Prosecution Insights
Last updated: April 19, 2026
Application No. 18/737,534

SYSTEM AND METHOD FOR UTILIZING LARGE LANGUAGE MODELS FOR MITIGATION OF CYBER THREATS AND REMEDIATION OR RESTORATION OF FUNCTIONALITY OF A CYBERSECURITY SYSTEM

Non-Final OA §102
Filed: Jun 07, 2024
Examiner: WYSZYNSKI, AUBREY H
Art Unit: 2434
Tech Center: 2400 — Computer Networks
Assignee: Darktrace Holdings Limited
OA Round: 1 (Non-Final)
Grant Probability: 89% (Favorable)
OA Rounds: 1-2
To Grant: 2y 10m
With Interview: 99%

Examiner Intelligence

Grants 89% — above average
Career Allow Rate: 89% (635 granted / 710 resolved, +31.4% vs TC avg)
Interview Lift: +12.6% (moderate +13% lift, resolved cases with interview)
Typical timeline: 2y 10m avg prosecution, 26 currently pending
Career history: 736 total applications across all art units

Statute-Specific Performance

§101: 11.4% (-28.6% vs TC avg)
§103: 36.0% (-4.0% vs TC avg)
§102: 24.9% (-15.1% vs TC avg)
§112: 8.0% (-32.0% vs TC avg)
Based on career data from 710 resolved cases

Office Action

§102
Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. Claims 1-20 are presented for examination.

Claim Rejections - 35 USC § 102

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:

A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-20 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Shachar et al, US 2024/0372876.

Regarding claim 1, Shachar teaches a non-transitory storage medium including software configured, when executed by one or more processors, to enhance cyber threat detection or a response to a cyber threat detected by a cybersecurity appliance of a cybersecurity system, the software comprising: a first orchestrator module deployed with at least a first large language model (0004: generative AI systems use generative models such as LLMs) that is configured, when executed by the one or more processors, to perform artificial intelligence-based simulations of cyber-attacks, to assist in determining (i) how a simulated cyber-attack might occur in a selected computing device protected by the cybersecurity system, and (ii) how to use simulated cyber-attack information to preempt possible escalations of an ongoing actual cyber-attack (0005: processing the plurality of first data sets using a first large language model (LLM) to produce, from each first data set, a second data set that provides a summary of a sequence of events that occurred on the enterprise corresponding to first data set; processing at least some of the second data sets using a second LLM to identify atypical patterns in the at least some of the second data sets, the at least some of the data sets associated with a proper subset of the plurality of enterprises); and a second orchestrator module deployed with at least a second large language model that is configured, when executed by the one or more processors, to perform a remediation task to correct one or more misconfigurations in one or more components associated with the cybersecurity system and return the one or more components back to a trusted operational state (0019: the remediation suggestion module is configured to process the current security posture of the enterprise together with the identified patterns by applying a machine learning model.).

Regarding claim 2, Shachar teaches the non-transitory storage medium of claim 1, wherein the first orchestrator module comprises a mitigation remediation suggestion module configured to initiate a series of application programming interface (API) calls to multiple computing devices including the selected computing device to acquire information associated with the computing devices including external exposure information associated with each of the computing devices (Fig. 1, remediation suggestion module 114. 0053: The remediation suggestion module 114 operates to process, for an enterprise whose summary data set did not contribute to the pattern identification (i.e., an enterprise that is not in the proper subset of enterprises), a current security posture of the enterprise (which can be described in a data type/format that uses human-readable text, for example a JSON file) together with the patterns identified by the pattern identification module 112 to produce a recommended security posture for the enterprise.).

Regarding claim 3, Shachar teaches the non-transitory storage medium of claim 2, wherein the acquired information includes (1) user context information, (2) known cyber-attack paths, and (3) pattern of life event data that provides an intrinsic understanding of normal behaviors for the selected computing device or a user of the selected computing device (0052: The pattern identification module 112 operates to receive at least some of the summary data sets from the summarization module 110 and to identify similar patterns in the received summary data sets.).

Regarding claim 4, Shachar teaches the non-transitory storage medium of claim 3, wherein the pattern of life event data includes (i) traffic pattern, and (ii) log that maintains a record of incoming and outgoing network traffic including blocked connections and communication attempts and access logs that maintain successful logins and unauthorized access attempts from unexpected locations could indicate external communication (0052: The patterns identified by the pattern identification module 112 are atypical patterns, for example relative to historical patterns, and are indicative of atypical activity (i.e., suspicious activity) carried out on or in association with the enterprises.).

Regarding claim 5, Shachar teaches the non-transitory storage medium of claim 2, wherein the mitigation remediation suggestion module is further configured to assign an external exposure score to each analyzed computing device to prioritize a prescribed number of the computing devices with a greatest external exposure (0056: the remediation suggestion module 114 processes the current security posture of the enterprise and the identified patterns using a set of rules and policies to generate the security posture recommendation for the enterprise. In yet other embodiments, the remediation suggestion module 114 processes the current security posture of the enterprise and the identified patterns using a machine learning model to generate the security posture recommendation for the enterprise.).

Regarding claim 6, Shachar teaches the non-transitory storage medium of claim 5, wherein the mitigation remediation suggestion module is further configured to conduct analytics on functionality of the prescribed number of computing devices with the greatest external exposure score, the functionality includes an analysis of one or more settings of the prescribed number of computing devices, a status of software updates, a presence of software modules unnecessary for an intended operability of each of the prescribed number of computing devices (0041: a predefined threshold, a user (e.g., one of the enterprise computers) applies an API that is not common to the user group it belongs to, one or more machines (computers) of the enterprise are invoked at an unusual rate.).

Regarding claim 7, Shachar teaches the non-transitory storage medium of claim 5, wherein the mitigation remediation suggestion module is further configured to (i) access a threat technique data store including threat technique data associated with threat landscape data gathered by the cybersecurity system and (ii) determine if any mitigation suggestions aligns with the stored threat technique data and factor any alignment into a first recommendation message output by the mitigation remediation suggestion module (0005: processing a current security posture of the enterprise together with the identified patterns to produce a recommended security posture for the enterprise.).

Regarding claim 8, Shachar teaches the non-transitory storage medium of claim 2, wherein the second orchestrator module comprises a misconfiguration remediation suggestion module configured to establish communications with and acquire information from the one or more components, the acquired information includes detected misconfigurations of the one or more components provided from a cloud service provider along with cloud resource information that provides additional context associated with the one or more components (0040: each of the CDR systems 150a-150n functions to monitor the environment (preferably the virtual cloud environment) of the enterprise 160a-160n to which the CDR system is connected, and to generate CDR data therefrom. In particular, each CDR system monitors the (cloud) environment of its corresponding enterprise for suspicious activity occurring on or in relation to the enterprise, and generates CDR data sets, for example including alert data, based on, for example, predefined rules and thresholds.).

Regarding claim 9, Shachar teaches the non-transitory storage medium of claim 8, wherein the misconfiguration remediation suggestion module is further configured to establish communications with the cybersecurity appliance to obtain information associated with threat landscape data and to factor the information into a second recommendation message output by the misconfiguration remediation suggestion module, the second recommendation message includes a listing of steps to perform correct a misconfiguration or increase network security (0025: by performing the following steps when such program is executed on the system. The steps comprise: obtaining a plurality of first data sets associated with a plurality enterprises, each first data set associated with a corresponding one of the enterprises and having data indicative of activity performed in association with the corresponding one of the enterprises; processing the plurality of first data sets using a first large language model (LLM) to produce, from each first data set, a second data set that provides a summary of a sequence of events that occurred on the enterprise corresponding to first data set).

As per claims 10-16 and 17-20, this is a system and method version of the claimed storage medium discussed above in claims 1-9 wherein all claimed limitations have also been addressed and/or cited as set forth above.

Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.

US 2024/0385818 to Silverstein teaches the remediation action can include flagging the one or more functions that have source code execution variability scores that exceed the threshold values for review by a software developer. In other embodiments, the remediation action can include automatically replacing a portion of the one of the one or more functions with a suitable alternative that has a lower variability score than the portion. In exemplary embodiments, automatically replacing a portion of the one of the one or more functions with a suitable alternative is performed by providing the one or more functions to a large language model and requesting that the large language model provide a suitable alternative to the source code that would have a more consistent execution time that the provided function.

US 20023/0208869 to BISHT et al teaches an autonomous decision engine (ADE) module coupled to the SSE module. In an example, the ADE module is configured for a remediation process. In an example, the remediation process comprises an autonomous decision engine comprising a sense process, plan process, and an act process (collectively the “AI processes” or “AI decision processes”), and is configured to make a decision from the flow of data to remediate and take appropriate action based upon the what signal is received from the client device, and processed through a behavior analytics engine.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to AUBREY H WYSZYNSKI whose telephone number is (571)272-8155. The examiner can normally be reached M-F 9-5.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, KAMBIZ ZAND can be reached at 571-272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/AUBREY H WYSZYNSKI/
Examiner, Art Unit 2434

Prosecution Timeline

Jun 07, 2024: Application Filed
Sep 20, 2025: Non-Final Rejection — §102 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12598211
CYBERATTACK SCORING METHOD, CYBERATTACK SCORING APPARATUS, AND COMPUTER READABLE STORAGE MEDIUM STORING INSTRUCTIONS TO PERFORM CYBERATTACK SCORING METHOD
2y 5m to grant Granted Apr 07, 2026
Patent 12592932
METHOD AND SYSTEM FOR AN INTEGRATED PROCESS TO STREAMLINE PRIVILEGED ACCESS MANAGEMENT
2y 5m to grant Granted Mar 31, 2026
Patent 12580964
OPTIMIZATION FOR ACCESS POLICIES IN COMPUTER SYSTEMS
2y 5m to grant Granted Mar 17, 2026
Patent 12580887
SCALABLE FLOW DIFFERENTIATION FOR NETWORKS WITH OVERLAPPING IP ADDRESSES
2y 5m to grant Granted Mar 17, 2026
Patent 12580967
CONTEXTUAL SECURITY POLICY ENGINE FOR COMPUTE NODE CLUSTERS
2y 5m to grant Granted Mar 17, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.


Prosecution Projections

Expected OA Rounds: 1-2
Grant Probability: 89%
With Interview (+12.6%): 99%
Median Time to Grant: 2y 10m
PTA Risk: Low
Based on 710 resolved cases by this examiner. Grant probability derived from career allow rate.
