
Patent Application 18222393 - DETERMINING THE IMPACT OF MALICIOUS PROCESSES IN - Rejection

From WikiPatents


Title: DETERMINING THE IMPACT OF MALICIOUS PROCESSES IN IT INFRASTRUCTURE

Application Information

  • Invention Title: DETERMINING THE IMPACT OF MALICIOUS PROCESSES IN IT INFRASTRUCTURE
  • Application Number: 18222393
  • Submission Date: 2025-05-15T00:00:00.000Z
  • Effective Filing Date: 2023-07-14T00:00:00.000Z
  • Filing Date: 2023-07-14T00:00:00.000Z
  • National Class: 726
  • National Sub-Class: 022000
  • Examiner Employee Number: 80054
  • Art Unit: 2447
  • Tech Center: 2400

Rejection Summary

  • 102 Rejections: 1
  • 103 Rejections: 6

Cited Patents

The following patents were cited in the rejection:

  • Jusko et al., US PGPUB No. 20200076832
  • Chen et al., US PGPUB No. 20160330226
  • Sakae et al., US Patent No. 12,118,476
  • Guo et al., US PGPUB No. 20230262074
  • Sohail et al., US Patent No. 10,419,931
  • Morrison et al., US PGPUB No. 20220109731
  • Brown et al., EP 3772004 A1

Office Action Text

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
1.        Claims 1-20 are pending. Claims 1, 15, 20 are independent. Filed on 7-14-2023.

Claim Rejections - 35 USC § 102
2.        The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless -
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.
3.        Claims 1 - 3, 5, 6, 14, 15, 20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Jusko et al. (US PGPUB No. 20200076832).     
 
Regarding Claim 1, Jusko discloses a method comprising: 
a) tracking data communication between a plurality of computer processes; (Jusko ¶ 011: a service receives a plurality of process hashes for processes executed by a plurality of devices. The service receives traffic data indicative of traffic between the plurality of devices and a plurality of remote server domains; ¶ 052: construct a malware detection service in a network (e.g., a local service in the local network or cloud-based service) that detects polymorphic malware using both client-level and network-level information. In particular, using the network monitoring techniques described previously, the service can receive traffic data indicative of traffic between the plurality of client devices being monitored and a plurality of remote server domains. In addition, the service can receive client-level data from a monitoring process on each client device, such as an anti-malware program, to identify the binary on the client devices that initiated a given server connection.)
b) identifying that at least one process of the plurality of computer processes is an anomalous computer process with respect to at least some of the plurality of computer processes; (Jusko ¶ 011: The service causes performance of a mitigation action in the network based on the identified subset of processes identified as exhibiting polymorphic malware behavior.)
c) identifying a first computer process of the plurality of computer processes that is affected by the anomalous computer process based on at least a portion of the tracking; (Jusko ¶ 011: The service identifies, based on the bipartite graph, a subset of the plurality of processes (identification of process exhibiting malware) as exhibiting polymorphic malware behavior. The service causes performance of a mitigation action in the network based on the identified subset of processes identified as exhibiting polymorphic malware behavior.) and
d) providing an indication of the identified first computer process that is affected by the anomalous computer process. (Jusko ¶ 068: the mitigation action may entail sending an alert to a user display, so as to notify a network administrator, security expert, or other interested party of the detected infection; ¶ 031: security process 248 may execute one or more machine learning-based classifiers to classify encrypted traffic in the network (and its originating application) for any number of purposes. In one embodiment, security process 248 may assess captured telemetry data regarding one or more traffic flows, to determine whether a given traffic flow or set of flows are caused by malware in the network, such as a particular family of malware applications.)

Regarding Claim 2, Jusko discloses the method of claim 1, further comprising: 
a) collecting a plurality of sets of process metadata, wherein a set of process metadata included in the plurality of sets of process metadata corresponds to one of the plurality of computer processes; and b) grouping the plurality of computer processes into a plurality of clusters based on the collected plurality of sets of process metadata using a machine learning cluster analysis. (Jusko ¶ 031: classify encrypted traffic in the network (and its originating application) for any number of purposes. In one embodiment, security process 248 may assess captured telemetry data regarding one or more traffic flows, to determine whether a given traffic flow or set of flows are caused by malware in the network, such as a particular family of malware applications. Example forms of traffic that can be caused by malware may include, but are not limited to, traffic flows reporting exfiltrated data to a remote entity, spyware or ransomware-related flows, command and control (C2) traffic that oversees the operation of the deployed malware, traffic that is part of a network attack, such as a zero day attack or denial of service (DoS) attack)

Regarding Claim 3, Jusko discloses the method of claim 2, further comprising: identifying the anomalous computer process based on the plurality of clusters, wherein at least one of the plurality of clusters corresponds to non-malicious computer processes, and wherein at least one of the plurality of clusters corresponds to malicious computer processes. (Jusko ¶ 031: classify encrypted traffic in the network (and its originating application) for any number of purposes. In one embodiment, security process 248 may assess captured telemetry data regarding one or more traffic flows, to determine whether a given traffic flow or set of flows are caused by malware in the network, such as a particular family of malware applications. Example forms of traffic that can be caused by malware may include, but are not limited to, traffic flows reporting exfiltrated data to a remote entity, spyware or ransomware-related flows, command and control (C2) traffic that oversees the operation of the deployed malware, traffic that is part of a network attack, such as a zero day attack or denial of service (DoS) attack; (subset of processes designated malicious, remaining processes non-malicious))

Regarding Claim 5, Jusko discloses the method of claim 1, further comprising: receiving via a user interface a confirmation that the anomalous computer process is malicious. (Jusko ¶ 068: the service may cause the performance of a mitigation action in the network based on the identified subset of processes identified as exhibiting polymorphic malware behavior; mitigation action may entail sending an alert to a user display (user interface; alert confirmation of malicious), so as to notify a network administrator, security expert, or other interested party of the detected infection.)

Regarding Claim 6, Jusko discloses the method of claim 1, further comprising: receiving via a user interface a confirmation that the anomalous computer process is non-malicious. (Jusko ¶ 068: the service may cause the performance of a mitigation action in the network based on the identified subset of processes identified as exhibiting polymorphic malware behavior; mitigation action may entail sending an alert to a user display (user interface; alert confirmation of malicious), so as to notify a network administrator, security expert, or other interested party of the detected infection.)

Regarding Claim 14, Jusko discloses the method of claim 1, wherein tracking the data communication includes identifying one or more network connections between the plurality of computer processes. (Jusko ¶ 011: a service receives a plurality of process hashes for processes executed by a plurality of devices. The service receives traffic data indicative of traffic between the plurality of devices and a plurality of remote server domains; ¶ 012: A computer network is a geographically distributed collection of nodes interconnected by communication links and segments for transporting data between end nodes, such as personal computers and workstations, or other devices, such as sensors, etc. The nodes typically communicate over the network by exchanging discrete frames or packets of data according to predefined protocols, such as the Transmission Control Protocol/Internet Protocol (TCP/IP).)

Regarding Claim 15, Jusko discloses a system, comprising: a processor configured to: 
a) track data communication between a plurality of computer processes; (Jusko ¶ 011: a service receives a plurality of process hashes for processes executed by a plurality of devices. The service receives traffic data indicative of traffic between the plurality of devices and a plurality of remote server domains; ¶ 052: construct a malware detection service in a network (e.g., a local service in the local network or cloud-based service) that detects polymorphic malware using both client-level and network-level information. In particular, using the network monitoring techniques described previously, the service can receive traffic data indicative of traffic between the plurality of client devices being monitored and a plurality of remote server domains. In addition, the service can receive client-level data from a monitoring process on each client device, such as an anti-malware program, to identify the binary on the client devices that initiated a given server connection.)
b) identify that at least one process of the plurality of computer processes is an anomalous computer process with respect to at least some of the plurality of computer processes; (Jusko ¶ 011: The service causes performance of a mitigation action in the network based on the identified subset of processes identified as exhibiting polymorphic malware behavior.)
c) identify a first computer process of the plurality of computer processes that is affected by the anomalous computer process based on at least a portion of the tracking; (Jusko ¶ 011: The service identifies, based on the bipartite graph, a subset of the plurality of processes (identification of process exhibiting malware) as exhibiting polymorphic malware behavior. The service causes performance of a mitigation action in the network based on the identified subset of processes identified as exhibiting polymorphic malware behavior.) and
d) provide an indication of the identified first computer process that is affected by the anomalous computer process; (Jusko ¶ 068: the mitigation action may entail sending an alert to a user display, so as to notify a network administrator, security expert, or other interested party of the detected infection; ¶ 031: security process 248 may execute one or more machine learning-based classifiers to classify encrypted traffic in the network (and its originating application) for any number of purposes. In one embodiment, security process 248 may assess captured telemetry data regarding one or more traffic flows, to determine whether a given traffic flow or set of flows are caused by malware in the network, such as a particular family of malware applications.) and
e) a memory coupled to the processor and configured to provide the processor with instructions. (Jusko ¶ 029: The memory 240 comprises a plurality of storage locations that are addressable by the processor(s) 220 and the network interfaces 210 for storing software programs and data structures associated with the embodiments described herein. The processor 220 may comprise necessary elements or logic adapted to execute the software programs and manipulate the data structures 245.)

Regarding Claim 20, Jusko discloses a computer program product embodied in a non-transitory computer readable medium and comprising computer instructions for: 
a) tracking data communication between a plurality of computer processes; (Jusko ¶ 011: a service receives a plurality of process hashes for processes executed by a plurality of devices. The service receives traffic data indicative of traffic between the plurality of devices and a plurality of remote server domains; ¶ 052: construct a malware detection service in a network (e.g., a local service in the local network or cloud-based service) that detects polymorphic malware using both client-level and network-level information. In particular, using the network monitoring techniques described previously, the service can receive traffic data indicative of traffic between the plurality of client devices being monitored and a plurality of remote server domains. In addition, the service can receive client-level data from a monitoring process on each client device, such as an anti-malware program, to identify the binary on the client devices that initiated a given server connection.)
b) identifying that at least one process of the plurality of computer processes is an anomalous computer process with respect to at least some of the plurality of computer processes; (Jusko ¶ 011: The service causes performance of a mitigation action in the network based on the identified subset of processes identified as exhibiting polymorphic malware behavior.)
c) identifying a first computer process of the plurality of computer processes that is affected by the anomalous computer process based on at least a portion of the tracking; (Jusko ¶ 011: The service identifies, based on the bipartite graph, a subset of the plurality of processes (identification of process exhibiting malware) as exhibiting polymorphic malware behavior. The service causes performance of a mitigation action in the network based on the identified subset of processes identified as exhibiting polymorphic malware behavior.) and
d) providing an indication of the identified first computer process that is affected by the anomalous computer process. (Jusko ¶ 068: the mitigation action may entail sending an alert to a user display, so as to notify a network administrator, security expert, or other interested party of the detected infection; ¶ 031: security process 248 may execute one or more machine learning-based classifiers to classify encrypted traffic in the network (and its originating application) for any number of purposes. In one embodiment, security process 248 may assess captured telemetry data regarding one or more traffic flows, to determine whether a given traffic flow or set of flows are caused by malware in the network, such as a particular family of malware applications.)

Claim Rejections - 35 USC § 103
4.        The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
5.        Claim 4 is rejected under 35 U.S.C. 103 as being unpatentable over Jusko in view of Chen et al. (US PGPUB No. 20160330226).     

Regarding Claim 4, Jusko discloses the method of claim 2. 
Chen does not explicitly disclose the set of process metadata comprises one or more of the following: a command name, an application name, a process name, or a command-line argument.
However, Chen discloses wherein the set of process metadata comprises one or more of the following: a command name, an application name, a process name, or a command-line argument. (Chen ¶ 024: A process signature anomaly detection module 308 takes process names and signatures as input from data distributor 41 and detects processes with suspicious signatures. Finally, a malicious process path discovery module 310 takes current active processes from the data distributor 41 as starting points and tracks all of the possible process paths by combing the incoming and previous events in a time window. The malicious process path discovery module 310 detects anomalous process sequences/paths as described in greater detail below; (selected: process name))
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Jusko for the set of process metadata comprises one or more of the following: a command name, an application name, a process name, or a command-line argument as taught by Chen. One of ordinary skill in the art would have been motivated to employ the teachings of Chen for the flexibility of a system that enables multiple types of information such as process names in the processing of security information. (Chen ¶ 024)

6.        Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Jusko in view of Sakae et al. (US Patent No. 12,118,476).     

Regarding Claim 7, Jusko discloses the method of claim 1. 
Jusko does not explicitly disclose the suggested action comprises one or more of the following: terminating the anomalous computer process, or opening a change request to respond to the anomalous computer process.
However, Sakae discloses wherein further comprising: providing a suggested action corresponding to the anomalous computer process via a user interface, wherein the suggested action comprises one or more of the following: terminating the anomalous computer process, or opening a change request to respond to the anomalous computer process. (Sakae col 8, ll 19-45: The anomaly handling part 137 is configured to retrieve the final anomaly detection result 128 from the storage part 120 and, based on the retrieved final anomaly detection result, automatically handle a detected anomaly. For example, the anomaly handling part 137 disconnects a computer in which an anomaly is detected from the network.; Alternatively, the anomaly handling part 137 disconnects a process in which an anomaly is detected from a computer on which the process is operating. Alternatively, the anomaly handling part 137 changes the settings of the firewall or controls the SDN so as not to allow communication from a process in which an anomaly is detected. Alternatively, the anomaly handling part 137 forcibly terminates a process in which an anomaly is detected.; (selected: terminating the anomalous process))
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Jusko for the suggested action comprises one or more of the following: terminating the anomalous computer process, or opening a change request to respond to the anomalous computer process as taught by Sakae. One of ordinary skill in the art would have been motivated to employ the teachings of Sakae for the flexibility of a system that enables multiple mitigation actions to be taken such as termination of an anomalous process. (Sakae col 8, ll 19-45)

7.        Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Jusko in view of Guo et al. (US PGPUB No. 20230262074).      

Regarding Claim 8, Jusko discloses the method of claim 1, further comprising: 
Jusko does not explicitly disclose providing an indication of a level of impact to an information technology (IT) infrastructure caused by the anomalous computer process.
However, Guo discloses wherein automatically providing an indication of a level of impact to an information technology (IT) infrastructure caused by the anomalous computer process. (Guo ¶ 080: Risks can be identified using predefined sets of rules, heuristics, machine learning, or other techniques. Identified risky behavior (e.g., behavior that matches a particular rule, or is similar to a learned malicious behavior) can have an associated risk score, with behaviors that are more suspicious or more likely to malicious having higher risk scores than activities that may be relatively benign.)
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Jusko for providing an indication of a level of impact to an information technology (IT) infrastructure caused by the anomalous computer process as taught by Guo. One of ordinary skill in the art would have been motivated to employ the teachings of Guo for the flexibility of a system that manages processing of multiple levels of security risks. (Guo ¶ 080)

8.        Claims 9, 10, 16, 17 are rejected under 35 U.S.C. 103 as being unpatentable over Jusko in view of Sohail et al. (US Patent No. 10,419,931).      

Regarding Claim 9, Jusko discloses the method of claim 1, further comprising: 
a) classifying relationships between the plurality of computer processes including by analyzing the data communication between the plurality of computer processes using a machine learning model; (Jusko ¶ 031: security process 248 may execute one or more machine learning-based classifiers to classify encrypted traffic in the network (and its originating application) for any number of purposes. In one embodiment, security process 248 may assess captured telemetry data regarding one or more traffic flows, to determine whether a given traffic flow or set of flows are caused by malware in the network, such as a particular family of malware applications.) and
d) providing an indication of the identified second computer process. (Jusko ¶ 068: the mitigation action may entail sending an alert to a user display, so as to notify a network administrator, security expert, or other interested party of the detected infection; ¶ 031: security process 248 may execute one or more machine learning-based classifiers to classify encrypted traffic in the network (and its originating application) for any number of purposes. In one embodiment, security process 248 may assess captured telemetry data regarding one or more traffic flows, to determine whether a given traffic flow or set of flows are caused by malware in the network, such as a particular family of malware applications.)

Jusko does not explicitly disclose for b) discovering an existence of a service provided by a functional group of computer processes, and for c) identifying a computer process that is affected by anomalous computer process based on discovered service.
However, Sohail discloses:
b)  based at least in part on the classified relationships between the plurality of computer processes, automatically discovering an existence of a service provided by a functional group of computer processes included in the plurality of computer processes;    
c)   identifying a second computer process of the plurality of computer processes that is affected by the anomalous computer process based on the automatically discovered service. (Sohail col 20, ll 12-25: the smart security agent 270 will report breaches of security and detected anomalies and attacks to the service provider of the IoT computing platform 140 (block 616). This allows the IoT cloud server provider to enrich or otherwise update a library with new types of network attacks or anomalous behaviors of network devices which were previously unknown. Moreover, the smart security agent 270 can receive updates from the IoT cloud service provider with regard to newly discovered types of network attacks or anomalous behaviors of network devices which were previously unknown, thereby providing information to the smart security agent 270 which can be used to monitor for such newly discovered types of network attacks and anomalous device behaviors.)         
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Jusko for b) discovering an existence of a service provided by a functional group of computer processes, and for c) identifying a computer process that is affected by the anomalous computer process based on the discovered service as taught by Sohail. One of ordinary skill in the art would have been motivated to employ the teachings of Sohail for the flexibility of a system that enables the discovery of new malicious processes in the processing of security information. (Sohail col 20, ll 12-25)

Regarding Claim 10, Jusko discloses the method of claim 9.
Jusko does not explicitly disclose identifying second computer process based on anomalous computer process being connected to discovered service.
However, Sohail discloses wherein further comprising: identifying the second computer process based on the anomalous computer process being connected to the automatically discovered service and further based on the automatically discovered service comprising the second computer process. (Sohail col 20, ll 12-25: the smart security agent 270 will report breaches of security and detected anomalies and attacks to the service provider of the IoT computing platform 140 (block 616). This allows the IoT cloud server provider to enrich or otherwise update a library with new types of network attacks or anomalous behaviors of network devices which were previously unknown. Moreover, the smart security agent 270 can receive updates from the IoT cloud service provider with regard to newly discovered types of network attacks or anomalous behaviors of network devices which were previously unknown, thereby providing information to the smart security agent 270 which can be used to monitor for such newly discovered types of network attacks and anomalous device behaviors.)      
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Jusko for identifying the second computer process based on the anomalous computer process being connected to the discovered service as taught by Sohail. One of ordinary skill in the art would have been motivated to employ the teachings of Sohail for the flexibility of a system that enables the discovery of new malicious processes in the processing of security information. (Sohail col 20, ll 12-25)

Regarding Claim 16, Jusko discloses the system of claim 15, wherein the processor is further configured to:
a) classify relationships between the plurality of computer processes including by analyzing the data communication between the plurality of computer processes using a machine learning model; (Jusko ¶ 031: security process 248 may execute one or more machine learning-based classifiers to classify encrypted traffic in the network (and its originating application) for any number of purposes. In one embodiment, security process 248 may assess captured telemetry data regarding one or more traffic flows, to determine whether a given traffic flow or set of flows are caused by malware in the network, such as a particular family of malware applications.) and
d) provide an indication of the identified second computer process. (Jusko ¶ 068: the mitigation action may entail sending an alert to a user display, so as to notify a network administrator, security expert, or other interested party of the detected infection; ¶ 031: security process 248 may execute one or more machine learning-based classifiers to classify encrypted traffic in the network (and its originating application) for any number of purposes. In one embodiment, security process 248 may assess captured telemetry data regarding one or more traffic flows, to determine whether a given traffic flow or set of flows are caused by malware in the network, such as a particular family of malware applications.)

Jusko does not explicitly disclose for b) discovering an existence of a service provided by a functional group of computer processes, and for c) identifying a computer process that is affected by the anomalous computer process based on the discovered service.
However, Sohail discloses:
b)  based at least in part on the classified relationships between the plurality of computer processes, automatically discover an existence of a service provided by a functional group of computer processes included in the plurality of computer processes; c) identify a second computer process of the plurality of computer processes that is affected by the anomalous computer process based on the automatically discovered service; (Sohail col 20, ll 12-25: the smart security agent 270 will report breaches of security and detected anomalies and attacks to the service provider of the IoT computing platform 140 (block 616). This allows the IoT cloud server provider to enrich or otherwise update a library with new types of network attacks or anomalous behaviors of network devices which were previously unknown. Moreover, the smart security agent 270 can receive updates from the IoT cloud service provider with regard to newly discovered types of network attacks or anomalous behaviors of network devices which were previously unknown, thereby providing information to the smart security agent 270 which can be used to monitor for such newly discovered types of network attacks and anomalous device behaviors.)  
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Jusko for b) discovering an existence of a service provided by a functional group of computer processes, and for c) identifying a computer process that is affected by anomalous computer process based on discovered service as taught by Sohail. One of ordinary skill in the art would have been motivated to employ the teachings of Sohail for the flexibility of a system that enables the discovery of new malicious processes in the processing of security information.  (Sohail col 20, ll 12-25)

Regarding Claim 17, Jusko discloses the system of claim 16.
Jusko does not explicitly disclose identify computer process based on the anomalous computer process being connected to discovered service.
However, Sohail discloses wherein the processor is further configured to: identify the second computer process based on the anomalous computer process being connected to the automatically discovered service and further based on the automatically discovered service comprising the second computer process. (Sohail col 20, ll 12-25: the smart security agent 270 will report breaches of security and detected anomalies and attacks to the service provider of the IoT computing platform 140 (block 616). This allows the IoT cloud server provider to enrich or otherwise update a library with new types of network attacks or anomalous behaviors of network devices which were previously unknown. Moreover, the smart security agent 270 can receive updates from the IoT cloud service provider with regard to newly discovered types of network attacks or anomalous behaviors of network devices which were previously unknown, thereby providing information to the smart security agent 270 which can be used to monitor for such newly discovered types of network attacks and anomalous device behaviors.)   
         It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Jusko for identify computer process based on the anomalous computer process being connected to discovered service as taught by Sohail. One of ordinary skill in the art would have been motivated to employ the teachings of Sohail for the flexibility of a system that enables the discovery of new malicious processes in the processing of security information.  (Sohail col 20, ll 12-25) 
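To make the claimed flow concrete for a reader who is not used to claim language, the following is an added worked example, written for this page and not taken from the application, from Jusko, or from Sohail. It implements in one script what claim 1 (track communication, flag an anomalous process, identify the first process affected, report it) and claims 9/10 and 16/17 (discover a service as a functional group of processes and identify a second process as affected because that service contains it and the anomalous process connects to it) describe, and adds the impact level of claim 8 as a simple ratio. The process names, the connection log, the robust-z-score detector standing in for the claimed cluster analysis, and the definition of a service as a connected component of the benign communication graph are all constructed assumptions for illustration.

```python
"""Added illustration of the claimed method: process-communication tracking,
anomaly flagging, service discovery and affected-process identification.
Not code from the application or any cited reference; all data is constructed."""
from collections import defaultdict, deque

# Constructed connection log: (source process, destination process, bytes sent).
# "198.51.100.7:4444" is an RFC 5737 documentation address used as a placeholder
# external peer; "miner-7" is the constructed outlier.
CONNECTIONS = [
    ("web-1", "api-1", 4_200),
    ("web-2", "api-1", 3_900),
    ("api-1", "db-1", 12_000),
    ("api-1", "cache-1", 800),
    ("batch-1", "db-1", 2_500),
    ("miner-7", "api-1", 50),
    ("miner-7", "db-1", 90_000),
    ("miner-7", "198.51.100.7:4444", 700_000),
]


def build_graph(conns):
    """Claim 1 step a): track communication as a directed, byte-weighted graph."""
    g = defaultdict(dict)
    for src, dst, nbytes in conns:
        g[src][dst] = g[src].get(dst, 0) + nbytes
        g.setdefault(dst, {})          # sinks are processes too
    return dict(g)


def _median(xs):
    s = sorted(xs)
    n = len(s)
    return s[n // 2] if n % 2 else (s[n // 2 - 1] + s[n // 2]) / 2


def find_anomalous(g, threshold=3.5):
    """Claim 1 step b): flag processes whose outbound volume is an outlier.
    A modified z-score (median / MAD, Iglewicz-Hoaglin cutoff 3.5) stands in
    for the claimed machine-learning cluster analysis (assumption)."""
    out = {p: sum(peers.values()) for p, peers in g.items()}
    med = _median(out.values())
    mad = _median(abs(v - med) for v in out.values())
    if mad == 0:                       # degenerate population, nothing to flag
        return set()
    return {p for p, v in out.items() if 0.6745 * (v - med) / mad > threshold}


def direct_peers(g, proc):
    """Claim 1 step c): processes the anomalous process exchanged data with."""
    peers = set(g[proc])
    peers |= {p for p, dsts in g.items() if proc in dsts}
    return peers


def discover_services(g, exclude):
    """Claim 9 step b): discover services as functional groups. Assumption:
    a service is a connected component (size > 1) of the benign subgraph."""
    nodes = [p for p in g if p not in exclude]
    adj = {p: set() for p in nodes}
    for src, dsts in g.items():
        for dst in dsts:
            if src in adj and dst in adj:
                adj[src].add(dst)
                adj[dst].add(src)
    seen, services = set(), []
    for start in nodes:
        if start in seen:
            continue
        comp, queue = set(), deque([start])
        while queue:
            n = queue.popleft()
            if n in comp:
                continue
            comp.add(n)
            queue.extend(adj[n] - comp)
        seen |= comp
        if len(comp) > 1:
            services.append(frozenset(comp))
    return services


def affected_via_services(g, proc, services):
    """Claims 10/17: a second process is affected when the anomalous process is
    connected to a discovered service and that service comprises the process."""
    touched = direct_peers(g, proc)
    affected = set()
    for svc in services:
        if touched & svc:
            affected |= svc
    return affected - {proc}


def impact_report(g):
    """Claim 1 step d) plus claim 8: indication of affected processes and an
    impact level, here the share of benign tracked processes affected."""
    anomalous = find_anomalous(g)
    services = discover_services(g, anomalous)
    report = {}
    for a in anomalous:
        affected = affected_via_services(g, a, services)
        report[a] = {
            "direct": direct_peers(g, a),
            "affected": affected,
            "impact": round(len(affected) / (len(g) - len(anomalous)), 2),
        }
    return report


if __name__ == "__main__":
    for proc, info in impact_report(build_graph(CONNECTIONS)).items():
        print(proc, info)
```

Run as-is the script flags only `miner-7`; its direct peers are `api-1`, `db-1` and the external placeholder, and because `api-1` and `db-1` belong to the discovered web/api/db service every member of that service is reported as affected, which is the distinction between the first-process identification of claim 1 and the service-based second-process identification of claims 10 and 17.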

9.        Claim 11 is rejected under 35 U.S.C. 103 as being unpatentable over Jusko in view of Morrison et al. (US PGPUB No. 20220109731).      

Regarding Claim 11, Jusko discloses the method of claim 9.
Jusko does not explicitly disclose predicting a confidence score using the machine learning model.
However, Morrison discloses wherein further comprising: predicting a confidence score using the machine learning model for at least one discovered connection between at least two of the functional group of computer processes. (Morrison ¶ 037: real-time monitor 216 may also calculate a score for each client device, such as    …   In other implementations, server 202 may execute a machine learning engine 220, which may comprise a classifier, such as a k-NN classifier, Bayes classifier, support vector machine, decision tree, neural network, or any other type and form of classifier to generate a score for a client device according to monitor data 218. As discussed above, in some implementations, metrics measured by a real-time monitor 216 may be provided to machine learning engine 220 for predicting a score, classification, predicting an anomalous or specified behavior,)
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Jusko for predicting a confidence score using the machine learning model as taught by Morrison. One of ordinary skill in the art would have been motivated to employ the teachings of Morrison for the flexibility of a system that enables the utilization of multiple types of parameters such as a confidence score prediction associated with the processing of security information.   (Morrison ¶ 037)

10.        Claims 12, 13, 18, 19 are rejected under 35 U.S.C. 103 as being unpatentable over Jusko in view of Brown et al. (Patent No. EP 3772004 A1).      

Regarding Claim 12, Jusko discloses the method of claim 9. 
Jusko does not specifically disclose generating a visual map.
However, Brown discloses wherein further comprising automatically generating a visual map, wherein the visual map indicates that the anomalous computer process is connected to the automatically discovered service and the second computer process. (Brown ¶ 004: generating a visual representation of the possible malicious incidents. For example, a system can monitor the host device and detect an incident of potential malicious behavior associated with an event (e.g., a process, a thread, and the like). The system may generate visual imagery (e.g., a graph or a map just to name a few) associated with the incident and output the visual imagery on a display device to represent one or more events and associated incidents of potential malicious behavior at the host device.)
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Jusko for generating a visual map as taught by Brown. One of ordinary skill in the art would have been motivated to employ the teachings of Brown for the flexibility of a system that enables multiple types of information such as visual maps to be utilized in the processing of security information. (Brown ¶ 004)

Regarding Claim 13, Jusko discloses the method of claim 12. 
Jusko does not specifically disclose generating a visual map.
However, Brown discloses wherein the automatically generated visual map includes nodes corresponding to one or more of the plurality of computer processes and connections between the nodes corresponding to network connections between the nodes corresponding to the one or more of the plurality of computer processes. (Brown ¶ 004: generating a visual representation of the possible malicious incidents. For example, a system can monitor the host device and detect an incident of potential malicious behavior associated with an event (e.g., a process, a thread, and the like). The system may generate visual imagery (e.g., a graph or a map just to name a few) associated with the incident and output the visual imagery on a display device to represent one or more events and associated incidents of potential malicious behavior at the host device.)
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Jusko for generating a visual map as taught by Brown. One of ordinary skill in the art would have been motivated to employ the teachings of Brown for the flexibility of a system that enables multiple types of information such as visual maps to be utilized in the processing of security information.  (Brown ¶ 004)

Regarding Claim 18, Jusko discloses the system of claim 16. 
Jusko does not specifically disclose generating a visual map.
However, Brown discloses wherein the processor is further configured to: automatically generate a visual map, wherein the visual map indicates that the anomalous computer process is connected to the automatically discovered service and the second computer process. (Brown ¶ 004: generating a visual representation of the possible malicious incidents. For example, a system can monitor the host device and detect an incident of potential malicious behavior associated with an event (e.g., a process, a thread, and the like). The system may generate visual imagery (e.g., a graph or a map just to name a few) associated with the incident and output the visual imagery on a display device to represent one or more events and associated incidents of potential malicious behavior at the host device.)
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Jusko for generating a visual map as taught by Brown. One of ordinary skill in the art would have been motivated to employ the teachings of Brown for the flexibility of a system that enables multiple types of information such as visual maps to be utilized in the processing of security information.  (Brown ¶ 004)

Regarding Claim 19, Jusko discloses the system of claim 18. 
Jusko does not explicitly disclose a generated visual map that includes nodes corresponding to the plurality of computer processes and connections between nodes corresponding to network connections.
However, Brown discloses wherein the automatically generated visual map includes nodes corresponding to one or more of the plurality of computer processes and connections between the nodes corresponding to network connections between the nodes corresponding to the one or more of the plurality of computer processes. (Brown ¶ 004: generating a visual representation of the possible malicious incidents. For example, a system can monitor the host device and detect an incident of potential malicious behavior associated with an event (e.g., a process, a thread, and the like). The system may generate visual imagery (e.g., a graph or a map just to name a few) associated with the incident and output the visual imagery on a display device to represent one or more events and associated incidents of potential malicious behavior at the host device.)
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Jusko for a generated visual map that includes nodes corresponding to the plurality of computer processes and connections between nodes corresponding to network connections as taught by Brown. One of ordinary skill in the art would have been motivated to employ the teachings of Brown for the flexibility of a system that enables multiple types of information such as visual maps to be utilized in the processing of security information.  (Brown ¶ 004)


Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Kyung H Shin whose telephone number is (571)272-3920. The examiner can normally be reached M - F: 12pm - 8pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joon H Hwang can be reached at 571-272-4036. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/KYUNG H SHIN/
Primary Examiner, Art Unit 2447
5-11-2025