Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claims 1-20 are pending.
Information Disclosure Statement PTO-1449
The Information Disclosure Statements submitted by applicant on 06-12-2025 and 04-30-2024 have been considered. Please see attached PTO-1449.
Claim Objections
Claim 15 is objected to for the following reason:
Claim 15 is objected to under 37 CFR 1.75 as being a substantial duplicate of claim 5.
For the purpose of examination, Examiner assumes “The method of claim 13” is a typographical error, --The apparatus of claim 13-- was intended instead. Appropriate correction required.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1-23 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.
The claims, when analyzed under the 2019 Revised Patent Subject Matter Eligibility Guidance, are directed to an abstract idea. Claim 1, for example, recites a method and, therefore, is a process. The claim recites the limitation of “calculating similarity using a first embedding vector for cyber threat identification information and a second embedding vector for asset information when security event information is received, wherein the security event information includes the cyber threat identification information; measuring correlation between the cyber threat identification information and the asset information based on the similarity; and determining an asset vulnerable to cyber threats based on the correlation”. These limitations, under the broadest reasonable interpretation, are directed to performance of the limitation in the human mind. That is, nothing in the claim element precludes the step from practically being performed in the mind. For example, the claim encompasses a human simply calculating a similarity by using a first and second value (a first embedding vector and a second embedding vector), measuring a correlation between cyber threat identification information and asset information, and, based on the correlation, determining an asset vulnerable to cyber threats.
Thus, the claim recites a mental process when analyzed under step 2A prong 1.
The claim is further analyzed in step 2A prong 2 to evaluate whether the claim as a whole integrates the recited judicial exception into a practical application of the exception. This evaluation is performed by identifying whether there are any additional elements recited in the claim beyond the judicial exception, and evaluating those additional elements individually and in combination to determine whether the claim as a whole integrates the exception into a practical application. However, the remaining limitations appear to be generic computer functions which do not constitute meaningful limitations that would amount to significantly more than the abstract idea. The combination of the additional elements is no more than generic computer functions. Thus, even in combination, the additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limitations on practicing the abstract idea.
The claim is additionally analyzed under Step 2B to evaluate whether the claim as a whole amounts to significantly more than the recited exception, i.e., whether any additional element, or combination of additional elements, adds an inventive concept to the claim. When the claims are evaluated under step 2B, they amount to no more than what is well-understood, routine, conventional activity in the field. The specification does not provide any indication of anything other than a generic computer component. The mere “calculating similarity… measuring correlation… and determining an asset vulnerable to cyber threats…” is a well-understood, routine and conventional function when it is claimed in a merely generic manner as it is here.
Independent claims 11 and 20 include limitations similar to the limitations of claim 1 and are rejected under 35 U.S.C. 101 as being directed to abstract idea for the same reasons discussed above with respect to claim 1.
Dependent claims 2-10 and 12-19 do not cure the deficiency of the independent claims and are directed to an abstract idea when analyzed under the 2019 Revised Patent Subject Matter Eligibility Guidance.
Claim 20 is further rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.
The claim recites a “computer-readable recording medium”, which is not limited to falling under the statutory classes of invention set forth. The claim, in using the term “computer-readable recording medium” in accordance with Applicant's specification (paragraph 62), allows for the “computer-readable recording medium” to be signals. The specification does not limit the claimed medium to only hardware embodiments. Examiner suggests that Applicant amend the claims to add a limitation directing the language of the “computer-readable recording medium” claim to only the non-transitory embodiment, which would remove the possibility of claiming signals.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-9 and 11-20 are rejected under 35 U.S.C. 103 as being unpatentable over Craig et al. (US Patent No. 10,812,510), hereinafter Craig, in view of Withnell et al. (US Publication No. 2024/0098114), hereinafter Withnell.
As per claims 1, 11 and 20, Craig discloses a method performed by an apparatus for predicting cyber threats (column 4, lines 17-25, “protecting against a cyber threat…identifying all systems …that could potentially be attacked…”), the method comprising: calculating similarity using a first embedding vector for cyber threat identification information and a second embedding vector for asset information when security event information is received, wherein the security event information includes the cyber threat identification information (column 1, lines 45-60, column 6, lines 51-66 and column 11, lines 31-51, receiving and extracting, by an extraction subsystem, keywords from a plurality of cyber incident reports, the input to the extraction subsystem including a description of a system behaving anomalously, the anomalous behavior, a description of a vulnerability, for example to WPA2 (Krack), and a description of assets to be protected; applying a shallow machine learning technique to the keywords and identifications of the plurality of networked assets to obtain an identification of a first subset of the networked assets vulnerable to a first threat scenario and an identification of the first threat scenario; applying a deep machine learning technique to the identification of a first subset of the networked assets vulnerable to the first threat scenario, the identification of the first threat scenario, the keywords and identifications of the plurality of networked assets, to obtain an identification of a second subset of the networked assets vulnerable to a second threat scenario and identification of the second threat scenario); and measuring correlation between the cyber threat identification information and the asset information based on the similarity (column 8, lines 1-14, “An identification (e.g., a list) of the assets operational within the protected system that most closely match the assets identified by information extraction subsystem 300…. An identification of threat scenarios or past anomalies, with one or more keyword matches to the association 310 of protected assets to keywords output by information extraction subsystem 300. Pattern matching for any other forms of output of information extraction subsystem 300, such as a sequence of anomalous events, a root cause, an entry point, a threat trajectory”).
While Craig discloses measuring correlation, Craig does not explicitly disclose determining an asset vulnerable to cyber threats based on the correlation. However, in an analogous art, Withnell discloses measuring correlation between the cyber threat identification information and the asset information based on the similarity, and determining an asset vulnerable to cyber threats based on the correlation (paragraph [0152], “determine threats directed to an enterprise, rank the determined threats… after gaining access to the enterprise profile and the threat catalog, the threat management system conducts correlation analytics between the contents (threat attributes) of each threat and characteristics associated with the enterprise profile…Thereafter, the eligible threats are ranked…”, and paragraph [0023], “identify top threats faced by an enterprise based on a correlation”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Craig with Withnell. This would have been obvious because one of ordinary skill in the art would have been motivated to do so in order to automatically curate cyber-security intelligence for a user in protecting an enterprise.
As per claims 2 and 12, Craig furthermore discloses performing countermeasures to safeguard the determined asset against cyber threats (column 4, lines 52-57, “closing down ports or system portions, installing further security measures on potential target assets, and other measures”).
As per claims 3 and 13, Craig furthermore discloses wherein the correlation between the cyber threat identification information and the asset information is measured based on a first correlation between the cyber threat identification information and cyber threat information and a second correlation between the cyber threat information and the asset information (column 13, lines 21-42, shallow machine learning techniques applied to the keywords and identifications of the plurality of networked assets to obtain an identification of a first subset of the networked assets vulnerable to a first threat scenario and an identification of the first threat scenario; further, a deep machine learning technique applied to the identification of a first subset of the networked assets vulnerable to the first threat scenario, the identification of the first threat scenario, the keywords and the identifications of the plurality of networked assets, to obtain an identification of a second subset of networked assets vulnerable to a second threat scenario and an identification of the second threat scenario, and simulating the plurality of networked assets and the second threat scenario).
As per claims 4 and 14, Craig furthermore discloses wherein the first embedding vector and the second embedding vector are obtained using a learning model, and the learning model uses cyber threat information and knowledge corpus information as training data (column 1, lines 46-59, “applying a shallow machine learning technique to at least the keywords and identifications of the plurality of networked assets…applying a deep machine learning technique to at least the identification of a first subset of the networked assets vulnerable to the first threat scenario, the identification of the first threat scenario, the keywords, and identifications of the plurality of networked…”, and column 2, lines 24-30 and column 7, lines 10-17, “These tools extract keywords related to observed anomalous behavior (e.g. proprietary, information, exfiltration, database, etc.) and the types of system/asset attacked (e.g., a database management system (DBMS) version). Such tools output a taxonomy of the event, and possibly one or both of a known (sub)sequence of anomalous sub-events, or a root cause, an entry point, and a complete threat trajectory”).
As per claims 5 and 15, Withnell furthermore discloses wherein the cyber threat information includes at least one of an identifier, a description, and a vulnerable product (paragraph [0031], identification of the source of a threat (e.g., threat actor group, source website, IP address, etc.)). The motivation is similar to the motivation provided in claim 1.
As per claims 6 and 16, it is noted that claim 6 (wherein a structure of the description is composed in the order of preposition, identifier, and sentence, and a structure of the vulnerable product is composed in the order of the identifier, verb, and vulnerable product name) depends on the method of claim 5. Claim 5 requires one of: an identifier, a description and a vulnerable product. As shown in the rejection of claim 5 above, within the optional limitations (an identifier, a description and a vulnerable product), the claimed identifier was considered and rejected, not the description and the vulnerable product recited in claim 6. As such, the limitation of claim 6 is not further analyzed or considered since it does not further limit the considered limitation of claim 5. Additionally, it is noted that even if the limitations were considered, ordering the structure of the description in a particular order (preposition, identifier, and sentence) and the structure of the vulnerable product in a particular order (identifier, verb, and vulnerable product name) does not require an inventive concept. Such ordering would have been obvious to one of ordinary skill in the art since it involves only routine skill in the art.
As per claims 7 and 17, Withnell furthermore discloses wherein, if the asset information has a plurality of configuration information, the second embedding vector corresponds to an average value of a plurality of embedding vectors of the plurality of configuration information (paragraph [0084], “the characteristic-attribute correlation levels may be determined based, at least in part, on separate rankings of different characteristic-attribute pairings 246 and an aggregation 250 of these rankings. This "aggregation" may include the collection of rankings of similar or related characteristic-attribute pairings (e.g., rankings directed to identical or related threat attributes, etc.) followed by an operation to normalize the rankings into an overall ranking (e.g., average rankings, etc.)”). The motivation is similar to the motivation provided in claim 1.
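To make the claimed flow concrete, the following is an added worked example written for this review; it is not code from the application, from Craig, or from Withnell, and its embedding values, asset names and threshold are constructed placeholders. It computes the similarity between a threat embedding and an asset embedding as cosine similarity, averages several configuration embeddings into one asset vector as recited in claims 7 and 17, and treats the similarity as the correlation on which vulnerable assets are determined as recited in claim 1.

```python
"""Worked example of the claimed embedding-similarity flow (constructed, not from the application)."""
from __future__ import annotations

import math
from typing import Dict, List, Sequence

Vector = Sequence[float]

# Constructed toy embeddings. In a real system these would come from a learning model
# trained on threat reports and a knowledge corpus; here they are hand-picked so the
# arithmetic is easy to follow. Names are placeholders, not real identifiers.
THREAT_EMBEDDINGS: Dict[str, List[float]] = {
    "threat-placeholder-A": [1.0, 0.2, 0.0],
    "threat-placeholder-B": [0.0, 0.1, 1.0],
}

# Each asset may carry several configuration items (e.g. manufacturer, product name),
# each with its own embedding (constructed values).
ASSET_CONFIG_EMBEDDINGS: Dict[str, List[List[float]]] = {
    "db-server-01": [[0.9, 0.3, 0.0], [0.7, 0.1, 0.0]],
    "web-proxy-02": [[0.2, 1.0, 0.0]],
    "workstation-03": [[0.0, 0.2, 0.8], [0.0, 0.0, 1.0]],
}


def cosine_similarity(a: Vector, b: Vector) -> float:
    """Cosine similarity in [-1, 1]; returns 0.0 for a zero vector instead of dividing by zero."""
    if len(a) != len(b):
        raise ValueError("embedding dimensions differ")
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(y * y for y in b))
    if norm_a == 0.0 or norm_b == 0.0:
        return 0.0
    return dot / (norm_a * norm_b)


def average_embedding(vectors: Sequence[Vector]) -> List[float]:
    """Element-wise mean of several configuration embeddings (the averaging of claim 7)."""
    if not vectors:
        raise ValueError("asset has no configuration embeddings")
    dim = len(vectors[0])
    return [sum(v[i] for v in vectors) / len(vectors) for i in range(dim)]


def asset_embedding(asset: str) -> List[float]:
    """Second embedding vector for an asset: the average of its configuration embeddings."""
    return average_embedding(ASSET_CONFIG_EMBEDDINGS[asset])


def measure_correlation(threat_id: str) -> Dict[str, float]:
    """Correlation between one threat identifier and every asset, taken here as the cosine similarity."""
    threat_vec = THREAT_EMBEDDINGS[threat_id]
    return {asset: cosine_similarity(threat_vec, asset_embedding(asset))
            for asset in ASSET_CONFIG_EMBEDDINGS}


def vulnerable_assets(threat_id: str, threshold: float = 0.8) -> List[str]:
    """Assets whose correlation with the threat meets the threshold, most correlated first."""
    scores = measure_correlation(threat_id)
    hits = [(asset, score) for asset, score in scores.items() if score >= threshold]
    hits.sort(key=lambda item: item[1], reverse=True)
    return [asset for asset, _ in hits]


if __name__ == "__main__":
    for threat in THREAT_EMBEDDINGS:
        print(threat, "->", vulnerable_assets(threat))
```

The threshold is the decision point a practitioner would tune: lowering it (for example to 0.3 in the constructed data) admits the web proxy as a second, weaker match for the first threat, which is the trade-off between missed vulnerable assets and noisy countermeasures.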
As per claims 8 and 18, Withnell furthermore discloses wherein the asset information includes at least one of manufacturer information and product name information (paragraph [0077], types of products and services). The motivation is similar to the motivation provided in claim 1.
As per claims 9 and 19, Craig furthermore discloses wherein performing the countermeasures comprises controlling network traffic for the determined asset (column 4, lines 52-57, “closing down ports or system portions…., and other measures”).
Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over Craig in view of Withnell, further in view of Jacobson et al. (US Publication No. 2016/0134624), hereinafter Jacobson.
As per claim 10, Craig as modified does not explicitly disclose, but in an analogous art, Jacobson discloses controlling a service connection for the determined asset in conjunction with an authentication server (paragraph [0034], “The authentication server 125 and/or the firewall 155 can determine when to allow mobile devices with access to the internet 115 and/or access to one or more access-restricted resources 190”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the modified Craig with Jacobson. This would have been obvious because one of ordinary skill in the art would have been motivated to do so in order to achieve the predictable result of securely providing access to resources by performing authentication using an authentication server.
References Cited, Not Used
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Andres et al. (US Publication No. 2012/0185945) discloses a security risk management system comprising a vulnerability database, an asset database, a local threat intelligence database and a threat correlation module. The vulnerability database comprises data about security vulnerabilities of assets on a network gathered using active or passive vulnerability assessment techniques. The asset database comprises data concerning attributes of each asset. The threat correlation module receives threat intelligence alerts that identify attributes and vulnerabilities associated with security threats that affect classes of assets. The threat correlation module compares asset attributes and vulnerabilities with threat attributes and vulnerabilities and displays a list of assets that are affected by a particular threat. The list can be sorted according to a calculated risk score, allowing an administrator to prioritize preventive action and respond first to threats that affect higher risk assets. The security risk management system provides tools for performing preventive action and for tracking the success of preventive action.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Ali Abyaneh whose telephone number is (571) 272-7961. The examiner can normally be reached on Monday-Friday, 8:00-5:00. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Alexander Lagor, can be reached on (571) 270-5143. The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
/ALI S ABYANEH/Primary Examiner, Art Unit 2437