Prosecution Insights
Last updated: April 19, 2026
Application No. 18/369,030

SELECTIVELY PRIORITIZING ALERTS RECEIVED FOR AN ADVANCED CYBERSECURITY THREAT PRIORITIZATION SYSTEM

Non-Final OA §101 §103 §112
Filed: Sep 15, 2023
Examiner: CERVETTI, DAVID GARCIA
Art Unit: 2409
Tech Center: 2400 — Computer Networks
Assignee: International Business Machines Corporation
OA Round: 1 (Non-Final)
Grant Probability: 83% (Favorable)
OA Rounds: 1-2
To Grant: 3y 5m
With Interview: 98%

Examiner Intelligence

Grants 83% — above average
Career Allow Rate: 83% (990 granted / 1195 resolved), +24.8% vs TC avg
Strong +16% interview lift
Interview Lift: +15.5% (resolved cases with interview)
Typical timeline
Avg Prosecution: 3y 5m (27 currently pending)
Career history
Total Applications: 1222 (across all art units)

Statute-Specific Performance

§101: 14.6% (-25.4% vs TC avg)
§103: 26.8% (-13.2% vs TC avg)
§102: 22.0% (-18.0% vs TC avg)
§112: 17.5% (-22.5% vs TC avg)
Based on career data from 1195 resolved cases

Office Action

§101 §103 §112
DETAILED ACTION

Applicant’s Response to Election/Restriction filed 11/6/2025 has been fully considered. Claims 1-23 have been examined. Claims 24-25 have been withdrawn.

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 112

The following is a quotation of 35 U.S.C. 112(b):

(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 2-3, 11-12 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.

Claims 2-3, 11-12 recite the limitation "the corresponding responses". There is insufficient antecedent basis for this limitation in the claims. This is not intended to be a complete list of such indefiniteness issues.

Claim Rejections - 35 USC § 101

35 U.S.C. 101 reads as follows:

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1-23 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. The claim(s) recite(s) generating values, i.e. scores, and combining them to create a consolidated score. This judicial exception is not integrated into a practical application because they are broad enough to cover generating the scores in the mind, other than the generic computer components or a mathematical concept. This validating steps and granting access steps, as drafted, is a process that under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components or “using” a model. That is, other than reciting “computer implemented”, “a model”, “a processor”, nothing in the claim element precludes the step from practically being performed in the human mind. For example, but for the “computer implemented” language, the claims encompasses a user calculating scores based on given information.

The claim(s) does/do not include additional elements that are sufficient to amount to significantly more than the judicial exception because the claims only use generic computer components. Mere instructions to apply an exception using generic components cannot provide an inventive concept. Additionally, the mere nominal recitation of a generic processor does not take the claim limitation out of the mental processes grouping. Thus, the claims recite a mental process and are not patent eligible. The claims are directed to well-understood, routine, and conventional activity as evidenced by the “background of the invention” section and references applied hereinbelow.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 5, 7-12, 14, 16-19, 21, and 23 are rejected under 35 U.S.C. 103 as being unpatentable over Phatak (20220006899), and further in view of Costea (20210136089).

Regarding claims 1, 10, and 18, Phatak teaches A computer-implemented method, comprising, in response to detecting a current cybersecurity event: / A computer program product, comprising a computer readable storage medium having program instructions embodied therewith, the program instructions readable by a processor, executable by the processor, or readable and executable by the processor, to cause the processor to, in response to detecting a current cybersecurity event: / An advanced threat prioritization system, comprising: a processor; and logic integrated with the processor, executable by the processor, or integrated with and executable by the processor, the logic being configured to, in response to detecting a current cybersecurity event (abstract): causing a historical risk score to be generated for the current cybersecurity event; causing an anomaly risk score to be generated for the current cybersecurity event; causing a sigma rule detection score to be generated for the current cybersecurity event; causing an Indicator of Compromise (IoC) score to be generated for the current cybersecurity event (par.40-47, 73-80, apply different models to event to calculate different risk scores for the event, based on suspicion, anomalies, impact, historical aspects); and using a machine learning model to: evaluate the different scores, and create a consolidated risk score corresponding to: the multiple scores (par.13-14, 73-76, ML architecture to evaluate and generate scores, and combine them to a combined threat risk score).

Phatak does not expressly disclose, however, Costea further teaches causing a sigma rule detection score to be generated for the current cybersecurity event; causing an Indicator of Compromise (IoC) score to be generated for the current cybersecurity event (par.40-47, 61-64, calculate different risk scores for the event/cluster, based on suspicion, anomalies, impact, historical aspects), and evaluate the historical risk score, the sigma rule detection score, the anomaly risk score, and the IoC score, and create a consolidated risk score corresponding to: the current cybersecurity event, the consolidated risk score incorporating the historical risk score, the sigma rule detection score, the anomaly risk score, and the IoC score (par.38-45).

Therefore, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to modify Phatak to use additional models and scores as taught by Costea. One of ordinary skill in the art would have been motivated to perform such a modification to protect resources against additional threats (Costea, par.30-40).

Regarding claims 2 and 11, Phatak/Costea teaches wherein causing the historical risk score to be generated for the current cybersecurity event includes: using a second machine learning model to compare the current cybersecurity event to historical cybersecurity events; and determining the historical risk score based at least in part on the comparison and the corresponding responses to the historical cybersecurity events (Costea, 38-42, 61-67).

Regarding claims 3 and 12, Phatak/Costea teaches wherein determining the historical risk score includes: applying a time decay to the historical cybersecurity events and the corresponding responses (Phatak, 101-104).

Regarding claims 5, 14, and 21, Phatak/Costea teaches wherein causing the anomaly risk score to be generated for the current cybersecurity event includes: inspecting information associated with the current cybersecurity event; identifying anomalies in the information; and determining a numeric value for each of the anomalies, the numeric values indicating an amount that the respective anomaly deviates from a majority of the information associated with the current cybersecurity event (Costea, 36-41, 79-81).

Regarding claims 7, 16, and 23, Phatak/Costea teaches wherein using the machine learning model to create the consolidated risk score includes: generating a weighted value for each of: the historical risk score, the sigma rule detection score, the anomaly risk score, and the IoC score; applying the weighted values to the respective historical risk score, sigma rule detection score, anomaly risk score, and IoC score; and combining the weighted historical risk score, the weighted sigma rule detection score, the weighted anomaly risk score, and the weighted IoC score to form the consolidated risk score (Phatak, 39-45, 79-84).

Regarding claims 8 and 17, Phatak/Costea teaches wherein the machine learning model is trained using random forest classifiers and/or permutation importance algorithms to generate weighted values for each of the historical risk score, the sigma rule detection score, the anomaly risk score, and the IoC score (Phatak, 67-71, 84-88, Costea, 38-41, 66-70).

Regarding claim 9, Phatak/Costea teaches wherein the operations are performed by an advanced threat prioritization system having a historical risk score module configured to generate the historical risk score, a sigma rule detection score module configured to generate the sigma rule detection score, an anomaly risk score module configured to generate the anomaly risk score, and an IoC score module configured to generate the IoC score (Phatak, 10-11, 98-103, Costea, 42-45, 74-77).

Regarding claim 19, Phatak/Costea teaches wherein causing the historical risk score to be generated for the current cybersecurity event includes: using a second machine learning model to compare the current cybersecurity event to historical cybersecurity events; and determining the historical risk score based at least in part on the comparison and the corresponding responses to the historical cybersecurity events (Costea, 38-42, 61-67), wherein comparing the current cybersecurity event to the historical cybersecurity events includes comparing features selected from the group consisting of: log severity scores, model escalation probabilities, rare scores, and observable scores (Costea, 64-67, 77-80, Phatak, 156-158).

Claims 4, 13, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Phatak/Costea, and further in view of Lin (10841338).

Regarding claims 4, 13, and 20, Phatak/Costea teaches normalizing the determined risk score (Phatak, 93-105) but does not expressly disclose, however, Lin teaches wherein causing the sigma rule detection score to be generated for the current cybersecurity event includes: identifying a number of rules that have been fired as a result of the current cybersecurity event; determining a risk score based at least in part on the number of fired rules (col.3, 10-65).

Therefore, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to modify Phatak/Costea to use additional attributes of events as taught by Reich. One of ordinary skill in the art would have been motivated to perform such a modification to further protect access to resources (Reich, par.2-8, 45-52).

Claims 6, 15, and 22 are rejected under 35 U.S.C. 103 as being unpatentable over Phatak/Costea, and further in view of Reich (20250260715).

Regarding claims 6, 15, and 22, Phatak/Costea does not expressly disclose, however, Reich teaches wherein causing the IoC score to be generated for the current cybersecurity event includes: inspecting information associated with the current cybersecurity event; identifying one or more types of IoCs in the information; comparing the identified IoCs to information associated with historical cybersecurity events; and determining the IoC score based at least in part on overlaps between the identified IoCs and the information associated with the historical cybersecurity events, wherein the one or more types of IoCs identified in the information are determined based on the current cybersecurity event (par.46-52, 79-86).

Therefore, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to modify Phatak/Costea to use additional attributes of events as taught by Reich. One of ordinary skill in the art would have been motivated to perform such a modification to further protect access to resources (Reich, par.2-8, 45-52).

Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: the remaining references put forth on the PTO-892 form are directed to cybersecurity events detection and processing using machine learning.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to David García Cervetti whose telephone number is (571)272-5861. The examiner can normally be reached Monday-Friday 8AM-5PM.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, HADI S ARMOUCHE can be reached at (571)270-3618. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/David Garcia Cervetti/
Primary Examiner, Art Unit 2409

Prosecution Timeline

Sep 15, 2023: Application Filed
Jan 21, 2026: Non-Final Rejection — §101, §103, §112
Mar 24, 2026: Interview Requested
Apr 01, 2026: Applicant Interview (Telephonic)
Apr 01, 2026: Examiner Interview Summary

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12602455
AUTHENTICATION METHOD AND RECORDING MEDIUM
2y 5m to grant Granted Apr 14, 2026
Patent 12602384
METHODS FOR ENHANCING RAPID DATA ANALYSIS
2y 5m to grant Granted Apr 14, 2026
Patent 12598198
DETECTING DATA EXFILTRATION AND INFILTRATION OVER DNS
2y 5m to grant Granted Apr 07, 2026
Patent 12592934
Managing Approval Workflows For Privileged Roles In Private Label Cloud Realms
2y 5m to grant Granted Mar 31, 2026
Patent 12585785
Code Vulnerability Evaluator
2y 5m to grant Granted Mar 24, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.


Prosecution Projections

Expected OA Rounds: 1-2
Grant Probability: 83%
With Interview: 98% (+15.5%)
Median Time to Grant: 3y 5m
PTA Risk: Low
Based on 1195 resolved cases by this examiner. Grant probability derived from career allow rate.
