DETAILED ACTION
This Office Action is in response to Applicant's Preliminary Amendment filed on April 8, 2024. Claims 2-5, 7-9, 12-29, 31-33, 38-41, 43-44, 46-49, 51, 55-63, 65-75, 77-79, 81-92, 94 and 96 have been canceled. Claims 1, 6, 30, 34, 42, 52-54, 80, 93 and 95 have been amended. Claims 1, 6, 10-11, 30, 34-37, 42, 45, 50, 52-54, 64, 76, 80, 93 and 95 are pending and presented for examination.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Priority
Receipt is acknowledged of certified copies of papers required by 37 CFR 1.55.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on April 8, 2024 has been considered by the examiner.
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.
Claim(s) 1, 6, 10-11, 30, 34-37, 42, 52-54, 76, 80, 93 and 95 is/are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Sharon et al. (hereinafter, “Sharon”, WO 2020/261262 A1).
As per claim 1, Sharon discloses a method of analyzing the results of a network attack function within a vehicular computing environment including a plurality of network elements each with at least one known parameter, the method comprising:
a. executing one or more network attack functions against at least two of the plurality of network elements (plurality of units 111 and 112 of Fig. 1), wherein the one or more network attack functions includes a set of attack function permutations (Fig. 1 & 2; paragraph 00026, ‘automatically simulating an attack on the vehicle's plurality of units 111, 112 according to the matched vulnerabilities 330, and the descriptions 2111 of the plurality of units 111, 112, thereby identifying 308 compromised units 340’; [0027], ‘The methods provided herein can further comprise generating and, using the display module- presenting a sorted (e.g., by criticality index) list of threats associated with the plurality of units determined to be compromised in simulation 350 according to at least one of: an attack type, an attack vector, attack surface, impact on privacy, impact on operational safety, deviation from a regulation (e.g., ISO/IEC/SAE 21434, UNECE WP.29 GRVA), compromise level of the plurality of units determined to be compromised in the simulation, and a criticality of components affected by the simulated attack. The attack type can be, for example, an unintended data disclosure, a denial of service (DoS), a remote code execution (RCE), unauthorized privilege association (PE), and a combination comprising one or more of the foregoing.’);
b. analyzing results of at least one network attack function to identify anomalous behavior of at least one network element (111, 112; Fig. 1 & 2; paragraph 00019, ‘Provided herein are exemplary implementations of systems and methods of iteratively and continually identifying, analyzing and remediating vulnerabilities of networked vehicle components to various malicious exploits.’; paragraph 00025, ‘automatically simulating an attack on the vehicle's plurality of units 111, 112 according to the matched vulnerabilities 330, and the descriptions 211i of the plurality of units 111, 112, thereby identifying 306 compromised units 340; automatically associating 518 the vehicle 110 with a first risk level value 346 based on a criticality of compromised units identified 340 in the step of simulating; and performing at least one action based on the vehicle-associated first risk level value.’; paragraph 00035, ‘Automatically matching 302 vulnerabilities 513 with the plurality of units and simulating an attack in the methods for continuously assessing cyber risk of vehicle functional units, are done in an exemplary implementation, according to an operational mode of at least one of the plurality of units. In other words, retrieving known vulnerabilities is matched against various units (e.g., ECUs) by, for example, exploiting the vulnerability under normal operating conditions for the particular unit.’); and
c. correlating the identified anomalous behavior of the at least one network element with a specific network attack function permutation and with at least one parameter of the specific network element (111, 112; Fig. 1 & 2; paragraph 00018, ‘Provided herein are exemplary implementations of systems and methods of iteratively and continually identifying, analyzing and remediating vulnerabilities of networked vehicle components to various malicious exploits.’; [00025], ‘automatically simulating an attack on the vehicle's plurality of units 111, 112 according to the matched vulnerabilities 330, and the descriptions 211 of the plurality of units 111, 112, thereby identifying 308 compromised units 340; automatically associating 518 the vehicle 110 with a first risk level value 345 based on a criticality of compromised units identified 340 in the step of simulating; and performing at least one action based on the vehicle-associated first risk level value.’; paragraph 0027, ‘The methods provided herein can further comprise generating and, using the display module- presenting a sorted (e.g., by criticality index) list of threats associated with the plurality of units determined to be compromised in simulation 350 according to at least one of: an attack type, an attack vector, attack surface, impact on privacy, impact on operational safety, deviation from a regulation (e.g., ISO/IEC/SAE 21434, UNECE WP.28 GRVA), compromise level of the plurality of units determined to be compromised in the simulation, and a criticality of components affected by the simulated attack. The attack type can be, for example, an unintended data disclosure, a denial of service (DoS), a remote code execution (RCE), unauthorized privilege association (PE), and a combination comprising one or more of the foregoing.’; paragraph 00035, ‘Automatically matching 302 vulnerabilities 513 with the plurality of units and simulating an attack in the methods for continuously assessing cyber risk of vehicle functional units, are done in an exemplary implementation, according to an operational mode of at least one of the plurality of units. In other words, retrieving known vulnerabilities is matched against various units (e.g., ECUs) by, for example, exploiting the vulnerability under normal operating conditions for the particular unit’; paragraph 00036, ‘As illustrated in FIG. 1, description of the plurality of units 211 relates to at least one of: a manufacture (e.g., 2111 etc.), a software module and version, a set of physical interfaces, and a set of logical interfaces. The term “logical interface” and the qualifier “logical” describe parameters (e.g., logical units (LUNs), ports, blocks, and addresses) which device controllers of resources in a direct- or network-attached environment utilize to target data blocks in non-volatile memory storage devices.’).
As per claim 6, Sharon discloses:
wherein the plurality of network elements reside in a hybrid environment, wherein the hybrid environment comprises at least a combination of at least two of a physical network elements, simulated network elements, or emulated network elements (paragraph 00047 discloses a network topology with physical and structural layers; paragraph 00053 discloses a set of physical interfaces and connections of the plurality of units).
As per claim 10, Sharon discloses:
wherein the plurality of network elements includes at least one backend service (Fig. 1; paragraph 00040, ‘Specifically with regard to FIG. 1, and as illustrated, Asset module 100, comprises two (or more) subsystems a client server which can be the fleet owner or OEM 110, and the backend management server (BEMS) 130. The client server may be in continuous and updating communication with a database comprising software component (SWC) list 111, documentation about the car architecture 112, and CSI/Business damage class table 113’; the backend server can be classified as a network element).
As per claim 11, Sharon discloses:
wherein the plurality of network elements includes at least one web service (Fig. 1; paragraph 00028, 'In the context of the disclosure, the term "asset service module” refers to a "node" meaning any active device (e.g., host machine, server, switch, port, ECU, or the like) attached to a local computer network or telecommunication network (e.g., cellular, wide area network, or the internet). In this context, "asset" of a node refers to programmable devices, data, processes, software, hardware, and networks that are located in asset's service module.'; any device in the system that connects to the Internet may be connecting to a web service).
As per claim 30, Sharon further discloses:
connection with an external computing environment (Fig. 1 & 2; paragraph 00029, ‘Likewise the attack surface, referring to external interfaces for access to the plurality of units (see e.g. FIG. 2, for examples of the plurality of units continuously monitored by the systems and methods provided), these can be indirect physical attack surfaces, for example CD players, Shop tools, 3rd party media players, aftermarket components, charging stations, "pass through" devices and the like. Short range wireless attack surfaces can be, for example, Bluetooth, Keyless Entry, tire pressure monitoring system, dedicated short-range communication protocol, RFID-based protocols used by engine immobilizers to identify the presence of a valid ignition key, and the like. Conversely, long-range wireless attack surfaces can be, for example Cellular, high-definition radio, radio data systems protocols, digital audio broadcasting, satellite radio, and the like.’; paragraph 00040, ‘Specifically with regard to FIG. 1, and as illustrated, Asset module 100, comprises two (or more) subsystems a client server which can be the fleet owner or OEM 110, and the backend management server (BEMS) 130. The client server may be in continuous and updating communication with a database comprising software component (SWC) list 111, documentation about the car architecture 112, and CSI/Business damage class table 113, while the backend management server may comprise and/or be in communication with a database 140 comprising the connection matrix (see e.g., FIG. 2, and/or exposure map 310)’; a variety of external computing components may be used through the network connection).
As per claim 34, Sharon discloses:
wherein an executed network attack function permutation comprises at least one of a manual request from a human, an automated request according to a request schedule, an automated request generated by machine learning, and an artificial intelligence analysis (Fig. 1 & 2; paragraph 00025, ‘automatically simulating an attack on the vehicle’s plurality of units 111, 112 according to the matched vulnerabilities 330, and the descriptions 211i of the plurality of units 111, 112, thereby identifying 306 compromised units 340’; paragraph 0027, ‘The methods provided herein can further comprise generating and, using the display module- presenting a sorted (e.g., by criticality index) list of threats associated with the plurality of units determined to be compromised in simulation 350 according to at least one of: an attack type, an attack vector, attack surface, impact on privacy, impact on operational safety, deviation from a regulation (e.g., ISO/IEC/SAE 21434, UNECE WP.29 GRVA), compromise level of the plurality of units determined to be compromised in the simulation, and a criticality of components affected by the simulated attack. The attack type can be, for example, an unintended data disclosure, a denial of service (DoS), a remote code execution (RCE), unauthorized privilege association (PE), and a combination comprising one or more of the foregoing.’; an automatic simulated attack is a form of automated request at a given time).
As per claim 35, Sharon discloses:
wherein the at least one attack function permutation comprises a logical addresses for each of the plurality of network elements (111, 112; Fig. 1 & 2; paragraph 00036, ‘As illustrated in FIG. 1, description of the plurality of units 211 relates to at least one of: a manufacture (e.g., 2111 etc.), a software module and version, a set of physical interfaces, and a set of logical interfaces. The term “logical interface” and the qualifier “logical” describe parameters (e.g., logical units (LUNs), ports, blocks, and addresses) which device controllers of resources in a direct- or network-attached environment utilize to target data blocks in non-volatile memory storage devices’; a plurality of units 111, 112 are the main network elements, though any element that connects to the network may be considered as such).
As per claim 36, Sharon discloses:
wherein the at least one attack function permutation comprises at least one characteristic for each of the plurality of network elements (111, 112; Fig. 1 & 2; paragraph 00051, ‘Reference throughout the specification to “one exemplary implementation”, “another exemplary implementation”, “an exemplary implementation”, and so forth, when present, means that a particular element (e.g., feature, structure, and/or characteristic) described in connection with the exemplary implementation is included in at least one exemplary implementation described herein’; paragraph 00053, ‘Accordingly and in an exemplary implementation, provided herein is a computer-implemented method of evaluating risk for a vehicle, the method comprising: obtaining a configuration of the vehicle, the configuration comprising descriptions of a plurality of units wherein the units are networked and in communication with other units in the vehicle; obtaining specifications of a plurality of vulnerabilities; automatically matching at least one of the vulnerabilities with the plurality of units included in the vehicle configuration; automatically simulating an attack (e.g., using at least one matched vulnerability) on the vehicle according to the matched vulnerabilities and the descriptions of the units, thereby identifying compromised units; automatically associating the vehicle with a first risk level value based on a criticality of the identified compromised units; and selecting at least one action to perform based on the first risk level value (or alternatively, automatically implementing the action).’).
As per claim 37, Sharon discloses:
wherein the at least one attack function permutation comprises at least one of a duration of time to form at least one attack function, a predicted run time to execute at least one attack function, a requirement to comply with a performance specification of an attack function, or an attack function network route (paragraph 0010, ‘In an exemplary implementation provided herein is a computer-implemented method of evaluating risk for a vehicle, the method comprising: obtaining a configuration of the vehicle, the configuration comprising descriptions of a plurality of units; obtaining specifications of a plurality of vulnerabilities; automatically matching at least one of the vulnerabilities with a plurality of units included in the configuration; automatically simulating an attack on the vehicle according to the matched vulnerabilities and the descriptions of the units, thereby identifying compromised units; automatically associating the vehicle with a first risk level value based on a criticality of the identified compromised units; and selecting at least one action to perform based on the first risk level value.’; paragraph 00021, ‘It is noted that OEMs will need to conform to the proposed UNECE WP.29 GRVA - REGULATION- to approve vehicles for their cyber security compliance and cybersecurity management systems. To show compliance, the vehicle manufacturer will have to demonstrate that the processes used within their Cyber Security Management System (CSMS) ensures security is adequate’; the simulated attack must comply with certain performance standards for the attack).
As per claim 42, Sharon discloses:
wherein the at least one network attack function is based at least in part on a previously derived attack function permutation (paragraph 00035, ‘Automatically matching 302 vulnerabilities 513 with the plurality of units and simulating an attack in the methods for continuously assessing cyber risk of vehicle functional units, are done in an exemplary implementation, according to an operational mode of at least one of the plurality of units. In other words, retrieving known vulnerabilities is matched against various units (e.g., ECUs) by, for example, exploiting the vulnerability under normal operating conditions for the particular unit. For example, the unit is an ECU in charge of the tire pressure monitoring system (TPMS) and the operational mode would be a battery power, ASIC for pressure monitoring and the proper RF components, the communication is between the sensors and an RF receiver usually found either in the trunk or glove box, using either the 315 mhz or 433 mhz frequency with encoding but not encryption’; paragraph 00038, ‘Further analysis indicates that the most critical risk based on calculation of the relevant attack vectors 305, leads to the conclusion that ECUs is the most critical unit (enabling e.g. remote code execution by an attacker and is associated with vehicle safety)’; known vulnerabilities include previously derived and executed attack functions).
As per claim 52, Sharon discloses:
wherein the at least one network attack function utilizes a web services protocol (paragraph 00029, ‘Likewise the attack surface, referring to external interfaces for access to the plurality of units (see e.g., FIG. 2, for examples of the plurality of units continuously monitored by the systems and methods provided), these can be indirect physical attack surfaces, for example CD players, Shop tools, 3rd party media players, aftermarket components, charging stations, "pass through" devices and the like. Short range wireless attack surfaces can be, for example, Bluetooth, Keyless Entry, tire pressure monitoring system, dedicated short-range communication protocol, RFID-based protocols used by engine immobilizers to identify the presence of a valid ignition key, and the like. Conversely, long-range wireless attack surfaces can be, for example Cellular, high-definition radio, radio data systems protocols, digital audio broadcasting, satellite radio, and the like.’; any device in the system that connects to the Internet may be connecting to a web service, whose protocol may be attacked).
As per claim 53, Sharon discloses:
wherein the at least one network attack function permutation comprises interaction with at least one of a private database, a public database, or a network element specific database (paragraph 0030, ‘Likewise, the term “vulnerability” refers to a weakness in a system or its associated networks’ nodes, system security procedures, internal controls, or implementation that could be exploited to obtain unauthorized access to system resources. For instance, an open diagnostic port on an ECU is a vulnerability. The vulnerability type can be, for example, at least one of: a coding error, memory corruption, buffer overflow, authentication protocol, authorization protocol, credentials association, a backdoor access, a wide area network access, and a dependency on, for example, unsecured mobile communication device.’; memory may store data [database] for a specific element, where memory corruption would be an attack on the specific element's data).
As per claim 54, Sharon discloses:
wherein the at least one network attack function permutation is at least partially informed by previously obtained correlation results related to a network element (Fig. 1 & 2; paragraph 00027, ‘The methods provided herein can further comprise generating and, using the display module- presenting a sorted (e.g., by criticality index) list of threats associated with the plurality of units determined to be compromised in simulation 350 according to at least one of: an attack type, an attack vector, attack surface, impact on privacy, impact on operational safety, deviation from a regulation (e.g., ISO/IEC/SAE 21434, UNECE WP.29 GRVA), compromise level of the plurality of units determined to be compromised in the simulation, and a criticality of components affected by the simulated attack. The attack type can be, for example, an unintended data disclosure, a denial of service (DoS), a remote code execution (RCE), unauthorized privilege association (PE), and a combination comprising one or more of the foregoing.’; paragraph 00035, ‘Automatically matching 302 vulnerabilities 513 with the plurality of units and simulating an attack in the methods for continuously assessing cyber risk of vehicle functional units, are done in an exemplary implementation, according to an operational mode of at least one of the plurality of units.’).
As per claim 76, Sharon discloses:
wherein correlating the identified anomalous behavior includes the use of a set of predefined and updatable rules to detect anomalous behavior (paragraph 00040, ‘In addition, the vulnerabilities module, again comprising the client server 210 (which can be the same or different than server 110) can comprise CVE description 211i, with specific CVEs 2111, and 2112 that are continuously fed 213 into backend management server's vulnerability monitoring module 2311 and from there 504 undergo matching function 302 to known ECU's monitored in the fleet's vehicles. The vulnerabilities module can also comprise exploits database, or server 220 which can be updated automatically or manually upon discovery of new exploits 221j, which feed 223 specific exploits 2211 to a determination query 222 and from there 402 to the backend management server's public exploit subsystem 2313. The CVE are also parsed as to their attack type and then classified 2312 and transferred 505 to the analyst assessment query 303 (which can be done by a dedicated team, rather than automatically). The classified vulnerabilities can then be stored 405 on a self-updating vulnerability database 232.’; how the attacks are detected and classified are stored in a database with initial information that is continuously updated).
As per claim 80, Sharon discloses:
wherein correlating the identified anomalous behavior includes transferring results of the correlating activity to one or more network elements within a vehicular computing environment (paragraph 00040, ‘Specifically with regard to FIG. 1, and as illustrated, Asset module 100, comprises two (or more) subsystems a client server which can be the fleet owner or OEM 110, and the backend management server (BEMS) 130. The client server may be in continuous and updating communication with a database comprising software component (SWC) list 111, documentation about the car architecture 112, and CSI/Business damage class table 113, while the backend management server may comprise and/or be in communication with a database 140 comprising the connection matrix (see e.g., FIG. 2, and/or exposure map 310). In addition, the vulnerabilities module, again comprising the client server 210 (which can be the same or different than server 110) can comprise CVE description 211i, with specific CVEs 2111, and 2112 that are continuously fed 213 into backend management server's vulnerability monitoring module 2311 and from there 504 undergo matching function 302 to known ECU's monitored in the fleet's vehicles.’).
As per claim 93, Sharon discloses:
wherein correlating the identified anomalous behavior includes sending results of correlation activity to an attack function generator (paragraph 00021, ‘The processes used to monitor for, detect and respond to cyber-attacks, cyber threats and vulnerabilities on vehicle types and the processes used to assess whether the cyber security measures implemented are still effective in the light of new cyber threats and vulnerabilities that have.’; paragraph 00027, ‘The methods provided herein can further comprise generating and, using the display module- presenting a sorted (e.g., by criticality index) list of threats associated with the plurality of units determined to be compromised in simulation 350 according to at least one of: an attack type, an attack vector, attack surface, impact on privacy, impact on operational safety, deviation from a regulation (e.g., ISO/IEC/SAE 21434, UNECE WP.29 GRVA), compromise level of the plurality of units determined to be compromised in the simulation, and a criticality of components affected by the simulated attack’).
As per claim 95, Sharon discloses:
wherein sending the results of the correlation activity to an attack function generator results in generation of an additional attack function permutation (paragraph 00021, ‘The processes used to monitor for, detect and respond to cyber-attacks, cyber threats and vulnerabilities on vehicle types and the processes used to assess whether the cyber security measures implemented are still effective in the light of new cyber threats and vulnerabilities’).
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 45 and 64 is/are rejected under 35 U.S.C. 103 as being unpatentable over Sharon in view of Tormasov et al. (hereinafter, “Tormasov”, U.S. Pub. No. 2022/0321397).
As per claim 45, Sharon discloses the invention substantially as claims discussed above.
However, Sharon does not explicitly disclose:
wherein the network attack function was created by an artificial intelligence system.
Tormasov discloses a system and method for anomaly detection in a computer network comprising:
wherein the network attack function was created by an artificial intelligence system (paragraph 0029).
Therefore, it would have been obvious to one of ordinary skill in the art at the time of filing to modify Sharon by incorporating or implementing an artificial intelligence (AI) engine for the purpose of training collected events from a target or network system in a timely and efficient manner.
As per claim 64, Sharon discloses the invention substantially as claims discussed above.
However, Sharon does not explicitly disclose:
wherein analyzing the results of at least one attack function includes the use of a supervised learning operation.
Tormasov discloses a system and method for anomaly detection in a computer network comprising:
wherein analyzing the results of at least one attack function includes the use of a supervised learning operation (paragraph 0036 discloses a behavior analyzer that employs machine learning techniques including supervised).
Therefore, it would have been obvious to one of ordinary skill in the art at the time of filing to modify Sharon by incorporating or implementing a supervised machine learning technique for the purpose of training collected events from a target or network system in a timely and efficient manner.
Claim(s) 50 is/are rejected under 35 U.S.C. 103 as being unpatentable over Sharon in view of Gula et al. (hereinafter, “Gula”, U.S. Pub. No. 2011/0231935).
As per claim 50, Sharon discloses the invention substantially as claims discussed above.
However, Sharon does not explicitly disclose:
wherein the network attack function includes randomly generated information.
Gula discloses a system and method for passively identifying encrypted and interactive network sessions:
wherein the network attack function includes randomly generated information (paragraph 0031 discloses generating random data).
Therefore, it would have been obvious to one of ordinary skill in the art at the time of filing to modify Sharon by incorporating or implementing a vulnerability scanner for generating random data to detect changes in a network.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to LASHONDA T JACOBS-BURTON whose telephone number is (571)272-4004. The examiner can normally be reached M-F 8:30 am - 5:00 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ario Etienne, can be reached at 571-272-4001. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/LASHONDA JACOBS-BURTON/Primary Examiner, Art Unit 2457
ljb
October 15, 2025