Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
The following is a final office action in response to the communication received December 11, 2025. Claims 1, 3, 5, 8, 9 and 12 have been amended. Claims 7 and 11 have been canceled. Therefore, claims 1-6, 8-10 and 12 are pending and addressed below.
Response to Amendment
Applicant’s amendment and response to the claims are sufficient to overcome the 35 USC 112(d) rejection and the claim objections set forth in the previous office action. Examiner has withdrawn the rejection under 35 USC 112(d) and the claim objections as applicant amended the claims.
Response to Arguments
Applicant's arguments filed December 11, 2025 have been fully considered but they are not persuasive for the following reasons:
Applicant’s arguments with respect to the rejections of amended claims 1, 5 and 9 under 35 U.S.C. 102(a)(1) have been fully considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument. A new ground of rejection under 35 U.S.C. 103 is made in view of the combination of prior art of Yamamoto et al (US PG-PUB No. 20190294803 A1), and Roundy et al (US PG-PUB No. 20160103992 A1). (see below rejection details)
Therefore, claims 1, 5 and 9 are rejected under 35 U.S.C. 103. As claims 2-4 are dependent directly or indirectly on claim 1, claims 6 and 8 are dependent directly or indirectly on claim 5, and claims 10 and 12 are dependent directly or indirectly on claim 9, applicant’s arguments with respect to the rejections of claims 2-4, 6, 8, 10 and 12 are moot.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-6, 8-10 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Yamamoto et al (US PG-PUB No. 20190294803 A1) in view of Roundy et al (US PG-PUB No. 20160103992 A1).
Regarding claim 1, claim 5 and claim 9, Yamamoto teaches an attack analysis assistance apparatus, a method and non-transitory computer-readable recording medium, the apparatus comprising at least one memory storing instructions; and at least one processor configured to execute the instructions to: extract, from information regarding a plurality of targeted attacks, respective pieces of comparison information that are related to a set guideline and are to be used for comparison; and receive, as input, the pieces of comparison information extracted from the information regarding the plurality of targeted attacks, and calculate a similarity between the plurality of targeted attacks (Paragraph [0033]: “The evaluation device 100 (attack analysis assistance apparatus comprising at least one processor and memory) is a computer. The evaluation device 100 includes a processor 101 and also other pieces of hardware such as a memory 102”; Paragraph [0034] further discloses: “The evaluation device 100 includes an attack generation unit 111, a comparison unit 112 (comprising a feature extraction unit 221, a score calculation unit 222, a score comparison unit 223, and a feature adjustment unit 224, as disclosed in paragraph [0051]), and a verification unit 113 as functional components.”; Paragraph [0110]: “At step S31, the feature extraction unit 221 extracts the feature of the attack sample 131 generated by the attack generation unit 111.”; Paragraph [0111] further discloses: “Specifically, the feature extraction unit 221 extracts, from the attack sample 131 (extract, from information regarding a plurality of targeted attacks), a feature of a type identical to that modeled by the normal state model 132 prepared in advance (respective pieces of comparison information that are related to a set guideline and to be used for comparison), and generates a feature vector of the attack sample 131.”; Paragraph [0112]: “At step S32, the feature extraction unit 221 checks whether a feature vector identical to the extracted one is registered in the checked feature vector database 121 (receive, as input the pieces of comparison information extracted from the information regarding the plurality of targeted attacks). If registered, the operation of the comparison unit 112 ends. If not registered, the process at step S33 is performed.”; Paragraph [0113]: “At step S33, the score calculation unit 222 calculates a score indicating a similarity between the feature extracted by the feature extraction unit 221 and the feature of the normal state model 132 (calculate a similarity between the plurality of targeted attacks).”).
Yamamoto is not relied upon for, but Roundy teaches, comparing functions executed in the plurality of targeted attacks to identify a number of matching functions, and calculate a similarity between the plurality of targeted attacks based on the number of matching functions (Paragraph [0066]: “Additionally or alternatively, classification module 108 may label any malicious executables involved in and/or related to security event 210 and/or the targeted attack (the apparatus compare functions executed in the plurality of targeted attacks).”; Paragraph [0006]: “In one example, the method may also include identifying a plurality of features of the security event (identifying functions as comparison information from the security event). In this example, the method may further include comparing the plurality of features of the security event against the plurality of characteristics identified in the targeted-attack taxonomy (compare functions executed in the plurality of targeted attacks).”; Paragraph [0007]: “In one example, the method may also include determining the number of features of the security event that match corresponding characteristics identified in the targeted-attack taxonomy (identify a number of matching functions).”; Paragraph [0008]: “In one example, the method may also include calculating a taxonomy score that represents the likelihood that the security event is targeting the organization based at least in part on comparing the security event against the targeted-attack taxonomy (calculate a similarity between the plurality of targeted attacks based on the number of matching functions).”).
Yamamoto and Roundy are both considered to be analogous to the claimed invention because they both teach attack analysis. Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the solution disclosed by Yamamoto by adding the comparing of functions executed in the plurality of targeted attacks to identify a number of matching functions, and the calculating of a similarity between the plurality of targeted attacks based on the number of matching functions, as disclosed by Roundy.
One of ordinary skill in the art would have been motivated to make this modification in order to accurately classify security events as targeted attacks, as suggested by Roundy in paragraph [0003].
Regarding claim 2, claim 3, claim 6 and claim 10, Yamamoto and Roundy teach all of the features with respect to claim 1, claim 1, claim 5 and claim 9, as outlined above.
Yamamoto further teaches wherein the information regarding each of the plurality of targeted attacks includes information regarding an attack procedure in which functions executed in the targeted attack are defined in time series and information regarding execution of the targeted attack, and at least one of a function executed in a targeted attack, a timing when a targeted attack was executed, and whether or not a targeted attack was executed successfully is set as the guideline (Paragraph [0084]: “That is, the verification unit 113 verifies whether the attack sample 131 similar to the normal state model 132 keeps an attack function (functions in attack procedure to verify whether or not a targeted attack was executed successfully).” Paragraphs [0085], [0086], [0087] and [0088] disclose when the detection technique implemented in the security product as an evaluation target, it is checked that a process intended by the attacker is successful (whether or not a targeted attack function is executed successfully) by the attack. Paragraph [0142]: “At step S63, the basic function monitoring unit 231 checks whether a certain time has elapsed (attack procedure in which functions executed in the targeted attack are defined in time series). If a certain time has elapsed, the operation of the basic function monitoring unit 231 ends. If a certain time has not elapsed, the process at step S64 is performed.”).
Regarding claim 4, claim 8 and claim 12, Yamamoto and Roundy teach all of the features with respect to claim 3, claim 6 and claim 10, as outlined above.
Yamamoto further teaches wherein, when two or more guidelines are set, the guideline setting means further sets a weight for each of the two or more set guidelines, further at least one processor configured to execute the instructions to: extract the pieces of comparison information from the information regarding the plurality of targeted attacks, for each of the two or more guidelines, and calculate the similarities for the two or more respective guidelines, and calculates an integrated similarity using the similarities and weights for the respective guidelines (Paragraph [0113]: “At step S33, the score calculation unit 222 calculates a score (weight) indicating a similarity between the feature extracted by the feature extraction unit 221 and the feature of the normal state model 132 (calculate the similarities using the similarities and weights).”).
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. (see PTO-892 form)
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JASMINE DAY whose telephone number is (571)272-0204. The examiner can normally be reached Monday - Friday 9:00 - 5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Philip Chea can be reached at 571-272-3951. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/J.M.D./Examiner, Art Unit 2499 /PHILIP J CHEA/Supervisory Patent Examiner, Art Unit 2499