Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 11/07/2024 was filed. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.
Claim Objections
Regarding claims 1 and 13, claims 1 and 13 are objected to because of the following informalities: In lines 11 and 12 respectively, “based on the analyzing the graph” should read “based on analyzing the graph”. Appropriate correction is required.
Regarding claim 9, claim 9 is objected to because of the following informalities: In line 1, “wherein the managing the graph” should read “wherein managing the graph”. The claim further recites “for a given cybersecurity signal of the plurality of cybersecurity signals, any of: creating a new node for the given cybersecurity signal; updating an existing node for the given cybersecurity signal; and creating or updating a unified node for the cybersecurity signal”. The language is unclear because it does not clearly distinguish when each operation applies; in particular, “creating or updating a unified node” overlaps with the other listed operations and leaves the scope uncertain. Appropriate correction is required.
Regarding claims 10-12, claims 10-12 are objected to because of the following informalities: In line 1, “wherein the analyzing the graph” should read “wherein analyzing the graph”. Appropriate correction is required.
Regarding claim 11, claim 11 is objected to because of the following informalities: In line 1, “patterns include any of” should read “patterns including any of”. Appropriate correction is required.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION. —The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.
Claims 1-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claims 1 and 13 recite the limitation “utilizing a unified node in the graph for two cybersecurity signals from the at least two disparate cybersecurity monitoring systems”, and dependent claims 6 and 18 further recite that “the unified node is determined based on the matching one or more data fields”. The term “unified node” is unclear as to what structural or operational distinction it constitutes, such as a newly created node, a merged existing node, a logical association between nodes, or the “uber node” described in the specification. Moreover, the term “disparate” is a relative term without an objective boundary. It is unclear whether “disparate” means different system types, different monitoring scopes, or any non-identical systems, making the scope of “disparate cybersecurity systems” unclear. The claims further recite “analyzing the graph to determine a representation of the computing environment”. It is unclear what constitutes the claimed “representation of the computing environment”. The claims do not make clear whether the representation is the graph itself, a subset of the graph, a visualization, a model derived from the graph, a state description, or some other output. Further, since the graph already includes the nodes of entities in the computing environment and vertices representing relationships between the nodes, it is unclear how determining a “representation of the computing environment” is meaningfully distinct from the already recited graph. The claims further recite the limitation “managing the computing environment based on the analyzing the graph including determining one or more cybersecurity threats in the computing environment and associated severity”. It is unclear what acts constitute “managing the computing environment”. The claims do not define whether managing includes displaying information, generating alerts, initiating remediation, updating the graph, or some other action.
Moreover, it is also unclear from the phrase “associated severity” what the severity is associated with, and how the severity is measured or determined. The claims do not recite whether the severity is associated with the one or more cybersecurity threats, a node, or the computing environment, nor whether it is numerical, categorical, or relative. Examiner suggests that applicant clarify the scope of the claims. Dependent claims are also rejected for inheriting the deficiencies set forth above for the independent claims. Appropriate correction is required.
Regarding claims 10-12 and 19-20, claim 10 recites “unusual patterns”, and claim 12 recites “seemingly unrelated nodes” and “learned relationships”. These phrases lack objective boundaries. The phrase “unusual patterns” does not specify unusual relative to what baseline, timeframe, or threshold; “seemingly unrelated nodes” depends on subjective appearance rather than objective relationship criteria; and “learned relationships” does not identify the model, the criteria, or a measurable basis for the relationship. The same applies to claims 19-20. Examiner suggests that applicant clarify the scope of these claims. Dependent claims are also rejected for inheriting the deficiencies set forth above for the independent claims. Appropriate correction is required.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.
Independent claims 1 and 13:
Step 1:
Claim 1 is drawn to “a method” and claim 13 is drawn to “a non-transitory computer-readable storage media configured to store instructions to perform the method”; therefore each of these claim groups falls under one of the four categories of statutory subject matter (process/method, machines/products/apparatus, manufactures, and compositions of matter).
Step 2A, Prong 1:
Claims 1 and 13 are directed to a judicially recognized exception of an abstract idea without significantly more. Each of claims 1 and 13 recites the limitation “receiving a plurality of cybersecurity signals each determined based on monitoring a computing environment by a plurality of cybersecurity monitoring systems, including at least two disparate cybersecurity monitoring systems”, which is merely data gathering, and the limitations “managing a graph based on the plurality of cybersecurity signals where the graph includes nodes of entities in the computing environment and vertices representing relationships between the nodes, wherein the managing includes utilizing a unified node in the graph for two cybersecurity signals from the at least two disparate cybersecurity monitoring systems”, and “analyzing the graph to determine a representation of the computing environment; and managing the computing environment based on the analyzing the graph including determining one or more cybersecurity threats in the computing environment and associated severity”, which are merely organizing and analyzing data and making a determination based on the analysis, and which, under their broadest reasonable interpretation, enumerate a mental evaluation and abstract ideas. Other than reciting a generic “one or more processors” (claim 13), nothing in the claims precludes the steps from practically being performed in the human mind. For example, other than the “one or more processors” language, the claims encompass a user visually and manually collecting data, organizing the data into a graph, analyzing the data, and making a decision or determination based on the analysis. Given the mere nominal recitation of a generic computer component (computer processor) to automate the mental steps, the claim limitations are nothing more than an abstract mental process (See MPEP 2106.04(a)(2)(I)(III)).
Step 2A, Prong 2:
Claims 1 and 13 recite the additional elements of a computing environment and cybersecurity monitoring systems without any particular machine or specialized hardware, a graph that is described at a high level and merely as a data organization tool, a unified node as generic data correlation, a “non-transitory computer-readable medium” to store computer program instructions, and “one or more processors” to execute the computer program instructions. These additional elements are recited at a high level of generality (i.e., as generic computer components performing generic computer functions to organize, correlate, store, and process data respectively). These generic computer functions are no more than mere instructions to apply the exception using generic computer components. The combination of these additional elements does not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea (MPEP 2106.05(f)).
Step 2B:
The additional elements of receiving data from cybersecurity systems, organizing data into graphs and analyzing relationships, matching identifiers for correlation of data, “one or more computer readable storage media” to store computer program instructions, and “one or more computer processors” to execute the computer program instructions are no more than generic, off-the-shelf computer components, and the Symantec, TLI, OIP Techs, and Versata court decisions cited in MPEP 2106.05(d)(II) indicate that mere collection/receipt of data over a network using cybersecurity systems, organizing and correlating data and making a determination based on the analysis, and/or storing and retrieving information in memory are well-understood, routine, and conventional functions when claimed in a merely generic manner (See MPEP 2106.05(d)(II)(IV)). As such, claims 1 and 13 are not patent eligible.
Dependent claims 2-12 and 14-20:
Step 1:
Claims 2-12 are drawn to “a method” and claims 14-20 are drawn to a “non-transitory computer-readable medium”; therefore each of these claims falls under one of the four categories of statutory subject matter (process/method, machines/products/apparatus, manufactures, and compositions of matter).
Steps 2A-2B:
Dependent claims 2-12 and 14-20 are also ineligible for the same reasons given with respect to claims 1 and 13. Claims 2-12 and 14-20 recite further abstract ideas of types of threats, types of monitoring systems, security policy, logging as signals, matching identifiers for correlation of data (i.e., data correlation), types of signals, types of entities, generic data structure operations such as create, update, and unify node, generic ML techniques for analysis, abstract data recognition, and data correlation (MPEP 2106.04(a)(2)(I)). Claims 2-12 and 14-20 fail to recite any additional elements/steps that might integrate the abstract idea into a practical application. As such, claims 2-12 and 14-20 are not patent eligible.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The filing of a terminal disclaimer by itself is not a complete reply to a nonstatutory double patenting (NSDP) rejection. A complete reply requires that the terminal disclaimer be accompanied by a reply requesting reconsideration of the prior Office action. Even where the NSDP rejection is provisional the reply must be complete. See MPEP § 804, subsection I.B.1. For a reply to a non-final Office action, see 37 CFR 1.111(a). For a reply to final Office action, see 37 CFR 1.113(c). A request for reconsideration while not provided for in 37 CFR 1.113(c) may be filed after final for consideration. See MPEP §§ 706.07(e) and 714.13.
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The actual filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/apply/applying-online/eterminal-disclaimer.
Claims 1, 2, 13, and 14 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1, 9, 10 and 19 of Application No. 18176151. Although the claims at issue are not identical, they are not patentably distinct from each other because the claims in the instant application are anticipated by claims 1, 9, 10 and 19 of co-pending Application No. 18176151.
This is a provisional nonstatutory double patenting rejection because the patentably indistinct claims have not in fact been patented.
Claim comparison (Application No. 18940065, the instant application, versus co-pending Application No. 18176151):

Application No. 18940065, claim 1: A method comprising steps of: receiving a plurality of cybersecurity signals each determined based on monitoring a computing environment by a plurality of cybersecurity monitoring systems, including at least two disparate cybersecurity monitoring systems; managing a graph based on the plurality of cybersecurity signals where the graph includes nodes of entities in the computing environment and vertices representing relationships between the nodes, wherein the managing includes utilizing a unified node in the graph for two cybersecurity signals from the at least two disparate cybersecurity monitoring systems; analyzing the graph to determine a representation of the computing environment; and managing the computing environment based on the analyzing the graph including determining one or more cybersecurity threats in the computing environment and associated severity.

Application No. 18176151, claim 1 (Currently Amended): A method for unifying cybersecurity data for threat management, comprising receiving a first cybersecurity signal from a first monitoring system, the first monitoring system configured to monitor a computing environment for a cybersecurity threat; receiving a second cybersecurity signal from a second monitoring system, the second monitoring system is also configured to monitor the computing environment for the cybersecurity threat, wherein the second monitoring system is independent of the first monitoring system and each is configured to scan for different types of cybersecurity threats in the computing environment, and each monitoring system has a respective scanner that independently accesses and collects data from different resources deployed within the computing environment; generating a unified cybersecurity object based on the first cybersecurity signal and the second cybersecurity signal, wherein the first cybersecurity signal and the second cybersecurity signal include different data fields, and wherein the generating includes consolidating the different data fields into the unified cybersecurity object, the consolidating comprising mapping at least one data field from the first cybersecurity signal and at least one different data field from the second cybersecurity signal to a single data field in a predefined data structure, the mapping performed according to stored mapping rules, the generating further comprising correlating the mapped data fields to a common node within a graph-based representation of the computing environment, and establishing relational links (edges) between the unified cybersecurity object and nodes representing related entities or events so that the unified cybersecurity object encapsulates correlated data from heterogeneous monitoring sources; determining a severity level of the cybersecurity threat based on the unified cybersecurity object, the determining including evaluating, within the graph-based representation, the unified cybersecurity object and graph-connected nodes using rules from a rule engine and scan data received from independent monitoring systems, and assigning the severity level based on the correlated evidence; and storing the generated unified cybersecurity object on a graph database, the graph database including a representation of the computing environment.

Application No. 18940065, claim 2: The method of claim 1, wherein the cybersecurity threat is any one of: a misconfiguration, a malware code, a weak password, an outdated certificate, an exposure, a vulnerability, and any combination thereof.

Application No. 18176151, claim 9: The method of claim 1, wherein the cybersecurity threat is any one of: a misconfiguration, a malware code, a weak password, an outdated certificate, an exposure, a vulnerability, and any combination thereof.
Furthermore, claims 10 and 19 of the reference Application No. 18176151 anticipate claims 13 and 14, respectively, of the instant application.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-3, 6-12, 14-15, and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Apostolopoulos (US 20180219888 A1) in view of Wolff (US 20200259852 A1).
Regarding claim 1, Apostolopoulos teaches a method comprising steps of:
receiving a plurality of cybersecurity signals each determined based on monitoring a computing environment by a plurality of cybersecurity monitoring systems, including at least two disparate cybersecurity monitoring systems (Apostolopoulos, machine data is generated by various components in the information technology (IT) environments, such as servers, sensors, routers, mobile devices, Internet of Things (IoT) devices, etc. Machine-generated data can include system logs, network packet data, sensor data, application program data, error logs, stack traces, system performance data, etc. In general, machine-generated data can also include performance data, diagnostic information, and many other types of data that can be analyzed to diagnose performance problems, monitor user interactions, and to derive other insights, [0039] The security platform introduced here is capable of handling large volumes of data, particularly machine data, from multiple data sources. These data sources may have different data formats and may provide data at very high data rates (e.g., gigabytes of data per second or more), [0095] the data connectors 702 enable the security platform to obtain machine data from various different data sources. 
(1) Identity/Authentication: e.g., active directory/domain controller, single sign-on (SSO), human resource management system (HRMS), virtual private network (VPN), domain name system (DNS), or dynamic host configuration protocol (DHCP); Activity: e.g., web gateway, proxy server, firewall, Netflow™, data loss prevention (DLP) server, file server, or file host activity logs; Security Products: e.g., endpoint security, intrusion prevention system, intrusion detection system, or antivirus; Software as a Service (SaaS) or Mobile: e.g., AWS™ CloudTrail™, SaaS applications such as Box™ or Dropbox™, or directly from mobile devices, [0017-0121]) Heterogeneous events can be a result of the events originating from different machines, different types of machines (e.g., a firewall versus a DHCP server), being in a different data format, or a combination thereof., [0123]) [Examiner interprets a system generating machine data (i.e., cybersecurity signals) in different heterogeneous formats from multiple data sources such as IDS, endpoint, firewall, threat feeds, etc., as meeting the limitation above];
managing a graph based on the plurality of cybersecurity signals where the graph includes nodes of entities in the computing environment and vertices representing relationships between the nodes (Apostolopoulos, relationship graph generator 710 generate a single relationship graph for each event; such an event-specific relationship graph may also be called a “mini-graph.” Further, some implementations incorporate the generated relationship graph into the event data that represents the event, in the form of a data structure representing the relationship graph. A graph in the context of this description includes a number of nodes and edges. Each node in the relationship graph represents one of the entities involved in the event, and each edge represents a relationship between two of the entities. In general, any event involves at least two entities with some relationship between them (e.g., a device and a user who accesses the device) and therefore can be represented as an event-specific relationship graph, [0135] this composite relationship graph can include all identified relationships among all identified entities involved in the events that take place over the predetermined period of time, [0145]);
analyzing the graph to determine a representation of the computing environment (Apostolopoulos, all the relationship graphs from those events are combined into a composite relationship graph, the composite relationship graph can provide a good indication of the behavior of many entities, and the quality/accuracy of this indication increases over time as the composite relationship graph grows. Then, the subsequent processing stages (e.g., the complex processing engine) can use models to perform analytics on the composite relationship graph or on any particular portion (i.e., “projection”, discussed further below) of the composite relationship graph, [0145] the composite graph enables the security platform to perform analytics on entity behaviors, which can be a sequence of activities, a certain volume of activities, or can be custom defined by the administrator (e.g., through a machine learning model), [0147] a machine learning model in the ML-based CEP engine can perform entity-specific behavioral analysis, time series analysis of event sequences, graph correlation analysis of entity activities, peer group analysis of entities. The outputs of the machine learning models can be an anomaly, a threat indicator, or a threat, [0154]); and
managing the computing environment based on the analyzing the graph including determining one or more cybersecurity threats in the computing environment and associated severity (Apostolopoulos, the security platform introduced here can perform user behavioral analytics (UBA), or more generally user/entity behavioral analytics (UEBA), to detect the security related anomalies and threats, ..presenting analytical results scored with risk ratings and supporting evidence, [0035] An anomaly or a set of anomalies may be evaluated together and may result in a determination of a threat indicator or a threat. A threat is an interpretation of one or more anomalies and/or threat indicators, [0101] the composite graph enables the security platform to perform analytics on entity behaviors, which can be a sequence of activities, a certain volume of activities, or can be custom defined by the administrator (e.g., through a machine learning model), [0147] a machine learning model in the ML-based CEP engine can perform entity-specific behavioral analysis, time series analysis of event sequences, graph correlation analysis of entity activities, peer group analysis of entities. The outputs of the machine learning models can be an anomaly, a threat indicator, or a threat, [0154] calculation of the threat indicator score is based on the processing logic contained within the threat indicator model and represents a quantification of a degree to which the processed anomaly data is associated with activity that may be a threat to the security of the network… the threat indicator score is a value in a specified range. For example, the resulting threat indicator score may be a value between 0 and 10, with 0 being the least threatening and 10 being the most threatening, [0181])
Apostolopoulos does not explicitly teach:
wherein the managing includes utilizing a unified node in the graph for two cybersecurity signals from the at least two disparate cybersecurity monitoring systems
However, Wolff teaches:
wherein the managing includes utilizing a unified node in the graph for two cybersecurity signals from the at least two disparate cybersecurity monitoring systems (Wolff, a method for representing common entities and actions across heterogeneous datasets from cloud-based application platforms includes extracting user and event data from transaction logs, databases, and/or exposed web services and resolving entities and events from heterogeneous platforms into a common entity and/or a common action or event. In some instances, data from other sources (e.g., IP address data, geolocation data, VPN data, and others) may be used to enrich the corpus of information used to create unified definitions. The data can be analyzed to identify common “entities” (e.g., users or people) or activities (e.g., data or file manipulations or transmissions) throughout the different logs and databases that may be described using different terminology or captured at a different level of hierarchy across the various platforms. 
A graph can be constructed in which each identified “user” (as resolved across the various platforms) is assigned to a node, and activities and interactions among the users and/or other entities (e.g., data or files) are modeled as edges connecting the nodes, [0004] Some patterns may involve detecting the same action or different actions in multiple cloud services that are associated with the same user account or IP address, [0021] entity resolution process can be used to consolidate and normalize the data such that activities associated with a single individual, file, or process can be viewed or aggregated as a common set, regardless of the naming convention used in the individual cloud-based application platforms, [0023] When the system determines two or more entities should be resolved to a single entity in an application, the two entity objects can be merged, after which both of the underlying entities can now point to the merged entity, allowing for an ability to reference or deference the merged or raw version of the entity, [0025] the resolution process can view the merged entities of all applications, and perform a second pass where entities across multiple systems are resolved into a single entity representation for all systems, [0026]) [Examiner interprets a system receiving activity data (i.e., cybersecurity signals) from multiple independent cloud-based platforms, identifying that activities across different platforms correspond to the same entity (e.g., user/IP), merging entities across disparate systems into a single entity representation, and constructing a graph in which each node represents the resolved entity, as meeting the limitation above].
Therefore, it would have been obvious to a PHOSITA before the effective filing date to modify the teaching of Apostolopoulos to include the concept that the managing includes utilizing a unified node in the graph for two cybersecurity signals from the at least two disparate cybersecurity monitoring systems, as taught by Wolff, for the purpose of detecting and managing security-related activities associated with a plurality of application platforms, such as independent cloud-based, hosted application platforms. [Wolff: 0059].
Regarding claim 2, Apostolopoulos and Wolff teach the method of claim 1, wherein the cybersecurity threat is any one of: a misconfiguration, a malware code, a weak password, an outdated certificate, an exposure, a vulnerability, and any combination thereof (Apostolopoulos, Malicious activities can cause harm to the network's software or hardware, or its users. Malicious activities may include unauthorized access or subsequent unpermitted use of network resources and data (i.e., exposure, vulnerability), [0004] the security platform and techniques introduced here can be applied to detect any type of unusual or anomalous activity involving data access, data transfer, network access, and network use regardless of whether security is implicated or not, [0098])
Regarding claim 3, Apostolopoulos and Wolff teach the method of claim 1, wherein the plurality of cybersecurity monitoring systems include any one of: an intrusion detection and prevention system (IDS/IPS), a security information and event management (SIEM) system, an endpoint detection and response (EDR), an external attack surface management (EASM) system, and an identity and access management (IAM) service (Apostolopoulos, the data connectors 702 enable the security platform to obtain machine data from various different data sources. (1) Identity/Authentication: e.g., active directory/domain controller, single sign-on (SSO), human resource management system (HRMS), virtual private network (VPN), domain name system (DNS), or dynamic host configuration protocol (DHCP); Activity: e.g., web gateway, proxy server, firewall, Netflow™, data loss prevention (DLP) server, file server, or file host activity logs; Security Products: e.g., endpoint security, intrusion prevention system, intrusion detection system, or antivirus; Software as a Service (SaaS) or Mobile: e.g., AWS™ CloudTrail™, SaaS applications such as Box™ or Dropbox™, or directly from mobile devices, [0017-0121]).
Regarding claim 6, Apostolopoulos and Wolff teach the method of claim 1, wherein the unified node is determined based on matching one or more data fields, including any one of: name, media access control (MAC) address, Internet protocol (IP) address, and operating system (Wolff, entity resolution process can be used to consolidate and normalize the data such that activities associated with a single individual, file, or process can be viewed or aggregated as a common set, regardless of the naming convention used in the individual cloud-based application platforms, [0023] the resolution process can be aware of different naming conventions, and can determine that these email addresses represent the same user in the service… resolution can occur based on an understanding that activity between two entities is a likely indicator that those entities represent the same user, [0025] the resolution process can view the merged entities of all applications, and perform a second pass where entities across multiple systems are resolved into a single entity representation for all systems, [0026] additional context information for an activity may be captured and stored, such as an IP address, process status information (e.g., success/failure), client machine identification information, and/or effects of the activity on the target device, account or object, [0030]) [Examiner interprets matching identifiers (emails, activity patterns, IPs) to determine a single entity representation (i.e., unified node) as the limitation above]. Same motivation applies as claim 1.
Regarding claim 7, Apostolopoulos and Wolff teach the method of claim 1, wherein the plurality of cybersecurity signals are from any of: vulnerability feeds, threat intelligence, endpoint telemetry, user behavior analytics, and cloud configuration details (Apostolopoulos, the data connectors 702 enable the security platform to obtain machine data from various different data sources. (1) Identity/Authentication: e.g., active directory/domain controller, single sign-on (SSO), human resource management system (HRMS), virtual private network (VPN), domain name system (DNS), or dynamic host configuration protocol (DHCP); Activity: e.g., web gateway, proxy server, firewall, Netflow™, data loss prevention (DLP) server, file server, or file host activity logs; Security Products: e.g., endpoint security, intrusion prevention system, intrusion detection system, or antivirus; Software as a Service (SaaS) or Mobile: e.g., AWS™ CloudTrail™, SaaS applications such as Box™ or Dropbox™, or directly from mobile devices, [0017-0121]).
Regarding claim 8, Apostolopoulos and Wolff teach the method of claim 1, wherein the entities in the computing environment include any of: users, devices, applications, vulnerabilities, and data stores (Apostolopoulos, the data format can assist the field mapper 708 to identify and extract entities from the tokens, and more specifically, the data format can specify which of the extracted tokens represent entities. In other words, the field mapper 708 can perform entity extraction in accordance with those embodiments that can identify which tokens represent entities. An entity can include, for example, a user, a device, an application, a session, a uniform resource locator (URL), or a threat, [0133]).
Regarding claim 9, Apostolopoulos and Wolff teach the method of claim 1, wherein the managing the graph includes, for a given cybersecurity signal of the plurality of cybersecurity signals, any of: creating a new node for the given cybersecurity signal; updating an existing node for the given cybersecurity signal; and creating or updating a unified node for the cybersecurity signal (Wolff, A graph can be constructed in which each identified “user” (as resolved across the various platforms) is assigned to a node, and activities and interactions among the users and/or other entities (e.g., data or files) are modeled as edges connecting the nodes, [0004] entity resolution process can be used to consolidate and normalize the data such that activities associated with a single individual, file, or process can be viewed or aggregated as a common set, regardless of the naming convention used in the individual cloud-based application platforms, [0023] the resolution process can be aware of different naming conventions, and can determine that these email addresses represent the same user in the service… resolution can occur based on an understanding that activity between two entities is a likely indicator that those entities represent the same user, [0025] the resolution process can view the merged entities of all applications, and perform a second pass where entities across multiple systems are resolved into a single entity representation for all systems, [0026] The data can then be combined and normalized into a centralized data store, where a semantic representation (e.g., generalized dictionary) is used to implement an entity resolution process, as described herein. Once the data is resolved, a graph structure can be produced to assist with visualization and causal analysis, [0041]) [Examiner interprets the system constructing the graph (i.e., creating a node) and the normalizing and merging process (i.e., creating/updating a node) as the limitation above]. Same motivation applies as claim 1.
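The graph management recited in claims 6 and 9 (create a node, update an existing node, or resolve signals from disparate systems into a unified node by matching identifiers) can be illustrated with the following added example. It is not code from the office action, the application, or the cited references; the signal format, the matched fields (email, IP, MAC), the case-insensitive normalization, and the constructed EDR/IAM/IDS signals are all assumptions made for the example.

```python
MATCH_FIELDS = ("email", "ip", "mac")   # data fields compared during entity resolution


class SignalGraph:
    """Nodes are dicts: {"id", "sources", "ids" (field -> set), "signals"}."""

    def __init__(self):
        self.nodes = {}   # node id -> node
        self.index = {}   # (field, normalized value) -> node id
        self.seq = 0      # monotonically increasing node id counter

    def _identifiers(self, signal):
        # Normalize case so "Alice@Example.com" and "alice@example.com" match.
        return [(f, signal[f].lower()) for f in MATCH_FIELDS if signal.get(f)]

    def _merge(self, keep, other):
        """Fold node `other` into `keep`, re-pointing its identifiers."""
        keep["sources"] |= other["sources"]
        keep["signals"] += other["signals"]
        for f, vals in other["ids"].items():
            keep["ids"].setdefault(f, set()).update(vals)
            for v in vals:
                self.index[(f, v)] = keep["id"]
        del self.nodes[other["id"]]

    def ingest(self, signal):
        """Create a node, update one, or unify; returns the operation name."""
        idents = self._identifiers(signal)
        hits = sorted({self.index[k] for k in idents if k in self.index})
        if not hits:                                 # unseen entity: new node
            self.seq += 1
            node = {"id": self.seq, "sources": set(), "ids": {}, "signals": []}
            self.nodes[self.seq] = node
            op = "create"
        else:
            node = self.nodes[hits[0]]
            for other in hits[1:]:                   # signal bridges several nodes
                self._merge(node, self.nodes[other])
            # A unified node carries signals from two or more disparate systems.
            op = "unify" if signal["source"] not in node["sources"] else "update"
        node["sources"].add(signal["source"])
        node["signals"].append(signal)
        for f, v in idents:
            node["ids"].setdefault(f, set()).add(v)
            self.index[(f, v)] = node["id"]
        return op

    def unified_nodes(self):
        return [n["id"] for n in self.nodes.values() if len(n["sources"]) >= 2]


def demo():
    """Constructed signals from three disparate systems (EDR, IAM, IDS)."""
    g = SignalGraph()
    signals = [
        {"source": "edr", "email": "alice@example.com", "ip": "10.0.0.5",
         "mac": "aa:bb:cc:dd:ee:01"},
        {"source": "iam", "email": "Alice@Example.com"},   # same user, different case
        {"source": "ids", "ip": "10.0.0.9"},               # host not yet seen
        {"source": "edr", "ip": "10.0.0.9", "mac": "aa:bb:cc:dd:ee:02"},
        {"source": "iam", "ip": "10.0.0.5", "mac": "aa:bb:cc:dd:ee:02"},  # bridges both
    ]
    ops = [g.ingest(s) for s in signals]
    return ops, len(g.nodes), g.unified_nodes()
```

The last constructed signal shares an IP with one node and a MAC with the other, so the two nodes collapse into a single unified node, which is the second-pass resolution across systems that the cited passage describes.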
Regarding claim 10, Apostolopoulos and Wolff teach the method of claim 1, wherein the analyzing the graph includes: utilizing unsupervised learning techniques to detect unusual patterns in the graph where the unusual patterns indicate insider threats, compromised accounts, or anomalous activities (Apostolopoulos, Malicious activities can cause harm to the network's software or hardware, or its users. Malicious activities may include unauthorized access or subsequent unpermitted use of network resources and data (i.e., exposure, vulnerability), [0004] the security platform and techniques introduced here can be applied to detect any type of unusual or anomalous activity involving data access, data transfer, network access, and network use regardless of whether security is implicated or not, [0098] The ML-based CEP engine disclosed herein is advantageous in comparison to conventional CEP engines at least because of its ability to recognize unknown patterns and to incorporate historical data without overburdening the distributed computation system by use of machine learning models. Because the ML-based CEP engine can utilize unsupervised machine learning models, it can identify entity behaviors and event patterns that are not previously known to security experts. In some embodiments, the ML-based CEP engine can also utilize supervised, semi-supervised, and deep machine learning models, [0152]).
Regarding claim 11, Apostolopoulos and Wolff teach the method of claim 1, wherein the analyzing the graph includes: utilizing graph-based pattern recognition to identify known threat patterns include any of: lateral movement attempts, privilege escalation, or indicators of malware behavior (Apostolopoulos, Examples of graph-based analysis of entity activities include command and control detection analysis, beaconing detector, device, IP, domain and user reputation analysis, lateral movement detector, dynamic fingerprinting for users/devices, [0156]).
Regarding claim 12, Apostolopoulos and Wolff teach the method of claim 1, wherein the analyzing the graph includes: utilizing correlation algorithms by linking seemingly unrelated nodes based on learned relationships (Apostolopoulos, The method further identifies security threats by correlating the anomalies across the composite relationship graph. For example, the method can use a neighborhood computation algorithm to identify a group of related anomalies in the composite relationship graph that represent a security threat. Alternatively, the method can identify an insider who poses a security threat based on a group of anomalies being close to each other in time and their confidence metrics, [0190]).
Regarding claim 13, Claim 13 recites commensurate subject matter as claim 1. Therefore, it is rejected for the same reasons, except for the additional element:
Apostolopoulos further teaches:
A non-transitory computer-readable medium storing instructions that, when executed, cause one or more processors to execute steps (Apostolopoulos, non-transitory machine-readable medium having stored thereon instructions…, [0252]) of:
Regarding claims 14-15 and 18-20, Claims 14-15 and 18-20 recite commensurate subject matter as claims 2-3 and 6-8. Therefore, they are rejected for the same reasons.
Claims 4, 5, 16 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Apostolopoulos (US 20180219888 A1) in view of Wolff (US 20200259852 A1) in further view of Thomas (20230114719 A1).
Regarding claim 4, Apostolopoulos and Wolff teach the method of claim 1, wherein the plurality of cybersecurity monitoring systems include a cloud-based system (Apostolopoulos, The security platform may be cloud-based and may employ big data techniques to process a vast quantity of high data rate information in a highly scalable manner. the security platform may be hosted in the cloud and provided as a service, [0096]).
Apostolopoulos does not explicitly teach:
the plurality of cybersecurity monitoring systems include a cloud-based system configured for zero trust management of endpoints in the computing environment
However, Thomas teaches:
the plurality of cybersecurity monitoring systems include a cloud-based system configured for zero trust management of endpoints in the computing environment (Thomas, The security events may include asynchronous data from the plurality of compute instances… The cloud service may include one or more of a web application, a cloud storage service, an electronic mail application, an authentication service, a zero trust network access resource, a cloud computing service, and a virtualization platform, [0007] compute instances 10-26 may communicate with cloud applications, such as a SaaS application 156, [0052] the security management facility 122 may provide for network access control, which generally controls access to and use of network connections… in the security agent of an endpoint 12, in a wireless access point 11 or firewall 10, as part of application protection 150 provided by the cloud, e.g., from the threat management facility 100 or other network resource(s), [0058] The event collection facility 164 may be used to collect events from any of a wide variety of sensors that may provide relevant events from an asset, such as sensors on any of the compute instances, firewalls, [0077] the cloud service 1808 may be a zero trust network access resource providing secure access to applications and the like for users associated with an enterprise network, [0259]) [Examiner interprets the system managing endpoints and enforcing access policies using a zero trust network access resource as the limitation above].
Therefore, it would have been obvious to PHOSITA before the effective filing date to modify the teaching of Apostolopoulos and Wolff so that the plurality of cybersecurity monitoring systems include a cloud-based system configured for zero trust management of endpoints in the computing environment, as taught by Thomas, for the purpose of using a zero trust network access resource to provide secure access to applications and the like for users associated with an enterprise network [Thomas: 0259].
Regarding claim 5, Apostolopoulos, Wolff, and Thomas teach the method of claim 4, wherein the cloud-based system generates logs each being one of the plurality of cybersecurity signals managed in the graph (Apostolopoulos, Machine-generated data can include system logs, network packet data, sensor data, application program data, error logs, stack traces, system performance data, etc. In general, machine-generated data can also include performance data, diagnostic information, and many other types of data that can be analyzed to diagnose performance problems, monitor user interactions, and to derive other insights, [0039] components which may generate machine data from which events can be derived include, but are not limited to, web servers, application servers, databases, firewalls, routers, operating systems, and software applications that execute on computer systems, mobile devices, sensors, Internet of Things (IoT) devices, etc. The data generated by such data sources can include, for example and without limitation, server log files, activity log files, configuration files, messages, network packet data, performance measurements, sensor measurements, etc., [0046] The security platform may be cloud-based and may employ big data techniques to process a vast quantity of high data rate information in a highly scalable manner. the security platform may be hosted in the cloud and provided as a service, [0096]).
Regarding claims 16-17, Claims 16-17 recite commensurate subject matter as claims 4-5. Therefore, they are rejected for the same reasons.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US 20180069888 A1: “pertains to distributed data processing systems, and more particularly, to intelligence generation and activity discovery from events in a distributed data processing system”
US 20240303329 A1: “relates generally to digital forensics and specifically to performing forensic analysis in a cloud computing environment”
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SAMIKSHYA POUDEL whose telephone number is (703)756-1540. The examiner can normally be reached 7:30 AM - 5PM Mon- Fri.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, SHEWAYE GELAGAY can be reached at (571)272-4219. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/S.N.P./Examiner, Art Unit 2436 /SHEWAYE GELAGAY/Supervisory Patent Examiner, Art Unit 2436