Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1-8 and 11-18 is/are rejected under 35 U.S.C. 103 as being unpatentable over United States Patent Application Publication No.: US 2022/0210190 A1 (Weber et al.) in view of United States Patent Application Publication No.: US 2017/0078322 A1 (Seiver et al.).
As Per Claim 1: Weber et al. teaches: A comprehensive vulnerability rating system comprising:
- at least one hardware processor; and
- at least one non-transitory memory storing instructions, which, when executed by the at least one hardware processor, cause the system to:
(Weber et al., Paragraph [0041], “The security alert machine learning system 114 may implement a single machine learning algorithm or an ensemble of machine learning algorithms. Additionally, the security alert machine learning system 114 may be implemented by the one or more computing servers, computer processors, and the like of the artificial intelligence virtual assistance platform no.”).
- receive and normalize a dataset to generate a normalized dataset, wherein normalizing the dataset comprises encoding categorical data and nominal data of the dataset;
- generate a training dataset from the normalized dataset, wherein the training dataset comprises training attributes used to generate a pre-determined comprehensive vulnerability rating associated with the training dataset;
- train a machine learning model by inputting the training dataset to the machine learning model to generate a trained machine learning model;
(Weber et al., Paragraph [0096], “In some embodiments, the phishing machine learning model comprises an ensemble of distinct (phishing) machine learning models that may operate in combination to compute or produce the predictive inference for determining whether a target communication may be malicious or non-malicious. In such embodiments, each machine learning model may be trained with one or more corpora of labeled training data comprising a plurality of distinct training samples of malicious (adverse) or non-malicious (non-adverse) electronic communications.”).
- evaluate the trained machine learning model using one or more evaluation criteria, wherein the one or more evaluation criteria
(Weber et al., Paragraph [0038], “In one or more embodiments, the security alert engine 110 may include a security threat detection logic module 112 that may function to assess inbound security alert data using predetermined security detection logic that may validate or substantiate a subset of the inbound alerts as security threats requiring an escalation and/or a threat mitigation response by the system 100.”).
- receive and normalize an inference dataset to generate a normalized inference dataset, wherein the inference dataset comprises information associated with at least one vulnerability;
- generate one or more feature vectors from the normalized inference dataset;
- input the one or more feature vectors to the trained machine learning model to generate a comprehensive vulnerability rating associated with the at least one vulnerability associated with the normalized inference dataset;
- identify, based on the comprehensive vulnerability rating associated with the at least one vulnerability associated with the normalized inference dataset,
(Weber et al., Paragraph [0015], “In one embodiment, the method further includes computing, by a phishing machine learning model, a cybersecurity threat inference comprising a phishing threat score based on an input of feature vectors derived from the one or more corpora of feature data from the suspicious electronic communication, wherein the phishing threat score indicates a likelihood that a target electronic communication comprises an adverse electronic communication or a malicious electronic communication.”).
- display, via a user interface, the comprehensive vulnerability rating associated with the at least one vulnerability and the identified at least one computing device affected by the at least one vulnerability.
(Weber et al., Paragraph [0046], “The security mitigation user interface 130 may function to enable an analyst or an administrator to perform, in a parallel manner, monitoring, investigations, and reporting of security event incidents, and/or resolutions to subscribers to the system 100 and/or service implementing the system 100. In some embodiments, an operation of the security user interface 130 may be transparently accessible to subscribers, such that one or more actions in monitoring, investigation, and reporting security threats or security incidents may be surfaced in real-time to a user interface accessible, via the Internet or the like to a subscribing entity.”).
Weber et al. does not explicitly teach the following limitations however Seiver et al. teaches the following limitations:
- (evaluation criteria) comprise at least determining if an output of the machine learning model is within a threshold range of the pre-determined comprehensive vulnerability rating associated with the training dataset;
(Seiver et al., Paragraph [0312], “In this way, a user can specify methods of each metric being determined, and subsequently utilized to determine a compromise likelihood or compromise value of a user account or network device. Different networks may call for different methods, for instance a user of a first network may be more interested in weighting network devices based on a number of vulnerable applications they run (e.g., exploitable applications, for instance as indicated by the common vulnerability scoring system (CVSS)), than weighting network devices based on a maximum severity score of any one application they run (e.g., a maximum score of any of the exploitable applications as indicated by CVSS). Therefore, a user (e.g., a security officer) can fine-tune methods associated with determining compromise values and/or compromise likelihoods based on needs associated with the user's networks.”).
- receive computing system data, the computing system data comprising information associated with a plurality of computer devices;
(Seiver et al., Paragraph [0167], “Furthermore, the system can monitor changes to compromise values and compromise vulnerabilities of user accounts, and network devices, over time. The reviewing user can then determine any positive, or negative, changes to the determined values and take remedial actions in response. For instance, the reviewing user can indicate goals to improve compromise values and compromise vulnerabilities, and the system can monitor whether the goals are positively affecting network security (e.g., an investment as will be described below).”).
- (identify) at least one computer device of the plurality of computer devices that is affected by the at least one vulnerability; and
(Seiver et al., Paragraph [0181], “User interface 940 includes a graphical representation 942 of network devices mapped in a chart according to respective network device risk values as described in FIG. 9A. In some implementations, to illustrate the affect of the external event, the graphical representation 942 can include an animation, a video, and so on, which identifies (e.g., highlights) affected network devices and illustrates their increase in associated compromise vulnerability. In this way, the reviewing user can quickly review the graphical representation 942 to get a sense of how deeply the external event affects the network devices.”).
It would have been an obvious interchangeable variation readily implemented with expectations of success to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Seiver et al. in to the method of Weber et al. to take advantage of Seiver et al.’s much more compressive risk assessment methodologies in applying Weber et al.’s risk thresholds.
As Per Claim 2: The rejection of claim 1 is incorporated and further Weber et al. teaches:
- the system is further caused to extract features from the inference dataset using a large language model (LLM) to generate the normalized inference dataset.
(Weber et al., Paragraph [0051], “In one or more embodiments, the embeddings module may function to compute or generate word and/or sentence embeddings (i.e., semantic vector values) based on the content data extracted from the electronic communication data. In such embodiments, the embeddings module may be implemented with an external embeddings (e.g., Bert-as-a-service or the like) that communicates with the embeddings modules to generate word and/or sentence embeddings.”).
As Per Claim 3: The rejection of claim 1 is incorporated and further Weber et al. teaches:
- generating the comprehensive vulnerability rating associated with the at least one vulnerability of the normalized inference dataset comprises determining a plurality of attributes associated with the at least one vulnerability and at least one or more logical relationships between the plurality of attributes.
(Weber et al., Paragraph [0090], “Additionally, or alternatively, S240 may function to generate phishing threat intelligence data that identifies or includes criteria and/or attributes that are drivers or signals that encouraged the one or more similarity metric values. For instance, S240 may function to add criteria such as, but not limited to, domain match, attachment match, timing (of send) requirements, content match, and/or the like.”).
As Per Claim 4: The rejection of claim 3 is incorporated and further Weber et al. does not explicitly teach the following limitations however Seiver et al. teaches the following limitations:
- the plurality of attributes comprise at least one of the following: most recent exploitation date, number of threat actors, nationalities of threat actors, number of exploits, number of exploit codes, whether or not the at least one vulnerability has been weaponized, whether or not botnets are used to exploit the at least one vulnerability, whether or not the at least one vulnerability is associated with ransomware, a likelihood that the at least one vulnerability will be exploited in the near future, whether or not the at least one vulnerability has been reported by one or more tracking services, social media activity related to the at least one vulnerability, news reports related to the at least one vulnerability, particular types of malware associated with the at least one vulnerability, when the at least one vulnerability was first weaponized, when an exploit for the at least one vulnerability was first published, and whether or not a patch is available for the at least one vulnerability.
(Seiver et al., Paragraph [0181], “User interface 940 includes a graphical representation 942 of network devices mapped in a chart according to respective network device risk values as described in FIG. 9A. In some implementations, to illustrate the affect of the external event, the graphical representation 942 can include an animation, a video, and so on, which identifies (e.g., highlights) affected network devices and illustrates their increase in associated compromise vulnerability. In this way, the reviewing user can quickly review the graphical representation 942 to get a sense of how deeply the external event affects the network devices.”).
It would have been an obvious interchangeable variation readily implemented with expectations of success to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Seiver et al. in to the method of Weber et al. to take advantage of Seiver et al.’s much more compressive risk assessment methodologies in applying Weber et al.’s risk thresholds.
As Per Claim 5: The rejection of claim 3 is incorporated and further Weber et al. teaches:
- the system is further caused to determine a value associated with each of the plurality of attributes.
(Weber et al., Paragraph [0090], “Additionally, or alternatively, S240 may function to generate phishing threat intelligence data that identifies or includes criteria and/or attributes that are drivers or signals that encouraged the one or more similarity metric values. For instance, S240 may function to add criteria such as, but not limited to, domain match, attachment match, timing (of send) requirements, content match, and/or the like.”).
As Per Claim 6: The rejection of claim 1 is incorporated and further Weber et al. teaches:
- the machine learning model comprises a neural network.
(Weber et al., Paragraph [0042], “The machine learning models and/or the ensemble of machine learning models of the security alert machine learning system 114 may employ any suitable machine learning including one or more of: supervised learning (e.g., using logistic regression, using back propagation neural networks, using random forests, decision trees, etc.), unsupervised learning (e.g., using an Apriori algorithm, using K-means clustering), semi-supervised learning, reinforcement learning (e.g., using a Q-learning algorithm, using temporal difference learning), and any other suitable learning style. Each module of the plurality can implement any one or more of: a regression algorithm (e.g., ordinary least squares, logistic regression, stepwise regression, multivariate adaptive regression splines, locally estimated scatterplot smoothing, etc.), an instance-based method (e.g., k-nearest neighbor, learning vector quantization, self-organizing map, etc.), a regularization method (e.g., ridge regression, least absolute shrinkage and selection operator, elastic net, etc.), a decision tree learning method (e.g., classification and regression tree, iterative dichotomiser 3, C 4.5, chi-squared automatic interaction detection, decision stump, random forest, multivariate adaptive regression splines, gradient boosting machines, etc.), a Bayesian method (e.g., naïve Bayes, averaged one-dependence estimators, Bayesian belief network, etc.), a kernel method (e.g., a support vector machine, a radial basis function, a linear discriminate analysis, etc.), a clustering method (e.g., k-means clustering, expectation maximization, etc.), an associated rule learning algorithm (e.g., an Apriori algorithm, an Eclat algorithm, etc.), an artificial neural network model (e.g., a Perceptron method, a back-propagation method, a Hopfield network method, a self-organizing map method, a learning vector quantization method, etc.), a deep learning algorithm (e.g., a restricted Boltzmann machine, a deep belief network method, a convolution network method, a stacked auto-encoder method, etc.), a dimensionality reduction method (e.g., principal component analysis, partial least squares regression, Sammon mapping, multidimensional scaling, projection pursuit, etc.), an ensemble method (e.g., boosting, bootstrapped aggregation, AdaBoost, stacked generalization, gradient boosting machine method, random forest method, etc.), and any suitable form of machine learning algorithm. Each processing portion of the system 100 can additionally or alternatively leverage: a probabilistic module, heuristic module, deterministic module, or any other suitable module leveraging any other suitable computation method, machine learning method or combination thereof. However, any suitable machine learning approach can otherwise be incorporated in the system 100. Further, any suitable model (e.g., machine learning, non-machine learning, etc.) may be used in implementing the security alert machine learning system 114 and/or other components of the system 100.”).
As Per Claim 7: The rejection of claim 1 is incorporated and further Weber et al. teaches:
- the machine learning model comprises a support vector machine algorithm, decision tree, Parzen window, Bayesian model, clustering model, reinforcement learning model, probability distribution, or decision tree forest.
(Weber et al., Paragraph [0042], “The machine learning models and/or the ensemble of machine learning models of the security alert machine learning system 114 may employ any suitable machine learning including one or more of: supervised learning (e.g., using logistic regression, using back propagation neural networks, using random forests, decision trees, etc.), unsupervised learning (e.g., using an Apriori algorithm, using K-means clustering), semi-supervised learning, reinforcement learning (e.g., using a Q-learning algorithm, using temporal difference learning), and any other suitable learning style. Each module of the plurality can implement any one or more of: a regression algorithm (e.g., ordinary least squares, logistic regression, stepwise regression, multivariate adaptive regression splines, locally estimated scatterplot smoothing, etc.), an instance-based method (e.g., k-nearest neighbor, learning vector quantization, self-organizing map, etc.), a regularization method (e.g., ridge regression, least absolute shrinkage and selection operator, elastic net, etc.), a decision tree learning method (e.g., classification and regression tree, iterative dichotomiser 3, C 4.5, chi-squared automatic interaction detection, decision stump, random forest, multivariate adaptive regression splines, gradient boosting machines, etc.), a Bayesian method (e.g., naïve Bayes, averaged one-dependence estimators, Bayesian belief network, etc.), a kernel method (e.g., a support vector machine, a radial basis function, a linear discriminate analysis, etc.), a clustering method (e.g., k-means clustering, expectation maximization, etc.), an associated rule learning algorithm (e.g., an Apriori algorithm, an Eclat algorithm, etc.), an artificial neural network model (e.g., a Perceptron method, a back-propagation method, a Hopfield network method, a self-organizing map method, a learning vector quantization method, etc.), a deep learning algorithm (e.g., a restricted Boltzmann machine, a deep belief network method, a convolution network method, a stacked auto-encoder method, etc.), a dimensionality reduction method (e.g., principal component analysis, partial least squares regression, Sammon mapping, multidimensional scaling, projection pursuit, etc.), an ensemble method (e.g., boosting, bootstrapped aggregation, AdaBoost, stacked generalization, gradient boosting machine method, random forest method, etc.), and any suitable form of machine learning algorithm. Each processing portion of the system 100 can additionally or alternatively leverage: a probabilistic module, heuristic module, deterministic module, or any other suitable module leveraging any other suitable computation method, machine learning method or combination thereof. However, any suitable machine learning approach can otherwise be incorporated in the system 100. Further, any suitable model (e.g., machine learning, non-machine learning, etc.) may be used in implementing the security alert machine learning system 114 and/or other components of the system 100.”).
As Per Claim 8: The rejection of claim 1 is incorporated and further Weber et al. teaches:
- the machine learning model is locally hosted, cloud managed, accessed via one or more Application Programming Interfaces (“APIs”), or a combination of the above.
(Weber et al., Paragraph [0037], “The security alert aggregation and identification module 110, sometimes referred to herein as the “security alert engine 110” may be in operable communication with a plurality of distinct sources of cyber security alert data. In one or more embodiments, the module no may be implemented by an alert application programming interface (API) that may be programmatically integrated with one or more APIs of the plurality of distinct sources of cyber security alert data and/or native APIs of a subscriber to a security service implementing the system 100.”).
As Per Claims 11-18: Claims 11-18 are substantially a restatement of the vulnerability rating system of claims 1-8 as a computer-implemented method and are rejected under substantially the same reasoning.
Claim(s) 9-10 and 19-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over United States Patent Application Publication No.: US 2022/0210190 A1 (Weber et al.) in view of United States Patent Application Publication No.: US 2017/0078322 A1 (Seiver et al.) in further view of United States Patent Application Publication No.: US 2017/0372232 A1 (Maughan et al.)
As Per Claim 9: The rejection of claim 1 is incorporated and further Weber et al. and Seiver et al. do not explicitly teach the following limitations however Maughan et al. teaches the following limitations:
- the system is further caused to determine a score for each of the one or more feature vectors, wherein the score corresponds to a contribution of the feature vector to the comprehensive vulnerability rating associated with the at least one vulnerability of the normalized inference dataset.
(Maughan et al., Paragraph [0087], “The quality analysis module 202, in certain embodiments, may process data to detect one or more patterns of missingness. For example, missing values do not always occur randomly and the quality analysis module 202 may score feature vectors with missing values to see if there is a pattern of missingness or if the missingness appears to be completely at random. If the quality analysis module 202 determines that a pattern of missingness is not completely at random, in various embodiments, the corrective action module 204 may exclude a feature, impute values for a feature, or the like, as a corrective action.”).
It would have been an obvious interchangeable variation readily implemented with expectations of success to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Maughan et al. in to the method of Weber et al. and Seiver et al. to expand on detection and corrective action options.
As Per Claim 10: The rejection of claim 1 is incorporated and further Weber et al. and Seiver et al. do not explicitly teach the following limitations however Maughan et al. teaches the following limitations:
- determining a variance of one or more features of the normalized inference dataset and removing at least one of the one or more features that have a determined variance above a pre-determined threshold.
(Maughan et al., Paragraph [0079], “The quality analysis module 202, in one embodiment, may process data to detect zero variance, near zero variance, or the like and perform and/or recommend one or more associated corrective actions. The quality analysis module 202, in certain embodiments, may determine and provide a variance score, flagging features with little or no variance, or the like, for a corrective action. For example, the corrective action module 204 may perform and/or recommend a corrective action comprising excluding a feature with variance that fails to satisfy a threshold (e.g., with variance below a threshold, or the like).”).
It would have been an obvious interchangeable variation readily implemented with expectations of success to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Maughan et al. in to the method of Weber et al. and Seiver et al. to expand on detection and corrective action options.
As Per Claims 19-20: The rejection of claim 11 is incorporated and further claims 19-20 are substantially a restatement of the vulnerability rating system of claims 9-10 as a computer-implemented method and are rejected under substantially the same reasoning.
Additional Prior Art
United States Patent Application Publication No.: US 2024/0396921 A1 (Alkelaibi et al.), United States Patent Application Publication No.: US 2024/0330480 A1 (Roytman) and United States Patent Application Publication No.: US 2024/0289465 A1 (Zech et al.) teach relevant methods in machine learning in analogous art.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BENJAMIN A KAPLAN whose telephone number is (571)270-3170. The examiner can normally be reached 9:00 a.m. - 5:00 p.m..
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached at (571)272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/BENJAMIN A KAPLAN/Examiner, Art Unit 2434