Prosecution Insights
Last updated: April 19, 2026
Application No. 18/228,397

ASSET SECURITY AND RISK POSTURE VISUALIZATION

Non-Final OA §103
Filed: Jul 31, 2023
Examiner: BENGZON, GREG C
Art Unit: 2444
Tech Center: 2400 — Computer Networks
Assignee: Palo Alto Networks Inc.
OA Round: 3 (Non-Final)
Grant Probability: 58% (Moderate)
OA Rounds: 3-4
To Grant: 3y 11m
With Interview: 64%

Examiner Intelligence

Grants 58% of resolved cases
Career Allow Rate: 58% (283 granted / 486 resolved), at TC average
Interview Lift: +5.9% (Moderate +6% lift), resolved cases with interview
Typical timeline: 3y 11m avg prosecution, 38 currently pending
Career history: 524 total applications across all art units

Statute-Specific Performance

§101: 12.2% (-27.8% vs TC avg)
§103: 65.8% (+25.8% vs TC avg)
§102: 4.9% (-35.1% vs TC avg)
§112: 9.0% (-31.0% vs TC avg)
Based on career data from 486 resolved cases

Office Action

§103
DETAILED ACTION

This application has been examined. Claims 1-25 are pending. Claim 25 is submitted as a new claim.

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Priority

The effective date of the claims described in this application is 7/31/2023.

Continued Examination Under 37 CFR 1.114

A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 11/17/2025 has been entered.

Response to Arguments

Applicant's arguments filed 11/17/2025 have been fully considered but they are moot in view of the new grounds for rejection.

Cummins disclosed (re. Claim 1) obtain, via a user interface, a criteria scope that identifies a subset of network assets of a network to be visualized (Cummins-Paragraph 66, generate in a display 210 a visual representation of accessibility of a selected node or nodes, or a group of nodes, such as a subnet, Paragraph 86, user interface 230 may be operable to select in the map 500 one or more boundary 525 graphically represents one or more network enclaves 125 defined by one or more corresponding firewall 115, and responsive to such selection, or a further input using the display 210 and user interface 230, or otherwise, to generate the dynamic accessibility diagram 800 with one or more pairs of concentric rings 802 corresponding to the same one or more firewall 115.)
obtain, via the user interface, a grouping criteria that indicates a multi-level grouping for the subset of network assets, (Cummins-Paragraph 82, the outer concentric ring 804 and/or the inner concentric ring 806 may be ordered so as to group together circumferentially the ACL parameter segments 812 corresponding to different respective VLANs defined by the corresponding firewall configuration 120,Paragraph 81, responsive to selections or other actions by a user using the display 210 using the user interface 230, inasmuch as the ordering of the ACL parameters segments 812 of a given pair of concentric rings 802 which optimally facilitates visual understanding of the network security configuration may be different depending on such selections or other user actions) wherein the grouping criteria includes a user- defined primary grouping and a user-defined secondary grouping based on respective device attributes of the network assets automatically determine a network topology for the subset of network assets,(Cummins-Paragraph 83, selection of an ACL parameter segment 812 of the outer concentric ring 804, and re-ordering of the ACL parameter segments 812 of the inner concentric ring 806) automatically generate, based at least in part on the network topology and the grouping criteria, (Cummins-Figure 4, Paragraph 56, for one or more of the network enclaves 125, the map may be generated to include a visual boundary 525 enclosing the icons 505 of the nodes 105 belonging to the network enclave 125) a network topology visualization of the subset of network assets for the network, (Cummins-Paragraph 45, identify each enclave 125 as constituting a group of nodes 105 which is characterized by an identical, or substantially similar, accessibility, inbound and/or outbound, to other nodes 105 in the network 100, and/or external to the network 100) wherein the network topology visualization comprises: a group visualization frame that visually groups the network assets into a 
plurality of primary group regions corresponding to the user-defined primary grouping, and within each primary group region further visually organizes the network assets according to the user-defined secondary grouping; (Cummins-Paragraph 83, selection of an ACL parameter segment 812 of the outer concentric ring 804, and re-ordering of the ACL parameter segments 812 of the inner concentric ring 806) and a detailed device information frame that, in response to selection of a particular network asset in the group visualization frame, presents (a) a device table comprising device-level information for a plurality of network assets including at least a device identifier, a profile, a subnet, a number of security risks, (Cummins-Paragraph 55, provides the user with the ability to visualize key characteristics about a given node, group, or network within the context of the security risk posture.) and one or more applications installed or running on each network asset, and (b) a connections table comprising connection-level information for the particular network asset including identifiers, profiles, and subnets of devices connected to the particular network asset (Cummins-Paragraph 57,Paragraph 59, enables such a user 202 quickly to identify a traffic flow between two nodes 105 with different security sensitivity values, or in different enclaves 125, or otherwise intended not to be capable of accessing each other, but through an unintended combination of the security configurations 120 of different security appliances 110 access is nevertheless technically possible,Paragraph 84, accessibility curves 850 and traffic curves may be rendered in the dynamic accessibility diagram 800 together, or separately) While Cummins substantially disclosed the claimed invention Cummins does not disclose (re. Claim 1) wherein the network topology for the subset of network assets is determined based at least in part on network logs and device-discovery metadata obtained from the network. 
Kannan Column 2 Lines 1-5 disclosed wherein processing of data feeds (e.g., alerts and logs) and the deployment of corresponding detection rules may be deployed at the SIEM to mitigate threats against enterprise networks and computer systems. Kannan disclosed (re. Claim 1) wherein the network topology for the subset of network assets is determined based at least in part on network logs and device-discovery metadata obtained from the network. (Kannan-Column 2 Lines 1-5, processing of data feeds (e.g., alerts and logs) and the deployment of corresponding detection rules may be deployed at the SIEM to mitigate threats against enterprise networks, Column 7 Lines 60-65, assessment, recommendation and mitigation manager 101 can automatically track the dynamic threat landscape, Column 11 Lines 15-25, identify specific alerts and specific log entries generated by various components in the enterprise level security system 303, and map them to specific threat components in the tracked dynamic threat landscape)

Cummins and Kannan are analogous art because they provide concepts and practices regarding network security risk assessments. Before the time of the effective filing date of the claimed invention it would have been obvious to combine Kannan into Cummins. The motivation for the said combination would have been to enable the assessment, recommendation and mitigation manager 101 to assess the threat response capability of the enterprise level security system 303, and quantify the effectiveness thereof (e.g., how capably is the SOC 111 able to respond to threats after they have been detected). (Kannan-Column 17 Lines 20-35)

Regarding Claim 25

Cummins-Kannan disclosed (re.
Claim 25) wherein the one or more processors are further configured to: for each of a plurality of network assets represented in the network topology visualization, determine whether the network asset is a security risk based at least in part on the network topology and device-level information for the network asset; (Cummins-Paragraph 55, provides the user with the ability to visualize key characteristics about a given node, group, or network within the context of the security risk posture.) and in response to determining that the network asset is a security risk, update the network topology visualization to emphasize the network asset and to present, within the detailed device information frame, an active measure recommendation for remediating the security risk for the network asset. (Kannan-Column 17 Lines 20-35, the assessment, recommendation and mitigation manager 101 may automatically assess the threat response capability of the enterprise level security system 303, and quantifying the effectiveness thereof (e.g., how capably is the SOC 111 able to respond to threats after they have been detected). Responding to a threat can comprise controlling the threat by taking actions to prevent the threat from being able to penetrate the enterprise and/or compromise its resources, such as changing firewall settings or fixing vulnerabilities that enable the threat to successfully attack the enterprise.)

Information Disclosure Statement

The Applicant is respectfully reminded that each individual associated with the filing and prosecution of a patent application has a duty of candor and good faith in dealing with the Office, which includes a duty to disclose to the Office all information known to that individual to be material to patentability as defined in 37 CFR 1.56. There were no information disclosure statements filed with this application.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1-2, 4-22, 24-25 is/are rejected under 35 U.S.C. 103 as being unpatentable over Cummins (USPGPUB 2022/0116423) further in view of Kannan (US Patent 12107869)

Regarding Claim 1

Cummins Paragraph 45 disclosed an enclave determination module 265 to identify and determine security enclaves 125 in the computer network 100 based at least in part on the standardized firewall configurations (step 415). For example, and as noted above, each enclave 125 may be regarded as a security VLAN, an Electronic Security Perimeter, or network segment, and the computing device 200 may identify each enclave 125 as constituting a group of nodes 105 which is characterized by an identical, or substantially similar, accessibility, inbound and/or outbound, to other nodes 105 in the network 100, and/or external to the network 100.

Cummins disclosed (re.
Claim 1) a system for visualizing network topology, comprising: one or more processors configured to: automatically generate a network topology visualization of network assets for a network; (Cummins-Figure 4, Paragraph 56, for one or more of the network enclaves 125, the map may be generated to include a visual boundary 525 enclosing the icons 505 of the nodes 105 belonging to the network enclave 125) and group the network assets into a plurality of groupings (Cummins-Paragraph 56, icons 505 corresponding to nodes 105 belonging respectively to one or more corresponding network enclaves 125 may be positioned close together, or in other words grouped together, relative to the icons 505 of other nodes 105 ) based on at least two user-selected distinct criteria;(Cummins-Paragraph 75, using the display 210 and user interface 230, to receive from the user 202 a selection of one or more of the ACL parameter segments 812 graphically rendered in the dynamic accessibility diagram 800,Paragraph 78, ACL parameter segment 842 corresponding to the ACL parameter related to local subnet 157.547.2.0 is selected, Paragraph 55,Figure 4, The placement of each icon 505 relative to the center 514 and the outer perimeter 516 of the region 512 in the background 510 may be based on the corresponding security sensitivity value. For example, icons 505 of nodes 105 having relatively higher (more sensitive, more restricted) security sensitivity values may be positioned closer to the center 514 of the region 512 relative to icons 505 of nodes 105 having relatively lower security sensitivity values. The concentric perimeters 517A, 5176, 517C may signify and illustrate different ranges of security sensitivity values) and a memory coupled to the one or more processors and configured to provide the one or more processors with instructions. Cummins disclosed (re. 
Claim 1) obtain, via a user interface, a criteria scope that identifies a subset of network assets of a network to be visualized (Cummins-Paragraph 66, generate in a display 210 a visual representation of accessibility of a selected node or nodes, or a group of nodes, such as a subnet, Paragraph 86, user interface 230 may be operable to select in the map 500 one or more boundary 525 graphically represents one or more network enclaves 125 defined by one or more corresponding firewall 115, and responsive to such selection, or a further input using the display 210 and user interface 230, or otherwise, to generate the dynamic accessibility diagram 800 with one or more pairs of concentric rings 802 corresponding to the same one or more firewall 115.) obtain, via the user interface, a grouping criteria that indicates a multi-level grouping for the subset of network assets, (Cummins-Paragraph 82, the outer concentric ring 804 and/or the inner concentric ring 806 may be ordered so as to group together circumferentially the ACL parameter segments 812 corresponding to different respective VLANs defined by the corresponding firewall configuration 120,Paragraph 81, responsive to selections or other actions by a user using the display 210 using the user interface 230, inasmuch as the ordering of the ACL parameters segments 812 of a given pair of concentric rings 802 which optimally facilitates visual understanding of the network security configuration may be different depending on such selections or other user actions) wherein the grouping criteria includes a user- defined primary grouping and a user-defined secondary grouping based on respective device attributes of the network assets automatically determine a network topology for the subset of network assets,(Cummins-Paragraph 83, selection of an ACL parameter segment 812 of the outer concentric ring 804, and re-ordering of the ACL parameter segments 812 of the inner concentric ring 806) automatically generate, based at least 
in part on the network topology and the grouping criteria, (Cummins-Figure 4, Paragraph 56, for one or more of the network enclaves 125, the map may be generated to include a visual boundary 525 enclosing the icons 505 of the nodes 105 belonging to the network enclave 125) a network topology visualization of the subset of network assets for the network, (Cummins-Paragraph 45, identify each enclave 125 as constituting a group of nodes 105 which is characterized by an identical, or substantially similar, accessibility, inbound and/or outbound, to other nodes 105 in the network 100, and/or external to the network 100) wherein the network topology visualization comprises: a group visualization frame that visually groups the network assets into a plurality of primary group regions corresponding to the user-defined primary grouping, and within each primary group region further visually organizes the network assets according to the user-defined secondary grouping; (Cummins-Paragraph 83, selection of an ACL parameter segment 812 of the outer concentric ring 804, and re-ordering of the ACL parameter segments 812 of the inner concentric ring 806) and a detailed device information frame that, in response to selection of a particular network asset in the group visualization frame, presents (a) a device table comprising device-level information for a plurality of network assets including at least a device identifier, a profile, a subnet, a number of security risks, (Cummins-Paragraph 55, provides the user with the ability to visualize key characteristics about a given node, group, or network within the context of the security risk posture.) 
and one or more applications installed or running on each network asset, and (b) a connections table comprising connection-level information for the particular network asset including identifiers, profiles, and subnets of devices connected to the particular network asset (Cummins-Paragraph 57,Paragraph 59, enables such a user 202 quickly to identify a traffic flow between two nodes 105 with different security sensitivity values, or in different enclaves 125, or otherwise intended not to be capable of accessing each other, but through an unintended combination of the security configurations 120 of different security appliances 110 access is nevertheless technically possible,Paragraph 84, accessibility curves 850 and traffic curves may be rendered in the dynamic accessibility diagram 800 together, or separately) While Cummins substantially disclosed the claimed invention Cummins does not disclose (re. Claim 1) wherein the network topology for the subset of network assets is determined based at least in part on network logs and device-discovery metadata obtained from the network. Kannan Column 2 Lines 1-5 disclosed wherein processing of data feeds (e.g., alerts and logs) and the deployment of corresponding detection rules may be deployed at the SIEM to mitigate threats against enterprise networks and computer systems. Kannan disclosed (re. 
Claim 1) wherein the network topology for the subset of network assets is determined based at least in part on network logs and device-discovery metadata obtained from the network. (Kannan-Column 2 Lines 1-5, processing of data feeds (e.g., alerts and logs) and the deployment of corresponding detection rules may be deployed at the SIEM to mitigate threats against enterprise networks, Column 7 Lines 60-65, assessment, recommendation and mitigation manager 101 can automatically track the dynamic threat landscape, Column 11 Lines 15-25, identify specific alerts and specific log entries generated by various components in the enterprise level security system 303, and map them to specific threat components in the tracked dynamic threat landscape)

Cummins and Kannan are analogous art because they provide concepts and practices regarding network security risk assessments. Before the time of the effective filing date of the claimed invention it would have been obvious to combine Kannan into Cummins. The motivation for the said combination would have been to enable the assessment, recommendation and mitigation manager 101 to assess the threat response capability of the enterprise level security system 303, and quantify the effectiveness thereof (e.g., how capably is the SOC 111 able to respond to threats after they have been detected). (Kannan-Column 17 Lines 20-35)

Regarding Claim 20

Claim 20 (re. method) recites substantially similar limitations as Claim 1. Claim 20 is rejected on the same basis as Claim 1.

Regarding Claim 21

Claim 21 (re. computer program) recites substantially similar limitations as Claim 1. Claim 21 is rejected on the same basis as Claim 1.

Regarding Claim 2

While Cummins substantially disclosed the claimed invention Cummins does not disclose (re. Claim 2) wherein the network is an enterprise network. Kannan Column 2 Lines 1-5 disclosed wherein processing of data feeds (e.g., alerts and logs) and the deployment of corresponding detection rules may be deployed at the SIEM to mitigate threats against enterprise networks and computer systems. Kannan disclosed (re. Claim 2) wherein the network is an enterprise network. (Kannan-Column 2 Lines 1-5, processing of data feeds (e.g., alerts and logs) and the deployment of corresponding detection rules may be deployed at the SIEM to mitigate threats against enterprise networks)

Cummins and Kannan are analogous art because they provide concepts and practices regarding network security risk assessments. Before the time of the effective filing date of the claimed invention it would have been obvious to combine Kannan into Cummins. The motivation for the said combination would have been to enable the assessment, recommendation and mitigation manager 101 to assess the threat response capability of the enterprise level security system 303, and quantify the effectiveness thereof (e.g., how capably is the SOC 111 able to respond to threats after they have been detected). (Kannan-Column 17 Lines 20-35)

Regarding Claim 4

Cummins-Kannan disclosed (re. Claim 4) determine a potential security risk with the network based at least in part on one or more of the plurality of groupings. (Cummins-Paragraph 55, provides the user with the ability to visualize key characteristics about a given node, group, or network within the context of the security risk posture.)

Regarding Claim 5

While Cummins substantially disclosed the claimed invention Cummins does not disclose (re. Claim 5) in response to detecting the potential security risk, provide a recommendation for an active measure to be performed to remediate the potential security risk.
Kannan Column 17 Lines 20-35 disclosed wherein the assessment, recommendation and mitigation manager 101 may automatically assess the threat response capability of the enterprise level security system 303, and quantifying the effectiveness thereof (e.g., how capably is the SOC 111 able to respond to threats after they have been detected). Responding to a threat can comprise controlling the threat by taking actions to prevent the threat from being able to penetrate the enterprise and/or compromise its resources, such as changing firewall settings or fixing vulnerabilities that enable the threat to successfully attack the enterprise. Kannan disclosed (re. Claim 5) wherein the one or more processors are further configured to: in response to detecting the potential security risk, provide a recommendation for an active measure to be performed to remediate the potential security risk.( Kannan-Column 17 Lines 20-35,the assessment, recommendation and mitigation manager 101 may automatically assess the threat response capability of the enterprise level security system 303, and quantifying the effectiveness thereof (e.g., how capably is the SOC 111 able to respond to threats after they have been detected). Responding to a threat can comprise controlling the threat by taking actions to prevent the threat from being able to penetrate the enterprise and/or compromise its resources, such as changing firewall settings or fixing vulnerabilities that enable the threat to successfully attack the enterprise.) Cummins and Kannan are analogous art because they provide concepts and practices regarding network security risk assessments. Before the time of the effective filing date of the claimed invention it would have been obvious to combine Kannan into Cummins. 
The motivation for the said combination would have been to enable the assessment, recommendation and mitigation manager 101 to assess the threat response capability of the enterprise level security system 303, and quantify the effectiveness thereof (e.g., how capably is the SOC 111 able to respond to threats after they have been detected). (Kannan-Column 17 Lines 20-35)

Regarding Claim 6

Cummins-Kannan disclosed (re. Claim 6) wherein the recommendation for the active measure is automatically generated based on threat research. (Kannan-Column 17 Lines 20-35, the assessment, recommendation and mitigation manager 101 may automatically assess the threat response capability of the enterprise level security system 303, and quantifying the effectiveness thereof (e.g., how capably is the SOC 111 able to respond to threats after they have been detected). Responding to a threat can comprise controlling the threat by taking actions to prevent the threat from being able to penetrate the enterprise and/or compromise its resources, such as changing firewall settings or fixing vulnerabilities that enable the threat to successfully attack the enterprise.)

Regarding Claim 7

Cummins-Kannan disclosed (re. Claim 7) wherein the active measure includes one or more of: (i) install a patch on a particular network asset, (ii) invoke a password change for the particular network asset, (iii) cause a network configuration change to close a particular port, (iv) generate and provide an alert to a user associated with the network asset. (Kannan-Column 17 Lines 20-35, the assessment, recommendation and mitigation manager 101 may automatically assess the threat response capability of the enterprise level security system 303, and quantifying the effectiveness thereof (e.g., how capably is the SOC 111 able to respond to threats after they have been detected). Responding to a threat can comprise controlling the threat by taking actions to prevent the threat from being able to penetrate the enterprise and/or compromise its resources, such as changing firewall settings or fixing vulnerabilities that enable the threat to successfully attack the enterprise.)

Regarding Claim 8

Cummins-Kannan disclosed (re. Claim 8) update the network topology visualization of network assets based at least in part on one or more of the plurality of groupings. (Cummins-Paragraph 62, configuration modification module 297 may be further configured to implement the changes by formulating the command sets appropriate to each corresponding firewall 115 (step 625) and transmitting the command sets to the corresponding security devices 110 with authentication and encryption as required)

Regarding Claim 9

Cummins-Kannan disclosed (re. Claim 9) wherein the network topology visualization of network assets is updated to identify a subset of devices that satisfy a selected interest criteria. (Cummins-Paragraph 75, using the display 210 and user interface 230, to receive from the user 202 a selection of one or more of the ACL parameter segments 812 graphically rendered in the dynamic accessibility diagram 800, Paragraph 78, ACL parameter segment 842 corresponding to the ACL parameter related to local subnet 157.547.2.0 is selected)

Regarding Claim 10

Cummins-Kannan disclosed (re. Claim 10) wherein the subset of devices is identified based on causing the subset of network assets to be visualized more emphatically than other network assets for the network. (Cummins-Paragraph 59, generates a visual representation of the network security configuration which renders such defects immediately apparent to the eye of a network security administrator of ordinary skill.)

Regarding Claim 11

Cummins-Kannan disclosed (re. Claim 11) wherein the network topology visualization of network assets is updated to comprise a set of visualization indicators based on risks associated with one or more of the network assets for the network. (Cummins-Paragraph 59, enables such a user 202 quickly to identify a traffic flow between two nodes 105 with different security sensitivity values, or in different enclaves 125, or otherwise intended not to be capable of accessing each other, but through an unintended combination of the security configurations 120 of different security appliances 110 access is nevertheless technically possible.)

Regarding Claim 12

Cummins-Kannan disclosed (re. Claim 12) wherein the network assets are grouped according to at least two or more of: a network segmentation, a subnet, (Cummins-Paragraph 78, ACL parameter segment 842 corresponding to the ACL parameter related to local subnet 157.547.2.0 is selected) a device type, and a vendor. (Cummins-Paragraph 37, The different security appliances 110 may include a number of different security appliance types, and may require correspondingly different inputs in order to retrieve the firewall configuration 120 of its corresponding firewall 115.)

Regarding Claim 13

Cummins-Kannan disclosed (re. Claim 13) wherein the network assets comprise one or more of a network device, an Internet of Things (IoT) device, and a commercial operational technology (OT) device. (Cummins-Paragraph 37, The different security appliances 110 may include a number of different security appliance types, and may require correspondingly different inputs in order to retrieve the firewall configuration 120 of its corresponding firewall 115.)

Regarding Claim 14

Cummins-Kannan disclosed (re. Claim 14) wherein the one or more processors are further configured to receive a user input associated with the network topology visualization. (Cummins-Paragraph 75, using the display 210 and user interface 230, to receive from the user 202 a selection of one or more of the ACL parameter segments 812 graphically rendered in the dynamic accessibility diagram 800, Paragraph 78, ACL parameter segment 842 corresponding to the ACL parameter related to local subnet 157.547.2.0 is selected)

Regarding Claim 15

Cummins-Kannan disclosed (re. Claim 15) in response to determining that the user input is a zoom in request, updating the network visualization to include different information pertaining to one or more of the network assets. (Cummins-Paragraph 86, graphical expansions, elaborations, magnifications—or, in colloquial terms, “zooming-in”—of boundaries 525)

Regarding Claim 16

Cummins-Kannan disclosed (re. Claim 16) wherein the different information comprises more granular detailed information for the network assets. (Cummins-Paragraph 86, graphical expansions, elaborations, magnifications—or, in colloquial terms, “zooming-in”—of boundaries 525)

Regarding Claim 17

Cummins-Kannan disclosed (re. Claim 17) in response to determining that the user input corresponds to a selection of a particular network asset, configuring a user interface to include detailed information for the particular network asset. (Cummins-Paragraph 86, graphical expansions, elaborations, magnifications—or, in colloquial terms, “zooming-in”—of boundaries 525)

Regarding Claim 18

Cummins-Kannan disclosed (re. Claim 18) wherein the detailed information comprises information pertaining to communications to/from the particular network asset. (Cummins-Paragraph 57, map 500 may be generated to show one or more of the network traffic flows between corresponding first and second nodes 105 in the network 100, or external to the network 100.)

Regarding Claim 19

Cummins-Kannan disclosed (re. Claim 19) in response to determining that the user input corresponds to a selection of a particular network asset, configuring a user interface to with which a user updates a configuration of the network asset in response to receipt of another user input. (Cummins-Paragraph 62, configuration modification module 297 may be further configured to implement the changes by formulating the command sets appropriate to each corresponding firewall 115 (step 625) and transmitting the command sets to the corresponding security devices 110 with authentication and encryption as required)

Regarding Claim 22

Cummins-Kannan disclosed (re. Claim 22) dynamically update the network topology visualization in response to user interaction and changes in grouping criteria. (Cummins-Paragraph 61, enable a user 202 to use the user interface 230 to select and move, e.g. drag-and-drop, in the map 500 an icon 505 representing a node 105 from a first location in the map 500 within a visual boundary 525 corresponding to an enclave 125, e.g. a first enclave 126 to a second location in the map 500 outside of the visual boundary 525 of the first enclave 126.)

Regarding Claim 24

Cummins-Kannan disclosed (re. Claim 24) provide to the user a recommendation of one or more grouping criteria (Kannan-Column 17 Lines 20-35, the assessment, recommendation and mitigation manager 101 may automatically assess the threat response capability of the enterprise level security system 303, and quantifying the effectiveness thereof (e.g., how capably is the SOC 111 able to respond to threats after they have been detected). Responding to a threat can comprise controlling the threat by taking actions to prevent the threat from being able to penetrate the enterprise and/or compromise its resources, such as changing firewall settings or fixing vulnerabilities that enable the threat to successfully attack the enterprise.) based on detected security risk trends.
(Cummins-Paragraph 55, provides the user with the ability to visualize key characteristics about a given node, group, or network within the context of the security risk posture.) Regarding Claim 25 Cummins-Kannan disclosed (re. Claim 25) wherein the one or more processors are further configured to: for each of a plurality of network assets represented in the network topology visualization, determine whether the network asset is a security risk based at least in part on the network topology and device-level information for the network asset; (Cummins-Paragraph 55, provides the user with the ability to visualize key characteristics about a given node, group, or network within the context of the security risk posture.) and in response to determining that the network asset is a security risk, update the network topology visualization to emphasize the network asset and to present, within the detailed device information frame, an active measure recommendation for remediating the security risk for the network asset. (Kannan-Column 17 Lines 20-35,the assessment, recommendation and mitigation manager 101 may automatically assess the threat response capability of the enterprise level security system 303, and quantifying the effectiveness thereof (e.g., how capably is the SOC 111 able to respond to threats after they have been detected). Responding to a threat can comprise controlling the threat by taking actions to prevent the threat from being able to penetrate the enterprise and/or compromise its resources, such as changing firewall settings or fixing vulnerabilities that enable the threat to successfully attack the enterprise.) Claim(s) 3 is/are rejected under 35 U.S.C. 103 as being unpatentable over Cummins (USPGPUB 2022/0116423) further in view of Kannan (US Patent 12107869) further in view of Gourisetti (US Patent 12107869) Regarding Claim 3 While Cummins-Kannan substantially disclosed the claim invention Cummins-Kannan does not disclose (re. 
Claim 3) wherein the network is an industrial network. Gourisetti Paragraph 73 disclosed wherein graphical interfaces provide a way for a user to observe the interconnections and how the different moving parts are connected together. Gourisetti Figure 3, Paragraph 74,Paragraph 87 disclosed power grid utilities having multiple entities responsible for various business functions and multiple facilities that carry out various engineering tasks or that house various assets. Gourisetti disclosed (re. Claim 3) wherein the network is an industrial network.(Gourisetti-Figure 3, Paragraph 74,Paragraph 87,power grid utilities having multiple entities responsible for various business functions and multiple facilities that carry out various engineering tasks or that house various assets.) Cummins,Kannan and Gourisetti are analogous art because they provide concepts and practices regarding network security risk assessments. Before the time of the effective filing date of the claimed invention it would have been obvious to combine Gourisetti into Cummins-Kannan. The motivation for the said combination would have been to enable users to use the graphical mapping of the interconnectedness to make informed, strategic decisions about how to operate the system, such as a power grid utility, or to make related investment decisions to mitigate risks. The assets that are the most vulnerable can be identified so that balanced decisions regarding where upfront investment should be placed to safeguard the system against cyberattack or other bad events. (Gourisetti-Paragraph 72,Paragraph 73) Claim(s) 23 is/are rejected under 35 U.S.C. 103 as being unpatentable over Cummins (USPGPUB 2022/0116423) further in view of Kannan (US Patent 12107869) further in view of Adamson (US Patent 12341797) Regarding Claim 23 While Cummins-Kannan substantially disclosed the claim invention Cummins-Kannan does not disclose (re. Claim (re. 
Claim 23) filter the network assets within the network topology visualization based on a time-based activity parameter. Adamson Column 24 Lines 50-60 disclosed wherein graphs created by graph generator 146 may be written to data store 30 and cached for further processing. A graph may be a summary of all activity that happened in a particular time interval. As each graph corresponds to a distinct period of time, different rows can be aggregated to find summary information over a larger timestamp. In some examples, picking two different graphs from two different timestamps can be used to compare different periods. If necessary, graph generator 146 can parallelize its workload (e.g., where its backlog cannot otherwise be handled within a particular time period, such as an hour, or if is required to process a graph spanning a long time period). Adamson disclosed (re. Claim 23) filter the network assets within the network topology visualization based on a time-based activity parameter.(Adamson-Column 24 Lines 50-60,graphs created by graph generator 146 may be written to data store 30 and cached for further processing. A graph may be a summary of all activity that happened in a particular time interval.) Cummins,Kannan and Adamson are analogous art because they provide concepts and practices regarding network security risk assessments. Before the time of the effective filing date of the claimed invention it would have been obvious to combine Adamson into Cummins-Kannan. The motivation for the said combination would have been to enable generating a polygraph such as is depicted in FIG. 2C to establish a baseline of behavior (e.g., at the one-hour level), allowing for the future detection of deviations from that baseline. 
(Adamson-Column 19 Lines 45-50) Conclusion Examiner’s Note: In the case of amending the claimed invention, Applicant is respectfully requested to indicate the portion(s) of the specification which dictate(s) the structure relied on for proper interpretation and also to verify and ascertain the metes and bounds of the claimed invention. Any inquiry concerning this communication or earlier communications from the examiner should be directed to GREG C BENGZON whose telephone number is (571)272-3944. The examiner can normally be reached on Monday - Friday 8 AM - 4:30 PM. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, John Follansbee can be reached on (571) 272-3964. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /GREG C BENGZON/ Primary Examiner, Art Unit 2444

Prosecution Timeline

Jul 31, 2023: Application Filed
Apr 04, 2025: Non-Final Rejection — §103
Jul 09, 2025: Response Filed
Sep 10, 2025: Final Rejection — §103
Nov 17, 2025: Request for Continued Examination
Nov 22, 2025: Response after Non-Final Action
Feb 20, 2026: Non-Final Rejection — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12574727
EMERGENCY REPORTING SYSTEM FOR VEHICLE, AND VEHICLE
2y 5m to grant Granted Mar 10, 2026
Patent 12549481
PROACTIVE HASHING FOR PACKET PROCESSING ENGINE
2y 5m to grant Granted Feb 10, 2026
Patent 12543231
METHOD AND DEVICE FOR COMMUNICATION ON MULTIPLE LINKS, AND COMPUTER-READABLE STORAGE MEDIUM
2y 5m to grant Granted Feb 03, 2026
Patent 12537789
METHODS AND SYSTEM FOR DISTRIBUTING INFORMATION VIA MULTIPLE FORMS OF DELIVERY SERVICES
2y 5m to grant Granted Jan 27, 2026
Patent 12530951
METHOD AND SYSTEM FOR ENROLLING A CAMERA INTO A VIDEO SURVEILLANCE SYSTEM
2y 5m to grant Granted Jan 20, 2026
Based on 5 most recent grants.

Prosecution Projections

Expected OA Rounds: 3-4
Grant Probability: 58%
With Interview (+5.9%): 64%
Median Time to Grant: 3y 11m
PTA Risk: High
Based on 486 resolved cases by this examiner. Grant probability derived from career allow rate.
