DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.

Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-11, 13-17, 21-22 and 24 of U.S. Patent No. 10 699 012. Although the claims at issue are not identical, they are not patentably distinct from each other because the current claims are a broader version of the allowed claims.


Allowable Subject Matter
Claim 18 is objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.


Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claim(s) 1-5, 7-17 and 19-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Mudda, patent number: US 9 516 053.

As per claim 1, Mudda teaches a method for implementation by one or more data processors forming part of at least one computing device, the method comprising:
monitoring, by at least one data processor, a plurality of events associated with each of a plurality of computing nodes forming part of a network topology, the network topology comprising antivirus tools to detect malicious software prior to it accessing one of the computing nodes (monitoring a network with nodes and a gateway, col. 19, lines 40-47, gateway, col. 21, lines 30-50);

providing, by at least one data processor, data characterizing the determination (Providing relevant information in the form of graphs, col. 67, lines 44-51).

As per claim 2, Mudda teaches wherein providing data characterizing the determination includes at least one of: display the data in an electronic visual display, loading the data into memory, storing the data in physical persistence, or transmitting the data to a remote computing device (providing relevant information in the form of graphs, col. 67, lines 44-51).

As per claim 3, Mudda teaches further comprising:
identifying, by at least one data processor, a source of the malicious activity;


As per claim 4, Mudda teaches further comprising:
isolating a node corresponding to the identified source of the malicious activity from communication with other nodes (Isolating nodes, col. 48, lines 54-68).

As per claim 5, Mudda teaches further comprising:
initiating remediation at the node corresponding to the identified source of the malicious activity to prevent further damage to the node and/or the network topology (retraining, col. 48, lines 54-68).

As per claim 7, Mudda teaches wherein the antivirus tools comprise at least one of: antivirus software or a computer network gateway appliance (gateway, col. 21, lines 30-50). 



As per claim 9, Mudda teaches wherein at least one of the plurality of machine learning models uses supervised learning and has labels originating from a source selected from a group consisting of: existing label corpuses associated with executable files, indicators of compromise, or deterministic finite automata tailored to recognize particular tactics, techniques and procedures (TTPs) (Known patterns, col. 37, lines 22-37).

As per claim 10, Mudda teaches wherein at least one of the plurality of machine learning models uses unsupervised learning methods that characterize qualitative 
As per claim 11, Mudda teaches wherein the unsupervised learning methods are selected from a group consisting of: clustering, anomaly detection or latent variable models (anomaly detection, Fig. 30, col. 63, lines 33-53).

As per claim 12, Mudda teaches wherein different types of malicious activity identified by the machine learning packs are selected from a group consisting of: memory-based attacks, POWERSHELL / macro-based exploits, privilege escalation, lateral movement, data exfiltration, anti-analysis efforts, password stealer, backdoor / tunnel, or insider threat (privilege escalation, col. 104, lines 44-58).

As per claim 13, Mudda teaches wherein at least one machine learning pack is self-configured dynamically on a corresponding node based on communications with at least one of: another node or a remote computing system (Sharing, col. 17, lines 20-35).

As per claim 14, Mudda teaches wherein at least one machine learning pack on a corresponding node is updated based on communications with at least one of: another node or a remote computing system (Sharing, col. 17, lines 20-35).

As per claim 15, Mudda teaches wherein at least one of the plurality of machine learning models is dynamically updated based on the monitored events (retraining, col. 48, lines 54-67).

As per claim 16, Mudda teaches further comprising:
imputing, using at least one generative model, missing data providing context of at least one event indicative of the malicious activity (composite relationship, col. 68, lines 33-44).

As per claim 17, Mudda teaches further comprising:
preventing the malicious software from continuing to execute (automatically triggering action, col. 12, lines 9-22).

As per claims 19 and 20, Mudda teaches a non-transitory computer program product storing instructions which, when executed by at least one data processor forming part of at least one computing device, implement operations comprising:

determining, using a plurality of machine learning models, that at least one of the events is indicative of malicious activity that has circumvented or bypassed the antivirus tools, the plurality of machine learning models being embodied in a plurality of machine learning packs, each pack being separate and distinct and identifying different types of malicious activity (different kinds of machine learning models, col. 64, lines 5-17); and
preventing, based on the determining, the malicious software from continuing to execute (automatically triggering action, col. 12, lines 9-22).


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Mudda, patent number: US 9 516 053 in view of Hamann, publication number: US 2014/0324352.

As per claim 6, Mudda teaches a learning system that monitors activities to detect issues in the system.

Mudda further teaches retraining systems in col. 48, lines 54-67.
Mudda does not teach that remediation utilizes at least one reinforcement learning method selected from a group consisting of: multi-armed bandits, Q-learning, or Bayesian optimization.

In an analogous art, Hamann teaches remediation utilizing at least one reinforcement learning method selected from a group consisting of: multi-armed bandits, Q-learning, or Bayesian optimization (remediation using Bayesian optimization, [0033]).

Therefore, it would have been obvious to one of ordinary skill in the art prior to the effective filing date of the invention to modify Mudda’s data monitoring system to include a learning improvement system using Bayesian optimization as described in Hamann’s machine learning prediction system for the advantages of improving the learning system.

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to OLUGBENGA O IDOWU whose telephone number is (571)270-1450. The examiner can normally be reached Monday-Friday 8am - 5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Jung Kim, can be reached on 571-272-3804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and 

/OLUGBENGA O IDOWU/Primary Examiner, Art Unit 2494