
                                    P.O. Box 1450, Alexandria, Virginia 22313-1450 – WWW.USPTO.GOV

                Examiner’s Detailed Office Action 

1.	This Office Action is responsive to the communication filed 11/04/2016. Note, the present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.


                      Information Disclosure Statement

2.	Applicant is respectfully reminded of the duty to disclose under 37 C.F.R. 1.56 all pertinent information and material pertaining to the patentability of applicant’s claimed invention, by continuing to submit in a timely manner a PTO-1449 Information Disclosure Statement (IDS) with the filing of the application or thereafter.

                            
                                                     Drawings 

3.	The formal drawings submitted have been reviewed by the Office of Initial Patent Examination (OIPE) and/or the USPTO Office of Draftperson’s Patent Drawings Review.


                                   Specification 

4.	The specification has not been checked to the extent necessary to determine the presence of all possible minor errors. Appropriate correction is required.

	
5.	The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in   
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made.

6.	Claims 1, 3-6, 8, 10-13, 15 & 17-19 are rejected under 35 U.S.C. 103(a) as being unpatentable over

Paturi et al., (USPAP Pub. No.: US 20200396244 A1, Pub. Date: Dec. 17, 2020),

in view of  

Shou-de Lin et al., “Discovering and Explaining Abnormal Nodes in Semantic Graphs,” IEEE Transactions on Knowledge and Data Engineering, Vol. 20, Issue 8, Aug. 2008.

Independent claims 1, 8 & 15 are rejected under the same rationale.

A method for intelligent learning for explaining anomalies by a processor, comprising: 

[see Paturi et al., Abstract & [0003]-[0004]]

An apparatus and method for cyber risk quantification calculated from the likelihood of a cyber-attack on the target enterprise and/or cyber ecosystem based on its security posture. The cyber-attack likelihood can be derived as a probability-based time-to-event (TTE) measure using survivor function analysis. The likelihood probability measure can also be passed to cyber risk frameworks to determine financial impacts of the cyber-attacks. Embodiments of the present invention also relate to an apparatus and method (1) to identify and validate application attack surfaces and protect web applications against business logic-based attacks, sensitive data leakage and privilege escalation attacks; and/or (2) that protects web applications against business logic-based attacks, sensitive data leakage and privilege escalation attacks. This can include implementing an intelligent learning loop using artificial intelligence that creates an ontology-based knowledge base from application request and response sequences. Stochastic probabilistic measures are preferably applied to a knowledge base for predicting malicious user actions in real time.

[0003] Embodiments of the present invention also relate to software security where target software and web applications can be tested and validated for sophisticated attacks like business logic-based attacks, session hijacking, privilege escalation etc. This inline solution also preferably allows for identification and comprehensive validation of the attack surface of 

[0004] In summary, embodiments of the present invention relate to an apparatus and method for cyber risk quantification calculated from the likelihood of a cyber-attack on the target enterprise and/or cyber ecosystem based on its security posture. The cyber-attack likelihood can be derived as a probability-based time-to-event (TTE) measure using survivor function analysis. The vulnerability data along with internal security control data (like configuration management, endpoint protection, parameter security devices, patch management, event logs etc.) can be correlated with threat, security incident and custom TTE data from a master TTE Index and subjected to regression analysis for deriving the cyber-attack likelihood. The likelihood probability measure can also be passed to cyber risk frameworks to determine financial impacts of the cyber-attacks. Embodiments of the present invention also relate to an apparatus and method to identify and validate application attack surfaces and protect web applications against business logic-based attacks, sensitive data leakage and privilege escalation attacks. In one embodiment, the present invention implements an intelligent learning loop using artificial intelligence that creates an ontology-based knowledge base from application request and response sequences. In one embodiment, the knowledge base represents the user behavioral model and is preferably further used to create offensive ontology applying predicate logic negation rules process. The offensive ontology preferably generates payloads to test target web applications against attacks that target flaws in the underlying application logic. Embodiments of the present invention also relate to an apparatus and method that protects web applications against business logic-based attacks, sensitive data leakage and privilege escalation attacks. 
The innovative mechanism preferably implements an intelligent learning loop using artificial intelligence that creates an ontology-based knowledge base from application request and response sequences. Stochastic probabilistic measures are preferably applied to a knowledge base for predicting malicious user actions in real time. More specifically, in one embodiment, the knowledge base is used to create a Markov Logic Network and dynamic inference is applied (using time slice networks and relative entropy measures) on it to detect anomalies in user behavior--thus predicting complex application attacks like privilege escalation attempts, sensitive data leakage etc. in real time. 

identifying one or more anomalous records identified in a knowledge base; 

[see Paturi et al., [0004]]

[0004] In summary, embodiments of the present invention relate to an apparatus and method for cyber risk quantification calculated from the likelihood of a cyber-attack on the target enterprise and/or cyber ecosystem based on its security posture. The cyber-attack likelihood can be derived as a probability-based time-to-event (TTE) measure using survivor function analysis. The 

generating a list of ranked candidate explanations for the one or more anomalous records;

Paturi et al., does not teach a listing of ranked candidate explanations.

However, Shou-de-Lin teaches a listing of ranked candidate explanations.

[see Shou-de Lin et al., Section 4 (Evaluation of UNICORN), Table 1, Table 2 & Table 3, pages 1044-1046] … e.g., (page 1046 …)

Results are shown in Table 3. For each algorithm, we show how it ranks the two gang war Mafiyas GM1 and GM2 and/or the industry takeover Mafiya ITM described in the answer key of each data set. A perfect algorithm would rank the target Mafiyas at positions 1–3 for data sets D1–D3 and at position 1 for data sets D4–D6. The “Perfect” score for each algorithm lists how many Mafiyas were ranked perfectly (that is, there is no “innocent” Mafiya ranked higher than it) for each data set. We also average and normalize these scores to show what overall percentage of Mafiyas was ranked in perfect position. To evaluate the quality of nonperfect rankings, we compute a position error that measures on the average how many false positives before the particular target Mafiya was reached and, presumably, identified as a hit. We compute a normalized maximum error “max Err” based on the worst of the rankings. …

Accordingly, it would have been obvious to a person having ordinary skill in the art before the effective filing date to combine Paturi et al. with Shou-de Lin et al., because Shou-de Lin et al. generally relates to the area of homeland security, where the problem is to identify abnormal or suspicious entities in large data sets. As Shou-de Lin et al. state: “Although there are methods from data mining and social network analysis focusing on finding patterns or central nodes from networks or numerical data sets, there has been little work aimed at discovering abnormal instances in large complex semantic graphs, whose nodes are richly connected with many different types of links. In this paper, we describe a novel unsupervised framework to identify such instances. Besides discovering abnormal instances, we believe that to complete the process, a system has to also provide users with understandable explanations for its findings. Therefore, in the second part of the paper, we describe an explanation mechanism to automatically generate human-understandable explanations for the discovered results. To evaluate our discovery and explanation systems, we perform experiments on several different semantic graphs. The results show that our discovery system outperforms state-of-the-art unsupervised network algorithms used to analyze the 9/11 terrorist network and other graph-based outlier detection algorithms by a significant margin. Additionally, the human study we conducted demonstrates that our explanation system, which provides natural language explanations for the system’s findings, allowed human subjects to perform complex data analysis in a much more efficient and accurate manner.”

and

initiating an active learning dialog with one or more users to increase accuracy of the knowledge base, a domain knowledge, and each of the ranked candidate explanations.  

[see Paturi et al., Abstract; FIG. 11; [0135], [0140]-[0143]]

An apparatus and method for cyber risk quantification calculated from the likelihood of a cyber-attack on the target enterprise and/or cyber ecosystem based on its security posture. The cyber-attack likelihood can be derived as a probability-based time-to-event (TTE) measure using survivor function analysis. The likelihood probability measure can also be passed to cyber risk frameworks to determine financial impacts of the cyber-attacks. Embodiments of the present invention also relate to an apparatus and method (1) to identify and validate application attack surfaces and protect web applications against business logic-based attacks, sensitive data leakage and privilege escalation attacks; and/or (2) that protects web applications against business logic-based attacks, sensitive data leakage and privilege escalation attacks. This can include implementing an intelligent learning loop using artificial intelligence that creates an ontology-based knowledge base from application request and response sequences. Stochastic probabilistic measures are preferably applied to a knowledge base for predicting malicious user actions in real time.

[0140] Web pages provide Document Object Model ("DOM") elements 1604 (see FIG. 11) as part of User Interface ("UI") on which end users perform actions during their interaction with the target application. User actions on DOM elements generate events (handled by event listeners) that can update the DOM element state, eventually updating the DOM structure of the entire web page. For example, when a user enters his username in the username text field and clicks next, he can be presented the password text field in case his username is correct. In this scenario, the username text field is the DOM element, entering username and clicking the submit button are actions performed by the user, validating the username is the event generated by the action performed and appearance of the password field on the web page is the new DOM element which updates the existing DOM structure of the target web page. 

[0141] Note that events generated as a result of end user actions and underlying logic implementation for handling those events preferably define the behavioral model of the web application. Embodiments of the present invention provide an automated methodology to create such behavioral model of the web application and further represent it in a machine understandable format for deriving inferences. 

[0142] Embodiments of the present invention implement a data capture module that captures and processes application requests, responses in their totality as users interact with the target web application. The data capture module preferably considers all kinds of application requests, response sequences between the web server and its end users. Primarily, they can be categorized into (a) Server side request, response sequences and (b) Client side request, response sequences. These are exemplified in FIG. 10. 


[0143] The server side request, response sequences represent synchronous communication between the client and the target web server i.e., they are traditional GET and POST HTTP requests between the client and the server where each response from the server entirely replaces the currently displayed web page on the client side (as represented in 1501). Client side request, response sequences represent asynchronous communication between the client and the server (using technologies like client side JavaScript, AJAX etc.) 1502, 1503 i.e., they modify the Document Object Model ("DOM") state of target web page without having to reload the web page completely. Applications implementing client side request, response sequences are referred to as Rich Internet Applications ("RIAs"). 

Claims 3, 10 & 17 are rejected under the same rationale.

The method of claim 1, further including ranking each of the ranked candidate explanations according to a weight and a confidence score.  

[see Paturi et al., [0053] & [0269]-[0271]]

[0053] In one embodiment, the MLN management module can perform static and dynamic inference to predict and prevent complex web application attacks. The MLN management module preferably forms a feedback loop to the event capture module to reevaluate a primitive event to enhance learning. The alert module can optionally be activated based on attack detection and/or prevention triggers from the MLN management module. The deduction module optionally includes an inductive logic programming-based inference engine that creates grounded MLN for target web applications from user actions. The inference engine preferably assigns weights to the predicate statements that represent user actions on the target web application. The analysis engine can optionally calculate weights as a maximum likelihood estimator for a probability function. The probability function can be based on all state transitions for underlying events applicable to each of a privilege access level. In one embodiment, the inference engine accepts weight inputs that originate from subject matter experts. The inference engine can optionally create a grounded MLN (optionally in live and/or learning mode) for target web applications from end user actions. 

[0269] Dynamic inference pertains to subjecting the dynamic MLN (L) through stochastic probabilistic analysis for detecting user behavior anomalies (in terms of privilege escalation attacks, business logic exploiting attacks etc.) in real time. SMEs can optionally specify rules to the inference engine representing the anomalous behavior they want to detect and stop. Even without such rules, embodiments of the present invention can still detect anomalous user behavior based on MLN comparison techniques. 

[0270] The concept of relative entropy is preferably implemented on the master MLN (L) and dynamic MLN (L) to detect deviations in user behavior and infer potential attacks in progress. 

[0271] The relative entropy (also known as KL-divergence) is a metric that returns the distance between two probability distributions. The returned value is a real number demonstrating how similar the two distributions are; lower values indicate more similarity. The concept is primarily adapted to MLNs, because MLNs represent a grounded form of user actions 
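The relative-entropy comparison described in [0270]-[0271] above can be illustrated with the following added example, which is not code from Paturi et al., from the application under examination, or from this Office Action. It replaces the Markov Logic Network of the reference with a simpler stand-in: a smoothed probability distribution over grounded action transitions (previous action, next action) estimated from a constructed baseline log for one privilege level, compared by KL-divergence against a live window of the same form. The action names, the sample transitions, the smoothing constant and the alert threshold are all constructed assumptions.

```python
"""Added illustration of relative-entropy (KL-divergence) anomaly detection
over user-action transitions. Not code from Paturi et al.; the Markov Logic
Network of the reference is replaced here by a plain, smoothed transition
distribution. All names, logs and thresholds below are constructed."""
import math
from collections import Counter

# Constructed baseline ("master") log for one privilege level: each entry is a
# grounded state transition (previous_action, next_action). Not real data.
BASELINE_LOG = [
    ("login", "view_profile"), ("view_profile", "view_orders"),
    ("view_orders", "view_order"), ("view_order", "view_orders"),
    ("view_orders", "logout"), ("login", "view_orders"),
    ("view_orders", "view_order"), ("view_order", "logout"),
] * 5  # repeated to stand in for many recorded sessions

# A live ("dynamic") window consistent with the baseline behaviour.
NORMAL_WINDOW = [
    ("login", "view_profile"), ("view_profile", "view_orders"),
    ("view_orders", "view_order"), ("view_order", "logout"),
]

# A live window where the same privilege level starts driving admin-only
# actions that never appear in the baseline (a privilege-escalation pattern).
ESCALATION_WINDOW = [
    ("login", "view_orders"), ("view_orders", "admin_users"),
    ("admin_users", "admin_set_role"), ("admin_set_role", "admin_users"),
]


def smoothed_distribution(transitions, support, alpha=0.5):
    """Maximum-likelihood estimate of the transition distribution with additive
    smoothing over a shared support, so that no probability is zero and the
    KL-divergence below stays finite even for never-seen transitions."""
    counts = Counter(transitions)
    total = len(transitions) + alpha * len(support)
    return {t: (counts[t] + alpha) / total for t in support}


def kl_divergence(p, q):
    """Relative entropy D(P || Q) = sum_t P(t) * ln(P(t) / Q(t)); 0 when the
    distributions are identical, larger the more P deviates from Q."""
    return sum(p[t] * math.log(p[t] / q[t]) for t in p if p[t] > 0)


def behaviour_deviation(baseline_log, window):
    """KL-divergence of the live window's transition distribution from the
    baseline's, computed over the union of transitions seen in either."""
    support = sorted(set(baseline_log) | set(window))
    live = smoothed_distribution(window, support)
    master = smoothed_distribution(baseline_log, support)
    return kl_divergence(live, master)


def is_anomalous(baseline_log, window, threshold=0.5):
    """Flag the window when its deviation exceeds a constructed threshold; in
    practice the threshold would be calibrated on held-out normal windows."""
    return behaviour_deviation(baseline_log, window) > threshold


if __name__ == "__main__":
    for label, window in (("normal", NORMAL_WINDOW), ("escalation", ESCALATION_WINDOW)):
        d = behaviour_deviation(BASELINE_LOG, window)
        print(f"{label}: KL = {d:.3f}, anomalous = {is_anomalous(BASELINE_LOG, window)}")
```

The normal window stays close to the baseline (a divergence of roughly 0.11 with these constructed inputs), while the window containing never-seen admin transitions lands above 1.0, because every unseen transition carries only the smoothing mass in the baseline distribution. The smoothing constant and the threshold trade false positives for sensitivity and are the two parameters a practitioner would tune.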

Claims 4 & 11 are rejected under the same rationale.

The method of claim 1, further including ranking each of the ranked candidate explanations according to a level of confidence of evidence in the knowledge base associated with each of the ranked candidate explanations.

[see Shou-de Lin et al., pg. 1048 …]

We used this data to perform the following experiment: for each data set, we feed the evidence data graph to UNICORN and ask it to rank the 42 Mafiyas based on their abnormality (using their semantic profiles and Ramaswamy’s distance-based outlier algorithm). We then check how well the top-ranked Mafiyas correspond to the Mafiyas of interest reported in the answer key (three for large-sized and one for medium-sized data). We compare UNICORN’s performance with that of a set of unsupervised network algorithms that fall into two classes: 1) The first class is composed of centrality-based ranking algorithms such as PageRank [14], Hypertext Induced Topic Selection (HITS) [15], and Betweenness Centrality [16], which all compute some form of importance or authority score based on the connectivity of a node in a graph. PageRank and Betweenness were chosen, specifically, since they have been applied previously to analyze terrorist networks [5], [6].

Accordingly, it would have been obvious to a person having ordinary skill in the art before the effective filing date to combine Paturi et al. with Shou-de Lin et al., for the reasons stated above with respect to claim 1: Shou-de Lin et al. generally relates to the area of homeland security, where the problem is to identify abnormal or suspicious entities in large data sets, and describes an unsupervised framework for discovering abnormal instances in large semantic graphs together with an explanation mechanism that generates human-understandable explanations for the discovered results.
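The abnormality ranking quoted at page 1048 (entities ranked by a distance-based outlier score over their semantic profiles) and the ranking evaluation quoted above for claim 1 (the “Perfect” count and the position error, pages 1044-1046) can be illustrated together with the following added example. It is not code from Shou-de Lin et al. or from UNICORN: the semantic profiles are constructed link-count vectors, the answer key is constructed, the outlier score used is the distance to the k-th nearest neighbour (a Ramaswamy-style score applied to these toy vectors), and the “max Err” normalisation is not reproduced because the quoted passage does not define it.

```python
"""Added illustration of distance-based abnormality ranking and of the two
ranking metrics described in the quoted evaluation ("Perfect" count and
position error). Not code from Shou-de Lin et al. or UNICORN; the profiles,
answer key and parameters are constructed for this example."""
import math

# Constructed semantic profiles: one vector of link-type counts per entity
# (e.g. number of member_of / communicates_with / transfers_to links).
PROFILES = {
    "M01": [5, 4, 1], "M02": [5, 5, 1], "M03": [4, 4, 2], "M04": [6, 4, 1],
    "M05": [5, 3, 1], "M06": [4, 5, 2], "M07": [5, 4, 2],
    "M08": [1, 9, 7],  # the single constructed target in the answer key
    "M09": [5, 5, 2], "M10": [4, 3, 1],
}
ANSWER_KEY = {"M08"}  # constructed: the entity the ranking should surface


def knn_distance_scores(profiles, k=3):
    """Distance-based outlier score: Euclidean distance from each profile to
    its k-th nearest neighbour. Entities far from all others score highest."""
    scores = {}
    for name, vec in profiles.items():
        dists = sorted(math.dist(vec, other) for o, other in profiles.items() if o != name)
        scores[name] = dists[k - 1]
    return scores


def rank_by_abnormality(profiles, k=3):
    """Entities ordered from most to least abnormal; ties are broken by name
    so the ranking is deterministic."""
    scores = knn_distance_scores(profiles, k)
    return sorted(scores, key=lambda n: (-scores[n], n))


def perfect_count(ranking, answer_key):
    """Number of targets ranked 'perfectly', i.e. with no innocent entity
    ranked above them."""
    return sum(
        1 for pos, name in enumerate(ranking)
        if name in answer_key and all(r in answer_key for r in ranking[:pos])
    )


def position_error(ranking, answer_key):
    """Average number of false positives (innocents) encountered before each
    target is reached in the ranking."""
    errors = [
        sum(1 for r in ranking[:pos] if r not in answer_key)
        for pos, name in enumerate(ranking) if name in answer_key
    ]
    return sum(errors) / len(errors)


def evaluate(profiles, answer_key, k=3):
    """Rank the profiles and score the ranking against the answer key."""
    ranking = rank_by_abnormality(profiles, k)
    perfect = perfect_count(ranking, answer_key)
    return {
        "ranking": ranking,
        "perfect": perfect,
        "perfect_fraction": perfect / len(answer_key),
        "position_error": position_error(ranking, answer_key),
    }


if __name__ == "__main__":
    print(evaluate(PROFILES, ANSWER_KEY))
```

With these constructed profiles the target M08 is the only entity far from every other profile, so it is ranked first, the “Perfect” count is 1 and the position error is 0. The two metric functions are independent of how the ranking was produced, so they can be applied unchanged to a ranking from any of the centrality-based algorithms named in the quote.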

Claims 5, 12 & 18 are rejected under the same rationale.

The method of claim 1, further including updating the knowledge base using feedback from the one or more users.  

[see Paturi et al., [0047]-[0049]]

[0047] An embodiment of the present invention also relates to a method for providing intelligent web application security including creating a comprehensive application attack surface by providing a feedback learning loop configured to implement an intelligent interceptor module and a data capture module, the feedback learning loop enhancing an application knowledge base in real time; configuring the intelligent interceptor module to capture synchronous and asynchronous HTTP requests and response sequences of a target application resulting from user actions in real time and passing them to a data processing module; the data processing module creating structured content hierarchy from captured unstructured HTTP(S) data and passing it to a knowledge module; the knowledge module creating a concept hierarchy from the structured content hierarchy, the knowledge module further generating target application ontology from the concept hierarchy and storing it in a knowledge base; and an intelligent scanner creating offensive ontology-based payloads while testing the target web application for complex web application attacks. In one embodiment of the method, the target application ontology can 

[0048] In one embodiment, the method can include configuring a command and control center to allow end users to communicate with the feedback learning loop and the intelligent scanner. The intelligent interceptor preferably implements a memory-aware browser-based sensor to capture all events resulting from asynchronous communication created from user actions on the target application in real time. The memory-aware sensor preferably creates a stack trace of events from asynchronous communications, so as to capture the document object module state changes, related event chains and corresponding parameter values resulting from user actions. The memory-aware sensor can optionally store the stack trace in a repeatable audit log format using a graph-based data structure. The intelligent interceptor optionally implements a synchronization module that creates a transaction unit, which transaction unit can linearly interleave all events resulting from user actions captured from synchronous and asynchronous communication. 

[0049] In one embodiment of the method, a set of union of all transaction units can be represented as a content hierarchy of the target application. The knowledge module can represent the target application ontology as predicate logic statements. The target application ontology resulting from user actions can be stored in a graph-based knowledge base that acts as a behavioral model of the target application. Optionally, the behavioral model of the target application can be categorized by an end user privilege access level. The knowledge module can create an adversarial behavior model by creating offensive ontology from the application behavioral model stored in the knowledge base. Optionally, the intelligent scanner, as part of a scan initiation, can accept subject-matter expert input to create offensive ontology payloads. The method can also include one or more subject-matter experts specifying rules that represent complex attacks for the target application. The offensive ontology payloads can optionally be derived from the rules specified by the one or more subject-matter experts. The subject-matter expert rules can be translated to a predicate-based ontology representation. The ontology from the subject-matter expert rules can be validated against the target application ontology for completeness. Optionally, validated ontology can be converted to an HTTP request and response sequences that can be executed against the target application. The resulting offensive ontology payloads can be feedback to the knowledge base. 

Claims 6, 13 & 19 are rejected under the same rationale.

The method of claim 1, further including building one or more recommendation models to generate evidence to support each of the ranked candidate explanations. 

[see Paturi et al., [0004] & [0018]-[0022]]

[0004] In summary, embodiments of the present invention relate to an apparatus and method for cyber risk quantification calculated from the likelihood of a cyber-attack on the target enterprise and/or cyber ecosystem based on its security posture. The cyber-attack likelihood can be derived as a probability-based time-to-event (TTE) measure using survivor function analysis. The vulnerability data along with internal security control data (like configuration management, endpoint protection, parameter security devices, patch management, event logs etc.) can be correlated with threat, security incident and custom TTE data from a master TTE Index and subjected to regression analysis for deriving the cyber-attack likelihood. The likelihood probability measure can also be passed to cyber risk frameworks to determine financial impacts of the cyber-attacks. Embodiments of the present invention also relate to an apparatus and method to identify and validate application attack surfaces and protect web applications against business logic-based attacks, sensitive data leakage and privilege escalation attacks. In one embodiment, the present invention implements an intelligent learning loop using artificial intelligence that creates an ontology-based knowledge base from application request and response sequences. In one embodiment, the knowledge base represents the user behavioral model and is preferably further used to create offensive ontology applying predicate logic negation rules process. The offensive ontology preferably generates payloads to test target web applications against attacks that target flaws in the underlying application logic. Embodiments of the present invention also relate to an apparatus and method that protects web applications against business logic-based attacks, sensitive data leakage and privilege escalation attacks. 
The innovative mechanism preferably implements an intelligent learning loop using artificial intelligence that creates an ontology-based knowledge base from application request and response sequences. Stochastic probabilistic measures are preferably applied to a knowledge base for predicting malicious user actions in real time. More specifically, in one embodiment, the knowledge base is used to create a Markov Logic Network and dynamic inference is applied (using time slice networks and relative entropy measures) on it to detect anomalies in user behavior--thus predicting complex application attacks like privilege escalation attempts, sensitive data leakage etc. in real time. 

[0018] Risk-based vulnerability prioritization includes prioritizing vulnerabilities based on their criticality and their likelihood of exploitation. Combining the prioritized vulnerabilities with financial impact frameworks produces an accurate risk representation for the target organization. Hence, it is extremely important to determine the likelihood of exploiting a vulnerability in the target organizational infrastructure. This includes the following steps: [0019] 1. Identifying threats applicable to vulnerabilities existing in the attack surface. [0020] 2. Predicting high-risk vulnerabilities among the existing ones based on their exploitability and the organization's susceptibility to them. [0021] 3. Evaluating post attack impact of the vulnerabilities upon their successful compromise. 

[0022] One important aspect for efficiently executing the above steps is adversary modeling against the vulnerabilities under consideration. The adversary modeling produces the set of 

                            Claim Objections

7.	Claims 2, 7, 9, 14, 16 & 20 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
               

                             Claim Interpretation

8. 	The claims and only the claims form the metes and bounds of the invention. “Office personnel are to give the claims their broadest reasonable interpretation in light of the supporting disclosure. In re Morris, 127 F.3d 1048, 1054-55, 44 USPQ2d 1023, 1027-28 (Fed. Cir. 1997). Moreover, limitations appearing in the specification but not recited in the claim are not read into the claim. In re Prater, 415 F.2d 1393, 1404-05, 162 USPQ 541, 550-551 (CCPA 1969)” (MPEP p. 2100-8, col. 2, ll. 45-48; p. 2100-9, col. 1, ll. 1-4).

9.	The Examiner has full latitude to interpret each claim in the broadest reasonable sense. The Examiner will reference prior art using terminology familiar to one of ordinary skill in the art. Such an approach is broad in concept and can be either explicit or implicit in meaning.

10. 	Examiner’s Notes, if provided, accompany the cited references to prior art to assist the applicant to better understand the nature of the prior art, the application of such prior art and, as appropriate, to further indicate other prior art that may be applied in other office actions. Such comments are entirely consistent with the intent and spirit of compact prosecution. However, and unless otherwise stated, the citations are self-explanatory to one skilled in the art and do not need any further explanation. Moreover, the Examiner’s Notes are not prior art but a link to prior art that one of ordinary skill in the art would find inherently or obviously appropriate.

11. 	Unless otherwise annotated, as aforementioned, Examiner’s statements are to be interpreted in reference to that of one of ordinary skill in the art. Statements made in reference to the condition of the disclosure constitute, on the face of it, the basis and such would be obvious to one of ordinary skill in the art, establishing thereby an inherent or obviousness prima facie case or statement(s).


                             Correspondence Information

12.	Any inquiries concerning this communication or earlier communications from the examiner should be directed to Michael B. Holmes, who may be reached Monday through Friday, between 8:00 a.m. and 5:00 p.m. EST, via telephone at (571) 272-3686, facsimile transmission at (571) 273-3686, or email at michael.holmesb@uspto.gov.

If you need to send an Official facsimile transmission, please send it to (571) 273-8300.

If attempts to reach the examiner are unsuccessful, the Examiner’s Supervisor (SPE), Ann Lo J., may be reached at (571) 272-9767.

Hand-delivered responses should be delivered to the Receptionist at the Customer Service Window, Randolph Building, 401 Dulany Street, Alexandria, VA 22313, located on the first floor of the south side of the Randolph Building.

Finally, information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Moreover, status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have any questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) toll-free at 1-866-217-9197.
                                                         Michael B. Holmes
               						   Primary Examiner
                                                                        Artificial Intelligence
                                                                             Art Unit 2126
                                                       United States Department of Commerce
                                                                  Patent & Trademark Office

Thursday, February 25, 2021                                                  
               MBH

                                                                                             /MICHAEL B HOLMES/  
                                                                             Primary Examiner, Art Unit 2126