United States Patent and Trademark Office

Commissioner for Patents
United States Patent and Trademark Office
P.O. Box 1450
Alexandria, VA 22313-1450
www.uspto.gov
BEFORE THE BOARD OF PATENT APPEALS AND INTERFERENCES


Application Number: 16/224,194
Filing Date: December 18, 2018
Appellant(s): Mugambi et al. 
__________________
Douglas M. Hamilton (Reg. No. 47,629)
For Appellant
EXAMINER’S ANSWER
October 25, 2021 appealing from the office action mailed August 9, 2021. 


(1) Grounds of Rejection to be Reviewed on Appeal
Every ground of rejection set forth in the Office action dated August 9, 2021 from which the appeal is taken is being maintained by the examiner except for the grounds of rejection (if any) listed under the subheading “WITHDRAWN REJECTIONS.”  New grounds of rejection (if any) are provided under the subheading “NEW GROUNDS OF REJECTION.”


(2) Response to Argument
The examiner summarizes the various points raised by the appellant and addresses each of them individually.

As per appellants’ arguments filed October 25, 2021, the appellant(s) argue in substance: 
A. That the combination of Pratt and Johnson fails to render claims 1, 2, 6-8, 10-12, 16-18, and 20 obvious under 35 USC 103.  Specifically, with respect to independent claims 1, 11, and 21, the appellant(s) assert that Pratt does not disclose, teach, or suggest “identifying users of the network exhibiting a first suspicious behavior in a form of login failures where each user of the first set of users is associated with a source computer” and “identifying a subset of the first set of source computers exhibiting a second suspicious behavior in the form of a new computer connections” (see Argument, pages 12-16).

In response to A., the examiner disagrees.  

Pratt explicitly teaches the various types of suspicious behavior such as login failure, new connection initiated, series of consecutive connections, etc. (see Pratt, [0064]: “Examples of anomalies include alarms, blacklisted applications/domains/IP addresses, domain name anomalies, excessive uploads or downloads, website attacks, land speed violations, machine generated beacons, login errors, multiple outgoing connections, unusual activity time/sequence/file access/network activity, etc.”, emphasis added).  
Pratt also teaches that these events are associated with time (see Pratt, [0049]: “An event comprises a portion of the machine-generated data and is associated with a specific point in time. For example, events may be derived from "time series data," where the time series data comprises a sequence of data points (e.g., performance measurements from a computer system, etc.) that are associated with successive points in time. In general, each event can be associated with a timestamp that is derived from the raw data in the event, determined through interpolation between temporally proximate events having known timestamps, or determined based on other configurable rules for associating timestamps with events, etc”).
Furthermore, according to Pratt, a user is associated with an entity such as a client device, therefore any information pertaining to a user action with respect to a network is essentially an action electronically performed by a computing device such as a client device (see Pratt, [0004], “In various public and private computer networks, users employ devices such as desktop computers, laptop computers, tablets, smart phones, browsers, etc. to interact with others through computers and servers that are coupled to the network”; [0044]: “In general, machine-generated data can also include performance data, diagnostic information, and many other types of data that can be analyzed to diagnose performance problems, monitor user interactions, and to derive other insights”; and [0065]: “Threat indicators and threats are escalations of events of concern. Examples of threats include data exfiltration (e.g., by compromised account, by malware, or by a suspicious user or device), public-facing website attack, suspicious behavior by an insider, and breach of a rule (e.g. access by a blacklisted user or an unauthorized file transfer). Like an anomaly, a threat can be associated with one or more entities, including users, devices, and applications”, emphasis added).
Clearly, from the teachings above, it is evident that Pratt discloses, teaches, and suggests “identifying users of the network exhibiting a first suspicious behavior in a form of login failures where each user of the first set of users is associated with a source computer”.
With respect to the claim element “identifying a subset of the first set of source computers exhibiting a second suspicious behavior in the form of a new computer connections”, as noted above, Pratt explicitly teaches a second suspicious behavior in the form of new computer connections (see Pratt, [0064]: “multiple outgoing connections”).
Pratt further teaches in paragraph [0066], “a process of escalation from detecting anomalies to identifying threats” by “hundreds of millions of events including data from various data sources may be analyzed to yield 100 anomalies, which may be analyzed to yield 10 threat indicators associated with potential security threats, which may again be analyzed to yield one or two actual security threats”.  Clearly, Pratt teaches the functionality of yielding threats from a subset.
From the explanation above and the teachings of Pratt, one of ordinary skill in the art would clearly understand the “process of escalation from detecting anomalies to identifying threats” (Pratt, [0066]), in which a plurality of events (login failures) “may be analyzed to yield 100 anomalies” (new computer connections), “which may be analyzed to yield 10 threat indicators associated with potential security threats” (new connections in a sequence), “which may again be analyzed to yield one or two actual security threats”. According to Pratt, the number of times the analysis is performed, and to what degree, is subjective.
For the reasons above, and with respect to the rejections set forth in the Final Office Action, the rejection of independent claims 1, 10, and 21 should be sustained.  Furthermore, with respect to the rejections set forth in the Final Office Action, the rejections of dependent claims 2-10 and 12-20 should also be sustained.


Respectfully submitted,
/Michael Won/Primary Examiner, Art Unit 2449

Conferees:
/THUONG NGUYEN/Primary Examiner, Art Unit 2449
/HUA FAN/Primary Examiner, Art Unit 2449

Requirement to pay appeal forwarding fee.  In order to avoid dismissal of the instant appeal in any application or ex parte reexamination proceeding, 37 CFR 41.45 requires payment of an appeal forwarding fee within the time permitted by 37 CFR 41.45(a), unless appellant had timely paid the fee for filing a brief required by 37 CFR 41.20(b) in effect on March 18, 2013.