United States Patent and Trademark Office

Commissioner for Patents
United States Patent and Trademark Office
P.O. Box 1450
Alexandria, VA 22313-1450
www.uspto.gov











BEFORE THE PATENT TRIAL AND APPEAL BOARD


Application Number: 15/368,845
Filing Date: 5 Dec 2016
Appellant(s): Park et al.



__________________
David H. Judson (30,467)
For Appellant


EXAMINER’S ANSWER





This is in response to the appeal brief filed 04/15/2021.
(1) Grounds of Rejection to be Reviewed on Appeal
Every ground of rejection set forth in the Office action dated 05/21/2020 from which the appeal is taken is being maintained by the examiner except for the grounds of rejection (if any) listed under the subheading “WITHDRAWN REJECTIONS.”  New grounds of rejection (if any) are provided under the subheading “NEW GROUNDS OF REJECTION.”

(2) Response to Argument
As an initial matter, it is noted that many (if not all) of the arguments here are repeated from the Appellants' prior responses.  Each argument has already been responded to and addressed in the prior Office Actions, and the appellants have not responded accordingly.  Appellants continue to present the same arguments here.  Many of the responses from the Examiner presented below are verbatim from the Office Actions.

Group I


“First”

Appellants initially argue that the office action contradicts itself, saying that the office action states that Brezinski does not explicitly teach a limitation, and then goes on to say that the limitation is taught.  However, such statements do not contradict one another.  The prior office action states that Brezinski does not “explicitly” teach that limitation (“curated by a domain expertise”).  However, the limitations are implicit and can be inferred from the example Brezinski provides.  As appellants have been contending what “curated by a domain expertise” may be, the Examiner, to expedite prosecution, has further provided an additional reference to
Appellants continue to argue that Brezinski does not teach the limitations as Brezinski’s “event data” is not security and threat information from one or more structured data sources (wherein the structured data sources are curated by a domain expertise).  Appellants argue that Brezinski’s event data is merely raw data.  This is not persuasive for several reasons.
First, all the different devices working together can be considered a structured data source as all the systems (host device, intermediate device, event data storage system, etc., as seen in claim 1) work together as a unified security system to gather and process data.  The reference is directed toward a security system, and thus, as such, this security system and all its components may be considered as structured data sources and the data it provides is structured.
Second, the intermediate devices by themselves can be considered a domain expert and the information they provide is curated.  As seen in col. 13 lines 10-25, the intermediate device may include devices such as the analysis device.  Analysis devices, as seen throughout the reference, and also in col. 8 lines 5-30, gather information and generate structured data such as graphs relating events.  In addition, the intermediate devices, as described in col. 13 lines 20-30, may gather information and generate log files, etc.  This is clearly an example of curated information from a structured data source.  Thus, it is implicit that Brezinski’s information is curated by a domain expertise.

Fourth, the rejection clearly teaches structured data curated by a domain expertise, in accordance with the appellant’s own specification.  On page 30 of the Appellant’s specification, the specification recites “Typically, structured data sources are carefully curated by domain experts.  Examples include, without limitation, IBM X-Force Exchange, Virus Total, blacklists, Common Vulnerability Scoring System scores, and others…. While modern security tools (e.g., SIEM) can consult structured data sources directly, they do not have the capability to understand information in “unstructured text.””  As seen in Roundy, in paragraph 47, Roundy teaches receiving information from a SIEM system, and also other sources such as an antivirus system, intrusion-detection system, vulnerability scanner, etc.  These examples found in the Roundy reference teach exactly what is taught in the applicant’s specification.  Thus, Roundy teaches collecting data from structured data sources curated by domain experts, as defined in the appellant’s specification.



“Second”
Appellants argue that Brezinski does not teach wherein one or more entities identified in the initial version of the knowledge graph are then used to obtain additional security and threat intelligence information extracted from one or more data sources.  This is not persuasive.  As seen in Figure 1, the event data 110 is collected.  This data can be from multiple host devices 102 and intermediate devices.  As further seen in Figure 1, a graph is generated, and this graph has vertices corresponding to entities which include “host devices.”  This information can be collected from other host devices or intermediate devices to build event data 110.  The event data collected by the host devices are events that are occurring on that device, and thus, the entities identified in the initial version of the knowledge graph are used to obtain additional security and threat intelligence information as the information gathered is constantly updated.  Thus, the cause/effect relationship of using the identified entities in the initial version of the knowledge graph to receive additional information is clearly taught.    

“Third”


“Fourth”
Appellants argue that Brezinski does not teach receiving the additional security information which includes text in which the one or more entities appear.  In response to applicant's arguments against the references individually, one cannot show non-obviousness by attacking references individually where the rejections are based on combinations of references.  See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).  Brezinski was used to teach receiving additional information, and further taught that information is related to the devices in which entities appear (see 2nd argument above).  The secondary reference, Stephan, was used to show that it would have been obvious to utilize information from textual data, such as data received from data mining.  Further, note Zhang to address the “natural language-based unstructured data source.”  As Brezinski teaches receiving additional information and teaches that information is related to the devices in which they appear, Stephan teaches data mining textual data, and Zhang further teaches deriving information from natural language, the limitation of retrieving information with a natural language source which includes text in which an entity appears would have been obvious to one of ordinary skill in the art.

“Fifth”
Appellants argue that the references do not teach processing the text to extract relationships involving the one or more entities to generate entities and relationships extracted from the unstructured data sources.  Again, appellant’s arguments against the references individually are not persuasive (see arguments above).  This was addressed in the prior response and reiterated here.  The primary reference already teaches building knowledge graphs and modifying the knowledge graphs based on information and updated information received from different sources.  Stephan was used to further teach that the data may be from unstructured data sources.  And, as the prior rejection showed, Stephan shows that extracting information from text would have been obvious, as Stephan teaches data mining, in which data

“Sixth”
Appellants argue that Zhang does not make up for the above deficiencies.  However, as seen in the arguments above, the combination with the Zhang reference renders the claimed invention obvious.  As seen above, appellant’s arguments against the references individually are not persuasive.

“Seventh”
Appellants argue that Roundy does not teach curation, nor does it teach curation by a domain expertise.  As mentioned above, Brezinski already implicitly teaches such limitations and infers this.  Roundy was used to supplement the rejection.  Further, Roundy by itself clearly shows the obviousness of receiving security and threat intelligence information from one or more structured data sources, with one of the structured data sources curated by a domain expertise.  Paragraph 47 explicitly recites “detecting module 104 may receive information about a suspicious event from a system designed to detect, collect, and/or manage information about suspicious events.”  This clearly teaches an expert (security system designed to collect) and curation (collect and/or manage information about suspicious events).  Further, as seen in paragraph 47, such information can come from antivirus systems, firewalls, intrusion-detection
Appellants also argue that the motivation to combine Brezinski with Stephan is in error as Brezinski already teaches security and one of ordinary skill in the art would not be motivated to provide another system to provide security.  This is not persuasive.  See MPEP 2144.06: "It is prima facie obvious to combine two compositions each of which is taught by the prior art to be useful for the same purpose, in order to form a third composition to be used for the very same purpose.... [T]he idea of combining them flows logically from their having been individually taught in the prior art." In re Kerkhoven, 626 F.2d 846, 850, 205 USPQ 1069, 1072 (CCPA 1980).

Group II

Appellants argue that the combined references (now including the Shahar reference) do not teach the amended limitations as the Shahar reference is only directed toward “patterns” and “threat patterns,” and does not include the claimed limitations of “contextual and structural features of the text.”
As seen in the response to arguments above, appellants are attacking the references individually.  One cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references.  See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).  As seen in the prior office action and in the responses above, the combined references already teach extracting information from unstructured data sources and from textual information (for example, Stephan paragraph 21 already teaches data mining; see Zhang col. 5 lines 40-51 

Group III

Appellants argue that the Examiner has made a procedural error, as claim 4 is dependent on claim 3, and thus should have been rejected under Brezinski, Stephan, Zhang, Roundy, Shahar, and Srinivasa.  Appellants argue that claim 4 was only rejected under Brezinski, Stephan, Zhang, Roundy, and Srinivasa (and not Shahar).  However, appellants have mistakenly made the wrong assumption.  As seen in the prior office action, these claims were rejected under the “Brezinski” combination.  The “Brezinski combination” covers all of the references applied respectively up to this point, and thus the “Brezinski combination” refers to all the applied references (Brezinski, Stephan, Zhang, Roundy, and Shahar).  Appellant’s interpretation is thus incorrect, and thus the claims are rejected correctly.
Further, appellants argue that the rejection should be reversed for the same reason as indicated in Group II above.  However, appellant’s arguments are not persuasive for the same reasons as indicated above.

Group IV

Appellants argue that the combined references do not teach the claimed limitations, as the Stephan reference does not teach weighting text patterns, ranking weighted text patterns, 



For the above reasons, it is believed that the rejections should be sustained.
Respectfully submitted,

/JASON K GEE/Primary Examiner, Art Unit 2495
Conferees:
/JEFFERY L WILLIAMS/Primary Examiner, Art Unit 2495
/FARID HOMAYOUNMEHR/Supervisory Patent Examiner, Art Unit 2495
Requirement to pay appeal forwarding fee.  In order to avoid dismissal of the instant appeal in any application or ex parte reexamination proceeding, 37 CFR 41.45 requires payment of an