DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 2/9/2026 has been entered.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 4/3/2023 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.
Priority
Receipt is acknowledged of certified copies of papers required by 37 CFR 1.55.
Response to Arguments
Applicant’s arguments, see page(s) 7, filed 2/9/2026, with respect to the objection(s) to claim(s) 3 and 8 have been fully considered and are persuasive. The associated objection(s) to the listed claim(s) has/have been withdrawn.
Applicant’s arguments, see page(s) 7 and 8, filed 2/9/2026, with respect to the rejection of claim(s) 3, 8, and 11-13 under 35 USC 112(a) have been fully considered and are persuasive. The associated rejection(s) to the listed claim(s) has/have been withdrawn.
Regarding the arguments directed to claim 12:
The argument recites that claim 12 was cancelled. Examiner notes on the record that in the current draft of the claims, claim 12 is amended to recite different subject matter, and is not cancelled. If the applicant intended for claim 12 to be cancelled, the claims must be re-submitted and must indicate the claim as cancelled using the proper markup.
Applicant's arguments, see pages 9-11, filed 2/9/2026, with respect to the rejection of claims 1-14 under 35 USC 112(b) have been fully considered.
Regarding the argument:
“With respect to claims 1 and 6, the Examiner has alleged that the claims are indefinite because they recite calculating "an evaluation score" in the singular but later reference "evaluation scores" in the plural. Applicant has amended claim 1 to recite "calculating respective evaluation scores for each piece of attack strategy and technique information" in place of "calculating an evaluation score," and has similarly amended claim 6. …”
This argument is persuasive, and the associated portion of the rejection is withdrawn.
Regarding the argument:
“The Examiner has also alleged that the meaning of "pieces of' information is ambiguous. Applicant has amended claims 1 and 6 … in place of "selecting multiple pieces of attack strategy and technique information." The specification discloses that "an attack scenario includes a plurality of pieces of the attack strategy/technique information 500, that is, a combination of these." …”
Examiner notes that while the term “pieces of attack strategy and technique information” was removed from its original position in the amendments, it was added to a previous limitation (“… calculating respective evaluation scores for each piece of attack strategy and technique information based on the evaluation …”) in the same amendments, and comes with the same issues described in the previous office action. This rejection is maintained.
Regarding the argument:
“With respect to claims 2 and 7, the Examiner has alleged that the claims are indefinite because they recite "a highest score" while the parent claims recite calculation of a single score. The parent claims 1 and 6 as amended now recite "calculating a threat evaluation score indicating an evaluation result for the threat information," and the specification describes evaluating multiple pieces of threat information for each constituent, with selection based on evaluation points. See As-Filed Specification, paragraph [0030]. The reference to "highest score" in claims 2 and 7 refers to selecting among threat evaluation results for different threat information items, which is consistent with the parent claims' recitation of threat evaluation.”
Examiner respectfully disagrees. Parent claims 2 and 6 as amended still refer to a single “threat evaluation score”, where claims 2 and 7 recite “using the evaluation result having a highest score for the threat” (emphasis added). In addition to the claims each referring to a single threat and associated score, the claims are further unclear because “evaluation result” is attributed in the parent claims as referring to the evaluation of the attack strategy and technique information. This rejection is maintained.
Regarding the argument:
“With respect to claim 11, the Examiner has alleged that the claim is in conflict with claim 1 because they each associate the "device role" with a different score. Applicant has amended claim 11 to recite "the threat evaluation score is calculated by assigning higher evaluation points to constituents having higher security risks based on their device roles." …”
This argument is persuasive, and the associated portion of the rejection is withdrawn.
Regarding the argument:
“With respect to claim 12, Applicant has canceled claim 12 in its entirety, thereby rendering moot the Examiner's indefiniteness rejection regarding hierarchy information and entry routes.”
As noted above, claim 12 has not been cancelled in the current draft of the claims, but has been amended to recite different subject matter. The amended claim does, however, address the rejection, and thus the associated portion of the rejection is withdrawn.
Regarding the argument:
“… Applicant has amended claim 13 to recite "the strategy evaluation point is calculated by multiplication or a difference in the technical evaluation points of corresponding attack techniques." … The amended claim 13 now recites that "the strategy evaluation point is calculated" rather than "the evaluation score is calculated using a strategy evaluation point," which clarifies that the claim is directed to how the strategy evaluation point itself is calculated. The amendment also clarifies the relationship between strategy and technique information by specifying that the strategy evaluation point is calculated using "technical evaluation points of corresponding attack techniques."”
Examiner respectfully disagrees. Several points in the rejection have not been addressed sufficiently, or at all. It is still what relationship exists between the “attack techniques” and the “strategy evaluation point,” as the term, “technical evaluation point” does not occur elsewhere in the claims, and it is unclear to what it refers. The amended claim is also still incompatible with its depended-on claim for the same reasons provided in the previous and current office action. This rejection is maintained.
Regarding the argument:
“With respect to claim 14, the Examiner has alleged that the claim is indefinite because the relationship between "malware countermeasure information" and "countermeasure status" is unclear. … The "malware countermeasure information" recited in claim 14 provides additional specificity to the "countermeasure status" recited in claim 6, clarifying that the countermeasure status includes information about malware countermeasures. The claim language establishes that malware countermeasure information is a type of countermeasure status information, providing further detail rather than conflicting with the parent claim.”
Examiner respectfully disagrees. The claims do not indicate that “countermeasure status includes information about malware countermeasures”. The parent claim 6 recites, “… the threat evaluation score is calculated based on a device role and countermeasure status of each constituent …”. Claim 14 recites, “based on device role information and malware countermeasure information of each constituent …”. There is no claim language which describes the relationship between “malware countermeasure information” and “countermeasure status.” The claim fails to “particularly point out and distinctly claim” this relationship; the claim is thus indefinite. This rejection is maintained.
Applicant’s arguments, see pages 11-15, filed 2/9/2026, with respect to the rejection of claims 1-14 under 35 USC 103 have been fully considered but they are not persuasive.
Regarding the argument:
“Applicant respectfully submits that SATO does not disclose or teach generating an attack scenario … as recited by amended claims 1 and 6. SATO discloses that "the risk evaluation unit 24 calculates the evaluation value of each test scenario in response to the test scenario output result 1200 …" … This demonstrates that SATO evaluates scenarios after they have already been generated, rather than … as recited by amended claims 1 and 6. … This post-generation evaluation is fundamentally different from the claimed approach of generating attack scenarios by combining attack strategy and technique information …”
Examiner respectfully disagrees. As evidenced in the record, the various iterations of the claims have thus far been unsuccessful in clearly communicating the overall inventive concept of the instant application. The claims, based on a plain text reading, seem to gather information about an attack in order to generate a scenario create the same attack again. The prior art of SATO clearly maps to the broadest reasonable interpretation of those limitations to which it is mapped. This rejection is maintained.
Regarding the arguments directed to CASHIN, KITO, ASHKENAZY, and MACHADO:
In response to applicant's arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references. See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).
Examiner notes that additional arguments are directed to the alleged allowability of claims based on their dependency to already-argued claims, and will not be addressed.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claim(s) 1-14 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. As drafted, the claim limitations are processes that, under their broadest reasonable interpretation, may be performed in the mind. That is, nothing in the claim elements precludes the steps from practically being performed in the mind (or with pen and paper).
If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components, then it falls within the “Mental Processes” grouping of abstract ideas. Accordingly, the claims recite an abstract idea.
The claims, minus their recited generic computer components, are summarized as follows:
Claim(s) 1 and 6 recite(s):
Receiving various pieces of information.
Evaluating effectiveness of an attack.
Calculating various scores.
Selecting combinations of parameters based on criteria.
Generating an “attack scenario” with the selected parameters.
Displaying generated scenarios.
Claim(s) 2 and 7 recite(s):
Evaluating a threat.
Generating an “attack scenario” based on parameters and the evaluation.
Claim(s) 3 and 8 recite(s):
Analyzing a “trend of the cyber attack.”
“Using” the analysis result in other evaluations.
Claim(s) 4 and 9 recite(s):
Performing “narrowing” on various pieces of information.
Evaluating the “narrowed” information.
Claim(s) 5 and 10 recite(s):
Generating “attack scenarios.”
Outputting the scenarios based on evaluations.
Claim(s) 11 recite(s):
Calculating a score using points for devices based on their roles.
Claim(s) 12 recite(s):
Selecting “constituents” of a computer system and threat information based on a score.
Selecting information that “realizes” other information.
Claim(s) 13 recite(s):
Calculating a score by multiplying or subtracting other values.
Selecting information based on comparing the score to a threshold.
Claim(s) 14 recite(s):
Calculate a score based on “device role information and malware countermeasure information.”
Give higher scores to devices “responsible for data saving.”
This judicial exception is not integrated into a practical application because other aspects of the claims’ limitations amount no more than mere instructions to apply the exception using generic computer components and functions (computer system, storage device, processor, memory). Accordingly, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea. The claims are directed to an abstract idea.
Regarding the generic computer components, patents may be directed to abstract ideas where they disclose the use of an already available technology, with its already available basic functions, to use as a tool in executing the claimed process.
The claims further do not include additional elements that amount to significantly more than the judicial exception because there is nothing in the claims, whether considered individually or in their ordered combination, that would transform the application into something “significantly more” than the abstract idea of collecting data, processing and evaluating data, and generating scenarios. Further, the claims do not contain steps through which the invention represents an improvement to computer technology, to include improvement over computers or developing scenarios for penetration testing. The claims are not patent eligible.
Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.
Claim(s) 1-14 is/are rejected under 35 U.S.C. 112(a) as failing to comply with the written description requirement. The claim(s) contain(s) subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, at the time the application was filed, had possession of the claimed invention.
Regarding claim(s) 1 and 6:
Claim 1 recites, “… evaluating effectiveness of the cyber attack …”. Claim(s) 6 recite(s) similar language. The specification fails to adequately describe this limitation. The specification does recite that an “… evaluation point indicates effectiveness of an attack in each piece of the attack strategy/technique information 500.” in ¶ 0016; however, the specification teaches only that this “evaluation point” is calculated based on “information of the system configuration storage unit,” and not how it is used to evaluate the “effectiveness” of an attack, nor any other guidance vis a vie how the claimed evaluation is performed.
Claim 1 also recites, “… calculating a threat evaluation score indicating an evaluation result for the threat information …”. Claim(s) 6 recite(s) similar language. The specification fails to adequately describe this limitation. The specification does recite that an “… the threat evaluation unit 105 calculates, for example, an evaluation point indicating a risk.” in ¶ 0015; however, the specification teaches only that this “evaluation point” is calculated based on “information of the system configuration storage unit,” and not how it is used to calculate the “threat evaluation score.” There is a portion of an algorithm found in ¶ 0058, “In the example of FIG. 17, … Group A is selected as a threat trend from the trend analysis information 1600. … Furthermore, … Group A is a group with the risk level 1650 of "high" associated with threat information of "falsification of data". For this reason, in the threat evaluation point 1730, 12 obtained by multiplying the original value 4 by three is set as a threat evaluation point of "falsification of data" of Threat identification number 1.” A careful reading indicates that the value of ‘4’ is obtained from Fig. 10, but there is no indication from where the value of ‘3’ is obtained to achieve the result of ’12.’
Claim 1 also recites, “… calculating respective evaluation scores for each piece of attack strategy and technique information …”. Claim(s) 6 recite(s) similar language. The specification fails to adequately describe this limitation. The specification does recite that “… in Step S703, an evaluation point for the read attack strategy/technique information 500 is calculated” in ¶ 0034; however, the specification gives no detail vis a vie how this calculation is performed.
Regarding claims 1, 6, and 14:
Claim 1 recites, “… the threat evaluation score is calculated based on a device role and countermeasure status of each constituent …”. Claim(s) 6 recite(s) similar language. Claim 14 similarly recites, “… calculates the threat evaluation score based on device role information and malware countermeasure information of each constituent …”. The specification fails to adequately describe this limitation. The specification does recite using “… information indicating a countermeasure status in Step S602 and Step S703 for performing each evaluation” in ¶ 0025; however, the specification provides no details vis a vie how this “countermeasure” status is actually used in the claimed calculations.
Regarding claims 3 and 8:
Claim 3 recites, “… analyzing a trend of the cyber attack …”. Claim(s) 8 recite(s) similar language. The specification fails to adequately describe this limitation for largely the same reasons as detailed in the rejection of claims 1 and 6 above vis a vie “evaluating effectiveness of the cyber attack.” The specification provides no description of how the claimed trend analysis is performed.
Regarding claims 4 and 9:
Claim 4 recites, “… executing evaluation of the attack strategy and technique information …”. Claim(s) 8 recite(s) similar language. The specification fails to adequately describe this limitation for largely the same reasons as detailed in the rejection of claims 1 and 6 above vis a vie “calculating respective evaluation scores for each piece of attack strategy and technique information.” The specification provides no description of how the claimed trend analysis is performed.
Regarding claim 13:
Claim 13 recites, “… a strategy evaluation point is calculated by multiplication or a difference in technical evaluation points of corresponding attack techniques …”. The specification fails to adequately describe this limitation. The specification does recite that “… there is also a method of calculating an evaluation point by addition with, multiplication by, or a difference from an evaluation point up to a previous stage …” in ¶ 0048; however, there is no indication how this is performed, or to what “previous stage” is being referred.
These rejections can be overcome by amending the claim(s) such that they recite only that subject matter which is has adequate description in the original disclosure.
It is important to note that in regards to an adequate written description, “It is not enough that one skilled in the art could write a program to achieve the claimed function because the specification must explain how the inventor intends to achieve the claimed function to satisfy the written description requirement. See, e.g., Vasudevan Software, Inc. v. MicroStrategy, Inc., 782 F.3d 671, 681-683, 114 USPQ2d 1349, 1356, 1357 (Fed. Cir. 2015)” (MPEP 2161.01).
Regarding claims 2, 5, 7, and 10-12:
They are dependent on one or more rejected claims, and thus inherit those rejections. This rejection could be overcome by overcoming the rejection(s) to any claims upon which these claims depend, or by amending the claims such that they are no longer dependent on any rejected claim.
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION. — The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
Claims 1-14 are rejected under 35 U.S.C. 112(b) as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor regards as the invention.
Regarding claims 1-14:
The claims are generally indefinite because the metes and bounds of the claims, taken, as a whole, cannot be determined. The claims, by their plain wording, recite a method of:
Read a pair of data objects.
One of the objects is labeled “attack strategy.”
The other is labeled “technique information.”
Read a data object labeled “threat information.”
Calculate a “threat evaluation score,” which is calculated based on a device role and “countermeasure status” of each “constituent of the computer system”, which somehow “indicates” the result of an evaluation of the threat information.
Somehow evaluate effectiveness of the attack, somehow involving each of the “attack strategy” and “technique information”.
Use this effectiveness evaluation to somehow calculate evaluation scores for each member of the “attack strategy” and “technique information”.
Somehow select “multiple combinations” of “attack strategy” and “technique information” – despite only ever having read a single instance of each from storage – based on the pair’s evaluation scores being above a threshold.
Somehow generate an “attack scenario,” which involves combining the selected combinations based on their score and the “threat evaluation score,” where somehow generating the scenario determines the effectiveness of the attack against undefined “specific constituents.”
Display a list of generated scenarios, each with a “total evaluation score” which is the sum of the evaluation scores for each of the “attack strategy” and “technique information”.
These steps are not sufficiently explained to enable one of skill in the art to determine how these steps are being performed, or in some cases, what steps are being performed at all. The invention as claimed ultimately seems to receive parameters for a cyber-attack which both has and has not yet happened, in order to use those parameters to generate a scenario for the attack, where the attack then uses those parameters. At various points throughout the claims, the core parameters (strategy and technique) are treated as a single immutable pair, a pair among many pairs, or independent data objects. Many terms used in the claims do not appear in the specification, and those that do largely lack any specific definitions which would aid in understanding the claims. The claims are overall inscrutable and indefinite.
Regarding claims 1 and 6:
Claim 1 recites, “… a scenario generation device that generates a scenario of a cyber attack …”. It also recites, “… evaluating effectiveness of the cyber attack in each of the attack strategy and technique information …”. Claim 6 recites similar language. It is firstly unclear how the effectiveness of a cyber-attack may be evaluated if the claimed generating of the scenario for the attack has not yet been performed. It is further unclear how effectiveness is evaluated “in each of the attack strategy and technique information.” This is not typical English phrasing, and whatever action is being performed and its relationship to the attack strategy and technique information cannot be determined. The claim is indefinite because the metes and bounds of the limitation are not clear.
Claim 1 also recites, “… calculating respective evaluation scores for each piece of attack strategy and technique information …”. Claim 6 recites similar language. The meaning of “pieces of” information is ambiguous. A “piece” of information is not a common term in the art, and neither the claim nor specification elaborate on the term. The claim is indefinite because it cannot be determined whether a “piece” refers to a portion (and further, which portion) or the whole of either or both strategy or technique information.
Claim 1 also recites, “selecting multiple combinations of attack strategy and attack technique, wherein the attack strategy and technique information includes an attack strategy identification number, a strategy name, a technique identification number, and a technique name …”. Claim 6 recites similar language. It is unclear what this selecting entails. Previously, the claim recites (emphasis added), “reading, from a storage device, attack strategy and technique information in which an attack strategy indicating an action for executing the cyber attack and an attack technique indicating a method of realizing the attack strategy are associated”. If “strategy and technique information” is a bound pair of information objects, such as a strategy name and number paired with a technique name and number, it is unclear how “selecting” them is functionally distinct from this previously indicated pairing. Additionally, as only one of each strategy and technique information are read, it is unclear what other selection could even be possible where only two pieces of information are considered. The claim is indefinite because the metes and bounds of the limitation are not clear.
Regarding claims 1, 6, and 13:
The claims vacillate between the terms “technique information” and “attack technique.” The inconsistency makes it unclear whether these terms are interchangeable or whether they are distinct from each other. For the sake of readability and clarity, the claims should be amended such that it is clear whether the terms are equivocal or distinct.
Regarding claims 2 and 7:
Claim 2 recites, “generating the attack scenario by … using the evaluation result having a highest score for the threat.” Claim 7 recites similar language. Claim 1, and similarly claim 6, on which these claims depend, recites, “… calculating a threat evaluation score indicating an evaluation result for the threat information …”. Where the depended-on claim recites the calculation of a single score, this claim recites a “highest score,” implying a selection from a plurality of threat evaluation scores. This inconsistency makes the claim ambiguous and therefore indefinite.
Regarding claim 13:
The claim recites, “… a strategy evaluation point is calculated by multiplication or a difference in technical evaluation points of corresponding attack techniques …”. The claim is indefinite because the term “technical evaluation points” lacks antecedent basis. It is unclear from where these “technical evaluation points” are obtained and/or how they are calculated.
The claim also recites, “… the attack strategy and technique information is selected by comparing the strategy evaluation point to the predetermined threshold.” The claim is further indefinite because it is incompatible with its depended-on claim. Claim 1, on which this claim depends, recites, “… the attack strategy and technique information is selected based on having evaluation scores above a predetermined threshold according to a result of the evaluation score …”. Whatever relationship may exist between the “attack strategy information,” “technique information,” “strategy evaluation point,” “predetermined threshold,” and “evaluation score” is indecipherable based on the current draft of the claims.
Regarding claim 14:
The claim recites, “… the attack strategy and technique evaluation unit calculates the threat evaluation score based on device role information and malware countermeasure information of each constituent …”. The claim is indefinite because depended-on claim 6 recites “… the threat evaluation score is calculated based on a device role and countermeasure status of each constituent …”. It is unclear whether the “malware countermeasure information” used in the calculation of claim 14 is meant to be used in addition to the “device role” and “countermeasure status” of claim 6, meant to supersede either or both, or whether “malware countermeasure information” and “countermeasure status” are meant to be equivocal. If they are meant to be equivocal, it is unclear what additional limitation or clarification is intended with this limitation.
The claim further recites, “… constituents responsible for data saving are assigned higher threat evaluation scores for data-related threats …”. This limitation may not warrant a rejection for indefiniteness taken alone, but in combination with the issue detailed above, it is more appropriate to include it here. The metes and bounds of the limitation are not clear.
“Constituents responsible for data-saving” is not a phrase understood in the art. Multiple conflicting interpretations are possible, where “responsible for data-saving” may refer to a storage manager which directs (“saving”) data traffic to storage; a storage device on which data is stored, or “saved;” or, in the claim’s context of malware countermeasures, protecting, or “saving” data, from malware or unauthorized acts.
As to “data-related threats,” any threat directed to any device which processes data in some way can be said to be “data-related.” Other than loosely directing the claim to the general field of computer security, it is otherwise so broad that it effectively offers no further limitation on the invention.
Regarding claims 3-5 and 8-12:
They are dependent on one or more rejected claims, and thus inherit those rejections. This rejection could be overcome by overcoming the rejection(s) to any claims upon which these claims depend, or by amending the claims such that they are no longer dependent on any rejected claim.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-12 are rejected under 35 U.S.C. 103 as being unpatentable over SATO et al (Doc ID US 20200311284 A1), and further in view of CASHIN (Doc ID US 8683598 B1) and KITO et al (Doc ID US 20230137325 A1).
Regarding claim 1:
SATO teaches:
A cyber attack scenario generation method using a scenario generation device that generates a scenario of a cyber attack on a computer system, the cyber attack scenario generation method comprising: reading, from a storage device, attack strategy and technique information in which an attack strategy indicating an action for executing the cyber attack ([0054] "… Each ... scenario pattern information 800 has the fields of pattern number 801 ..., and scenario pattern 802 which stores the execution order of the attack method ...") and an attack technique indicating a method of realizing the attack strategy are associated ([0048] "The attack classification information ... stores an identifier for identifying the type of attack, and ... stores information indicating the classification of the attack ...");
reading threat information from the storage device (Fig. 10 and [0059] "The element name 901 stores information indicating the constituent elements configuring the evaluation target.");
evaluating effectiveness of the cyber attack in each of the attack strategy and technique information ([0070] "The test scenario priority evaluation result 1300 is configured from … the fields of priority 1301, attack target 1302, test scenario 1303, and evaluation value 1304.");
calculating respective evaluation scores for each piece of attack strategy and technique information based on the evaluation of effectiveness indicating an evaluation result for the attack strategy and technique information ([0070] "The test scenario priority evaluation result 1300 … has the fields of priority 1301, attack target 1302, test scenario 1303, and evaluation value 1304.");
wherein the attack strategy and technique information includes an attack strategy identification number, a strategy name, a technique identification number, and a technique name (Fig. 9 and Fig. 7), and
generating an attack scenario by combining the selected multiple combinations of attack strategy and attack technique based on both the evaluation score for the attack strategy and technique information and the threat evaluation score for the threat information to determine attack effectiveness against specific constituents ([0089] "… step S407, the scenario creation unit 23 … assigns the test scenario created in step S405, and which was not deleted in step S406, as the test scenario 1203 of the test scenario output result 1200."); and
displaying a list of generated attack scenarios sorted by their respective total evaluation scores in descending order, where each total evaluation score is indicated by a sum of evaluation scores of combinations of attack strategy and attack technique included in the generated attack scenario (Fig. 13 and [0070] "The test scenario priority evaluation result 1300 ... has the fields of priority 1301, attack target 1302, test scenario 1303, and evaluation value 1304."),
CASHIN teaches the following limitations not taught by SATO:
calculating a threat evaluation score indicating an evaluation result for the threat information ((9) Col 3 lines 13-18 "… a security score is calculated for an individual computing system, which takes into account various aspects of installed security components, system activity, and end-user activity …");
wherein the threat evaluation score is calculated based on a device role and countermeasure status of each constituent of the computer system ((9) Col 3 lines 13-18 "… a security score is calculated for an individual computing system, which takes into account various aspects of installed security components, system activity, and end-user activity …").
Retrieving attack information, assessing an attack, generating attack scenarios, and displaying them to a user are known techniques in the art, as demonstrated by SATO. Further, calculating an additional score based on a device role and countermeasures is a known technique in the art, as demonstrated by CASHIN. It would have been obvious to a person having ordinary skill in the art (PHOSITA) before the effective filing date of the claimed invention to modify the cyber-attack scenario generator of SATO with the security score of CASHIN with the motivation to provide to the system additional information in the form of target information detailing its ability to defend itself against attack.
KITO teaches the following limitations not taught by the combination of SATO and CASHIN:
selecting multiple combinations of attack strategy and attack technique ([0053] "In step S13, the means selection unit 120 selects an attack means … using the score value of each attack means of the plurality of attack means and the threshold 173." Examiner notes that "attack means" represents an aggregation of multiple attack steps.),
wherein the attack strategy and technique information is selected based on having evaluation scores above a predetermined threshold according to a result of the evaluation score ([0053] "In step S13, the means selection unit 120 selects an attack means … using the score value of each attack means of the plurality of attack means and the threshold 173."), and
Selecting attack measures based on their scores is a known technique in the art, as demonstrated by KITO. It would have been obvious to a PHOSITA before the effective filing date of the claimed invention to modify the cyber-attack scenario generator of SATO and CASHIN with the score-based measure selection of KITO with the motivation to automate the process of choosing attack measures to use in the attack scenario.
Regarding claim 2:
The combination of SATO, CASHIN, and KITO teaches:
The cyber attack scenario generation method according to claim 1, further comprising: evaluating, for each constituent of the computer system, the threat that is stored in the storage device (SATO [0061] "… In the example shown in FIG. 11, the attack route information 1100 is created as a separate table for each asset that may be attacked."); and
generating the attack scenario by using the attack strategy and technique information and, in addition to the attack strategy and technique information, using the evaluation result having a highest score for the threat (KITO [0053] "In step S13, the means selection unit 120 selects an attack means … using the score value of each attack means of the plurality of attack means and the threshold 173.").
Taking the highest-evaluated measured from among the selected measures for use in an attack scenario is a known technique in the art, as demonstrated by KITO. It would have been obvious to a PHOSITA before the effective filing date of the claimed invention to modify the cyber-attack scenario generator of SATO, CASHIN, and KITO with the score-based measure selection of KITO with the motivation to automate the process of choosing attack measures to use in the attack scenario.
Regarding claim 3:
The combination of SATO, CASHIN, and KITO teaches:
The cyber attack scenario generation method according to claim 2, further comprising: analyzing a trend of the cyber attack (SATO [0054] "... Each record … stores the pattern number for uniquely identifying a pattern, and scenario pattern 802 which stores the execution order of the attack method …"); and
using an analysis result of the trend in evaluation for the attack strategy and technique information and evaluation for the threat (SATO [0054] "… The scenario pattern 802 stores the order of the attacks expressed using the attack classification ...").
Regarding claim 4:
The combination of SATO, CASHIN, and KITO teaches:
The cyber attack scenario generation method according to claim 1, further comprising: executing narrowing processing on the attack strategy and technique information according to a predetermined criterion (SATO [0068] "… the method of expression of the test scenario may be based on abbreviated codes such as in this embodiment… "); and
executing evaluation of the attack strategy and technique information on which the narrowing processing is executed (SATO [0070] "The test scenario priority evaluation result 1300 … has the fields of priority 1301, attack target 1302, test scenario 1303, and evaluation value 1304.").
Regarding claim 5:
The combination of SATO, CASHIN, and KITO teaches:
The cyber attack scenario generation method according to claim 1, further comprising: generating a plurality of attack scenarios (SATO [0087] "... the test scenarios of all combinations of the element number information and the attack classification information ... are created."); and
outputting a plurality of generated scenarios according to a result of the effectiveness evaluation (SATO [0089] "... the scenario creation unit 23 ... assigns the test scenario created in step S405, and which was not deleted in step S406, as the test scenario 1203 of the test scenario output result 1200. Subsequently, the scenario creation unit 23 stores the attack target 1202 corresponding to each test scenario ...").
Regarding claim 6:
SATO teaches:
A scenario generation device that generates a scenario of a cyber attack on a computer system, the scenario generation device comprising: a processor coupled to a memory storing instructions for the processor to execute ([0032] "The test scenario generation device 1, ... comprise a CPU ..., a memory 303 as a volatile storage area, an external storage device 304 such as a hard disk …"):
The remainder of this claim's limitations are rejected with the same prior art mapping and justification, mutatis mutandis, as its counterpart claim 1.
Regarding claims 7-10:
These claims are rejected with the same justification, mutatis mutandis, as their counterpart claims 2-5 above.
Regarding claim 11:
The combination of SATO, CASHIN, and KITO teaches:
The cyber attack scenario generation method according to claim 1, wherein the threat evaluation score is calculated by assigning higher evaluation points to constituents having higher security risks based on their device roles (CASHIN (9) Col 3 lines 19-22 "This security score provides a mechanism to quantify the difference in security posture between user devices with a same software configuration, but taking different actions, within an organization.").
Assessing different device roles with different evaluation scores is a known technique in the art, as demonstrated by CASHIN. It would have been obvious to a PHOSITA before the effective filing date of the claimed invention to modify the cyber-attack scenario generator of SATO, CASHIN, and KITO with the device role scoring adjustment of CASHIN with the motivation to reflect differences in security posture of different devices in their respective evaluations.
Regarding claim 12:
The combination of SATO, CASHIN, and KITO teaches:
The cyber attack scenario generation method according to claim 1, wherein generating the attack scenario comprises: selecting a combination of a constituent of the computer system and the threat information based on the threat evaluation score (SATO [0092] "… The element name 502 selected here becomes the asset as the attack target in the attack route information 1100, and is stored in the attack target 1102."); and
selecting the attack strategy and technique information that realizes threat content of the selected threat information for the selected constituent (SATO [0097] "… generates a plurality of test scenarios in which a combination of the constituent elements and the attack classification is arranged in an order of the entry routes …").
Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over SATO et al (Doc ID US 20200311284 A1), CASHIN (Doc ID US 8683598 B1), and KITO et al (Doc ID US 20230137325 A1) as applied to claim 1 above, and further in view of ASHKENAZY et al (Doc ID US 10382473 B1).
Regarding claim 13:
The combination of SATO, CASHIN, and KITO teaches:
The cyber attack scenario generation method according to claim 1,
ASHKENAZY teaches the following limitations not taught by the combination of SATO, CASHIN, and KITO:
wherein a strategy evaluation point is calculated by multiplication or a difference in technical evaluation points of corresponding attack techniques ((48) Col 27 lines 58-63 "… For each given path of attack, determine the cost of exploitation of the given path of attack to be the sum of the costs of exploitation of all attacker steps included in the given path of attack."), and
wherein the attack strategy and technique information is selected by comparing the strategy evaluation point to the predetermined threshold ((93) Col 17 lines 9-12 "… the second Boolean condition is true if and only if the sum of remediation costs of all members of the list of attacker steps satisfies one member of the conditions group consisting of: higher than a pre-determined threshold …").
Using various previous evaluations to determine a total score for an evaluation is a known technique in the art, as demonstrated by ASHKENAZY. It would have been obvious to a PHOSITA before the effective filing date of the claimed invention to modify the cyber-attack scenario generator of SATO, CASHIN, and KITO with the scoring system of ASHKENAZY with the motivation to use a more granular system which gives weight to the smaller details of the assessment.
Claim 14 is rejected under 35 U.S.C. 103 as being unpatentable over SATO et al (Doc ID US 20200311284 A1), CASHIN (Doc ID US 8683598 B1), and KITO et al (Doc ID US 20230137325 A1) as applied to claim 6 above, and further in view of MACHADO et al (Doc ID US 11256828 B1).
Regarding claim 14:
The combination of SATO, CASHIN, and KITO teaches:
The cyber attack scenario generation method according to claim 1, wherein the attack strategy and technique evaluation unit calculates the threat evaluation score based on device role information and malware countermeasure information of each constituent (CASHIN (9) Col 3 lines 13-18 "… a security score is calculated for an individual computing system, which takes into account various aspects of installed security components, system activity, and end-user activity …"), and
MACHADO teaches the following limitations not taught by the combination of SATO, CASHIN, and KITO:
wherein constituents responsible for data saving are assigned higher threat evaluation scores for data-related threats ((29) Col 8 lines 14-29 "... the discovery engine 106 may be configured to generate a risk score … based on the device type … a higher risk score indicates that that device is transmitting relatively more data and/or more sensitive types of data.").
Assigning a higher risk (threat) score to a device engaged in data operations is a known technique in the art, as demonstrated by MACHADO. It would have been obvious to a PHOSITA before the effective filing date of the claimed invention to modify the cyber-attack scenario generator of SATO, CASHIN, and KITO with the device role scoring of MACHADO with the motivation to give greater weight to the risk assessed for a device which engages in data operations.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
CRABTREE et al (US 20220201042 A1) teaches a similar system of cyber-attack scenario generation. However, CRABTREE probes vulnerabilities in order to decide which attacks to use, instead of the attack strategy retrieval claimed in the instant application.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BRANDON BINCZAK whose telephone number is (703)756-4528. The examiner can normally be reached M-F 0800-1700.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Alexander Lagor can be reached on (571) 270-5143. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/BB/Examiner, Art Unit 2437
/ALEXANDER LAGOR/Supervisory Patent Examiner, Art Unit 2437