DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 1 and 11 have been amended. Claims 4 and 14 have been cancelled.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-8, 10-18 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Sellars et al. (US20240223596) in view of Vasseur et al. (US20150188935).
Regarding claims 1 and 11, Sellars teaches a non-transitory storage medium having stored therein instructions that are executable by one or more hardware processors to perform operations ([0055] “The apparatus 200 comprises a memory 206, and a processor 208. The processor 208 is communicatively coupled to the memory 206”, [0074] “the processor 210 may instruct or cause the autonomous response module 140 (or any other appropriate module) to take appropriate action to protect the network. In any case, the apparatus 200 may provide an instruction”) comprising:
determining, ([0119] “The profiles can be matched up based on their characteristics to see if they match up to known past threat actors, and how similar they are, and if based on their similarity, raise up the rank of how threatening they are”, [0194] “The deeper analysis may assist in confirming an analysis to determine that indeed a cyber threat has been detected. The analyzer module 115 can also look at factors of how rare the endpoint connection is, how old the endpoint is, where geographically the endpoint is located, how a security certificate associated with a communication is verified only by an endpoint device or by an external 3rd party, just to name a few additional factors. The analyzer module 115 (and similarly the cyber threat analyst module 120) can then assign weighting given to these factors in the machine learning that can be supervised based on how strongly that characteristic has been found to match up to actual malicious sites in the training”);
when the nodes match with the nodes expected to be affected by the anticipated ([0119] “The profiles can be matched up based on their characteristics to see if they match up to known past threat actors, and how similar they are, and if based on their similarity, raise up the rank of how threatening they are”, [0194] “The deeper analysis may assist in confirming an analysis to determine that indeed a cyber threat has been detected. The analyzer module 115 can also look at factors of how rare the endpoint connection is, how old the endpoint is, where geographically the endpoint is located, how a security certificate associated with a communication is verified only by an endpoint device or by an external 3rd party, just to name a few additional factors. The analyzer module 115 (and similarly the cyber threat analyst module 120) can then assign weighting given to these factors in the machine learning that can be supervised based on how strongly that characteristic has been found to match up to actual malicious sites in the training”, [0233] “The attack path modeling component in the simulated attack module 950 cooperating with the other modules in the prediction engine 900 are configured to determine the key pathways within the network and the vulnerable network nodes in the network that the cyberattack would use during the cyberattack, via the modeling of the cyberattack on at least one of 1) the simulated device version and 2) the virtual device version of the network under analysis via using the actual detected vulnerabilities of each network node”),
providing, by the ([0204] “a close match to known cyber threats, then the analyzer module can make a final determination to confirm that a cyber threat likely exists and send that cyber threat to the assessment module to assess the threat score associated with that cyber threat. Certain model breaches will always trigger a potential cyber threat that the analyzer will compare and confirm the cyber threat”, [0213] “then cooperates with the autonomous response module 140 to take an autonomous action such as i) deny access in or out of the device or the network ii) shutdown activities involving a detected malicious agent, iii) restrict devices and/or user's to merely operate within their particular normal pattern of life” );
and when the nodes do not match with the nodes expected to be affected by the anticipated ([0204] “The analyzer module 115 cooperates with the one or more of the AI model(s) 160 trained on cyber threats to determine whether an anomaly such as the abnormal behavior and/or suspicious activity is either 1) malicious or 2) benign when the potential cyber threat under analysis is previously unknown to the cyber security appliance 100 … a close match to known cyber threats, then the analyzer module can make a final determination to confirm that a cyber threat likely exists and send that cyber threat to the assessment module to assess the threat score associated with that cyber threat. Certain model breaches will always trigger a potential cyber threat that the analyzer will compare and confirm the cyber threat”, [0213] “then cooperates with the autonomous response module 140 to take an autonomous action such as i) deny access in or out of the device or the network ii) shutdown activities involving a detected malicious agent, iii) restrict devices and/or user's to merely operate within their particular normal pattern of life”, (Examiner’s Note: benign, or not a threat, is equivalent to not match because, according to [0204], a close match means a cyber threat is detected)).
Sellars does not teach receiving, by an anti-jamming module, information indicating that nodes of a communication network are unreachable, and the information is received while a jamming attack is underway; by the anti-jamming module, jamming attack.
Vasseur teaches receiving, by an anti-jamming module ([0085] “500 for attack mitigation using learning machines, particularly from the perspective of a management device. The procedure 500 may start at step 505, and continue to step 510 where, as described above, a management device may receive network traffic data for a computer network”, (Examiner’s Note: the anti-jamming module is equivalent to the learning machine)), information indicating that nodes of a communication network are unreachable, and the information is received while a jamming attack is underway ([0070] “When the DoS is not-so-subtle and every single packet destined to a node N1 is jammed by the malicious node M, the node N1 stops receiving traffic from say the node N2, N3, etc. leading to making the node effectively down. As soon as any node that belongs to the sub-DAG rooted at node N1 generates traffic traversing the node N1, the link layer or other type of keep-alive mechanisms (at layer 2, 3 or above) detects a lack of connectivity with N1 and the routing protocol will modify the routing topology, leading to rerouting the traffic”, [0071] “Yet another subtle attack might be to systematically attack such nodes but for a short enough period of time so that traffic gets impacted but the routing metric does not change fast enough to trigger a reroute. The techniques herein specify a mechanism for closed loop control fed by the Learning Machine (LM) in use such as an ANN using routing in order to mitigate these attacks”, (Examiner’s Note: the Learning Machine receives the traffic data, which includes time periods where traffic is impacted));
by the anti-jamming module ([0085] “500 for attack mitigation using learning machines, particularly from the perspective of a management device. The procedure 500 may start at step 505, and continue to step 510 where, as described above, a management device may receive network traffic data for a computer network”, (Examiner’s Note: the anti-jamming module is equivalent to the learning machine)),
jamming attack ([0070] “When the DoS is not-so-subtle and every single packet destined to a node N1 is jammed by the malicious node M, the node N1 stops receiving traffic from say the node N2, N3, etc. leading to making the node effectively down. As soon as any node that belongs to the sub-DAG rooted at node N1 generates traffic traversing the node N1, the link layer or other type of keep-alive mechanisms (at layer 2, 3 or above) detects a lack of connectivity with N1 and the routing protocol will modify the routing topology, leading to rerouting the traffic”, [0071] “Yet another subtle attack might be to systematically attack such nodes but for a short enough period of time so that traffic gets impacted but the routing metric does not change fast enough to trigger a reroute. The techniques herein specify a mechanism for closed loop control fed by the Learning Machine (LM) in use such as an ANN using routing in order to mitigate these attacks”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Sellars to incorporate the teachings of Vasseur. One of ordinary skill in the art would have been motivated to make this modification in order to allow the system to mitigate predicted attacks.
Regarding claims 2 and 12, Sellars teaches wherein the anticipated ([0224]-[0225] “The simulated attack module 950 in the prediction engine 900 may be implemented via i) a simulator to model the system being protected and/or ii) a clone creator to spin up a virtual network and create a virtual clone of the system being protected configured to pen-test one or more defenses provided by the cyber security appliance 100. The prediction engine 900 may include and cooperate with one or more AI models 987 trained with machine learning on the contextual knowledge of the organization, such as those in the cyber security appliance 100 or have its own separate model trained with machine learning on the contextual knowledge of the organization and each user's and device's normal pattern of behavior”).
Sellars does not teach jamming attack.
Vasseur teaches jamming attack ([0069] “a learning machine detecting that a node N is under DoS attack with a probability p may send a unicast IPv6 message (e.g., an attack notification message) to the node N (or a set of nodes in which case the IPv6 message is multicast) using the layer-2 broadcast slot. Upon receiving the message, the node may trigger a routing update notifying all nodes in its sub-DAG. All notified nodes may then examine alternate disjoint paths, and according to the policy for each class of services, the path cost increase and the probability p, decide of rerouting traffic along alternate paths”, [0073] “when a set of nodes are being attacked, the LM may send a newly defined multicast IPv6 message (e.g., an attack notification message) using a multicast well-known layer-3 address (learned by nodes when registering)”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Sellars to incorporate the teachings of Vasseur. One of ordinary skill in the art would have been motivated to make this modification in order to allow the system to mitigate predicted attacks.
Regarding claims 3 and 13, Sellars does not explicitly teach wherein the communication network route changes are generated prior to detection of the anticipated jamming attack.
Vasseur teaches wherein the communication network route changes are generated prior to detection of the anticipated jamming attack ([0075] “Knowing that one of their ancestors is under attack with a probability p based on receiving the attack mitigation reroute request, the node would then look for alternative paths. A local configurable timer T1 is armed. In one embodiment, each node would then keep the last path cost advertised by candidate best next hops. In another embodiment, the node may search for locally reachable neighbors (e.g. for example sending a DIS message) in order to search for alternative paths. T1 is used to ensure that other candidate paths do not comprise the node under attack”, (Examiner’s Note: keeping the last path cost advertised by candidate best next hops is equivalent to prior to)).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Sellars to incorporate the teachings of Vasseur. One of ordinary skill in the art would have been motivated to make this modification in order to allow the system to mitigate predicted attacks.
Regarding claims 5 and 15, Sellars does not teach wherein the communication network route changes, and the other communication network route changes, do not include the unreachable nodes.
Vasseur teaches wherein the communication network route changes, and the other communication network route changes, do not include the unreachable nodes ([0075] “Knowing that one of their ancestors is under attack with a probability p based on receiving the attack mitigation reroute request, the node would then look for alternative paths. A local configurable timer T1 is armed. In one embodiment, each node would then keep the last path cost advertised by candidate best next hops. In another embodiment, the node may search for locally reachable neighbors (e.g. for example sending a DIS message) in order to search for alternative paths. T1 is used to ensure that other candidate paths do not comprise the node under attack”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Sellars to incorporate the teachings of Vasseur. One of ordinary skill in the art would have been motivated to make this modification in order to allow the system to mitigate predicted attacks.
Regarding claims 6 and 16, Sellars teaches wherein the communication network is a wireless communication network ([0192] “Initially, in this example of activity in an IT network analysis, the rare JA3 hash and/or rare user agent connections for this network coming from a new or unusual process are factored just like in the first wireless domain suspicious wireless signals are considered”).
Regarding claims 7 and 17, Sellars teaches wherein the communication network route changes were identified, prior to receipt of the information ([0222] “uses Artificial Intelligence algorithms configured and trained to perform a fourth machine-learned task of Artificial Intelligence-based simulations of cyberattacks to assist in determining 1) how a simulated cyberattack might occur in the system being protected, and 2) how to use the simulated cyberattack information to preempt possible escalations of an ongoing actual cyberattack”).
Sellars does not teach concerning the nodes that are unreachable, jamming attacks.
Vasseur teaches concerning the nodes that are unreachable ([0070] “When the DoS is not-so-subtle and every single packet destined to a node N1 is jammed by the malicious node M, the node N1 stops receiving traffic from say the node N2, N3, etc. leading to making the node effectively down. As soon as any node that belongs to the sub-DAG rooted at node N1 generates traffic traversing the node N1, the link layer or other type of keep-alive mechanisms (at layer 2, 3 or above) detects a lack of connectivity with N1 and the routing protocol will modify the routing topology, leading to rerouting the traffic”), jamming attacks ([0070], as quoted above).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Sellars to incorporate the teachings of Vasseur. One of ordinary skill in the art would have been motivated to make this modification in order to allow the system to mitigate predicted attacks.
Regarding claims 8 and 18, Sellars teaches wherein when the nodes do not match with the nodes expected to be affected by the anticipated ([0204] “The analyzer module 115 cooperates with the one or more of the AI model(s) 160 trained on cyber threats to determine whether an anomaly such as the abnormal behavior and/or suspicious activity is either 1) malicious or 2) benign when the potential cyber threat under analysis is previously unknown to the cyber security appliance 100 … a close match to known cyber threats, then the analyzer module can make a final determination to confirm that a cyber threat likely exists and send that cyber threat to the assessment module to assess the threat score associated with that cyber threat. Certain model breaches will always trigger a potential cyber threat that the analyzer will compare and confirm the cyber threat”, [0213] “then cooperates with the autonomous response module 140 to take an autonomous action such as i) deny access in or out of the device or the network ii) shutdown activities involving a detected malicious agent, iii) restrict devices and/or user's to merely operate within their particular normal pattern of life”, (Examiner’s Note: benign, or not a threat, is equivalent to not match because, according to [0204], a close match means a cyber threat is detected)).
Sellars does not teach jamming attack, a jamming attack that caused the nodes to be unreachable.
Vasseur teaches jamming attack, a jamming attack that caused the nodes to be unreachable ([0070] “When the DoS is not-so-subtle and every single packet destined to a node N1 is jammed by the malicious node M, the node N1 stops receiving traffic from say the node N2, N3, etc. leading to making the node effectively down. As soon as any node that belongs to the sub-DAG rooted at node N1 generates traffic traversing the node N1, the link layer or other type of keep-alive mechanisms (at layer 2, 3 or above) detects a lack of connectivity with N1 and the routing protocol will modify the routing topology, leading to rerouting the traffic”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Sellars to incorporate the teachings of Vasseur. One of ordinary skill in the art would have been motivated to make this modification in order to allow the system to mitigate predicted attacks.
Regarding claims 10 and 20, Sellars does not explicitly teach wherein communications in the communication network are rerouted based on either the communication network route changes, or the other communication network route changes.
Vasseur teaches wherein communications in the communication network are rerouted based on either the communication network route changes, or the other communication network route changes ([0080] “In contrast with existing rerouting techniques, the routing topology is left unchanged. The traffic is rerouted onto another path avoiding the node suspected to be under attack, effectively not following the shortest path (the routing topology is thus unchanged, which is of the utmost importance to prevent such attacks from triggering routing oscillations)”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Sellars to incorporate the teachings of Vasseur. One of ordinary skill in the art would have been motivated to make this modification in order to allow the system to mitigate predicted attacks.
Claims 9 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Sellars in view of Vasseur, further in view of Thai (US20120051239).
Regarding claims 9 and 19, Sellars and Vasseur do not teach wherein the anticipated jamming attack was identified by optimization of a maximal covering location problem.
Thai teaches wherein the anticipated jamming attack was identified by optimization of a maximal covering location problem ([0038] “When modeling a jamming attack, a set of jammers J are considered to exist at unknown locations in the network. Each jammer 20 is considered to have a transmission range of at most R=αr (where α>1) during an attack (transmitting noise) and a transmission range of r during the listening mode. For the basic attacker model, jammer nodes keep idle until they sense any ongoing legitimate transmissions and then broadcast interference signals to jam all the sensors in distance R on this specific channel. The maximum damage caused by the jammer nodes are limited to the interferences toward specific sensor nodes on specific transmission channels for a short period, instead of long-term disabling of the sensors. The motivation behind this assumption arises from the basic goal of reactive jamming, which is to disrupt the message delivery with minimum energy cost”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Sellars and Vasseur to incorporate the teachings of Thai. One of ordinary skill in the art would have been motivated to make this modification in order to efficiently mitigate jamming attacks.
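The following Python model is an illustration added by the editor; it is not part of this Office action, the application under examination, or the Sellars, Vasseur or Thai disclosures. It models, on a constructed wireless mesh, the decision logic at issue in claims 1 and 11 (a report of unreachable nodes arriving during jamming, compared against the nodes an anticipated attack is expected to affect, with route changes prepared in advance used on a match and other route changes computed otherwise) and, for claims 9 and 19, obtains the anticipated attack by solving a small maximal covering location problem over assumed candidate jammer sites using Thai's R = αr interference range. Node positions, the radio and jamming ranges, the candidate jammer sites, the keep-alive reports, and the use of set equality as the "match" test are all assumptions made for the illustration.

```python
"""Illustrative model (constructed data): anticipated-jamming comparison and
rerouting.  Not code from the application or from Sellars, Vasseur or Thai."""
from collections import deque
from itertools import combinations
import math

# Constructed wireless mesh: node -> (x, y).  Nodes within RADIO_RANGE are linked.
POSITIONS = {
    "S": (-1, 1), "T": (4, 1),
    "A": (0, 0), "B": (1, 0), "C": (2, 0), "D": (3, 0),
    "E": (0, 1), "F": (1, 1), "G": (2, 1), "H": (3, 1),
    "I": (0, 2), "J": (1, 2), "K": (2, 2), "L": (3, 2),
}
RADIO_RANGE = 1.0   # r, the listening/link range
JAM_RANGE = 1.2     # R = alpha * r with alpha = 1.2 (assumed), per Thai's attacker model

# Assumed candidate jammer sites considered by the anticipated-attack model.
JAMMER_CANDIDATES = {"J1": (1.5, 0.5), "J2": (0.5, 2.5), "J3": (2.5, 2.5)}


def _dist(p, q):
    return math.hypot(p[0] - q[0], p[1] - q[1])


def build_links(positions=POSITIONS, r=RADIO_RANGE):
    """Undirected adjacency: two nodes are neighbours when within radio range r."""
    return {n: {m for m in positions if m != n and _dist(positions[n], positions[m]) <= r}
            for n in positions}


def jammed_nodes(jammer_pos, positions=POSITIONS, rng=JAM_RANGE):
    """Nodes whose radios fall inside a jammer's interference range R."""
    return {n for n, p in positions.items() if _dist(p, jammer_pos) <= rng}


def anticipate_attack(k=1, candidates=JAMMER_CANDIDATES):
    """Maximal covering location problem, solved exactly by enumeration for small k:
    the placement of k jammers covering the most nodes is taken as the anticipated
    attack, and its covered set as the nodes expected to be affected."""
    best_sites, best_cover = (), set()
    for sites in combinations(sorted(candidates), k):
        cover = set().union(*(jammed_nodes(candidates[s]) for s in sites))
        if len(cover) > len(best_cover):
            best_sites, best_cover = sites, cover
    return best_sites, best_cover


def shortest_path(links, src, dst, avoid=frozenset()):
    """BFS hop-count path from src to dst that never traverses a node in `avoid`.
    Only the traffic path changes; the link topology itself is left untouched."""
    if src in avoid or dst in avoid:
        return None
    prev, queue = {src: None}, deque([src])
    while queue:
        n = queue.popleft()
        if n == dst:
            path = []
            while n is not None:
                path.append(n)
                n = prev[n]
            return path[::-1]
        for m in sorted(links[n]):
            if m not in prev and m not in avoid:
                prev[m] = n
                queue.append(m)
    return None  # dst cut off by the avoided nodes


class AntiJammingModule:
    """Holds route changes prepared ahead of time for the anticipated attack and
    decides, on a keep-alive report, whether they apply."""

    def __init__(self, src, dst, k=1):
        self.links = build_links()
        self.src, self.dst = src, dst
        self.sites, self.expected = anticipate_attack(k)
        # Route changes generated before any attack is detected (cf. claims 3/7).
        self.precomputed = shortest_path(self.links, src, dst, avoid=self.expected)

    def on_unreachable_report(self, unreachable):
        """`unreachable`: nodes whose keep-alives were lost while jamming is underway.
        Match is taken as set equality (an assumption for this illustration)."""
        unreachable = set(unreachable)
        if unreachable == self.expected:
            return "precomputed", self.precomputed
        # Not the anticipated attack: generate other route changes now, avoiding
        # exactly the nodes reported unreachable (cf. claim 5).
        return "recomputed", shortest_path(self.links, self.src, self.dst, avoid=unreachable)


if __name__ == "__main__":
    mod = AntiJammingModule("S", "T")
    print("anticipated jammer site(s)", mod.sites, "expected to affect", sorted(mod.expected))
    print(mod.on_unreachable_report({"B", "C", "F", "G"}))   # matches: precomputed route
    print(mod.on_unreachable_report({"J", "K"}))             # no match: recomputed route
```

With the constructed data the single-jammer MCLP selects site J1, which covers B, C, F and G; the route prepared in advance therefore runs S-E-I-J-K-L-H-T. A keep-alive report naming exactly those four nodes is served from the prepared route, while a report naming J and K (a jammer placed where the model did not expect) triggers a fresh computation that yields S-E-F-G-H-T. In both cases the route contains none of the unreachable nodes, and the adjacency returned by build_links is never modified, matching the point in Vasseur [0080] that traffic is moved while the routing topology is left unchanged.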
Response to Arguments
Applicant's arguments filed 10/29/2025 have been fully considered but they are not persuasive.
Applicant’s Argument
Applicant remarks that Vasseur fails to disclose, at least, the claim elements [1] "... receiving, by an anti-jamming module, information indicating that nodes of a communication network are unreachable..." and [2] the information is received while a jamming attack is underway.
Examiner’s Response
Examiner respectfully disagrees. The combination of Sellars and Vasseur teaches the limitation. More specifically, Vasseur shows claim elements [1] "... receiving, by an anti-jamming module, information indicating that nodes of a communication network are unreachable..." and [2] the information is received while a jamming attack is underway, in [0070]-[0071].
For example, [0070]: “When the DoS is not-so-subtle and every single packet destined to a node N1 is jammed by the malicious node M, the node N1 stops receiving traffic from say the node N2, N3, etc. leading to making the node effectively down. As soon as any node that belongs to the sub-DAG rooted at node N1 generates traffic traversing the node N1, the link layer or other type of keep-alive mechanisms (at layer 2, 3 or above) detects a lack of connectivity with N1 and the routing protocol will modify the routing topology, leading to rerouting the traffic.” Here N1 is unreachable; the lack of connectivity detected by the link-layer or other keep-alive mechanism, once any node in the sub-DAG rooted at N1 generates traffic traversing N1, is the information that N1 is unreachable; and this detection occurs while a not-so-subtle jamming attack is underway.
Another example is [0071]: “Yet another subtle attack might be to systematically attack such nodes but for a short enough period of time so that traffic gets impacted but the routing metric does not change fast enough to trigger a reroute. The techniques herein specify a mechanism for closed loop control fed by the Learning Machine (LM) in use such as an ANN using routing in order to mitigate these attacks. It is contemplated that the LM may be hosted on any capable node (e.g., a NMS, FAR, etc.).” Here the node in question is still able to send some traffic while the subtle attack, which is equivalent to a jamming attack, is occurring. [0072] goes into more depth about the subtle attack: the anti-jamming unit assumes there could possibly be an attack, based on a probability, and tries to contact the node. “Such an IPv6 unicast packet comprises various information such as the probability that the node is indeed under attack, and is sent using the broadcast layer-2 frame (indeed, if the node N1 is being attacked, it may not be able to receive any traffic but the broadcast traffic as explained previously)”. Based on [0072], if N1 is actually being attacked it is not able to receive the usual traffic, so at that point in time the node can, under the broadest reasonable interpretation, be regarded as unreachable.
Conclusion
THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KEITH TRAN-DANH FOLLANSBEE whose telephone number is (571) 272-3071. The examiner can normally be reached 10 am - 6 pm, M-Th.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Derrick Ferris can be reached at 571-272-3123. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/K.T.F./Examiner, Art Unit 2411
/DERRICK W FERRIS/Supervisory Patent Examiner, Art Unit 2411