DETAILED ACTION
This office action is in response to the application filed on 04/30/2024.
Claims 1-20 are presented for examination.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Information Disclosure Statement
The information disclosure statements (IDS) submitted on 04/30/2024 and 10/25/2024 are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statements are being considered by the examiner.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.
Regarding Claims 1, 8, and 15, the claims recite in part “comparing, a connection notification to a scan of network addresses associated with the public Internet; and identifying, the device exposed to the public Internet based on a match occurring within a timeframe between the connection notification and the scan of the network addresses associated with the public Internet.” and “comparing the connection notification to a domain scan of network addresses associated with a domain name; and identifying a device exposed to a public Internet based on the source network address and a port match occurring within a timeframe between the connection notification and the domain scan.”
The limitations as drafted above recite a process that, under broadest reasonable interpretation, covers performance of the limitations in the mind but for generic computer components and extra-solution activities. That is, other than a computer system, a central processing unit, a memory device, an external attack surface management service, a cybersecurity sensory agent, a cloud computing environment, “a connection notification reported to an external attack surface management service by a cybersecurity sensory agent via a cloud computing environment”, and “receiving a connection notification reported by a cybersecurity sensory agent via a cloud computing environment to an external attack surface management service; receiving a packet header specifying a source network address forwarded by the cybersecurity sensory agent via the cloud computing environment to the external attack surface management service”, the claim comprises limitations that can be performed in the human mind and/or using pen and paper. In this case, a person can reasonably compare addresses and ports to known addresses and ports to determine matching information. If a claim under its broadest reasonable interpretation covers performance of the limitations in the mind but for recitation of generic computer components and extra-solution activities, then it falls within the “mental processes” grouping of abstract ideas. Accordingly, the claim recites an abstract idea.
This judicial exception is not integrated into a practical application. In particular, the claims only recite the additional elements of a computer system, a central processing unit, a memory device, an external attack surface management service, a cybersecurity sensory agent, a cloud computing environment, “a connection notification reported to an external attack surface management service by a cybersecurity sensory agent via a cloud computing environment”, and “receiving a connection notification reported by a cybersecurity sensory agent via a cloud computing environment to an external attack surface management service; receiving a packet header specifying a source network address forwarded by the cybersecurity sensory agent via the cloud computing environment to the external attack surface management service”. Regarding the system, CPU, memory device, and cloud computing environment, these are generic computer elements recited as performing routine activities. Regarding the external attack surface management service and cybersecurity sensory agent, these are merely software elements recited as performing the abstract idea. Regarding the reporting and receiving steps, these are merely extra-solution activities that obtain the information used in the performance of the abstract idea. Accordingly, the additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea. The claims are therefore directed to an abstract idea.
The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed with respect to the integration of the abstract idea into a practical application, the elements of a computer system, a central processing unit, a memory device, an external attack surface management service, a cybersecurity sensory agent, a cloud computing environment, “a connection notification reported to an external attack surface management service by a cybersecurity sensory agent via a cloud computing environment”, and “receiving a connection notification reported by a cybersecurity sensory agent via a cloud computing environment to an external attack surface management service; receiving a packet header specifying a source network address forwarded by the cybersecurity sensory agent via the cloud computing environment to the external attack surface management service” amount to no more than mere instructions to apply the abstract idea to generic network elements and extra-solution activities. Mere instructions to apply the abstract idea to generic/well-known elements and extra-solution activities cannot provide an inventive concept. The claims are not patent eligible.
Regarding Claims 2-7, 9-14, and 16-20, they recite in part “wherein the identifying of the device exposed to the public Internet based on the match further comprises determining a source network address specified by both the connection notification and the scan of the network addresses associated with the public Internet.”, “wherein the identifying of the device exposed to the public Internet based on the match further comprises determining a destination network address specified by both the connection notification and the scan of the network addresses associated with the public Internet.”, “wherein the identifying of the device exposed to the public Internet based on the match further comprises determining a source port specified by both the connection notification and the scan of the network addresses associated with the public Internet.”, “wherein the identifying of the device exposed to the public Internet based on the match further comprises determining a destination port specified by both the connection notification and the scan of the network addresses associated with the public Internet.”, “comparing a connection timestamp associated with the connection notification to a scan timestamp associated with the scan of the network addresses associated with the public Internet.”, “wherein the identifying of the device exposed to the public Internet further comprises determining a public network address and a port associated with the device.”, “determining the address match based on a source network address specified by both the connection notification and the domain scan of the network addresses associated with the domain name.”, “wherein the operations further comprise determining the address match based on a destination network address specified by both the connection notification and the domain scan of the network addresses associated with the domain name.”, “determining the port match based on a source port specified by both the connection notification and the domain scan of the network addresses associated with the domain name.”, “determining the port match based on a destination port specified by both the connection notification and the domain scan of the network addresses associated with the domain name.”, “comparing a connection timestamp associated with the connection notification to a domain scan timestamp associated with the domain scan of the network addresses associated with the domain name.”, “determining a public network address and a port associated with the device exposed to the public Internet.”
The limitations as drafted above recite a process that, under broadest reasonable interpretation, covers performance of the limitations in the mind but for generic computer components. That is, other than the device and the public Internet, the claim comprises limitations that can be performed in the human mind and/or by using pen and paper. In this case, a person can reasonably compare source and destination addresses, source and destination ports, and timestamps of events to identify a device, and determine an address and port of the device based on these comparisons. If a claim under its broadest reasonable interpretation covers performance of the limitations in the mind but for recitation of generic computer components and extra-solution activities, then it falls within the “mental processes” grouping of abstract ideas. Accordingly, the claim recites an abstract idea.
The judicial exception is not integrated into a practical application. In particular, the claims only recite the additional limitations of the device and the public Internet. Regarding the device and the public Internet, these are generic network components that are the subject of the abstract idea, recited as performing routine activities. Accordingly, the additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea. The claims are therefore directed to an abstract idea.
The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed with respect to the integration of the abstract idea into a practical application, the elements of a device and the public Internet amount to no more than mere instructions to apply the abstract idea to generic network elements. Mere instructions to apply the abstract idea to generic elements cannot provide an inventive concept. The claims are not patent eligible.
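As an added illustration, not part of this office action, of the applicant's claims, or of any cited reference, the following Python sketch carries out the correlation recited in claims 1-7 and 8-14: connection notifications reported by a sensor agent are compared to records from a scan of public Internet addresses, and a device is reported as exposed when the source address, source port, destination address and destination port all match and the connection timestamp lies within a chosen timeframe of the scan timestamp. The data classes, the function names, the 30-second default window, and every address, port and timestamp are constructed sample values chosen for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ConnectionNotification:
    """One connection seen by a sensor agent on a monitored device (constructed fields)."""
    source_address: str
    source_port: int
    destination_address: str
    destination_port: int
    timestamp: datetime


@dataclass(frozen=True)
class ScanRecord:
    """One probe recorded by a scan of public Internet addresses (constructed fields)."""
    scanner_address: str
    scanner_port: int
    target_address: str
    target_port: int
    timestamp: datetime


@dataclass(frozen=True)
class ExposedDevice:
    """Result: the public address and port at which a device answered the scan."""
    public_address: str
    port: int
    notification: ConnectionNotification
    scan: ScanRecord


def find_exposed_devices(notifications, scans, window=timedelta(seconds=30)):
    """Correlate connection notifications with scan records.

    A notification matches a scan record when the notification's
    (source address, source port, destination address, destination port)
    equals the record's (scanner address, scanner port, target address,
    target port) and the two timestamps differ by at most `window`.
    Address-only or port-only agreement is deliberately not a match, so
    ordinary inbound traffic that happens to share an address is ignored.
    """
    # Index scan records by their 4-tuple so each notification is a single lookup.
    by_tuple = {}
    for scan in scans:
        key = (scan.scanner_address, scan.scanner_port, scan.target_address, scan.target_port)
        by_tuple.setdefault(key, []).append(scan)

    exposed = []
    for note in notifications:
        key = (note.source_address, note.source_port,
               note.destination_address, note.destination_port)
        for scan in by_tuple.get(key, []):
            # Timeframe check: the notification and the scan must be close in time,
            # in either order, otherwise a stale scan would produce a false positive.
            if abs(note.timestamp - scan.timestamp) <= window:
                exposed.append(ExposedDevice(note.destination_address,
                                             note.destination_port, note, scan))
                break
    return exposed


# Constructed sample data (documentation-range addresses, not real hosts).
T0 = datetime(2024, 4, 30, 12, 0, 0)
SAMPLE_SCANS = [
    ScanRecord("198.51.100.7", 40000, "203.0.113.10", 22, T0),
    ScanRecord("198.51.100.7", 40001, "203.0.113.11", 443, T0 + timedelta(seconds=5)),
    ScanRecord("198.51.100.7", 40002, "203.0.113.12", 80, T0 - timedelta(hours=1)),
]
SAMPLE_NOTIFICATIONS = [
    # Full 4-tuple match one second after the scan: exposed.
    ConnectionNotification("198.51.100.7", 40000, "203.0.113.10", 22, T0 + timedelta(seconds=1)),
    # Same scanner, but destination port differs: not a match.
    ConnectionNotification("198.51.100.7", 40001, "203.0.113.11", 8443, T0 + timedelta(seconds=6)),
    # 4-tuple matches an hour-old scan: outside the default window.
    ConnectionNotification("198.51.100.7", 40002, "203.0.113.12", 80, T0 + timedelta(seconds=10)),
    # Ordinary inbound connection with no corresponding scan record.
    ConnectionNotification("192.0.2.5", 51000, "203.0.113.10", 22, T0 + timedelta(seconds=3)),
]


def demo(window=timedelta(seconds=30)):
    """Run the correlation on the sample data and return (address, port) pairs."""
    return [(d.public_address, d.port)
            for d in find_exposed_devices(SAMPLE_NOTIFICATIONS, SAMPLE_SCANS, window)]


if __name__ == "__main__":
    for address, port in demo():
        print(f"exposed: {address}:{port}")
```

With the default 30-second window only the first notification is reported; widening the window to two hours also admits the notification that matches the hour-old scan, which shows why the timeframe is part of the match rather than an afterthought.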
Claim Rejections - 35 USC § 102
(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.
Claims 1, 4-5, 7-8, 11-12, and 14 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Huang et al. (hereinafter Huang, US 2023/0344848 A1).
Regarding Claim 1, Huang teaches a method executed by a computer system that identifies a device exposed to a public Internet (Huang: para.0003 “As described herein, systems and methods for managing an attack surface are provided. The systems and methods involve an “inside-out” analysis of network traffic flowing into and out of the organization's domain. Using machine intelligence, the most critical vulnerabilities can be identified and addressed in an efficient manner.” Para.0028 “In asset discovery, internet-facing assets of an organization can be determined without active scanning and without using an inventory list.” Systems that perform a method for determining internet-facing assets.), comprising:
comparing, by the computer system providing an external attack surface management service (Huang: Computing System 220 comprising attack surface management engine identifying external facing assets. Para.0067 “hosts of client domain 110 that are exposed to an external network 130 (e.g., the internet)”),
a connection notification reported via a cloud computing environment by a cybersecurity sensory agent (Huang: para.0082 “The processor obtains 901 network traffic logs for a client domain 110. In one embodiment a user of user device 240 may provide (e.g., upload) the network traffic logs 220A for the client domain 110 to the computing system 220, or to a database 250 accessible by the computing system 220, via external network 230. In another embodiment, computing system 220 may actively monitor the network traffic of client domain 110 to obtain the network traffic logs 220A.” para.0047 “The network traffic logs may comprise timestamps indicating times when each message in a network traffic log was transmitted and received, as well as timestamps for when each network traffic log was obtained by the computing system 220. Furthermore, the network traffic logs may comprise identifiers for the entity (e.g., host) that sent or received the message, and an identifier for the entity where the network traffic log was obtained from. For example, the identifiers may include unique identifiers for each client domain 110, user device 240, and/or user of a user device 240, such as a user profile identifier (ID) stored in database 250 that is correlated to the user device 240 or client domain 110 (e.g., a User ID for an admin of client domain 110).” A connection notification, i.e. the network traffic logs comprising information regarding connectivity between entities as messages are sent between each entity, is reported by the user device 240, the software of user device 240 being the cybersecurity sensory agent. The attack surface management engine, para.0032, obtains this information from the user device 240.)
to a scan of network addresses associated with the public Internet (Huang: para.0082 “The processor obtains 901 network traffic logs for a client domain 110.” Para.0083 “The processor correlates 902 the network traffic logs to threat data. The processor correlates the network traffic logs 220A with threat data feeds from threat data store 212 to identify malicious indicators and to identify host identifiers communicating with the malicious indicators in the network traffic logs 220A. The identified host identifiers identify the hosts of the client domain 110.” Para.0051 “If there is a match between a malicious indicator from threat data store 212 and an identifier found in a network traffic log for client domain 110 (e.g., matching IP address, domain name, or other unique identifier or network address), then the identifier found in the network traffic log is determined to be a malicious indicator.” Para.0019 “Furthermore, in embodiments, an attack surface of a domain may be identified by an exposed set of host identifiers, which may comprise a data structure mapping relations between host identifiers associated with vulnerable hosts/entry points and malicious indicators associated with malicious entities that have contacted the hosts or accessed the entry points.” para.0028 “Furthermore, the system determines which ports of the hosts may be exposed (e.g., to the internet) on these assets.” Para.0030 “, the external network 230 may be a public network, such as the internet.” The network traffic logs associated with the domain are then compared to domain information from a threat indicator data store, and assets exposed to the public internet may be determined.); and
identifying, by the computer system providing the external attack surface management service, the device exposed to the public Internet (Huang: para.0028 “Furthermore, the system determines which ports of the hosts may be exposed (e.g., to the internet) on these assets.” Para.0030 “, the external network 230 may be a public network, such as the internet.” para.0051 “If there is a match between a malicious indicator from threat data store 212 and an identifier found in a network traffic log for client domain 110 (e.g., matching IP address, domain name, or other unique identifier or network address), then the identifier found in the network traffic log is determined to be a malicious indicator.” By the correlation determining a match from the traffic logs and threat data store, assets exposed to the public internet may be identified by the system providing the attack surface management engine 221.)
based on a match occurring within a timeframe between the connection notification and the scan of the network addresses associated with the public Internet (Huang: Para.0051 “If there is a match between a malicious indicator from threat data store 212 and an identifier found in a network traffic log for client domain 110 (e.g., matching IP address, domain name, or other unique identifier or network address), then the identifier found in the network traffic log is determined to be a malicious indicator.” para.0085 “The processor determines 904 an exposed set of host identifiers based on the mapped flow of network traffic mapped at step 903. The processor determines the exposed set of host identifiers by determining host nodes having inbound traffic from at least one indicator node. The exposed set of host identifiers identifies hosts that form an attack surface of the client domain 110.” para.0028 “Furthermore, the system determines which ports of the hosts may be exposed (e.g., to the internet) on these assets.” Para.0020 “As used herein an “asset,” may refer to a physical or virtual device that can send and receive data. For example, an asset may be a client or a server that sends and receives applications, services, other data, or some combination thereof. A “network host,” “host,” or “host asset” may refer to an asset that communicates with other assets through a particular network or domain (i.e., communicates with other hosts of the domain).” Devices, i.e. the devices associated with the identified hosts, exposed to the public internet are identified via the domain scan as in para.0082 and Fig. 9, steps 902-905. These devices are exposed to the public internet within the timeframe between the obtaining of the network logs and the scan of network addresses, as the scan itself is a process in which matches of the identifiers, such as addresses, are determined.)
Regarding Claim 4, Huang teaches claim 1 as set forth above.
Huang further discloses wherein the identifying of the device exposed to the public Internet based on the match further comprises determining a destination network address specified by both the connection notification and the scan of the network addresses associated with the public Internet (Huang: para.0028 “Furthermore, the system determines which ports of the hosts may be exposed (e.g., to the internet) on these assets.” Para.0048 “Threat data store 212 stores data for identifying threats. The data may include “threat data feeds.” As used herein, a “threat data feed” may refer to a set of data corresponding to threats, including lists of malicious indicators and data associated with the malicious indicators, such as … destination and source ports,” para.0051 “For example, log-threat correlation module 202 scans a list of malicious indicators in threat data store 212 and compares each entry to each network log in the network traffic log store 210 that is associated with the client domain 110. If there is a match between a malicious indicator from threat data store 212 and an identifier found in a network traffic log for client domain 110 (e.g., matching IP address, domain name, or other unique identifier or network address), then the identifier found in the network traffic log is determined to be a malicious indicator.” Para.0083 “The processor correlates 902 the network traffic logs to threat data. The processor correlates the network traffic logs 220A with threat data feeds from threat data store 212 to identify malicious indicators and to identify host identifiers communicating with the malicious indicators in the network traffic logs 220A. The identified host identifiers identify the hosts of the client domain 110.” Based on matching source and destination ports from the logs to the threat data store, assets that are internet-facing may be identified.).
Regarding Claim 5, Huang discloses claim 1 as set forth above.
Huang further discloses wherein the identifying of the device exposed to the public Internet based on the match further comprises determining a source port specified by both the connection notification and the scan of the network addresses associated with the public Internet (Huang: para.0028 “Furthermore, the system determines which ports of the hosts may be exposed (e.g., to the internet) on these assets.” Para.0048 “Threat data store 212 stores data for identifying threats. The data may include “threat data feeds.” As used herein, a “threat data feed” may refer to a set of data corresponding to threats, including lists of malicious indicators and data associated with the malicious indicators, such as … destination and source ports,” para.0051 “For example, log-threat correlation module 202 scans a list of malicious indicators in threat data store 212 and compares each entry to each network log in the network traffic log store 210 that is associated with the client domain 110. If there is a match between a malicious indicator from threat data store 212 and an identifier found in a network traffic log for client domain 110 (e.g., matching IP address, domain name, or other unique identifier or network address), then the identifier found in the network traffic log is determined to be a malicious indicator.” Para.0083 “The processor correlates 902 the network traffic logs to threat data. The processor correlates the network traffic logs 220A with threat data feeds from threat data store 212 to identify malicious indicators and to identify host identifiers communicating with the malicious indicators in the network traffic logs 220A. The identified host identifiers identify the hosts of the client domain 110.” Based on matching source and destination ports from the logs to the threat data store, assets that are internet-facing may be identified.).
Regarding Claim 7, Huang discloses claim 1 as set forth above.
Huang further discloses wherein the identifying of the device exposed to the public Internet further comprises determining a public network address and a port associated with the device (Huang: para.0019 “As such, the attack surface may comprise identifiers for each entry point, such as host identifiers (hosts IDs), port identifiers, device identifiers, combinations thereof, and the like.” para.0074 “The dashboard may provide contents generated from prioritized attack surface data structure 221A. Entries of a report (e.g., report 401 or report 402), such as entries with private IP addresses, may be investigated using dashboard 403. Inbound traffic may not be expected to private IP addresses, which if detected, may indicate that a firewall is misconfigured and allowing traffic from a known indicator of compromise. A user of user device 240 (e.g., an analyst) can gain further insight into this host using dashboard 403, as shown in the following example. The event data about hosts 10.244.74.35 and 10.256.255.12 is automatically correlated with threat intelligence and asset enrichment.” Para.0028 “Furthermore, the system determines which ports of the hosts may be exposed (e.g., to the internet) on these assets.” The addresses and ports of the exposed hosts are identified.).
Regarding Claim 8, Huang discloses a computer system that identifies a device exposed to a public Internet (Huang: para.0003 “As described herein, systems and methods for managing an attack surface are provided. The systems and methods involve an “inside-out” analysis of network traffic flowing into and out of the organization's domain. Using machine intelligence, the most critical vulnerabilities can be identified and addressed in an efficient manner.” Para.0028 “In asset discovery, internet-facing assets of an organization can be determined without active scanning and without using an inventory list.” Systems that perform a method for determining internet-facing assets.), comprising: at least one central processing unit; and a memory device storing instructions that, when executed by the at least one central processing unit, perform operations (Huang: para.0031 “Computing system 220 performs computational tasks, including tasks for discovering, prioritizing, and managing assets that form an attack surface of client domain 110. The computational tasks may be performed by a processor of computing system 220 that executes instructions in the form of computer-readable code stored on a computer-readable medium, such as a memory device.” The computing system that comprises attack surface management engine 221 in Figs. 2-3, comprising a memory and a processor executing instructions.), the operations comprising:
comparing a connection notification reported to an external attack surface management service by a cybersecurity sensory agent (Huang: para.0082 “The processor obtains 901 network traffic logs for a client domain 110. In one embodiment a user of user device 240 may provide (e.g., upload) the network traffic logs 220A for the client domain 110 to the computing system 220, or to a database 250 accessible by the computing system 220, via external network 230. In another embodiment, computing system 220 may actively monitor the network traffic of client domain 110 to obtain the network traffic logs 220A.” A connection notification, i.e. the network traffic logs, is reported by the user device 240, the software of user device 240 being the cybersecurity sensory agent. The attack surface management engine, para.0032, obtains this information from the user device 240.) via a cloud computing environment (Huang: para.0095 “The one or more processors may also operate to support performance of the relevant operations in a “cloud computing” environment or as a “software as a service” (SaaS).” In a cloud computing environment.) to a domain scan of network addresses associated with a domain name (Huang: para.0082 “The processor obtains 901 network traffic logs for a client domain 110.” Para.0083 “The processor correlates 902 the network traffic logs to threat data. The processor correlates the network traffic logs 220A with threat data feeds from threat data store 212 to identify malicious indicators and to identify host identifiers communicating with the malicious indicators in the network traffic logs 220A. The identified host identifiers identify the hosts of the client domain 110.” Para.0051 “If there is a match between a malicious indicator from threat data store 212 and an identifier found in a network traffic log for client domain 110 (e.g., matching IP address, domain name, or other unique identifier or network address), then the identifier found in the network traffic log is determined to be a malicious indicator.” Para.0019 “Furthermore, in embodiments, an attack surface of a domain may be identified by an exposed set of host identifiers, which may comprise a data structure mapping relations between host identifiers associated with vulnerable hosts/entry points and malicious indicators associated with malicious entities that have contacted the hosts or accessed the entry points.” The network traffic logs associated with the domain are then compared to domain information from a threat indicator data store to determine matching addresses and domain names.); and
identifying the device exposed to the public Internet based on an address match (Huang: para.0051 “If there is a match between a malicious indicator from threat data store 212 and an identifier found in a network traffic log for client domain 110 (e.g., matching IP address, domain name, or other unique identifier or network address), then the identifier found in the network traffic log is determined to be a malicious indicator.” By the correlation determining a match from the traffic logs and threat data store, exposed ports/assets may be identified.)
and a port match (Huang: para.0028 “Furthermore, the system determines which ports of the hosts may be exposed (e.g., to the internet) on these assets.” Para.0054 “For example, attribute determination module 205 may retrieve attributes associated with each host identifier in the exposed set from database 250, such as services associated with ports of the host identifier, a criticality level associated with the host identifier (e.g., as designated by an admin of the client domain 110), vulnerabilities associated with the host identifier, level of criticality associated with the vulnerabilities, other host attributes for generating values of a feature vector for the host identifier, or some combination thereof.” Para.0048 “including lists of malicious indicators and data associated with the malicious indicators, such as indicator attributes, including time of threats, types of threats, confidence of the threats being valid (i.e., confidence score), severity of the threats, destination and source ports,” Destination and source ports are considered when correlating logs to the threat data store.)
occurring within a timeframe between the connection notification and the domain scan (Huang: para.0085 “The processor determines 904 an exposed set of host identifiers based on the mapped flow of network traffic mapped at step 903. The processor determines the exposed set of host identifiers by determining host nodes having inbound traffic from at least one indicator node. The exposed set of host identifiers identifies hosts that form an attack surface of the client domain 110.” Para.0030 “, the external network 230 may be a public network, such as the internet.” Para.0020 “As used herein an “asset,” may refer to a physical or virtual device that can send and receive data. For example, an asset may be a client or a server that sends and receives applications, services, other data, or some combination thereof. A “network host,” “host,” or “host asset” may refer to an asset that communicates with other assets through a particular network or domain (i.e., communicates with other hosts of the domain).” Devices, i.e. the devices associated with the identified hosts, exposed to the public internet are identified via the domain scan as in para.0082 and Fig. 9, steps 902-905. These devices exposed to the public internet are identified within the timeframe between the obtaining of the network logs, i.e. the connection notification, and the domain scan, because the domain scan is performed after the network logs are obtained in order to determine matches. Therefore, during the time of the domain scan, after obtaining the connection notification but before completion of the domain scan, matches are determined.).
Regarding Claim 11, Huang discloses claim 8 as set forth above.
Huang further discloses wherein the operations further comprise determining the port match based on a source port specified by both the connection notification and the domain scan of the network addresses associated with the domain name (Huang: para.0028 “Furthermore, the system determines which ports of the hosts may be exposed (e.g., to the internet) on these assets.” Para.0048 “Threat data store 212 stores data for identifying threats. The data may include “threat data feeds.” As used herein, a “threat data feed” may refer to a set of data corresponding to threats, including lists of malicious indicators and data associated with the malicious indicators, such as … destination and source ports,” para.0051 “For example, log-threat correlation module 202 scans a list of malicious indicators in threat data store 212 and compares each entry to each network log in the network traffic log store 210 that is associated with the client domain 110. If there is a match between a malicious indicator from threat data store 212 and an identifier found in a network traffic log for client domain 110 (e.g., matching IP address, domain name, or other unique identifier or network address), then the identifier found in the network traffic log is determined to be a malicious indicator.” Para.0083 “The processor correlates 902 the network traffic logs to threat data. The processor correlates the network traffic logs 220A with threat data feeds from threat data store 212 to identify malicious indicators and to identify host identifiers communicating with the malicious indicators in the network traffic logs 220A. The identified host identifiers identify the hosts of the client domain 110.” Based on matching source and destination ports from the logs to the threat data store, assets that are internet-facing may be identified.).
Regarding Claim 12, Huang discloses claim 8 as set forth above.
Huang further discloses wherein the operations further comprise determining the port match based on a destination port specified by both the connection notification and the domain scan of the network addresses associated with the domain name (Huang: para.0028 “ Furthermore, the system determines which ports of the hosts may be exposed (e.g., to the internet) on these assets.” Para.0048 “Threat data store 212 stores data for identifying threats. The data may include “threat data feeds.” A used herein, a “threat data feed” may refer to a set of data corresponding to threats, including lists of malicious indicators and data associated with the malicious indicators, such as … destination and source ports,” para.0051 “For example, log-threat correlation module 202 scans a list of malicious indicators in threat data store 212 and compares each entry to each network log in the network traffic log store 210 that is associated with the client domain 110. If there is a match between a malicious indicator from threat data store 212 and an identifier found in a network traffic log for client domain 110 (e.g., matching IP address, domain name, or other unique identifier or network address), then the identifier found in the network traffic log is determined to be a malicious indicator.” Para.0083 “The processor correlates 902 the network traffic logs to threat data. The processor correlates the network traffic logs 220A with threat data feeds from threat data store 212 to identify malicious indicators and to identify host identifiers communicating with the malicious indicators in the network traffic logs 220A. The identified host identifiers identify the hosts of the client domain 110.” Based on matching source and destination ports from the logs to the threat data store during the domain scan, i.e. the threat database may be scanned for matching domains to the connection notification, assets that are internet facing may be identified.).
Regarding Claim 14, Huang discloses claim 8 as set forth above.
Huang further discloses wherein the operations further comprise determining a public network address and a port associated with the device exposed to the public Internet (Huang: para.0019 “As such, the attack surface may comprise identifiers for each entry point, such as host identifiers (hosts IDs), port identifiers, device identifiers, combinations thereof, and the like.” para.0074 “ The dashboard may provide contents generated from prioritized attack surface data structure 221A. Entries of a report (e.g., report 401 or report 402), such as entries with private IP addresses, may be investigated using dashboard 403. Inbound traffic may not be expected to private IP addresses, which if detected, may indicate that a firewall is misconfigured and allowing traffic from a known indicator of compromise. A user of user device 240 (e.g., an analyst) can gain further insight into this host using dashboard 403, as shown in the following example. The event data about hosts 10.244.74.35 and 10.256.255.12 is automatically correlated with threat intelligence and asset enrichment.” Para.0028 “Furthermore, the system determines which ports of the hosts may be exposed (e.g., to the internet) on these assets.” The address and ports of the exposed hosts are identified.).
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 2, 3, 9, 10, 15-18, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Huang et al. (hereinafter Huang, US 2023/0344848 A1) in view of Cross et al. (hereinafter Cross, US 11,720,686 B1).
Regarding Claim 2, Huang discloses Claim 1 as set forth above.
Huang further discloses wherein the identifying of the device exposed to the public Internet based on the match further comprises determining a network address specified by both the connection notification and the scan of the network addresses associated with the public Internet (Huang: para.0028 “ Furthermore, the system determines which ports of the hosts may be exposed (e.g., to the internet) on these assets.” para.0051 “For example, log-threat correlation module 202 scans a list of malicious indicators in threat data store 212 and compares each entry to each network log in the network traffic log store 210 that is associated with the client domain 110. If there is a match between a malicious indicator from threat data store 212 and an identifier found in a network traffic log for client domain 110 (e.g., matching IP address, domain name, or other unique identifier or network address), then the identifier found in the network traffic log is determined to be a malicious indicator.” Para.0083 “The processor correlates 902 the network traffic logs to threat data. The processor correlates the network traffic logs 220A with threat data feeds from threat data store 212 to identify malicious indicators and to identify host identifiers communicating with the malicious indicators in the network traffic logs 220A. The identified host identifiers identify the hosts of the client domain 110.” Based on matching addresses from the logs to the threat data store, assets that are internet facing may be identified.).
However, while Huang discloses matching addresses in general, Huang does not explicitly disclose wherein the identifying of the device exposed to the public Internet based on the match further comprises determining a source network address specified by both the connection notification and the scan of the network addresses associated with the public Internet.
Cross discloses wherein the identifying of the device exposed to the public Internet (Cross: col. 31 lines 1-8 “. Advantageously, in the event the perimeter of the system needs to be secured such that Internet communications are undesirable, a scanless operation can help identify vulnerabilities without gaining system exposure to external entities.” In col. 61 line 60-col. 62 line 24, Cross initially obtains internet connected devices, and identifies vulnerabilities of those devices in step 1806 of Fig. 18) based on the match further comprises determining a source network address specified by both the connection notification and the scan of the network addresses associated with the public Internet (Cross: col. 61 line 60-col. 62 line 24 “The method 1800 begins at process 1802 with the remediation manager 1714 of the remediation system 114 receiving device connectivity data (e.g., as discussed above, with reference to FIGS. 1-11) for an entity (e.g., vendor). The device connectivity data can be received from a search and discovery engine for internet-connected devices, such as Shodan. … The properties can include device-related data and/or IP traffic data. … Device-related data can include IP address(es),… port number(s), timestamp data, host name, etc. IP traffic data can include items included in packets, as described elsewhere herein..” col. 11 line 20-39 “ For example, in addition to a payload, application-layer and/or link-layer in an example packet, may contain a header and/or footer that may include a source address of the sending host (e.g., a user device)” col. 62 lines 25-52 “At process 1806, the remediation manager 1714 identifies a vulnerability associated with a particular property. …For example, for each property in the collection of properties parsed from the device connectivity data, the remediation system 114 may reference the remediation executable vault 1704. If the property is found in the remediation executable vault 1704 previously populated with external data from NVD or a similar entity, the remediation manager determines 1714 determines that the property is associated with a vulnerability.” The remediation system of Fig. 1 in the cyber security assurance system, i.e. the external attack surface management system, receives connectivity data including packets comprising headers and source addresses, and compares them in steps 1804-1806 to identify vulnerabilities in the network).
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date to combine Huang with Cross in order to incorporate wherein the identifying of the device exposed to the public Internet based on the match further comprises determining a source network address specified by both the connection notification and the scan of the network addresses associated with the public Internet.
One of ordinary skill in the art would have been motivated to combine because of the expected benefit of improved cybersecurity by detecting and addressing cyber security vulnerabilities (Cross: col. 4 lines 4-47).
Regarding Claim 3, Huang teaches claim 1 as set forth above.
Huang further discloses wherein the identifying of the device exposed to the public Internet based on the match further comprises determining a network address specified by both the connection notification and the scan of the network addresses associated with the public Internet (Huang: para.0028 “ Furthermore, the system determines which ports of the hosts may be exposed (e.g., to the internet) on these assets.” para.0051 “For example, log-threat correlation module 202 scans a list of malicious indicators in threat data store 212 and compares each entry to each network log in the network traffic log store 210 that is associated with the client domain 110. If there is a match between a malicious indicator from threat data store 212 and an identifier found in a network traffic log for client domain 110 (e.g., matching IP address, domain name, or other unique identifier or network address), then the identifier found in the network traffic log is determined to be a malicious indicator.” Para.0083 “The processor correlates 902 the network traffic logs to threat data. The processor correlates the network traffic logs 220A with threat data feeds from threat data store 212 to identify malicious indicators and to identify host identifiers communicating with the malicious indicators in the network traffic logs 220A. The identified host identifiers identify the hosts of the client domain 110.” Based on matching addresses from the logs to the threat data store, assets that are internet facing may be identified.).
However, Huang does not explicitly disclose wherein the identifying of the device exposed to the public Internet based on the match further comprises determining a destination network address specified by both the connection notification and the scan of the network addresses associated with the public Internet.
Cross discloses wherein the identifying of the device exposed to the public Internet (Cross: col. 31 lines 1-8 “. Advantageously, in the event the perimeter of the system needs to be secured such that Internet communications are undesirable, a scanless operation can help identify vulnerabilities without gaining system exposure to external entities.” In col. 61 line 60-col. 62 line 24, Cross initially obtains internet connected devices, and identifies vulnerabilities of those devices in step 1806 of Fig. 18) based on the match further comprises determining a destination network address specified by both the connection notification and the scan of the network addresses associated with the public Internet (Cross: col. 61 line 60-col. 62 line 24 “The method 1800 begins at process 1802 with the remediation manager 1714 of the remediation system 114 receiving device connectivity data (e.g., as discussed above, with reference to FIGS. 1-11) for an entity (e.g., vendor). The device connectivity data can be received from a search and discovery engine for internet-connected devices, such as Shodan. … The properties can include device-related data and/or IP traffic data. … Device-related data can include IP address(es),… port number(s), timestamp data, host name, etc. IP traffic data can include items included in packets, as described elsewhere herein..” col. 11 line 20-39 “ For example, in addition to a payload, application-layer and/or link-layer in an example packet, may contain a header and/or footer that may include a source address of the sending host (e.g., a user device), destination address of the target host, a source port, a destination port” col. 62 lines 25-52 “At process 1806, the remediation manager 1714 identifies a vulnerability associated with a particular property. …For example, for each property in the collection of properties parsed from the device connectivity data, the remediation system 114 may reference the remediation executable vault 1704. If the property is found in the remediation executable vault 1704 previously populated with external data from NVD or a similar entity, the remediation manager determines 1714 determines that the property is associated with a vulnerability.” The remediation system of Fig. 1 in the cyber security assurance system, i.e. the external attack surface management system, receives connectivity data including packets comprising headers and destination addresses, and compares them in steps 1804-1806 to identify vulnerabilities in the network).
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date to combine Huang with Cross in order to incorporate wherein the identifying of the device exposed to the public Internet based on the match further comprises determining a destination network address specified by both the connection notification and the scan of the network addresses associated with the public Internet.
One of ordinary skill in the art would have been motivated to combine because of the expected benefit of improved cybersecurity by detecting and addressing cyber security vulnerabilities (Cross: col. 4 lines 4-47).
Regarding Claim 9, Huang teaches claim 8 as set forth above.
Huang further discloses wherein the operations further comprise determining the address match based on a network address specified by both the connection notification and the domain scan of the network addresses associated with the domain name (Huang: para.0028 “ Furthermore, the system determines which ports of the hosts may be exposed (e.g., to the internet) on these assets.” para.0051 “For example, log-threat correlation module 202 scans a list of malicious indicators in threat data store 212 and compares each entry to each network log in the network traffic log store 210 that is associated with the client domain 110. If there is a match between a malicious indicator from threat data store 212 and an identifier found in a network traffic log for client domain 110 (e.g., matching IP address, domain name, or other unique identifier or network address), then the identifier found in the network traffic log is determined to be a malicious indicator.” Para.0083 “The processor correlates 902 the network traffic logs to threat data. The processor correlates the network traffic logs 220A with threat data feeds from threat data store 212 to identify malicious indicators and to identify host identifiers communicating with the malicious indicators in the network traffic logs 220A. The identified host identifiers identify the hosts of the client domain 110.” Based on matching addresses from the logs to the threat data store, assets that are internet facing may be identified.).
However, while Huang discloses matching addresses in general, Huang does not explicitly disclose wherein the operations further comprise determining the address match based on a source network address specified by both the connection notification and the domain scan of the network addresses associated with the domain name.
Cross discloses determining the address match based on a source network address specified by both the connection notification and the domain scan of the network addresses associated with the domain name (Cross: col. 61 line 60-col. 62 line 24 “The method 1800 begins at process 1802 with the remediation manager 1714 of the remediation system 114 receiving device connectivity data (e.g., as discussed above, with reference to FIGS. 1-11) for an entity (e.g., vendor). The device connectivity data can be received from a search and discovery engine for internet-connected devices, such as Shodan. … The properties can include device-related data and/or IP traffic data. … Device-related data can include IP address(es),… port number(s), timestamp data, host name, etc. IP traffic data can include items included in packets, as described elsewhere herein..” col. 11 line 20-39 “ For example, in addition to a payload, application-layer and/or link-layer in an example packet, may contain a header and/or footer that may include a source address of the sending host (e.g., a user device)” col. 62 lines 25-52 “At process 1806, the remediation manager 1714 identifies a vulnerability associated with a particular property. …For example, for each property in the collection of properties parsed from the device connectivity data, the remediation system 114 may reference the remediation executable vault 1704. If the property is found in the remediation executable vault 1704 previously populated with external data from NVD or a similar entity, the remediation manager determines 1714 determines that the property is associated with a vulnerability.” The remediation system of Fig. 1 in the cyber security assurance system, i.e. the external attack surface management system, receives connectivity data including packets comprising headers and source addresses, and compares them in steps 1804-1806 to identify vulnerabilities in the network).
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date to combine Huang with Cross in order to incorporate determining the address match based on a source network address specified by both the connection notification and the domain scan of the network addresses associated with the domain name.
One of ordinary skill in the art would have been motivated to combine because of the expected benefit of improved cybersecurity by detecting and addressing cyber security vulnerabilities (Cross: col. 4 lines 4-47).
Regarding Claim 10, Huang discloses claim 8 as set forth above.
Huang further discloses wherein the operations further comprise determining the address match based on a network address specified by both the connection notification and the domain scan of the network addresses associated with the domain name (Huang: para.0028 “Furthermore, the system determines which ports of the hosts may be exposed (e.g., to the internet) on these assets.” para.0051 “For example, log-threat correlation module 202 scans a list of malicious indicators in threat data store 212 and compares each entry to each network log in the network traffic log store 210 that is associated with the client domain 110. If there is a match between a malicious indicator from threat data store 212 and an identifier found in a network traffic log for client domain 110 (e.g., matching IP address, domain name, or other unique identifier or network address), then the identifier found in the network traffic log is determined to be a malicious indicator.” Para.0083 “The processor correlates 902 the network traffic logs to threat data. The processor correlates the network traffic logs 220A with threat data feeds from threat data store 212 to identify malicious indicators and to identify host identifiers communicating with the malicious indicators in the network traffic logs 220A. The identified host identifiers identify the hosts of the client domain 110.” Based on matching addresses from the logs to the threat data store, assets that are internet facing may be identified.).
However, Huang does not explicitly disclose wherein the operations further comprise determining the address match based on a destination network address specified by both the connection notification and the domain scan of the network addresses associated with the domain name.
Cross discloses wherein the operations further comprise determining the address match based on a destination network address specified by both the connection notification and the domain scan of the network addresses associated with the domain name (Cross: col. 61 line 60-col. 62 line 24 “The method 1800 begins at process 1802 with the remediation manager 1714 of the remediation system 114 receiving device connectivity data (e.g., as discussed above, with reference to FIGS. 1-11) for an entity (e.g., vendor). The device connectivity data can be received from a search and discovery engine for internet-connected devices, such as Shodan. … The properties can include device-related data and/or IP traffic data. … Device-related data can include IP address(es),… port number(s), timestamp data, host name, etc. IP traffic data can include items included in packets, as described elsewhere herein..” col. 11 line 20-39 “ For example, in addition to a payload, application-layer and/or link-layer in an example packet, may contain a header and/or footer that may include a source address of the sending host (e.g., a user device), destination address of the target host, a source port, a destination port” col. 62 lines 25-52 “At process 1806, the remediation manager 1714 identifies a vulnerability associated with a particular property. …For example, for each property in the collection of properties parsed from the device connectivity data, the remediation system 114 may reference the remediation executable vault 1704. If the property is found in the remediation executable vault 1704 previously populated with external data from NVD or a similar entity, the remediation manager determines 1714 determines that the property is associated with a vulnerability.” The remediation system of Fig. 1 in the cyber security assurance system, i.e. the external attack surface management system, receives connectivity data including packets comprising headers and destination addresses, and compares them in steps 1804-1806 to identify vulnerabilities in the network).
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date to combine Huang with Cross in order to incorporate wherein the operations further comprise determining the address match based on a destination network address specified by both the connection notification and the domain scan of the network addresses associated with the domain name.
One of ordinary skill in the art would have been motivated to combine because of the expected benefit of improved cybersecurity by detecting and addressing cyber security vulnerabilities (Cross: col. 4 lines 4-47).
Regarding Claim 15, Huang teaches a memory device storing instructions that, when executed by a central processing unit (Huang: Fig. 2 Computing system 220, para.0046 “Attack surface management engine 221 may comprise modules of computer-executable instructions, or code, for performing functional tasks when executed by a processor.” Computing system 220 comprises the attack surface management engine, whose instructions are executed by a processor.), perform operations, comprising:
receiving a connection notification reported by a cybersecurity sensory agent via a cloud computing environment (Huang: para.0095 “The one or more processors may also operate to support performance of the relevant operations in a “cloud computing” environment or as a “software as a service” (SaaS).” In a cloud computing environment.) to an external attack surface management service (Huang: para.0082 “The processor obtains 901 network traffic logs for a client domain 110. In one embodiment a user of user device 240 may provide (e.g., upload) the network traffic logs 220A for the client domain 110 to the computing system 220, or to a database 250 accessible by the computing system 220, via external network 230. In another embodiment, computing system 220 may actively monitor the network traffic of client domain 110 to obtain the network traffic logs 220A.” a connection notification, the network traffic logs, are reported by the user device 240, the software of user device 240 being the cybersecurity sensory agent. The attack surface management engine, para.0032, obtains this information from the user device 240.);
comparing the connection notification to a domain scan of network addresses associated with a domain name (Huang: para.0082 “The processor obtains 901 network traffic logs for a client domain 110.” Para.0083 “The processor correlates 902 the network traffic logs to threat data. The processor correlates the network traffic logs 220A with threat data feeds from threat data store 212 to identify malicious indicators and to identify host identifiers communicating with the malicious indicators in the network traffic logs 220A. The identified host identifiers identify the hosts of the client domain 110.” Para.0051 “If there is a match between a malicious indicator from threat data store 212 and an identifier found in a network traffic log for client domain 110 (e.g., matching IP address, domain name, or other unique identifier or network address), then the identifier found in the network traffic log is determined to be a malicious indicator.” Para.0019 “Furthermore, in embodiments, an attack surface of a domain may be identified by an exposed set of host identifiers, which may comprise a data structure mapping relations between host identifiers associated with vulnerable hosts/entry points and malicious indicators associated with malicious entities that have contacted the hosts or accessed the entry points.” The network traffic logs associated with the domain are then compared to domain information from a threat indicator data store.); and
identifying a device exposed to a public Internet (Huang: para.0028 “ Furthermore, the system determines which ports of the hosts may be exposed (e.g., to the internet) on these assets.” Para.0030 “, the external network 230 may be a public network, such as the internet.”) by the external attack surface management service based on the source network address (Huang: para.0051 “If there is a match between a malicious indicator from threat data store 212 and an identifier found in a network traffic log for client domain 110 (e.g., matching IP address, domain name, or other unique identifier or network address), then the identifier found in the network traffic log is determined to be a malicious indicator.” By the correlation determining a match from the traffic logs and threat data store, exposed ports/assets may be identified.)
and a port match (Huang: para.0028 “ Furthermore, the system determines which ports of the hosts may be exposed (e.g., to the internet) on these assets.” Para.0054 “For example, attribute determination module 205 may retrieve attributes associated with each host identifier in the exposed set from database 250, such as services associated with ports of the host identifier, a criticality level associated with the host identifier (e.g., as designated by an admin of the client domain 110), vulnerabilities associated with the host identifier, level of criticality associated with the vulnerabilities, other host attributes for generating values of a feature vector for the host identifier, or some combination thereof.” Para.0048 “including lists of malicious indicators and data associated with the malicious indicators, such as indicator attributes, including time of threats, types of threats, confidence of the threats being valid (i.e., confidence score), severity of the threats, destination and source ports,” destination and source ports are considered when correlating logs to the threat data store.)
occurring within a timeframe between the connection notification and the domain scan (Huang: para.0085 “The processor determines 904 an exposed set of host identifiers based on the mapped flow of network traffic mapped at step 903. The processor determines the exposed set of host identifiers by determining host nodes having inbound traffic from at least one indicator node. The exposed set of host identifiers identifies hosts that form an attack surface of the client domain 110.” Para.0030 “, the external network 230 may be a public network, such as the internet.” Para.0020 “As used herein an “asset,” may refer to a physical or virtual device that can send and receive data. For example, an asset may be a client or a server that sends and receives applications, services, other data, or some combination thereof. A “network host,” “host,” or “host asset” may refer to an asset that communicates with other assets through a particular network or domain (i.e., communicates with other hosts of the domain).” Devices, i.e. the devices associated with the identified hosts, exposed to the public internet are identified via the domain scan as in para.0082 Fig. 9 902-905. These devices are identified as exposed to the public internet within the timeframe between obtaining the network logs and the determination of a match during the domain scan, since the matching determination is part of the domain scan.).
However Huang does not explicitly disclose receiving a packet header specifying a source network address forwarded by the cybersecurity sensory agent via the cloud computing environment to the external attack surface management service.
Cross discloses receiving a packet header specifying a source network address forwarded by the cybersecurity sensory agent via the cloud computing environment (Cross: Fig. 12 col. 46 line 45-58 “a cloud computing network,”) to the external attack surface management service (Cross: col. 61 line 60-col. 62 line 24 “The method 1800 begins at process 1802 with the remediation manager 1714 of the remediation system 114 receiving device connectivity data (e.g., as discussed above, with reference to FIGS. 1-11) for an entity (e.g., vendor). The device connectivity data can be received from a search and discovery engine for internet-connected devices, such as Shodan. … The properties can include device-related data and/or IP traffic data. … Device-related data can include IP address(es),… port number(s), timestamp data, host name, etc. IP traffic data can include items included in packets, as described elsewhere herein. Further, IP traffic data included in the device connectivity data can include various supplemental information (e.g., in some arrangements, metadata associated with packets), such as host name, organization, Internet Service Provider information, country, city, communication protocol information, and Autonomous System Number (ASN) or similar identifier for a group of devices using a particular defined external routing policy. ...” col. 11 line 20-39 “ For example, in addition to a payload, application-layer and/or link-layer in an example packet, may contain a header and/or footer that may include a source address of the sending host (e.g., a user device)” The remediation system of Fig. 1 in the cyber security assurance system, i.e. the external attack surface management system, receives connectivity data including packets comprising headers and source addresses. Fig. 5 col. 35 lines 20-55 “The computing environment is shown to include service entity data sources 505, organization data sources 510, data channel communication networks 515 a and 515 b, attack surface data channels 525, threat and security (T&S) data channels 530, and threat and security (T&S) data sources 535.”).
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date to combine Huang with Cross in order to incorporate receiving a packet header specifying a source network address forwarded by the cybersecurity sensory agent via the cloud computing environment to the external attack surface management service.
One of ordinary skill in the art would have been motivated to combine because of the expected benefit of improved cybersecurity by detecting and addressing cyber security vulnerabilities (Cross: col. 4 lines 4-47).
Regarding Claim 16, Huang-Cross discloses claim 15 as set forth above.
Huang further discloses wherein the operations further comprise determining the port match based on a source port specified by both the connection notification and the domain scan of the network addresses associated with the domain name (Huang: para.0028 “Furthermore, the system determines which ports of the hosts may be exposed (e.g., to the internet) on these assets.” para.0048 “Threat data store 212 stores data for identifying threats. The data may include “threat data feeds.” As used herein, a “threat data feed” may refer to a set of data corresponding to threats, including lists of malicious indicators and data associated with the malicious indicators, such as … destination and source ports,” para.0051 “For example, log-threat correlation module 202 scans a list of malicious indicators in threat data store 212 and compares each entry to each network log in the network traffic log store 210 that is associated with the client domain 110. If there is a match between a malicious indicator from threat data store 212 and an identifier found in a network traffic log for client domain 110 (e.g., matching IP address, domain name, or other unique identifier or network address), then the identifier found in the network traffic log is determined to be a malicious indicator.” para.0083 “The processor correlates 902 the network traffic logs to threat data. The processor correlates the network traffic logs 220A with threat data feeds from threat data store 212 to identify malicious indicators and to identify host identifiers communicating with the malicious indicators in the network traffic logs 220A. The identified host identifiers identify the hosts of the client domain 110.” Based on matching source and destination ports from the logs to the threat data store, assets that are internet facing may be identified.).
Regarding Claim 17, Huang-Cross discloses claim 15 as set forth above.
Huang further discloses wherein the operations further comprise determining the port match based on a destination port specified by both the connection notification and the domain scan of the network addresses associated with the domain name (Huang: para.0028 “Furthermore, the system determines which ports of the hosts may be exposed (e.g., to the internet) on these assets.” para.0048 “Threat data store 212 stores data for identifying threats. The data may include “threat data feeds.” As used herein, a “threat data feed” may refer to a set of data corresponding to threats, including lists of malicious indicators and data associated with the malicious indicators, such as … destination and source ports,” para.0051 “For example, log-threat correlation module 202 scans a list of malicious indicators in threat data store 212 and compares each entry to each network log in the network traffic log store 210 that is associated with the client domain 110. If there is a match between a malicious indicator from threat data store 212 and an identifier found in a network traffic log for client domain 110 (e.g., matching IP address, domain name, or other unique identifier or network address), then the identifier found in the network traffic log is determined to be a malicious indicator.” para.0083 “The processor correlates 902 the network traffic logs to threat data. The processor correlates the network traffic logs 220A with threat data feeds from threat data store 212 to identify malicious indicators and to identify host identifiers communicating with the malicious indicators in the network traffic logs 220A. The identified host identifiers identify the hosts of the client domain 110.” Based on matching source and destination ports from the logs to the threat data store during the domain scan, i.e., the threat database may be scanned for domains matching the connection notification, assets that are internet facing may be identified.).
Regarding Claim 18, Huang-Cross discloses claim 15 as set forth above.
Huang further discloses wherein the operations further comprise determining the network address is matched to both the connection notification and the domain scan of the network addresses associated with the domain name (Huang: para.0028 “Furthermore, the system determines which ports of the hosts may be exposed (e.g., to the internet) on these assets.” para.0051 “For example, log-threat correlation module 202 scans a list of malicious indicators in threat data store 212 and compares each entry to each network log in the network traffic log store 210 that is associated with the client domain 110. If there is a match between a malicious indicator from threat data store 212 and an identifier found in a network traffic log for client domain 110 (e.g., matching IP address, domain name, or other unique identifier or network address), then the identifier found in the network traffic log is determined to be a malicious indicator.” para.0083 “The processor correlates 902 the network traffic logs to threat data. The processor correlates the network traffic logs 220A with threat data feeds from threat data store 212 to identify malicious indicators and to identify host identifiers communicating with the malicious indicators in the network traffic logs 220A. The identified host identifiers identify the hosts of the client domain 110.” Based on matching addresses from the logs to the threat data store, assets that are internet facing may be identified.).
However, while Huang discloses matching addresses in general, Huang does not explicitly disclose wherein the operations further comprise determining the source network address is matched to both the connection notification and the domain scan of the network addresses associated with the domain name.
Cross discloses wherein the operations further comprise determining the source network address is matched to both the connection notification and the domain scan of the network addresses associated with the domain name (Cross: col. 61 line 60-col. 62 line 24 “The method 1800 begins at process 1802 with the remediation manager 1714 of the remediation system 114 receiving device connectivity data (e.g., as discussed above, with reference to FIGS. 1-11) for an entity (e.g., vendor). The device connectivity data can be received from a search and discovery engine for internet-connected devices, such as Shodan. … The properties can include device-related data and/or IP traffic data. … Device-related data can include IP address(es),… port number(s), timestamp data, host name, etc. IP traffic data can include items included in packets, as described elsewhere herein.” col. 11 lines 20-39 “For example, in addition to a payload, application-layer and/or link-layer in an example packet, may contain a header and/or footer that may include a source address of the sending host (e.g., a user device)” col. 62 lines 25-52 “At process 1806, the remediation manager 1714 identifies a vulnerability associated with a particular property. …For example, for each property in the collection of properties parsed from the device connectivity data, the remediation system 114 may reference the remediation executable vault 1704. If the property is found in the remediation executable vault 1704 previously populated with external data from NVD or a similar entity, the remediation manager determines 1714 determines that the property is associated with a vulnerability.” The remediation system of Fig. 1 in the cyber security assurance system, i.e., the external attack surface management system, receives connectivity data including packets comprising headers and source addresses, and compares them in steps 1804-1806 to identify vulnerabilities in the network.).
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date to combine Huang with Cross in order to incorporate wherein the operations further comprise determining the source network address is matched to both the connection notification and the domain scan of the network addresses associated with the domain name.
One of ordinary skill in the art would have been motivated to combine because of the expected benefit of improved cybersecurity by detecting and addressing cyber security vulnerabilities (Cross: col. 4 lines 4-47).
Regarding Claim 20, Huang-Cross discloses claim 15 as set forth above.
Huang further discloses wherein the operations further comprise determining a public network address and a port associated with the device exposed to the public Internet (Huang: para.0019 “As such, the attack surface may comprise identifiers for each entry point, such as host identifiers (hosts IDs), port identifiers, device identifiers, combinations thereof, and the like.” para.0074 “The dashboard may provide contents generated from prioritized attack surface data structure 221A. Entries of a report (e.g., report 401 or report 402), such as entries with private IP addresses, may be investigated using dashboard 403. Inbound traffic may not be expected to private IP addresses, which if detected, may indicate that a firewall is misconfigured and allowing traffic from a known indicator of compromise. A user of user device 240 (e.g., an analyst) can gain further insight into this host using dashboard 403, as shown in the following example. The event data about hosts 10.244.74.35 and 10.256.255.12 is automatically correlated with threat intelligence and asset enrichment.” para.0028 “Furthermore, the system determines which ports of the hosts may be exposed (e.g., to the internet) on these assets.” The addresses and ports of the exposed hosts are identified.).
Claims 6 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Huang et al. (hereinafter Huang, US 2023/0344848 A1) in view of Lyukshin et al. (hereinafter Lyukshin, US 2021/0021613 A1).
Regarding Claim 6, Huang discloses claim 1 as set forth above.
Huang further discloses a connection timestamp associated with the connection notification (Huang: para.0047 “Network traffic log store 210 stores network traffic logs for a client domain 110. The network traffic logs may comprise timestamps indicating times when each message in a network traffic log was transmitted and received, as well as timestamps for when each network traffic log was obtained by the computing system 220.” Timestamps for the connection notification, i.e. the network traffic logs, are obtained.) and
a scan timestamp associated with the scan of the network addresses associated with the public Internet (Huang: para.0048 “For example, the threat data feeds may include markers of suspicious activity, such as anomalous communication behavior (e.g., sending and receiving messages at abnormal times, at abnormal time intervals or frequencies, or according to an irregular schedule) or other anomalous network events.” para.0051 “For example, log-threat correlation module 202 scans a list of malicious indicators in threat data store 212 and compares each entry to each network log in the network traffic log store 210 that is associated with the client domain 110. If there is a match between a malicious indicator from threat data store 212 and an identifier found in a network traffic log for client domain 110 (e.g., matching IP address, domain name, or other unique identifier or network address)” para.0028 “To discover the internet facing assets, the network logs are correlated to threat intelligence (e.g., threat data feeds).” Timestamps associated with threats for internet facing assets, i.e., from a scan, are obtained.).
However Huang does not explicitly disclose comparing a connection timestamp associated with the connection notification to a scan timestamp associated with the scan of the network addresses associated with the public Internet.
Lyukshin discloses comparing an event timestamp to another event timestamp (Lyukshin: para.0011 “In an exemplary aspect for correlating events to detect an information security incident, a correlation module may receive (e.g., from an event-generating module) a plurality of network events indicating potential security violations, wherein each network event of the plurality of network events has a respective timestamp. The correlation module may identify, from the plurality of network events, a subset of network events that have occurred within a period of time, based on each respective timestamp.” The timestamps of network events may be correlated together based on the events occurring within a period of time. Examiner notes that, in view of para.0003 of applicant's specification, “When the connection notification and the scan have matching IP addresses and ports within a timeframe (such as 30 minutes), then the EASM service identifies the corresponding client device as being exposed to the public Internet.” This comparison checks whether events having matching attributes fall within the same timeframe.).
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Huang with Lyukshin in order to incorporate comparing an event timestamp to another event timestamp, such that the comparison step in Huang that compares the connection notification to that of the threat data store information also considers their recorded timestamps to determine a correlation, in addition to the address and port similarities.
One of ordinary skill in the art would have been motivated to combine because of the expected benefit of identification of similar events to improve accuracy in identification of security risks (Lyukshin: para.0012, para.0116).
Regarding Claim 13, Huang discloses claim 8 as set forth above.
Huang further discloses wherein the operations further comprise a connection timestamp associated with the connection notification (Huang: para.0047 “Network traffic log store 210 stores network traffic logs for a client domain 110. The network traffic logs may comprise timestamps indicating times when each message in a network traffic log was transmitted and received, as well as timestamps for when each network traffic log was obtained by the computing system 220.” Timestamps for the connection notification, i.e., the network traffic logs, are obtained.) and
a domain scan timestamp associated with the domain scan of the network addresses associated with the domain name (Huang: para.0048 “For example, the threat data feeds may include markers of suspicious activity, such as anomalous communication behavior (e.g., sending and receiving messages at abnormal times, at abnormal time intervals or frequencies, or according to an irregular schedule) or other anomalous network events.” para.0051 “For example, log-threat correlation module 202 scans a list of malicious indicators in threat data store 212 and compares each entry to each network log in the network traffic log store 210 that is associated with the client domain 110. If there is a match between a malicious indicator from threat data store 212 and an identifier found in a network traffic log for client domain 110 (e.g., matching IP address, domain name, or other unique identifier or network address)” para.0028 “To discover the internet facing assets, the network logs are correlated to threat intelligence (e.g., threat data feeds).” Timestamps associated with threats for internet facing assets, i.e., from a domain scan, are obtained.).
However Huang does not explicitly disclose wherein the operations further comprise comparing a connection timestamp associated with the connection notification to a domain scan timestamp associated with the domain scan of the network addresses associated with the domain name.
Lyukshin discloses comparing an event timestamp to another event timestamp (Lyukshin: para.0011 “In an exemplary aspect for correlating events to detect an information security incident, a correlation module may receive (e.g., from an event-generating module) a plurality of network events indicating potential security violations, wherein each network event of the plurality of network events has a respective timestamp. The correlation module may identify, from the plurality of network events, a subset of network events that have occurred within a period of time, based on each respective timestamp.” The timestamps of network events may be correlated together based on the events occurring within a period of time. Examiner notes that, in view of para.0003 of applicant's specification, “When the connection notification and the scan have matching IP addresses and ports within a timeframe (such as 30 minutes), then the EASM service identifies the corresponding client device as being exposed to the public Internet.” This comparison checks whether events having matching attributes fall within the same timeframe.).
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Huang with Lyukshin in order to incorporate comparing an event timestamp to another event timestamp, such that the comparison step in Huang that compares the connection notification to that of the threat data store information also considers their recorded timestamps to determine a correlation, in addition to the address and port similarities.
One of ordinary skill in the art would have been motivated to combine because of the expected benefit of identification of similar events to improve accuracy in identification of security risks (Lyukshin: para.0012, para.0116).
Claim 19 is rejected under 35 U.S.C. 103 as being unpatentable over Huang et al. (hereinafter Huang, US 2023/0344848 A1) in view of Cross et al. (hereinafter Cross, US 11,720,686 B1) and further in view of Lyukshin et al. (hereinafter Lyukshin, US 2021/0021613 A1).
Regarding Claim 19, Huang-Cross discloses claim 15 as set forth above.
Huang further discloses wherein the operations further comprise comparing a connection timestamp associated with the connection notification (Huang: para.0047 “Network traffic log store 210 stores network traffic logs for a client domain 110. The network traffic logs may comprise timestamps indicating times when each message in a network traffic log was transmitted and received, as well as timestamps for when each network traffic log was obtained by the computing system 220.” Timestamps for the connection notification, i.e., the network traffic logs, are obtained.) and
a domain scan timestamp associated with the domain scan of the network addresses associated with the domain name (Huang: para.0048 “For example, the threat data feeds may include markers of suspicious activity, such as anomalous communication behavior (e.g., sending and receiving messages at abnormal times, at abnormal time intervals or frequencies, or according to an irregular schedule) or other anomalous network events.” para.0051 “For example, log-threat correlation module 202 scans a list of malicious indicators in threat data store 212 and compares each entry to each network log in the network traffic log store 210 that is associated with the client domain 110. If there is a match between a malicious indicator from threat data store 212 and an identifier found in a network traffic log for client domain 110 (e.g., matching IP address, domain name, or other unique identifier or network address)” para.0028 “To discover the internet facing assets, the network logs are correlated to threat intelligence (e.g., threat data feeds).” Timestamps associated with threats for internet facing assets, i.e., from a domain scan, are obtained.).
However Huang does not explicitly disclose wherein the operations further comprise comparing a connection timestamp associated with the connection notification to a domain scan timestamp associated with the domain scan of the network addresses associated with the domain name.
Lyukshin discloses comparing an event timestamp to another event timestamp (Lyukshin: para.0011 “In an exemplary aspect for correlating events to detect an information security incident, a correlation module may receive (e.g., from an event-generating module) a plurality of network events indicating potential security violations, wherein each network event of the plurality of network events has a respective timestamp. The correlation module may identify, from the plurality of network events, a subset of network events that have occurred within a period of time, based on each respective timestamp.” The timestamps of network events may be correlated together based on the events occurring within a period of time. Examiner notes that, in view of para.0003 of applicant's specification, “When the connection notification and the scan have matching IP addresses and ports within a timeframe (such as 30 minutes), then the EASM service identifies the corresponding client device as being exposed to the public Internet.” This comparison checks whether events having matching attributes fall within the same timeframe.).
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Huang with Lyukshin in order to incorporate comparing an event timestamp to another event timestamp, such that the comparison step in Huang that compares the connection notification to that of the threat data store information also considers their recorded timestamps to determine a correlation, in addition to the address and port similarities.
One of ordinary skill in the art would have been motivated to combine because of the expected benefit of identification of similar events to improve accuracy in identification of security risks (Lyukshin: para.0012, para.0116).
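The correlation the rejections of Claims 6, 13 and 19 describe, as an added example in Python: a connection notification reported by the sensory agent is matched to an Internet scan or domain scan on address and port, and the two timestamps must fall within a timeframe such as the 30 minutes quoted from the specification. This is not code from the application, Huang, Cross or Lyukshin; the record layouts, the 30-minute default and the TEST-NET-3 sample data are assumptions.

```python
from bisect import bisect_left, bisect_right
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

TIMEFRAME = timedelta(minutes=30)  # assumed default; the specification says "such as 30 minutes"

@dataclass(frozen=True)
class ConnectionNotification:
    """Reported by the sensory agent: the source address and port taken from
    the forwarded packet header, plus when the connection was observed."""
    device_id: str
    source_ip: str
    port: int
    timestamp: datetime

@dataclass(frozen=True)
class ScanRecord:
    """One hit from an external scan: the address/port found reachable, when
    it was probed, and which scan (public Internet or a domain) produced it."""
    ip: str
    port: int
    timestamp: datetime
    scan: str

@dataclass(frozen=True)
class Exposure:
    device_id: str
    ip: str
    port: int
    scan: str
    skew: timedelta  # gap between the notification and the scan hit

def index_scans(scans):
    """Group scan hits by (ip, port) and sort each group by time, so the
    timeframe check is a binary search instead of an all-pairs comparison."""
    groups = defaultdict(list)
    for s in scans:
        groups[(s.ip, s.port)].append(s)
    for hits in groups.values():
        hits.sort(key=lambda s: s.timestamp)
    return groups

def correlate(notifications, scans, timeframe=TIMEFRAME):
    """Flag a device as exposed only when a scan hit agrees with its
    notification on address AND port AND lies within `timeframe`. Matches
    outside the window (stale scan, re-used NAT address) are ignored."""
    by_endpoint = index_scans(scans)
    seen, exposures = set(), []
    for n in notifications:
        hits = by_endpoint.get((n.source_ip, n.port), [])
        times = [h.timestamp for h in hits]
        lo = bisect_left(times, n.timestamp - timeframe)
        hi = bisect_right(times, n.timestamp + timeframe)
        for h in hits[lo:hi]:
            key = (n.device_id, n.source_ip, n.port, h.scan)
            if key not in seen:  # report each device/endpoint/scan once
                seen.add(key)
                exposures.append(Exposure(*key, abs(n.timestamp - h.timestamp)))
    return exposures

def sample_data():
    """Constructed sample input (TEST-NET-3 addresses, not real hosts)."""
    t0 = datetime(2024, 4, 30, 12, 0, tzinfo=timezone.utc)
    notifications = [
        ConnectionNotification("host-a", "203.0.113.10", 22, t0),
        ConnectionNotification("host-b", "203.0.113.11", 443, t0),
        ConnectionNotification("host-c", "203.0.113.12", 8080, t0),
    ]
    scans = [
        ScanRecord("203.0.113.10", 22, t0 + timedelta(minutes=10), "public-internet"),
        ScanRecord("203.0.113.10", 22, t0 - timedelta(minutes=5), "example.com"),
        ScanRecord("203.0.113.11", 443, t0 + timedelta(hours=2), "public-internet"),  # outside window
        ScanRecord("203.0.113.12", 80, t0 + timedelta(minutes=1), "public-internet"),  # port differs
    ]
    return notifications, scans

if __name__ == "__main__":
    for e in correlate(*sample_data()):
        print(f"{e.device_id} exposed at {e.ip}:{e.port} via {e.scan} (skew {e.skew})")
```

Only host-a is reported, once per scan that saw it; host-b matches on address and port but two hours late, and host-c matches on address only.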
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Du Preez et al., US 2025/0310367 A1: see paras. 0157-0159, showing port scans and address scans of hosts to determine internet-facing assets; the process is shown in more detail in Fig. 8.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to EUI H KIM whose telephone number is (571)272-8133. The examiner can normally be reached 7:30-5 M-R, M-F alternating.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kamal B Divecha, can be reached at (571) 272-5863. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/EUI H KIM/ Examiner, Art Unit 2453
/KAMAL B DIVECHA/ Supervisory Patent Examiner, Art Unit 2453