Prosecution Insights
Last updated: April 19, 2026
Application No. 18/207,061

Unifying of the network device entity and the user entity for better cyber security modeling along with ingesting firewall rules to determine pathways through a network

Final Rejection §103
Filed: Jun 07, 2023
Examiner: GREENE, JOSEPH L
Art Unit: 2443
Tech Center: 2400 — Computer Networks
Assignee: Darktrace Holdings Limited
OA Round: 2 (Final)
Grant Probability: 63%
Moderate
OA Rounds: 3-4
To Grant: 4y 2m
With Interview: 99%

Examiner Intelligence

Grants 63% of resolved cases
Career Allow Rate: 63% (347 granted / 550 resolved), +5.1% vs TC avg
Strong +37% interview lift
Interview Lift: +36.9% (resolved cases with interview)
Typical timeline
Avg Prosecution: 4y 2m (48 currently pending)
Career history
Total Applications: 598 (across all art units)

Statute-Specific Performance

§101: 9.6% (-30.4% vs TC avg)
§103: 61.0% (+21.0% vs TC avg)
§102: 10.3% (-29.7% vs TC avg)
§112: 8.3% (-31.7% vs TC avg)
Based on career data from 550 resolved cases

Office Action

§103
DETAILED ACTION

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

1. Claims 1 – 20 are currently pending in this application. Claims 1 and 11 are amended as filed on 09/08/2025.

Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1-6, 8-16, and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Akella et al. (Pre-Grant Publication No. US 2021/0281582 A1), hereinafter Akella, in view of Crabtree et al. (Pre-Grant Publication No. US 2022/0078210 A1), hereinafter Crabtree.

2. With respect to claim 1, Akella taught an apparatus, comprising: a device linking service configured to unify data streams from different sources of access into a network to get a composite picture of a behavior of an individual physical network device (0052 & 0097, where the different access sources are taught, at least, by the wired vs wireless connection) that has different device identifiers from the different sources of access into the network via cross-referencing information from the different sources of access into the network (0184, where the different MAC address teaches the different identifiers), where the device linking service is configured to create a unified network device identifier for the different device identifiers from the different sources of access into the network (0097), where the device linking service is configured to supply the unified network device identifier and associated information with the different device identifiers from the different sources of access into the network to a prediction engine (0007) and where any instructions for the device linking service and the prediction engine are stored in an executable format on one or more non-transitory computer readable mediums, which are executable by one or more processors (0181 & 0049).

However, Akella did not explicitly state that the prediction engine is configured to run a simulation of attack paths for the network attack paths for the network by at least generating a virtual network represented by a graph of nodes representing devices within the network and simulating how a cyberattack could progress within the network based on at least a normal behavior of the devices and a current operational state of each of the devices associated with the nodes.

On the other hand, Crabtree did teach that the prediction engine is configured to run a simulation of attack paths for the network attack paths for the network by at least generating a virtual network represented by a graph of nodes representing devices within the network and simulating how a cyberattack could progress within the network based on at least a normal behavior of the devices and a current operational state of each of the devices associated with the nodes (0023, where a graph, in computer science, is an abstract data structure that consists of a set of vertices/nodes that connect pairs of vertices/nodes. A graph is not inherently displayed visually to a human user and, in this case, is represented by the organized virtual node connections that are received and produced by the simulation engine).

Both of the systems of Akella and Crabtree are directed towards providing attack prevention tools and therefore, it would have been obvious to a person having ordinary skill in the art, at the time of the effective filing of the invention, to modify the teachings of Akella, to utilize simulating an attack path, as taught by Crabtree, in order to provide a more detailed protection to coincide with a device’s modeled behavior.

3. With respect to claim 11, Akella taught a non-transitory computer readable medium configured to store instructions in an executable format in the non-transitory computer readable medium, which when executed by one or more processors cause operations (0181 & 0049), comprising: providing a device linking service to unify data streams from different sources of access into a network to get a composite picture of a behavior of an individual physical network device that has different device identifiers from the different sources of access into the network via cross-referencing information from the different sources of access into the network (0052 & 0097), providing the device linking service to create a unified network device identifier for the different device identifiers from the different sources of access into the network (0184), and providing the device linking service to supply the unified network device identifier and associated information with the different device identifiers from the different sources of access into the network to a prediction engine (0007).

However, Akella did not explicitly state that the prediction engine is configured to run a simulation of attack paths for the network attack paths for the network by at least generating a virtual network represented by a graph of nodes representing devices within the network and simulating how a cyberattack could progress within the network based on at least a normal behavior of the devices and a current operational state of each of the devices associated with the nodes, and providing the device linking service to then link the unified network device identifier with a user in the network.

On the other hand, Crabtree did teach that the prediction engine is configured to run a simulation of attack paths for the network attack paths for the network by at least generating a virtual network represented by a graph of nodes representing devices within the network and simulating how a cyberattack could progress within the network based on at least a normal behavior of the devices and a current operational state of each of the devices associated with the nodes (0023, where a graph, in computer science, is an abstract data structure that consists of a set of vertices/nodes that connect pairs of vertices/nodes. A graph is not inherently displayed visually to a human user and, in this case, is represented by the organized virtual node connections that are received and produced by the simulation engine), and providing the device linking service to then link the unified network device identifier with a user in the network (0103).

Both of the systems of Akella and Crabtree are directed towards providing attack prevention tools and therefore, it would have been obvious to a person having ordinary skill in the art, at the time of the effective filing of the invention, to modify the teachings of Akella, to utilize simulating an attack path, as taught by Crabtree, in order to provide a more detailed protection to coincide with a device’s modeled behavior.

4. As for claims 2 and 12, they are rejected on the same basis as claims 1 and 11 (respectively). In addition, Akella taught where the device linking service is configured to create a meta entity identifier from the unified network device identifier and one or more user identifiers associated with the different device identifiers from the different sources of access into the network, where the device linking service is configured to supply the meta entity identifier and associated information to a cyber security appliance configured to detect the cyber threat in the network, and where the cyber security appliance is configured to use the meta entity identifier and information associated with the unified network device identifier and the one or more user identifiers associated with the different device identifiers to create multiple models of a pattern of life for the meta entity identifier in order to detect the cyber threat (0052, where the fingerprint is the meta identifier under broadest reasonable interpretation).

5. As for claims 3 and 13, they are rejected on the same basis as claims 2 and 12 (respectively). In addition, Akella taught where the cyber security appliance is configured to have an autonomous response module to autonomously respond to mitigate the cyber threat as well as to cooperate with the prediction engine in order to determine how to properly autonomously respond to a cyber-attack by the cyber threat based upon simulations run in the prediction engine modelling the attack paths into and through the network (0063).

6. As for claims 4 and 14, they are rejected on the same basis as claims 1 and 11 (respectively). In addition, Akella taught where the device linking service is configured to cooperate with a firewall configuration ingester and the prediction engine, where the prediction engine is configured to monitor traffic into the network in order to map all of the paths into and through the network taken by the monitored traffic, where the firewall configuration ingester is configured to ingest firewall rules to determine theoretically possible paths through the network in accordance with the firewall rules and a mapping of nodes of the network, and where the prediction engine is configured to combine all of the paths into and through the network taken by the monitored traffic with the possible paths through the network theoretically possible in accordance with the firewall rules from the firewall configuration ingester in light of the unified network device identifier with a user entity in the network from the device linking service to determine possible attack paths when running the simulation of attack paths for the network that the cyber threat may take (0083, where the firewall and simulations can be further seen in 0118).

7. As for claims 5 and 15, they are rejected on the same basis as claims 1 and 11 (respectively). In addition, Akella taught where the device linking service is configured to passively monitor the data streams from different sources having access into the network as well as to actively query third party platforms to gather and ingest device data, user data, and activity data from multiple third party vendors and then analyze the ingested data, and then pass the ingested data into the prediction engine to perform the simulation of attack paths for the network that the cyber threat may take (0080-0081, where the third-party vendors can be seen in Crabtree: 0115, wherein the sources within the confines of the business teaches the local network and the external cloud based sources outside of the client business teaches the external third party vendor sources under BRI. See also: 0118).

8. As for claims 6 and 16, they are rejected on the same basis as claims 1 and 11 (respectively). In addition, Akella taught where the device linking service is configured to maintain data from the data streams in their generic format as well as put relevant data into a uniform analysis format in a central data store via translation and mapping and then using the central data store to store the relevant data for the uniform analysis format (0231, the tensor format).

9. As for claims 8 and 18, they are rejected on the same basis as claims 1 and 11 (respectively). In addition, Crabtree taught where the device linking service is configured to aggregate network presence information about a user of the network and their different user accounts on different third-party applications served from third-party platforms external to the network, who is then also associated with this particular individual physical network device (0115, where the web is crawled).

10. As for claims 9 and 19, they are rejected on the same basis as claims 1 and 11 (respectively). In addition, Crabtree taught further comprising: a firewall configuration ingester configured to cooperate with the device linking service, where the firewall configuration ingester is configured to examine rules of firewall configurations and their settings to model changes in these rules over time to detect unusual rules over time to the firewall configurations that cause new attack path modelling routes into the network (0107).

11. As for claims 10 and 20, they are rejected on the same basis as claims 1 and 11 (respectively). In addition, Akella taught further comprising: a firewall configuration ingester configured to cooperate with the device linking service and the prediction engine, where the firewall configuration ingester is configured to examine firewall rules implemented by a firewall to identify routes into the network allowed by a current firewall rules and supply the prediction engine with a set of possible routes that a cyber-attack by the cyber threat may take into the network and permitted reasons into the network (0109).

Claim(s) 7 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Akella, in view of Crabtree, and in further view of MAJKOWSKI et al. (Pre-Grant Publication No. US 2021/0306371 A1), hereinafter Majkowski.

12. As for claims 7 and 17, they are rejected on the same basis as claims 1 and 11 (respectively). In addition, Akella taught where the device linking service is configured to apply using a central data store to store data points organized by how the data points relate to another data point (0231).

However, Akella did not explicitly state to apply at least one of string matching and fuzzy logic to cross-reference information from the different sources of access into the network.

On the other hand, Majkowski did teach apply at least one of string matching and fuzzy logic to cross-reference information from the different sources of access into the network (0075, where this, at least, teaches the fuzzy logic limitation).

Both of the systems of Akella and Majkowski are directed towards providing attack prevention tools and therefore, it would have been obvious to a person having ordinary skill in the art, at the time of the effective filing of the invention, to modify the teachings of Akella, to utilize fuzzy logic as part of the learning algorithm, as fuzzy logic was a standard programming technique for processing data.

Response to Arguments

Applicant’s arguments with respect to the claim(s) have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

13. It should be noted that although the newly applied reference is from the same inventor as the previously applied reference (Crabtree), it is indeed a different reference with differently applied teachings and citations. Also, it is to be noted that a graph is not inherently a visually displayed graph and in computer science, is generally represented as mathematical data points used to connect vertices and/or nodes.

Conclusion

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to JOSEPH L GREENE whose telephone number is (571)270-3730. The examiner can normally be reached Monday - Thursday, 10:00am - 4:00pm.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Nicholas R. Taylor can be reached at 571 272-3889. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/JOSEPH L GREENE/
Primary Examiner, Art Unit 2443

Prosecution Timeline

Jun 07, 2023
Application Filed
Jun 12, 2025
Non-Final Rejection — §103
Sep 08, 2025
Response Filed
Sep 15, 2025
Examiner Interview (Telephonic)
Sep 22, 2025
Final Rejection — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12568075
METHOD, SYSTEM AND APPARATUS OF AUTHENTICATING USER AFFILIATION FOR AN AVATAR DISPLAYED ON A DIGITAL PLATFORM
2y 5m to grant Granted Mar 03, 2026
Patent 12567425
ENCODING METHOD AND DECODING METHOD
2y 5m to grant Granted Mar 03, 2026
Patent 12566897
ANTI-TAMPER CIRCUIT, LED CABINET AND LED DISPLAY SCREEN
2y 5m to grant Granted Mar 03, 2026
Patent 12563049
SYSTEMS AND METHODS FOR A.I.-BASED MALWARE ANALYSIS ON OFFLINE ENDPOINTS IN A NETWORK
2y 5m to grant Granted Feb 24, 2026
Patent 12531830
METHOD AND ELECTRONIC DEVICE FOR DEVICE IP STATUS CHECKING AND CONNECTION ORCHESTRATION
2y 5m to grant Granted Jan 20, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Prosecution Projections

Expected OA Rounds: 3-4
Grant Probability: 63%
With Interview: 99% (+36.9%)
Median Time to Grant: 4y 2m
PTA Risk: Moderate
Based on 550 resolved cases by this examiner. Grant probability derived from career allow rate.
