Prosecution Insights
Last updated: April 19, 2026
Application No. 18/893,894

PRIVILEGE ASSURANCE OF ENTERPRISE COMPUTER NETWORK ENVIRONMENTS USING ATTACK PATH DETECTION AND PREDICTION

Status: Non-Final OA (§103, §DP)
Filed: Sep 23, 2024
Examiner: WRIGHT, BRYAN F
Art Unit: 2497
Tech Center: 2400 (Computer Networks)
Assignee: Qomplx LLC
OA Round: 1 (Non-Final)

Grant Probability: 78% (Favorable)
Expected OA Rounds: 1-2
Time to Grant: 3y 4m
Grant Probability With Interview: 99%

Examiner Intelligence

Career Allow Rate: 78%, above average (629 granted / 805 resolved; +20.1% vs TC avg)
Interview Lift: +24.3% (allow rate of resolved cases with interview vs. without)
Typical Timeline: 3y 4m average prosecution; 26 applications currently pending
Career History: 831 total applications across all art units

Statute-Specific Performance

§101: 12.1% (-27.9% vs TC avg)
§103: 53.9% (+13.9% vs TC avg)
§102: 8.6% (-31.4% vs TC avg)
§112: 10.2% (-29.8% vs TC avg)

(Chart placeholder: each statute was plotted against a Tech Center average estimate; based on career data from 805 resolved cases.)

Office Action

§103, §DP

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

DETAILED ACTION

This action is in response to applicant's original submittal made on 09/23/2024. Claims 1-24 are pending.

Double Patenting

The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the "right to exclude" granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the claims at issue are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the reference application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). The USPTO internet Web site contains terminal disclaimer forms which may be used. Please visit http://www.uspto.gov/forms/. The filing date of the application will determine what form should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to http://www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.

Claims 1-3, 7-9, 13-15 and 19-21 are rejected on the ground of non-statutory double patenting as being unpatentable over claims 1, 2 and 3 of U.S. Patent No. 12,113,831 ('831 hereinafter).
Although the claims at issue are not identical, they are not patentably distinct from each other because both sets of claims are drawn to the following:

(18/893894) Claim 1: A computing system for privilege assurance of enterprise computer network environments using an attack path detection and prediction, comprising: a local monitoring unit comprising a first plurality of programming instructions that, when operating on a processor of a first computing device, cause the first computing device to: collect a plurality of session details for a user authentication session; retrieve a plurality of host details pertaining to the first computing device; monitor activity during the authentication session; and generate an event log based on the monitored activity; and a graph processing unit comprising a second plurality of programming instructions that, when operating on a processor of a second computing device, cause the second computing device to: create and store a cyber-physical graph of the computer network using the event log and the session and host details, wherein the vertices or nodes of the cyber-physical graph represent directory access protocol objects and the edges of the cyber-physical graph represent the relationships between those objects; perform a plurality of queries over time on the cyber-physical graph to identify paths between the nodes; receive a plurality of results of the plurality of queries; analyze the plurality of results to determine a plurality of risk attributes associated with each of a plurality of the nodes in the graph, the risk attributes for each node being based at least in part on a determined value of the node and the node's connectivity to other nodes within any identified paths; and create and store an attack path map comprising a plurality of identified paths that each exceed a plurality of stored risk conditions;

maps to ('831) Claim 1: A system for privilege assurance of enterprise computer network environments using lateral movement detection and prevention, comprising: a local session monitor comprising a first plurality of programming instructions stored in a memory of, and operating on a processor of, a first computing device within a computer network operating a directory access protocol, wherein the first plurality of programming instructions, when operating on the processor of the first computing device, cause the first computing device to: receive a first plurality of session-based details for an authentication session for a user; check the validity of the first plurality of session-based details, using a stored session configuration; log the first plurality of session-based details; receive a second plurality of session details; compare the first and second pluralities of session details against a stored expected pattern to identify any mismatched data; where invalid or mismatched information is identified in the first or second pluralities of session-based details or in the comparison against a stored expected pattern, revoke the authentication credentials for the session and generate an event log indicating the particular session-based details that contain the invalid or mismatched information; send the event log to a graph engine; a graph engine comprising a second plurality of programming instructions stored in a memory of, and operating on a processor of, a second computing device, wherein the second plurality of programming instructions, when operating on the processor of the second computing device, cause the second computing device to: receive the event log; create and store a cyber-physical graph of the computer network using the event log, wherein the vertices of the cyber-physical graph represent directory access protocol objects and the edges of the cyber-physical graph represent the relationships between those objects; perform a plurality of queries over time on the cyber-physical graph a cyberattack parameter of interest; receive results of the plurality of queries; analyze the plurality of results to determine a plurality of high-risk hosts, the high-risk hosts being determined based on the number and value of user accounts associated with each object in the cyber-physical graph and its connections to neighboring objects; and create and store a lateral movement path map comprising a plurality of identified paths involving each of the plurality of high-risk nodes.

(18/893894) Claims 2, 8, 14 and 20, wherein the session details comprise information about a user's granted privilege levels, map to ('831) Claim 2, wherein the plurality of session-based details comprises information about a user's granted privilege levels.

(18/893894) Claims 3, 9, 15 and 21, wherein the session details comprise historical user activity within the network, map to ('831) Claim 3, wherein the plurality of session-based details comprises historical user activity within the network.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1-5, 8-11, 13-17 and 19-23 are rejected under 35 U.S.C. 103 as being unpatentable over Hart (US Patent Publication No. 2016/0330233) in view of Ben-Yosef et al. (US Patent Publication No. 2021/0136101, Ben hereinafter).
As to claims 1, 7, 13 and 19, Hart teaches a computing system for privilege assurance of enterprise computer network environments using an attack path detection and prediction, comprising: a local monitoring unit comprising a first plurality of programming instructions that, when operating on a processor of a first computing device, cause the first computing device to: collect a plurality of session details for a user authentication session (i.e., …teaches in par. 0050 the following: “Detection system 108 may be configured to collect authentication messages generated and/or exchanged in computer network system 100 and extract data from the authentication messages.” …teaches in par. 0050 the following: “detection system 108 may collect authentication messages by monitoring one or more of client 102, authentication system 104, and service providing system 106. Alternatively or additionally, detection system 108 may collect authentication messages using sensors or sniffers distributed in network 112. Detection system 108 may collect authentication messages in other manners as well.”); monitor activity during the authentication session (i.e., …teaches in par. 0050 the following: “detection system 108 may monitor traffic in and/or out of authentication system 104; traffic in and/or out of client 102;”); and generate an event log based on the monitored activity (i.e., …teaches in par. 0050 the following “logs provided by any of client 102, authentication system 104, and service providing system 106.” …teaches in par. 0062 the following: “Additional information may be gathered by analyzing the content of other Kerberos-related communications, such as ticket requests sent to the KDC and KDC responses to these requests. ETSs and other information may be used to detect potentially malicious activity in a computer network (e.g., network 112).” …teaches in par. 0100 the following: “data may be collected by monitoring traffic in the computer network. 
For example, traffic may be monitored to and from the KDC, such as KRB_AS_REQ and KRB_AS_REP messages exchanged during the AS Exchange step or KRB_TGS_REQ and KRB_TGS_REP message exchanged during the TGS Exchange step; and between endpoints, such as KRB_AP_REQ and KRB_AP_REP messages exchanged during the CS Exchange step. Observing messages exchanged during the CS Exchange step may include, for example, parsing various protocols that use Kerberos for authentication, such as File Transfer Protocol (FTP), Structured Query Language (SQL), Remote Desktop Protocol (RDP), Server Message Block (SMB) Protocol, Common Internet File System (CIFS), and Hypertext Transfer Protocol (HTTP). Other protocols, including any other application protocol, are possible as well” …teaches in par. 0102 the following: “creating a mapping for some or all retrieved ETSs. The mapping may indicate, for example, an origin, destination, time of transmission, and message type for an authentication message from which data identified by the ETS was extracted. The mapping may involve, for example, creating a file or a database table for each message type. For a computer network operating the Kerberos protocol, for instance, the message types may include KRB_AS_REQ, KRB_AS_REP, KRB_TGS_REQ, KRB_TGS_REP, KRB_AP_REQ, and KRB_AP_REP. Other message types, including any message transmitted, received, or stored in connection with an authentication protocol, are possible as well. Details for each ETS may be stored in the file or database table that corresponds to the appropriate message type. In some embodiments, as noted above, ETSs may be stored as a hash of the ETS. Storing ETSs as hashes may, in some embodiments, serve to reduce a size of the mapping.”.). 
Hart does not expressly teach: retrieve a plurality of host details pertaining to the first computing device; and a graph processing unit comprising a second plurality of programming instructions that, when operating on a processor of a second computing device, cause the second computing device to: create and store a cyber-physical graph of the computer network using the event log and the session and host details, wherein the vertices or nodes of the cyber-physical graph represent directory access protocol objects and the edges of the cyber-physical graph represent the relationships between those objects; perform a plurality of queries over time on the cyber-physical graph to identify paths between the nodes; receive a plurality of results of the plurality of queries, analyze the plurality of results to determine a plurality of risk attributes associated with each of a plurality of the nodes in the graph, the risk attributes for each node being based at least in part on a determined value of the node and the node’s connectivity to other nodes within any identified path, and create and store an attack path map comprising a plurality of identified paths that each exceed a plurality of stored risk conditions. In this instance the examiner notes the teachings of prior art reference Ben. With regards to applicant’s claim limitation element of, “retrieve a plurality of host details pertaining to the first computing device”, Ben teaches in par. 0024 the following: “local credentials may be deployed and may appear to the static analysis as a vulnerability. In actuality, configurations in remote machines may deny connections using the local credentials. The rejection of the local credentials may be discovered by penetration testing attempting to utilize them in a lateral movement.”. 
With regards to applicant’s claim limitation element of, “and a graph processing unit comprising a second plurality of programming instructions that, when operating on a processor of a second computing device, cause the second computing device to: create and store a cyber-physical graph of the computer network using the event log and the session and host details”, Ben teaches in par. 0049 the following: “a graph of network lateral movements may be generated. The graph may comprise nodes representing assets in the network. The graph may comprise directed edges from source nodes to target nodes, where an edge indicates that a network lateral movement can be implemented from the source node to the target node of the edge. In some exemplary embodiments, an edge corresponds to a validated network lateral movement from the asset represented by the source node to the asset represented by the target node.”. Ben teaches in par. 0050 the following: “each node in the graph may be assigned a probability of penetration…The probability may be determined automatically based on rules and historical information of similar assets, such as datasets indicating attacks or datasets of manually provided estimated probabilities. …the probability may depend on monitoring of a external resources, such as monitoring events”. With regards to applicant’s claim limitation element of, “wherein the vertices or nodes of the cyber-physical graph represent directory access protocol objects and the edges of the cyber-physical graph represent the relationships between those objects”, Ben teaches in the abstract the following: “graph comprises nodes and directed edges, wherein a node of the graph represents an asset of the list of assets, wherein a direct edge of the graph connecting a source node to a target node represents a validated network lateral movement from a source asset, represented by the source node…”. 
With regards to applicant’s claim limitation element of, “perform a plurality of queries over time on the cyber-physical graph to identify paths between the nodes”, Ben teaches in par. 0028 the following: “connected components of the graph may be displayed as a single element, and bridges connecting therebetween may be displayed. The user may perform drill down to obtain a detailed view of a connected component.”. Teaches in par. 0041 the following: “bridges in the graph of network lateral movements may be identified. In some exemplary embodiments, a bridge may be an edge in the graph that connects between two connected components.”. Teaches in par. 0034 the following: “where G is the graph of network lateral movements that comprise assets and indicative reachability via network lateral movements therebetween”. Teaches in par. 0054 the following: “the user may manipulate the graph, may request simulation”. With regards to applicant’s claim limitation element of: “receive a plurality of results of the plurality of queries”, Ben teaches in par. 0054 the following: “the user may manipulate the graph, may request simulation”. Teaches in par. 0005 the following: “dynamically analyzing the network comprises performing penetration testing”. Teaches in par. 0035 the following: “estimated loss from penetration may be utilized as a quantitative measure that can be used to determine whether to perform a mitigation action”. Teaches in par. 0011 the following: “the estimated loss from penetration is computed as a summation of estimated loss from penetration to each node of the graph, wherein an estimated loss from penetration to a node is computed based on probability of penetration directly to the node and based on payload utility of nodes that are reachable from the node.”. 
With regards to applicant’s claim limitation element of, “analyze the plurality of results to determine a plurality of risk attributes associated with each of a plurality of the nodes in the graph”, Ben teaches in par. 0015 the following: “and utilizing the graph of network lateral movements to assess security risk to the network and utilizing the graph of network lateral movements to assess security risk to the network”. Teaches in par. 0034 the following: “The estimated loss from penetration function may be utilized as a part of a target function in optimizations regarding security risk from network lateral movements.”. Teaches in par. 0042 the following: “One technical effect of utilizing the disclosed subject matter is obtaining a clear assessment of security risks to an organizational network from an attacker's ability to perform network lateral movements. Such assessment may indicate that a low-level asset, that is accordingly being protected using low-standards, is in fact a weak link and represents a potential breach point into the high-level payloads of the organization.”. With regards to applicant’s claim limitation element of, “the risk attributes for each node being based at least in part on a determined value of the node and the node’s connectivity to other nodes within any identified path”, Ben teaches in par. 0042 the following: “One technical effect of utilizing the disclosed subject matter is obtaining a clear assessment of security risks to an organizational network from an attacker's ability to perform network lateral movements. Such assessment may indicate that a low-level asset, that is accordingly being protected using low-standards, is in fact a weak link and represents a potential breach point into the high-level payloads of the organization.”. Teaches in par. 0054 the following: “the user may remove edges or nodes to review how the security risk to the network may change if changes are implemented.”. 
With regards to applicant’s claim limitation element of, “and create and store an attack path map comprising a plurality of identified paths that each exceed a plurality of stored risk conditions”, Ben teaches in par. 0055 the following: “a modified graph may be determined.”. Teaches in par. 0057 the following: “the visualization of the modified graph may present a mapping of possible network lateral movements”. Teaches in par. 0058 the following: “the display may comprise statistics on the utility of the mitigation action such as reduced connectivity due thereto, nodes that were changed from “red” to “green”, such as nodes where penetration should be avoided and the risk thereof was sufficiently handled, or the like.”. Teaches in par. 0057 the following: “he mapping may be displayed with an indication regarding the differences from the original mapping. This may enable to user to quickly comprehend what is modified in view of the mitigation action. In some exemplary embodiments, all unaffected edges and nodes may be presented in a grayed-manner, and the affected edges and nodes may be presented in color. The color-coding may be an absolute color-coding (e.g., indicating probability of penetration, estimated loss from penetration, payload value, or the like). Additionally or alternatively, the color-coding may be a relative color coding, indicating the difference between the original state and the modified state. In some exemplary embodiments, a combination of visual indications may be used to provide both absolute and relative aspects.”. Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the of the claimed invention was made to implement the teachings of Hart with the teachings of Ben by having their system comprise an enhanced network attack analysis process. 
One would have been motivated to do so to provide a simple and effective means to determine network vulnerabilities, wherein the enhanced network attack analysis process helps facilitate optimal security within the network and makes it easier to determine proper attack mitigation practices.

As to claims 2, 8, 14 and 20, the system of Hart and Ben as applied to claim 1 above teaches risk assessment, specifically Hart teaches a system of claim 1, wherein the session details comprise information about a user's granted privilege levels (i.e., …teaches in par. 0137 the following: "This may effectively change the privileges of the TGT, thereby giving the user higher levels of access to target services.").

As to claims 3, 9, 15 and 21, the system of Hart and Ben as applied to claim 1 above teaches risk assessment, specifically Hart teaches a system of claim 1, wherein the session details comprise historical user activity within the network (i.e. …teaches in par. 0211 the following: "historical data").

As to claims 4, 10, 16 and 22, the system of Hart and Ben as applied to claim 1 above teaches risk assessment, specifically Hart teaches a system of claim 1, wherein the risk attributes further comprise contextual risk factors (i.e., …teaches in par. 0081 the following: "risk factors or risk scenarios associated with determining indications of potentially malicious activity.").

As to claims 5, 11, 17 and 23, the system of Hart and Ben as applied to claim 1 above teaches risk assessment, specifically Hart does not expressly teach a system of claim 4, wherein the context-based risk attribute for a node within an identified path is based on a plurality of risk attributes of other nodes within the identified path. In this instance the examiner notes the teachings of prior art reference Ben. Ben teaches in par. 0055 the following: "a modified graph may be determined.". Teaches in par. 0057 the following: "the visualization of the modified graph may present a mapping of possible network lateral movements". Teaches in par. 0058 the following: "the display may comprise statistics on the utility of the mitigation action such as reduced connectivity due thereto, nodes that were changed from "red" to "green", such as nodes where penetration should be avoided and the risk thereof was sufficiently handled, or the like.". Teaches in par. 0057 the following: "he mapping may be displayed with an indication regarding the differences from the original mapping. This may enable to user to quickly comprehend what is modified in view of the mitigation action. In some exemplary embodiments, all unaffected edges and nodes may be presented in a grayed-manner, and the affected edges and nodes may be presented in color. The color-coding may be an absolute color-coding (e.g., indicating probability of penetration, estimated loss from penetration, payload value, or the like). Additionally or alternatively, the color-coding may be a relative color coding, indicating the difference between the original state and the modified state. In some exemplary embodiments, a combination of visual indications may be used to provide both absolute and relative aspects.". Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to implement the teachings of Hart with the teachings of Ben by having their system comprise an enhanced network attack analysis process. One would have been motivated to do so to provide a simple and effective means to determine network vulnerabilities, wherein the enhanced network attack analysis process helps facilitate optimal security within the network and makes it easier to determine proper attack mitigation practices.
Allowable Subject Matter

Claims 6, 12, 18 and 24 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims. The following is a statement of reasons for the indication of allowable subject matter: Applicant's claim limitation(s) recital of, "store iterative updates of the cyber-physical graph in a multi-dimensional time-series database at predetermined intervals or in response to specific events; retrieve a specific historical reference of the cyber-physical graph corresponding to a specified past time point or time window; perform specific queries on the retrieved historical reference of the cyber-physical graph to analyze the network state as it existed at the specified past time point or within the specified time window; analyze query results to determine risk attributes for nodes in the historical reference of the graph, based on each node's value and connectivity within identified paths; create a historical attack path map comprising paths that exceed stored risk thresholds at the specified past time point or within the specified time window; and store the historical attack path map for future reference and comparison with current network states".

Contact Information

Any inquiry concerning this communication or earlier communications from the examiner should be directed to BRYAN F WRIGHT whose telephone number is (571)270-3826. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Eleni Shiferaw can be reached on (571)272-3867.

The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/BRYAN F WRIGHT/ Examiner, Art Unit 2497
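The graph mechanism recited in claim 1 (a cyber-physical graph whose vertices are directory objects and whose edges are relationships; queries that identify paths; per-node risk attributes derived from node value and connectivity within the identified paths; an attack path map of paths that exceed stored risk conditions) and the historical-snapshot limitation the examiner found allowable in claims 6, 12, 18 and 24 are easier to reason about with a concrete toy. The following Python is an editor's illustration added here; it is not code from the applicant, Qomplx, Hart or Ben-Yosef. The object names, relationship kinds, node values, timestamps and risk thresholds are constructed sample data, and the risk formula (value multiplied by distinct neighbours on identified paths) is one simple reading of the claim language, not the applicant's actual method.

```python
"""Toy attack-path map over a graph of directory objects (editor's example).

Not the applicant's or any cited reference's code. Every name, value,
timestamp and threshold below is constructed sample data.
"""
import bisect
import copy
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class CyberPhysicalGraph:
    # Vertices: directory objects (users, groups, hosts) with an assigned value.
    # Edges: relationships (group membership, admin rights, logged-on sessions).
    nodes: dict = field(default_factory=dict)                       # name -> {"kind", "value"}
    edges: dict = field(default_factory=lambda: defaultdict(list))  # src -> [(dst, relationship)]

    def add_node(self, name, kind, value):
        self.nodes[name] = {"kind": kind, "value": value}

    def add_edge(self, src, dst, relationship):
        self.edges[src].append((dst, relationship))

    def paths_to(self, start, target, max_hops=8):
        """Query: enumerate simple paths start -> target of at most max_hops edges."""
        found = []

        def walk(node, path):
            if node == target:
                found.append(list(path))
                return
            if len(path) - 1 >= max_hops:
                return
            for nxt, _rel in self.edges.get(node, []):
                if nxt not in path:          # simple paths only, no cycles
                    path.append(nxt)
                    walk(nxt, path)
                    path.pop()

        walk(start, [start])
        return found


def risk_attributes(graph, paths):
    """Per-node risk attribute: node value x connectivity, where connectivity is
    the number of distinct neighbours the node has within the identified paths."""
    neighbours = defaultdict(set)
    for p in paths:
        for a, b in zip(p, p[1:]):
            neighbours[a].add(b)
            neighbours[b].add(a)
    return {n: graph.nodes[n]["value"] * len(neighbours[n]) for n in neighbours}


def attack_path_map(graph, paths, conditions):
    """Keep only paths that exceed every stored risk condition, highest risk first."""
    risk = risk_attributes(graph, paths)
    kept = []
    for p in paths:
        total = sum(risk[n] for n in p)
        if (total > conditions["min_total_risk"]
                and graph.nodes[p[-1]]["value"] >= conditions["min_target_value"]
                and len(p) - 1 <= conditions["max_hops"]):
            kept.append({"path": p, "hops": len(p) - 1, "risk": total})
    return sorted(kept, key=lambda r: -r["risk"])


class GraphHistory:
    """Time-series store of graph snapshots; at(t) returns the state as it existed at t."""

    def __init__(self):
        self.times, self.snaps = [], []

    def store(self, t, graph):
        self.times.append(t)
        self.snaps.append(copy.deepcopy(graph))

    def at(self, t):
        i = bisect.bisect_right(self.times, t) - 1
        return None if i < 0 else self.snaps[i]


# Constructed (hypothetical) stored risk conditions.
SAMPLE_CONDITIONS = {"min_total_risk": 50, "min_target_value": 8, "max_hops": 6}


def build_sample_graph(carol_admins_ws01=True):
    """Constructed sample directory: a helpdesk user a few hops from a domain admin session."""
    g = CyberPhysicalGraph()
    for name, kind, value in [("alice", "user", 1), ("helpdesk", "group", 3),
                              ("ws01", "host", 2), ("ws02", "host", 2),
                              ("bob", "user", 4), ("carol", "user", 3),
                              ("domainadmins", "group", 10), ("dc01", "host", 10)]:
        g.add_node(name, kind, value)
    for src, dst, rel in [("alice", "helpdesk", "MemberOf"), ("helpdesk", "ws01", "AdminTo"),
                          ("helpdesk", "ws02", "AdminTo"), ("ws01", "bob", "HasSession"),
                          ("ws02", "carol", "HasSession"), ("bob", "domainadmins", "MemberOf"),
                          ("domainadmins", "dc01", "AdminTo")]:
        g.add_edge(src, dst, rel)
    if carol_admins_ws01:                    # a later change that opens a second route
        g.add_edge("carol", "ws01", "AdminTo")
    return g


def historical_path_counts():
    """Compare the alice -> dc01 path count at a past time point with the current state."""
    hist = GraphHistory()
    hist.store(100, build_sample_graph(carol_admins_ws01=False))
    hist.store(200, build_sample_graph(carol_admins_ws01=True))
    past, now = hist.at(150), hist.at(200)   # t=150 resolves to the snapshot taken at t=100
    return (len(past.paths_to("alice", "dc01")), len(now.paths_to("alice", "dc01")))


if __name__ == "__main__":
    g = build_sample_graph()
    for entry in attack_path_map(g, g.paths_to("alice", "dc01"), SAMPLE_CONDITIONS):
        print(entry)
    print("alice->dc01 paths at t=150 vs t=200:", historical_path_counts())
```

On the sample data the query finds two routes from alice to dc01; the 7-hop route through carol scores higher but fails the stored hop limit, so the attack path map keeps only the 5-hop route. The snapshot store shows the historical comparison: at t=150 only one route existed, at t=200 there are two, which is the kind of before/after view the allowable claims describe.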

Prosecution Timeline

Sep 23, 2024
Application Filed
Jan 24, 2026
Non-Final Rejection — §103, §DP (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12598234
DRONE ELECTRONIC MESH FOR ONLINE NETWORK SERVICES (DEMONS) IMPLEMENTING CRYPTOGRAPHIC OPERATIONS
2y 5m to grant Granted Apr 07, 2026
Patent 12591675
METHODS AND SYSTEMS FOR SECURING COMPUTER SYSTEMS OR NETWORKS AGAINST SUSPECT BINARY FILES
2y 5m to grant Granted Mar 31, 2026
Patent 12587506
INTELLIGENT ROUTING AND REDIRECTION TECHNIQUES FOR OPTIMAL SECURE ACCESS TO RESOURCES
2y 5m to grant Granted Mar 24, 2026
Patent 12579271
CROSS-ARCHITECTURE AUTOMATIC DETECTION METHOD AND SYSTEM FOR THIRD-PARTY COMPONENTS AND SECURITY RISKS RELATED TO FIRMWARE IN INTERNET OF THINGS DEVICES THEREOF
2y 5m to grant Granted Mar 17, 2026
Patent 12580747
COMMUNICATION SYSTEM, INFORMATION PROCESSING DEVICE, INFORMATION PROCESSING METHOD, AND COMPUTER PROGRAM PRODUCT
2y 5m to grant Granted Mar 17, 2026

Prosecution Projections

Expected OA Rounds: 1-2
Grant Probability: 78% (99% with interview, +24.3%)
Median Time to Grant: 3y 4m
PTA Risk: Low

Based on 805 resolved cases by this examiner. Grant probability derived from career allow rate.
