DETAILED ACTION
Remarks
Claims 1-25 have been examined and rejected. This Office action is responsive to the amendment filed on 11/11/2025, which has been entered in the above identified application.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.
Claims 1-25 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Regarding claim 1, claim 1 recites “wherein the at least one parameter or restriction comprises a limit of a quantity of intermediate nodes between the source or destination controls determined by the mapping manager based on a predetermined range being outside the limit”. The relationship between these elements is unclear. It is unclear whether “determined by the mapping manager” is intended to modify only the destination controls, or whether it is intended to modify the parameter, the restriction, the limit, or the quantity. For the purposes of examination, this limitation is interpreted as: wherein the at least one parameter or restriction comprises a limit of a quantity of intermediate nodes between the source or destination controls, wherein a determination by the mapping manager is based on a predetermined range being outside the limit.
Regarding claims 8, 15, 22 and 24, claims 8, 15, 22 and 24 contain substantially similar limitations to those found in claim 1. Consequently, claims 8, 15, 22 and 24 are rejected for the same reasons.
Regarding claims 2-7, 9-14, 16-21, 23, and 25, claims 2-7, 9-14, 16-21, 23, and 25 are also rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for depending on an indefinite parent claim.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 8-14 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.
Regarding claim 8, claim 8 recites a computer readable storage device with program code. However, the specification does not define what type of medium is included in the computer readable storage device. According to MPEP 2111, the examiner is obliged to give the terms or phrases their broadest reasonable interpretation as understood by one of ordinary skill in the art unless applicant has provided some indication of the definition of the claimed terms or phrases. Therefore, the examiner interprets the computer readable storage device as including any type of medium, which includes carrier media such as signals. Signals are directed to non-statutory subject matter. Thus, claim 8 is rejected under 35 U.S.C. 101 as directed to non-statutory subject matter. Applicant is advised to amend to “non-transitory computer readable storage device” to overcome this rejection.
Regarding claims 9-14, claims 9-14 merely recite additional functionality that can be performed by the instructions on the medium. Thus, claims 9-14 fail to recite statutory subject matter under 35 U.S.C. 101.
Claims 1-25 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.
Claims 1, 8, 15, 22, and 24
Step 1: Claims 1, 8, 15, 22, and 24 recite methods, systems, and a computer program product; therefore, they are directed to the statutory categories of methods, machines, and a manufacture.
Step 2A Prong 1: The claims recite, inter alia:
identify at least one candidate control associated with a corresponding standard. Under its broadest reasonable interpretation in light of the specification, this limitation encompasses the mental process of identifying a control, which is an evaluation or observation that is practically capable of being performed in the human mind with the assistance of pen and paper, or is a mathematical concept that is achievable through mathematical computation.
traversing a map comprising source and destination controls, including: identifying the at least one candidate control in the map; traversing the source and destination controls of the map to identify at least one mapped control associated with the target standard; traverse the map based on at least one parameter or restriction and re-traverse source and destination controls based on a change to the at least one parameter or restriction; identifying a quantity of identified mapped controls; re-traversing the source and destination controls of the map using the changed parameter; wherein the at least one parameter or restriction comprises a limit of a quantity of intermediate nodes between the source or destination controls determined by the mapping manager based on a predetermined range being outside the limit. Under its broadest reasonable interpretation in light of the specification, this limitation encompasses the mental process of evaluating a map based on parameters determined by a range being outside a limit, which is an evaluation or observation that is practically capable of being performed in the human mind with the assistance of pen and paper, or is a mathematical concept that is achievable through mathematical computation.
when a verification reveals the mapped control is an acceptable match for the target specification. Under its broadest reasonable interpretation in light of the specification, this limitation encompasses the mental process of verifying an acceptable match, which is an evaluation or observation that is practically capable of being performed in the human mind with the assistance of pen and paper.
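The traversal recited in the limitations above, shown as an added Python example that is not part of the application, of this Office action, or of the Bhatia reference: a control map is a directed graph of source and destination controls whose edges carry a relationship confidence rating; the candidate control is located in the map; the map is traversed toward the target standard subject to a limit on the quantity of intermediate nodes and a minimum confidence; the quantity of identified mapped controls is counted; the limit is changed and the map re-traversed when that quantity falls outside a predetermined range; and a verification step keeps only acceptable matches. The sample map, the standard names, the product-of-ratings path confidence, and the quantity-driven adjustment of the limit are assumptions made for this example, not content of the claims or of the cited art.

```python
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Control:
    standard: str  # which standard the control belongs to
    ident: str     # control identifier within that standard


# Map edge: (destination control, relationship confidence rating in [0, 1]).
ControlMap = Dict[Control, List[Tuple[Control, float]]]

# Constructed sample map (hypothetical data, not the application's).
# "A" is the standard of the candidate control, "T" is the target standard,
# "B", "C" and "D" are standards that only supply intermediate nodes.
SAMPLE_MAP: ControlMap = {
    Control("A", "1"): [(Control("B", "1"), 0.90), (Control("C", "1"), 0.60)],
    Control("B", "1"): [(Control("T", "1"), 0.80)],
    Control("C", "1"): [(Control("D", "1"), 0.95)],
    Control("D", "1"): [(Control("T", "2"), 0.90)],
    Control("T", "1"): [],
    Control("T", "2"): [],
}


def traverse(control_map: ControlMap, candidate: Control, target_standard: str,
             max_intermediate: int, min_confidence: float) -> Dict[Control, Tuple[int, float]]:
    """Breadth-first traversal of the map from `candidate`.

    Returns {mapped_control: (intermediate_nodes, path_confidence)} for each
    control of `target_standard` reachable through at most `max_intermediate`
    intermediate nodes, using only edges rated at least `min_confidence`.
    Path confidence is the product of the edge ratings (an assumption of this
    example).  Target controls are never expanded as intermediate nodes.
    """
    found: Dict[Control, Tuple[int, float]] = {}
    # queue entries: (control, intermediate nodes on the path to it, confidence so far)
    queue = deque([(candidate, 0, 1.0)])
    seen = {candidate}  # BFS: the first visit of a node uses the fewest intermediates
    while queue:
        node, inter, conf = queue.popleft()
        for dest, rating in control_map.get(node, []):
            if rating < min_confidence:
                continue  # relationship confidence parameter not satisfied
            path_conf = conf * rating
            if dest.standard == target_standard:
                prev = found.get(dest)
                # keep the path with fewer intermediates, then the higher confidence
                if prev is None or (inter, -path_conf) < (prev[0], -prev[1]):
                    found[dest] = (inter, path_conf)
                continue
            if inter + 1 > max_intermediate or dest in seen:
                continue  # would exceed the intermediate-node limit, or already expanded
            seen.add(dest)
            queue.append((dest, inter + 1, path_conf))
    return found


def acceptable_matches(found: Dict[Control, Tuple[int, float]],
                       min_path_confidence: float) -> List[Control]:
    """Verification step: keep mapped controls whose path confidence is acceptable."""
    return sorted((c for c, (_, conf) in found.items() if conf >= min_path_confidence),
                  key=lambda c: (c.standard, c.ident))


def traverse_with_adjustment(control_map: ControlMap, candidate: Control,
                             target_standard: str, limit: int, min_confidence: float,
                             acceptable_range: Tuple[int, int], hard_cap: int):
    """Traverse, then re-traverse with a changed intermediate-node limit while the
    quantity of identified mapped controls lies outside `acceptable_range`
    (inclusive).  Too few results widen the limit up to `hard_cap`; too many
    narrow it.  A limit is never revisited, so the loop always terminates.
    This is one reading of the claimed re-traversal (an assumption of this
    example).  Returns (final_limit, found, [(limit, quantity), ...]).
    """
    low, high = acceptable_range
    history: List[Tuple[int, int]] = []
    tried = set()
    while True:
        found = traverse(control_map, candidate, target_standard, limit, min_confidence)
        quantity = len(found)
        history.append((limit, quantity))
        tried.add(limit)
        if quantity < low and limit < hard_cap:
            new_limit = limit + 1
        elif quantity > high and limit > 0:
            new_limit = limit - 1
        else:
            break
        if new_limit in tried:
            break  # would oscillate between two limits; keep the current result
        limit = new_limit
    return limit, found, history


if __name__ == "__main__":
    candidate = Control("A", "1")
    for hop_limit in (1, 2):
        print(f"limit={hop_limit}:", traverse(SAMPLE_MAP, candidate, "T", hop_limit, 0.5))
    final_limit, found, history = traverse_with_adjustment(
        SAMPLE_MAP, candidate, "T", limit=0, min_confidence=0.5,
        acceptable_range=(2, 5), hard_cap=4)
    print("adjusted limit:", final_limit, "history:", history)
    print("acceptable (path confidence >= 0.6):", acceptable_matches(found, 0.6))
```

With the sample map, a limit of one intermediate node reaches only T:1 (via B:1); raising the limit to two also reaches T:2 (via C:1 and D:1), and raising the minimum edge confidence to 0.7 prunes the C branch again. The adjustment loop starts at a limit of zero, finds nothing, widens the limit twice, and stops once the quantity of mapped controls falls inside the predetermined range.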
Step 2A Prong 2: This judicial exception is not integrated into a practical application. The additional elements of “A computer system comprising: a processor operatively coupled to memory; and a platform in communication with the processor and the memory”, “A computer program product comprising a computer readable storage device”, “A method”, “leveraging an artificial intelligence (AI) manager”, “a mapping manager”, and “a training manager” amount to no more than generally linking the use of a judicial exception to a particular technological environment or field of use (see MPEP § 2106.05(h)). The claimed computer components are recited at a high level of generality and are merely invoked as a tool to perform the abstract idea. The additional elements of “satisfying a first parameter”, “wherein the at least one parameter or restriction comprises a limit of a quantity of intermediate nodes between the source or destination controls”, and “selectively changing a parameter of the traversal” amount to insignificant extra-solution activity in the form of mere data gathering and output (see MPEP § 2106.05(g)). The additional elements of specifications, standards, controls, “the AI model configured to” and “selectively training the AI model” are well known in the art (see background and [0030-0031] of the instant specification) and amount to no more than adding insignificant extra-solution activity to the judicial exception (see MPEP § 2106.05(g)). Even when viewed in combination, these additional elements do not integrate the abstract idea into a practical application, and the claims are thus directed to the abstract idea.
Step 2B: The claims do not contain significantly more than the judicial exception. “A computer system comprising: a processor operatively coupled to memory; and a platform in communication with the processor and the memory”, “A computer program product comprising a computer readable storage device”, “A method”, “leveraging an artificial intelligence (AI) manager”, “a mapping manager”, and “a training manager” amount to no more than generally linking the use of a judicial exception to a particular technological environment or field of use (see MPEP § 2106.05(h)). Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept. The additional elements of “satisfying a first parameter”, “wherein the at least one parameter or restriction comprises a limit of a quantity of intermediate nodes between the source or destination controls”, and “selectively changing a parameter of the traversal” amount to insignificant extra-solution activity in the form of mere data gathering and output (see MPEP § 2106.05(g)), and are well-understood, routine, conventional activity (see MPEP § 2106.05(d); “Receiving or transmitting data over a network”). The additional elements of specifications, standards, controls, “the AI model configured to” and “selectively training the AI model” are well-understood, routine, conventional activity (see MPEP § 2106.05(d); see background of instant specification and [0030-0031]). Nothing in the claims provides significantly more than the abstract idea. As such, the claims are ineligible.
Claims 2-7, 9-14, 16-21, 23, and 25
Step 1: Claims 2-7, 9-14, 16-21, 23, and 25 recite methods, systems, and computer program products; therefore, they are directed to the statutory categories of methods, machines, and manufactures.
Step 2A Prong 1: Claims 2-7, 9-14, 16-21, 23, and 25 merely narrow the previously recited abstract idea limitations. For the reasons described above with respect to claims 1, 8, 15, 22, and 24, this judicial exception is not meaningfully integrated into a practical application, nor does it amount to significantly more than the abstract idea. The claims recite limitations similar to those described for the independent claims above and do not provide anything more than mental processes that are practically capable of being performed in the human mind with the assistance of pen and paper and mathematical concepts that are achievable through mathematical computation.
Step 2A Prong 2: This judicial exception is not integrated into a practical application.
Claims 2-7, 9-14, 16-21, 23, and 25 recite the additional elements of specifications, standards, and controls. These elements are well-understood, routine, conventional activity (see MPEP § 2106.05(d); see background of instant specification).
Claims 2, 9, 16, 23 and 25 recite the additional element of “the AI model”. These elements are well-understood, routine, conventional activity (see MPEP § 2106.05(d); see background and [0030-0031] of instant specification).
Claims 2, 3, 5, and 23 recite the additional elements of “the mapping manager”. These elements amount to no more than generally linking the use of a judicial exception to a particular technological environment or field of use (see MPEP § 2106.05(h)). The claimed computer components are recited at a high level of generality and are merely invoked as a tool to perform the abstract idea.
Claims 3, 10, and 17 recite the additional elements of “at least one parameter”. These elements amount to insignificant extra-solution activity in the form of mere data gathering and output (see MPEP § 2106.05(g)), and are well-understood, routine, conventional activity (see MPEP § 2106.05(d); “Receiving or transmitting data over a network”).
Claims 4, 11, and 18 recite the additional elements of “the at least one parameter comprises a relationship confidence rating, the limit of a quantity of intermediate nodes between the source or destination controls, or a combination thereof”. These elements amount to insignificant extra-solution activity in the form of mere data gathering and output (see MPEP § 2106.05(g)), and are well-understood, routine, conventional activity (see MPEP § 2106.05(d); “Receiving or transmitting data over a network”).
Claims 5, 12, and 19 recite the additional elements of “change the at least one parameter”. These elements amount to insignificant extra-solution activity in the form of mere data gathering and output (see MPEP § 2106.05(g)), and are well-understood, routine, conventional activity (see MPEP § 2106.05(d); “Receiving or transmitting data over a network”).
Claims 6 and 7 recite the additional elements of “a scoring manager”. These elements amount to no more than generally linking the use of a judicial exception to a particular technological environment or field of use (see MPEP § 2106.05(h)). The claimed computer components are recited at a high level of generality and are merely invoked as a tool to perform the abstract idea.
Step 2B: The claims do not contain significantly more than the judicial exception.
Claims 2-7, 9-14, 16-21, 23, and 25 recite the additional elements of specifications, standards, and controls. These elements are well-understood, routine, conventional activity (see MPEP § 2106.05(d); see background of instant specification).
Claims 2, 9, 16, 23 and 25 recite the additional element of “the AI model”. These elements are well-understood, routine, conventional activity (see MPEP § 2106.05(d); see background and [0030-0031] of instant specification).
Claims 2, 3, 5, and 23 recite the additional elements of “the mapping manager”. These elements amount to no more than generally linking the use of a judicial exception to a particular technological environment or field of use (see MPEP § 2106.05(h)). Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept.
Claims 3, 10, and 17 recite the additional elements of “at least one parameter”. These elements amount to insignificant extra-solution activity in the form of mere data gathering and output (see MPEP § 2106.05(g)), and are well-understood, routine, conventional activity (see MPEP § 2106.05(d); “Receiving or transmitting data over a network”).
Claims 4, 11, and 18 recite the additional elements of “the at least one parameter comprises a relationship confidence rating, a limit of a quantity of intermediate nodes between the source or destination controls, or a combination thereof”. These elements amount to insignificant extra-solution activity in the form of mere data gathering and output (see MPEP § 2106.05(g)), and are well-understood, routine, conventional activity (see MPEP § 2106.05(d); “Receiving or transmitting data over a network”).
Claims 5, 12, and 19 recite the additional elements of “change the at least one parameter”. These elements amount to insignificant extra-solution activity in the form of mere data gathering and output (see MPEP § 2106.05(g)), and are well-understood, routine, conventional activity (see MPEP § 2106.05(d); “Receiving or transmitting data over a network”).
Claims 6 and 7 recite the additional elements of “a scoring manager”. These elements amount to no more than generally linking the use of a judicial exception to a particular technological environment or field of use (see MPEP § 2106.05(h)). Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-25 are rejected under 35 U.S.C. 103 as being unpatentable over Bhatia et al. (US 20200272741 A1, published 08/27/2020), hereinafter Bhatia, in view of Zeng et al. (US 20210191930 A1, published 06/24/2021), hereinafter Zeng, in further view of Brdiczka (US 20120136812 A1, published 05/31/2012).
Regarding claim 24, Bhatia teaches the claim comprising:
A method comprising (Bhatia Figs. 1-16; [0008], a method is provided, in a data processing system comprising at least one processor and at least one memory, wherein the at least one memory comprises instructions which are executed by the at least one processor and specifically configure the at least one processor to implement an advanced rule analyzer; [0035], The illustrative embodiments provide an Advanced Rule Analyzer (ARA) that provides a machine learning solution to the SIEM rule management issues of known SIEM tools in computing systems):
leveraging an artificial intelligence (AI) manager with respect to a target specification for a target standard, the AI model configured to identify at least one candidate control associated with a corresponding standard (Bhatia Figs. 1-16; [0034], there is no current mechanism that aligns an enterprise's SIEM rule set with the rules in these standard repositories to provide guidance to human analysts as to potential rules in the standard repositories that may be added to the enterprise's SIEM rule set, i.e. those rules in the standard repositories that do not align well with SIEM rules in the enterprise's SIEM rule set may be candidates for addition to the enterprise's SIEM rule set, to improve the enterprise's SIEM rule set; [0035], The illustrative embodiments provide an Advanced Rule Analyzer (ARA) that provides a machine learning solution to the SIEM rule management issues of known SIEM tools in computing systems; a machine learning or cognitive computing model that operates to analyze rules used by a SOC in an enterprise environment, e.g., a client or customer environment, to determine if the rule set being used includes any duplicate or substantially similar rules that may be eliminated or merged together to reduce the rule set being utilized; [0039], the ARA provides mechanisms for aligning rules with frameworks, such as those specified by standards organizations, e.g., National Institute of Standards and Technology (NIST) and International Organization for Standardization (ISO); [0043], the ARA is trained using known threat characteristics and known rules with their corresponding conditions, to learn how human analysts compose rules to address threats, e.g., when these threat characteristics are present, human analysts use these rule conditions to address those threat characteristics. Based on this learning, through a supervised machine learning process, the RNN is trained such that when given input threat characteristics and/or rule conditions that are satisfied by a threat, the RNN generates a new SIEM rule based on its machine learning; [0059], as shown in FIG. 1, the ARA receives inputs from a variety of different sources of SIEM rule information including, but not limited to: a) multiple SIEM tools (such as QRadar, ArcSight, Splunk, or the like) 190; b) log sources 180; c) an enterprise (client) computing environment 130 comprising a security operations center (SOC) or other SIEM rules execution and management computing device 132; d) security control frameworks or standards (such as those available from NIST, ISO, or the like) source computing systems 140; e) standard rules repositories 150, such as the IBM Use Case Library or the like which provides rule definitions, thresholds and the like; f) threat intelligence feeds (such as X-Force, Xchange, or the like) source computing devices 160; and g) other external source computing devices 170 providing sources of attack or threat information (such as Mitre ATT&CK models, NVC CVE database, and the like); [0063], FIG. 3 is an example diagram illustrating a parsed and reformatted version of the SIEM rule set data structure shown in FIG. 2. As shown in FIG. 3, the SIEM rules are reformatted into various characteristics of the corresponding SIEM rules, including a rule name, tests performed by the rule, and other features identified in the content of the rule definition in the SIEM rule data structure 134 identified via the parsing; [0072], the SIEM rule comparison and similarity analysis may be performed across multiple SIEM rule sets from the same or different enterprises; [0076], FIG. 7 is an example diagram illustrating a portion of a graphical user interface through which a user may specify criteria for identifying substantially similar SIEM rules and obtain a visualization of the substantially similar SIEM rules according to the user specified criteria. As shown in FIG. 7, a first portion 710 of the graphical user interface provides fields for entering a SIEM rule identifier, which in this case is a numerical value, and a threshold level of similarity, which in this case is specified as a percentage value. In this depicted example, the SIEM rule set comprises 419 rules numbered 0 to 418 and thus, a user may specify a numerical value between 0 and 418 to specify a SIEM rule of interest to the user; the user also specifies a threshold level of similarity score needed for a pairing to be included in the results, e.g., 70% in this depicted example; [0089], an alignment of rules to framework categories and topics is generated that can be used to identify which framework categories and topics are addressed by the rules in the SIEM rule set data structure 134 used by the enterprise computing environment 130, as well as, for each rule, which of the categories and topics that rule addresses. It should be appreciated that this process may be performed with regard to multiple different frameworks or with specific frameworks of interest selected by a user via a user interface, for example);
traversing a map comprising source and destination controls, including: identifying the at least one candidate control in the map; traversing the source and destination controls of the map to identify at least one mapped control associated with the target standard, the at least one mapped control satisfying a first parameter; traverse the map based on at least one parameter or restriction; wherein the at least one parameter or restriction comprises a limit between the source or destination controls; identifying a quantity of identified mapped controls (Bhatia Figs. 1-16; [0034], there is no current mechanism that aligns an enterprise's SIEM rule set with the rules in these standard repositories to provide guidance to human analysts as to potential rules in the standard repositories that may be added to the enterprise's SIEM rule set, i.e. those rules in the standard repositories that do not align well with SIEM rules in the enterprise's SIEM rule set may be candidates for addition to the enterprise's SIEM rule set, to improve the enterprise's SIEM rule set; [0036], The illustrative embodiments further provide a mechanism for visualization of the similarity between rules in the rule set(s) in order to present a visual representation easily understandable by human analysts for decision making purposes; [0067], Having identified the statistically significant portions of text in the SIEM rule set data structure 134 and generated the vector representations, each of the SIEM rules in the SIEM rule set data structure 134 is paired with another SIEM rule in the SIEM rule set data structure 134 and a similarity analysis is performed on the pairing based on the statistically significant portions of text, e.g., a cosine similarity on the vector representations of the paired rules with regard to the statistically significant portions of text. The similarity engine 104 generates, for each pairing of SIEM rules, a corresponding similarity score value indicating how similar the paired SIEM rules are to one another based on the particular conditions specified in the test portion of the SIEM rule definitions, such as by using the cosine similarity evaluation of the corresponding vector representations; [0070], FIG. 5 is an example diagram of a portion of a graphical user interface in which similarity scores are represented with regard to pairings of rules in a SIEM rule set data structure; [0075], the similarity visualization engine 106 may present a user interface through which the human analyst can specify a SIEM rule of interest and a threshold level of similarity that the human analyst is interested in. That is, the human analyst, via the user interface, may specify that they wish to be informed of what other rules Y in the SIEM rule set are similar to a specified rule X at a minimum level of similarity Z. The similarity visualization engine 106 may then search the pairings of SIEM rules; [0076-0077], In a second portion 720 of the graphical user interface, a listing of the rules that are paired with the specified rule (e.g., rule 38 in the depicted example), and which have a similarity score equal to or above the threshold level of similarity score are represented; see also [0059])
and selectively changing a parameter of the traversal and traversing the source and destination controls of the map using the changed parameter (Bhatia Figs. 1-16; [0037], in some illustrative embodiments, user interfaces are provided for permitting a user to specify criteria for controlling the operations of the ARA with regard to required levels of similarity, actions to be performed, and the like. For example, a user may specify a rule of interest, against which the user wishes to find other duplicate or similar rules. The user may also specify a threshold similarity score required by the user for identification of similar rules, e.g., 70% meaning that the user wants to be informed of other rules in the SIEM rule set that have a similarity of 70% or more to the rule of interest; [0075], the similarity visualization engine 106 may present a user interface through which the human analyst can specify a SIEM rule of interest and a threshold level of similarity that the human analyst is interested in; [0076-0077], a first portion 710 of the graphical user interface provides fields for entering a SIEM rule identifier, which in this case is a numerical value, and a threshold level of similarity, which in this case is specified as a percentage value. In this depicted example, the SIEM rule set comprises 419 rules numbered 0 to 418 and thus, a user may specify a numerical value between 0 and 418 to specify a SIEM rule of interest to the user. In this example, the user also specifies a threshold level of similarity score needed for a pairing to be included in the results, e.g., 70% in this depicted example);
when a verification reveals the mapped control is an acceptable match for the target specification (Bhatia Figs. 1-16; [0034], there is no current mechanism that aligns an enterprise's SIEM rule set with the rules in these standard repositories to provide guidance to human analysts as to potential rules in the standard repositories that may be added to the enterprise's SIEM rule set, i.e. those rules in the standard repositories that do not align well with SIEM rules in the enterprise's SIEM rule set may be candidates for addition to the enterprise's SIEM rule set, to improve the enterprise's SIEM rule set; [0036], The illustrative embodiments further provide a mechanism for visualization of the similarity between rules in the rule set(s) in order to present a visual representation easily understandable by human analysts for decision making purposes; [0067], Having identified the statistically significant portions of text in the SIEM rule set data structure 134 and generated the vector representations, each of the SIEM rules in the SIEM rule set data structure 134 is paired with another SIEM rule in the SIEM rule set data structure 134 and a similarity analysis is performed on the pairing based on the statistically significant portions of text, e.g., a cosine similarity on the vector representations of the paired rules with regard to the statistically significant portions of text; [0070], FIG. 5 is an example diagram of a portion of a graphical user interface in which similarity scores are represented with regard to pairings of rules in a SIEM rule set data structure; [0075], the similarity visualization engine 106 may present a user interface through which the human analyst can specify a SIEM rule of interest and a threshold level of similarity that the human analyst is interested in; [0076-0077], In a second portion 720 of the graphical user interface, a listing of the rules that are paired with the specified rule (e.g., rule 38 in the depicted example), and which have a similarity score equal to or above the threshold level of similarity score are represented; [0107], The visualization output may be provided to an authorized user, such as a system administrator or the like associated with the computing environment, so that decisions regarding SIEM rule deduplication and/or merging may be performed by the authorized user (step 1250); [0108], the visualization output may provide graphical user interface elements through which the authorized user may specify which SIEM rules to deduplicate and/or merge, and thereby initiate such deduplication and merging of SIEM rules; [0112], The visualization output may be provided to an authorized user, such as a system administrator or the like associated with the computing environment, so that decisions regarding integration of standard SIEM rules from the standard SIEM rules repository into the SIEM rule set data structure may be performed by the authorized user; [0113], the visualization output may provide graphical user interface elements through which the authorized user may specify which standard SIEM rules to integrate into the SIEM rule set data structure from the standard SIEM rules repository, and thereby initiate a modification of the SIEM rule set data structure; see also [0059])
Bhatia does not expressly disclose re-traverse source and destination controls based on a change to the at least one parameter or restriction and selectively changing a parameter of the traversal and re-traversing the source and destination controls of the map using the changed parameter. However, Bhatia does disclose that a user interfaces are provided for permitting a user to specify criteria for controlling the operations of the ARA with regard to required levels of similarity ([0037]). Bhatia discloses a user may specify a rule of interest, against which the user wishes to find other duplicate or similar rules. Bhatia also discloses the user may also specify a threshold similarity score required by the user for identification of similar rules, e.g., 70% meaning that the user wants to be informed of other rules in the STEM rule set that have a similarity of 70% or more to the rule of interest ([0037]). Bhatia discloses user interfaces (Figs. 4-7) where a user may selectively enter rules and thresholds to cause the system to traverse the mappings. Responsive to the user selections, the similarity visualization engine 106 may then search the pairings of STEM rules ([0075]). Bhatia disclose a plurality of different selectable thresholds, such as 60% (Fig. 7) and 70% ([0037]). Bhatia further discloses there are a plurality of searchable rules ([0076-0077]). Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to have incorporated re-traverse source and destination controls based on a change to the at least one parameter or restriction; selectively changing a parameter of the traversal and re-traversing the source and destination controls of the map using the changed parameter as suggested in Bhatia ([0034-0037], [0067], [0070], [0075-0077]). 
Doing so would be desirable because SIEM rules require constant tuning and upkeep as new systems come online, new software releases are deployed, and new vulnerabilities are discovered ([0006]). A SIEM environment amasses several hundred rules, many of which may be duplicates or near duplicates, since different SIEM specialists may be involved in creating rules and/or the rule set may be so large that it is difficult for a human being to identify similar rules already existing in the rule set ([0031]). It can be appreciated that the listing of pairings of SIEM rules may be quite extensive as the size of the SIEM rule set increases, and it may be quite unwieldy to identify duplicate and/or substantially similar SIEM rules ([0071]). By providing the user data entry fields to flexibly select and update multiple search parameters, the system would be better able to assist the user in performing similarity analysis for a large number of different rules across multiple rule sets, thereby increasing the usefulness of the system and improving the user experience.
Bhatia does not expressly disclose selectively training the AI model with the at least one mapped control and the target standard. However, Bhatia does disclose that the ARA provides a machine learning solution to the SIEM rule management issues. The system is specifically directed to a machine learning or cognitive computing model that operates to analyze rules to determine if the rule set being used includes any duplicate or substantially similar rules that may be eliminated or merged together to reduce the rule set being utilized ([0035]). The ARA model comprises a parsing and natural language processing engine 102, a similarity determination engine 104, a rule similarity visualization engine 106, a rule deduplication and merging engine 108, a rule alignment engine 110, a rule decomposition engine 120, and a rule generation engine 122 ([0058]). Bhatia discloses that the ARA trains a machine learning or cognitive computing system comprising machine learning mechanisms, such as a Recurrent Neural Network (RNN) or the like, to learn to generate new rules ([0043]). The ARA uses natural language processing (NLP) techniques, statistical analysis, similarity analysis, topic modeling, and principal component analysis (PCA) to identify and eliminate duplicate rules, combine similar rules together into “super rules,” decompose the rules and their conditions into principal components for use in automatically generating new SIEM rules, and train a machine learning model, such as a Recurrent Neural Network (RNN), to generate automated rules based on specific threat intelligence and learning of rule components that correspond to threat characteristics ([0059]). Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to have incorporated selectively training the AI model with the at least one mapped control and the target standard, as suggested in Bhatia ([0034-0037], [0043], [0058-0059]).
Doing so would be desirable because, currently, SIEM rules are created, tested, and applied to a system manually and sourced from out-of-the-box rules ([0005]). SIEM rules require constant tuning and upkeep as new systems come online, new software releases are deployed, and new vulnerabilities are discovered ([0006]). Rule generation is currently a manual process requiring many hours of human analyst time, and human analyst expertise, to accomplish. Rule generation is also generally a reactionary endeavor, performed in reaction to newly identified threats. Thus, the number of hours a human analyst must spend generating new rules to address the newly identified threats means that there is a period of time during which the new threats are not being identified as they proliferate in enterprise computing environments. There is currently no automated mechanism to generate new SIEM rules ([0032]). Additionally, training the ARA model on known controls and standards, such as the same rules and standards used in the deduplication and merge process ([0059]), would ensure that the model closely aligns with the needs of the enterprise.
However, Bhatia fails to expressly disclose wherein the at least one parameter or restriction comprises a limit of a quantity of intermediate nodes between the source or destination controls determined by the mapping manager based on a predetermined range being outside the limit. In the same field of endeavor, Zeng teaches:
wherein the at least one parameter or restriction comprises a limit of a quantity of intermediate nodes between the source or destination controls determined by the mapping manager based on a predetermined range being outside the limit (Zeng Figs. 1-4; [0024], aspects of the present disclosure may display any number of levels, tiers, or “hops” between node connections (e.g., display only direct connections, display up to three levels or tiers of connections, etc.) and the number may be user-selectable; [0025], Examples of the data records may include a dependency matrix, a system level block diagram, a system architecture diagram, an organizational chart, a network diagram, network topology information, a data structure, document configuration management data, hardware or software transition plans, policy documents, compliance documents; aspects of the present disclosure may interpolate or decipher connections between nodes based on a relationship analysis; information regarding nodes and their connections may be consolidated from multiple data sources, and the consolidated information may be presented in a cohesive and simple interface; [0032], FIG. 1C illustrates a display or GUI showing an example of filtering nodes based on a set of criteria; Example criteria may include total edge count (e.g., the number of links between applications); [0035], FIG. 1F illustrates a display or GUI showing an example of expanding the map view of nodes based on a number of hops associated with a selected node. As shown in FIG. 1F, the interface 100 may include a display options section 114 in which the number of hops shown can be adjusted by a slider 116 (e.g., the hops shown for the selected PTR node). As described herein, a “hop” may include an edge, level, or tier associated with the selected node. 
Thus, when one hop is selected, the interface 100 may present only the nodes in direct connection with the selected PTR node (e.g., nodes having an edge that connects directly to the PTR node, which may be known as hop 1 nodes). When two hops are selected, the interface 100 may change to show an expanded network that includes the hop 1 nodes, and the nodes in direct connection with the hop 1 nodes (e.g., nodes having an edge that connects directly to a hop 1 node, which may be known as hop 2 nodes); [0043], the data records may include a dependency matrix, a system level block diagram, a system architecture diagram, an organizational chart, a network diagram, a data structure, document configuration management data, hardware or software transition plans, policy documents, compliance documents (e.g., GDPR policy documents), or the like. As described above, the system visualization server 210 may access and consolidate these data records, standardize the records, and present them in a user interface (e.g., in the form of a network map, force direction graph, table, etc.); [0047], As shown in FIG. 3, process 300 includes receiving source data records (block 310). In various implementations, a source data record may include a dependency matrix, a system level block diagram, a system architecture diagram, an organizational chart, a network diagram, a data structure, document configuration management data, hardware or software transition plans, policy documents, compliance documents (e.g., GDPR policy documents), or the like; [0049], Process 300 further includes extracting information identifying nodes, connections and attributes from the source data records (block 330). For example, the system visualization server 210 may analyze the source data records and apply the formatting and structure information to those data records to extract specific information and attributes from the data records, such as information regarding connections to other devices, documents, etc. 
Also, the system visualization server 210 may combine information from multiple different data sources to identify nodes, connections, attributes, and the like. Additionally, or alternatively, the system visualization server 210 may extract information from the data records and/or data sources using other techniques. For example, in a scenario in which a data record is a document, the system visualization server 210 may extract information using text parsing, natural language processing, and/or other text analysis techniques to identify node names, attributes, and connections; [0052], the level of impact of other nodes may be determined (e.g., based on the number of hops between connected nodes and affected node, a measure of similarity between the connected nodes and the affected node, etc.); a level of commonality between two nodes may be based on the number and types of attributes that the nodes have in common, and/or the degree to which two nodes are similar)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to have incorporated wherein the at least one parameter or restriction comprises a limit of a quantity of intermediate nodes between the source or destination controls determined by the mapping manager based on a predetermined range being outside the limit as suggested in Zeng into Bhatia. Doing so would be desirable because an organization or enterprise can be complex in structure, including many types of elements, such as resources, infrastructure, hardware/software, and other “moving parts.” Effective system management at the enterprise level may involve effectively identifying how one element in a system is affected by changes made to another component, even when the two elements may seem unrelated (see Zeng [0002]). Aspects of the present disclosure may include a system and/or method that consolidates information across multiple different data sources, and visually presents, e.g., using a GUI, connections between nodes in which each node represents any variety of elements (see Zeng [0019]). Aspects of the present disclosure may automatically consolidate information regarding nodes and their connections from multiple data sources, and present the consolidated information in a cohesive and simple interface that is less cluttered than a conventional graph interface. In this way, system management, planning, and decision-making is improved by providing a technically improved interface to easily identify all of the “moving parts” in a complex system (see Zeng [0020]). In a situation in which hundreds, thousands, or more nodes may be interlinked, aspects of the present disclosure provide a simple and effective technique for visually identifying the relationships between the nodes, which is not available in conventional directed graph displays. 
That is, aspects of the present disclosure may present a “big picture” view of relationships and/or dependencies between nodes (see Zeng [0021]). Aspects of the present disclosure may provide easily understandable visual representations of nodes and node connections (see Zeng [0026]). Additionally, the system of Zeng would improve the system of Bhatia by providing a user interface in which any contemplated variety of criteria may be presented in the filtering section 108 such that nodes and/or edges of interest that meet the criteria are displayed (see Zeng [0032]).
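As an added illustration of the hop-limited traversal relied on above (this is the editor's example, not code from Zeng, Bhatia, or the application under examination), the following Python block expands a control map breadth-first from a selected node, stopping at a user-selected number of hops, and reports how many intermediate nodes lie between a source control and a destination control. The control map, the control identifiers, and the per-edge confidence values are constructed for the example and are not a real cross-framework crosswalk; the confidence floor is an assumed parameter corresponding to the "relationship confidence rating" of claim 4.

```python
from collections import deque

# Constructed illustrative control map (not a real crosswalk; not from Zeng or
# the application under examination). Node = control identifier; edge =
# (neighbor, relationship confidence in [0, 1]). Edges are stored both ways.
CONTROL_MAP = {
    "NIST-AC-2":   [("ISO-A.9.2.1", 0.92), ("CIS-5.1", 0.80)],
    "ISO-A.9.2.1": [("NIST-AC-2", 0.92), ("PCI-8.1.2", 0.75)],
    "CIS-5.1":     [("NIST-AC-2", 0.80), ("PCI-8.1.2", 0.55)],
    "PCI-8.1.2":   [("ISO-A.9.2.1", 0.75), ("CIS-5.1", 0.55), ("SOC2-CC6.2", 0.70)],
    "SOC2-CC6.2":  [("PCI-8.1.2", 0.70)],
}


def expand(graph, start, max_hops, min_confidence=0.0):
    """Breadth-first expansion from start, stopping at max_hops.

    Returns {node: hop_distance}. Edges whose confidence is below
    min_confidence are never followed, so raising the confidence floor prunes
    the reachable set in the same way that lowering max_hops does.
    """
    hops = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if hops[node] >= max_hops:
            continue                      # hop budget exhausted on this branch
        for neighbor, confidence in graph.get(node, ()):
            if confidence < min_confidence or neighbor in hops:
                continue                  # pruned edge, or already reached at <= this depth
            hops[neighbor] = hops[node] + 1
            queue.append(neighbor)
    return hops


def intermediate_nodes(graph, source, destination, min_confidence=0.0):
    """Fewest intermediate nodes on any source->destination path, or None if unreachable.

    BFS discovers each node at its minimum hop distance, so hops - 1 is the
    minimum number of nodes strictly between source and destination.
    """
    hops = expand(graph, source, max_hops=len(graph), min_confidence=min_confidence)
    distance = hops.get(destination)
    return None if distance is None else max(distance - 1, 0)


def within_limit(graph, source, destination, max_intermediate, min_confidence=0.0):
    """True when destination is reachable with at most max_intermediate nodes between."""
    count = intermediate_nodes(graph, source, destination, min_confidence)
    return count is not None and count <= max_intermediate


if __name__ == "__main__":
    for n in (1, 2, 3):
        print(f"{n} hop(s) from NIST-AC-2:", expand(CONTROL_MAP, "NIST-AC-2", n))
    print("intermediate NIST-AC-2 -> SOC2-CC6.2:",
          intermediate_nodes(CONTROL_MAP, "NIST-AC-2", "SOC2-CC6.2"))
```

With one hop the expansion returns only the directly connected controls; with two hops it adds the controls reachable through them, which is the "hop 1 / hop 2" behaviour Zeng describes for the slider. Changing either the hop count or the confidence floor and calling `expand` again is the re-traversal with a changed parameter; no graph state has to be rebuilt.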
However, Bhatia in view of Zeng fails to expressly disclose selectively training the AI model with the at least one mapped control and the target standard when a verification reveals the mapped control is an acceptable match for the target specification. In the same field of endeavor, Brdiczka teaches:
selectively training the AI model with the at least one mapped control and the target standard when a verification reveals the mapped control is an acceptable match for the target specification (Brdiczka Figs. 1-5; abs. During operation, the system presents a collection of similar documents to a user, collects feedback on the similarity of the documents from the user, generates generic rules for calculating document similarity, and filters documents with customized similarity calculation based on the feedback provided by the user; [0032], The objective of phase one optimization is to enhance the global similarity calculation by incorporating user feedback. In phase one, the system presents the collection of similar documents related to the source document to the system users, and collects feedback on the similarity of the documents from them. The users may indicate documents in the collection that are falsely included, as well as additional similar documents from the original candidates that are not included in the collection. The users' feedback is provided to a machine-learning subsystem as the training data for supervised learning; [0033], an iterative process in which the user may give feedback constantly to improve the similarity calculation. This phase involves harvesting an individual user's feedback and applying a supervised machine-learning algorithm to the user feedback. Classification rules generated by the machine-learning algorithm can be used to filter similar documents for the respective user; [0034], the user feedback comprises an indication of documents in the collection that are falsely included, and/or an indication of additional similar documents not included in the collection; [0035], Supervised machine learning is the task of inferring classification rules from supervised training data. 
A supervised learning algorithm analyzes the training data to extract features or properties of the data, and produce the classifier; [0036], the system optimizes the calculation of document similarity based on collected user feedback. The user feedback includes additional similar documents and documents falsely marked as similar documents. The supervised learning algorithm analyzes these documents and extracts a list of document attributes or features that most likely separate similar from non-similar documents. The outcome of the supervised learning is a set of classification rules or a decision tree, which can be integrated into the entity-based document-similarity calculation algorithm. The generic classification rules based on the users' feedback can be deployed to optimize system performance, whereas the classification rules inferred from feedback of a respective user facilitate customized similarity calculation for the user. In another embodiment, a user interface is provided for user input of document features for the machine-learning algorithm; [0037], FIG. 3 presents a flowchart illustrating the process of calculating document similarities based on machine-learning in accordance with an embodiment of the present invention; [0038], Supervised learning is the task of inferring classification rules from supervised training data consisting of a set of training examples. In order to improve in finding similar documents, the system collects user feedback which indicates documents in the collection that are falsely included, and/or additional similar documents that are not included in the collection. The user feedback provides training data for the supervised machine learning, so that the supervised machine-learning algorithm may analyze the user feedback and infer a set of classification rules)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to have incorporated selectively training the AI model with the at least one mapped control and the target standard when a verification reveals the mapped control is an acceptable match for the target specification as suggested in Brdiczka into Bhatia in view of Zeng. Doing so would be desirable because modern workers often deal with large numbers of documents (see Brdiczka [0008]). Existing methods for identifying similarities among documents assume a global relationship between semantic entity occurrences in documents and their similarity. The definition of a global formula of relationship leads to correct identification of similar documents. However, such approaches do not consider varying user preferences and user configurations. A customized similarity calculation is necessary to cope with differences across multiple users (see Brdiczka [0009]). To improve the future decision on document similarity and customize similarity calculation across users, the proposed method consists of two phases: optimization and customization (see Brdiczka [0031]). The objective of phase one optimization is to enhance the global similarity calculation by incorporating user feedback (see Brdiczka [0032]). The second customization phase aims at providing individual tuning for finding similar documents for a respective user. This phase is an iterative process in which the user may give feedback constantly to improve the similarity calculation (see Brdiczka [0033]). In order to improve in finding similar documents, the system collects user feedback which indicates documents in the collection that are falsely included, and/or additional similar documents that are not included in the collection. 
The user feedback provides training data for the supervised machine learning, so that the supervised machine-learning algorithm may analyze the user feedback and infer a set of classification rules. The inferred classification rules can be used in predicting similarities of future documents (see Brdiczka [0038]).
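As an added illustration of the two mechanisms relied on above (Bhatia's threshold-gated cosine-similarity search over rule pairings, and Brdiczka's use of analyst confirmation to decide what reaches the training set), the following Python block is the editor's example and is not code from Bhatia, Brdiczka, or the application under examination. The four SIEM rule texts are constructed for the example; the bag-of-words term-frequency vectorisation is an assumed stand-in for the "vector representations of statistically significant portions of text" that Bhatia describes, and the `verified_training_pairs` gate is an assumed realisation of the "acceptable match" verification of claim 24.

```python
import math
import re
from collections import Counter

# Constructed sample SIEM rule set (not from Bhatia or the application under
# examination). Each entry is the rule's test/condition text, which is the part
# the similarity analysis inspects.
RULES = {
    1: "when event_type = login_failure and count > 5 within 10 minutes from same source_ip",
    2: "when event_type = login_failure and count > 5 within 10 minutes from same src_ip",
    3: "when event_type = port_scan and distinct_ports > 100 within 1 minute",
    4: "when event_type = login_failure and count > 3 within 5 minutes from same user",
}


def tokenize(text):
    """Lower-case bag of identifiers and numbers; comparison operators are dropped."""
    return re.findall(r"[a-z0-9_]+", text.lower())


def vectorize(text):
    """Term-frequency vector of the rule text as a plain Counter (assumed vectorisation)."""
    return Counter(tokenize(text))


def cosine(a, b):
    """Cosine similarity of two term-frequency vectors; 0.0 if either is empty."""
    dot = sum(a[t] * b[t] for t in a.keys() & b.keys())
    norm_a = math.sqrt(sum(v * v for v in a.values()))
    norm_b = math.sqrt(sum(v * v for v in b.values()))
    return dot / (norm_a * norm_b) if norm_a and norm_b else 0.0


def pairwise_scores(rules):
    """Score every unordered pair of rules once; returns {(lo_id, hi_id): score}."""
    vecs = {rid: vectorize(text) for rid, text in rules.items()}
    ids = sorted(vecs)
    return {
        (ids[i], ids[j]): cosine(vecs[ids[i]], vecs[ids[j]])
        for i in range(len(ids))
        for j in range(i + 1, len(ids))
    }


def similar_rules(scores, rule_id, threshold):
    """Rules paired with rule_id whose score meets the threshold, best first.

    Calling this again with a different threshold or rule_id is the
    re-traversal with a changed parameter; the pair scores are not recomputed.
    """
    hits = []
    for (a, b), score in scores.items():
        if rule_id in (a, b) and score >= threshold:
            hits.append((b if a == rule_id else a, round(score, 4)))
    return sorted(hits, key=lambda h: (-h[1], h[0]))


def verified_training_pairs(candidates, rule_id, analyst_accepted):
    """Keep only candidate pairs the analyst confirmed as acceptable matches.

    analyst_accepted is the set of rule ids the analyst marked as true matches
    for rule_id (assumed feedback format). Rejected candidates never reach the
    training set, so a false positive in the similarity search cannot be
    learned as a positive example.
    """
    return [(rule_id, other, score) for other, score in candidates if other in analyst_accepted]


if __name__ == "__main__":
    scores = pairwise_scores(RULES)
    for threshold in (0.90, 0.70, 0.30):
        print(f"rule 1 at >= {threshold:.0%}:", similar_rules(scores, 1, threshold))
    print("training pairs after analyst accepts only rule 2:",
          verified_training_pairs(similar_rules(scores, 1, 0.70), 1, {2}))
```

Rule 1 and rule 2 differ only in the field name (`source_ip` versus `src_ip`) and score 11/12, rule 4 shares the structure but not the thresholds and scores 10/12, and rule 3 is a different detection and scores about 0.38; moving the threshold from 70% to 90% drops rule 4 from the result set without rescoring anything. If the analyst rejects rule 4 as a duplicate, only the (1, 2) pairing is passed on as training data.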
Regarding claims 1, 8, 15, and 22, claims 1, 8, 15, and 22 contain substantially similar limitations to those found in claim 24. Consequently, claims 1, 8, 15, and 22 are rejected for the same reasons.
Regarding claim 2, Bhatia in view of Zeng in further view of Brdiczka teaches all the limitations of claim 1, further comprising:
the AI model is configured to assess a score corresponding to the candidate control, the score representing similarity between the target specification and the candidate control; and the mapping manager is configured to traverse the map responsive to the standard associated with the at least one candidate control being different than the target standard and/or to the corresponding score not satisfying a first threshold (Bhatia Figs. 1-16; [0036], The illustrative embodiments further provide a mechanism for visualization of the similarity between rules in the rule set(s) in order to present a visual representation easily understandable by human analysts for decision making purposes; [0059], The ARA uses natural language processing (NLP) techniques, statistical analysis, similarity analysis, topic modeling, principal component analysis (PCA), and rule visualization on the SIEM rules information, threat intelligence information, log source information, framework information, and the like, obtained from these various sources to identify and eliminate duplicate rules, combine similar rules together into “super rules,” align SIEM rules with frameworks and/or standard rules from standard rules repositories; [0067], Having identified the statistically significant portions of text in the SIEM rule set data structure 134 and generated the vector representations, each of the SIEM rules in the SIEM rule set data structure 134 is paired with another SIEM rule in the SIEM rule set data structure 134 and a similarity analysis is performed on the pairing based on the statistically significant portions of text, e.g., a cosine similarity on the vector representations of the paired rules with regard to the statistically significant portions of text. The similarity engine 104 generates, for each pairing of SIEM rules, a corresponding similarity score value indicating how similar the paired SIEM rules are to one another based on the particular conditions specified in the test portion of the SIEM rule definitions, such as by using the cosine similarity evaluation of the corresponding vector representations; [0070], FIG. 5 is an example diagram of a portion of a graphical user interface in which similarity scores are represented with regard to pairings of rules in a SIEM rule set data structure; [0075], the similarity visualization engine 106 may present a user interface through which the human analyst can specify a SIEM rule of interest and a threshold level of similarity that the human analyst is interested in. That is, the human analyst, via the user interface, may specify that they wish to be informed of what other rules Y in the SIEM rule set are similar to a specified rule X at a minimum level of similarity Z. The similarity visualization engine 106 may then search the pairings of SIEM rules; [0076-0077], a user may specify a numerical value between 0 and 418 to specify a SIEM rule of interest to the user; the user also specifies a threshold level of similarity score needed for a pairing to be included in the results, e.g., 70% in this depicted example; see also [0034-0035])
Regarding claims 9, 16, 23 and 25, claims 9, 16, 23 and 25 contain substantially similar limitations to those found in claim 2. Consequently, claims 9, 16, 23 and 25 are rejected for the same reasons.
Regarding claim 3, Bhatia in view of Zeng in further view of Brdiczka teaches all the limitations of claim 1, further comprising:
wherein the mapping manager is further configured to subject the traversal of the map to at least one parameter (Bhatia Figs. 1-16; [0036], The illustrative embodiments further provide a mechanism for visualization of the similarity between rules in the rule set(s) in order to present a visual representation easily understandable by human analysts for decision making purposes; [0067], Having identified the statistically significant portions of text in the SIEM rule set data structure 134 and generated the vector representations, each of the SIEM rules in the SIEM rule set data structure 134 is paired with another SIEM rule in the SIEM rule set data structure 134 and a similarity analysis is performed on the pairing based on the statistically significant portions of text, e.g., a cosine similarity on the vector representations of the paired rules with regard to the statistically significant portions of text. The similarity engine 104 generates, for each pairing of SIEM rules, a corresponding similarity score value indicating how similar the paired SIEM rules are to one another based on the particular conditions specified in the test portion of the SIEM rule definitions, such as by using the cosine similarity evaluation of the corresponding vector representations; [0070], FIG. 5 is an example diagram of a portion of a graphical user interface in which similarity scores are represented with regard to pairings of rules in a SIEM rule set data structure; [0075], the similarity visualization engine 106 may present a user interface through which the human analyst can specify a SIEM rule of interest and a threshold level of similarity that the human analyst is interested in. That is, the human analyst, via the user interface, may specify that they wish to be informed of what other rules Y in the SIEM rule set are similar to a specified rule X at a minimum level of similarity Z. The similarity visualization engine 106 may then search the pairings of SIEM rules; [0076-0077], a user may specify a numerical value between 0 and 418 to specify a SIEM rule of interest to the user; the user also specifies a threshold level of similarity score needed for a pairing to be included in the results, e.g., 70% in this depicted example; see also [0034-0035])
Regarding claims 10 and 17, claims 10 and 17 contain substantially similar limitations to those found in claim 3. Consequently, claims 10 and 17 are rejected for the same reasons.
Regarding claim 4, Bhatia in view of Zeng in further view of Brdiczka teaches all the limitations of claim 3, further comprising:
wherein the at least one parameter comprises a relationship confidence rating, the limit of a quantity of intermediate nodes between the source or destination controls, or a combination thereof (Bhatia Figs. 1-16; [0036], The illustrative embodiments further provide a mechanism for visualization of the similarity between rules in the rule set(s) in order to present a visual representation easily understandable by human analysts for decision making purposes; [0067], Having identified the statistically significant portions of text in the SIEM rule set data structure 134 and generated the vector representations, each of the SIEM rules in the SIEM rule set data structure 134 is paired with another SIEM rule in the SIEM rule set data structure 134 and a similarity analysis is performed on the pairing based on the statistically significant portions of text, e.g., a cosine similarity on the vector representations of the paired rules with regard to the statistically significant portions of text. The similarity engine 104 generates, for each pairing of SIEM rules, a corresponding similarity score value indicating how similar the paired SIEM rules are to one another based on the particular conditions specified in the test portion of the SIEM rule definitions, such as by using the cosine similarity evaluation of the corresponding vector representations; [0070], FIG. 5 is an example diagram of a portion of a graphical user interface in which similarity scores are represented with regard to pairings of rules in a SIEM rule set data structure; [0075], the similarity visualization engine 106 may present a user interface through which the human analyst can specify a SIEM rule of interest and a threshold level of similarity that the human analyst is interested in. That is, the human analyst, via the user interface, may specify that they wish to be informed of what other rules Y in the SIEM rule set are similar to a specified rule X at a minimum level of similarity Z. The similarity visualization engine 106 may then search the pairings of SIEM rules; [0076-0077], a user may specify a numerical value between 0 and 418 to specify a SIEM rule of interest to the user; the user also specifies a threshold level of similarity score needed for a pairing to be included in the results, e.g., 70% in this depicted example; see also [0034-0035]; examiner note: per the instant specification [0036], a confidence reflects a similarity)
Regarding claims 11 and 18, claims 11 and 18 contain substantially similar limitations to those found in claim 4. Consequently, claims 11 and 18 are rejected for the same reasons.
Regarding claim 5, Bhatia in view of Zeng in further view of Brdiczka teaches all the limitations of claim 3, further comprising:
wherein the mapping manager is further configured to change the at least one parameter and traverse the map responsive to the changed parameter (Bhatia Figs. 1-16; [0036], The illustrative embodiments further provide a mechanism for visualization of the similarity between rules in the rule set(s) in order to present a visual representation easily understandable by human analysts for decision making purposes; [0067], Having identified the statistically significant portions of text in the SIEM rule set data structure 134 and generated the vector representations, each of the SIEM rules in the SIEM rule set data structure 134 is paired with another SIEM rule in the SIEM rule set data structure 134 and a similarity analysis is performed on the pairing based on the statistically significant portions of text, e.g., a cosine similarity on the vector representations of the paired rules with regard to the statistically significant portions of text. The similarity engine 104 generates, for each pairing of SIEM rules, a corresponding similarity score value indicating how similar the paired SIEM rules are to one another based on the particular conditions specified in the test portion of the SIEM rule definitions, such as by using the cosine similarity evaluation of the corresponding vector representations; [0070], FIG. 5 is an example diagram of a portion of a graphical user interface in which similarity scores are represented with regard to pairings of rules in a SIEM rule set data structure; [0075], the similarity visualization engine 106 may present a user interface through which the human analyst can specify a SIEM rule of interest and a threshold level of similarity that the human analyst is interested in. That is, the human analyst, via the user interface, may specify that they wish to be informed of what other rules Y in the SIEM rule set are similar to a specified rule X at a minimum level of similarity Z. The similarity visualization engine 106 may then search the pairings of SIEM rules; [0076-0077], a user may specify a numerical value between 0 and 418 to specify a SIEM rule of interest to the user; the user also specifies a threshold level of similarity score needed for a pairing to be included in the results, e.g., 70% in this depicted example; see also [0034-0035])
Regarding claims 12 and 19, claims 12 and 19 contain substantially similar limitations to those found in claim 5. Consequently, claims 12 and 19 are rejected for the same reasons.
Regarding claim 6, Bhatia in view of Zeng in further view of Brdiczka teaches all the limitations of claim 1, further comprising:
the mapping manager is further configured to map the at least one candidate control to a plurality of mapped controls associated with the target standard; and the platform further comprises a scoring manager configured to rank the mapped controls (Bhatia Figs. 1-16; [0036], The illustrative embodiments further provide a mechanism for visualization of the similarity between rules in the rule set(s) in order to present a visual representation easily understandable by human analysts for decision making purposes; [0067], Having identified the statistically significant portions of text in the SIEM rule set data structure 134 and generated the vector representations, each of the SIEM rules in the SIEM rule set data structure 134 is paired with another SIEM rule in the SIEM rule set data structure 134 and a similarity analysis is performed on the pairing based on the statistically significant portions of text, e.g., a cosine similarity on the vector representations of the paired rules with regard to the statistically significant portions of text. The similarity engine 104 generates, for each pairing of SIEM rules, a corresponding similarity score value indicating how similar the paired SIEM rules are to one another based on the particular conditions specified in the test portion of the SIEM rule definitions, such as by using the cosine similarity evaluation of the corresponding vector representations; [0070], FIG. 5 is an example diagram of a portion of a graphical user interface in which similarity scores are represented with regard to pairings of rules in a SIEM rule set data structure; the similarity score value in column 530 is calculated using a cosine similarity algorithm applied to vector representations of the SIEM rules specified in columns 510 and 520. Again, the columns are sortable through user interactions with the graphical user interface to sort the entries 500 according to ascending/descending numerical order, alphabetical order, or any other sorting criteria; [0071], for a SIEM rule set having 200 SIEM rules, each rule is paired with each of the other 199 SIEM rules and corresponding similarity scores are generated such that each may be represented in the portion of the graphical user interface shown in FIG. 5; a sort on column 530 for similarity scores in descending order may make this easier; [0075], the similarity visualization engine 106 may present a user interface through which the human analyst can specify a SIEM rule of interest and a threshold level of similarity that the human analyst is interested in. That is, the human analyst, via the user interface, may specify that they wish to be informed of what other rules Y in the SIEM rule set are similar to a specified rule X at a minimum level of similarity Z. The similarity visualization engine 106 may then search the pairings of SIEM rules; [0076-0077], a user may specify a numerical value between 0 and 418 to specify a SIEM rule of interest to the user; the user also specifies a threshold level of similarity score needed for a pairing to be included in the results, e.g., 70% in this depicted example; see also [0034-0035])
Regarding claims 13 and 20, claims 13 and 20 contain substantially similar limitations to those found in claim 6. Consequently, claims 13 and 20 are rejected for the same reasons.
Regarding claim 7, Bhatia in view of Zeng in further view of Brdiczka teaches all the limitations of claim 1, further comprising:
wherein the platform further comprises a scoring manager configured to assess a score representing similarity between the at least one mapped control and the target specification (Bhatia Figs. 1-16; [0036], The illustrative embodiments further provide a mechanism for visualization of the similarity between rules in the rule set(s) in order to present a visual representation easily understandable by human analysts for decision making purposes; [0067], Having identified the statistically significant portions of text in the SIEM rule set data structure 134 and generated the vector representations, each of the SIEM rules in the SIEM rule set data structure 134 is paired with another SIEM rule in the SIEM rule set data structure 134 and a similarity analysis is performed on the pairing based on the statistically significant portions of text, e.g., a cosine similarity on the vector representations of the paired rules with regard to the statistically significant portions of text. The similarity engine 104 generates, for each pairing of SIEM rules, a corresponding similarity score value indicating how similar the paired SIEM rules are to one another based on the particular conditions specified in the test portion of the SIEM rule definitions, such as by using the cosine similarity evaluation of the corresponding vector representations; [0070], FIG. 5 is an example diagram of a portion of a graphical user interface in which similarity scores are represented with regard to pairings of rules in a SIEM rule set data structure; [0075], the similarity visualization engine 106 may present a user interface through which the human analyst can specify a SIEM rule of interest and a threshold level of similarity that the human analyst is interested in. That is, the human analyst, via the user interface, may specify that they wish to be informed of what other rules Y in the SIEM rule set are similar to a specified rule X at a minimum level of similarity Z. The similarity visualization engine 106 may then search the pairings of SIEM rules; [0076-0077], a user may specify a numerical value between 0 and 418 to specify a SIEM rule of interest to the user; the user also specifies a threshold level of similarity score needed for a pairing to be included in the results, e.g., 70% in this depicted example; see also [0034-0035])
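The Bhatia mechanism summarized in the claim 6 and claim 7 rejections above (a vector representation of the statistically significant text of each SIEM rule's test portion, a cosine similarity score for every pairing of rules, a lookup of the rules Y similar to a rule of interest X at a minimum similarity Z, and a descending sort on the score), shown as an added, self-contained Python illustration. This is not Bhatia's code and not code from the application under examination; the four rule conditions, the rule names and the use of inverse document frequency as the stand-in for "statistically significant portions of text" are constructed assumptions made for the example.

```python
import math
import re
from collections import Counter
from itertools import combinations

# Constructed sample SIEM rule set: rule name -> text of the rule's test
# (condition) portion. Names and conditions are made up for illustration.
SAMPLE_RULES = {
    "R1": "when event category is authentication failure and source ip count exceeds threshold within five minutes",
    "R2": "when event category is authentication failure and source ip count exceeds threshold within ten minutes",
    "R3": "when destination port is rdp and source ip is external",
    "R4": "when outbound bytes exceed one gigabyte to external destination within one hour",
}


def tokenize(text):
    return re.findall(r"[a-z0-9]+", text.lower())


def idf_weights(rules):
    """Inverse document frequency over the rule set (an assumed stand-in for
    picking out statistically significant text): a term present in every rule,
    such as 'when', gets weight 0 and drops out of the vectors."""
    n = len(rules)
    df = Counter()
    for text in rules.values():
        df.update(set(tokenize(text)))
    return {term: math.log(n / count) for term, count in df.items()}


def vectorize(text, idf):
    """Sparse tf-idf vector of one rule's test portion."""
    tf = Counter(tokenize(text))
    return {t: c * idf[t] for t, c in tf.items() if idf.get(t, 0.0) > 0.0}


def cosine(a, b):
    dot = sum(w * b.get(t, 0.0) for t, w in a.items())
    na = math.sqrt(sum(w * w for w in a.values()))
    nb = math.sqrt(sum(w * w for w in b.values()))
    return 0.0 if na == 0.0 or nb == 0.0 else dot / (na * nb)


def pairwise_similarity(rules):
    """Pair every rule with every other rule and score each pairing."""
    idf = idf_weights(rules)
    vecs = {name: vectorize(text, idf) for name, text in rules.items()}
    return {(x, y): cosine(vecs[x], vecs[y]) for x, y in combinations(sorted(rules), 2)}


def ranked_pairs(rules):
    """All pairings sorted by similarity score, descending (a sort on the score column)."""
    scores = pairwise_similarity(rules)
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


def similar_to(rules, rule_of_interest, threshold):
    """Rules Y similar to rule X at a minimum similarity Z, best match first."""
    hits = []
    for (x, y), s in pairwise_similarity(rules).items():
        if rule_of_interest in (x, y) and s >= threshold:
            other = y if x == rule_of_interest else x
            hits.append((other, round(s, 3)))
    hits.sort(key=lambda h: (-h[1], h[0]))
    return hits


if __name__ == "__main__":
    for pair, score in ranked_pairs(SAMPLE_RULES):
        print(pair, f"{score:.3f}")
    print(similar_to(SAMPLE_RULES, "R1", 0.6))
```

With the constructed rules, R1 and R2 differ in a single term and score about 0.69, while R1 against the RDP and exfiltration rules scores below 0.1, so a threshold of 0.6 for rule R1 returns only R2; raising the threshold to 0.7 would return nothing, which is the kind of sensitivity a human analyst is expected to tune through the threshold Z.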
Regarding claims 14 and 21, claims 14 and 21 contain substantially similar limitations to those found in claim 7. Consequently, claims 14 and 21 are rejected for the same reasons.
Response to Arguments
The Examiner acknowledges the Applicant’s amendments to claims 1, 8, 15, 22, and 24.
Applicant alleges this amended language above is respectfully believed to bring independent claims 1, 8, 15, 22, & 24, and their dependent claims, within the standard for eligibility under the Revised Patent Subject Matter Eligibility Guidance (see remarks p. 16). Examiner respectfully disagrees.
As discussed in the rejection above, the claim is directed to an abstract idea that encompasses mental processes including evaluations or observations that are practically capable of being performed in the human mind with the assistance of pen and paper, and mathematical concepts that are achievable through mathematical computation. The claim places no limits on how the steps are performed. That is, nothing in the claim element precludes the step from practically being performed in the mind.
Applicant further alleges when analyzing Example 39, for example, the Office acknowledges that "training a neural network" is considered eligible, as such a functionality does not recite a judicial exception. Applicants respectfully contend that the implementation of machine learning logic and the iterative training thereof of the present invention is at least analogously similar in some regard (see remarks p. 16). Examiner respectfully disagrees.
With respect to Subject Matter Eligibility Example 39, this example was found to not recite any of the judicial exceptions enumerated in the 2019 PEG (Mathematical Concepts, Mental Processes, Certain Methods Of Organizing Human Activity). Similar to claim 2 of Example 47, instant claim 1 includes limitations that recite abstract ideas, such as Mental Processes and Mathematical Concepts. As discussed above, claim 1 recites limitations encompassing mental processes including evaluation and observation that are practically capable of being performed in the human mind with the assistance of pen and paper, and mathematical concepts that are achievable through mathematical computation. As discussed above, the additional elements of claim 1 do not integrate the abstract idea into a practical application and the claim is thus directed to the abstract idea. As further discussed above, nothing in the claim provides significantly more than that abstract idea. As such, the claim is ineligible.
Applicant further alleges that Applicant’s original disclosure provides an example of a mapping manager determining a restriction of the mapping parameters. For example, raising the minimum confidence rating or level and/or lowering the intermediate node limit. In a hierarchical structure not all nodes are directly connected to one another by a single edge (see remarks p. 16). Therefore, the mapping manager adjusts the acceptable quantity of intermediate nodes by establishing a parameter or restriction that comprises a limit of a quantity of intermediate nodes between the source or destination controls. Thus, the present invention is not directed to only training a neural network or machine learning model, but also the present invention improves the field of computing by directly improving transfer learning operations (see remarks p. 17). The limitations that preclude the aforementioned functionalities from being performed in the mind are similar in that both essentially require the surrender of control to the machine itself so that the machine learning model can utilize logic to establish the parameter or restriction and specify a limit of a quantity of intermediate nodes between the source or destination controls. The actual derivation of the operative/controlling logic occurs entirely within the confines of the machine itself, unaltered by the mind. The claimed functionality cannot be performed within the mind. The process recited in the claims cannot possibly be provided by a mental process and is beyond a mere abstract idea because it not only provides an improvement in computer-related technology, but also cannot possibly be performed in the human mind. Therefore, the human mind alone cannot practically perform the features of Applicant’s amended claim 1 (see remarks p. 17). Examiner respectfully disagrees.
As discussed in the rejection above, the claim is directed to an abstract idea that encompasses mental processes including evaluations or observations that are practically capable of being performed in the human mind with the assistance of pen and paper, and mathematical concepts that are achievable through mathematical computation. The claims place no limits on how the controls are identified, how the map is traversed, how the acceptable quantity of intermediate nodes is determined, or how the parameter or restriction that comprises a limit of a quantity of intermediate nodes between the source or destination controls is established. That is, nothing in the claim element precludes the step from practically being performed in the mind. Even when considered in combination, the additional elements do not integrate the recited judicial exception into a practical application (Step 2A, Prong Two) and represent mere instructions to apply an exception and insignificant extra-solution activity, and therefore do not provide an inventive concept (Step 2B). The claim is not eligible.
One way to determine integration into a practical application is when the claimed invention improves the functioning of a computer or improves another technology or technical field. To evaluate an improvement to a computer or technical field, the specification must set forth an improvement in technology and the claim itself must reflect the disclosed improvement. See MPEP 2106.04(d)(1) and 2106.05(a). The consideration of whether the claim as a whole includes an improvement to a computer or to a technological field requires an evaluation of the specification and the claim to ensure that a technical explanation of the asserted improvement is present in the specification, and that the claim reflects the asserted improvement.
While the disclosure states that “Ensuring compliance with various security-related and privacy-related requirements that may apply to a given organization requires an exercise of due diligence in not only implementing adequate protections, but maintaining and updating such protections as regulations, laws, etc. are amended, rewritten, rescinded, and promulgated, and as new surreptitious attack means are identified. To meet these requirements, security and privacy controls (hereinafter collectively referred to as “controls”) have been developed and implemented by organizations, both in the private sector and the public sector, and by individuals to safeguard information technology and other systems, computing platforms, devices, and products. Organizations or individuals select and implement controls to satisfy security-related and privacy-related requirements” ([0004]), and further states “It would therefore be advantageous to provide a system, a computer program product, and a method that promote leveraging of an artificial intelligence (AI) model for identifying security and privacy controls, and for incorporating standards mapping into training of the AI model to advance and improve the AI model's technological effectiveness” ([0007]), the claims do not recite an improvement to the functioning of a computer or to any other technology. At best, the claimed combination amounts to an improvement to the abstract idea of control identification rather than to any technology. See MPEP 2106.05(a).
Regarding independent claim 1, the Applicant further alleges that Bhatia, as described in the previous Office action, does not explicitly teach amended claim 1. Examiner has therefore rejected independent claim 1 under 35 U.S.C. § 103 as unpatentable over Bhatia in view of Zeng in further view of Brdiczka.
Specifically, applicant alleges Bhatia and Zeng fail to teach or otherwise disclose the at least one parameter or restriction comprising a limit of a quantity of intermediate nodes between the source or destination controls determined by the mapping manager based on a predetermined range being outside the limit, much less taking the next step of utilizing a training manager configured to selectively train the AI model with the mapped control and the target standard when a verification reveals the mapped control is an acceptable match for the target specification. Zeng is introduced to allegedly disclose wherein the at least one parameter or restriction comprises a limit of a quantity of intermediate nodes between the source or destination controls. However, Zeng is directed towards visually mapping nodes, and is not sophisticated enough to establish a predetermined range or limit. At best, the system of Zeng is configured to identify the degree to which one node is connected to another. However, Zeng fails to teach or otherwise disclose a mapping manager establishing a limit of intermediate nodes, artificial intelligence/machine learning, and the concept of utilizing a mapping manager to determine one parameter or restriction comprising a limit of a quantity of intermediate nodes between the source or destination controls based on a predetermined range being outside the limit. Furthermore, due to Bhatia failing to account for a limit of a quantity of intermediate nodes, it would not make sense to combine Bhatia with Zeng in order to ascertain the presently claimed invention (see remarks p. 19). Examiner respectfully disagrees.
Bhatia discloses leveraging an artificial intelligence (AI) manager with respect to a target specification for a target standard, the AI model configured to identify at least one candidate control associated with a corresponding standard (Bhatia Figs. 1-16; [0034-0035], [0043], [0059], [0063], [0072], [0076], [0089]); traversing a map comprising source and destination controls, including: identifying the at least one candidate control in the map; traversing the source and destination controls of the map to identify at least one mapped control associated with the target standard, the at least one mapped control satisfying a first parameter; traverse the map based on at least one parameter or restriction; wherein the at least one parameter or restriction comprises a limit between the source or destination controls; identifying a quantity of identified mapped controls (Bhatia Figs. 1-16; [0034], [0036], [0059], [0067], [0070], [0075-0077]) and selectively changing a parameter of the traversal and traversing the source and destination controls of the map using the changed parameter (Bhatia Figs. 1-16; [0037], [0075], [0075-0077]); when a verification reveals the mapped control is an acceptable match for the target specification (Bhatia Figs. 1-16; [0034], [0036], [0067], [0070], [0076-0077], [0107-0113], [0059]). 
As discussed in the rejection, based on the disclosure of Bhatia, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to have incorporated re-traversing the source and destination controls based on a change to the at least one parameter or restriction; selectively changing a parameter of the traversal and re-traversing the source and destination controls of the map using the changed parameter as suggested in Bhatia ([0034-0037], [0067], [0070], [0075-0077]); and selectively training the AI model with the at least one mapped control and the target standard as suggested in Bhatia ([0034-0037], [0043], [0058-0059]). Zeng is cited to teach wherein the at least one parameter or restriction comprises a limit of a quantity of intermediate nodes between the source or destination controls determined by the mapping manager based on a predetermined range being outside the limit (Zeng Figs. 1-4; [0024-0025], [0032], [0035], [0043], [0047], [0049], [0052]). Brdiczka is cited to teach a training manager configured to selectively train the AI model with the mapped control and the target standard when a verification reveals the mapped control is an acceptable match for the target specification (Brdiczka Figs. 1-5; abs. [0032-0038]). Thus, the combination of Bhatia in view of Zeng in further view of Brdiczka is considered to teach claim 1.
Bhatia discloses a system to align an enterprise's SIEM rule set with the rules in these standard repositories to provide guidance to human analysts as to potential rules in the standard repositories that may be added to the enterprise's SIEM rule set ([0034]). A machine learning or cognitive computing model operates to analyze rules used by a SOC in an enterprise environment, e.g., a client or customer environment, to determine if the rule set being used includes any duplicate or substantially similar rules that may be eliminated or merged together to reduce the rule set being utilized ([0035]). The ARA provides mechanisms for aligning (mapping) rules with frameworks ([0039]) and receives inputs from a variety of different sources, such as security control frameworks or standards ([0059]).
Zeng discloses a system including an interface that displays any number of levels, tiers, or “hops” between node connections ([0024]) for a variety of different data records ([0025]). FIG. 1C illustrates a display or GUI showing an example of filtering nodes based on a set of criteria such as total edge count (e.g., the number of links between applications) ([0032]). As shown in FIG. 1F, the interface 100 may include a display options section 114 in which the number of hops shown can be adjusted by a slider 116 (e.g., the hops shown for the selected PTR node) ([0035]). As shown and described, the user may set a parameter/restriction (shown to be a predetermined range) on a quantity of intermediate nodes, such that predetermined ranges of nodes that are outside the limit are not displayed.
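The hop-limited traversal discussed in the Zeng passage above, together with the claim 1 traversal limitations addressed earlier in this response (identify the candidate control in a map of source and destination controls, traverse to mapped controls of the target standard under a limit on intermediate nodes, count the results, and re-traverse after changing the parameter), shown as an added Python illustration. This is neither Zeng's nor Applicant's code; the control map, the control identifiers and the "NIST-", "CIS-" and "ISO-" prefixes that stand in for the standard a control belongs to are constructed for the example, as is the policy of widening the limit one step at a time.

```python
from collections import deque

# Constructed control map: control id -> set of control ids it is mapped to.
# Ids and standard prefixes are made up for illustration.
SAMPLE_MAP = {
    "NIST-AC-2": {"ISO-A.9.2.1", "CIS-5.1"},
    "CIS-5.1": {"ISO-A.9.2.2"},
    "ISO-A.9.2.2": {"ISO-A.9.2.6"},
    "ISO-A.9.2.1": set(),
    "ISO-A.9.2.6": set(),
}


def adjacency(control_map):
    """Treat source->destination mappings as traversable in both directions."""
    adj = {node: set() for node in control_map}
    for src, dsts in control_map.items():
        for dst in dsts:
            adj.setdefault(dst, set()).add(src)
            adj[src].add(dst)
    return adj


def hops_within_limit(control_map, source, max_intermediate):
    """Breadth-first traversal from `source`, returning {control: hop count}
    for every control reachable through at most `max_intermediate`
    intermediate nodes (a path with k intermediate nodes has k + 1 hops)."""
    adj = adjacency(control_map)
    hops = {source: 0}
    queue = deque([source])
    while queue:
        current = queue.popleft()
        # Expanding `current` would place its neighbours beyond the limit.
        if hops[current] > max_intermediate:
            continue
        for nxt in adj.get(current, ()):
            if nxt not in hops:
                hops[nxt] = hops[current] + 1
                queue.append(nxt)
    return hops


def mapped_controls(control_map, candidate, target_prefix, max_intermediate):
    """Controls of the target standard reachable from the candidate control,
    as (control, number of intermediate nodes), nearest first."""
    found = [
        (ctrl, h - 1)
        for ctrl, h in hops_within_limit(control_map, candidate, max_intermediate).items()
        if ctrl != candidate and ctrl.startswith(target_prefix)
    ]
    return sorted(found, key=lambda f: (f[1], f[0]))


def filter_by_edge_count(control_map, min_edges):
    """Analogue of filtering nodes on total edge count: keep controls with at
    least `min_edges` connections."""
    adj = adjacency(control_map)
    return sorted(node for node, nbrs in adj.items() if len(nbrs) >= min_edges)


def traverse_with_adjustment(control_map, candidate, target_prefix, min_results, start_limit, max_limit):
    """Traverse with the starting limit; when fewer than `min_results` mapped
    controls are identified, raise the intermediate node limit by one and
    re-traverse, up to `max_limit`. Returns (limit actually used, results)."""
    limit = start_limit
    while True:
        results = mapped_controls(control_map, candidate, target_prefix, limit)
        if len(results) >= min_results or limit >= max_limit:
            return limit, results
        limit += 1


if __name__ == "__main__":
    for limit in (0, 1, 2):
        print(limit, mapped_controls(SAMPLE_MAP, "NIST-AC-2", "ISO-", limit))
    print(traverse_with_adjustment(SAMPLE_MAP, "NIST-AC-2", "ISO-", 2, 0, 5))
    print(filter_by_edge_count(SAMPLE_MAP, 2))
```

With a limit of zero intermediate nodes only the directly mapped ISO control is returned; raising the limit to one reaches the control that sits behind the CIS node, and a limit of two reaches the whole chain. The re-traversal helper starts narrow and widens the limit only until the requested number of mapped controls is found, which is the behaviour the discussion of changing a traversal parameter and re-traversing describes.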
Examiner notes the claims place limitations on what the predetermined range must comprise. Thus Zeng’s disclosure of wherein the at least one parameter or restriction comprises a limit of a quantity of intermediate nodes between the source or destination controls determined by the mapping manager based on a predetermined range being outside the limit (Zeng Figs. 1-4; [0024-0025], [0032], [0035], [0043], [0047], [0049], [0052]) is considered within the broadest reasonable interpretation of the claimed limitations.
Similar arguments have been presented for claims 1, 8, 15, 22, and 24 and thus, Applicant’s arguments are not persuasive for the same reasons.
Applicant states that the dependent claims recite all the limitations of the independent claims, and thus, are allowable in view of the remarks set forth regarding the independent claims. However, as discussed above, Bhatia in view of Zeng is considered to teach the independent claims, and consequently, the dependent claims are rejected.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: Xiang (US 20210158209 A1), see Figs. 1-22 and [0099-0111].
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JOHN T REPSHER III whose telephone number is (571)272-7487. The examiner can normally be reached Monday - Friday, 8AM-5PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jennifer Welch can be reached at (571) 272-7212. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/JOHN T REPSHER III/ Primary Examiner, Art Unit 2143