Prosecution Insights
Last updated: July 17, 2026
Application No. 19/067,228

MACHINE LEARNING TECHNIQUES FOR ANALYZING OPERATIONAL TECHNOLOGY NETWORKS

Non-Final OA §103§112
Filed
Feb 28, 2025
Priority
Feb 28, 2024 — provisional 63/559,095
Examiner
POUDEL, SAMIKSHYA NMN
Art Unit
Tech Center
Assignee
Frenos Inc.
OA Round
1 (Non-Final)
45%
Grant Probability
Moderate
1-2
OA Rounds
1y 6m
Est. Remaining
99%
With Interview

Examiner Intelligence

Grants 45% of resolved cases
45%
Career Allowance Rate
9 granted / 20 resolved
-15.0% vs TC avg
Strong +75% interview lift
Without
With
+75.0%
Interview Lift
resolved cases with interview
Typical timeline
2y 10m
Avg Prosecution
16 currently pending
Career history
48
Total Applications
across all art units

Statute-Specific Performance

§101
0.7%
-39.3% vs TC avg
§103
87.1%
+47.1% vs TC avg
§102
3.4%
-36.6% vs TC avg
§112
8.2%
-31.8% vs TC avg
Black line = Tech Center average estimate • Based on career data from 20 resolved cases

Office Action

§103 §112
Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Claim Objections Regarding claim 1, the claims are objected to because of the following informalities: The phrase “based on output simulated attack data” should be “based on outputted simulated attack data” or “based on simulated attack data output”. Appropriate correction is required. Regarding claim 5, the claims are objected to because of the following informalities: The phrase “substantially all connected assets” should be clarified what degree of completeness is required by “substantially all” connected assets. Appropriate correction is required. Regarding claim 10, the claims are objected to because “customer OT network environment” lacks clear context relative to previously recited “one or more OT network environments” Applicant may clarify whether the “customer OT network environment” is one of the previously recited OT network environments. Claim Rejections - 35 USC § 112 The following is a quotation of 35 U.S.C. 112(b): (b) CONCLUSION. —The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention. The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph: The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention. Claims 1-20 rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention. Claims 1 and 11 recite the limitation “training an attack simulation model to simulate attacks on a network replica by a plurality of threats described in the threat database” is grammatically unclear. It is unclear whether the attacks are performed by threats, simulated using threat data, or correspond to threats described in the threat database. Furthermore, the claim recite limitation "generating a threat analysis system configured to apply the attack simulation model" is unclear because the claim does not specify what is generated or how the threat analysis system is generated. It is unclear whether the claimed step requires generating executable software, configuring an existing system, initiating a computing service, generating a model, or merely producing data/configuration instructions. Thus, the scope of the claim is unclear. Same applies for mirror claim 11. Dependent claims are also rejected for inheriting the deficiencies set forth above for independent claims. Appropriate correction is required. Claims 2 and 12 recite the limitation “a value function that optimizes attack path selection” fails to specify what parameter or objective is optimized. It is unclear whether the value function optimizes likelihood of success, risk score, attack impact, path length, or another metric. Same applies for mirror claim 12. Claims 3 and 13 recite the limitation “at least a portion of the neural network includes a linear regression model” is unclear. It is unclear how a portion of neural network “includes” a linear regression model, or whether the linear regression model is a layer of the neural network, a separate model coupled to the neural network. The scope of the claim is unclear. Same applies for mirror claim 13. Dependent claims are also rejected for inheriting the deficiencies set forth above for independent claims. Appropriate correction is required. Claims 6 and 16 recite the term “simultaneously” is unclear in the context of simulating attack paths through a graph database. The claim does not specify whether “simultaneously” requires a parallel, concurrent processing or merely evaluating multiple attack paths as part of the same simulation process. Thus, the scope of the claim is unclear. Same applies for mirror claim 16. Dependent claims are also rejected for inheriting the deficiencies set forth above for independent claims. Appropriate correction is required. Claims 8 and 18 recites the phrase “based on a retentive network” fails to particularly point out the relationship between the attack analysis language model and the retentive network. It is unclear whether the attack analysis language model is itself a retentive network , includes a retentive network component, is trained using a retentive network, or merely uses techniques associated with retentive networks. Thus, the scope of the claim is unclear. Same applies for mirror claim 18. Dependent claims are also rejected for inheriting the deficiencies set forth above for independent claims. Appropriate correction is required. Claim Rejections - 35 USC § 103 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claims 1, 5, 10,11, 15 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Crabtree (US 20210168175 A1) in view of Hassell (US 20150295948 A1). Regarding claim 1, Crabtree teaches method comprising: maintaining a threat database comprising threat data describing threats capable of compromising operational technology (OT) network environments (Crabtree, Input network data which may include network flow patterns 321, the origin and destination of each piece of measurable network traffic 322, system logs from servers and workstations on the network 323, endpoint data 329, any security event log data from servers or available security information and event (SIEM) systems 324, external threat intelligence feeds 324, identity or assessment context 325, external network health or cybersecurity feeds 326, [0095] one or more directed graphs are used to create system models 2610 to model both the operational technology (OT) and information technology (IT) systems and the interactions between them, [0108] compiled by first collecting 1201 information on publicly-disclosed vulnerabilities, such as (for example) using the Internet or common vulnerabilities and exploits (CVE) process, [0121] Non-limiting examples of external reconnaissance data 2120 include domains and IP information, data breach information, organization information such as corporate structures, key employees, etc., open port information, information regarding which organizations are current targets of cyber-attacks, network vulnerability information, system version and patch/update information, known and possible exploits, and publicly available information, [0130] A generative modeling attack generator 3104 simulates an attacker using available attack building resources 3102 which contain scripts for implementing certain types of attacks on a network, [0141]) [Examiner interprets that system storing and using such cybersecurity information to support simulation and recommendation generation as limitation above, Under BRI in light of spec [0069], [0081] , “ a datastore” or stored collection of threat/vulnerability/exploit data satisfies threat database]; training an attack simulation model to simulate attacks on a network replica by a plurality of threats described in the threat database (Crabtree, The system and method use machine learning algorithms to run simulated attack and defense strategies against a model of the networked system created using a directed graph, [0005] The real-world data from the time series data store 3003 is used to inform the operations of a simulator 3100, which uses the real-world data to run attack and defense simulations using a machine learning engine 3120, which uses machine learning algorithms such as reinforcement learning or evolutionary learning algorithms to test a model of the network under test 3001 represented by a cyber-physical graph 3101. The results of the simulations comprise a probability of success of various attack and defense strategies arising out of the implementation of the real-world attack data on the model of the network under test 3001 represented by the cyber-physical graph 3101, [0115] A reinforcement learning (RL) attack engine applies the generated attacks to the network model through a real-time simulation engine 3105, and learns which attacks are most effective by gaining a reward for each successful attack. The attack building resources 3102 may be updated by the RL attack engine as new forms of possible attacks find success. As part of its reinforcement learning process, the RL attack engine 3103 calculates probabilities of success of certain attack strategies based on outcome of attacks presented to the real-time simulation engine 3105, [0141]) [Examiner interprets that system using simulator, machine learning engine, and RL attack engine to simulate attacks against a modeled network and learning RL attack engine as limitation above]; the attack simulation model outputting simulated attack data comprising a set of simulated attack paths corresponding to one or more threats of the plurality of threats (Crabtree, obtain a simulation result comprising the cyberattack strategy sequence and a probability of success of the attack and the defense in each iteration, [0006] Possible attack paths may be analyzed using the cyber-physical graph by running graph analysis algorithms such as shortest path algorithms, minimum cost/maximum flow algorithms, strongly connected node algorithms, etc. In this example, several exemplary attack paths are ranked by likelihood. In the most likely attack path, user 2201 is an administrator to device 2202 to which device 2203 has connected, [0133] The attack and defense strategies generated by the attack engine 3105 are run on a real-time simulation engine, which implements the attacks on the cyber-physical graph and measures the impact of mitigations and other features of network resilience. The real-time simulation engine further captures the probabilities of successful attack strategies from the RL attack engine 3103 and the probabilities of successful defense strategies from the EA defense engine 3106, and outputs simulation results comprising those probabilities, [0143]) [Examiner interprets that system generating possible attack paths through the cyber physical graph and ranking those paths by likelihood and the attack generator using attack building resources and the graph includes known vulnerabilities/exploits as limitation above]; the network replica comprising a structured representation of a plurality of assets belonging to an OT network environment, communication pathways between the plurality of assets, security controls implemented in the OT network environment, and vulnerabilities (Crabtree, The server 2511 routes information to and from to the SCADA/HMI system 2521, one or more routers 2512 which route information to a plurality of workstations 2513a-n and other devices (not shown), storage 2514, and a domain controller 2515 which controls access to the IT infrastructure from other networks 2516 such as the Internet, [0107] one or more directed graphs are used to create system models 2610 to model both the operational technology (OT) and information technology (IT) systems and the interactions between them.. a cyber-physical graph is used to model the entities and entity relationships of the OT system 2612 and a distributed computational graph is used to model the complex workflows and processes within the OT system 2614 as modeled by the cyber-physical graph of the OT system 2612, [0108] first collecting 1201 information on publicly-disclosed vulnerabilities, such as (for example) using the Internet or common vulnerabilities and exploits (CVE) process… the combined data of the CPG and the known vulnerabilities may then be analyzed 1203 to identify the relationships between known vulnerabilities and risks exposed by components of the infrastructure. This produces a combined CPG 1204 that incorporates both the internal risk level of network resources, user accounts, and devices as well as the actual risk level based on the analysis of known vulnerabilities and security risks, [0121] A cyber-physical graph (i.e., network replica), in its most basic form, represents the network devices comprising an organization's network infrastructure as nodes (also called vertices) in the graph and the physical or logical connections between them as edges between the nodes.. The cyber-physical graph may be expanded to include network information and processes such as data flow, security protocols and procedures, and software versions and patch information, [0132] In this cyber-physical graph, nodes (aka vertices) represent entities (in this case components and devices) and the edges between the nodes represent logical relationships between the nodes, [0135]); generating a threat analysis system configured to apply the attack simulation model to an input network replica and provide one or more risk reduction recommendations based on output simulated attack data from the attack simulation model (Crabtree, the system is structured to provide an iterative analysis and improvement process that uses an attack implementation engine 3010 to test an actual network under test 3001, gathers system information from the test, which is used by a simulator 3100 to initiate an iterative simulation of a cyberattack strategy sequence, with each iteration comprising a simulated attack generated by a machine learning algorithm on a model of the network under test 3001 and a simulated defense generated by a machine learning algorithm against the simulated attack. The iterative simulation produces a simulation result, which is passed to a recommendation engine 3200, which recommends cybersecurity improvements to the network under test 3001 based on one or more cost factors and benefit factors….., [0113] The simulation results from the simulator 3100 are sent to a recommendation engine 3200, which compares the likelihood of success of the various attack and defense strategies against real-world cost and benefit considerations to generate recommendations for cost-effective, realistic security improvements to the network under test 3001, [0115] The recommendation engine 3200 receives simulation results, performs a cost/benefit analysis, and makes recommendations as to what security improvements to implement, [0145]) [Examiner interprets that (simulator + recommendation engine) as threat analysis system and simulator applying attack simulations to network model, and the recommendation engine generating cybersecurity improvement recommendations based on simulation results as limitation above]; and deploying the threat analysis system to generate risk reduction recommendations for one or more OT network environments (Crabtree, A major benefit of this system is its automation. The system can be made to be entirely automated, running iteration after iteration and implementing recommended changes to the networked system through the use of changes in software configurations, access controls, etc., even including isolating certain hardware from the network through software controls, [0059] The recommendations may be used to automatically implement security improvements and initiate the next iteration of testing, [0115] one or more directed graphs are used to create system models 2610 to model both the operational technology (OT) and information technology (IT) systems and the interactions between them, [0108]) [Examiner interprets that system implementing or deploying the cybersecurity analysis and recommendation system on computing devices associated with networks, including OT/IT systems, automated implementation of recommendations and Iterative improvement as limitation above]; wherein the method is performed by one or more processors (Crabtree, one or more processors 13, [0150]). Although, Crabtree teaches the functionally the same general use of threat/exploit/attack resources in ML based attack simulation, But, Crabtree does not explicitly teach: training an attack simulation model to simulate attacks on a network replica by a plurality of threats described in the threat database (Hassell, The system 200 may not be connected to the network 210 under study physically, but ingests data produced by tools 212 that may be connected to the network in order to provide a simulated target network topology. An agent framework handles information changes. After a cyber analyst 230 ascertains the network data model, the system 200 initiates a discrete simulation (DSIM) 240 and launches simulated threat attacks that seek to reach the final attack phase, i.e., exploitation on a target node in the modeled network, [0020] Data sources 260, such as proprietary data sources and administered data sources (e.g., MTRE), provide vulnerability threats to the database 250 (e.g., data warehouse), [0022] There may be single or multiple threats 550, multiple, simultaneous attacks 552, single or multiple defenses 554. The scenarios may be applied to the network 520. The attack results are noted and the simulation results are provided to database 560, [0042] The threats in the threat library used as templates 540 may be Java models, with embedded behavior, [0043] A simulation model 630 is created based on the experimental design, [0045]) [Examiner interprets that creating, configuring and running a cyber-attack simulation model against a modeled/simulated network topology iteratively using multiple threats stored/described in a database or threat library as limitation above]. Therefore, it would have been obvious to PHOSITA before the effective filing date to modify the teaching of Crabtree to include a concept of training an attack simulation model to simulate attacks on a network replica by a plurality of threats described in the threat database as taught by Hassell for the purpose of providing a cyber defense simulation toolkit to evaluate and enhance the resiliency of networks in the face of cyber-attacks [Hassell:0050]. Regarding claim 5, Crabtree and Hassell teaches the method of claim 1, wherein the network replica comprises a graph database that includes the structured representation of substantially all connected assets in the OT network environment (Crabtree, the graph stack service module 145 represents data in graphical form influenced by any pre-determined scripted modifications 145a and stores it in a graph-based data store 145b such as GIRAPH™ or a key value pair type data store REDIS™, or RIAK™, among others, all of which are suitable for storing graph-based information, [0082] one or more directed graphs are used to create system models 2610 to model both the operational technology (OT) and information technology (IT) systems and the interactions between them…. a cyber-physical graph is used to model the entities and entity relationships of the OT system 2612 and a distributed computational graph is used to model the complex workflows and processes within the OT system 2614 as modeled by the cyber-physical graph of the OT system 2612, [0108] The cyber-physical graph 1902 is a directed graph that represents a comprehensive picture of an organization's infrastructure and operations. A cyber-physical graph 1902 represents the relationships between entities associated with an organization, for example, devices, users, resources, groups, and computing services, the relationships between the entities defining relationships and processes in an organization's infrastructure…., [0130] A cyber-physical graph, in its most basic form, represents the network devices comprising an organization's network infrastructure as nodes (also called vertices) in the graph and the physical or logical connections between them as edges between the nodes… Thus, a cyber-physical graph may be used to represent a complete picture of an organization's infrastructure and operations, [0132]) [Examiner interprets that system using graph-based data store and a cyber physical graph representing devices/assets and relationships which completes picture of organizations infrastructure and operations and the represents the devices and relationships as nodes and edges as limitation above]. Regarding claim 10, Crabtree and Hassell teaches the method of claim 1, wherein deploying the threat analysis system includes providing computer-readable instructions for execution on one or more computing devices in a customer OT network environment (Crabtree, one or more directed graphs are used to create system models 2610 to model both the operational technology (OT) and information technology (IT) systems and the interactions between them, [0108] The recommendations are also sent to an administrative user interface 3004, which may be used by an administrator 3005 to manually implement security improvements and initiate the next iteration of testing, [0115] at least some of the features or functionalities of the various aspects disclosed herein may be implemented on one or more general-purpose computers associated with one or more networks, [0147]) [Examiner interprets that system teaching client/customer networks, OT/IT systems, and systems implemented on computing devices associated with networks as limitation above]. Regarding claim 11, Claim 11 recite commensurate subject matter as claim 1. Therefore, it is rejected for the same reasons. Except the additional elements: Crabtree further teaches: A computer system comprising: one or more hardware processors; at least one memory storing one or more instructions which, when executed by the one or more hardware processors, cause the one or more hardware processors (Crabtree, operating on a processor of, a computing device, wherein the first plurality of programming instructions, when operating on the processor, cause the computing device to, [0006]) Regarding claim 15, and 20, Claims 15 and 20 recite commensurate subject matter as claims 5 and 10. Therefore, it is rejected for the same reasons. Claims 2 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Crabtree (US 20210168175 A1) in view of Hassell (US 20150295948 A1) in further view of Korge (US 20230034303 A1). Regarding claim 2, Crabtree teaches method of claim 1, wherein the attack simulation model is a reinforcement learning model (Crabtree, Reinforcement learning algorithms attempt to find optimal actions to be taken by maximizing some reward, [0071] The real-world data from the time series data store 3003 is used to inform the operations of a simulator 3100, which uses the real-world data to run attack and defense simulations using a machine learning engine 3120, which uses machine learning algorithms such as reinforcement learning or evolutionary learning algorithms to test a model of the network under test 3001 represented by a cyber-physical graph 3101, [0115] the machine learning simulator 3100 pits a reinforcement learning (RL) attack engine 3122 against a dynamically-modified network model driven by an evolutionary algorithm (EA) defense engine, [0140] A reinforcement learning (RL) attack engine applies the generated attacks to the network model through a real-time simulation engine 3105, and learns which attacks are most effective by gaining a reward for each successful attack, [0141]) comprising: Crabtree does not explicitly teach: a representation network configured to encode the current state of the network replica into a latent space representation; a dynamics network configured to predict a future state in an attack sequence given a simulated action; a prediction network configured to estimate a likelihood of success for simulated attack paths; and a value function that optimizes attack path selection. However, Korge teaches: a representation network configured to encode the current state of the network replica into a latent space representation (Korge, Reinforcement learning as used herein is the training of machine learning models to make a sequence of decisions, [0035] receiving, from a graph database, a graph representing a digital network of a plurality of nodes, the graph including at least one vulnerability for each of the plurality of nodes; receiving, from an embeddings generator, for the plurality of nodes, a plurality of embeddings based on the graph, [0006] an embeddings generator configured to generate, for the plurality of nodes, a plurality of embeddings based on the graph, [0017] the embeddings include a vector of real numbers representing the nodes in the graph, [0022] The RL agent is a process which applies the policy model to a numerical representation of each target and uses the results to determine which, if any, path segment is best traversed in its effort to find a valid path, [0045] An embeddings generation operation 204 performs generating, for the plurality of nodes, a plurality of embeddings based on the graph, [0049] the embeddings of the device the agent 118 is currently located as well as the connections between the current device and the successor devices the agent 118 can transition to, [0055]) [Examiner interprets that system converting the graph/node into vector embeddings usable by the neural network/agent as limitation above]; a dynamics network configured to predict a future state in an attack sequence given a simulated action (Korge, determine a transition for the agent to take from the initial node to a next accessible node from the plurality of accessible nodes; compute a reward for moving to the next accessible node; and assign the agent a new state corresponding to the next accessible node, [0016] Agent 118 then determines from the information it has about the first state and, using the neural network 116 along with the navigational constraints stored in navigational constraints store 120, determines a decision as to what action from the available actions it will take next, In operation 136, the agent 118 selects the next state. [0038] A transition operation 210 performs determining which transition the agent will take from the initial node to a next accessible node from the plurality of accessible nodes, [0056] an agent assignment operation 214 performs assigning the agent a new state corresponding to the next accessible node, [0057]) [Examiner interprets that the agent selecting an action/transition from a current node to a next node and is assigned a new state corresponding to that next node as limitation above]. a prediction network configured to estimate a likelihood of success for simulated attack paths (Korge, By using neural networks to analyze the available actions, the agent 118 can efficiently choose an optimum action from a large, discrete set, [0048] The neural network 116 provides the agent 118 a prediction as to which action is optimal for it to take, [0052] FIG. 3 depicts an illustrative output of an interface representing an example attack path that leads from a node 302 with vulnerabilities (e.g., an individual device) to a high value asset, node 310, (e.g., a domain administrator), [0064] advanced notification of such potential footholds is provided to prevent an attacker from establishing a foothold by installing a persistent backdoor or downloading additional utilities or malware to the victim system through the exploit of a vulnerability of an asset within the network, [0065]) [Examiner interprets that system using neural network to predict the optimal action/path and to identify attack paths leading from vulnerable nodes to high value assets as limitation above]; and a value function that optimizes attack path selection (Korge, compute a reward for moving to the next accessible node; and assign the agent a new state corresponding to the next accessible node, [0016] the next state reward that results from agent 118 being in the next state is fed back to the agent 118, as shown in operation 138. This will repeat until the agent 118 arrives at a terminal state…. The data that has been stored in collected experience database 106 is used to update the neural network 116 for training purposes,, [0038] Typical pathfinding mechanisms seek only the shortest path between two nodes rather than RL to intelligently navigate a graph, which may not necessarily be the shortest path. Example embodiments described herein use deep learning that uses a stochastic model (e.g., instead of a deterministic policy) to predict a reward from the current position of an agent, [0046] By using neural networks to analyze the available actions, the agent 118 can efficiently choose an optimum action from a large, discrete set, [0048]) [Examiner interprets that system using reward computation, reward prediction, and reinforcement learning optimization of the agent’s path selection as limitation above]. Therefore, it would have been obvious to PHOSITA before the effective filing date to modify the teaching of Crabtree to include a concept of a representation network configured to encode the current state of the network replica into a latent space representation; a dynamics network configured to predict a future state in an attack sequence given a simulated action; a prediction network configured to estimate a likelihood of success for simulated attack paths; and a value function that optimizes attack path selection as taught by Korge for the purpose of applying reinforcement learning with navigational constraints to a cybersecurity graph to determine whether available resources of at least one node on the cybersecurity graph can used by an attacker to traverse across the cybersecurity graph [Korge:0005]. Regarding claim 12, Claim 12 recite commensurate subject matter as claim 2. Therefore, it is rejected for the same reasons. Claims 3, 4, 6, 13, 14, and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Crabtree (US 20210168175 A1) in view of Hassell (US 20150295948 A1) in further view of Crabtree (US 20230370490 A1). Regarding claim 3, Crabtree and Hassell teaches the method of claim 1, wherein Crabtree (US 20210168175 A1) and Hassell does not explicitly teach: the attack simulation model comprises a neural network, wherein at least a portion of the neural network includes a linear regression model However, Crabtree (US 20230370490 A1) teaches: the attack simulation model comprises a neural network, wherein at least a portion of the neural network includes a linear regression model (Crabtree, A machine learning engine 2811 is responsible for generalized machine learning tasks including the operating of neural networks of various compositions, and potentially other algorithms such as simulated annealing, genetic algorithms or other metaheuristics, linear regression algorithms, reinforcement learning, and more, [0135] Using one of many possible parameter adjustment 2933 techniques, including linear regression,.., [0139] Neural networks may be used as part of a machine learning engine, as the method by which training is done and a model is generated, [0141]) [Examiner interprets that system using machine learning engine using neural networks and liner regression algorithms, also using linear algorithm as parameter adjustments as limitation above]. Therefore, it would have been obvious to PHOSITA before the effective filing date to modify the teaching of Crabtree (US 20210168175 A1) and Hassell to include a concept of the attack simulation model comprises a neural network, wherein at least a portion of the neural network includes a linear regression model as taught by Crabtree (US 20230370490 A1) for the purpose of using parameter adjustment techniques [Crabtree :0139] and using neural network a part of machine learning engine for training and generating model [Crabtree:0141]. Regarding claim 4, Crabtree and Hassell teaches the method of claim 1, wherein Crabtree (US 20210168175 A1) and Hassell does not explicitly teach: the attack simulation model is configured to utilize a Monte Carlo Tree Search (MCTS) decision process However, Crabtree (US 20230370490 A1) teaches: the attack simulation model is configured to utilize a Monte Carlo Tree Search (MCTS) decision process (Crabtree, network attack path analysis and automated task planning for minimizing network exposure and maximizing resiliency is performed with machine learning, generative adversarial networks, hierarchical task networks, and Monte Carlo search trees, [0020] receive information about the topology and setup of a network of entities, from a directed graph; receive information about an optimal path of actions through a Monte Carlo tree search engine, for reducing network exposure to an attack and maximizing the network resiliency; and creating an automated task plan for minimizing network exposure and maximizing network resilience, [0021] A Monte Carlo Tree Search (“MCTS”) algorithm 3400 is both a system and method of representing certain simulation and probability problems, as a graph tree 3450 of choices and outcomes, [0155]) [Examiner interprets system using MCTS in cyber exploitation path analysis and network attack/defense planning as limitation above]. Therefore, it would have been obvious to PHOSITA before the effective filing date to modify the teaching of Crabtree (US 20210168175 A1) and Hassell to include a concept of the attack simulation model is configured to utilize a Monte Carlo Tree Search (MCTS) decision process as taught by Crabtree (US 20230370490 A1) for the purpose of receiving information about an optimal path of actions through a Monte Carlo tree search engine, for reducing network exposure to an attack and maximizing the network resiliency and creating an automated task plan for minimizing network exposure and maximizing network resilience, [Crabtree:0021]. Regarding claim 6, Crabtree and Hassell teaches the method of claim 1, wherein Crabtree (US 20210168175 A1) and Hassell does not explicitly teach: the attack simulation model is configured to simulate a plurality of attack paths through the graph database simultaneously However, Crabtree (US 20230370490 A1) teaches: the attack simulation model is configured to simulate a plurality of attack paths through the graph database simultaneously (Crabtree, Pipeline orchestrator 501 may spawn a plurality of child pipeline clusters 502a-b, which may be used as dedicated workers for streamlining parallel processing, [0101] Possible attack paths may be analyzed using the cyber-physical graph by running graph analysis algorithms such as shortest path algorithms, minimum cost/maximum flow algorithms, strongly connected node algorithms, etc. In this example, several exemplary attack paths are ranked by likelihood, [0111] Behavioral analysis engine 819 may use graph stack service 145 and DCG module 155 to convert and analyze the data in graph format using various machine learning models and may also process the data using parallel computing to quickly process large amounts of data, [0108] the algorithm may repeat, continually searching and expanding new gameplay paths or simulation choices, with optional weights towards specific node selection, and in some specialized cases, even the simulation stage 3430 may be weighted or programmed to be biased in favor of certain choices for a playout, to attempt to explore “better” choices that may be more likely to end in a favorable result, [0159]) [Examiner interprets that system multiple attack paths, graph analysis, MCTS expansion of multiple simulation choices, and parallel processing as limitation above]. Therefore, it would have been obvious to PHOSITA before the effective filing date to modify the teaching of Crabtree (US 20210168175 A1) and Hassell to include a concept of the attack simulation model is configured to simulate a plurality of attack paths through the graph database simultaneously as taught by Crabtree (US 20230370490 A1) for the purpose of analyzing using the cyber-physical graph by running graph analysis algorithms such as shortest path algorithms, minimum cost/maximum flow algorithms, strongly connected node algorithms [Crabtree:0111] for reducing network exposure to an attack and maximizing the network resiliency and creating an automated task plan for minimizing network exposure and maximizing network resilience, [Crabtree:0021]. Regarding claim 13, 14, and 16, Claims 13, 14, and 16 recite commensurate subject matter as claim 3, 4, and 6. Therefore, they are rejected for the same reasons. Claims 7, 9, 17, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Crabtree (US 20210168175 A1) in view of Hassell (US 20150295948 A1) in further view of Sellers (US 20240406210 A1). Regarding claim 7, Crabtree and Hassell teaches the method of claim 1, wherein the threat analysis system is configured to apply a model to the simulated attack data to generate the one or more risk reduction recommendations (Crabtree, The simulation results from the simulator 3100 are sent to a recommendation engine 3200, which compares the likelihood of success of the various attack and defense strategies against real-world cost and benefit considerations to generate recommendations for cost-effective, realistic security improvements to the network under test 3001. The recommendations may be used to automatically implement security improvements and initiate the next iteration of testing. The recommendations are also sent to an administrative user interface 3004, which may be used by an administrator 3005 to manually implement security improvements and initiate the next iteration of testing, [0115] inputs to a recommendation engine 3200 for an automated cybersecurity defensive strategy analysis and recommendation system. The recommendation engine 3200 receives simulation results, performs a cost/benefit analysis, and makes recommendations as to what security improvements to implement, [0145]) Although Crabtree teaches recommendation generation based on simulation results, But Crabtree and Hassell do not explicitly teach: the threat analysis system is configured to apply an attack analysis language model to the simulated attack data to generate the one or more risk reduction recommendations However, Sellars teaches: the threat analysis system is configured to apply an attack analysis language model to the simulated attack data to generate the one or more risk reduction recommendations (Sellars, The cyber security training tool has a natural language processor and a large language model to be able to analyze both i) a synthetic cyberattack in a mimic network corresponding to a real world network as well as ii) a real cyberattack in the real world network, [0019] The cyber security training tool 136 uses the large language model i) as a data transformation tool and ii) to apply natural language processing to turn data collected from the wargaming cyberattack exercise and then explain in natural language format the attack steps in the synthetic attack based on vulnerabilities utilized and the autonomous responses that were taken in the wargaming cyberattack exercise and suggest the steps that the cyber security team member needs to take to mitigate and remediate to reduce risk, [0051] The synthetic cyberattack tool 125 and the cyber security training tool 136 cooperate with the user interface component to record events and data in a log of attack data of how the cyber-attack is progressing on the mimic network, what components in the mimic network are being affected by the cyber threat, effects of any countermeasures used by a human cybersecurity team and any automated responses by an autonomous response module in a cyber security appliance 100 on the cyber threat that was deployed, and then the synthetic cyberattack tool 125 and the cyber security training tool 136 are configured to send out the log to the user interface component so that the human cybersecurity team can observe how the cyber-attack on the mimic network is playing out, [0089]) [ Examiner interprets that cybersecurity training tool that uses a large language model (LLM) and natural language processor to analyze data from synthetic cyberattack and generate remediation steps to reduce risk as limitation above]. Therefore, it would have been obvious to PHOSITA before the effective filing date to modify the teaching of Crabtree to include a concept of the threat analysis system is configured to apply an attack analysis language model to the simulated attack data to generate the one or more risk reduction recommendations as taught by Sellars for the purpose of suggesting the steps that the cyber security team member needs to take to mitigate and remediate to reduce risk, [Sellers:0051]. Regarding claim 9, Crabtree, Hassell, and Sellers teaches method of claim 7, further comprising training the attack analysis language model (Sellers, the system trains the large language model on these sentences/textual representations derived from graphs describing a security compromise produced by the cyber security analyst, so that the LLM can deduce how these attacks are structured.. Next, once the neural networks forming the artificial intelligence have learned how to understand graphs that describe a security compromise, then the synthetic cyberattack tool 125 can work the LLM to take the next step and train on how to generatively produce graphs that describe how to make a security compromise. Thus, cyberattack simulator 105 can use an autonomous agent LLM trained on cyber security analyst graphs describing a security compromise to then produce a graph for a proposed simulated/synthetic cyberattack and then evaluate each step in an ongoing synthetic cyberattack to the current conditions in the mimicked network. [0039] for better performance of the LLM to carry out its intended functions, the LLM can be trained on cyber security specific material in the format that the cyber security material is natively recorded.. the LLM can be fine-tuned in their training for uses in the cyber security system to make more accurate predictions and more relevant training. The cyber security system can use LLMs to enhance cyber security measures by simulating attack scenarios and facilitating customized training, [0063]) [Examiner interprets that training the LLM on cybersecurity specific data, analyst graphs, textual representations of security compromise as limitation above] Same motivation applies as claim 8. Regarding claims 17 and 19, Claims 17 and 19 recite commensurate subject matter as claims 7, and 9. Therefore, they are rejected for the same reasons. Claims 8 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Crabtree (US 20210168175 A1) in view of Hassell (US 20150295948 A1) in further view of Sellers (US 20240406210 A1) in further view of Thesen (US 20250157639 A1). Regarding claim 8, Crabtree, Hassell, and Sellers the method of claim 7, wherein the attack analysis language model is based on a retentive network (Sellers, The synthetic cyberattack tool 125 uses the autonomous agent LLM as a correlation engine because it has strong abilities to correlate, as a data transformation tool, and finally, as a form of natural language processing to turn data about breaches and vulnerabilities as well as captured meta data from the synthetic attack into information that the LLM can understand and analyze on a consistent basis, [0031] The cyber security training tool 136 and the synthetic cyberattack tool 125 can utilize an autonomous agent large language model. Autonomous agent based large language models (LLMs), like Auto GPT, autonomously chain together tasks to achieve a big-picture goal set by the user, [0042] The autonomous agent based LLM can be leveraged to simulate attack scenarios by working together and feeding back into themselves. The autonomous agent based LLMs can work together and feed back into themselves to perform long complex tasks during a simulated cyberattack, as such, they can simulate a cyber threat in an environment, [0042]) Although, Sellers teaches autonomous agent LLMs ability to feed back into itself, chain tasks, and handle long complex simulated attack tasks is similar to a retentive network architecture, but Crabtree, Hassell, and Sellers do not expressly teach: the analysis language model is based on a retentive network However, Thesen teaches: the attack analysis language model is based on a retentive network (Horton, The processing may be performed using a large language model (LLM), deep learning (DL), a foundation model, a generative model, and/or a generative intelligence, in particular a generative artificial intelligence (AI), [0051] the generative AI may comprise a retentive network (RetNet), [0067] The RetNet may, e.g., have a better language modelling performance than any (linear and/or non-linear) transformer or RNN, achieve the better language modelling performance with (e.g., 3.4×) lower memory consumption, (e.g., 8.4×) higher throughput, and (e.g., 15.6×) lower latency, [0068]) Therefore, it would have been obvious to PHOSITA before the effective filing date to modify the teaching of Crabtree, Hassell, and Sellers to include a concept of the attack analysis language model is based on a retentive network as taught by Thesen for the purpose of applying retentive network in LLMs or generative AI [Thesen:0067-0068] Regarding claim 18, Claim 18 recite commensurate subject matter as claim 8. Therefore, it is rejected for the same reasons. Conclusion The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. US 20210273978 A1: “directed to a Cyber Digital Twin (CDT) platform that executes simulations on a digital twin of an enterprise network to determine and prioritize security controls requirements to mitigate cyber security risk in the enterprise network” US 20240414190 A1: “ directed to use of Artificial Intelligence in cybersecurity” US 20250373647 A1: “relates generally to cybersecurity. More particularly, the present disclosure relates to systems and methods for misconfiguration detection and prevention in a data fabric” Any inquiry concerning this communication or earlier communications from the examiner should be directed to SAMIKSHYA POUDEL whose telephone number is (703)756-1540. The examiner can normally be reached 7:30 AM - 5PM Mon- Fri. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, SHEWAYE GELAGAY can be reached at (571)272-4219. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /S.N.P./Examiner, Art Unit 2436 /TRONG H NGUYEN/Primary Examiner, Art Unit 2436
Read full office action

Prosecution Timeline

Feb 28, 2025
Application Filed
Jun 03, 2026
Non-Final Rejection mailed — §103, §112 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12645787
STACK TRACE ANALYSIS MODEL
2y 11m to grant Granted Jun 02, 2026
Patent 12619726
CYBER RESILIENCE INTEGRATED SECURITY INSPECTION SYSTEM (CRISIS) AGAINST FALSE DATA INJECTION ATTACKS
4y 1m to grant Granted May 05, 2026
Patent 12591663
INFORMATION PROCESSING DEVICE, INFORMATION PROCESSING METHOD, AND INFORMATION PROCESSING COMPUTER PROGRAM PRODUCT
2y 7m to grant Granted Mar 31, 2026
Patent 12470379
LINK ENCRYPTION AND KEY DIVERSIFICATION ON A HARDWARE SECURITY MODULE
3y 0m to grant Granted Nov 11, 2025
Patent 12452254
SECURE SIGNED FILE UPLOAD
3y 6m to grant Granted Oct 21, 2025
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

1-2
Expected OA Rounds
45%
Grant Probability
99%
With Interview (+75.0%)
2y 10m (~1y 6m remaining)
Median Time to Grant
Low
PTA Risk
Based on 20 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month