Prosecution Insights
Last updated: April 19, 2026
Application No. 18/787,380

CYBERSECURITY AI-DRIVEN WORKFLOW MODIFICATION

Non-Final OA §103
Filed
Jul 29, 2024
Examiner
SHINGLES, KRISTIE D
Art Unit
2453
Tech Center
2400 — Computer Networks
Assignee
Arctic Wolf Networks, Inc.
OA Round
1 (Non-Final)
Grant probability: 82% (favorable)
Expected OA rounds: 1-2
Time to grant: 3y 0m
Grant probability with interview: 95%

Examiner Intelligence

Career allow rate: 82% (653 granted / 792 resolved), +24.4% vs Tech Center average; above average.
Interview lift: +13.0% (moderate), comparing resolved cases with and without an interview.
Typical timeline: 3y 0m average prosecution; 29 applications currently pending.
Career history: 821 total applications across all art units.

Statute-Specific Performance

§101: 6.4% (-33.6% vs TC avg)
§103: 37.7% (-2.3% vs TC avg)
§102: 45.2% (+5.2% vs TC avg)
§112: 3.8% (-36.2% vs TC avg)
Comparison against the Tech Center average estimate; based on career data from 792 resolved cases.

Office Action

§103
Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION

Claims 1-20 are pending.

Claim Rejections - 35 USC § 103

I. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

II. CLAIMS 1-15 AND 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over McCARTHY et al (US 2024/0305664) in view of CRABTREE et al (US 2025/0039228).
Per claim 1, McCARTHY et al teach a computer-implemented method for cybersecurity management comprising: accessing a plurality of cybersecurity threat protection applications, wherein the plurality of cybersecurity threat protection applications is deployed across a managed cybersecurity network, and wherein the plurality of cybersecurity threat protection applications is managed using a security orchestration, automation, and response (SOAR) platform [paras 0007-9—accessing a plurality of network-connected cybersecurity threat protection applications for cybersecurity management that includes a SOAR system]; executing a cybersecurity workflow, using the SOAR platform, wherein the cybersecurity workflow includes instructions to manage three or more of: antivirus analysis, malware attacks, worms, trojans, spyware, browser hijacking, search hijacking, rootkits, ransomware, phishing attacks, security information and event management triage, threat hunting, insider threat protection, threat intelligence, identity verification reinforcement, endpoint protection, forensic investigation, cryptojacking, vulnerability management, cloud security orchestration, and end-to-end incident lifecycle case management [paras 0022-25, 0030—cybersecurity mitigation task including initiating workflows using SOAR including anti-phishing, antivirus tools, removing trojans, ransomware detection, malware attacks, identity verification, forensic investigation, cryptojacking, insider threat protection, cloud security, threat hunting, incident lifecycle cases, etc.]; capturing data representing one or more cybersecurity actions that are performed in response to execution of the cybersecurity workflow, wherein the captured data comprise reports generated by the SOAR platform, the plurality of cybersecurity threat protection applications, and network devices [paras 0028, 0034, 0038, 0051-52, 0075, 0086—SOAR management system enabling data collection and accumulating antivirus software success and failure logs to execute customized workflows for reporting on the mitigation steps, threat mitigation responses and mitigation completion]; analyzing the one or more cybersecurity actions for workflow relevance based on providing the one or more cybersecurity actions as input to a machine learning model [paras 0022, 0036, 0041, 0043, 0063, 0068, 0085-86—analysis of cybersecurity actions and events based on machine learning model trained using cybersecurity mitigation completion success data and input, input include information associated with a detected cybersecurity threat, detecting new cybersecurity threats and assigning those threats to one or more analysts for action, workflows can automate tasks associated with cybersecurity management], wherein: the machine learning model was trained to (i) analyze the one or more cybersecurity actions and timings of automated responses in the cybersecurity workflow and (ii) compare the analysis to historic cybersecurity actions and timings of automated responses [paras 0040-41, 0048-52, 0054, 0084—machine learning model comparing cybersecurity events to successful event metrics from previous occasions and to previous release events, mitigation results, timings and other parameters of the application responses to metrics from the success metrics library, SOAR can automate responses to threats and adapt the responses using machine learning, comparing mitigation steps to previous incidents], the machine learning model was trained using (i) data from a natural language user interface and data, (ii) data from the plurality of cybersecurity threat protection applications, and (iii) historic cybersecurity events data captured by the SOAR platform [paras 0031, 0035, 0074, 0083—machine learning training data that contains information about the cybersecurity threat protection applications, training data includes historical data associated with past inputs received, information provided in one or more user interface used by network analysts], and automatically updating, in real-time, the cybersecurity workflow on the SOAR platform based on the analyzing, wherein updating the cybersecurity workflow comprises reordering existing remedial steps in the cybersecurity workflow that are performed by an AI computer system to improve efficiency and effectiveness of the one or more cybersecurity actions [paras 0009, 0036, 0041, 0065—in the SOAR environment updating can be based on input from the cybersecurity threat protection applications and human-supplied input based on a machine learning model, providing analysis of security alerts/alarms/warnings in real time; paras 0043, 0068—reassignment and re-triage of cases to one or more other analysts; para 0022—improving performance of mitigation processes over time]; and executing, in parallel to updating the cybersecurity workflow and in real-time, one or more of the remedial steps of the updated cybersecurity workflow, wherein executing the one or more of the remedial steps causes the AI computer system to automatically perform the one or more of the remedial steps [paras 0069-70, 0075—remediation actions and recovery operations].
McCARTHY et al teach the method of claim 1, as applied above, along with swapping-in and swapping-out workflows with customizing and creating a new workflow [paras 0063, 0075, 0082], and reassignment including re-triage of an existing caseload to reassign one or more analysts determined to be capable of handling the cybersecurity threat and remediation actions [paras 0068-70, 0075]; yet fail to explicitly teach "an artificial intelligence (AI) machine learning model; data from a natural language AI user interface; the analyzing further comprises: generating multiple versions of the SOAR platform using the AI machine learning model, wherein the multiple versions of the SOAR platform comprise alternative workflows, reordering of steps in the alternative workflows, added tasks in the alternative workflows, and parallel remedial steps in the alternative workflows; executing each of the multiple versions of the SOAR platform to test potential actions and responses to different cybersecurity threats and application update requirements; and determining, based on executing the multiple versions of the SOAR platform, respective workflow relevance". CRABTREE et al teach using an AI planner to determine from the prospective cyberattack type, at least one appropriate SOAR workflow to implement to mitigate the cyberattack and applying a configuration change to the pattern of identified traffic to prevent further compromises by the cyberattack or abuse [paras 0008-11].

CRABTREE et al also teach creating SOAR workflows based on the type of attack that has been detected [para 0075]; a simulation engine for simulating an attack to test the SOAR actions and response to different types of attacks [paras 0008, 0063, 0074, 0079-80]; and using a SOAR workflow, with a non-exhaustive list of exemplary workflows, that implements each workflow triggered by the attacker intercept manager [para 0076], wherein multiple workflows can be implemented in series or in parallel to mitigate an attack depending on the type of attack or number of devices affected. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of McCARTHY et al and CRABTREE et al for specifying use of AI as the machine learning model, while provisioning the creation of multiple SOAR workflows relevant to the type of cyberattack detected and testing the workflows to determine their mitigation response/actions, which are well-known in the art for implementing specific workflows capable of handling specific cyberattacks.

Claim 14 contains limitations that are substantially equivalent to the limitations of claim 1, and is therefore rejected on the same basis.

Per claim 2, McCARTHY et al and CRABTREE et al teach the method of claim 1; CRABTREE et al further teach the method further comprising automatically executing the updated cybersecurity workflow on the SOAR platform [paras 0011, 0065—automated planning enhanced SOAR workflow comprising updating; McCARTHY et al: paras 0033-37—SOAR system schedules testing and can track deployment of approved updates].
Per claim 3, McCARTHY et al and CRABTREE et al teach the method of claim 1; McCARTHY et al further teach wherein the one or more cybersecurity actions are implemented in response to an element of the cybersecurity workflow being executed [paras 0022, 0029-30, 0054, 0063—mitigation tasks include workflow initiation and deployment, generating a response that includes initiating a threat response process starting a workflow associated with cybersecurity; CRABTREE et al: paras 0008, 0075-76—implementing a recommended or determined SOAR workflow from the planning choices, SOAR workflow is a predefined sequence of actions and automated tasks that are executed in response to a cybersecurity incident, SOAR workflow manager implements each workflow triggered by attacker intercept manager].

Per claim 4, McCARTHY et al and CRABTREE et al teach the method of claim 3; McCARTHY et al further teach wherein the element includes an action initiated by personnel staffing a security operations center [paras 0031, 0034, 0036-38—notifying the cybersecurity staff members, network security staff to review and integrate into future security policies, support staff, help desk systems and personnel].

Per claim 5, McCARTHY et al and CRABTREE et al teach the method of claim 3; CRABTREE et al further teach wherein the element includes an action initiated by a separate AI system [paras 0010-12, 0025—AI automated planner enhanced SOAR workflow].

Per claim 6, McCARTHY et al and CRABTREE et al teach the method of claim 5; CRABTREE et al further teach wherein the separate AI system is distinct from the SOAR platform [para 0008—AI planner to determine the prospective cyberattack type].
Per claim 7, McCARTHY et al and CRABTREE et al teach the method of claim 1; McCARTHY et al further teach wherein the one or more cybersecurity actions are implemented in response to an input from the plurality of cybersecurity threat protection applications [paras 0007-9, 0022, 0025-26, 0054—receiving a plurality of inputs from the cybersecurity threat protection applications, input is received in response to one or more cybersecurity event, cybersecurity threat application inputs can include alerts, text or SMS messages, email, a rendering on a graphical display; CRABTREE et al: paras 0029, 0031-35, 0071, 0075—a predefined sequence of actions and automated tasks that are executed in response to a cybersecurity incident, data input used for automated vulnerability discovery techniques].

Per claim 8, McCARTHY et al and CRABTREE et al teach the method of claim 7; McCARTHY et al further teach wherein in response to the analyzing, the method further comprises automatically triggering a remedial step action suggestion to be performed by personnel staffing a security operations center, wherein the remedial step action suggestion is provided to and displayed at a computing device of the personnel [paras 0038, 0054, 0069-70, 0075, 0086—help desk systems and personnel can be updated to follow up with users whose hardware failed; cybersecurity threat application inputs can include alerts, text or SMS messages, email, a rendering on a graphical display; identify and apply remediation actions to ensure configurations are applying current best practices and continually hardening the security posture; remediation action to bring the network environment up to a minimum threshold standard of preparedness for current cybersecurity risks and to provide a benchmark against which the network environment configuration, risks, and performance against attack vectors can be evaluated].
Per claim 9, McCARTHY et al and CRABTREE et al teach the method of claim 1; CRABTREE et al further teach wherein the workflow relevance includes identifying a recidivistic security operations center human response to the one or more cybersecurity actions [paras 0029-30, 0079, 0093, 0095, 0101—analyzing network logs and traffic patterns to trace the path of data and identify any anomalies or suspicious activities, identifying known attack pattern or anomalous behaviors, an alert is generated to notify security administrators of a potential security incident, security vendors and organizations continuously research and develop new IPS signatures to improve detection and prevention capabilities, allowing administrators to detect and mitigate attacks, and identify abnormal traffic patterns or unauthorized access attempts and facilitate compliance; McCARTHY et al: para 0062—mitigation events are stored and reported on to cybersecurity administrators and managers].

Per claim 10, McCARTHY et al and CRABTREE et al teach the method of claim 9; CRABTREE et al further teach wherein the recidivistic security operations center human response is received as input from a computing device of personnel staffing a security operations center [paras 0029-30, 0079, 0093, 0095, 0101—analyzing network logs and traffic patterns to trace the path of data and identify any anomalies or suspicious activities, identifying known attack pattern or anomalous behaviors, an alert is generated to notify security administrators of a potential security incident, security vendors and organizations continuously research and develop new IPS signatures to improve detection and prevention capabilities, allowing administrators to detect and mitigate attacks, and identify abnormal traffic patterns or unauthorized access attempts and facilitate compliance; McCARTHY et al: para 0062—mitigation events are stored and reported on to cybersecurity administrators and managers].
Per claim 11, McCARTHY et al and CRABTREE et al teach the method of claim 9; McCARTHY et al further teach wherein automatically updating the cybersecurity workflow comprises updating the cybersecurity workflow to mimic the recidivistic security operations center human response [paras 0033, 0036, 0064—antivirus analysis can be used to determine changes or updates to the virus and how to better detect the virus before it can be deployed; updates to software and hardware applications are developed by vendors in response to cybersecurity threats to their products, updating can be based on human-supplied input and on a machine learning model; CRABTREE et al: paras 0075-76, 0079—workflows can be created to update IDS/IPS signatures to mitigate attacks to prevent further occurrence].

Per claim 12, McCARTHY et al and CRABTREE et al teach the method of claim 1; McCARTHY et al further teach wherein the automatically updating occurs in real time [paras 0031, 0065—notifications via real-time console warnings; CRABTREE et al: paras 0030, 0094-95—monitoring network traffic and system activities in real-time to detect and prevent malicious activities, generation of alerts and triggering of immediate actions to prevent or mitigate attacks in real-time].

Per claim 13, McCARTHY et al and CRABTREE et al teach the method of claim 1; CRABTREE et al further teach wherein the automatically updating enables parallel remedial step execution in the cybersecurity workflow that was updated automatically [para 0076—multiple workflows can be implemented either in series or in parallel to mitigate an attack, depending on a number of factors such as the type of attack, the type of users or devices affected, the number of users or devices affected, the criticality of users or devices affected, and other factors which may be indicated either by best practices or by the outputs of modeling and simulation engine based on user-level dependency graph].
Per claim 15, McCARTHY et al and CRABTREE et al teach the method of claim 1; McCARTHY et al further teach wherein the analyzing comprises evaluation of workflow quality [paras 0022, 0071—mitigation success metrics where the metrics provide a way of evaluating the success of the mitigation measures and validating the completion of the mitigation process, incorporate security operations workflows and comprehensive digital risk element evaluations].

Per claim 18, McCARTHY et al and CRABTREE et al teach the method of claim 1; CRABTREE et al further teach wherein the AI machine learning model is embedded in the SOAR platform and trained using data gathered by one or more instantiations of the SOAR platform [paras 0008-11, 0064-66—AI planner enhanced SOAR workflow].

Per claim 19, McCARTHY et al and CRABTREE et al teach the method of claim 1; CRABTREE et al further teach wherein the AI machine learning model is accessed through an application program interface in the SOAR platform [paras 0034-35, 0121-122—API integration].

Per claim 20, McCARTHY et al and CRABTREE et al teach the method of claim 1; McCARTHY et al further teach wherein the cybersecurity workflow further comprises non-cybersecurity elements [para 0022—mitigation tasks include initiating workflows and notifying law enforcement].

III. CLAIM 16 is rejected under 35 U.S.C. 103 as being unpatentable over McCARTHY et al (US 2024/0305664) in view of CRABTREE et al (US 2025/0039228) and TISHBI et al (US 2025/0063063).

Per claim 16, McCARTHY et al and CRABTREE et al teach the method of claim 15, as applied above, with CRABTREE et al further identifying abnormal traffic patterns or unauthorized access attempts [para 0101]; yet fail to explicitly teach wherein the evaluation of workflow quality is based on analysis of repeated incidents having been logged by a security operations center. TISHBI et al disclose identifying trends, such as repeated incidents [paras 0074, 0144].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of McCARTHY et al and CRABTREE et al with TISHBI et al for provisioning the identification of repeated incidents for determining the quality/efficacy of the workflow, which is well-known in the art for identifying repeated, similar attributes of incidents that qualify as patterns for training the workflows.

IV. CLAIM 17 is rejected under 35 U.S.C. 103 as being unpatentable over McCARTHY et al (US 2024/0305664) in view of CRABTREE et al (US 2025/0039228) and STEVENS (US 2025/0363035).

Per claim 17, McCARTHY et al and CRABTREE et al teach the method of claim 15, as applied above, with CRABTREE et al teaching a simulation engine for testing [paras 0008-9, 0063, 0074], yet fail to explicitly teach the method wherein the evaluation of workflow quality is based on analysis of operation regression exercises related to a security operations center. STEVENS teaches incorporating regression testing to validate the system functionality [paras 0166-167]. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of McCARTHY et al and CRABTREE et al with STEVENS for provisioning regression testing, which is well-known in the art for performing quality assurance of the system.

Conclusion

V. The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: WO 2024259174; US 2024/0073011.

VI. Any inquiry concerning this communication or earlier communications from the examiner should be directed to KRISTIE D SHINGLES whose telephone number is (571)272-3888. The examiner can normally be reached on Monday-Thursday, 10am-7pm. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool.
To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Kamal Divecha, can be reached on 571-272-5863. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/KRISTIE D SHINGLES/ Primary Examiner, Art Unit 2453
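As an added illustration of the behaviour claim 1 and claim 13 recite (capturing timings of remedial steps, comparing them with historic timings, reordering the steps, and running independent remedial steps in parallel), the Python below models a small SOAR-style workflow runner. It is not the applicant's code, the examiner's, or code from any of the cited references: the step names, dependencies, historic timings and stand-in actions are all constructed for the example, and the shortest-expected-duration ordering is an assumed heuristic, not something the application or the references are shown here to disclose.

```python
"""Illustrative model of the workflow handling recited in claim 1 and claim 13:
capture timings of remedial steps, compare them with historic timings, reorder
ready steps, and execute independent steps in parallel. Added example; not the
applicant's code or that of any cited reference. Step names, dependencies and
timings below are constructed."""
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass
from statistics import median
from time import perf_counter


@dataclass(frozen=True)
class Step:
    name: str
    depends_on: frozenset = frozenset()   # names of steps that must finish first


# Constructed historic timings (seconds) per remedial step, as a SOAR platform
# might have captured them from earlier executions of the workflow.
HISTORIC_TIMINGS = {
    "isolate_host": [12.0, 15.0, 11.0],
    "block_ioc_at_firewall": [3.0, 2.5, 4.0],
    "collect_forensic_triage": [90.0, 120.0, 80.0],
    "reset_user_credentials": [8.0, 7.0, 9.0],
    "notify_soc": [1.0, 1.0, 1.5],
}

# Constructed workflow, deliberately listed in a poor order: the slow forensic
# collection is first even though it depends on host isolation.
WORKFLOW = [
    Step("collect_forensic_triage", frozenset({"isolate_host"})),
    Step("isolate_host"),
    Step("reset_user_credentials", frozenset({"isolate_host"})),
    Step("block_ioc_at_firewall"),
    Step("notify_soc", frozenset({"isolate_host", "block_ioc_at_firewall"})),
]

# Constructed stand-ins for the real remedial actions (no network calls).
SIMULATED_ACTIONS = {name: (lambda n=name: f"ok:{n}") for name in HISTORIC_TIMINGS}


def expected_duration(name, history=HISTORIC_TIMINGS):
    """Median historic duration for a step; the comparison baseline."""
    return median(history[name])


def parallel_waves(workflow, history=HISTORIC_TIMINGS):
    """Reorder the workflow into waves. Every step in a wave has all of its
    dependencies satisfied by earlier waves, so a wave can run in parallel.
    Within a wave, steps are sorted shortest-expected-duration first (an
    assumed heuristic, chosen so quick containment steps are not queued
    behind slow evidence collection)."""
    remaining = {s.name: s for s in workflow}
    done, waves = set(), []
    while remaining:
        ready = [s for s in remaining.values() if s.depends_on <= done]
        if not ready:
            raise ValueError("cycle or unknown dependency in workflow")
        ready.sort(key=lambda s: (expected_duration(s.name, history), s.name))
        waves.append(ready)
        for s in ready:
            done.add(s.name)
            del remaining[s.name]
    return waves


def _timed(action):
    start = perf_counter()
    result = action()
    return result, perf_counter() - start


def execute(waves, actions, max_workers=4):
    """Execute each wave in parallel and capture a timing record per step,
    the data the claimed analysis step would consume."""
    records = []
    for wave in waves:
        with ThreadPoolExecutor(max_workers=max_workers) as pool:
            futures = [(s.name, pool.submit(_timed, actions[s.name])) for s in wave]
            for name, fut in futures:
                result, elapsed = fut.result()
                records.append({"step": name, "result": result, "elapsed": elapsed})
    return records


def timing_regressions(records, history=HISTORIC_TIMINGS, factor=2.0):
    """Steps whose captured duration exceeds `factor` times the historic
    median: candidates for re-triage or for moving later in the workflow."""
    return sorted(r["step"] for r in records
                  if r["elapsed"] > factor * expected_duration(r["step"], history))


if __name__ == "__main__":
    waves = parallel_waves(WORKFLOW)
    for i, wave in enumerate(waves, 1):
        print(f"wave {i}: {[s.name for s in wave]}")
    for rec in execute(waves, SIMULATED_ACTIONS):
        print(f"{rec['step']}: {rec['result']} in {rec['elapsed']:.6f}s")
```

Run as a script, the constructed workflow collapses into two waves: the two containment steps with no dependencies (firewall block first, then host isolation) and, once those finish, notification, credential reset and forensic collection together. The `timing_regressions` check is the simplest form of the "compare to historic timings" step; a real platform would feed the captured records back into whatever model it uses before changing the stored workflow.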

Prosecution Timeline

Jul 29, 2024
Application Filed
Feb 19, 2026
Non-Final Rejection — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12591653: AUTHENTICATION USING AI-GENERATED MEDIA SAMPLES (granted Mar 31, 2026; 2y 5m to grant)
Patent 12587509: HYBRID MEDIA DISTRIBUTION FOR TELEHEALTH SESSIONS (granted Mar 24, 2026; 2y 5m to grant)
Patent 12586063: FORTIFIED DECOUPLED STATE MACHINE REPLICATION (granted Mar 24, 2026; 2y 5m to grant)
Patent 12568131: AMBIENT, AD HOC, MULTIMEDIA COLLABORATION IN A GROUP-BASED COMMUNICATION SYSTEM (granted Mar 03, 2026; 2y 5m to grant)
Patent 12563015: SECURE TRANSFER GATEWAY (granted Feb 24, 2026; 2y 5m to grant)
Based on the 5 most recent grants.


Prosecution Projections

Expected OA rounds: 1-2
Grant probability: 82%; with interview: 95% (+13.0%)
Median time to grant: 3y 0m
PTA risk: Low
Based on 792 resolved cases by this examiner. Grant probability derived from career allow rate.
