Prosecution Insights
Last updated: May 29, 2026
Application No. 18/018,794

STRUCTURED DATA DISCOVERY AND CRYPTOGRAPHIC ANALYSIS

Non-Final OA: §103, §112
Filed: Jan 30, 2023
Priority: Jul 28, 2020 — provisional 63/057,616 +1 more
Examiner: VU, TAYLOR P
Art Unit: 2437
Tech Center: 2400 — Computer Networks
Assignee: Ipivot Corp.
OA Round: 4 (Non-Final)
Grant Probability: 76% (Favorable)
OA Rounds: 4-5
Est. Remaining: 0m
With Interview: 89%

Examiner Intelligence

Grants 76% — above average
Career Allowance Rate: 76% (22 granted / 29 resolved), +17.9% vs TC avg
Interview Lift: +13.3% (Moderate +13% lift; resolved cases with interview)
Typical timeline
Avg Prosecution: 3y 3m (17 currently pending)
Career history
Total Applications: 57 (across all art units)

Statute-Specific Performance

§101: 0.6% (-39.4% vs TC avg)
§103: 97.7% (+57.7% vs TC avg)
§112: 1.8% (-38.2% vs TC avg)
Based on career data from 29 resolved cases

Office Action

§103 §112
DETAILED ACTION

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114

A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 01/09/2026 has been entered.

Response to Arguments

The office action is in response to the applicant’s filing of a Remarks on 01/09/2026. Claims 1, 15, and 19-21 have been amended, and claim 14 has been cancelled. Claims 16 and 17 have been previously cancelled. Claims 1-13, 15, and 18-21 are currently pending.

Applicant’s amendments and arguments with respect to claims 1, 19, 20, and 21 with regard to 35 USC 103 under Yadav et al. (US PGPub No. 20160359872-A1) in view of Savchuk et al. (US PGPub No. 20150264072-A1), Woodford et al. (US PGPub No. 20190260794-A1), Mantripragada et al. (US Pat No. 8730946-B2), and Gilley et al. (US PGPub No. 20170093700-A1) have been fully considered and are persuasive, specifically to the amended limitation. Therefore, the rejection has been withdrawn. However, upon further consideration, a new ground of rejection is made in view of Varsanyi et al. (US PGPub No. 20140201838-A1). The office action has been updated reflecting the claims as currently presented.

Claim Rejections - 35 USC § 112

The following is a quotation of the first paragraph of 35 U.S.C. 112(a):

(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112:

The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 1-13, 15, 18-21 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.

Claims 1, 19, 20, and 21 include the limitation of “…apply one or more analytic models to the data model…”. The analytic models were never further defined within the Specification. ¶0072 only discloses wherein “an analytic model 360 that identifies a particular behavior in data model 350 may also be referred to herein as a "behavioral" model. An analytic model 360 may comprise an algorithm, including potentially a machine-learning or other artificial intelligence (AI) algorithm, a ruleset, and/or any other set of instructions that analyzes some aspect of data model 350.” Merely invoking AI, ML, or analytics without disclosing implementation details is insufficient to demonstrate possession of the invention. Further, ¶0133-0184 do not provide sufficient details on how the analytic models identify structured data stores or detect an attack. The specification does not provide a specific algorithm, training data, model architecture, features used, thresholds, detection logic, ruleset contents or even how to create/configure such a model.

Claims 2-18 do not overcome the rejection of their respective base claims that have been rejected above, and are therefore rejected under the same grounds provided to claim 1.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Claims 1, 2, 12, 15, and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Varsanyi et al. (US PGPub No. 20140201838-A1) in view of Savchuk et al. (US PGPub No. 20150264072-A1), Woodford et al. (US PGPub No. 20190260794-A1), Mantripragada et al. (US Pat No. 8730946-B2), and Gilley et al. (US PGPub No. 20170093700-A1).

With respect to claim 1, Varsanyi teaches a method comprising using at least one hardware processor to: (Abstract: Systems, methods, and computer-readable media for detecting threats on a network. In an embodiment, target network traffic being transmitted between two or more hosts is captured. The target network traffic comprises a plurality of packets, which are assembled into one or more messages. The assembled message(s) may be parsed to generate a semantic model of the target network traffic. The semantic model may comprise representation(s) of operation(s) or event(s) represented by the message(s). ¶0017-0018: In another embodiment, a system for detecting threats on a network is disclosed. The system comprises: at least one hardware processor;);

receive a plurality of transport sessions that have been assembled from captured raw packets being transmitted in a network; (¶0155: The disclosed systems are limited to analyzing traffic and building models for a single pair of network agents. Rather, the systems and methods are able to simultaneously monitor many session between many pairs of network agents. Furthermore, traffic may be captured simultaneously from a plurality of capture mechanism in real time or from play-back. The system methods may differentiate between network agents based on transport addresses, as well as other attributes, such as MAC addresses, IP addresses, TCP port numbers, VLAN tags, application-layer-specific identifiers (e.g., service name, SID for Oracle™ protocols, etc.), and/or physical ingress port tags.);

incorporate the extracted data into a data model of the network, wherein the data model comprises tallies of traffic within the network grouped according to a plurality of dimensions, (¶0375-0384: Figure 13 illustrates a diagram of a system for monitoring traffic for potential attacks. In an embodiment, tally system 1345 keeps summary for all traffic aligned, for example, on five-minute boundaries. This summary data can be used to create summaries of traffic for learning system 1360 (data model of the network), outputting interfaces 1395. In an embodiment, operations and events can be grouped together in tally groups (plurality of dimensions) based on one or more the following: (1) SQL template identifier from the feed. (2) time identifier, which is a five-minute span (or other predetermined time span) identified by how many five-minute time periods (or time periods of another predetermined time length) had occurred between a certain time (e.g., Dec. 31, 1969 Universal Coordinate Time (UTC)) and the time in question. (3) user identifier from a session login record.);

wherein each of at least a subset of the tallies of traffic represents a database operation; and (¶0393: Figure 19 illustrates inputs to a time-based learning system and a summary of byproducts of learning. In the illustrated embodiment, log module 1350 receives binds, literals, and execution details (e.g., from feed 1315) by time (i.e., for one or more time spans), and tally module receives statements (e.g., SQL statements) by time. Log module 1350 and tally module 1345 then pass output data (e.g., summary data 1355) to a learning manager 1368 of learning system 1360. Further, ¶0177 demonstrates: Events represented in the semantic traffic model are passed by semantic traffic model generator 1315 through a language processing module 1325 (also referred to herein as a "language system") that extracts lexical, syntactic, and semantic data from the provided database operations (e.g., SQL statements) using lexical analysis module 1330, syntactic analysis module 1335, and semantic analysis module 1340, respectively, each of which may be integral or external to language system 1325.);

Varsanyi does not disclose: for each of the plurality of transport sessions, extract data from each of two or more encapsulation layers in a payload of the transport session;

However, Savchuk teaches for each of the plurality of transport sessions, extract data from each of two or more encapsulation layers in a payload of the transport session; (¶0035: As illustrated in Figure 1, packets are captured (102) from a network. The packet types are determined (104) and the packets are decoded in block 106. The system may be suitable for a variety of applications, for example, accessing all layers of network traffic including the content of TCP/IP and UDP data exchanges. Packet type information and the decoded packets are sent to block 108 for session reassembly. Next, layered session decoding is performed in block 110. Block 110 may also accept captured (112) data from SMTP mail hub, or Web proxy servers. Metadata is extracted in block 114 in accordance with a configuration profile (116) using the layered session decoding information and layered packet decoding information.);

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Savchuk of extracting data from each of two or more encapsulation layers in a payload of the transport session to the method of Varsanyi in order to provide advanced threat detection on network and better analyze real-time network traffic (Savchuk: ¶0008 ¶0030-0032).

Varsanyi in view of Savchuk does not disclose: apply one or more analytic models to the data model, wherein at least one of the one or more analytic models utilizes the tallies of traffic to identify structured data stores within the network,

However, Woodford teaches apply one or more analytic models to the data model, wherein at least one of the one or more analytic models utilizes the tallies of traffic to identify structured data stores within the network, (¶0057-0058: In addition, the one or more machine learning models can use the comparison of i) the normal pattern of life for that system corresponding to the historical normal distribution of alerts and events for that system mapped out in the same multiple dimension space to ii) the current chain of individual alerts and events behavior under analysis. The plotting and comparison are a way to filter out what is normal for that system and then be able to focus the analysis on what is abnormal or unusual for that system. Then for each hypothesis of what could be happening with the chain of unusual events or alerts, the gather module may gather additional metrics from the data store including the pool of metrics originally considered ‘normal behavior’ to support or refute each possible hypothesis of what could be happening with this chain of unusual behavior under analysis.).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Woodford of the analytic models to the method of Varsanyi in view of Savchuk in order to prevent malware (e.g., virus) from roaming and attacking the network by damaging or stealing sensitive data (Woodford: ¶0006).

Varsanyi in view of Savchuk and Woodford does not disclose: wherein the one or more analytic models are applied to the data model in real time to either detect an attack in progress within at least one of the plurality of transport sessions, in which case the method further comprises using the at least one hardware processor to block or redirect the attack, or detect a violation of a network-level policy within a connection of at least one of the plurality of transport sessions, in which case the method further comprises using the at least one hardware processor to block or proxy the connection.

However, Mantripragada teaches wherein the one or more analytic models are applied to the data model in real time to either detect an attack in progress within at least one of the plurality of transport sessions, (¶0051-0052: Figure 5 illustrates a block diagram of an exemplary behavioral learning system 500 which contains four analysis modules: traffic analysis module 511, content analysis module 512, structural analysis module 513, and behavioral analysis module 514. Behavioral learning system 500 inspects untrusted flow streams 501 including transport streams 501a and application streams 501a and application streams 501b using combination of the following inspection methods. Positive flow model inspection 531 determines whether an incoming untrusted flow stream 501 corresponds to a positive flow model. Positive flow models of various applications on which behavioral learning system 500 operates define legitimate flow streams to distinguish them from potential attacks or bad behaviors.) in which case the method further comprises using the at least one hardware processor (¶0130: Figure 8 illustrates an exemplary computer architecture 800 for use with the present system, according to one embodiment. Computer architecture 800 can be used to implement a UCTM system 105 with all or a part of the components shown in FIG. 8. One embodiment of architecture 800 comprises a system bus 820 for communicating information, and a processor 810 coupled to bus 820 for processing information. Architecture 800 further comprises a random access memory (RAM) or other dynamic storage device 825 (referred to herein as main memory), coupled to bus 820 for storing information and instructions to be executed by processor 810.) to block or redirect the attack, or detect a violation of a network-level policy within a connection of at least one of the plurality of transport sessions, (¶0063: According to one embodiment, behavior analysis module 514 includes session controller 541 and global controller 542. Session controller 541 is responsible for maintaining, updating, purging, and retrieving session AOR records to ensure that the memory and performance characteristics are observed. Session controller 541 is also responsible for blocking replay, hijacking, manipulation, and tampering or poisoning of a session such that the AOR session tables created by structural analysis module 513 are preserved in pristine order.).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Mantripragada of the analytic models to the method of Varsanyi in view of Savchuk and Woodford in order to offer real-time responses to security threats and better security and reliability (Mantripragada ¶0007-0011).

Varsanyi in view of Savchuk, Woodford, and Mantripragada does not disclose: in which case the method further comprises using the at least one hardware processor to block or proxy the connection.

However, Gilley teaches in which case the method further comprises using the at least one hardware processor (¶0054: DSE includes utility programs to manage its infrastructure, relieving programs, of the need to manage infrastructure. The utility programs serve to schedule other programs, authorize programs to use resources such as real-time distributed data and/or stored data, filter data prior to distributing it, route data, provision DSE such as with more processors or memory, manage provisioned resources such as deleting unused or under-utilized resources, provide a user interface so that humans or programs can query the resources of DSE, manage the configuration of DSE such as distributing workload across different data centers, and encapsulate data and functions as appropriate.) to block or proxy the connection. (¶0145: As seen in Figure 7B, if the authentication fails, at step 652, auth service 144 closes the connection, asymmetrically disconnecting the unauthorized application from DSE 100A and preventing further access from that connection to help block a denial-of-service attack, or similar.).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Gilley of blocking or proxying the connection to the method of Varsanyi in view of Savchuk, Woodford, and Mantripragada in order to prevent further access from that connection and to help block a denial-of-service attack (Gilley ¶0145).

With respect to claim 2, the combination of Varsanyi in view of Savchuk, Woodford, Mantripragada, and Gilley teaches the method of claim 1 (see rejection of claim 1 above) wherein extracting data from each of two or more encapsulation layers comprises, (Savchuk: ¶0035: As seen in Figure 1, the packet types are determined (104) and the packets are decoded in block 106. The system may be suitable for a variety of applications, for example, accessing all layers of network traffic including the content of TCP/IP and UDP data exchanges.); for each of the two or more encapsulation layers: classifying the encapsulation layer into a protocol; and extracting the data from the encapsulation layer based on the protocol. (Savchuk ¶0036: The system 100 digs deep (classifying) into every network exchange and decodes application protocols and file formats while they are in progress from off-line source. The system 100 typically stores (120) the metadata information about each network exchange. In addition to the common session attributes like IP addresses and ports, the system is capable of extracting all the application protocols used, IP tunneling if used, user names, file names, HTTP referrers and request URLS, server return codes and so on, as specified in the user configuration. Non-session based protocols like DNS are decoded on per-packet basis and the metadata is sent for storage similar to the session-based protocols.)

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Savchuk of extracting data from each of two or more encapsulation layers in a payload of the transport session to the method of Varsanyi in view of Woodford, Mantripragada, and Gilley in order to provide advanced threat detection on network and better analyze real-time network traffic (Savchuk: ¶0008 ¶0030-0032).

With respect to claim 12, the combination of Varsanyi in view of Savchuk, Woodford, Mantripragada, and Gilley teaches the method of claim 1 (see rejection of claim 1 above) wherein incorporating the extracted data into the data model comprises folding the extracted data into the data model according to the plurality of dimensions, wherein one of the plurality of dimensions is a time bucket representing a time span. (Varsanyi ¶0375-0378: Figure 13 shows the tally system 1345 keeps summary data for all traffic aligned, for example, on five-minute boundaries (or some other boundary duration). In an embodiment, operations and events can be grouped together in tally groups based on one or more of the following: (2) time identifier, which is a five-minute span (or other predetermined time span) identified by how many five-minute time periods (or time periods of another predetermined time length) had occurred between a certain time (e.g., Dec. 31, 1969 Universal Coordinate Time (UTC)) and the time in question.).

With respect to claim 15, the combination of Varsanyi in view of Savchuk, Woodford, Mantripragada, and Gilley teaches the method of claim 1 (see rejection of claim 1 above), wherein the database operations comprises a Structured Query Language (SQL) or a remote procedure call (RPC). (Varsanyi: ¶0177: Events represented in the semantic traffic model are passed by semantic traffic model generator 1315 through a language processing module 1325 (also referred to herein as a "language system") that extracts lexical, syntactic, and semantic data from the provided database operations (e.g., SQL statements) using lexical analysis module 1330, syntactic analysis module 1335, and semantic analysis module 1340, respectively, each of which may be integral or external to language system 1325.).

With respect to claim 19, Varsanyi teaches a system comprising: at least one hardware processor; and one or more software modules that are configured to, when executed by the at least one hardware processor, (Abstract: Systems, methods, and computer-readable media for detecting threats on a network. In an embodiment, target network traffic being transmitted between two or more hosts is captured. The target network traffic comprises a plurality of packets, which are assembled into one or more messages. The assembled message(s) may be parsed to generate a semantic model of the target network traffic. The semantic model may comprise representation(s) of operation(s) or event(s) represented by the message(s). ¶0017-0018: In another embodiment, a system for detecting threats on a network is disclosed. The system comprises: at least one hardware processor;);

receive a plurality of transport sessions that have been assembled from captured raw packets being transmitted in a network, (¶0155: The disclosed systems are limited to analyzing traffic and building models for a single pair of network agents. Rather, the systems and methods are able to simultaneously monitor many session between many pairs of network agents. Furthermore, traffic may be captured simultaneously from a plurality of capture mechanism in real time or from play-back. The system methods may differentiate between network agents based on transport addresses, as well as other attributes, such as MAC addresses, IP addresses, TCP port numbers, VLAN tags, application-layer-specific identifiers (e.g., service name, SID for Oracle™ protocols, etc.), and/or physical ingress port tags.);

incorporate the extracted data into a data model of the network, wherein the data model comprises tallies of traffic within the network grouped according to a plurality of dimensions, (¶0375-0384: Figure 13 illustrates a diagram of a system for monitoring traffic for potential attacks. In an embodiment, tally system 1345 keeps summary for all traffic aligned, for example, on five-minute boundaries. This summary data can be used to create summaries of traffic for learning system 1360 (data model of the network), outputting interfaces 1395. In an embodiment, operations and events can be grouped together in tally groups (plurality of dimensions) based on one or more the following: (1) SQL template identifier from the feed. (2) time identifier, which is a five-minute span (or other predetermined time span) identified by how many five-minute time periods (or time periods of another predetermined time length) had occurred between a certain time (e.g., Dec. 31, 1969 Universal Coordinate Time (UTC)) and the time in question. (3) user identifier from a session login record.);

wherein each of at least a subset of the tallies of traffic represents a database operation, and (¶0393: Figure 19 illustrates inputs to a time-based learning system and a summary of byproducts of learning. In the illustrated embodiment, log module 1350 receives binds, literals, and execution details (e.g., from feed 1315) by time (i.e., for one or more time spans), and tally module receives statements (e.g., SQL statements) by time. Log module 1350 and tally module 1345 then pass output data (e.g., summary data 1355) to a learning manager 1368 of learning system 1360. Further, ¶0177 demonstrates: Events represented in the semantic traffic model are passed by semantic traffic model generator 1315 through a language processing module 1325 (also referred to herein as a "language system") that extracts lexical, syntactic, and semantic data from the provided database operations (e.g., SQL statements) using lexical analysis module 1330, syntactic analysis module 1335, and semantic analysis module 1340, respectively, each of which may be integral or external to language system 1325.);

Varsanyi does not disclose: for each of the plurality of transport sessions, extract data from each of two or more encapsulation layers in a payload of the transport session,

However, Savchuk teaches for each of the plurality of transport sessions, extract data from each of two or more encapsulation layers in a payload of the transport session, (¶0035: As illustrated in Figure 1, packets are captured (102) from a network. The packet types are determined (104) and the packets are decoded in block 106. The system may be suitable for a variety of applications, for example, accessing all layers of network traffic including the content of TCP/IP and UDP data exchanges. Packet type information and the decoded packets are sent to block 108 for session reassembly. Next, layered session decoding is performed in block 110. Block 110 may also accept captured (112) data from SMTP mail hub, or Web proxy servers. Metadata is extracted in block 114 in accordance with a configuration profile (116) using the layered session decoding information and layered packet decoding information.)

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Savchuk of extracting data from each of two or more encapsulation layers in a payload of the transport session to the method of Varsanyi in order to provide advanced threat detection on network and better analyze real-time network traffic (Savchuk: ¶0008 ¶0030-0032).

Varsanyi in view of Savchuk does not disclose: apply one or more analytic models to the data model, wherein at least one of the one or more analytic models utilizes the tallies of traffic to identify structured data stores within the network,

However, Woodford teaches apply one or more analytic models to the data model, wherein at least one of the one or more analytic models utilizes the tallies of traffic to identify structured data stores within the network, (¶0057-0058: In addition, the one or more machine learning models can use the comparison of i) the normal pattern of life for that system corresponding to the historical normal distribution of alerts and events for that system mapped out in the same multiple dimension space to ii) the current chain of individual alerts and events behavior under analysis. The plotting and comparison are a way to filter out what is normal for that system and then be able to focus the analysis on what is abnormal or unusual for that system. Then for each hypothesis of what could be happening with the chain of unusual events or alerts, the gather module may gather additional metrics from the data store including the pool of metrics originally considered ‘normal behavior’ to support or refute each possible hypothesis of what could be happening with this chain of unusual behavior under analysis.).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Woodford of the analytic models to the method of Varsanyi in view of Savchuk in order to prevent malware (e.g., virus) from roaming and attacking the network by damaging or stealing sensitive data (Woodford: ¶0006).

Varsanyi in view of Savchuk and Woodford does not disclose: wherein the one or more analytic models are applied to the data model in real time to either detect an attack in progress within at least one of the plurality of transport sessions, in which case the one or more software modules are further configured to block or redirect the attack, or detect a violation of a network-level policy within a connection of at least one of the plurality of transport sessions, in which case the one or more software modules are further configured to block or proxy the connection.

However, Mantripragada teaches wherein the one or more analytic models are applied to the data model in real time to either detect an attack in progress within at least one of the plurality of transport sessions, (¶0051-0052: Figure 5 illustrates a block diagram of an exemplary behavioral learning system 500 which contains four analysis modules: traffic analysis module 511, content analysis module 512, structural analysis module 513, and behavioral analysis module 514. Behavioral learning system 500 inspects untrusted flow streams 501 including transport streams 501a and application streams 501a and application streams 501b using combination of the following inspection methods. Positive flow model inspection 531 determines whether an incoming untrusted flow stream 501 corresponds to a positive flow model. Positive flow models of various applications on which behavioral learning system 500 operates define legitimate flow streams to distinguish them from potential attacks or bad behaviors.) in which case the method further comprises using the at least one hardware processor (¶0130: Figure 8 illustrates an exemplary computer architecture 800 for use with the present system, according to one embodiment. Computer architecture 800 can be used to implement a UCTM system 105 with all or a part of the components shown in FIG. 8. One embodiment of architecture 800 comprises a system bus 820 for communicating information, and a processor 810 coupled to bus 820 for processing information. Architecture 800 further comprises a random access memory (RAM) or other dynamic storage device 825 (referred to herein as main memory), coupled to bus 820 for storing information and instructions to be executed by processor 810.) to block or redirect the attack, or detect a violation of a network-level policy within a connection of at least one of the plurality of transport sessions, (¶0063: According to one embodiment, behavior analysis module 514 includes session controller 541 and global controller 542. Session controller 541 is responsible for maintaining, updating, purging, and retrieving session AOR records to ensure that the memory and performance characteristics are observed. Session controller 541 is also responsible for blocking replay, hijacking, manipulation, and tampering or poisoning of a session such that the AOR session tables created by structural analysis module 513 are preserved in pristine order.).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Mantripragada of the analytic models to the method of Varsanyi in view of Savchuk and Woodford in order to offer real-time responses to security threats and better security and reliability (Mantripragada ¶0007-0011). Varsanyi in view of Savchuk, Woodford, and Mantripragada does not disclose: in which case the method further comprises using the at least one hardware processor to block or proxy the connection. However, Gilley teaches in which case the method further comprises using the at least one hardware processor (¶0054: DSE includes utility programs to manage its infrastructure, relieving programs of the need to manage infrastructure. The utility programs serve to schedule other programs, authorize programs to use resources such as real-time distributed data and/or stored data, filter data prior to distributing it, route data, provision DSE such as with more processors or memory, manage provisioned resources such as deleting unused or under-utilized resources, provide a user interface so that humans or programs can query the resources of DSE, manage the configuration of DSE such as distributing workload across different data centers, and encapsulate data and functions as appropriate.) to block or proxy the connection. (¶0145: As seen in Figure 7B, if the authentication fails, at step 652, auth service 144 closes the connection, asymmetrically disconnecting the unauthorized application from DSE 100A and preventing further access from that connection to help block a denial-of-service attack, or similar.). 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Gilley of blocking or proxying the connection to the method of Varsanyi in view of Savchuk, Woodford, and Mantripragada in order to prevent further access from that connection and to help block a denial-of-service attack (Gilley ¶0145). With respect to claim 20, Varsanyi teaches a non-transitory computer-readable medium having instructions stored therein, wherein the instructions, when executed by a processor, cause the processor to: (Abstract: Systems, methods, and computer-readable media for detecting threats on a network. In an embodiment, target network traffic being transmitted between two or more hosts is captured. The target network traffic comprises a plurality of packets, which are assembled into one or more messages. The assembled message(s) may be parsed to generate a semantic model of the target network traffic. The semantic model may comprise representation(s) of operation(s) or event(s) represented by the message(s). ¶0017-0019: In another embodiment, a non-transitory computer-readable medium having one or more instructions stored thereon for detecting threats on a network is disclosed); receive a plurality of transport sessions that have been assembled from captured raw packets being transmitted in a network; (¶0155: The disclosed systems are limited to analyzing traffic and building models for a single pair of network agents. Rather, the systems and methods are able to simultaneously monitor many sessions between many pairs of network agents. Furthermore, traffic may be captured simultaneously from a plurality of capture mechanisms in real time or from play-back. 
The systems and methods may differentiate between network agents based on transport addresses, as well as other attributes, such as MAC addresses, IP addresses, TCP port numbers, VLAN tags, application-layer-specific identifiers (e.g., service name, SID for Oracle™ protocols, etc.), and/or physical ingress port tags.); incorporate the extracted data into a data model of the network, wherein the data model comprises tallies of traffic within the network grouped according to a plurality of dimensions, (¶0375-0384: Figure 13 illustrates a diagram of a system for monitoring traffic for potential attacks. In an embodiment, tally system 1345 keeps summary for all traffic aligned, for example, on five-minute boundaries. This summary data can be used to create summaries of traffic for learning system 1360 (data model of the network), outputting interfaces 1395. In an embodiment, operations and events can be grouped together in tally groups (plurality of dimensions) based on one or more of the following: (1) SQL template identifier from the feed. (2) time identifier, which is a five-minute span (or other predetermined time span) identified by how many five-minute time periods (or time periods of another predetermined time length) had occurred between a certain time (e.g., Dec. 31, 1969 Universal Coordinate Time (UTC)) and the time in question. (3) user identifier from a session login record.); wherein each of at least a subset of the tallies of traffic represents a database operation; (¶0393: Figure 19 illustrates inputs to a time-based learning system and a summary of byproducts of learning. In the illustrated embodiment, log module 1350 receives binds, literals, and execution details (e.g., from feed 1315) by time (i.e., for one or more time spans), and tally module receives statements (e.g., SQL statements) by time. Log module 1350 and tally module 1345 then pass output data (e.g., summary data 1355) to a learning manager 1368 of learning system 1360. 
Further, ¶0177 demonstrates that events represented in the semantic traffic model are passed by semantic traffic model generator 1315 through a language processing module 1325 (also referred to herein as a "language system") that extracts lexical, syntactic, and semantic data from the provided database operations (e.g., SQL statements) using lexical analysis module 1330, syntactic analysis module 1335, and semantic analysis module 1340, respectively, each of which may be integral or external to language system 1325.); Varsanyi does not disclose: for each of the plurality of transport sessions, extract data from each of two or more encapsulation layers in a payload of the transport session; However, Savchuk teaches for each of the plurality of transport sessions, extract data from each of two or more encapsulation layers in a payload of the transport session; (¶0035: As illustrated in Figure 1, packets are captured (102) from a network. The packet types are determined (104) and the packets are decoded in block 106. The system may be suitable for a variety of applications, for example, accessing all layers of network traffic including the content of TCP/IP and UDP data exchanges. Packet type information and the decoded packets are sent to block 108 for session reassembly. Next, layered session decoding is performed in block 110. Block 110 may also accept captured (112) data from SMTP mail hub, or Web proxy servers. Metadata is extracted in block 114 in accordance with a configuration profile (116) using the layered session decoding information and layered packet decoding information.) 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Savchuk of extracting data from each of two or more encapsulation layers in a payload of the transport session to the method of Varsanyi in order to provide advanced threat detection on the network and better analyze real-time network traffic (Savchuk: ¶0008 ¶0030-0032). Varsanyi in view of Savchuk does not disclose: apply one or more analytic models to the data model, wherein at least one of the one or more analytic models utilizes the tallies of traffic to identify structured data stores within the network. However, Woodford teaches apply one or more analytic models to the data model, wherein at least one of the one or more analytic models utilizes the tallies of traffic to identify structured data stores within the network, (¶0057-0058: In addition, the one or more machine learning models can use the comparison of i) the normal pattern of life for that system corresponding to the historical normal distribution of alerts and events for that system mapped out in the same multiple dimension space to ii) the current chain of individual alerts and events behavior under analysis. The plotting and comparison are a way to filter out what is normal for that system and then be able to focus the analysis on what is abnormal or unusual for that system. Then for each hypothesis of what could be happening with the chain of unusual events or alerts, the gather module may gather additional metrics from the data store including the pool of metrics originally considered ‘normal behavior’ to support or refute each possible hypothesis of what could be happening with this chain of unusual behavior under analysis.). 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Woodford of the analytic models to the method of Varsanyi in view of Savchuk in order to prevent malware (e.g., virus) from roaming and attacking the network by damaging or stealing sensitive data (Woodford: ¶0006). Varsanyi in view of Savchuk and Woodford does not disclose: wherein the one or more analytic models are applied to the data model in real time to either detect an attack in progress within at least one of the plurality of transport sessions, in which case the instructions further cause the processor to block or redirect the attack, or detect a violation of a network-level policy within a connection of at least one of the plurality of transport sessions, in which case the instructions further cause the processor to block or proxy the connection. However, Mantripragada teaches wherein the one or more analytic models are applied to the data model in real time to either detect an attack in progress within at least one of the plurality of transport sessions, (¶0051-0052: Figure 5 illustrates a block diagram of an exemplary behavioral learning system 500 which contains four analysis modules: traffic analysis module 511, content analysis module 512, structural analysis module 513, and behavioral analysis module 514. Behavioral learning system 500 inspects untrusted flow streams 501 including transport streams 501a and application streams 501b using a combination of the following inspection methods. Positive flow model inspection 531 determines whether an incoming untrusted flow stream 501 corresponds to a positive flow model. Positive flow models of various applications on which behavioral learning system 500 operates define legitimate flow streams to distinguish them from potential attacks or bad behaviors.) 
in which case the method further comprises using the at least one hardware processor (¶0130: Figure 8 illustrates an exemplary computer architecture 800 for use with the present system, according to one embodiment. Computer architecture 800 can be used to implement a UCTM system 105 with all or a part of the components shown in FIG. 8. One embodiment of architecture 800 comprises a system bus 820 for communicating information, and a processor 810 coupled to bus 820 for processing information. Architecture 800 further comprises a random access memory (RAM) or other dynamic storage device 825 (referred to herein as main memory), coupled to bus 820 for storing information and instructions to be executed by processor 810.) to block or redirect the attack, or detect a violation of a network-level policy within a connection of at least one of the plurality of transport sessions, (¶0063: According to one embodiment, behavior analysis module 514 includes session controller 541 and global controller 542. Session controller 541 is responsible for maintaining, updating, purging, and retrieving session AOR records to ensure that the memory and performance characteristics are observed. Session controller 541 is also responsible for blocking replay, hijacking, manipulation, and tampering or poisoning of a session such that the AOR session tables created by structural analysis module 513 are preserved in pristine order.). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Mantripragada of the analytic models to the method of Varsanyi in view of Savchuk and Woodford in order to offer real-time responses to security threats and better security and reliability (Mantripragada ¶0007-0011). Varsanyi in view of Savchuk, Woodford, and Mantripragada does not disclose: in which case the method further comprises using the at least one hardware processor to block or proxy the connection. 
However, Gilley teaches in which case the method further comprises using the at least one hardware processor (¶0054: DSE includes utility programs to manage its infrastructure, relieving programs of the need to manage infrastructure. The utility programs serve to schedule other programs, authorize programs to use resources such as real-time distributed data and/or stored data, filter data prior to distributing it, route data, provision DSE such as with more processors or memory, manage provisioned resources such as deleting unused or under-utilized resources, provide a user interface so that humans or programs can query the resources of DSE, manage the configuration of DSE such as distributing workload across different data centers, and encapsulate data and functions as appropriate.) to block or proxy the connection. (¶0145: As seen in Figure 7B, if the authentication fails, at step 652, auth service 144 closes the connection, asymmetrically disconnecting the unauthorized application from DSE 100A and preventing further access from that connection to help block a denial-of-service attack, or similar.). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Gilley of blocking or proxying the connection to the method of Varsanyi in view of Savchuk, Woodford, and Mantripragada in order to prevent further access from that connection and to help block a denial-of-service attack (Gilley ¶0145). Claims 3-5 are rejected under 35 U.S.C. 103 as being unpatentable over Varsanyi et al. (US PGPub No. 20140201838-A1) in view of Savchuk et al. (US PGPub No. 20150264072-A1), Woodford et al. (US PGPub No. 20190260794-A1), Mantripragada et al. (US Pat No. 8730946-B2), Gilley et al. (US PGPub No. 20170093700-A1), and Anderson et al. (US PGPub No. 20200267164-A1). 
With respect to claim 3, the combination of Varsanyi in view of Savchuk, Woodford, Mantripragada, and Gilley teaches the method of claim 2 (see rejection of claim 2 above) but does not disclose wherein, when the protocol is a cryptographic protocol, extracting the data from the encapsulation layer comprises extracting cryptographic metadata from the encapsulation layer. However, Anderson teaches extracting the data from the encapsulation layer comprises extracting cryptographic metadata from the encapsulation layer (¶0050-0053: As seen in Figure 4, captured traffic data 402 may generally include information from analysis of the observed traffic flows. For example, captured traffic data 402 may include traffic characteristics such as, but not limited to, TLS-related information of the flows (e.g., the cipher suite used, the advertised extensions, etc.) (extracting cryptographic metadata from the encapsulation layer), DNS-related information, HTTP header fields (e.g., proxy, user agent, etc.), an advertised security extension, a proxy-related header field, packet length information (e.g., a network maximum transmission unit (MTU) in use by the flow packets, a network maximum segment size (MSS) in use by the flow etc.), inter-packet timing information, a Hypertext Transfer Protocol (HTTP) header field, or any other information that can be captured through the analysis of the packets of the traffic flows). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Anderson of extracting the data from the encapsulation layer comprises extracting cryptographic metadata from the encapsulation layer to the teachings of Varsanyi in view of Savchuk, Woodford, Mantripragada, and Gilley in order to detect potential malicious traffic flow within a network (Anderson: ¶0040-0043). 
With respect to claim 4, the combination of Varsanyi in view of Savchuk, Woodford, Mantripragada, Gilley, and Anderson teaches the method of claim 3 (see rejection of claim 3 above) wherein the cryptographic metadata comprises a certificate. (Anderson: ¶0053-0056: By way of example, consider the case of TLS-related parameters. A feature vector based on such parameters can be generalized to produce two subsets of features: 1) Features that are associated with the TLS protocol that are invariant to the underlying/source environment. For example, the server certificate associated with a traffic flow is not typically dependent on the sandbox environment.). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Anderson of cryptographic metadata to the teachings of Varsanyi in view of Savchuk, Woodford, Mantripragada, and Gilley in order to detect potential malicious traffic flow within a network (Anderson: ¶0040-0043). With respect to claim 5, the combination of Varsanyi in view of Savchuk, Woodford, Mantripragada, Gilley, and Anderson teaches the method of claim 3 (see rejection of claim 3 above) wherein the cryptographic metadata comprises one or more cryptographic parameters. (Anderson: ¶0053-0057: By way of example, consider the case of TLS-related parameters. A feature vector based on such parameters can be generalized to produce two subsets of features: 2) Features that are also associated with the TLS protocol, but are artifacts of the underlying/source environment. For example, if the malware sample used the Windows™-provided SChannel, the artifact features would include the corresponding cipher suites and extensions offered.). 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Anderson of cryptographic metadata to the teachings of Varsanyi in view of Savchuk, Woodford, Mantripragada, and Gilley in order to detect potential malicious traffic flow within a network (Anderson: ¶0040-0043). Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Varsanyi et al. (US PGPub No. 20160359872-A1) in view of Savchuk et al. (US PGPub No. 20150264072-A1), Woodford et al. (US PGPub No. 20190260794-A1), Mantripragada et al. (US Pat No. 8730946-B2), Gilley et al. (US PGPub No. 20170093700-A1), and Wang et al. (US Pat No. 10805320-B1). With respect to claim 6, the combination of Varsanyi in view of Savchuk, Woodford, Mantripragada, and Gilley teaches the method of claim 2 (see rejection of claim 2 above) but does not disclose wherein the cryptographic metadata is extracted from a handshake of the cryptographic protocol. However, Wang teaches wherein the cryptographic metadata is extracted from a handshake of the cryptographic protocol (¶0015-0028: As seen in Figure 2, the TLS application 211 is an application program that communicates over a computer network in accordance with the TLS cryptographic protocol. Generally speaking, the TLS cryptographic protocol has a handshake phase and a data transfer phase. As further seen in Figure 3, during the handshake phase, the agent 210 receives a server handshake message in the form of a Server Hello message that is sent by the server device 260 (step 305). The Server Hello message includes the digital certificate of the server device 260. The agent 210 extracts the digital certificate of the server device 260 from the Server Hello message (step 306).). 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Wang of a handshake to the method of Varsanyi in view of Savchuk, Woodford, Mantripragada, and Gilley in order to better inspect network traffic and overall network security (Wang ¶0002-0004). Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Varsanyi et al. (US PGPub No. 20140201838-A1) in view of Savchuk et al. (US PGPub No. 20150264072-A1), Woodford et al. (US PGPub No. 20190260794-A1), Mantripragada et al. (US Pat No. 8730946-B2), Gilley et al. (US PGPub No. 20170093700-A1), and Goldfarb et al. (US PGPub No. 20170364702-A1). With respect to claim 7, the combination of Varsanyi in view of Savchuk, Woodford, Mantripragada, and Gilley teaches the method of claim 2 (see rejection of claim 2 above) wherein one of the two or more encapsulation layers is nested within another one of the two or more encapsulation layers, and classification of each encapsulation layer into a protocol is performed recursively. (Savchuk: ¶0053: The system 100 digs deep into every network exchange and decodes application protocols and file formats while they are in progress or from off-line source.) It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Savchuk of extracting data from each of two or more encapsulation layers in a payload of the transport session to the method of Varsanyi in view of Woodford, Mantripragada, and Gilley in order to provide advanced threat detection on the network and better analyze real-time network traffic (Savchuk: ¶0008 ¶0030-0032). 
Varsanyi in view of Savchuk, Woodford, Mantripragada, and Gilley does not disclose: wherein one of the two or more encapsulation layers is nested within another one of the two or more encapsulation layers. However, Goldfarb teaches wherein one of the two or more encapsulation layers is nested within another one of the two or more encapsulation layers (¶0049-0052: As seen in Figure 2, some embodiments may decapsulate the network traffic through multiple layers of a network protocol stack (nested encapsulation layers) with the decapsulation modules 40 and 42. For example, the network traffic physical layer encapsulation may be decapsulated by the traffic ingest module 38 to produce network-layer packets, having headers with source and destination Internet Protocol addresses.). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Goldfarb of nested encapsulation layers to the method of Varsanyi in view of Savchuk, Woodford, Mantripragada, and Gilley in order to detect potential malicious traffic flow within a network (Goldfarb: ¶0040-0043). Claims 8-9 are rejected under 35 U.S.C. 103 as being unpatentable over Varsanyi et al. (US PGPub No. 20140201838-A1) in view of Savchuk et al. (US PGPub No. 20150264072-A1), Woodford et al. (US PGPub No. 20190260794-A1), Mantripragada et al. (US Pat No. 8730946-B2), Gilley et al. (US PGPub No. 20170093700-A1), and Varney et al. (US PGPub No. 20140344453-A1). 
With respect to claim 8, the combination of Varsanyi in view of Savchuk, Woodford, Mantripragada, and Gilley teaches the method of claim 2 (see rejection of claim 2 above) but does not disclose wherein classifying the encapsulation layer into a protocol comprises: executing a plurality of plugins that each represent one of a plurality of protocols, wherein each of the plurality of plugins is configured to analyze one or more characteristics of data in the encapsulation layer to determine whether or not the encapsulation layer matches the represented protocol; and determining the protocol into which the encapsulation layer is classified based on the determinations by the plurality of plugins. However, Varney teaches wherein classifying the encapsulation layer into a protocol comprises: executing a plurality of plugins that each represent one of a plurality of protocols, (¶1458: As seen in Figure 19, the fill manager’s role is to balance and prioritize outgoing network activity between all strategizers, and operate protocol handlers (plurality of plugins) for a supported set of protocols (one of plurality of protocols). In particular, for HTTP fills, the strategizer will create an HTTP fill request in internal format, and the fill service will format that request using the HTTP formatter 1916, send it to the appropriate target host, and manage the data transfer.), wherein each of the plurality of plugins is configured to analyze one or more characteristics of data in the encapsulation layer (¶1445-1447: Although the Incoming Connection Manager 1918 is described here as a single component, it should be appreciated that this is merely one logical depiction of functionality in the cache e.g., in a present implementation there is a listener task which, after receiving a new connection, runs a sequence of handlers (plurality of plugins is configured to analyze one or more characteristics of data) which are configured for that particular listener. 
Those handlers may apply policies, perform a TLS upgrade if appropriate, etc.) to determine whether or not the encapsulation layer matches the represented protocol; and (¶1520-1529: As seen in Figure 22-A, the cache obtains data (an incoming connection) at a port and parses sufficient incoming data (at 2202) to determine that the data correspond to an appropriate type of request (e.g., HTTP). In order to determine whether or not it can serve the request, the cache server needs to compare information associated with the request with information in the global configuration object (GCO). The cache server therefore needs to determine whether it has a valid GCO (at 2204). Once the cache has a valid GCO it tries to find a match for the input URL in the GCO (at 2208). Next the port and protocol are looked up, then, longest path prefix wins.). determining the protocol into which the encapsulation layer is classified based on the determinations by the plurality of plugins. (¶1340-1350: As seen in Figure 15-G, a first sequence in which a handler launches two other sequences. A handler’s behavior may be classified into three broad groups: One-Shot, Intelligent, and Persistent. In this example, the handlers are "http-conn" and "http-session", and the parameter for the listener task is "address=`*.80`". A sequence control object 1301' corresponding to this listener sequence is shown in FIG. 15-H. This listener task provides a bare TCP or cleartext connection. It should be appreciated that the listener is just providing the communication channel to the client, and the same basic listener code could be used with different handlers to implement protocols other than HTTP (e.g., FTP).). 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Varney of classifying the encapsulation layer into protocol comprising of a plurality of plugins to the method of Varsanyi in view of Savchuk, Woodford, Mantripragada, and Gilley in order to allocate system resources optimally (Varney: ¶1336). With respect to claim 9, the combination of Varsanyi in view of Savchuk, Woodford, Mantripragada, Gilley, and Varney teaches the method of claim 8 (see rejection of claim 8 above) wherein analyzing one or more characteristics of data in the encapsulation layer comprises parsing messages in a message stream encapsulated by the encapsulation layer according to a state machine to determine whether or not the messages represent a sequence of operations that is specific to the represented protocol. (Varney ¶1445-1446: As seen in Figure 19, the client task invokes the HTTP Parser 1915 to read data from the connection, locate the message boundaries, and parse the HTTP into a request object with a convenient internal format. Messages may remain in this internal format as long as they are within the cache system (the CDN), even if they are migrated to another cache. It should be appreciated that cache-to-cache messages may be in other formats, e.g., in some cases, messages may be sent from cache-to-cache in their standard text format.) to determine whether or not the messages represent a sequence of operations that is specific to the represented protocol. (Varney ¶1447-1449: The request object may next be processed by the rule base 1932, to assign customer-specific handling policies and normalize the URL associated with the request. The policy might indicate, e.g., that the request requires manipulation by a customer-defined script. In that case, the request rewriter 1920 executes the script. 
In a present implementation a table (the GCO) is used, in conjunction with the apparent target of the request, to decide whether or not it is worth it to continue further processing at all (i.e., whether the request is associated with a valid customer). At this point, the system checks whether there is a programmed sequence of handlers appropriate for that customer.) It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Varney of wherein analyzing one or more characteristics of data in the encapsulation layer comprises parsing messages to the method of Varsanyi in view of Savchuk, Woodford, Mantripragada, and Gilley in order to determine whether the request is associated with a valid customer (Varney: ¶1447). Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over Varsanyi et al. (US PGPub No. 20140201838-A1) in view of Savchuk et al. (US PGPub No. 20150264072-A1), Woodford et al. (US PGPub No. 20190260794-A1), Mantripragada et al. (US Pat No. 8730946-B2), Gilley et al. (US PGPub No. 20170093700-A1), and Paster et al. (US PGPub No. 20100088670-A1). With respect to claim 10, the combination of Varsanyi in view of Savchuk, Woodford, Mantripragada, and Gilley teaches the method of claim 1 (see rejection of claim 1 above) but does not disclose wherein extracting data from each of two or more encapsulation layers comprises, for each of the two or more encapsulation layers, if classification of the encapsulation layer into a protocol fails, sending the encapsulation layer to a metrics process that collects one or more measurements. However, Paster teaches wherein extracting data from each of two or more encapsulation layers comprises, for each of the two or more encapsulation layers, if classification of the encapsulation layer into a protocol fails, (¶0102: As seen in Figure 8, in step 810, network traffic (e.g., one or more packets) is parsed. 
For example, identification can be made of various individual data points, such as source IP address, source port, destination IP address, destination port, protocol type, URL, hostname, domain name, or the like. If SIP signature testing provides a failure result in step 815, in step 825, the network traffic may be further parsed. For example, identification may be made of a combination of data points.) sending the encapsulation layer to a metrics process that collects one or more measurements. (¶103-105: As seen in Figure 8, if MIP signature testing provides a pass result in step 830, in step 835, the MIP signature is released providing an indication of a detected application. If MIP signature testing provides a failure result in step 830, in step 840, pluggable custom dissector generation is performed. In step 845, MIP/Custom Dissector testing is performed. If MIP/Custom Dissector testing provides a failure result in step 845, in step 850, further evaluation is performed using custom dissector code. For example, the application detection engine may employ each of a plurality of detectors that, in a first tier of analysis, inspect one data point for the purposes of detecting an application. Based on pass/fail results by individual detectors, the application detection engine may employ a plurality of detectors that, in a second tier of analysis, inspect multiple data points for the purposes of detecting applications (collecting one or more measurements). Based on pass/fail results by individual detectors, the application detection engine may employ one or more custom dissectors that, in a third tier of analysis, cover false positive/false negative scenarios or other application-specific protocols.). 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Varney of if classification of the encapsulation layer into a protocol fails, sending the encapsulation layer to a metrics process that collects one or more measurements to the method of Varsanyi in view of Savchuk, Woodford, Mantripragada, and Gilley in order to identify a network-based application from network traffic and further analyze the network traffic (Paster: ¶0101).

Claim 11 is rejected under 35 U.S.C. 103 as being unpatentable over Varsanyi et al. (US PGPub No. 20140201838-A1) in view of Savchuk et al. (US PGPub No. 20150264072-A1), Woodford et al. (US PGPub No. 20190260794-A1), Mantripragada et al. (US Pat No. 8730946-B2), Gilley et al. (US PGPub No. 20170093700-A1), and Ababtain et al. (US PGPub No. 20200162498-A1).

With respect to claim 11, the combination of Varsanyi in view of Savchuk, Woodford, Mantripragada, and Gilley teaches the method of claim 1 (see rejection of claim 1 above) but does not disclose wherein each of the tallies of traffic indicate an amount of traffic.

However, Ababtain teaches wherein each of the tallies of traffic indicate an amount of traffic. (¶0010: The network utilization data can comprise an amount of traffic value T_i that represents an amount of data traffic passing through or received by the computing resource asset. ¶0064-0065: According to a non-limiting example of the disclosure, the network traffic adjustment value can be, for example, “0”, “1.0”, or “2.0.” In this example, the common vulnerability score can be modified based on the network traffic adjustment value to add 0, 1.0, or 2.0 to each score, depending on the traffic data for the associated computing resource asset. The traffic data can include information about the amount of traffic to/from the computing resource asset relative to other computing resource assets in the user environment.).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Ababtain of the tallies indicating an amount of traffic to the method of Varsanyi in view of Savchuk, Woodford, Mantripragada, and Gilley in order to better detect, identify, and accurately accessing vulnerabilities in computing resources (Ababtain: ¶0003).

Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over Varsanyi et al. (US PGPub No. 20140201838-A1) in view of Savchuk et al. (US PGPub No. 20150264072-A1), Woodford et al. (US PGPub No. 20190260794-A1), Mantripragada et al. (US Pat No. 8730946-B2), Gilley et al. (US PGPub No. 20170093700-A1), and Sreevalsan et al. (US PGPub No. 20200274815-A1).

With respect to claim 13, the combination of Varsanyi in view of Savchuk, Woodford, Mantripragada, and Gilley teaches the method of claim 1 (see rejection of claim 1 above) wherein the data model represents objects in the network as data structures, and wherein the data structure that represents at least one object comprises an unsure parameter that indicates whether or not a datum in the data structure that represents the at least one object has been inferred.

However, Sreevalsan teaches wherein the data model represents objects in the network as data structures, and wherein the data structure that represents at least one object comprises an unsure parameter that indicates whether or not a datum in the data structure that represents the at least one object has been inferred. (¶0111-0112: Each model generally has an independent mechanism of inference based on the pre-trained flow attributes, the inference when made also includes the confidence (Ci) expressed in percentage that the model has on that particular inference. Where 100% implies the model is completely sure of the inference based on its knowledge and anything lower implying that there are varying degrees of uncertainty.).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Sreevalsan of an unsure parameter to the method of Varsanyi in view of Savchuk, Woodford, Mantripragada, and Gilley in order to better protect from spoofing or masquerading of traffic flow (Sreevalsan: ¶0050).

Claim 18 is rejected under 35 U.S.C. 103 as being unpatentable over Varsanyi et al. (US PGPub No. 20140201838-A1) in view of Savchuk et al. (US PGPub No. 20150264072-A1), Woodford et al. (US PGPub No. 20190260794-A1), Mantripragada et al. (US Pat No. 8730946-B2), Gilley et al. (US PGPub No. 20170093700-A1), and Urias et al. (US PGPub No. 20210152590-A1).

With respect to claim 18, the combination of Varsanyi in view of Savchuk, Woodford, Mantripragada, and Gilley teaches the method of claim 1 (see rejection of claim 1 above) but does not disclose further comprising using the at least one hardware processor to generate a data web that represents the identified structured data stores and data flow to or from the identified structured data stores.

However, Urias teaches further comprising using the at least one hardware processor to generate a data web that represents the identified structured data stores and data flow to or from the identified structured data stores. (¶0034-0035: Examples of various data stores that might house the data sources 230 might include mySQL, MongoDB, and Splunk index. In this illustrative example, different data stores might offer different advantages. For example, data stored in MongoDB might include asset inventory and personnel databases. Application Programming Interface (API) 202 in risk analysis system 200 is able to pull data from data sources 230. API 202 might be Data-Source-Agnostic Select (DSAS). API 202 might provide calls and logic to support “enhancement,” which enables incorporation of data from DSAS data stores into a displayed model.
¶0054-0055: Further in Figure 5, shows wherein process 500 begins by passively collecting data regarding how the devices access the network (step 502). Passively collecting data might comprise accessing a number of network data sources and providing an API to gather data from the data source, wherein the API is database agnostic and capable of incorporating data from the data source into a display model. The data stores might comprise at least one of mySQL, MongoDB, or a Splunk Indexer. The process in Figure 5 can be implemented in hardware, software, or both. When implemented in software, the process can take the form of program code that is run by one or more processor units located in one or more hardware devices in one or more computer systems. Process 500 might be implemented in risk analysis system 200 shown in Figure 2).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Urias of a data web to the method of Varsanyi in view of Savchuk, Woodford, Mantripragada, and Gilley in order to sense, detect, enumerate, identify and visualize security within a network (Urias: ¶0019-0020).

Claim 21 is rejected under 35 U.S.C. 103 as being unpatentable over Varsanyi et al. (US PGPub No. 20140201838-A1) in view of Savchuk et al. (US PGPub No. 20150264072-A1), Woodford et al. (US PGPub No. 20190260794-A1), Anderson et al. (US PGPub No. 20200267164-A1), and Goldfarb et al. (US PGPub No. 20170364702-A1), Zou et al. (US PGPub No. 20190260787-A1), Urias et al. (US PGPub No. 20210152590-A1), Mantripragada et al. (US Pat No. 8730946-B2), and Gilley et al. (US PGPub No. 20170093700-A1).

With respect to claim 21, Varsanyi teaches a method comprising using at least one hardware processor to: (Abstract: Systems, methods, and computer-readable media for detecting threats on a network. In an embodiment, target network traffic being transmitted between two or more hosts is captured.
The target network traffic comprises a plurality of packets, which are assembled into one or more messages. The assembled message(s) may be parsed to generate a semantic model of the target network traffic. The semantic model may comprise representation(s) of operation(s) or event(s) represented by the message(s). ¶0017-0018: In another embodiment, a system for detecting threats on a network is disclosed. The system comprises: at least one hardware processor;);

receive a plurality of transport sessions that have been assembled from captured raw packets being transmitted in a network; (¶0155: The disclosed systems are limited to analyzing traffic and building models for a single pair of network agents. Rather, the systems and methods are able to simultaneously monitor many sessions between many pairs of network agents. Furthermore, traffic may be captured simultaneously from a plurality of capture mechanism in real time or from play-back. The system methods may differentiate between network agents based on transport addresses, as well as other attributes, such as MAC addresses, IP addresses, TCP port numbers, VLAN tags, application-layer-specific identifiers (e.g., service name, SID for Oracle™ protocols, etc.), and/or physical ingress port tags.);

wherein the data model comprises tallies of traffic within the network grouped according to a plurality of dimensions, (¶0375-0384: Figure 13 illustrates a diagram of a system for monitoring traffic for potential attacks. In an embodiment, tally system 1345 keeps summary for all traffic aligned, for example, on five-minute boundaries. This summary data can be used to create summaries of traffic for learning system 1360 (data model of the network), outputting interfaces 1395. In an embodiment, operations and events can be grouped together in tally groups (plurality of dimensions) based on one or more of the following: (1) SQL template identifier from the feed.
(2) time identifier, which is a five-minute span (or other predetermined time span) identified by how many five-minute time periods (or time periods of another predetermined time length) had occurred between a certain time (e.g., Dec. 31, 1969 Universal Coordinate Time (UTC)) and the time in question. (3) user identifier from a session login record.);

wherein each of at least a subset of the tallies of traffic represents a database operations; (¶0393: As seen in Figure 19, illustrates inputs to a time-based learning system and a summary of byproducts of learning. In the illustrated embodiment, log module 1350 receives binds, literals, and execution details (e.g., from feed 1315) by time (i.e., for one or more time spans), and tally module receives statements (e.g., SQL statements) by time. Log module 1350 and tally module 1345 then pass output data (e.g., summary data 1355) to a learning manager 1368 of learning system 1360. Further in ¶0177 demonstrates in Events represented in the semantic traffic model are passed by semantic traffic model generator 1315 through a language processing module 1325 (also referred to herein as a "language system") that extracts lexical, syntactic, and semantic data from the provided database operations (e.g., SQL statements) using lexical analysis module 1330, syntactic analysis module 1335, and semantic analysis module 1340, respectively, each of which may be integral or external to language system 1325.);

Varsanyi does not disclose: for each of the plurality of transport sessions, for a cryptographic encapsulation layer, classify the cryptographic encapsulation layer into a cryptographic protocol, and

However, Savchuk teaches for each of the plurality of transport sessions, for a cryptographic encapsulation layer, (¶0035: As illustrated in Figure 1, packets are captured (102) from a network. The packet types are determined (104) and the packets are decoded in block 106.
The system may be suitable for a variety of applications, for example, accessing all layers of network traffic including the content of TCP/IP and UDP data exchanges. Packet type information and the decoded packets are sent to block 108 for session reassembly. Next, layered session decoding is performed in block 110. Block 110 may also accept captured (112) data from SMTP mail hub, or Web proxy servers. Metadata is extracted in block 114 in accordance with a configuration profile (116) using the layered session decoding information and layered packet decoding information.);

classify the cryptographic encapsulation layer into a cryptographic protocol, and (¶0036: The system 100 digs deep (classifying) into every network exchange and decodes application protocols and file formats while they are in progress from off-line source. The system 100 typically stores (120) the metadata information about each network exchange. In addition to the common session attributes like IP addresses and ports, the system is capable of extracting all the application protocols used, IP tunneling if used, user names, file names, HTTP referrers and request URLS, server return codes and so on, as specified in the user configuration. Non-session based protocols like DNS are decoded on per-packet basis and the metadata is sent for storage similar to the session-based protocols.)

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Savchuk of extracting data from each of two or more encapsulation layers in a payload of the transport session to the method of Varsanyi in order to provide advanced threat detection on network and better analyze real-time network traffic (Savchuk: ¶0008 ¶0030-0032).
Varsanyi in view of Savchuk does not disclose: extract cryptographic metadata from the cryptographic encapsulation layer, wherein the cryptographic metadata comprises at least one of a certificate or one or more cryptographic parameters, and,

However, Anderson teaches extract cryptographic metadata from the cryptographic encapsulation layer, (¶0050-0053: As seen in Figure 4, captured traffic data 402 may generally include information from analysis of the observed traffic flows. For example, captured traffic data 402 may include traffic characteristics such as, but not limited to, TLS-related information of the flows (e.g., the cipher suite used, the advertised extensions, etc.) (extracting cryptographic metadata from the encapsulation layer), DNS-related information, HTTP header fields (e.g., proxy, user agent, etc.), an advertised security extension, a proxy-related header field, packet length information (e.g., a network maximum transmission unit (MTU) in use by the flow packets, a network maximum segment size (MSS) in use by the flow etc.), inter-packet timing information, a Hypertext Transfer Protocol (HTTP) header field, or any other information that can be captured through the analysis of the packets of the traffic flows)).

wherein the cryptographic metadata comprises at least one of a certificate or one or more cryptographic parameters, and, (¶0053-0057: By way of consider the case of TLS-related parameters. A feature vector based on such parameters can be generalized to produce two subsets of features: 1) Features that are associated with the TLS protocol that are invariant to the underlying/source environment. For example, the server certificate associated with a traffic flow is not typically dependent on the sandbox environment.).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Anderson to the teachings of Varsanyi in view of Savchuk in order to detect potential malicious traffic flow within a network (Anderson: ¶0040-0043).

Varsanyi in view of Savchuk and Anderson does not disclose: for at least one nested encapsulation layer that is encapsulated within the cryptographic encapsulation layer, classify the nested encapsulation layer, and extract data from the nested encapsulation layer; incorporate the extracted cryptographic metadata from the cryptographic encapsulation layer and the extracted data from the nested encapsulation layer into a data model of the network,

However, Goldfarb teaches for at least one nested encapsulation layer that is encapsulated within the cryptographic encapsulation layer, (¶0049-0052: As seen in Figure 2, some embodiments may decapsulate the network traffic through multiple layers of a network protocol stack (nested encapsulation layers) with the decapsulation modules 40 and 42. For example, the network traffic physical layer encapsulation may be decapsulated by the traffic ingest module 38 to produce network-layer packets, having headers with source and destination Internet Protocol addresses.).

classify the nested encapsulation layer, and extract data from the nested encapsulation layer; (¶0049-0056: Thus, some embodiments, with modules 38, 40, and 42, may process ingested network traffic to produce a variety of different parallel data streams (or these data streams may be intermingled to maintain associations between data in different protocol layers) corresponding to different layers of a protocol stack. In some embodiments, these different streams may be input into the classifiers 44, 46, and 48, which may apply various rules, having different criteria, specifying different patterns to identify rules that are satisfied by the ingested network traffic feeds.).
incorporate the extracted cryptographic metadata from the cryptographic encapsulation layer and the extracted data from the nested encapsulation layer into a data model of the network, (¶0052: In some embodiments, criteria may reference outputs of another function, such as a predictive model trained on past network behavior of a given user, computing device, or protocol, or combination thereof. For instance, some embodiments may log network traffic and train a recurrent neural network or hidden Markov model to predict sequences of exchanges, e.g., with a model per unit of profiling (like a user/computing device/protocol combination). Some embodiments may then convert later traffic into a vector and determine whether in inferred sender predicted by the model matches a sending unit of profiling. Classifiers may take as inputs scores indicative of confidents, mismatches, errors, or fitness from these models to detect anomalous behavior.).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Goldfarb of cryptographic metadata to the teachings of Varsanyi in view of Savchuk and Anderson in order to detect potential malicious traffic flow within a network (Goldfarb: ¶0040-0043).
Varsanyi in view of Savchuk, Anderson, and Goldfarb does not disclose: apply one or more analytic models to the data model, wherein at least one of the one or more analytic models utilizes the tallies of traffic to identify structured data stores within the network; and

However, Woodford teaches apply one or more analytic models to the data model, wherein at least one of the one or more analytic models utilizes the tallies of traffic to identify structured data stores within the network; and (¶0057-0058: In addition, the one or more machine learning models can use the comparison of i) the normal pattern of life for that system corresponding to the historical normal distribution of alerts and events for that system mapped out in the same multiple dimension space to ii) the current chain of individual alerts and events behavior under analysis. The plotting and comparison are a way to filter out what is normal for that system and then be able to focus the analysis on what is abnormal or unusual for that system. Then for each hypothesis of what could be happening with the chain of unusual events or alerts, the gather module may gather additional metrics from the data store including the pool of metrics originally considered ‘normal behavior’ to support or refute each possible hypothesis of what could be happening with this chain of unusual behavior under analysis.).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Woodford of the analytic models to the method of Varsanyi in view of Savchuk, Anderson, and Goldfarb in order to prevent malware (e.g., virus) from roaming and attacking the network by damaging or stealing sensitive data (Woodford: ¶0006).
Varsanyi in view of Savchuk, Anderson, Goldfarb, and Woodford does not disclose: generate a data web that represents the identified structured data stores and data flow to or from the identified data stores,

However, Urias teaches generate a data web that represents the identified structured data stores and data flow to or from the identified structured data stores. (¶0034-0035: Examples of various data stores that might house the data sources 230 might include mySQL, MongoDB, and Splunk index. In this illustrative example, different data stores might offer different advantages. For example, data stored in MongoDB might include asset inventory and personnel databases. Application Programming Interface (API) 202 in risk analysis system 200 is able to pull data from data sources 230. API 202 might be Data-Source-Agnostic Select (DSAS). API 202 might provide calls and logic to support “enhancement,” which enables incorporation of data from DSAS data stores into a displayed model. ¶0054-0055: Further in Figure 5, shows wherein process 500 begins by passively collecting data regarding how the devices access the network (step 502). Passively collecting data might comprise accessing a number of network data sources and providing an API to gather data from the data source, wherein the API is database agnostic and capable of incorporating data from the data source into a display model. The data stores might comprise at least one of mySQL, MongoDB, or a Splunk Indexer. The process in Figure 5 can be implemented in hardware, software, or both. When implemented in software, the process can take the form of program code that is run by one or more processor units located in one or more hardware devices in one or more computer systems. Process 500 might be implemented in risk analysis system 200 shown in Figure 2).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Urias of a data web to the method of Varsanyi in view of Savchuk, Anderson, and Goldfarb and Woodford in order to sense, detect, enumerate, identify and visualize security within a network (Urias: ¶0019-0020).

Varsanyi in view of Savchuk, Anderson, Goldfarb, Woodford, and Urias does not disclose: wherein the one or more analytic models are applied to the data model in real time to either detect an attack in progress within at least one of the plurality of transport sessions, in which case the method further comprises using the at least one hardware processor to block or redirect the attack, or detect a violation of a network-level policy within a connection of at least one of the plurality of transport sessions, in which case the method further comprises using the at least one hardware processor to block or proxy the connection.

However, Mantripragada teaches wherein the one or more analytic models are applied to the data model in real time to either detect an attack in progress within at least one of the plurality of transport sessions, (¶0051-0052: Figure 5 illustrates a block diagram of an exemplary behavioral learning system 500 which contains four analysis modules: traffic analysis module 511, content analysis module 512, structural analysis module 513, and behavioral analysis module 514. Behavioral learning system 500 inspects untrusted flow streams 501 including transport streams 501a and application streams 501a and application streams 501b using combination of the following inspection methods. Positive flow model inspection 531 determines whether an incoming untrusted flow stream 501 corresponds to a positive flow model. Positive flow models of various applications on which behavioral learning system 500 operates define legitimate flow streams to distinguish them from potential attacks or bad behaviors.)
in which case the method further comprises using the at least one hardware processor (¶0130: As seen in Figure 8 illustrates an exemplary computer architecture 800 for use with the present system, according to one embodiment. Computer architecture 800 can be used to implement a UCTM system 105 with all or a part of the components shown in FIG. 8. One embodiment of architecture 800 comprises a system bus 820 for communicating information, and a processor 810 coupled to bus 820 for processing information. Architecture 800 further comprises a random access memory (RAM) or other dynamic storage device 825 (referred to herein as main memory), coupled to bus 820 for storing information and instructions to be executed by processor 810.)

to block or redirect the attack, or detect a violation of a network-level policy within a connection of at least one of the plurality of transport sessions, (¶0063: According to one embodiment, behavior analysis module 514 includes session controller 541 and global controller 542. Session controller 541 is responsible for maintaining, updating, purging, and retrieving session AOR records to ensure that the memory and performance characteristics are observed. Session controller 541 is also responsible for blocking replay, hijacking, manipulation, and tampering or poisoning of a session such that the AOR session tables created by structural analysis module 513 are preserved in pristine order.).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Mantripragada of the analytic models to the method of Varsanyi in view of Savchuk, Anderson, Goldfarb, Woodford, and Urias in order to offer real-time responses to security threats and better security and reliability (Mantripragada ¶0007-0011).
Varsanyi in view of Savchuk, Anderson, Goldfarb, Woodford, Urias, and Mantripragada does not disclose: in which case the method further comprises using the at least one hardware processor to block or proxy the connection.

However, Gilley teaches in which case the method further comprises using the at least one hardware processor (¶0054: DSE includes utility programs to manage its infrastructure, relieving programs of the need to manage infrastructure. The utility programs serve to schedule other programs, authorize programs to use resources such as real-time distributed data and/or stored data, filter data prior to distributing it, route data, provision DSE such as with more processors or memory, manage provisioned resources such as deleting unused or under-utilized resources, provide a user interface so that humans or programs can query the resources of DSE, manage the configuration of DSE such as distributing workload across different data centers, and encapsulate data and functions as appropriate.) to block or proxy the connection. (¶0145: As seen in Figure 7B, if the authentication fails, at step 652, auth service 144 closes the connection, asymmetrically disconnecting the unauthorized application from DSE 100A and preventing further access from that connection to help block a denial-of-service attack, or similar.).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Gilley of blocking or proxying the connection to the method of Varsanyi in view of Savchuk, Anderson, Goldfarb, Woodford, Urias, and Mantripragada in order to prevent further access from that connection and to help block a denial-of-service attack (Gilley ¶0145).

Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Joll et al. (US PGPub No. 20140157405-A1) teaches a scalable cyber-security system for identification of malware and malicious behavior in a computer network by aggregating host flow, host port usage, host information, and network data at the application, and transport and network layers. The system then uses aggregated data to identify a network behavior such as the presence of malicious code.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to TAYLOR P VU whose telephone number is (703)756-1218. The examiner can normally be reached MON - FRI (7:30 - 5:00).

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Alexander Lagor can be reached at (571) 270-5143. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/T.P.V./ Examiner, Art Unit 2437
/MENG LI/ Primary Examiner, Art Unit 2437

Prosecution Timeline

Jun 06, 2025
Non-Final Rejection mailed — §103, §112
Aug 19, 2025
Response Filed
Dec 30, 2025
Final Rejection mailed — §103, §112
Jan 09, 2026
Response after Non-Final Action
Mar 19, 2026
Request for Continued Examination
Apr 04, 2026
Response after Non-Final Action
Apr 27, 2026
Non-Final Rejection mailed — §103, §112
May 13, 2026
Response Filed

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12639425
THWARTING CONTROL PLANE ATTACKS WITH DISPLACED AND DILATED ADDRESS SPACES
4y 3m to grant Granted May 26, 2026
Patent 12632540
SECURITY DEFENDING METHOD AND ELECTRONIC APPARATUS
3y 4m to grant Granted May 19, 2026
Patent 12619737
A METHOD AND SYSTEM FOR SECURITY RISK IDENTIFICATION AND CONTROLLING RELEASE MANAGEMENT OF SOFTWARE APPLICATION WITH VULNERABLE CODES
2y 11m to grant Granted May 05, 2026
Patent 12506662
SERVICE PROVISION METHOD, DEVICE, AND STORAGE MEDIUM
3y 8m to grant Granted Dec 23, 2025
Patent 12505223
System & Method for Detecting Vulnerabilities in Cloud-Native Web Applications
3y 8m to grant Granted Dec 23, 2025
Prosecution Projections

4-5
Expected OA Rounds
76%
Grant Probability
89%
With Interview (+13.3%)
3y 3m (~0m remaining)
Median Time to Grant
High
PTA Risk
Based on 29 resolved cases by this examiner. Grant probability derived from career allowance rate.
