DETAILED ACTION
Notice of Pre-AIA or AIA Status
1. The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Amendment
2. The Amendment filed March 10, 2026 has been entered. Claims 1-3, 5-9, 11-15, 17 and 18 have been amended. Claims 4, 10 and 16 have been canceled. Claims 1-3, 5-9, 11-15, 17 and 18 are presented for examination. Applicant’s amendments to claims 2-6, 8, 12, 14, 15 and 18 have overcome the claim objections previously set forth in the Non-Final Office Action mailed December 16, 2025. The objection of claims 2-6, 8, 12, 14, 15 and 18 has been withdrawn.
Response to Arguments
3. Applicant’s amendments to claim 6 have overcome the U.S.C. § 112(b) or U.S.C. § 112 (pre-AIA), Second Paragraph rejection previously set forth in the Non-Final Office Action mailed December 16, 2025. The rejection of claim 6 under 35 USC 112(b) has been withdrawn.
4. Applicant’s arguments, see pages 9-12, filed March 10, 2026, with respect to the rejection of claims 1, 2, 7, 8, 13 and 14 under 35 U.S.C. § 102 have been fully considered and are persuasive. Therefore, the rejection has been withdrawn. However, upon further consideration, a new ground(s) of rejection is made in view of newly found prior art reference(s). The claims (as amended) do not overcome the new ground of rejection made in view of newly found prior art reference(s).
5. Applicant’s arguments, see pages 9-12, filed March 10, 2026, with respect to the rejection of claims 3, 5, 6, 9, 11, 12, 15, 17 and 18 under 35 U.S.C. § 103 have been fully considered and are persuasive. Therefore, the rejection has been withdrawn. However, upon further consideration, a new ground(s) of rejection is made in view of newly found prior art reference(s). The claims (as amended) do not overcome the new ground of rejection made in view of newly found prior art reference(s).
Claim Rejections - 35 USC § 112
6. The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
7. Claims 5, 11 and 17 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
8. Regarding claims 5, 11 and 17, the claims recite “…by a combination of types of traces”, “…if all types of the identified traces are included…”, and “the combination of types of traces representing…”. The addition of the word "type" to an otherwise definite expression extends the scope of the expression so as to render it indefinite. See MPEP § 2173.05(b).
Claim Rejections - 35 USC § 103
9. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
10. The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
11. Claims 1, 2, 7, 8, 13 and 14 are rejected under 35 U.S.C. § 102(a)(2) as being unpatentable over Takahashi, (WO 2020/255359 A1, machine translation of patent application from European Patent Office website), hereafter Takahashi, in view of Yang et al., (CN 115051873A, machine translation of patent application from European Patent Office website), hereafter Yang.
Regarding claim 1, Takahashi discloses an information processing apparatus comprising: at least one memory storing instructions; and at least one processor configured to execute the instructions to: {Takahashi [Para. 0063] “The attack command server 40 is a server device that executes a virtual targeted attack in accordance with the targeted attack scenario generated by the security training support device 30, and includes an attack execution unit 41.” [Para. 0083, FIG. 10] “The computer 110 includes a CPU 111, a main memory 112, a storage device 113.” [Para. 0084] “The CPU 111 loads the programs (codes) of this embodiment stored in the storage device 113 into the main memory 112 and executes them…”}
acquire a set of logs from a computing system that has been subjected to a cyberattack, {Takahashi [Para. 0063] “When the attack execution unit 41 receives information on the format-converted software, for example, a command sequence that can be executed by an attack agent, as the process content from the attack command server 40, the attack execution unit 41 transmits the received command sequence to the terminal 50 where the attack agent 51 is located. As a result, an attack agent 51 residing in the terminal 50 is activated, executes the transmitted command sequence, and attacks another terminal 52.” [Para. 0064] “On terminal 50, attack agent 51 acquires logs from each terminal 52, files collected by each terminal 52, etc., and sends these to attack execution unit 41 as information indicating the results of the attack (hereinafter referred to as "attack result information"). In addition, the attack execution unit 41 transmits the attack result information transmitted from the attack agent 51 to the security training support device 30.”} Terminal 52 was subjected to a cyberattack.
identify, from the acquired set of logs, a trace indicating a result of the cyberattack by using history data indicating an execution history of the cyberattack; {Takahashi [Para. 0065] “When the attack result information is transmitted, the attack control unit 31 in the security training support device 30 acquires the attack result information and passes the acquired attack result information to the state identification unit 13.” [Para. 0066] “The state identification unit 13 identifies the information acquired by the hypothetical attacker based on the attack result information received from the attack control unit 31.”} Information acquired by the attacker corresponds to a trace indicating a result of the cyberattack. Logs collected from terminal 52 include history data that indicates execution history of the cyberattack.
However, Takahashi does not teach compare the identified trace with a preset correct solution condition, and determine based on a result of the comparison, whether or not the identified trace is correct.
However, Yang teaches compare the identified trace with a preset correct solution condition, and determine based on a result of the comparison, whether or not the identified trace is correct. {Yang [Para. 0033] “Traffic monitor 103 extracts and analyzes these traffic (hereinafter referred to as target traffic) from attacker terminal 101 in real time or after the fact, first determining whether these target traffic are attack traffic… If these target traffics are determined to be attack traffic, the traffic monitor 103… extracts the attack commands from the attack traffic and simulates the execution of the attack commands in a real network environment to obtain simulated execution data of the attack commands. After obtaining the simulated execution data of the attack command, the traffic monitor 103 compares the simulated execution data of the attack command with preset results to determine whether the target traffic has successfully carried out the attack in the real network environment. For example, it compares the network behavior implemented after the attack command is executed in the simulated network environment with the preset network behavior and/or compares the echo information after the attack command is executed in the simulated network environment with the preset response packet. If the similarity between the network behavior implemented after the attack command is executed in the simulated network environment and the preset network behavior exceeds a first preset similarity threshold, and/or if the similarity between the echo information after the attack command is executed in the simulated network environment and the preset response packet exceeds a second preset similarity threshold, then it is determined that the target traffic has successfully carried out the attack in the real network environment. 
After confirming that the target traffic has successfully carried out an attack in a real network environment, the traffic monitor 103 identifies the target traffic as a threat event.”} Yang’s system identifies and extracts commands from malicious traffic, then executes them in a simulated environment to generate execution data. By comparing this data against preset results, the system determines whether the attack would be successful in a real-world scenario. If the similarity between the simulated execution data and the preset results exceeds a predefined threshold, the system confirms a successful attack within the real network environment. This high similarity validates that the extracted attack commands and their simulated execution data (e.g., identified traces) are correct, representing authentic cyberattack traces.
Yang is analogous art because each of Takahashi and Yang pertains to performing cyber-attack analysis. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Takahashi to include Yang’s teaching of the limitations of claim 1, listed above. Doing so “can accurately detect behaviors that have actually been successfully carried out as network attacks” (Yang, para. 0005).
Claim 2:
Regarding claim 2, Takahashi and Yang teach the elements of claim 1 as stated above.
However, Takahashi further discloses wherein the at least one processor is configured to execute the instructions to: execute the cyberattack constituted by a plurality of stages on the computing system; and generate the history data. {Takahashi [Para. 0063] “An attack agent 51 residing in the terminal 50 is activated, executes the transmitted command sequence, and attacks another terminal 52.” [Para. 0064] “On terminal 50, attack agent 51 acquires logs from each terminal 52, files collected by each terminal 52, etc., and sends these to attack execution unit 41 as information indicating the results of the attack.” [Para. 0016] “The term "targeted attack" as used here refers to an attack by a hypothetical attacker that consists of multiple steps in chronological order, with each step having a defined process to be executed.”} An attack agent 51 executes a multi-stage cyberattack on terminal 52.
Claims 7 and 8:
Regarding claims 7 and 8, the claims are directed to an information processing method comprising the operations recited by claims 1 and 2. Therefore the rejections applied to claims 1 and 2 also apply to claims 7 and 8. Claims 1 and 2 are rejected under the same rationale as claims 7 and 8.
Claim 7 further recites an information processing method comprising: the operations recited by claim 1. {Takahashi [Para. 0067] “In the second embodiment, the security training support method is implemented by operating the security training support device 10.”}
Claims 13 and 14:
Regarding claims 13 and 14, the claims are directed to a non-transitory computer readable recording medium containing instructions for implementing the operations recited by claims 1 and 2. Therefore the rejections applied to claims 1 and 2 also apply to claims 13 and 14. Claims 1 and 2 are rejected under the same rationale as claims 13 and 14.
Claim 13 further recites a non-transitory computer readable recording medium that comprises a program recorded thereon, the program comprising instructions that cause a computer to carry out: the operations recited by claim 1. {Takahashi [Para. 0083] “The computer 110 includes a CPU 111, a main memory 112, a storage device 113.” [Para. 0084] “The CPU 111 loads the programs (codes) of this embodiment stored in the storage device 113 into the main memory 112 and executes them in a predetermined order to perform various calculations. The program in this embodiment is provided in a state stored in a computer-readable recording medium 120.”}
12. Claims 5, 11 and 17 are rejected under 35 U.S.C. § 103 as being unpatentable over Takahashi and Yang as applied to claims 1, 7 and 13, and further in view of Kawauchi (US 2016/0239661 A1), hereafter Kawauchi.
Regarding claim 5, Takahashi teaches the elements of claim 1 as outlined above.
However, Takahashi does not teach wherein the preset correct solution condition is represented by a combination of types of traces, and wherein the at least one processor is configured to execute the instructions to: determine that the identified trace is correct if all types of the identified trace are included in the combination of types of traces representing the preset correct solution condition.
However, Kawauchi teaches wherein the preset correct solution condition is represented by a combination of types of traces, and wherein the at least one processor is configured to execute the instructions to: determine that the identified trace is correct if all types of the identified trace are included in the combination of types of traces representing the preset correct solution condition. {Kawauchi [Para. 0132] “When an event that matches the event 220 is observed, the attack detection apparatus 101 searches for the attack activity definition information 205 which describes the same event 220 as the observed event.” [Para. 0133] “Then, the attack detection apparatus 101 searches for other attack activity definition information that depend on the achieved phenomenon described in the attack activity definition information 205 which has been searched for.” [Para. 0141] “After having searched for other attack activity definition information 201 and 204 which depend on the achieved phenomenon described in the attack activity definition information 205, the attack detection apparatus 101 then checks whether all preconditions are satisfied for each of the attack activity definition information 201 and 204.” [Para. 0143] “Then, the attack detection apparatus 101 extracts an event 219 described in the attack activity definition information 204, as one event that may occur next (observation predicted event).” [Para. 0149] “When attack activity definition information for which all the preconditions are satisfied is found, the attack detection apparatus 101 extracts an event defined in that attack activity definition information, as an event (observation predicted event) that may occur next (an event 217 and an event 218 are extracted in FIG. 3).”}
Kawauchi is analogous art because each of Takahashi, Yang and Kawauchi pertains to performing cyber-attack analysis. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Takahashi and Yang to include Kawauchi’s teaching of the limitations of claim 5, listed above. Doing so would “detect an attack when a series of attack activities occur, without exhaustively preparing attack scenarios or trees in advance” (Kawauchi, para. 0057).
Claim 11:
Regarding claim 11, the claim is directed to an information processing method comprising the operations recited by claim 5. Therefore the rejections applied to claim 5 also apply to claim 11. Claim 5 is rejected under the same rationale as claim 11.
Claim 17:
Regarding claim 17, the claim is directed to a non-transitory computer readable recording medium containing instructions for implementing the operations recited by claim 5. Therefore the rejections applied to claim 5 also apply to claim 17. Claim 5 is rejected under the same rationale as claim 17.
13. Claims 6, 12 and 18 are rejected under 35 U.S.C. § 103 as being unpatentable over Takahashi and Yang as applied to claims 1, 7 and 13, and further in view of Asai et al., (WO 2023/228399A1, machine translation of patent application from European Patent Office website), hereafter Asai.
Regarding claim 6, Kawauchi teaches the elements of claim 4 as outlined above.
However, Takahashi and Kawauchi do not teach compare at least one trace of the cyberattack that is input as external information with the identified trace; and calculate a score based on a proportion by which the compared traces match.
However, Asai teaches wherein the at least one processor is configured to execute the instructions to: compare at least one trace of the cyberattack that is input as external information with the identified trace; and calculate a score based on a proportion by which the compared traces match. {Asai [Para. 0031] “The likelihood calculation unit 233 calculates the similarity between the target attack scenario and each past scenario identified in step S42. Attack scenarios and past scenarios show the chronological flow of attack techniques. In other words, the attack scenarios and past scenarios are sequential data with a time sequence. Therefore, the possibility calculation unit 233 calculates the similarity between the attack scenario and the past scenario using an evaluation method for evaluating the similarity of sequence data. Such evaluation methods include a method using the Levenshtein distance and a method using dynamic time warping. The evaluation targets are the sequence data and the individual data that make up the sequence data. Here, the sequence data is attack scenarios and past scenarios. Each piece of data is an attack technique that constitutes an attack scenario and a past scenario.” [Para. 0032] “Therefore, the possibility calculation unit 233 calculates the inverse of the Levenshtein distance as the similarity. That is, in this case, the similarity is 0.16 (≈1/6).”} See para. 0032 of Asai for more details.
Asai is analogous art because each of Takahashi, Yang and Asai pertains to performing cyber-attack analysis. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Takahashi and Yang to include Asai’s teaching of the limitations of claim 6, listed above. Doing so would “reduce the technical difficulty of identifying the likelihood of a threat occurring” (Asai, para. 0009).
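The similarity measure quoted from Asai above (the inverse of the Levenshtein distance between two time-ordered sequences of attack techniques) can be illustrated as follows. This is an added example, not code from Asai, the other cited references or the application; the technique labels, the scenario names and the treatment of identical sequences as infinite similarity are assumptions made for the illustration.

```python
import math
from typing import Dict, List, Sequence, Tuple


def levenshtein(a: Sequence[str], b: Sequence[str]) -> int:
    """Edit distance in which one element is one attack technique, not one character."""
    prev = list(range(len(b) + 1))          # distance from the empty prefix of a
    for i, x in enumerate(a, start=1):
        curr = [i]                          # distance to the empty prefix of b
        for j, y in enumerate(b, start=1):
            cost = 0 if x == y else 1
            curr.append(min(prev[j] + 1,            # delete x
                            curr[j - 1] + 1,        # insert y
                            prev[j - 1] + cost))    # substitute or match
        prev = curr
    return prev[-1]


def inverse_distance_similarity(a: Sequence[str], b: Sequence[str]) -> float:
    """Similarity as 1/distance, the form quoted from Asai para. 0032."""
    d = levenshtein(a, b)
    # Assumption: the quoted passage does not say what happens at distance 0,
    # where the inverse is undefined; identical sequences are ranked first here.
    return math.inf if d == 0 else 1.0 / d


def rank_past_scenarios(target: Sequence[str],
                        past: Dict[str, List[str]]) -> List[Tuple[str, float]]:
    """Order past scenarios from most to least similar to the target scenario."""
    scored = [(name, inverse_distance_similarity(target, seq))
              for name, seq in past.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed sample data: labels are illustrative, not taken from any reference.
TARGET = ["recon", "phishing", "execution", "persistence",
          "credential-access", "lateral-movement", "exfiltration"]
PAST = {
    # Two steps missing from the target sequence: distance 2.
    "scenario_a": ["phishing", "execution", "credential-access",
                   "lateral-movement", "exfiltration"],
    # Same techniques in the same order: distance 0.
    "scenario_b": list(TARGET),
    # Only the final step in common: distance 6, similarity 1/6.
    "scenario_c": ["drive-by", "exploit", "privilege-escalation",
                   "defense-evasion", "discovery", "collection", "exfiltration"],
}

if __name__ == "__main__":
    for name, score in rank_past_scenarios(TARGET, PAST):
        print(f"{name}: {score:.3f}")
```

Because the distance is counted per technique, two scenarios that differ only in the spelling of one label are one edit apart, whereas a character-level comparison would count every differing character.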
Claim 12:
Regarding claim 12, the claim is directed to an information processing method comprising the operations recited by claim 6. Therefore the rejections applied to claim 6 also apply to claim 12. Claim 6 is rejected under the same rationale as claim 12.
Claim 18:
Regarding claim 18, the claim is directed to a non-transitory computer readable recording medium containing instructions for implementing the operations recited by claim 6. Therefore the rejections applied to claim 6 also apply to claim 18. Claim 6 is rejected under the same rationale as claim 18.
14. Claims 3, 9 and 15 are rejected under 35 U.S.C. § 103 as being unpatentable over Takahashi and Yang as applied to claims 1, 2, 7, 8, 13 and 14, and further in view of Shachar et al. (US 2023/0262089 A1), hereafter Shachar, and further in view of Sakakibara et al. (US 2015/0256554 A1), hereafter Sakakibara.
Regarding claim 3, Takahashi teaches the elements of claim 2 as stated above.
However, Takahashi and Yang do not explicitly teach wherein the history data comprises attack commands for each stage of the plurality of stages of the cyberattack, and wherein the at least one processor is configured to execute the instructions to: compare the history data with a template in which information indicating a trace of an attack for each of the attack commands is registered; identify information indicating the trace of the attack based on the attack commands included in the history data; and identify the trace of the cyberattack from the set of logs based on the identified information.
However, Shachar teaches wherein the history data comprises attack commands for each stage of the plurality of stages of the cyberattack, {Shachar [Para. 0055] “At block 320, an SMB file sharing command is received from the user by the FSS (file sharing system). At 325, the user-issued SMB (Server Message Blocks) command is executed by the FSS, which may include any of the operations supported by the FSS that are authorized under the session ID under which the user is operating. Some of the commands may be indicative of being part of an ongoing ransomware attack. In order to determine whether a user is issuing commands as part of such an attack, the FSS monitors the user’s SMB commands. Accordingly, an FSS according to embodiments records each command issued by each user.”}
and wherein the at least one processor is configured to execute the instructions to: compare the history data with a template in which information indicating a trace of an attack for each of the attack commands is registered; identify information indicating the trace of the attack based on the attack commands included in the history data; {Shachar [Para. 0059] “At block 345, in scenarios where the user activity is determined to be deviating from a normal behavior, recent SMB (Server Message Blocks) commands issued by the user are compared to a library of threat command patterns. In some embodiments, artificial intelligence (AI) algorithms may be used to assess whether the anomalous user activity has features in common with activity which has been designated as patterns of ransomware activity. The patterns of ransomware activity may include patterns of attempts by malicious actors to gain access to the FSS and patterns of ongoing ransomware activity, thus enabling the ability to detect a ransomware attack during any interval at which it may exhibit a distinct pattern of activity.” [Para. 0060] “Recent SMB commands issued by a user are compared to patterns of command activity that are indicative of ransomware activity and that have been saved in the threat library.” [Para. 0062] “At block 355, in scenarios where the recent SMB commands issued by the user match a pattern of a ransomware attack that is defined in the ransomware library, the FSS immediately terminates the user’s SMB session.”}
Shachar is analogous art because each of Takahashi, Yang and Shachar pertains to performing cyber-attack analysis. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Takahashi and Yang to include Shachar’s teaching of the limitations of claim 3, listed above. Doing so would detect emerging ransomware attacks and “preventing any further loss of data” (Shachar, para. 0062).
However, Shachar also does not teach identify the trace of the cyberattack from the set of logs based on the identified information.
However, Sakakibara teaches identify the trace of the cyberattack from the set of logs based on the identified information. {Sakakibara [Para. 0055] “(4) The log analysis cooperation apparatus 1 requests the log analysis apparatus 903 to perform a scheduled search 915 in order to search a log for a trace of the attack c.” [Para. 0056] “(5) The log analysis apparatus 903 executes a scheduled search 916 of the logger 901, based on the request for the scheduled search 915.” [Para. 0058] “(7) The log analysis apparatus 903 transmits the received search result 917 to the log analysis cooperation apparatus 1 as a search result 918.” [Para. 0059] “(8) The log analysis cooperation apparatus 1 receives the result of (7), and executes a process according to the result of (7) (a log information analysis step, or a log information analysis process).” [Para. 0061] “When the attack c is detected based on the result of (7), the log analysis log cooperation apparatus 1 notifies to an operator that the attack c has been searched for, on a GUI. Upon receipt of this notification, the operator analyzes the trace of the attack c and so forth in further detail, using the log analysis apparatus 903.”} Also see para. 0045 for additional information.
Sakakibara is analogous art because each of Takahashi, Yang, Shachar and Sakakibara pertains to performing cyber-attack analysis. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Takahashi, Yang and Shachar to include Sakakibara’s teaching of identifying a trace of the cyberattack from a set of logs based on identified information. Doing so would enable “discovering, from the log information, a trace of the attack that may occur in the future” (Sakakibara, para. 0023).
Claim 9:
Regarding claim 9, the claim is directed to an information processing method comprising the operations recited by claim 3. Therefore the rejections applied to claim 3 also apply to claim 9. Claim 3 is rejected under the same rationale as claim 9.
Claim 15:
Regarding claim 15, the claim is directed to a non-transitory computer readable recording medium containing instructions for implementing the operations recited by claim 3. Therefore the rejections applied to claim 3 also apply to claim 15. Claim 3 is rejected under the same rationale as claim 15.
Conclusion
15. Any inquiry concerning this communication or earlier communications from the examiner should be directed to BIN QING ZHENG whose telephone number is (703)756-1535. The examiner can normally be reached on M-F 9:30 am - 5:30 pm.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Philip J. Chea can be reached on 571-272-3951. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/BIN QING ZHENG/
Examiner, Art Unit 2499