Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
This Office Action is in response to an amendment application received on 01/16/2026. In the amendment, claims 1, 8-9, 15, and 18 have been amended. Claims 5-7, 16-17, and 19-20 have been cancelled. Claims 21-27 have been added as new claims.
For this Office Action, claims 1-4, 8-15, 18, and 21-27 have been received for consideration and have been examined.
Response to Arguments
Claim Rejections – 35 USC § 101
Applicant’s amendments to claims have been reviewed and amendments have overcome the raised 35 USC § 101 Abstract Idea rejection. Therefore, this rejection has been withdrawn.
Claim Rejections – 35 USC § 102 & 103
Applicant’s amendments to the claims have been reviewed, and the amendments have overcome the 102 rejection under Kapelevich; however, the claims are rejected under the already-cited reference of Caceres. See the Office Action below for details.
Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.
(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.
Claim(s) 1-4, 8-15, 18, and 21-27 are rejected under 35 U.S.C. 102(a)(1) & (a)(2) as being anticipated by Caceres et al., (US20220014561A1).
Regarding claim 1, Caceres discloses:
A method comprising:
receiving one or more requests for data (i.e., identifying IP addresses/external sites/people/content of interest/vulnerabilities), wherein the one or more requests are received over at least one computer network ([0084] FIG. 2A is a block diagram showing general steps 200 for performing passive network reconnaissance. It should be appreciated that the steps illustrated and described may be performed in any order, and that steps may be added or omitted as needed for any particular reconnaissance operation; [0103] FIG. 8 is a flow diagram of an exemplary method 800 for cybersecurity behavioral analytics, according to one aspect. According to the aspect, behavior analytics may utilize passive information feeds from a plurality of existing endpoints (for example, including but not limited to user activity on a network, network performance, or device behavior) to generate security solutions. In an initial step 801, a web crawler 115 may passively collect activity information, which may then be processed 802 using a DCG 155 to analyze behavior patterns);
analyzing at least one of the one or more requests and one or more processes performed in response to the one or more requests to determine (i.e., collect & analyze trust map for anomaly detection) whether the one or more requests comprise reconnaissance for a cyber attack ([0085] FIG. 2B is a process diagram showing a general flow of a process 210 for performing active reconnaissance using DNS leak information collection … In a final step 214, the trust map may then be analyzed to identify anomalies, for example using community detection algorithms that may discover when new references are being created, and this may be used to identify vulnerabilities that may arise as a byproduct of the referential nature of a DNS hierarchy. In this manner, DCG pipeline processing and time-series data graphing may be used to identify vulnerabilities that would otherwise be obscured within a large dataset; [0103] Based on this initial analysis, anomalous behavior may be recognized 803 (for example, based on a threshold of variance from an established pattern or trend) such as high-risk users or malicious software operators such as bots. These anomalous behaviors may then be used 804 to analyze potential angles of attack);
tracking one or more transmission paths (i.e., steps performed in Fig. 2D) of at least one of the one or more requests and the one or more processes such that the analyzing further comprises:
scanning the one or more transmission paths to identify one or more deviations from a standard transmission path for the one or more requests ([0086] FIG. 2C is a process diagram showing a general flow of a process 220 for performing active reconnaissance using web application and technology reconnaissance. In an initial step 221, a plurality of manual HTTP requests may be transmitted to a host, for example to determine if a web server is announcing itself, or to obtain an application version number from an HTTP response message. In a next step 222, a robots.txt, used to identify and communicate with web crawlers and other automated “bots”, may be searched for to identify portions of an application or site that robots are requested to ignore. In a next step 223, the host application layer may be fingerprinted, for example using file extensions and response message fields to identify characteristic patterns or markers that may be used to identify host or application details. In a next step 224, publicly-exposed admin pages may be checked, to determine if any administrative portals are exposed and therefore potentially-vulnerable, as well as to potentially determine administration policies or capabilities based on exposed information. In a final step 225, an application may be profiled according to a particular toolset in use, such as WORDPRESS™ (for example) or other specific tools or plugins); and
determining that the one or more requests comprise the reconnaissance for the cyber attack in response to identifying the one or more deviations from the standard transmission path ([0087] FIG. 2D is a process diagram showing a general flow of a process 230 for producing a cybersecurity rating using reconnaissance data. In an initial step 231, external reconnaissance may be performed using DNS and IP information as described above (referring to FIG. 2B), collecting information from DNS records, leak announcements, and publicly-available records to produce a DNS trust map from collected information and the DCG-driven analysis thereof … In a final step 236, collected information from all sources may be scored according to a weighted system, producing an overall cybersecurity rating score based on the information collected and the analysis of that information to reveal additional insights, relationships, and vulnerabilities; [0088] For example, in an exemplary scoring system similar to a credit rating, information from initial Internet recon operations may be assigned a score up to 400 points, along with up to 200 additional points for web/application recon results, 100 points for patch frequency, and 50 points each for additional endpoints and open-source intel results. This yields a weighted score incorporating all available information from all scanned sources, allowing a meaningful and readily-appreciable representation of an organization's overall cybersecurity strength),
wherein the standard transmission path is determined using one or more machine learning algorithms implementing a testing mechanism based on one or more of invalid, unexpected and random data ([0098] Machine learning models 1901 may be used to identify patterns and trends in any aspect of the system, but in this case are being used to identify patterns and trends in the data which would help the data to rule mapper 1904 determine whether and to what extent certain data indicate a violation of certain rules; [0103] Passive monitoring 801 then continues, collecting information after new security solutions are implemented 806, enabling machine learning to improve operation over time as the relationship between security changes and observed behaviors and threats are observed and analyzed); and
preventing at least one of generation and transmission of one or more responses to the one or more requests in response to determining that the one or more requests comprise the reconnaissance for the cyber attack ([0112] FIG. 16 is a flow diagram of an exemplary method 1600 for dynamic network and rogue device discovery, according to one aspect. According to the aspect, an advanced cyber decision platform may continuously monitor a network in real-time 1601, detecting any changes as they occur. When a new connection is detected 1602, a CPG may be updated 1603 with the new connection information, which may then be compared against the network's resiliency score 1604 to examine for potential risk. The blast radius metric for any other devices involved in the connection may also be checked 1605, to examine the context of the connection for risk potential (for example, an unknown connection to an internal data server with sensitive information may be considered a much higher risk than an unknown connection to an externally-facing web server). If the connection is a risk, an alert may be sent to an administrator 1606 with the contextual information for the connection to provide a concise notification of relevant details for quick handling);
wherein the steps of the method are executed by a processing device operatively coupled to a memory ([0122] Software/hardware hybrid implementations of at least some of the aspects disclosed herein may be implemented on a programmable network-resident machine (which should be understood to include intermittently connected network-aware machines) selectively activated or reconfigured by a computer program stored in memory).
Regarding claim 15, it is an apparatus claim and recites similar subject matter as claim 1, and it is therefore rejected under a similar ground of rejection.
Regarding claim 18, it is a non-transitory processor-readable storage medium claim and recites similar subject matter as claim 1, and it is therefore rejected under a similar ground of rejection.
Regarding claim 2, Caceres discloses:
The method of claim 1 wherein the analyzing comprises: identifying a source of the one or more requests; determining whether the identified source has been designated for restriction; and determining that the one or more requests comprise the reconnaissance for the cyber attack in response to determining that the identified source has been designated for restriction ([0084] FIG. 2A is a block diagram showing general steps 200 for performing passive network reconnaissance. It should be appreciated that the steps illustrated and described may be performed in any order, and that steps may be added or omitted as needed for any particular reconnaissance operation … In another step 206, publicly-available information may be used to identify web application vulnerabilities that may be exploited with further active penetration testing; [0085] FIG. 2B is a process diagram showing a general flow of a process 210 for performing active reconnaissance using DNS leak information collection. In an initial step 211, publicly-available DNS leak disclosure information may be collected to maintain current information regarding known leaks and vulnerabilities).
Regarding claim 21, it is a non-transitory processor-readable storage medium claim and recites similar subject matter as claim 2, and it is therefore rejected under a similar ground of rejection.
Regarding claim 3, Caceres discloses:
The method of claim 1 wherein: the analyzing comprises scanning the one or more requests to validate one or more elements corresponding to the one or more requests; and the one or more elements comprise at least one of one or more header fields and one or more flags ([0084] FIG. 2A is a block diagram showing general steps 200 for performing passive network reconnaissance. It should be appreciated that the steps illustrated and described may be performed in any order, and that steps may be added or omitted as needed for any particular reconnaissance operation. In a step 201, network address ranges and domains or sub-domains associated with a plurality of targets may be identified, for example to collect information for defining the scope of further scanning operations).
Regarding claim 22, it is a non-transitory processor-readable storage medium claim and recites similar subject matter as claim 3, and it is therefore rejected under a similar ground of rejection.
Regarding claim 4, Caceres discloses:
The method of claim 1 wherein receiving the one or more requests comprises intercepting transmission of the one or more requests from a firewall ([0089] FIGS. 3A and 3B are process diagrams showing business operating system functions in use to mitigate cyberattacks. Input network data which may include … Output 317 can be used to configure network gateway security appliances 361).
Regarding claim 23, it is a non-transitory processor-readable storage medium claim and recites similar subject matter as claim 4, and it is therefore rejected under a similar ground of rejection.
Regarding claim 8, Caceres discloses:
The method of claim 1 further comprising:
backtracking through the one or more transmission paths to identify one or more details corresponding to a source of the one or more requests determined to comprise the reconnaissance for the cyber attack; and storing the one or more details corresponding to the source in one or more databases ([0103] FIG. 8 is a flow diagram of an exemplary method 800 for cybersecurity behavioral analytics, according to one aspect. According to the aspect, behavior analytics may utilize passive information feeds from a plurality of existing endpoints (for example, including but not limited to user activity on a network, network performance, or device behavior) to generate security solutions. In an initial step 801, a web crawler 115 may passively collect activity information, which may then be processed 802 using a DCG 155 to analyze behavior patterns. Based on this initial analysis, anomalous behavior may be recognized 803 (for example, based on a threshold of variance from an established pattern or trend) such as high-risk users or malicious software operators such as bots. These anomalous behaviors may then be used 804 to analyze potential angles of attack and then produce 805 security suggestions based on this second-level analysis and predictions generated by an action outcome simulation module 125 to determine the likely effects of the change).
Regarding claim 24, it is a non-transitory processor-readable storage medium claim and recites similar subject matter as claim 8, and it is therefore rejected under a similar ground of rejection.
Regarding claim 9, Caceres discloses:
The method of claim 8 further comprising terminating the backtracking in response to at least one of the identifying of the one or more details and storing the one or more details ([0089] Output 317 can be used to configure network gateway security appliances 361, to assist in preventing network intrusion through predictive change to infrastructure recommendations 362, to alert an enterprise of ongoing cyberattack early in the attack cycle, possibly thwarting it but at least mitigating the damage 362, to record compliance to standardized guidelines or SLA requirements 363, to continuously probe existing network infrastructure and issue alerts to any changes which may make a breach more likely 364, suggest solutions to any domain controller ticketing weaknesses detected 365, detect presence of malware 366, perform one time or continuous vulnerability scanning depending on client directives 367, and thwart or mitigate damage from cyber attacks 368).
Regarding claim 25, it is a non-transitory processor-readable storage medium claim and recites similar subject matter as claim 9, and it is therefore rejected under a similar ground of rejection.
Regarding claim 10, Caceres discloses:
The method of claim 8 further comprising preventing processing of one or more subsequent requests from the source ([0089] Output 317 can be used to configure network gateway security appliances 361, to assist in preventing network intrusion through predictive change to infrastructure recommendations 362, to alert an enterprise of ongoing cyberattack early in the attack cycle, possibly thwarting it but at least mitigating the damage 362, to record compliance to standardized guidelines or SLA requirements 363, to continuously probe existing network infrastructure and issue alerts to any changes which may make a breach more likely 364, suggest solutions to any domain controller ticketing weaknesses detected 365, detect presence of malware 366, perform one time or continuous vulnerability scanning depending on client directives 367, and thwart or mitigate damage from cyber attacks 368).
Regarding claim 26, it is a non-transitory processor-readable storage medium claim and recites similar subject matter as claim 10, and it is therefore rejected under a similar ground of rejection.
Regarding claim 11, Caceres discloses:
The method of claim 1 wherein the preventing of the transmission of the one or more responses comprises using a bi-directional proxy layer to filter the one or more responses ([0089] Output 317 can be used to configure network gateway security appliances 361, to assist in preventing network intrusion through predictive change to infrastructure recommendations 362, to alert an enterprise of ongoing cyberattack early in the attack cycle, possibly thwarting it but at least mitigating the damage 362, to record compliance to standardized guidelines or SLA requirements 363, to continuously probe existing network infrastructure and issue alerts to any changes which may make a breach more likely 364, suggest solutions to any domain controller ticketing weaknesses detected 365, detect presence of malware 366, perform one time or continuous vulnerability scanning depending on client directives 367, and thwart or mitigate damage from cyber attacks 368).
Regarding claim 27, it is a non-transitory processor-readable storage medium claim and recites similar subject matter as claim 11, and it is therefore rejected under a similar ground of rejection.
Regarding claim 12, Caceres discloses:
The method of claim 1 wherein: the one or more processes comprise the generation of the one or more responses to the one or more requests; and the analyzing comprises:
identifying one or more deviations in the one or more responses from a standard response to the one or more requests ([0103] FIG. 8 is a flow diagram of an exemplary method 800 for cybersecurity behavioral analytics, according to one aspect. According to the aspect, behavior analytics may utilize passive information feeds from a plurality of existing endpoints (for example, including but not limited to user activity on a network, network performance, or device behavior) to generate security solutions. In an initial step 801, a web crawler 115 may passively collect activity information, which may then be processed 802 using a DCG 155 to analyze behavior patterns); and
determining that the one or more requests comprise the reconnaissance for the cyber attack in response to identifying the one or more deviations from the standard response ([0103] The suggested behaviors may then be automatically implemented 806 as needed. Passive monitoring 801 then continues, collecting information after new security solutions are implemented 806, enabling machine learning to improve operation over time as the relationship between security changes and observed behaviors and threats are observed and analyzed).
Regarding claim 13, Caceres discloses:
The method of claim 12 wherein the standard response is determined using one or more machine learning algorithms implementing a fuzz testing mechanism ([0101] For example, multiple web crawlers may be used in parallel to perform load testing, or to utilize different testing configurations with each of a number of crawlers, such as using different fuzz testing configurations or granularity. During a scan, a web crawler may request a web page within a configured domain 3030, and then interact with the page's contents 3040 using a fuzzer 2906 to test any variables using unexpected or random input data. For example, if a web page is a submission form (such as a “contact us” page for a corporate domain), unexpected data may be provided in the form fields to test for any vulnerabilities that may be exposed by an attacker using randomized or malicious form submissions to gain illicit access to resources within the domain. Scan results, such as a form response or additional web pages requested by the web crawler (for example, if a webpage includes links or fields that may be used to retrieve additional pages), may then be indexed and stored 3050 for use in cybersecurity rating or review by an administrator, so that indexed scan results may be quickly processed for future use 3060).
Regarding claim 20, Caceres discloses:
The method of claim 1 wherein: the processing device comprises an edge device located at a same location as one or more servers hosting at least one application configured to respond to the one or more requests; and the edge device is connected to a content delivery network aggregator and to a backend server through the content delivery network aggregator ([0031] FIGS. 3A and 3B are process diagrams showing business operating system functions in use to mitigate cyberattacks; [0089] FIGS. 3A and 3B are process diagrams showing business operating system functions in use to mitigate cyberattacks. Input network data which may include network flow patterns 321, the origin and destination of each piece of measurable network traffic 322, system logs from servers and workstations on the network 323, endpoint data 329, any security event log data from servers or available security information and event (SIEM) systems 324, external threat intelligence feeds 324, identity or assessment context 325, external network health or cybersecurity feeds 326, Kerberos domain controller or ACTIVE DIRECTORY™ server logs or instrumentation 327, business unit performance related data 328, endpoint data 329, among many other possible data types for which the invention was designed to analyze and integrate).
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SYED M AHSAN whose telephone number is (571)272-5018. The examiner can normally be reached 8:30 AM - 6:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, William Korzuch can be reached at 571-272-7589. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/SYED M AHSAN/Primary Examiner, Art Unit 2491