3Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Arguments
Applicant’s arguments have been fully considered but are moot in view of
Applicant’s arguments with respect to claim(s) 1-20 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
Examiner incorporates Peters US 11,303,666 to reject the claims as amended.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1-6, 8-13, 15-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Jang US 2020/0145442 in view of Dong US 2022/0385673 in view of Peters US 11,303,666.
As per claims 1, 8, 15. Jang teaches A method for identifying nodes for threat investigation, the method comprising:
Jang teaches receiving data regarding one or more previously determined malicious nodes; designating the one or more previously determined malicious nodes as a first set of seed nodes; receiving network relationship data; [0049][0050] (receiving a set of nodes from security data including security offenses)
Jang teaches constructing a first Risk Map Graph (RMG) based on the network relationship data and the first set of seed nodes;[0049][0050][0053] (generating a knowledge graph)
Jang teaches selecting one or more nodes for investigation based on the first RMG; [0050][0055][0056] (graph provided to a SOC analyst for investigation)
Jang teaches in response to receiving from the investigation service data indicating that one or more malicious nodes of the first set of selected nodes are malicious designating one or more of the selected nodes as a second set of seed nodes; and constructing a second RMG based on the relationship data, the first set of seed nodes and the second set of seed nodes. [0053]-[0056] (graph and nodes are explored, new nodes discovered, process is iterated upon and new graphs created)
Jang teaches using telemetry data associate with network traffic between trusted and untrusted networks and generating relationship data based on interactions between the networks [0042][0043][0047][0057] (teaches using network traffic data and activity data to construct a risk graph)
Jang teaches generating a report associated with top scored entities of the first RMG and the second RMG [0054][0055] (report provided to SOC included with scores and nodes in a graph)
Dong teaches receiving telemetry data associated with network traffic between a trusted network and one or more untrusted networks wherein the trusted network comprises trusted network nodes and the untrusted network comprises untrusted network node: generating network relationship data based on interactions between the trusted network nodes and the untrusted network nodes wherein the interactions are included in the telemetry data. [0025] [0056]-[0059][0064](teaches risk score generation based on network telemetry or network traffic data for nodes, teaches differentiating between trusted network nodes and suspicious network nodes, teaches that the communication is between a “domain” and a client, as is known in the art, domains are different networks than a client.
Dong teaches wherein the first RMB includes first threat scores assigned to the untrusted nodes. [0025][0032][0033][0126] (teaches generating a risk score and assigning it to suspicious nodes in a graph)
Dong teaches the first threat scores are determined based on a number of the first set of seed nodes that a respective untrusted network node of the first RMG interacts with divided by a total number of entities that the respective untrusted network node of the first RMG interacts with [0082][0084] (teaches a risk score based on a set of new/seed nodes a node interacts with divided by the total number of nodes the node interacts with).
It would have been obvious to one of ordinary skill in the art to use the teaching of Dong with the prior art because it more clearly assigns security scores to a user.
Peters teaches analyzing the first set of nodes by a threat prioritization agent comprising multiple weak learner models wherein the threat prioritization agent uses different weak learner models for different threat types in order to generate first prioritized threat data and convicting event evidence. (Column 17 lines 10-45) (teaches use of a plurality of machine learning models each trained to analyze a distinct security threat type, which are then used to report security threat data. Peters teaches that the security report type included by the plurality of machine learning models includes severity and priority. (Column 16 lines 23-67) Peters teaches a cyber security investigation service (Column 7 lines 45-67)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the current application to use the teachings of Peters with the prior art because it increases security.
As per claims 2, 9, 16. Jang teaches the method as in claim 1, further comprising:
in response to receiving data indicating that the selected one or more nodes are benign, keeping the selected one or more nodes for calculating an RMG and removing the selected one or more benign nodes from evaluation by the investigation service. [0049][0050][0053]-[0056][0063]-[0066] [0068][0070][0072](teaches investigation of nodes, selecting nodes that are malicious and expanding a RMG, and selecting nodes that are not relevant, or benign and removing them from a graph)
As per claims 3, 10, 17. Jang teaches further comprising selecting a second set of nodes for investigation based on the RMG. [0053]-[0055] (nodes in an extended offense graph)
Dong teaches the threat scores are determined based on a number of the first set of seed nodes and the second set of seed nodes that a respective untrusted network node of the second RMG interacts with divided by a total number of entities that the respective untrusted network node of the second RMG interacts with. [0082][0084] (teaches a risk score based on a set of new/seed nodes a node interacts with divided by the total number of nodes the node interacts with).
As per claims 4, 11, 18. Jang teaches The method as in claim 3, further comprising: sending data regarding the second set of selected nodes to the investigation service; receiving from the investigation service, data indicating that the second set of selected nodes are malicious; [0053]-[0057][0064][0068] (teaches an iterative process and repeat subgraphs and extending offense graphs, further exploration, as needed thus including a third set of seed nodes and third RMG)
Peters teaches analyzing nodes by a threat prioritization agent comprising multiple weak learner models wherein the threat prioritization agent uses different weak learner models for different threat types in order to generate first prioritized threat data and convicting event evidence. (Column 17 lines 10-45) (teaches use of a plurality of machine learning models each trained to analyze a distinct security threat type, which are then used to report security threat data. Peters teaches that the security report type included by the plurality of machine learning models includes severity and priority. (Column 16 lines 23-67) Peters teaches a cyber security investigation service for requesting and reporting security issues (Column 7 lines 45-67)
As per claims 5, 12, 19. Jang teaches the method as in claim 2, wherein the data regarding the second set of selected nodes includes an indication that the second set of selected nodes are potentially malicious and includes convicting evidence. [0053]-[0055] [0068][0070] (evidence obtained that present activities)
Jang teaches in response to receiving from the investigation service data indicating that one or more malicious nodes of the first set of selected nodes are malicious designating one or more of the selected nodes as a second set of seed nodes; and constructing a second RMG based on the relationship data, the first set of seed nodes and the second set of seed nodes. [0053]-[0056] (graph and nodes are explored, new nodes discovered, process is iterated upon and new graphs created)
Dong teaches generating network relationship data based on interactions between the trusted network nodes and the untrusted network nodes wherein the interactions are included in the telemetry data. [0025] [0056]-[0059][0064](teaches risk score generation based on network telemetry or network traffic data for nodes, teaches differentiating between trusted network nodes and suspicious network nodes, teaches that the communication is between a “domain” and a client, as is known in the art, domains are different networks than a client. )
As per claims 6, 13, 20. Jang teaches the method as in claim 5, further comprising determining that a security budget has been met, and in response to determining that the security budget has been met terminating further identification of nodes. [0049][0050][0053]
Examiner takes official notice that it is well known that if a service is not paid for then the service stops.
Claim(s) 7, 14 is/are rejected under 35 U.S.C. 103 as being unpatentable over Jang US 2020/0145442 in view of Dong US 2022/0385673 in view of Peters US 11,303,666 in view of Davis US 2020/0252422
As per claims 7, 14. Davis teaches the method as in claim 1, wherein the RMG is a bipartite graph including network nodes, network devices and connection between the network devices and network nodes. [0045][0050] Fig 3. (bipartite graph)
It would have been obvious for one of ordinary skill in the art at the time the invention was filed to use the teaching of Davis with the prior art because it increases the security of the system.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHRISTOPHER BROWN whose telephone number is (571)272-3833. The examiner can normally be reached M-F 8-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on (571) 270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/CHRISTOPHER J BROWN/Primary Examiner, Art Unit 2439