DETAILED ACTION
This action is responsive to the application filed on October 9, 2024.
Claims 1~20 are examined.
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 10/09/24 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.
Claims 3 and 13 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
The term “might” in claims 3 and 13 is a relative term which renders the claim indefinite. The term is not defined by the claim, the specification does not provide a standard for ascertaining the requisite degree, and one of ordinary skill in the art would not be reasonably apprised of the scope of the invention.
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.
Claims 1~8, 10~18, and 20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Muddu et al., hereinafter Muddu (U.S. 2019/0173893).
Regarding Claim 1,
Muddu taught a non-transitory computer-readable storage medium having computer-readable code stored thereon for programming one or more processors to perform steps of:
responsive to (1) training one or more machine learning models for kill-chain reconstruction [¶220, machine learning models to perform analytics based on the events in conjunction with their associated relationship graphs, to security-oriented anomalies and threats in the environment; ¶179, databases allow rapid reconstruction of the anomalies and all of their supporting data],
(2) monitoring one or more users associated with an enterprise [¶450, network security monitoring can involve tracking network activity by users, devices, and applications; ¶407, summarizes all significant (from a security standpoint) network activity for an entire enterprise or network], and
(3) detecting an incident that is one or more of a threat and a policy violation for a first user of the one or more users [¶349, detects anomalies in event data, and further detects threats based on detected anomalies.],
identifying a transaction associated with the threat and a policy violation as a seed transaction [¶494, Fig. 46F, anomaly is associated with 4 entities: User “ggawrych” 4656, Internal Device “10.104.31.18” and External Device “46.214.107.142” 4657, and Domain “46.214.107.142” 4658. Anomaly Relations box 4659 illustrates the relationship between these entities. As can be seen, User “ggawrych” uses Internal Device “10.104.31.18” to access domain “46.214.142” operating on External Device “46.214.107.142”];
retrieving transactions of the user from a preconfigured time window leading up to and occurring after the seed transaction [¶502, Fig. 47D, “User Threats” view 4730 can include a summary section, the number and type of each associated threat 4731, the number and type of each associated anomaly 4732, the number of devices operated by the user that have been associated with anomalies 4733, and the domains involved in the anomalies that the user accessed 4734]; and
reconstructing a kill-chain based on the seed transaction and the time window [¶468, Fig. 40D; ¶470, Fig. 40E, Kill Chain view additionally can include a timeline 4057 that illustrates the timing of each phase].
Regarding Claim 2,
Muddu taught wherein the reconstruction is performed by the one or more machine learning models [¶353; ¶369, threat indicator models; ¶407].
Regarding Claim 3,
Muddu taught wherein the kill-chain comprises one or more malicious events which might follow the seed transaction [Tyagi: ¶474, Fig. 40E, “Land Speed Violation”].
Regarding Claim 4,
Muddu taught wherein the kill-chain comprises one or more transactions that occurred within the time window that are correlated to the seed transaction [¶503, “User Threats” view 4730 also may include a “User Threats Timeline” box 4735 that visually depicts when the user became associated with each type of threat identified in 4731 and the duration of that threat].
Regarding Claim 5,
Muddu taught wherein a transaction is correlated to the seed transaction based on a particular website associated with the transaction statistically occurring together with a domain associated with the seed transaction [¶448, website attacks; ¶449, public-facing website attack; ¶398].
Regarding Claim 6,
Muddu taught wherein a transaction is correlated to the seed transaction based on one or more features of the transaction [¶503, the “User Threats” view 4730 also may include a “User Threats” listing 4736, which, for each threat associated with the user, identifies the threat type].
Regarding Claim 7,
Muddu taught wherein the one or more features of the transaction comprise any of Uniform Resource Locator (URL) features, Request & Response (R&R) features, User Agent (UA) features, Message Digest 5 (MD5) features, policy features, and context features [¶448, anomalies can be alarms, blacklisted applications/domains/IP addresses, domain name anomalies, excessive uploads or downloads, website attacks, land speed violations, machine generated beacons, login errors, multiple outgoing connections, unusual activity time/sequence/file access/network activity, etc].
Regarding Claim 8,
Muddu taught wherein the reconstructing is performed using a graph-based approach [¶448, platform 400 receives alerts from a variety of log sources 402, such as firewalls, intrusion detection and prevention systems, antivirus systems, web proxies, and other systems and network devices and stored in database 404].
Regarding Claim 10,
Muddu taught wherein the transactions of the user from the preconfigured time window are obtained from a cloud-based system that performs monitoring of the one or more users [¶141, the security platform can be implemented at the cloud-based server].
Regarding Claims 11~18 and 20, the claims are similar in scope to claims 1~8 and 10 and therefore, rejected under the same rationale.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 9 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Muddu in view of Tyagi et al., hereinafter Tyagi (U.S. 2020/0327224).
Regarding Claim 9,
Muddu-Tyagi taught wherein each transaction in the kill-chain is assigned a corresponding MITRE attack stage [¶90~¶92, Figs. 6~7].
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to combine Tyagi’s teachings with the teachings of Muddu, because the combination allows users to quantify vulnerabilities associated with their computing systems and further allows automatic adaptation of remediation strategies that appropriately account for and remediate against a given attack campaign [Tyagi: ¶24].
Regarding Claim 19, the claim is similar in scope to claim 9 and therefore, rejected under the same rationale.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HEE SOO KIM whose telephone number is (571)270-3229. The examiner can normally be reached M-F 9AM-5PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Nicholas Taylor can be reached on (571) 272-3889. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/HEE SOO KIM/Primary Examiner, Art Unit 2443