Prosecution Insights
Last updated: May 29, 2026
Application No. 18/692,716

METHODS AND SYSTEMS FOR ASSESSING AND ENHANCING CYBERSECURITY OF A NETWORK

Non-Final OA §102§103
Filed
Mar 15, 2024
Priority
Sep 17, 2021 — provisional 63/245,621 +2 more
Examiner
DAILEY, THOMAS J
Art Unit
2458
Tech Center
2400 — Computer Networks
Assignee
Willowglen Systems Inc.
OA Round
1 (Non-Final)
81%
Grant Probability
Favorable
1-2
OA Rounds
1y 0m
Est. Remaining
96%
With Interview

Examiner Intelligence

Grants 81% — above average
81%
Career Allowance Rate
698 granted / 864 resolved
+22.8% vs TC avg
Moderate +15% lift
+15.0%
Interview Lift
resolved cases with interview
Typical timeline
3y 3m
Avg Prosecution
19 currently pending
Career history
890
Total Applications
across all art units

Statute-Specific Performance

§101
1.7%
-38.3% vs TC avg
§103
83.0%
+43.0% vs TC avg
§102
8.8%
-31.2% vs TC avg
§112
3.7%
-36.3% vs TC avg
Based on career data from 864 resolved cases

Office Action

§102 §103
Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION

Claims 1-19, 37, 55, and 70 are pending.

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Claim Rejections - 35 USC § 102

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:

A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-7, 10-16, 19, 37, 55, and 70 are rejected under 35 U.S.C. 102(a)(1)/(2) as being anticipated by Boyer et al (US Pub. No. 2021/0273957; cited on IDS), hereafter, “Boyer.”

As to claim 1, Boyer discloses a method for assessing a cybersecurity threat associated with a node in a network, the method comprising the steps of:

(a) storing in a memory, at least one rule for determining at least one cybersecurity threat score for the node (Fig. 6, labels 606, 608, [0136] and [0139], particularly, “Detectors are discrete mathematical models that implement a specific mathematical method against different sets of variables with the target network. For example, Hidden Markov Models (HMM) may look specifically at the size and transmission time of packets between nodes…The automated adaptive periodicity detection uses the period of time the Bayesian probabilistic has computed to be most relevant within the observed network or machines. Furthermore, the pattern of life analysis identifies how a human or machine behaves over time, such as when they typically start and stop work. Since these models are continually adapting themselves automatically, they are inherently harder to defeat than known systems. The threat risk parameter is a probability of there being a threat in certain arrangements.”) and wherein each of the at least one rule is based on network information associated with the node comprising one or a combination of: (i) a volume or a pattern of data packet traffic transmitted or received by the node ([0136], particularly, “Detectors are discrete mathematical models that implement a specific mathematical method against different sets of variables with the target network. For example, Hidden Markov Models (HMM) may look specifically at the size and transmission time of packets between nodes”);

(b) using a processor, monitoring the network to acquire the network information ([0136], particularly, “Detectors are discrete mathematical models that implement a specific mathematical method against different sets of variables with the target network. For example, Hidden Markov Models (HMM) may look specifically at the size and transmission time of packets between nodes”);

(c) using the processor, determining the at least one cybersecurity threat score for the node, based on the acquired network information and in accordance with the at least one rule (Fig. 6, labels 606, 608, [0136] and [0139], particularly, “Detectors are discrete mathematical models that implement a specific mathematical method against different sets of variables with the target network. For example, Hidden Markov Models (HMM) may look specifically at the size and transmission time of packets between nodes…The automated adaptive periodicity detection uses the period of time the Bayesian probabilistic has computed to be most relevant within the observed network or machines. Furthermore, the pattern of life analysis identifies how a human or machine behaves over time, such as when they typically start and stop work. Since these models are continually adapting themselves automatically, they are inherently harder to defeat than known systems. The threat risk parameter is a probability of there being a threat in certain arrangements.”) and

(d) using the processor, causing a display device to display the determined at least one cybersecurity threat score, a value derived from the determined at least one cybersecurity threat score, or an alert based on the determined at least one cybersecurity threat score ([0176], particularly, “The cyber threat detector has a risk profile module configured to be able to see, examine, and combine risk profiles from multiple different cyber protection domains or environments in a single pane of analysis displayable on a same user interface.”).

As to claims 10, 55, and 77, they are rejected by a similar rationale by that set forth in claim 1’s rejection.

As to claim 19, Boyer discloses a method for controlling a response of a network to a data packet addressed from a first node having a first node location to a second node having a second node location in the network (Abstract), the method comprising the steps of:

(a) using the processor, in accordance with at least one rule stored in a memory, determining an access control score based on the first node location and the second node location ([0180]-[0182], particularly, “The SaaS pre-emptive risk detector can factor in the riskiness of the location of a SaaS account based upon known-active email threat campaigns in their geographic location. Active cyber threat campaigns can be occurring in geographic locations and by simply presence in that geographic locations can increase the risk profile… Additionally, the SaaS pre-emptive risk detector can track files on entry into the organization, check emails against known SaaS accounts to detect unauthorized SaaS platform usage, and compare user location as retrieved from the SaaS platform to active malicious email campaigns to increase alert scores.”; and

(b) using the processor, controlling the response of the network comprising one or a combination of:

(i) either allowing or preventing transmission of the data packet to the second node, depending on the determined access control score ([0141], particularly, “This could include interrupting connections, preventing the sending of malicious emails, preventing file access, preventing communications outside of the organization, etc. The approach begins in as surgical and directed way as possible to interrupt the attack without affecting the normal behavior of, for example, a laptop. If the attack escalates, the cyber threat defense system may ultimately quarantine a device to prevent wider harm to an organization.”)

…(iii) causing a display device to display the determined access control score, a value derived from the determined access control score, or an alert based on the determined access control score ([0181], particularly, “A user interface, such as a SaaS console, can be the one plane to analyse and present these cross-platform risk profiles. An email cyber security appliance can talk to the SaaS cyber security appliance and other modules of the SaaS pre-emptive risk detector.”).

As to claim 37, it is rejected by a similar rationale by that set forth in claim 19’s rejection.

As to claims 2 and 11, Boyer discloses the network information comprises the volume or the pattern of data packet traffic transmitted or received by the node ([0136], particularly, “Detectors are discrete mathematical models that implement a specific mathematical method against different sets of variables with the target network. For example, Hidden Markov Models (HMM) may look specifically at the size and transmission time of packets between nodes”).

As to claims 3 and 12, Boyer discloses the network information comprises the size, the content, or the communication protocol of the data packet transmitted to or received by the node ([0136], particularly, “Detectors are discrete mathematical models that implement a specific mathematical method against different sets of variables with the target network. For example, Hidden Markov Models (HMM) may look specifically at the size and transmission time of packets between nodes”).

As to claims 4 and 13, Boyer discloses the network information comprises the network address of the node ([0090], particularly, “These similarities of events or alerts in the chain may be, for example, alerts or events are coming from same device, same user credentials, same group, same source identifiers, same destination Internet Protocol addresses, same types of data transfers, same type of unusual activity, same type of alerts, same rare connection being made, same type of events, or others, so that a human can visually see what spatially and content-wise is making up a particular chain rather than merely viewing a textual log of data.”).

As to claims 5 and 14, Boyer discloses the network information comprises the connection relationship of the node to the another node in the network ([0136], particularly, “Detectors are discrete mathematical models that implement a specific mathematical method against different sets of variables with the target network. For example, Hidden Markov Models (HMM) may look specifically at the size and transmission time of packets between nodes” and further, ([0090], particularly, “These similarities of events or alerts in the chain may be, for example, alerts or events are coming from same device, same user credentials, same group, same source identifiers, same destination Internet Protocol addresses, same types of data transfers, same type of unusual activity, same type of alerts, same rare connection being made, same type of events, or others, so that a human can visually see what spatially and content-wise is making up a particular chain rather than merely viewing a textual log of data.”).

As to claims 6 and 15, Boyer discloses the network information comprises the identifier or the role of the user of the node ([0090], particularly, “These similarities of events or alerts in the chain may be, for example, alerts or events are coming from same device, same user credentials, same group, same source identifiers, same destination Internet Protocol addresses, same types of data transfers, same type of unusual activity, same type of alerts, same rare connection being made, same type of events, or others, so that a human can visually see what spatially and content-wise is making up a particular chain rather than merely viewing a textual log of data.”).

As to claims 7 and 16, Boyer discloses the network information comprises the identifier of the node ([0090], particularly, “These similarities of events or alerts in the chain may be, for example, alerts or events are coming from same device, same user credentials, same group, same source identifiers, same destination Internet Protocol addresses, same types of data transfers, same type of unusual activity, same type of alerts, same rare connection being made, same type of events, or others, so that a human can visually see what spatially and content-wise is making up a particular chain rather than merely viewing a textual log of data.”).

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 8, 9, 17, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Boyer in view of Akella et al (US Pub. No. 2024/0048581), hereafter, “Akella.”

As to claims 8 and 17, Boyer discloses parent claim but does not disclose the network information comprises the operational data indicative of the operational parameter of the node in the SCADA system. However, Akella discloses network information comprises the operational data indicative of the operational parameter of the node in the SCADA system ([0094], particularly, “FIG. 6 depicts an example architecture of a network traffic sensor array 110. As depicted, network sensor array 110 includes Ethernet traffic sensor 602, SCADA traffic sensor 604, USB traffic sensor 606, IoT gateway traffic sensor 608, and arbitrary network packet broker 610. In general, network traffic sensor array 110 can be configured to detect any network traffic-related communication data associated with computing devices, for example, 102, 104, 106, 124, 134, or 142, on a network, for example, computer network 116.”) Therefore it would have been obvious to one of ordinary skill in the art prior the effective filing date of the application to combine the teachings of Boyer and Akella in order to extend the system to a broader range of networks and device types.

As to claims 9 and 18, Boyer discloses parent claim but does not disclose the node is a component of the SCADA system. However, Akella discloses a node is a component of the SCADA system ([0094], particularly, “FIG. 6 depicts an example architecture of a network traffic sensor array 110. As depicted, network sensor array 110 includes Ethernet traffic sensor 602, SCADA traffic sensor 604, USB traffic sensor 606, IoT gateway traffic sensor 608, and arbitrary network packet broker 610. In general, network traffic sensor array 110 can be configured to detect any network traffic-related communication data associated with computing devices, for example, 102, 104, 106, 124, 134, or 142, on a network, for example, computer network 116.”) Therefore it would have been obvious to one of ordinary skill in the art prior the effective filing date of the application to combine the teachings of Boyer and Akella in order to extend the system to a broader range of networks and device types.

Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:

US Pub. No. 2020/0311630 – The method involves retrieving data corresponding to an asset, where the asset is a computing device or software application of an enterprise system. A set of vulnerabilities of the asset are identified. A recommendation is generated for mitigating the vulnerability for each vulnerability in the set of vulnerabilities. A user interface is generated for the asset, which includes a list of the recommendations. The user interface is provided for display. The recommendation is generated in response to determining a measure of effectiveness of a security control has exceeded a threshold. A user interaction is received at a portion of a second user interface corresponding to the asset. The user interface for the asset is generated responsive to receiving the user interaction.

US Pat. 9,325,728 – The process includes instructions for receiving data related to defense training exercise and applying a set of scoring rules to determine base scores for each participant in the training. An actual score is determined for each participant using the base scores at the end of training exercise. The data related to operation and maintenance of critical services including percentage up time of critical services is received. The set of scoring rules related to percentage up time of the critical services is applied in the calculation of objective scores for result of each participant.

US Pub. No. 2014/0137257 – The method involves providing a database containing data relating to one or more assets. The threat scores for assets are calculated using multiple processors communicably coupled to the database. The vulnerability scores for the assets are calculated using the processors. An impact score for the assets is calculated. The risk of the assets is determined based on threat score, the vulnerability score and the impact score using processors.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to THOMAS J DAILEY whose telephone number is (571)270-1246. The examiner can normally be reached 9:30am-6:00pm.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Umar Cheema can be reached on 571-270-3037. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/THOMAS J DAILEY/ Primary Examiner, Art Unit 2458

Prosecution Timeline

Mar 15, 2024
Application Filed
Aug 12, 2025
Non-Final Rejection mailed — §102, §103
Feb 12, 2026
Response after Non-Final Action
Feb 12, 2026
Response Filed

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12634277
ACCESS CONTROL SYSTEM AND METHOD THEREOF
3y 11m to grant Granted May 19, 2026
Patent 12634305
UNSUPERVISED GAN-BASED INTRUSION DETECTION SYSTEM USING TEMPORAL CONVOLUTIONAL NETWORKS, SELF-ATTENTION, AND TRANSFORMERS
2y 6m to grant Granted May 19, 2026
Patent 12634191
NETWORK SYSTEM FAULT RESOLUTION VIA A MACHINE LEARNING MODEL
2y 1m to grant Granted May 19, 2026
Patent 12627554
MANAGEMENT DATA ANALYTICS
2y 2m to grant Granted May 12, 2026
Patent 12621243
CROSS-LAYER APPLICATION NETWORK FLOW ADAPTATION
4y 2m to grant Granted May 05, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Prosecution Projections

1-2
Expected OA Rounds
81%
Grant Probability
96%
With Interview (+15.0%)
3y 3m (~1y 0m remaining)
Median Time to Grant
Low
PTA Risk
Based on 864 resolved cases by this examiner. Grant probability derived from career allowance rate.
