Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Amendments / Arguments
Regarding the rejection(s) of claims under 35 USC 103:
Applicant’s arguments, filed 01/29/2026, in view of the amended claims, have been fully considered and are not persuasive.
Applicant argues that paragraphs [0049]-[0050] of Narula fail to teach the claimed reward function. For instance, Applicant argues that "instead of simply copying the actions taken by the analyst as they are, the machine learning model of the Narula is trained using such actions and enhances its reasoning for the more accurate suggestion," and that Narula "merely discuss the training of the machine learning model during its development and provides no particular teachings for treating the machine learning model after the development thereof is completed."
In response, it is noted that the claim does not require copying expert countermeasures "as they are," nor does it exclude a learned model; the claim recites only that the reward function is "set to copy existing countermeasures rendered by the experts during development of the playbook." Paragraphs [0049]-[0051] of Narula recite a learning mechanism in which the security actions taken by the analyst ( the expert) are captured and used by the machine learning model to generate workflows for similar incidents. A reward function trained to reproduce expert rendered actions when generating a workflow teaches the claimed reward function "set to copy existing countermeasures rendered by the experts," because the function is configured such that its output favors the actions the expert previously rendered. Applicant's characterization of the model as one that "enhances its reasoning" does not distinguish the claim, as the claim is silent regarding any prohibition on enhancement and the recited "copy" function reads on a model whose reward favors reproducing expert actions.
Applicant argues that the Common Event Format (CEF) of Forte [0012] "is merely the format for the log data" and "even fails to relate to the categorized and comprehensive information for various attacks like the TTP information"; that the "attack episodes 174" of Oliveira [0069], [0082] "are the combination of the attacks specifically designed and stored in advance"; and that Boteanu (col. 7, lines 39-51) "merely discloses that MITRE framework is used to develop the specific threat models and methodologies" and "fails to teach any generating of the countermeasures."
In response, it is noted that the rejection does not rely on Forte's CEF fields alone to teach the claimed "extract TTP information." Forte [0002]-[0003] and [0012] teach receiving and considering structured incident information describing artifacts inside incidents (CEF fields), and Oliveira [0069] and [0082] teach extracting and structuring threat information from attack data for use by the system. The claimed "TTP information" is not defined in the claim with any particular structure or format beyond information used to identify a threatening factor; accordingly, the structured artifact and threat information of Forte and Oliveira reads on extracting information from which a threatening factor is identified. Applicant's distinction between CEF as a "logging format" and TTP as "categorized" attack information is a distinction in degree of categorization not recited in the claim, and is therefore not commensurate in scope with the claim language.
Regarding the MITRE framework analysis, it is noted that Boteanu (col. 7, lines 39-51) teaches the use of the MITRE ATT&CK framework for threat analysis, which framework inherently maps adversary tactics and techniques (attack methods) to mitigations (defense methods). The claimed "generate a most suitable countermeasure from the attack and defense methods by applying the TTP information" is taught by the combination: Boteanu provides the MITRE-based mapping of attack and defense methods, while Forte [0091] teaches generating a playbook based on recommended actions (countermeasures).
Applicant argues that Oliveira [0023], [0065]-[0066], [0082]-[0087] "even fails to disclose any determination of the connectivity between the inputs and the outputs of the components in the generated playbook"; that Chen "merely teaches the comparisons between the graphs of the generated workflow and the model workflow, and thus also fails to disclose the claimed determination of the connectivity between the input and the output of the components"; and that "none of the applied references teaches that the generated playbook is manually adjusted based on the similarity and the connectivity."
In response, it is noted that Chen teaches representing each workflow as a graph in which components (phases) are connected by transitions, where the transitions define the order in which the output of one component flows to the next component (Chen [0026]-[0040], FIG. 6 and FIG. 7). The claimed "determine connectivity between the input and the output of the components... by determining whether an output value of one component can be provided as an input value to another connected component" reads on Chen's graph based representation of components linked by directed transitions, because a directed transition between two components in Chen's flowchart represents that the preceding component's output is provided to the succeeding component. Further, Crabtree [0055]-[0065] teaches analyzing connectivity among components based on graph theory using directed graphs, which directed connectivity between components teaches determining whether one component is connected to provide its output to another.
Regarding "confirm the connectivity and the component execution by actually executing the components," it is noted that Forte [0020], [0125], [0161] teaches that the incident response platform automatically executes playbooks corresponding to detected events, i.e., actually executing the components of the playbook, which execution confirms component execution.
Regarding "the generated playbook is manually adjusted based on the similarity and the connectivity used to verify the effectiveness," it is noted that Narula [0045], [0046], [0063-0065], [0081], [0072]-[0076] teaches that when a recommended workflow is rejected or deviated from, the playbook is manually adjusted/revised by the analyst and stored for subsequent use.
Therefore, the identified claim language is considered to be taught by the combined references, and the rejection is maintained. Further, since Applicant has not presented additional arguments concerning the dependent claims, their rejections are likewise maintained. It is further noted that the 112(f) claim interpretation is maintained. The three module limitations ("playbook automatic-generation module," "playbook verification and management module," and "playbook execution module") continue to be interpreted under 112(f), as each remains a generic placeholder coupled with functional language without reciting sufficient structure to perform the recited function. Applicant's Remarks address only the 103 rejections and neither amend these limitations to recite sufficient structure nor present any showing that the limitations recite sufficient structure to avoid interpretation under 112(f). Accordingly, because Applicant has not addressed the 112(f) interpretation, it is maintained.
DETAILED ACTION
This is a reply to the arguments filed on 01/29/2026, in which, claims 1, 4, 6-10, 13 and 15 are pending. Claims 1 and 10 are independent. Claims 2-3, 5, 11-12, 14 and 16-17 are canceled.
When making claim amendments, the applicant is encouraged to consider the references in their entireties, including those portions that have not been cited by the examiner and their equivalents as they may most broadly and appropriately apply to any particular anticipated claim amendments.
Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.
The following is a quotation of pre-AIA 35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.
This application includes one or more claim limitations that do not use the word "means," but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier. Such claim limitation(s) is/are: "playbook automatic-generation module; playbook verification and management module; playbook execution module" in claims 1-9.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof. For instance, the specification describes these modules as implemented by a processor and memory executing specific algorithms. The playbook automatic-generation module is described in paragraphs [0009]-[0011], the playbook verification and management module in paragraph [0013], and the playbook execution module in paragraphs [0014]-[0018]. Each module is described with specific steps and algorithms for performing their respective functions.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, applicant may: (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1, 4, 6-10, 13 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Forte et al. (US 20210398001 A1referred to as Forte), in view of Oliveira et al. (US 20210377307 A1, referred to as Oliveira) in further view of Narula et al. (US 20210306352 A1, referred to as Narula) in further view of Crabtree et al. (US 20210168175 A1, referred to as Crabtree) in further view of Chen et al (US 20190050776 A1, referred to as Chen) in further view of Boteanu (US 12088609 B1, referred to as Boteanu).
In reference to claim 1, a playbook automatic-generation module configured to be connected to external devices via a network to receive information from the external devices and to generate a playbook for counteracting a threat based on a template by utilizing an artificial learning model (Forte: [0005], [0019] and [0080] Provides for a system that automates threat analysis using artificial intelligence (machine learning) to generate custom playbooks based on based on templates and historical incidents.)
A playbook database configured to be connected to the playbook verification and management module and to save the playbook (Forte: [0048]-[0050] Provides for databases used to store playbooks and related data. Verified playbooks are saved and used for future incident responses.) A playbook execution module configured to be connected to the playbook database and to select and automatically execute a corresponding playbook for to a detected event from the playbook database (Forte: [0020], [0125] and [0161] Provides for the incident response platform automatically presents and can execute playbooks corresponding to detected incidents.) Wherein to generate the playbook, the playbook automatic-generation module is further configured to: receive cyber threat intelligence (CTI) information from a data integration management system (Forte: [0002]-[0003] Provides for cybersecurity incident response systems receiving incident-related information.)
Extract TTP information from the CTI information (Forte: [0012] Provides for the system's ability to consider CEF fields, which describe artifacts inside incidents.)
Identify a threatening factor by applying the extracted TTP information to a network to be protected (Forte: [0012] Provides for applying the considered fields describing incident artifacts to identify threatening factors against the protected system.)
Generate the playbook based on the playbook template through a connection with the TTP information (Forte: [0091] Provides that the system generates playbooks based on recommended actions connected to the threat information.) Although Forte teaches a system for managing and improving playbooks based on user feedback (Forte, [0006]) Forte does not explicitly mention a verification module and wherein the playbook saved to the playbook database was verified. However, Oliveira Teaches:
A playbook verification and management module configured to be connected to the playbook automatic-generation module and to verify effectiveness of the playbook generated by the playbook automatic-generation module (Oliveira: [0023] and [0065]-[0066] Provides for reward-based reinforcement learning for verifying effectiveness of responses. Oliveira [0082]-[0087] further provides for a reward function for the selection of inputs (solutions).)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Forte, which teaches a system for generating and managing playbooks for cybersecurity incident response, including a method for improving playbooks based on user feedback, with the teachings of Oliveira, which discloses a system that uses reinforcement learning to verify and improve the effectiveness of cybersecurity responses through a reward-based methodology. One of ordinary skill in the art would recognize the ability to incorporate Oliveira's reinforcement learning and reward-based verification method into Forte's playbook verification and management module. One of ordinary skill in the art would be motivated to make this modification in order to enhance the effectiveness of the playbooks by automatically verifying and improving their performance based on real-world outcomes, thereby creating a more adaptive cybersecurity response system that can continuously learn from attack patterns.
Forte in view of Oliveira does not explicitly teach what the playbook automatic-generation module is configured to do. However Narula discloses:
Wherein the playbook automatic-generation module is configured to: receive countermeasure history data inputted by a controller, as playbook generation information (Narula: [0032]-[0041] Provides for receiving historical data about countermeasures (security actions taken by analysts) through a controller (enforcement engine), which is then used as generation information for future recommendations.)
Extract counteractions for removing the threat from the countermeasure history data as components (Narula: [0032]-[0042] Provides for extracting specific actions (components) from the historical data that were used to address threats.)
Decide order of the components based reinforcement learning (Narula: [0041]-[0050] Provides for using machine learning to determine the sequence of steps in a workflow.)
Generate a playbook template which is a general procedure for counteracting the threat, by arranging the components according to the decided order of the components (Narula: [0039]-[0048] Provides for generating a recommended sequence (general procedure) by arranging components (actions) in a specific order to address security threats.)
Generate the playbook based on the playbook template (Narula: [0044] and [0068] Provides for generating a playbook based on the recommended sequence, which functions as a template for future incidents.)
Wherein to decide the order of the components the playbook automatic-generation module is further configured to apply a reward function generated by the reinforcement learning, which is set to copy existing countermeasures rendered by the experts during development of the playbook and is set by evaluation marks from the experts after the development of the playbook is completed (Narula: [0049]-[0051] Provides for a learning mechanism that captures the security actions rendered by expert analysts and uses them to generate workflows for similar incidents, such that the reward function is set to favor reproducing the expert-rendered countermeasures during development of the playbook; Narula: [0045], [0046], [0063-0065], [0081], [0072]-[0076] further provides for adjusting the playbook scores based on analyst acceptance and evaluation after the workflow is generated., the reward function being set by evaluation marks from the experts after development of the playbook is completed.)
Wherein when the generated playbook fails to pass the verification, the generated playbook is manually adjusted based on the similarity and the connectivity used to verify the effectiveness (Narula: [0045], [0046], [0063-0065], [0081], [0072]-[0076] Provides for manually adjusting/revising the recommended workflow by the analyst when the recommended flow is rejected or deviated.) It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Forte in view of Oliveira, which provides a system for generating, verifying, and executing cybersecurity playbooks, with the teachings of Narula, which introduces specific methods for extracting, ordering, and organizing countermeasure components to generate playbook templates. One of ordinary skill in the art would recognize the ability to incorporate Narula's structured playbook generation approach into the combined system to enhance the quality and effectiveness of automatically generated playbooks. One of ordinary skill in the art would be motivated to make this modification in order to create more effective and practical playbooks by leveraging historical countermeasure data, ensure logical and efficient ordering of security response actions.
Forte in view of Oliveira in further view of Narula does not explicitly teach analyzing connectivity among the extracted components based on graph theory and generates a component set including the component based on the analyzed connectivity. However, Crabtree discloses:
Analyze connectivity among the extracted components based on graph theory and generate a component set including the component based on the analyzed connectivity (Crabtree: [0055]-[0065] Provides for using directed graphs (graph theory) to model the networked system and analyze connectivity between components.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Forte in view of Oliveira and Narula, which together provide a system for generating, verifying, and organizing cybersecurity playbooks based on historical data, with the teachings of Crabtree, which introduces the use of graph theory to analyze connectivity among components. One of ordinary skill in the art would recognize the ability to incorporate Crabtree's graph-based analysis into the combined system to better understand relationships between different security actions. One of ordinary skill in the art would be motivated to make this modification in order to improve understanding of dependencies and relationships between different security actions.
Forte in view of Oliveira in view of Narula in view of Crabtree do not explicitly disclose verifying the effectiveness of playbooks by generating graphs of the generated playbook and the model playbook and analyzing the similarity between the first and second graphs. However, Chen discloses: Wherein the playbook verification and management module is configured to decide whether the effectiveness passes verification through an analysis on similarity between the generated playbook, and a model playbook and an analysis on effectiveness of component execution in the generated playbook (Chen: [0040]-[0046] Provides for compares user-customized workflows against model workflows using similarity analysis. The comparison determines differences between generated and model workflows.)
Wherein, in order to verify the effectiveness of the generated playbook using the analysis on the similarity,, the playbook verification and management module is further configured to: Receive the generated playbook from the playbook automatic-generation module (Chen: [0023] and [0040]-[0046] Provides for receiving user-customized workflow data.)
Prepare a first graph of the generated playbook, wherein the first graph displays the components to be executed which are inked in the decided order (Chen: [0035]-[0040] Fig.6 and Fig.7 Provides for creating graphical representations (flowcharts) of workflows showing components (phases) and their execution order (transitions/connectivity)
Select the model playbook generated by experts from the playbook database and prepare a second graph of the selected model playbook (Chen: [0013], [0023] and [0036]-[0038] provides for selecting model workflows (provided by vendors, analogous to experts) from a data source/database and displays them graphically as flowcharts showing components and connectivity.)
Analyze similarity between the first and second graphs (Chen: [0046]-[0053] and FIG. 7 Provides for analyzing similarity between user-customized and model workflows using quantitative measures.)
Wherein in order to verify the effectiveness of the generated playbook using the analysis on the effectiveness of the component execution, the playbook verification and management module is further configured to: analyze types of inputs and outputs of the components in the generated playbook (Chen: [0026]-[0040] and Fig. 6 Provides for representing each component (phase) of the workflow together with its associated transitions, wherein the transitions characterize the inputs and outputs by which one phase connects to another phase.)
Determine connectivity between the inputs and the outputs of the components in the generated playbook by determining whether an output value of one component can be provided as an input value to another connected component (Chen: [0028]-[0029], [0035]-[0040], [0046]-[0053] and Fig. 6 and Fig. 7 Provides for directed transitions linking one phase to a succeeding phase, wherein a directed transition represents that an output of a preceding component is provided to the succeeding connected component, such that the connectivity between the inputs and outputs of the components is determined from the graphical representation.)
Confirm the connectivity and the component execution by actually executing the components (Chen: [0029], [0040]-[0046] and [0058] Provides for executing the user-customized workflow and comparing the executed workflow against the model workflow, thereby confirming the connectivity and the execution of the components.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Forte in view of Oliveira, Narula, and Crabtree, which together provide a comprehensive system for generating, verifying, and organizing cybersecurity playbooks using historical data and graph-based connectivity analysis, with the teachings of Chen, which introduces graphical similarity analysis between generated and model playbooks for effectiveness verification. One of ordinary skill in the art would recognize the ability to incorporate Chen's graph-based comparison methodology into the combined playbook verification system to provide objective, quantifiable measures of playbook quality. One of ordinary skill in the art would be motivated to make this modification in order to enhance playbook verification by providing systematic comparison between automatically generated and expert-created playbooks. Forte in view of Oliveira in view of Narula in view of Crabtree in view of Chen do not explicitly disclose performing a MITRE framework analysis on the identified threatening factor, provide an attack method and a defense method mapped with the threatening factor through the MITRE framework analysis, and generate a most suitable countermeasure from the attack and defense methods by applying the TTP information. However, Boteanu discloses: Perform a MITRE framework analysis on the identified threatening factor, provide an attack method and a defense method mapped with the threatening factor through the MITRE framework analysis, and generate a most suitable countermeasure from the attack and defense methods by applying the TTP information (Boteanu: Col. 7 Lines 39-51 Provides for using the MITRE ATT&CK framework for threat analysis and TTP information, which framework maps adversary tactics and techniques (attack methods) to corresponding mitigations (defense methods) and provides a countermeasure for the identified threatening factor.)
In reference to claim 4, The system of claim 1, wherein to reinforce the generated playbook the playbook automatic-generation module is further configured to: receive a result of executing the playbook from a data integration management system (Narula: [0026] and [0043]-[0044] Provides for collect execution results to inform future recommendations, showing a feedback mechanism.)
Extract a reinforcement learning feature from the result of executing the playbook (Narula: [0050] and [0076]-[0077] Provides for extracting features from execution results.)
Perform evaluation on the playbook based on the extracted reinforcement learning feature (Narula: [0050] and [0072]-[0076] Provides for evaluating playbooks based on analyst feedback and updating their scores accordingly.)
Decide whether or not to apply reinforcement learning based on a result of evaluating the playbook (Narula: [0072]-[0076] Provides for a decision point for whether to apply additional learning based on evaluation results.)
Adjust the playbook by applying a reward function when the reinforcement learning is decided to be applied (Narula: [0072]-[0076] Provides for adjusting playbook scores (increasing them) when accepted.)
Generate an adaptable playbook via a reinforcement learning process when the reinforcement learning is decided not to be applied (Narula: [0072]-[0076] Provides for generating revised playbooks when deviations occur.)
In reference to claim 6, The system of claim 1, wherein the playbook execution module is configured to: generate materialized information on a playbook execution process (Forte: [0050] Provides for saving performances measurements and playbooks played for each incident. ) Transmit a result of matching the corresponding playbook with the detected event to a decision-making support system and Transmit a result of executing the playbook to the data integration management system (Forte: [0126] Provides for transmitting proposed actions for incidents.)
In reference to claim 7, The system of claim 1, wherein the playbook execution is further configured to: module request decision-making support system to select an event to be preferentially processed among events which are ready for analysis when the components in the playbook cease to operate (Oliveira: [0021] Provides for prioritizing certain responses.) Request the decision-making support system to render a most suitable countermeasure, when countermeasures for a certain event are different with regard to different target to be protected (Oliveira: [0083] Provides for determining the best next action based on reinforcement learning.)
In reference to claim 8, The system of claim 1, wherein the playbook execution module is further configured to: request a security threat automatic-response system to apply a security policy when it is necessary to apply the security policy (Forte: [0161] Provides for automated execution of workflows.)
In reference to claim 9, The system of claim 1, wherein the playbook execution module is further configured to: request decision-making support system to render a most suitable countermeasure, and to transmit a result of executing the playbook to a data integration management system (Forte: [0082] Provides for recommending actions and records the results of incident response.)
In reference to claim 10, A method of automatizing a threat analysis based on artificial intelligence, the method comprising: generating a playbook for counteracting a threat based on a template by utilizing an artificial learning model (Forte: [0005], [0019] and [0080] Provides for a system that automates threat analysis using artificial intelligence (machine learning) to generate custom playbooks based on based on templates and historical incidents.)
A playbook database configured to be connected to the playbook verification and management module and to save the playbook (Forte: [0048]-[0050] Provides for databases used to store playbooks and related data. Verified playbooks are saved and used for future incident responses.) A playbook execution module configured to be connected to the playbook database and to select and automatically execute a corresponding playbook for to a detected event from the playbook database (Forte: [0020], [0125] and [0161] Provides for the incident response platform automatically presents and can execute playbooks corresponding to detected incidents.) Wherein to generate the playbook, the playbook automatic-generation module is further configured to: receive cyber threat intelligence (CTI) information from a data integration management system (Forte: [0002]-[0003] Provides for cybersecurity incident response systems receiving incident-related information.)
Extract TTP information from the CTI information (Forte: [0012] Provides for the system's ability to consider CEF fields, which describe artifacts inside incidents.)
Identify a threatening factor by applying the extracted TTP information to a network to be protected (Forte: [0012] Provides for applying the considered fields describing incident artifacts to identify threatening factors against the protected system.)
Generate the playbook based on the playbook template through a connection with the TTP information (Forte: [0091] Provides that the system generates playbooks based on recommended actions connected to the threat information.) Although Forte teaches a system for managing and improving playbooks based on user feedback (Forte, [0006]) Forte does not explicitly mention a verification module and wherein the playbook saved to the playbook database was verified. However, Oliveira Teaches:
A playbook verification and management module configured to be connected to the playbook automatic-generation module and to verify effectiveness of the playbook generated by the playbook automatic-generation module (Oliveira: [0023] and [0065]-[0066] Provides for reward-based reinforcement learning for verifying effectiveness of responses. Oliveira [0082]-[0087] further provides for a reward function for the selection of inputs (solutions).)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Forte, which teaches a system for generating and managing playbooks for cybersecurity incident response, including a method for improving playbooks based on user feedback, with the teachings of Oliveira, which discloses a system that uses reinforcement learning to verify and improve the effectiveness of cybersecurity responses through a reward-based methodology. One of ordinary skill in the art would recognize the ability to incorporate Oliveira's reinforcement learning and reward-based verification method into Forte's playbook verification and management module. One of ordinary skill in the art would be motivated to make this modification in order to enhance the effectiveness of the playbooks by automatically verifying and improving their performance based on real-world outcomes, thereby creating a more adaptive cybersecurity response system that can continuously learn from attack patterns.
Forte in view of Oliveira does not explicitly teach what the playbook automatic-generation module is configured to do. However Narula discloses:
Wherein the playbook automatic-generation module is configured to: receive countermeasure history data inputted by a controller, as playbook generation information (Narula: [0032]-[0041] Provides for receiving historical data about countermeasures (security actions taken by analysts) through a controller (enforcement engine), which is then used as generation information for future recommendations.)
Extract counteractions for removing the threat from the countermeasure history data as components (Narula: [0032]-[0042] Provides for extracting specific actions (components) from the historical data that were used to address threats.)
Decide order of the components based reinforcement learning (Narula: [0041]-[0050] Provides for using machine learning to determine the sequence of steps in a workflow.)
Generate a playbook template which is a general procedure for counteracting the threat, by arranging the components according to the decided order of the components (Narula: [0039]-[0048] Provides for generating a recommended sequence (general procedure) by arranging components (actions) in a specific order to address security threats.)
Generate the playbook based on the playbook template (Narula: [0044] and [0068] Provides for generating a playbook based on the recommended sequence, which functions as a template for future incidents.)
Wherein to decide the order of the components the playbook automatic-generation module is further configured to apply a reward function generated by the reinforcement learning, which is set to copy existing countermeasures rendered by the experts during development of the playbook and is set by evaluation marks from the experts after the development of the playbook is completed (Narula: [0049]-[0051] Provides for a learning mechanism that captures the security actions rendered by expert analysts and uses them to generate workflows for similar incidents, such that the reward function is set to favor reproducing the expert-rendered countermeasures during development of the playbook; Narula: [0045], [0046], [0063-0065], [0081], [0072]-[0076] further provides for adjusting the playbook scores based on analyst acceptance and evaluation after the workflow is generated., the reward function being set by evaluation marks from the experts after development of the playbook is completed.)
Wherein when the generated playbook fails to pass the verification, the generated playbook is manually adjusted based on the similarity and the connectivity used to verify the effectiveness (Narula: [0045], [0046], [0063-0065], [0081], [0072]-[0076] Provides for manually adjusting/revising the recommended workflow by the analyst when the recommended flow is rejected or deviated.) It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Forte in view of Oliveira, which provides a system for generating, verifying, and executing cybersecurity playbooks, with the teachings of Narula, which introduces specific methods for extracting, ordering, and organizing countermeasure components to generate playbook templates. One of ordinary skill in the art would recognize the ability to incorporate Narula's structured playbook generation approach into the combined system to enhance the quality and effectiveness of automatically generated playbooks. One of ordinary skill in the art would be motivated to make this modification in order to create more effective and practical playbooks by leveraging historical countermeasure data, ensure logical and efficient ordering of security response actions.
Forte in view of Oliveira in further view of Narula does not explicitly teach analyzing connectivity among the extracted components based on graph theory and generates a component set including the component based on the analyzed connectivity. However, Crabtree discloses:
Analyze connectivity among the extracted components based on graph theory and generate a component set including the component based on the analyzed connectivity (Crabtree: [0055]-[0065] Provides for using directed graphs (graph theory) to model the networked system and analyze connectivity between components.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Forte in view of Oliveira and Narula, which together provide a system for generating, verifying, and organizing cybersecurity playbooks based on historical data, with the teachings of Crabtree, which introduces the use of graph theory to analyze connectivity among components. One of ordinary skill in the art would recognize the ability to incorporate Crabtree's graph-based analysis into the combined system to better understand relationships between different security actions. One of ordinary skill in the art would be motivated to make this modification in order to improve understanding of dependencies and relationships between different security actions.
Forte in view of Oliveira in view of Narula in view of Crabtree do not explicitly disclose verifying the effectiveness of playbooks by generating graphs of the generated playbook and the model playbook and analyzing the similarity between the first and second graphs. However, Chen discloses: Wherein the playbook verification and management module is configured to decide whether the effectiveness passes verification through an analysis on similarity between the generated playbook, and a model playbook and an analysis on effectiveness of component execution in the generated playbook (Chen: [0040]-[0046] Provides for compares user-customized workflows against model workflows using similarity analysis. The comparison determines differences between generated and model workflows.)
Wherein, in order to verify the effectiveness of the generated playbook using the analysis on the similarity,, the playbook verification and management module is further configured to: Receive the generated playbook from the playbook automatic-generation module (Chen: [0023] and [0040]-[0046] Provides for receiving user-customized workflow data.)
Prepare a first graph of the generated playbook, wherein the first graph displays the components to be executed which are inked in the decided order (Chen: [0035]-[0040] Fig.6 and Fig.7 Provides for creating graphical representations (flowcharts) of workflows showing components (phases) and their execution order (transitions/connectivity)
Select the model playbook generated by experts from the playbook database and prepare a second graph of the selected model playbook (Chen: [0013], [0023] and [0036]-[0038] provides for selecting model workflows (provided by vendors, analogous to experts) from a data source/database and displays them graphically as flowcharts showing components and connectivity.)
Analyze similarity between the first and second graphs (Chen: [0046]-[0053] and FIG. 7 Provides for analyzing similarity between user-customized and model workflows using quantitative measures.)
Wherein in order to verify the effectiveness of the generated playbook using the analysis on the effectiveness of the component execution, the playbook verification and management module is further configured to: analyze types of inputs and outputs of the components in the generated playbook (Chen: [0026]-[0040] and Fig. 6 Provides for representing each component (phase) of the workflow together with its associated transitions, wherein the transitions characterize the inputs and outputs by which one phase connects to another phase.)
Determine connectivity between the inputs and the outputs of the components in the generated playbook by determining whether an output value of one component can be provided as an input value to another connected component (Chen: [0028]-[0029], [0035]-[0040], [0046]-[0053] and Fig. 6 and Fig. 7 Provides for directed transitions linking one phase to a succeeding phase, wherein a directed transition represents that an output of a preceding component is provided to the succeeding connected component, such that the connectivity between the inputs and outputs of the components is determined from the graphical representation.)
Confirm the connectivity and the component execution by actually executing the components (Chen: [0029], [0040]-[0046] and [0058] Provides for executing the user-customized workflow and comparing the executed workflow against the model workflow, thereby confirming the connectivity and the execution of the components.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Forte in view of Oliveira, Narula, and Crabtree, which together provide a comprehensive system for generating, verifying, and organizing cybersecurity playbooks using historical data and graph-based connectivity analysis, with the teachings of Chen, which introduces graphical similarity analysis between generated and model playbooks for effectiveness verification. One of ordinary skill in the art would recognize the ability to incorporate Chen's graph-based comparison methodology into the combined playbook verification system to provide objective, quantifiable measures of playbook quality. One of ordinary skill in the art would be motivated to make this modification in order to enhance playbook verification by providing systematic comparison between automatically generated and expert-created playbooks. Forte in view of Oliveira in view of Narula in view of Crabtree in view of Chen do not explicitly disclose performing a MITRE framework analysis on the identified threatening factor, provide an attack method and a defense method mapped with the threatening factor through the MITRE framework analysis, and generate a most suitable countermeasure from the attack and defense methods by applying the TTP information. However, Boteanu discloses: Perform a MITRE framework analysis on the identified threatening factor, provide an attack method and a defense method mapped with the threatening factor through the MITRE framework analysis, and generate a most suitable countermeasure from the attack and defense methods by applying the TTP information (Boteanu: Col. 7 Lines 39-51 Provides for using the MITRE ATT&CK framework for threat analysis and TTP information, which framework maps adversary tactics and techniques (attack methods) to corresponding mitigations (defense methods) and provides a countermeasure for the identified threatening factor.)
In reference to claim 13, The method of claim 10, wherein to reinforce the generated playbook, the generating of the playbook further includes: receiving a result of executing the playbook from a data integration management system (Narula: [0026] and [0043]-[0044] Provides for collect execution results to inform future recommendations, showing a feedback mechanism.)
Extracting a reinforcement learning feature from the result of executing the playbook (Narula: [0050] and [0076]-[0077] Provides for extracting features from execution results.)
Performing evaluation on the playbook based on the extracted reinforcement learning feature (Narula: [0050] and [0072]-[0076] Provides for evaluating playbooks based on analyst feedback and updating their scores accordingly.)
Deciding whether or not to apply reinforcement learning based on a result of evaluating the playbook (Narula: [0072]-[0076] Provides for a decision point for whether to apply additional learning based on evaluation results.)
Adjusting the playbook by applying a reward function when the reinforcement learning is decided to be applied (Narula: [0072]-[0076] Provides for adjusting playbook scores (increasing them) when accepted.)
Generating an adaptable playbook via a reinforcement learning process when the reinforcement learning is decided not to be applied (Narula: [0072]-[0076] Provides for generating revised playbooks when deviations occur.)
In reference to claim 15, The method of claim 10, wherein the automatically executing of the playbook includes: generating materialized information about a process of executing the playbook (Forte: [0050] Provides for saving performances measurements and playbooks played for each incident.) transmitting a result of matching the corresponding playbook with the detected event to a decision-making support system and transmitting a result of playbook execution to the data integration management system (Forte: [0126] Provides for transmitting proposed actions for incidents.)
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See PTO-892.
Applicant’s amendment necessitated the new ground(s) of rejection presented in this office action. Accordingly, THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to AIDAN EDWARD SHAUGHNESSY whose telephone number is (703)756-1423. The examiner can normally be reached on Monday-Friday from 7:30am to 5pm.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Nickerson, can be reached at telephone number (469) 295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from Patent Center and the Private Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from Patent Center or Private PAIR. Status information for unpublished applications is available through Patent Center and Private PAIR for authorized users only. Should you have questions about access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) Form at https://www.uspto.gov/patents/usptoautomated-interview-request-air-form.
/A.E.S./Examiner, Art Unit 2432
/Jeffrey Nickerson/Supervisory Patent Examiner, Art Unit 2432