone number is (571)270-0130. The examiner can normally be reached 7:30-5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Amir Mehrmanesh can be reached at (571) 270-3351. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/NGUYEN-DUY KYLE NGUYEN/ Examiner, Art Unit 2435
/J. BRANT MURPHY/ Primary Examiner, Art Unit 2435