Prosecution Insights
Last updated: April 19, 2026
Application No. 18/139,097

MACHINE LEARNING TECHNIQUES FOR AUTOMATING CYBERWARFARE TRAINING SCENARIOS

Final Rejection §103 §112
Filed: Apr 25, 2023
Examiner: FARAMARZI, GITA
Art Unit: 2496
Tech Center: 2400 — Computer Networks
Assignee: Cdw LLC
OA Round: 2 (Final)
Grant Probability: 53% (Moderate)
OA Rounds: 3-4
To Grant: 3y 4m
With Interview: 75%

Examiner Intelligence

Grants 53% of resolved cases
Career Allow Rate: 53% (40 granted / 75 resolved), -4.7% vs TC avg
Interview Lift: +21.5% (resolved cases with interview); strong +22% interview lift
Typical timeline: 3y 4m Avg Prosecution; 33 currently pending
Career history: 108 Total Applications across all art units

Statute-Specific Performance

§101: 8.1% (-31.9% vs TC avg)
§103: 56.6% (+16.6% vs TC avg)
§102: 5.0% (-35.0% vs TC avg)
§112: 29.4% (-10.6% vs TC avg)
Based on career data from 75 resolved cases

Office Action

DETAILED ACTION

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Status of Claims

The following is a Final Office Action in response to applicant’s filing on November 18, 2025. Claims 1-20 are pending.

Response to Amendment

The amendment filed 11/18/2025 has been entered. Applicant’s amendment regarding the specification obviates the specification objection; therefore the specification objection is withdrawn. Applicant’s arguments do not obviate the claim interpretation; therefore the claim interpretation under 35 U.S.C. § 112(f) is maintained. Applicant’s arguments regarding claims 1, 8, and 15 do not obviate the claim rejection; therefore the claim rejection under 35 U.S.C. § 112(a) is maintained. Applicant’s arguments regarding claims 1, 8, and 15 do not obviate the claim rejection; therefore the claim rejection under 35 U.S.C. § 112(b) is maintained.

Response to Arguments

In view of the remarks submitted on November 18, 2025, applicant’s arguments have been carefully and respectfully considered but they are not persuasive.

Claim Interpretation - 35 U.S.C. § 112(f)

On pages 7-8 of the Remarks, Applicant argues that “To a person of ordinary skill in the art of computer networking, "packet capture module" connotes a definite class of structure…”. The examiner disagrees. The term “packet capture module” uses the nonce term “module”, which does not, by itself, connote a definite class of structure to one of ordinary skill in the art. Federal Circuit precedent makes clear that terms such as “module”, “unit”, “mechanism”, and similar functional placeholders are presumptively subject to 112(f) when they fail to recite sufficiently definite structure. The specification reinforces that “packet capture” is presented at a high level of abstraction. In Fig.
1, “packet capture 166” provides no structural detail regarding the packet capture component, such as the internal architecture of the packet capture component. Moreover, the specification does not identify any specific hardware capture circuitry, nor any algorithm for capturing. Applicant asserts that “"packet capture module" connotes a definite class of structure…”. While “packet capture” may describe a known function in networking, the term “module” does not convert the term into a structural component. Therefore, the term “packet capture module” does not recite sufficiently definite structure and must be construed under 35 U.S.C. § 112(f).

Claim Rejections - 35 U.S.C. § 112(a)

On pages 8-10 of the Remarks, Applicant argues that “The claims do not require any specific internal training algorithm beyond "training a machine learning model" to generate packets corresponding to the identified scenarios, nor do they require non-routine parameters unique to any attack type…”. The examiner disagrees. The claim is directed not merely to generic “training”, but to producing realistic IP packet data suitable for a cyberwarfare training environment.

Claim 4 recites “a machine learning model is trained to generate the data packets corresponding to a brute-force dictionary attack”. The specification, however, does not provide sufficient written description explaining how the machine learning model is trained to generate packet data corresponding to “a brute-force dictionary attack”.

Claim 5 recites “a machine learning model is trained to generate the data packets corresponding to a directory search attack”. The specification, however, does not provide sufficient written description explaining how the machine learning model is trained to generate packet data corresponding to “a directory search attack”.

Claim 6 recites “a machine learning model is trained to generate the data packets corresponding to an industrial control system attack”.
The specification, however, does not provide sufficient written description explaining how the machine learning model is trained to generate packet data corresponding to “an industrial control system attack”.

Thus, the specification does not disclose any specific machine learning algorithm or architecture, any training hyperparameter, or any evaluation metrics for “realistic” generation. Instead, the specification merely states at a high level that a machine learning model is trained on historical packet data and then used to generate realistic packets. Accordingly, it fails to provide any algorithmic teaching explaining how the model is trained to generate the claimed realistic internet protocol data packet corresponding to the identified scenarios. Thus, the examiner maintains the rejection under 35 U.S.C. § 112(a).

Claim Rejections - 35 U.S.C. § 112(b)

On pages 10-11 of the Remarks, Applicant argues that “"Realistic" is a term of degree that is permissible where the specification provides objective boundaries for its scope as understood by a person of ordinary skill in the art.”. The examiner disagrees with Applicant. Terms of degree such as “realistic” may be permissible when the specification provides objective boundaries for their scope; however, the specification fails to provide such objective standards. The disclosure states that “the machine learning model generates “realistic” internet protocol packets” (see abstract and summary). However, the specification does not define what constitutes “realistic” in measurable terms. Fig. 8 merely shows high level process steps such as training and generating internet protocol data packets. Because the specification provides no objective boundaries, a person of ordinary skill in the art would not be reasonably certain as to the scope of the term. Accordingly, the term “realistic” renders the claim indefinite under 35 U.S.C. § 112(b), as the metes and bounds of the claim cannot be determined with reasonable certainty.

Claim Rejections - 35 U.S.C. § 103

On pages of Remarks, Applicant argues that “Neither Somol nor Jia teaches or suggests training a machine learning model to generate Internet Protocol data packets. … Somol does not disclose a generator trained to emit IP packet sequences (with protocol headers, flags, and timing), nor that its "data indistinguishable from real data" ([0060])”. The examiner disagrees and has a different view of prior art teachings and claim interpretation.

Claim 1 recites (A computer-implemented method of generating realistic cyberwarfare network data for enhanced cyberwarfare training realism, the method comprising: receiving, via a packet capture module, historical Internet Protocol data packets; storing, via one or more processors, the historical Internet Protocol data packets in an electronic database; training, via one or more processors, a machine learning model to generate realistic Internet Protocol data packets by processing the historical Internet Protocol data packets; and providing, via an electronic network, the generated realistic Internet Protocol data packets to an emulated networking environment used for cyberwarfare training).

The claim does not recite “generator, IP packet sequences, protocol headers, flags, and timing”. It is noted that patentability must be evaluated based on the language of the claims, not on features argued by applicant but not recited. Accordingly, the proper analysis must apply to the broadest reasonable interpretation (BRI) of the actual claim language.

Somol expressly discloses training a neural network-based model using input features derived from network telemetry and traffic data. Fig. 7 shows “train model”, and further, Somol in Fig. 3 and paragraph [0037] discloses telemetry data can be captured for assessment by device 200. As shown, assume that client node 10 initiates a traffic flow with remote server 154 that includes any number of packets 302.
Any number of networking devices along the path of the flow may analyze and assess packet 302, to capture telemetry data regarding the traffic flow. For example, as shown, router CE-2 through which the traffic between node 10 and server 154 flows may capture telemetry data regarding the traffic flow. In turn, these networking devices can provide the captured telemetry data to a particular device (e.g., a device 200) for assessment by analysis process 248. Further, Somol in paragraphs [0059]-[0060] teaches generator 502 may attempt to generate data that is indistinguishable from real data 508, given noise 506. Under BRI, data that is “indistinguishable from real data” corresponds to “realistic”. Somol’s GAN-based system expressly generates synthetic data based on learned network behavior patterns and real data training input.

Furthermore, Applicant argues that the combination also fails to teach or suggest "providing, via an electronic network, the generated realistic Internet Protocol data packets to an emulated networking environment used for cyberwarfare training". The examiner disagrees. Somol teaches the use of a GAN in the manner proposed herein may operate under the assumption that there are known definitions of malware in terms of their behaviors. It is also assumed that, while the overall training criterion can remain the fit of model to data (e.g., the ability to generate samples unrecognizable from real samples in the case of a GAN), the idea of pre-specified patterns in neurons actually enables to “encode” known malicious behaviors and their combinations into the overall model. Some forms of semi-supervised generative models may enable the use of a limited number of labels, in addition to the training data itself. This would fit well with cybersecurity use cases where labels are often scarce and expensive while the data itself can be quite large, see paragraph [0062].
Under BRI, training a system to detect and analyze malicious behaviors using synthetic attack data constitutes use for cybersecurity or cyberwarfare training purposes.

Regarding the combination of Somol and Jia with respect to claims 1, 8, and 15, it is applicant’s opinion that adding the Jia references provides no reasonable combination. However, a person of ordinary skill is also a person of ordinary creativity, not an automaton, and in many cases will be able to fit teaching of multiple patents together like pieces of a puzzle. Furthermore, “The test for obviousness is not whether the feature of secondary reference may be bodily incorporated into the structure of the primary reference…Rather, the test is what the combined teachings of those references would have suggested to those of ordinary skill in the art”. In the instant case Jia provides additional information that would suggest a modification of Somol.

As to the dependent claims 2-7, 9-14 and 16-20, these claims remain rejected by virtue of dependency on their independent claims. Therefore, the examiner maintains the rejection under 35 USC § 103.

Claim Interpretation

The following is a quotation of 35 U.S.C. 112(f):

(f) ELEMENT IN CLAIM FOR A COMBINATION. — An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The following is a quotation of pre-AIA 35 U.S.C. 112, sixth paragraph:

An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art. The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is invoked.

As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph:

(A) the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function;

(B) the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as "configured to" or "so that"; and

(C) the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function.

Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function.

Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph.
The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function.

Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.

This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier. Such claim limitation(s) is/are: “a packet capture module” in claim 1.

Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.

If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, applicant may: (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C.
112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph.

Claim Rejections - 35 USC § 112

The following is a quotation of the first paragraph of 35 U.S.C. 112(a):

(a) IN GENERAL. — The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112:

The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 4-6, 11-13, and 18-19 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.

Claim 4 recites “wherein training the machine learning model to generate the realistic Internet Protocol data packets by processing the historical Internet Protocol data packets includes training the machine learning model to generate data packets corresponding to a brute-force dictionary attack”. Regarding the limitation of claim 5, there is no disclosure as to how a machine learning model is trained to generate the data packets corresponding to a brute-force dictionary attack, (i.e., the machine learning module 170 may be provided with real examples of data packets generated during an attack to train a machine learning model to generate data packets corresponding to an attack. As discussed below, these data packets may relate to offensive activities (e.g., brute force attacks, side channel attacks, industrial control system attacks, etc.). Any suitable attack types may be modeled, see paragraph [0075]).

Further, claim 5 recites “training the machine learning model to generate realistic data packets corresponding to a directory search attack”. Regarding the limitation of claim 5, there is no disclosure as to how a machine learning model is trained to generate the data packets corresponding to a directory search attack, (i.e., in some aspects, training the machine learning model to generate the realistic Internet Protocol data packets by processing the historical Internet Protocol data packets includes training the machine learning model to generate realistic data packets corresponding to a directory search attack. In some aspects, training the machine learning model to generate the realistic Internet Protocol data packets by processing the historical Internet Protocol data packets includes training the machine learning model to generate realistic data packets corresponding to an industrial control system attack. see paragraph [0130]).

Furthermore, claim 6 recites “training the machine learning model to generate realistic data packets corresponding to an industrial control system attack; …”. Given the limitation of claim 6, there is no disclosure as to how a machine learning model is trained to generate the data packets corresponding to an industrial control system attack, (i.e., As discussed below, these data packets may relate to offensive activities (e.g., brute force attacks, side channel attacks, industrial control system attacks, etc.). Any suitable attack types may be modeled. Likewise, the machine learning model 170 may be provided with real examples of data packets generated during other stages of cyberwarfare training activities (e.g., defensive operations) to specifically train a model to generate data packets corresponding to defensive actions, see paragraph [0075]).

The level of detail required to satisfy the written description requirement varies depending on the nature and scope of the claims and on the complexity and predictability of the relevant technology. Ariad, 598 F.3d at 1351, 94 USPQ2d at 1172; Capon v. Eshhar, 418 F.3d 1349, 1357-58, 76 USPQ2d 1078, 1083-84 (Fed. Cir. 2005). Computer-implemented inventions are often disclosed and claimed in terms of their functionality. For computer-implemented inventions, the determination of the sufficiency of disclosure will require an inquiry into the sufficiency of both the disclosed hardware and the disclosed software due to the interrelationship and interdependence of computer hardware and software. The critical inquiry is whether the disclosure of the application relied upon reasonably conveys to those skilled in the art that the inventor had possession of the claimed subject matter as of the filing date. Vasudevan Software, Inc. v. MicroStrategy, Inc., 782 F.3d 671, 682, 114 USPQ2d 1349, 1356 (citing Ariad Pharm., Inc. v. Eli Lilly & Co, 598 F.3d 1336, 1351, 94 USPQ2d 1161, 1172 (Fed. Cir.
2010) in the context of determining possession of a claimed means of accessing disparate databases).

Dependent claims 11-13 and 18-19 are similarly rejected.

The following is a quotation of 35 U.S.C. 112(b):

(b) CONCLUSION. — The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 1-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.

Claim 1 recites the limitation “realistic internet protocol data packet”, which renders the claim indefinite because the language is relative terminology. The term “realistic” is vague and subjective. In addition, the language does not define a certainty and the metes and bounds of the claim are unascertainable. Therefore, it is unclear as to what exactly is the generated realistic Internet Protocol data by processing the historical Internet Protocol data packets.

Independent claims 8 and 15 are similarly rejected. Claims 2-7, 9-14 and 16-20, which are dependent on claims 1, 8, and 15, are similarly rejected.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C.
103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:

1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1-3, 7-10, 14-17 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Somol et al. (US 20210306350 A1), hereinafter Somol in view of Jia et al. (US 11,714,903 B1) hereinafter Jia.

In regards to claim 1, Somol discloses a computer-implemented method of generating realistic cyberwarfare network data for enhanced cyberwarfare training realism, the method comprising (Somol, Para. 0102, Bank Trojans, more specific behaviors, such as Bank typosquatting or scareware, were found. Such a scenario may entail a device infected with a scareware delivering a message to the user about a suspicious activity on his/her account, together with a link to the bank. That link would be typosquatted or generated and would actually lead to fake domain that would probably look similar to real bank homepage.
Furthermore, some malicious RAT can be delivered through that link or even the user him/herself can be asked to install it in case he/she encounters any issues and it all can still look like a legitimate communication with the bank support service): training, via one or more processors, a machine learning model to generate realistic Internet Protocol data packets by processing the historical Internet Protocol data packets (Somol, Para. 0060, During the learning/training phase, generator 502 may attempt to generate data that is indistinguishable from real data 508, given noise 506. Conversely, discriminator 504 may attempt to distinguish the data generated by generator 502 and real data 504. In other words, discriminator 504 will attempt to assess how well generator 502 is able to model real data 508); and providing, via an electronic network, the generated realistic Internet Protocol data packets to an emulated networking environment used for cyberwarfare training (Somol, Para. 0102, some malicious RAT can be delivered through that link or even the user him/herself can be asked to install it in case he/she encounters any issues and it all can still look like a legitimate communication with the bank support service. Thus, the techniques herein are able to link such information together in such a way that allows a user to better understand the behaviors involved in such a malicious condition) and (Somol, Para. 0015, Data packets 140 (e.g., traffic/messages) may be exchanged among the nodes/devices of the computer network 100 over links using pre-defined network communication protocols such as the Transmission Control Protocol/Internet Protocol (TCP/IP), User Datagram Protocol (UDP), Asynchronous Transfer Mode (ATM) protocol, Frame Relay protocol, or any other suitable protocol. Those skilled in the art will understand that any number of nodes, devices, links, etc. may be used in the computer network, and that the view shown herein is for simplicity) and (Somol, Para. 
0062, the use of a GAN in the manner proposed herein may operate under the assumption that there are known definitions of malware in terms of their behaviors. It is also assumed that, while the overall training criterion can remain the fit of model to data (e.g., the ability to generate samples unrecognizable from real samples in the case of a GAN), the idea of pre-specified patterns in neurons actually enables to “encode” known malicious behaviors and their combinations into the overall model. Some forms of semi-supervised generative models may enable the use of a limited number of labels, in addition to the training data itself. This would fit well with cybersecurity use cases where labels are often scarce and expensive while the data itself can be quite large).

Somol does not explicitly disclose receiving, via a packet capture module, historical Internet Protocol data packets; storing, via one or more processors, the historical Internet Protocol data packets in an electronic database.

However, Jia teaches receiving, via a packet capture module, historical Internet Protocol data packets (Jia, Col. 14, Lines 27-31, The IPS signature-based detection component of detection system 402 receives the network traffic associated with the executed samples (e.g., packet capture (pcap) data associated with a given sample) as shown at 412); storing, via one or more processors, the historical Internet Protocol data packets in an electronic database (Jia, Col. 13, Lines 40-44, the log/network data can be stored as a temporary file on analysis system 300, and can also be stored more permanently (e.g., using HDFS or another appropriate storage technology or combinations of technology, such as MongoDB)).

Somol and Jia are both considered to be analogous to the claimed invention because they are in the same field of generating a fake domain for the network traffic for enhanced cyber network traffic training.
Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Somol to incorporate the teachings of Jia to include receiving, via a packet capture module, historical Internet Protocol data packets (Jia, Col. 14, Lines 27-31); storing, via one or more processors, the historical Internet Protocol data packets in an electronic database (Jia, Col. 13, Lines 40-44). Doing so would aid to facilitate detection of more samples as malware to improve existing sandbox solutions that would generate false negatives. The self-learning ML-based feedback system can enhance the detection system to facilitate detection of new malware or new malware variants based on monitored network traffic activity associated with a sample executed in the emulation/sandbox environment (Jia, Col. 4, Lines 48-56).

In regards to claim 2, the computer-implemented method of wherein receiving the historical Internet Protocol data packets includes labeling the historical Internet Protocol data packets as corresponding to at least one of (i) a cyberwarfare attack scenario, or (ii) a cyberwarfare defense scenario (Somol, Para. 0049, neural network 400 may include an output layer of ANN nodes 402 that represent the high level patterns 408 (e.g., behaviors) of interest. Often, these take the form of classification labels that can be applied to different sets of input features 404. For example, one high level pattern 408 may be “legitimate,” while another may be to “generic trojan.”), and wherein training the machine learning model to generate the realistic Internet Protocol data packets by processing the historical Internet Protocol data packets includes selecting the historical Internet Protocol data based on the labeling (Somol, Para.
0062, the idea of pre-specified patterns in neurons actually enables to “encode” known malicious behaviors and their combinations into the overall model. Some forms of semi-supervised generative models may enable the use of a limited number of labels, in addition to the training data itself).

In regards to claim 3, the combination of Somol and Jia teaches the computer-implemented method of claim 1, wherein storing the historical Internet Protocol data packets in the electronic database includes storing the historical Internet Protocol data packets as pcap files (Jia, Col. 13, Lines 35-45, Network traffic associated with the emulator is also captured (e.g., using pcap). The log/network data can be stored as a temporary file on analysis system 300, and can also be stored more permanently (e.g., using HDFS or another appropriate storage technology or combinations of technology, such as MongoDB)).

In regards to claim 7, the combination of Somol and Jia teaches the computer-implemented method of claim 1, wherein the machine learning model is a generative adversarial network (Somol, Para. 0062, the use of a GAN in the manner proposed herein may operate under the assumption that there are known definitions of malware in terms of their behaviors. It is also assumed that, while the overall training criterion can remain the fit of model to data (e.g., the ability to generate samples unrecognizable from real samples in the case of a GAN), the idea of pre-specified patterns in neurons actually enables to “encode” known malicious behaviors and their combinations into the overall model).

In regards to claim 8, the computing system of claim 8 is similarly analyzed and rejected as the method claim 1.

In regards to claim 9, the combination of Somol and Jia teaches the computing system of claim 8, the one or more memories having stored thereon computer-executable instructions that, when executed by the one or more processors, cause the computing system to: select the historical Internet Protocol data packets based on a respective label associated with the historical Internet Protocol data packets (Somol, Para. 0049, neural network 400 may include an output layer of ANN nodes 402 that represent the high level patterns 408 (e.g., behaviors) of interest. Often, these take the form of classification labels that can be applied to different sets of input features 404. For example, one high level pattern 408 may be “legitimate,” while another may be to “generic trojan.” Thus, the neurons formed during the training of neural network 400 between ANN nodes 402 may represent the associations between the input features obtained from the network or device under scrutiny, the low level patterns/behaviors exhibited by the network or device, and the high level patterns/behaviors that categorize the low level patterns/behaviors).

In regards to claim 10, the computing system of claim 10 is similarly analyzed and rejected as the method claim 3.

In regards to claim 14, the computing system of claim 14 is similarly analyzed and rejected as the method claim 7.

In regards to claim 15, the non-transitory computer-readable medium of claim 15 is similarly analyzed and rejected as the method claim 1 and computing system claim 8.

In regards to claim 16, the combination of Somol and Jia teaches the non-transitory computer-readable medium of claim 15, having stored thereon computer-executable instructions that, when executed by the one or more processors, cause a computer to: select the historical Internet Protocol data packets based on a respective label associated with the historical Internet Protocol data packets (Somol, Para. 0049, neural network 400 may include an output layer of ANN nodes 402 that represent the high level patterns 408 (e.g., behaviors) of interest. Often, these take the form of classification labels that can be applied to different sets of input features 404. For example, one high level pattern 408 may be “legitimate,” while another may be to “generic trojan.” Thus, the neurons formed during the training of neural network 400 between ANN nodes 402 may represent the associations between the input features obtained from the network or device under scrutiny, the low level patterns/behaviors exhibited by the network or device, and the high level patterns/behaviors that categorize the low level patterns/behaviors).

In regards to claim 17, the non-transitory computer-readable medium of claim 17 is similarly analyzed and rejected as the method claim 3 and computing system claim 10.

In regards to claim 20, the non-transitory computer-readable medium of claim 20 is similarly analyzed and rejected as the method claim 7 and computing system claim 14.

Claims 4, 11, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Somol et al. (US 20210306350 A1), hereinafter Somol in view of Jia et al. (US 11,714,903 B1) hereinafter Jia, further in view of the article entitled “Presenting New Dangers: A Deep Learning Approach to Password Cracking” by Chen.

In regards to claim 4, the combination of Somol and Jia does not explicitly teach the computer-implemented method of claim 1, wherein training the machine learning model to generate the realistic Internet Protocol data packets by processing the historical Internet Protocol data packets includes training the machine learning model to generate data packets corresponding to a brute-force dictionary attack.
However, Chen teaches wherein training the machine learning model to generate the realistic Internet Protocol data packets by processing the historical Internet Protocol data packets includes training the machine learning model to generate data packets corresponding to a brute-force dictionary attack (Chen, Page 3, by setting these two networks up as adversaries, G tries to fool D while D tries to distinguish the samples from the real world and G. Each network tries to master its own task through thousands of iterations, with no manual intervention. In the end, there is a model that creates true-looking fakes and another that can detect most fakes from reals. A simple version of this process can be seen in Figure 1.0). Somol, Jia and Chen are all considered to be analogous to the claimed invention because they are in the same field of generating a fake domain for the network traffic for enhanced cyber network traffic training. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Somol and Jia to incorporate the teachings of Chen to include wherein training the machine learning model to generate the realistic Internet Protocol data packets by processing the historical Internet Protocol data packets includes training the machine learning model to generate data packets corresponding to a brute-force dictionary attack (Chen, Page 3). Doing so would aid to demonstrate how deep learning can be effectively applied to password cracking, and the dangers it presents to the cybersecurity world given this new development (Chen, Page 2).

In regards to claim 11, the computing system of claim 11 is similarly analyzed and rejected as the method claim 4.

In regards to claim 18, the non-transitory computer-readable medium of claim 18 is similarly analyzed and rejected as the method claim 4 and computing system claim 11.

Claims 5 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Somol et al. (US 20210306350 A1), hereinafter Somol in view of Jia et al. (US 11,714,903 B1) hereinafter Jia, further in view of LEE et al. (US 2020/0336507 A1).

In regards to claim 5, the combination of Somol and Jia does not explicitly teach the computer-implemented method of claim 1, wherein training the machine learning model to generate the realistic Internet Protocol data packets by processing the historical Internet Protocol data packets includes training the machine learning model to generate realistic data packets corresponding to a directory search attack.

However, LEE teaches the computer-implemented method of claim 1, wherein training the machine learning model to generate the realistic Internet Protocol data packets by processing the historical Internet Protocol data packets includes training the machine learning model to generate realistic data packets corresponding to a directory search attack (LEE, Para. 0041, the GAN includes a generator model 208 that generates payloads 242 for attack vectors 218 identified as viable by classification engine 204, as well as a discriminator model 210 that outputs predictions 244 of payloads 242 as real or fake) and (LEE, Para. 0022, testing framework 120 generates payloads 124 that are delivered via attack vectors 122 and allow the target system to be exploited. Continuing with the above example, payloads 124 that exploit vulnerabilities of the web environment include, but are not limited to, Structured Query Language (SQL) statements used in SQL injection attacks; client-side scripts used in cross-site scripting (XSS) attacks; user-supplied data in command injection attacks; URLs in Server-Side Request Forgery (SSRF) attacks; and/or session tokens, cookies, or parameters in authentication bypass attacks. Payloads 124 also, or instead, include file references in path or directory traversal attacks, state-changing requests in Cross-Site Request Forgery (CSRF) attacks, XPath queries in XPath injection attacks, Extensible Markup Language (XML) in XML External Entity (XXE) injection attacks, techniques for accessing sensitive files, and/or techniques for accessing misconfigured web services). Somol, Jia and LEE are all considered to be analogous to the claimed invention because they are in the same field of generating a fake domain for the network traffic for enhanced cyber network traffic training. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Somol and Jia to incorporate the teachings of LEE to include wherein training the machine learning model to generate the realistic Internet Protocol data packets by processing the historical Internet Protocol data packets includes training the machine learning model to generate realistic data packets corresponding to a directory search attack (LEE, Para. 0041). Doing so would aid the ability to identify viable attack vectors without requiring manual labeling of anomalies or vulnerabilities in the reconnaissance data. Another advantage includes the ability to dynamically and automatically adapt payloads to different targets, services, configurations, and/or topologies in the environment under test. Consequently, the disclosed techniques provide improvements in computer systems, applications, tools, and/or technologies that identify attack vectors and generate payloads for use in penetration testing (LEE, Para. 0008).

In regards to claim 12, the computing system of claim 12 is similarly analyzed and rejected as the method claim 5.

Claims 6, 13, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Somol et al. (US 20210306350 A1), hereinafter Somol in view of Jia et al. (US 11,714,903 B1) hereinafter Jia, further in view of Lyle et al. (US 2023/0168646 A1), hereinafter Lyle.

In regards to claim 6, the combination of Somol and Jia does not explicitly teach the computer-implemented method of claim 1, wherein training the machine learning model to generate the realistic Internet Protocol data packets by processing the historical Internet Protocol data packets includes training the machine learning model to generate realistic data packets corresponding to an industrial control system attack.

However, Lyle teaches the computer-implemented method of claim 1, wherein training the machine learning model to generate the realistic Internet Protocol data packets by processing the historical Internet Protocol data packets includes training the machine learning model to generate realistic data packets corresponding to an industrial control system attack (Lyle, Para. 0029, additionally, the supporting software 114 is configured to simulate functions of an ICS. Simulations, as part of the supporting software 114 may be pre-configured to complete a certain task (e.g., cyber-security threat, system failure, etc.) or may include computer algorithms (e.g., machine learning, artificial intelligence, etc.) configured to create varied scenarios for simulation. The supporting software 114 may be stored on data storage within the virtual environment 110 or may be stored on data storage within the computing system 102. In some embodiments, the supporting software may be part of the simulated model 112. In some embodiments, the supporting software 114 may be stored in a software bank within the virtual environment 110. For example, only supporting software 114 that is needed is accessed from the software bank during testbed system 100 operation). Somol, Jia and Lyle are all considered to be analogous to the claimed invention because they are in the same field of generating a fake domain for the network traffic for enhanced cyber network traffic training.
Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Somol and Jia to incorporate the teachings of Lyle to include wherein training the machine learning model to generate the realistic Internet Protocol data packets by processing the historical Internet Protocol data packets includes training the machine learning model to generate realistic data packets corresponding to an industrial control system attack (Lyle, Para. 0029). Doing so would aid to provide industrial systems with a range for testing systems and identifying vulnerabilities early, before a potential attack or failure. In some embodiments, the testbed system 100 may be reconfigured, on the fly, for educational and research purposes. For example, the testbed system 100 may be used for teaching a group of students about industrial processes and potential vulnerabilities. Additionally, the testbed system 100 may communicate across a centralized hub for cross-platform use between labs, academia, and industry (Lyle, Para. 0029).

In regards to claim 13, the computing system of claim 13 is similarly analyzed and rejected as the method claim 6.

In regards to claim 19, the non-transitory computer-readable medium of claim 19 is similarly analyzed and rejected as the method claim 6 and computing system claim 13.

Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See PTO-892.

THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.
In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to GITA FARAMARZI whose telephone number is (571)272-0248. The examiner can normally be reached Monday-Friday 9:00 am-6:00 pm. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge L. Ortiz-Criado can be reached at (571)272-7624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/GITA FARAMARZI/
Examiner, Art Unit 2496

/JORGE L ORTIZ CRIADO/
Supervisory Patent Examiner, Art Unit 2496

Prosecution Timeline

Apr 25, 2023
Application Filed
Aug 12, 2025
Non-Final Rejection — §103, §112
Nov 11, 2025
Interview Requested
Nov 18, 2025
Response Filed
Nov 24, 2025
Applicant Interview (Telephonic)
Dec 02, 2025
Examiner Interview Summary
Feb 12, 2026
Final Rejection — §103, §112 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12339997
ENTITY FOCUSED NATURAL LANGUAGE GENERATION
2y 5m to grant Granted Jun 24, 2025
Patent 12316648
Data value classifier
2y 5m to grant Granted May 27, 2025
Patent 12301564
VIRTUAL SESSION ACCESS MANAGEMENT
2y 5m to grant Granted May 13, 2025
Patent 12256022
BLOCKCHAIN TRANSACTION COMPRISING RUNNABLE CODE FOR HASH-BASED VERIFICATION
2y 5m to grant Granted Mar 18, 2025
Patent 12242613
AUTOMATED EVALUATION OF MACHINE LEARNING MODELS
2y 5m to grant Granted Mar 04, 2025
Study what changed to get past this examiner. Based on 5 most recent grants.

Prosecution Projections

3-4
Expected OA Rounds
53%
Grant Probability
75%
With Interview (+21.5%)
3y 4m
Median Time to Grant
Moderate
PTA Risk
Based on 75 resolved cases by this examiner. Grant probability derived from career allow rate.
