Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This office action is in response to the claims filed 10/16/2024. Claims 1-6 are rejected. Therefore, claims 1-6 are pending and addressed below.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-6 are rejected under 35 U.S.C. 103 as being unpatentable over Park et al (US Patent No. 10250619 B1) in view of Nakahira (US PG-PUB No. 20100185760 A1).
Regarding claim 1, claim 5 and claim 6, Park teaches an information processing system, method and program, the system comprising: an upper network device (the control device) being a device constituting an overlay network; and a lower network device (the security device) being a device constituting an underlay network, wherein the upper network device includes: first processing circuitry configured to: detect unauthorized communication ([Col 7, line 30]: “On the analog side, the overlay cyber security networked (overlay network, upper network) system's ability to detect unauthorized (detect unauthorized communication) (by control system management) or unusual (out of sequence or above nominal value) signals can initiate additional log event data collection and correlation (post alert), which could be used as part of the root cause analysis.”); and notify the lower network device of information related to the unauthorized communication detected ([Col 10, line 19]: “The Control Device (the upper network device, which includes the first processing circuitry and constitutes an overlay network) can be configured to output one or more commands associated with one or more response options (notify the information related to the unauthorized communication detected) to one or more of the Security Devices (the lower network device, which includes the second processing circuitry and constitutes an underlay network)”), and the lower network device includes: second processing circuitry configured to: acquire information related to communication of a terminal connected to the lower network device ([Col 45, line 60]: “In various embodiments, the Security Device 101 (the second processing circuitry) is configured to determine occurrence of an unexpected state (determines an inconsistency level among a plurality of pieces of flow data in the underlay network) associated with the 150 component based on the monitored physical-level signal information (acquiring, by the lower network device, information related to communication of a terminal connected to the lower network device) and to output an indication of the unexpected state.”); determine an inconsistency level among a plurality of pieces of flow data in the underlay network having the same connection destination address as the information related to unauthorized communication notification of which is provided; and block the information related to unauthorized communication notification of which is provided as unauthorized communication in accordance with the inconsistency level determined ([Col 10, line 21]: “upon receiving the one or more commands the Security Device can be configured to issue device commands to the associated protected system or device to restore a desired fallback or normal operating state of the protected system or device” (upon receiving the notification from the first processing circuitry, the second processing circuitry determines an inconsistency level and blocks the information related to unauthorized communication notification of which is provided as unauthorized communication in accordance with the inconsistency level determined)). Park further teaches determining an inconsistency level among a plurality of pieces of flow data in the underlay network to determine what is normal versus unexpected behavior in [Col 7, line 35]: “Differential analysis logic can be used to compare differences in the information stream using either programmatic or developed knowledge of the systems being monitored in order to determine what is normal versus unexpected behavior or what is considered normal vs expected behavior.”
Park teaches determining an inconsistency level among a plurality of pieces of flow data in the underlay network. Park is not relied upon for the remaining limitation, but Nakahira teaches determining an inconsistency level among a plurality of pieces of flow data in the underlay network having the same connection destination address as the information related to unauthorized communication notification of which is provided (Paragraph [0026]: “A correlator-evaluator-thresholder collects and additively compiles the traffic profiles obtained at the different points, and calculates a correlation level between the compiled profile of traffic inbound to a node in the network, the node being the destination of the inbound traffic, and the compiled profile of outbound traffic originating from that node. The correlation level is compared with a threshold to decide whether the node is relaying overlay network traffic (determine an inconsistency level among a plurality of pieces of flow data in the underlay network having the same connection destination address as the information related to unauthorized communication notification of which is provided).”).
Park and Nakahira are both considered to be analogous to the claimed invention because they both teach overlay network traffic detection. Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the overlay cyber security networked system and method disclosed by Park with adding the inconsistency level analysis based on the same connection destination address as the information related to unauthorized communication disclosed by Nakahira.
One of ordinary skill in the art would have been motivated to make this modification in order to evaluate the correlation between the time series data (time series profile) of inbound traffic observed at a plurality of interfaces but having the same IP address as a destination address and the time series data (time series profile) of outbound traffic observed at a plurality of interfaces and having this same IP address as a source address, as suggested by Nakahira in paragraph [0060].
Regarding claim 2, Park and Nakahira teach all of the features with respect to claim 1, as outlined above.
Park further teaches determining whether the inconsistency level is a predetermined threshold ([Col 7, line 41]: “Once a set threshold has been exceeded, an in-band or out-of-band alert, including the threshold data, can be sent to a consuming system and trigger the collection of additional information to assist in identifying and isolating the root cause to determine if the changed behavior was unauthorized behavior”).
Park is not relied upon for this feature, but Nakahira teaches calculating an inconsistency level among a plurality of pieces of flow data in the underlay network having the same connection destination address as the information related to the unauthorized communication notification of which is provided (Paragraph [0065]: “when the correlator-evaluator-thresholder 16 performs a frequency component analysis based on the traffic profile information, as preprocessing for the frequency component analysis, the traffic profiler 14 may compare information provided by the traffic measurement unit 13 about the traffic addressed to a predetermined destination node with the information about traffic originating from the same node, select the traffic information that shows a high correlation, and create a profile based on that traffic information, screening out other less correlated traffic.”), and determining that the detection is erroneous when the inconsistency level is the predetermined threshold or more, and, when the second processing circuitry has determined that the inconsistency level is less than the predetermined threshold, determining that the detection is not erroneous and blocking the information related to the unauthorized communication notification of which is provided as unauthorized communication (Paragraph [0054]: “An evaluation that produces a value equal to or greater than the corresponding threshold value indicates overlay network traffic; a value less than the threshold value indicates ordinary traffic”).
One of ordinary skill in the art would have been motivated to make this modification in order to decide whether the node is relaying overlay network traffic, as suggested by Nakahira in paragraph [0026].
Regarding claim 3, Park and Nakahira teach all of the features with respect to claim 2, as outlined above.
Park is not relied upon for this feature, but Nakahira teaches that the second processing circuitry is further configured to calculate the inconsistency level based on any one or a plurality of communication date/time, connection destination port number, a communication protocol, and number of bytes transferred, among the pieces of flow data (Paragraph [0050]: “The traffic measurement unit 13 extracts information necessary to determine whether inbound traffic is overlay network traffic or not and outputs the extracted information to the traffic profiler 14. The extracted information may include the arrival time (communication date/time), length, source and destination IP addresses, port number, protocol number, sequence number, presence or absence of errors, and other inbound traffic information.”; also in paragraph [0015]: “a method that includes analyzing the time stamp (communication date/time), outgoing Internet protocol (IP) address, incoming IP address (communication protocol), outgoing port number (connection destination port number), incoming port number and packet size of each packet (number of bytes transferred).”).
It would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the overlay cyber security networked system and method disclosed by Park with adding calculating the inconsistency level based on communication date/time, connection destination port number, a communication protocol, and number of bytes transferred, among the pieces of flow data, disclosed by Nakahira.
One of ordinary skill in the art would have been motivated to make this modification in order to decide whether the node is relaying overlay network traffic, as suggested by Nakahira in paragraph [0026].
Regarding claim 4, Park and Nakahira teach all of the features with respect to claim 2, as outlined above.
Park is not relied upon for this feature, but Nakahira teaches that the second processing circuitry is further configured to notify the upper network device of deletion of information related to unauthorized communication used for detection in a case where the second processing circuitry has determined that the inconsistency level is a predetermined threshold or more (Paragraph [0066]: “In the third method, traffic is screened by the correlator-evaluator-thresholder 16. The correlator-evaluator-thresholder 16 decides what data are to be screened out (the second processing circuitry has determined that the inconsistency level is a predetermined threshold or more), and removes those data from the profiles it collects from the traffic profiler 14 in overlay traffic information collector 100-1 and the traffic profilers 14 at other overlay traffic information collectors (notify the upper network device of deletion of information related to unauthorized communication used for detection).”).
One of ordinary skill in the art would have been motivated to make this modification in order to decide whether the node is relaying overlay network traffic, as suggested by Nakahira in paragraph [0026].
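The lower-device logic that claims 2 through 4 describe, as characterized above (an inconsistency level computed over the underlay flow data sharing the notified destination address from date/time, destination port, protocol and byte count; a threshold comparison; blocking when the level is below the threshold, and a deletion notice to the upper device when it is at or above it), can be modeled end to end. The Python below is an added illustration written for this page; it is not code from the application, from Park or from Nakahira. The flow record layout, the inconsistency metric (average over the selected fields of the normalized number of distinct, bucketed values), the threshold value and the sample flows are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Iterable, Sequence


@dataclass(frozen=True)
class Flow:
    """One piece of underlay flow data (assumed layout, constructed for this example)."""
    timestamp: int   # communication date/time, seconds (constructed values)
    dst_addr: str    # connection destination address
    dst_port: int    # connection destination port number
    protocol: int    # IP protocol number (6 = TCP, 17 = UDP)
    nbytes: int      # number of bytes transferred


# The fields the claim 3 limitation lists; any subset may be selected.
DEFAULT_FIELDS = ("timestamp", "dst_port", "protocol", "nbytes")


def _bucket(field: str, value: int, time_bucket: int, byte_bucket: int) -> int:
    # Assumed coarsening so that near-identical times and sizes count as one value.
    if field == "timestamp":
        return value // time_bucket
    if field == "nbytes":
        return value // byte_bucket
    return value


def inconsistency_level(flows: Sequence[Flow], fields=DEFAULT_FIELDS,
                        time_bucket: int = 60, byte_bucket: int = 256) -> float:
    """Assumed metric: for each selected field, (distinct bucketed values - 1) / (flows - 1),
    averaged over the fields. 0.0 means every flow agrees on those fields (a consistent,
    repeating pattern); 1.0 means every flow differs. Fewer than two flows gives 0.0."""
    if len(flows) < 2:
        return 0.0
    per_field = []
    for field in fields:
        distinct = {_bucket(field, getattr(f, field), time_bucket, byte_bucket) for f in flows}
        per_field.append((len(distinct) - 1) / (len(flows) - 1))
    return sum(per_field) / len(per_field)


def evaluate_notification(notified_dst: str, flows: Iterable[Flow],
                          threshold: float = 0.5, fields=DEFAULT_FIELDS):
    """Lower-device decision for one notification received from the upper device.

    Returns (action, level, message): action is "block" when the level is below the
    threshold (detection not erroneous) or "notify_deletion" when it is at or above it
    (detection erroneous); message is the payload returned to the upper device, if any."""
    same_dst = [f for f in flows if f.dst_addr == notified_dst]
    level = inconsistency_level(same_dst, fields)
    if level >= threshold:
        msg = {"type": "delete_detection_info", "dst_addr": notified_dst,
               "level": round(level, 3)}
        return "notify_deletion", level, msg
    return "block", level, None


# Constructed sample flows, not taken from the application or the cited references.
SAMPLE_FLOWS = [
    # Repetitive, near-identical flows to one destination: consistent, so a notification
    # naming this address is treated as a genuine detection and blocked.
    Flow(1000, "203.0.113.10", 443, 6, 520),
    Flow(1005, "203.0.113.10", 443, 6, 530),
    Flow(1010, "203.0.113.10", 443, 6, 525),
    Flow(1015, "203.0.113.10", 443, 6, 518),
    # Heterogeneous flows to another destination: high inconsistency, so a notification
    # naming this address is treated as erroneous and the upper device is told to delete it.
    Flow(2000, "198.51.100.20", 80, 6, 1500),
    Flow(2100, "198.51.100.20", 53, 17, 90),
    Flow(2200, "198.51.100.20", 8080, 6, 3000),
    Flow(2300, "198.51.100.20", 443, 6, 700),
    # Unrelated destination, ignored by both evaluations above.
    Flow(2050, "192.0.2.5", 22, 6, 64),
]

if __name__ == "__main__":
    for dst in ("203.0.113.10", "198.51.100.20"):
        action, level, msg = evaluate_notification(dst, SAMPLE_FLOWS)
        print(f"{dst}: level={level:.3f} action={action} message={msg}")
```

With the sample data, the four flows to 203.0.113.10 agree on every selected field once times and sizes are bucketed, so the level is 0.0 and the notification is acted on by blocking; the four flows to 198.51.100.20 differ in time, port and size and partly in protocol, giving a level of about 0.83, above the assumed 0.5 threshold, so the detection is treated as erroneous and a deletion notice is produced instead. The threshold and the bucket widths are the tuning points a deployment would have to set from its own traffic.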
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure (see PTO-892 form for details).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JASMINE DAY whose telephone number is (571)272-0204. The examiner can normally be reached Monday - Friday 9:00 - 5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Philip Chea can be reached at 571-272-3951. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/J.M.D./ Examiner, Art Unit 2499 /PHILIP J CHEA/Supervisory Patent Examiner, Art Unit 2499