Prosecution Insights
Last updated: May 29, 2026
Application No. 18/586,805

Intelligent Attack Vector Analysis and Mitigation System

Final Rejection §103
Filed: Feb 26, 2024
Examiner: WYSZYNSKI, AUBREY H
Art Unit: 2434
Tech Center: 2400 — Computer Networks
Assignee: BANK OF AMERICA CORPORATION
OA Round: 2 (Final)
Grant Probability: 89% (Favorable)
OA Rounds: 3-4
Est. Remaining: 4m
With Interview: 99%

Examiner Intelligence

Grants 89% — above average
Career Allowance Rate: 89% (635 granted / 710 resolved), +31.4% vs TC avg
Interview Lift: +12.6% (Moderate +13% lift), resolved cases with interview
Typical timeline
Avg Prosecution: 2y 8m (23 currently pending)
Career history
Total Applications: 739 (across all art units)

Statute-Specific Performance

§101: 3.1% (-36.9% vs TC avg)
§103: 58.4% (+18.4% vs TC avg)
§102: 24.0% (-16.0% vs TC avg)
§112: 1.2% (-38.8% vs TC avg)
Based on career data from 710 resolved cases

Office Action

§103
Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claims 1-20 are presented for examination.

Response to Arguments

Applicant’s arguments and amendments, filed 12/23/25, with respect to the rejection of claims 1-20 under 35 USC 102 have been fully considered and are persuasive. Therefore, the rejection has been withdrawn. However, upon further consideration, a new ground of rejection is made in view of 35 USC 103.

As per claims 1, 8, and 15, “generate, based on the aggregated network access information and a plurality of attack scenarios and characteristic attack behavior patterns”, it is unclear what is being generated in this step.

In response to the amendment “by securing hypermedia API functionalities”, the “securing” step is considered a desired outcome or functional result. The courts have consistently distinguished between claiming a functional result and claiming a specific technical solution. In order to further expedite prosecution, the examiner recommends further detailing an inventive concept, such as how the functionalities are secured by including technical steps taken to achieve the security.

Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over US 2023/0370439 to Crabtree et al., and further in view of US 2020/0213336 to Yu et al.

Regarding claim 1, Crabtree teaches a system comprising: a federated identity system managing user authentication processes for an enterprise network (0124: the advanced cyber decision platform, a specifically programmed usage of the business operating system, continuously monitors a client enterprise's normal network activity for behaviors); an attack vector analysis and mitigation platform, comprising: a processor; and memory storing computer-readable instructions that, when executed by the processor, cause the attack vector analysis and mitigation platform to: aggregate, from a plurality of network sources, network access information corresponding to a plurality of users attempting to access the enterprise network (0105: Sensor nodes generate a vast amount of log data, especially when multiple sensor nodes are deployed. Correlating and aggregating logs from different sensor nodes helps identify patterns that may span across multiple instances. By combining logs, analysts can gain a broader view of attacker activities, recognize coordinated attacks, and identify patterns that may be missed when examining individual logs in isolation. In some embodiments, these patterns might include specific attack signatures, recurring IP addresses or ranges, common attack vectors, or known exploit attempts.); generate, based on the aggregated network access information and a plurality of attack scenarios and characteristic attack behavior patterns (0105: As new logs are generated and more data is collected over time, the analysis should be continuously updated to adapt to evolving attacker techniques and patterns. Additionally, incorporating threat intelligence from external sources can provide valuable context and enhance the effectiveness of log analysis for identifying patterns in attackers' behavior.).

Crabtree lacks or does not expressly disclose simulate, using an attack simulation model and while simulating one or more malicious users performing actions on the enterprise network, and focusing on specific attack vectors related to federated identity and a hypermedia application programming interface (API).

However, Yu teaches using an attack simulation model and while simulating one or more malicious users performing actions on the enterprise network, and focusing on specific attack vectors related to federated identity and a hypermedia application programming interface (API) (0054: SIEM tool resulting in a locational organization which can be used for simulations of security threats, operational analyses of firewall filters, and other applications. Fig. 6 and 0089: a neural network (NN) classifier 608 is incorporated and trained on the log data 606, as well as data that is generated by the system to simulate access requests that violate a policy (e.g., a set of “terms and conditions” associated with access to the web application). 0004 and 0044: hypermedia API).

It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Crabtree with Yu to include an attack model simulation, simulating one or more malicious users performing actions on the enterprise network, in order to detect inappropriate activity in the presence of unauthenticated API requests, as taught by Yu, abstract.

Crabtree, as modified above, further teaches using an attack simulation model, the plurality of attack scenarios using the characteristic behavior patterns to identify one or more attack vectors targeting the federated identity system (Fig. 32: Sensor node 3200 may be configured to operate as a lightweight honeypot that can simulate limited services or functionalities, emulating vulnerabilities or weak points in systems. 0095: sensor node 3200 comprises an emulation engine 3210 configured to simulate various systems, services, and/or processes in order to entice potential attackers or intruders to interact with sensor node 3200. Emulation engine 3210 may comprise one or more modules configured to provide use-case specific emulation capabilities.); identify, based on information corresponding to the one or more attack vectors targeting the federated identity system, attack effectiveness information and impact information on the federated identity system (0101: The information gathered from sensor node 3200 can significantly contribute to incident response and threat intelligence efforts. Sensor node 3200 can serve as early warning systems, detecting attacks in their early stages, and providing valuable alerts to security teams. Sensor nodes 3200 capture detailed information about the tactics, techniques, and procedures (TTPs) employed by attackers.); determine, based on the attack effectiveness information and the impact information, a data security risk; and implement, automatically and at the federated identity system, a risk mitigation process based on an identified data security risk by securing hypermedia API functionalities (0102: contextual information (and various other data collected by sensor node 3200) may be processed or otherwise transformed prior to storage. In some implementations, the contextual information may be vectorized and stored in vector data, wherein the stored vector data may be used as inputs to or to develop one or more machine learning algorithms configured to analyze attack methodologies, identify and classify emerging threats, and develop effective countermeasures.).

Regarding claim 2, Crabtree, as modified above, further discloses the system of claim 1, wherein the aggregated network access information comprises one or more of behavioral information, tactic, techniques, and procedure (TTP) information, attack pattern information, and network compromise information (0100: Sensor node 3200 may further comprise a dummy operating system (OS) 3220 and one or more dummy applications 3250 which function to deceive attackers and gather information about their techniques, tactics, and behaviors.).

Regarding claim 3, Crabtree, as modified above, further discloses the system of claim 1, wherein the instructions cause the attack vector analysis and mitigation platform to integrate real-time threat intelligence feeds with the aggregated network access information (0124: the advanced cyber decision platform, a specifically programmed usage of the business operating system, continuously monitors a client enterprise's normal network activity for behaviors such as but not limited to normal users on the network, resources accessed by each user, access permissions of each user, machine to machine traffic on the network, sanctioned external access to the core network and administrative access to the network's identity and access management servers in conjunction with real-time analytics informing knowledge of cyberattack methodology.).

Regarding claim 4, Crabtree, as modified above, further discloses the system of claim 1, wherein the plurality of attack scenarios and characteristic attack behavior patterns are generated via a generative artificial intelligence-based system (0134: usage pattern analyses, in conjunction with additional data concerning an enterprise's network topology; gateway firewall programming; internal firewall configuration; directory services protocols and configuration; and permissions profiles for both users and for access to sensitive information, just to list a few non-exclusive examples may then be analyzed further within the automated planning service module 130, where machine learning techniques which include but are not limited to information theory statistics 130a may be employed and the action outcome simulation module 125, specialized for predictive simulation of outcome based on current data 125a may be applied to formulate a current, up-to-date and continuously evolving baseline network usage profile 202).

Regarding claim 5, Crabtree, as modified above, further discloses the system of claim 1, wherein the instructions cause the attack vector analysis and mitigation platform to process, using the attack simulation model, the plurality of attack scenarios using the characteristic behavior patterns to identify one or more attack vectors targeting utilizing a hypermedia application programming interface (API) (0142: a DCG 500 may comprise a pipeline orchestrator 501 that may be used to perform a variety of data transformation functions on data within a processing pipeline, and may be used with a messaging system 510 that enables communication with any number of various services and protocols, relaying messages and translating them as needed into protocol-specific API system calls for interoperability with external systems (rather than requiring a particular protocol or service to be integrated into a DCG 500).).

Regarding claim 6, Crabtree, as modified above, further discloses the system of claim 5, wherein the instructions cause the attack vector analysis and mitigation platform to identify, based on information corresponding to the one or more attack vectors utilizing the hypermedia API, the attack effectiveness information, and the impact information on hypermedia API functionality (0188: Cloud-based services are typically accessed via application programming interfaces (APIs) which are software interfaces which provide access to computing services within the cloud-based service via API calls, which are pre-defined protocols for requesting a computing service and receiving the results of that computing service. 0105: incorporating threat intelligence from external sources can provide valuable context and enhance the effectiveness of log analysis for identifying patterns in attackers' behavior.).

Regarding claim 7, Crabtree, as modified above, further discloses the system of claim 6, wherein the instructions cause the attack vector analysis and mitigation platform to implement, automatically and to the hypermedia API, a risk mitigation process based on the identified data security risk (0188: Cloud-based services are typically accessed via application programming interfaces (APIs) which are software interfaces which provide access to computing services within the cloud-based service via API calls, which are pre-defined protocols for requesting a computing service and receiving the results of that computing service.).

As per claims 8-14 and 15-20, this is a method and media version of the claimed system discussed above in claims 1-7 wherein all claimed limitations have also been addressed and/or cited as set forth above.

Conclusion

THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to AUBREY H WYSZYNSKI whose telephone number is (571)272-8155. The examiner can normally be reached M-F 9-5.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, ALI SHAYANFAR can be reached at 571-270-1050. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/AUBREY H WYSZYNSKI/
Examiner, Art Unit 2434

Prosecution Timeline

Feb 26, 2024: Application Filed
Sep 24, 2025: Non-Final Rejection mailed — §103
Dec 23, 2025: Response Filed
Mar 27, 2026: Final Rejection mailed — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12641125: AUTOMATED EDGE DRIVEN COLLABORATIVE DATA PROTECTION POLICY MANAGEMENT IN LARGE SCALE EDGE ENVIRONMENTS (3y 3m to grant, granted May 26, 2026)
Patent 12641116: DATA-LEAKAGE PREVENTION FOR PRE-RANSOMWARE'S ENCRYPTION ACTIVITY VIA TERMINATION OF NETWORK-SYSCALL COMMANDS USING INTERCEPTION ANALYSIS (3y 2m to grant, granted May 26, 2026)
Patent 12634268: FUNCTIONS AS A SERVICE (2y 8m to grant, granted May 19, 2026)
Patent 12621350: OUT-OF-BAND (OOB) POLICY MANAGEMENT IN HETEROGENEOUS COMPUTING PLATFORMS (2y 9m to grant, granted May 05, 2026)
Patent 12598211: CYBERATTACK SCORING METHOD, CYBERATTACK SCORING APPARATUS, AND COMPUTER READABLE STORAGE MEDIUM STORING INSTRUCTIONS TO PERFORM CYBERATTACK SCORING METHOD (2y 8m to grant, granted Apr 07, 2026)
Based on 5 most recent grants.


Prosecution Projections

Expected OA Rounds: 3-4
Grant Probability: 89%
With Interview: 99% (+12.6%)
Median Time to Grant: 2y 8m (~4m remaining)
PTA Risk: Moderate
Based on 710 resolved cases by this examiner. Grant probability derived from career allowance rate.
