AMPLIFICATION OF FORMAL METHOD AND FUZZ TESTING TO ENABLE SCALABLE ASSURANCE FOR COMMUNICATION SYSTEM

§101 §103 §112 §DP

DETAILED ACTION -Claims 3-6, 14-16 and 20 are amended. -Objection to Figure 43 is withdrawn based on the replacement figure. -The previous claim objections are withdrawn based on the claim amendments. -The double patenting rejection is withdrawn based on the filed and approved terminal disclaimer. -Claims 1-20 are pending. Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Response to Arguments Applicant’s Remarks filed on 2/4/2026 have been fully considered. -With respect to the 112(b) rejection regarding the scope of the term “formal”, Examiner is not persuaded. The fact that the term “formal” has been used almost 300 hundred times adds to the ambiguity of this term because that term has been loosely used in multiple contexts with no clear definition. In addition, context in itself is not a definition. Applicant’s definition in paragraph 6 of the attribution letter defines an indefinite term with another indefinite term “rigorous”. In addition, the specification does not support mathematical analysis for “formal model”, “formal fuzzing classification”, “formal reasoning”, “formal model”, “formal space identification”, “formal vulnerability searching”, “formal guided fuzzing classification”, “formal analysis” and “formal design assumptions”. As such, the provided definition is not sufficient to overcome the 112(b) rejection. The remaining 112(b) rejections are withdrawn based on the amendments. -With respect to the 101 abstract idea rejection, Applicant’s Remarks were not persuasive. The claims do not recite any specific computational techniques instead they recite a plurality of “formal” techniques which Applicant admits are mathematical processes. In addition, the claims do not recite any privacy preserving protocols or any steps to stop malicious actors or prevent attacks. The argument that “code basis” and “pilot stacks” require physical computing components is not persuasive, first because no physical components are recited in the claims, and second, even if they were, a mere recitation of generic computer components is not sufficient to overcome an abstract idea rejection. The argument that the current invention improves the operation of fuzz-testing by making it more effective or scalable is not persuasive because testing and simulating appears to be for detecting within “formal models” and “abstracted assumptions of formal reasoning of… data” which does provide a proof of efficiency or scalability. As such, the 101 rejection is maintained. -With respect to the reference Yang, although the Declaration of Attribution is sufficient to overcome the co-authorship, it is not sufficient to overcome the reference as being valid prior art because the date of the publication was indicated on Applicant’s IDS of 6/26/2024 as being published in 2021 and now Applicant is providing a different statement that the reference was published in 2023, these are two contradictory statements without evidence to show which statement is correct. The publication itself shows a date of 2021 at the bottom of page 1 and Applicant did not provide a publication showing the correct date as evidence and did not provide a new IDS showing the correct date. The arXiv date is not the original IEEE publication date and therefore it is not evidence of the actual publication date. Upon filing a corrected IDS and a correctly dated publication, the evidence will be re-assessed. As such, the current rejection is being maintained. -Note that, as stated by Applicant, the provisional filing date is not the effective filing date of the current application because although it appears provide support for claim 1, it does not provide sufficient support for most of the subject matter in the remaining claims. As such, the effective filing date accorded to the current application is 4/5/2024. -Note that a corrected 6/26/2024 IDS is being attached to cross out the incorrectly dated reference and to cross out an additional reference which was listed on the IDS but not provided. Applicant is asked to file a corrected IDS and to file the missing document. Claim Objections Claim 15 is objected to because the amendment added “layer.” Without deleting the existing recitation of “layer.” As such, the claim is considered as ending with “layer. layer.”. Correction is required. Claim Rejections - 35 USC § 101 35 U.S.C. 101 reads as follows: Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title. Claims 1-20 are rejected under 35 USC 101 because the claimed invention is directed to abstract ideas without significantly more. Claims 1, 11 and 16 recite generating a model, detecting vulnerabilities within abstracted assumptions of formal reasoning, formal fuzzing classification, using additional models such as machine-learning models, determining unintended behaviors, fuzz testing by generating an additional model and fuzzing vulnerability detection. These are all mental steps of manipulating data to obtain additional data. This judicial exception is not integrated into a practical application because it is not evident what is the scalability pertains to and how it is achieved or how the fuzzing vulnerability detection is applicable to prevent attacks. The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception because a machine learning model or the training of a model in itself is model for updating data based on previous data. The dependent claims further define the above abstract ideas for example by defining the search space, the fuzz testing techniques, and therefore do not integrate into a practical application and do not add elements that amount to significantly more. Claim Rejections - 35 USC § 112 The following is a quotation of 35 U.S.C. 112(b): (b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention. Claims 1-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention. Claims 1, 3, 11, 16 and 20 recite the word “formal model”, “formal fuzzing classification”, “formal reasoning”, “formal model”, “formal space identification”, “formal vulnerability searching”, “formal guided fuzzing classification”, “formal analysis”, “formal design assumptions”. It is not clear what the scope of “formal” is and the specification does not provide a clear definition for what is formal or what is not. The dependent claims inherit the above rejection. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claims 1-15 are rejected under 35 U.S.C. 103 as being unpatentable over Yang et al “Systematic Meets Unintended: Prior Knowledge Adaptive 5G Vulnerability Detection via Multi-Fuzzing”, IEEE Journal of LaTeX Class Files, 2021, provided in Applicant’s IDS. Re Claim 1. Yang discloses a method for applying multiple dimension multi-layer protocol-independent fuzzing to data (i.e. we propose a multiple dimension multi-layer protocol-independent fuzzing framework based on digital twin system, which is combined with machine learning algorithms aiming to detect protocol vulnerabilities and unintended emergent behaviors) [Yang, p.2, col.2, last sentence], comprising the steps of: setting a size of formal model searching space of said data (i.e. for each input size, we average the accuracy, precision, and recall over 100 runs. Each run includes 30 epochs, and each epoch includes 10 batches) [Yang, p.8, col.2, first paragraph]; dividing said formal model searching space into potential attack trace, attack derivative, and clean area designations [Yang, p.3, Fig.1, the “not illegal and not valid” yellow zone is interpreted as a “potential attack trace area”, the “illegal not valid” red zone is an “attack derivative area” and the “valid states” green zone is a “clean area”, see also p.4, col.2, first paragraph]; identifying a high-risk area of said formal model searching space (i.e. The output of the system contains the identification of high-risk states and transactions, the detected vulnerabilities, and the prediction of the vulnerable path) [Yang, p.4, col.1, first paragraph]; detecting vulnerabilities within abstracted assumptions of formal reasoning of said data (i.e. When our proposed system has no prior knowledge or understanding of protocols, the system will try to detect and predict vulnerabilities without any domain knowledge) [Yang, p.6, col.1]; automatically assessing unintended behaviors in an out-of-assumption domain (i.e. as illustrated in Fig. 1. ‘Legal’ indicates whether a command can pass the integrity check, while ‘valid’ refers to whether the command can function as intended. For example, states in the not illegal and not valid zone are those that do not trigger the defense mechanism but can introduce potential threats. Compared to intended attacks, which are defined in the protocol and located in the red zone, unintended vulnerabilities are more challenging to detect in 5G wireless communication. Therefore, our focus is on detecting unintended vulnerabilities) [Yang, p.3, col.1 last paragraph and col.2 first paragraph]; performing fuzz testing on said formal model searching space by [extending said formal model searching space] to an out-of-assumption space search (i.e. Based on the fuzzing probability system, illustrated in the following section, the relay will take command-level and bit-level fuzzing strategies to modify the message to detect vulnerabilities…………..With the updated probability system by status monitors in UE and gNB, the relay can efficiently learn the threat patterns and detect the vulnerabilities) [Yang, p.4, col.2, Section B], (i.e. Compared to intended attacks, which are defined in the protocol and located in the red zone, unintended vulnerabilities are more challenging to detect in 5G wireless communication. Therefore, our focus is on detecting unintended vulnerabilities) [Yang, p.3, col.1 last paragraph and col.2 first paragraph]; Yang does not explicitly disclose “by extending said formal model searching space”, however Yang teaches starting with the formal model search space to reach the out-of-assumption space search (i.e. First, attack model configuration is required as input, where we can define the security goals and target high risk protocols or modules in a specific software stack based on contextual information and domain knowledge. Then, Given the input, the system could identify fuzzing locations and generate appropriate attack models) [Yang, p.4, col.1, section A]. Therefore, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify Yang to obtain that the out-of-assumption space is an extension of the formal model search space because obtaining one model based on another yields the expected result that the obtained model is an extension of the base model. Yang further discloses: and achieving scalability by associating fuzzing results with said vulnerabilities (i.e. the system proves the ability to detect vulnerabilities in black-box environment. Especially to discover and mitigate vulnerabilities and unintended emergent behaviors in the 5G stack with sufficient automation and adequate scalability, we design a protocol independent Listen-and-Learn (LAL) based fuzzing system…………..fuzzing approach that can reduce the average number of fuzzing cases expected to detect a vulnerability from linear to logarithmic growth, resulting in significant scalability and efficiency improvements for complex systems) [Yang, p.6, col.1 and p.3, col.2, item 2]. Re Claim 2. Yang teaches the method of Claim 1, wherein data collected in an in-space is used for classification model training (i.e. we use 20% of the dataset as testing data and 0.001 as the learning rate of the model) [Yang, p.8, col.2, first paragraph], (i.e. we incorporate an LSTM model based on rapid vulnerability detection. This prediction mode enables proactive defenses against potential attacks through learning the early-stage abnormal state transaction paths) [Yang, p.6, col.2, first paragraph]. Re Claim 3. Yang teaches the method of Claim 2, wherein a trained model derived from said classification model training (i.e. we use 20% of the dataset as testing data and 0.001 as the learning rate of the model) [Yang, p.8, col.2, first paragraph] is used to identify high-risk out-assumption regions (i.e. based on the attack model, the fuzzing strategy function will generate the fuzzing sequences ordered by the priorities. The output of the system contains the identification of high-risk states and transactions, the detected vulnerabilities, and the prediction of the vulnerable path) [Yang, p.4, col.1, Section A and col.2 first paragraph] to trigger a subsequent round of formal models (i.e. Each run includes 30 epochs, and each epoch includes 10 batches) [Yang, p.8, col.2] or revise one or more formal design assumptions. Re Claims 4, 5 and 6. Yang teaches the method of Claim 1, wherein a Listen-and-Learn, a source-and-Learn or a Sync-and-Learn fuzzing strategy is applied (i.e. Taking into account the attacker strategies with different levels of prior knowledge, we design three fuzzing strategies named LAL, SyAL, and SoAL. These strategies offer an efficient and comprehensive solution for vulnerability detection in 5G specifications and stacks) [Yang, p.3, col.2, item 1]. Re Claim 7. Yang teaches the method of Claim 1, wherein a probability-based fuzzing approach is applied (i.e. We propose a probability-based fuzzing approach that can reduce the average number of fuzzing cases expected to detect a vulnerability from linear to logarithmic growth, resulting in significant scalability and efficiency improvements for complex systems) [Yang, p.3, col.2, item 2]. Re Claim 8. Yang teaches the method of Claim 1, further comprising the step of adapting to a level of knowledge (i.e. The proposed system is scenario-adaptive to different levels of knowledge) [Yang, p.4, col.1]. Re Claim 9. Yang teaches the method of Claim 8, wherein said adapting step comprises the steps of identifying a no knowledge condition and choosing a black box approach (i.e. The proposed system is scenario-adaptive to different levels of knowledge background, from no knowledge (black box) to thorough knowledge (white-box)) [Yang, p.4, col.1, first paragraph]. Re Claim 10. Yang teaches the method of Claim 8, wherein said adapting step comprises the steps of identifying a thorough knowledge condition and choosing a white box approach (i.e. The proposed system is scenario-adaptive to different levels of knowledge background, from no knowledge (black box) to thorough knowledge (white-box)) [Yang, p.3, col.2, item 1]. Re Claim 11. In a manner similar to the rejection of claims 1 and 2, Yang teaches method for vulnerability detection and unintended-emergent-behavior assessment of data, comprising the steps of: conducting formal reasoning methods for vulnerabilities detection; performing formal-model-based fuzz testing for unintended emergent behavior discovery and assessment [in a pilot stack]; training machine-learning models results from said fuzz-testing; Yang does not explicitly disclose “pilot stack”, however Yang discloses pilot protocols (i.e. A proof-of-concept of the designed framework piloting Radio Resource Control (RRC) protocols in the srsRAN platform is developed) [Yang, p.3, col.2]. It would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify Yang’s “pilot protocols” to “pilot stack” because it is expected for communication protocols to have a protocol stack. Yang further discloses: and actuating automated recognition and discovery of relevant models and properties (i.e. in each fuzzing case, the system uses the proposed digital twin MITM attacker to generate fuzzing cases based on the value of the command-level fuzzing probability matrix D) [yang, p.11, col.1] from extant code bases using said machine-learning models (i.e. The digital twin solution can directly scale to other existing and future open-source and commercial 5G platforms and protocols other than RRC………. in Figure 5, we use srsRAN configured as the UE to control the USRP B210 device, facilitating communication with the Amarisoft Call Box) [Yang, p.3, col.2 and p.5, col.2]. Re Claim 12. Yang teaches the method of Claim 11, wherein said performing step further comprises the step of passing protocols satisfying certain properties to a fuzz testing case generator (i.e. based on the attack model, the fuzzing strategy function will generate the fuzzing sequences ordered by the priorities. The output of the system contains the identification of high-risk states and transactions, the detected vulnerabilities, and the prediction of the vulnerable path.) [Yang, p.4, Fig.2, col.1, first paragraph]. Re Claim 13. Yang teaches the method of Claim 12, further comprising the steps of monitoring unintended emergent behavior by designing test cases that violate corresponding assumptions for verified protocol models (i.e. At the command level, commands are replaced by other commands in the same physical channel to test whether any communication error state occurs……………………..Due to the change of temporary identifiers, such as rnti, most of the replaced messages are illegal for UE or gNB. In this way, our fuzz testing framework replaces messages with not only regular ones but also abnormal messages since the number of message permutations grows with the increasing number of cases) [Yang, p.7, col.1, Section B]. Re Claim 14. Yang teaches the method of Claim 11, wherein said fuzzing testing is applied to a Radio Resource Control layer (i.e. we apply the relay model across different layers. In particular, we apply our fuzzing strategies to the RRC layer and the MAC layer) [Yang, p.5, col.1]. Re Claim 15. Yang teaches the method of Claim 11, wherein said fuzzing testing is applied to a medium access control (MAC) layer (i.e. we apply the relay model across different layers. In particular, we apply our fuzzing strategies to the RRC layer and the MAC layer) [Yang, p.5, col.1]. Claims 16-20 are rejected under 35 U.S.C. 103 as being unpatentable over Yang et al “Systematic Meets Unintended: Prior Knowledge Adaptive 5G Vulnerability Detection via Multi-Fuzzing”, IEEE Journal of LaTeX Class Files, 2021, provided in Applicant’s IDS in view Geddes et al (US Pub. No. 2022/0335135) Re Claim 16. In a manner similar to the rejection of claim 1, Yang discloses a method for vulnerability detection and unintended-emergent-behavior assessment in fuzz testing, comprising the steps of: performing formal space identification; performing formal vulnerability searching; conducting formal guided fuzzing classification; doing high risk space detection; utilizing a [generative adversarial network based] high risk fuzz case generator; and conducting fuzzing-based vulnerability detection, wherein outputs generated by fuzzing are provided to a formal analysis process (i.e. With the sequence of fuzzing tests being executed, the system automatically generates a state transaction probability map. The probability map predicts the connection risks, and further rerouting strategies can be developed to avoid certain states and transactions that may potentially lead to RRC connection failures. The RRC state changes from one to another are defined and recorded as a transaction. We can graphically represent the state and transaction during the RRC procedures as the vertex and edge to ease further graphics-based analysis for risk identification and prediction) [Yang, p.7, col.2, Section C(2)], and wherein said fuzzing-based vulnerability detection and said formal analysis process are performed iteratively (i.e. fuzz testing is implemented iteratively through each case in the pool) [Yang, p.7, col.1]. Yang does not explicitly disclose whereas Geddes discloses: “generative adversarial network based” fuzz generator” (i.e. fuzzing and drilling may be performed for several hours in order to identify interesting code paths which may be used for smart seeding using a generative adversarial network (GAN) or other machine learning framework) [Geddes, para.0043]. It would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify Yang with Geddes because it uses smart seeding to optimize fuzzing [Geddes, Abstract]. Re Claim 17. Yang in view of Geddes teaches the method of Claim 16, wherein said performing formal space identification comprises the step of dividing a space into a potential attack trace area, an attack derivative area and a clear area [Yang, p.3, Fig.1, the “not illegal and not valid” yellow zone is interpreted as a “potential attack trace area”, the “illegal not valid” red zone is an “attack derivative area” and the “valid states” green zone is a “clear area”]. Re Claim 18 Yang in view of Geddes teaches the method of Claim 16, further comprising the steps of collecting in-space data and using said data for classification model training (i.e. we propose a multiple dimension multi-layer protocol-independent fuzzing framework based on digital twin system, which is combined with machine learning algorithms aiming to detect protocol vulnerabilities and unintended emergent behaviors) [Yang, p.2, col.2, last sentence], (i.e. we use 20% of the dataset as testing data and 0.001 as the learning rate of the model) [Yang, p.8, col.2, first paragraph]. Re Claim 19. Yang in view of Geddes teaches the method of Clam 18, further comprising the step of using trained models (i.e. we use 20% of the dataset as testing data and 0.001 as the learning rate of the model) [Yang, p.8, col.2, first paragraph] to identify a high risk out-space region (i.e. based on the attack model, the fuzzing strategy function will generate the fuzzing sequences ordered by the priorities. The output of the system contains the identification of high-risk states and transactions, the detected vulnerabilities, and the prediction of the vulnerable path) [Yang, p.4, col.1, Section A and col.2 first paragraph]. Rec Claim 20. Yang in view of Geddes teaches the method of Clam 19. This claim recites features similar to those in claim 3, therefore it is rejected in a similar manner. Conclusion Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to NOURA ZOUBAIR whose telephone number is (571)270-7285. The examiner can normally be reached Monday - Friday. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached at 571-272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /NOURA ZOUBAIR/Primary Examiner, Art Unit 2434