DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statements (IDS) submitted are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statements are being considered by the examiner.

Claim Objections
Claim 17 is objected to because of the following informalities:  The claim ends with a semicolon instead of a period.  Appropriate correction is required.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1, 2, 4, 8, 9, and 13 are provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1, 3, 5, 6, 9, and 17 of copending Application No. 16/367,616. Although the claims at issue are not identical, they are not patentably distinct from each other because the claims of the instant application are anticipated by the ‘616 application, in that the claims of the ‘616 application contain all of the limitations of the claims of the instant application.  Claims 1, 2, 4, 8, 9, and 13 of the instant application are therefore not patentably distinct from the claims of the ‘616 application, and are therefore unpatentable for nonstatutory (obviousness-type) double patenting.

Claims of the instant application (16/367,561) compared with copending Application No. 16/367,616:
1. A method of determining that a first event of a plurality of events is associated with a security violation, wherein: the plurality of events further includes a second event associated with a security violation; the first event is associated with a monitored computing device; each event of the plurality of events is associated with a respective command-line record; and the method comprises: for each event of the plurality of events, determining a respective event vector based at least in part on at least a portion of the respective command-line record and on a trained representation mapping, wherein each event vector has a first number of elements; determining a respective reduced event vector for each of the respective event vectors, wherein each reduced event vector has a second number of elements smaller than the first number of elements; clustering the reduced event vectors to determine a respective cluster identifier for each of the reduced event vectors, wherein the first event is associated with a first cluster identifier
2. The method according to claim 1, further comprising: receiving event data from the monitored computing device via a network, the event data comprising at least some of the command-line record associated with the first event; and in response to the determining that the first cluster identifier matches the second cluster identifier, transmitting a security command to the monitored computing device to cause the monitored computing device to perform a mitigation action.


This is a provisional nonstatutory double patenting rejection because the patentably indistinct claims have not in fact been patented.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1 and 3-19 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Boros et al, US 2020/0106789.

As per claim 1, Boros et al teaches a method of determining that a first event of a plurality of events (paragraph 0015, lines 3-14) is associated with a security violation, wherein:
the plurality of events further includes a second event associated with a security violation (paragraph 0052, lines 1-12 and paragraph 0054, lines 1-12);

each event of the plurality of events is associated with a respective command-line record (paragraph 0019, lines 1-12 and paragraph 0052, lines 1-8); and
the method comprises:
for each event of the plurality of events, determining a respective event vector based at least in part on at least a portion of the respective command-line record and on a trained representation mapping, wherein each event vector has a first number of elements (paragraph 0019, lines 1-12 and paragraph 0052, lines 1-8);
determining a respective reduced event vector for each of the respective event vectors, wherein each reduced event vector has a second number of elements smaller than the first number of elements (the reduced event vector set having a second number of elements smaller than the first number of elements is interpreted as the anomalous data)(paragraph 0052, lines 1-12 and paragraph 0054, lines 1-12);
clustering the reduced event vectors to determine a respective cluster identifier for each of the reduced event vectors, wherein the first event is associated with a first cluster identifier and the second event is associated with a second cluster identifier (paragraph 0019, lines 1-14 and paragraph 0054, lines 1-12); and
determining that the first event is associated with a security violation based at least in part on the first cluster identifier matching the second cluster identifier (paragraph 0019, lines 4-8 and paragraph 0039, lines 1-7).
As per claim 3, it is disclosed wherein: the plurality of events comprises a first cluster of the events; each event in the first cluster is associated with the first cluster identifier (paragraph 0019, lines 1-14); and the method further comprises determining that the first event is associated with a security 
As per claim 4, it is disclosed wherein:
the trained representation mapping comprises an x2vec mapping (paragraph 0019, lines 8-12); and
the method comprises:
determining the reduced event vectors at least partly by determining a t-Distributed Stochastic Neighbor Embedding (t-SNE) of the event vectors in a space having a number of dimensions equal to the second number of elements; and the clustering comprises clustering the reduced event vectors using Hierarchical Density-Based Spatial Clustering of Applications with Noise (HDBSCAN)(paragraph 0036, lines 1-20 and paragraph 0054, lines 1-12).
As per claim 5, it is taught wherein:
the respective command-line record for each event comprises at least two command lines associated with that event (paragraph 0019, lines 1-8 and paragraph 0052, lines 1-8); and
the at least two command lines associated with the event comprise:
a command line of a first process, the first process being a process that triggered the event (paragraph 0052, lines 1-8);
a command line of a second process that is a parent process of the first process (paragraph 0019, lines 1-8 and paragraph 0052, lines 1-8); and
a command line of a third process that is a parent process of the second process (paragraph 0019, lines 1-8 and paragraph 0052, lines 1-8).
As per claim 6, Boros et al further discloses:

As per claim 7, it is taught wherein:
the respective command-line record for each event comprises at least two command lines associated with that event (paragraph 0019, lines 1-8); and
the method further comprises extracting the at least two terms at least partly by:
extracting, from a first command line of the at least two command lines, a contiguous sequence of non-punctuation characters as a first term of the at least two terms (paragraph 0032, lines 1-12); and
extracting, from the first command line, a contiguous sequence of punctuation characters as a second term of the at least two terms (paragraph 0019, lines 1-8 and paragraph 0032, lines 1-12).
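The following Python is an added illustration of the pipeline recited in claims 1, 4, 5 and 7; it is not code from this Office action, from the applicant, or from Boros et al. It splits each command line of a three-line record (process, parent, grandparent, per claim 5) into runs of non-punctuation and runs of punctuation characters (claim 7), builds a binary bag-of-terms event vector as a stand-in for the claimed trained x2vec mapping, drops zero-variance columns as a crude stand-in for t-SNE, clusters with a cosine-threshold single-linkage step as a stand-in for HDBSCAN, and flags any event whose cluster identifier matches that of an event already known to be a security violation (claim 1). The command lines, the 0.8 threshold, the treatment of whitespace as a separator rather than a term, and all function names are constructed assumptions for the example.

```python
import re
from itertools import combinations

# Constructed sample records, one per event: (process, parent, grandparent)
# command lines, as claim 5 recites. Event 0 is a known security violation.
EVENTS = [
    (r"powershell -nop -w hidden -enc SQBFAFgA",
     r"C:\Windows\System32\cmd.exe /c powershell -nop -w hidden -enc SQBFAFgA",
     r"C:\Windows\explorer.exe"),
    (r"powershell -nop -w hidden -enc SQBFAFgAIAA",
     r"C:\Windows\System32\cmd.exe /c powershell -nop -w hidden -enc SQBFAFgAIAA",
     r"C:\Windows\explorer.exe"),
    (r"C:\Program Files\Editor\spell.exe --lang en notes.txt",
     r"C:\Program Files\Editor\editor.exe",
     r"C:\Windows\explorer.exe"),
]
KNOWN_VIOLATIONS = {0}

# Claim 7 terms: a run of non-punctuation characters or a run of punctuation
# characters. Assumption: whitespace separates terms and is not itself a term.
TERM_RE = re.compile(r"\w+|[^\w\s]+")


def tokenize(command_line):
    return TERM_RE.findall(command_line)


def record_terms(record):
    """Union of the terms of every command line in the record."""
    terms = set()
    for line in record:
        terms.update(tokenize(line))
    return terms


def build_vocab(records):
    vocab = sorted(set().union(*(record_terms(r) for r in records)))
    return {term: i for i, term in enumerate(vocab)}


def event_vector(record, vocab):
    """Binary bag-of-terms vector; stand-in for the trained representation
    mapping. Its length (len(vocab)) is the 'first number of elements'."""
    vec = [0] * len(vocab)
    for term in record_terms(record):
        vec[vocab[term]] = 1
    return vec


def reduce_vectors(vectors):
    """Drop zero-variance columns (terms present in every event); stand-in for
    the t-SNE reduction. Returns the reduced vectors and the kept columns."""
    kept = [j for j in range(len(vectors[0])) if len({v[j] for v in vectors}) > 1]
    return [[v[j] for j in kept] for v in vectors], kept


def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    na = sum(x * x for x in a) ** 0.5
    nb = sum(y * y for y in b) ** 0.5
    return dot / (na * nb) if na and nb else 0.0


def cluster(vectors, threshold=0.8):
    """Single-linkage clustering under a cosine threshold (union-find);
    stand-in for HDBSCAN. Returns one cluster identifier per vector."""
    parent = list(range(len(vectors)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for i, j in combinations(range(len(vectors)), 2):
        if cosine(vectors[i], vectors[j]) >= threshold:
            parent[find(j)] = find(i)
    ids = {}
    return [ids.setdefault(find(i), len(ids)) for i in range(len(vectors))]


def flag_events(records, known_violations, threshold=0.8):
    """Claim 1: an event is associated with a security violation when its
    cluster identifier matches that of an event already known to be one."""
    vocab = build_vocab(records)
    vectors = [event_vector(r, vocab) for r in records]
    reduced, _ = reduce_vectors(vectors)
    labels = cluster(reduced, threshold)
    bad_clusters = {labels[i] for i in known_violations}
    return [label in bad_clusters for label in labels]


if __name__ == "__main__":
    for record, flagged in zip(EVENTS, flag_events(EVENTS, KNOWN_VIOLATIONS)):
        print("VIOLATION" if flagged else "ok       ", record[0])
```

With the sample above the three events share the seven terms of the common grandparent line, which the reduction removes; the two PowerShell chains then differ only in the encoded payload term and land in one cluster, so the unlabelled second event is flagged, while the editor launch shares no remaining term and stays separate. The case-sensitive tokenizer keeps "C" (drive letter) and "c" (the cmd.exe switch) as distinct terms, which is the kind of detail a real x2vec vocabulary would also see.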
As per claim 8, Boros et al discloses at least one tangible, non-transitory computer-readable medium having stored thereon instructions executable by at least one processor to cause the at least one processor to perform operations comprising:
receiving, via a communications interface, a plurality of command-line records associated with respective events of a plurality of events (paragraph 0019, lines 1-12 and paragraph 0052, lines 1-8), wherein:
each of the command-line records is associated with a corresponding monitored computing device of a plurality of monitored computing devices (paragraph 0019, lines 1-12 and paragraph 0052, lines 1-8);
determining a plurality of event vectors based at least in part on a trained representation mapping and on respective command-line records of the plurality of command-line records (paragraph 0019, lines 1-12 and paragraph 0052, lines 1-8);

determining that the first cluster comprises at least a relatively larger first group of events associated with a first classification (normal data) and a relatively smaller second group of events associated with a second, different classification (the reduced event vector set having a second number of elements smaller than the first number of elements is interpreted as the anomalous data)(paragraph 0052, lines 1-12 and paragraph 0054, lines 1-12);
determining that the first cluster satisfies a predetermined criterion based at least in part on at least:
the number of events in the first group of events;
or the number of events in the second group of events (paragraph 0054, lines 1-12); and
providing, via the communications interface and in response to the determining that the first cluster satisfies the predetermined criterion, an indication of a first event in the second group of events (paragraph 0054, lines 1-12).
As per claim 9, it is taught wherein the operations further comprise:
determining each event vector having a first number of elements (paragraph 0052, lines 1-8);
clustering the events at least partly by:
determining a respective reduced event vector for each of the event vectors, wherein each reduced event vector has a second number of elements smaller than the first number of elements (the reduced event vector set having a second number of elements smaller than the first number of elements is interpreted as the anomalous data)(paragraph 0052, lines 1-12 and paragraph 0054, lines 1-12); and

As per claim 10, it is disclosed wherein the operations further comprise:
determining the reduced event vectors at least partly by determining a t-Distributed Stochastic Neighbor Embedding (t-SNE) of the event vectors in a space having a number of dimensions equal to the second number of elements; and clustering the reduced event vectors using Hierarchical Density-Based Spatial Clustering of Applications with Noise (HDBSCAN)(paragraph 0036, lines 1-20 and paragraph 0054, lines 1-12).
As per claim 11, it is taught wherein the plurality of command-line records comprises:
a first command-line record associated with a first monitored computing device of the plurality of monitored computing devices (paragraph 0019, lines 1-12 and paragraph 0054, lines 1-12); and
a second command-line record associated with a second, different monitored computing device of the plurality of monitored computing devices (paragraph 0027, lines 1-18 and paragraph 0054, lines 1-12).
As per claim 12, it is disclosed wherein the operations further comprise:
receiving, via the communications interface (paragraph 0019, lines 4-8):
a first command-line record of the plurality of command-line records, the first command-line record associated with the first event (paragraph 0054, lines 1-12); and
an indication that the first event is benign (normal and expected, paragraph 0054, lines 1-12); and
subsequently, providing the indication that the first event is associated with a security violation (paragraph 0039, lines 1-7).
As per claim 13, Boros et al teaches a method comprising:

each command-line record represents a respective event of a plurality of events (paragraph 0019, lines 1-12 and paragraph 0052, lines 1-8);
each event of the plurality of events is associated with a respective command-line record, with a corresponding monitored computing device, and with a corresponding session at the corresponding monitored computing device (paragraph 0019, lines 1-12 and paragraph 0052, lines 1-8); and
each event is associated with a respective classification (paragraph 0019, lines 4-8);
determining a plurality of event vectors using a stored representation mapping and based at least in part on respective command-line records of the plurality of command-line records (paragraph 0019, lines 1-12 and paragraph 0052, lines 1-8);
clustering the events of the plurality of events based at least in part on the plurality of event vectors to assign each event to a cluster of a plurality of clusters, wherein each cluster of a first subset of the plurality of clusters includes at least one event that is associated with a first session (paragraph 0052, lines 1-8 and paragraph 0054, lines 1-12);
determining, for each cluster in the first subset of the plurality of clusters, whether that cluster is associated with a security violation based at least in part on at least some of the classifications of the events included in that cluster (paragraph 0019, lines 1-14 and paragraph 0054, lines 1-12); and
determining that the first session is associated with a security violation based at least in part on the first subset of the plurality of clusters satisfying a predetermined criterion (paragraph 0019, lines 1-14 and paragraph 0054, lines 1-12).
As per claim 14, Boros et al further discloses determining that a first cluster of the plurality of clusters is associated with a security violation based at least in part on the respective
As per claim 15, it is taught wherein:
the predetermined criterion is satisfied by at least a predetermined percentage (good circles are larger than anomaly circles) of the clusters in the first subset of the plurality of clusters being associated with a security violation (paragraph 0039, lines 1-7; and paragraph 0054, lines 1-12);
the predetermined percentage is at least thirty percent (paragraph 0054, lines 1-12);
the second predetermined criterion is satisfied by at least a second predetermined percentage of the events in the first cluster being associated with a security violation (paragraph 0039, lines 1-7; and paragraph 0054, lines 1-12); and
the second predetermined percentage is at least thirty percent (paragraph 0054, lines 1-12).
As per claim 16, Boros et al further discloses:
determining that a second cluster of the plurality of clusters includes an event associated with the first session, wherein the first subset of the plurality of clusters excludes the second cluster (paragraph 0027, lines 10-18 and paragraph 0054, lines 1-12); and
determining, in response to the determining that the first session is associated with a security violation and to the determining that the second cluster of the plurality of clusters includes an event associated with the first session, that the second cluster is associated with a security violation (paragraph 0027, lines 10-18; paragraph 0039, lines 1-7; and paragraph 0054, lines 1-12).
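The session-level decision recited in claims 13 through 16, as an added Python illustration that is not code from this Office action, from the applicant, or from Boros et al. The sessions, cluster identifiers and classifications are constructed sample data standing in for the output of an earlier clustering step. The claims do not say how the "first subset" of clusters is chosen, so the example assumes it is the clusters containing at least one classified event, with the remaining clusters that hold a session event being the excluded clusters of claim 16; both thirty percent thresholds follow claim 15. Function names are the example's own.

```python
VIOLATION, BENIGN = "violation", "benign"
THRESHOLD = 0.30  # claim 15: "at least thirty percent"

# Constructed sample events: (event_id, session, cluster, classification).
# None means the event has not been classified by an analyst.
EVENTS = [
    (0, "s1", "A", VIOLATION),
    (1, "s1", "A", BENIGN),
    (2, "s3", "A", VIOLATION),
    (3, "s3", "A", BENIGN),
    (4, "s3", "A", BENIGN),
    (5, "s1", "B", BENIGN),
    (6, "s2", "B", BENIGN),
    (7, "s2", "B", VIOLATION),
    (8, "s3", "B", BENIGN),
    (9, "s3", "B", BENIGN),
    (10, "s1", "D", BENIGN),
    (11, "s2", "D", BENIGN),
    (12, "s1", "C", None),
    (13, "s3", "C", None),
]


def events_in_cluster(events, cluster):
    return [e for e in events if e[2] == cluster]


def cluster_violation_fraction(events, cluster):
    """Share of the cluster's classified events that are violations
    (0.0 when the cluster has no classified events)."""
    classified = [e for e in events_in_cluster(events, cluster) if e[3] is not None]
    if not classified:
        return 0.0
    return sum(e[3] == VIOLATION for e in classified) / len(classified)


def cluster_is_violation(events, cluster, pct=THRESHOLD):
    """Second criterion of claim 15: at least pct of the events in the
    cluster are associated with a security violation."""
    return cluster_violation_fraction(events, cluster) >= pct


def session_clusters(events, session):
    """Split the clusters holding an event of the session into the subset
    examined (assumption: clusters with at least one classified event) and
    the excluded clusters of claim 16."""
    clusters = {e[2] for e in events if e[1] == session}
    considered = {c for c in clusters
                  if any(e[3] is not None for e in events_in_cluster(events, c))}
    return considered, clusters - considered


def session_is_violation(events, session, pct=THRESHOLD):
    """Claims 13 and 15: the session is associated with a security violation
    when at least pct of the considered clusters are themselves violations."""
    considered, _ = session_clusters(events, session)
    if not considered:
        return False
    flagged = sum(cluster_is_violation(events, c, pct) for c in considered)
    return flagged / len(considered) >= pct


def flagged_clusters(events, pct=THRESHOLD):
    """Clusters meeting the cluster criterion, plus (claim 16) the excluded
    clusters that share an event with a session found to be a violation."""
    flagged = {c for c in {e[2] for e in events} if cluster_is_violation(events, c, pct)}
    for session in {e[1] for e in events}:
        if session_is_violation(events, session, pct):
            _, excluded = session_clusters(events, session)
            flagged |= excluded
    return flagged


if __name__ == "__main__":
    for session in sorted({e[1] for e in EVENTS}):
        print(session, "VIOLATION" if session_is_violation(EVENTS, session) else "ok")
    print("flagged clusters:", sorted(flagged_clusters(EVENTS)))
```

In the sample, cluster A is 40% violations and B only 20%, so only A meets the cluster criterion; session s1 touches A, B and D (one of three, just over the 30% bar) and is flagged, which in turn flags cluster C, whose events are all unclassified and which would otherwise never have been examined. Session s2 touches only B and D and stays clean. The edge case to note is the fraction for a cluster with no classified events: returning 0.0 rather than dividing by zero is what makes the claim 16 propagation the only route by which such a cluster can be flagged.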
As per claim 17, it is taught wherein:
each event is associated with a respective process that has a respective ancestor process (paragraph 0019, lines 1-12 and paragraph 0060, lines 1-12);
each command-line record comprises a respective first command line associated with the process (paragraph 0019, lines 1-12 and paragraph 0060, lines 1-12);

As per claim 18, it is disclosed wherein:
the first session comprises a non-daemon process and a daemon process (process description, paragraph 0060, lines 1-12); and
the non-daemon process is the process that spawned the daemon process (paragraph 0060, lines 1-12).
As per claim 19, it is taught wherein each of the event vectors has a first number of elements and the method further comprises:
determining respective reduced event vectors for each of the plurality of event vectors, each of the reduced event vectors having a second number of elements less than the first number of elements, at least partly by determining a t-Distributed Stochastic Neighbor Embedding (t-SNE) of the event vectors in a space having a number of dimensions equal to the second number of elements; and clustering the events at least partly by clustering the reduced event vectors using Hierarchical Density-Based Spatial Clustering of Applications with Noise (HDBSCAN)(paragraph 0036, lines 1-20 and paragraph 0054, lines 1-12).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 2 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Boros et al, US 2020/0106789 in view of Jusko et al, US 2020/0092306.

As per claim 2, Boros et al teaches further comprising:
receiving event data from the monitored computing device via a network, the event data comprising at least some of the command-line record associated with the first event, and the determining that the first cluster identifier matches the second cluster identifier (paragraph 0019, lines 1-14 and paragraph 0054, lines 1-12). Boros, however, fails to disclose transmitting a security command to the monitored computing device to cause the monitored computing device to perform a mitigation action.  In a related teaching, Jusko et al discloses transmitting a security command to the monitored computing device to cause the monitored computing device to perform a mitigation action (paragraph 0073, lines 1-20).  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to apply mitigation actions so that action can be taken in response to a detected security incident.  Jusko et al discloses performing any number of mitigation actions in response to the detection of suspected malware (see paragraph 0046) using an automated process (see paragraph 0037).  Boros et al is suggestive of modifying the anomaly detection module within the scope of the invention (paragraph 0039, lines 7-10), and Jusko et al adds the concept of performing mitigation actions based upon the detection of malware.  The claim would have been obvious because a person of ordinary skill in the art would have been motivated to combine the prior art to achieve the claimed invention, and there would have been a reasonable expectation of success.
As per claim 20, Boros et al discloses further comprising, in response to the determining that the first session is associated with a security violation (paragraph 0039, lines 1-7); however, the teachings fail to disclose transmitting a security command to monitored computing .

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Weizman et al, US 2021/0064749 is relied upon for disclosing of watching for commands that frequently appear in cyberattacks, see abstract.
Nguyen et al, US 2020/0159916 is relied upon for disclosing of viewing event data related to command lines, see paragraph 0126.
Rao et al, U.S. Patent 10,565,373 is relied upon for clustering features, such as command lines (see column 7, lines 29-37), which can be flagged as a potential security risk (see column 7, line 64 through column 8, line 4).

Marin et al, “A Hybrid Approach to the Profile Creation and Intrusion Detection” is relied upon for creating user profiles based upon command line arguments, applying expert rules to reduce the dimensionality of the data, and classifying activity that acts outside of the collected data as anomalous, see abstract.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHRISTOPHER A REVAK whose telephone number is (571)272-3794.  The examiner can normally be reached between 5:30am and 3:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, LYNN FEILD can be reached on 571-272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/CHRISTOPHER A REVAK/Primary Examiner, Art Unit 2431