DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claim Objections
Claims 1, 11 are objected to because of the following informalities: Claims 1, 11 recite “…a target network inspector configured to…at one or more OIS layers”. Also some of limitations in claims 1, 11 such as “a reference database configured to store records of known cyber-attacks and their corresponding mitigations.” end with a “.”. They should end with a “,” or “;”. Appropriate correction is required.
Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.
The following is a quotation of pre-AIA 35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier. Such claim limitation(s) are: (a target network inspector configured to monitor…; a virtual network generator configured to generate…; a reference database configured to store…; a virtual network analyzer configured to simulate… a network updater configured to implement…) in claim 1; (a triage module configured to assign…) in claim 8.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, applicant may: (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph.
Claim 1 limitations “a target network inspector configured to monitor…; a virtual network generator configured to generate…; a reference database configured to store…; a virtual network analyzer configured to simulate… a network updater configured to implement…” and claim 8 limitation “a triage module configured to assign…” invoke 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. However, the written description fails to disclose the corresponding structure, material, or acts for performing the entire claimed function and to clearly link the structure, material, or acts to the function. The claim has no support for means in the specification. Therefore, claims 1-10 (claims 2-10 are dependent claims) are indefinite and is rejected under 35 U.S.C. 112(b) or pre-AIA 35 U.S.C. 112, second paragraph.
Applicant may:
(a) Amend the claim so that the claim limitation will no longer be interpreted as a limitation under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph;
(b) Amend the written description of the specification such that it expressly recites what structure, material, or acts perform the entire claimed function, without introducing any new matter (35 U.S.C. 132(a)); or
(c) Amend the written description of the specification such that it clearly links the structure, material, or acts disclosed therein to the function recited in the claim, without introducing any new matter (35 U.S.C. 132(a)).
If applicant is of the opinion that the written description of the specification already implicitly or inherently discloses the corresponding structure, material, or acts and clearly links them to the function so that one of ordinary skill in the art would recognize what structure, material, or acts perform the claimed function, applicant should clarify the record by either:
(a) Amending the written description of the specification such that it expressly recites the corresponding structure, material, or acts for performing the claimed function and clearly links or associates the structure, material, or acts to the claimed function, without introducing any new matter (35 U.S.C. 132(a)); or
(b) Stating on the record what the corresponding structure, material, or acts, which are implicitly or inherently set forth in the written description of the specification, perform the claimed function. For more information, see 37 CFR 1.75(d) and MPEP §§ 608.01(o) and 2181.
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.
Claims 1-3, 5-13, 15-20 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Crabtree et al (Pub. No. US 2022/0201042).
As per claim 1, Crabtree discloses a system for mitigating cyber-attacks against a target network comprising interconnected nodes that is implemented by Open Systems Interconnection (OSI) layers (when performing external reconnaissance via a network, web crawler may be used to perform a variety of port and service scanning operations on a plurality of hosts. This may be used to target individual network hosts (for example, to examine a specific server or client device) or to broadly scan any number of hosts (such as all hosts within a particular domain, or any number of hosts up to the complete IPv4 address space). Port scanning is primarily used for gathering information about hosts and services connected to a network, using probe messages sent to hosts that prompt a response from that host. Port scanning is generally centered around the transmission control protocol (TCP), and using the information provided in a prompted response a port scan can provide information about network and application layers on the targeted host, par. 111), comprising: a target network inspector configured to monitor the target network for detecting vulnerabilities at one or more OIS layers (an automated cybersecurity defensive strategy analysis and recommendation system is structured to provide an iterative analysis and improvement process that uses an attack implementation engine to test an actual network under test, gathers system information from the test, which is used by a simulator to initiate an iterative simulation of a cyberattack strategy sequence, with each iteration comprising a simulated attack generated by a machine learning algorithm on a model of the network under test and a simulated defense generated by a machine learning algorithm against the simulated attack…par. 140…the network under test is monitored to capture system information about the operation of the network under test (interpreted as one or more OSI layers) during the test cyberattack, including time series information about the sequence of events and response of affected devices…par. 141); a cyber-attack log database containing records of successful cyber-attacks on the target network (the cyber-physical graph plus the analyses of data directed by the distributed computational graph on the reconnaissance data received from the reconnaissance engine are combined to represent the cyber-security profile of the client organization whose network is being evaluated. A queuing system is used to organize and schedule the search tasks requested by the reconnaissance engine. A data to rule mapper is used to retrieve laws, policies, and other rules from an authority database and compare reconnaissance data received from the reconnaissance engine and stored in the reconnaissance data storage against the rules in order to determine whether and to what extent the data received indicates a violation of the rules. Machine learning models may be used to identify patterns and trends in any aspect of the system, but in this case are being used to identify patterns and trends in the data which would help the data to rule mapper determine whether and to what extent certain data indicate a violation of certain rules. A scoring engine receives the data analyses performed by the distributed computational graph, the output of the data to rule mapper, plus event and loss data and contextual data which defines a context in which the other data are to be scored and/or rated…par. 131);
a virtual network generator configured to generate a virtual network comprising a virtualized model of the target network (A simulator/comparator runs simulations on the system models, and compares the simulations to the in-situ operating data to calibrate the system models to the real-world systems being modeled. The simulator/comparator may be programmed to search for parameter values that maximize agreement between simulation output under varying conditions (whether actual or artificial) and in-situ operating data from the real-world OT/IT systems. Results of the simulations may be passed through machine learning algorithms to identify trends or patterns in the data…par. 137), including one or more virtual nodes annotated with identified vulnerabilities of one or more corresponding nodes of the target network (an automated defensive penetration test analysis and recommendation system…may be configured to test the security of a network using preconfigured tests in a live network setting, monitor and record the network's response to the preconfigured test, and then use the network response as an input into one or more machine learning algorithms to generate a model of the network. Once the network model is created, it may be used as an environment to perform a plurality of cyber-security tests that, when executed, can provide useful information which can be used for generating network security recommendations…the preconfigured tests may be penetration tests…the attack engine may be configured to perform one or more penetration tests on a network, both an actual physical network and/or a simulated model of a network…the defense engine may be configured to respond to one or more penetration tests, wherein the response may be based on one of or a combination of the following non-limiting set of actions and resources: defensive countermeasures; entity specific (e.g., company policy) cyber-attack rules; mitigating controls; and vulnerability management, par. 143…The penetration tests that take into account privilege escalation techniques may test a variety of privilege escalation methods (e.g., attack vectors) including, but not limited to, credential exploitation, vulnerabilities and exploits, misconfigurations, malware, and social engineering. Compromised credentials are the easiest privileged attack vector for a threat actor to achieve success. Vulnerabilities are mistakes in code, design, implementation, or configuration that potentially allow malicious activity to occur via an exploit. Vulnerabilities can involve the operating system, applications, web applications, infrastructure, and so on. They also involve the protocols, transports, and communications in between resources from wired networks, WiFi, and tone-based radio frequencies. A vulnerability itself does not allow for a privileged attack vector to succeed; it just means that a risk exists. Absent an exploit, a vulnerability is just a potential problem. Reconnaissance engine may be configured to identify vulnerabilities in the network under test by parsing the captured network/system information in order to locate exploits in the network infrastructure. These exploits may be included in the preconfigured penetration tests…par. 147); a reference database configured to store records of known cyber-attacks and their corresponding mitigations (reconnaissance engine may comprise one or more data parsers configured to parse system information and characteristics captured about the network under test…system log (syslog) information and time series data is gathered from affected devices and sent to a syslog parser which sorts the system logs and associates them with time events to create a time series data store of the cyberattack and network's response. A firewall and network parser may read firewall and configuration information, perform simple cleanup of the information and format it to produce host, network, and firewall rules. A software package parser may read information regarding the installed packages from a host/node, and output a file containing package names and package version numbers installed on the host/node. This outputted file may be compared against a locally stored and updated instance of the National Vulnerability Database (NVD) content and enables embodiments to quickly retrieve a list of vulnerable software from a potentially large list of software installed on network under test devices. All information captured and parsed may be stored in a database for access by system users. Reconnaissance engine may send the system information and/or classifications to one of, or both of, a machine learning simulator and recommendation engine…par. 153).
a virtual network analyzer configured to simulate cyber-attacks on the virtual network based on records of known cyber-attacks and successful cyber-attacks (a simulator/comparator runs simulations on the system models, and compares the simulations to the in-situ operating data to calibrate the system models to the real-world systems being modeled. The simulator/comparator may be programmed to search for parameter values that maximize agreement between simulation output under varying conditions and in-situ operating data from the real-world OT/IT systems. Results of the simulations may be passed through machine learning algorithms to identify trends or patterns in the data. The simulator/comparator may use the output of an iterative parameter calculator to search for parameter values that maximize agreement between simulation output under varying conditions (whether actual or artificial) and in-situ operating data from the real-world OT/IT systems. Results of the simulations may be passed through machine learning algorithms (not shown) to identify trends or patterns in the data…par. 137…an automated cybersecurity defensive strategy analysis and recommendation system…is structured to provide an iterative analysis and improvement process that uses an attack implementation engine to test an actual network under test, gathers system information from the test, which is used by a simulator to initiate an iterative simulation of a cyberattack strategy sequence, with each iteration comprising a simulated attack generated by a machine learning algorithm on a model of the network under test and a simulated defense generated by a machine learning algorithm against the simulated attack…see par. 140).
an AI engine configured to generate one or more mitigation actions based on simulation of the cyber-attacks on the virtual network (an automated cybersecurity defensive strategy analysis and recommendation system is structured to provide an iterative analysis and improvement process that uses an attack implementation engine to test an actual network under test, gathers system information from the test, which is used by a simulator to initiate an iterative simulation of a cyberattack strategy sequence, with each iteration comprising a simulated attack generated by a machine learning algorithm on a model of the network under test and a simulated defense generated by a machine learning algorithm against the simulated attack… The action decisions from the action planning engine are passed to a distributed computational graph, which contains detailed workflows for implementing cyberattacks on the network under test based on the action decisions. The workflows in the distributed computational graph are used to control attacks generated by an offensive tool microservice which contains a collection of cyberattack tools joined together by a scheduler or script engine, which defines when each cyberattack tool will be used against the network under test. System may be configured to test the security of a network using preconfigured tests in a live network setting, monitor and record the network's response to the preconfigured test, and then use the network response as an input into one or more machine learning algorithms to generate a model of the network. Once the network model is created, it may be used as an environment to perform a plurality of cyber-security tests that, when executed, can provide useful information which can be used for generating network security recommendations…the defense engine may be configured to respond to one or more penetration tests, wherein the response may be based on one of or a combination of the following non-limiting set of actions and resources: defensive countermeasures; entity specific (e.g., company policy) cyber-attack rules; mitigating controls; and vulnerability management…par. 140, 143); and a network updater configured to implement the one or more mitigation actions on the target network (a network model may be created using information gathered from performing one or more penetration tests on the network under test, wherein the network model provides a simulated virtual re-creation of the network under test and allows for a continuous, iterative cycle of testing, classifying, recommending network security updates and/or action, and updating the model to reflect new information. Examples of recommended network security updates and/or actions to prevent and mitigate privilege escalation attacks/vulnerabilities may include, but are not limited to: identity lifecycle management recommendations, including provisioning and de-provisioning of identities and accounts to ensure there are no orphaned accounts that could be hijacked; password management recommendations to consistently apply strong credential management practices for both human and machines (e.g., eliminating default and hardcoded credentials); least privilege enforcement such as removing admin rights from users and reduce application and machine privileges to the minimum required, and/or implementing just-in-time access to reduce persistent or standing privileges; recommending advanced application control and protection to enforce granular control over all application access, communications, and privilege elevation attempts; monitor and management recommendations to detect and quickly address any suspicious activity that might indicate a hijacked account or an illicit attempt at privilege escalation or lateral movement; system and application hardening recommendations, such as configuration changes, removing unnecessary rights and access, closing ports, and more in order to improve system and application security and help prevent and mitigate the potential for bugs that leave a vulnerability to injection of malicious code (e.g., SQL injections), buffer overflows, etc., or other backdoors that could allow privilege escalation; vulnerability management recommendations to continuously identify and address vulnerabilities, such as with patching, fixing misconfigurations, eliminating default and/or embedded credentials, etc.; and remote access security recommendations…par. 152).
As per claim 11, Crabtree discloses a method for mitigating cyber-attacks against a target network comprising interconnected nodes that is implemented by Open Systems Interconnection (OSI) layers (when performing external reconnaissance via a network, web crawler may be used to perform a variety of port and service scanning operations on a plurality of hosts. This may be used to target individual network hosts (for example, to examine a specific server or client device) or to broadly scan any number of hosts (such as all hosts within a particular domain, or any number of hosts up to the complete IPv4 address space). Port scanning is primarily used for gathering information about hosts and services connected to a network, using probe messages sent to hosts that prompt a response from that host. Port scanning is generally centered around the transmission control protocol (TCP), and using the information provided in a prompted response a port scan can provide information about network and application layers on the targeted host, par. 111), comprising: monitoring the target network for detecting vulnerabilities at one or more OIS layers (an automated cybersecurity defensive strategy analysis and recommendation system is structured to provide an iterative analysis and improvement process that uses an attack implementation engine to test an actual network under test, gathers system information from the test, which is used by a simulator to initiate an iterative simulation of a cyberattack strategy sequence, with each iteration comprising a simulated attack generated by a machine learning algorithm on a model of the network under test and a simulated defense generated by a machine learning algorithm against the simulated attack…par. 140…the network under test is monitored to capture system information about the operation of the network under test (interpreted as one or more OSI layers) during the test cyberattack, including time series information about the sequence of events and response of affected devices…par. 141); accessing a cyber-attack log database containing records of successful cyber-attacks on the target network (the cyber-physical graph plus the analyses of data directed by the distributed computational graph on the reconnaissance data received from the reconnaissance engine are combined to represent the cyber-security profile of the client organization whose network is being evaluated. A queuing system is used to organize and schedule the search tasks requested by the reconnaissance engine. A data to rule mapper is used to retrieve laws, policies, and other rules from an authority database and compare reconnaissance data received from the reconnaissance engine and stored in the reconnaissance data storage against the rules in order to determine whether and to what extent the data received indicates a violation of the rules. Machine learning models may be used to identify patterns and trends in any aspect of the system, but in this case are being used to identify patterns and trends in the data which would help the data to rule mapper determine whether and to what extent certain data indicate a violation of certain rules. A scoring engine receives the data analyses performed by the distributed computational graph, the output of the data to rule mapper, plus event and loss data and contextual data which defines a context in which the other data are to be scored and/or rated…par. 131); generating a virtual network comprising a virtualized model of the target network (A simulator/comparator runs simulations on the system models, and compares the simulations to the in-situ operating data to calibrate the system models to the real-world systems being modeled. The simulator/comparator may be programmed to search for parameter values that maximize agreement between simulation output under varying conditions (whether actual or artificial) and in-situ operating data from the real-world OT/IT systems. Results of the simulations may be passed through machine learning algorithms to identify trends or patterns in the data…par. 137), including one or more virtual nodes annotated with identified vulnerabilities of one or more corresponding nodes of the target network (an automated defensive penetration test analysis and recommendation system…may be configured to test the security of a network using preconfigured tests in a live network setting, monitor and record the network's response to the preconfigured test, and then use the network response as an input into one or more machine learning algorithms to generate a model of the network. Once the network model is created, it may be used as an environment to perform a plurality of cyber-security tests that, when executed, can provide useful information which can be used for generating network security recommendations…the preconfigured tests may be penetration tests…the attack engine may be configured to perform one or more penetration tests on a network, both an actual physical network and/or a simulated model of a network…the defense engine may be configured to respond to one or more penetration tests, wherein the response may be based on one of or a combination of the following non-limiting set of actions and resources: defensive countermeasures; entity specific (e.g., company policy) cyber-attack rules; mitigating controls; and vulnerability management, par. 143…The penetration tests that take into account privilege escalation techniques may test a variety of privilege escalation methods (e.g., attack vectors) including, but not limited to, credential exploitation, vulnerabilities and exploits, misconfigurations, malware, and social engineering. Compromised credentials are the easiest privileged attack vector for a threat actor to achieve success. Vulnerabilities are mistakes in code, design, implementation, or configuration that potentially allow malicious activity to occur via an exploit. Vulnerabilities can involve the operating system, applications, web applications, infrastructure, and so on. They also involve the protocols, transports, and communications in between resources from wired networks, WiFi, and tone-based radio frequencies. A vulnerability itself does not allow for a privileged attack vector to succeed; it just means that a risk exists. Absent an exploit, a vulnerability is just a potential problem. Reconnaissance engine may be configured to identify vulnerabilities in the network under test by parsing the captured network/system information in order to locate exploits in the network infrastructure. These exploits may be included in the preconfigured penetration tests…par. 147); accessing a reference database configured to store records of known cyber-attacks and their corresponding mitigations (reconnaissance engine may comprise one or more data parsers configured to parse system information and characteristics captured about the network under test…system log (syslog) information and time series data is gathered from affected devices and sent to a syslog parser which sorts the system logs and associates them with time events to create a time series data store of the cyberattack and network's response. A firewall and network parser may read firewall and configuration information, perform simple cleanup of the information and format it to produce host, network, and firewall rules. A software package parser may read information regarding the installed packages from a host/node, and output a file containing package names and package version numbers installed on the host/node. This outputted file may be compared against a locally stored and updated instance of the National Vulnerability Database (NVD) content and enables embodiments to quickly retrieve a list of vulnerable software from a potentially large list of software installed on network under test devices. All information captured and parsed may be stored in a database for access by system users. Reconnaissance engine may send the system information and/or classifications to one of, or both of, a machine learning simulator and recommendation engine…par. 153). simulating cyber-attacks on the virtual network based on records of known cyber-attacks and successful cyber-attacks (a simulator/comparator runs simulations on the system models, and compares the simulations to the in-situ operating data to calibrate the system models to the real-world systems being modeled. The simulator/comparator may be programmed to search for parameter values that maximize agreement between simulation output under varying conditions and in-situ operating data from the real-world OT/IT systems. Results of the simulations may be passed through machine learning algorithms to identify trends or patterns in the data. The simulator/comparator may use the output of an iterative parameter calculator to search for parameter values that maximize agreement between simulation output under varying conditions (whether actual or artificial) and in-situ operating data from the real-world OT/IT systems. Results of the simulations may be passed through machine learning algorithms (not shown) to identify trends or patterns in the data…par. 137…an automated cybersecurity defensive strategy analysis and recommendation system…is structured to provide an iterative analysis and improvement process that uses an attack implementation engine to test an actual network under test, gathers system information from the test, which is used by a simulator to initiate an iterative simulation of a cyberattack strategy sequence, with each iteration comprising a simulated attack generated by a machine learning algorithm on a model of the network under test and a simulated defense generated by a machine learning algorithm against the simulated attack…see par. 140). generating one or more mitigation actions based on simulation of the cyber-attacks on the virtual network using an AI engine (an automated cybersecurity defensive strategy analysis and recommendation system is structured to provide an iterative analysis and improvement process that uses an attack implementation engine to test an actual network under test, gathers system information from the test, which is used by a simulator to initiate an iterative simulation of a cyberattack strategy sequence, with each iteration comprising a simulated attack generated by a machine learning algorithm on a model of the network under test and a simulated defense generated by a machine learning algorithm against the simulated attack… The action decisions from the action planning engine are passed to a distributed computational graph, which contains detailed workflows for implementing cyberattacks on the network under test based on the action decisions. The workflows in the distributed computational graph are used to control attacks generated by an offensive tool microservice which contains a collection of cyberattack tools joined together by a scheduler or script engine, which defines when each cyberattack tool will be used against the network under test. System may be configured to test the security of a network using preconfigured tests in a live network setting, monitor and record the network's response to the preconfigured test, and then use the network response as an input into one or more machine learning algorithms to generate a model of the network. Once the network model is created, it may be used as an environment to perform a plurality of cyber-security tests that, when executed, can provide useful information which can be used for generating network security recommendations…the defense engine may be configured to respond to one or more penetration tests, wherein the response may be based on one of or a combination of the following non-limiting set of actions and resources: defensive countermeasures; entity specific (e.g., company policy) cyber-attack rules; mitigating controls; and vulnerability management…par. 140, 143); and implementing the one or more mitigation actions on the target network (a network model may be created using information gathered from performing one or more penetration tests on the network under test, wherein the network model provides a simulated virtual re-creation of the network under test and allows for a continuous, iterative cycle of testing, classifying, recommending network security updates and/or action, and updating the model to reflect new information. Examples of recommended network security updates and/or actions to prevent and mitigate privilege escalation attacks/vulnerabilities may include, but are not limited to: identity lifecycle management recommendations, including provisioning and de-provisioning of identities and accounts to ensure there are no orphaned accounts that could be hijacked; password management recommendations to consistently apply strong credential management practices for both human and machines (e.g., eliminating default and hardcoded credentials); least privilege enforcement such as removing admin rights from users and reduce application and machine privileges to the minimum required, and/or implementing just-in-time access to reduce persistent or standing privileges; recommending advanced application control and protection to enforce granular control over all application access, communications, and privilege elevation attempts; monitor and management recommendations to detect and quickly address any suspicious activity that might indicate a hijacked account or an illicit attempt at privilege escalation or lateral movement; system and application hardening recommendations, such as configuration changes, removing unnecessary rights and access, closing ports, and more in order to improve system and application security and help prevent and mitigate the potential for bugs that leave a vulnerability to injection of malicious code (e.g., SQL injections), buffer overflows, etc., or other backdoors that could allow privilege escalation; vulnerability management recommendations to continuously identify and address vulnerabilities, such as with patching, fixing misconfigurations, eliminating default and/or embedded credentials, etc.; and remote access security recommendations…par. 152).
As per claims 2, 12, Crabtree discloses wherein the one or more mitigation actions comprise at least one of: 1) application of a security patch, 2) modification of a firewall rule, 3) a role-based access control (RBAC) enforcement, 4) a session termination 5) altering a user’s access rights, 6) isolating a node; 7) disabling a compromised use account; and 8) instituting a lockdown protocol (see par. 152).
As per claims 3, 13, Crabtree discloses wherein simulation of the cyber-attacks on the target network are based on at least one of data associated with cyber-attacks against one or more networks other than the target network and data associated with past cyber-attacks against the target network (a simulator/comparator runs simulations on the system models, and compares the simulations to the in-situ operating data to calibrate the system models to the real-world systems being modeled. The simulator/comparator may be programmed to search for parameter values that maximize agreement between simulation output under varying conditions and in-situ operating data from the real-world OT/IT systems. Results of the simulations may be passed through machine learning algorithms to identify trends or patterns in the data…par. 137…an automated cybersecurity defensive strategy analysis and recommendation system…is structured to provide an iterative analysis and improvement process that uses an attack implementation engine to test an actual network under test, gathers system information from the test, which is used by a simulator to initiate an iterative simulation of a cyberattack strategy sequence…see par. 140).
As per claims 5, 15, Crabtree discloses wherein a cyber-security threat alert is generated categorized by one or more severity levels (see par. 166, 168).
As per claims 6, 16, Crabtree discloses wherein training data for the AI engine includes at least one of structured data and unstructured data associated with cyber-attacks (results of the transformative analysis process may then be combined with further client directives, additional business rules and practices relevant to the analysis and situational information external to the already available data in the automated planning service module which also runs powerful information theory based predictive statistics functions and machine learning algorithms to allow future trends and outcomes to be rapidly forecast based upon the current system derived results and choosing each a plurality of possible business decisions…par. 110).
As per claims 7, 17, Crabtree discloses wherein records of successful cyber-attacks includes at least one of a timestamp, a source, and an attack vector (see par. 147).
As per claims 8, 18, Crabtree discloses a triage module configured to assign risk scores to the vulnerabilities (a cyber-physical system graph (CPG) comprise a visualization of hierarchies and relationships between devices and resources in a security infrastructure, contextualizing security information with physical device relationships that are easily understandable for security personnel and users…behavior analytics information may be received at a graphing service for inclusion in a CPG…impact assessment scores may be received and incorporated in the CPG information, adding risk assessment context to the behavior information…see par. 159-160).
As per claims 9, 19, Crabtree discloses wherein a triage module uses a weighted scoring formula to assign a risk score to a vulnerability based on at least one of probability of breach, business impact, exploit availability, or regulatory risk (collected information from all sources may be scored according to a weighted system, producing an overall cybersecurity rating score based on the information collected and the analysis of that information to reveal additional insights, relationships, and vulnerabilities…see par. 164-165).
As per claims 10, 20, Crabtree discloses wherein the virtual network analyzer simulates what-if scenarios based on the one or more mitigation actions (see par. 183).
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 4, 14 are rejected under 35 U.S.C. 103 as being unpatentable over Crabtree et al (Pub. No. US 2022/0201042) in view of Shah et al (Pub. No. US 2023/0105021).
As per claims 4, 14, Crabtree discloses the system use captured system data to classify networked system based upon their susceptibility to privilege escalation attacks measured against the networked system's response to a penetration test…the system uses machine learning algorithms to run simulated attack and defense strategies against a model of the networked system created using a directed graph, par. 25. But Crabtree does not disclose wherein the machine learning comprises a deep neural network. However Shah discloses wherein the AI engine comprises a deep neural network trained to classify attack types by an OSI layer (the modeling may include providing the data structures as inputs into one or more neural networks…the neural networks used to perform the unsupervised behavioral modeling may include a Feedforward Neural Network (“FNN”), a Radial Basis Function Neural Network (“RBFNN”), a Multilayer Perceptron, a Convolutional Neural Network (“CNN”), a Recurrent Neural Network (“RNN”), and/or other neural networks that identify patterns, sequencing, rates, trends, signatures, values, attributes, and/or other indicia of regular or expected request behavior from the data structures. Different neural networks may be used to identify different commonality for different expected behaviors from the parameters within the input data structures…par. 54). Therefore one ordinary skill in the art would have found it obvious before the effective filling date of the claimed invention to use Shah in Crabtree for including the above limitations because one ordinary skill in the art would recognize it would further improve the security solution configuration for attack variants in an adaptive network security, see par.2.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure (see PTO-form 892).
The following Patents and Papers are cited to further show the state of the art at the time of Applicant’s invention with respect to improve network security.
Salji (Pub. No. US 2022/0224716); “User Agent Inference and Active Endpoint Fingerprinting for Encrypted Connections”;
-Teaches the analyzer module uses one or more data analysis processes to produce features for the AI classifiers in the assessment module including i) an agent analyzer coded to analyze user agent/resident process data and detect the cyber threat…see par. 81.
Rawat et al (Pub. No. US 2022/0188690); “Machine Learning Security Threat Detection Using a Meta-Learning Model”;
-Teaches the classification model classifies data as “malicious” or “benign.” The classifications are output to an output module that provides a threat notification if features or data are detected that are classified as threats…see par. 40.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to GHAZAL B SHEHNI whose telephone number is (571)270-7479. The examiner can normally be reached Mon-Fri 9am-5pm PCT.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Philip Chea can be reached at 5712723951. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/GHAZAL B SHEHNI/Primary Examiner, Art Unit 2499