NETWORK PROTECTION

Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Response to Arguments Applicant’s arguments with respect to claim(s) 1-18 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument. Examiner has incorporated Guri US 2018/0181752 into the rejection of claims 1, 11, and 12 to meet the claims as amended. Examiner does not concede that Crabtree fails to teach this, but Guri more explicitly states as such. Examiner incorporates Guri in an effort to expedite prosecution. Examiner has incorporated Nanda US 20200045069 to teach a network defense system that uses AI, Q learning, and feedback rewards to meet new claims 14-18. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claim(s) 1-5 11, 12, 13 is/are rejected under 35 U.S.C. 103 as being unpatentable over Crabtree US 2021/0168175 in view of Guri US 2018/0181752 As per claims 1, 11, 12. (Currently Amended) Crabtree teaches A computer implemented method for protecting a network comprising a plurality of computer systems, the method comprising: receiving an indication that one or more anomalies which have been determined to be associated with a threat have been detected within the network; [0116] (teaches detecting anomalous behavior) Crabtree teaches generating a model of the network for simulating propagation of the threat within the network, the model comprising one or more properties representing an incidence of the threat within the network; [0096][0118]-[0120 (teaches calculating blast radius of resources at risk based on detection and simulation of intrusion, mapping a cyber physical graph) Crabtree teaches training an intelligent agent to generate a response to the threat, the intelligent agent being trained using a reinforcement learning technique by using the model of the network to evaluate effectiveness of taking different actions to counter the threat based on a simulated propagation of the threat within the model, the simulated propagation being determined based on a threat propagation model and the one or more properties representing the incidence of the threat within the network; [0140]-[0143] (machine learning simulator, to simulate and determine successful defenses based on attacks and improving mitigation) Crabtree teaches using the intelligent agent to determine a response to the threat, the response comprising one or more actions to be taken in relation to the network; and applying the response to the network by causing the one or more actions to be taken in relation to the network. [0117][0118] [0058][0059] [0140]-[0143] (teaches mitigation actions to apply in response to an attack and applying said actions) Guri explicitly teaches classifying a threat as a known threat or unknown threat. [0027][0028][0078][0079] (teaches classification model to determine if the exploit exists and is stored, or is unknown.) It would have been obvious to one of ordinary skill in the art at the time the invention was filed to use the teaching of Guri with the prior art because it improves response to unknown threats. As per claim 2. (Currently Amended) Guri teaches The method of claim 1 further comprising determining whether a predetermined response to the threat is available, wherein: the predetermined response is applied to the network in response to determining that the predetermined response is available; and the steps of generating the model of the network, training the intelligent agent and using the intelligent agent to determine the response to the threat are performed in response to a determination that no predetermined response is available. [0039][0078]-[0084] (teaches determining a classification of a threat, and applying a defensive action upon successful classification, or determining a response and action if no classification is found, and the threat is classified as “zero day” or unknown, and training the AI on the new threat) It would have been obvious to one of ordinary skill in the art at the time the invention was filed to use the teaching of Guri with the prior art because it improves response to unknown threats. As per claim 3. (Currently Amended) Guri teaches the method of claim 1, further comprising storing the response to the threat that was determined by the intelligent agent to be used as predetermined response to the threat in the future. [0039][0078]-[0084] (teaches updating the ML model and classification to map to defensive reactions) As per claim 4. (Currently Amended) Guri teaches the method of claim 1, wherein the intelligent agent that is trained is an intelligent agent that has already been trained to generate a response to a previous threat within the network and the training serves to adapt the intelligent agent to respond to the detected threat. [0039][0078]-[0084] (teaches updating the ML model and classification to map to defensive reactions) As per claim 5. (Currently Amended) Guri teaches the method of claim 1,further comprising causing a predetermined initial response to be applied to the network prior to determining the response to the threat using the intelligent agent. [0019][0074] (teaches halting of malicious code prior to classification to machine learning responses) As per claim 13. (New) The method of claim 1, Guri teaches wherein the threat classified as a known threat is further classified according to a type of known threat. [0027][0028][0076][0078][0079] (teaches classification model to determine if the exploit exists and is stored, or is unknown, teaches classifying the particular type or category of exploit/threat) Claim(s) 6-8 is/are rejected under 35 U.S.C. 103 as being unpatentable over Crabtree US 2021/0168175 in view of Guri US 2018/0181752 in view of Cam US 2021/0352095. As per claim 6. (Currently Amended) Cam teaches the method of claim 1,further comprising: estimating a propagation rate of the threat in the network from the one or more anomalies; and configuring the threat propagation model to reflect the estimated propagation rate of the threat in the network. [0005][0010][0049][0071][0073][0084]-[0086][0088] (teaches using AI model to detect and predict malware spread, and mitigation techniques (predicting malware propagation through model, and including real-time reports, and including temporal analysis) Crabtree does not explicitly teach details of malware detection, although it does teach simulation of malware and mitigation techniques. It would have been obvious to one of ordinary skill in the art at the time the invention was filed to use the teaching of Cam with the prior art because it helps improve security against malware infection. As per claim 7. Cam teaches (Currently Amended) The method of claim 1, wherein the threat is a malware threat and the one or more properties representing the incidence of the threat comprise a respective status of each of the plurality of computer systems indicating whether that computer system has been determined to have been infected by the malware. [0005][0010][0049][0071][0084]-[0086] (teaches determining what nodes have been infected) As per claim 8. Cam teaches (Currently Amended) The method of claim 7, wherein the one or more actions comprise one or more of: isolating a computer system from the network; upgrading a network defense level; downgrading a network defense level; running enhanced detection on one or more computer systems; deploying an intrusion detection system; or changing one or more firewall rules. [0063] (isolating, blocking infected node) Claim(s) 9, 10 is/are rejected under 35 U.S.C. 103 as being unpatentable over Crabtree US 2021/0168175 in view of Guri US 2018/0181752 in view of Koral US 2021/0306372. As per claim 9. (Currently Amended) Koral teaches the method of claim 1, wherein the threat is a Distributed Denial-of-Service(DDoS) attack and the one or more properties representing the incidence of the threat comprise an indication of a respective bandwidth utilization for each link in the network. [0045][0046][0048] (teaches detection of DDOS based at least in part on bandwidth utilization, or amount of data sent/received) It would have been obvious to one of ordinary skill in the art at the time the invention was filed to use the teachings of Koral with the prior art because it increases effectiveness at stopping DDOS attacks. As per claim 10. (Currently Amended) The method of claim 9, Koral teaches wherein the one or more actions comprise one or more of: isolating a computer system from the network; reconfiguring the network to remove one or more links; reconfiguring the network to reroute traffic; or reconfiguring the network to add one or more additional links [0045][0046][0048] (teaches isolating/blocking the computer system) Claim(s) 14-18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Crabtree US 2021/0168175 in view of Guri US 2018/0181752 in view of Nanda US 2020/0045069 As per claim 14. (New) The method of claim 1, Nanda teaches wherein the reinforcement learning technique used by the intelligent agent uses a reward function to generate the response to the threat. [0096] [0101][ 0107]-[111] (teaches ranking courses of action, and Q learning which incorporates weighted rewards into decision policy to obtain maximum Q value) It would have been obvious to one of ordinary skill in the art at the time the invention was filed to use the teaching of Nanda with the prior art because it improves finding the best corrective action per network anomaly. As per claim 15. (New) The method of claim 14, Nanda teaches wherein the reward function includes a score and the intelligent agent receives a higher score by aiming to minimize a number of the plurality of computer systems affected by the threat. [0096][0101][0116]-[0119] (teaches intelligent learning agent receives and ranks courses of actions in response to an anomaly, including that allowing traffic is better than completely blocking traffic) As per claim 16. (New) The method of claim 14, Nanda teaches wherein the reward function includes a score and the intelligent agent receives a higher score by aiming to avoid isolating any of the plurality of computer systems affected by the threat from the network. [0096][0116]-[0119] (teaches intelligent learning agent receives and ranks courses of actions in response to an anomaly, including that allowing traffic is better than completely blocking traffic) As per claim 17. (New) The method of claim 14, Nanda teaches wherein the reward function includes a score and the intelligent agent receives a higher score by considering a relative value of at least one of the plurality of computer systems within the network. [0096] [0101][ 0107]-[111] [0118] (teaches ranking courses of action, and Q learning which incorporates weighted rewards into decision policy to obtain maximum Q value) As per claim 18. (New) The method of claim 14, Nanda teaches wherein the reward function causes the intelligent agent to generate the response to the threat, based on the simulated propagation of the threat within the model, that maximizes a reward to the intelligent agent. [0096] [0101][ 0107]-[111] (teaches ranking courses of action, and Q learning which incorporates weighted rewards into decision policy to obtain maximum Q value) Conclusion Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHRISTOPHER BROWN whose telephone number is (571)272-3833. The examiner can normally be reached M-F 8-5. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached at (571) 270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /CHRISTOPHER J BROWN/Primary Examiner, Art Unit 2439