DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This communication is in response to amendments filed on 01/07/2026. Claims 1-2, 4-6, 8-11, 13-16, and 18-20 are currently pending in the application.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 12/23/2025 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.
Response to Arguments
Applicant’s arguments with respect to claims 1, 10, and 15 regarding “wherein the notable event record further contains an association of the potential security threat with a threat object and an association of the potential security threat with a network attack tactic” have been considered, but are not persuasive, because the prior art of record, ESMAN (US 20180316695), discloses the limitations as amended in paragraphs 245, 70, 151, and 202. The fraudulent behavior or transactions by one or more users or computers interacting with the computer system in paragraph 202 is interpreted as the claimed attack tactic (in modern cybersecurity, such behavior is often classified under social engineering, phishing, or impersonation attacks).
The argued limitation of “wherein the threat object is a delivery pathway of malicious content identified using one or more user-specified rules and persisted in metadata added to event data of the notable event record” is taught by Moore (US 20200106742) in paragraphs 41-43 and 47, which are hereby incorporated in the rejections made below, and partly by ESMAN (US 20180316695) in paragraph 245, wherein the IP address and browser are interpreted as the delivery pathway for malicious content.
The limitation of “identifying a particular risk object by performing a rule-based search on the plurality of notable event records including the metadata, corresponding with the threat object, added to the event data of the notable event record” as amended is disclosed by Moore in paragraphs 61 and 69, respectively.
The limitation of “based on the first threat object being associated with the threshold number of risk objects, generating a threat report that identifies the particular risk object, wherein the threat report indicates an association between the particular risk object and the first threat object and a number of risk objects associated with the first threat object” is disclosed by Shahbaz (US 20180091528) in paragraphs 246-247, 177, and 264. Paragraph 247 discloses a threshold number of computing devices that receive an email. The email is the threat object and the threshold number of computing devices are the risk objects, in accordance with ¶0195-¶0196 of applicant’s specification. The generation of a visible report based on the threshold number of computing devices receiving the email (security threats) is disclosed in paragraph 177.
Paragraph 264 discloses an occurrence of malware (threat object) potentially present on a particular endpoint device (risk object) which necessitates the triggering condition upon which the visible report of threats found in the enterprise infrastructure is generated.
Consequently, the examiner maintains the rejections of the aforementioned limitations.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-2, 5-6, 8-11, 14-16, and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over US PGPub. No. 20180316695 to ESMAN; Gleb (hereinafter ESMAN) in view of US PGPub. No. 20200106742 to Moore et al. (hereinafter Moore) and further in view of US PGPub. No. 20180091528 to Shahbaz et al. (hereinafter Shahbaz).
Regarding claim 1, ESMAN discloses a method implemented using a computing device (¶0008, “Various embodiments of the present invention set forth a computer implemented method for monitoring risk in a computing system”), comprising:
generating a plurality of notable event records (¶0191, “SPLUNK® IT SERVICE INTELLIGENCE™ provides a visualization for incident review showing detailed information for notable events. The incident review visualization may also show summary information for the notable events over a time frame, such as an indication of the number of notable events at each of a number of severity levels”) based on a plurality of event records (¶0066, “In the SPLUNK® ENTERPRISE system, machine-generated data are collected and stored as “events.” An event comprises a portion of the machine-generated data and is associated with a specific point in time”),
wherein an event record is a record of activity of an entity on a computer network (¶0199, “the risk monitoring system 1116 may receive and analyze any form of computer data, including “event data,” raw machine data, network traffic data, network traffic packet data, and any other form of computer data that reflects activity in an information technology (IT) environment…”),
wherein a notable event record is indicative of a potential security threat associated with a respective entity on the computer network (¶0151, “the SPLUNK® APP FOR ENTERPRISE SECURITY facilitates detecting “notable events” that are likely to indicate a security threat”), (¶0153, “…These notable events can include: (1) a single event of high importance, such as any activity from a known web attacker; or (2) multiple events that collectively warrant review, such as a large number of authentication failures on a host followed by a successful authentication…”, wherein the host and system component associated with the event are the entities),
wherein the notable event record contains an association of the respective entity with a risk object (¶0202, “threats of fraudulent behavior or transactions by one or more users or computers interacting with the computer system. Further, the risk monitoring system 1116 may search for and analyze computer data related to security, where the criteria determine which computer data is relevant to breaches or threats to the security associated with one or more users or computers interacting with the computer system”), and
wherein the notable event record further contains an association of the potential security threat with a threat object and an association of the potential security threat with a network attack tactics, wherein the threat object is a delivery pathway of malicious content identified using one or more rules (¶0245, “Further, as shown, portion 1450 of the canvas portion 1420 displays a first risk object 1451 as represented by a title 1451A that identifies that the risk object is associated with an anomalous IP address for a user, along with a first risk score 1451B showing a risk score equal to 38. In addition, as shown, portion 1450 of the canvas portion 1420 also displays a second generated risk object 1452 as represented by a title 1452A that identifies that the risk object is associated with an anomalous browser used by a user, along with a first risk score 1452B showing a risk score equal to 35”, wherein the IP address and browser are threat objects because both are delivery pathways for malicious content, in line with applicant’s disclosure in ¶0219 of the specification which states …), (¶0151, “During operation, the SPLUNK® APP FOR ENTERPRISE SECURITY facilitates detecting “notable events” that are likely to indicate a security threat…”), (¶0202, “…the risk monitoring system 1116 may search for and analyze computer data related to fraud, where the criteria determine which computer data is relevant to incidents or threats of fraudulent behavior or transactions by one or more users or computers interacting with the computer system…”, wherein fraudulent behavior or transactions by one or more users or computers interacting with the computer system is interpreted as attack tactics in modern cybersecurity, often classified under social engineering, phishing, or impersonation attacks), (¶0070, “…the fields are defined by extraction rules (e.g., regular expressions) that derive one or more values from the portion of raw machine data in each event that has a particular field specified by an extraction rule. The set of values so produced are semantically-related (such as IP address)…”), (¶0272, “the dashboard screen 1700 being displayed includes an actions portion 1750 for displaying actions to be performed when a rule or triggering condition is met and a threat is detected…”);
identifying a particular risk object (¶0201, “The risk monitoring system 1116 identifies computer data that represents potential risks…”) by performing a rule-based search on the plurality of notable event records (¶0202, “…the risk monitoring system 1116 may search for and analyze computer data related to fraud, where the criteria determine which computer data is relevant to incidents or threats of fraudulent behavior or transactions by one or more users or computers interacting with the computer system.”, wherein the criteria are the rules guiding the search), wherein the rule-based search defines a characteristic of the particular risk object (¶0182, “a service such as corporate e-mail may be defined in terms of the entities employed to provide the service, such as host machines and network devices. Each entity is defined to include information for identifying all of the event data that pertains to the entity, whether produced by the entity itself or by another machine, and considering the many various ways the entity may be identified in raw machine data (such as by a URL, an IP address, or machine name”);
based on the first threat object being associated with the threshold number of risk objects, (¶0295, “At optional step 2053, the risk monitoring system 1116 applies one or more count-based logical operators to operate on or combine the risk objects and/or groups of risk objects based on the how many of the risk objects meet certain specified conditions. For instance, the risk monitoring system 1116 may determine that, in order for a triggering condition to be met and thus for a “threat” to be detected, a certain number of risk objects must meet certain conditions, and/or a risk object must meet a certain number of conditions. For instance, one exemplary triggering condition could require that three out of four risk objects must be evaluated as “true,” or a risk score for three out of four risk objects must exceed a particular threshold.”)
generating a threat report that identifies the particular risk object (¶0146, “…SPLUNK® APP FOR ENTERPRISE SECURITY provides the security practitioner with visibility into security-relevant threats found in the enterprise infrastructure by capturing, monitoring, and reporting on data from enterprise security devices, systems, and applications”, wherein the security devices and applications are the risk objects (refer to ¶0195 of applicant’s specification)), (¶0231, “the risk monitoring program 1230 may cause a representation of one or more logical operators for operating on and/or combining the one or more selected risk objects and/or groups of risk objects to be displayed via the UI…”), wherein the threat report indicates an association between the particular risk object and the first threat object and a number of risk objects associated with the first threat object (FIG. 14C, ¶0245, “…Further, as shown, portion 1450 of the canvas portion 1420 displays a first risk object 1451 as represented by a title 1451A that identifies that the risk object is associated with an anomalous IP address for a user, along with a first risk score 1451B showing a risk score equal to 38. In addition, as shown, portion 1450 of the canvas portion 1420 also displays a second generated risk object 1452 as represented by a title 1452A that identifies that the risk object is associated with an anomalous browser used by a user, along with a first risk score 1452B showing a risk score equal to 35…”, see also FIGs. 15B-15E, ¶0249), (¶0259, “…the second group of selected risk objects 1581 is displayed with a title 1582. Specifically, as shown, the title 1582 describes the second group of selected risk objects 1581 as being associated with “Risky and Anomalous Session Activity.” Those skilled in the art will understand that the title 1582 is displayed as a particular title by way of example only and may include any kind of descriptions of the second group of selected risk objects 1581.”); and
outputting the threat report for display (¶0152, “…FIG. 8A illustrates an example key indicators view 800 that comprises a dashboard, which can display a value 801, for various security-related metrics, such as malware infections 802. It can also display a change in a metric value 803, which indicates that the number of malware infections increased by 63 during the preceding interval”).
However, ESMAN does not explicitly disclose the following limitation:
wherein the threat object is a delivery pathway of malicious content identified using one or more user-specified rules and persisted in metadata added to event data of the notable event record;
identifying a particular risk object by performing a rule-based search on the plurality of notable event records including the metadata, corresponding with the threat object, added to the event data of the notable event record,
determining that a first threat object is associated with the particular risk object and a number of other risk objects that collectively satisfy a threshold number of risk objects based on the plurality of notable event records;
based on the first threat object being associated with the threshold number of risk objects
Moore discloses wherein the threat object is a delivery pathway of malicious content identified using one or more user-specified rules and persisted in metadata added to event data of the notable event record (¶0041, “…TIG 220 may be an inline TCP/IP packet filter that applies packet filtering rules to packet traffic, wherein the packet filtering rules have been derived from cyber threat intelligence (CTI) and from CTI metadata. CTI may include Internet network addresses—in the form of IP addresses, IP address ranges, L3/L4 ports and protocols, domain names, URLs, and the like—of resources controlled/operated by threat actors. CTI metadata may be, for example, the threat type, the threat name, the threat risk score, the threat actor, and the like…”, wherein including IP addresses, IP address ranges, L3/L4 ports and protocols, domain names, URLs, and the like in the cyber threat intelligence (CTI) metadata is interpreted as persisting the threat object in the metadata), (¶0042-¶0043, “…When a communication matches one or more rules, the threat metadata of the matching rule may be used to signal other logical components of the NPS gateway, for example, to make decisions regarding handling, processing, and/or reporting of the (threat) communication…These cyber analysis systems may also be configured with rules, which may be supplied by rule servers 130, 132, and 134 hosted by various providers and services. The NPS gateway 200 cyber analysis systems 230-234 may access these servers, download analysis rules and metadata associated with the rules, and apply the analysis rules to network communications.”), (¶0047, “… cyber threat intelligence (CTI) providers may enrich their CTI with threat metadata, such as the type of threat, the name of the threat, the identity of the actors associated with the threat, the discovery date of the threat, a risk score for the threat, a remedial action for the threat, the CTI provider name and other provenance information, and the like. This threat metadata may be included with the CTI when it is downloaded to the TIG 220. The TIG 220 may determine and may generate packet filtering rules from the CTI. Threat metadata may be associated with the rules so that it can be included in any signal messages between NPS gateway components and in any log files that record the (threat) communication events and associated actions by the NPS gateway…”, wherein including the threat metadata associated with the rules in log files that record the (threat) communication events is interpreted as persisting the threat object in the metadata added to event data of the notable event record);
identifying a particular risk object by performing a rule-based search on the plurality of notable event records including the metadata, corresponding with the threat object, added to the event data of the notable event record (¶0061, “…Reactive protections may be, for example, identifying malware-infected hosts and reporting those malware-infected hosts to network authorities. Protection system 242 or outside network authorities may malware-sweep the hosts, and/or quarantine malware-infected hosts. The TIG 220 may be configured with rules that block any network communications with source or destination IP addresses of a host identified as a malware-infected host…”), (¶0069, “the origin host 114 IP address, target domain name, target URL—and sending the CTI and dispositions to the TIG 220, which may generate new rules and may add them to its network protection policy. In Step 7-7, protector 242 may reactively protect network 102 by reporting the origin host 114 IP address and the attack type in the threat metadata, and may then send the log to a log storage unit and a SIEM device or application (for reviewing and reporting), connected to network 102 via the management interface MGMT OF 280. Network authorities or management devices may then take protective actions…”).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant’s claimed invention to modify the method of ESMAN to include persisting the identified threat object in metadata added to event data of the notable event record as disclosed by Moore, and would have been motivated to do so in order to increase the speed of the search for the threat metadata in the event record.
The combination of ESMAN and Moore does not explicitly disclose the following limitations:
determining that a first threat object is associated with the particular risk object and a number of other risk objects that collectively satisfy a threshold number of risk objects based on the plurality of notable event records;
based on the first threat object being associated with the threshold number of risk objects,
Shahbaz discloses determining that a first threat object is associated with the particular risk object and a number of other risk objects that collectively satisfy a threshold number of risk objects based on the plurality of notable event records (¶0247, “…if a user desires to create a modular alert related to phishing email attacks, the user might create a query which searches for event data corresponding to received email messages, where an associated triggering condition is based on detecting that a threshold number of computing devices having received an email including an attachment matching a known signature within a specified time interval…”, wherein the email is the threat object and the threshold number of computing devices are the risk objects in accordance with ¶0195-¶0196 of applicant’s specification);
Shahbaz also teaches based on the first threat object being associated with the threshold number of risk objects (¶0246-¶0247, FIG. 18, “…, a modular alert generally represents functionality of a network security application which enables users to define a query and an associated triggering condition, and to further associate one or more actions to be performed by the network security application based on data identified by the query satisfying the triggering condition. In an embodiment, the graphical user interface may be generated by a search head 210, an indexer 206, or any other component of a data intake and query system 108…”);
generating a threat report that identifies the particular risk object (¶0177, “…SPLUNK® APP FOR ENTERPRISE SECURITY provides the security practitioner with visibility into security-relevant threats found in the enterprise infrastructure by capturing, monitoring, and reporting on data from enterprise security devices, systems, and applications…”), wherein the threat report indicates an association between the particular risk object and the first threat object and a number of risk objects associated with the first threat object (¶0264, “…in response to a triggering condition indicating an occurrence of malware potentially present on a particular endpoint device, a search action may be performed directly in response to detection of the triggering condition to identify additional information about the endpoint device (e.g., the search may locate data indicating recent emails received by the device, recent file system changes, etc.)”), (¶0247, “… if a user desires to create a modular alert related to phishing email attacks, the user might create a query which searches for event data corresponding to received email messages, where an associated triggering condition is based on detecting that a threshold number of computing devices having received an email including an attachment matching a known signature within a specified time interval…”);
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant’s claimed invention to modify the method of ESMAN and Moore to include an association between a threat object, such as a received email, and a threshold number of risk objects, such as endpoints or devices, as disclosed by Shahbaz, with the rationale of the use of a known technique to improve similar devices (methods or products) in the same way, such as the identification and mitigation of threats in a network system.
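As an added illustration, not part of this Office action, the cited references, or applicant’s specification, the following Python code models the claim 1 flow as recited above: event records are matched against user-specified rules to produce notable event records whose metadata persists the threat object (the delivery pathway) and the attack tactic; a rule-based search over those records (metadata included) identifies risk objects; for a given risk object, each associated threat object is checked against a threshold number of distinct risk objects; and a threat report is generated that states the association and the count. All hosts, addresses, hashes, rule names and function names are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample event records in the style of an email-gateway log.
# Hosts, addresses (RFC 5737 documentation ranges) and hashes are placeholders.
RAW_EVENTS = [
    {"time": 1, "host": "ws-01", "sender_ip": "203.0.113.5",  "attachment": "sha256:AAAA"},
    {"time": 2, "host": "ws-02", "sender_ip": "203.0.113.5",  "attachment": "sha256:AAAA"},
    {"time": 3, "host": "ws-03", "sender_ip": "198.51.100.9", "attachment": "sha256:AAAA"},
    {"time": 4, "host": "ws-01", "sender_ip": "198.51.100.9", "attachment": "sha256:BBBB"},
    {"time": 5, "host": "ws-04", "sender_ip": "192.0.2.77",   "attachment": None},
]

# Constructed user-specified rules. Each names the delivery pathway it flags
# (the threat object) and the attack tactic it is associated with.
KNOWN_BAD_ATTACHMENTS = {"sha256:AAAA"}   # placeholder signature, not a real IoC
BLOCKLISTED_SENDERS = {"203.0.113.5"}

RULES = [
    {"name": "known-bad-attachment", "tactic": "phishing",
     "match": lambda e: e["attachment"] in KNOWN_BAD_ATTACHMENTS,
     "threat_object": lambda e: "attachment:" + e["attachment"]},
    {"name": "blocklisted-sender", "tactic": "phishing",
     "match": lambda e: e["sender_ip"] in BLOCKLISTED_SENDERS,
     "threat_object": lambda e: "sender:" + e["sender_ip"]},
]


@dataclass
class NotableEvent:
    """A notable event record: the underlying event, the risk object (here the
    receiving host), and metadata persisting the threat object, tactic and rule."""
    event: dict
    risk_object: str
    metadata: dict = field(default_factory=dict)


def generate_notable_events(events, rules):
    """Run every rule over every event record; each match yields a notable
    event record with the threat object and tactic added as metadata."""
    notable = []
    for ev in events:
        for rule in rules:
            if rule["match"](ev):
                md = {"rule": rule["name"],
                      "threat_object": rule["threat_object"](ev),
                      "tactic": rule["tactic"]}
                notable.append(NotableEvent(ev, ev["host"], md))
    return notable


def search_risk_objects(notable, predicate):
    """Rule-based search over notable event records (metadata included);
    returns the distinct risk objects whose records satisfy the predicate."""
    return sorted({n.risk_object for n in notable if predicate(n)})


def risk_objects_by_threat(notable):
    """Map each threat object to the set of distinct risk objects it is
    associated with across the notable event records."""
    by_threat = defaultdict(set)
    for n in notable:
        by_threat[n.metadata["threat_object"]].add(n.risk_object)
    return dict(by_threat)


def generate_threat_report(notable, risk_object, threshold):
    """For the given risk object, report each threat object tied to it that is
    also tied to at least `threshold` distinct risk objects in total. Each
    entry records the association, the count, the tactics, and groups the
    notable events for that risk object / threat object pair."""
    by_threat = risk_objects_by_threat(notable)
    report = []
    for threat, risks in by_threat.items():
        if risk_object not in risks or len(risks) < threshold:
            continue
        related = [n for n in notable
                   if n.risk_object == risk_object
                   and n.metadata["threat_object"] == threat]
        report.append({
            "risk_object": risk_object,
            "threat_object": threat,
            "risk_object_count": len(risks),
            "tactics": sorted({n.metadata["tactic"] for n in notable
                               if n.metadata["threat_object"] == threat}),
            "event_times": [n.event["time"] for n in related],
        })
    return report


if __name__ == "__main__":
    notable = generate_notable_events(RAW_EVENTS, RULES)
    for entry in generate_threat_report(notable, "ws-01", threshold=3):
        print(entry)
```

With the constructed data, the known-bad attachment is delivered to three distinct hosts and the blocklisted sender reaches two, so a threshold of three reports only the attachment as a threat object for ws-01, while a threshold of two reports both. The threshold is applied to the count of distinct risk objects rather than to the count of notable events, which is what keeps a single noisy host from triggering the report on its own.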
Regarding claim 2, ESMAN in view of Moore and further in view of Shahbaz discloses the method of claim 1.
ESMAN further discloses wherein the characteristic of the particular risk object (¶0182, “a service such as corporate e-mail may be defined in terms of the entities employed to provide the service, such as host machines and network devices. Each entity is defined to include information for identifying all of the event data that pertains to the entity, whether produced by the entity itself or by another machine, and considering the many various ways the entity may be identified in raw machine data (such as by a URL, an IP address, or machine name”) is a count of threat objects associated with the particular risk object (¶0152, “The SPLUNK® APP FOR ENTERPRISE SECURITY provides various visualizations to aid in discovering security threats, such as a “key indicators view” that enables a user to view security metrics, such as counts of different types of notable events. For example, FIG. 8A illustrates an example key indicators view 800 that comprises a dashboard, which can display a value 801, for various security-related metrics, such as malware infections 802...”, wherein the malware is the threat object and the devices infected with the malware are the risk objects), (¶0153, “multiple events that collectively warrant review, such as a large number of authentication failures on a host followed by a successful authentication”, wherein a large number of authentication failures on a host is interpreted as a count of threat objects associated with the risk object, the host being the risk object).
Regarding claim 5, ESMAN in view of Moore and further in view of Shahbaz discloses the method of claim 1.
ESMAN further discloses wherein the threat report groups the plurality of notable event records pertaining to the particular risk object together (¶0146, “…SPLUNK® APP FOR ENTERPRISE SECURITY provides the security practitioner with visibility into security-relevant threats found in the enterprise infrastructure by capturing, monitoring, and reporting on data from enterprise security devices, systems, and applications…”), (¶0151, “These notable events can be detected in a number of ways: (1) a user can notice a correlation in the data and can manually identify a corresponding group of one or more events as “notable;” or (2) a user can define a “correlation search” specifying criteria for a notable event, and every time one or more events satisfy the criteria, the application can indicate that the one or more events are notable…”), (¶0153, “…These notable events can include: (1) a single event of high importance, such as any activity from a known web attacker; or (2) multiple events that collectively warrant review, such as a large number of authentication failures on a host followed by a successful authentication…”, wherein the host or the system component associated with the event represents the risk object) and (¶0096, “…Data store 208 may contain events derived from machine data from a variety of sources all pertaining to the same component in an IT environment”, wherein the events derived from machine data from a variety of sources include a plurality of notable events and pertain to the particular risk object (the same component in an IT environment)).
Regarding claim 6, ESMAN in view of Moore and further in view of Shahbaz discloses the method of claim 1.
ESMAN further discloses wherein the plurality of notable event records are defined by a search query (¶0151, “a user can define a “correlation search” specifying criteria for a notable event, and every time one or more events satisfy the criteria, the application can indicate that the one or more events are notable”), wherein the search query includes parameters describing risk objects and threat objects to associate with event records identified by the search query (¶0193, “the data intake and query system 108 described in conjunction with FIGS. 1-10 can be used in conjunction with a risk monitoring system, described in conjunction with FIGS. 11-20B, in order to search and analyze computer data based on certain criteria determined to be relevant to a particular risk or condition associated with the computer system”) and (¶0194, “the risk monitoring system causes representations of these risk definitions, corresponding risk objects which represent searches based on the risk definitions…”).
Regarding claim 8, ESMAN in view of Moore and further in view of Shahbaz discloses the method of claim 1.
ESMAN further discloses wherein the threat report further indicates network attack tactics associated with the first threat object (¶0202, “…the risk monitoring system 1116 may search for and analyze computer data related to fraud, where the criteria determine which computer data is relevant to incidents or threats of fraudulent behavior or transactions by one or more users or computers interacting with the computer system. Further, the risk monitoring system 1116 may search for and analyze computer data related to security, where the criteria determine which computer data is relevant to breaches or threats to the security associated with one or more users or computers interacting with the computer system”, see ¶0245 or ¶0249 for the first threat object disclosure).
Regarding claim 9, ESMAN in view of Moore and further in view of Shahbaz discloses the method of claim 1.
ESMAN further discloses wherein the rule-based search (¶0118, “In response to receiving the search query, search head 210 uses extraction rules to extract values for the fields associated with a field or fields in the event data being searched…”) determines one or more characteristics of the particular risk object (¶0278, “As described herein, the risk object may be represented by a UI element that includes any type of risk score or other characteristics associated with the risk object, including, without limitation, a risk score, a risk severity level, a risk probability level, an order of precedence indicator, and so forth”) using multiple notable events from the plurality of notable event records (¶0153, “These visualizations can also include an “incident review dashboard” that enables a user to view and act on “notable events”. These notable events can include: (1) a single event of high importance, such as any activity from a known web attacker; or (2) multiple events that collectively warrant review, such as a large number of authentication failures on a host followed by a successful authentication…”, wherein multiple notable events are inherently included in the multiple events, which are included in the notable events), wherein each of the multiple notable events are associated with the particular risk object (¶0096, “…Data store 208 may contain events derived from machine data from a variety of sources all pertaining to the same component in an IT environment”, wherein the events derived from machine data from a variety of sources include a plurality of notable events and are associated with (pertain to) the particular risk object (the same component in an IT environment)).
Regarding claim 10, ESMAN discloses a computing device (¶0075, “computing devices”), comprising:
a processor (¶0075, “hardware processors”); and a non-transitory computer-readable medium having stored thereon instructions that, when executed by the processor, cause the processor to perform operations including (claim 18, “A non-transitory computer-readable storage medium including instructions that, when executed by a processor, cause the processor to perform the steps of”):
generating a plurality of notable event records (¶0191, “SPLUNK® IT SERVICE INTELLIGENCE™ provides a visualization for incident review showing detailed information for notable events. The incident review visualization may also show summary information for the notable events over a time frame, such as an indication of the number of notable events at each of a number of severity levels”) based on a plurality of event records (¶0066, “In the SPLUNK® ENTERPRISE system, machine-generated data are collected and stored as “events.” An event comprises a portion of the machine-generated data and is associated with a specific point in time”),
wherein an event record is a record of activity of an entity on a computer network (¶0199, “the risk monitoring system 1116 may receive and analyze any form of computer data, including “event data,” raw machine data, network traffic data, network traffic packet data, and any other form of computer data that reflects activity in an information technology (IT) environment…”),
wherein a notable event record is indicative of a potential security threat associated with a respective entity on the computer network (¶0151, “the SPLUNK® APP FOR ENTERPRISE SECURITY facilitates detecting “notable events” that are likely to indicate a security threat”), (¶0153, “…These notable events can include: (1) a single event of high importance, such as any activity from a known web attacker; or (2) multiple events that collectively warrant review, such as a large number of authentication failures on a host followed by a successful authentication…”, wherein the host and system component associated with the event are the entities),
wherein the notable event record contains an association of the respective entity with a risk object (¶0202, “threats of fraudulent behavior or transactions by one or more users or computers interacting with the computer system. Further, the risk monitoring system 1116 may search for and analyze computer data related to security, where the criteria determine which computer data is relevant to breaches or threats to the security associated with one or more users or computers interacting with the computer system”), and
wherein the notable event record further contains an association of the potential security threat with a threat object and an association of the potential security threat with a network attack tactic, wherein the threat object is a delivery pathway of malicious content identified using one or more rules (¶0245, “Further, as shown, portion 1450 of the canvas portion 1420 displays a first risk object 1451 as represented by a title 1451A that identifies that the risk object is associated with an anomalous IP address for a user, along with a first risk score 1451B showing a risk score equal to 38. In addition, as shown, portion 1450 of the canvas portion 1420 also displays a second generated risk object 1452 as represented by a title 1452A that identifies that the risk object is associated with an anomalous browser used by a user, along with a first risk score 1452B showing a risk score equal to 35”, wherein the IP address and browser are threat objects because both are delivery pathways for malicious content, in line with applicant’s disclosure in ¶0219 of the specification which states …), (¶0151, “During operation, the SPLUNK® APP FOR ENTERPRISE SECURITY facilitates detecting “notable events” that are likely to indicate a security threat…”), (¶0202, “…the risk monitoring system 1116 may search for and analyze computer data related to fraud, where the criteria determine which computer data is relevant to incidents or threats of fraudulent behavior or transactions by one or more users or computers interacting with the computer system…”, wherein fraudulent behavior or transactions by one or more users or computers interacting with the computer system is interpreted as an attack tactic in modern cybersecurity, often classified under social engineering, phishing, or impersonation attacks).
(¶0070, “…the fields are defined by extraction rules (e.g., regular expressions) that derive one or more values from the portion of raw machine data in each event that has a particular field specified by an extraction rule. The set of values so produced are semantically-related (such as IP address)…”), (¶0272, “the dashboard screen 1700 being displayed includes an actions portion 1750 for displaying actions to be performed when a rule or triggering condition is met and a threat is detected…”);
identifying a particular risk object (¶0201, “The risk monitoring system 1116 identifies computer data that represents potential risks…”) by performing a rule-based search on the plurality of notable event records (¶0202, “…the risk monitoring system 1116 may search for and analyze computer data related to fraud, where the criteria determine which computer data is relevant to incidents or threats of fraudulent behavior or transactions by one or more users or computers interacting with the computer system.”, wherein the criteria are the rules guiding the search), wherein the rule-based search defines a characteristic of the particular risk object (¶0182, “a service such as corporate e-mail may be defined in terms of the entities employed to provide the service, such as host machines and network devices. Each entity is defined to include information for identifying all of the event data that pertains to the entity, whether produced by the entity itself or by another machine, and considering the many various ways the entity may be identified in raw machine data (such as by a URL, an IP address, or machine name”);
based on the first threat object being associated with the threshold number of risk objects, (¶0295, “At optional step 2053, the risk monitoring system 1116 applies one or more count-based logical operators to operate on or combine the risk objects and/or groups of risk objects based on the how many of the risk objects meet certain specified conditions. For instance, the risk monitoring system 1116 may determine that, in order for a triggering condition to be met and thus for a “threat” to be detected, a certain number of risk objects must meet certain conditions, and/or a risk object must meet a certain number of conditions. For instance, one exemplary triggering condition could require that three out of four risk objects must be evaluated as “true,” or a risk score for three out of four risk objects must exceed a particular threshold.”)
generating a threat report that identifies the particular risk object (¶0146, “…SPLUNK® APP FOR ENTERPRISE SECURITY provides the security practitioner with visibility into security-relevant threats found in the enterprise infrastructure by capturing, monitoring, and reporting on data from enterprise security devices, systems, and applications”, wherein the security devices and applications are the risk objects (refer to ¶0195 of applicant’s specification)), (¶0231, “the risk monitoring program 1230 may cause a representation of one or more logical operators for operating on and/or combining the one or more selected risk objects and/or groups of risk objects to be displayed via the UI…”), wherein the threat report indicates an association between the particular risk object and the first threat object and a number of risk objects associated with the first threat object (FIG. 14C, ¶0245, “…Further, as shown, portion 1450 of the canvas portion 1420 displays a first risk object 1451 as represented by a title 1451A that identifies that the risk object is associated with an anomalous IP address for a user, along with a first risk score 1451B showing a risk score equal to 38. In addition, as shown, portion 1450 of the canvas portion 1420 also displays a second generated risk object 1452 as represented by a title 1452A that identifies that the risk object is associated with an anomalous browser used by a user, along with a first risk score 1452B showing a risk score equal to 35…”, see also FIGs. 15B-15E, ¶0249), (¶0259, “…the second group of selected risk objects 1581 is displayed with a title 1582. Specifically, as shown, the title 1582 describes the second group of selected risk objects 1581 as being associated with “Risky and Anomalous Session Activity.” Those skilled in the art will understand that the title 1582 is displayed as a particular title by way of example only and may include any kind of descriptions of the second group of selected risk objects 1581.”); and
outputting the threat report for display (¶0152, “…FIG. 8A illustrates an example key indicators view 800 that comprises a dashboard, which can display a value 801, for various security-related metrics, such as malware infections 802. It can also display a change in a metric value 803, which indicates that the number of malware infections increased by 63 during the preceding interval”).
However, ESMAN does not explicitly disclose the following limitations:
wherein the threat object is a delivery pathway of malicious content identified using one or more user-specified rules and persisted in metadata added to event data of the notable event record;
identifying a particular risk object by performing a rule-based search on the plurality of notable event records including the metadata, corresponding with the threat object, added to the event data of the notable event record,
determining that a first threat object is associated with the particular risk object and a number of other risk objects that collectively satisfy a threshold number of risk objects based on the plurality of notable event records;
based on the first threat object being associated with the threshold number of risk objects
Moore discloses wherein the threat object is a delivery pathway of malicious content identified using one or more user-specified rules and persisted in metadata added to event data of the notable event record (¶0041, “…TIG 220 may be an inline TCP/IP packet filter that applies packet filtering rules to packet traffic, wherein the packet filtering rules have been derived from cyber threat intelligence (CTI) and from CTI metadata. CTI may include Internet network addresses—in the form of IP addresses, IP address ranges, L3/L4 ports and protocols, domain names, URLs, and the like—of resources controlled/operated by threat actors. CTI metadata may be, for example, the threat type, the threat name, the threat risk score, the threat actor, and the like…”, wherein including IP addresses, IP address ranges, L3/L4 ports and protocols, domain names, URLs, and the like in the cyber threat intelligence (CTI) metadata is interpreted as persisting the threat object in the metadata), (¶0042-¶0043, “…When a communication matches one or more rules, the threat metadata of the matching rule may be used to signal other logical components of the NPS gateway, for example, to make decisions regarding handling, processing, and/or reporting of the (threat) communication…These cyber analysis systems may also be configured with rules, which may be supplied by rule servers 130, 132, and 134 hosted by various providers and services. The NPS gateway 200 cyber analysis systems 230-234 may access these servers, download analysis rules and metadata associated with the rules, and apply the analysis rules to network communications.”), (¶0047, “… cyber threat intelligence (CTI) providers may enrich their CTI with threat metadata, such as the type of threat, the name of the threat, the identity of the actors associated with the threat, the discovery date of the threat, a risk score for the threat, a remedial action for the threat, the CTI provider name and other provenance information, and the like. This threat metadata may be included with the CTI when it is downloaded to the TIG 220. The TIG 220 may determine and may generate packet filtering rules from the CTI. Threat metadata may be associated with the rules so that it can be included in any signal messages between NPS gateway components and in any log files that record the (threat) communication events and associated actions by the NPS gateway…”, wherein including the threat metadata associated with the rules in log files that record the (threat) communication events is interpreted as persisting the threat object in the metadata added to event data of the notable event record);
identifying a particular risk object by performing a rule-based search on the plurality of notable event records including the metadata, corresponding with the threat object, added to the event data of the notable event record (¶0061, “…Reactive protections may be, for example, identifying malware-infected hosts and reporting those malware-infected hosts to network authorities. Protection system 242 or outside network authorities may malware-sweep the hosts, and/or quarantine malware-infected hosts. The TIG 220 may be configured with rules that block any network communications with source or destination IP addresses of a host identified as a malware-infected host…”), (¶0069, “the origin host 114 IP address, target domain name, target URL—and sending the CTI and dispositions to the TIG 220, which may generate new rules and may add them to its network protection policy. In Step 7-7, protector 242 may reactively protect network 102 by reporting the origin host 114 IP address and the attack type in the threat metadata, and may then send the log to a log storage unit and a SIEM device or application (for reviewing and reporting), connected to network 102 via the management interface MGMT OF 280. Network authorities or management devices may then take protective actions…”).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant’s claimed invention to modify the method of ESMAN to include persisting the identified threat object in metadata added to the event data of the notable event record, as disclosed by Moore, and would have been motivated to do so in order to increase the speed of searching for the threat metadata in the event record.
The combination of ESMAN and Moore does not explicitly disclose the following limitations:
determining that a first threat object is associated with the particular risk object and a number of other risk objects that collectively satisfy a threshold number of risk objects based on the plurality of notable event records;
based on the first threat object being associated with the threshold number of risk objects,
Shahbaz discloses determining that a first threat object is associated with the particular risk object and a number of other risk objects that collectively satisfy a threshold number of risk objects based on the plurality of notable event records (¶0247, “…if a user desires to create a modular alert related to phishing email attacks, the user might create a query which searches for event data corresponding to received email messages, where an associated triggering condition is based on detecting that a threshold number of computing devices having received an email including an attachment matching a known signature within a specified time interval…”, wherein the email is the threat object and the threshold number of computing devices are the risk objects in accordance with ¶0195-¶0196 of applicant’s specification);
Shahbaz also teaches based on the first threat object being associated with the threshold number of risk objects (¶0246-¶0247, FIG. 18, “…, a modular alert generally represents functionality of a network security application which enables users to define a query and an associated triggering condition, and to further associate one or more actions to be performed by the network security application based on data identified by the query satisfying the triggering condition. In an embodiment, the graphical user interface may be generated by a search head 210, an indexer 206, or any other component of a data intake and query system 108…”)
generating a threat report that identifies the particular risk object (¶0177, “…SPLUNK® APP FOR ENTERPRISE SECURITY provides the security practitioner with visibility into security-relevant threats found in the enterprise infrastructure by capturing, monitoring, and reporting on data from enterprise security devices, systems, and applications…”), wherein the threat report indicates an association between the particular risk object and the first threat object and a number of risk objects associated with the first threat object (¶0264, “…in response to a triggering condition indicating an occurrence of malware potentially present on a particular endpoint device, a search action may be performed directly in response to detection of the triggering condition to identify additional information about the endpoint device (e.g., the search may locate data indicating recent emails received by the device, recent file system changes, etc.)”), (¶0247, “… if a user desires to create a modular alert related to phishing email attacks, the user might create a query which searches for event data corresponding to received email messages, where an associated triggering condition is based on detecting that a threshold number of computing devices having received an email including an attachment matching a known signature within a specified time interval…”);
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant’s claimed invention to modify the method of ESMAN and Moore to include an association between a threat object, such as a received email, and a threshold number of risk objects, such as endpoints or devices, as disclosed by Shahbaz, with the rationale of using a known technique to improve similar devices (methods, or products) in the same way, such as the identification and mitigation of threats in a network system.
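The claimed sequence (rule-tagged notable events carrying threat metadata, a rule-based search for risk objects, a per-threat-object count of risk objects against a threshold, and a report) as an added worked example; this is not code from ESMAN, Moore, Shahbaz, or the applicant, and the event records, field names and rules are constructed and hypothetical.

```python
"""Added example: a minimal correlation pipeline following the claimed steps,
run over constructed event records with hypothetical user-specified rules."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable

# Constructed event records: each is a record of an entity's activity.
EVENT_RECORDS = [
    {"entity": "host-a", "src_ip": "203.0.113.7", "url": "http://files.example/setup.exe"},
    {"entity": "host-b", "src_ip": "203.0.113.7", "url": "http://files.example/index.html"},
    {"entity": "host-c", "src_ip": "203.0.113.7"},
    {"entity": "host-b", "attachment_sha256": "deadbeef" + "00" * 28},
    {"entity": "host-d", "attachment_sha256": "deadbeef" + "00" * 28},
    {"entity": "host-e", "src_ip": "198.51.100.9", "url": "http://ok.example/page"},
]


@dataclass(frozen=True)
class PathwayRule:
    """Hypothetical user-specified rule: the matched field value is the threat
    object (a delivery pathway) and the rule names the attack tactic."""
    name: str
    field: str
    pattern: re.Pattern
    tactic: str


RULES = [
    PathwayRule("executable_url", "url", re.compile(r"\.exe$"), "drive-by download"),
    PathwayRule("known_bad_ip", "src_ip", re.compile(r"^203\.0\.113\."), "command and control"),
    PathwayRule("phishing_attachment", "attachment_sha256", re.compile(r"^deadbeef"), "phishing"),
]


@dataclass
class NotableEvent:
    risk_object: str      # the entity the potential threat is associated with
    threat_object: str    # the delivery pathway identified by a rule
    tactic: str           # the network attack tactic named by the rule
    event: dict           # event data with the threat metadata added


def generate_notable_events(events, rules):
    """Step 1: apply the rules to each event record; every match becomes a
    notable event whose event data carries the persisted threat metadata."""
    notables = []
    for ev in events:
        for rule in rules:
            value = ev.get(rule.field)
            if value is not None and rule.pattern.search(value):
                enriched = dict(ev, threat_object=value, threat_rule=rule.name,
                                attack_tactic=rule.tactic)
                notables.append(NotableEvent(ev["entity"], value, rule.tactic, enriched))
    return notables


def identify_risk_objects(notables, predicate: Callable[[dict], bool]):
    """Step 2: rule-based search over the notable events, including the added
    metadata; returns the risk objects whose event data satisfies the rule."""
    return sorted({n.risk_object for n in notables if predicate(n.event)})


def threat_report(notables, particular_risk_object, threshold):
    """Steps 3-4: for each threat object collect the distinct risk objects it is
    associated with; report it when it touches the particular risk object and
    at least `threshold` risk objects in total."""
    risk_objects_by_threat = defaultdict(set)
    tactics_by_threat = defaultdict(set)
    for n in notables:
        risk_objects_by_threat[n.threat_object].add(n.risk_object)
        tactics_by_threat[n.threat_object].add(n.tactic)
    report = []
    for threat, risk_objects in risk_objects_by_threat.items():
        if particular_risk_object in risk_objects and len(risk_objects) >= threshold:
            report.append({
                "risk_object": particular_risk_object,
                "threat_object": threat,
                "tactics": sorted(tactics_by_threat[threat]),
                "risk_object_count": len(risk_objects),
                "risk_objects": sorted(risk_objects),
            })
    return report


def render_report(report):
    """Step 5: plain-text rendering of the threat report for display."""
    lines = []
    for entry in report:
        lines.append(f"{entry['risk_object']}: threat object {entry['threat_object']} "
                     f"({', '.join(entry['tactics'])}) seen on "
                     f"{entry['risk_object_count']} risk objects: "
                     f"{', '.join(entry['risk_objects'])}")
    return "\n".join(lines)


if __name__ == "__main__":
    nb = generate_notable_events(EVENT_RECORDS, RULES)
    print(render_report(threat_report(nb, "host-b", threshold=3)))
```

With the constructed records, the shared source address reaches three hosts and clears a threshold of 3, while the phishing attachment reaches only two and is reported only at a threshold of 2.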
Regarding claim 11, ESMAN in view of Moore and further in view of Shahbaz discloses the computing device of claim 10.
ESMAN further discloses wherein the characteristic of the particular risk object (¶0182, “a service such as corporate e-mail may be defined in terms of the entities employed to provide the service, such as host machines and network devices. Each entity is defined to include information for identifying all of the event data that pertains to the entity, whether produced by the entity itself or by another machine, and considering the many various ways the entity may be identified in raw machine data (such as by a URL, an IP address, or machine name”) is a count of threat objects associated with the particular risk object (¶0152, “The SPLUNK® APP FOR ENTERPRISE SECURITY provides various visualizations to aid in discovering security threats, such as a “key indicators view” that enables a user to view security metrics, such as counts of different types of notable events. For example, FIG. 8A illustrates an example key indicators view 800 that comprises a dashboard, which can display a value 801, for various security-related metrics, such as malware infections 802...”), (¶0153, “multiple events that collectively warrant review, such as a large number of authentication failures on a host followed by a successful authentication”, wherein a large number of authentication failures on a host is interpreted as a count of threat objects associated with the risk object, the host being the risk object).
Regarding claim 14, ESMAN in view of Moore and further in view of Shahbaz discloses the computing device of claim 10.
ESMAN further discloses wherein the threat report further indicates network attack tactics associated with the threat object (¶0202, “…the risk monitoring system 1116 may search for and analyze computer data related to fraud, where the criteria determine which computer data is relevant to incidents or threats of fraudulent behavior or transactions by one or more users or computers interacting with the computer system…”, wherein fraudulent behavior is interpreted as attack tactics).
Regarding claim 15, ESMAN discloses a non-transitory computer-readable medium having stored thereon instructions that, when executed by one or more processors, cause the one or more processors to perform operations including (claim 18, “A non-transitory computer-readable storage medium including instructions that, when executed by a processor, cause the processor to perform the steps of”):
generating a plurality of notable event records (¶0191, “SPLUNK® IT SERVICE INTELLIGENCE™ provides a visualization for incident review showing detailed information for notable events. The incident review visualization may also show summary information for the notable events over a time frame, such as an indication of the number of notable events at each of a number of severity levels”) based on a plurality of event records (¶0066, “In the SPLUNK® ENTERPRISE system, machine-generated data are collected and stored as “events.” An event comprises a portion of the machine-generated data and is associated with a specific point in time”),
wherein an event record is a record of activity of an entity on a computer network (¶0199, “the risk monitoring system 1116 may receive and analyze any form of computer data, including “event data,” raw machine data, network traffic data, network traffic packet data, and any other form of computer data that reflects activity in an information technology (IT) environment…”),
wherein a notable event record is indicative of a potential security threat associated with a respective entity on the computer network (¶0151, “the SPLUNK® APP FOR ENTERPRISE SECURITY facilitates detecting “notable events” that are likely to indicate a security threat”), (¶0153, “…These notable events can include: (1) a single event of high importance, such as any activity from a known web attacker; or (2) multiple events that collectively warrant review, such as a large number of authentication failures on a host followed by a successful authentication…”, wherein the host and system component associated with the event are the entities),
wherein the notable event record contains an association of the respective entity with a risk object (¶0202, “threats of fraudulent behavior or transactions by one or more users or computers interacting with the computer system. Further, the risk monitoring system 1116 may search for and analyze computer data related to security, where the criteria determine which computer data is relevant to breaches or threats to the security associated with one or more users or computers interacting with the computer system”), and
wherein the notable event record further contains an association of the potential security threat with a threat object and an association of the potential security threat with a network attack tactic, wherein the threat object is a delivery pathway of malicious content identified using one or more rules (¶0245, “Further, as shown, portion 1450 of the canvas portion 1420 displays a first risk object 1451 as represented by a title 1451A that identifies that the risk object is associated with an anomalous IP address for a user, along with a first risk score 1451B showing a risk score equal to 38. In addition, as shown, portion 1450 of the canvas portion 1420 also displays a second generated risk object 1452 as represented by a title 1452A that identifies that the risk object is associated with an anomalous browser used by a user, along with a first risk score 1452B showing a risk score equal to 35”, wherein the IP address and browser are threat objects because both are delivery pathways for malicious content, in line with applicant’s disclosure in ¶0219 of the specification which states …), (¶0151, “During operation, the SPLUNK® APP FOR ENTERPRISE SECURITY facilitates detecting “notable events” that are likely to indicate a security threat…”), (¶0202, “…the risk monitoring system 1116 may search for and analyze computer data related to fraud, where the criteria determine which computer data is relevant to incidents or threats of fraudulent behavior or transactions by one or more users or computers interacting with the computer system…”, wherein fraudulent behavior or transactions by one or more users or computers interacting with the computer system is interpreted as an attack tactic in modern cybersecurity, often classified under social engineering, phishing, or impersonation attacks).
(¶0070, “…the fields are defined by extraction rules (e.g., regular expressions) that derive one or more values from the portion of raw machine data in each event that has a particular field specified by an extraction rule. The set of values so produced are semantically-related (such as IP address)…”), (¶0272, “the dashboard screen 1700 being displayed includes an actions portion 1750 for displaying actions to be performed when a rule or triggering condition is met and a threat is detected…”);
identifying a particular risk object (¶0201, “The risk monitoring system 1116 identifies computer data that represents potential risks…”) by performing a rule-based search on the plurality of notable event records (¶0202, “…the risk monitoring system 1116 may search for and analyze computer data related to fraud, where the criteria determine which computer data is relevant to incidents or threats of fraudulent behavior or transactions by one or more users or computers interacting with the computer system.”, wherein the criteria are the rules guiding the search), wherein the rule-based search defines a characteristic of the particular risk object (¶0182, “a service such as corporate e-mail may be defined in terms of the entities employed to provide the service, such as host machines and network devices. Each entity is defined to include information for identifying all of the event data that pertains to the entity, whether produced by the entity itself or by another machine, and considering the many various ways the entity may be identified in raw machine data (such as by a URL, an IP address, or machine name”);
based on the first threat object being associated with the threshold number of risk objects, (¶0295, “At optional step 2053, the risk monitoring system 1116 applies one or more count-based logical operators to operate on or combine the risk objects and/or groups of risk objects based on the how many of the risk objects meet certain specified conditions. For instance, the risk monitoring system 1116 may determine that, in order for a triggering condition to be met and thus for a “threat” to be detected, a certain number of risk objects must meet certain conditions, and/or a risk object must meet a certain number of conditions. For instance, one exemplary triggering condition could require that three out of four risk objects must be evaluated as “true,” or a risk score for three out of four risk objects must exceed a particular threshold.”)
generating a threat report that identifies the particular risk object (¶0146, “…SPLUNK® APP FOR ENTERPRISE SECURITY provides the security practitioner with visibility into security-relevant threats found in the enterprise infrastructure by capturing, monitoring, and reporting on data from enterprise security devices, systems, and applications”, wherein the security devices and applications are the risk objects (refer to ¶0195 of applicant’s specification)), (¶0231, “the risk monitoring program 1230 may cause a representation of one or more logical operators for operating on and/or combining the one or more selected risk objects and/or groups of risk objects to be displayed via the UI…”), wherein the threat report indicates an association between the particular risk object and the first threat object and a number of risk objects associated with the first threat object (FIG. 14C, ¶0245, “…Further, as shown, portion 1450 of the canvas portion 1420 displays a first risk object 1451 as represented by a title 1451A that identifies that the risk object is associated with an anomalous IP address for a user, along with a first risk score 1451B showing a risk score equal to 38. In addition, as shown, portion 1450 of the canvas portion 1420 also displays a second generated risk object 1452 as represented by a title 1452A that identifies that the risk object is associated with an anomalous browser used by a user, along with a first risk score 1452B showing a risk score equal to 35…”, see also FIGs. 15B-15E, ¶0249), (¶0259, “…the second group of selected risk objects 1581 is displayed with a title 1582. Specifically, as shown, the title 1582 describes the second group of selected risk objects 1581 as being associated with “Risky and Anomalous Session Activity.” Those skilled in the art will understand that the title 1582 is displayed as a particular title by way of example only and may include any kind of descriptions of the second group of selected risk objects 1581.”); and
outputting the threat report for display (¶0152, “…FIG. 8A illustrates an example key indicators view 800 that comprises a dashboard, which can display a value 801, for various security-related metrics, such as malware infections 802. It can also display a change in a metric value 803, which indicates that the number of malware infections increased by 63 during the preceding interval”).
However, ESMAN does not explicitly disclose the following limitations:
wherein the threat object is a delivery pathway of malicious content identified using one or more user-specified rules and persisted in metadata added to event data of the notable event record;
identifying a particular risk object by performing a rule-based search on the plurality of notable event records including the metadata, corresponding with the threat object, added to the event data of the notable event record,
determining that a first threat object is associated with the particular risk object and a number of other risk objects that collectively satisfy a threshold number of risk objects based on the plurality of notable event records;
based on the first threat object being associated with the threshold number of risk objects
Moore discloses wherein the threat object is a delivery pathway of malicious content identified using one or more user-specified rules and persisted in metadata added to event data of the notable event record (¶0041, “…TIG 220 may be an inline TCP/IP packet filter that applies packet filtering rules to packet traffic, wherein the packet filtering rules have been derived from cyber threat intelligence (CTI) and from CTI metadata. CTI may include Internet network addresses—in the form of IP addresses, IP address ranges, L3/L4 ports and protocols, domain names, URLs, and the like—of resources controlled/operated by threat actors. CTI metadata may be, for example, the threat type, the threat name, the threat risk score, the threat actor, and the like…”, wherein including IP addresses, IP address ranges, L3/L4 ports and protocols, domain names, URLs, and the like in the cyber threat intelligence (CTI) metadata is interpreted as persisting the threat object in the metadata), (¶0042-¶0043, “…When a communication matches one or more rules, the threat metadata of the matching rule may be used to signal other logical components of the NPS gateway, for example, to make decisions regarding handling, processing, and/or reporting of the (threat) communication…These cyber analysis systems may also be configured with rules, which may be supplied by rule servers 130, 132, and 134 hosted by various providers and services. The NPS gateway 200 cyber analysis systems 230-234 may access these servers, download analysis rules and metadata associated with the rules, and apply the analysis rules to network communications.”), (¶0047, “… cyber threat intelligence (CTI) providers may enrich their CTI with threat metadata, such as the type of threat, the name of the threat, the identity of the actors associated with the threat, the discovery date of the threat, a risk score for the threat, a remedial action for the threat, the CTI provider name and other provenance information, and the like. This threat metadata may be included with the CTI when it is downloaded to the TIG 220. The TIG 220 may determine and may generate packet filtering rules from the CTI. Threat metadata may be associated with the rules so that it can be included in any signal messages between NPS gateway components and in any log files that record the (threat) communication events and associated actions by the NPS gateway…”, wherein including the threat metadata associated with the rules in log files that record the (threat) communication events is interpreted as persisting the threat object in the metadata added to event data of the notable event record);
identifying a particular risk object by performing a rule-based search on the plurality of notable event records including the metadata, corresponding with the threat object, added to the event data of the notable event record (¶0061, “…Reactive protections may be, for example, identifying malware-infected hosts and reporting those malware-infected hosts to network authorities. Protection system 242 or outside network authorities may malware-sweep the hosts, and/or quarantine malware-infected hosts. The TIG 220 may be configured with rules that block any network communications with source or destination IP addresses of a host identified as a malware-infected host…”), (¶0069, “the origin host 114 IP address, target domain name, target URL—and sending the CTI and dispositions to the TIG 220, which may generate new rules and may add them to its network protection policy. In Step 7-7, protector 242 may reactively protect network 102 by reporting the origin host 114 IP address and the attack type in the threat metadata, and may then send the log to a log storage unit and a SIEM device or application (for reviewing and reporting), connected to network 102 via the management interface MGMT OF 280. Network authorities or management devices may then take protective actions…”).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant’s claimed invention to modify the method of ESMAN to include persisting the identified threat object in metadata added to event data of the notable event record, as disclosed by Moore, and would have been motivated to do so in order to increase the speed of search for the threat metadata in the event record.
The combination of ESMAN and Moore does not explicitly disclose the following limitations:
determining that a first threat object is associated with the particular risk object and a number of other risk objects that collectively satisfy a threshold number of risk objects based on the plurality of notable event records;
based on the first threat object being associated with the threshold number of risk objects,
Shahbaz discloses determining that a first threat object is associated with the particular risk object and a number of other risk objects that collectively satisfy a threshold number of risk objects based on the plurality of notable event records (¶0247, “…if a user desires to create a modular alert related to phishing email attacks, the user might create a query which searches for event data corresponding to received email messages, where an associated triggering condition is based on detecting that a threshold number of computing devices having received an email including an attachment matching a known signature within a specified time interval…”, wherein the email is the threat object and the threshold number of computing devices are the risk objects in accordance with ¶0195-¶0196 of applicant’s specification);
Shahbaz also teaches based on the first threat object being associated with the threshold number of risk objects (¶0246-¶0247, FIG. 18, “…, a modular alert generally represents functionality of a network security application which enables users to define a query and an associated triggering condition, and to further associate one or more actions to be performed by the network security application based on data identified by the query satisfying the triggering condition. In an embodiment, the graphical user interface may be generated by a search head 210, an indexer 206, or any other component of a data intake and query system 108…”);
generating a threat report that identifies the particular risk object (¶0177, “…SPLUNK® APP FOR ENTERPRISE SECURITY provides the security practitioner with visibility into security-relevant threats found in the enterprise infrastructure by capturing, monitoring, and reporting on data from enterprise security devices, systems, and applications…”), wherein the threat report indicates an association between the particular risk object and the first threat object and a number of risk objects associated with the first threat object (¶0264, “…in response to a triggering condition indicating an occurrence of malware potentially present on a particular endpoint device, a search action may be performed directly in response to detection of the triggering condition to identify additional information about the endpoint device (e.g., the search may locate data indicating recent emails received by the device, recent file system changes, etc.)”), (¶0247, “… if a user desires to create a modular alert related to phishing email attacks, the user might create a query which searches for event data corresponding to received email messages, where an associated triggering condition is based on detecting that a threshold number of computing devices having received an email including an attachment matching a known signature within a specified time interval…”);
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant’s claimed invention to modify the method of ESMAN and Moore to include an association between a threat object, such as a received email, and a threshold number of risk objects, such as endpoints or devices, as disclosed by Shahbaz, with the rationale of use of a known technique to improve similar devices (methods, or products) in the same way, such as identification and mitigation of threats in a network system.
Regarding claim 16, ESMAN in view of Moore and further in view of Shahbaz discloses the computer-readable medium of claim 15.
ESMAN further discloses wherein the characteristic of the particular risk object (¶0278, “the risk object may be represented by a UI element that includes any type of risk score or other characteristics associated with the risk object,”) is a number of threat objects associated with the particular risk object (¶0153, “multiple events that collectively warrant review, such as a large number of authentication failures on a host followed by a successful authentication”, wherein a large number of authentication failures on a host is interpreted as a number of threat objects associated with the risk object, the host being the risk object).
Regarding claim 19, ESMAN in view of Moore and further in view of Shahbaz discloses the computer-readable medium of claim 15.
ESMAN further discloses wherein the threat report groups the plurality of notable event records pertaining to the particular risk object together (¶0146, “…SPLUNK® APP FOR ENTERPRISE SECURITY provides the security practitioner with visibility into security-relevant threats found in the enterprise infrastructure by capturing, monitoring, and reporting on data from enterprise security devices, systems, and applications…”), (¶0151, “These notable events can be detected in a number of ways: (1) a user can notice a correlation in the data and can manually identify a corresponding group of one or more events as “notable;” or (2) a user can define a “correlation search” specifying criteria for a notable event, and every time one or more events satisfy the criteria, the application can indicate that the one or more events are notable…”), (¶0153, “…These notable events can include: (1) a single event of high importance, such as any activity from a known web attacker; or (2) multiple events that collectively warrant review, such as a large number of authentication failures on a host followed by a successful authentication…”, wherein the host or the system component associated with the event represents the risk object), and (¶0096, “…Data store 208 may contain events derived from machine data from a variety of sources all pertaining to the same component in an IT environment”, wherein the events derived from machine data from a variety of sources include a plurality of notable events and pertain to the particular risk object (the same component in an IT environment)).
Regarding claim 20, ESMAN in view of Moore and further in view of Shahbaz discloses the computer-readable medium of claim 15.
ESMAN further discloses wherein the threat report further indicates network attack tactics associated with the first threat object (¶0202, “…the risk monitoring system 1116 may search for and analyze computer data related to fraud, where the criteria determine which computer data is relevant to incidents or threats of fraudulent behavior or transactions by one or more users or computers interacting with the computer system…”, wherein fraudulent behavior is interpreted as attack tactics).
Claims 4, 13, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over US PGPub. No. 20180316695 to ESMAN; Gleb (hereinafter ESMAN) in view of US PGPub. No. 20200106742 to Moore et al. (hereinafter Moore) and further in view of US PGPub. No. 20180091528 to Shahbaz et al. (hereinafter Shahbaz) and further in view of US PGPub. No. 20210352099 to Rogers; Kenneth Allen (hereinafter Rogers).
Regarding claim 4, ESMAN in view of Moore and further in view of Shahbaz discloses the method of claim 1.
However, although ESMAN discloses representing the risk object graphically to be displayed to a user via a user interface (¶0276, ¶0299 for examples), ESMAN in view of Moore and Shahbaz does not explicitly disclose:
further comprising: generating for display a node graph wherein the particular risk object is represented by a first node and the first threat object is linked to the particular risk object represented by a corresponding node connected by a corresponding edge to the first node.
Rogers discloses this limitation (¶0029, “The user device executing a graph query and display app, which renders a graphical user interface on a display of the user device and generates risk information based on input from a user via an input mechanism of the user device…”) and (¶0027-¶0028, “…each of the resulting scores for each calculation is stored for each risk object as a node in the risk hierarchy with an edge connecting the risk score node to the risk object node…”), (¶0268, “This query searches the graph 162 for any nodes of type EC2 Instance with the attribute component Grp as ‘null’ and having a relationship with a Network Interface node that, in turn, has a relationship with an IP Addr node that, in turn, has a relationship with a Subnet node”, wherein an IP address (the first threat object) has a relationship with a network interface node).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant’s claimed invention to modify the method of ESMAN, Moore, and Shahbaz to include representing the risk object in a node graph as disclosed by Rogers, and would have been motivated to do so in order to make the analysis of interactions of risk objects and the corresponding risks associated with them easier, which will help in forecasting future risk associated with a particular risk object.
Regarding claim 13, ESMAN in view of Moore and further in view of Shahbaz discloses the computing device of claim 10.
However, although ESMAN discloses representing the risk object graphically to be displayed to a user via a user interface (¶0276, ¶0299 for examples), ESMAN in view of Moore and Shahbaz does not explicitly disclose:
wherein the performed operations further include: generating for display a node graph wherein the particular risk object is represented by a first node and the first threat object is linked to the particular risk object represented by a corresponding node connected by a corresponding edge to the first node.
Rogers discloses this limitation (¶0029, “The user device executing a graph query and display app, which renders a graphical user interface on a display of the user device and generates risk information based on input from a user via an input mechanism of the user device…”) and (¶0027-¶0028, “…each of the resulting scores for each calculation is stored for each risk object as a node in the risk hierarchy with an edge connecting the risk score node to the risk object node…”), (¶0268, “This query searches the graph 162 for any nodes of type EC2 Instance with the attribute component Grp as ‘null’ and having a relationship with a Network Interface node that, in turn, has a relationship with an IP Addr node that, in turn, has a relationship with a Subnet node”, wherein an IP address (the first threat object) has a relationship with a network interface node).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant’s claimed invention to modify the computing device of ESMAN, Moore, and Shahbaz to include representing the risk object in a node graph as disclosed by Rogers, and would have been motivated to do so in order to make the analysis of interactions of risk objects and the corresponding risks associated with them easier, which will help in forecasting future risk associated with a particular risk object.
Regarding claim 18, ESMAN in view of Moore and further in view of Shahbaz discloses the computer-readable medium of claim 15.
However, although ESMAN discloses representing the risk object graphically to be displayed to a user via a user interface (¶0276, ¶0299 for examples), ESMAN in view of Moore and Shahbaz does not explicitly disclose:
wherein the performed operations further include: generating for display a node graph wherein the particular risk object is represented by a first node and the first threat object is linked to the particular risk object represented by a corresponding node connected by a corresponding edge to the first node.
Rogers discloses this limitation (¶0029, “The user device executing a graph query and display app, which renders a graphical user interface on a display of the user device and generates risk information based on input from a user via an input mechanism of the user device…”) and (¶0027-¶0028, “…each of the resulting scores for each calculation is stored for each risk object as a node in the risk hierarchy with an edge connecting the risk score node to the risk object node…”), (¶0268, “This query searches the graph 162 for any nodes of type EC2 Instance with the attribute component Grp as ‘null’ and having a relationship with a Network Interface node that, in turn, has a relationship with an IP Addr node that, in turn, has a relationship with a Subnet node”, wherein an IP address (the first threat object) has a relationship with a network interface node).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant’s claimed invention to modify the computer-readable medium of ESMAN, Moore, and Shahbaz to include representing the risk object in a node graph as disclosed by Rogers, and would have been motivated to do so in order to make the analysis of interactions of risk objects and the corresponding risks associated with them easier, which will help in forecasting future risk associated with a particular risk object.
Conclusion
THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MUDASIRU K OLAEGBE whose telephone number is (571) 272-2082. The examiner can normally be reached MON-FRI, 7:30 AM-5:30 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr, can be reached at (571) 272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/MUDASIRU K OLAEGBE/Examiner, Art Unit 2495
/MAUNG T LWIN/Primary Examiner, Art Unit 2495