United States Patent and Trademark Office
    
        
            
                                
            
        
    

Commissioner for Patents
United States Patent and Trademark Office
P.O. Box 1450
Alexandria, VA 22313-1450
www.uspto.gov











BEFORE THE BOARD OF PATENT APPEALS 
AND INTERFERENCES


Application Number: 15/930,770
Filing Date: August 13, 2021
Appellant(s): Dan Hu et al. 



__________________
Ross A. Dannenberg
For Appellant












EXAMINER’S ANSWER


This is in response to the appeal brief filed 8/13/2021 appealing from the Office action mailed 3/12/2021.

(1) Grounds of Rejection to be Reviewed on Appeal
Every ground of rejection set forth in the Office action dated 3/12/2021 from which the appeal is taken is being maintained by the examiner except for the grounds of rejection (if any) listed under the subheading “WITHDRAWN REJECTIONS.”  New grounds of rejection (if any) are provided under the subheading “NEW GROUNDS OF REJECTION.”
(2) Response to Argument

1. 	Independent Claims 1, 11 and 18 and Dependent Claims 2-5, 7, 9, 10, 12-14, 16, 18-24,
Appellants argue:
Argument 1: On page 5 of the Appeal Brief, the Examiner fails to show that the references Leone in view of Kumar teach “identifying,…based on the series of event, a relationship between the first event and the second event.” (Brief, page 5)
Argument 2: On page 7 of the Appeal Brief, the Examiner fails to show that the (Brief, page 7)
Argument 3: On page 10 of the Appeal Brief, the Examiner fails to teach “the rationale or motivation for combining Leone and Kumar since the technology between Leone and Kumar are substantially different.” (Brief, page 10)



2.	Response to argument (1):	With regard to argument (1) pertaining to the examiner’s failure to satisfy the requirement of teaching “identifying,…based on the series of event, a relationship between the first event and the second event”, Leone discloses in paragraph 0084 that a system may be monitored for determining the plurality of anomalous events resulting from software being installed on a mobile terminal. Moreover, Leone further discloses in paragraphs 0084 and 0091 that the plurality of events are correlated by an anomaly detection or intrusion detection tool. Implicitly, the process of performing a correlation between inputs produces results that establish a degree of relationship between the plurality of event inputs. Therefore, performing a correlation on the prior events results in a generated output that quantifies the relationship between the event inputs.

Response to argument (2): 	With regard to argument (2) pertaining to the examiner’s failure to satisfy the requirement of teaching “determining…that the first event is potentially malicious activity based on a comparison between the identified relationship and other series or events previously determined to be malicious activity”, Kumar discloses in paragraphs 0019 and 0020 that systems may be continuously monitored for determining malware by establishing correlations between a series of low-and-slow attacks, wherein malware may operate through a series of benign actions. Paragraphs 0145, 0147, and 0148 additionally disclose that rules may be used to initially identify suspected anomalous behavior of potential anomalous processes. Subsequently, the suspected anomalous process(es) are further subjected to additional evaluation by an event correlator and activity correlator in order to establish evidence of malicious behavior of suspected processes. Implicitly, the act of performing a correlation necessarily requires a step of performing a comparison of inputs in order to determine how closely the inputs are related to each other. Kumar discloses in paragraph 0030 that several correlation measurements are performed, wherein the output from a correlation operation yields a score value that’s inversely proportional to the degree of deviation from a prescribed value. Therefore, a determination of potential malicious activity in a system is based on evaluating anomalous behavior in previous system events by correlating a system’s behavior with previous events.

Response to argument (3):


Therefore, the Examiner submits that all the grounds of rejection for Claims 1-5, 7, 9-14, 16, and 18-24 were proper in the final Office action mailed on 3/12/2021.

For the above reasons, it is believed that the rejections should be sustained.
Respectfully submitted,
/GREGORY A LANE/ Examiner, Art Unit 2438

Conferees:
/David J Pearson/ Primary Examiner, Art Unit 2438

Requirement to pay appeal forwarding fee.  In order to avoid dismissal of the instant appeal in any application or ex parte reexamination proceeding, 37 CFR 41.45 requires payment of an appeal forwarding fee within the time permitted by 37 CFR 41.45(a), unless appellant had timely paid the fee for filing a brief required by 37 CFR 41.20(b) in effect on March 18, 2013.