DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This is a non-final office action in response to applicant’s communication filed on 6/7/2024.
Claims 1-20 are pending and being considered.
Priority
Applicant’s claim for the benefit of a prior-filed application (No. 63/472,227, filed on 6/9/2023) under 35 U.S.C. 119(e) or under 35 U.S.C. 120, 121, 365(c), or 386(c) is acknowledged.
Claim Objections
Claims 1, 3-11, 13-20 are objected to because of the following informalities:
Claim 1 line 11, “as well as” is suggested to read “and”.
Similarly claim 11 lines 11-12.
Claim 1 lines 4-5, “and any combination of these” may read “and any combination thereof”.
Similarly claim 11 lines 4-5, claim 20 line 14.
Claim 1 line 16, claim 9 line 4, claim 11 line 17, claim 18 line 4, claim 20 line 7, each uses phrase “in order to”, suggesting intended use for limitation(s) that follow(s).
Claims 3-10, 13-19, each recites “a first LLM” without referring to “the one or more LLMs”. Applicant is suggested to recite “a first LLM of the one or more LLMs” for clarity.
Appropriate correction is suggested.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.
Claims 1-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claim 1 lines 9-11 recites “… to investigate a chain of two or more minor anomalies linked to each other over a time frame of examination spanning two or more days”. It is not clear to what extent the anomalies are minor anomalies, and how minor anomalies matter to the claim, rendering the claim scope unclear and indefinite.
Similarly, for claim 11 and 20
Claims 2-10 depend on claim 1, claims 12-19 depend on claim 11, therefore are also rejected for the same reason set forth above.
Claim 5 last line recites “the API request”. There is insufficient antecedent basis for this limitation in the claim. Applicant may recite “the API requests” or more appropriate form.
Similarly claim 15.
Claim 7 lines 4-5 recites “enabling localization”. It is not clear to one ordinary skilled in the arts how to interpret the limitation, rendering the claim scope unclear and indefinite.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1-10 are rejected under 35 USC § 101 because the claimed invention is directed to non-statutory subject matter. The claims are not statutory as they are drawn as a whole to a software per se.
Claim 1 recites “A cybersecurity system, comprising: one or more cybersecurity components including i) a cyber security appliance with a cyber threat detect engine…, ii) a proactive threat notification service…, iii) a cyber threat autonomous response engine…, iv) a cyberattack simulator…, v) a cyber-attack restoration engine…, vi) an artificial intelligence-based cyber threat analyst module”, and one or more large language models (LLMs), in which each of the components above is interpreted as software per se, under the broadest reasonable interpretation in light of applicant’s Specification. The claim does not fall within at least one of the four categories of patent eligible subject matter because the claim is directed to software(s). To overcome the above concern, applicant is suggested to include at least one hardware component in the system claim.
Claims 2-10 depend on claim 1, therefore are also rejected for the same reason set forth above.
Examiner Notes
Examiner cites particular paragraphs, columns and line numbers in the references as applied to the claims below for the convenience of the applicant. Although the specified citations are representative of the teachings in the art and are applied to the specific limitations within the individual claim, other passages and figures may apply as well. It is respectfully requested that, in preparing responses, the applicant fully consider the references in entirety as potentially teaching all or part of the claimed invention, as well as the context of the passage as taught by the prior art or disclosed by the examiner.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1, 11, 20 are rejected under 35 U.S.C. 103 as being unpatentable over Humphrey et al (US20210273961A1, hereinafter, “Humphrey”), in view of Kras et al (US20200177612A1, hereinafter, “Kras”), further in view of Lee et al (US20230315856A1, hereinafter, “Lee”).
Regarding claim 1, similarly claim 11, claim 20, Humphrey teaches:
A cybersecurity system, A method to protect against cyber threats, A non-transitory storage medium including software that, upon execution by a processor (Humphrey, discloses apparatus and method for cyber-threat defense system with artificial intelligence models, see [Title]/[Abstract]. And e.g., [0030] for processors, computer-readable medium), comprising: one or more cybersecurity components (see Fig. 1, Cyber security appliance 100) including
i) a cyber security appliance with a cyber threat detect engine to detect a cyber threat in one or more of an email system, an Information Technology network, a cloud network, and any combination of these (Fig. 1, Cyber security appliance 100, Network model and Email module), ii) a proactive threat notification service to publicize new and ongoing cyber threats (Fig. 1, [0048] the trigger module may detect time stamped data indicating an event is occurring and then triggers that something unusual is happening... The trigger module may identify, with one or more AI models trained with machine learning on a normal email pattern of life for entities in the email network, at least one of i) an abnormal behaviour, ii) a suspicious activity, and iii) any combination of both, from one or more entities in the system), iii) a cyber threat autonomous response engine to take one or more actions to mitigate a detected cyber threat (Fig. 1, Autonomous Response module, and [0022] The autonomous response module may be configurable to know when the response module should take the autonomous actions to mitigate the cyber-threat when one or more incidents are worth of being determined as a cyber-threat), iv) a cyberattack simulator to simulate a cyberattack ([0050] FIG. 2 illustrates an example cyber security appliance 100 using an intelligent-adversary simulator cooperating with a network module and network probes ingesting traffic data for network devices and network users in the network under analysis), [v) a cyber-attack restoration engine to restore network components back to an operational state prior to the cyberattack], and vi) an artificial intelligence-based cyber threat analyst module to investigate a chain of two or more minor anomalies linked to each other over a time frame of examination spanning two or more days ([0054] The analyser module can form one or more hypotheses on what are a possible set of activities including cyber threats that could include the identified abnormal behaviour and/or suspicious activity from the trigger module with one or more AI models trained with machine learning on possible cyber threats. And [0111] The cyber-threat module considers over 750 metrics and the organizational pattern of life for unusual behavior for a window of time. For example, the cyber-threat module considers metrics and the organizational pattern of life for unusual behavior and other supporting metrics for the past 7 days when computing the anomaly score, which is also factored into the final threat risk parameter); (See Kras below for teachings of limitation in bracket)
and where instructions implemented in software for the cybersecurity components and the large language models are configured to be stored in one or more non-transitory storage mediums to be executed by one or more processing units (computer-readable medium, see e.g., [0030], [Claim 20]).
While Humphrey teaches the main concept of the claimed invention of cyber-threat defense system using AI models, but does not specifically teach v) a cyber-attack restoration engine to restore network components back to an operational state prior to the cyberattack, in the same field of endeavor Kras teaches:
a cyber-attack restoration engine to restore network components back to an operational state prior to the cyberattack (Kras, discloses systems and methods of cybersecurity attack simulation for incident response training and awareness, see [Title]/[Abstract]. And [0103] simulated attack response system 201 will create a backup of the database in advance of a simulated cybersecurity attack that involves changes to the database, such that the database can be restored after the simulated cybersecurity attack),
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Kras in the cyber-threat defense system of Humphrey by creating a backup of database in advance of a simulated cybersecurity attack. This would have been obvious because the person having ordinary skill in the art would have been motivated to restore the database using back up database after the simulated cybersecurity attack (Kras, [Abstract], [0103]).
The combination of Humphrey-Kras does not specifically teach the following, in the same field of endeavor Lee teaches:
as well as one or more large language models (LLMs) configured to communicate and cooperate with the one or more cybersecurity components via one or more Application Program Interfaces (APIs) to receive cyber security information being produced by the one or more of the cybersecurity components and then to apply language generation functionality in order to assist a human in an understanding of the cyber security information being produced by the cybersecurity components, and then also to provide recommendations to prioritize breaches over other breaches in a native human friendly format for the human (Lee, discloses method and apparatus for augmenting training data using large language models for performing cybersecurity task, see [Title]/[Abstract]. And [0056] The NL interface manager 211 can be configured to generate a user interface that can be used to receive natural language queries or phrases from a human user. And [0099] the functions of the NL analysis device can be implemented via an API that is configured to execute a set of functions to receive user input, auto-complete to generate an NL query, receive the competed NL query and infer intent through a sequence of functions referred to as refinement, to generate the template query and/or the finalized query);
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Lee in the cyber-threat defense system of Humphrey-Kras by configuring a user interface that can receive natural language queries from human user. This would have been obvious because the person having ordinary skill in the art would have been motivated to use the user interface receiving natural language queries from human user for training data using large language models for performing cybersecurity task (Lee, [Abstract]).
Allowable Subject Matter
Claims 2-10, 12-19 are objected to as being dependent upon a rejected base claim(s), but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims as well as resolving of any outstanding informalities, concerns under 35 USC 112(b) and 35 USC 101 presented in this office action.
The following is a statement of reasons for the indication of allowable subject matter:
Claim 2 (similarly claim 12) depends on claim 1 (claim 11), further specifies “where the one or more LLMs are trained to do tasks on behalf of a user and provide human readable summaries, including i) summarization and prioritization of breaches, ii) launching an investigation using the one or more APIs to find out information, and then iii) utilizing language capabilities of the LLMs to rephrase existing textual material to make the information more readily understandable to a larger audience of human end users”.
Claim 3 (similarly claim 13) depends on claim 1 (claim 11), further specifies “where a first LLM has been trained on an API specification for one or more of the cyber security components so that the first LLM can understand how to make API requests and translate at least one of i) a user question and ii) a question by the LLM itself into API queries into the one or more cyber security components of the cyber security system to explain a decision process of a machine learning from within that cyber security component as well as explain a cyber security incident in the native human friendly format for that human”.
Claim 4 (similarly claim 14) depends on claim 1 (claim 11), further specifies “where a first LLM has been trained on an API specification for one or more of the cyber security components so that the first LLM can understand how to make API requests to help explain both i) a decision-making process of one or more of the cyber security components as well as ii) cyber security jargon and concepts to enhance transparency and trust”.
Claim 5 (similarly claim 15) depends on claim 1 (claim 11), further specifies “where a first LLM has been trained on an API specification for one or more of the cyber security components so that the first LLM can understand how to make API requests, where the training also included training on capabilities of each of the one or more of the cybersecurity components including what type of information can be found by communicating with each particular cybersecurity component as well as how to get that information through the API request”.
Claim 6 (similarly claim 16) depends on claim 1 (claim 11), further specifies “where a first LLM has been trained to take in a specification description of one or more of the APIs and turn the specification of one or more of the APIs into a set of endpoints and their associated parameters and available information that a trained deep learning model in the LLM will then use to call the cybersecurity components”.
Claim 7 depends on claim 1, further specifies “where a first LLM has been trained to perform an automatic translation of the cyber security information in a first human language into a second human language of content within a user interface to be displayed on a display screen, enabling localization”.
Claim 8 (similarly claim 17) depends on claim 1 (claim 11), further specifies “where a first LLM has a query interface, where the first LLM with its training on the cyber security information combined with its training to go through the APIs to obtain additional knowledge from the cyber security components creates a large cyber security knowledge base that allows the first LLM to act as a search engine, in response to a user’s query to the query interface, to obtain and provide detailed understandings of the cyber security information”.
Claim 9 (similarly claim 18) depends on claim 1 (claim 11), further specifies “where a first LLM has a user interface, where an end user is able to select at least one of a term and a phrase, displayed on the user interface, as a query input to the first LLM in order to cause the first LLM to explain and provide additional details on the selected term and/or phrase”.
Claim 10 (similarly claim 19) depends on claim 1 (claim 11), further specifies “where one or more of the cybersecurity components, which are configured to provide a list of all of the breaches and their severity scores as well as cyber threats trending currently in response to a first API request, to a first LLM, and then the first LLM is trained to provide the recommendations to prioritize the breaches over other breaches i) on a display and/or ii) in a printed report to the human”.
The prior arts identified, Humphrey, Kras, Lee, Thakur, Goutal, and Lev, either singularly or in combination fails to anticipate or render obvious the claimed limitations of claims 2-10, 12-19 shown above.
Citation of References
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The following references are cited but not been replied upon for this office action:
Thakur et al (US20220038489A1) discloses system and method for classifying elements of computer system into defined security categories of security categorization model with artificial intelligence models.
Goutal et al (US20240403792A1) discloses method of generating security awareness training samples with large language models.
Lev (US20240281668A1) discloses system and method for classifying text from a document using an ensemble of close ended questions and a neural network based large language model, which might have been trained for different purposes.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL M LEE whose telephone number is (571)272-1975. The examiner can normally be reached on M-F: 8:30AM - 5:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on (571) 272-4219. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/MICHAEL M LEE/Primary Examiner, Art Unit 2436