DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. /Claims PTC app, filed on 05/18/2022/
Claims 1-14, filed on 10/24/2024 are presented for examination.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1-14 is/are rejected under 35 U.S.C. 103 as being unpatentable over “Mahadevia” et al. (US 10630698 B2) in view of “Jeffords” et al. (US 12381876 B2).
Mahadevia discloses claim 1/13/14. An attack detection apparatus/method/non-transitory computer readable medium comprising: processing circuitry:
to execute for each of a plurality of pieces of communication data as subject data, an attack detection process to determine whether or not the subject data complies with one of rules included in an authorization list that includes a plurality of rules to each of which a unique identifier has been assigned [Mahadevia discloses “The data store may include a plurality of signatures defining a set of rules to detect attacks or intrusive activities on a network that can occur through the process”, wherein “the signature includes a unique signature identification code” (col.2, line 66-col.3, line 21); “If any vulnerability is found, the intrusion prevention unit 314 may respond back to the calling process with signature rule identification information” (col.26, lines 41-43 with FIG.3). See also FIG.2, where Mahadevia discloses intrusion prevention unit with signature DB 224, plurality of signatures 226 defining set of rules having unique code (col.24, lines 34-65)];
when the subject data complies with one of the rules included in the authorization list, to execute a pattern determination process to determine whether or not an identifier corresponding to a rule with which the subject data complies conforms to an appearance pattern of identifiers [Mahadevia discloses, “The intrusion prevention unit may be further configured to verify the information from the pattern matching unit against the plurality of signatures stored in the database to identify and detect a known vulnerability in network activities”, and “the pattern matching unit includes an application process information database containing unique a signature identification code, a signature name, an applicable process name, and an applicable process version. In some implementations, the pattern matching unit is further configured for matching the signature identification code in the verification report with the signature identification code stored in the application process information database” (column 2, line 60 to col.3, line 17). See also FIG.2, where Mahadevia discloses pattern matching unit 212 that includes DB 230 (col.24, line 64 to col.25, line 29)];
Mahadevia does not disclose, but Jeffords, analogous art, discloses, pattern identifiers derived from a model and using the model [“using machine learning models based on historic patterns” (Abstract), Machine Learning Model 214 (Figs. 2, 4) and Access Patterns 316 (Fig.3) of Jeffords].
Therefore, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to modify the system of Mahadevia by incorporating the machine learning model of Jeffords to implement defense in depth for mitigating cybersecurity risk from requests for access to services or other resources.
Mahadevia in view of Jeffords further disclose,
and when the pattern determination process is executed, to determine whether the subject data is normal or not, using a determination result by the attack detection process and a determination result by the pattern determination process [Mahadevia discloses, “The intrusion prevention unit may be further configured to verify the information from the pattern matching unit against the plurality of signatures stored in the database to identify and detect a known vulnerability in network activities”, “The method may include verifying, by the intrusion prevention unit, the information against a plurality of signatures stored in a database of the intrusion prevention unit to identify and detect a known vulnerability in network activity” (col.2, line 60 to col.3, line 10 and col.3, line 52 to col.4, line 14). See also detection process in FIG.2-3 (with col.24, line 25 to col.27, line 3); and FIGS. 11-13 (with col.30, line 8 to col.31, line 19)].
Mahadevia in view of Jeffords further disclose claim 2. The attack detection apparatus according to claim 1, wherein when the subject data has been determined in the attack detection process not to comply with any of the rules included in the authorization list, the processing circuitry determines that the subject data is not normal [Mahadevia discloses, “The intrusion prevention unit may be further configured to verify the information from the pattern matching unit against the plurality of signatures stored in the database to identify and detect a known vulnerability in network activities”, and “the pattern matching unit includes an application process information database containing unique a signature identification code, a signature name, an applicable process name, and an applicable process version. In some implementations, the pattern matching unit is further configured for matching the signature identification code in the verification report with the signature identification code stored in the application process information database” (column 2, line 60 to col.3, line 17). 
See also FIG.2, where Mahadevia disclose pattern matching unit 212 that includes DB 230 (col.24, line 64 to col.25, line 29)], and when the identifier corresponding to the rule with which the subject data complies has been determined in the pattern determination process not to conform to the appearance pattern derived from the model at a time when the subject data has been determined in the attack detection process to comply with one of the rules included in the authorization list, the processing circuitry determines that the subject data is not normal [Mahadevia discloses, “The intrusion prevention unit may be further configured to verify the information from the pattern matching unit against the plurality of signatures stored in the database to identify and detect a known vulnerability in network activities”, “The method may include verifying, by the intrusion prevention unit, the information against a plurality of signatures stored in a database of the intrusion prevention unit to identify and detect a known vulnerability in network activity” (col.2, line 60 to col.3, line 10 and col.3, line 52 to col.4, line 14). See also detection process in FIG.2-3 (with col.24, line 25 to col.27, line 3); and FIGS. 11-13 (with col.30, line 8 to col.31, line 19)].
Mahadevia in view of Jeffords further disclose claim 3 and 5. The attack detection apparatus according to claim 1, wherein the processing circuitry to select a method of that learns the model [“Anomalous access requests are detected using machine learning models based on historic patterns” (Abstract), Machine Learning Model 214 (Figs. 2, 4) and Access Patterns 316 (Fig.3). See also Cybersecurity risk mitigation method 600 (Fig.6) of Jeffords],
using a plurality of pieces of communication data determined to be normal and an depending on classification of appearance pattern of identifiers each of which corresponds to each of the plurality of pieces of communication data determined to be normal [Mahadevia discloses, “The intrusion prevention unit may be further configured to verify the information from the pattern matching unit against the plurality of signatures stored in the database to identify and detect a known vulnerability in network activities”, “The method may include verifying, by the intrusion prevention unit, the information against a plurality of signatures stored in a database of the intrusion prevention unit to identify and detect a known vulnerability in network activity” (col.2, line 60 to col.3, line 10 and col.3, line 52 to col.4, line 14). See also detection process in FIG.2-3 (with col.24, line 25 to col.27, line 3); and FIGS. 11-13 (with col.30, line 8 to col.31, line 19)].
The motivation to combine is the same as that of claim 1 above.
Mahadevia in view of Jeffords further disclose claim 7. The attack detection apparatus according to claim 1, wherein when the processing circuitry collates the subject data with each rule included in the authorization list, the processing circuitry collates a hash value corresponding to the subject data with a value corresponding to each rule included in the authorization list [Mahadevia discloses, “The pattern matching unit 312 may put a wrapper (e.g., a Hashvalue of a combination of MAC ID & Source IP Address), on every packet to associate it with the respective device 308” (col.26, lines 29-32 with FIG.3)].
Claim 4 is rejected for the same rationale applied in rejecting claim 3.
Claim 6 is rejected for the same rationale applied in rejecting claim 5.
Claims 8-12 are rejected for the same rationale applied in rejecting claim 7.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. (See PTO—892).
For example, US 11411965 B2 is directed to Method And System Of Attack Detection And Protection In Computer Systems.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to AMARE F TABOR whose telephone number is (571) 270-3155. The examiner can normally be reached Mon.—Fri. 8:00 AM to 5:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, ALI SHAYANFAR can be reached at (571) 270-1050. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/AMARE F TABOR/ Primary Examiner, Art Unit 2434