Prosecution Insights
Last updated: May 29, 2026
Application No. 18/755,596

AUTOMATIC INCIDENT IDENTIFICATION, INVESTIGATION, AND NEXT-STEP PREDICTION

Non-Final OA: §101, §103
Filed
Jun 26, 2024
Examiner
BROWN, CHRISTOPHER J
Art Unit
2439
Tech Center
2400 — Computer Networks
Assignee
Microsoft Technology Licensing, LLC
OA Round
1 (Non-Final)
Grant Probability: 75% (Favorable)
OA Rounds: 1-2
Est. Remaining: 1y 6m
With Interview: 88%

Examiner Intelligence

Career Allowance Rate: 75% (above average; 534 granted / 709 resolved; +17.3% vs TC avg)
Interview Lift: +13.1% (moderate lift, measured over resolved cases with interview)
Avg Prosecution: 3y 5m (typical timeline; 25 currently pending)
Total Applications: 748 across all art units (career history)

Statute-Specific Performance

§101: 0.6% (-39.4% vs TC avg)
§103: 92.6% (+52.6% vs TC avg)
§102: 3.6% (-36.4% vs TC avg)
§112: 1.3% (-38.7% vs TC avg)
Based on career data from 709 resolved cases; comparison figures are against the Tech Center average estimate.

Office Action

§101, §103
Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 101

35 U.S.C. 101 reads as follows: Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1-12, 14-16 and 18-20 are rejected under 35 USC 101 as being directed to an abstract idea without being integrated into a practical application or being significantly more.

Regarding claims 1, 8 and 15, the claims recite the limitations “matching the security incident signal embedding to one of the plurality of attack campaign embeddings;” and “determining that an instance of the attack campaign has begun…;” Broadly interpreted, the aforementioned steps are directed to mental processes as said steps could be performed in the human mind. Therefore, the claims recite an abstract idea. Said abstract idea and/or judicial exception is not integrated into a practical application as the claim does not recite any other active steps that could be considered that the abstract idea is being integrated into a practical application. It’s noted that the claims recite the operations “obtaining a security incident signal …;” “obtaining a plurality of attack campaign step embeddings…” and “generating a security alert ….” However, said operations are not sufficient to consider that the abstract idea is being integrated into a practical application. Said operations are recited at a high level of generality in gathering/processing/storing information, which are a form of insignificant extra-solution activity.

It’s also noted that the step of “generating a security alert …” is generally not sufficient on its own to transform an abstract idea into a patent-eligible practical application and said step is also considered as insignificant extra-solution activity; See MPEP §2106.04-§2106.05; see also Digitech v. Electronics for Imaging (Fed. Cir. 2014) and Hawk Tech. Sys. LLC v. Castle Retail LLC (Fed. Cir. 2023); Amdocs (Israel) Limited v. Openet Telecom, Inc. (Fed. Cir. 2016). It’s also noted that claims 8 and 15 recite additional limitations/elements (i.e., system, processing unit, memory, etc.). However, said additional elements are recited at a high level of generality (i.e., as a generic computing device performing generic computer functions) such that they amount to no more than mere instructions to apply the exception or abstract idea using generic computer components. Accordingly, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea. The claims do not include additional elements/limitations/embodiments that are sufficient to amount to significantly more than the judicial exception because the additional elements, when considered both individually and as an ordered combination, do not amount to significantly more than the abstract idea. As mentioned above, although the claims recite additional elements, said elements, taken individually or as a combination, do not result in the claim amounting to significantly more than the abstract idea because the additional elements perform generic computer content distributing functions routinely used in the information technology field. As discussed above, the additional elements are recited at a high level of generality such that they amount to no more than mere instructions to apply the exception using a generic computer component. Therefore, the claim is directed to non-statutory subject matter.

Regarding claims 2-7, 9-12, 14, 16 and 18-20, claims 2-7, 9-12, 14, 16 and 18-20 are also rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter for the same reasons addressed above, as the claims recite an abstract idea and the claims do not positively recite any other operations that could be considered as the abstract idea being integrated into a practical application or significantly more. It’s noted that claim 7 recites the limitations: “generating a telemetry query …;” “performing the telemetry query ….” “receiving a result …;” and “determining that the telemetry query result embedding matches …” Said steps are either directed to mental processes and/or in a form of insignificant extra-solution activities; the aforementioned steps are not sufficient to consider that the abstract idea is being integrated into a practical application or significantly more. Therefore, claims 2-7, 9-12, 14, 16 and 18-20 are also rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter.

Examiner’s Notes

Examiner notes that claims 8-20 recite a “computer-readable storage medium”. The specification has defined a “computer-readable storage medium” as completely separate from a signal, and thus they are not rejected as non-patentable subject matter.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1-6 is/are rejected under 35 U.S.C. 103 as being unpatentable over Doron US 2019/0182274 in view of Siracusano US 2024/0411994.

As per claim 1. Doron teaches A method comprising: receiving a security incident signal; obtaining a security incident signal embedding that represents the security incident signal; [0033][0034][0035] (teaches an attack detector and creating signatures of attack based on embedding process). Doron teaches obtaining a plurality of attack campaign step embeddings that represent a plurality of attack campaign steps of an attack campaign, wherein the plurality of attack campaign steps of the attack campaign are inferred from a text description of the attack campaign; [0038][0039][0067] (teaches learning a sequence of attacks based on individual sets of attacks including a text description with a set of attributes). Doron teaches matching the security incident signal embedding to one of the plurality of attack campaign step embeddings; [0034][0035] (teaches matching security incident embedding to a learned sequence embedding). Doron teaches determining that an instance of the attack campaign has begun based in part on a determination that a threshold of attack campaign step embeddings match individual security incident signal embeddings; [0049][0053]-[0057] [0067][0069][0071] (teaches matching security incident and following incidents to a historical sequence of attack steps, where a match is compared against a predefined threshold). Doron teaches and generating a security alert indicating that the instance of the attack campaign has begun. [0057][0058][0064][0072] (teaches comparison to a threshold and in response scoring the attack and alerting a mitigation engine to take appropriate action). While Doron teaches uses of text description for attack events, and Examiner argues that this anticipates the claims as stated, Examiner includes Siracusano for a more articulate and explicit teaching. Siracusano teaches wherein the plurality of attack campaign steps of the attack campaign are inferred from a text description of the attack campaign. [0208][0214][0225][0226] (teaches extraction of attack pattern using LLM to extract embeddings). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to use the extraction of Siracusano with the prior art because it improves detection and decision making.

As per claim 2. The method of claim 1, Doron teaches wherein the security incident signal comprises an alert that describes a potential security threat to a device. [0033] (event upon attack detection)

As per claim 3. The method of claim 1, Doron does not teach the following: Siracusano teaches wherein the security incident signal comprises an indication of a vulnerable configuration of a device. [0151] (vulnerability). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to use the extraction of Siracusano with the prior art because it improves detection and decision making.

As per claim 4. The method of claim 1, Doron teaches wherein the security incident signal comprises a behavioral anomaly of a device. [0033] (suspicious behavior)

As per claim 5. The method of claim 1, Doron teaches wherein the security incident signal indicates an operation performed by a computing device or a state of the computing device and wherein the plurality of attack campaign step embeddings are precomputed. [0035][0039] [0042]-[0046][0067] (teaches training based on historic attack campaign step embeddings and comparing to current incident)

As per claim 6. The method of claim 1, wherein Doron teaches the security incident signal embedding and the plurality of attack campaign step embeddings are obtained from an embedding generation machine learning model. [0042][0045][0063][0067] (teaches a machine learning model of attack sequences using embedding practices)

Claim(s) 7, 9, 10, 11, 15-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Doron US 2019/0182274 in view of Siracusano US 2024/0411994 in view of Zhang US 2022/0342990.

As per claim 7. The method of claim 1, further comprising: Doron teaches determining that a missing attack campaign step of the plurality of attack campaign steps does not match with a security incident signal; [0015][0025][0035][0039] (teaches comparison of steps to an attack campaign profile and thus would detect matching and not matching signals). Doron teaches generating a telemetry query that determines if the missing attack campaign step was performed; performing the telemetry query on a telemetry log; (teaches comparing vectors made of telemetry such as IP address, packets etc.) [0039] [0043]. Doron teaches receiving a result of the telemetry query; obtaining a telemetry query result embedding of the result of the telemetry query; [0039] [0043]. Doron teaches and determining that the telemetry query result embedding matches an embedding of the missing attack campaign step, wherein determining that the attack campaign has occurred on the device is based in part on a determination that the threshold of attack campaign step embeddings match individual security incident signal embeddings or individual telemetry query result embeddings. [0057][0061] (teaches determining a campaign has occurred based on a threshold matching). Doron teaches use of telemetry data but Doron and Siracusano fail to explicitly teach “telemetry query”. Zhang more explicitly teaches a telemetry query and using the telemetry log to determine an attack campaign step. [0018][0021] [0034] [0045][0053] (teaches telemetry data analysis in comparison to historic telemetry in order to determine a malware campaign compared to a threshold). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention because it improves the efficiency of malware detection [0014].

As per claim 9. The system of claim 8, Doron teaches wherein the plurality of attack campaign steps are inferred by an attack decomposition machine learning model from a description of the attack campaign. [0038][0039][0067] (teaches learning a sequence of attacks based on individual sets of attacks including a text description with a set of attributes). Siracusano teaches wherein the plurality of attack campaign steps of the attack campaign are inferred from a text description of the attack campaign. [0208][0214][0225][0226] (teaches extraction of attack pattern using LLM to extract embeddings). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to use the extraction of Siracusano with the prior art because it improves detection and decision making.

As per claim 10. The system of claim 8, Doron teaches wherein the plurality of attack campaign steps are inferred in part from structured data that describes an aspect of the attack campaign. [0038]. Siracusano more explicitly teaches “structured data”. [0140] (structured data). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to use the extraction of Siracusano with the prior art because it improves detection and decision making.

As per claim 11. The system of claim 10, Doron teaches wherein the structured data includes a malicious IP address, a file hash of malware, or a process name of a malicious executable. [0039] (IP address). Siracusano teaches the structured data includes a malicious IP address, a file hash of malware, or a process name of a malicious executable. [0140] (IP address). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to use the extraction of Siracusano with the prior art because it improves detection and decision making.

As per claim 15. Doron teaches A computer-readable storage medium having encoded thereon computer-readable instructions that when executed by a processing unit causes a system to: obtain, from an embedding generation machine learning model, a plurality of attack campaign step embeddings that represent a plurality of attack campaign steps of an attack campaign in an embedding space, [0033][0034][0035] (teaches an attack detector and creating signatures of attack based on embedding process). Doron teaches wherein the plurality of attack campaign steps of the attack campaign are inferred by an attack decomposition machine learning model from a text description of the attack campaign; [0038][0039][0067] (teaches learning a sequence of attacks based on individual sets of attacks including a text description with a set of attributes). Doron teaches generate, with a query generation machine learning model, a telemetry query that determines if an unmatched one of the plurality of attack campaign steps has been performed by a computing device; perform the telemetry query on a telemetry log; Doron teaches receive a response to the telemetry query; obtain, with the embedding generation machine learning model, a custom query response embedding from the response; [0015][0025][0035][0039] (teaches comparison of steps to an attack campaign profile and thus would detect matching and not matching signals) [0049][0053]-[0057] [0067][0069][0071] (teaches matching security incident and following incidents to a historical sequence of attack steps, where a match is compared against a predefined threshold). Doron teaches determine that an instance of the attack campaign has begun based in part on a determination that a threshold of attack campaign step embeddings match individual custom query response embeddings; generate a security alert indicating that the instance of the attack campaign has begun. [0049][0053]-[0057] [0067][0069][0071] (teaches matching security incident and following incidents to a historical sequence of attack steps, where a match is compared against a predefined threshold) [0057][0058][0064][0072] (teaches comparison to a threshold and in response scoring the attack and alerting a mitigation engine to take appropriate action). While Doron teaches uses of text description for attack events, and Examiner argues that this anticipates the claims as stated, Examiner includes Siracusano for a more articulate and explicit teaching. Siracusano teaches wherein the plurality of attack campaign steps of the attack campaign are inferred from a text description of the attack campaign. [0208][0214][0225][0226] (teaches extraction of attack pattern using LLM to extract embeddings). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to use the extraction of Siracusano with the prior art because it improves detection and decision making. Doron and Siracusano fail to explicitly teach “telemetry query”. Zhang more explicitly teaches a telemetry query and using the telemetry log to determine an attack campaign step. [0018][0021] [0034] [0045][0053] (teaches telemetry data analysis in comparison to historic telemetry in order to determine a malware campaign compared to a threshold). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention because it improves the efficiency of malware detection [0014].

As per claim 16. The computer-readable storage medium of claim 15, Doron teaches wherein the instructions further cause the system to: identify one of the plurality of attack campaign steps of the attack campaign that does not match a custom query response as a predicted next step. [0015][0025][0035][0039] (teaches comparison of steps to an attack campaign profile and thus would detect matching and not matching signals)

As per claim 17. The computer-readable storage medium of claim 16, Doron teaches wherein the instructions further cause the system to: invoke an operation that protects against or prevents the predicted next step. [0064] (mitigation steps)

As per claim 18. The computer-readable storage medium of claim 15, Doron teaches wherein the instructions further cause the system to: generate an explanation of the attack campaign including an indication of executed attack campaign steps of the plurality of attack campaign steps. [0035][0064] (teaches prediction of next attack steps including prevention)

As per claim 19. The computer-readable storage medium of claim 15, Doron teaches wherein the instructions further cause the system to: receive a security incident signal; and obtain, from the embedding generation machine learning model, a security incident signal embedding that represents the security incident signal in the embedding space, wherein the determination that the instance of the attack campaign has begun is based in part on a determination that the threshold of attack campaign step embeddings match individual security incident signal embeddings or individual custom query response embeddings. [0049][0053]-[0057] [0067][0069][0071] (teaches matching security incident and following incidents to a historical sequence of attack steps, where a match is compared against a predefined threshold, including using embedding distance comparison between vectors)

As per claim 20. The computer-readable storage medium of claim 15, Doron teaches wherein an individual attack campaign step embedding matches an individual security incident signal embedding when a distance between the individual attack campaign step embedding and the individual security incident signal embedding is less than a defined distance in the embedding space. [0049][0053]-[0057] [0067][0069][0071] (teaches matching security incident and following incidents to a historical sequence of attack steps, where a match is compared against a predefined threshold, including using embedding distance comparison between vectors)

Claim(s) 8, 12, 13, 14 is/are rejected under 35 U.S.C. 103 as being unpatentable over Doron US 2019/0182274 in view of Zhang US 2022/0342990.

As per claim 8. Doron teaches A system comprising: a processing unit; and a computer-readable storage medium having computer-executable instructions stored thereupon, which, when executed by the processing unit, cause the processing unit to: receive a security incident signal; obtain, from an embedding generation machine learning model, a security incident signal embedding that represents the signal in an embedding space; [0042][0045][0063][0067] (teaches a machine learning model of attack sequences using embedding practices). Doron teaches obtain, from the embedding generation machine learning model, a plurality of attack campaign step embeddings that represent a plurality of attack campaign steps of an attack campaign in the embedding space; [0038][0039][0067] (teaches learning a sequence of attacks based on individual sets of attacks including a text description with a set of attributes). Doron teaches match the security incident signal embedding to at least one of the plurality of attack campaign step embeddings; [0015][0025][0035][0039] (teaches comparison of steps to an attack campaign profile and thus would detect matching and not matching signals). Doron teaches generate, with a query generation machine learning model, a telemetry query that determines if an unmatched one of the plurality of attack campaign steps has been performed; perform the telemetry query on a telemetry log; receive a response to the telemetry query; obtain, with the embedding generation machine learning model, a custom query response embedding from the response; [0039] [0043] [0057][0061] (teaches determining a campaign has occurred based on a threshold matching, and based on telemetry information). Doron teaches determine that an instance of the attack campaign has begun based in part on a determination that a threshold of attack campaign step embeddings match individual security incident signal embeddings or individual custom query response embeddings; generate a security alert indicating that the instance of the attack campaign has begun. [0049][0053]-[0057] [0067][0069][0071] (teaches matching security incident and following incidents to a historical sequence of attack steps, where a match is compared against a predefined threshold). Zhang more explicitly teaches a telemetry query and using the telemetry log to determine an attack campaign step. [0018][0021] [0034] [0045][0053] (teaches telemetry data analysis in comparison to historic telemetry in order to determine a malware campaign compared to a threshold). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention because it improves the efficiency of malware detection [0014].

As per claim 12. The system of claim 8, Doron and Siracusano fail to teach the following: Zhang teaches wherein the security incident signal comprises an alert generated in response to a query of the telemetry log. [0014][0015] (sending notifications in response to telemetry analysis). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention because it improves the efficiency of malware detection [0014].

As per claim 13. The system of claim 8, Doron teaches wherein the security incident signal comprises a first security incident signal, wherein the attack campaign is selected from a plurality of candidate attack campaigns that include attack campaign steps that match with the first security incident signal, and wherein the computer-executable instructions further cause the processing unit to: receive a second security incident signal; and remove attack campaigns that do not include attack campaign steps that match with the second security incident signal from the plurality of candidate attack campaigns. [0049][0053]-[0057] [0067][0069][0071] (teaches matching security incident and following incidents to a historical sequence of attack steps, where a match is compared against a predefined threshold; the sequences that do not match would not be considered further)

As per claim 14. The system of claim 8, Doron teaches wherein the attack campaign is obtained from a blog post, documentation of a penetration testing tool, or a threat intelligence database. [0038] (database)

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHRISTOPHER BROWN whose telephone number is (571)272-3833. The examiner can normally be reached M-F 8-5. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham, can be reached at (571) 270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center.

Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/CHRISTOPHER J BROWN/ Primary Examiner, Art Unit 2439
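The claims argued over above (claim 1's threshold of matched steps, claim 13's narrowing of candidate campaigns as further signals arrive, claim 16's predicted next step, and claim 20's distance-based match) describe one detection loop. The following is an added illustration of that loop and is not code from the application, the office action, or any cited reference: the campaign step vectors, the match distance and the step threshold are all constructed by hand, standing in for the embedding model the claims assume.

```python
"""Toy attack-campaign matcher over constructed embeddings (added example)."""
import math
from dataclasses import dataclass, field

# Constructed 3-dimensional stand-ins for step embeddings. A real system would
# obtain these from an embedding model (assumed); the values are illustrative.
CAMPAIGNS = {
    "credential-theft": {
        "phishing email delivered": (1.0, 0.0, 0.0),
        "credential dump tool executed": (0.0, 1.0, 0.0),
        "lateral movement via remote service": (0.0, 0.0, 1.0),
    },
    "ransomware": {
        "phishing email delivered": (1.0, 0.0, 0.0),
        "shadow copies deleted": (0.7, 0.7, 0.0),
        "mass file encryption": (0.0, 0.7, 0.7),
    },
}

MATCH_DISTANCE = 0.3  # claim 20: a step matches when the distance is below a defined value
STEP_THRESHOLD = 2    # claim 1: the campaign "has begun" once this many steps have matched


def distance(a, b):
    """Euclidean distance between two embeddings of equal length."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def match_step(signal_embedding, steps):
    """Return the closest step name within MATCH_DISTANCE, or None if nothing matches."""
    best = min(steps, key=lambda name: distance(signal_embedding, steps[name]))
    return best if distance(signal_embedding, steps[best]) < MATCH_DISTANCE else None


@dataclass
class CampaignTracker:
    # Candidate campaigns still consistent with every signal seen so far.
    candidates: dict = field(default_factory=lambda: dict(CAMPAIGNS))
    # campaign name -> set of step names matched by some signal
    matched: dict = field(default_factory=dict)

    def observe(self, signal_embedding):
        """Claim 13: keep only candidates with a step that matches the new signal."""
        remaining = {}
        for name, steps in self.candidates.items():
            step = match_step(signal_embedding, steps)
            if step is not None:
                remaining[name] = steps
                self.matched.setdefault(name, set()).add(step)
        self.candidates = remaining
        return sorted(remaining)

    def begun(self):
        """Claim 1: surviving candidates whose matched-step count reaches the threshold."""
        return sorted(name for name in self.candidates
                      if len(self.matched.get(name, ())) >= STEP_THRESHOLD)

    def alerts(self):
        """Security alert text for every campaign judged to have begun."""
        return [f"attack campaign '{name}' has begun" for name in self.begun()]

    def predicted_next_step(self, campaign):
        """Claim 16: the first campaign step not yet matched by any signal."""
        for step in CAMPAIGNS[campaign]:
            if step not in self.matched.get(campaign, set()):
                return step
        return None


if __name__ == "__main__":
    tracker = CampaignTracker()
    print(tracker.observe((1.0, 0.0, 0.0)))   # both campaigns start with phishing
    print(tracker.observe((0.0, 0.9, 0.1)))   # close to "credential dump tool executed"
    print(tracker.alerts())
    print(tracker.predicted_next_step("credential-theft"))
```

A signal that matches no step of any surviving candidate empties the candidate set, which is the literal behaviour claim 13 recites; a deployment would more likely keep a per-campaign miss count than discard everything on one unrelated signal.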

Prosecution Timeline

Jun 26, 2024: Application Filed
Apr 23, 2026: Non-Final Rejection mailed (§101, §103; current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12641111: Automated Security Analysis of Software Libraries (2y 5m to grant; granted May 26, 2026)
Patent 12621339: SYSTEM AND METHOD FOR PROVIDING SECURITY POSTURE MANAGEMENT FOR AI APPLICATIONS (2y 5m to grant; granted May 05, 2026)
Patent 12615280: DETECTING POLYMORPHIC BOTNETS USING AN IMAGE RECOGNITION PLATFORM (2y 9m to grant; granted Apr 28, 2026)
Patent 12615289: ROGUE DEVICE DETECTION INCLUDING MAC ADDRESS SPOOFING DETECTION (1y 10m to grant; granted Apr 28, 2026)
Patent 12609956: SECURITY INFORMATION CAPTURE AND DISTRIBUTION (2y 6m to grant; granted Apr 21, 2026)
Based on the 5 most recent grants.


Prosecution Projections

Expected OA Rounds: 1-2
Grant Probability: 75%
With Interview: 88% (+13.1%)
Median Time to Grant: 3y 5m (~1y 6m remaining)
PTA Risk: Low
Based on 709 resolved cases by this examiner. Grant probability derived from career allowance rate.
