DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claims 1-7 and 21-33 as submitted on 11/13/25 were examined.
Response to Arguments
Applicant's arguments filed 11/13/25 have been fully considered but they are not persuasive.
Applicant appears to argue that Cohen and Di Pietro do not teach the first three “determining” limitations recited in claim 1. Applicant the appears to summarize what Cohen and Di Pietro teach. However, it does not appear that applicant provided any explanation as to why the portions of Cohen and Di Pietro cited in the last Office action does not teach the limitations under contention. As such, it does not appear that applicant’s assertions that Cohen and Di Pietro regarding the three “determining” limitations comply with 37 CFR 1.111(b), thus fails to overcome the rejection of those limitations on record.
Applicant argues Di Pietro does not teach “training, based on the one or more datasets, a predictive model”. Applicant admits that Di Pietro’s invention may be trained using a set of training data, such as traffic and/or network characteristics and that the set of training data may include both data that indicates an attack and data that indicates normal operation of the network. Applicant argues that Di Pietro classifies observed traffic behavior, not “one or more actions of each node of the one or more nodes accessing at least one node of the one or more nodes”. Applicant also argues that Cohen simply teaches an attack simulation system that creates attack graphs by performing algorithmic constraint evaluation using a moving front-line algorithm.
In response, it is submitted that applicant is considering the references on a piece-meal basis rather than considering what the combined teachings of the references would make obvious to one of ordinary skill in the art before the effective filing date of applicant’s claimed invention. Note that the test for obviousness is what the combined teachings of the references would have suggested to those of ordinary skill in the art. See In re Kahn, F.3d 977, 987-88; In re Young, 927 F.2d 588, 591 (Fed. Cir. 1991); In re Keller, 642 F.2d 413, 425 (CCPA 1981).
As applicant admits, Di Pietro’s invention trains a predictive model, i.e. Artificial Neural Network, using training data/a dataset. It does not matter what type of dataset is utilized by Di Pietro’s invention. What matters is that when Di Pietro’s teachings are incorporated with Cohen’s invention, one of ordinary skill in the art would have found it obvious to use Cohen’s particular type of dataset to train an AI predictive model as per Di Pietro’s teachings. Thus, even if Cohen’s invention uses a rule-based and deterministic risk detection system, it could instead be modified using Di Pietro’s teachings so that it utilizes an AI predictive model trained based on the dataset already used by Cohen. Thus, the limitation being argued is obvious over the combined teachings of Cohen and Di Pietro.
Applicant argues that the motivation to combine the references is not properly supported because the Office action deconstructs the argued features of claims 1, 23, and 29 and uses them as a roadmap to locate each component part in disparate teachings of Cohen and Di Pietro. In other words, as best as can be understood, it appears that applicant is arguing that the examiner used hindsight reasoning thus the motivation provided in the prior Office action is not valid.
In response to applicant's argument that the examiner's conclusion of obviousness is based upon improper hindsight reasoning, it must be recognized that any judgment on obviousness is in a sense necessarily a reconstruction based upon hindsight reasoning. But so long as it takes into account only knowledge which was within the level of ordinary skill at the time the claimed invention was made, and does not include knowledge gleaned only from the applicant's disclosure, such a reconstruction is proper. See In re McLaughlin, 443 F.2d 1392, 170 USPQ 209 (CCPA 1971).
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1-7 and 21-33 is/are rejected under 35 U.S.C. 103 as being unpatentable over Cohen et al (US 2005/0193430) in view of Di Pietro et al (US 20016/0028750).
Claims 1, 12, and 29:
As per claim 1, Cohen discloses:
determining, by a computing device, one or more network topology datasets indicative of one or more nodes of one or more networks (paragraphs 12 and 28; and claim 29; Network topology detected/determined).
determining one or more activity datasets indicative of one or more actions of each node of the one or more nodes accessing at least one node of the one or more nodes (paragraphs 30, 69, 73, 87; and claim 29; Network activities of nodes in the network are determined in accordance with things such as network services defined for each nodes and information collected from such things as firewalls, scanners, and intrusion detection systems as discussed in paragraph 69 in particular);
determining, based on the one or more network topology datasets and the one or more activity datasets, one or more datasets associated with one or more groups of network topology datasets and one or more groups of activity datasets (paragraphs 48, 50, 52; and claim 29; Actual vulnerabilities and attack graphs are calculated); and
creating, based on the one or more datasets, a predictive model (paragraphs 37, 50, 53, 66 and claims 29-33; Various predictions are calculated, such as attack simulations, attack consequences, risk information threat information, and potential targets).
Cohen does not explicitly disclose, but Di Pietro discloses training, based on the one or more datasets, a predictive model (paragraphs 19, 40, and 74; Machine learning is used to create a normal/predictive model of a system during a learning/training phase. If during a monitoring phase, a deviation from the normal predictive model is detected, a new type of attack is determined).
Before the effective filing date of applicant’s claimed invention, it would have been obvious to one of ordinary skill in the art to modify Cohen’s invention using Di Pietro’s teachings to not only create, based on the one or more datasets, a predictive model, but also to train, based on the one or more datasets, a predictive model. One of ordinary skill in the art would have been motivated to do so as it would allow for the detecting of new attacks and automatically generate/label a new attack class (Di Pietro: paragraph 74).
The rejection of claim 1 applies, mutatis mutandis, to claims 23 and 29.
Claim 2:
Cohen further discloses wherein each network topology dataset of the one or more network topology datasets is further indicative of one or more connections of each node of each network (paragraphs 30 and 34-37).
Claims 3 and 24:
As per claim 3, Cohen further discloses wherein each node of the one or more nodes comprises one or more of a user device, a server, or a router (paragraphs 26, 28, and 32).
The rejection of claim 3 applies, mutatis mutandis, to claim 24.
Claims 4, 25, and 30:
As per claim 4, Cohen further discloses wherein the predictive model is configured to output an indication, associated with potential malicious activity, of one or more candidate network paths associated with at least one node of one or more nodes of a network (paragraphs 13, 30, and 46; Attack graphs).
The rejection of claim 4 applies, mutatis mutandis, to claims 25 and 30.
Claim 5:
Cohen further discloses wherein each candidate network path of the one or more candidate network paths is scored based on a quantity of nodes of the at least one node of each candidate network path and a probability associated with each node of each candidate network path (paragraphs 38-48, 50, and 61).
Claim 6:
Cohen further discloses wherein the probability is based on a risk associated with each node, wherein the risk associated with each node is based on one or more of one or more security measures implemented by each node, the node being frequently used by a targeted user, the node containing targeted information, or the node being associated with a connection to another network or system (paragraphs 29, 35, 37, 47-48, 50, 55, 61, 69, and 87).
Claims 7, 26, and 31:
As per claim 7, Cohen further discloses receiving network topology data associated with a network; determining, based on an application of the predictive model to the network topology data associated with the network, a likelihood of one or more candidate network paths being associated with potential malicious activity of the network; and sending an indication, associated with the potential malicious activity, of the one or more candidate network paths (paragraphs 28, 30, 34-36, 46, 48, and 50; Attack paths and probability of attacks are determined).
The rejection of claim 7 applies, mutatis mutandis, to claims 26 and 31.
Claims 21, 27, and 32:
As per claim 21, Cohen further discloses determining, based on a comparison of the indication and activity data of a node, the activity data is associated with malicious activity, wherein the activity data is indicative of one or more actions of the node accessing at least one node of the one or more nodes of the network. (paragraphs 29-30, 46, and 52-53; Topology information and vulnerability information used to simulate attacks to create attack graphs corresponding to nodes in the network).
The rejection of claim 21 applies, mutatis mutandis, to claims 27 and 32.
Claims 22, 28, and 33:
As per claim 22, Cohen further discloses causing, based on the activity data being associated with malicious activity, one or more remedial actions, wherein the one or more remedial actions comprise one or more of isolating the malicious activity, deactivating a node, generating an alert, quarantining the malicious activity during an evaluation process of the malicious activity, or disabling an account of a user device (paragraphs 56, 58, 62-63, and 83; Alert is generated).
Conclusion
THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to PONNOREAY PICH whose telephone number is (571)272-7962. The examiner can normally be reached M-F 9am-5pm EST, 10am-6pm during Daylight Savings Time.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached at 571-272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/PONNOREAY PICH/Primary Examiner, Art Unit 2495