GLOBAL SIGNAL ANALYTICS

Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . DETAILED ACTION This Office Action is in response to the application US 18/522,868 in response to the Remarks filed on 09/11/2025. Claims 1-4, 7-11, 13-18, and 20-25 have been examined and are pending in this application. Claims 1, 4, 8, 11, 15 and 18 have been Amended, claims 5, 6, 12, 13 and 19 have been cancelled and claims 21-25 have been newly added. This Action is made FINAL. Response to Arguments Applicant’s arguments in the instant Amendment, filed on 09/11/2025, with respect to claim(s) 1, 8 and 15 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument. The Examiner respectfully suggests that the claim be further amended; details in the specification be incorporated, to distinguish the claimed invention over prior art of record. Should the Applicant desire an interview to further clarify the claim interpretation/rejections, please contact the Examiner at (571) 272-1531 to schedule an interview. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claims 1-2, 8-9 and 15-16 are rejected under 35 U.S.C 103 as be unpatentable Scheidell (US 2004/0098623 A1) in view of Duan (US 2020/0358743 A1). Regarding Claim 1 Scheidell discloses: A method for protecting an internal network, comprising: receiving a first set of signals from an internal component of the internal network (Scheidell ¶43-44: Describes a system in which a security platform (HackerTrap) is installed at the client’s internal network perimeter and configured to monitor event data from internal components such as firewalls and IDS. The system captures and analyzes this internal traffic to detect threats.); upon determining that the first set of signals comprises an attack, receiving a second set of signals from an external component of an external network discrete from the internal network (Scheidell ¶44-45: Describes a system in which, after detecting an attack through internal signals such as firewall or IDS alerts, the edge manager receives data from an external edge network composed of intrusion alert generators located on networks separate from the client’s own. These external signals are used to determine whether the attack is also occurring elsewhere.); upon determining that the second set of signals comprises the attack, identifying the attack as untargeted (Scheidell ¶45: Describes a system in which the edge manager analyzes external signals from other client networks within the edge network. If the same attack is detected across multiple clients, the system classifies the attack as a general or untargeted attack.); upon determining that the second set of signals is absent the attack, identifying the attack as targeted (Scheidell ¶45: Describes a system in which, after detecting an attack on a client network, the edge manager queries an external edge network. If the same attack is not observed in that external network, the system determines the attack is specific to the client.); and upon the attack being identified as targeted, initiating a targeted attack mitigation response on the internal network (Scheidell ¶58: Describes a system where, upon identifying an attack as targeted based on its absence in the edge network, the managed security service notifies the internal IT manager and may trigger protective actions such as blocking the source IP or increasing monitoring.) Scheidell is silent on teaching “wherein the first set of signals is associated with an Internet Protocol (IP) address or range of addresses allocated to the internal network and the second set of signals is associated with an IP address or range of addresses different from that of the internal network.” Duan teaches distinguishing and controlling network traffic based on IP address association with internal and external networks. Specifically, Duan teaches collecting and analyzing network traffic logs that include source and destination IP addresses (Duan ¶35) and applying network security policies of a private network to traffic associated with IP address ranges allocated to the internal network while separately inspecting, logging, and controlling traffic associated with IP addresses over the internet that are different from the internal network IP space (Duan ¶31-32). Duan further teaches classifying IP addresses based on IP address ranges, including overlapping ranges, and assigning different treatment level accordingly (Duan ¶33). Once Duan has associated a first set of signals with internal network IP address ranges and a second set of signals with IP addresses different from the internal network there is no need to treat all network traffic uniformly. Applying Duan’s IP-range based traffic classification and policy enforcement to Scheidell’s targeted-attack determination yields predictable results by enabling differentiated security handling for internal versus external network traffic. Regarding Claim 2 Scheidell discloses: The method of claim 1, wherein: receiving the second set of signals from the external component of the external network comprises receiving a plurality of the second set of signals from a corresponding plurality of components corresponding to a plurality of external networks (Scheidell ¶45: Describes a system in which the edge manager receives data from a distributed edge network composed of multiple intrusion alert generators located on separate client networks. These distinct clients function as external components providing independent signals about observed attacks. This aligns with the claim limitation by disclosing receipt of a plurality of second sets of signals from a corresponding plurality of external components, each associated with different external networks.); upon determining that a previously determined threshold number of the plurality of the second set of signals comprise the attack, identifying the attack as untargeted (Scheidell ¶45 and 47–50: Describes a system that uses accumulators and multiple predetermined thresholds to classify events, generating alerts only when certain signal activity levels are reached. When the first or second threshold is exceeded, corresponding alert levels are triggered to indicate moderate or high activity rates. This aligns with the claim limitation by disclosing a method that determines whether a threshold number of external signals comprise or are absent the attack to classify it as untargeted or targeted. The thresholds and alert logic are configurable, supporting dynamic classification based on the volume of matching signals.); and upon determining that the previously determined threshold number of the plurality of the second set of signals are absent the attack, identifying the attack as targeted (Scheidell ¶45 and 47-50: Describes a system that uses accumulators and multiple predetermined thresholds to classify events, generating alerts only when certain signal activity levels are reached. This aligns with the claim limitation by disclosing a method that determines whether a threshold number of external signals comprise or are absent the attack to classify it as untargeted or targeted. The thresholds and alert logic are configurable, supporting dynamic classification based on the volume of matching signals.). Regarding Claim 8 Claim 8 is directed to a method corresponding to the computing platform recited in claim 1. Claim 8 is similar in scope to claim 1 and is therefore rejected under similar rationale. Regarding Claim 9 Claim 9 is directed to a method corresponding to the computing platform recited in claim 2. Claim 9 is similar in scope to claim 2 and is therefore rejected under similar rationale. Regarding Claim 15 Claim 15 is directed to a method corresponding to the computing platform recited in claim 1. Claim 15 is similar in scope to claim 1 and is therefore rejected under similar rationale. Regarding Claim 16 Claim 16 is directed to a method corresponding to the computing platform recited in claim 2. Claim 16 is similar in scope to claim 2 and is therefore rejected under similar rationale. Regarding Claim 22 Scheidell discloses: The system of claim 15, wherein the first set of signals is also associated with the internal component under a first ownership or management entity and the second set of signals is also associated with the external component under a second ownership or management entity different from the first ownership or management entity (Scheidell ¶41-45 and 54-58: describes receiving attack signals from internal components of a client network managed by an IT manager, and comparing those signals with attack signals collected by an edge detection network and managed security service from other client networks coupled to the internet. The other client network are separate from the client network indicating that the first set of signals is associated with an internal component under a first ownership or management entity and the second set of signals is associated with external components under different ownership or management entities.). Regarding Claim 24 Claim 24 is directed to a system corresponding to the computing platform recited in claim 22. Claim 24 is similar in scope to claim 22 and is therefore rejected under similar rationale.7 Claims 3-4, 10-11 and 17-18 are rejected under 35 U.S.C 103 as be unpatentable Scheidell (US 2004/0098623 A1) in view of Duan (US 2020/0358743 A1) as applied to claims 1, 8 and 15 above, and in further view of Haq (US 2015/0096024 A1). Regarding Claim 3 Scheidell and Duan do not disclose the following limitation “identifying an origin of the attack; identifying attack types associated with the origin of the attack; and applying the targeted attack mitigation response to attack components of the internal network that correspond to an attack type of the attack” However, in an analogous art, Haq discloses identifying attack types associated with the origin of the attack. Haq (¶117-118) describes a system that extracts features from suspect objects to identify their origin, including geographic location, IP address, or URL, and compares this origin information against known sources of prior APT attacks or campaigns stored in an intelligence database. Haq (¶117-118 and 126) further describes a system that extracts and stores origin information as features of a suspicious object, and maps those origins to known APT campaigns or attacker profiles stored in a database. This enables identification of attack types associated with the origin. The system then uses post-detection logic to apply targeted actions such as profiling, trend detection, or attribution, which correspond to applying mitigation responses to internal components aligned with the identified attack type. Given the teachings of Haq, a person having ordinary skill in the art before the effective filing date of the claimed invention would have recognized the desirability of modifying the teachings of Scheidell and Duan to identify the origin of an attack, determine associated attack types based on that origin, and apply targeted mitigation to internal network components matching the attack type. Haq discloses extracting origin information from suspicious objects such as IP address or geographic location and comparing it against known sources of APT campaigns to identify the likely type of attack (Haq ¶117–118). Haq further teaches applying tailored post-detection actions, including profiling and attribution, based on this mapping (Haq ¶126). These steps align with the claimed limitation and would have been an expected use of known threat intelligence and response mechanisms. Regarding Claim 4 Scheidell and Duan do not disclose the following limitation “wherein identifying the origin of the attack comprises identifying a country of origin of the attack, an IP address of origin of the attack or a network port of the attack associated with the origin of the attack.” However, in an analogous art, Haq discloses identifying the origin of the attack location. Haq (¶117-118) Describes a system that extracts features from a suspect object to identify its origin, including geographic location such as a country, based on metadata like IP address or URL. Given the teachings of Haq, a person having ordinary skill in the art before the effective filing date of the claimed invention would have recognized the desirability of modifying the teachings of Scheidell and Duan to extracts features from a suspect object to identify its origin, including geographic location such as a country, based on metadata like IP address or URL. This teaches the concept of determining the country of origin of network activity. While the claim limitation is tied specifically to identifying an attack’s origin, it would have been obvious to a person of ordinary skill in the art to apply the same IP-based geolocation techniques disclosed in the reference to determine the country associated with the source of an attack, especially since IP geolocation is a well-known method for attributing network events to physical regions. The motivation would be to better localize and respond to cyber threats based on their geographic origin, which enhances incident response and risk assessment (Haq ¶117-118). Regarding Claim 10 Claim 10 is directed to a method corresponding to the computing platform recited in claim 3. Claim 10 is similar in scope to claim 3 and is therefore rejected under similar rationale. Regarding Claim 11 Claim 11 is directed to a method corresponding to the computing platform recited in claim 4. Claim 11 is similar in scope to claim 4 and is therefore rejected under similar rationale. Regarding Claim 17 Claim 17 is directed to a method corresponding to the computing platform recited in claim 3. Claim 17 is similar in scope to claim 3 and is therefore rejected under similar rationale. Regarding Claim 18 Claim 18 is directed to a method corresponding to the computing platform recited in claim 4. Claim 18 is similar in scope to claim 4 and is therefore rejected under similar rationale. Claims 7, 14 and 20 is/are rejected under 35 U.S.C. 103 as unpatentable Scheidell (US 2004/0098623 A1) in view of Duan (US 2020/0358743 A1) as applied to claims 1, 8 and 15 above, and in further view of Holar (US 2009/0064307 A1). Regarding Claim 7 Scheidell and Duan do not disclose the following limitation “wherein the internal network and the external network are interconnected exclusively via a public network” However, in an analogous art, Holar discloses a reverse-HTTP gateway that allows a system to communication between the internal and external networks. Holar (¶2-3) describes a system where communication between the internal and external networks is routed exclusively through a reverse-HTTP gateway located in a DMZ. The internal network is fully protected behind an internal firewall, and external access occurs only via standard Internet protocols over public channels. Given the teachings of Holar, a person having ordinary skill in the art before the effective filing date of the claimed invention would have recognized the desirability of modifying the teachings of Scheidell and Duan to configure a system in which the internal and external networks are interconnected exclusively via a public network. Holar discloses that communication between an internal and external network occurs solely through a reverse-HTTP gateway positioned in a demilitarized zone (DMZ), with all traffic flowing over standard Internet protocols via public channels. The internal network is fully protected behind an internal firewall, ensuring that all inter-network communication is funneled through the public network. It would have been obvious to implement such an architecture to leverage the scalability and ubiquity of public network infrastructure while maintaining strict access control through the gateway and firewall mechanisms, thereby satisfying the claim limitation (Holar ¶2-3). Regarding Claim 14 Claim 14 is directed to a method corresponding to the computing platform recited in claim 7. Claim 14 is similar in scope to claim 7 and is therefore rejected under similar rationale. Regarding Claim 20 Claim 20 is directed to a method corresponding to the computing platform recited in claim 7. Claim 20 is similar in scope to claim 7 and is therefore rejected under similar rationale. Claims 21, 23 and 25 is/are rejected under 35 U.S.C. 103 as unpatentable Scheidell (US 2004/0098623 A1) in view of Duan (US 2020/0358743 A1) as applied to claims 1, 8 and 15 above, and in further view of Filatov (US 20230344797 A1). Regarding Claim 21 Scheidell and Duan do not disclose the following limitation “wherein the second set of responses further comprises updating passwords for users of the internal network.” However, in an analogous art, Filatov teaches determining a threat mitigation action in response to detecting a cyber threat, wherein the mitigation action includes updating passwords to remediate compromised credentials (Filatov ¶95, 10, 109). It would have been obvious to a person of ordinary skill in the art to incorporate the password-updating mitigation taught by Filatov into the targeted attack mitigation response of Scheidell and Duan in order to remediate credential-based compromises and prevent further unauthorized access, yielding predictable security improvement. Regarding Claim 23 Claim 23 is directed to a method corresponding to the computing platform recited in claim 21. Claim 23 is similar in scope to claim 21 and is therefore rejected under similar rationale. Regarding Claim 25 Claim 25 is directed to a system corresponding to the computing platform recited in claim 21. Claim 25 is similar in scope to claim 21 and is therefore rejected under similar rationale. Conclusion The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Mishra US 2023/0421596 A1 - teaches inserting a backdoor into a hardware-focused machine learning model by combining it with a payload model that responds to specific circuit features, enabling hidden behavior during cyberattack classification. Reybok US 10,686,805 B2 - teaches a system that aggregates threat data from multiple client networks, groups clients by industry or service commonality, identifies threats affecting specific groups, and distributes alerts including indicators and mitigation rules to at-risk clients. It uses trend analysis, cryptographic verification, and collaborative feedback (e.g., local threat scores) to adaptively update threat intelligence and improve coordinated defense. Any inquiry concerning this communication or earlier communications from the examiner should be directed to Saad Abdullah whose telephone number is (571) 272-1531. The examiner can normally be reached on Monday through Friday, 8:30 AM - 5:00 PM (EST). If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on (571) 272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /SAAD AHMAD ABDULLAH/ Examiner, Art Unit 2431 /MICHAEL R VAUGHAN/ Primary Examiner, Art Unit 2431