Detailed Action
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Amendments
This final office action is in response to the amendments filed 12/03/2025, in which claims 1, 6-8, and 13-20 have been amended and claims 3-5, 10-12, and 17-18 have been cancelled; claims 1-2, 6-9, 13-16, and 19-20 remain pending in the application.
Response to Amendment
The amendment filed on 12/03/2025 has been entered. See response to amendments.
Response to Arguments
Applicant’s amendments and arguments have been fully considered and are persuasive; however, the arguments are moot in view of the new ground of rejection set forth below.
With respect to applicant’s argument regarding the remaining dependent claims 2-7, 9-14, and 16-20 on page 13 of the remarks, the applicant relies on the newly added amendments of the independent claims 1, 8, and 15. Please see the Examiner’s response above and the details of the rejection.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1 and 8 are rejected under 35 U.S.C. 103 as being unpatentable over Jones et al. (US-20180063182-A1, hereafter Jones), in view of Grossman et al. (US-20180018463-A1, hereafter Grossman).
Regarding claim 1, Jones discloses a method comprising:
ingesting, by a processing device, cybersecurity data collected from a set of data sources of a computing system of an enterprise to obtain input data (see Jones par.0028: “An enterprise threat analysis system 110 includes one or more computer systems configured to interface with one or more systems of an enterprise in order to configure and deploy an enterprise data collection and analysis tool to the one or more systems of the enterprise. The enterprise data collection and analysis tool is configured to collect information associated with threat parameters and/or sensitive data parameters associated with an enterprise.”), wherein each data source of the set of data sources generates data related to cybersecurity within the computing system (see Jones par.0032: “The data collection module may also be enabled to ensure that the system can identify which enterprise computing system is associated with the collected system data and/or to identify previous versions of stored system data associated with each enterprise collection system. For example, specific enterprise computing systems may be assigned unique identifiers and collected data may be time stamped such that the enterprise threat analysis system can track changes between collected system data over time.”);
processing, by the processing device, the input data to generate an analysis output comprising an assessment of cybersecurity risk within the computing system (see Jones par.0033: “A data analysis module 115 of the threat analysis system is configured to process the collected system information to identify known threats or potential threats associated with each of the enterprise computing systems. The data analysis module may perform a number of different types of data analysis…the data analysis module may be configured to perform a signature analysis for each of the system data sets collected against a database of known threats, perform a behavioral analysis for each of the system data sets for unknown threats, and/or may perform a vulnerability analysis for each of the system data sets.”, par.0035: “The data analysis module may log threat information associated with the computing system including a file identifier associated with the threat, a computing system identifier, a type of threat indicator, and a threat identifier associated with the system data set. The threat information may be included in a threat report and a corresponding threat alert that may be provided to a system administrator computer for the enterprise where a threat is found.”). Examiner interprets the data analysis as the assessment of cybersecurity risk, which outputs a threat report, and interprets the threat report as the analysis output; and
performing, by the processing device based on the analysis output, at least one action to manage the cybersecurity for the computing system (see Jones par.0028: “The enterprise threat analysis system may analyze the collected data for threats and/or sensitive data associated with each of the one or more computing systems within the enterprise system, generate threat reports and/or sensitive data reports, collect additional information from systems with potential malicious threats, and provide information to a system administrator for remediation of the threats”). Examiner interprets the threat report as the analysis output, and the at least one action as providing that information so that action or remediation can be taken by the administrator.
Jones appears to be silent on the following; however, Grossman teaches
wherein performing the at least one action comprises at least one of:
using a digital assistant implemented by an interactive digital avatar for managing the cybersecurity of the computing system (see Grossman par.0107: “simulations and a virtual reality system are used to enhance the operational capabilities or training of cyber defenders by sharing behavioral related information with each other, both observed behavioral related information, and behavioral related information generated when multiple real or virtual cyber actors engage in scenes, simulations and virtual reality environments. Sharing observed or simulated cyber behaviors in this way between all operational elements, within or among geographically dispersed enterprises, enables an immediate “army” of cyber defenders versus a single element of defenders. This “army” of both real and simulated virtual cyber actors or avatars (an interactive digital avatar), enables the cyber defenders to engage and collaborate in scenes, simulations and virtual reality environments. This real-time collaboration is enabled by simulating multiple courses of action (COAs) (at least one action), defensive strategies, impacts of actions and incorporating this information into a shared virtual environment for enhanced visualizations supporting a more comprehensive and rapid operational understanding and decision process.”, par.0109: “the simulation engine 115 is used to generate multiple simulated CBS 111 that are used in the interactive CBS environment 401 to provide courses of action (COA) for network defenders (in the case that some of the actors 105 are network defenders). The data to create the interactive CBS environments can include, but is not limited to, cyber data 101, sensor data 102, and various types of enrichment data 103. Actors 105 and observers/controllers 402 can use the interaction engine 401 to create training scenarios, develop COA, replay scenarios and take different actions to try to improve outcomes.”). Examiner interprets the virtual cyber actors or avatars (an interactive digital avatar) as performing at least one action for managing the cybersecurity of the computing system;
or
using an extended reality system to access a virtual environment for managing the cybersecurity of the computing system.
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Jones’s teaching “The threat analysis system may configure a threat analysis software tool that can be deployed across an enterprise. The threat analysis software tool securely collects system information (e.g., logs, network traffic, file names, file paths, configuration settings, etc.) from each of the computers across the enterprise based on threat parameters provided during configuration of the software tool and delivers the collected information to a secure central data storage location across the enterprise” (see Jones par.0013), with Grossman’s teaching “the simulation engine 115 is used to generate multiple simulated CBS involving simulated virtual cyber actors engaging in behavior, such as, but not limited to, initial reconnaissance, scanning, initial compromise, establishing a foothold, beaconing, command and control, credential capture, escalating privileges, internal reconnaissance, lateral motion, network mapping, data exfiltration, maintaining persistence, and related behaviors; and the interaction engine 106 is used so that network defender actors can take actions in the interactive CBS environment, including but not limited to, blocking a device from communicating, blocking ports to stop an exfiltration, removing users or removing privileges of users, and killing processes.” (see Grossman par.0110).
Regarding claim 8, it is a system claim that recites limitations similar to those of method claim 1 and is rejected on the same rationale as claim 1. Memory (see Jones par.0143).
Claims 2 and 9 are rejected under 35 U.S.C. 103 as being unpatentable over Jones et al. (US-20180063182-A1, hereafter Jones), in view of Grossman et al. (US-20180018463-A1, hereafter Grossman), in further view of Thomas et al. (US-20230114719-A1, hereafter Thomas).
Regarding claim 2, Jones in view of Grossman discloses the method of claim 1 but does not explicitly disclose the following, which Thomas teaches: wherein ingesting the cybersecurity data to obtain the input data further comprises generating the input data by transforming the cybersecurity data (see Thomas par.0187: “The stream service 1404 may ingest events from the enterprise network 1402 including any of the events and the like”, par.0188: “The transformer 1406 may generally process events in the stream service 1404, e.g., by organizing data according to one or more applicable schemas from the schema registry 1412, and augmenting the data with any suitable metadata to provide augmented event data for use in threat detection, investigation, and management. For example, the transformer 1406 may add a customer identifier, a firewall identifier, or other information for identifying a source of an event.”). Examiner interprets the events as the data ingested and transformed by the transformer 1406 to provide augmented event data for threat detection.
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine the Jones and Grossman teachings of claim 1 with Thomas’s teaching “The transformer service may be configured to process the asynchronous event stream by filtering the additional data objects to remove duplicate one or more data objects already stored in the data lake, thereby providing filtered data objects, to augment each of the filtered data objects with a corresponding description organized according to one of the one or more schemas, thereby providing augmented data objects, and to store the augmented data objects in the data lake.” (see Thomas par.0321).
Regarding claim 9, it is a system claim that recites limitations similar to those of method claim 2 and is rejected on the same rationale as claim 2.
Claims 6, 7, 13, and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Jones et al. (US-20180063182-A1, hereafter Jones), in view of Grossman et al. (US-20180018463-A1, hereafter Grossman), in further view of Ramakrishna et al. (US-20180121808-A1, hereafter Ramakrishna).
Regarding claim 6, Jones in view of Grossman discloses the method of claim 1 but does not explicitly disclose the following, which Ramakrishna teaches: wherein the at least one action to manage the cybersecurity for the computing system comprises at least one remedial action performed without additional user interaction to address at least one cybersecurity threat identified within the computing system (see Ramakrishna par.0040: “The server receives, via the particular chatbot session, a triage request to enter a triage mode regarding the one or more reported symptoms. The server predicts a corrective action using the one or more reported symptoms as input to a machine learning model. The machine learning model is trained using a history of observed symptoms in the network, a history of corrective actions initiated via chatbot sessions and associated with the observed symptoms, and a history of feedback regarding the corrective actions received via the chatbot sessions. The server provides the predicted corrective action to the user interface via the particular chatbot session as a suggested corrective action, in response to the received triage request”, par.0050: “chatbot server 304 may automatically initiate a corrective action (at least one remedial action performed without additional user interaction), in response to receiving a symptom alert 310. For example, the user of administrator device 306 may establish one or more rules on chatbot server 304 that cause server 304 to send out a corresponding action command 326 based on the received symptom(s).”).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Jones in view of Grossman of claim 1 with Ramakrishna’s teaching “the chatbot may generate symptom-driven, intelligent triaging and troubleshooting workflow step recommendations. In further aspects, the chatbot itself may undertake smart, rule-driven triage actions, automatically.” (see Ramakrishna par.0039).
Regarding claim 13, it is a system claim that recites limitations similar to those of method claim 6 and is rejected on the same rationale as claim 6.
Regarding claim 7, Jones in view of Grossman and Ramakrishna discloses the method of claim 6, and Jones further discloses wherein the at least one remedial action comprises generating an alert indicative of the at least one cybersecurity threat (see Jones par.0040: “A reporting module 114 of the threat analysis system is configured to generate a threat report including relevant information to any identified potential threats identified in the enterprise computing systems and provide the threat report to a system administrator of the enterprise and/or an analyst for further investigation and/or mediation of the threat. Additionally and/or alternatively, the reporting module may generate and deliver an alert to the system administrator to notify them of the potential problem so that the potential threat can be identified and remediated as soon as possible to ensure the least amount of damage or compromise to the enterprise.”).
Regarding claim 14, it is a system claim that recites limitations similar to those of method claim 7 and is rejected on the same rationale as claim 7.
Claim 15 is rejected under 35 U.S.C. 103 as being unpatentable over Jones et al. (US-20180063182-A1, hereafter Jones), in view of Brunner et al. (US-20230171266-A1, hereafter Brunner).
Regarding claim 15, Jones discloses a method comprising:
ingesting, by a processing device, cybersecurity data collected from a set of data sources of a computing system of an enterprise to obtain input data (see Jones par.0028: “An enterprise threat analysis system 110 includes one or more computer systems configured to interface with one or more systems of an enterprise in order to configure and deploy an enterprise data collection and analysis tool to the one or more systems of the enterprise. The enterprise data collection and analysis tool is configured to collect information associated with threat parameters and/or sensitive data parameters associated with an enterprise.”);
processing, by the processing device, the input data to generate an analysis output (see Jones par.0033: “A data analysis module 115 of the threat analysis system is configured to process the collected system information to identify known threats or potential threats associated with each of the enterprise computing systems. The data analysis module may perform a number of different types of data analysis…the data analysis module may be configured to perform a signature analysis for each of the system data sets collected against a database of known threats, perform a behavioral analysis for each of the system data sets for unknown threats, and/or may perform a vulnerability analysis for each of the system data sets.”, par.0035: “The data analysis module may log threat information associated with the computing system including a file identifier associated with the threat, a computing system identifier, a type of threat indicator, and a threat identifier associated with the system data set. The threat information may be included in a threat report and a corresponding threat alert that may be provided to a system administrator computer for the enterprise where a threat is found.”); and
Jones does not explicitly teach the following; however, Brunner teaches
performing, by the processing device and based on the analysis output, at least one action to manage cybersecurity for the computing system, wherein performing the at least one action to manage the cybersecurity for the computing system comprises using an extended reality system to access a virtual environment for managing the cybersecurity of the computing system (see Brunner par.0020: “the threat prediction platform (the processing device) can be incorporated into a network’s cybersecurity applications/services that may be used to protect network/enterprise platforms and assets. Such applications/services may include, for example, cybersecurity service(s) that analyze flow and domain name service (DNS) metadata to identify potential cyber threats and attacks based on customer Internet traffic traversing the operator’s network; cybersecurity service(s) that collect and analyze security data from a variety of sources (e.g., the network, cloud(s), endpoint(s), software asset discovery, monitoring, and analysis system(s), etc.), detect intrusions, correlate events (the analysis output), and alert and report on potential security vulnerabilities and attacks (at least one action);”, par.0035: “the threat prediction platform 210 may be communicatively coupled to one or more user/computing devices (the computing system), which may include one or more devices capable of receiving, generating, storing, processing, and/or providing data (e.g., network-related data, control data, etc.) relating to the threat prediction platform 210. For example, a user/computing device can include a communication and/or computing device, such as a mobile phone (e.g., a smart phone, a radiotelephone, etc.), a desktop computer, a laptop computer, a tablet computer, a handheld computer, a display device, a gaming device, a wearable communication device (e.g., a smart wristwatch, a pair of smart eyeglasses, XR gear (e.g., a pair of AR, VR, MR glasses (using an extended reality system to access a virtual environment), a headset, headphones, and/or the like), etc.),”). Examiner interprets that the threat mitigation platform performs an action to manage the cybersecurity for the computing system, which comprises an extended reality system.
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Jones’s teaching “The threat analysis system may configure a threat analysis software tool that can be deployed across an enterprise. The threat analysis software tool securely collects system information (e.g., logs, network traffic, file names, file paths, configuration settings, etc.) from each of the computers across the enterprise based on threat parameters provided during configuration of the software tool and delivers the collected information to a secure central data storage location across the enterprise” (see Jones par.0013), with Brunner’s teaching “the threat prediction platform 210 may generate one or more (e.g., preemptive) alerts/recommendations that a security analyst can utilize to effect mitigation of one or more predicted threat activities. For instance, the threat prediction platform 210 may generate one or more alerts regarding the predicted threat activities, such as a corresponding alert for each predicted activity (or set of predicted activities) associated with each threat actor modeled.” (see Brunner par.0057). The motivation would have been to combine the threat prediction platform with the computing device, e.g., XR gear (e.g., a pair of AR, VR, MR glasses).
Claim 16 is rejected under 35 U.S.C. 103 as being unpatentable over Jones et al. (US-20180063182-A1, hereafter Jones), in view of Brunner et al. (US-20230171266-A1, hereafter Brunner), in further view of Thomas et al. (US-20230114719-A1, hereafter Thomas).
Regarding claim 16, Jones in view of Brunner discloses the method of claim 15 but does not explicitly teach the following, which Thomas teaches: wherein ingesting the cybersecurity data to obtain the input data further comprises generating the input data by transforming the cybersecurity data (see Thomas par.0187: “The stream service 1404 may ingest events from the enterprise network 1402 including any of the events and the like”, par.0188: “The transformer 1406 may generally process events in the stream service 1404, e.g., by organizing data according to one or more applicable schemas from the schema registry 1412, and augmenting the data with any suitable metadata to provide augmented event data for use in threat detection, investigation, and management. For example, the transformer 1406 may add a customer identifier, a firewall identifier, or other information for identifying a source of an event.”). Examiner interprets the events as the data ingested and transformed by the transformer 1406 to provide augmented event data for threat detection.
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine the Jones and Brunner teachings of claim 15 with Thomas’s teaching “The transformer service may be configured to process the asynchronous event stream by filtering the additional data objects to remove duplicate one or more data objects already stored in the data lake, thereby providing filtered data objects, to augment each of the filtered data objects with a corresponding description organized according to one of the one or more schemas, thereby providing augmented data objects, and to store the augmented data objects in the data lake.” (see Thomas par.0321).
Claim 19 is rejected under 35 U.S.C. 103 as being unpatentable over Jones et al. (US-20180063182-A1, hereafter Jones), in view of Brunner et al. (US-20230171266-A1, hereafter Brunner), in further view of Ramakrishna et al. (US-20180121808-A1, hereafter Ramakrishna).
Regarding claim 19, Jones in view of Brunner discloses the method of claim 15 but does not explicitly teach the following, which Ramakrishna teaches: wherein the at least one action to manage the cybersecurity for the computing system comprises at least one remedial action performed without additional user interaction to address at least one cybersecurity threat identified within the computing system (see Ramakrishna par.0040: “The server receives, via the particular chatbot session, a triage request to enter a triage mode regarding the one or more reported symptoms. The server predicts a corrective action using the one or more reported symptoms as input to a machine learning model. The machine learning model is trained using a history of observed symptoms in the network, a history of corrective actions initiated via chatbot sessions and associated with the observed symptoms, and a history of feedback regarding the corrective actions received via the chatbot sessions. The server provides the predicted corrective action to the user interface via the particular chatbot session as a suggested corrective action, in response to the received triage request”, par.0050: “chatbot server 304 may automatically initiate a corrective action (at least one remedial action performed without additional user interaction), in response to receiving a symptom alert 310. For example, the user of administrator device 306 may establish one or more rules on chatbot server 304 that cause server 304 to send out a corresponding action command 326 based on the received symptom(s).”).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Jones in view of Brunner of claim 15 with Ramakrishna’s teaching “the chatbot may generate symptom-driven, intelligent triaging and troubleshooting workflow step recommendations. In further aspects, the chatbot itself may undertake smart, rule-driven triage actions, automatically.” (see Ramakrishna par.0039).
Regarding claim 20, Jones in view of Brunner and Ramakrishna discloses the method of claim 19, and Jones further discloses wherein the at least one remedial action comprises generating an alert indicative of the at least one cybersecurity threat (see Jones par.0040: “A reporting module 114 of the threat analysis system is configured to generate a threat report including relevant information to any identified potential threats identified in the enterprise computing systems and provide the threat report to a system administrator of the enterprise and/or an analyst for further investigation and/or mediation of the threat. Additionally and/or alternatively, the reporting module may generate and deliver an alert to the system administrator to notify them of the potential problem so that the potential threat can be identified and remediated as soon as possible to ensure the least amount of damage or compromise to the enterprise.”).
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
Brannon et al. (US-12118121-B2) the system may, for example, be configured to: (1) receive risk remediation data for a plurality of identified risk triggers from a plurality of different entities; (2) analyze the risk remediation data to determine a pattern in assigned risk levels and determined response to particular risk triggers; and (3) develop a model based on the risk remediation data for use in facilitating an automatic assessment of and/or response to future identified risk triggers. assess and analyze the one or more potential updated risk triggers to determine a relevance of a risk posed to the entity by the one or more potential updated risk triggers; (5) use one or more data modeling techniques to identify one or more data assets associated with the entity that may be affected by the risk; and (6) update the risk remediation data to include the one or more actions to remediate the risk in response to identifying the one or more potential updated risk triggers.
Choi et al. (US-20060031938-A1) the integrated computer emergency response system comprises: an information collecting/managing section 1000 for collecting security information about computer systems or networks, applications and internet services which need to be protected, through communication networks, such as web sites, telephone, e-mail and facsimile, and storing source data; an information processing/analyzing section 2000 for processing and analyzing the collected security information using a knowledge-based analysis algorithm to store and manage the analysis results. The computer emergency response according to the present invention broadly comprises four procedural steps: collection of security information (information collection), test/analysis of security information and attack assessment (test/analysis/attack assessment), forecast/warning and information sharing (interworking with other company/public Org./R&D institute etc.).
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DUILIO MUNGUIA whose telephone number is (571)270-5277. The examiner can normally be reached M-F 9:30 AM - 5:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni A Shiferaw can be reached at (571) 272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/DUILIO MUNGUIA/Examiner, Art Unit 2497
/ELENI A SHIFERAW/Supervisory Patent Examiner, Art Unit 2497