United States Patent and Trademark Office


Commissioner for Patents
United States Patent and Trademark Office
P.O. Box 1450
Alexandria, VA 22313-1450
www.uspto.gov











BEFORE THE PATENT TRIAL AND APPEAL BOARD


Application Number: 15/623,125
Filing Date: 14 Jun 2017
Appellant(s): International Business Machines Corporation



__________________
David H. Judson (Reg. No. 30,467)
For Appellant


EXAMINER’S ANSWER





This is in response to the appeal brief filed on 4/25/2022.

(1) Grounds of Rejection to be Reviewed on Appeal
Every ground of rejection set forth in the Office action dated on 4/25/2022 from which the appeal is taken is being maintained by the examiner except for the grounds of rejection (if any) listed under the subheading “WITHDRAWN REJECTIONS.”  New grounds of rejection (if any) are provided under the subheading “NEW GROUNDS OF REJECTION.”

(2) Response to Argument

Claims 1, 3-6, 9, 11-14, 17, and 19-22 are rejected under 35 U.S.C. 103 as being unpatentable over Kataoka (US 20180083988 A1) in view of Saxe (US 9690938 B1) in further view of Zorlular (US 20180183827 A1).

Claims 2, 10, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Kataoka in view of Saxe and Zorlular in further view of Gates (US 10091231 B1).

Claims 7, 15, and 23 are rejected under 35 U.S.C. 103 as being unpatentable over Kataoka in view of Saxe, and Zorlular in further view of Gates and Muddu (US 9516053 B1, provided in IDS).

Claims 8, 16, and 24 are rejected under 35 U.S.C. 103 as being unpatentable over Kataoka in view of Saxe, and Zorlular in further view of Muddu.

Claim 25 is rejected under 35 U.S.C. 103 as being unpatentable over Kataoka (US 20180083988 A1) in view of Gates (US 10091231 B1) in further view of Saxe (US 9690938 B1) in further view of Zorlular (US 20180183827 A1).

Claim 26 is rejected under 35 U.S.C. 103 as being unpatentable over Kataoka in view of Gates, Saxe, Zorlular, in further view of Muddu (US 9516053 B1, provided in IDS).

Argument 1:
	Appellant alleges on page 7 of the Appeal Brief that Kataoka fails to teach a machine learning model built from information about historical security threats, including historical disposition of one or more alerts associated with the historical security threats.
	In response to the above argument, Examiner respectfully disagrees with Appellant’s allegations.  Kataoka teaches a machine learning model that is generated based on cyber threat data labeled by security professionals (Kataoka: paragraphs 0006, 0023 and 0060-0061, “Machine learning software can be used to analyze cyber threat data labeled by security professionals and generate models that can be used to score threats in unlabeled data.  The labeled data, with threat scores ranging from 0.0 to 1.0 in this case, is referred to as the ground truth”… “With regards to regression prediction with machine learning, the data with the computed ground truth is used for machine learning analysis (threats 101 and 102 in FIG. 7), which is then used to score the unlabeled data (threats 103 and 104). After the system builds the model”).  Examiner broadly interprets the labeled data/ground truth recited in Kataoka as the information about historical security threats recited in the claims.  Examiner notes that on page 22 of the appellant’s specification, the historical security threats are also defined as labeled data.  Furthermore, the labeled data/ground truth, which is historic information regarding the cyber threats that occurred, is mapped to the historical disposition of one or more alerts associated with the historical security threats.  The use of the labeled data/ground truth to generate the machine learning model recited in the Kataoka reference is mapped to building the machine learning model as recited in the claims.  When the threats are detected, the messages that are generated regarding the threat events and provided to the machine learning model for score generation are broadly interpreted as the alerts recited in the claims.  This interpretation is consistent with the appellant’s specification (see page 24, “for each threat detected (e.g. by a SIEM, an enterprise security Tool, any other Big Data tool) and presented to the SOC analyst in the threat monitoring console 506 as an alert”).
Therefore, the Kataoka reference does teach the disputed limitation.

Argument 2:
Appellant alleges on page 8 of the Appeal Brief that Saxe at most teaches that the final threat score there is based on an effectiveness of the threat model itself, but the “final threat score” is not based on whether any prior threat detection score was or was not effective in predicting “a particular historical disposition associated with the alert”.
In response to the above argument, Examiner respectfully disagrees.  Saxe does teach the threat disposition score (TDS) based in part on an effectiveness of a prior calculated TDS to predict a particular historical disposition associated with the alert (Saxe: column 20 lines 18-67, “For example, the threat analyzer 114 can analyze results generated from a particular threat model (e.g., can determine an error rate, and/or a similar effectiveness metric), based on user and/or system feedback on the results generated by that threat model. When a potentially malicious file is received, the threat analyzer 114 can select a particular Bayesian and/or similar calibration function, from a set of stored and/or known Bayesian and/or similar calibration functions, that can adjust a final threat score, so as to reduce and/or eliminate an error rate, and/or otherwise affect an effectiveness metric, of the threat model”).  The adjusted final threat score recited in the Saxe reference is broadly interpreted as the threat disposition score (TDS) of the claimed invention.  The adjusted final threat score is produced or generated based on the threat model score (Saxe: column 17 lines 43-47, “the threat analyzer 114 can apply a calibration and/or normalization function (e.g., a Bayesian calibration function) to the threat model score, to produce a final score indicating a probability that the potentially malicious file sample is malware”).  The threat model score recited in Saxe is mapped to the prior calculated TDS recited in the claims.  Furthermore, the final score is used to predict the probability that the potentially malicious file sample is malware, which is mapped to the threat disposition score (TDS) to predict a particular historical disposition associated with the alert recited in the claims.  Therefore, Appellant’s allegation is not persuasive.  Saxe does teach the disputed limitation.

Argument 3:
On page 9 of the Appeal Brief, Appellant alleges that Zorlular fails to teach “feedback from a second security analyst on handling of the at least one alert by a first security analyst.”… Moreover, the information provided is not used for calculating a score of any type.
	In response to the above argument, Zorlular does teach the disputed limitation “feedback from a second security analyst on handling of the at least one alert by a first security analyst” (Zorlular: paragraphs 0102 and 0107, “Specifically, an analyst may use the feedback box to include information related to the user's activity when escalating an alert, thus facilitating that a supervisor reviewing the escalated alert or another analyst investigating an alert is presented with the contextual information as provided by the warning system as well as any remarks or annotations by the analyst having already reviewed the alert.”).  The user recited in the Zorlular reference is mapped to the first security analyst as recited in the claims.  The analyst recited in the Zorlular reference is mapped to the second security analyst recited in the claims.  The use of the feedback box by the analyst recited in the Zorlular reference to escalate the alert to the supervisor (i.e., a third security analyst) is broadly interpreted as feedback from a second security analyst on handling of the at least one alert.
	Zorlular further teaches the information provided is used for calculating a score of any type (Zorlular: paragraphs 0020, 0102 and 107, “the risk score of each resource may be determined by combining the risk estimates for each event and alert associated with the resource”).  Therefore, Zorlular does teach the disputed limitations.


Argument 4:
	On page 10 of the Appeal Brief, Appellant alleges that the combination of Saxe in view of Kataoka is based on hindsight reconstruction, which is not permissible.
In response to the above argument, Appellant alleges that the combination of Saxe in view of Kataoka is based on hindsight reconstruction.  However, there is no evidence to support the Appellant’s allegation.
Furthermore, it must be recognized that any judgment on obviousness is in a sense necessarily a reconstruction based upon hindsight reasoning.  But so long as it takes into account only knowledge which was within the level of ordinary skill at the time the claimed invention was made, and does not include knowledge gleaned only from the appellant's disclosure, such a reconstruction is proper.  See In re McLaughlin, 443 F.2d 1392, 170 USPQ 209 (CCPA 1971).  

Argument 5:
Appellant alleges on pages 12 and 13 that the combined teachings do not teach 1) an alert enriched to also include how the security has been handled previously and 2) the combined teachings are impermissible hindsight.
In response to the first allegation, Examiner disagrees because Gates does teach an alert enriched to also include how the security has been handled previously (Gates, in Col. 14 L. 48-54 and Col. 15 L. 24-35, discloses notifying the client through a notification (i.e. enriched alert) of information about the prediction of how the model set of client machines would respond to the threat incident, which includes information used to generate the prediction (i.e. historical information about how the threat had been handled historically)).
In response to the second allegation, Appellant alleges that the combined teachings are based on hindsight reconstruction.  However, there is no evidence to support the Appellant’s allegation.
Furthermore, it must be recognized that any judgment on obviousness is in a sense necessarily a reconstruction based upon hindsight reasoning.  But so long as it takes into account only knowledge which was within the level of ordinary skill at the time the claimed invention was made, and does not include knowledge gleaned only from the appellant's disclosure, such a reconstruction is proper.  See In re McLaughlin, 443 F.2d 1392, 170 USPQ 209 (CCPA 1971).

Argument 6:
	Appellant alleges that the combination of Kataoka, Saxe and Zorlular fails to teach the feedback is generated following the at least one alert having been escalated from the first security analyst to the second security analyst.
	In response to the above argument, Examiner respectfully disagrees.  Zorlular does teach the feedback is generated following the at least one alert having been escalated from the first security analyst to the second security analyst (Zorlular: paragraphs 0102 and 0107, “Specifically, an analyst may use the feedback box to include information related to the user's activity when escalating an alert, thus facilitating that a supervisor reviewing the escalated alert or another analyst investigating an alert is presented with the contextual information as provided by the warning system as well as any remarks or annotations by the analyst having already reviewed the alert.”).  Therefore, the combined teachings do teach the disputed limitation.

Argument 7:
	Appellant argues on page 14 of the Appeal Brief that 1) the confidence level mentioned in Gates has nothing to do with the threat disposition score (TDS).  As with Group II, 2) the stated motivation to include Gates in the combination is also impermissible hindsight given that Kataoka’s system is provided just for that purpose.
	In response to the first allegation, Examiner respectfully disagrees.  Gates does teach a confidence level associated with the TDS (Gates, in Fig. 4 and column 8 lines 59-67, discloses the indication (i.e. TDS) including an estimated degree of confidence (i.e. confidence level)).
In response to the second allegation that the examiner's conclusion of obviousness is based upon improper hindsight reasoning, it must be recognized that any judgment on obviousness is in a sense necessarily a reconstruction based upon hindsight reasoning.  But so long as it takes into account only knowledge which was within the level of ordinary skill at the time the claimed invention was made, and does not include knowledge gleaned only from the appellant's disclosure, such a reconstruction is proper.  See In re McLaughlin, 443 F.2d 1392, 170 USPQ 209 (CCPA 1971).

Argument 8:
	Appellant alleges on page 15 of the Appeal Brief that claims 8, 16 and 24 are said to be obvious over Kataoka-Saxe-Zorlular, further in view of Muddu, U.S. Patent No. 9,516,053, which provides for escalating a security threat (C15L64 through C16L20).  While Applicant does not question this particular Muddu finding, the reference is not cited with respect to any of the other Graham differences that have been identified above with respect to the Kataoka, Saxe and Zorlular teachings.  Thus, the same Graham differences (and errors with respect to the reasons to combine Saxe and Kataoka) that were found with respect to the Group I claims are also present with respect to the claims in this Group.
	Appellant alleges that the proposed combination on record was in error. However, Appellant does not provide any argument why the proposed combination was in error.  Appellant is reminded that one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references.  See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).  Therefore, no response can be provided with respect to the unspecified "a combination of references".

Argument 9:
	Appellant alleges on page 15 of the Appeal Brief that a skilled person would not combine the Saxe and Gates teachings with Kataoka for the reasons advanced above, which reasons are incorporated herein by reference.
	Appellant alleges that the proposed combination on record was not combinable. However, Appellant does not provide any argument why the proposed combination was not combinable.  Appellant is reminded that one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references.  See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).  Therefore, no response can be provided with respect to the unspecified "a combination of references".

Argument 10:
	Appellant alleges on page 16 of the Appeal Brief that Muddu fails to teach wherein inclusion of the threat disposition score reduces an alert disposition error rate associated with the first security analyst.
	In response to the above argument, Examiner respectfully disagrees.  Muddu does teach wherein inclusion of the threat disposition score reduces an alert disposition error rate associated with the first security analyst (Muddu, in Column 9 Lines 7-21 and Column 12 Lines 8-22, discloses using feedback to update the model, where the scored risk ratings improve threat detection (i.e. reduces error rate)).  Therefore, the Muddu reference does teach the disputed limitation.

For the above reasons, it is believed that the rejections should be sustained.
Respectfully submitted,
/TRANG T DOAN/Primary Examiner, Art Unit 2431

Conferees:
/MICHAEL R VAUGHAN/Primary Examiner, Art Unit 2431

/LYNN D FEILD/Supervisory Patent Examiner, Art Unit 2431

Requirement to pay appeal forwarding fee.  In order to avoid dismissal of the instant appeal in any application or ex parte reexamination proceeding, 37 CFR 41.45 requires payment of an appeal forwarding fee within the time permitted by 37 CFR 41.45(a), unless appellant had timely paid the fee for filing a brief required by 37 CFR 41.20(b) in effect on March 18, 2013.