Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
DETAILED ACTION
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 10/09/2024 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1-10 are rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception (i.e. an abstract idea) without significantly more.
Step 1: This part of the eligibility analysis evaluates whether the claim falls within any statutory category. See MPEP 2106.03. The claims recite a method and system. These are directed to a machine, a series of steps or acts and manufacture, and fall within one of the statutory categories of invention. (Step 1: YES).
Step 2A, Prong One: This part of the eligibility analysis evaluates whether the claim as a whole integrates the recited judicial exception into a practical application of the exception or whether the claim is “directed to” the judicial exception. This evaluation is performed by (1) identifying whether there are any additional elements recited in the claim beyond the judicial exception, and (2) evaluating those additional elements individually and in combination to determine whether the claim as a whole integrates the exception into a practical application. See MPEP 2106.04(d).
Claims 1, 9 and 10 are directed to an abstract idea because the following claim limitations recite an abstract idea:
A device, method and manufacture comprising:
calculate a likelihood of occurrence of a threat that may occur in a constituent element of a system, based on a similarity of an attack scenario indicating a chronological sequence of an attack method up to occurrence of the threat and a past scenario indicating a chronological sequence of an attack method in an attack case that has occurred previously (mathematical concept/mental process: a human-being comparing sequences of historical and hypothetical events to mathematically/logically determine the probability of a future event);
Training a learning model with the training data (mental process: a human-being trained with training material that helps the human-being make decisions using a decision model)
Claims 1, 9 and 10 recite the following additional elements:
Wherein the device is a “security analysis device comprising processing circuitry”;
Wherein the threat occurs to a “constituent element of a system”
Wherein the method is for “security analysis”
Where the manufacture is a “non-transitory computer readable medium storing a security analysis program that causes a computer to function as a security analysis device”
Step 2A, Prong Two: This part of the eligibility analysis evaluates whether the claim as a whole integrates the recited judicial exception into a practical application of the exception or whether the claim is “directed to” the judicial exception. This evaluation is performed by (1) identifying whether there are any additional elements recited in the claim beyond the judicial exception, and (2) evaluating those additional elements individually and in combination to determine whether the claim as a whole integrates the exception into a practical application.
The claims fail to achieve a technical solution to a technical problem. Thus the claims fail to provide an improvement to the function of a computer or to a technology itself. The claims culminate with calculating a likelihood of occurrence of a threat. See MPEP 2106.04(d)(1) and 2106.05(a). The additional elements are recited at a high level of generality and amount to merely using computers as a tool to implement the abstract idea. Thus the additional elements are considered mere instructions to apply the abstract idea. See MPEP 2106.05(f). Even when viewed in combination, these additional elements do not integrate the recited judicial exception into a practical application (Step 2A, Prong Two: NO), and the claim is directed to the judicial exception. (Step 2A: YES). Therefore, the examiner must find that the claims fail to integrate the abstract idea into a practical application.
Step 2B:
This part of the eligibility analysis evaluates whether the claim as a whole amounts to significantly more than the recited exception i.e., whether any additional element, or combination of additional elements, adds an inventive concept to the claim. See MPEP 2106.05.
One way to determine integration into a practical application is when the claimed invention improves the functioning of a computer or improves another technology or technical field. To evaluate an improvement to a computer or technical field, the specification must set forth an improvement in technology and the claim itself must reflect the disclosed improvement. See MPEP 2106.04(d)(1) and 2106.05(a).
As in Step 2A, Prong Two, the claims fail to achieve a technical solution to a technical problem. Thus the claims fail to provide an improvement to the function of a computer or to a technology itself. The claims culminate with calculating a likelihood of occurrence of a threat. See MPEP 2106.04(d)(1) and 2106.05(a). The additional elements are recited at a high level of generality and amount to merely using computers as a tool to implement the abstract idea. Thus the additional elements are considered mere instructions to apply the abstract idea. See MPEP 2106.05(f). Even when viewed in combination, these additional elements do not integrate the recited judicial exception into a practical application (Step 2A, Prong Two: NO), and the claim is directed to the judicial exception. (Step 2A: YES). Therefore, the examiner must find that the claims fail to amount to significantly more than the abstract idea itself, even when the additional elements are considered alone and in combination with the abstract idea. (Step 2B: NO).
Therefore, the claims are directed to an abstract idea without significantly more and are unpatentable.
Claims 2-8
Regarding claims 2-8, the following claim limitations recite an abstract idea:
(Claim 2) Arranging the attack scenario and past scenario chronologically as character strings and calculating a similarity between the character strings. (mathematical concept/mental process: the human-being ordering data points in a sequence of symbols and mathematically comparing the sequences.)
(Claim 3) Using a Levenshtein distance to calculate a similarity between the character string of the attack scenario and the character string of the past scenario. (mathematical concept: the human-being using a mathematical formula to compare the similarity between symbols.)
(Claim 4) Generating an amplified scenario by changing a chronological sequence of a plurality of attack methods constituting the past scenario or deleting one or more attack methods of the plurality of attack methods constituting the past scenario and calculating the likelihood of occurrence taking into consideration a similarity between the attack scenario and the amplified scenario. (mental process/mathematical concept: the human-being generating a hypothetical scenario by rearranging or deleting events and mathematically comparing similarity between the scenarios.)
(Claim 5) calculates a similarity between an evaluation target portion that is part of the attack scenario and an evaluation target portion that is part of the past scenario as a similarity between the attack scenario and the past scenario. (mental process/mathematical concept: the human-being selecting subsets of data and mathematically comparing the subsets.)
(Claim 6) combining a likelihood of occurrence calculated by a different method and the likelihood of occurrence calculated by the processing circuitry so as to calculate a new likelihood of occurrence. (mathematical concept: the human-being using a standard mathematical formula to calculate a probability utilizing calculated probabilities.)
(Claim 7) re-calculating a likelihood of occurrence of the threat based on a similarity between the attack scenario and a log scenario indicating a chronological sequence of an attack method carried out against the system. (mental process/mathematical concept: the human-being updating the probability based on new data.)
(Claim 8) calculates a risk value in the constituent element based on the likelihood of occurrence calculated by the processing circuitry and worth of an information asset existing in the constituent element. (mental process/mathematical concept: the human-being evaluating or mathematically calculating impact risk based on value.)
Claims 2-8 recite the additional elements:
Wherein the device is a “security analysis device comprising processing circuitry”;
Wherein the threat occurs to a “constituent element of a system”
Step 2A, Prong 2 and Step 2B
Claims 2-8 fail to recite any new additional elements relative to base claims 1, 7 and 14. Thus, the analysis and findings for step 2A, prong 2 and step 2B incorporate the analysis and findings of claims 1, 7 and 14; however, the analysis and findings include consideration of claims 2, 8 and 15 as a whole. Therefore, claims 2-8 are directed to an abstract idea without significantly more and are unpatentable.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.
Claims 1-3 and 6 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant, regards as the invention.
Regarding claim 1 the limitation directed to “a threat that may occur in a constituent element of a system” renders the scope of the claim indefinite. Specifically, it is unclear if the constituent element and system are comprised within the security analysis device and therefore structure of the security analysis device or part of the environment in which the security analysis device operates in.
Regarding claim 2, the claim states “wherein the attack scenario is a character string in which characters respectively identifying a plurality of attack”; however, the base claim originally stated “an attack scenario indicating a chronological sequence of an attack method”, thus it is unclear as to how a single attack method becomes a plurality of attack methods.
Claim 3 is rejected for inheriting the deficiencies from the claim in which it depends.
In regard to claim 6, the recitation “a different method” renders the scope of the claims indefinite. Specifically, this term, a different method, has no standard meaning within the art and represents no specific and identifiable structure. Furthermore, the applicant's original disclosure fails to define the specific structure, materials or acts that would constitute a different method. Thus it is unclear as to what specific structure, materials, or acts fall within and outside the scope of a different method. For the purpose of examination, the examiner presumes that the applicant's claim broadly references any alternative process used to determine a threat likelihood distinct from the primary process.
Furthermore claim 6 uses the phrase "so as" which renders the claim indefinite because it is unclear whether the limitations following the phrase are part of the claimed invention. See MPEP § 2173.05(d).
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.
(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.
Claim(s) 1, 5-7, 9 and 10 are rejected under 35 U.S.C. 102(a)(1)/(a)(2) as being anticipated by US 9654485 to Neumann.
Claim 1
Neumann teaches a security analysis device [e.g. Neumann; Col 8 Ln 49-50] comprising processing circuitry [e.g. Neumann; Col 13 Ln 34-50] to calculate a likelihood of occurrence of a threat that may occur in a constituent element of a system, [e.g. Neumann; Col 12 Ln 30-51, Col 16 Ln 12-31] based on a similarity of an attack scenario indicating a chronological sequence of an attack method up to occurrence of the threat and a past scenario indicating a chronological sequence of an attack method in an attack case that has occurred previously. [e.g. Neumann; Col 2 Ln 8 – Col 4 Ln 61, Col 12 Ln 30-51, Col 14 Ln 40-59, Col 15 Ln – Col 20 Ln 11, Col 24 Ln 31- Col 26 Ln 11, Col 27 Ln 12-19; Neumann discloses a sequence of behavioral data elements representing behaviors stored in a profile. The profile being through experiential knowledge of previously encountered benign events and/or previous detected attacks. Neumann further discloses that a profile may consist of a multi-phase attack and discloses the attack may include an initial receipt, callback operation and receipt of a larger package from a server that the examiner has interpreted broadly and reasonably as a chronological sequence up to occurrence of a threat. The correlated behavioral fragments map to an attack scenario and the known attack profiles map to a past scenario. Lastly Neumann determines an attack score which may represent an actual attack or potential attack (e.g. likelihood of occurrence of a threat to a constituent of a system) based on how similar the correlated behavioral fragments are to the known attack profiles.]
Claim 5
Neumann teaches the security analysis device according to claim 1, wherein the processing circuitry calculates a similarity between an evaluation target portion that is part of the attack scenario and an evaluation target portion that is part of the past scenario as a similarity between the attack scenario and the past scenario. [e.g. Neumann; Col 2 Ln 8 – Col 4 Ln 61, Col 12 Ln 30-51, Col 14 Ln 40-59, Col 15 Ln – Col 20 Ln 11, Col 24 Ln 31- Col 26 Ln 11, Col 27 Ln 12-19; Neumann discloses a sequence of behavioral data elements representing behaviors stored in a profile. The profile being through experiential knowledge of previously encountered benign events and/or previous detected attacks. Neumann further discloses that a profile may consist of a multi-phase attack and discloses the attack may include an initial receipt, callback operation and receipt of a larger package from a server that the examiner has interpreted broadly and reasonably as a chronological sequence up to occurrence of a threat. The correlated behavioral fragments map to an attack scenario and the known attack profiles map to a past scenario. Lastly Neumann determines an attack score which may represent an actual attack or potential attack (e.g. likelihood of occurrence of a threat to a constituent of a system) based on how similar the correlated behavioral fragments are to the known attack profiles.]
Claim 6
Neumann teaches the security analysis device according to claim 1, wherein the processing circuitry combines a likelihood of occurrence calculated by a different method and the likelihood of occurrence calculated by the processing circuitry so as to calculate a new likelihood of occurrence. [e.g. Neumann; Col 2 Ln 8 – Col 4 Ln 61, Col 12 Ln 30-51, Col 14 Ln 40-59, Col 15 Ln – Col 20 Ln 11, Col 24 Ln 31- Col 26 Ln 11, Col 27 Ln 12-19; Neumann discloses combining likelihood scores of different methods (e.g. port behavior, beacon detection, etc.) to determine an updated likelihood score.]
Claim 7
Neumann teaches the security analysis device according to claim 1, wherein the processing circuitry re-calculates a likelihood of occurrence of the threat based on a similarity between the attack scenario and a log scenario indicating a chronological sequence of an attack method carried out against the system. [e.g. Neumann; Col 2 Ln 8 – Col 4 Ln 61, Col 5 Ln 46 – Col 6 Ln 9, Col 12 Ln 30-51, Col 14 Ln 40-59, Col 15 Ln – Col 20 Ln 11, Col 24 Ln 31- Col 26 Ln 11, Col 27 Ln 12-19; Neumann discloses recursively scanning cache and adjusting the attack score.]
Regarding claims 9 and 10, they are method and manufacture claims essentially corresponding to the above recitations, and they are rejected, at least, for the same reasons.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 2 and 3 are rejected under 35 U.S.C. 103 as being unpatentable over US 9654485 to Neumann in view of US 20180046800 to AOKI et al. (hereinafter “Aoki”).
Claim 2
While Neumann teaches the security analysis device according to claim 1 and teaches calculating similarity between chronological events, Neumann fails to explicitly teach, whereas Aoki teaches: wherein the attack scenario is a character string in which characters respectively identifying a plurality of attack methods are arranged according to a chronological sequence up to occurrence of the threat, wherein the past scenario is a character string in which the characters are arranged according to a chronological sequence in the attack case, and wherein the processing circuitry calculates a similarity between the character string of the attack scenario and the character string of the past scenario as a similarity between the attack scenario and the past scenario. [e.g. Aoki; Para. 0012, 0045, 0127; Aoki discloses assigning events uniquely identifiable characters and calculating a Levenshtein distance between the character strings to determine a similarity.]
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to include the above limitations in the invention as disclosed by Neumann with the benefit of improving the efficiency of detection as disclosed by Aoki Para. 0094.
Claim 3
While Neumann teaches the security analysis device according to claim 2 and teaches calculating similarity between chronological events, Neumann fails to explicitly teach, whereas Aoki teaches: wherein the processing circuitry uses a Levenshtein distance to calculate a similarity between the character string of the attack scenario and the character string of the past scenario. [e.g. Aoki; Para. 0012, 0045, 0127; Aoki discloses assigning events uniquely identifiable characters and calculating a Levenshtein distance between the character strings to determine a similarity.]
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to include the above limitations in the invention as disclosed by Neumann with the benefit of improving the efficiency of detection as disclosed by Aoki Para. 0094.
Claim 4 is rejected under 35 U.S.C. 103 as being unpatentable over US 9654485 to Neumann in view of US 20220053012 to NISHIJIMA et al. (hereinafter “Nishijima”).
Claim 4
While Neumann teaches the security analysis device according to claim 1 and teaches calculating similarity between chronological events, Neumann fails to explicitly teach, whereas Nishijima teaches: wherein the processing circuitry generates an amplified scenario by changing a chronological sequence of a plurality of attack methods constituting the past scenario or deleting one or more attack methods of the plurality of attack methods constituting the past scenario, and wherein the processing circuitry calculates the likelihood of occurrence taking into consideration a similarity between the attack scenario and the amplified scenario. [e.g. Nishijima; Claim 1, Para. 0009, 0097, 0148; Nishijima discloses simulating attacks through an agent by transitioning states to generate new attack scenarios (e.g. amplified scenario).]
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to include the above limitations in the invention as disclosed by Neumann with the benefit of countering constantly changing attacks as indicated by Nishijima para 0003-0004.
Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over US 9654485 to Neumann in view of US 20060156407 to Cummins.
Claim 8
While Neumann teaches the security analysis device according to claim 1 and teaches calculating similarity between chronological events, Neumann fails to explicitly teach, whereas Cummins teaches: wherein the processing circuitry calculates a risk value in the constituent element based on the likelihood of occurrence calculated by the processing circuitry and worth of an information asset existing in the constituent element. [e.g. Cummins; Para. 0017, 0018, 0047, 0048; Cummins discloses calculating risk based on cost or worth of an asset.]
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to include the above limitations in the invention as disclosed by Neumann with the advantage of identifying vital systems for an organization and reducing potential damages caused by interruption as disclosed in para 0018 of Cummins.
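An added illustration of the technique recited in claims 2-4 and 8 as characterized above; it is not code from the application, the examiner, or any cited reference. The method-to-character table, taking the highest similarity as the likelihood, and computing risk as likelihood times asset worth are assumptions, and the sample scenarios are constructed.

```python
# Assumed alphabet: one character per attack method (constructed labels).
METHOD_CODES = {
    "phishing": "P",
    "malware_execution": "M",
    "credential_theft": "C",
    "lateral_movement": "L",
    "data_exfiltration": "X",
}


def encode(scenario):
    """Turn a chronological list of attack methods into a character string."""
    return "".join(METHOD_CODES[method] for method in scenario)


def levenshtein(a, b):
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute or match
        prev = cur
    return prev[-1]


def similarity(a, b):
    """Normalise the distance to 0..1; two empty scenarios count as identical."""
    longest = max(len(a), len(b))
    return 1.0 if longest == 0 else 1.0 - levenshtein(a, b) / longest


def amplify(past):
    """Variants of a past scenario: drop one method, or swap two adjacent ones."""
    variants = {past}
    if len(past) > 1:
        for i in range(len(past)):
            variants.add(past[:i] + past[i + 1:])
    for i in range(len(past) - 1):
        variants.add(past[:i] + past[i + 1] + past[i] + past[i + 2:])
    return variants


def likelihood(attack, past_scenarios, use_amplified=False):
    """Assumed mapping: likelihood = best similarity against any past scenario."""
    best = 0.0
    for past in past_scenarios:
        candidates = amplify(past) if use_amplified else {past}
        best = max(best, max(similarity(attack, c) for c in candidates))
    return best


def risk_value(likelihood_value, asset_worth):
    """Assumed combination: likelihood weighted by the asset's worth."""
    return likelihood_value * asset_worth


# Constructed sample data: one hypothesised scenario, two past cases.
ATTACK = encode(["phishing", "credential_theft",
                 "lateral_movement", "data_exfiltration"])        # "PCLX"
PAST = [
    encode(["phishing", "malware_execution", "credential_theft",
            "lateral_movement", "data_exfiltration"]),            # "PMCLX"
    encode(["phishing", "malware_execution", "data_exfiltration"]),  # "PMX"
]

if __name__ == "__main__":
    plain = likelihood(ATTACK, PAST)
    amplified = likelihood(ATTACK, PAST, use_amplified=True)
    print(plain, amplified, risk_value(plain, 5))
```

Amplification raises the score here because deleting the malware-execution step from the first past case reproduces the hypothesised scenario exactly.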
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHRISTOPHER C HARRIS whose telephone number is (571)270-7841. The examiner can normally be reached Monday through Friday between 8:00 AM and 4:00 PM CST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey L Nickerson can be reached on (469) 295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/CHRISTOPHER C HARRIS/Primary Examiner, Art Unit 2432