DETAILED ACTION
Claims 21-40 are examined and pending.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.
Claims 21-40 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Lee (U.S. 2020/0195673 A1, hereinafter “Lee”).
As to claims 21, 31, Lee discloses a system, comprising: one or more hardware processors with associated memory that implement an intrusion detection system (IDS) (para.[0025]; “Central analytics platform”), configured to:
monitor network traffic data in a network (para. [0025]; discloses central analytics platform obtains network traffic where the network traffic data is analyzed);
perform a graph analysis-based assessment of the network (para.[0032]; discloses executing graph analysis based on received communication within the network), comprising:
determining, based at least in part on the network traffic data, a graph of network traffic paths among a plurality of nodes in the network (para.[0032]; discloses using the network communications and network traffic data to create a graph that defines the nodes in a graph representation); and
calculating, based at least in part on the graph, centrality values for individual ones of the plurality of nodes, wherein a centrality value of a given node comprises a betweenness centrality value (closeness value) that indicates a number of shortest paths between two other nodes in the graph that traverses through the given node (para. [0037], [0038]; discloses determining a centrality measure such as closeness, which calculates the shortest average distance to other nodes. The node with the highest normalized closeness has the shortest average distance to other nodes in the graph).
identify, based at least in part on the graph and the centrality values, a significant node in the network (para.[0038]; discloses that, based on the graph and the closeness value as well as other betweenness values, a specific node is identified as the most influential node), wherein the significant node is determined to be, compared to other nodes of the network, a greater source of potential harm to the network if the significant node is attacked or infected (para. [0035]; discloses that failure or infection of a node with a high centrality metric value, such as high closeness or betweenness, could result in a major disruption to the network); and
in response to the identification of the significant node, cause the IDS to prioritize monitoring of the significant node (para.[0066]-[0068]; discloses after identifying a first node with a high score the system generates a ranked list of nodes in the network associated with potential threats to the network that are ranked in accordance with their threat levels. Para. [0069]; discloses that the priority of the first node in response to the calculated threat level of the first node would cause the system to perform certain actions linked with the first node including blocking traffic, throttling traffic, etc.).
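The claim elements mapped above (build a graph of traffic paths from flow data, compute betweenness centrality per node, identify the node most shortest paths traverse, and prioritize IDS monitoring of it) can be illustrated with a short self-contained program. This is an added example for the reader; it is not code from Lee or from the application under examination. The flow records, host names (ws1, gw, srv1, srv2, db) and function names are constructed for the illustration; the betweenness computation is the standard Brandes algorithm over an unweighted directed graph.

```python
"""Graph-analysis-based prioritization of IDS monitoring (constructed example).

Builds a directed graph of network traffic paths from flow records, computes
betweenness centrality (Brandes' algorithm) plus in-/out-degree for every node,
and ranks nodes so the most "significant" node (the one most shortest paths
traverse) is the first candidate for prioritized monitoring.
"""
from collections import deque

# Constructed flow records (src, dst): two workstations reach two servers
# through one gateway, and both servers talk to a database.
SAMPLE_FLOWS = [
    ("ws1", "gw"), ("ws2", "gw"),
    ("gw", "srv1"), ("gw", "srv2"),
    ("srv1", "db"), ("srv2", "db"),
    ("ws1", "gw"),  # repeated flow: edges are stored in a set, so it is not double-counted
]


def build_graph(flows):
    """Directed adjacency: node -> set of nodes it sends traffic to.
    Every node appears as a key, even one that only receives traffic."""
    graph = {}
    for src, dst in flows:
        graph.setdefault(src, set()).add(dst)
        graph.setdefault(dst, set())
    return graph


def betweenness_centrality(graph):
    """Brandes' algorithm: for each node v, the sum over ordered pairs (s, t),
    s != v != t, of the fraction of shortest s->t paths that pass through v."""
    cb = {v: 0.0 for v in graph}
    for s in graph:
        stack = []
        pred = {w: [] for w in graph}      # predecessors on shortest paths from s
        sigma = dict.fromkeys(graph, 0)     # number of shortest paths s -> w
        dist = dict.fromkeys(graph, -1)
        sigma[s], dist[s] = 1, 0
        queue = deque([s])
        while queue:                        # BFS gives unweighted shortest paths
            v = queue.popleft()
            stack.append(v)
            for w in graph[v]:
                if dist[w] < 0:
                    dist[w] = dist[v] + 1
                    queue.append(w)
                if dist[w] == dist[v] + 1:
                    sigma[w] += sigma[v]
                    pred[w].append(v)
        delta = dict.fromkeys(graph, 0.0)   # dependency of s on each node
        while stack:                        # accumulate in reverse BFS order
            w = stack.pop()
            for v in pred[w]:
                delta[v] += sigma[v] / sigma[w] * (1.0 + delta[w])
            if w != s:
                cb[w] += delta[w]
    return cb


def degree_centrality(graph):
    """In-degree and out-degree per node (the directed degree values of claim 22)."""
    indeg = dict.fromkeys(graph, 0)
    outdeg = {v: len(succ) for v, succ in graph.items()}
    for succ in graph.values():
        for w in succ:
            indeg[w] += 1
    return indeg, outdeg


def rank_nodes(flows):
    """Rows of (node, betweenness, in-degree, out-degree), highest betweenness
    first; ties are broken by node name so the ranking is deterministic."""
    graph = build_graph(flows)
    bc = betweenness_centrality(graph)
    indeg, outdeg = degree_centrality(graph)
    rows = [(v, bc[v], indeg[v], outdeg[v]) for v in graph]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


def significant_node(flows):
    """The node whose failure or infection would disrupt the most traffic paths:
    the candidate the IDS should monitor with highest priority."""
    return rank_nodes(flows)[0][0]


if __name__ == "__main__":
    for node, bc, indeg, outdeg in rank_nodes(SAMPLE_FLOWS):
        print(f"{node:5s} betweenness={bc:4.1f} in={indeg} out={outdeg}")
    print("prioritize monitoring of:", significant_node(SAMPLE_FLOWS))
```

On the constructed flows the gateway scores 6.0 (every workstation-to-server and workstation-to-database path crosses it), each server 1.5, and the leaf hosts 0, so the gateway is the node to monitor first. The raw sums can be normalized for a directed graph of n nodes by dividing by (n-1)(n-2) when scores from networks of different sizes must be compared.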
As to claim 22, Lee discloses the system of claim 21, wherein the centrality values include different types of centrality values for individual nodes, including two or more of: an undirected centrality value; an in-degree centrality value (para.[0061]; discloses the measured influence is derived from at least one of: a normalized degree centrality of the first node with respect to other nodes in the network), an out-degree centrality value (para.[0061]; discloses a normalized betweenness centrality of the first node with respect to the other nodes in the network); or an Eigenvector centrality value.
As to claim 23, Lee discloses the system of claim 21, wherein the significant node is identified without accounting for intrinsic attributes of the significant node, including: users who use the significant node, and a node type of the significant node (para. [0056]; discloses node may be classified by the type of service).
As to claim 24, Lee discloses the system of claim 23, wherein the significant node is identified without accounting for intrinsic attributes of peer nodes connected to the significant node in the graph (para. [0025]; discloses first node that is associated with any of the internal node in the graph).
As to claim 25, Lee discloses the system of claim 21, wherein the significant node is identified based on a sensitivity type of information stored or received by the significant node (para. [0018]; discloses a node that transmits sensitive data).
As to claim 26, Lee discloses the system of claim 21, wherein the centrality value of the given node is dependent on an amount of traffic flow through the given node relative to other nodes in the network (para. [0059]; discloses the anomaly factor of the given node that quantifies a deviation of first node from the other nodes).
As to claim 27, Lee discloses the system of claim 21, wherein the prioritized monitoring of the significant node enables the IDS to detect anomalous network behavior of a peer node connected to the significant node in the graph without directly monitoring the peer node (para.[0068]; discloses “network personnel may prioritize investigation of those anomalies that have the greatest potential for harming the network while a SDN controller may configure other nodes to avoid the node(s) comprising potential threats according to the list, may identify other network resources for potentially offloading network traffic of the first node”).
As to claim 28, Lee discloses the system of claim 21, wherein information generated by the graph analysis-based assessment is used to establish an alert mechanism for the network (para.[0026]; discloses notifying or instructing the SDN controller to configure or reconfigure one or more components of the network to reroute the traffic of the first node, or slow the traffic of the first node, based on the platform detecting that a threat level threshold has been reached).
As to claim 29, Lee discloses the system of claim 28, wherein the alert mechanism is established based on user input received via a user interface, wherein the user interface displays one or more of the centrality values (para.[0025]; discloses the central analytics platform displays different scores in accordance with the measured influence of the first node in the network).
As to claim 30, Lee discloses the system of claim 21, wherein information concerning the identification of the significant node is used by a network management system to perform one or more actions with respect to the significant node, to: prioritize patching of the significant node (para.[0025]; discloses based on the determining of the threat level of the node reconfiguring at least one aspect of a network in response), prioritize monitoring of the significant node, control when the significant node can be taken offline, implement stricter network segmentation in the network to protect the significant node, or add an additional firewall to protect the significant node.
As to claim 32, Lee discloses the method of claim 31, wherein the centrality values include different types of centrality values for individual nodes, including two or more of: an undirected centrality value; an in-degree centrality value (para.[0061]; discloses the measured influence is derived from at least one of: a normalized degree centrality of the first node with respect to other nodes in the network); an out-degree centrality value (para.[0061]; discloses a normalized betweenness centrality of the first node with respect to the other nodes in the network); or an Eigenvector centrality value.
As to claim 33, Lee discloses the method of claim 31, wherein the significant node is identified without accounting for intrinsic attributes of the significant node, including: users who use the significant node, and a node type of the significant node (para. [0056]; discloses node may be classified by the type of service).
As to claim 34, Lee discloses the method of claim 33, wherein the significant node is identified without accounting for intrinsic attributes of peer nodes connected to the significant node in the graph (para. [0025]; discloses first node that is associated with any of the internal node in the graph).
As to claim 35, Lee discloses the method of claim 31, wherein the significant node is identified based on a sensitivity type of information stored or received by the significant node (para. [0018]; discloses a node that transmits sensitive data).
As to claim 36, Lee discloses the method of claim 31, wherein the centrality value of the given node is dependent on an amount of traffic flow through the given node relative to other nodes in the network (para. [0059]; discloses the anomaly factor of the given node that quantifies a deviation of the first node from the other nodes).
As to claim 37, Lee discloses the method of claim 31, wherein the prioritized monitoring of the significant node enables the IDS to detect anomalous network behavior of a peer node connected to the significant node in the graph without directly monitoring the peer node (para.[0068]; discloses “network personnel may prioritize investigation of those anomalies that have the greatest potential for harming the network while a SDN controller may configure other nodes to avoid the node(s) comprising potential threats according to the list, may identify other network resources for potentially offloading network traffic of the first node”).
As to claim 38, Lee discloses the method of claim 31, wherein information generated by the graph analysis-based assessment is used to establish an alert mechanism for the network (para.[0026]; discloses notifying or instructing the SDN controller to configure or reconfigure one or more components of the network to reroute the traffic of the first node, or slow the traffic of the first node, based on the platform detecting that a threat level threshold has been reached).
As to claim 39, Lee discloses the method of claim 38, wherein the alert mechanism is established based on user input received via a user interface, wherein the user interface displays one or more of the centrality values (para.[0025]; discloses the central analytics platform displays different scores in accordance with the measured influence of the first node in the network).
As to claim 40, Lee discloses the method of claim 31, wherein information concerning the identification of the significant node is used by a network management system to perform one or more actions with respect to the significant node, to: prioritize patching of the significant node, prioritize monitoring of the significant node (para.[0025]; discloses based on the determining of the threat level of the node reconfiguring at least one aspect of a network in response), control when the significant node can be taken offline, implement stricter network segmentation in the network to protect the significant node, or add an additional firewall to protect the significant node.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Carstens et al. (U.S. 2018/0197128 A1) discloses a computer-based system for identifying supply chain risks and generating supply chain graphs representing an interconnected network of entities. An industrial graph database application is configured to account for direct and indirect (transitive) supplier risk and importance, based on a weighted set of measures: criticality, replaceability, centrality and distance. A graph-based model serves as an interactive and visual supply chain risk and importance explorer.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JOE CHACKO whose telephone number is (571)270-3318. The examiner can normally be reached Monday-Friday 7am-5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ario Etienne, can be reached at (571)272-4001. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/JOE CHACKO/Primary Examiner, Art Unit 2457