Enhanced Real-Time Supply Chain Analysis

§102 §103

Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Claim Rejections - 35 USC § 102 The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action: A person shall be entitled to a patent unless – (a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention. (a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention. Claim(s) 1, 2, 10, 11, and 19 is/are rejected under 35 U.S.C. 102(a)(1) and 102(a)(2) as being anticipated by Crabtree et al. (Pub. No. US 2022/0232040 A1) (hereinafter Crabtree). Regarding Claim 1, Crabtree teaches A system comprising: a microprocessor; and (Crabtree par. [0032] “a system ”); (par. [0143] “CPU 12 may include one or more processors 13 such as, for example, a processor from one of the Intel, ARM, Qualcomm, and AMD families of microprocessors.”) a computer readable medium, coupled with the microprocessor and comprising microprocessor readable and executable instructions that, when executed by the microprocessor, cause the microprocessor to: (par. [0032] “According to a preferred embodiment, a system for analyzing the cybersecurity threat of software applications from the software supply chain is disclosed, comprising: a computing device comprising a memory and a processor; a software analyzer comprising a first plurality of programming instructions stored in the memory of, and operating on the processor of, the computing device, wherein the first plurality of programming instructions, when operating on the processor, cause the computing device to:”) determine, in real-time, that a first software application is one of: running, being loaded, being installed, or has been installed; (par. [0032] “receive a software application for analysis;”); ([0067] “The system and method comprising analyzing the code and/or operation of a software application to determine components comprising the software”); (par. [0106] “Binary code 2112, whether received directly by the software definition portal 2110 or compiled by the compiler 2130 from source code 2111, is sent to a compiled code analyzer 2140 which analyzes the software while it is in operation (i.e., running) on hardware under an operating system.”); (par. [0137] “FIG. 18 is a flow diagram of an exemplary method 1800 for risk-based vulnerability and patch management, according to one aspect. According to the aspect, an advanced cyber decision platform may monitor all information about a network 1801, including (but not limited to) device telemetry data, log files, connections and network events, deployed software versions, or contextual user activity information. This information is incorporated into a CPG 1802 to maintain an up-to-date model of the network in real-time.”) in response to determining, in real-time, that the first software application is one of: running, being loaded, being installed, or has been installed, identify one or more software components that are associated with the first software application; (par. [0032] “identify one or more software components comprising the software application and send a component identifier for each software component identified to a reconnaissance engine; a reconnaissance engine comprising a second plurality of programming instructions stored in the memory of, and operating on the processor of, the computing device, wherein the second plurality of programming instructions, when operating on the processor, cause the computing device to: receive the component identifier for the one or more software components; search one or more databases to identify a source of each software component; search one or more databases to identify a vulnerability of each software component; send the component identifier, source, and vulnerability for each of the one or more software components to a cyber-physical graph engine;”); (par. [0106] “While the software is running, a function extractor 2141 monitors which operations are performed by the software, the order of such operations, and which system resources are accessed by the software, which can disclose the functions, subroutines, etc., that are being executed by the compiled code.”) generate current supply chain data, wherein the current supply chain data is associated with the first software application and the identified one or more software components associated with the first software application; and (par. [0032] “…receive the component identifier, source, and vulnerability for each of the one or more software components; and construct a cyber-physical graph of a software supply chain for the software application, the cyber-physical graph comprising nodes representing the source and vulnerability of each software component of the software application and edges representing the relationships between the nodes;”) process the current supply chain data to identify one or more vulnerabilities in the first software application and/or the identified one or more software components associated with the first software application. (par.[0032] “a scoring engine comprising a third plurality of programming instructions stored in the memory of, and operating on the processor of, the computing device, wherein the third plurality of programming instructions, when operating on the processor, cause the computing device to: run one or more graph-processing algorithms on the cyber-physical graph to determine one or more paths of vulnerability in the software supply chain and a probability of occurrence for each path; and generate a cybersecurity score for the software application based on the vulnerabilities in the software supply chain.”); ([0033] “identifying one or more software components comprising the software application;”) Regarding Claim 10, claim 10 is a method claim that recites similar limitation as claim 1, therefore, is rejected based on the same rational as claim 1 outlined above. (Crabtree par. [0031] “ a system and method for comprehensive cybersecurity threat assessment of software applications based on the totality of vulnerabilities from all levels of the software supply chain.”) Regarding Claim 19, claim 19 is directed to claim 1 that recites similar limitations as claim 19 and is being rejected based on the same rational as claim 1 above. Moreover, a non-transient computer readable medium having stored thereon instructions that cause a processor to execute a method, the method comprising instructions to, is thought on (Crabtree par. [0148] “Because such information and program instructions may be employed to implement one or more systems or methods described herein, at least some network device aspects may include non-transitory machine-readable storage media, which, for example, may be configured or designed to store program instructions, state information, and the like for performing various operations described herein.”) Regarding Claim 2, Crabtree teaches The system of claim 1, wherein the identified one or more software components associated with the first software application comprises one or more of: an operating system, a hypervisor, a container, a virtual machine, a library, an output application, an Integrated Development Environment (IDE), a compiler, an installer, a loader, a second software application executed by the first software application, and an interpreter. (“Crabtree [0032] “receive a software application for analysis; identify one or more software components comprising the software application; and send a component identifier for each software component identified to a reconnaissance engine;”) Regarding Claim 11, claim 11 is the method of claim 10 that recites similar limitations as claim 2, therefore, is rejected based on the same rational as claim 2 outlined above. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claim(s) 3, 4, 12, 13, 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Crabtree et al. (Pub. No. US 2022/0232040 A1) (hereinafter Crabtree) in view of Tianyu Gu et al. (NPL: BadNets: Identifying Vulnerabilities in the Machine Learning Model Supply Chain)(hereinafter Gu). Regarding Claim 3, Crabtree teaches The system of claim 1, outlined above. While Crabtree discloses predictive statistics functions and machine learning algorithms to allow future trends and outcomes to be rapidly forecast based upon the current system [0081], Crabtree fails to explicitly teach wherein the first software application is an Artificial Intelligence (AI) algorithm and wherein the current supply chain data comprises real-time supply chain data that comprises at least one of: AI algorithm input prompt data, real-time output data from the AI algorithm, real-time AI algorithm weight data, and real-time prompt filter data. However, Gu teaches wherein the first software application is an Artificial Intelligence (AI) algorithm and wherein the current supply chain data comprises real-time supply chain data that comprises at least one of: AI algorithm input prompt data, real-time output data from the AI algorithm, real-time AI algorithm weight data, and real-time prompt filter data. (Gu Sec. 6. Vulnerabilities in the Model Supply Chain “Moreover, we examine one of the most popular sources of pre-trained models—the Caffe Model Zoo [43]—and examine the process by which these models are located, downloaded, and retrained by users; by analogy with supply chains for physical products, we call this process the model supply chain. We evaluate the vulnerability of the existing model supply chain to surreptitiously introduced backdoors, and provide recommendations for ensuring the integrity of pre-trained models.”); (Gu 2.1.2 “The weights and biases of the network are learned during training. The network’s output is a function of the last hidden layer’s activations.”) Crabtree and Gu are analogues in that they are both in the same field of supply chain analysis. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Crabtree to incorporate the teachings of Gu wherein the first software application is an Artificial Intelligence (AI) algorithm and wherein the current supply chain data comprises real-time supply chain data that comprises at least one of: AI algorithm input prompt data, real-time output data from the AI algorithm, real-time AI algorithm weight data, and real-time prompt filter data. Doing so would aid in the need to investigate techniques for detecting backdoors in deep neural networks. Section 6.1 Security Recommendations Gu Regarding Claim 12, claim 12 is the method of claim 10 that recites similar limitations as claim 3, therefore, is rejected based on the same rational as claim 3 outlined above. Regarding Claim 20, claim 20 is directed to The non-transient computer readable medium of claim 19, that recites similar limitation as claim 3 and is being rejected based on the same rational as claim 3 above. Moreover, non-transient computer readable medium is thought on par. [0148] Crabtree. Regarding Claim 4, Crabtree in view of Gu teaches The system of claim 3, outlined above. Crabtree teaches wherein the microprocess readable and executable instructions further cause the microprocessor to: generate, in real-time, based at least on the real-time supply chain data, a real-time vulnerability score; and (Crabtree [0033] “generating a cybersecurity score for the software application based on the vulnerabilities in the software supply chain.”); (Crabtree [0137] “FIG. 17 “Network is monitored in real-time” and FIG. 18 “According to the aspect, an advanced cyber decision platform may monitor all information about a network 1801, including (but not limited to) device telemetry data, log files, connections and network events, deployed software versions, or contextual user activity information. This information is incorporated into a CPG 1802 to maintain an up-to-date model of the network in real-time. generate, for display in a user interface, the real-time vulnerability score. (Crabtree [0033] “generating a cybersecurity score for the software application based on the vulnerabilities in the software supply chain.”);([0080] “Client access to the system 105 for specific data entry, system control and for interaction with system output such as automated predictive decision making and planning and alternate pathway simulations, occurs through the system's distributed, extensible high bandwidth cloud interface 110 which uses a versatile, robust web application driven interface for both input and display of client-facing information via network 107 and operates a data store 112.”) Regarding Claim 13, claim 12 is the method of claim 12 that recites similar limitations as claim 4, therefore, is rejected based on the same rational as claim 4 outlined above. Claim(s) 5, 6, 9, 14, 15, 18, is/are rejected under 35 U.S.C. 103 as being unpatentable over Crabtree et al. (Pub. No. US 2022/0232040 A1) (hereinafter Crabtree) in view of Devarakonda et al. (US 11,694,142 B2). Regarding Claim 5, Crabtree teaches The system of claim 1, outlined above. Crabtree fails to explicitly teach wherein the first software application is an Artificial Intelligence (AI) algorithm and wherein the identified one or more software components associated with the AI algorithm comprises one or more of: an operating system, a hypervisor, a container, a virtual machine, a library, an output application, an Integrated Development Environment (IDE), a compiler, an installer, an interpreter, an input application, an input filter, an AI filter algorithm, a vulnerability filter, a weight changing AI algorithm, weights used by the AI algorithm, a backpropagation AI algorithm, a fine-tuning AI algorithm, a training set filter, an obfuscator, a modification AI algorithm, an initial training set, a fine-tuning training set. However, Devarakonda teaches wherein the first software application is an Artificial Intelligence (AI) algorithm and wherein the identified one or more software components associated with the AI algorithm comprises one or more of: an operating system, a hypervisor, a container, a virtual machine, a library, an output application, an Integrated Development Environment (IDE), a compiler, an installer, an interpreter, an input application, an input filter, an AI filter algorithm, a vulnerability filter, a weight changing AI algorithm, weights used by the AI algorithm, a backpropagation AI algorithm, a fine-tuning AI algorithm, a training set filter, an obfuscator, a modification AI algorithm, an initial training set, a fine-tuning training set. (Devarakonda Col. 8 Ln. 37-38 “The machine-learning algorithms of the machine-learning (ML) application…”); (Col. 11 Ln. 24-30 “With the supply chain training data 304 and the identified features 302, the machine-learning application 218 (e.g., model) is trained by machine-learning application trainer 224. The machine-learning application 218 appraises the value of the features 302 as they correlate to the supply chain training data 304. The result of the training is the machine-learning application 218.”). Crabtree and Devarakonda are analogues in that they are both in the same field of supply chain analysis. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Crabtree to incorporate the teachings of Devarakonda wherein the first software application is an Artificial Intelligence (AI) algorithm and wherein the identified one or more software components associated with the AI algorithm comprises one or more of: an operating system, a hypervisor, a container, a virtual machine, a library, an output application, an Integrated Development Environment (IDE), a compiler, an installer, an interpreter, an input application, an input filter, an AI filter algorithm, a vulnerability filter, a weight changing AI algorithm, weights used by the AI algorithm, a backpropagation AI algorithm, a fine-tuning AI algorithm, a training set filter, an obfuscator, a modification AI algorithm, an initial training set, a fine-tuning training set. Doing so would aid by identifying a predicted value impact as the highest predicted value impact from a set of predicted value impacts each associated with an action recommendation for a product in the supply chain. Col. 15 Ln. 29-32 Devarakonda Regarding Claim 14, claim 14 is the method of claim 10 that recites similar limitations as claim 5, therefore, is rejected based on the same rational as claim 5 outlined above. Regarding Claim 6, Crabtree in view of Devarakonda teaches The system of claim 5, outlined above. Crabtree fails to explicitly teach wherein the identified one or more software components associated with the AI algorithm comprises at least one of: the input application, the input filter, the AI filter algorithm, the vulnerability filter, the weight changing AI algorithm, the weights used by the AI algorithm, the backpropagation AI algorithm, the fine-tuning AI algorithm, the training set filter, the obfuscator, the modification AI algorithm, the initial training set, the fine-tuning training set, a final training set, and a final fine tuning training set. However, Devarakonda teaches wherein the identified one or more software components associated with the AI algorithm comprises at least one of: the input application, the input filter, the AI filter algorithm, the vulnerability filter, the weight changing AI algorithm, the weights used by the AI algorithm, the backpropagation AI algorithm, the fine-tuning AI algorithm, the training set filter, the obfuscator, the modification AI algorithm, the initial training set, the fine-tuning training set, a final training set, and a final fine tuning training set. (Devarakonda Col. 11 Ln. 31-33 “When the machine-learning (ML) application 218 is used to perform an assessment, supply chain data 306 is provided as an input to the machine-learning (ML) application 218…”)(Examiner: the input application) Crabtree and Devarakonda are analogues in that they are both in the same field of supply chain analysis. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Crabtree to incorporate the teachings of Devarakonda wherein the identified one or more software components associated with the AI algorithm comprises at least one of: the input application, the input filter, the AI filter algorithm, the vulnerability filter, the weight changing AI algorithm, the weights used by the AI algorithm, the backpropagation AI algorithm, the fine-tuning AI algorithm, the training set filter, the obfuscator, the modification AI algorithm, the initial training set, the fine-tuning training set, a final training set, and a final fine tuning training set. Doing so would aid to find correlations among the identified features that affect the outcome or assessment. Col. 11 Ln. 16-18 Devarakonda Regarding Claim 15, claim 15 is the method of claim 14 that recites similar limitations as claim 6, therefore, is rejected based on the same rational as claim 6 outlined above. Regarding Claim 9, Crabtree teaches The system of claim 1, outlined above. Crabtree fails to teach wherein generating the current supply chain data comprises getting real-time supply chain data, getting internal non-real-time supply chain data, and getting external non-real-time supply chain data. However, Devarakonda teaches wherein generating the current supply chain data comprises getting real-time supply chain data, getting internal non-real-time supply chain data, and getting external non-real-time supply chain data. (Devarakonda Col. 9 Ln. 42-44 “…the supply chain training data 304 may include observed supply chain operational metrics observed in the supply chain 100 and operational plans.”); (Col. 11 Ln. 37-39 “the supply chain data 306 may be captured in real-time as the supply chain is functioning.”); (Col. 12 Ln. 19-21) The supply chain data 306 may be received from various external data sources 202, such as those described above with reference to FIG. 2.”) Crabtree and Devarakonda are analogues in that they are both in the same field of supply chain analysis. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Crabtree to incorporate the teachings of Devarakonda wherein generating the current supply chain data comprises getting real-time supply chain data, getting internal non-real-time supply chain data, and getting external non-real-time supply chain data. Doing so would aid in resources and recommend prescriptive action for planners in a fast-moving supply chain. Col. 12 Ln. 10-11 Devarakonda Regarding Claim 18, claim 18 is the method of claim 10 that recites similar limitations as claim 9, therefore, is rejected based on the same rational as claim 9 outlined above. Claim(s) 7, 8, 16, 17 is/are rejected under 35 U.S.C. 103 as being unpatentable over Crabtree et al. (Pub. No. US 2022/0232040 A1) (hereinafter Crabtree) in view of Singh (US 11,816,221 B2). Regarding Claim 7, Crabtree teaches The system of claim 1, outlined above. Crabtree fails to teach wherein the microprocess readable and executable instructions further cause the microprocessor to: generate, for display, in a user interface, the identified one or more vulnerabilities, in the first software application and/or the identified one or more software components associated with the first software application. However, Singh teaches wherein the microprocess readable and executable instructions further cause the microprocessor to: generate, for display, in a user interface, the identified one or more vulnerabilities, in the first software application and/or the identified one or more software components associated with the first software application. (Singh par. [0063] “The microprocessor may also be configured to execute an editing controller application. The editing controller application may include instructions to, following the identifying of the one or more vulnerabilities, mark each identified vulnerability on the display.”); (par. [0066] “The editing controller application may be further configured to display to the user the selected vulnerability based on the received input of the selected edit-option.”) Crabtree and Singh are analogues in that they are both in the same field of vulnerabilities analysis. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Crabtree to incorporate the teachings of Singh wherein the microprocess readable and executable instructions further cause the microprocessor to: generate, for display, in a user interface, the identified one or more vulnerabilities, in the first software application and/or the identified one or more software components associated with the first software application. Doing so would aid in allowing the input received to be shared and may further be combined and generated as one vulnerability report file. [0067] Singh Regarding Claim 16, claim 16 is the method of claim 10 that recites similar limitations as claim 7, therefore, is rejected based on the same rational as claim 7 outlined above. Regarding Claim 8, Crabtree and in view of Singh teach The system of claim 7, outlined above. Crabtree fails to teach wherein the identified one or more vulnerabilities in the first software application and/or the identified one or more software components associated with the first software application can be individually selected by a user to view code associated with the identified one or more vulnerabilities, in the first software application and/or the identified one or more software components associated with the first software application. However, Singh teaches wherein the identified one or more vulnerabilities in the first software application and/or the identified one or more software components associated with the first software application can be individually selected by a user to view code associated with the identified one or more vulnerabilities, in the first software application and/or the identified one or more software components associated with the first software application. (Singh [0109] “FIG. 3 may display a diagram of a source code vulnerability identification system 300. System 300 may include a UI screen 302, smart glasses 304 and a display 314 that is viewed via the smart glasses 304.”); ([0066] “The editing controller application may be configured to display to a user of the smart glasses device, on the display, a selection of edit-options. The selection may include highlighting, inserting a comment, cross-outs, underline and any other relevant editing tools. The sensors may identify the input of a selected edit-options and the processor may be configured receive the input. The input received may be specific to a selected vulnerability with the scanned application source code. The editing controller application may be further configured to display to the user the selected vulnerability based on the received input of the selected edit-option.”) Crabtree and Singh are analogues in that they are both in the same field of vulnerabilities analysis. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Crabtree to incorporate the teachings of Singh wherein the identified one or more vulnerabilities in the first software application and/or the identified one or more software components associated with the first software application can be individually selected by a user to view code associated with the identified one or more vulnerabilities, in the first software application and/or the identified one or more software components associated with the first software application. Doing so would aid in identifying of the one or more vulnerabilities, mark each identified vulnerability on the display. [0063] Singh Regarding Claim 17, claim 17 is the method of claim 16 that recites similar limitations as claim 8, therefore, is rejected based on the same rational as claim 8 outlined above. Conclusion The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure. Arulmani et al. (Pub. No. US 2024/0126871 A1) teaches vulnerability analysis for software products. Tripp (US 9,529,695 B2) teaches detecting race condition vulnerabilities in computer software applications. Hay et al. (Pub. No. US 2014/0373158 A1) teaches detecting security vulnerabilities on computing devices. Any inquiry concerning this communication or earlier communications from the examiner should be directed to MALA BOYD whose telephone number is (571)272-6450. The examiner can normally be reached M-F 7:30-4:00. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor Eleni Shiferaw can be reached at (571) 272-3867. The examiner can normally be reached on M-F 7:30-4:00 EST. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. Mala Boyd Patent Examiner Art Unit 2497 /ELENI A SHIFERAW/Supervisory Patent Examiner, Art Unit 2497