DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1-19 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.
Claim 1 recites an apparatus which appears to be a ‘machine’ and one of the four statutory subject matter categories of invention (Step 1 of the Subject Matter Eligibility Test).
However, the claim appears to not qualify for a streamlined analysis thus a full eligibility and thus a full eligibility analysis is necessary (Step 2A and Step 2B of the Subject Matter Eligibility Test).
In Step 2A, Prong One, examiners evaluate whether the claim recites a judicial exception, i.e., whether a law of nature, natural phenomenon, or abstract idea is set forth or described in the claim. The claim recites the steps of:
“…an input device configured to receive an input of a user…”
“…a processor configured to derive a security goal linked to threat mitigation information by performing Threat Analysis Risk Assessment (TARA)...”
“… re-calculate an Attack Feasibility Rating, based on assumption information corresponding to the security goal linked to the threat mitigation information, when entering into a mode TARA (ReCAL) of re-executing the Threat Analysis Risk Assessment to verify completeness of the security goal.…”
The steps performing amount to an abstract idea which falls under a judicial exception (Step 2A Prong 1, of Subject Matter Eligibility). Abstract ideas fall in the category. The abstract idea falls in the categories of a mental process, for example evaluation, judgements, and opinion and mathematical concepts (MPEP 2106.04(a)(2) & MPEP 2106.06) such as executing a Threat Analysis Risk Assessment (calculation) to verify completeness of a security goal. For example, the courts found that a claim “generating a life insurance policy including a stable value protected investment with an initial value based on a value of underlying securities, calculating surrender value protected investment credits for the life insurance policy; determining an investment value and a value of the underlying securities for the current day;” where attempt to patent the use of the abstract idea of [managing a stable value protected life insurance policy] and then instruct the use of well-known [calculations] to help establish some of the inputs into the equation, Bancorp Services., L.L.C. v. Sun Life Assurance Co. of Canada (U.S.), 687 F.3d 1266, 103 USPQ2d 1425 (Fed. Cir. 2012).
In Step 2A, Prong Two, examiner determine whether the claim as a whole integrates the judicial exception into a practical application to disqualify abstract as a judicial exception. However, the judicial exception in claim 1 Is not integrated into practical application because the generically recited computer elements:
“...input device…”
“…a processor…”
do not add meaningful limitation to an abstract idea because they do not add a meaningful limitation to an abstract idea because they amount to simply implementing the abstract idea on a computer. The implementation of using a confidence level results enabling human decision making without using the user actions in any meaningful to improve the functioning of a computer or another technology without reference to what is well-understood, routine, and conventional activity. The claim do not include additional elements that are sufficient to amount to significantly more than the judicial exception because simply appending well-understood, routine, conventional activities previously known to the industry, specified at a high level of generality, to the judicial exception, e.g., a claim to an abstract idea requiring no more than a generic computer to perform generic computer function that are well-understood, routine and conventional activities previously known to the industry, as discussed in Alice Corp., 573 U.S. at 225, 110 USPQ2d at 1984.
Thus, the analysis concludes is ineligible under 35 U.S.C. § 101 as it is directed to a judicial
exception.
Regarding to claims 2-10:
Claims 2-10 do not add any additional elements than those already disclosed in claim 1, and merely adds further abstract ideas. Furthermore, none of the claims integrate the judicial exception into a practical application.
Claim 11 recites a method which appears to be a ‘process’ and one of the four statutory subject matter categories of invention (Step 1 of the Subject Matter Eligibility Test).
However, the claim appears to not qualify for a streamlined analysis thus a full eligibility and thus a full eligibility analysis is necessary (Step 2A and Step 2B of the Subject Matter Eligibility Test).
In Step 2A, Prong One, examiners evaluate whether the claim recites a judicial exception, i.e., whether a law of nature, natural phenomenon, or abstract idea is set forth or described in the claim. The claim recites the steps of:
“…deriving a security goal linked to threat mitigation information by performing Threat Analysis Risk Assessment (TARA)…”
“…re-calculating an Attack Feasibility Rating, based on assumption information corresponding to the security goal linked to the threat mitigation information, when entering into a mode TARA (ReCAL) of re-executing the Threat Analysis Risk Assessment to verify completeness of the security goal....”
The steps performing amount to an abstract idea which falls under a judicial exception (Step 2A Prong 1, of Subject Matter Eligibility). Abstract ideas fall in the category. The abstract idea falls in the categories of a mental process, for example evaluation, judgements, and opinion and mathematical concepts (MPEP 2106.04(a)(2) & MPEP 2106.06) such as executing a Threat Analysis Risk Assessment (calculation) to verify completeness of a security goal. For example, the courts found that a claim “generating a life insurance policy including a stable value protected investment with an initial value based on a value of underlying securities, calculating surrender value protected investment credits for the life insurance policy; determining an investment value and a value of the underlying securities for the current day;” where attempt to patent the use of the abstract idea of [managing a stable value protected life insurance policy] and then instruct the use of well-known [calculations] to help establish some of the inputs into the equation, Bancorp Services., L.L.C. v. Sun Life Assurance Co. of Canada (U.S.), 687 F.3d 1266, 103 USPQ2d 1425 (Fed. Cir. 2012).
In Step 2A, Prong Two, examiner determine whether the claim integrates the judicial exception into a practical application to disqualify abstract as a judicial exception. However, the judicial exception in claim 11 is not integrated into practical application because the generically recited computer elements do not add meaningful limitation to an abstract idea because they do not add a meaningful limitation to an abstract idea because they amount to simply implementing the abstract idea on a computer. The implementation of using a cost function and performing symbolic execution results enabling human decision making without using the user actions in any meaningful to improve the functioning of a computer or another technology without reference to what is well-understood, routine, and conventional activity. The claim do not include additional elements that are sufficient to amount to significantly more than the judicial exception because simply appending well-understood, routine, conventional activities previously known to the industry, specified at a high level of generality, to the judicial exception, e.g., a claim to an abstract idea requiring no more than a generic computer to perform generic computer function that are well-understood, routine and conventional activities previously known to the industry, as discussed in Alice Corp., 573 U.S. at 225, 110 USPQ2d at 1984.
Thus, the analysis concludes is ineligible under 35 U.S.C. § 101 as it is directed to a judicial
exception.
Regarding claims 12-19
Claims 12-19 do not add any additional elements than those already disclosed in claim 11, and merely adds further abstract ideas. Furthermore, none of the claims integrate the judicial exception into a practical application.
Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.
The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.
Claims 1-19 rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.
Regarding claims 1 and 11:
“…verifying a security goal…” is recited in claims 1 and 11, but the specification does not describe what constitutes what a “security goal” is or what a security goal represents. There is no definition, no rule, and no algorithm disclosed for a security goal is classified or how it determined based on threat mitigation information and threat analysis risk assessment.
The claim further recites:
“…based on assumption information…”
“…Threat Analysis Risk Assessment to verify completeness of the security goal…”
“…re-calculate an Attack Feasibility Rating...”
The application provides no structural support, algorithmic detail, or any sample implementation for how a security goal is derived from the threat mitigation information and the assessment , or any other forms of input. It is not clear what the ‘security goal’ represents to a person having ordinary skill in the art and what the metes and bounds of the introduced terms should mean to a person having ordinary skill in the art. This contrasts with well-established terms like “security requirements” which are mathematically well defined an do not need additional guidance from the inventor.
On a similar note, the specification does not describe how a Attack Feasibility Rating is calculated, what values or metrics it may represents, or how it is applied to a security goal. The terms “assumption information”, “completeness of the security goal”, and “Attack Feasibility Rating” are likewise undefined and unsupported and there is no disclosure or how these values are selected or quantified.
Regarding claims 7, 8, 17, and 18 :
Claims 7-8 and 17-18 recites “...scheme of Risk Acceptable…”. The specification does not reasonable convey to those skilled in the art the inventors were in possession of the full score of this limitation at the time of the filing.
Claims 2-10 and 12-19 do not overcome the rejections of their respective base claims that have been rejected above, and therefore rejected under the same grounds provided to claims 1 and 11 .
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.
Claims 1-19 rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Regarding claims 1 and 11:
“…verifying a security goal…”
Indefinite because the claim does not specify what constitutes as “security goal” nor how the security goal is derived from the risk assessment. It is unclear whether “security goal” refers to.
“…based on assumption information…”
Indefinite because the claim does not specify what constitutes as an “assumption” nor how assumption information is obtained or what constitutes as assumption information. It is unclear whether assumption information refers to an inference, scenario, or related to attack paths.
“…Threat Analysis Risk Assessment to verify completeness of the security goal…”
Indefinite because the claim provides no objective boundaries or metrics by which person having ordinary skill in the art can determine “completeness” of a security goal, nor it is clear whether refers to a rating, percentage, or a score.
“…re-calculate an Attack Feasibility Rating...”
Indefinite because the claim does not recite what Attack Feasibility Rating what Attack Feasibility Rating represents (e.g., score, probability, likelihood), how it is derived, or from what inputs it is calculated. Functional limitations must be supported by structure in specification, but the application fails to disclose any algorithms, flowcharts, pseudo-code, etc. that offer structural support for this limitation.
Regarding claims 7, 8, 17, and 18 :
“...scheme of Risk Acceptable…”
Indefinite because the claim does not specify what constitutes as “Risk Acceptable” nor how it is derived, or from what inputs it is calculated. Functional limitations much be supported by structure in the specification, but the application fails to disclose any algorithms, flowcharts, pseudo-code etc. that offer structural support for this limitation.
Regarding claims 3, 4, 13, and 14:
“…treatment mitigation information linked to the security goal…”
Indefinite because the claim does not specify what constitutes as treatment mitigation information nor how it is derived, or from what inputs it is calculated. It is not clear what the ‘treatment mitigation information’ represents to a person having ordinary skill in the art and what the metes and bounds of the introduced terms should mean to a person having ordinary skill in the art. Functional limitations much be supported by structure in the specification, but the application fails to disclose any algorithms, flowcharts, pseudo-code etc. that offer structural support for this limitation.
Claims 2-10 and 12-19 do not overcome the rejections of their respective base claims that have been rejected above, and therefore rejected under the same grounds provided to claims 1 and 11 .
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1, 2, 5-9, 11, 12, and 15-19 are rejected under 35 U.S.C. 103 as being unpatentable over Kang et al (US PGPub No. 20230222247-A1 ) in view of Davidovich et al. (US PGPub No. 20250013754-A1) , and Salehie et al. (US PGPub No. 20140090071-A1).
With respect to claim 1, Kang teaches an apparatus (¶0026: In other examples, known structures and apparatuses are illustrated in block diagram form in order to facilitate description. ) for verifying a security goal for vehicle cybersecurity, (¶0081-0087: As seen in Figure 3, the mapping results of the security-by-design methodology stored in the database unit 130 of the server 100 may include at least one security step, at least one security step, at least one security activity, and a product. A first step may be a step for security training. Meanwhile, a second step may be a step for initiation and plan. Specifically the security activity of the second step may include at least one of security activities such as security schedule planning and management, security goal setting, and verification of consistency and completeness of a goal (verifying security goal). ).
the apparatus comprising: an input device configured to receive an input of a user; and (¶0123-0125: As seen in Figure 5, the level extraction unit 140 of the server 100 may recognize characteristics of the enterprise and a current status of the security-by-design methodology of the enterprise (S210). As example, the level extraction unit 140 may determine the characteristic and the current status of the enterprise based on information received from the enterprise through a user input unit (not illustrated) and a communication unit (not illustrated). );
Kang does not disclose:
a processor configured to derive a security goal linked to threat mitigation information by performing Threat Analysis Risk Assessment (TARA), and
re-calculate an Attack Feasibility Rating, based on assumption information corresponding to the security goal linked to the threat mitigation information, when entering into a mode TARA (ReCAL) of re-executing the Threat Analysis Risk Assessment to verify completeness of the security goal.
However, Davidovich teaches a processor configured to derive a security goal linked to threat mitigation information by performing Threat Analysis Risk Assessment (TARA), and (¶0071: In some examples, as illustrated in Figure 1D, system 10 receives risk analysis information 90 directly from input subsystem 120. Threat Analysis and Risk Assessment (“TARA”) information 190 directly using the subsystem input 120. In some examples, a user can perform TARA work using the graphical user interface of management subsystem 11 of system 10. Further in ¶0143: Figure 5B, illustrates ah high-level flow of a process of security control optimization subsystem 60 for further optimizing the security control (as defined in ¶0084: The term “security control”, as used herein, means methods that are used to reduce feasibility of the attack step.) implementation list of stage 1650. In some examples, in stage 1700, a risk goal for the item is set. In some examples, the risk goal is at least partially based on data in risk analysis information 190 (as seen in ¶0054 in some examples, risk analysis information 190 contains a description of results of an analysis of the risk of predetermined security threats associated with one or more functionalities. In some examples, risk analysis information comprises Threat Analysis and Risk Assessment (TARA) information, such as defined in ISO/SAE)).).
re-calculate an Attack Feasibility Rating, based on assumption information corresponding to the security goal linked to the threat mitigation information, (¶0210: In the event that one or more security control implementations are implemented on software affected by this bug/vulnerability, risk subsystem 65 can determine that the feasibility rating of the respective security control implementation (i.e., how much the security control implementation reduces the feasibility of any attack step/attack path) is reduced (feasibility rating corresponding to threat mitigation information) , thereby increasing the risk level.) when entering into a mode TARA (ReCAL) of re-executing the Threat Analysis Risk Assessment to verify completeness of the security goal. (¶0149: As seen in Figure 5C, in some examples, in stage 1830, for each security control implementation described above, security control optimization subsystem 60 determines the effect of the respective security control implementation on the overall feasibility of the attack path or attack tree (feasibility rating). In some examples, a score is determined by security optimization subsystem 60 where coverage' is the number of attack paths or attack steps (i.e., the coverage value), in a single attack tree (or attack path) or in a plurality of attack trees (or attack paths) of different threat models; ‘reduced_risk’ is a value indicating how much the overall risk level was reduced by; and ‘max_score’ is a value that is updated every time ‘score’ is greater than the current ‘feasibility max_score’ (newly recalculated feasibility rating). In some examples, ‘reduced_risk’ is determined by risk subsystem 65. It is further noted that the coverage value includes the number of attack paths treated in multiple threats of multiple items by a single security control implementation. In some examples, weights 1-3 are adjustable responsive to a user input. In some examples, ‘score’ is continuously calculated until the risk goal is met or a predetermined time period has elapsed (verifying the completeness of the security goal). ).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention utilize the teachings of Davidovich with regards to deriving a security goal linked to threat mitigation information by performing Threat Analysis Risk Assessment to the method of Kang in order to analyze the risk and impact of cyberattacks on a given component and its functionality (Davidovich ¶0003).
Kang in view of Davidovich does not disclose:
re-executing the Threat Analysis Risk Assessment
Although, Davidovich does explicitly does not disclose the re-execution of an assessment. However, Salehie teaches re-executing the Threat Analysis Risk Assessment (¶0074: Security concerns may change dynamically. For example, the value of asset application variables can be changed, and new vulnerabilities can be introduced by context modifications. These modifications are propagated onto the causal network by updating the value of its nodes 181 and/or its structure 180. Analysis is triggered after a change takes place (¶0094 The proposed approach uses the artifacts generated by security requirements engineering and risk assessment methods by adding an asset model which implies along with the re-calculation of the asset model the risk assessment is also re-executed), in order to re-calculate new utility values for all applicable configurations of security controls . The most appropriate set of security controls, exhibiting the highest utility, is selected and applied onto the running system. ).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention utilize the teachings of Salehie with regards to re-execution of an assessment to the method of Kang in view of Davidovich in order to mitigate risks of future attacks in real time as assets, their values and/or the security context change (Salehie ¶0014).
With respect to claim 2, the combination of Kang in view of Davidovich and Salehie teaches the apparatus of claim 1 (see rejection of claim 1 above), wherein the processor is configured to add the security goal as the assumption information, when defining an item after entering into the mode TARA (ReCAL) of re-executing the Threat Analysis Risk Assessment, and in response to receiving, from the user, the security goal serving as the assumption information. (Davidovich ¶0141-0146: As seen in Figure 5A, in stage 1650, security control optimization subsystem 60 generates a list of identified security control implementations, associated with the respective attack steps of the attack tree (or one or more attack paths) of the respective threat, that can be implemented on the respective item. In Figure 5B illustrates a high-level flow of a process of security control optimization subsystem 60 for further optimizing the security control implementation list of stage 1650. In some examples, in stage 1700, a risk goal for the item is set. In some examples, the risk goal is at least partially based on data in risk analysis information. 190. ).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention utilize the teachings of Davidovich with regards to adding the security goal as the assumption information, when defining an item to the method of Kang in view of Salehie in order to analyze the risk and impact of cyberattacks on a given component and its functionality (Davidovich ¶0003).
With respect to claim 5, the combination of Kang in view of Davidovich and Salehie teaches apparatus of claim 1 (see rejection of claim 1 above) wherein the processor is configured to, when the Attack Feasibility Rating is re-calculated, re-determine a risk value based on the re-calculated Attack Feasibility Rating. (Davidovich ¶0169 & ¶0213: In some examples, the term “risk level”, as used herein, is defined as a predetermined function of the respective feasibility rating and the respective impact value. In some examples, the impact value is a numerical indication of the impact that a particular threat will have on the respective asset (or on the item itself) if the respective threat is realized. In some examples, impact values are assigned numerical values, as known to those skilled in the art.).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention utilize the teachings of Davidovich with regards to a risk value based on the Attack Feasibility Rating to the method of Kang in view of Salechie in order to analyze the risk and impact of cyberattacks on a given component and its functionality (Davidovich ¶0003).
With respect to claim 6, the combination of Kang in view of Davidovich and Salehie teaches the apparatus of claim 5 (see rejection of claim 5 above) wherein the processor is configured to determine a risk treatment scheme based on the re-determined risk value. (Salehie ¶0087-0097: . The FCN 180 is also augmented with the total risk node 1001 and utility node 1003. The total risk node 1001 aggregates all partial risks 1001, whereas the utility node 1003 aggregates a set of costs and benefits. Although the causal network 180 is designed to be used in a fully automatic adaptive mechanism, it may also be employed in a recommender system. Such a system analyzes impacts of asset changes and only recommends potential adjustments in security controls with their costs and benefits.).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention utilize the teachings of Salehie with regards to risk value to the method of Kang in view of Davidovich in order to better configure security controls and parameters in a system in real time while decreasing risk of harm to the system (Salehie ¶0014-0015).
With respect to claim 7, the combination of Kang in view of Davidovich and Salehie teaches the apparatus of claim 6 (see rejection of claim 6 above) wherein the processor is configured to determine whether the risk treatment scheme is a scheme of Risk Acceptable. (Salehie ¶0106: The adaptive security manager applies the security controls that reflect the risk and the value of the assets to be protected, because the causal network computes the utility by taking into account the impact of the satisfaction of the security goals and the risk (Risk Acceptable) . An increase in the asset value can increase both the risk and the criticality of the security goals, however the configuration of security controls with the highest utility is selected as the value of the assets increases, thus more effective countermeasure are selected to guarantee the satisfaction of more critical security goals, and reduce a higher risk.).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention utilize the teachings of Salehie with regards to risk value to the method of Kang in view of Davidovich in order to better configure security controls and parameters in a system in real time while decreasing risk of harm to the system (Salehie ¶0014-0015).
With respect to claim 8, the combination of Kang in view of Davidovich teaches the apparatus of claim 7 (see rejection of claim 7 above) wherein the processor is configured to, when the risk treatment scheme is determined as Risk Acceptable, determine completeness of the security goal as being verified. (Salehie ¶0099: between a security control and a vulnerability (security control-vulnerability relationship) to indicate the impact that a security control has on mitigating that vulnerability; between a security control and a security requirement (security control-requirement relationship) to indicate the impact that a security control has on satisfying that security requirement; between a security requirement and a security goal (security requirement-security goal relationship) to indicate the impact that the satisfaction level of a security requirement has on the achievement of the corresponding security goal (security goal being verified);).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention utilize the teachings of Salehie with regards to risk value to the method of Kang in view of Davidovich in order to better configure security controls and parameters in a system in real time while decreasing risk of harm to the system (Salehie ¶0014-0015).
With respect to claim 9, the combination of Kang in view of Davidovich and Salehie teaches the apparatus of claim 8 (see rejection of claim 8 above) wherein the processor is configured to: generate a result of verification completed, when the completeness of the security goal is determined as being verified, and output the result of the verification completed ( Kang: ¶0063: Meanwhile, in the present disclosure, when the level extraction unit 140 maps only one attribute of the functional correctness, the safety integrity, and the security assurance, the level extraction unit 140 may calculate the level of the corresponding attribute. Alternatively, when two or more attributes are mapped, the level extraction unit 140 may coordinate the level through a security activity execution status. The level produced through such a process may be derived for each security activity. In addition, the result is output in the graph form to determine the security-by-design methodology level at a glance. However, the present disclosure is not limited thereto. Meanwhile, the information generation unit 160 may provide second information for at least one required security activity related to the appropriate security-by-design methodology level of the level desired by the enterprise among at least one security activity included in the mapping result.) through an output device. ( Kang: ¶0181: A monitor 1144 or other types of display devices are also connected to the system bus 1108 through interfaces such as a video adapter 1146, and the like. In addition to the monitor 1144, the computer generally includes other peripheral output devices (not illustrated) such as a speaker, a printer, others.).
With respect to claim 11, Demi teaches a method (¶0009: An exemplary embodiment of the present disclosure provides a method for embodying a security-by-design methodology using a processor of a computing device, which may include: mapping the security-by-design methodology and an evidence-based security methodology ;) for verifying a security goal for vehicle cybersecurity, (¶0081-0087: As seen in Figure 3, the mapping results of the security-by-design methodology stored in the database unit 130 of the server 100 may include at least one security step, at least one security step, at least one security activity, and a product. A first step may be a step for security training. Meanwhile, a second step may be a step for initiation and plan. Specifically the security activity of the second step may include at least one of security activities such as security schedule planning and management, security goal setting, and verification of consistency and completeness of a goal (verifying security goal). ).
Kang does not disclose:
the method comprising: deriving a security goal linked to threat mitigation information by performing Threat Analysis Risk Assessment (TARA); and
re-calculating an Attack Feasibility Rating, based on assumption information corresponding to the security goal linked to the threat mitigation information, when entering into a mode TARA (ReCAL) of re-executing the Threat Analysis Risk Assessment to verify completeness of the security goal.
However, Davidovich teaches the method comprising: deriving a security goal linked to threat mitigation information by performing Threat Analysis Risk Assessment (TARA); and (¶0071: In some examples, as illustrated in Figure 1D, system 10 receives risk analysis information 90 directly from input subsystem 120. Threat Analysis and Risk Assessment (“TARA”) information 190 directly using the subsystem input 120. In some examples, a user can perform TARA work using the graphical user interface of management subsystem 11 of system 10. Further in ¶0143: Figure 5B, illustrates ah high-level flow of a process of security control optimization subsystem 60 for further optimizing the security control (as defined in ¶0084: The term “security control”, as used herein, means methods that are used to reduce feasibility of the attack step.) implementation list of stage 1650. In some examples, in stage 1700, a risk goal for the item is set. In some examples, the risk goal is at least partially based on data in risk analysis information 190 (as seen in ¶0054 in some examples, risk analysis information 190 contains a description of results of an analysis of the risk of predetermined security threats associated with one or more functionalities. In some examples, risk analysis information comprises Threat Analysis and Risk Assessment (TARA) information, such as defined in ISO/SAE)).).
re-calculating an Attack Feasibility Rating, based on assumption information corresponding to the security goal linked to the threat mitigation information, (¶0210: In the event that one or more security control implementations are implemented on software affected by this bug/vulnerability, risk subsystem 65 can determine that the feasibility rating of the respective security control implementation (i.e., how much the security control implementation reduces the feasibility of any attack step/attack path) is reduced (feasibility rating corresponding to threat mitigation information) , thereby increasing the risk level.) when entering into a mode TARA (ReCAL) of re-executing the Threat Analysis Risk Assessment to verify completeness of the security goal. (¶0149: As seen in Figure 5C, in some examples, in stage 1830, for each security control implementation described above, security control optimization subsystem 60 determines the effect of the respective security control implementation on the overall feasibility of the attack path or attack tree (feasibility rating). In some examples, a score is determined by security optimization subsystem 60 where coverage' is the number of attack paths or attack steps (i.e., the coverage value), in a single attack tree (or attack path) or in a plurality of attack trees (or attack paths) of different threat models; ‘reduced_risk’ is a value indicating how much the overall risk level was reduced by; and ‘max_score’ is a value that is updated every time ‘score’ is greater than the current ‘feasibility max_score’ (newly recalculated feasibility rating). In some examples, ‘reduced_risk’ is determined by risk subsystem 65. It is further noted that the coverage value includes the number of attack paths treated in multiple threats of multiple items by a single security control implementation. In some examples, weights 1-3 are adjustable responsive to a user input. In some examples, ‘score’ is continuously calculated until the risk goal is met or a predetermined time period has elapsed (verifying the completeness of the security goal). ).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention utilize the teachings of Davidovich with regards to deriving a security goal linked to threat mitigation information by performing Threat Analysis Risk Assessment to the method of Kang in order to analyze the risk and impact of cyberattacks on a given component and its functionality (Davidovich ¶0003).
Kang in view of Davidovich does not disclose:
re-executing the Threat Analysis Risk Assessment
Although, Davidovich does explicitly does not disclose the re-execution of an assessment. However, Salehie teaches re-executing the Threat Analysis Risk Assessment (¶0074: Security concerns may change dynamically. For example, the value of asset application variables can be changed, and new vulnerabilities can be introduced by context modifications. These modifications are propagated onto the causal network by updating the value of its nodes 181 and/or its structure 180. Analysis is triggered after a change takes place (¶0094 The proposed approach uses the artifacts generated by security requirements engineering and risk assessment methods by adding an asset model which implies along with the re-calculation of the asset model the risk assessment is also re-executed), in order to re-calculate new utility values for all applicable configurations of security controls . The most appropriate set of security controls, exhibiting the highest utility, is selected and applied onto the running system. ).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention utilize the teachings of Salehie with regards to re-execution of an assessment to the method of Kang in view of Davidovich in order to mitigate risks of future attacks in real time as assets, their values and/or the security context change (Salehie ¶0014).
With respect to claim 12, the combination of Kang in view of Davidovich and Salehie teaches the method of claim 11 (see rejection of claim 11 above) a further comprising adding the security goal as the assumption information, when defining an item after entering into the mode (TARA (ReCAL) of re-executing the Threat Analysis Risk Assessment, and in response to receiving, from a user, the security goal serving as the assumption information. (Davidovich ¶0141-0146: As seen in Figure 5A, in stage 1650, security control optimization subsystem 60 generates a list of identified security control implementations, associated with the respective attack steps of the attack tree (or one or more attack paths) of the respective threat, that can be implemented on the respective item. In Figure 5B illustrates a high-level flow of a process of security control optimization subsystem 60 for further optimizing the security control implementation list of stage 1650. In some examples, in stage 1700, a risk goal for the item is set. In some examples, the risk goal is at least partially based on data in risk analysis information. 190. ).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention utilize the teachings of Davidovich with regards to adding the security goal as the assumption information, when defining an item to the method of Kang in view of Salehie in order to analyze the risk and impact of cyberattacks on a given component and its functionality (Davidovich ¶0003).
With respect to claim 15, the combination of Kang in view of Davidovich and Salehie teaches the method of claim 11 (see rejection of claim 11 above) further comprising, when the Attack Feasibility Rating is re-calculated, re-determining a risk value based on the re-calculated Attack Feasibility Rating. (Davidovich ¶0169 & ¶0213: In some examples, the term “risk level”, as used herein, is defined as a predetermined function of the respective feasibility rating and the respective impact value. In some examples, the impact value is a numerical indication of the impact that a particular threat will have on the respective asset (or on the item itself) if the respective threat is realized. In some examples, impact values are assigned numerical values, as known to those skilled in the art.).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention utilize the teachings of Davidovich with regards to a risk value based on the Attack Feasibility Rating to the method of Kang in view of Salechie in order to analyze the risk and impact of cyberattacks on a given component and its functionality (Davidovich ¶0003).
With respect to claim 16, the combination of Kang in view of Davidovich and Salehie teaches the method of claim 15 (see rejection of claim 15 above) further comprising determining a risk treatment scheme based on the re-determined risk value. (Salehie ¶0087-0097: . The FCN 180 is also augmented with the total risk node 1001 and utility node 1003. The total risk node 1001 aggregates all partial risks 1001, whereas the utility node 1003 aggregates a set of costs and benefits. Although the causal network 180 is designed to be used in a fully automatic adaptive mechanism, it may also be employed in a recommender system. Such a system analyzes impacts of asset changes and only recommends potential adjustments in security controls with their costs and benefits.).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention utilize the teachings of Salehie with regards to risk value to the method of Kang in view of Davidovich in order to better configure security controls and parameters in a system in real time while decreasing risk of harm to the system (Salehie ¶0014-0015).
With respect to claim 17, the combination of Kang in view of Davidovich and Salehie teaches the method of claim 16 (see rejection of claim 16 above) further comprising determining whether the risk treatment scheme is a scheme of Risk Acceptable. (Salehie ¶0106: The adaptive security manager applies the security controls that reflect the risk and the value of the assets to be protected, because the causal network computes the utility by taking into account the impact of the satisfaction of the security goals and the risk (Risk Acceptable) . An increase in the asset value can increase both the risk and the criticality of the security goals, however the configuration of security controls with the highest utility is selected as the value of the assets increases, thus more effective countermeasure are selected to guarantee the satisfaction of more critical security goals, and reduce a higher risk.).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention utilize the teachings of Salehie with regards to risk value to the method of Kang in view of Davidovich in order to better configure security controls and parameters in a system in real time while decreasing risk of harm to the system (Salehie ¶0014-0015).
With respect to claim 18, the combination of Kang in view of Davidovich and Salehie teaches the method of claim 17 (see rejection of claim 17 above) further comprising, when the risk treatment scheme is determined as Risk Acceptable, determining completeness of the security goal as being verified. (Salehie ¶0099: between a security control and a vulnerability (security control-vulnerability relationship) to indicate the impact that a security control has on mitigating that vulnerability; between a security control and a security requirement (security control-requirement relationship) to indicate the impact that a security control has on satisfying that security requirement; between a security requirement and a security goal (security requirement-security goal relationship) to indicate the impact that the satisfaction level of a security requirement has on the achievement of the corresponding security goal (security goal being verified);).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention utilize the teachings of Salehie with regards to risk value to the method of Kang in view of Davidovich in order to better configure security controls and parameters in a system in real time while decreasing risk of harm to the system (Salehie ¶0014-0015).
With respect to claim 19, the combination of Kang in view of Davidovich and Salehie teaches the method of claim 18 (see rejection of claim 18 above) but does not disclose further comprising: generating a result of verification completed, when the completeness of the security goal is determined as being verified, and outputting the result of the verification completed ( Kang: ¶0063: Meanwhile, in the present disclosure, when the level extraction unit 140 maps only one attribute of the functional correctness, the safety integrity, and the security assurance, the level extraction unit 140 may calculate the level of the corresponding attribute. Alternatively, when two or more attributes are mapped, the level extraction unit 140 may coordinate the level through a security activity execution status. The level produced through such a process may be derived for each security activity. In addition, the result is output in the graph form to determine the security-by-design methodology level at a glance. However, the present disclosure is not limited thereto. Meanwhile, the information generation unit 160 may provide second information for at least one required security activity related to the appropriate security-by-design methodology level of the level desired by the enterprise among at least one security activity included in the mapping result.) through an output device. ( Kang: ¶0181: A monitor 1144 or other types of display devices are also connected to the system bus 1108 through interfaces such as a video adapter 1146, and the like. In addition to the monitor 1144, the computer generally includes other peripheral output devices (not illustrated) such as a speaker, a printer, others.).
Claims 3, 4, 13, and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Kang et al (US PGPub No. 20230222247-A1 ) in view of Davidovich et al. (US PGPub No. 20250013754-A1) , Salehie et al. (US PGPub No. 20140090071-A1), and Chen et al. (US PGPub No. 20090077666-A1 ) .
With respect to claim 3, the combination of Kang in view of Davidovich and Salehie teaches the apparatus of claim 1 (see rejection of claim 1 above) but does not disclose, wherein the processor is configured to generate mapping information by mapping, based on a pre-stored database, i) threat mitigation information, derived with respect to each threat, among one or more threats, for each attack path, among one or more attack paths, based on a threat scenario to ii) treatment mitigation information linked to the security goal.
However, Chen teaches wherein the processor is configured to generate mapping information by mapping, based on a pre-stored database, (¶0078-0081: T-MAP tool automates T-MAP to reduce the necessary human effort involved in security assessment. T-MAP tool can enumerate the possible attack scenarios for IT systems based on a vulnerability database that includes the information of more than 27,400 known software vulnerabilities. Each attack scenario can be specified with the following information: (1) the organizational value affected; (2) the vulnerable computer; (3) the vulnerable software; (4) the CVE name of the vulnerability; (5) the impact type of the vulnerability in terms of confidentiality, integrity, and/or availability; and (6) the patch availability of the vulnerability. A comprehensive COTS security vulnerability database is established 190 across current authority resources such as NIST, CERT, Microsoft, Symantec, and FrSIRT. Further, an automated tool is developed 195 to scrawl Internet resources across authority organizations such as NIST National Vulnerability Database (NVD), ISS, Microsoft, SANS, CERT, Symantec/BugTraq and FrSIRT to collect and update the vulnerability database continuously.) i) threat mitigation information, derived with r