Prosecution Insights
Last updated: April 19, 2026
Application No. 18/533,299

RAPID IDENTIFICATION OF MALICIOUS CYBER ACTIVITY AND CONTEXTUALIZATION OF INDICATORS OF COMPROMISE

Non-Final OA §103
Filed: Dec 08, 2023
Examiner: DAILEY, THOMAS J
Art Unit: 2458
Tech Center: 2400 — Computer Networks
Assignee: Saudi Arabian Oil Company
OA Round: 1 (Non-Final)
Grant Probability: 81% (Favorable)
Expected OA Rounds: 1-2
Time to Grant: 3y 4m
Grant Probability With Interview: 95%

Examiner Intelligence

Career Allow Rate: 81% (694 granted / 859 resolved; +22.8% vs TC avg; grants above average)
Interview Lift: +14.6% on resolved cases with interview (moderate, roughly +15% lift)
Typical Timeline: 3y 4m average prosecution; 27 applications currently pending
Career History: 886 total applications across all art units

Statute-Specific Performance (share of rejections by statute, compared with the Tech Center average estimate; based on career data from 859 resolved cases)

§101: 11.8% (-28.2% vs TC avg)
§103: 50.3% (+10.3% vs TC avg)
§102: 18.8% (-21.2% vs TC avg)
§112: 11.5% (-28.5% vs TC avg)

Office Action

§103
Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION

Claims 1-15 are pending. In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 1-15 are rejected under 35 U.S.C. 103 as being unpatentable over Zorlular et al (US Pub. No. 20018/0183827), hereafter, “Zorlular,” in view of Boyer et al (US Pub. No. 2024/0414211), hereafter, “Boyer.”

As to claim 1, Zorlular discloses a computer-implemented method for processing information representing indicators of compromise for automatic cyberthreat assessment and remediation (Abstract), the method comprising: automatically accessing, by at least one computing device configured by executing instructions, information representing indicators of compromise (Fig. 2, label 204, and [0080], particularly, “At block 204, the warning system accesses indicators of a potential cyber attack related to the resource. Examples of such indicators include proxy logs 182, email logs 172, data loss prevention logs 194, application firewall logs 161, etc.”); automatically identifying, by the at least one computing device, a subset of at least some of the information representing the indicators of compromise (Fig. 2, label 204-206, [0080], particularly, “At block 206 the warning system matches the indicators accessed in block 204 against a set of rules that correspond to different types of activity potentially related to a cyber attack against a resource to determine a set of events reflecting such activity.” See also, [0022], particularly, “The automated analysis of the indicators may include an automated application of various criteria or rules so as to generate a visual display of the groups of related indicators so that the analyst may quickly and efficiently evaluate the alerts. In particular, the indicators may be dynamically re-grouped and/or filtered in an interactive user interface so as to enable an analyst to quickly navigate among information associated with various alerts and efficiently evaluate the groups of alerts in the context of, for example, an audit for data breach or other activity related to a cyber attack against a resource.” Which describes “identifying…a subset of at least some of the information representing the indicators of compromise” perhaps more clearly); automatically generating, by the at least one computing device using the identified subset, a request for contextual information (Fig. 2, label 208 and [0082], “In block 208, contextual data associated with the events potentially related to a cyber attack on the resource is determined. For example, in an embodiment the resource event history 154 may be queried to determine whether similar events related to a potential cyber attack on the resource have occurred in the past, and if so, whether those were determined by an analyst to be false positives or genuine causes for concern. As another example, some of the contextual data associated with a potential cyber attack on the resource may include information about events related to potential cyber attacks on other resources”); automatically transmitting, by the at least one computing device to a database, the request (Fig. 2, labels 154, 208 and [0082], “In block 208, contextual data associated with the events potentially related to a cyber attack on the resource is determined. For example, in an embodiment the resource event history 154 may be queried to determine whether similar events related to a potential cyber attack on the resource have occurred in the past, and if so, whether those were determined by an analyst to be false positives or genuine causes for concern. As another example, some of the contextual data associated with a potential cyber attack on the resource may include information about events related to potential cyber attacks on other resources”); automatically receiving, from the database in response to the request, a plurality of structured data records including the contextual information (Fig. 2, label 208 and [0082], “In block 208, contextual data associated with the events potentially related to a cyber attack on the resource is determined. For example, in an embodiment the resource event history 154 may be queried to determine whether similar events related to a potential cyber attack on the resource have occurred in the past, and if so, whether those were determined by an analyst to be false positives or genuine causes for concern. As another example, some of the contextual data associated with a potential cyber attack on the resource may include information about events related to potential cyber attacks on other resources”); automatically determining, by the at least one computing device, that at least one of the structured data records includes contextual information associated with a malicious cyberthreat (Fig. 2, label 206-210 and [0084], particularly, “In block 210 the information about the resource, the contextual data associated with the resource and the indicators of a potential cyber attack related to the resource as determined in block 204 are combined to determine, for each event, a risk estimate that indicates how much the resource is being put at risk by the event.”); automatically output, by the at least one computing device, information representing the contextual information included in the at least one of the structured data records and the indicators of compromise associated with the at least some of the data records (Figs. 8 and 9, [0109], particularly, “When alerts are presented to a human analyst, contextual information, such as other events associated with the resource, is presented with the alert.”) and automatically taking remedial action, by the at least one computing device, using the output information (Fig. 2, label 204).

However, Zorlular does not explicitly disclose automatically taking remedial action, by the at least one computing device, using the output information. But, Boyer discloses automatically taking remedial action, by at least one computing device, using output information (Fig. 2 and [0047], particularly, “FIG. 2 shows the LLMs 188 cooperating and communicating with a number of cyber security components including i) a cyber security appliance 100 with a cyber threat detect engine to detect a cyber threat in one or more of an email system, an Information Technology network, a cloud network, and any combination of these, ii) a proactive threat notification service 182 to publicize new and ongoing cyber threats, iii) a cyber threat autonomous response engine 140 to take one or more actions to mitigate a detected cyber threat, iv) a cyberattack simulator 105 to simulate a cyberattack, and v) a cyber-attack restoration engine 190 to restore network components back to an operational state prior to the cyberattack.”).

Therefore, it would have been obvious to one of ordinary skill in the art prior to the effective filing date of the application to combine Zorlular with Boyer in order to provide an autonomous system which would decrease the workload for network administrators.

As to claim 8, it is rejected by a similar rationale to that set forth in claim 1’s rejection.

As to claims 2 and 9, the teachings of Zorlular and Boyer as combined for the same reasons set forth in claim 1’s rejection and further disclose the structured data record is a Javascript Object Notation (“JSON”) object, the request is transmitted in an application programming interface (“API”) call, and the output is a comma separated value (“CSV”) file (Zorlular, [0066] and Boyer, [0025]).

As to claims 3 and 10, the teachings of Zorlular and Boyer as combined for the same reasons set forth in claim 1’s rejection and further disclose processing, by the at least one computing device, each of a plurality of JSON objects in parallel (Boyer, [0025]).

As to claims 4 and 11, the teachings of Zorlular and Boyer as combined for the same reasons set forth in claim 1’s rejection and further disclose the database includes contextual information is provided from a plurality of data sources (Zorlular, Fig. 2, label 208 and [0082], “In block 208, contextual data associated with the events potentially related to a cyber attack on the resource is determined. For example, in an embodiment the resource event history 154 may be queried to determine whether similar events related to a potential cyber attack on the resource have occurred in the past, and if so, whether those were determined by an analyst to be false positives or genuine causes for concern. As another example, some of the contextual data associated with a potential cyber attack on the resource may include information about events related to potential cyber attacks on other resources”).

As to claims 5 and 12, the teachings of Zorlular and Boyer as combined for the same reasons set forth in claim 1’s rejection and further disclose the data sources include open source intelligence (Zorlular, [0055]-[0066]; “open source” data sources would be expected given this description).

As to claims 6 and 13, the teachings of Zorlular and Boyer as combined for the same reasons set forth in claim 1’s rejection and further disclose at least some of the contextual information includes at least one of a file name, a hash value, a domain address, and an internet protocol address (Zorlular, [0023], see also [0080]).

As to claims 7 and 14, the teachings of Zorlular and Boyer as combined for the same reasons set forth in claim 1’s rejection and further disclose the contextual information in the database represents the indicators of compromise as malicious, non-malicious, or falsely positive (Zorlular, [0081]-[0082]).

As to claim 15, the teachings of Zorlular and Boyer as combined for the same reasons set forth in claim 1’s rejection and further disclose the remedial action includes detecting and containing a cyberthreat (Boyer, Fig. 2 and [0047], particularly, “FIG. 2 shows the LLMs 188 cooperating and communicating with a number of cyber security components including i) a cyber security appliance 100 with a cyber threat detect engine to detect a cyber threat in one or more of an email system, an Information Technology network, a cloud network, and any combination of these, ii) a proactive threat notification service 182 to publicize new and ongoing cyber threats, iii) a cyber threat autonomous response engine 140 to take one or more actions to mitigate a detected cyber threat, iv) a cyberattack simulator 105 to simulate a cyberattack, and v) a cyber-attack restoration engine 190 to restore network components back to an operational state prior to the cyberattack.”).

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to THOMAS J DAILEY whose telephone number is (571)270-1246. The examiner can normally be reached 9:30am-6:00pm. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Umar Cheema can be reached on 571-270-3037. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/THOMAS J DAILEY/ Primary Examiner, Art Unit 2458
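The claim 1 pipeline the rejection walks through (access indicators, identify a subset, build a context request, receive JSON records from a database, flag the records whose context is malicious, emit a CSV of indicators with their context, and choose a remedial action), as an added Python example that is neither the applicant's nor the cited references' code. The context records, indicator values, source names and the "contain" action are constructed assumptions; the API call to the database is replaced by an in-memory lookup, and indicator typing is deliberately simplified to IP, hash and domain.

```python
import csv, io, ipaddress, json, re
from concurrent.futures import ThreadPoolExecutor

# Constructed sample of the contextual records the claim describes: JSON objects a
# context database returns, each labelling one indicator. Not real intelligence data.
CONTEXT_DB_JSON = """[
 {"indicator": "203.0.113.7", "type": "ip", "verdict": "malicious", "source": "osint-feed-a"},
 {"indicator": "evil-update.example", "type": "domain", "verdict": "malicious", "source": "osint-feed-b"},
 {"indicator": "44d88612fea8a8f36de82e1278abb02f", "type": "hash", "verdict": "false_positive", "source": "analyst-history"},
 {"indicator": "intranet.example", "type": "domain", "verdict": "non_malicious", "source": "asset-inventory"}
]"""
HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)
DOMAIN_RE = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)+$", re.I)

def classify_ioc(value):
    """Return the IoC type of a raw token (ip, hash, domain) or None if it is not one."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        if HASH_RE.match(value):
            return "hash"
        return "domain" if DOMAIN_RE.match(value) else None

def select_subset(raw_tokens):
    # Identify the subset of raw tokens that are recognisable indicators.
    typed = ((t, classify_ioc(t)) for t in raw_tokens)
    return [(t, kind) for t, kind in typed if kind]

def build_request(subset):
    # Body an API call would carry to the context database.
    return {"indicators": [{"value": v, "type": t} for v, t in subset]}

def query_context(request, db_json=CONTEXT_DB_JSON):
    # Stand-in for the API round-trip: return the JSON records matching the request.
    wanted = {i["value"] for i in request["indicators"]}
    return [r for r in json.loads(db_json) if r["indicator"] in wanted]

def assess(record):
    # Flag records whose context marks the indicator malicious; contain only those.
    action = "contain" if record["verdict"] == "malicious" else "none"
    return {**record, "action": action}

def enrich_to_csv(raw_tokens):
    records = query_context(build_request(select_subset(raw_tokens)))
    with ThreadPoolExecutor() as pool:  # JSON objects processed in parallel
        assessed = list(pool.map(assess, records))
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["indicator", "type", "verdict", "source", "action"])
    writer.writeheader()
    writer.writerows(assessed)
    return assessed, buf.getvalue()
```

Records labelled false positive or non-malicious by the context database are kept in the CSV so an analyst sees why no action was taken, but only a malicious verdict triggers containment.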

Prosecution Timeline

Dec 08, 2023
Application Filed
Sep 30, 2025
Non-Final Rejection — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology (based on the 5 most recent grants):

Patent 12597054, METHOD AND SYSTEM OF FORWARDING CONTACT DATA: granted Apr 07, 2026 (2y 5m to grant)
Patent 12580953, METHOD AND SYSTEM FOR DETECTING ENCRYPTED FLOOD ATTACKS: granted Mar 17, 2026 (2y 5m to grant)
Patent 12556589, MEDIA RESOURCE OPTIMIZATION: granted Feb 17, 2026 (2y 5m to grant)
Patent 12556605, Live Migration Of Clusters In Containerized Environments: granted Feb 17, 2026 (2y 5m to grant)
Patent 12549399, PROGRESS STATUS AFTER INTERRUPTION OF ONLINE SERVICE: granted Feb 10, 2026 (2y 5m to grant)

Study what changed to get past this examiner.


Prosecution Projections

Expected OA Rounds: 1-2
Grant Probability: 81% (95% with interview, +14.6%)
Median Time to Grant: 3y 4m
PTA Risk: Low
Based on 859 resolved cases by this examiner. Grant probability derived from career allow rate.
