Prosecution Insights
Last updated: April 19, 2026
Application No. 18/373,157

METHOD FOR SHARING CYBERSECURITY THREAT ANALYSIS AND DEFENSIVE MEASURES AMONGST A COMMUNITY

Non-Final OA §103 §DP
Filed: Sep 26, 2023
Examiner: BROWN, CHRISTOPHER J
Art Unit: 2439
Tech Center: 2400 — Computer Networks
Assignee: Darktrace Holdings Limited
OA Round: 3 (Non-Final)
Grant Probability: 75% (Favorable)
OA Rounds: 3-4
To Grant: 3y 6m
With Interview: 88%

Examiner Intelligence

Grants 75% — above average
Career Allow Rate: 75% (533 granted / 707 resolved), +17.4% vs TC avg
Interview Lift: +12.6% (Moderate +13% lift), resolved cases with interview
Typical timeline: 3y 6m Avg Prosecution, 36 currently pending
Career history: 743 Total Applications across all art units

Statute-Specific Performance

§101: 12.7% (-27.3% vs TC avg)
§103: 54.6% (+14.6% vs TC avg)
§102: 10.4% (-29.6% vs TC avg)
§112: 11.1% (-28.9% vs TC avg)
Black line = Tech Center average estimate • Based on career data from 707 resolved cases

Office Action

§103 §DP
Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments

Applicant's arguments filed 12/2/25 have been fully considered but they are not persuasive.

Applicant argues that Claim 21 distinguishes itself from the Reybok reference because “behavioral parameters of a network entity, such as a user or device, certainly does have personally identifiable information”. Examiner disagrees. While Applicant may be their own lexicographer, the instant specification mentions personally identifiable information only a few times, and nowhere in the specification is it defined. Examiner asserts that one of ordinary skill in the art would understand that personally identifiable information includes such data as social security number, age, name, address, etc. None of this information is included in a “behavioral parameter of a network entity”. Additionally, Examiner has cited in multiple locations of Reybok that profiles are A) anonymous, and B) “sensitive information is filtered out”.

Applicant argues that the prior art fails to teach sending “the inoculation notice to the target device on another network protected by an affiliated cyber threat defense system, via at least one output port, where an inoculation module uses incident data describing a breach state by a user or a device, acting as the network entity to warn other computing devices of the potential cyber threat.” Examiner disagrees. Reybok teaches

As per claim 24, Applicant argues that Reybok fails to teach identifying whether the breach state and a chain of relevant behavioral parameters deviating from the normal benign behavior of that network entity correspond to a cyber threat and sending the inoculation notice. Applicant asserts that a SIEM alert fails to teach a security professional to identify a potential cyber security threat. Examiner disagrees. Examiner asserts that this is exactly the purpose of a SIEM alert. By definition a SIEM alert includes “event description”, “severity”, “source IP”, “timestamp” and “context”. Event descriptions include “login attempts”, “user behavior”, “unusual traffic” and “malware detection”. Applicant's argument is unpersuasive on this matter.

Applicant argues that the definition of “chain of behavioral parameters” is not met by Reybok. Applicant correctly points to Examiner's citation of remediation of a “cyber kill chain”, which Examiner used to illustrate inoculation. However, that is not all of what Reybok teaches. Applicant asserts that the specification [0056] and [0136] teach “behavioral pattern analysis”, including such details as machine learning models. Examiner may not import full details of the instant specification into the claim as stated, the language which recites “chain of behavioral parameters”. As stated in Applicant’s response, the “chain of parameters” is otherwise known as a “behavior pattern”. Examiner cited Reybok [0087]. Paragraph [0087] states “malware patterns” which result in a security vulnerability kill chain. Reybok [0021] was also cited, which teaches that “An IoC may convey specific observable patterns combined with contextual information to represent behaviors of interest”. Examiner asserts that a “pattern behavior of interest” would meet the claim limitation as stated, and in combination with analysis the distribution of inoculation will prevent any malicious behavior from further compromising targets or networks.

However, if the argument with regard to Reybok is unpersuasive, Examiner additionally points to Puri which provides for anomaly detection. Puri states “event chains with highly anomalous attributes based on learned behaviors, to identify patterns that suggest more complicated circumstances” (Column 3 lines 20-30). This portion of Puri was previously cited in part to teach claim 21.
Examiner asserts that this would clearly meet the “chain of relevant behavioral parameters” as Applicant intended. Therefore claim 24 is anticipated by the current art of record.

Examiner has noted but not relied upon Versteeg US 2018/0063099, [0014]-[0016][0038] which states that PII “descriptors” of a breach may be disclosed, but not the PII itself, so that actions/inoculation may be enforced against malicious actors using said PII.

Double Patenting

The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).

A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).

The filing of a terminal disclaimer by itself is not a complete reply to a nonstatutory double patenting (NSDP) rejection. A complete reply requires that the terminal disclaimer be accompanied by a reply requesting reconsideration of the prior Office action. Even where the NSDP rejection is provisional the reply must be complete. See MPEP § 804, subsection I.B.1. For a reply to a non-final Office action, see 37 CFR 1.111(a). For a reply to final Office action, see 37 CFR 1.113(c). A request for reconsideration while not provided for in 37 CFR 1.113(c) may be filed after final for consideration. See MPEP §§ 706.07(e) and 714.13.

The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The actual filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/apply/applying-online/eterminal-disclaimer.

Claims 21-41 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of U.S. Patent No. 11,799,898. Although the claims at issue are not identical, they are not patentably distinct from each other because the claims of US Patent 11,799,898 anticipate all of the current claims at issue.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 21, 24, 25, 27, 31, 34, 36, 40 is/are rejected under 35 U.S.C. 103 as being unpatentable over Puri US 10,043,006 in view of Reybok JR US 2018/0324207 in view of Srivastava US 2016/0261621.

As per claims 21, 31. (New) Puri teaches A method for a cyber threat defense system, comprising: analyzing a plurality of behavioral parameters associated with a network entity to determine whether the network entity is deviating from a normal benign behavior to denote a potential cyber threat and is in a breach state of a normal behavior benchmark, wherein the normal behavior benchmark is based on parameters corresponding to a normal pattern of activity for the network entity; (Column 2 lines 22-45; Column 3 lines 1-28; Column 4 lines 36-42) (teaches analyzing a plurality of behaviors to denote a cyberthreat in breach of normal behavior for the entity using behavior models and machine learning)

Reybok teaches generating an inoculation pattern using the cyber threat as a template by describing the breach state and the plurality of behavioral parameters [0019] [0021] [0084]-[0087] [0108][0109] [0113]-[0115] (teaches distributing alerts and identification of kill chain threats based on security analysis and mitigation measures)

Reybok teaches anonymizing the inoculation pattern to remove personally identifiable information associated with a specific network entity from the inoculation pattern [0017][0018][0020][0075][0105] (anonymizing messages or requests from anonymous profiles, SIEM alerts, filtering out sensitive information from reports)

Reybok teaches using a communication module to send the inoculation notice to the target device on another network protected by an affiliated cyber threat defense system via at least one output port, where an inoculation module uses incident data describing the breach state by a user or a device, acting as the network entity, to warn other computing devices of the potential cyber threat. [0017]-[0021][0059]-[0061] (Teaches that customers may send “observables” including indicators of compromise, patterns of behavior, files, including context, and sharing *anonymously without PII* to a central instance cyber defense system which sends this data to a target to warn them of a cyber threat)

It would have been obvious to one of ordinary skill in the art at the time the invention was filed to use the teaching of Reybok with Puri because it improves security.

Srivastava teaches anonymizing the inoculation pattern to remove personally identifiable information for the network entity from the inoculation pattern; and sending an inoculation notice having the inoculation pattern to a target device to warn of a potential cyber threat. [0021][0022][0052][0066][0081][0084][0134] (teaches anonymizing private and personal identifying data for a security system including modeling behavior and remedial actions)

It would have been obvious to one of ordinary skill in the art at the time the invention was filed to use the teaching of Srivastava with the prior art because it enhances user privacy.

As per claim 24. (New) Reybok teaches The method of Claim 21 The method of identifying whether the breach state and a chain of relevant behavioral parameters deviating from the normal benign behavior of that network entity correspond to a cyber threat; and sending the inoculation notice having the inoculation pattern describing the breach state and the chain of relevant behavioral parameters to the target device to warn of the potential cyber threat. [0019] [0021] [0084]-[0087] [0108][0109] [0113]-[0115] (teaches distributing alerts and identification of kill chain threats based on security analysis of properties and mitigation measures)

It would have been obvious to one of ordinary skill in the art at the time the invention was filed to use the teaching of Reybok with Puri because it improves security.

As per claim 25, 34 (New) Reybok teaches The method of claim 21, where an inoculation module uses a communication module to send the inoculation notice to the target device, on another network protected by an affiliated cyber threat defense system, via at least one output port, where the inoculation module uses incident data describing the breach state by a user or device, acting as the network entity, to warn other computing devices of potential cyber threats, and where the inoculation module anonymizes the inoculation pattern to remove any personally identifiable information for the network entity from the inoculation pattern. [0019] [0021] [0084]-[0087] [0108][0109] [0113]-[0115]

Srivastava teaches anonymizing the inoculation pattern to remove personally identifiable information for the network entity from the inoculation pattern; and sending an inoculation notice having the inoculation pattern to a target device to warn of a potential cyber threat. [0021][0022][0052][0066][0081][0084][0134] (teaches anonymizing private and personal identifying data for a security system including modeling behavior and remedial actions)

As per claims 27, 36 (New) Reybok teaches The method of claim 21 further comprising: allowing a user interface module to receive at least one of a triggering input and a blocking input from a user analyst, where the triggering input directs transmission of the inoculation notice to the target device and a blocking input prevents transmission of the inoculation notice to the target device. [0020][0021] (teaches sharing security data or not)

As per claim 40. (New) Puri teaches A cyber threat defense system, comprising: a cyber threat module implemented in logic and configured to identify whether a breach state of a normal behavior benchmark representing a malicious incident or confidential data exposure and a plurality of behavioral parameters, deviating from normal benign behavior of a network entity as detected by at least one machine-learning model trained on the normal benign behavior of the network entity, correspond to a cyber threat; (Column 2 lines 22-45; Column 3 lines 1-28; Column 4 lines 36-42) (teaches analyzing a plurality of behaviors to denote a cyberthreat in breach of normal behavior for the entity using behavior models and machine learning)

Reybok teaches an inoculation module implemented in logic and configured to generate an inoculation pattern using the cyber threat as a template, wherein the inoculation pattern describing the breach state and the plurality of behavioral parameters corresponding to the cyber threat identified by the cyber threat module, [0019] [0021] [0084]-[0087] [0108][0109] [0113]-[0115] (teaches distributing alerts and identification of kill chain threats based on security analysis and mitigation measures)

Reybok teaches generating an inoculation pattern using the cyber threat as a template by describing the breach state and the plurality of behavioral parameters [0019] [0021] [0084]-[0087] [0108][0109] [0113]-[0115] (teaches distributing alerts and identification of kill chain threats based on security analysis and mitigation measures)

Reybok teaches using a communication module to send the inoculation notice to the target device on another network protected by an affiliated cyber threat defense system via at least one output port, where an inoculation module uses incident data describing the breach state by a user or a device, acting as the network entity, to warn other computing devices of the potential cyber threat. [0017]-[0021][0059]-[0061] (Teaches that customers may send “observables” including indicators of compromise, patterns of behavior, files, including context, and sharing *anonymously without PII* to a central instance cyber defense system which sends this data to a target to warn them of a cyber threat)

It would have been obvious to one of ordinary skill in the art at the time the invention was filed to use the teaching of Reybok with Puri because it improves security.

Srivastava teaches to anonymize the inoculation pattern to remove personally identifiable information for the network entity from the inoculation pattern, to generate a remediation action instruction including at least one action to remediate the breach state, and to store the inoculation pattern in an inoculation record in a network-accessible inoculation database. [0021][0022][0052][0066][0081][0084][0134] (teaches anonymizing private and personal identifying data for a security system including modeling behavior and remedial actions)

It would have been obvious to one of ordinary skill in the art at the time the invention was filed to use the teaching of Srivastava with the prior art because it enhances user privacy.

Claim(s) 22, 23, 26, 32, 33, 35, 41 is/are rejected under 35 U.S.C. 103 as being unpatentable over Puri US 10,043,006 in view of Reybok JR US 2018/0324207 in view of Srivastava US 2016/0261621 in view of Cohen US 2018/0234425.

As per claims 22, 32, (New) Puri teaches The method of claim 21 further comprising: causing a cyber threat module to reference machine-learning models that are trained on the normal behavior of network activity and user activity associated with a network, where a cyber threat module determines a threat risk parameter that factors in 'what is a likelihood of a chain of one or more unusual behaviors of email activity, network activity, and user activity under analysis that fall outside of being a normal benign behavior;' and thus, are likely malicious behavior, (Column 2 lines 22-45; Column 3 lines 1-28; Column 4 lines 36-42) (teaches analyzing a plurality of behaviors to denote a cyberthreat in breach of normal behavior for the entity using behavior models and machine learning)

Cohen teaches performing one or more autonomous actions by an autonomous response module to contain the cyber threat when the threat risk parameter determined by the cyber threat module is equal to or above an actionable threshold, wherein the threat risk parameter comprises a set of values describing aspects of the cyber threat. [0035][0052][0054][0090][0091] (teaches automatic remediation based on threshold and policy)

It would have been obvious to one of ordinary skill in the art at the time the invention was filed to use the teaching of Cohen with the prior art because it expedites security issue resolutions.
As per claims 23, 33 (New) Cohen teaches The method of claim 22, wherein the performing of the one or more autonomous actions comprises i) conducting at least a first autonomous response of the one or more autonomous responses included as part of the inoculation pattern with a minimum level of disruption to stop an attack by the cyber threat without affecting normal organizational activity, and ii) adapting to conduct at least a second autonomous responses to impose further controls on the network entity when an attack associated with the cyber threat a) changes in nature or b) becomes more aggressive than initially determined. [0030]-[0035][0052][0054][0084][0091][0091] (teaches reviewing options to cause minimum disruption and responses based on changes in threat input)

As per claim 26, 35. (New) Cohen teaches The method for of claim 21, further comprising: creating and sharing an inoculation package including one or more digital antibodies for previously unknown cyber threats with the one or more autonomous responses to be conducted in response to an attack associated with the cyber threat; and where a first digital antibody encapsulates an identity of the cyber threat, characteristics to identify that cyber threat, and the autonomous one or more autonomous responses to defend the network against this cyber threat. [0087][0094][0095] (automatically create new responses for unknown attacks)

As per claim 41. (New) Cohen teaches The cyber threat defense system of claim 40 further comprising: an autonomous response module implemented in logic and configured to cooperate with the inoculation module, to cause one or more autonomous actions to be performed to contain the cyber threat when a threat risk parameter from the cyber threat module is equal to or above an actionable threshold. [0035][0052][0054][0090][0091] (teaches automatic remediation based on threshold and policy)

It would have been obvious to one of ordinary skill in the art at the time the invention was filed to use the teaching of Cohen with the prior art because it expedites security issue resolutions.

Claim(s) 28, 37 is/are rejected under 35 U.S.C. 103 as being unpatentable over Puri US 10,043,006 in view of Reybok JR US 2018/0324207 in view of Srivastava US 2016/0261621 in view of Jou US 2018/0052993.

As per claim 28, 37. (New) Jou teaches The method for of claim 21 further comprising: populating the threat risk parameter with at least one of i) a confidence score indicating a threat likelihood describing a probability that the breach state is the cyber threat, ii) a severity score indicating a percentage that the network entity in the breach state is deviating from the at least one model, or iii) a consequence score indicating a severity of damage attributable to the cyber threat. [0003][0008][0027][0051]-[0054] (Teaches score and percentage likelihood a breach has occurred.)

Reybok teaches a severity score [0079]

It would have been obvious to one of ordinary skill in the art at the time the invention was filed to use the percent comparison of Jou with the previous art because it provides extra information on the probability of breach.

Claim(s) 29, 30, 38, 39 is/are rejected under 35 U.S.C. 103 as being unpatentable over Puri US 10,043,006 in view of Reybok JR US 2018/0324207 in view of Srivastava US 2016/0261621 in view of Rajasekhara US 2019/0044963.

As per claim 29, 38. (New) Rajasekhara teaches The method of claim 21 further comprising: comparing the threat risk parameter to a benchmark matrix having a set of benchmark scores for use in determining whether to send the inoculation notice. [0013][0030]-[0032] (teaches comparing behavior model to threshold calculating weighted risk scores)

As per claim 30, 39. (New) The method of claim 29, wherein each benchmark score of the set of benchmark scores is assigned a weight representing a relative importance for that benchmark score. [0013][0030]-[0032] (teaches comparing behavior model to threshold calculating weighted risk scores)

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHRISTOPHER BROWN whose telephone number is (571)272-3833. The examiner can normally be reached M-F 8-5.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on (571) 270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/CHRISTOPHER J BROWN/
Primary Examiner, Art Unit 2439

Prosecution Timeline

Sep 26, 2023: Application Filed
Mar 08, 2024: Response after Non-Final Action
Jun 28, 2024: Non-Final Rejection — §103, §DP
Jan 01, 2025: Response after Non-Final Action
Jan 01, 2025: Response Filed
Feb 27, 2025: Response Filed
May 29, 2025: Final Rejection — §103, §DP
Dec 02, 2025: Request for Continued Examination
Dec 08, 2025: Response after Non-Final Action
Dec 16, 2025: Non-Final Rejection — §103, §DP (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12603822
SOFTWARE AS A SERVICE (SaaS) USER INTERFACE (UI) FOR DISPLAYING USER ACTIVITIES IN AN ARTIFICIAL INTELLIGENCE (AI)-BASED CYBER THREAT DEFENSE SYSTEM
2y 5m to grant Granted Apr 14, 2026
Patent 12574725
METHODS, APPARATUSES, COMPUTER PROGRAMS AND CARRIERS FOR SECURITY MANAGEMENT BEFORE HANDOVER FROM 5G TO 4G SYSTEM
2y 5m to grant Granted Mar 10, 2026
Patent 12563390
AUTHENTICATING A DEVICE IN A COMMUNICATION NETWORK OF AN AUTOMATION INSTALLATION
2y 5m to grant Granted Feb 24, 2026
Patent 12563056
SYSTEM AND METHOD FOR MONITORING AND MANAGING COMPUTING ENVIRONMENT
2y 5m to grant Granted Feb 24, 2026
Patent 12537828
ON-DEMAND SOFTWARE-DEFINED SECURITY SERVICE ORCHESTRATION FOR A 5G WIRELESS NETWORK
2y 5m to grant Granted Jan 27, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Prosecution Projections

Expected OA Rounds: 3-4
Grant Probability: 75%
With Interview: 88% (+12.6%)
Median Time to Grant: 3y 6m
PTA Risk: High
Based on 707 resolved cases by this examiner. Grant probability derived from career allow rate.
