DETAILED ACTION
The following claims are pending in this office action: 1-11
Claims 1, 10 and 11 are independent claims.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Drawings
The drawings filed on 10/21/2024 are accepted.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-5, 10 and 11 are rejected under 35 U.S.C. § 103 as being unpatentable over
Yuta et al. (US20220358218A1) [hereinafter "Yuta"] in view of Noel et al. (US 7735141 B1) [hereinafter "Noel"].
As per claim 1, Yuta discloses an attack analysis device comprising processing circuitry ([Yuta, [0128]] “The attack detection device is a device that monitors the monitoring target, detects the cyberattack that has occurred, and outputs the alert data”) to acquire operation data ([Yuta, [0182]] “In step S111, the reception unit 110 receives software operation data.”) including at least an influence-destination object ([Yuta, [00123]] “the relationship building unit 120 specifies a directed relationship between the operation object and the target object according to the operation type, and adds a directed edge from the operation object node to the target object node. The directed edge has a direction that represents the directed relationship specified.”), the influence-destination object being an object which is influenced by the operation performed by the influence-source object ([Yuta, [0084]] “The target object is a software object that is to be a target of the software operation. That is, the target object is a software object that is to be an object of the software operation. A specific example of the target object is a file.”).
Yuta does not disclose the attack probability representing a probability of the operation being an attack; an attack probability among an influence-source object being an object which has performed an operation to influence another object; processing circuitry to construct relation data, when the operation data acquired includes the influence-source object and the attack probability is equal to or higher than a threshold value A, by adding a relation between the influence-source object and the influence-destination object to the relation data; and processing circuitry to specify at least either of an infected range which is supposed to be affected by an attack that is detected, and an intrusion route of the attack detected, based on the relation data constructed, when the attack is detected.
However, Noel, in the same field of endeavor, discloses the attack probability representing a probability of the operation being an attack ([Noel, Abstract] “The intrusion detector generates events. Events are associated with exploits. Event graph distances are calculated. Correlation values are calculated for event pair(s) using event graph distances. The correlation values are analyzed using a correlation threshold to detect coordinated attacks.” The Examiner interprets “the correlation values” as a measurement of the likelihood that events belong to the same coordinated attack.); an attack probability among an influence-source object being an object which has performed an operation to influence another object ([Noel, (8)] “A threshold may be applied to filtered correlations to separate event paths into attack scenarios, i.e., only paths with sufficient correlation (sufficiently small attack graph gaps) are placed in the same attack scenario. Overall relevancy score may also be computed for resulting attack scenarios. This should measure the extent that the attack scenarios populate a path in the attack graph.”); an attack analysis device comprising processing circuitry ([Noel, (36)] “For each path of intrusion events, the Event Analyzer 330 can invert the distances between events (convert them from dissimilarities to similarities), then apply the exponentially weighted moving average filter in Equation (1) to the inverse distances.”) to construct relation data ([Noel, (13)] “Two events that fall on a connected path in an attack graph may be considered correlated (at least to some extent). Clearly, events should be fully correlated if they map to adjacent exploits in the attack graph, since this is the strongest relationship possible. Conversely, events mapped to non-adjacent exploits are only partially correlated, as shown in FIG. 1, which is an example diagram showing partially correlated events 140 and 150. In this case, the degree of event correlation may be determined through graph distance between corresponding exploits 110, 120 and 130”) when the operation data acquired includes the influence-source object ([Noel, (41)] “The arrow beside "Event x" indicates the direction (source and destination machine) of the event. So the distance from Event 1 (an exploit from machine m23 to m80) to Event 2 (an exploit from machine m80 to m52) is one, the distance from Event 2 to Event 3 is 2, etc.”) and the attack probability is equal to or higher than a threshold value A ([Noel, Abstract and (44)] “The correlation values are analyzed using a correlation threshold to detect coordinated attacks.” and “A correlation threshold value of T=0.6 is applied, shown as a horizontal plane.”) by adding a relation between the influence-source object and the influence-destination object to the relation data ([Noel, (15)] “An event may be added to the end of a path if it maps to an exploit that has a finite distance from the exploit mapped to the last event in the path. Event time is naturally accounted for, because events are added at the ends of paths, which were constructed from prior events.”); and to specify at least either of an infected range which is supposed to be affected by an attack that is detected, and an intrusion route of the attack detected, based on the relation data constructed, when the attack is detected ([Noel, (22)] “Thus, a correlation threshold may be applied that segments event paths into highly correlated attack scenarios. In other words, a consecutive sequence of events that lies above the threshold defines an attack scenario. When individual event paths are formed from the incoming stream of events, new event paths may be created when a new event is not reachable (infinite distance) from the currently existing set of event paths. In this way, event paths have an obvious beginning based on (non-) reachability. The correlation threshold provides a way to end an event path when the distance to the next event is too large, but is still finite.”).
Therefore, it would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to modify Yuta to include the attack probability representing a probability of the operation being an attack; an attack probability among an influence-source object being an object which has performed an operation to influence another object; an attack analysis device comprising processing circuitry to construct relation data when the operation data acquired includes the influence-source object, and the attack probability is equal to or higher than a threshold value A by adding a relation between the influence-source object and the influence-destination object to the relation data; and to specify at least either of an infected range which is supposed to be affected by an attack that is detected, and an intrusion route of the attack detected, based on the relation data constructed, when the attack is detected as suggested by Noel. One of ordinary skill in the art would have been motivated to incorporate Noel’s relation-based attack correlation into Yuta in order to organize detected operations into structured relationships that represent attack propagation paths, thereby enabling identification of affected objects across multiple related operations, as taught by Noel’s attack graph correlation of intrusion events.
As per claim 2, the combination of Yuta and Noel discloses the attack analysis device as defined in claim 1. Yuta does not disclose wherein the processing circuitry adds, to the relation data, direction information indicating a direction from the influence-source object to the influence-destination object, as the relation between the influence-source object and the influence-destination object, and specifies the infected range by using an object in which an operation indicating the attack detected is detected as an origin, and by tracing a direction indicated by the direction information included in the relation data in a forward direction.
However, Noel discloses wherein the processing circuitry adds, to the relation data, direction information indicating a direction from the influence-source object to the influence-destination object ([Noel, (41)] “Attack graph distances between the 8 intrusion events in FIG. 4 may be determined directly from the figure. The arrow beside "Event x" indicates the direction (source and destination machine) of the event. So the distance from Event 1 (an exploit from machine m23 to m80) to Event 2 (an exploit from machine m80 to m52) is one, the distance from Event 2 to Event 3 is 2, etc.”), as the relation between the influence-source object and the influence-destination object ([Noel, (10)] “Multiple precondition/postcondition dependencies between exploits can be represented with a single graph edge, meaning that the "to" exploit depends on at least one postcondition of the "from" exploit”), and specifies the infected range ([Noel, (40)] “In this experiment, only remote-to-root exploits are included, to make results easier to interpret. That is, each exploit has preconditions of (1) execute access on the attacking machine and (2) a connection from the attacking machine to a vulnerable service on the victim machine, and postconditions of (1) execute access and (2) superuser privilege on the victim machine. Since connections to vulnerable services exist in the initial network conditions, and each exploit directly yields superuser access on the victim machine, the shortest exploit distance between machines is always one. In interpreting these distances from the figure, the actual numbers of exploits between pairs of machines are therefore irrelevant.”) by using an object in which an operation indicating the attack detected is detected as an origin ([Noel, (15)] “The exploit distances may be pre-computed once for an attack graph, and then applied continuously for a real-time stream of intrusion events… If a new event is unreachable from all existing event paths (i.e., if the corresponding attack graph distances are infinite), then the event may form the beginning of a new path.” The Examiner interprets the first event in an event path as corresponding to the object in which an operation indicating the attack detected is detected, i.e., the origin.), and by tracing a direction indicated by the direction information included in the relation data in a forward direction ([Noel, (15)] “The exploit distances should supply the necessary information to form event paths. An event may be added to the end of a path if it maps to an exploit that has a finite distance from the exploit mapped to the last event in the path. Event time is naturally accounted for, because events are added at the ends of paths, which were constructed from prior events.”).
Therefore, it would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to modify Yuta to include wherein the processing circuitry adds, to the relation data, direction information indicating a direction from the influence-source object to the influence-destination object, as the relation between the influence-source object and the influence-destination object, and specifies the infected range by using an object in which an operation indicating the attack detected is detected as an origin, and by tracing a direction indicated by the direction information included in the relation data in a forward direction, as suggested by Noel. One of ordinary skill in the art would have been motivated to incorporate direction information from the influence-source object to the influence-destination object into the relation data in order to trace the infected range forward from the object in which the attack was detected, consistent with Noel's construction of event paths by adding new events at the ends of paths built from prior events.
As per claim 3, the combination of Yuta and Noel discloses the attack analysis device as defined in claim 2. Yuta does not disclose wherein the processing circuitry specifies the infected range when the operation data is taken as an input, and the attack probability is equal to or higher than a threshold value B higher than the threshold value A, by using the influence-destination object as the object in which the operation indicating the attack detected is detected.
However, Noel, in the same field of endeavor, discloses wherein the processing circuitry specifies the infected range when the operation data is taken as an input ([Noel, (66)] “We then injected 10,000 intrusion events, mixed with random traffic. We included isolated events as well as multi-step attacks. Using a filter constant of α=0.4 and a correlation threshold of 0.55, we correctly distinguished the multi-step attacks from the isolated events.”) and the attack probability is equal to or higher than a threshold value B ([Noel, Abstract, (44) and (45)] “The correlation values are analyzed using a correlation threshold to detect coordinated attacks.” and “A correlation threshold value of T=0.6 is applied, shown as a horizontal plane.” and “For α=0.1 (front of page), very little filtering is applied, so that the filtered sequence looks very similar to the original sequence of inverse distances. In this region of α values, for the threshold T=0.6, the event path is separated into 4 short attack scenarios”. The Examiner interprets the disclosed correlation value as corresponding to the claimed attack probability because the correlation value quantifies the likelihood that a sequence of events represents a coordinated attack scenario.) higher than the threshold value A ([Noel, (51) and (55)] “The problem is that, without adequate filtering, event distances are not being considered in the context of the recent history. One could lower the threshold to below T=0.5 in this case, which would yield these most likely attack scenarios:” and “For larger values of α (going into the page), more filtering is applied, so that distance recent history is considered more strongly. In this case, the threshold does separate the path into the 2 most likely attack scenarios. A cross section for α=0.4 is shown in FIG. 7B. For overly large values of α (e.g., in the region of α=0.9), so much filtering is applied that the entire path is considered a single attack scenario. In other words, it misses Event 5 as the start of a new attack scenario.” The Examiner interprets Noel's disclosed correlation thresholds (e.g., 0.55 and 0.6) as corresponding to the claimed threshold value B, which is higher than the lowered threshold of below T=0.5 that Noel also contemplates.) by using the influence-destination object as the object in which the operation indicating the attack detected is detected.
Therefore, it would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to modify Yuta to include wherein the processing circuitry specifies the infected range when the operation data is taken as an input, and the attack probability is equal to or higher than a threshold value B higher than the threshold value A, by using the influence-destination object as the object in which the operation indicating the attack detected is detected as suggested by Noel. One of ordinary skill in the art would have been motivated to apply Noel’s scenario-level relevancy scoring in the attack analysis of Yuta in order to provide an overall relevance measure for an attack scenario, since Noel teaches that local filtered inverse distances do not provide an overall scenario relevance measure and introduces a scenario relevancy score for that purpose.
As per claim 4, the combination of Yuta and Noel discloses the attack analysis device as defined in claim 1. Yuta does not explicitly disclose wherein the processing circuitry adds direction information indicating a direction from the influence-source object to the influence-destination object, to the relation data, as the relation between the influence-source object and the influence-destination object, and specifies the intrusion route by using the object in which an operation indicating the attack detected is detected as an origin, and by tracing a direction indicated by the direction information included in the relation data in a reverse direction.
However, Noel discloses wherein the processing circuitry adds direction information indicating a direction from the influence-source object to the influence-destination object, to the relation data, as the relation between the influence-source object and the influence-destination object, and specifies the intrusion route by using the object in which an operation indicating the attack detected is detected ([Noel, (41)] “Attack graph distances between the 8 intrusion events in FIG. 4 may be determined directly from the figure. The arrow beside "Event x" indicates the direction (source and destination machine) of the event. So the distance from Event 1 (an exploit from machine m23 to m80) to Event 2 (an exploit from machine m80 to m52) is one, the distance from Event 2 to Event 3 is 2, etc.”) as an origin ([Noel, (36)] “Event paths may be formed in the manner previously described, i.e., by adding new events”), and by tracing a direction indicated by the direction information included in the relation data in a reverse direction ([Noel, (36)] “Event paths may be formed in the manner previously described, i.e., by adding new events to the ends of paths if the new event is reachable from the last event in the path, etc. For each path of intrusion events, the Event Analyzer 330 can invert the distances between events (convert them from dissimilarities to similarities), then apply the exponentially weighted moving average filter in Equation (1) to the [inverse distances]. The correlation threshold may then be applied, as described previously, which segments event paths into highly correlated attack scenarios. In practice, proper values of correlation threshold should be based on expected rates of missed detections.”).
Therefore, it would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to modify Yuta to include wherein the processing circuitry adds direction information indicating a direction from the influence-source object to the influence-destination object, to the relation data, as the relation between the influence-source object and the influence-destination object, and specifies the intrusion route by using the object in which an operation indicating the attack detected is detected as an origin, and by tracing a direction indicated by the direction information included in the relation data in a reverse direction as suggested by Noel. One of ordinary skill in the art would have been motivated to do so because incorporating direction information enables tracing of an intrusion route from a detected origin event based on relation data to improve identification and analysis of attack propagation.
As per claim 5, the combination of Yuta and Noel discloses the attack analysis device as defined in claim 4. Yuta does not explicitly disclose wherein the processing circuitry specifies the intrusion route when the operation data is taken as an input, and the attack probability is equal to or higher than a threshold value B higher than the threshold value A, by using the influence-destination object as the object in which the operation indicating the attack detected is detected.
However, Noel, in the same field of endeavor, discloses wherein the processing circuitry specifies the intrusion route when the operation data is taken as an input ([Noel, (66)] “We then injected 10,000 intrusion events, mixed with random traffic. We included isolated events as well as multi-step attacks. Using a filter constant of α=0.4 and a correlation threshold of 0.55, we correctly distinguished the multi-step attacks from the isolated events.”) and the attack probability is equal to or higher than a threshold value B ([Noel, Abstract, (44) and (45)] “The correlation values are analyzed using a correlation threshold to detect coordinated attacks.” and “A correlation threshold value of T=0.6 is applied, shown as a horizontal plane.” and “For α=0.1 (front of page), very little filtering is applied, so that the filtered sequence looks very similar to the original sequence of inverse distances. In this region of α values, for the threshold T=0.6, the event path is separated into 4 short attack scenarios”. The Examiner interprets the disclosed correlation value as corresponding to the claimed attack probability because the correlation value quantifies the likelihood that a sequence of events represents a coordinated attack scenario.) higher than the threshold value A ([Noel, (51) and (55)] “The problem is that, without adequate filtering, event distances are not being considered in the context of the recent history. One could lower the threshold to below T=0.5 in this case, which would yield these most likely attack scenarios:” and “For larger values of α (going into the page), more filtering is applied, so that distance recent history is considered more strongly. In this case, the threshold does separate the path into the 2 most likely attack scenarios. A cross section for α=0.4 is shown in FIG. 7B. For overly large values of α (e.g., in the region of α=0.9), so much filtering is applied that the entire path is considered a single attack scenario. In other words, it misses Event 5 as the start of a new attack scenario.” The Examiner interprets Noel's disclosed correlation thresholds (e.g., 0.55 and 0.6) as corresponding to the claimed threshold value B, which is higher than the lowered threshold of below T=0.5 that Noel also contemplates.) by using the influence-destination object as the object in which the operation indicating the attack detected is detected. Claim 5 is rejected under the same rationale as claim 4 above.
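The steps recited in claims 1-5 (and restated in method and medium form in claims 10 and 11) can be followed concretely on a small trace: relation data is built only from operations that carry an influence-source object and an attack probability of at least A; an operation at or above B (B higher than A) marks its influence-destination object as the origin; the infected range is the forward closure from the origin and the intrusion route is the reverse closure. The Python below is an added illustration written for this page, not code from the application, from Yuta or from Noel. The object names, operation types, probability values and the thresholds A=0.3 and B=0.8 are constructed for the example, and the record layout is an assumption.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Operation:
    """One acquired operation record (constructed layout; an assumption, not either reference's format)."""
    source: Optional[str]       # influence-source object; None when no originating object is known
    dest: str                   # influence-destination object
    kind: str                   # operation type; it decides which side is the source (a read makes the file the source)
    attack_probability: float   # probability that this operation is an attack, 0.0..1.0


class AttackAnalyzer:
    """Relation construction at threshold A, detection and tracing at threshold B (B > A)."""

    def __init__(self, threshold_a: float, threshold_b: float) -> None:
        if not 0.0 <= threshold_a < threshold_b <= 1.0:
            raise ValueError("thresholds must satisfy 0 <= A < B <= 1")
        self.threshold_a = threshold_a
        self.threshold_b = threshold_b
        self.forward: dict[str, set[str]] = defaultdict(set)   # source -> destinations (relation direction)
        self.reverse: dict[str, set[str]] = defaultdict(set)   # destination -> sources
        self.detections: list[str] = []                        # origin objects of detected operations

    def ingest(self, op: Operation) -> bool:
        """Relation construction step. Returns True when a directed relation was added."""
        added = False
        if op.source is not None and op.attack_probability >= self.threshold_a:
            self.forward[op.source].add(op.dest)
            self.reverse[op.dest].add(op.source)
            added = True
        # Detection step: the influence-destination object of a high-probability operation becomes the origin.
        if op.attack_probability >= self.threshold_b and op.dest not in self.detections:
            self.detections.append(op.dest)
        return added

    def infected_range(self, origin: str) -> set[str]:
        """Forward trace: objects reachable from the origin along the relation direction."""
        return self._reach(self.forward, origin)

    def intrusion_route(self, origin: str) -> set[str]:
        """Reverse trace: objects from which the origin is reachable (how the attack got there)."""
        return self._reach(self.reverse, origin)

    def entry_paths(self, origin: str) -> list[list[str]]:
        """Reverse trace expanded into ordered chains from each entry object (no recorded source) to the origin."""
        paths: list[list[str]] = []

        def walk(node: str, chain: list[str]) -> None:
            parents = self.reverse.get(node, set())
            if not parents:
                paths.append(list(reversed(chain)))
                return
            for parent in sorted(parents):
                if parent in chain:          # cycle guard, e.g. a process that rewrites its own dropper
                    continue
                walk(parent, chain + [parent])

        walk(origin, [origin])
        return paths

    @staticmethod
    def _reach(adjacency: dict[str, set[str]], origin: str) -> set[str]:
        """Breadth-first closure over one edge direction; the origin itself is not part of the result."""
        seen = {origin}
        queue = deque([origin])
        while queue:
            node = queue.popleft()
            for nxt in adjacency.get(node, ()):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        seen.discard(origin)
        return seen


# Constructed sample trace: a downloaded installer starts a service that tampers with the hosts file.
SAMPLE_OPERATIONS = [
    Operation("browser.exe", "setup.exe", "write", 0.45),   # download written to disk: >= A, recorded
    Operation("setup.exe", "svc.exe", "exec", 0.85),        # dropped binary starts a process: >= B, detected
    Operation("svc.exe", "hosts", "write", 0.60),           # >= A, recorded; < B, no detection on its own
    Operation("creds.db", "svc.exe", "read", 0.40),         # read: the file influences the process
    Operation("svc.exe", "upload.tmp", "write", 0.35),
    Operation("explorer.exe", "notes.txt", "write", 0.05),  # benign: below A, never enters the relation data
    Operation(None, "browser.exe", "net_recv", 0.50),       # no influence-source object: acquired, no relation
]


def run_example(threshold_a: float = 0.3, threshold_b: float = 0.8):
    """Ingest the sample, then trace every detected origin over the completed relation data."""
    analyzer = AttackAnalyzer(threshold_a, threshold_b)
    for op in SAMPLE_OPERATIONS:
        analyzer.ingest(op)
    results = {
        origin: {
            "infected_range": sorted(analyzer.infected_range(origin)),
            "intrusion_route": sorted(analyzer.intrusion_route(origin)),
            "entry_paths": analyzer.entry_paths(origin),
        }
        for origin in analyzer.detections
    }
    return analyzer, results


if __name__ == "__main__":
    for origin, traced in run_example()[1].items():
        print(origin, traced)
```

With A=0.3 and B=0.8 the only detection is the 0.85 exec, so svc.exe is the origin; the forward trace yields hosts and upload.tmp, the reverse trace yields setup.exe, browser.exe and creds.db, and the 0.05 benign write and the source-less network receive leave no relation at all. Re-running the same trace with A raised to 0.5 drops the 0.45 download and the 0.40 read at ingest time, so the reverse trace stops at setup.exe: A decides how much context the relation data keeps, B decides when tracing is triggered, and a relation discarded below A cannot be recovered once the attack is detected.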
As per claim 10, Yuta discloses an attack analysis method comprising: by a computer, acquiring operation data ([Yuta, [0182]] “In step S111, the reception unit 110 receives software operation data.”) including at least an influence-destination object ([Yuta, [00123]] “the relationship building unit 120 specifies a directed relationship between the operation object and the target object according to the operation type, and adds a directed edge from the operation object node to the target object node. The directed edge has a direction that represents the directed relationship specified.”), the influence-destination object being an object which is influenced by the operation performed by the influence-source object ([Yuta, [0084]] “The target object is a software object that is to be a target of the software operation. That is, the target object is a software object that is to be an object of the software operation. A specific example of the target object is a file.”).
Yuta does not disclose the attack probability representing a probability of the operation being an attack; an attack probability among an influence-source object being an object which has performed an operation to influence another object; constructing relation data, when the operation data includes the influence-source object and the attack probability is equal to or higher than a threshold value A, by adding a relation between the influence-source object and the influence-destination object to the relation data; and specifying at least either of an infected range which is supposed to be affected by an attack that is detected, and an intrusion route of the attack detected, based on the relation data, when the attack is detected.
However, Noel, in the same field of endeavor, discloses the attack probability representing a probability of the operation being an attack ([Noel, Abstract] “The intrusion detector generates events. Events are associated with exploits. Event graph distances are calculated. Correlation values are calculated for event pair(s) using event graph distances. The correlation values are analyzed using a correlation threshold to detect coordinated attacks.” The Examiner interprets “the correlation values” as a measurement of the likelihood that events belong to the same coordinated attack.); an attack probability among an influence-source object being an object which has performed an operation to influence another object ([Noel, (8)] “A threshold may be applied to filtered correlations to separate event paths into attack scenarios, i.e., only paths with sufficient correlation (sufficiently small attack graph gaps) are placed in the same attack scenario. Overall relevancy score may also be computed for resulting attack scenarios. This should measure the extent that the attack scenarios populate a path in the attack graph.”); constructing relation data ([Noel, (13)] “Two events that fall on a connected path in an attack graph may be considered correlated (at least to some extent). Clearly, events should be fully correlated if they map to adjacent exploits in the attack graph, since this is the strongest relationship possible. Conversely, events mapped to non-adjacent exploits are only partially correlated, as shown in FIG. 1, which is an example diagram showing partially correlated events 140 and 150. In this case, the degree of event correlation may be determined through graph distance between corresponding exploits 110, 120 and 130”) when the operation data includes the influence-source object ([Noel, (41)] “The arrow beside "Event x" indicates the direction (source and destination machine) of the event. So the distance from Event 1 (an exploit from machine m23 to m80) to Event 2 (an exploit from machine m80 to m52) is one, the distance from Event 2 to Event 3 is 2, etc.”) and the attack probability is equal to or higher than a threshold value A ([Noel, Abstract and (44)] “The correlation values are analyzed using a correlation threshold to detect coordinated attacks.” and “A correlation threshold value of T=0.6 is applied, shown as a horizontal plane.”) by adding a relation between the influence-source object and the influence-destination object to the relation data ([Noel, (15)] “An event may be added to the end of a path if it maps to an exploit that has a finite distance from the exploit mapped to the last event in the path. Event time is naturally accounted for, because events are added at the ends of paths, which were constructed from prior events.”); and specifying at least either of an infected range which is supposed to be affected by an attack that is detected, and an intrusion route of the attack detected, based on the relation data, when the attack is detected ([Noel, (22)] “Thus, a correlation threshold may be applied that segments event paths into highly correlated attack scenarios. In other words, a consecutive sequence of events that lies above the threshold defines an attack scenario. When individual event paths are formed from the incoming stream of events, new event paths may be created when a new event is not reachable (infinite distance) from the currently existing set of event paths. In this way, event paths have an obvious beginning based on (non-) reachability. The correlation threshold provides a way to end an event path when the distance to the next event is too large, but is still finite.”).
Therefore, it would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to modify Yuta to include the attack probability representing a probability of the operation being an attack; an attack probability among an influence-source object being an object which has performed an operation to influence another object, constructing relation data when the operation data includes the influence-source object, and the attack probability is equal to or higher than a threshold value A, by adding a relation between the influence-source object and the influence-destination object to the relation data; specifying at least either of an infected range which is supposed to be affected by an attack that is detected, and an intrusion route of the attack detected, based on the relation data, when the attack is detected as suggested by Noel. One of ordinary skill in the art would have been motivated to incorporate Noel’s relation-based attack correlation into Yuta in order to organize detected operations into structured relationships that represent attack propagation paths, thereby enabling identification of affected objects across multiple related operations, as taught by Noel’s attack graph correlation of intrusion events.
As per claim 11, Yuta discloses a non-transitory computer readable medium storing an attack analysis program to cause a computer to function as an attack analysis device performing: a data acquisition process to acquire operation data ([Yuta, [0182]] “In step S111, the reception unit 110 receives software operation data.”) including at least an influence-destination object ([Yuta, [00123]] “the relationship building unit 120 specifies a directed relationship between the operation object and the target object according to the operation type, and adds a directed edge from the operation object node to the target object node. The directed edge has a direction that represents the directed relationship specified.”), the influence-destination object being an object which is influenced by the operation performed by the influence-source object ([Yuta, [0084]] “The target object is a software object that is to be a target of the software operation. That is, the target object is a software object that is to be an object of the software operation. A specific example of the target object is a file.”).
Yuta does not disclose the attack probability representing a probability of the operation being an attack; an attack probability among an influence-source object being an object which has performed an operation to influence another object; a relation construction process to construct relation data, when the operation data acquired by the data acquisition process includes the influence-source object and the attack probability is equal to or higher than a threshold value A, by adding a relation between the influence-source object and the influence-destination object to the relation data; and a specification process to specify at least either of an infected range which is supposed to be affected by an attack that is detected, and an intrusion route of the attack detected, based on the relation data constructed by the relation construction process, when the attack is detected.
However, Noel, in the same field of endeavor, discloses the attack probability representing a probability of the operation being an attack ([Noel, Abstract] “The intrusion detector generates events. Events are associated with exploits. Event graph distances are calculated. Correlation values are calculated for event pair(s) using event graph distances. The correlation values are analyzed using a correlation threshold to detect coordinated attacks.” The Examiner interprets “the correlation values” as a measurement of the likelihood that events belong to the same coordinated attack.); an attack probability among an influence-source object being an object which has performed an operation to influence another object ([Noel, (8)] “A threshold may be applied to filtered correlations to separate event paths into attack scenarios, i.e., only paths with sufficient correlation (sufficiently small attack graph gaps) are placed in the same attack scenario. Overall relevancy score may also be computed for resulting attack scenarios. This should measure the extent that the attack scenarios populate a path in the attack graph.”); a relation construction process to construct relation data ([Noel, (13)] “Two events that fall on a connected path in an attack graph may be considered correlated (at least to some extent). Clearly, events should be fully correlated if they map to adjacent exploits in the attack graph, since this is the strongest relationship possible. Conversely, events mapped to non-adjacent exploits are only partially correlated, as shown in FIG. 1, which is an example diagram showing partially correlated events 140 and 150. In this case, the degree of event correlation may be determined through graph distance between corresponding exploits 110, 120 and 130”) when the operation data acquired by the data acquisition process includes the influence-source object ([Noel, (41)] “The arrow beside "Event x" indicates the direction (source and destination machine) of the event. So the distance from Event 1 (an exploit from machine m23 to m80) to Event 2 (an exploit from machine m80 to m52) is one, the distance from Event 2 to Event 3 is 2, etc.”) and the attack probability is equal to or higher than a threshold value A ([Noel, Abstract and (44)] “The correlation values are analyzed using a correlation threshold to detect coordinated attacks.” and “A correlation threshold value of T=0.6 is applied, shown as a horizontal plane.”) by adding a relation between the influence-source object and the influence-destination object to the relation data ([Noel, (15)] “An event may be added to the end of a path if it maps to an exploit that has a finite distance from the exploit mapped to the last event in the path. Event time is naturally accounted for, because events are added at the ends of paths, which were constructed from prior events.”); and a specification process to specify at least either of an infected range which is supposed to be affected by an attack that is detected, and an intrusion route of the attack detected, based on the relation data constructed by the relation construction process, when the attack is detected ([Noel, (22)] “Thus, a correlation threshold may be applied that segments event paths into highly correlated attack scenarios. In other words, a consecutive sequence of events that lies above the threshold defines an attack scenario. When individual event paths are formed from the incoming stream of events, new event paths may be created when a new event is not reachable (infinite distance) from the currently existing set of event paths. In this way, event paths have an obvious beginning based on (non-) reachability. The correlation threshold provides a way to end an event path when the distance to the next event is too large, but is still finite.”).
Therefore, it would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to modify Yuta to include the attack probability representing a probability of the operation being an attack; an attack probability among an influence-source object being an object which has performed an operation to influence another object; a relation construction process to construct relation data when the operation data acquired by the data acquisition process includes the influence-source object, and the attack probability is equal to or higher than a threshold value A, by adding a relation between the influence-source object and the influence-destination object to the relation data; a specification process to specify at least either of an infected range which is supposed to be affected by an attack that is detected, and an intrusion route of the attack detected, based on the relation data constructed by the relation construction process, when the attack is detected as suggested by Noel. One of ordinary skill in the art would have been motivated to incorporate Noel’s relation-based attack correlation into Yuta in order to organize detected operations into structured relationships that represent attack propagation paths, thereby enabling identification of affected objects across multiple related operations, as taught by Noel’s attack graph correlation of intrusion events.
Claims 6-9 are rejected under 35 U.S.C. §103 as being unpatentable over Yuta et al. (US20220358218A1) [hereinafter "Yuta"] in view of Noel et al. (US 7735141 B1) [hereinafter "Noel"] and further in view of Sun et al. (X. Sun, J. Dai, P. Liu, A. Singhal and J. Yen, "Using Bayesian Networks for Probabilistic Identification of Zero-Day Attack Paths," IEEE Transactions on Information Forensics and Security, vol. 13, no. 10, pp. 2506-2521, Oct. 2018) [hereinafter "Sun"] as applied to claim 1 above.
As per claim 6, the combination of Yuta and Noel discloses the attack analysis device as defined in claim 1. The combination does not disclose wherein the processing circuitry adds, to the relation data, a relation between the influence-source object and the influence-destination object in past data of which the attack probability is decided to be higher than a criterion based on a relation with the operation data that is newly acquired, among past data being the operation data of which the attack probability is lower than the threshold value A. However, Sun in the same field of endeavor discloses wherein the processing circuitry adds, to the relation data, a relation between the influence-source object and the influence-destination object in past data of which the attack probability is decided to be higher than a criterion ([Sun, Section IV-F, p. 2512, Algorithm 2, lines 28-29] "if prob[v] ≥ threshold or (v is marked as has_high_probability_ancestor and v is marked as has_high_probability_descendant) then Vz ← Vz ∪ v") based on a relation with the operation data that is newly acquired, among past data being the operation data of which the attack probability is lower than the threshold value A ([Sun, Section I, Introduction, p. 2507; Section IV-F, p. 2512, Algorithm 2, lines 11-14] "New intrusion evidence can be incorporated as it is collected. The new evidence may change the previous probability inference results." and
"for all nextv of v do
if nextv is not labeled as visited then
if the probability for nextv prob[nextv] ≥ threshold or nextv is marked as flag then
set find_high_probability as True
else
DFS(G, nextv, direction)").
Therefore, it would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to modify Yuta to include the attack probability representing a probability of the operation being an attack; an attack probability among; an attack analysis device comprising processing circuitry to construct relation data when the operation data acquired includes the influence-source object, and the attack probability is equal to or higher than a threshold value A by adding a relation between the influence-source object and the influence-destination object to the relation data; and to specify at least either of an infected range which is supposed to be affected by an attack that is detected, and an intrusion route of the attack detected, based on the relation data constructed, when the attack is detected as taught by Noel to further include wherein the processing circuitry adds, to the relation data, a relation between the influence-source object and the influence-destination object in past data of which the attack probability is decided to be higher than a criterion based on a relation with the operation data that is newly acquired, among past data being the operation data of which the attack probability is lower than the threshold value A as suggested by Sun. One of ordinary skill in the art would have been motivated to incorporate Sun’s teaching of comparing attack probabilities to a threshold to selectively update relation data based on newly acquired evidence.
As per claim 7, the combination of Yuta and Noel discloses the attack analysis device as defined in claim 6. The combination of Yuta and Noel fails to disclose wherein the processing circuitry decides that the attack probability of the past data is higher than the criterion when the attack probability in the operation data newly acquired is equal to or higher than the threshold value A, and a difference between an operation clock time of the operation data newly acquired and an operation clock time of the past data is within a reference time. However, Sun in the same field of endeavor discloses wherein the processing circuitry decides that the attack probability of the past data ([Sun, Section III-B, p. 2507] "New intrusion evidence can be incorporated as it is collected. The new evidence may change the previous probability inference results. Moreover, erroneous knowledge will be ruled out as more true evidence is fed into BN. Fourth, the tool ZePro is automated, which greatly enhances security analysts' working effectiveness and efficiency. This paper is developed based on our continuous work [1") is higher than the criterion when the attack probability in the operation data newly acquired is equal to or higher than the threshold value A, ([Sun, Section III-A, p. 2510] "The intrinsic infection rate ρ decides how likely sink j+1 gets infected when srci is uninfected. In this case, since srci is not the infection source of sink j+1, if sink j+1 is infected, it should be caused by other factors. So ρ can be determined by the prior probabilities of an object being infected, which is usually a very small constant number.") and a difference between an operation clock time of the operation data newly acquired and an operation clock time of the past data is within a reference time. ([Sun, Definition 3, p. 2509] "If the system call trace in a time window T [tbegin, tend] is denoted as 'J:T and the set of system objects (mainly processes, files or sockets) involved in 'J:T is denoted as OT, then the object instance graph is a directed graph GT (V, E)". The Examiner interprets Sun's disclosure as teaching that probability determinations are performed on past operation data within a reference time period relative to newly acquired operation data.)
Therefore, it would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to modify Yuta to include an attack analysis device comprising processing circuitry to construct relation data when the operation data acquired includes the influence-source object, and the attack probability is equal to or higher than a threshold value A by adding a relation between the influence-source object and the influence-destination object to the relation data as suggested by Noel and further include wherein the processing circuitry decides that the attack probability of the past data is higher than the criterion when the attack probability in the operation data newly acquired is equal to or higher than the threshold value A, and a difference between an operation clock time of the operation data newly acquired and an operation clock time of the past data is within a reference time as taught by Sun. One of ordinary skill in the art would have been motivated to do so in order to account for the temporal evolution of intrusion evidence by comparing newly acquired operation data with past data within a reference time window, thereby improving the accuracy and reliability of attack probability determination.
As per claim 8, the combination of Yuta and Noel discloses the attack analysis device as defined in claim 6. The combination does not disclose wherein the processing circuitry decides that the attack probability of the past data is higher than the criterion when the attack probability in the operation data newly acquired is equal to or higher than the threshold value A, and at least either of the influence-source object and the influence-destination object is identical between the operation data newly acquired and the past data. However, Sun in the same field of endeavor discloses wherein the processing circuitry decides that the attack probability of the past data is higher than the criterion when the attack probability in the operation data newly acquired is equal to or higher than the threshold value A, and at least either of the influence-source object and the influence-destination object is identical between the operation data newly acquired and the past data ([Sun, Section IV-B, p. 2512] "We connect these individual instance graphs with the following steps: 1) identify identical objects that appear in different windows; 2) For each of such object, connect every two closest windows by adding a state transition dependency between the last instance of the object in a window and the first instance of the same object in the next window. The last instance and first instance are determined by the timestamps of instances."). Claim 8 is rejected under the same rationale as claim 6 above.
As per claim 9, the combination of Yuta and Noel discloses the attack analysis device as defined in claim 1. The combination of Yuta and Noel fails to disclose wherein the operation data includes operation information indicating an operation content, and the processing circuitry calculates the attack probability from the operation content indicated in the operation information. However, Sun in the same field of endeavor discloses wherein the operation data includes operation information indicating an operation content, and the processing circuitry calculates the attack probability from the operation content indicated in the operation information ([Sun, Section IV-B, System Call Parsing and Dependency Extraction, p. 2509] "By taking intrusion evidence as input, the Bayesian network is able to compute the probabilities of object instances being infected." and [Sun, Section II-B, p. 2507] "New intrusion evidence can be incorporated as it is collected. The new evidence may change the previous probability inference results. Moreover, erroneous knowledge will be ruled out as more true evidence is fed into BN. Fourth, the tool ZePro is automated, which greatly enhances security analysts' working effectiveness and efficiency.").
Therefore, it would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to modify Yuta to include an attack analysis device comprising processing circuitry to construct relation data when the operation data acquired includes the influence-source object, and the attack probability is equal to or higher than a threshold value A by adding a relation between the influence-source object and the influence-destination object to the relation data as suggested by Noel and further include wherein the operation data includes operation information indicating an operation content, and the processing circuitry calculates the attack probability from the operation content indicated in the operation information as taught by Sun. One of ordinary skill in the art would have been motivated to incorporate operation information indicating an operation content to improve probabilistic inference accuracy by allowing attack probability to be computed directly from operation level intrusion evidence.
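For reference, the following Python sketch makes the claimed processing concrete as the Examiner reads it across claims 1, 6, 7 and 8: a relation is added to the relation data only when the operation data carries an influence-source object and the attack probability is at or above threshold value A; past below-threshold operation data is promoted into the relation data when a newly acquired high-probability operation is related to it by clock time within a reference time (claim 7) or by an identical source or destination object (claim 8); and the infected range and intrusion route are then read off the relation data when an attack is detected. This is an illustration added to this action, not code from the application or from Yuta, Noel or Sun; the threshold value A = 0.5, the reference time of 30 time units, the object names and the operation sequence are all constructed for the example.

```python
"""Illustrative relation-data construction for the claimed attack analysis process.
Added example; not code from the application or the cited references."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

THRESHOLD_A = 0.5       # threshold value A of the claims (value assumed for the example)
REFERENCE_TIME = 30.0   # reference time of claim 7 (value assumed for the example)


@dataclass(frozen=True)
class Operation:
    """One item of operation data: source object, destination object, clock time, attack probability."""
    clock: float
    source: Optional[str]   # influence-source object; None when the operation data lacks it
    destination: str        # influence-destination object (e.g. a file)
    attack_probability: float


class RelationData:
    def __init__(self, threshold_a: float = THRESHOLD_A, reference_time: float = REFERENCE_TIME):
        self.threshold_a = threshold_a
        self.reference_time = reference_time
        self.forward: Dict[str, Set[str]] = defaultdict(set)   # source -> destinations
        self.backward: Dict[str, Set[str]] = defaultdict(set)  # destination -> sources
        self.past_data: List[Operation] = []   # below-threshold operations kept for later revisiting
        self.relations: List[Operation] = []   # operations whose relation has been added

    def _add_relation(self, op: Operation) -> None:
        self.forward[op.source].add(op.destination)
        self.backward[op.destination].add(op.source)
        self.relations.append(op)

    def _related(self, new: Operation, past: Operation) -> bool:
        # claim 7 criterion: operation clock times differ by no more than the reference time
        if abs(new.clock - past.clock) <= self.reference_time:
            return True
        # claim 8 criterion: at least one of source/destination is identical between the two
        return bool({new.source, new.destination} & {past.source, past.destination})

    def acquire(self, op: Operation) -> bool:
        """Data acquisition + relation construction. Returns True if a relation was added."""
        if op.source is None:            # claim 1: no source object, no relation
            return False
        if op.attack_probability < self.threshold_a:
            self.past_data.append(op)    # below A: remembered as past data only
            return False
        self._add_relation(op)
        # claims 6-8: past data related to the new high-probability operation is promoted (single pass)
        still_past = []
        for past in self.past_data:
            if self._related(op, past):
                self._add_relation(past)
            else:
                still_past.append(past)
        self.past_data = still_past
        return True

    def infected_range(self, detected: str) -> Set[str]:
        """Specification process: objects reachable from the detected object via relation data."""
        seen, queue = {detected}, deque([detected])
        while queue:
            obj = queue.popleft()
            for nxt in sorted(self.forward.get(obj, ())):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        return seen

    def intrusion_route(self, detected: str) -> List[str]:
        """Specification process: follow relations backwards to an object with no predecessor."""
        route, obj, visited = [detected], detected, {detected}
        while self.backward.get(obj):
            preds = [p for p in sorted(self.backward[obj]) if p not in visited]
            if not preds:
                break
            obj = preds[0]
            visited.add(obj)
            route.append(obj)
        route.reverse()
        return route


# Constructed operation data for the example (not taken from the application or the cited art).
SAMPLE_OPERATIONS = [
    Operation(100, "proc_mail",    "file_attachment", 0.20),  # below A, unrelated later: stays past data
    Operation(130, "proc_viewer",  "file_dropper",    0.30),  # below A, promoted by clock time (claim 7)
    Operation(140, "proc_dropper", "file_payload",    0.90),  # at/above A: relation added
    Operation(150, "file_payload", "proc_payload",    0.80),  # at/above A: relation added
    Operation(250, "proc_payload", "file_stage2",     0.40),  # below A, promoted by shared object (claim 8)
    Operation(300, "proc_payload", "file_shadow",     0.95),  # at/above A: relation added
]


def build_sample() -> RelationData:
    rd = RelationData()
    for op in SAMPLE_OPERATIONS:
        rd.acquire(op)
    return rd


if __name__ == "__main__":
    rd = build_sample()
    print("relations:", [(o.source, o.destination) for o in rd.relations])
    print("infected range from proc_dropper:", sorted(rd.infected_range("proc_dropper")))
    print("intrusion route to file_shadow:", rd.intrusion_route("file_shadow"))
```

In the constructed sequence, the relation data ends with five relations, the first low-probability operation remains excluded, the infected range from proc_dropper covers file_payload, proc_payload, file_stage2 and file_shadow, and the intrusion route into file_shadow is proc_dropper, file_payload, proc_payload, file_shadow.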
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
MURRAY et al. (US12069073B2) discloses cyber threat defense systems and methods.
Labreche et al. (US12135789B2) discloses systems and methods of attack type and likelihood prediction.
YABLOKOV et al. (US9860272B2) discloses a system and method for detection of targeted attack based on information from multiple sources.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Komi N. AMEVIGBE whose telephone number is (571)272-3381. The examiner can normally be reached Monday-Friday 2pm-10pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached at (571) 272-3862. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/K.N.A./Examiner, Art Unit 2493
/CARL G COLIN/Supervisory Patent Examiner, Art Unit 2493