Prosecution Insights
Last updated: April 18, 2026
Application No. 18/950,351

SYSTEM AND METHOD FOR MODELING AND PRIORITIZATION OF ATTACK PATHS IN NETWORK ENVIRONMENTS

Non-Final OA §103§112§DP
Filed
Nov 18, 2024
Examiner
ABDULLAH, SAAD AHMAD
Art Unit
2431
Tech Center
2400 — Computer Networks
Assignee
Leidos Inc.
OA Round
1 (Non-Final)
77%
Grant Probability
Favorable
1-2
OA Rounds
3y 0m
To Grant
99%
With Interview

Examiner Intelligence

Grants 77% — above average
77%
Career Allow Rate
54 granted / 70 resolved
+19.1% vs TC avg
Strong +35% interview lift
Without
With
+35.1%
Interview Lift
resolved cases with interview
Typical timeline
3y 0m
Avg Prosecution
42 currently pending
Career history
112
Total Applications
across all art units

Statute-Specific Performance

§101
4.9%
-35.1% vs TC avg
§103
61.6%
+21.6% vs TC avg
§102
19.6%
-20.4% vs TC avg
§112
6.6%
-33.4% vs TC avg
Black line = Tech Center average estimate • Based on career data from 70 resolved cases

Office Action

§103 §112 §DP
Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . DETAILED ACTION The instant application having Application No. 18/950,351 is presented for examination by the examiner. Claims 1-8 have been examined and are currently pending. Claims 9-20 are withdrawn. Restriction/Election Restriction to one of the following inventions is required under 35 U.S.C. 121: Claims 1-8, drawn to a system for modeling a network environment comprising a knowledge graph generation component with three knowledge graph ontologies (vulnerability scan data, authentication service data, network configuration data) that are merged to produce a unified knowledge graph for exposing attack paths to network endpoints, classified in G06N 5/02 (Knowledge representation; Symbolic representation). Claims 9-13, drawn to a machine learning model architecture which ranks resistance of attack paths using graph neural networks with learnable embeddings for attack techniques, weakness indicators, operating system features, network ports, and attack path knowledge graph nodes and edges, classified in G06N 3/042 (Knowledge-based neural networks; Graph networks). Claims 14-17, drawn to a process for training a machine learning model by constructing a ground-truth attack path dataset, embedding attack path knowledge graphs, predicting node weights with a graph neural network over iterations, and optimizing embeddings and the graph neural network by aligning node weights with ground-truth labels, classified in G06N 3/09 (Supervised learning). The inventions are independent or distinct, each from the other because: Inventions I, II, and III are related as dependent subcombinations, but are distinct because they do not overlap in scope and each has separate utility. Subcombination I (Claim 1) is directed to knowledge graph ontology design and merging for network security data integration and has separate utility in exposing attack paths through symbolic knowledge representation alone, without requiring the machine learning architecture or training methodology of subcombinations II and III. Subcombination II (Claim 9) is directed to the GNN architecture design for ranking attack paths and presupposes the knowledge graph of subcombination I, but does not depend on the specific training methodology of subcombination III. Subcombination II has separate utility as an architectural innovation in knowledge-based neural networks. Subcombination III (Claim 14) is directed to the supervised training methodology for optimizing the GNN model and presupposes both the knowledge graph (Claim 1) and the GNN architecture (Claim 9). Claim 14 has separate utility as a machine learning training methodology. See MPEP § 806.05(d). The examiner has required restriction between these distinct subcombinations. Where applicant elects a subcombination and claims thereto are subsequently found allowable, any claim(s) depending from or otherwise requiring all the limitations of the allowable subcombination will be examined for patentability in accordance with 37 CFR 1.104. See MPEP § 821.04(a). Applicant is advised that if any claim presented in a continuation or divisional application is anticipated by, or includes all the limitations of, a claim that is allowable in the present application, such claim may be subject to provisional statutory and/or nonstatutory double patenting rejections over the claims of the instant application. Restriction for examination purposes as indicated is proper because all the inventions listed in this action are independent or distinct for the reasons given above and there would be a serious search and/or examination burden if restriction were not required because one or more of the following reasons apply: 1. The inventions have acquired a separate status in the art in view of their different classification: Invention I is classified in G06N 5/02 (Knowledge representation and symbolic ontologies). Invention II is classified in G06N 3/042 (Knowledge-based neural networks; Graph networks). Invention III is classified in G06N 3/09 (Supervised learning methods) 2. The inventions have acquired a separate status in the art due to their recognized divergent subject matter: Invention I addresses data integration and knowledge graph construction. Invention II addresses neural network architecture design using embeddings. Invention III addresses model training optimization using labeled data 3. The inventions require a different field of search: Invention I requires searching knowledge base prior art, ontologies, semantic networks, and data integration methodologies in G06N 5/02. Invention II requires searching graph neural network prior art, embedding techniques, and architecture design in G06N 3/04 and G06N 3/042. Invention III requires searching supervised learning, backpropagation, and neural network training methodologies in G06N 3/08 and G06N 3/09 In response to the restriction, Applicant’s representative Dawn-Marie Bey (Registration #44,442) had made an election over the phone on 03/11/2026 without traverse. Applicant hereby elects to prosecute Invention I (Claims 1-8), drawn to the knowledge graph system classified in G06N 5/02. By this election, applicant waives the right to prosecution of Claims 9-13 (Invention II) and Claims 14-17 (Invention III) in this application without further authorization or agreement with the examiner. Thus, Claim 9-20 are withdrawn from further consideration pursuant to 37 CFR 1.142(b) as being drawn to a nonelected invention, there being no allowable generic or linking claim. Claim Rejections - 35 USC § 112 The following is a quotation of 35 U.S.C. 112(b): (b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention. The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph: The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention. Claims 1-8 are rejected under 35 U.S.C. 112(b) as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor regards as the invention. Regarding Claim 1, the claim recite that the first, second, and third knowledge graph ontologies “infer” vulnerability exploitation, authentication misconfigurations, and network reachability. The term “infers” as used in this context is a purely functional limitation that fails to specify any criteria, threshold or structural mechanism by which such inferences are derived. A POSITA would not be able to determine with reasonable certainty the scope of the claimed inference, specifically what process is required to satisfy this limitation and when the limitation is met. Notably, the terms, “ontology”, “mapped” and “merges” are recognized terms of the art in the knowledge graph and are not themselves a basis for this rejection. However, because the claim provides no structural anchor for what the ontology does with the mapped data to produce an inference, the inference limitation remains indefinite regardless of the clarity of those surrounding terms. The claim also recites “based reachability thereto” in describing the unified knowledge graph’s mapping of connections between endpoints. This phrase is grammatically incomplete and does not permit a POSTIA to determine with reasonable certainty the indented relationship. As written the scope of this limitation cannot be determined with reasonable certainty. Regarding claims 2-8, Claims 2-8 are dependent on claim 1, and therefore inherit 35 U.S.C. 112 second paragraph issues of the independent claim. Claim Rejections - 35 USC § 103 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claims 1 and 6 are rejected under 35 U.S.C. 103 as being unpatentable over Engelberg (US 20230328096 A1), and in view of Crabtree (US 20230153355 A1). Regarding Claim 1 Engelberg discloses: A system for modeling a network environment to expose potential attack paths to endpoints therein, comprises: a knowledge graph generation component for receiving network environment data, the knowledge graph generation component further comprising (Engelberg ¶¶0043–0044, 0071, 0141: teaches a system that receives network environment data from an enterprise network (including IT/OT systems, assets, and associated data) and constructs a knowledge graph from the received raw data, where a runtime module performs knowledge graph construction by mapping the received data into nodes and relationships within a graph database, thereby providing a knowledge graph generation component for receiving and processing network environment data.), a first knowledge graph ontology wherein vulnerability scan data received at the knowledge graph generation component from one or more active network scanners is mapped thereto and infers vulnerability exploitation within the network environment (Engelberg ¶¶0032, 0038–0039, 0044, 0047–0048: teaches mapping vulnerability related data of network elements into a knowledge graph representing an enterprise network, where vulnerabilities and improper configurations associated with configuration items are identified and mapped to the network topology and services, and the knowledge graph is used to analyze how a malicious user can exploit those vulnerabilities to move laterally through the network and impact assets and services, thereby inferring vulnerability exploitation within the network environment based on the mapped data.), a third knowledge graph ontology wherein data received at the knowledge graph generation component is mapped thereto and infers network reachability within the network environment (Engelberg ¶¶0079–0086, 0126–0130: teaches a multilayer ontology knowledge graph containing domain specific ontology data and mapped to instance level data, where different types of network related data including assets, processes, and vulnerability related threat instances are represented as distinct nodes and relationships within the knowledge graph, and vulnerabilities associated with assets are encoded and propagated through relationships between nodes to analyze how threats impact connected elements, thereby providing a structured ontology based mapping of network configuration and vulnerability data that enables inference of connectivity and reachability between elements within the network environment.), Engelberg teaches a system for modeling a network environment to expose potential attack paths to endpoints therein, including generating one or more knowledge graphs representing a network environment, mapping vulnerabilities to network assets, and analyzing lateral movement and reachability within the network. Engelberg is silent in explicitly teaching a second knowledge graph ontology wherein authentication service data received at the knowledge graph generation component is mapped thereto and infers authentication service misconfigurations within the network environment. On the other hand, Crabtree teaches mapping authentication data into a knowledge graph, including users, access permissions, and account/privilege relationships (¶¶0098), representing access rights as authentication ticket constructs such as Kerberos tickets (¶¶0109), and identifying improper access conditions such as an account accessing a resource it should not access as well as attacks such as golden ticket attacks (¶¶0084). Crabtree further teaches generating subgraphs that map account and privilege relationships (¶¶0116). Thus, Crabtree teaches mapping authentication service data into a knowledge graph and analyzing such data to identify improper access relationships, thereby showing authentication service misconfigurations within a network environment. It would have been obvious to one of ordinary skill in the art to modify Engelberg to incorporate Crabtree’s authentication analysis in order to enhance the knowledge graph with identity and access control information for improved detection of security weaknesses, yielding predictable results. Engelberg is further silent in explicitly teaching wherein the knowledge graph generation component merges the first knowledge graph ontology with scan data mapped thereto, the second knowledge graph ontology with authentication service data mapped thereto and the third knowledge graph ontology with network configuration data mapped thereto to produce a unified knowledge graph for the network environment, the unified knowledge graph including a mapping of connections between endpoints in the network environment based reachability thereto. On the other hand, Crabtree teaches applying schemas to heterogeneous data and adding such data into a knowledge graph (¶¶0102, 0107), generating multiple subgraphs including mapped vulnerabilities, mapped attack paths, and mapped account/privilege relationships (¶¶0116), and fusing multiple graphs or subgraphs into a fused knowledge graph (¶¶0103, 0116–0117). Crabtree further teaches that the knowledge graph includes nodes representing devices, users, software, edges representing relationships, permissions, and connectivity between such entities (¶¶0098), thereby providing mappings of connections between endpoints. Thus, Crabtree teaches merging multiple data graph components into a unified knowledge graph including mappings of connections between endpoints based on their relationships and reachability. It would have been obvious to one of ordinary skill in the art to modify Engelberg to include Crabtree’s graph fusion techniques in order to combine multiple sources of security data into a unified knowledge graph for more comprehensive network analysis, yielding predictable results. Regarding Claim 6 Engelberg teaches a system for modeling a network environment to expose potential attack paths to endpoints therein, including generating one or more knowledge graphs representing a network environment, mapping vulnerabilities to network assets, and analyzing lateral movement and reachability within the network. Engelberg is silent in explicitly teaching that authentication service data includes user identity data and access permissions data for individual user access to resources and applications within the network environment. Crabtree teaches managing access to resources in a network environment using user identity data and associated access permissions. Specifically, Crabtree discloses user/account profiles stored in a database and assigning access rights or privileges to users or entities, where such access rights control the ability of users to access resources, devices, or applications represented in a knowledge graph. Crabtree further teaches that these access rights function similarly to authentication tick, thereby associating user identity data with access permissions for controlling access to network resources (¶¶0098, 0108–0110). It would have been obvious to one of ordinary skill in the art to incorporate Crabtree’s authentication and access control mechanisms into Engelberg’s system in order to enhance the network model with user access control information, thereby improving the accuracy of risk analysis and enabling more precise modeling of attack paths based on user privileges. The combination yields predictable results by integrating known authentication and access control techniques into cybersecurity graph analysis systems. Claims 2-5 are rejected under 35 U.S.C. 103 as being unpatentable over Engelberg (US 20230328096 A1), in view of Crabtree (US 20230153355 A1) as applied to claim 1 above and further in view of Engelberg2 (US 20230067128 A1). Regarding Claim 2 Engelberg in view of Crabtree teaches constructing and analyzing a knowledge graph of a network environment that models relationships between different node types and uses those relationships to evaluate and propagate risk across the network based on interconnections between nodes. However, Engelberg and Crabtree are silent in explicitly teaching that the vulnerability scan data includes recognized weaknesses in the security configurations of endpoints or applications as determined by one or more active network scanners. On the other hand, Engelberg2 teaches that data representative of an enterprise network is obtained from discovery services that scan the network using third-party tools to identify assets and vulnerabilities (¶0071). Engelberg2 further teaches that such data can include output of network scanners and known vulnerabilities (¶0044), and that vulnerabilities of assets are determined and used as facts in generating attack graphs (¶0050, ¶0071). These vulnerabilities correspond to recognized weaknesses in the security configurations of endpoints within the network environment as identified through scanning and analysis. It would have been obvious to one of ordinary skill in the art to modify the teachings of Engelberg and Crabtree to incorporate Engelberg2’s vulnerability scan data obtained from active network scanners in order to enhance the knowledge graph with accurate and up to date identification of security weaknesses in endpoints and applications, thereby improving the effectiveness of risk analysis and attack path modeling. The combination merely applies known techniques of vulnerability scanning and data integration to yield predictable results in identifying and modeling security weaknesses within a network environment. Regarding Claim 3 Engelberg in view of Crabtree teaches constructing and analyzing a knowledge graph of a network environment that models relationships between different node types and uses those relationships to evaluate and propagate risk across the network based on interconnections between nodes. However, Engelberg and Crabtree are silent in explicitly teaching that endpoints are identified in vulnerability scan data using specific identifiers such as hostname, IP address, MAC address, or operating system. On the other hand, Engelberg2 teaches collecting data representative of enterprise network assets through discovery services that scan the network and identify configuration items such as computers and hosts (¶0050, ¶0071). Engelberg2 further teaches modeling attack conditions using host relationships, including communication between a source host and a target host, user account associations with hosts, and services operating on specific ports (¶¶0052–0055). For example, Gal teaches evaluating whether a host is listening on specific ports and whether communication can occur between hosts, which necessarily requires identification of endpoints using network identifiers such as IP address or hostname and system characteristics such as operating system and configuration. It would have been obvious to one of ordinary skill in the art to modify Engelberg and Crabtree to incorporate Engelberg2’s host level identification and network communication analysis in order to uniquely identify endpoints within the vulnerability scan data, thereby improving the accuracy of vulnerability mapping and attack path analysis. The combination yields predictable results by applying known techniques of network discovery and host identification to enhance cybersecurity modeling. Regarding Claim 4 Engelberg in view of Crabtree teaches constructing and analyzing a knowledge graph of a network environment that models relationships between different node types and uses those relationships to evaluate and propagate risk across the network based on interconnections between nodes. However, Engelberg and Crabtree are silent in explicitly teaching that applications running on endpoints are characterized in vulnerability scan data by their communication protocol, application version, port number in use, and operating system service. On the other hand, Engelberg2 teaches collecting detailed data representative of enterprise network assets through scanning and discovery processes, including information about installed software and its version (¶0071). Engelberg2 further teaches modeling application and service behavior using network conditions, such as communication between hosts and services operating on specific ports (ports 135, 1029) and protocols such as remote procedure calls (RPC) (¶¶0052–0055). These teachings characterize applications based on their communication behavior, associated ports, underlying services, and software attributes. It would have been obvious to one of ordinary skill in the art to modify Engelberg and Crabtree to incorporate Engelberg2’s detailed characterization of applications and services in order to enhance the knowledge graph with richer application and network information, thereby improving the accuracy of vulnerability analysis and attack path modeling. The combination yields predictable results by applying known techniques of service discovery and network application characterization. Regarding Claim 5 Engelberg in view of Crabtree teaches constructing and analyzing a knowledge graph of a network environment that models relationships between different node types and uses those relationships to evaluate and propagate risk across the network based on interconnections between nodes. However, Engelberg and Crabtree are silent in explicitly teaching enriching vulnerability scan data by mapping recognized weaknesses to known techniques for exploiting those weaknesses. On the other hand, Engelberg2 teaches generating attack graphs based on vulnerability scan data and additional network information, and explicitly mapping vulnerabilities and asset data to known attack techniques, such as those provided by the MITRE ATT&CK™ framework (¶0047, ¶0050, ¶0071). Engelberg2 further teaches that vulnerabilities and configuration data of assets are used as facts, which are associated with attack tactics and rules that define how an attacker can exploit those weaknesses to perform actions such as lateral movement within a network (¶0050–¶0055). This mapping enriches vulnerability data by linking recognized weaknesses to corresponding exploitation techniques. It would have been obvious to one of ordinary skill in the art to modify Engelberg and Crabtree to incorporate Engelberg2’s mapping of vulnerabilities to known attack techniques in order to enhance the knowledge graph with actionable security intelligence, thereby improving the system’s ability to model attack paths and assess risk. The combination yields predictable results by applying known techniques of correlating vulnerabilities with exploitation methods. Claims 7 are rejected under 35 U.S.C. 103 as being unpatentable over Engelberg (US 20230328096 A1), in view of Crabtree (US 20230153355 A1) as applied to claim 6 above and further in view of Han (US 20260019413 A1). Regarding Claim 7 Engelberg in view of Crabtree teaches constructing and analyzing a knowledge graph of a network environment that models relationships between different node types and uses those relationships to evaluate and propagate risk across the network based on interconnections between nodes. However, Engelberg and Crabtree are silent in explicitly teaching that the authentication service data is available from at least one of Active Directory (AD), LDAP, RADIUS, or a Single Sign-On (SSO) solution. Han teaches a network authentication system in which authentication service data is provided via a RADIUS authentication server, including receiving user identity information and performing authentication using EAP over RADIUS protocols (¶¶0040–0042). RADIUS is one of the explicitly recited authentication service sources in the claimed group. It would have been obvious to one of ordinary skill in the art to modify Engelberg and Crabtree to utilize Han’s RADIUS authentication infrastructure as a source of authentication service data, in order to leverage standardized and widely used authentication protocols for managing user identity and access control within the network environment, thereby yielding predictable results. Claims 8 are rejected under 35 U.S.C. 103 as being unpatentable over Engelberg (US 20230328096 A1), in view of Crabtree (US 20230153355 A1) as applied to claim 1 above and further in view of Wollman (US 20200313965 A1). Regarding Claim 8 Engelberg in view of Crabtree teaches constructing and analyzing a knowledge graph of a network environment that models relationships between different node types and uses those relationships to evaluate and propagate risk across the network based on interconnections between nodes. However, Engelberg and Crabtree are silent in explicitly teaching that the network configuration data includes routing tables, access control lists (ACLs), and firewall configurations. Wollman teaches obtaining and analyzing network configuration data for a network environment, wherein the data explicitly includes routing tables, firewall rules, and ACLs, as well as other configuration data indicative of network structure and traffic control (¶0041). Wollman further teaches analyzing such configuration data to determine how traffic flows through the network and identifying restrictions imposed by network devices such as firewalls and routers (¶¶0041–0044, 0066). It would have been obvious to one of ordinary skill in the art to modify Engelberg and Crabtree to incorporate Wollman’s detailed network configuration data, including routing tables, ACLs, and firewall configurations, in order to enhance the accuracy and completeness of the network model and improve identification of attack paths and security weaknesses based on actual network traffic controls, yielding predictable results. Conclusion Any inquiry concerning this communication or earlier communications from the examiner should be directed to SAAD ABDULLAH whose telephone number is (571) 272-1531. The examiner can normally be reached on Monday - Friday, 9:30am - 5:30pm, EST. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on (571) 272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /SAAD AHMAD ABDULLAH/ Examiner, Art Unit 2431 /SARAH SU/ Primary Examiner, Art Unit 2431
Read full office action

Prosecution Timeline

Nov 18, 2024
Application Filed
Mar 11, 2026
Examiner Interview (Telephonic)
Apr 02, 2026
Non-Final Rejection — §103, §112, §DP (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12592961
QUANTUM-BASED ADAPTIVE DEEP LEARNING FRAMEWORK FOR SECURING NETWORK FILES
2y 5m to grant Granted Mar 31, 2026
Patent 12580886
Network security gateway onboard an aircraft to connect low and high trust domains of an avionics computing infrastructure
2y 5m to grant Granted Mar 17, 2026
Patent 12554871
SYSTEMS, METHODS, AND COMPUTER-READABLE MEDIA FOR SECURE AND PRIVATE DATA VALUATION AND TRANSFER
2y 5m to grant Granted Feb 17, 2026
Patent 12554832
AUTOMATED LEAST PRIVILEGE ASSIGNMENT
2y 5m to grant Granted Feb 17, 2026
Patent 12511372
DATA ACCESSING WITH A VIRTUAL SANDBOX DATABASE
2y 5m to grant Granted Dec 30, 2025
Study what changed to get past this examiner. Based on 5 most recent grants.

AI Strategy Recommendation

Get an AI-powered prosecution strategy using examiner precedents, rejection analysis, and claim mapping.
Powered by AI — typically takes 5-10 seconds

Prosecution Projections

1-2
Expected OA Rounds
77%
Grant Probability
99%
With Interview (+35.1%)
3y 0m
Median Time to Grant
Low
PTA Risk
Based on 70 resolved cases by this examiner. Grant probability derived from career allow rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month