Prosecution Insights
Last updated: April 19, 2026
Application No. 18/292,012

TECHNIQUE FOR DETECTING CYBER ATTACKS ON RADARS

Non-Final OA §101 §102 §103
Filed: Jan 25, 2024
Examiner: DOZE, PETER DAVON
Art Unit: 3648
Tech Center: 3600 — Transportation & Electronic Commerce
Assignee: Elta Systems Ltd.
OA Round: 1 (Non-Final)
Grant Probability: 82% (Favorable)
OA Rounds: 1-2
To Grant: 2y 11m
With Interview: 91%

Examiner Intelligence

Grants 82% — above average
Career Allow Rate: 82% (18 granted / 22 resolved, +29.8% vs TC avg)
Interview Lift: +8.9% (Moderate +9% lift, resolved cases with interview)
Typical timeline: Avg Prosecution 2y 11m (33 currently pending)
Career history: Total Applications 55 (across all art units)

Statute-Specific Performance

§101: 6.4% (-33.6% vs TC avg)
§103: 59.3% (+19.3% vs TC avg)
§102: 22.6% (-17.4% vs TC avg)
§112: 10.9% (-29.1% vs TC avg)
Black line = Tech Center average estimate • Based on career data from 22 resolved cases

Office Action

§101 §102 §103
Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 101

35 U.S.C. 101 reads as follows: Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 28, 42, and 47 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.

Regarding claim 28

Step 1: The claim recites the steps of a process.

Step 2A Prong 1: Claim 28 recites the limitations of monitoring a radar system by collecting and analyzing reports, identifying anomalies, identifying correlations to recognize cyber attacks, and having a response to identifying a cyber attack. These limitations, as drafted, are a process that, under the broadest reasonable interpretation, covers limitations that can be performed by the human mind. The concepts of monitoring, collecting, analyzing, and identifying, as recited in the claim, are observations, evaluations, judgements, and/or opinions, which fall into the mental process group of abstract ideas (e.g., a person can look at data reports to see that a velocity changes in an un-physical way). Nothing in the claim precludes them from being performed in the human mind, with or without the aid of a physical aid such as a pen and paper (See MPEP 2016.04(a)).

Step 2A Prong 2: The judicial exception is not integrated into a practical application because the claim does not recite any additional elements that amount to significantly more than the judicial exception. Claim 1 recites the additional elements of a processor-memory circuit/device, a radar device, and several other modules. The modules that send reports are engaging in data gathering of their respective metrics. 
The processor-memory and radar simply link the use of the abstract idea to the environment of anomaly/cyber attack checking on sensory equipment. For at least the above reasons, the additional elements do not integrate the abstract idea into a practical application.

Step 2B: The claim does not provide an inventive concept because as recited in the previous paragraphs above, the claim recites the additional elements of a processor-memory circuit/device, a radar device, and several other modules, an insignificant extra-solution activity that does not amount to an inventive concept See 2015.06. The particular type of data/information does not make the performance of a cyber attack check other than abstract. Moreover, the additional elements do not reflect an improvement to a technology or technical field, or include the use of a particular machine or particular transformation. The additional elements, taken individually and in combination, do not result in the claim as a whole amounting to significantly more than an abstract idea itself (See MPEP 2106.05). Therefore, the claim is not eligible under 35 U.S.C. 101. Similarly claims 42 and 47 are also not eligible under 35 U.S.C. 101.

Claim Rejections - 35 USC § 102

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 
102 that form the basis for the rejections under this section made in this Office action: A person shall be entitled to a patent unless – (a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

Claim(s) 28, 30, 31, 42, 46, 47 is/are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Ryon (US 10182065 B1).

Regarding claim 28 Ryon discloses A computer-implemented method for detecting a cyber attack in a radar system, the radar system comprising a number of modules configured to produce data reports on their performance, the number of modules including at least one radar, the method performed by a processor and memory circuitry (PMC) (Column 4 lines 48-52, "The IDS system computing device may include a processor configured to execute instructions of an IDS engine (e.g., an IDS correlation engine) to analyze the reports from the augmented vetronics computing devices to determine whether a cyber security threat exists."; Column 10 lines 44-54, "Referring now to FIG. 3, the aircraft sensors 122 of FIG. 1 are shown. Each of the aircraft sensors 122 may be configured to sense a particular condition(s) external to the aircraft 102 or within the aircraft 102 and output data associated with particular sensed condition(s) to one or more onboard devices or onboard systems (e.g., the communication system 104, the computing devices 112, the aircraft sensors 122, the input/output devices 124, or a combination thereof). For example, the aircraft sensors 122 may include an inertial measurement unit 302, a radio altimeter 304, weather radar 306"; Column 5 lines 1-9, "The first computing device may include a memory and a processor. 
The first computing device may be configured to receive, from each of the avionics computing devices, the cyber security report associated with the one or more received messages determined to include the aberrant data. Based at least on the received cyber security report, the first computing device may be configured to determine an occurrence of a cyber security threat at least with respect to one or more of the avionics computing devices.") and comprising:- monitoring operation of the radar system by collecting and processing the data reports from said modules, including the radar reports from said at least one radar (Column 4 lines 48-52, "The IDS system computing device may include a processor configured to execute instructions of an IDS engine (e.g., an IDS correlation engine) to analyze the reports from the augmented vetronics computing devices to determine whether a cyber security threat exists" where a radar is included in the vetronics devices as cited above), - detecting one or more local anomalies at least in said radar reports, - analyzing the detected local anomalies for identifying one or more correlations between said local anomalies, - in case of identifying said correlations, determining the detected anomalies as cyber anomalies, thereby detecting the cyber attack (Column 4 lines 48-52, "The IDS system computing device may include a processor configured to execute instructions of an IDS engine (e.g., an IDS correlation engine) to analyze the reports from the augmented vetronics computing devices to determine whether a cyber security threat exists" where the IDS is a correlation machine), - upon detecting the cyber attack, performing at least one predetermined action to respond thereto (Column 13 lines 48-58, " in response to determining the occurrence of the cyber security threat, the processor 114-1 may be configured to generate and output cyber security threat data associated with the determined cyber security threat to another computing device 
(which may be interfaceable by a user), to an input/output device (e.g., a display) configured to present (e.g., graphically present) the data associated with the determined cyber security threat to a user, and/or to a computer-readable medium (e.g., memory 116-1 and/or storage 118-1) to be stored (e.g., maintained)").

Regarding claim 30 Ryon discloses The method according to claim 28, wherein said one or more correlations include one or more combinations, sequences and/or dependencies of the local anomalies (Column 4 lines 48-52, "The IDS system computing device may include a processor configured to execute instructions of an IDS engine (e.g., an IDS correlation engine) to analyze the reports from the augmented vetronics computing devices to determine whether a cyber security threat exists"; Column 5 lines 1-9, "The first computing device may include a memory and a processor. The first computing device may be configured to receive, from each of the avionics computing devices, the cyber security report associated with the one or more received messages determined to include the aberrant data. Based at least on the received cyber security report, the first computing device may be configured to determine an occurrence of a cyber security threat at least with respect to one or more of the avionics computing devices."). 

Regarding claim 31 Ryon discloses The method according to claim 28, wherein the step of analyzing the local anomalies comprises correlating based at least partly on a Machine Learning (ML) algorithm (Column 4 lines 48-52, "The IDS system computing device may include a processor configured to execute instructions of an IDS engine (e.g., an IDS correlation engine) to analyze the reports from the augmented vetronics computing devices to determine whether a cyber security threat exists"; Column 14 lines 1-9, "In some embodiments, the processor 114-1 or another processor of the system 100 may be configured to analyze the filtered received data (e.g., filtered reports), for example, by analyzing (e.g., statistically analyzing, correlating, applying a machine learning algorithm, and/or recognizing patterns in) previously filtered received data and verified cyber security threat data and/or missed false positive cyber security threat data corresponding to false positives which passed the filtering according to the predetermined filter rules").

Regarding claim 42 Ryon discloses A processor and memory circuitry (PMC) designed for detecting a cyber attack in a radar system having a number of modules configured to produce data reports on their performance, said modules including at least one radar (Column 4 lines 48-52, "The IDS system computing device may include a processor configured to execute instructions of an IDS engine (e.g., an IDS correlation engine) to analyze the reports from the augmented vetronics computing devices to determine whether a cyber security threat exists."; Column 10 lines 44-54, "Referring now to FIG. 3, the aircraft sensors 122 of FIG. 1 are shown. 
Each of the aircraft sensors 122 may be configured to sense a particular condition(s) external to the aircraft 102 or within the aircraft 102 and output data associated with particular sensed condition(s) to one or more onboard devices or onboard systems (e.g., the communication system 104, the computing devices 112, the aircraft sensors 122, the input/output devices 124, or a combination thereof). For example, the aircraft sensors 122 may include an inertial measurement unit 302, a radio altimeter 304, weather radar 306"; Column 5 lines 1-9, "The first computing device may include a memory and a processor. The first computing device may be configured to receive, from each of the avionics computing devices, the cyber security report associated with the one or more received messages determined to include the aberrant data. Based at least on the received cyber security report, the first computing device may be configured to determine an occurrence of a cyber security threat at least with respect to one or more of the avionics computing devices."); said PMC being configured to be operatively connected to and to establish data communication with said modules for performing the following steps: - monitoring operation of the radar system by collecting and processing the data reports from said modules, including the radar reports from said at least one radar (Column 4 lines 48-52, "The IDS system computing device may include a processor configured to execute instructions of an IDS engine (e.g., an IDS correlation engine) to analyze the reports from the augmented vetronics computing devices to determine whether a cyber security threat exists" where a radar is included in the vetronics devices as cited above), - detecting one or more local anomalies at least in said radar reports, - analyzing the local anomalies detected for identifying one or more correlations between said local anomalies, - in case of identifying said correlations, determining the detected anomalies as 
cyber anomalies, thus detecting the cyber attack (Column 4 lines 48-52, "The IDS system computing device may include a processor configured to execute instructions of an IDS engine (e.g., an IDS correlation engine) to analyze the reports from the augmented vetronics computing devices to determine whether a cyber security threat exists" where the IDS is a correlation machine), - upon detecting the cyber attack, performing at least one predetermined action to respond thereto (Column 13 lines 48-58, " in response to determining the occurrence of the cyber security threat, the processor 114-1 may be configured to generate and output cyber security threat data associated with the determined cyber security threat to another computing device (which may be interfaceable by a user), to an input/output device (e.g., a display) configured to present (e.g., graphically present) the data associated with the determined cyber security threat to a user, and/or to a computer-readable medium (e.g., memory 116-1 and/or storage 118-1) to be stored (e.g., maintained)").

Regarding claim 46 Ryon discloses A radar system comprising the PMC according to Claim 42 (Column 4 lines 48-52, "The IDS system computing device may include a processor configured to execute instructions of an IDS engine (e.g., an IDS correlation engine) to analyze the reports from the augmented vetronics computing devices to determine whether a cyber security threat exists."; Column 10 lines 44-54, "Referring now to FIG. 3, the aircraft sensors 122 of FIG. 1 are shown. Each of the aircraft sensors 122 may be configured to sense a particular condition(s) external to the aircraft 102 or within the aircraft 102 and output data associated with particular sensed condition(s) to one or more onboard devices or onboard systems (e.g., the communication system 104, the computing devices 112, the aircraft sensors 122, the input/output devices 124, or a combination thereof). 
For example, the aircraft sensors 122 may include an inertial measurement unit 302, a radio altimeter 304, weather radar 306"; Column 5 lines 1-9, "The first computing device may include a memory and a processor. The first computing device may be configured to receive, from each of the avionics computing devices, the cyber security report associated with the one or more received messages determined to include the aberrant data. Based at least on the received cyber security report, the first computing device may be configured to determine an occurrence of a cyber security threat at least with respect to one or more of the avionics computing devices").

Regarding claim 47 Ryon discloses A non-transitory computer readable storage medium (Abstract, “A computing device may include a non-transitory computer-readable medium and a processor communicatively coupled to the non-transitory computer-readable medium”) comprising computer-implementable instructions and data for causing a processor and memory circuitry (PMC) of a radar system to perform the method steps including: - monitoring operation of the radar system by collecting and processing data reports from modules of the system, including radar reports from at least one radar (Column 4 lines 48-52, "The IDS system computing device may include a processor configured to execute instructions of an IDS engine (e.g., an IDS correlation engine) to analyze the reports from the augmented vetronics computing devices to determine whether a cyber security threat exists."; Column 10 lines 44-54, "Referring now to FIG. 3, the aircraft sensors 122 of FIG. 1 are shown. 
Each of the aircraft sensors 122 may be configured to sense a particular condition(s) external to the aircraft 102 or within the aircraft 102 and output data associated with particular sensed condition(s) to one or more onboard devices or onboard systems (e.g., the communication system 104, the computing devices 112, the aircraft sensors 122, the input/output devices 124, or a combination thereof). For example, the aircraft sensors 122 may include an inertial measurement unit 302, a radio altimeter 304, weather radar 306"; Column 5 lines 1-9, "The first computing device may include a memory and a processor. The first computing device may be configured to receive, from each of the avionics computing devices, the cyber security report associated with the one or more received messages determined to include the aberrant data. Based at least on the received cyber security report, the first computing device may be configured to determine an occurrence of a cyber security threat at least with respect to one or more of the avionics computing devices"), - detecting one or more local anomalies at least in said radar reports, - analyzing the local anomalies detected for identifying one or more correlations between said local anomalies, - in case of identifying said correlations, determining the detected anomalies as cyber anomalies, thus detecting the cyber attack (Column 4 lines 48-52, "The IDS system computing device may include a processor configured to execute instructions of an IDS engine (e.g., an IDS correlation engine) to analyze the reports from the augmented vetronics computing devices to determine whether a cyber security threat exists" where the IDS is a correlation machine), - upon detecting the cyber attack, performing at least one predetermined action to respond thereto (Column 13 lines 48-58, " in response to determining the occurrence of the cyber security threat, the processor 114-1 may be configured to generate and output cyber security threat data 
associated with the determined cyber security threat to another computing device (which may be interfaceable by a user), to an input/output device (e.g., a display) configured to present (e.g., graphically present) the data associated with the determined cyber security threat to a user, and/or to a computer-readable medium (e.g., memory 116-1 and/or storage 118-1) to be stored (e.g., maintained)").

Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claim(s) 29 is/are rejected under 35 U.S.C. 
103 as being unpatentable over Ryon (US 10182065 B1) in view of Gopalakrishnan (US 9524648 B1).

Regarding claim 29 Ryon discloses The method according to Claim 28, performed for one or more entities online (Column 1 lines 48-59, "An HIDS is typically implemented with a separate application running on a computing device that attempts to detect intrusions by monitoring an operating system (OS) and applications running on the computing device…typically limited connectivity of vetronics devices prevents rules signatures from being updated in a real-time manner, which significantly increases the time to update new signatures for recently discovered intrusions" where a host intrusion detection system operates online). Ryon does not disclose wherein said one or more entities are selected from a non-exhaustive list comprising a track, a plot, an entity at least partially related to energy consumption. Gopalakrishnan discloses Wherein said one or more entities are selected from a non-exhaustive list comprising a track, a plot, an entity at least partially related to energy consumption (Column 16 line 57-Column 17 line 4, "The compromise module 136 may generate the UAV compromise data 138 based on energy consumption of one or more systems or devices of the UAV 102…The compromise module 136 may generate the UAV compromise data 138 in response to a determination that the amount of energy consumed by the one or more rotors 228 is greater than or equal to a threshold value. In another example, the compromise module 136 may access data indicative of previous amounts of energy consumed by the one or more rotors 228. The compromise module 136 may compare the current energy consumption amount of the rotors 228 with the previous amounts of energy consumed" where the compromise module determines if there is a threat). Ryon discusses monitoring several modules of a vehicle/aircraft but does not specify monitoring the energy consumption of a module. 
Monitoring the energy consumption is advantageous in that it is a more specific implementation of the intrusion detection system, IDS, which would facilitate the use of this patent. More specifically, using the energy monitoring can be one method for tracking and double checking anomalies/cyber attacks between multiple methods. Additionally, monitoring the energy consumption of a module can recognize not only cyber attacks but also malfunctions. An aircraft with a malfunctioning, or attacked, weather radar can be disastrous. As such, it would have been obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to modify Ryon with Gopalakrishnan to add in energy consumption monitoring to facilitate an anomaly detection method that can be double checked with another method, and to facilitate a way to check that a vital component, such as a weather radar, is functioning properly.

Claim(s) 32, 35, 37 is/are rejected under 35 U.S.C. 103 as being unpatentable over Ryon (US 10182065 B1) in view of Gopalakrishnan (US 9524648 B1) further in view of Sirianni (US 10885393 B1).

Regarding claim 32 the combination of Ryon and Gopalakrishnan discloses The method according claim 29. 
Ryon discloses wherein at the step of detecting one or more local anomalies, a local anomality is detected based on checking at least one current set of characteristic features per entity (Column 4 lines 48-52, "The IDS system computing device may include a processor configured to execute instructions of an IDS engine (e.g., an IDS correlation engine) to analyze the reports from the augmented vetronics computing devices to determine whether a cyber security threat exists"; Column 13 lines 48-56, " in response to determining the occurrence of the cyber security threat, the processor 114-1 may be configured to generate and output cyber security threat data associated with the determined cyber security threat to another computing device (which may be interfaceable by a user), to an input/output device (e.g., a display) configured to present (e.g., graphically present) the data associated with the determined cyber security threat to a user”). Ryon does not disclose said step comprising: - extracting from said reports a first, current set of local characteristic features for a specific entity, - checking said first, current set by using a second, reference set of respective local characteristic features, wherein said reference set is relevant to a similar type of entities during normal operation of the radar system, - determining one or more local anomalies whenever said first set of the characteristic features does not correspond to said second set. 
Sirianni discloses Said step comprising: - extracting from said reports a first, current set of local characteristic features for a specific entity, - checking said first, current set by using a second, reference set of respective local characteristic features, wherein said reference set is relevant to a similar type of entities during normal operation of the radar system, - determining one or more local anomalies whenever said first set of the characteristic features does not correspond to said second set (Column 3 lines 59-64, "Over time anomaly detection module 106 may develop a statistical profile of behavior. By looking at the current statistics and comparing them to historical data sets anomaly detection module 106 detect whether there are changes and then investigate the changes based upon how widely they diverge from history"). Ryon discloses finding anomalies but it does not disclose using reference/historical information to detect anomalies. Using reference data in anomaly detection can speed up the detection of an anomaly, for example, while using a machine learning algorithm. Additionally, having references of what is normal can reduce false positives as some data may not fall within an average value but it is still considered the data of normal operation. Therefore, it would have been obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to modify Ryon with Sirianni to add in the use of reference data to facilitate expediting the recognition of anomalies and reducing false positives.

Regarding claim 35 the combination of Ryon, Gopalakrishnan, and Sirianni discloses The method according to Claim 32. 
Ryon does not disclose wherein the step of checking said first, current set of characteristic features is performed by applying an expected behavioral model of the similar type of entities, wherein said expected behavioral model is created for the radar system free of cyber attacks and is associated with said second, reference set of characteristic features. Sirianni discloses Wherein the step of checking said first, current set of characteristic features is performed by applying an expected behavioral model of the similar type of entities, wherein said expected behavioral model is created for the radar system free of cyber attacks and is associated with said second, reference set of characteristic features (Column 3 lines 59-64, "Over time anomaly detection module 106 may develop a statistical profile of behavior. By looking at the current statistics and comparing them to historical data sets anomaly detection module 106 detect whether there are changes and then investigate the changes based upon how widely they diverge from history"; Column 3 lines 66-Column 4 line 2, "The processed data may also be used to bootstrap machine learning models 122, while finding issues with older models that were trained on historical data and have become less accurate at predication"). Ryon discloses finding anomalies but it does not disclose using reference/historical models to detect anomalies. Using reference models in anomaly detection can speed up the machine learning detection of an anomaly, additionally having references of what is normal can reduce false positives as some data may not fall within an average value but it is still characteristic of normal operation. Therefore, it would have been obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to modify Ryon with Sirianni to add in the use of reference data to facilitate expediting the recognition of anomalies and reducing false positives. 

Regarding claim 37 the combination of Ryon, Gopalakrishnan, and Sirianni discloses The method according to Claim 32. Ryon discloses using machine learning algorithms (Column 14 lines 1-9, "In some embodiments, the processor 114-1 or another processor of the system 100 may be configured to analyze the filtered received data (e.g., filtered reports), for example, by analyzing (e.g., statistically analyzing, correlating, applying a machine learning algorithm, and/or recognizing patterns in) previously filtered received data and verified cyber security threat data and/or missed false positive cyber security threat data corresponding to false positives which passed the filtering according to the predetermined filter rules."). Ryon does not disclose wherein said expected behavioral models are built by applying a Machine Learning (ML) algorithm using a Big Data infrastructure. Sirianni discloses Wherein said expected behavioral models are built by applying a Machine Learning (ML) algorithm using a Big Data infrastructure (Column 6 lines 60-66, "Incident-response system 100 may provide real-time threat protection from advanced adversaries. Incident-response system 100 may include a big data storage and analytic software product. Unlike existing machine-generated anomaly detection tools, which use limiting storage and processing techniques, incident-response system 100 may be built on a distributed architecture"). Ryon discloses the use of machine learning but it does not specify the use of big data architecture. Using big data infrastructure allows the system to process larger and more complex datasets; this helps the system to recognize more complex patterns, which is helpful for recognizing more complex and/or new attack patterns. Additionally, if the big data architecture is based on cloud storage this can facilitate more lightweight hardware on the aircraft. 
As such, it would have been obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to modify Ryon with Sirianni to add in big data infrastructure for the machine learning to improve the recognizing of complex patterns and to use less hardware/have a lighter aircraft.

Claim(s) 33, 38 is/are rejected under 35 U.S.C. 103 as being unpatentable over Ryon (US 10182065 B1) in view of Gopalakrishnan (US 9524648 B1) further in view of Sirianni (US 10885393 B1) further in view of Huang (US 20220043441 A1).

Regarding claim 33 the combination of Ryon, Gopalakrishnan, and Sirianni discloses The method according to Claim 32. Ryon does not disclose wherein the reference set of characteristic features for an entity comprises one or more features from the following non-exhaustive list: type of entity, classification of a target, estimated accepted ranges and/or value of location, height, velocity, jerk, turn angle, maneuvering index. Huang discloses Wherein the reference set of characteristic features for an entity comprises one or more features from the following non-exhaustive list: type of entity, classification of a target, estimated accepted ranges and/or value of location, height, velocity, jerk, turn angle, maneuvering index (Paragraph 0038, “The output anomaly detection 234 may be configured to verify that the information input to the navigation subsystem 122 and the AI/ML algorithms 250 (e.g., the sensor data 202 and the processed data 204) does not contain any errors or anomalies. For example, if the outputs 206 include information that is out of a normal range of values or that is inconsistent with safe operating conditions (e.g., speed of operation, turn radius, etc.) of the autonomous system 110, an anomaly may be detected. 
As another example, if the GPS data previously indicated the autonomous system 110 was at a first location and GPS data received for a current time period does not include GPS location data, the output anomaly detection analysis may determine that GPS communication is not working properly. When problems are detected by the output anomaly detection 234, one or more failsafe operations may be executed to modify operation of the autonomous system 110”). Ryon discloses using different variables/statistics of the several modules to detect an anomaly, but it does not specify the non-exhaustive list of attributes for the radar. Using the attributes such as a storm velocity or a GPS location to determine an anomaly/cyber attack would be advantageous in that a user can recognize the problem and know that these vital functions are compromised so that they can begin to remedy the problem. As such, it would have been obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to modify Ryon with Huang to add in the use of storm velocities and GPS locations to detect anomalies/cyber attacks to improve the safety features and functioning of an aircraft.

Regarding claim 38 the combination of Ryon, Gopalakrishnan, and Sirianni discloses The method according to Claim 33. Ryon does not disclose wherein the entity is a track, and wherein the second reference set of characteristic features comprises one or more additional features from the following non-exhaustive list: an expected range of GPS/space shift of a track, an expected time shift of a track, an expected type of the numeric pattern of a track, an expected range of energy spent by a radar per building a track. Sirianni discloses The second reference set of characteristic features (Column 3 lines 59-64, "Over time anomaly detection module 106 may develop a statistical profile of behavior.
By looking at the current statistics and comparing them to historical data sets anomaly detection module 106 detect whether there are changes and then investigate the changes based upon how widely they diverge from history."). Ryon discloses finding anomalies but it does not disclose using reference/historical information to detect anomalies. Using reference data in anomaly detection can speed up the detection of an anomaly, for example, while using a machine learning algorithm. Additionally, having references of what is normal can reduce false positives as some data may not fall within an average value but it is still considered the data of normal operation. Therefore, it would have been obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to modify Ryon with Sirianni to add in the use of reference data to facilitate expediting the recognition of anomalies and reducing false positives. Huang discloses Wherein the entity is a track (Paragraph 0034, “The fault detection logic 118 may also receive network data 208 from the communication interface(s) 116 and other data 210. The other data 210 may include … tracking surveillance drones, GPS satellites, or other types of data obtained from external sensors. The fault detection logic 118 may analyze the sensor data 202, the processed data 204, the output data 206, the network data 208, and the other data 210 to detect anomalies”). Ryon discloses finding anomalies and using weather radar but it does not specifically mention tracking an entity. Weather radar is capable of tracking and predicting the trajectory of storms which would be advantageous for planning and/or adjust flight paths. As such, it would have been obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to modify Ryon with Huang to add in the use of tracks with the weather radar to improve the pilot’s ability to plan/adjust routes.
Gopalakrishnan discloses Wherein the second reference set of characteristic features comprises one or more additional features from the following non-exhaustive list: an expected range of GPS/space shift of a track, an expected time shift of a track, an expected type of the numeric pattern of a track, an expected range of energy spent by a radar per building a track (Column 16 line 57-Column 17 line 4, "The compromise module 136 may generate the UAV compromise data 138 based on energy consumption of one or more systems or devices of the UAV 102…The compromise module 136 may generate the UAV compromise data 138 in response to a determination that the amount of energy consumed by the one or more rotors 228 is greater than or equal to a threshold value. In another example, the compromise module 136 may access data indicative of previous amounts of energy consumed by the one or more rotors 228. The compromise module 136 may compare the current energy consumption amount of the rotors 228 with the previous amounts of energy consumed" where the compromise module determines if there is a threat). Ryon discloses detecting anomalies and a weather radar but not tracking the energy consumption of the radar as it is tracking an entity. Ryon could incorporate (as discussed above) the second references of Sirianni and/or the use of a range of values (as in Huang) with tracking the energy consumption of the weather radar as it is tracking a storm. This would be advantageous as it could recognize an attack on a vital instrument and notify a user of, for example, active jamming occurring with the weather radar. As such, it would have been obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to modify Ryon with Gopalakrishnan to monitor a weather radar’s energy consumption as it is tracking a storm to notify the user/pilot of an active attack/jamming so they can react appropriately.

Claim(s) 34, 36, 43 is/are rejected under 35 U.S.C.
103 as being unpatentable over Ryon (US 10182065 B1) in view of Sirianni (US 10885393 B1).

Regarding claim 34 Ryon discloses The method according to Claim 28 including recognizing one or more anomalies in a radar report. Ryon also discloses the use of machine learning models (Column 14 lines 1-9, "In some embodiments, the processor 114-1 or another processor of the system 100 may be configured to analyze the filtered received data (e.g., filtered reports), for example, by analyzing (e.g., statistically analyzing, correlating, applying a machine learning algorithm, and/or recognizing patterns in) previously filtered received data and verified cyber security threat data and/or missed false positive cyber security threat data corresponding to false positives which passed the filtering according to the predetermined filter rules"). Ryon does not disclose wherein the step of detecting one or more local anomalies in radar reports comprises applying one or more expected behavioral models created for the radar system free of cyber attacks. Sirianni discloses Wherein the step of detecting one or more local anomalies in radar reports comprises applying one or more expected behavioral models created for the radar system free of cyber attacks (Column 3 lines 59-64, "Over time anomaly detection module 106 may develop a statistical profile of behavior.
By looking at the current statistics and comparing them to historical data sets anomaly detection module 106 detect whether there are changes and then investigate the changes based upon how widely they diverge from history"; Column 3 lines 51-55, "Probability distribution module 120 may include an unsupervised learning module configured to find the common values of features and outliers to model constraints that are considered anomalous"; Column 3 lines 66-Column 4 line 2, "The processed data may also be used to bootstrap machine learning models 122, while finding issues with older models that were trained on historical data and have become less accurate at predication"). Ryon discloses detecting anomalies and using machine learning to do so but it does not specify the use of reference or historical models to detect anomalies. Using reference models in anomaly detection can speed up the machine learning detection of an anomaly, additionally having references of what is normal can reduce false positives as some data may not fall within an average value but it is still characteristic of normal operation. Therefore, it would have been obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to modify Ryon with Sirianni to add in the use of reference data to facilitate expediting the recognition of anomalies and reducing false positives.

Regarding claim 36 the combination of Ryon and Sirianni discloses The method according to Claim 34. Ryon does not disclose wherein said at least one expected behavioral model is built in the radar system based on historical radar data collected in the absence of cyber attacks.
Sirianni discloses Wherein said at least one expected behavioral model is built in the radar system based on historical radar data collected in the absence of cyber attacks (Column 3 lines 66-Column 4 line 2, "The processed data may also be used to bootstrap machine learning models 122, while finding issues with older models that were trained on historical data and have become less accurate at predication"). Ryon discloses detecting anomalies and using machine learning to do so but it does not specify the use of reference or historical models to detect anomalies. Using reference models in anomaly detection can speed up the machine learning detection of an anomaly, additionally having references of what is normal can reduce false positives as some data may not fall within an average value but it is still characteristic of normal operation. Therefore, it would have been obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to modify Ryon with Sirianni to add in the use of reference data to facilitate expediting the recognition of anomalies and reducing false positives.

Regarding claim 43 Ryon discloses The PMC according to Claim 42.
Ryon discloses comprising: - a feature extraction unit for extracting a set of current characteristic features per entity, - an anomaly detection unit, for detecting local anomalies per entity, based on the extracted set of current characteristic features (Column 4 lines 48-52, "The IDS system computing device may include a processor configured to execute instructions of an IDS engine (e.g., an IDS correlation engine) to analyze the reports from the augmented vetronics computing devices to determine whether a cyber security threat exists"; Column 13 lines 48-56, " in response to determining the occurrence of the cyber security threat, the processor 114-1 may be configured to generate and output cyber security threat data associated with the determined cyber security threat to another computing device (which may be interfaceable by a user), to an input/output device (e.g., a display) configured to present (e.g., graphically present) the data associated with the determined cyber security threat to a user”), - a unit for analyzing local anomalies by correlating the detected local anomalies so as to reveal at least one correlation in the form of a combination, sequence and/or dependency of the local anomalies,- a cyber discriminator unit for analysis of said correlation if revealed (Column 4 lines 48-52, "The IDS system computing device may include a processor configured to execute instructions of an IDS engine (e.g., an IDS correlation engine) to analyze the reports from the augmented vetronics computing devices to determine whether a cyber security threat exists"; Column 5 lines 1-9, "The first computing device may include a memory and a processor. The first computing device may be configured to receive, from each of the avionics computing devices, the cyber security report associated with the one or more received messages determined to include the aberrant data. 
Based at least on the received cyber security report, the first computing device may be configured to determine an occurrence of a cyber security threat at least with respect to one or more of the avionics computing devices."), and for issuing a predetermined action in case of detecting said correlation of the local anomalies (Column 13 lines 48-58, " in response to determining the occurrence of the cyber security threat, the processor 114-1 may be configured to generate and output cyber security threat data associated with the determined cyber security threat to another computing device (which may be interfaceable by a user), to an input/output device (e.g., a display) configured to present (e.g., graphically present) the data associated with the determined cyber security threat to a user, and/or to a computer-readable medium (e.g., memory 116-1 and/or storage 118-1) to be stored (e.g., maintained)"). Ryon does not disclose comprising: - a feature extraction unit for extracting a set of current characteristic features per entity, and using a reference set of characteristic features or an expected behavioral model. Sirianni discloses A feature extraction unit for extracting a set of current characteristic features per entity, and using a reference set of characteristic features or an expected behavioral model (Column 3 lines 59-64, "Over time anomaly detection module 106 may develop a statistical profile of behavior. By looking at the current statistics and comparing them to historical data sets anomaly detection module 106 detect whether there are changes and then investigate the changes based upon how widely they diverge from history"). Ryon discloses finding anomalies but it does not disclose using reference/historical information to detect anomalies. Using reference data in anomaly detection can speed up the detection of an anomaly, for example, while using a machine learning algorithm. 
Additionally, having references of what is normal can reduce false positives as some data may not fall within an average value but it is still considered the data of normal operation. Therefore, it would have been obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to modify Ryon with Sirianni to add in the use of reference data to facilitate expediting the recognition of anomalies and reducing false positives.

Claim(s) 39, 44 is/are rejected under 35 U.S.C. 103 as being unpatentable over Ryon (US 10182065 B1) in view of Priller (US 20220245260 A1).

Regarding claim 39 Ryon discloses The method according to claim 28, including using correlations and identifying cyber attacks. Ryon does not disclose further comprising analyzing said correlations with reference to preliminarily known cyber attack vectors for detecting the cyber attack. Priller discloses Analyzing said correlations with reference to preliminarily known cyber attack vectors for detecting the cyber attack (Abstract, "assigning known vulnerabilities to components of the model variants; defining an attack aim; creating at least one attack model, based on the attack aim"; Paragraph 0004, "Due to the complexity and the multitude of communication interfaces, such vehicles create a large attack surface for cyber attacks. Attacks can take place not only via the actual communication interfaces, but also via sensors such as a LIDAR or radar system"; Paragraph 0163, "For this purpose, known vulnerabilities are assigned to the individual alternative model variants 103. The identified features and the assumptions made are compared with collections of known vulnerabilities…according to which multiple references 104 to known vulnerabilities are given and assigned to a particular model node"). Ryon discloses recognizing cyber attacks through anomalies, but does not disclose recognizing cyber attack signatures.
A system using the attack signature of a cyber attack could speed up the recognition process as there would be more examples of normal operation signatures/models to compare to than there are signatures of attacks. As such it would have been obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to modify Ryon with Priller to add in recognizing cyber attack signatures in order to speed up the recognition process, which can lead to faster responses and less damage done.

Regarding claim 44 Ryon discloses The PMC according to Claim 42. Ryon does not disclose comprising a database storing at least attack-free historical data for creating references in detection of cyber attacks. Priller discloses Comprising a database storing at least attack-free historical data for creating references in detection of cyber attacks (Abstract, "assigning known vulnerabilities to components of the model variants; defining an attack aim; creating at least one attack model, based on the attack aim"; Paragraph 0004, "Due to the complexity and the multitude of communication interfaces, such vehicles create a large attack surface for cyber attacks. Attacks can take place not only via the actual communication interfaces, but also via sensors such as a LIDAR or radar system"; Paragraph 0163, "For this purpose, known vulnerabilities are assigned to the individual alternative model variants 103. The identified features and the assumptions made are compared with collections of known vulnerabilities…according to which multiple references 104 to known vulnerabilities are given and assigned to a particular model node"). Ryon discloses recognizing cyber attacks through anomalies, but does not disclose recognizing cyber attack signatures. A system using the attack signature of a cyber attack could speed up the recognition process as there would be more examples of normal operation signatures/models to compare to than there are signatures of attacks.
This attack signature recognizing device would have storage for said signatures either on site or in cloud storage. As such it would have been obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to modify Ryon with Priller to add in recognizing cyber attack signatures in order to speed up the recognition process, which can lead to faster responses and less damage done.

Claim(s) 40 is/are rejected under 35 U.S.C. 103 as being unpatentable over Ryon (US 10182065 B1) in view of Herman (US 20220121210 A1).

Regarding claim 40 Ryon discloses The method according to Claim 28 including recognizing anomalies. Ryon does not disclose wherein identifying said correlations of the local anomalies comprises detecting one or more combinations of the local anomalies and wherein the one or more anomaly combinations are selected from the following non-exhaustive list: - Replacing data of all or a plurality of plot points with similar numbers - A GPS spoofing-influenced group of tracks created in a radar system - A common bias in space or in time to a group of tracks - Atypical energy consumption for tracks created in the radar system.
Herman discloses Wherein identifying said correlations of the local anomalies comprises detecting one or more combinations of the local anomalies and wherein the one or more anomaly combinations are selected from the following non-exhaustive list: - Replacing data of all or a plurality of plot points with similar numbers - A GPS spoofing-influenced group of tracks created in a radar system - A common bias in space or in time to a group of tracks - Atypical energy consumption for tracks created in the radar system (Paragraph 0002, "While ADAS is developed to provide efficient, effortless, and safe driving to a user sitting inside the vehicle, the system could be subject to spoofing" where the ADAS uses radar; Paragraph 0037, "In the case of spoofing, a miscreant's transmitter, that is a malicious actor's transmitter, may be a source for the GPS sensor for providing data corresponding to the false location. To determine if the GPS error is due to spoofing or fault, the processor 120 may have to further perform a lookup to detect spoofing"). Ryon discloses recognizing cyber attacks and using radar and GPS but it does not specifically mention recognizing GPS spoofing. A plane attacked by GPS spoofing can create positional confusion which affects the weather radar's calculations and can create incorrect weather readings. It would be advantageous to recognize the spoofing in order to mitigate or respond to the negative effects on navigation and the weather radar. As such, it would have been obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to modify Ryon with Priller to add in recognizing GPS spoofing to mitigate incorrect navigation and weather radar information.

Claim(s) 41, 45 is/are rejected under 35 U.S.C. 103 as being unpatentable over Ryon (US 10182065 B1) in view of Sirianni (US 10885393 B1) further in view of Priller (US 20220245260 A1).

Regarding claim 41 Ryon discloses The method according to Claim 28.
Ryon does not disclose additionally comprising a step of collecting attack-related historical data for use in express detection of cyber attacks, and initialization, based on the attack-related historical data, one or more attack-related behavioral models and/or attack-related reference sets of features, for performing express detection of a cyber attack. Sirianni discloses The use of historical data to recognize anomalies (Column 3 lines 59-64, "Over time anomaly detection module 106 may develop a statistical profile of behavior. By looking at the current statistics and comparing them to historical data sets anomaly detection module 106 detect whether there are changes and then investigate the changes based upon how widely they diverge from history"). Ryon discloses recognizing anomalies and cyber attacks but does not disclose using historical data. Using historical data can be useful in that it provides real world data for your machine learning model to use for recognition, which would be more accurate than simulated data. As such it would have been obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to modify Ryon with Sirianni to add in the use of historical data for a more accurate analysis. Priller discloses A step of collecting attack-related data for use in express detection of cyber attacks, and initialization, based on the attack-related data, one or more attack-related behavioral models and/or attack-related reference sets of features, for performing express detection of a cyber attack (Abstract, "assigning known vulnerabilities to components of the model variants; defining an attack aim; creating at least one attack model, based on the attack aim"; Paragraph 0004, "Due to the complexity and the multitude of communication interfaces, such vehicles create a large attack surface for cyber attacks. 
Attacks can take place not only via the actual communication interfaces, but also via sensors such as a LIDAR or radar system"; Paragraph 0163, "For this purpose, known vulnerabilities are assigned to the individual alternative model variants 103. The identified features and the assumptions made are compared with collections of known vulnerabilities…according to which multiple references 104 to known vulnerabilities are given and assigned to a particular model node"). Ryon discloses recognizing cyber attacks through anomalies, but does not disclose recognizing cyber attack signatures. A system using the attack signature of a cyber attack could speed up the recognition process as there would be more examples of normal operation signatures/models to compare to than there are signatures of attacks. Additionally, in using historical/previous data the attack signatures would be more accurate to a real world scenario. As such it would have been obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to modify Ryon with Priller to add in recognizing cyber attack signatures in order to speed up, and improve the accuracy of the recognition process, which can lead to faster responses and less damage done.

Regarding claim 45 the combination of Ryon and Priller discloses The PMC according to Claim 44. Ryon does not disclose wherein the database storing also attack-related historical data for creating references in express detection of cyber attacks. Sirianni discloses Historical data sets (Column 3 lines 59-64, "Over time anomaly detection module 106 may develop a statistical profile of behavior. By looking at the current statistics and comparing them to historical data sets anomaly detection module 106 detect whether there are changes and then investigate the changes based upon how widely they diverge from history.").
Ryon discloses finding anomalies but it does not disclose using reference/historical information to detect anomalies. Using reference data in anomaly detection can speed up the detection of an anomaly, for example, while using a machine learning algorithm. Additionally, having historical references of what is normal can reduce false positives as some data may not fall within an average value but it is still considered the data of normal operation. Also, the machine learning analysis will be more accurate as it is using real world data instead of simulated data. Therefore, it would have been obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to modify Ryon with Sirianni to add in the use of historical data to facilitate expediting the recognition of anomalies and reducing false positives. Priller discloses Wherein the database storing also attack-related data for creating references in express detection of cyber attacks (Abstract, "assigning known vulnerabilities to components of the model variants; defining an attack aim; creating at least one attack model, based on the attack aim"; Paragraph 0004, "Due to the complexity and the multitude of communication interfaces, such vehicles create a large attack surface for cyber attacks. Attacks can take place not only via the actual communication interfaces, but also via sensors such as a LIDAR or radar system"; Paragraph 0163, "For this purpose, known vulnerabilities are assigned to the individual alternative model variants 103. The identified features and the assumptions made are compared with collections of known vulnerabilities…according to which multiple references 104 to known vulnerabilities are given and assigned to a particular model node"). Ryon discloses recognizing cyber attacks through anomalies, but does not disclose recognizing cyber attack signatures.
A system using the attack signature of a cyber attack could speed up the recognition process as there would be more examples of normal operation signatures/models to compare to than there are signatures of attacks. Additionally, in using historical/previous data the attack signatures would be more accurate to a real world scenario. As such it would have been obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to modify Ryon with Priller to add in recognizing cyber attack signatures in order to speed up, and improve the accuracy of the recognition process, which can lead to faster responses and less damage done.

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to PETER D DOZE whose telephone number is (571)272-0392. The examiner can normally be reached Monday-Friday 7:40am - 5:40pm ET. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Vladimir Magloire can be reached at (571) 270-5144. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format.
For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/PETER DAVON DOZE/
Examiner, Art Unit 3648

/VLADIMIR MAGLOIRE/
Supervisory Patent Examiner, Art Unit 3648
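The rejections of claims 34, 36, 40 and 43 turn on three stages: a reference built from attack-free history, local anomalies detected per track against it, and correlation of those anomalies into combinations such as a common spatial bias or atypical energy use. The sketch below is an added illustration of those stages, not code from the application or from any cited reference; the feature names, thresholds and all data are constructed assumptions.

```python
from dataclasses import dataclass
from statistics import mean, median, pstdev

FEATURES = ("dx_m", "dy_m", "energy_j")  # assumed per-track features

@dataclass(frozen=True)
class TrackReport:
    track_id: str
    dx_m: float      # east residual between measured and predicted position (m)
    dy_m: float      # north residual (m)
    energy_j: float  # energy spent by the radar on this track update

def build_baseline(history):
    """Reference set: per-feature (mean, std) from attack-free reports."""
    baseline = {}
    for f in FEATURES:
        values = [getattr(r, f) for r in history]
        sd = pstdev(values)
        if sd == 0:
            raise ValueError(f"feature {f} has no variance in history")
        baseline[f] = (mean(values), sd)
    return baseline

def local_anomalies(scan, baseline, z_max=3.0):
    """Per-track check: {track_id: {feature: z}} for out-of-profile features."""
    out = {}
    for r in scan:
        hits = {}
        for f in FEATURES:
            mu, sd = baseline[f]
            z = (getattr(r, f) - mu) / sd
            if abs(z) > z_max:
                hits[f] = round(z, 1)
        if hits:
            out[r.track_id] = hits
    return out

def correlate(scan, anomalies, baseline, min_tracks=3, min_share=0.6, z_max=3.0):
    """Promote local anomalies to a finding only when a group of tracks agrees."""
    findings = []
    by_id = {r.track_id: r for r in scan}
    needed = max(min_tracks, min_share * len(scan))
    moved = [by_id[t] for t, h in anomalies.items() if "dx_m" in h or "dy_m" in h]
    if moved:
        bx = median(r.dx_m for r in moved)
        by = median(r.dy_m for r in moved)
        tol_x = z_max * baseline["dx_m"][1]
        tol_y = z_max * baseline["dy_m"][1]
        # Tracks whose displacement matches the group median within normal noise.
        agree = sorted(r.track_id for r in moved
                       if abs(r.dx_m - bx) <= tol_x and abs(r.dy_m - by) <= tol_y)
        if len(agree) >= needed:
            findings.append(("common_spatial_bias", agree, (bx, by)))
    hot = sorted(t for t, h in anomalies.items() if "energy_j" in h)
    if len(hot) >= needed:
        findings.append(("atypical_energy", hot, None))
    return findings

def analyze(scan, baseline):
    anomalies = local_anomalies(scan, baseline)
    return anomalies, correlate(scan, anomalies, baseline)

# Constructed attack-free history (stands in for recorded radar data).
DX = [-6, -3, 0, 3, 6, 2, -2, 4, -4, 1]
DY = DX[3:] + DX[:3]
EN = [48, 49, 50, 51, 52, 50, 49, 51, 50, 50]
HISTORY = [TrackReport(f"H{i}", x, y, e) for i, (x, y, e) in enumerate(zip(DX, DY, EN))]
BASELINE = build_baseline(HISTORY)

def scan_of(rows):
    return [TrackReport(f"T{i + 1}", *row) for i, row in enumerate(rows)]

# Constructed scans: quiet, one outlier, scattered outliers, shared shift, energy.
NORMAL = scan_of([(2, -1, 50), (-3, 4, 51), (5, 0, 49), (-1, -2, 50)])
ONE_TRACK = scan_of([(2, -1, 50), (90, 4, 51), (5, 0, 49), (-1, -2, 50)])
SCATTERED = scan_of([(90, 0, 50), (-95, 1, 50), (40, -2, 50), (2, -1, 50)])
SHIFTED = scan_of([(118, -79, 50), (121, -82, 51), (122, -80, 49), (119, -81, 50)])
ENERGY = scan_of([(2, -1, 70), (-3, 4, 71), (5, 0, 69), (-1, -2, 50)])

if __name__ == "__main__":
    for name in ("NORMAL", "ONE_TRACK", "SCATTERED", "SHIFTED", "ENERGY"):
        print(name, *analyze(globals()[name], BASELINE))
```

A single displaced track, or several tracks displaced in unrelated directions, stays a local anomaly; only a displacement shared by most of the scan is reported as a correlated finding.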

Prosecution Timeline

Jan 25, 2024
Application Filed
Jan 09, 2026
Non-Final Rejection — §101, §102, §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12585007
RECURSIVE DETERMINISTIC MAXIMUM LIKELIHOOD ESTIMATION OF DIRECTION OF ARRIVAL IN AUTOMOTIVE RADAR SENSING
2y 5m to grant Granted Mar 24, 2026
Patent 12571907
INVERSE SYNTHETIC APERTURE, MULTIBAND RADAR DETECTION OF HIDDEN OBJECTS WITH SPATIALLY STRUCTURED TRACKING OF OBJECT CARRIER
2y 5m to grant Granted Mar 10, 2026
Patent 12553990
HYBRID CLUTTER SUPPRESSION USING ELECTRONICALLY SCANNED ANTENNAS
2y 5m to grant Granted Feb 17, 2026
Patent 12541019
Co-Existence Operations Involving a Radar-Enabled User Equipment and Radio Network Nodes
2y 5m to grant Granted Feb 03, 2026
Patent 12529780
METHOD AND DEVICE FOR DETERMINING THE RELATIVE PERMITTIVITY OF A MATERIAL USING A GROUND-PENETRATING RADAR
2y 5m to grant Granted Jan 20, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.


Prosecution Projections

1-2
Expected OA Rounds
82%
Grant Probability
91%
With Interview (+8.9%)
2y 11m
Median Time to Grant
Low
PTA Risk
Based on 22 resolved cases by this examiner. Grant probability derived from career allow rate.
