DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 1 and 15 are independent. Claims 6, 14, and 20 are canceled. Claims 1, 7, 9, 11, 13, 15, and 16 are amended. Claims 1-5, 7-13, and 15-19 are pending and rejected. The amendments to the claims have been accepted.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 11/13/2025 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.
Response to Arguments
Applicant’s arguments, see pp. 7-8 (pp. 1-2 of Remarks), filed 11/13/2025, with respect to the rejection(s) of claim(s) 1-4, 6-10, 13, 15-18, and 20 under 35 U.S.C. § 101 have been fully considered and are persuasive. The rejection(s) of claim(s) 1-4, 6-10, 13, 15-18, and 20 under 35 U.S.C. § 101 has been withdrawn.
Applicant’s arguments, see pp. 8-10 (pp. 2-4 of Remarks), filed 11/13/2025, with respect to the rejection(s) of claim(s) 1-4, 8-10, 12, and 15-18 under 35 U.S.C. § 102 have been fully considered and are persuasive. Therefore, the rejection has been withdrawn. However, upon further consideration, a new ground(s) of rejection is made in view of 35 U.S.C. § 103, under Petersen in view of Simpson and Baragaba.
Applicant’s arguments, see p. 10 (p. 4 of Remarks), filed 11/13/2025, with respect to the rejection(s) of claim(s) 5, 11, and 19 under 35 U.S.C. § 103 have been fully considered and are persuasive. Therefore, the rejection has been withdrawn. However, upon further consideration, a new ground(s) of rejection is made in view of 35 U.S.C. § 103, under Petersen in view of Simpson, Baragaba, and Makovsky.
Applicant’s arguments, see p. 10-12 (p. 4-6 of Remarks), filed 11/13/2025, with respect to the rejection(s) of claim(s) 6, 13, and 20 under 35 U.S.C. § 103 have been fully considered and are persuasive. Therefore, the rejection has been withdrawn. However, upon further consideration, a new ground(s) of rejection is made in view of 35 U.S.C. § 103, under Petersen in view of Simpson and Baragaba.
Applicant’s arguments, see p. 12-13 (p. 6-7 of Remarks), filed 11/13/2025, with respect to the rejection(s) of claim(s) 7 and 14 under 35 U.S.C. § 103 have been fully considered and are persuasive. Therefore, the rejection has been withdrawn. However, upon further consideration, a new ground(s) of rejection is made in view of 35 U.S.C. § 103, under Petersen in view of Simpson and Baragaba.
Claim Rejections - 35 USC § 103
The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.
Claims 1-4, 7-10, 12-13, and 15-18 are rejected under 35 U.S.C. 103 as being unpatentable over Petersen (Petersen et al., US 20120131185 A1, cited in prior office action) in view of Simpson (Simpson et al., US 20210081541 A1) and Baragaba (Baragaba et al., US 20220038486 A1, cited in prior office action).
Regarding Claim 1 and substantially claim 15, Petersen teaches a computer-implemented method for determining one or more control insights corresponding to an entity, the method comprising:
receiving one or more event datasets corresponding to a plurality of cybersecurity events associated with an entity during a first time period ([0047]-[0049] a log manager receives a collection of data from root data sources, the collection of data being log entries/messages on occurrences such as attacks (cybersecurity events) on a computer system, up to thousands or millions per day (first time period));
enriching, based on a respective event type corresponding to each of the plurality of cybersecurity events, the one or more event datasets with a plurality of indicators mapped to the plurality of cybersecurity events ([0055], the log entries are processed to form parsed metadata that are attached to, and thus enriching, each original log entry/message based on the appropriate expression syntax for the message (event type));
comparing the plurality of indicators of the one or more enriched data sets to a plurality of rules; ([0054], the AIE contains a plurality of rule blocks with 'conditions' that process facts (enriched events) to determine if the condition, such as a threshold volume of transferred data being exceeded (indicating a comparison with those rule blocks), is satisfied and thus generates an event. [0056], the facts are a subset of the parsed metadata (first subset of the plurality of indicators))
determining, based on the comparison of the plurality of indicators of the one or more enriched event datasets and the plurality of rules, the one or more control insights corresponding to the entity, wherein each of the one or more control insights provides an indication of a state of a respective cybersecurity control mechanism of one or more cybersecurity control mechanisms corresponding to the entity, wherein at least one rule of the plurality of rules is defined by (i) a rule type and (ii) a first subset of the plurality of indicators that is provided as an input to the at least one rule ([0012], "When the conditions of all of the one or more rule blocks of an AIE rule have been satisfied, an "event" is generated that is indicative of satisfaction of all the rule blocks and which may be stored for use by personnel or the like." [0054], the AIE contains a plurality of rule blocks with 'conditions' (rule types) that process facts (input to the at least one rule) to determine if the condition, such as a threshold volume of transferred data being exceeded, is satisfied and thus generates an event (determining based on the comparison of the facts and a plurality of rules, one or more control insights corresponding to the entity). 
[0005], “Some of these attempts involve processing logs against one or more rules in an attempt to identify "events" that may be further analyzed by administrators and troubleshooters.”, [0051], [0052], “advanced intelligence engine (AIE) 50 that is broadly operable to analyze and process… data which has been processed by one or more log managers 30… using one or more log processing, structured data, or AIE rules to detect what may be complex events”, events generated from processed facts (events of Petersen are control insights) provide insight into the network, such as whether there are any attacks on the computer (one or more control insights provides an indication of a state of a respective cybersecurity control mechanism of one or more cybersecurity control mechanisms corresponding to the entity). [0056], the facts are a subset of the parsed metadata (first subset of the plurality of indicators)).
Petersen does not teach this but, in an analogous art, Simpson teaches that at least one control insight of the one or more control insights comprises (i) a natural language description of the state of the respective cybersecurity control mechanism, and (ii) a positive, neutral, or negative assessment of the state of the respective cybersecurity control mechanism (Simpson, Fig. 3, [0035], a summarized description of the vulnerability states (one or more control insights) is displayed to the users. Fig. 3, [0019], vulnerability states can be positive or negative descriptions of the state of the vulnerability, such as OK, out-of-date, or no data) and generating for display, based on the one or more control insights, an action that when executed by the entity is configured to improve a state of at least one of the cybersecurity control mechanisms (Simpson, [0034], [0008] the displayed report encourages updates and displays a clickable link to a security bulletin that can help with the update to fix the vulnerabilities of the devices).
It would have been obvious to one of ordinary skill in the art prior to the effective filing date of the invention to modify Petersen using Simpson to use natural language as an insight into the assessment of the state of the respective cybersecurity control mechanism because it creates a more robust vulnerability state report and can aid in firmware update decision making (Simpson, [0012]).
Petersen in view of Simpson does not teach but, in an analogous art, Baragaba teaches that the displayed action is determined based on a control framework corresponding to the at least one of the cybersecurity control mechanisms (Baragaba, [0003], "The method further includes transmitting, by the computer processor and based on the cybersecurity maturity score, a remediation command that adjusts a configuration setting of the network.", [0016] "Furthermore, a cybersecurity assessment may determine whether infrastructure, endpoints, and other organization aspects comply with one or more security standards as well as an overall level of cybersecurity maturity with the organization…. More specifically, a cybersecurity assessment may use one or more maturity models that provide a metric for analyzing specific cybersecurity areas of an organization as well as for determining an overall cybersecurity picture of the organization against one or more cybersecurity standards or frameworks.". [0030], a command to initiate the remediation action is displayed via GUI).
It would have been obvious to one of ordinary skill in the art prior to the effective filing date of the invention to modify Petersen in view of Simpson using Baragaba to generate a remediation action for the infrastructure of the network based on a cybersecurity framework because assessing the cybersecurity state against an international framework allows an organization to identify how compliant it is with recommended practices and where the areas of improvement are, and to respond to them to improve the state (Baragaba, [0001]).
Regarding Claim 2 and substantially claim 16, Petersen in view of Simpson and Baragaba teaches the method of claim 1, wherein the plurality of cybersecurity events are associated with one or more entity computing systems corresponding to the entity (Petersen, [0047]-[0049] a log manager receives a collection of data from root data sources, the collection of data being log entries/messages on occurrences such as attacks on a computer system) and are derived from one or more of: malware sinkhole data, honeypot data, port scanning data, vulnerability scanning data (Petersen, [0011], "The analyses may be performed in real time to identify suspicious activity and known issues… providing various analysis technique such as correlative analyses (e.g., generating an event if events a, b or c… corroborative analysis (e.g., creating an event if an attack is observed against a system known to be vulnerable to a)…"), service configuration scanning data, actively and/or passively collected domain name system (DNS) data (Petersen, [0109], "For instance, if primary criteria such as a particular domain and a particular log message direction (e.g., inbound or outbound) were specified, then all log messages collected and/or used by the RB would necessarily be associated with the particular criteria and particular log message direction."), advertising and marketing telemetry data, application-based endpoint behavior data (Petersen, [0047], "Other examples of occurrences or developments that may cause the generation of log messages include, inter alia, application launch failures…"), mobile application security assessment result data, domain name system (DNS) log data (Petersen, [0109], "For instance, if primary criteria such as a particular domain and a particular log message direction (e.g., inbound or outbound) were specified, then all log messages collected and/or used by the RB would necessarily be associated with the particular criteria and particular log message direction."), authentication log data (Petersen, [0011], "The analyses may be performed in real time to identify suspicious activity and known issues… providing various analysis technique such as… behavioral analyses (e.g., creating an event if a user is observed authenticating to a network during timeframes that are significantly different than previously established usage patterns)"), netflow log data (Petersen, [0049], "In this regard, the log manager 30 may use various protocols (e.g., syslog protocols, Netflow protocols) to communicate with the root data sources 14."), web proxy log data, and firewall log data (Petersen, [0034], "For instance, log messages and/or other data may be generated by a variety of network platforms including, for instance, Windows servers, Linux servers, UNIX servers, routers, switches, firewalls,").
Regarding Claim 3 and substantially claim 17, Petersen in view of Simpson and Baragaba teaches the method of claim 1, further comprising: determining a plurality of event types for the plurality of cybersecurity events, wherein each cybersecurity event is mapped to a respective event type of the plurality of event types that identifies the cybersecurity event (Petersen, [0034], "Fields of information within such log messages can be identified and the messages can be selectively processed in accordance with rules based on those fields.").
Regarding Claim 4 and substantially claim 18, Petersen in view of Simpson and Baragaba teaches the method of claim 1, wherein each cybersecurity event is mapped to a respective subset of the plurality of indicators comprising contextual information for the cybersecurity event (Petersen, [0055], metadata (contextual information for the cybersecurity event) is parsed (mapped to a respective subset of the plurality of indicators) from each log entry/message).
Regarding Claim 7, Petersen in view of Simpson and Baragaba teaches the method of claim 1. Baragaba further teaches that the control framework is selected from the group consisting of: a Center for Internet Security Top 20 Critical Security Controls (CIS20) framework, a National Institute of Standards and Technology (NIST) framework, (Baragaba, [0003], [0027], a cybersecurity maturity score (control insight) is determined using a maturity model that could work along the lines of the NIST cyber security framework) and an International Organization for Standardization and International Electrotechnical Commission (ISO/IEC) 27001 framework. (see claim 1 for motivation to combine)
Regarding Claim 8, Petersen in view of Simpson and Baragaba teaches the method of claim 1, wherein the at least one rule of the plurality of rules is further defined based on at least one characteristic corresponding to the entity and by (i) the rule type, (ii) the first subset of the plurality of indicators, and (iii) at least one threshold value ((Petersen, [0054], the AIE contains a plurality of rule blocks with 'conditions' (rule types) that process facts (input to the at least one rule) to determine if the condition, such as a threshold volume (at least one threshold value) of transferred data being exceeded, is satisfied. [0056], the facts are a subset of the parsed metadata (first subset of the plurality of indicators). [0117], the threshold is for the facts (enriched events, characteristic) that corresponds to the computer)).
Regarding Claim 9, Petersen in view of Simpson and Baragaba teaches the method of claim 1, wherein the plurality of rules comprise a plurality of conditional statements, and wherein the determining the one or more control insights corresponding to the entity further comprises: determining, based on the comparison of the plurality of indicators to the plurality of rules, the first subset of the plurality of indicators satisfying the at least one rule of the plurality of rules; and deriving, based on the first subset of the plurality of indicators satisfying the at least one rule, at least one control insight of the one or more control insights that is mapped to the at least one rule (Petersen, [0054], the AIE contains a plurality of rule blocks with 'conditions' that process facts (enriched events) to determine if the condition, such as a threshold volume of transferred data being exceeded, is satisfied and thus generates an event (control insight)).
Regarding Claim 10, Petersen in view of Simpson and Baragaba teaches the method of claim 9, wherein the at least one rule is further defined by at least one threshold value, and further comprising: determining one or more values from the first subset of the plurality of indicators; comparing, based on the rule type of the at least one rule, the one or more values to the at least one threshold value; and determining, based on the comparison of the one or more values to the at least one threshold value, the plurality of indicators satisfies the rule to derive the at least one control insight (Petersen, [0054], the AIE contains a plurality of rule blocks with 'conditions' that process facts (enriched events) to determine if the condition, such as a threshold volume of transferred data being exceeded, is satisfied and thus generates an event).
Regarding Claim 12, Petersen in view of Simpson and Baragaba teaches the method of claim 1, wherein each of the plurality of cybersecurity events comprises a respective timestamp indicative of a time at which the cybersecurity event was observed, and further comprising: filtering, based on the timestamps of the plurality of cybersecurity events, the one or more event datasets by removing, from the one or more event datasets, a subset of the plurality of cybersecurity events comprising timestamps that are external to the first time period (Petersen, [0063], "Another filter may be a day/time filter 172 where a fact 124 must fall within any specified day of week and/or time of day filters (as determined by any appropriate time stamp associated with the fact 124)", [0074], "Furthermore, the filtering results 188 in the metadata 184 of the pending event 128' (see FIG. 3) may include various types of information such as the specific quantitative field(s) and threshold(s) observed or not observed, the specific value of the particular quantitative field reached upon or before generation of the pending event 128', the time limit or period within which the threshold was observed or not observed, time stamps, and/or the like.").
Regarding Claim 13, Petersen in view of Simpson and Baragaba teaches the method of claim 1. Simpson further teaches that the one or more control insights comprise two or more control insights, wherein the two or more control insights provide respective indications of the state of the same cybersecurity control mechanism (Simpson, [0019], the same device (cybersecurity control mechanism) has multiple vulnerability states (two or more)), and determining, by an evaluation model and based on the two or more control insights, a perception of the same cybersecurity control mechanism (Simpson, [0019], the prioritization (perception) of a main vulnerability state for a device is based (determined by an evaluation model) on the most severe vulnerability state of the multiple vulnerability states).
It would have been obvious to one of ordinary skill in the art prior to the effective filing date of the invention to further modify Petersen in view of Simpson and Baragaba using Simpson to create multiple control insights and combine them to evaluate the state of a cybersecurity control mechanism because it allows for prioritization of devices based on their most severe vulnerability (Simpson, [0019]).
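The pipeline recited in claims 1, 8-10, 12 and 13 (filter events to the first time period, enrich each event with indicators chosen by its event type, feed a first subset of indicators into rules defined by a rule type and a threshold, derive a control insight carrying a natural-language description and a positive, neutral or negative assessment, then reduce several insights on the same control to a single perception) is shown below as an added illustration. The code is not the applicant's, Petersen's, Simpson's or Baragaba's; the event records, indicator names, rule names, thresholds and control names are all constructed for the example.

```python
"""Added example: event enrichment, rule evaluation and control insights.

Sample events, indicator names, rules and thresholds are constructed
for illustration and do not come from any cited reference.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import Callable

# Constructed sample event datasets (hypothetical records).
EVENTS = [
    {"type": "auth", "ts": "2025-11-01T02:15:00Z", "user": "alice", "outcome": "failure"},
    {"type": "auth", "ts": "2025-11-01T02:16:00Z", "user": "alice", "outcome": "failure"},
    {"type": "auth", "ts": "2025-11-01T02:17:00Z", "user": "alice", "outcome": "failure"},
    {"type": "auth", "ts": "2025-11-01T09:05:00Z", "user": "bob", "outcome": "success"},
    {"type": "netflow", "ts": "2025-11-01T03:00:00Z", "dst": "203.0.113.9", "bytes_out": 900_000_000},
    {"type": "netflow", "ts": "2025-11-01T10:00:00Z", "dst": "10.0.0.7", "bytes_out": 50_000_000},
    {"type": "firewall", "ts": "2025-11-01T11:00:00Z", "action": "deny", "dst_port": 445},
    # Timestamps outside the first time period; removed by filter_by_period().
    {"type": "auth", "ts": "2025-10-31T23:59:00Z", "user": "alice", "outcome": "failure"},
    {"type": "netflow", "ts": "2025-11-03T00:00:00Z", "dst": "203.0.113.9", "bytes_out": 5_000_000_000},
]

PERIOD_START = datetime(2025, 11, 1, tzinfo=timezone.utc)
PERIOD_END = datetime(2025, 11, 2, tzinfo=timezone.utc)
INTERNAL = ip_network("10.0.0.0/8")


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Enrichment: the indicator set attached to an event depends on its event type.
ENRICHERS: dict[str, Callable[[dict], dict]] = {
    "auth": lambda e: {"auth_failed": e["outcome"] == "failure",
                       "off_hours": not 7 <= parse_ts(e["ts"]).hour < 19},
    "netflow": lambda e: {"bytes_out": e["bytes_out"],
                          "external_dst": ip_address(e["dst"]) not in INTERNAL},
    "firewall": lambda e: {"denied": e["action"] == "deny", "dst_port": e["dst_port"]},
}


def filter_by_period(events, start, end):
    """Drop events whose timestamp falls outside [start, end)."""
    return [e for e in events if start <= parse_ts(e["ts"]) < end]


def enrich(events):
    """Attach the per-type indicators to each event; unknown types get none."""
    return [{**e, "indicators": ENRICHERS.get(e["type"], lambda _: {})(e)} for e in events]


@dataclass(frozen=True)
class Rule:
    name: str
    rule_type: str       # "count" or "sum"
    indicators: tuple    # first subset of indicators supplied as input to the rule
    threshold: float
    control: str         # the control mechanism this rule says something about


@dataclass(frozen=True)
class ControlInsight:
    control: str
    rule: str
    description: str     # natural-language description of the control's state
    assessment: str      # "positive", "neutral" or "negative"


RULES = [
    Rule("off_hours_auth_failures", "count", ("auth_failed", "off_hours"), 3, "Account monitoring"),
    Rule("auth_failures_total", "count", ("auth_failed",), 10, "Account monitoring"),
    Rule("external_egress_bytes", "sum", ("bytes_out", "external_dst"), 500_000_000, "Data loss prevention"),
    Rule("inbound_denies", "count", ("denied",), 5, "Boundary defense"),
    Rule("sinkhole_hits", "count", ("sinkhole_hit",), 1, "Malware defense"),
]


def evaluate_rule(rule: Rule, enriched) -> ControlInsight:
    """Compare the rule's indicator subset against its threshold and derive one insight."""
    rows = [e["indicators"] for e in enriched if all(k in e["indicators"] for k in rule.indicators)]
    if not rows:  # no event carried the needed indicators: state is unknown, not bad
        return ControlInsight(rule.control, rule.name,
                              f"{rule.control}: no events carry {rule.indicators}; state unknown", "neutral")
    if rule.rule_type == "count":
        value = sum(1 for r in rows if all(r[k] for k in rule.indicators))
    elif rule.rule_type == "sum":
        # Sum the first indicator over rows where the remaining indicators hold.
        value = sum(r[rule.indicators[0]] for r in rows if all(r[k] for k in rule.indicators[1:]))
    else:
        raise ValueError(f"unknown rule type {rule.rule_type}")
    satisfied = value >= rule.threshold
    description = (f"{rule.control}: {rule.name} observed {value} against threshold {rule.threshold} "
                   f"({'exceeded' if satisfied else 'within limits'})")
    return ControlInsight(rule.control, rule.name, description, "negative" if satisfied else "positive")


SEVERITY = {"negative": 2, "neutral": 1, "positive": 0}


def perceive(insights) -> dict:
    """Per control, keep the most severe assessment across all insights for it."""
    out: dict = {}
    for i in insights:
        if i.control not in out or SEVERITY[i.assessment] > SEVERITY[out[i.control]]:
            out[i.control] = i.assessment
    return out


def run(events=EVENTS, rules=RULES, start=PERIOD_START, end=PERIOD_END):
    enriched = enrich(filter_by_period(events, start, end))
    insights = [evaluate_rule(r, enriched) for r in rules]
    return insights, perceive(insights)


if __name__ == "__main__":
    for insight in run()[0]:
        print(insight.assessment.upper(), insight.description)
```

Rules only see indicators, never raw records, so a new event source is wired in by adding an enricher rather than by touching the rules; a rule whose indicators no event carries yields a neutral "state unknown" insight instead of a silently positive one.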
Claims 5, 11, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Petersen in view of Simpson and Baragaba as applied to claims 1 and 15 above, and further in view of Makovsky (US 20180302272 A1, cited in prior office action).
Regarding Claim 5 and substantially claim 19, Petersen in view of Simpson and Baragaba teaches the method of claim 1. Petersen in view of Simpson and Baragaba does not teach this, but in an analogous art, Makovsky teaches receiving a user input comprising a selection of a second subset of a plurality of indicators corresponding to at least one cybersecurity event of a plurality of cybersecurity events; and enriching the at least one cybersecurity event with the second subset of the plurality of indicators (Makovsky, [0031], "Implementations of this disclosure provide technological improvements particular to computer networks, for example, those concerning the generation of alerts based on events received from event sources monitoring the components of computer networks…. For example, implementations of this disclosure include graphical user interfaces for sequentially receiving user input used to identify attributes of particular components that will be associated with an alert and to enrich the alert using attributes of those components.", user input is received identifying attributes of particular components (a selection of a second subset of the plurality of indicators) and enriching an alert (cybersecurity event), which is part of a plurality of alerts/events).
It would be obvious to one of ordinary skill in the art prior to the effective filing date of the invention to modify Petersen in view of Simpson and Baragaba using Makovsky to enrich the event using user-input indicators because it facilitates the generation of alerts that include meaningful output (Makovsky, [0031], "Implementations of this disclosure can thus introduce new and efficient improvements in the ways in which events are processed for computer networks, such as by facilitating the generation of alerts including meaningful output for resolving issues occurring within the computer networks.").
Regarding Claim 11, Petersen in view of Simpson and Baragaba teaches the method of claim 1. Petersen in view of Simpson and Baragaba does not teach this, but in an analogous art, Makovsky teaches receiving a user input comprising a selection of the type and the first subset of the indicators for the at least one rule of the plurality of rules (Makovsky, [0031], "Implementations of this disclosure provide technological improvements particular to computer networks, for example, those concerning the generation of alerts based on events received from event sources monitoring the components of computer networks…. For example, implementations of this disclosure include graphical user interfaces for sequentially receiving user input used to identify attributes of particular components that will be associated with an alert and to enrich the alert using attributes of those components. The event rules are testable without generating false alert data for the computer network. When an event is later received from an event source, it is processed using the event rule by binding an alert generated therefor to the component identified in the event rule and enriching the alert using attributes of that component.", user input is received identifying attributes (a selection of the first subset of the indicators) of particular components (selection of the type), which is used for an event rule (the at least one rule of the plurality of rules)).
It would be obvious to one of ordinary skill in the art prior to the effective filing date of the invention to modify Petersen in view of Simpson and Baragaba using Makovsky to receive a user input of the selection of the type of event/rule and indicators for that event because it facilitates the generation of alerts that include meaningful output (Makovsky, [0031], "Implementations of this disclosure can thus introduce new and efficient improvements in the ways in which events are processed for computer networks, such as by facilitating the generation of alerts including meaningful output for resolving issues occurring within the computer networks.").
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Poulin (Poulin et al., US 12353563 B2) teaches the determination of a cybersecurity action plan, by receiving indications of how well an entity is complying with a cybersecurity framework such as NIST or ISO, and outputting the action plan to users.
Yumer (Yumer et al., US 10410158 B1) teaches the identification of telemetry data (i.e. events) and searching the data for indicators (enriching it) and performing the calculation of the quantitative risk of the events in view of the indicators, before performing cybersecurity actions in response to the risk.
Linn (Linn et al., US 10862926 B2) teaches the identification of threats and the analysis of indicators of suspicious activity within them, using those threats to determine possible attack paths the adversaries may take and recommend countermeasures against those adversaries.
Sweeney (Sweeney et al., US 20190207981 A1) teaches enriching events according to their metadata (Sweeney, [0008], [0089], Fig. 2) and classifying those events to security controls (rules) before calculating activity metrics and control maturity (control insights) for the events based on those controls according to a framework (Sweeney, [0006], [0141]), presenting them to a user afterwards.
Sudhakar (Sudhakar et al., US 20190364060 A1) teaches enriching events according to external information, and using those events to determine feature and anomaly scores to present to users via visual analytics.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to AMIR MAHDI HAJIABBASI whose telephone number is (703)756-5511. The examiner can normally be reached M-F 7:30-5 EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Catherine Thiaw can be reached at (571) 270-1138. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/A.M.H./
Amir Mahdi Hajiabbasi, Examiner, Art Unit 2407
/Catherine Thiaw/Supervisory Patent Examiner, Art Unit 2407 12/17/2025