Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


The term “…a reward is assigned to the at least one software agent, based at least in part on a degree of correspondence between the one or more predicted inputs and one or more subsequent inputs received from the attacker following the modifying…” in claims 3, 10 and 16 is a relative term which renders the claim indefinite. The term “in part on a degree of correspondence” is not defined by the claim, the specification does not provide a standard for ascertaining the requisite degree, and one of ordinary skill in the art would not be reasonably apprised of the scope of the invention.

Information Disclosure Statement
The information disclosure statement (IDS) is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 101 (Abstract Idea)
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1, 2, 4 – 9, 11 – 15 and 17 – 20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more, as analyzed according to the 2019 Revised Patent Subject Matter Eligibility Guidance (“2019 PEG”). The claims recite detecting and recording an input attempt from an attacker, generating a state representation, predicting inputs, and modifying the state of the application based on the predicted inputs.
Step 1: Claims 1, 8 and 14 do fall into one of the four statutory categories of method and system claims. Nevertheless, the claims are still considered an abstract idea for the following prongs and reasons.
Step 2A: Prong 1: The limitation of claims 1, 8 and 14 that recites detecting and recording an input attempt from an attacker, generating a state representation, predicting inputs, and modifying the state of the application based on the predicted inputs is, as drafted, a process that, under its broadest reasonable interpretation, covers performance of the limitation in the human mind and/or with pen and paper without a generic computer. Except for the system claims that recite a non-transitory medium, memory and processor, nothing in the claim elements precludes the steps from practically being performed in the human mind and/or with pen and paper. For example, checking manual data input traffic and obtaining various information in any office or campus can also be perceived to be done manually by a human in an orderly fashion. In the context of these claims, this encompasses assigning scores and taking remedial measures accordingly.

Prong 2: This judicial exception is not integrated into a practical application. In particular, the claims do not recite any additional element beyond the routine steps of: detecting and recording an input attempt from an attacker, generating a state representation, predicting inputs, and modifying the state of the application based on the predicted inputs. The steps are recited at a high level of generality (i.e., as generic terms performing generic computer functions (Fig. 4), such that it amounts to no more than mere instructions to apply the exception using generic computer components). Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. Therefore the claims are directed to an abstract idea.
Step 2B: The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, detecting and recording an input attempt from an attacker, generating a state representation, predicting inputs, and modifying the state of the application based on the predicted inputs amounts to no more than mere instructions to apply the exception using generic computer terms. Mere instructions to apply an exception using a generic not patent eligible. Therefore all the corresponding dependent claims 2, 4 – 9, 11 – 15 and 17 – 20 are also rejected for the same rationale.
Note: Claims 3, 10 and 16 are statutory as the software is configured to run which is not a mental step.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1, 2, 4 – 9, 11 – 15 and 17 – 20 are rejected under 35 U.S.C. 103 as being unpatentable over Kraus et al. (US 20200285737), hereafter Kra, and Gertner et al. (US 9503470), hereafter Ger.
Claim 1: Kra teaches a computer-implemented method of adapting a software application on a network in response to an unauthorized access attempt against the software application, the computer-implemented method comprising: detecting, by at least one computer processor, the unauthorized access attempt, wherein the unauthorized access attempt is associated with an attacker; ([006, 27] sequence anomalies detection code obtains a list of events from the event listing source, and heuristically extracts an ordered event sequence from the list of events, documents unauthorized activity, and [0193] likely associated with a threat actor);
recording, by the at least one computer processor, an input log comprising a plurality of inputs received from the attacker; ([0243, fig. 3] logs such as syslog format logs, event tracing logs, application logs, logs generated by kernels, transaction logs, and other records of events ([193-194] based on actor requests) which occurred or report state of one or more machines);
([0177-179] generating about a state or event detected in a computing system... by moving on to process a different detected state or detected event instead of pursuing additional processing of the action(s) associated with the accepted risk);
computing, by the at least one computer processor, one or more predicted inputs, based at least in part on the input log and the state representation; ([028] given a new input sequence (one previously unseen, or one considered in a new context) and given the user's history profile, a sequence anomaly algorithm predicts the likelihood that the input sequence is abnormal);
Kra is silent on and modifying, by the at least one computer processor via at least one software agent, the execution state of at least the software application, based at least in part on the one or more predicted inputs.
But analogous art Ger teaches and modifying, by the at least one computer processor via at least one software agent, the execution state of at least the software application, based at least in part on the one or more predicted inputs. (C5L58-62: ability to repair damage-Even after a node is known to have been attacked, the SDI-SCAM agent is given access privileges such that it can aid the system administrator in controlling and repairing whatever damage has resulted).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Kra to include the idea of modifying the execution state of the application based on prediction, as taught by Ger, so that, in determining the probability of infection or intrusion, it is useful to apply SDI-SCAM's probabilistic modeling to the assessment of detection (C26L14-16).
Claim 8: Kra teaches a non-transitory computer readable storage medium storing instructions that, when executed by at least one computer processor, cause the at least one computer processor to perform operations of adapting a software application on a network in response to an unauthorized access attempt against the software application, the operations comprising (Fig. 1): detecting the unauthorized access attempt, wherein the unauthorized access attempt is associated with an attacker; recording an input log comprising a plurality of inputs received from the attacker; generating a state representation corresponding to an execution state of at least one software application; computing one or more predicted inputs, based at least in part on the input log and the state representation; ([006, 27] sequence anomalies detection code obtains a list of events from the event listing source, and heuristically extracts an ordered event sequence from the list of events, documents unauthorized activity, and [0193] likely associated with a threat actor; [0243, fig. 3] logs such as syslog format logs, event tracing logs, application logs, logs generated by kernels, transaction logs, and other records of events ([193-194] based on actor requests) which occurred or report state of one or more machines; [0177-179] generating about a state or event detected in a computing system... by moving on to process a different detected state or detected event instead of pursuing additional processing of the action(s) associated with the accepted risk; [028] given a new input sequence (one previously unseen, or one considered in a new context) and given the user's history profile, a sequence anomaly algorithm predicts the likelihood that the input sequence is abnormal).
Kra is silent on and modifying, via at least one software agent, the execution state of at least the software application, based at least in part on the one or more predicted inputs.
(C5L58-62: ability to repair damage-Even after a node is known to have been attacked, the SDI-SCAM agent is given access privileges such that it can aid the system administrator in controlling and repairing whatever damage has resulted).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Kra to include the idea of modifying the execution state of the application based on prediction, as taught by Ger, so that, in determining the probability of infection or intrusion, it is useful to apply SDI-SCAM's probabilistic modeling to the assessment of detection (C26L14-16).
Claim 14: Kra teaches a system configured to adapt a software application on a network in response to an unauthorized access attempt to the software application, the system comprising: a memory; and at least one computer processor configured to execute instructions, stored in the memory, that cause the at least one computer processor to perform operations comprising (Fig. 1): detecting the unauthorized access attempt, wherein the unauthorized access attempt is associated with an attacker; recording an input log comprising a plurality of inputs received from the attacker; generating a state representation corresponding to an execution state of at least one software application; computing one or more predicted inputs, based at least in part on the input log and the state representation; ([006, 27] sequence anomalies detection code obtains a list of events from the event listing source, and heuristically extracts an ordered event sequence from the list of events, documents unauthorized activity, and [0193] likely associated with a threat actor; [0243, fig. 3] logs such as syslog format logs, event tracing logs, application logs, logs generated by kernels, transaction logs, and other records of events ([193-194] based on actor requests) which occurred or report state of one or more machines; [0177-179] generating about a state or event detected in a computing system... by moving on to process a different detected state or detected event instead of pursuing additional processing of the action(s) associated with the accepted risk; [028] given a new input sequence (one previously unseen, or one considered in a new context) and given the user's history profile, a sequence anomaly algorithm predicts the likelihood that the input sequence is abnormal).
Kra is silent on and modifying, via at least one software agent, the execution state of at least the software application, based at least in part on the one or more predicted input.
But analogous art Ger teaches and modifying, via at least one software agent, the execution state of at least the software application, based at least in part on the one or more predicted input. (C5L58-62: ability to repair damage-Even after a node is known to have been attacked, the SDI-SCAM agent is given access privileges such that it can aid the system administrator in controlling and repairing whatever damage has resulted).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Kra to include the idea of modifying the execution state of the application based on prediction, as taught by Ger, so that, in determining the probability of infection or intrusion, it is useful to apply SDI-SCAM's probabilistic modeling to the assessment of detection (C26L14-16).
Claim 2: the combination of Kra and Ger teaches the computer-implemented method of claim 1, the computing further comprising: selecting, by the at least one computer processor via the network, the one or more predicted inputs from a set of candidate inputs derived using a reward function from a reinforcement-learning model, wherein the reinforcement-learning model is Kra: [0150-153]  code which upon execution selects an anchor event of a sequence during extraction of the sequence from an event list condition used in model or sequence anomaly detection code, machine learning model hyperparameter, and which is imposed independently of the model's content and status as opposed to learned parameters which is derived automatically from datasets used in training/testing/tuning the model, [271]  training the machine learning model using vectorized event sequences without using any association of particular event sequences with particular user accounts, includes training the machine learning model using vectorized event sequences without using logged session ids).
Claim 4: the combination of Kra and Ger teaches the computer-implemented method of claim 1, wherein: the software application is cloned from a corresponding application of a production system, the software application is configured to run separately from the production system, and the computer-implemented method further comprises routing, by the at least one computer-processor via the network, the attacker away from the production system and toward the software application in response to the detecting the unauthorized access attempt. (Ger: C24L42-47: files are accessed from a honey pot trap or such Trojans may (via SDI SCAM administration) be strategically selected and positioned within the network to maximize the likelihood of a likely attacker to upload the Trojan containing the SDI SCAM agent, C10, 11L64-67, 1-5: simulates the environment of the system that is being protected. The hacker, believing that he has actually broken into the system, is then monitored by SDI-SCAM, as his behavior might give clues to his location, identity, and motives and incriminatory evidence, if desired).
C26L14-16).
Claim 5: the combination of Kra and Ger teaches the computer-implemented method of claim 4, wherein the software application is further configured to provide to the attacker access to simulated data in lieu of production data. (Ger: C17L1-3: the user account automatically set up as a honey pot trap to acquire just enough information about who the suspect entity is in order to catch him in an inappropriate act of fraud or deception).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Kra to include the idea of separate simulation of the application, as taught by Ger, so that, in determining the probability of infection or intrusion, it is useful to apply SDI-SCAM's probabilistic modeling to the assessment of detection (C26L14-16).
Claim 6: the combination of Kra and Ger teaches the computer-implemented method of claim 1, further comprising: identifying, by the at least one computer processor, a type of the unauthorized access attempt; (Kra: [0193] risk a likelihood that a threat actor will exploit a vulnerability to gain unauthorized access to a resource of a computing system).
Ger teaches modifying, by the at least one computer processor, the execution state of at least the software application, based at least in part on the one or more predicted inputs and the type of the unauthorized access attempt. (Ger: C25L41-46: one of the present SDI-SCAM objectives is adapting the defensive and counteroffensive strategy by better selecting the response and making the response more targeted, confident and appropriate to the target entity, its actions and intervening circumstances/conditions in view of associated probabilities).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Kra to include the idea of a response action, as taught by Ger, so that, in determining the probability of infection or intrusion, it is useful to apply SDI-SCAM's probabilistic modeling to the assessment of detection (C26L14-16).
Claim 7: the combination of Kra and Ger teaches the computer-implemented method of claim 6, wherein: the software application comprises at least one web service, and the type of the unauthorized access attempt comprises cross-site scripting, cross-site request forgery, SQL injection, code injection, brute-force attack, buffer-overflow attack, or a combination thereof. (Kra: [0108] applications such as word processors, web browsers, spreadsheets, games, email tools, [003] detects financial fraud, insider threats, targeted attacks from external sources, and other malicious behaviors in the context of routine and authorized behaviors, [296-297, 335] identifying anomalous event sequences and detects abnormal reads of large data volumes).
Claim 9: the combination of Kra and Ger teaches the non-transitory computer readable storage medium of claim 8, wherein the computing operation further comprises selecting the one or more predicted inputs from a set of candidate inputs derived using a reward function from a reinforcement-learning model, and wherein the reinforcement-learning model is trained based at least in part on the plurality of inputs received from the attacker, a plurality of test inputs from an authorized penetration tester, a plurality of known inputs from a given dataset, or a combination thereof. (Kra: [0150-153]  code which upon execution selects an anchor event of a sequence during extraction of the sequence from an event list condition used in model or sequence anomaly detection code, machine learning model hyperparameter, and which is imposed independently of the model's content and status as opposed to learned parameters which is derived automatically from datasets used in training/testing/tuning the model, [271]  training the machine learning model using vectorized event sequences without using any association of particular event sequences with particular user accounts, includes training the machine learning model using vectorized event sequences without using logged session ids).
Claim 11: the combination of Kra and Ger teaches the non-transitory computer readable storage medium of claim 8, wherein: the software application is cloned from a corresponding application of a production system, the software application is configured to run separately from the production system, and the operations further comprise routing the attacker away from the production system and toward the software application in response to the detecting the unauthorized access attempt, wherein the software application is further configured to provide to the attacker access to simulated data in lieu of production data. (Ger: C24L42-47: files are accessed from a honey pot trap or such Trojans may (via SDI SCAM administration) be strategically selected and positioned within the network to maximize the likelihood of a likely attacker to upload the Trojan containing the SDI SCAM agent, C10, 11L64-67, 1-5: simulates the environment of the system that is being protected. The hacker, believing that he has actually broken into the system, is then monitored by SDI-SCAM, as his behavior might give clues to his location, identity, and motives and incriminatory evidence, if desired; C17L1-3: the user account automatically set up as a honey pot trap to acquire just enough information about who the suspect entity is in order to catch him in an inappropriate act of fraud or deception).
C26L14-16).
Claim 12: the combination of Kra and Ger teaches the non-transitory computer readable storage medium of claim 8, the operations further comprising: identifying, by the at least one computer processor, a type of the unauthorized access attempt; (Kra: [0193] risk a likelihood that a threat actor will exploit a vulnerability to gain unauthorized access to a resource of a computing system).
Ger teaches modifying, by the at least one computer processor, the execution state of at least the software application, based at least in part on the one or more predicted inputs and the type of the unauthorized access attempt. (Ger: C25L41-46: one of the present SDI-SCAM objectives is adapting the defensive and counteroffensive strategy by better selecting the response and making the response more targeted, confident and appropriate to the target entity, its actions and intervening circumstances/conditions in view of associated probabilities).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Kra to include the idea of a response action, as taught by Ger, so that, in determining the probability of infection or intrusion, it is useful to apply SDI-SCAM's probabilistic modeling to the assessment of detection (C26L14-16).
Claim 13: the combination of Kra and Ger teaches the non-transitory computer readable storage medium of claim 12, wherein: the software application comprises at least one web service, and the type of the unauthorized access attempt comprises cross-site scripting, cross-site request Kra: [0108] applications such as word processors, web browsers, spreadsheets, games, email tools, [003] detects financial fraud, insider threats, targeted attacks from external sources, and other malicious behaviors in the context of routine and authorized behaviors, [296-297, 335] identifying anomalous event sequences and detects abnormal reads of large data volumes).
Claim 15: the combination of Kra and Ger teaches the system of claim 14, wherein the computing operation further comprises selecting the one or more predicted inputs from a set of candidate inputs derived using a reward function from a reinforcement-learning model, and wherein the reinforcement-learning model is trained based at least in part on the plurality of inputs received from the attacker, a plurality of test inputs from an authorized penetration tester, a plurality of known inputs from a given dataset, or a combination thereof. (Kra: [0150-153]  code which upon execution selects an anchor event of a sequence during extraction of the sequence from an event list condition used in model or sequence anomaly detection code, machine learning model hyperparameter, and which is imposed independently of the model's content and status as opposed to learned parameters which is derived automatically from datasets used in training/testing/tuning the model, [271]  training the machine learning model using vectorized event sequences without using any association of particular event sequences with particular user accounts, includes training the machine learning model using vectorized event sequences without using logged session ids).
Claim 17: the combination of Kra and Ger teaches the system of claim 14, wherein: the software application is cloned from a corresponding application of a production system, the software application is configured to run separately from the production system, and the operations further Ger: C24L42-47: files are accessed from a honey pot trap or such Trojans may (via SDI SCAM administration) be strategically selected and positioned within the network to maximize the likelihood of a likely attacker to upload the Trojan containing the SDI SCAM agent, C10, 11L64-67, 1-5: simulates the environment of the system that is being protected. The hacker, believing that he has actually broken into the system, is then monitored by SDI-SCAM, as his behavior might give clues to his location, identity, and motives and incriminatory evidence, if desired).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Kra to include the idea of a separate run of the application, as taught by Ger, so that, in determining the probability of infection or intrusion, it is useful to apply SDI-SCAM's probabilistic modeling to the assessment of detection (C26L14-16).
Claim 18: the combination of Kra and Ger teaches the system of claim 17, wherein: the software application is further configured to provide to the attacker access to simulated data in lieu of production data. (Ger: C17L1-3: the user account automatically set up as a honey pot trap to acquire just enough information about who the suspect entity is in order to catch him in an inappropriate act of fraud or deception).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Kra to include the idea of separate simulation of the application, as taught by Ger, so that, in determining the probability of infection or intrusion, it is useful to apply SDI-SCAM's probabilistic modeling to the assessment of detection (C26L14-16).
Claim 19: the combination of Kra and Ger teaches the system of claim 14, the operations further comprising: identifying, by the at least one computer processor, a type of the unauthorized access attempt; (Kra: [0193] risk a likelihood that a threat actor will exploit a vulnerability to gain unauthorized access to a resource of a computing system).
Ger teaches modifying, by the at least one computer processor, the execution state of at least the software application, based at least in part on the one or more predicted inputs and the type of the unauthorized access attempt. (Ger: C25L41-46: one of the present SDI-SCAM objectives is adapting the defensive and counteroffensive strategy by better selecting the response and making the response more targeted, confident and appropriate to the target entity, its actions and intervening circumstances/conditions in view of associated probabilities).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Kra to include the idea of a response action, as taught by Ger, so that, in determining the probability of infection or intrusion, it is useful to apply SDI-SCAM's probabilistic modeling to the assessment of detection (C26L14-16).
Claim 20: the combination of Kra and Ger teaches the system of claim 19, wherein: the software application comprises at least one web service, and the type of the unauthorized access attempt comprises cross-site scripting, cross-site request forgery, SQL injection, code injection, brute-force attack, buffer-overflow attack, or a combination thereof. (Kra: [0108] applications such as word processors, web browsers, spreadsheets, games, email tools, [003] detects financial fraud, insider threats, targeted attacks from external sources, and other malicious behaviors in the context of routine and authorized behaviors, [296-297, 335] identifying anomalous event sequences and detects abnormal reads of large data volumes).

Allowable Subject Matter
Claims 3, 10 and 16 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See form PTO-892. Any inquiry concerning this communication or earlier communications from the examiner should be directed to Badri -- Champakesan whose telephone number is (571)270-3867. The examiner can normally be reached M-F: 8:30am-5pm (EST). Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge L. Ortiz-Criado can be reached on 5712727624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) 

/BADRINARAYANAN /Examiner, Art Unit 2496.