Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
This Office action is in response to the application filed on 08/31/2022. Claims 1-20 are pending and have been examined.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 08/31/2022 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.
Claim Rejections - 35 USC § 101
Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception (an abstract idea) without significantly more. The following is the Examiner's analysis of the claimed invention.
Step 1: Is the claim to a process, machine, manufacture, or composition of matter? Claim 1 (and dependent claims 2-8) recites a method (process), claim 9 (and dependent claims 10-15) recites a system (machine), and claim 16 (and dependent claims 17-20) recites a non-transitory computer readable medium (manufacture).
Step 2A, Prong One: Does the claim recite an abstract idea, law of nature, or natural phenomenon? The claim recites the steps of "identifying hardware and software components of a system architecture; generating a multi-layered graph based on the hardware and software components… extracting one or more properties of the multi-layered graph; computing one or more security metrics based on the one or more properties; and quantifying a security risk of the system architecture based on the one or more security metrics." These steps fall within the "Mental Processes" grouping, i.e., concepts performed in the human mind (including observation, evaluation, judgment, and opinion). Each of the steps of identifying components, generating a graph, extracting one or more properties, computing one or more security metrics, and quantifying a security risk is a mental process that can practically be performed in the human mind; therefore, the claimed limitations fall within the mental processes grouping, and the claims recite an abstract idea.
Step 2A, Prong Two: Does the claim recite additional elements that integrate the judicial exception into a practical application? The claimed preamble, "security risk analysis," merely generally links the use of the judicial exception to a particular technological environment; therefore, the claim as a whole is no more than a drafting effort designed to monopolize the exception. The limitation of claims 2, 10, and 17, "comparing the security risk of the system architecture against one or more other security risks of one or more other system architectures," is so broad as to cover insignificant extra-solution activity.
Step 2B: Does the claim recite additional elements that amount to significantly more than the judicial exception? The elements recited in claims 2-8, 10-15, and 17-20 recite further details of relationships in the graph, identifying vulnerabilities and countermeasures, and assessment of the vulnerabilities, which amount to no more than mental processes. Claims 9 and 16 recite a system and a non-transitory computer readable medium, respectively, which amount to no more than mere instructions to apply the exception using generic computer components. See Two-Way Media Ltd. v. Comcast Cable Communications, LLC, 2017 U.S. App. LEXIS 21706 at 14 (Fed. Cir. Nov. 1, 2017), finding that "simply implementing an abstract concept on a computer without meaningful limitations to that concept, does not transform a patent-ineligible claim into a patent-eligible one." Accenture Global Services v. Guidewire Software, Inc., 728 F.3d 1336, 1345 (Fed. Cir. 2013); see also the prohibition against patenting an abstract principle by attempting to limit the use of the principle to a particular technological environment. Classen is an example case identifying a mental process, specifically "[c]oncepts relating to data comparisons that can be performed mentally or are analogous to human mental work." See MPEP 2106.04(a)(2), sections III and III.A. Therefore, the additionally recited limitations in claims 1-20, individually or in combination as a whole, fail to amount to significantly more than the abstract idea.
The dependent claims included in the statement of rejection but not specifically addressed in the body of the rejection have inherited the deficiencies of their parent claim and have not resolved the deficiencies. Therefore, they are rejected based on the same rationale as applied to their parent claims above.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-5, 8-13, and 16-19 are rejected under 35 U.S.C. 103 as being unpatentable over Chari (US 10,503,911 B2), hereinafter Chari, in view of Parla (US 2024/0031394 A1), hereinafter Parla.
Regarding Claims 1, 9, and 16, Chari teaches:
A method for security risk analysis, comprising: (Chari Col. 1 Ln. 43-45 teaches a computer implemented method for generating an attack graph to protect sensitive data objects located on a network from attack. Fig. 2 teaches a system for running the method.)
identifying hardware and software components of a system architecture; (Chari Col. 12 Ln. 6-17 teaches that application 242 may collect, process, and manage personal medical information, which is regulated by HIPAA, for an insurance company that processes medical claims, and that the sensitive data manager may identify components of the application. Col. 7 Ln. 5-17 teaches that sensitive data manager 218 also may identify which components in data processing system hardware components 240 and components 244 of application 242 perform one or more activities associated with sensitive data in sensitive data 222 corresponding to the regulated service.)
generating a multi-layered graph based on the hardware and software components, wherein the multi-layered graph includes a hardware layer (Chari Col. 7 Ln. 46-62 teaches that sensitive data manager 218 generates attack graph 232 based on topology graph of service 220, sensitive data 222, regulatory compliance requirements 224, normal authorized sensitive data activity 226, vulnerability and risk metrics 228, and sensitivity, integrity, and criticality ranks 230 (i.e., a multi-layered graph). Attack graph 232 includes nodes 250, edges 252, and labels 254. Nodes 250 represent components of the regulated service (i.e., the identified hardware and software components cited above). Edges 252 represent paths between related components. Sensitive data manager 218 may attach labels 254 to nodes 250 and/or edges 252. Labels 254 represent relevant information associated with an attached node or edge.)
extracting one or more properties of the multi-layered graph; (Chari Col. 7 Ln. 35-46 teaches calculating risk score 234 for each component of the regulated service (i.e., a property of each node of the graph).)
computing one or more security metrics based on the one or more properties; and (Chari Col. 7 Ln. 35-46 teaches calculating risk score 234 for each component of the regulated service (i.e., quantifying a risk). The sensitivity rank of a component indicates how sensitive that particular component is to an attack (i.e., a security metric). The integrity rank of a component indicates how resistant that particular component is to alteration or modification without proper authorization. The criticality rank of a component indicates how critical that particular component is to an operation of the regulated service.)
quantifying a security risk of the system architecture based on the one or more security metrics. (Chari Col. 7 Ln. 35-46 teaches calculating risk score 234 for each component of the regulated service (i.e., quantifying a risk). The sensitivity rank of a component indicates how sensitive that particular component is to an attack (i.e., a security metric). The integrity rank of a component indicates how resistant that particular component is to alteration or modification without proper authorization. The criticality rank of a component indicates how critical that particular component is to an operation of the regulated service.)
Chari does not appear to explicitly teach the following limitation, but Parla, in related art, teaches:
representing a lowest level of hardware architecture of the system architecture; (Parla ¶ 51 teaches that CPU technologies produce CPU telemetry that represents executions of a process in terms of CPU instructions. Telemetry feeds from different CPUs may be represented in a CFDG representation that allows any CPU technology, regardless of format, language, or specific embodiment, to provide instruction-level monitoring at the CPU telemetry level across devices.)
It would have been obvious to one of ordinary skill in the art, before the applicant's earliest effective filing date, to combine the teachings of Chari with Parla, modifying Chari's method for the automatic generation of data-centric attack graphs with Parla's method for making control flow graphs from CPU telemetry. The motivation to do so, per Parla ¶ 153, is to provide better performance and improved security.
Regarding Claims 2, 10, and 17, Chari in view of Parla teaches:
The method of claim 1, further comprising: (Chari in view of Parla teaches the parent claim above.) comparing the security risk of the system architecture against one or more other security risks of one or more other system architectures. (Parla ¶ 185-186 teaches valuable insights that may help identify and get ahead of exploits and vulnerabilities before they are widespread by enabling comparison across peers and industries.)
The motivation given for claim 1 is equally applicable to the above claims.
Regarding Claims 3, 11, and 18, Chari in view of Parla teaches:
The method of claim 1, (Chari in view of Parla teaches the parent claim above.) wherein the multi-layered graph comprises one or more vertices representing the hardware and software components, one or more edges representing actual or possible interactions between the hardware and software components, and one or more layers representing one or more levels of abstraction of the hardware and software components. (Chari Col. 7 Ln. 46-62 and Fig. 5 teach that the attack graph includes nodes, edges, and labels. Nodes represent components of the regulated service. Edges represent paths between related components. The sensitive data manager may attach labels to nodes and/or edges. Labels represent relevant information associated with an attached node or edge. Fig. 5 clearly shows components that would belong to different abstraction layers.)
Regarding Claims 4 and 12, Chari in view of Parla teaches:
The method of claim 3, further comprising: (Chari in view of Parla teaches the parent limitation above.) identifying one or more vulnerabilities (Chari Col. 14 Ln. 47-65 teaches that, for each component, illustrative embodiments may collect vulnerability and risk metrics from, for example: 1) CVE identifiers, CVSS scores, the Common Weakness Enumeration (CWE), which provides a measurable set of source code and operational system weaknesses, the National Vulnerability Database (NVD), which enables automation of vulnerability management, security measurement, and compliance, and blog information; 2) vulnerability information obtained from penetration testing, application source code scanning, and network scanning; and 3) other sources, such as inputs from application developers, system administrators, and security/risk analysts.)
and one or more countermeasures of the system architecture. (Parla ¶ 216 teaches excluding the tainted control flow directed graph from the learned control flow directed graph to generate a revised control flow diagram (i.e., an identified countermeasure). Excluding the tainted control flow directed graph may include generating a revised SBOM excluding the code portion. At 1914, process 1900 includes executing the process based on the revised control flow diagram to prevent execution of the vulnerability.)
Regarding Claims 5 and 13, Chari in view of Parla teaches:
The method of claim 4, (Chari in view of Parla teaches the parent limitation above.) wherein the one or more vulnerabilities comprise at least one of the vertices representing a potential attack surface (Chari Col. 15 Ln. 5-20 teaches assigning locally aggregated risk scores to each node (i.e., each component) in the attack graph based on the vulnerability and risk metrics and the sensitivity, integrity, and criticality ranks identified above for each component of the regulated service.) and at least one of the edges representing a potential attack path. (Chari Col. 16 Ln. 24-31 teaches generating multi-step attack paths, where illustrative embodiments connect one vulnerability to another vulnerability. Such a path contains two or more edges.)
Regarding Claim 8, Chari in view of Parla teaches:
The method of claim 1, (Chari in view of Parla teaches the parent claim above.) wherein the security risk analysis is automated. (Chari Col. 7 Ln. 45-67 teaches that sensitive data manager 218 may utilize attack graph 232 to determine how an attacker may access some or all of sensitive data 222 through one or more components of the regulated service. It should be noted that attack graph 232 changes over time (i.e., the analysis is performed automatically).)
Regarding Claim 19, Chari in view of Parla teaches:
The computer program product of claim 18 wherein the program instructions executable by the processor further cause the processor to: (Chari in view of Parla teaches the parent limitation above.) identifying one or more vulnerabilities (Chari Col. 14 Ln. 47-65 teaches that, for each component, illustrative embodiments may collect vulnerability and risk metrics from, for example: 1) CVE identifiers, CVSS scores, the Common Weakness Enumeration (CWE), which provides a measurable set of source code and operational system weaknesses, the National Vulnerability Database (NVD), which enables automation of vulnerability management, security measurement, and compliance, and blog information; 2) vulnerability information obtained from penetration testing, application source code scanning, and network scanning; and 3) other sources, such as inputs from application developers, system administrators, and security/risk analysts.)
and one or more countermeasures of the system architecture. (Parla ¶ 216 teaches excluding the tainted control flow directed graph from the learned control flow directed graph to generate a revised control flow diagram (i.e., an identified countermeasure). Excluding the tainted control flow directed graph may include generating a revised SBOM excluding the code portion. At 1914, process 1900 includes executing the process based on the revised control flow diagram to prevent execution of the vulnerability.) wherein the one or more vulnerabilities comprise at least one of the vertices representing a potential attack surface (Chari Col. 15 Ln. 5-20 teaches assigning locally aggregated risk scores to each node (i.e., each component) in the attack graph based on the vulnerability and risk metrics and the sensitivity, integrity, and criticality ranks identified above for each component of the regulated service.) and at least one of the edges representing a potential attack path. (Chari Col. 16 Ln. 24-31 teaches generating multi-step attack paths, where illustrative embodiments connect one vulnerability to another vulnerability. Such a path contains two or more edges.)
Claims 6-7, 14-15, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Chari in view of Parla as applied to claims 4, 12, and 19 above, and further in view of Smart (US 2015/0347480 A1), hereinafter Smart.
Regarding Claims 6 and 14, Chari in view of Parla and further in view of Smart teaches:
The method of claim 4, further comprising: (Chari in view of Parla teaches the parent claim above.) including one or more isolation layers in the multi-layered graph. (Smart ¶ 156 teaches that, as a result of these transformations, Layer B enables the creation of an extremely strong security isolation barrier to prevent unauthorized data breaches, vulnerability-inducing data or cyber contamination (e.g., malware transmission), or usurpation of control (e.g., hacking). This barrier establishes a trust boundary above which Layer C analytic processing can be performed, but without compromise to any constituent Layer A source components.)
It would have been obvious to one of ordinary skill in the art, before the applicant's earliest effective filing date, to combine the teachings of Chari in view of Parla with Smart, modifying Chari's method for the automatic generation of data-centric attack graphs, as already modified by Parla's method for making control flow graphs from CPU telemetry, to include the isolation layer of Smart. The motivation to do so, per Smart ¶ 156, is to prevent unauthorized data breaches.
Regarding Claims 7 and 15, Chari-Parla-Smart teaches:
The method of claim 6, further comprising: (Chari-Parla-Smart teaches the parent limitation above.) reassessing the one or more security metrics after the one or more vulnerabilities and the one or more countermeasures are identified. (Chari Col. 7 Ln. 45-67 teaches that sensitive data manager 218 may utilize attack graph 232 to determine how an attacker may access some or all of sensitive data 222 through one or more components of the regulated service. It should be noted that attack graph 232 changes over time (i.e., the metrics are reassessed).)
The motivation given for claim 6 is equally applicable to the above claims.
Regarding Claim 20, Chari-Parla-Smart teaches:
The computer program product of claim 19, wherein the program instructions executable by the processor further cause the processor to: (Chari-Parla-Smart teaches the parent limitation above.) include one or more isolation layers in the multi-layered graph; (Smart ¶ 156 teaches that, as a result of these transformations, Layer B enables the creation of an extremely strong security isolation barrier to prevent unauthorized data breaches, vulnerability-inducing data or cyber contamination (e.g., malware transmission), or usurpation of control (e.g., hacking). This barrier establishes a trust boundary above which Layer C analytic processing can be performed, but without compromise to any constituent Layer A source components.)
and reassess the one or more security metrics after the one or more vulnerabilities and the one or more countermeasures are identified. (Chari Col. 7 Ln. 45-67 teaches that sensitive data manager 218 may utilize attack graph 232 to determine how an attacker may access some or all of sensitive data 222 through one or more components of the regulated service. It should be noted that attack graph 232 changes over time (i.e., the metrics are reassessed).)
The motivation given for claim 6 is equally applicable to the above claim.
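The technique that the claim mappings above describe (a graph whose vertices are hardware and software components, per-node risk scores derived from vulnerability metrics and sensitivity/integrity/criticality ranks, multi-step attack paths connecting one vulnerability to another, and reassessment of the metrics after a countermeasure is applied) is sketched below in working Python. This is an added illustration for this page; it is not code from the application, from Chari, or from Parla. The component names, the CVSS-style scores, the weighting of the three ranks, and the rule that a hop with no known vulnerability breaks an attack chain are all constructed assumptions chosen to keep the arithmetic easy to follow.

```python
"""Illustrative multi-layered security risk graph.

Added example, not code from the application, Chari (US 10,503,911 B2)
or Parla (US 2024/0031394 A1). Component names, CVSS-style scores and
the aggregation formulas are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Component:
    """A vertex: one hardware or software component of the architecture."""
    name: str
    layer: str                 # "hardware" (the lowest layer) or "software"
    sensitivity: int           # 1..5 ranks, modelled loosely on Chari's three ranks
    integrity: int
    criticality: int
    cvss: List[float] = field(default_factory=list)  # constructed CVSS base scores


class LayeredGraph:
    def __init__(self) -> None:
        self.vertices: Dict[str, Component] = {}
        self.edges: Set[Tuple[str, str]] = set()   # (src, dst): src can reach dst

    def add(self, c: Component) -> None:
        self.vertices[c.name] = c

    def connect(self, src: str, dst: str) -> None:
        if src not in self.vertices or dst not in self.vertices:
            raise KeyError(f"unknown component in edge {src}->{dst}")
        self.edges.add((src, dst))

    # --- properties extracted from the graph --------------------------
    def layer(self, name: str) -> List[str]:
        """Vertices belonging to one layer, e.g. the hardware layer."""
        return sorted(n for n, c in self.vertices.items() if c.layer == name)

    def exposure(self, name: str) -> float:
        """Assumed: worst known CVSS score scaled to 0..1; 0 if none is known."""
        c = self.vertices[name]
        return max(c.cvss) / 10.0 if c.cvss else 0.0

    # --- security metrics ---------------------------------------------
    def node_risk(self, name: str) -> float:
        """Assumed per-node metric: exposure weighted by the three ranks."""
        c = self.vertices[name]
        weight = (c.sensitivity + c.integrity + c.criticality) / 15.0
        return self.exposure(name) * weight

    def attack_paths(self, entry: str, target: str) -> List[List[str]]:
        """All simple paths entry -> target; each is a candidate attack path."""
        paths: List[List[str]] = []

        def dfs(node: str, path: List[str]) -> None:
            if node == target:
                paths.append(list(path))
                return
            for src, dst in sorted(self.edges):
                if src == node and dst not in path:
                    path.append(dst)
                    dfs(dst, path)
                    path.pop()

        dfs(entry, [entry])
        return paths

    def path_risk(self, path: List[str]) -> float:
        """Assumed chaining rule: product of hop exposures, so a hop with no
        known vulnerability (exposure 0) breaks the chain."""
        risk = 1.0
        for node in path:
            risk *= self.exposure(node)
        return risk

    # --- quantifying the risk of the architecture ---------------------
    def system_risk(self, entry: str, target: str) -> float:
        """Assumed: risk of the most dangerous path from entry to target."""
        return max((self.path_risk(p) for p in self.attack_paths(entry, target)),
                   default=0.0)

    def apply_countermeasure(self, name: str) -> None:
        """Model a patch: the component's known vulnerabilities are closed,
        after which the metrics are simply recomputed (reassessment)."""
        self.vertices[name].cvss.clear()


def build_example() -> LayeredGraph:
    """Constructed claims-processing system; names and scores are made up."""
    g = LayeredGraph()
    g.add(Component("cpu", "hardware", 2, 5, 5, [5.6]))
    g.add(Component("nic", "hardware", 3, 3, 4, [7.5]))
    g.add(Component("os", "software", 4, 4, 5, [9.8]))
    g.add(Component("claims_app", "software", 5, 5, 5))        # no known CVE
    g.add(Component("phi_store", "software", 5, 5, 5, [6.5]))  # sensitive data
    for src, dst in [("nic", "os"), ("cpu", "os"), ("os", "claims_app"),
                     ("claims_app", "phi_store"), ("os", "phi_store")]:
        g.connect(src, dst)
    return g


if __name__ == "__main__":
    g = build_example()
    print("hardware layer:", g.layer("hardware"))
    for p in g.attack_paths("nic", "phi_store"):
        print(" -> ".join(p), "path risk", round(g.path_risk(p), 4))
    print("system risk before patch:", round(g.system_risk("nic", "phi_store"), 4))
    g.apply_countermeasure("os")          # reassess after a countermeasure
    print("system risk after patching os:", g.system_risk("nic", "phi_store"))
```

Of the two paths from the network interface to the sensitive data store, the one routed through the unvulnerable claims application scores zero under the assumed chaining rule, while the direct hop from the operating system dominates the system risk; closing the operating system vulnerability and recomputing shows the reassessment step dropping the system risk to zero.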
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US 2022/0345481 A1 - Graphical User Interface System For Providing Comprehensive Cloud Environment Risk Inventory Visualization, Has Processor For Causing Display To Present Asset Categories And Receiving Selection Of Particular Asset Category Through Input Device
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JACOB BENEDICT KNACKSTEDT whose telephone number is (703)756-5608. The examiner can normally be reached Monday-Friday 8:00 am - 5:00 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Linglan Edwards can be reached on (571) 270-5440. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/J.B.K./Examiner, Art Unit 2408
/LINGLAN EDWARDS/Supervisory Patent Examiner, Art Unit 2408