DETAILED ACTION
2. The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
2. Claims 1-20 are pending. Claims 1, 8 and 15 are independent.
3. The IDS submitted on 8/17/2024 has been entered.
Claim Rejections - 35 USC § 102
4. In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
5. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.
6. Claims 1-4, 7-15 and 18-20 are rejected under 35 U.S.C. 102 as being anticipated by Soliman (US Patent 11,734,423).
As regarding claim 1, Soliman discloses A method comprising:
identifying a plurality of correlations among a plurality of alerts [col. 3 lines 17-37; correlating alerts sharing a common attribute];
constructing an incident graph in which vertices represent the plurality of alerts and edges represent the plurality of correlations [col. 4 lines 13-22; constructing attack graph];
pruning redundant edges from the incident graph [col. 6 lines 63-67; redundant graph edge is not generated in attack graph]; and
performing a security operation based on the pruned incident graph [col. 7 line 46 thru col. 8 line 21; performing remedial action].
As regarding claim 2, Soliman further discloses The method of claim 1, wherein identifying an individual correlation comprises identifying a pair of alerts that share an attribute [col. 3 lines 17-37; correlating alerts sharing a common attribute].
As regarding claim 3, Soliman further discloses The method of claim 2, wherein the shared attribute of the pair of alerts comprises a shared IP address, a shared username, or a shared session identifier [col. 12 lines 10-14 and col. 5 lines 50-65].
As regarding claim 4, Soliman further discloses The method of claim 2, wherein the attribute is associated with a time window, and wherein identifying the individual correlation comprises determining that the pair of alerts occurred within the time window [col. 1 line 62 thru col. 2 line 14 and col. 14 line 54 thru col. 15 line 13; correlating cybersecurity alerts received over a period of time].
As regarding claim 7, Soliman further discloses The method of claim 1, wherein performing the security operation comprises sending a report that includes the pruned incident graph as part of a description of an incident [col. 8 lines 2-9; performing remedial action].
As regarding claim 8, Soliman discloses A system comprising:
a processing unit [col. 1 line 62 thru col. 2 line 29; processor]; and
a computer-readable storage medium having computer-executable instructions stored thereupon, which, when executed by the processing unit, cause the processing unit [col. 1 line 62 thru col. 2 line 29; processor; processor-readable medium storing instructions] to:
receive a plurality of alerts [col. 1 line 62 thru col. 2 line 29; receiving cybersecurity alerts];
identify a plurality of pairwise correlations among the plurality of alerts, wherein an individual pair of alerts correlate by: having a shared attribute, and occurring within an attribute-specific time window [col. 1 line 62 thru col. 2 line 14 and col. 14 line 54 thru col. 15 line 13; correlating cybersecurity alerts received over a period of time];
construct an incident graph in which vertices represent the plurality of alerts and edges represent the plurality of pairwise correlations [col. 4 lines 13-22; constructing attack graph];
prune a redundant edge from the incident graph [col. 6 lines 63-67; redundant graph edge is not generated in attack graph]; and
perform a security operation based on the pruned incident graph [col. 7 line 46 thru col. 8 line 21; performing remedial action].
As regarding claim 9, Soliman further discloses The system of claim 8, wherein redundant edges are pruned using a minimum spanning tree algorithm [col. 4 lines 23-27; applications of greedy algorithm including Kruskal’s and Prim’s minimum spanning tree algorithm].
As regarding claim 10, Soliman further discloses The system of claim 8, wherein the attribute-specific time window begins when an earlier of the individual pair of alerts occurred [col. 1 line 62 thru col. 2 line 14 and col. 14 line 54 thru col. 15 line 13; correlating cybersecurity alerts received over a period of time].
As regarding claim 11, Soliman further discloses The system of claim 8, wherein individual attribute-specific time windows are longer for higher-fidelity attributes [col. 1 line 62 thru col. 2 line 14 and col. 14 line 54 thru col. 15 line 13; correlating cybersecurity alerts received over a period of time].
As regarding claim 12, Soliman further discloses The system of claim 8, wherein the security operation automatically counters an incident described by the incident graph [col. 7 line 46 thru col. 8 line 21; performing remedial action].
As regarding claim 13, Soliman further discloses The system of claim 8, wherein the plurality of pairwise correlations are filtered based on an indication from threat intelligence data about a shared attribute [col. 6 lines 63-67; redundant graph edge is not generated in attack graph].
As regarding claim 14, Soliman further discloses The system of claim 13, wherein threat intelligence data indicates an IP address or a file are associated with malicious use [col. 12 lines 10-14 and col. 5 lines 50-65].
As regarding claim 15, Soliman discloses A computer-readable storage medium having encoded thereon computer-readable instructions that when executed by a processing unit causes a system to:
receive a plurality of alerts [col. 1 line 62 thru col. 2 line 29; receiving cybersecurity alerts];
identify a plurality of pairwise correlations among the plurality of alerts, wherein an individual pair of alerts correlate by: having a shared attribute, and occurring within an attribute-specific time window [col. 1 line 62 thru col. 2 line 14 and col. 14 line 54 thru col. 15 line 13; correlating cybersecurity alerts received over a period of time];
construct an incident graph in which vertices represent the plurality of alerts and edges represent the plurality of pairwise correlations [col. 4 lines 13-22; constructing attack graph];
prune redundant edges from the incident graph [col. 6 lines 63-67; redundant graph edge is not generated in attack graph]; and
perform a security operation based on the pruned incident graph [col. 7 line 46 thru col. 8 line 21; performing remedial action].
As regarding claim 18, Soliman further discloses The computer-readable storage medium of claim 15, wherein the individual pair of alerts have a non-shared attribute, and wherein the instructions further cause the system to: omit the individual pair of alerts from the incident graph based on a determination that the individual pair of alerts have the non-shared attribute [col. 6 lines 15-22 and col. 12 lines 42-62; second cybersecurity alert associated with a second attribute different from the first attribute].
As regarding claim 19, Soliman further discloses The computer-readable storage medium of claim 15, wherein the incident graph comprises any alert that is connected to the individual pair of alerts by any number of edges [col. 4 lines 13-22].
As regarding claim 20, Soliman further discloses The computer-readable storage medium of claim 15, wherein the plurality of pairwise correlations are identified by incrementally performing a join operation on the plurality of alerts for a plurality of attributes [col. 6 lines 15-32; each alert attribute is associated with a different bucket].
Claim Rejections - 35 USC § 103
7. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
8. Claims 5, 6 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Soliman (US Patent 11,734,423) in view of Jakobsson (US PG Pub. 2024/0089285).
As regarding claim 5, Soliman does not explicitly disclose that the time window is increased based on a determination that the attribute indicates a heightened security risk. However, Jakobsson discloses it [para. 68; increasing the time period based on the number of malicious messages exceeding multiple thresholds].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify Soliman's system to further comprise the missing claim limitation, as disclosed by Jakobsson, in order to determine the level of severity of the security risk.
As regarding claim 6, Soliman and Jakobsson further disclose The method of claim 5, wherein the attribute comprises an IP address [Soliman col. 12 lines 10-14 and col. 5 lines 50-65], and wherein the determination that the attribute indicates a heightened security risk comprises identifying the IP address in a list of malicious IP addresses [Jakobsson para. 128].
As regarding claim 16, Soliman and Jakobsson further disclose The computer-readable storage medium of claim 15, wherein the attribute-specific time window is adjusted based on the shared attribute being associated with malicious activity [Jakobsson para. 68; increasing the time period based on the number of malicious messages exceeding multiple thresholds].
9. Claim 17 is rejected under 35 U.S.C. 103 as being unpatentable over Soliman (US Patent 11,734,423) in view of Jakobsson (US PG Pub. 2024/0089285) and further in view of Kraft (US PG Pub. 2025/0358297).
As regarding claim 17, Soliman and Jakobsson do not explicitly disclose associations between attributes and malicious activity are refined with a human-in-the-loop feedback system. However, Kraft discloses it [para. 42, 53 and 76].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify Soliman and Jakobsson's system to further comprise the missing claim limitation, as disclosed by Kraft, in order to enhance cybersecurity incident management [Kraft para. 76].
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to THONG P TRUONG whose telephone number is (571)270-7905. The examiner can normally be reached on M-F 8:30AM - 5:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, Applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu can be reached on 57127267986798. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/THONG TRUONG/
Examiner, Art Unit 2433
/JEFFREY C PWU/Supervisory Patent Examiner, Art Unit 2433