DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claims 1-16 are pending.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1-2 and 8-10 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.
To evaluate each claim under 35 U.S.C. § 101, we must apply the USPTO’s two-part Alice/Mayo framework.
Step 1: Statutory Category: Does the claim fall into one of the four statutory categories (process, machine, manufacture, or composition of matter)?
Step 2A, Prong 1: Is the claim directed to a judicial exception (an abstract idea, such as a mental process, mathematical concept, or certain methods of organizing human activity)?
Step 2A, Prong 2: If it is an abstract idea, does the claim integrate that exception into a practical application (e.g., an improvement to the functioning of a computer or technology)?
Step 2B: If not integrated, does the claim contain an inventive concept—elements that are "significantly more" than well-understood, routine, and conventional activities?
Claims 1, 9, and 10
Claim 1: A computer-implemented method for detecting computer vulnerabilities... Claim 9: A data processing system... (corresponds to Claim 1). Claim 10: A tangible, non-transitory computer-readable medium... (corresponds to Claim 1).
Step 1: Statutory Categories
Passes Step 1. Claim 1 is a method (process). Claim 9 is a data processing system (machine). Claim 10 is a tangible, non-transitory computer-readable medium (manufacture). The explicit use of "non-transitory" in Claim 10 properly avoids the exception for signals per se.
Step 2A, Prong One: Recitation of a Judicial Exception
Fails Prong One. Claim 1 recites the steps of "generating synthetic threat data," "injecting" data, "observing a protective model," and "flagging the failure." These steps represent collecting information, analyzing it, and presenting the results. Under USPTO guidelines, this constitutes an abstract idea, specifically falling under the groupings of a mental process (observing and flagging based on a set of rules) or a method of organizing human activity (testing and validating a system's performance).
Step 2A, Prong Two: Integration into a Practical Application
Fails Prong Two. Claim 1 is drafted at a high level of functional abstraction. It recites what is being done (generating, injecting, observing, flagging) rather than how it is being done technologically. It does not recite a specific technical improvement to computer functionality or network security at this broad level; it merely uses generic computer components ("composite data stream," "protective model") as a tool to execute the abstract idea of testing a model. Therefore, the claim is "directed to" the abstract idea.
Step 2B: Significantly More
Fails Step 2B. Looking at the claim elements individually and as an ordered combination, there is no "inventive concept" that transforms the abstract idea into eligible subject matter. The elements (automatically generating, injecting, observing, flagging) are recited at a high level of generality and amount to no more than applying the abstract idea on a generic computer.
Claim 2 (Malicious activity is C2 activity): Merely narrows the type of data being analyzed. Fails to provide a practical application or significantly more.
Claim 3 (Infecting virtual machines; collecting simulated network traffic):
Passes Step 2A, Prong Two / Step 2B. This claim introduces specific, technical network architecture limitations: "infecting a plurality of virtual machines with pseudo-malicious agents" and connecting them to a "simulated network." This represents a specific technological solution to a technical problem (the inability to safely test behavioral models against true malicious activity on a live network, as noted in the specification).
Claims 4-7: Because these depend on Claim 3 and add further specific technical implementations (e.g., deriving agents from configuration files in Claim 4; using an EDR tool to inject agents in Claim 6, they will also pass for the same reasons as Claim 3.
Claim 8 (Synthetic data is entirely synthetic): Depends on Claim 1. Merely describing the data as "entirely synthetic" without reciting the technical means of generating it does not overcome the abstract nature of Claim 1.
Claims 11, 15, and 16:
Claim 11: A computer-implemented method for generating simulated network traffic containing simulated command and control data... Claim 15: A data processing system... (corresponds to Claim 11). Claim 16: A tangible, non-transitory computer-readable medium... (corresponds to Claim 11).
Step 1: Statutory Categories
Passes Step 1. (Process, Machine, Manufacture).
Step 2A, Prong One: Recitation of a Judicial Exception
Claim 11 recites "collecting simulated network traffic," which can be construed as the abstract idea of collecting information.
Step 2A, Prong Two: Integration into a Practical Application
Passes Prong Two. Unlike Claim 1, Claim 11 does not merely recite functional data generation. It specifically recites the technological mechanism: "automatically infecting a plurality of virtual machines with pseudo-malicious agents, wherein each of the virtual machines are connected to a simulated network." This is a specific, computer-centric technique designed to emulate adversarial network activity safely. It is not a process that can be performed in the human mind, nor is it a generic method of organizing human activity. It improves the technological process of computer security testing by generating true-positive telemetry. Therefore, it integrates the abstract idea into a practical application.
Because independent Claim 11 integrates the concept into a practical application and survives the § 101 analysis, these dependent claims—which add further technical specificity regarding tasking sets, configuration files (Claim 12), traffic manipulation (Claim 13), and EDR tool injection (Claim 14)—are also patent-eligible under § 101.
Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.
(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.
Claims 1, 2, 9, 10 are rejected under 35 U.S.C. 102(a)(1)/(a)(2) as being anticipated by US 10,044,746 to Vallone et al.
Regarding claims 1, 9 and 10, Vallone teaches a computer-implemented method for detecting computer vulnerabilities (abstract: assessing network vulnerabilities), comprising:
automatically generating synthetic threat data representative of malicious activity (abstract: assessing a target network's vulnerability to a real cyberthreat based on determining policy-based synthetic tests configured to model the behavior of the cyberthreat);
injecting the synthetic threat data into genuine data to create a composite data stream (Fig. 3 and deploying synthetic instructions directly into a live production target networks to test operational sensors);
observing a protective model that monitors the composite data stream to determine a failure by the protective model to detect the synthetic threat data (receiving “real time feedback” from the target network to identify whether security devices (protective models such as IDS or firewalls) successfully caught the test or if they failed to initiate an alert); and
responsive to determining the failure, flagging the failure as a vulnerability (using the feedback to test for unknown vulnerabilities and identifying specific gaps where the network’s defenses failed to respond to the synthetic threat).
Regarding claim 2, Vallone teaches the method of claim 1, wherein the malicious activity is command and control activity and the synthetic threat data is command and control data (simulating network based malware behaviors including creating a network communication on a specific port or to a specific destination).
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 3-8 and 11-16, are rejected under 35 U.S.C. 103 as being unpatentable over Vallone as applied to claim 1 above, and further in view of US 2021/0037040 to Aleks et al.
Regarding claims 3, Vallone lacks or does not expressly disclose automatically generating the synthetic threat data. However, Aleks teaches wherein automatically generating the synthetic threat data comprises: automatically infecting a plurality of virtual machines with pseudo-malicious agents, wherein each of the virtual machines are connected to a simulated network; and automatically collecting simulated network traffic from the infected virtual machines, wherein the simulated network traffic contains communications from the pseudo-malicious agents; wherein the synthetic threat data comprises the simulated network traffic (0045-0050: the architectural implementation of automated simulations).
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Vallone with Aleks to include automatically generating synthetic threat in order to execute an automated test to prevent attackers, as taught by Aleks.
Regarding claims 4, Vallone lacks or does not expressly disclose specifying tasks.
However, Aleks teaches the pseudo-malicious agents are generated by: automatically specifying taskings for a plurality of tasking sets;
automatically generating, from the specified taskings in the tasking sets, respective configuration files for each of the tasking sets; automatically using the configuration files to derive the respective pseudo-malicious agents (0048: orchestrating simulations using configurable tests that can be executed within a playbook).
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Vallone with Aleks to specifying tasks in order to execute an automated test to prevent attackers, as taught by Aleks.
Regarding claims 5, Vallone, as modified above further teaches the method of claim 3, further comprising manipulating the simulated network traffic to mimic genuine network traffic while retaining characteristics of the communications from the pseudo-malicious agents (mapping specific threat characteristics to the simulation. Manipulating packet headers, payload sizes, or timing to mimic normal baseline traffic and evade detection.).
Regarding claims 6, Vallone, as modified above further teaches the method of claim 3, wherein infecting the plurality of virtual machines with the pseudo-malicious agents comprises using at least one endpoint detection and response (EDR) tool to inject the pseudo-malicious agents into the virtual machines (deploying executables or scripts to endpoints via standard enterprise administration tools or EDR “live response” is well known. See Fig. 1B).
Regarding claims 7, Vallone, as modified above further teaches the method of claim 3, wherein: the genuine data comprises genuine network traffic; and injecting the synthetic threat data into the genuine data to create the composite data stream comprises injecting the simulated network traffic into the genuine network traffic (executing tests on a live target network alongside regular user operations, it injects simulated traffic into genuine traffic).
Regarding claims 8, Vallone, as modified above further teaches the method of claim 1, wherein the synthetic threat data is entirely synthetic (generation of synthetic tests modeled after threats rather than requiring the use of actual malware).
Regarding claims 11, 15 and 16, Vallone teaches a computer-implemented method for generating simulated network traffic containing simulated command and control data representative of malware activity (abstract), the method comprising:
Vallone lacks or does not expressly disclose automation.
However Aleks teaches
automatically infecting a plurality of virtual machines with pseudo-malicious agents, wherein each of the virtual machines are connected to a simulated network; and automatically collecting simulated network traffic from the infected virtual machines (0045-0050: the architectural implementation of automated simulations).
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Vallone with Aleks to include automatically generating synthetic threat in order to execute an automated test to prevent attackers, as taught by Aleks.
Vallone, as modified above, further teaches wherein the simulated network traffic contains communications from the pseudo-malicious agents (synthetic tests)
As per claim 12-14, this is a method version of the claimed method discussed above in claims 4-6 wherein all claimed limitations have also been addressed and/or cited as set forth above.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to AUBREY H WYSZYNSKI whose telephone number is (571)272-8155. The examiner can normally be reached M-F 9-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, ALI SHAYANFAR can be reached at 571-270-1050. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/AUBREY H WYSZYNSKI/Primary Examiner, Art Unit 2434