Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Detailed Action


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 1 – 3, 7 – 11 and 15 – 16 are rejected under 35 U.S.C. 103 as being unpatentable over Stokes (US Pub. No. 2018/0367548 A1) in view of Evron (US Pub. No. 2017/0359376 A1) and further in view of Singh (US Patent No. 10,419,469 B1).


Per claim 1, Stokes suggests a non-transitory computer-readable medium having stored thereon instructions that (see Stokes para 0081 – 0087), when executed by one or more processors (see Stokes para 0082), are configurable to cause the one or more processors to (see Stokes para 0081): analyze user login information (reads on using system and security events to generate a graph representing the computer network comprising nodes that represent computers, user accounts and login events, see Stokes para 0005 and 0088) for multiple users in (reads on user accounts, see Stokes para 0088) a multiuser secure computing environment (reads on a computer network that includes user accounts and user logon events, see Stokes para 0088) to generate multiple user evaluations (reads on to generate a graph representing the computer network comprising nodes that represent user accounts, see Stokes para 0088); analyze at least the multiple user evaluations to generate at least a population evaluation for the multiuser secure computing environment (The Examiner construes this to be an obvious limitation of the prior art’s teaching of the edges in the graph represent computer connections and user logon events, see Stokes para 0006); generate node scores for nodes (reads on determining a combination of node indegree and outdegree and path-rate score using the weight of each edge, see Stokes para 0006 and 0040 – 0043) in the population evaluation (reads on the edges in the graph that represent computer connections and user logon events, see Stokes para 0006) to determine one or more entry nodes for (reads on using the path-rate score to determine that nodes D,H,K and Q are compromised, see Stokes para 0073 – 0077 and Figure 5) the multiple users (reads on user accounts, see Stokes para 0088) in the multiuser secure computing environment (reads on a computer network that includes user accounts and user logon events, see Stokes para 0088). Stokes is silent 
Evron suggests analyze (reads on an analysis of a plurality of login events executed by a plurality of computing nodes of a monitored computer network, see Evron para 0026 and 0067) user login information (reads on login events, see Evron para 0067) for multiple users (reads on the obvious human activity associated with login events on a plurality of computer nodes in a monitored computer network, see Evron para 0026 and 0067) in a multiuser secure computing environment (reads on a plurality of computing nodes of a monitored computer network, see Evron para 0026 and 0067) to generate multiple user evaluations (reads on an analysis of a plurality of login events on a plurality of computing nodes of the monitored network, see Evron para 0026 and 0067); analyze at least the multiple user evaluations to generate at least a population evaluation for the multiuser secure computing environment (reads on detecting an absence or presence of an unexpected login event in potentially compromised nodes of the computing nodes of the monitored computer network based on the analysis, see Evron para 0068); generate node scores for nodes in the population evaluation to determine one or more entry nodes for the multiple users in the multiuser secure computing environment (reads on setting a score that may comprise a number of sub scores according to one or more potential damage characteristics, see Evron para 0069); compare the node scores to one or more threshold values to determine whether (reads on determine whether the score is below at

[0026] The present invention, in some embodiments thereof, relates to responding to potential unauthorized operations in a protected device and/or network, and, more specifically, but not exclusively, to responding to potential unauthorized operations in a protected device and/or network based on an estimated risk level. 
[0067] Reference is made once again to FIG. 1. The process 100 may be executed using the threat management software module 216. First, as shown at 101, an analysis of a plurality of processes executed by the plurality of computing nodes 220 of the monitored computer network 235, also referred to as a monitored computer network, is held. The monitoring may be performed as general deception campaigns, for example as described in U.S. patent application Ser. No. 15/414,850 which is incorporated herein by reference or by PCT Application No. PCT/IB2016/054306 titled “Decoy and Deceptive Data Object Technology” which is incorporated herein by reference. For example, monitored processes are threads or events monitored at the kernel and/or OS level at some or all of the computing nodes 220 as described above. The analysis is optionally performed centrally by the threat management software module 216 and/or by distributed threat evolution software modules which are installed in some or all of the computing nodes 220. The processes may also be login events, resource access events, computer communication events, file copying events and/or the like. A malicious activity threat may be any process and/or filtered processes, for example processes which are not signed or recognized in a white list. A malicious activity threat may be detected using various methods such as analysis of processes using deep learning classification modules (e.g. trained neural networks), a rule based software module for classifying processes, expert system units for classifying processes or any other automated process classification procedure. The processes may be induced by malicious software activity or by human activity. The monitoring may be continuously held as depicted in 108.
[0068] Now, as shown at 102, an absence or a presence of a malicious activity threat is detected in potentially compromised computing node(s) of the computing nodes of the monitored computer network 235 based on an outcome of the analysis. The potentially compromised computing node(s) are one or more computing nodes selected from the computing nodes of the monitored computer network and used for executing processes according to which the malicious activity threat is identified. For example, the compromised computing node(s) are devices on which suspected login activity or file access activity or usage is detected and/or on which suspected computer communication is held (e.g. detecting login from an unexpected location).
[0069] As shown at 103, when the malicious activity threat is identified, a score is set thereto according to one or more potential damage characteristics of the malicious activity threat and/or of the potentially compromised computing node(s). The potential damage characteristics may be extracted from a threat characteristics dataset summarizing potential damage characteristics per thread and/or per computing node in the network 235. The potential damage characteristics may be an urgency to handle value, severity value, and certainty value. The potential damage characteristics may be manually inputted and/or learnt. A potential damage characteristic may be a network location of the computing node used for executing processes related to the malicious activity threat in the monitored computer network 235 and/or a location from which the computing node is accessed. A potential damage characteristic may be a type of the computing node used for executing processes related to the malicious activity threat. A potential damage characteristic may be level of credentials used to access the computing node used for executing processes related to the malicious activity threat and/or the right of access given to these credentials. A potential damage characteristic may be a level of sensitivity given to data stored in or accessible by the computing node used for executing processes related to the malicious activity threat. The processes may be induced by malicious software activity or by human activity.
[0070] The score may comprise a number of sub scores such as an urgency sub score, a severity sub score, and a certainty sub score. In such embodiments, the threshold may be cumulative and/or comprise a plurality of sub thresholds which are used for judging each one of the sub scores separately. For brevity, sub threshold may be referred to herein as a threshold.

[0102] It is appreciated that certain features of the invention, which are, for clarity, described in the context of separate embodiments, may also be provided in combination in a single embodiment. Conversely, various features of the invention, which are, for brevity, described in the context of a single embodiment, may also be provided separately or in any suitable subcombination or as suitable in any other described embodiment of the invention. Certain features described in the context of various embodiments are not to be considered essential features of those embodiments, unless the embodiment is inoperative without those elements.
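The following Python program is an added illustration of the Evron flow quoted above (steps 101 – 103 of paragraphs 0067 – 0070); it is not code from the Office action or from Evron. The login records, the mapping of damage characteristics to sub scores, the certainty heuristic and the threshold values are all constructed for the illustration, since Evron specifies none of them.

```python
"""Added example (not from the Office action or from Evron): scoring a suspected
login with urgency/severity/certainty sub scores and judging it against a
cumulative threshold and per-sub-score sub thresholds, following Evron paras
0067-0070. Feature names, weights, thresholds and sample events are constructed."""
from dataclasses import dataclass

# Constructed login events (assumed fields: node, user, source location,
# credential level used, node type, sensitivity of data on the node, 1-5).
LOGIN_EVENTS = [
    {"node": "ws-12", "user": "alice", "src": "office-lan", "cred": "user",
     "node_type": "workstation", "sensitivity": 1},
    {"node": "db-01", "user": "dba1", "src": "vpn-eu", "cred": "admin",
     "node_type": "database", "sensitivity": 5},
    {"node": "dc-01", "user": "bob", "src": "tor-exit", "cred": "domain_admin",
     "node_type": "domain-controller", "sensitivity": 5},
    {"node": "ws-07", "user": "carol", "src": "office-lan", "cred": "user",
     "node_type": "workstation", "sensitivity": 2},
]

# Locations each user has been seen logging in from (assumption: learnt history).
EXPECTED_SRC = {
    "alice": {"office-lan"}, "dba1": {"office-lan"},
    "bob": {"office-lan", "vpn-eu"}, "carol": {"office-lan"},
}

# Damage characteristics -> sub score contributions (constructed weights).
CRED_LEVEL = {"user": 1, "admin": 3, "domain_admin": 5}
NODE_URGENCY = {"workstation": 1, "database": 3, "domain-controller": 5}
SUB_THRESHOLDS = {"urgency": 5, "severity": 8, "certainty": 4}
CUMULATIVE_THRESHOLD = 15


@dataclass(frozen=True)
class Score:
    urgency: int
    severity: int
    certainty: int

    def total(self) -> int:
        return self.urgency + self.severity + self.certainty


def detect_unexpected_logins(events, expected=EXPECTED_SRC):
    """Evron step 102: a login from a location the user has not used before
    marks the node as potentially compromised."""
    return [e for e in events if e["src"] not in expected.get(e["user"], set())]


def score_threat(event) -> Score:
    """Evron step 103: set sub scores from the potential damage characteristics
    (node type, credential level, data sensitivity, access location)."""
    urgency = NODE_URGENCY[event["node_type"]]
    severity = CRED_LEVEL[event["cred"]] + event["sensitivity"]
    # Constructed certainty heuristic: an anonymising source is rarely benign.
    certainty = 5 if event["src"] == "tor-exit" else 2
    return Score(urgency, severity, certainty)


def exceeds(score: Score, sub_thresholds=SUB_THRESHOLDS,
            cumulative=CUMULATIVE_THRESHOLD) -> bool:
    """Evron para 0070: the threshold may be cumulative and/or a set of sub
    thresholds judged separately; respond if either test is met."""
    if score.total() >= cumulative:
        return True
    return any(getattr(score, name) >= limit for name, limit in sub_thresholds.items())


def triage(events=LOGIN_EVENTS):
    """Return (node, user, score, respond?) for every suspected login."""
    results = []
    for event in detect_unexpected_logins(events):
        score = score_threat(event)
        results.append((event["node"], event["user"], score, exceeds(score)))
    return results


if __name__ == "__main__":
    for node, user, score, respond in triage():
        print(f"{user}@{node}: {score} total={score.total()} respond={respond}")
```

Running the program flags the two logins from unexpected locations. The database login does not reach the cumulative threshold (13 < 15) but trips the severity sub threshold (8 ≥ 8), which is the "and/or" case of paragraph 0070; the domain controller login crosses the cumulative threshold outright.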

[Image: media_image1.png, 1028 × 758, greyscale]

Before the effective filing date of the invention it would have been obvious to one of ordinary skill in the art to modify the logon evaluation teachings of the prior art of 
Singh teaches user login information corresponding to one or more of the multiple users indicates a privilege escalation condition (reads on generating a user login graph associated with at least one user from log data and determining from the graph that a privilege escalation has occurred, see Singh claims 1 – 6, col. 45 lines 31 – 45 and col. 49 line 1 – col. 50 line 2); and cause a security response action to occur in response to (reads

[col. 45 lines 31 – 45] FIG. 26 illustrates an example of a process for detecting anomalies. In various embodiments, process 2600 is performed by platform 102. As explained above, a given session will have an original user. And, each action taken by the original user can be tied back to the original user, despite privilege changes and/or lateral movement throughout a datacenter. Process 2600 begins at 2602 when log data associated with a user session (and thus an original user) is received. At 2604, a logical graph is generated, using at least a portion of the collected data. When an anomaly is detected (2606), it can be recorded, and as applicable, an alert is generated (2608). The following are examples of graphs that can be generated (e.g., at 2604), with corresponding examples of anomalies that can be detected (e.g., at 2606) and alerted upon (e.g., at 2608).


[col. 49 line 1 – col. 50 line 2]
C. Privilege Change Graph
One way to track privilege changes in a datacenter is by monitoring a process hierarchy of processes. To help filter out noisy commands/processes such as “su-u,” the hierarchy of processes can be constrained to those associated with network activity. In a *nix system, each process has two identifiers assigned to it, a process identifier (PID) and a parent process identifier (PPID). When such a system starts, the initial process is assigned a PID 0. Each user process has a corresponding parent process.
 FIG. 30 illustrates a representation of a process tree. In the example shown in FIG. 30, PIDs have been replaced with an effective user running a given process. Thus, a designation of “root” (3002) indicates the user running the process is root, and a designation of “avahi” (3004) indicates the user running the process is avahi. Further, in the example shown in FIG. 30, processes depicted to the right of other processes are child processes. In line 3006, the user avahi became root and ran the process “padae_run,” whose parent is “avahi-daemon.” This represents a privilege change (from avahi to root).
Using techniques described herein, a graph can be constructed (also referred to herein as a privilege change graph) which models privilege changes. In particular, a graph can be constructed which identifies where a process P1 launches a process P2, where P1 and P2 each have an associated user U1 and U2, with U1 being an original user, and U2 being an effective user. In the graph, each node is a cluster of processes (sharing a CType) executed by a particular (original) user. As all the processes in the cluster belong to the same user, a label that can be used for the cluster is the user's username. An edge in the graph, from a first node to a second node, indicates that a user of the first node changed its privilege to the user of the second node.
FIG. 31 illustrates an example of a privilege change graph. In the example shown in FIG. 31, each node (e.g., nodes 3102 and 3104) represents a user. Privilege changes are indicated by edges, such as edge 3106.
As with other graphs, anomalies in graph 3100 can be used to generate alerts. Three examples of such alerts are as follows:
New user entering the datacenter. Any time a new user enters the datacenter and runs a process, the graph will show a new node, with a new CType. This indicates a new user has been detected within the datacenter. FIG. 31 is a representation of an example of an interface that depicts such an alert. Specifically, as indicated in region 3108, an alert for the time period 1 pm-2 pm on June 8 was generated. The alert identifies that a new user, Bill (3110) executed a process.
Privilege change. As explained above, a new edge, from a first node (user A) to a second node (user B) indicates that user A has changed privilege to user B.
Privilege escalation. Privilege escalation is a particular case of privilege change, in which the first user becomes root.
An example of an anomalous privilege change and an example of an anomalous privilege escalation are each depicted in graph 3200 of FIG. 32. In particular, as indicated in region 3202, two alerts for the time period 2 pm-3 pm on June 8 were generated (corresponding to the detection of the two anomalous events). In region 3204, root has changed privilege to the user “daemon,” which root has not previously done. This anomaly is indicated to the user by highlighting the daemon node (e.g., outlining it in the color red). As indicated by edge 3206, Bill has escalated his privilege to the user root (which can similarly be highlighted in region 3208). This action by Bill represents a privilege escalation.


1. A system, comprising: a processor configured to: receive log data associated with at least one user session in a network environment associated with an original user, wherein the received log data comprises information associated with the original user provided by a plurality of machines; generate a logical graph using at least a portion of the received log data, wherein the generated logical graph comprises a user login graph that models machines with which the original user interacts, and wherein the generated logical graph comprises: (1) a first node corresponding to the original user, (2) at least a second node, and (3) a set of edges, wherein the set of edges includes at least one edge connecting the first node to the second node; determine, using the generated logical graph, that a change has been made to the set of edges, wherein the change made to the set of edges is at least one of: (1) an addition of an edge to the set, and (2) a modification to an edge that is already present in the set; and in response to determining that the change has been made to the set of edges, automatically generating an alert that an anomaly in the network environment associated with the change in the set of edges has occurred; and a memory coupled to the processor and configured to provide the processor with instructions.
2. The system of claim 1 wherein using the generated logical graph to detect the anomaly includes detecting an anomaly associated with the original user.
3. The system of claim 2 wherein the processor is configured to detect the anomaly associated with the original user at least in part by determining an anomaly associated with a second user that is different from the original user and determining an association between the second user and the original user.
4. The system of claim 1 wherein the logical graph comprises an insider behavior graph, wherein the insider behavior graph models interactions of the original user with a network environment.
5. The system of claim 1 wherein the logical graph comprises a privilege change graph, wherein the privilege change graph models privilege changes between processes.
6. The system of claim 5 wherein the privilege changes are represented as edges in the privilege change graph.
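The following Python program is an added illustration of the privilege change graph of col. 49 – 50 and claims 5 – 6; it is not Singh's code and not the Office action's. It builds user nodes and privilege change edges from process-launch records, then compares the graph with a baseline to raise the three alerts Singh lists. The record layout, the commands and the baseline graph are assumptions; the launches mirror the FIG. 30 narrative (avahi to root) and the two FIG. 32 alerts (Bill to root, root to daemon).

```python
"""Added example (not Singh's code and not the Office action's): build a
privilege change graph from process-launch records and raise Singh's three
alert types (new user, new privilege change edge, privilege escalation to root).
The record layout, the commands and the baseline graph are assumptions."""

# Constructed process records: (pid, ppid, effective user, command).
# ppid 0 marks a session leader whose parent is outside the captured window.
PROCS = [
    (100, 0, "avahi", "avahi-daemon"),
    (101, 100, "root", "padae_run"),   # avahi became root (FIG. 30 narrative)
    (200, 0, "bill", "bash"),
    (201, 200, "root", "sudo -i"),     # bill became root (FIG. 32 escalation)
    (300, 0, "root", "cron"),
    (301, 300, "daemon", "helper"),    # root became daemon (FIG. 32 change)
    (302, 300, "root", "logrotate"),   # same user as parent: no edge
]

# Graph learnt from earlier time windows (assumption): avahi -> root is routine.
BASELINE_NODES = {"root", "avahi", "daemon"}
BASELINE_EDGES = {("avahi", "root")}


def build_privilege_graph(procs):
    """Nodes are users. An edge (u1, u2) records that a process running as u1
    launched a process running as u2 != u1, i.e. a privilege change."""
    user_of = {pid: user for pid, _ppid, user, _cmd in procs}
    nodes = set(user_of.values())
    edges = set()
    for _pid, ppid, user, _cmd in procs:
        parent_user = user_of.get(ppid)
        if parent_user is not None and parent_user != user:
            edges.add((parent_user, user))
    return nodes, edges


def detect_anomalies(nodes, edges, base_nodes=BASELINE_NODES,
                     base_edges=BASELINE_EDGES):
    """Compare the current graph with the baseline and emit alerts in the
    order Singh lists them: new user, then each new edge (an escalation when
    the edge ends at root, otherwise a privilege change)."""
    alerts = [("new_user", u) for u in sorted(nodes - base_nodes)]
    for edge in sorted(edges - base_edges):
        kind = "privilege_escalation" if edge[1] == "root" else "privilege_change"
        alerts.append((kind, edge))
    return alerts


if __name__ == "__main__":
    nodes, edges = build_privilege_graph(PROCS)
    for alert in detect_anomalies(nodes, edges):
        print(*alert)
```

Singh clusters processes by original user and constrains the hierarchy to processes with network activity; the example keeps only the parent-to-child effective-user comparison, which is what determines the edges. The same-user launch (root running logrotate) adds no edge, and the routine avahi to root edge is in the baseline, so only Bill's appearance, Bill's escalation to root and root's new change to daemon produce alerts.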





[Image: media_image2.png, 681 × 584, greyscale]

[Image: media_image3.png, 658 × 580, greyscale]


Before the effective filing date of the invention it would have been obvious to one of ordinary skill in the art to modify the privilege escalation teachings of the prior art of record (reads on potential damage due to the level of credentials used to access a computing node, see Evron para 0069 – 0070) by integrating the privilege escalation teachings of Singh (reads on generating a user login graph associated with at least one user from log data and determining from the graph that a privilege escalation has occurred, see Singh claims 1 – 6, col. 45 lines 31 – 45 and col. 49 line 1 – col. 50 line 2) to realize the instant limitations. One or more of the underpinning rationales, as discussed in KSR International Co. v. Teleflex Inc., 550 U.S. 398, 82 U.S.P.Q.2d 1385 (2007), see also MPEP § 2141(III), are used to support this conclusion of obviousness. Accordingly, it would have been obvious to one of ordinary skill in the

Per claim 2, the prior art of record further suggests wherein the multiple user evaluations comprise multiple user graphs (reads on more than one user account and more than one computer connection and more than one user logon event, see Stokes para 0006 and 0088).
Per claim 3, the prior art of record further suggests wherein the at least one population evaluation comprises at least one population graph (reads on to generate a graph representing the computer network comprising nodes that represent user accounts, see Stokes para 0088).
Per claim 7, the prior art of record further suggests wherein the security response action comprises sending a notification to a system administrator (see Evron Figure 1 block 105).
Per claim 8, the prior art of record further suggests wherein the security response action automatically (reads on automatically generating an alert that a privilege escalation condition has occurred, see Singh claim 1, Figure 26 blocks 2606, 2608 and col. 49 line 1 – col. 50 line 2), and without system administrator action (reads on automatically generating an alert that a privilege escalation condition has occurred, see Singh claim 1, Figure 26 blocks 2606, 2608 and col. 49 line 1 – col. 50 line 2), disabling login 
Claim 9 is analyzed with respect to claim 1.
Claim 10 is analyzed with respect to claim 2.
Claim 11 is analyzed with respect to claim 3.
Claim 15 is analyzed with respect to claim 7.
Claim 16 is analyzed with respect to claim 8.

Claims 4 – 6 and 12 – 14 are rejected under 35 U.S.C. 103 as being unpatentable over Stokes in view of Evron and Singh, and further in view of Xie (US Pub. No. 2012/0246720).


Per claim 4, the prior art of record suggests wherein the node scores are generated utilizing a strategy (reads on the combination of setting a score that may comprise a number of sub scores according to one or more potential damage characteristics and determining a combination of node indegree and outdegree and path-rate score using the weight of each edge, see Stokes para 0006 and 0040 – 0043, see Evron para 0069). The prior art of record is silent on explicitly stating a PageRank strategy. Xie suggests node scores are generated utilizing a PageRank strategy (reads on scores are assigned to each node using a PageRank computation, see Xie para 0030 – 0033).
[0030] At 306, a good user profile is determined. The analysis component 116 may use the email-communication graph (directed graph) and a user friendship graph (undirected graph) to determine a profile of good users. The profile may be developed using degree-based and PageRank based evaluations. The degree-based detection is performed based on the edges of the social graph. The degree-based detection is effective for detecting users with obvious patterns, including inactive users who only send a few emails, aggressive attackers who send many emails with few responses, and active good users who have many friends. Degree-based detection looks at an in-degree, which is a number of source users who send emails to the user; an out-degree, which is a number of destination users to whom the user sends emails; and a friend-degree, which is a number of friends of the user (represented by an undirected edge).
[0031] A directional degree-based detection is defined based on a threshold N. If the out-degree is less than or equal to N, then the user account is considered good. A bidirectional degree-based detection is defined as follows: if the out-degree is less than N for inactive users, then the account is considered good. If the out-degree is greater than N and the friend-degree/out-degree (i.e., 
[0032] PageRank may be used to assign a reputation score to the email account associated with a node on the graphs. The PageRank algorithm is widely used for ranking web pages. For web pages, PageRank utilizes a reputation value of a web page that is propagated to the web pages with an initial distribution. The PageRank computation may be iteratively repeated until a convergence point is reached. In the context of an email account (i.e., a node in the social graph 200), a reputation score is assigned to each node 202, 204, 206, 208, 210, 212, and 214 in the social graph. The score is propagated to the node's recipients/senders, at 306, described below.
[0033] In particular, let the social graph 200 be defined as follows: G=(V,E), where V is a set of nodes (email accounts) and E is a set of edges. For the PageRank algorithm with G, each node 202, 204, 206, 208, 210, 212, and 214 is initially assigned a uniform reputation score (e.g., 1.0). After the ith iteration, a node A's reputation score $R_{A,i+1}$ is given by equation (1):
$$R_{A,i+1} = 1 - d + d \sum_{\{X : e_{XA} \in E\}} \frac{R_{X,i}}{\mathrm{outdegree}(X)} \qquad (1)$$
where d is a damping factor (e.g., 0.85 or other predefined value), $R_{X,i}$ is the reputation score of node X after the previous iteration, and $\{X : e_{XA} \in E\}$ is the set of nodes in the graph having directed edges pointing to A. In some implementations, the original graph may be modified by adding an edge for each node starting and ending in itself, if this self-loop edge does not exist. This modification would have negligible impact on the overall ranking of all nodes, but provides for conservation of rep
[0074] It should be understood that the various techniques described herein may be implemented in connection with hardware or software or, where appropriate, with a combination of both. Thus, the methods and apparatus of the presently disclosed subject matter, or certain aspects or portions thereof, may take the form of program code (i.e., instructions) embodied in tangible media, such as floppy diskettes, CD-ROMs, hard drives, or any other machine-readable storage medium where, when the program code is loaded into and executed by a machine, such as a computer, the machine becomes an apparatus for practicing the presently disclosed subject matter.
[0075] Although exemplary implementations may refer to utilizing aspects of the presently disclosed subject matter in the context of one or more stand-alone computer systems, the subject matter is not so limited, but rather may be implemented in connection with any computing environment, 
[0076] Although the subject matter has been described in language specific to structural features and/or methodological acts, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to the specific features or acts described above. Rather, the specific features and acts described above are disclosed as example forms of implementing the claims.

Before the effective filing date of the invention it would have been obvious to one of ordinary skill in the art to modify the ranking teachings of the prior art of record by integrating the ranking teachings of Xie to realize the instant limitations. One or more of the underpinning rationales, as discussed in KSR International Co. v. Teleflex Inc., 550 U.S. 398, 82 U.S.P.Q.2d 1385 (2007), see also MPEP § 2141(III), are used to support this conclusion of obviousness. Accordingly, it would have been obvious to one of ordinary skill in the node ranking art to substitute the well-known PageRank node scoring/ranking algorithm for the path-rate node scoring/ranking algorithm in order to substitute one known in the art method for another known in the art method that accomplishes the same result. The Examiner notes the PageRank algorithm is not Applicant's invention and would be known by one of ordinary skill in the art to use in situations where node scoring based on incoming and outgoing connections is required. The motivation to combine the references applies to all claims under this heading.

Claim 5 is analyzed with respect to claim 4. The prior art of record further suggests wherein the node scores are based on (reads on the combination of setting a score that may comprise a number of sub scores according to one or more potential damage characteristics and determining a combination of node indegree and outdegree and path-rate score using the weight of each edge, see Stokes para 0006 and 0040 – 0043, see Evron para 0069) a difference between incoming connections and outgoing connections for corresponding nodes (The Examiner construes this to be an obvious limitation of utilizing a path-rate score using the weight of each edge, see Stokes para 0006 and 0040 – 0043, see Evron para 0069).
Claim 6 is analyzed with respect to claim 4. The prior art of record further suggests wherein the node scores are based on (reads on the combination of setting a score that may comprise a number of sub scores according to one or more potential damage characteristics and determining a combination of node indegree and outdegree and path-rate score using the weight of each edge, see Stokes para 0006 and 0040 – 0043, see Evron para 0069) a number of incoming connections for corresponding nodes (see Xie para 0030 – 0033).
Claim 12 is analyzed with respect to claim 4.
Claim 13 is analyzed with respect to claim 5.
Claim 14 is analyzed with respect to claim 6.
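The following Python program is an added illustration, not code from Xie or the Office action, of the two scoring strategies at issue under claims 4 – 6: the degree measures (number of incoming connections; incoming minus outgoing connections) and PageRank as written in Xie's equation (1), with the self-loop modification of paragraph 0033. The login graph is constructed for the illustration; Xie's own graph is email senders and recipients, so reading the edges as logins is an assumption.

```python
"""Added example (not Xie's code and not the Office action's): node scores for
a login graph by (a) the degree measures of claims 5 and 6 and (b) PageRank as
written in Xie's equation (1), including the self-loop modification of para
0033. The graph is constructed; the login reading of its edges is assumed."""

# Constructed directed graph: edge (src, dst) means an account on src logged
# in to dst. Three workstations reach a jump host, which reaches a database
# and a file server; the file server has a session back to ws-1.
EDGES = [
    ("ws-1", "jump"), ("ws-2", "jump"), ("ws-3", "jump"),
    ("jump", "db"), ("jump", "files"),
    ("db", "files"),
    ("files", "ws-1"),
]


def nodes_of(edges):
    return sorted({n for edge in edges for n in edge})


def degree_scores(edges):
    """Claim 6: score = number of incoming connections.
    Claim 5: score = incoming minus outgoing connections."""
    nodes = nodes_of(edges)
    indeg = dict.fromkeys(nodes, 0)
    outdeg = dict.fromkeys(nodes, 0)
    for src, dst in edges:
        outdeg[src] += 1
        indeg[dst] += 1
    return indeg, {n: indeg[n] - outdeg[n] for n in nodes}


def pagerank(edges, d=0.85, max_iter=200, tol=1e-12):
    """Xie eq. (1): R_{A,i+1} = 1 - d + d * sum_{X: e_XA in E} R_{X,i} / outdegree(X).
    A self-loop is added to every node (para 0033) so that no node has
    outdegree 0 and the total reputation in the graph is conserved."""
    nodes = nodes_of(edges)
    es = set(edges) | {(n, n) for n in nodes}
    outdeg = dict.fromkeys(nodes, 0)
    preds = {n: [] for n in nodes}
    for src, dst in es:
        outdeg[src] += 1
        preds[dst].append(src)
    r = dict.fromkeys(nodes, 1.0)              # uniform initial score
    for _ in range(max_iter):
        nxt = {a: 1 - d + d * sum(r[x] / outdeg[x] for x in preds[a]) for a in nodes}
        delta = max(abs(nxt[n] - r[n]) for n in nodes)
        r = nxt
        if delta < tol:                        # Xie: iterate until convergence
            break
    return r


def ranked(scores, k=None):
    """Nodes from highest to lowest score; ties broken by name."""
    order = sorted(scores, key=lambda n: (-scores[n], n))
    return order if k is None else order[:k]


if __name__ == "__main__":
    indeg, diff = degree_scores(EDGES)
    pr = pagerank(EDGES)
    for n in ranked(pr):
        print(f"{n:6} indeg={indeg[n]} in-out={diff[n]:+d} pagerank={pr[n]:.4f}")
```

On this graph the in-degree score ranks the jump host first (three inbound logins), whereas PageRank ranks the file server first: reputation flowing through the jump host and the database accumulates there, and the self-loops keep the total reputation equal to the number of nodes, which is the conservation property paragraph 0033 refers to. Which node a threshold comparison singles out therefore depends on the scoring strategy chosen, which is the substitution the rejection of claim 4 turns on.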

Conclusion

If attempts to reach the examiner by telephone are unsuccessful, the examiner's Supervisor, Ashok Patel can be reached on (571) 272-3972.  The fax phone number for the organization where this application or proceeding is assigned is 703-872-9306.  Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).

/BRIAN F SHAW/Primary Examiner, Art Unit 2491