DETAILED ACTION
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
This Office Action is in response to the communication filed on 12/10/2024.
Claims 1-5 are pending for consideration.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Specification
The lengthy specification has not been checked to the extent necessary to determine the presence of all possible minor errors. Applicant’s cooperation is requested in correcting any errors of which applicant may become aware in the specification.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1-5 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.
Regarding claims 1, 4, and 5, the limitations “acquire a BAG…”, “obtain a transition rate indicating a speed…”, “calculate a risk probability of each node”, and “output the calculated risk probability”, as drafted, is a process that, under its broadest reasonable interpretation, covers performance of the limitation in the mind, but for recitation of a generic computer component. Specifically, other than reciting, “a BAG acquisition unit, including one or more processors…”, “a graph processing unit, including one or more processors…”, “a graph analysis unit, including one or more processors…”, “an output unit, including one or more processors…” nothing in the claim elements preclude the step from practically being performed in the mind. For example, but for the aforementioned language, the context of the claims encompass a user, with the aid of pen and paper, manually calculating a risk probability and outputting the resulting risk probability. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components, then it falls within the “Mental Processes” grouping of abstract ideas. Accordingly, the claims recite an abstract idea.
This judicial exception is not integrated into a practical application because the additional limitations “a BAG acquisition unit, including one or more processors, configured to acquire…”, “a graph processing unit, including one or more processors, configured to obtain”, “a graph analysis unit, including one or more processors, configured to calculate a risk probability of each node that changes with an elapsed time from when the attacker has started the attack by performing a Markov analysis process”, “an output unit, including one or more processors, configured to output” are merely insignificant extra-solution activities of gathering state current and transition data and an elapsed time. Accordingly, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea. The claim is directed to an abstract idea. The claim is not patent eligible.
Dependent claims 2-3 are depended on the rejected base claim, and are rejected for the same rationales.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-2, 4 and 5 are rejected under 35 U.S.C. 103 as being unpatentable over Swiler et al. (U.S. 7,013,395)(hereinafter Swiler) in view of Stelmar Netto et al. (U.S. 11,316,886)(hereinafter Stelmar Netto).
Regarding claims 1, 4, and 5, Swiler teaches a risk evaluation device comprising: a BAG acquisition unit, including one or more processors, configured to:
acquire a BAG that is a graph (Swiler: see Col 1 lines 16-20, "Specifically, according to the invention, an attack graph is generated based on hypothesized capabilities of an adversary, network configuration information, and knowledge of the requirements for a successful attack") including, as components, a node indicating a state of a network system to be subjected to risk evaluation (Swiler: see Col 4 lines 33-34, "Each node in the graph represents a possible attack state") and an edge indicating a state transition by connecting the nodes (Swiler: see Col 11 claim 3 lines 37-40, "wherein, for each path, nodes represent discrete physical states of the computer system and edges adjoining nodes represent transitions between physical states in the computer system") and in which an exploit success probability that is a probability that an attacker succeeds in exploiting a vulnerability is applied to each edge (Swiler: see Col 5 lines 11-13, "Each edge has a weight representing a system-security metric, such as success probability, average time to implement, or a cost/effort level for an attacker");
a graph processing unit, including one or more processors, configured to obtain a transition rate indicating a speed at which the attacker succeeds in exploiting the vulnerability by using the exploit success probability of the BAG and a limit time required for attacking the vulnerability and creates a state transition diagram of a continuous-time Markov chain that is a data structure including each node and each edge of the BAG and in which the obtained transition rate is applied to each edge instead of the exploit success probability of each edge (Swiler: see Col 5 lines 11-14, "Each edge has a weight representing a system-security metric, such as success probability, average time to implement, or a cost/effort level for an attacker. This weight could be a function of configuration and attacker profile").
However, Swiler does not teach a graph analysis unit, including one or more processors, configured to calculate a risk probability of each node that changes with an elapsed time from when the attacker has started the attack by performing a Markov analysis process based on the state transition diagram created by the graph processing unit and the elapsed time.
Nevertheless, Stelmar Netto- which is in the same field of endeavor – teaches a graph analysis unit, including one or more processors, configured to calculate a risk probability of each node that changes with an elapsed time from when the attacker has started the attack by performing a Markov analysis process based on the state transition diagram created by the graph processing unit and the elapsed time (Stelmar Netto: see Col 6 lines 8-31, " Referring to FIG. 3, a Markov model 300 used to determine a time length of a mitigation process is shown. The Markov model includes high risk nodes 302, medium risk nodes 304, and low risk nodes 306, in which each node represents a configuration state and a firmware state for the smart sensor-based device 116. The nodes 302, 304, 306 are connected by edges, which represent a change in either the configuration state or the firmware state to move from a node to an adjacent node. Using historical data, the scenario simulator 106 determines estimated time intervals 312 for executing the change for different scenarios...These time intervals are used to produce the probability density functions described in FIG. 2").
Swiler and Stelmar Netto are analogous art because they are from the same field of endeavor. Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to combine Swiler’s attack graph edge weights that indicate a cost/effort level for an attacker with the inherent calculation of transition rate for continuous-time Markov chain, and Netto’s use of time intervals to calculate risk probabilities of graph nodes. The suggestion/motivation for doing so would be to predict the likelihood of a attack as a function of elapsed time and allow dynamic and accurate risk analysis.
Regarding claim 2, Swiler and Stelmar Netto teach the graph analysis unit is further configured to calculate an average time to transition to each state based on the state transition diagram and an initial state probability vector indicating a set of state probabilities of the nodes at a point of time when the elapsed time is 0 (Swiler: see Col 5 lines 11-14, "Each edge has a weight representing a system-security metric, such as success probability, average time to implement, or a cost/effort level for an attacker. This weight could be a function of configuration and attacker profile") (Stelmar Netto: see Col 5 lines 50-59, "The horizontal arrows 206, 208, 210 represent a uniform time line, in which the probability density functions 200, 202, 204 begin at a respective least probable shortest completion time and end at a respective least probable greatest length of time of completion. The center of the probability density functions 200, 202, 204 represent the mean time to complete the cyber-attack. For example, dashed line A corresponds to the mean time length B for a hacker to complete the first cyber-attack method on a feature or features of a the smart sensor-based device 116"); and
the output unit is further configured to output the calculated average time (Stelmar Netto: see Col 4 lines 27-29, "The scenario simulator 106 further provides an output as to an estimated time to successfully complete each cyber-attack on the smart sensor-based device 116"; Col 4 lines 61-65, "Based on a comparison of the probability density functions of an cyber-attack and a mitigating process, the notification unit 108 transmits a list of mitigation processes and associated risk levels of each cyber-attack scenario to a user's computing device 114, or a service person's computing device"). Motivation to combine Swiler and Stelmar Netto in the instant claim, is the same as that in claim 1.
Claim 3 is rejected under 35 U.S.C. 103 as being unpatentable over Swiler and Stelmar Netto, as applied to claims 1-2, 4, and 5 above, and in further view of Al Ghazo et al. (U.S. 12,309,188)(hereinafter Al Ghazo).
Regarding claim 3, Swiler and Stelmar Netto teach the invention detailed above.
However, Swiler and Stelmar Netto do not teach creating the state transition diagram, the graph processing unit is configured to: set a predetermined state of an input state transition diagram as a target node; cut an edge coming out from the target node; and cut a node and an edge that are not included in a path from an initial node in which a state probability is not 0 at a point of time when the elapsed time is 0 to the target node.
Nevertheless, Al Ghazo -which is in the same field of endeavor – teaches creating the state transition diagram, the graph processing unit is configured to: set a predetermined state of an input state transition diagram as a target node (Al Ghazo: see Col 11 lines 43-49, "Attack-graphs are directed labeled graphs, where each vertex corresponds to a certain system status including attacker privileges on various devices/assets, each edge represents an atomic attack that an attacker might execute to gain more privileges, and each path from the initial node to a final node represents an attack path an attacker may follow to compromise a system-level security property");
cut an edge coming out from the target node; and cut a node and an edge that are not included in a path from an initial node in which a state probability is not 0 at a point of time when the elapsed time is 0 to the target node (Al Ghazo: see Col 11 lines 49-59, "The goal for a system administrator then is to find a minimal number of attacks that could be prevented such that no viable path remains from the initial node to a final node. In graph theory this is known as a cut. Since the attack-graph is a directed labeled graph, finding the minimal number of attacks, whose prevention would render the disconnection of the initial node from the final nodes, is an instance of a min label-cut (MLC) that requires finding the minimum number of attack-labels whose edges must be removed from a graph to cut all paths from the initial node to the final nodes").
Swiler, Stelmar Netto, and Al Ghazo are analogous art because they are from the same field of endeavor. Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to combine the continuous Markov Chain diagram of Swiler and Stelmar Netto with Al Ghazo’s use of cutting edges that are determined to be inviable. The suggestion/motivation for doing so would be to refine the attack graph to ensure only relevant transitions are being considered in risk analysis.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Rajasooriya et al. (U.S. 10,659,488) teaches the use of Markov chain to model attack graphs for cybersecurity analysis.
Basset (U.S. 2016/0205122) teaches the calculation of risk probability for attack paths based on Bayesian Network Conditional Probability Tables.
Schultz et al. (U.S. 2015/0381649) teaches calculation of success probability of a target node as a function of event time distributions.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KELAH JANAE MCFARLAND-BARNES whose telephone number is (571)272-5953. The examiner can normally be reached Monday through Friday 8:00am until 4:00pm Central Time.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn D Feild can be reached at 571-272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/KELAH JANAE MCFARLAND-BARNES/Examiner, Art Unit 2431
/MICHAEL R VAUGHAN/Primary Examiner, Art Unit 2431
Prosecution Insights