Prosecution Insights
Last updated: April 19, 2026
Application No. 17/868,378

SYSTEM AND METHOD FOR COMBINING CYBER-SECURITY THREAT DETECTIONS

Final Rejection §102 §103 §112
Filed: Jul 19, 2022
Examiner: WILLIAMS, JEFFERY L
Art Unit: 2495
Tech Center: 2400 — Computer Networks
Assignee: Citrix Systems Inc.
OA Round: 2 (Final)
Grant Probability: 68% (Favorable)
OA Rounds: 3-4
To Grant: 3y 7m
With Interview: 88%

Examiner Intelligence

Grants 68% — above average
Career Allow Rate: 68% (341 granted / 498 resolved), +10.5% vs TC avg
Strong +19% interview lift
Interview Lift: +19.0% (resolved cases with interview)
Typical timeline
Avg Prosecution: 3y 7m (27 currently pending)
Career history
Total Applications: 525 (across all art units)

Statute-Specific Performance

§101: 8.6% (-31.4% vs TC avg)
§103: 34.6% (-5.4% vs TC avg)
§102: 23.6% (-16.4% vs TC avg)
§112: 30.1% (-9.9% vs TC avg)
Based on career data from 498 resolved cases

Office Action

§102 §103 §112
Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION

This action is in response to the communication filed on 11/25/25. Claims 1 – 3, 5 – 10, 12 – 17, and 19 – 21 are pending. All objections and rejections not set forth below have been withdrawn.

Drawings

The drawings are objected to under 37 CFR 1.83(a). The drawings must show every feature of the invention specified in the claims. Therefore, the features of “…each threat detector configured to detect a respective condition in network traffic and generate a corresponding signal mapped to a corresponding node…” must be shown or the feature(s) canceled from the claim(s). No new matter should be entered.

Corrected drawing sheets in compliance with 37 CFR 1.121(d) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. The figure or figure number of an amended drawing should not be labeled as “amended.” If a drawing figure is to be canceled, the appropriate figure must be removed from the replacement sheet, and where necessary, the remaining figures must be renumbered and appropriate changes made to the brief description of the several views of the drawings for consistency. Additional replacement sheets may be necessary to show the renumbering of the remaining figures. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be notified and informed of any required corrective action in the next Office action. The objection to the drawings will not be held in abeyance.
Specification

The specification is objected to as failing to provide proper antecedent basis for the claimed subject matter. See 37 CFR 1.75(d)(1) and MPEP § 608.01(o). Correction of the following is required:

The applicant’s original disclosure fails to teach “…each threat detector configured to detect a respective condition in network traffic and generate a corresponding signal mapped to a corresponding node…” and “…each of the activated subset of nodes associated with a respective one of the triggered threat detectors…” (e.g. see claims 1, 8, 15)

Specifically, the applicant’s disclosure fails to teach any particular configuration of threat detectors, such that each one is configured to detect a respective condition in network traffic. Additionally, the applicant’s disclosure fails to teach any particular configuration of threat detectors, such that each one is configured to generate a corresponding signal that is mapped to a corresponding node. Furthermore, the applicant’s disclosure fails to teach each of the activated subset of nodes associated with a respective one of the triggered threat detectors.

Claim Rejections - 35 USC § 112

The following is a quotation of the first paragraph of 35 U.S.C. 112(a):

(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112:

The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 1 – 4, 6 – 11, 13 – 18, 20, and 21 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention. See above objection to the Specification.

The following is a quotation of 35 U.S.C. 112(b):

(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 1 – 4, 6 – 11, 13 – 18, 20, and 21 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Regarding claims 1, 8, and 15, the recitation of “…one or more threat detectors … activate, based on corresponding signals from a subset of the one or more threat detectors …” renders the scope of the claims indefinite. Specifically, the examiner notes that the claims are broadly limited to only one threat detector (i.e. “one or more threat detectors”). Thus, it is unclear to one of ordinary skill in the art as to how a “subset” of threat detectors would be identified from a universe of only one, or a single, threat detector. This claim language renders the scope of the claims ambiguous, as it would appear that, despite the explicit wording of the claim, the scope of the claim must actually be limited, in its broadest form, to a plurality of threat detectors, such that a “subset” of threat detectors can exist.

Depending claims are rejected by virtue of dependency.

Claim Rejections - 35 USC § 102

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:

A person shall be entitled to a patent unless – (a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

Claims 1 – 3, 6 – 10, 13 – 17, 20, and 21 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Bassett, US 2019/0373005 A1.
Regarding claim 1, Bassett discloses:

A computer system comprising: a memory; and at least one processor coupled to the memory and configured to (e.g. Bassett, par. 127):

detect triggering of one or more threat detectors (e.g. Bassett, par. 6, 33, 65, 94; fig. 6:605; claim 3 - Herein one or more “threat detectors” (i.e. various sensors and attack detector) are “triggered” by the observation of data, conditions, and events within a network), each threat detector configured to detect a respective condition in network traffic (e.g. Bassett, claim 3; par. 94, 95, 101) and generate a corresponding signal mapped to a corresponding node (e.g. Bassett, Abstract; par. 65 – observations from the “threat detectors” are mapped to respective nodes of a graph), wherein at least one threat detector is configured to detect one or more properties of a user associated with an action corresponding to the network traffic (e.g. Bassett, Abstract; par. 71, 94, 95, 101);

activate, based on corresponding signals from a subset of the one or more threat detectors including the at least one threat detector, a subset of nodes from a plurality of nodes in a Bayesian network, each of the activated subset of nodes associated with a respective one of the triggered threat detectors (e.g. Bassett, par. 33, 34, 58, 59, 61, 81, 93 – 96; fig. 1). Herein, one or more likely attack paths of nodes (i.e. a subset of nodes) are identified (i.e. “activated”).

calculate a probability of malicious action using the Bayesian network to combine probabilities associated with the activated subset of nodes, wherein the probability of the malicious action is calculated based at least in part on the one or more properties of the user associated with the action corresponding to the network traffic (e.g. Bassett, par. 56, 60, 61, 76 – 81, 91, 93 – 95, 101).
Herein, conditional probability tables, CPTs, are calculated for the identified nodes within the attack path – the attack paths being based upon the hacker’s malicious actions within the network.

determine that the probability exceeds a threshold value (e.g. Bassett, par. 18, 81, 86, 88, 96, 97, 99, 101). Herein, attack likelihoods (i.e. probabilities) are compared to various threshold values, such as previous likelihoods values for the prioritization of risk, qualitative values (e.g. low, medium, high risks), and/or differential measurements, in order to determine if an attack has/or is likely to have occurred.

and perform a security action in response to the determination (e.g. Bassett, par. 22, 98, 99).

Regarding claim 2, Bassett discloses: wherein each node of the plurality of nodes of the Bayesian network is configured to provide a probability of detection and a probability of false alarm of the threat associated with the each node (e.g. Bassett, par. 41 – 43, 56).

Regarding claim 3, Bassett discloses: wherein the each node is associated with a threat objective and with one or more threat techniques, the threat techniques associated with the threat objective and with one of the threat detectors (e.g. Bassett, par. 6, 17, 18, 94; table 5). Herein, attributes (i.e. threat techniques) of a graph node are associated with corresponding attackers/threat actors (i.e. threat objective), each of which are detected by network sensors (i.e. threat detectors).

Regarding claim 6, Bassett discloses: wherein the at least one processor is further configured to select the threshold value based on a tradeoff between a probability of detection of the malicious action and a probability of false alarm of the malicious action (e.g. Bassett, par. 18, 81, 86, 88, 96, 97, 99, 101). Herein, attack threshold values (e.g. low, medium, high risks and/or prioritized probability rankings, and/or differential measurements) are all based upon an attack probability, i.e. a tradeoff or likelihood between an attack being correctly detected or falsely detected (i.e. “false alarm”).

Regarding claim 7, Bassett discloses: wherein the at least one processor is further configured to create and update the plurality of nodes of the Bayesian network based on provisioning of threat detectors and provisioning of threat detector performance data (e.g. Bassett, par. 6, 33, 65, 79, 94; fig. 6:605; claim 3). Herein, nodes of the Bayesian network are created and updated through the detections of the GUI and system sensors, i.e. “threat detectors”.

Regarding claims 8 – 10, 13 – 17, 20, and 21, they are method and medium claims essentially corresponding to the system claims above, and they are rejected, at least, for the same reasons.

Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 5, 12, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Bassett, US 2019/0373005 A1 in view of Mittal et al. (Mittal), US 2025/0007937 A1.

Regarding claim 5, Bassett discloses a system for using Bayesian probability to detect attacks based upon collected information, however does not appear to explicitly teach that such collected information could include a geolocation of the user or reputation data associated with an internet provider employed by the user.

However, Mittal also teaches a system for using Bayesian probability to detect attacks based upon collected information (e.g. Mittal, par. 79), and further teaches that such collected information can include a geolocation of the user and reputation data associated with an internet provider employed by the user (e.g. Mittal, par. 76, e.g. geo-location and the reputation of the attacker’s IP addresses used to provide connection to the internet, i.e. reputation data associated with the attacker’s internet provider).

It would have been obvious to include the teachings of Mittal for collecting information such as a user’s geolocation and data associated with a reputation of an internet provider within the system of Bassett for using collected information to detect attacks using Bayesian probability. This would have been obvious because one of ordinary skill in the art would have been motivated by the teachings that better resource protection can be achieved by collecting and using such metadata (e.g. Mittal, par. 73 – 76).

Thus, the combination enables wherein the properties include a geolocation of the user and reputation data associated with an internet provider employed by the user (e.g. Mittal, par. 76).

Regarding claims 12 and 19, they are method and medium claims essentially corresponding to the system claims above, and they are rejected, at least, for the same reasons.

Response to Arguments

Applicant's arguments filed 11/25/25 have been fully considered but they are not persuasive.
Applicant argues or alleges essentially that:

… First … … However, the cited passages fail to specify that each of the one or more threat detectors is configured to detect a respective condition in network traffic and generate a corresponding signal, nevermind that the signal is mapped to a corresponding node as recited in amended claim 1. … … (Remarks, pg. 2)

Examiner respectfully responds:

The examiner respectfully disagrees. Bassett clearly teaches that the various “threat detectors” (i.e. sensors and/or attack detector) make observations of respective network conditions (e.g. Bassett, claim 3; par. 94, 95, 101), wherein such observations are conveyed as signals to be integrated into graphical form by mapping them to corresponding nodes on a graph (e.g. Bassett, claim 1, claim 3; par. 65, 94 – 96).

Applicant argues or alleges essentially that:

… Second, … … However, the cited passages at most describe observable attributes relating to the traffic as noted above (such as IP addresses, browser headers, and time of day), not one or more properties of a user associated with an action corresponding to the network traffic. Rather, and if anything, the attributes described in Bassett relate to the action itself, and not a user associated with the action as recited in amended claim 1. … (Remarks, pg. 3)

Examiner respectfully responds:

The examiner respectfully disagrees, at least, for the reason that Bassett explicitly teaches that the observable attributes (such as network events and conditions) pertain to the network activity of hackers and other malicious “actors” (i.e. someone who performs malicious actions) (e.g. Bassett, par. 69-73; 101, 104).

Conclusion

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to JEFFERY L WILLIAMS whose telephone number is (571)272-7965. The examiner can normally be reached 7:30 am - 4:00 pm.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached at 571-272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/JEFFERY L WILLIAMS/
Primary Examiner, Art Unit 2495

Prosecution Timeline

Jul 19, 2022: Application Filed
Nov 02, 2023: Response after Non-Final Action
Aug 23, 2025: Non-Final Rejection — §102, §103, §112
Nov 25, 2025: Response Filed
Jan 10, 2026: Final Rejection — §102, §103, §112 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12592824
SECURE APPARATUS TO SHARE AND DEPLOY MACHINE BUILD PROGRAMS UTILIZING UNIQUE HASH TOKENS
2y 5m to grant Granted Mar 31, 2026
Patent 12591689
ANALYZING RISK FOR DEVICES WITHIN A MANAGED ENVIRONMENT
2y 5m to grant Granted Mar 31, 2026
Patent 12580774
DIGITAL SIGNATURES OF MESSAGES USING SIGNATURE SHARES
2y 5m to grant Granted Mar 17, 2026
Patent 12572630
USER-TRUSTED EXECUTABLE EXECUTION ENVIRONMENT
2y 5m to grant Granted Mar 10, 2026
Patent 12574258
PUBLICLY VERIFIABLE ENCRYPTION
2y 5m to grant Granted Mar 10, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Prosecution Projections

Expected OA Rounds: 3-4
Grant Probability: 68%
With Interview: 88% (+19.0%)
Median Time to Grant: 3y 7m
PTA Risk: Moderate
Based on 498 resolved cases by this examiner. Grant probability derived from career allow rate.
