DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Priority
Acknowledgment is made of applicant’s claim for foreign priority under 35 U.S.C. 119
(a)-(d). The certified copy has been filed in parent Application No. KR10-2022-0175743, filed on 12/15/2022
Claim Rejections - 35 USC § 101
Claim 1-6 is rejected under U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. The claim(s) recite collecting verification information, evaluating whether the information should be used to verify an assertion in content, and in some claims further extracting relevant portions and determining authenticity (data gathering, observation, evaluating, judgement) with some generic recitation of processor, memory, and CRM.
Independent claims 1 and 4 are directed to abstract idea because, although claim 1 is
directed to a statutory process and claim 4 to a statutory machine, each claim is directed to a judicial exception without significantly more.
Under Step 2A, Prong One, the limitation “collecting, by a cybersecurity management apparatus, attack surface information and security threat information” amounts to collecting potential evidence/information (data gathering) of security information. The limitation, as drafted, is a process that, under its broadest reasonable interpretation, covers performance in human mind or by utilizing some additional physical steps e.g., a human using pen and paper. Such as, the steps of collecting data and recognizing certain data within the collected data set or representing data via numeric values is considered a mental process. The limitation “automatically verifying, by the cybersecurity management apparatus, validity of the security threat information by performing an automated test based on the attack surface information and the security threat information” amounts to verifying validity accordingly to the previous limitation. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind (and/or by using pen and paper) but for the recitation of generic computer component, such as a processing apparatus to perform the step of ‘verifying’, then it falls within the “Mental Processes” grouping of abstract ideas.
Under 2A, Prong Two, neither claim integrates the abstract idea into a practical application, because the added limitations “collecting, by a cybersecurity management apparatus” merely provide additional information analysis steps and use generic computer implementation, without reciting any improvement to computer functionality, any particular machine beyond generic processors and memory or any transformation of an article; instead, the claims are confined to collecting information in the field of cybersecurity analysis. Under Step 2B, the additional elements do not amount to significantly more than the abstract idea, because they merely append further abstract analysis to the underlying mental process and are implemented using well-understood, routine, and conventional computing components performing their ordinary functions, as supported by the spec of generic processors, memory, software execution and conventional info processing operations. As a result, claims 1 and 4 are rejected under 35 U.S.C 101 as being directed to non-statutory subject matter as the claims do not contain any element or combination of elements that is sufficient to ensure that the patent in practice amounts to significantly more than a patent upon the ineligible concept itself. See Alice, 134 S. Ct. at 2360. Under Alice, that is not sufficient "to transform an abstract idea into a patent-eligible invention
Dependent claims 2 and 5 are directed to abstract idea because, although claim 2 is directed to a statutory process and claim 5 to a statutory machine, each claim is directed to a judicial exception without significantly more. The recited elements within dependent claims 2 and 5 individually do not amount to “significantly more” than just the abstract idea as previously identified above. Therefore, the claims do not amount to significantly more than the previously defined abstract idea. Some of the evidences of “significantly more” are a) improvement to another technology or field; b) applying judicial exception with or by a “particular machine’; c) transforming particular article/data into different state or thing; d) adding unconventional or non-routine steps, producing useful application; and e) other meaningful limitations beyond generic link to particular technological environment.
Dependent claims 3 and 6 are directed to abstract idea because, although claim 3 is
directed to a statutory process and claim 6 to a statutory machine, each claim is directed to a judicial exception without significantly more. The claims recite: “collecting, by a cybersecurity management apparatus, attack surface information and security threat information”. Claims 3 and 6 are rejected under 101 because, although dependent on statutory independent claims 1 and 4, they remain directed to a judicial exception without significantly more. Under Step 2A, Prong One, both claims continue to recite the abstract idea of a mental process. In claims 3 and 6, the additional limitations “wherein the cybersecurity management apparatus collects the security threat information and the attack surface information through open source intelligence (OSINT) including general Open web and DeepWeb, and DarkWeb” amount to merely gathering the security information, which can be performed in the human mind. Under Step 2A, Prong Two, neither claim integrates the abstract idea into a practical application, because the added limitations merely provide additional information analysis steps and use generic computer implementation, without reciting any improvement to computer functionality, any particular machine beyond generic processors and memory or any transformation of an article; instead, the claims are confined to collecting information in the field of cybersecurity analysis. Under Step 2B, the additional elements do not amount to significantly more than the abstract idea, because they merely append further abstract analysis to the underlying mental process and are implemented using well-understood, routine, and conventional computing components
performing their ordinary functions, as supported by the spec of generic processors, memory,
software execution and conventional info processing operations.
As a result, claims 1-6 are rejected under 35 U.S.C 101 as being directed to non-statutory subject matter as the claims do not contain any element or combination of elements that is sufficient to ensure that the patent in practice amounts to significantly more than a patent upon the ineligible concept itself. See Alice, 134 S. Ct. at 2360. Under Alice, that is not sufficient "to transform an abstract idea into a patent-eligible invention."
Claim Objections
Claim 1 is objected to because of the following informalities: “cybersecurity a threat” should change to “a cybersecurity threat.” Appropriate correction is required.
Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.
The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.
Claims 1-2, and 4-5 are rejected under 35 U.S.C. 102(a)(1) as being unpatentable over Paturi (US 20200356663A1).
Regarding claim 1, Paturi discloses a method of managing cybersecurity a threat and an attack surface, comprising ([0039] “There is thus a present need for a system, method and apparatus capable of identifying and validating application attack surface and protecting web applications against business logic-based attacks, sensitive data leakage and privilege escalation attacks—particularly one which can implement an intelligent learning loop using artificial intelligence to create an ontology-based knowledge base from application request and response sequences”);
collecting, by a cybersecurity management apparatus, attack surface information and security threat information ([0007] “During a risk assessment, organizations must identify their attack surface (as comprehensively as possible) and the risks posed to that attack surface. Identifying the attack surface includes enumerating all critical assets to the business, ranking them by business criticality, understanding the service stacks they are running and their contribution to the day-to-day business, and finally identifying vulnerabilities that affect them”; [0008] “Risk assessment on the attack surface includes ranking the vulnerabilities based on the risk they pose to the organization i.e., risk-based prioritization of the vulnerabilities”; [0104] “The security entities (along with their TTEs), which are pertinent to the target organization, are imported from the Master TTE index to the organizational TTE index 502. The pertinence is preferably decided by mapping the results from active security analysis 503 and passive security analysis 504 to the security entities and IoCs in the Master TTE index's knowledge map. Each mapped security entity in the Master TTE index that's imported into the organizational TTE index is preferably used to calculate a survivor function for assets on which those security entities exist 505”; par. 90: gathering security entities from the Internet, dark web, and internal threat intelligence team), Note that security threat information involves the range of potential threats that could harm an organization, including malware, phishing, insider threats, and other risks. Threats can be internal (e.g., malicious insider) or external (e.g., hacker). Attack surface information involves the sum of all possible points where an unauthorized user can enter or extract data. This includes exposed software, network ports, APIs, cloud services, physical access points, and human vulnerabilitie; See Figure 4 of Paturi for a device implementing gathering of securities entities that involve cyber security attack and security threat information; it focuses on collecting data from public or indirect sources to understand the target’s infrastructure, services, and potential vulnerabilities; and
automatically verifying, by the cybersecurity management apparatus, validity of the security threat information by performing an automated test based on the attack surface information and the security threat information ([0104] “The security entities (along with their TTEs), which are pertinent to the target organization, are imported from the Master TTE index to the organizational TTE index 502. The pertinence is preferably decided by mapping the results from active security analysis 503 and passive security analysis 504 to the security entities and IoCs in the Master TTE index's knowledge map. Each mapped security entity in the Master TTE index that's imported into the organizational TTE index is preferably used to calculate a survivor function for assets on which those security entities exist 505”; [0107] “In a broader sense, the security events and security incidents are preferably gathered from organizational security controls 507. These act as contextual attributes to the security entity data in the organizational TTE index. Some examples of the contextualization can include but are not limited to: (a) security alerts generated by SIEM on a specific server; and/or (b) patch levels of a desktop obtained from the configuration and patch management solution, combinations thereof and the like”, See Fig. 5 of Paturi for the analysis technique of verifying the validity of the security threat information through survivor function for assets and methodologies to determine the compromise probability; [0118] “Referring now to FIGS. 6-16 generally, and especially to FIG. 6, embodiments of the present invention also relate to a solution that encompasses automated techniques directed towards identifying and preventing complex application attacks in real time. These automated techniques function like a ‘hacker in the box’—capable of automating and implementing a human adversary's approach while testing and protecting applications against complex business logic attacks”); [0113] “Embodiments of the present invention use different methodologies to derive the likelihood of compromise probability from the survival function. As mentioned earlier, this probability significantly reduces the uncertainty while trying to assess the cyber risk of the target organization. Two methodologies are applied on the target asset for deriving the likelihood of compromise probability”.
Regarding the cybersecurity management device, comprising claim 4 the claim recites similar limitations as the computer method, comprising claim 1, therefore, rejected based on the same rationale as claim 1.
Regarding claim 2, Paturi discloses all of the limitation of claim 1 comprising a method of managing cybersecurity listed above. Paturi further discloses the attack surface information includes information on assets of a company, which include network equipment, a database (DB), a server, a port, an application, and a domain and are connected to the Internet and exposed to risks ([0023] “Risk-based vulnerability prioritization should not be restricted to the core organizational infrastructure, it instead should be extended to any cloud infrastructure components the organization uses or subscribes to. Further, all third-party vendors doing business with the organization should be included in such risk-based vulnerability prioritization or at least their cyber risk should be quantifiable from publicly-available infrastructure related data. Achieving the above poses a severe challenge to organizations because it's infeasible for them to create, maintain and enhance a master index of vulnerabilities (and their likelihood of exploit) of myriad software, hardware and firmware products that are part of their infrastructure and extended infrastructure (third party vendors and cloud subscriptions)”; [0092] “FIG. 2 shows an embodiment of a general operating environment. Two primary components can include the service provider Cloud (SPC) 201 and the organization network 202. Though it is not explicitly shown in the illustration, embodiments of the present invention can support multiple such organization networks. The SPC preferably contains a Master TTE Index 203, a data processing engine, that preferably computes the survivor function 204, and multiple organizational TTE indices 205. Based on the architecture type chosen, the organization TTE index can optionally reside within the organizational network infrastructure as well. The communication between the SPC and the organization network is performed through a secure channel over the public Internet 206. The target organization network is composed of server infrastructure 207, connected infrastructure (like desktops, printers, scanners etc.) 208, Wireless devices (like mobile devices, laptops etc.) 209, Internet of Things (IoT) 210 and security infrastructure 211. Optionally, the organization can subscribe to third party cloud services 212 that will be considered as part of its network infrastructure. Based on the architecture chosen, the security event data and security scan data can be transferred to the SPC either directly through the secure communication or through on-site module 213. The on-site module can further be used to calculate the organization TTE index. Hardware”; [0093] “In a basic configuration, the apparatuses within SPC or the on-site module can include at least one processing unit 301 and memory, such as system memory 309, volatile memory 310 and non-volatile memory 311. Additionally, the apparatus can have features to connect external media, such as output devices 305 or display devices 313; accept connections from network devices using wired communication interface 307 or wireless communication interface 308. The device can also have multiple data storage components, like database 304, that follow a relational representation structure or NoSQL (schema less) style or a quasi-architecture”); [0277] “Note that in the specification and claims, “about” or “approximately” means within twenty percent (20%) of the numerical amount cited. All computer software disclosed herein may be embodied on any non-transitory computer-readable medium (including combinations of mediums), including without limitation CD-ROMs, DVD-ROMs, hard drives (local or network storage device), USB keys, other removable drives, ROM, and firmware” note that USB and removable drives are devices that must be connected to a ports on a computer to transfer data, meaning the reference discloses use of “ports”; [0130] “Intelligent scanning mode: In this mode, an embodiment of the present invention can be used as an intelligent scanner that has capabilities to enumerate the target application's topology and create a comprehensive attack surface using the data gathered and processed in the learning mode. Further, in one embodiment, the invention can be used to derive offensive ontology-based payloads from the knowledge base created during the learning mode. In one embodiment, an intelligent scanner creates offensive ontology payloads. These payloads are further used to detect target application's susceptibility to complex web application attacks while static scanning”; and
the security threat information includes information exposed through a web or an application that threatens security of the company ([0090] “In one embodiment, the process starts with creating Master TTE index 101 of the security entities defined above. The service provider responsible for quantifying the security risk for its clients (organizations) creates and manages such Master TTE index. The process starts with creation of the Master TTE index for the security entities as gathered and processed from the Internet, dark web and the internal threat intelligence team. As elaborated in FIG. 4, the Master TTE index is a mapping of known vulnerabilities, threats, indicators of compromise (“IoCs”), and the like, combined with publicly available security incident databases. Each entity in the Master TTE index is accompanied with a TTE value (most preferably a time constant) wherever applicable”; [0125] The organization's network preferably includes a web application infrastructure having at least one web server 1202 accompanied by one or more application servers 1203 (hosting business logic) (optional implementation) and a database 1204 for storing data at rest”), See Fig. 7; [0201] “1. Learning mode: This mode preferably allows for the creation of a behavioral model of the target application based on its end users' actions. During the learning mode, target application's users are allowed to perform legitimate actions on it that are captured and processed in real time using an intelligent interceptor. The processed data is also preferably used to create the behavioral model (stored as a knowledge base) of the target application”.
Regarding the cybersecurity management device, comprising claim 5, the claim recites similar limitations as the computer method, comprising claim 2, therefore, rejected based on the same rationale as claim 2.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.
Claims 3 and 6 are rejected under 35 U.S.C.103 as being unpatentable over Paturi (US 20200356663A1) in view of NPL Boa News “[2021 OSINT Report] Cybercriminals Abusing Anonymity Track Down to the End with OSINT” (Published: 2021-05-03 15:21) (Lee Sang-woo).
Regarding claim 3, Paturi discloses all of the limitations of claim 2 listed above. Paturi further discloses collecting security entity and threat information from Internet dark web, and threat intelligence sources (see pars. 90 and 42). However, Paturi does not explicitly disclose the limitation listed below. Lee expressly discloses wherein the cybersecurity management apparatus collects the security threat information and the attack surface information through open source intelligence (OSINT) including general Open web and DeepWeb, and DarkWeb ([3rd Paragraph from bottom of Page 4] “To detect and track crimes occurring in anonymous spaces, the need for OSINT (Open Source INTelligence) is also growing. OSINT is one of the intelligence collection methods that gather information from publicly available sources and analyze it to obtain information. Compared to the past, when information was mainly collected through newspapers or papers, today's internet-driven OSINT gathers information not only from the surface web such as social media, online communities, and internet news, but also from various public sources such as the deep web and dark web”).
Paturi and Lee are analogous in cybersecurity systems that detect security threat information. Therefore, it would be obvious to one of the ordinary skill in the art before the
effective filing date of the claimed invention to have modified Paturi to incorporate the
teachings of Lee to implement collecting security threat information through OSINT including Open web, DeepWeb, and DarkWeb. Doing so would strengthen cybersecurity analysis and determine appropriate course of action (Lee [3rd paragraph of page] “To detect and track crimes occurring in anonymous spaces, the need for OSINT (Open Source INTelligence) is also growing. OSINT is one of the intelligence collection methods that gather information from publicly available sources and analyze it to obtain information”).
Regarding the cybersecurity management device, comprising claim 6, the claim recites similar limitations as the computer method, comprising claim 3, therefore, rejected based on the same rationale as claim 3.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Kim (US 20250301013 A1) discloses a method for managing a cybersecurity threat and attack surface, and a device for performing the method (See Fig. 3).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to VIVIAN D. HO whose telephone number is (571)272-9957. The examiner can normally be reached M- TH 9:00 - 6:00; F 9:00-1:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni A. Shiferaw can be reached at (571) 272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/VIVIAN D HO/Examiner, Art Unit 2497 /ELENI A SHIFERAW/Supervisory Patent Examiner, Art Unit 2497