Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Arguments
Applicant's arguments filed on 12/04/2025 have been fully considered but they are not persuasive for the following reasons:
Applicant’s Argument:
“Simply put, the combination of Wei and dos Santos fails to teach all of the limitations of instant claim 1. For example, neither of these cited documents discloses:
- the generation and storage in memory of a fourth computer file, based on a third computer file indicating the presence or absence of a risk of corruption on at least each piece of input data included in the second file; or that
- the fourth file indicates, among the input data, input data to be protected that are both associated with critical transitions and a risk of corruption; or
- the use of a minimized finite-state transducer for determining in the application of the method.
Indeed, neither of these cited documents suggests the identification of input data values to be protected that are both associated with critical transitions and at risk of corruption, the identification being performed by a minimized finite state transducer and based on a computer file indicating the presence or absence of a risk of corruption.
For at least these reasons, Applicant respectfully submits that the combination of Wei and dos Santos fails to establish prima facie obviousness of claim 1, which claim is therefore in
suitable condition for allowance. Furthermore, claims 2-5, 9 and 11-13 are also in suitable condition for allowance by virtue of their dependence upon claim 1.”
Examiner’s Response:
The examiner respectfully disagrees. As explained by examiner’s response in office action mailed on 09/05/2024, the combination of Wei-dos Santos teaches:
the generation and storage in memory of a fourth computer file, based on a third computer file indicating the presence or absence of a risk of corruption on at least each piece of input data included in the second file ([0031] “The risk score of an entity may be defined as the likelihood of an event happening multiplied by the impact of the event for each type of risk considered. The types of risk, used in computing the risk score, can include cyber-security or cyber-attack risk…” The risk score (fourth computer file), is based on a third computer file indicating the presence or not of a risk of corruption (proximity to infected entities).);
the fourth file indicates, among the input data, input data to be protected that are both associated with critical transitions and a risk of corruption ([0031] “The risk score of an entity may be defined as the likelihood of an event happening multiplied by the impact of the event for each type of risk considered. The types of risk… can include cyber-security or cyber-attack risk and operational failure risk. The cyber-attack likelihood factors can include …vulnerabilities, direct connectivity with a public entity (in other words, exposure to and from the Internet), and proximity to infected/vulnerable entities. The likelihood of operational failure can be based on alerts indicating operational malfunction, misconfiguration, and misuse, among others. For example, the risk of an entity may be based on a severity of alerts associated with the entity, whether the entity has Internet connectivity, the proximity of the entity to other infected entities.”, [0032] “The cyber-attack impact can be based on entity criticality (e.g., how critical an entity is), network criticality (e.g., how an entity is networked with one or more critical entities or whether it is located in a mission-critical area of the network), and proximity to critical devices… The operational failure impact can be based on entity criticality and network criticality.” The fourth computer file, or risk score, indicates among the input data, data to be protected associated with critical transitions (operational failure impact based on entity/network criticality) and with a risk of corruption (proximity to infected entities));
the use of a minimized finite-state transducer for determining in the application of the method ([0007] “In some embodiments of the aforementioned system, the virtual patching engine security application performs symbolic execution of control code executed by the industrial automation device to determine future consequences of running one or more configurations of the industrial automation device in combination with one or more control commands.”, [0031] “The virtual patch engine may additionally collect system relevant information such as… PLC specific information such as read and written memory blocks, system configuration changes, alarm status change, the scan time, block execution time, etc.”)
Therefore, Wei-dos Santos is analogous art as to demonstrate "the identification of input data values to be protected that are both associated with critical transitions and at risk of corruption, the identification being performed by a minimized finite state transducer and based on a computer file indicating the presence or absence of a risk of corruption.", and Wei-dos Santos is clearly pertinent to the problem the claimed invention is trying to solve.
For the above reasons, the examiner maintains that the cited references teach every and each limitation as currently recited.
Allowable Subject Matter
Claims 7-8 and 10 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1-5, 9, 11-13 are rejected under 35 U.S.C. 103 as being unpatentable over WEI (US 20190317465 A1), hereafter WEI in view of dos Santos (US 20210203673 A1), hereafter dos Santos.
Regarding claim 1, WEI teaches:
A method of identification of risks of cyberattacks on a programmable logic controller ([0004] “Embodiments of the present invention address and overcome one or more of the above shortcomings and drawbacks, by providing methods, systems, and apparatuses related to virtual patching and automated distribution of security context information for control systems.”, [0005] “The app container is configured to collect system information generated by the industrial automation device during operation, and apply the one or more virtual patches to the system information to identify one or more security attacks.”), the method being implemented by a data processing device comprising a processing unit and a memory ([0040] “More generally, a processor as used herein is a device for executing machine-readable instructions stored on a computer readable medium, for performing tasks and may comprise any one or combination of, hardware and firmware. A processor may also comprise memory storing machine-readable instructions executable for performing tasks.”), the method comprising: generating, by the device, a digital representation of a minimized finite-state transducer based on a specification of a controller logic of the programmable logic controller ([0007] “In some embodiments of the aforementioned system, the virtual patching engine security application performs symbolic execution of control code executed by the industrial automation device to determine future consequences of running one or more configurations of the industrial automation device in combination with one or more control commands.”, [0031] “The virtual patch engine may additionally collect system relevant information such as… PLC specific information such as read and written memory blocks, system configuration changes, alarm status change, the scan time, block execution time, etc.”),
Further regarding claim 1, WEI teaches the limitations previously demonstrated; WEI does not appear to explicitly teach, but in related art DOS SANTOS teaches:
the minimized finite-state transducer comprising a set of source states, a set of destination states, and a set of transitions, each transition starting from a source state to a destination state ([0056] In some embodiments, if each of the events composing the issue have a high severity, then the issue will be marked as high priority. High risk events (e.g., events whose source or destination are associated with a high risk score) and a high number of the vulnerabilities (e.g., above a threshold, for instance, a customized or predefined threshold) can contribute to an issue being high priority.) based on a input data value ([0040] “For example, operations that often happen in a network can include a change in the logic of a controller that directly impact the process of a plant. This change of the logic can trigger multiple events (e.g., the network monitor entity can see that a controller stopped working, that it's firmware has been updated, that it was not responding for a while and then it restarted).”, [0055] “The priority of an issue can be based on a variety of factors, including the severity of an event (e.g., high security risk or high operational risk of the event source entity)”); generating and storing into the memory of a second computer file, based on a first computer file comprising a subset of sensitive states among the set of states ([0075] “Advantageously, embodiments are configured for reducing or preventing event flooding by correlating events into issues, which reflect high level occurrences (e.g., attacks) on a network. The issues may further be categorized (e.g., as security or operational)”), the second computer file comprising a list of critical transitions associated with the sensitive states ([0075] “The issues may further be categorized (e.g., as security or operational) and prioritized (e.g., critical, high, medium, low, informational) to allow ranking of issues. Embodiments thus enable more effective response to events.”), and for each transition, a list of the input data ([0115] “In various embodiments, events that are not correlated into an issue may counted, listed, displayed, etc., to allow for user analysis.”, [0181] “FIG. 7 depicts an example listing of a plurality of issues and associated details.”); and generating and storing into the memory of a fourth computer file, based on a third computer file indicating the presence or not of a risk of corruption on at least each input data element contained in the second computer file ([0031] “The risk score of an entity may be defined as the likelihood of an event happening multiplied by the impact of the event for each type of risk considered. The types of risk, used in computing the risk score, can include cyber-security or cyber-attack risk…” The risk score (fourth computer file), is based on a third computer file indicating the presence or not of a risk of corruption (proximity to infected entities).), the fourth computer file indicating, among the input data, input data to be protected which are both associated with critical transitions and with a risk of corruption, these input data being at risk for a cyberattack ([0031] “The risk score of an entity may be defined as the likelihood of an event happening multiplied by the impact of the event for each type of risk considered. The types of risk… can include cyber-security or cyber-attack risk and operational failure risk. The cyber-attack likelihood factors can include …vulnerabilities, direct connectivity with a public entity (in other words, exposure to and from the Internet), and proximity to infected/vulnerable entities. The likelihood of operational failure can be based on alerts indicating operational malfunction, misconfiguration, and misuse, among others. For example, the risk of an entity may be based on a severity of alerts associated with the entity, whether the entity has Internet connectivity, the proximity of the entity to other infected entities.”, [0032] “The cyber-attack impact can be based on entity criticality (e.g., how critical an entity is), network criticality (e.g., how an entity is networked with one or more critical entities or whether it is located in a mission-critical area of the network), and proximity to critical devices… The operational failure impact can be based on entity criticality and network criticality.” The fourth computer file, or risk score, indicates among the input data, data to be protected associated with critical transitions (operational failure impact based on entity/network criticality) and with a risk of corruption (proximity to infected entities)).
Since both WEI and DOS SANTOS are from the same field of endeavor as both are directed to network security and surveilling traffic present on a computer- which is within the same field of endeavor as the claimed invention. It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to modify and combine the teachings of WEI and DOS SANTOS by incorporating the teachings of DOS SANTOS into WEI for security and surveillance as claimed. The motivation to combine is to improve the security and analysis thereof for computer networks (WEI, [AB]; DOS SANTOS, [AB]). This reasoning and rationale for combination is equally applicable to rejections hereafter relying on WEI-DOS SANTOS.
Regarding claim 2, WEI-DOS SANTOS teaches:
The method according to claim 1, wherein the generation of the second computer file comprises: identifying in the digital representation of the minimized finite-state transducer, by a processing unit of the device, first transitions from a source state not identified as sensitive, in the first computer file, to a destination state identified as sensitive (DOS SANTOS [0052] “Embodiments can detect a reconfiguration of an entity, which can be a potentially dangerous operation… For example, when a PLC, functioning as an industrial controller in a plant, has its firmware changed by an operator or an attacker can be a dangerous operation.”, [0053] “Embodiments can further identify networking issues or problems that are hampering an entity from communicating within a network. For example, embodiments may determine an issue that a PLC or other controller is experiencing a problem communicating based on identifying a certain number of events that are happening... embodiments can determine an entity is having a problem communicating. The problem in communication could be due an actual malfunction of the entity or could be due to an attack that is trying to disrupt operation of the entity (e.g., a distributed denial-of-service (DDOS) attack).”, [0066] “Events associated with blacklisted credentials, weak security protocols, failed connections, and compliance issues may be bucketed or grouped together. Buckets can be used for simple correlation between threat intelligence data, e.g., blacklisted IP addresses and periodic events. This allows increasing the severity associated with an event when a destination IP address of a periodic event is blacklisted.”); and writing the first transitions into the second computer file ([0133] “In some embodiments, an event chain includes an ordered collection of entities and an ordered collection of events (e.g., alerts) which link the entities. Event chaining associates or chains events together over time to build a sequence of events. The sequence of events may be treated as or determined to be an issue, as described herein.”).
Regarding claim 3, WEI-DOS SANTOS teaches:
The method according to claim 2, wherein the generation of the second computer file further comprises: identifying in the finite-state transducer, by the processing unit, of second transitions from a source state identified as sensitive in the first computer file to a destination state not identified as sensitive (DOS SANTOS [0060] “In some embodiments, the aggregation includes a similarity based approach. For example, this can include clustering alerts with the same port number and MAC address if the alerts exceed a time window threshold)… Checks for an inside attacker can be detected based on the correlation of the source IP address and destination IP address class or subnet.”, [0174] “The various events shown in example GUI 500 are events related to logins or authentication including failed authentications, blacklisted login attempts, successful authentications, and blacklisted login successes. The successful authentications may be part of the entity 10.128.0.231 controlling entity 10.120.0.14. The failed authentications may be part of events of entity 10.128.0.231 trying to take control of entity 10.128.0.11 and failing to do so.” ); and writing the second transitions into the first computer file ([0133] “In some embodiments, an event chain includes an ordered collection of entities and an ordered collection of events (e.g., alerts) which link the entities. Event chaining associates or chains events together over time to build a sequence of events. The sequence of events may be treated as or determined to be an issue, as described herein.”).
Regarding claim 4, WEI-DOS SANTOS teaches:
The method according to claim 2, wherein the generation of the second computer file further comprises: for each first transition, identifying, by the processing unit of the device, in the digital representation of the minimized finite-state transducer, of first input data having a blocking of their value inhibiting the transition to the associated destination state (DOS SANTOS [0174] “The various events shown in example GUI 500 are events related to logins or authentication including failed authentications, blacklisted login attempts, successful authentications, and blacklisted login successes… The failed authentications may be part of events of entity 10.128.0.231 trying to take control of entity 10.128.0.11 and failing to do so.”); and writing the first input data into the second computer file ([0133] “In some embodiments, an event chain includes an ordered collection of entities and an ordered collection of events (e.g., alerts) which link the entities. Event chaining associates or chains events together over time to build a sequence of events. The sequence of events may be treated as or determined to be an issue, as described herein.”).
Regarding claim 5, WEI-DOS SANTOS teaches:
The method according to claim 4, wherein the generation of the second computer file further comprises: identifying in the finite-state transducer, by the processing unit, of second transitions from a source state identified as sensitive in the first computer file to a destination state not identified as sensitive (DOS SANTOS [0060] “In some embodiments, the aggregation includes a similarity based approach. For example, this can include clustering alerts with the same port number and MAC address if the alerts exceed a time window threshold)… Checks for an inside attacker can be detected based on the correlation of the source IP address and destination IP address class or subnet.”, [0174] “The various events shown in example GUI 500 are events related to logins or authentication including failed authentications, blacklisted login attempts, successful authentications, and blacklisted login successes. The successful authentications may be part of the entity 10.128.0.231 controlling entity 10.120.0.14. The failed authentications may be part of events of entity 10.128.0.231 trying to take control of entity 10.128.0.11 and failing to do so.”; the writing the second transitions into the first computer file ([0133] “In some embodiments, an event chain includes an ordered collection of entities and an ordered collection of events (e.g., alerts) which link the entities. Event chaining associates or chains events together over time to build a sequence of events. The sequence of events may be treated as or determined to be an issue, as described herein.”); and for each second transition, identifying in the digital representation of the minimized finite-state transducer, of second input data having the modification of their value, in the associated source state, causing said second transition ([0050] “In some embodiments, the correlation component is configured to correlate events by leveraging information of the network (e.g., OT network, IT network, etc.). The correlation component may correlate alerts related to a process in a network within an OT network together. For example, events related to a reconfiguration of a network controller can be correlated together. The events can include when one network controller is configured, a message is sent through the network to change its firmware configuration.”).
Regarding claim 9, WEI-DOS SANTOS teaches:
The method according to claim 1, further comprising a risk analysis, the analysis comprising, for each element of the fourth computer file: identifying, by the processing unit, of a feared event occurring in case of an attack on the element (DOS SANTOS [0030] “The risk score of an entity can be based on a risk framework that is designed to identify the entities that deserve the most analyst attention. For example, the risk framework described in U.S. patent with Ser. No. 16/454,729, entitled Comprehensive Risk Assessment, may be used. This may be based on the security risk and operational risk associated with an entity.”); calculating, by the processing unit, of a probability of occurrence of the event ([0032] “The resulting risk score is a more powerful metric that allows users to prioritize a response based on the probability of something happening (e.g., vulnerabilities, connectivity to public entities, proximity to infected entities), current evidence of something happening (e.g., alerts), and the impact of the problem or threat.”); determining, by the processing unit, of a level of the risk based on a consequence value of the event and on the probability ([0031] “The risk score of an entity may be defined as the likelihood of an event happening multiplied by the impact of the event for each type of risk considered. The types of risk, used in computing the risk score, can include cyber-security or cyber-attack risk and operational failure risk. The cyber-attack likelihood factors can include alerts, vulnerabilities, direct connectivity with a public entity (in other words, exposure to and from the Internet), and proximity to infected/vulnerable entities. The likelihood of operational failure can be based on alerts indicating operational malfunction, misconfiguration, and misuse, among others. For example, the risk of an entity may be based on a severity of alerts associated with the entity, whether the entity has Internet connectivity, the proximity of the entity to other infected entities.”).
Regarding claim 11, WEI-DOS SANTOS teaches:
The method according to claim 9, wherein the risk level of a feared event is equal to a product of the probability of the event and of its consequence value (DOS SANTOS [0031] “The risk score of an entity may be defined as the likelihood of an event happening multiplied by the impact of the event for each type of risk considered. The types of risk, used in computing the risk score, can include cyber-security or cyber-attack risk and operational failure risk. The cyber-attack likelihood factors can include alerts, vulnerabilities, direct connectivity with a public entity (in other words, exposure to and from the Internet), and proximity to infected/vulnerable entities. The likelihood of operational failure can be based on alerts indicating operational malfunction, misconfiguration, and misuse, among others. For example, the risk of an entity may be based on a severity of alerts associated with the entity, whether the entity has Internet connectivity, the proximity of the entity to other infected entities.”).
Regarding claim 12, WEI-DOS SANTOS teaches
A non-transient memory configured to store instructions configured to implement the method of identification of cyberattack risks of claim 1 when they are executed by a processing unit (WEI [0040] “More generally, a processor as used herein is a device for executing machine-readable instructions stored on a computer readable medium, for performing tasks and may comprise any one or combination of, hardware and firmware. A processor may also comprise memory storing machine-readable instructions executable for performing tasks.”).
Regarding claim 13, WEI-DOS SANTOS teaches
A data processing device comprising a processing unit and a memory, the device being configured to implement the method of identification of cyberattack risks of claim 1 (WEI [0040] “More generally, a processor as used herein is a device for executing machine-readable instructions stored on a computer readable medium, for performing tasks and may comprise any one or combination of, hardware and firmware. A processor may also comprise memory storing machine-readable instructions executable for performing tasks.”).
Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over WEI-dos Santos, in view of NASSOR (US 20210160323 A1) hereafter NASSOR.
Regarding Claim 6, WEI-dos Santos teaches the limitations previously demonstrated in claim 1; WEI-dos Santos does not appear to explicitly teach, but in related art NASSOR teaches:
wherein the identified risk associated with an element of the second computer file, in the third computer file, takes the form of an indication value coded over at least 2 bits ([0164-0165] “The Role Trust Level may also take a predetermined number of values (e.g., 4, coded in a 2-bit subfield) corresponding to different levels, for instance:/a value set to 0 (high trust level) for ITS stations relative to law role (authorities) such as traffic management, Roadside Surveillance Monitoring System, law enforcement, state or municipal, police.”).
Since both WEI-dos Santos and NASSOR are from the same field of endeavor as both are directed to network security and surveilling traffic present on a computer- which is within the same field of endeavor as the claimed invention. It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to modify and combine the teachings of WEI-dos Santos and NASSOR by incorporating the teachings of NASSOR into WEI-dos Santos for security and surveillance as claimed. The motivation to combine is to improve the security and analysis thereof for computer networks (WEI, [AB]; DOS SANTOS, [AB]; NASSOR, [AB]).
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Kamryn Gillespie whose telephone number is 703-756-5498. The examiner can normally be reached on Monday through Thursday from 9am to 6pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Linglan Edwards can be reached on (571) 270-5440. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pairdirect.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/K.J.G./Examiner, Art Unit 2408
/LINGLAN EDWARDS/Supervisory Patent Examiner, Art Unit 2408