DETAILED ACTION
The following is a non-final office action in response to applicants’ request for continued examination (RCE) filed on 12/16/2021.  Claims 1, 9, and 15 have been amended.  Claims 1-20 are currently pending and have been considered as follows.
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicants’ submission filed on 12/16/2021 has been entered.
Response to Arguments
Applicants’ amendment of independent Claims 1, 9, and 15 with the amended limitation “a weighted combination of exploit action attributes” has changed the scope of the claimed invention.  Therefore, applicants’ arguments on pages 9-12 of the remarks filed 12/16/2021 with respect to King (US 20100100930 A1) have been fully considered but are moot because the new ground of rejection does not rely on King as applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Lucangeli Obes et al. (US 20110035803 A1, hereinafter Lucangeli) in view of Swiler et al. (US 7013395 B1, hereinafter Swiler).
As to Amended Claim 1:
Lucangeli discloses a computer-implemented method (e.g. Lucangeli “system and method for extending automated penetration testing of a target network is provided” [Abstract]; “system and method provides an automated process for planning and performing a penetration test to assess security within a network of computers, devices and applications. A computer-generated plan is provided for an attack, which isolates the user from the complexity of selecting suitable exploits for hosts in a target network. In addition, a suitable model is provided to represent these attacks so as to systematize the knowledge gained during manual penetration tests performed by expert users, thereby making penetration testing frameworks more accessible to non-experts. Further, incorporating an attack planning phase to the penetration testing framework allows, in accordance with the present invention, optimizations based on, but not limited to, coverage of the tested threats, exploit running time, reliability, or evasion of intrusion detection systems, and other control or defense systems. As is known by those having ordinary skill in the art, intrusion detection systems are devices or applications that inspect network traffic, looking for attacks and generating alerts when attacks are detected. Detection is done by inspecting packet streams looking for "static signatures of attacks," or statistical deviations from good behavior, or variations of previously-identified malicious behavior” [0028]; [0029]), comprising:
generating an action path for a phase of a penetration test (e.g. Lucangeli attack planning phase to the penetration testing framework [0028] which includes making a Planning Domain Definition Language (PDDL) representation [0031]; producing a scenario [0055]; [0056] building the scenarios (that is, a PDDL representation [0059]; [0068] and calculating one or more possible plans that if executed, lead to the defined goal [0073]; planner module creates the plans [0091]), wherein the action path comprises a kill chain (e.g. Lucangeli list of penetration modules [0059]; PDDL actions are the building blocks to be executed [0061]), the kill chain comprises performance of a plurality of exploit actions (e.g. Lucangeli scenario includes sequence of penetration testing framework modules that are executed [0058]), and the generating the action path comprises identifying one or more exploit actions of the plurality of exploit actions (e.g. Lucangeli calculating an ordered sequence of actions to be executed [0099]) based on exploit action attributes (e.g. Lucangeli [0049]; [0061]-[0064]; [0076]), comprising a penetration parameter (e.g. Lucangeli success rate of the module for different types of assets [0049]; precondition PDDL predicates that must be satisfied to run each penetration module [0061]; “removes the actions that cannot be applied to any target host present in the PDDL scenario” [0080]; [0096]), a detection parameter (e.g. Lucangeli stealth-level parameter variable [0062]; [0063]), and a time parameter (e.g. Lucangeli running time for each module [0049]; run time [0063]) associated with each of the one or more exploit actions (e.g. Lucangeli “A second database 122 within the knowledge base 120 contains information regarding the modules located within a penetration testing framework module (100, FIG. 5), such as the requirements for each module and its performance statistics, including, but not limited to, the running time and success rate of the module for different types of assets. As a non-limiting example, such information may include the running time against each combination of operating system, version, and patch level” [0049]”; “Each action has a set of preconditions (requirements) that must be satisfied in order to run the action (e.g., the penetration module). These preconditions must be defined using PDDL predicates and logical connectors (i.e., AND, OR)” [0061]; “The parameters are defined by their type and the value of the parameter must be provided as input. An action has an effect, which generally speaking is the outcome of this action, sometimes expressed as predicates or recomputing the value of global plan variables (including but not limited to run_time, stealth_level or uncertainty), also called effects. Global plan variables are variables used by the planner” [0062]; “The planners that accept numerical effects can build plans constrained to a given metric optimization. An example of these planners is Metric-FF. It should be noted that possible effects could be, but are not limited to, different predicate assertions or increasing some numerical variable (metric) such as running_time” [0064]);
determining that performance of the one or more identified exploit actions permits successful completion of the phase of the penetration test (e.g. Lucangeli “The planner module 142 receives as input a PDDL scenario, and calculates one or more possible plans 144 that if executed, lead to the defined goal 134. The possible plans 144 calculated can be simple straight-forward paths or part of a tree-like structure with some decision points, dependent on the execution of some actions” [0073]; “If the goal is achieved, the automated penetration testing process is complete” [0091]; “a specific goal that the planner will try to reach by analyzing the scenario and the available actions (modules)” [0098])
based on the determining, designating the action path for inclusion as part of a best path for the penetration test (e.g. Lucangeli “since the attack planning problem has typically more than one solution, one may look for a specific solution, for example, the path that underlies less expected time of execution or has less expectancy to be detected by control systems” [0031]; “the post-planner processor module 143 can execute the alternative plans 144 in parallel in order to choose the best alternative based on different properties, including, but not limited to, run time, stealth level, or uncertainty” [0076]);
But Lucangeli does not specifically disclose:
a weighted combination of exploit action attributes.
However, the analogous art Swiler does disclose a weighted combination of exploit action attributes (e.g. Swiler generated attack graphs comprise weighted edges that use metrics such as attacker effort, likelihood of attack success, time to succeed [Abstract]; defined path is assigned a length value [column 3 lines 25-32]; multiple edge weight metrics on each edge [column 5 lines 11-24]; each path of edge weights in the attack graph represent a unique attack path of sequence of potential attack steps based on attack requirements [column 6 lines 3-11]; “Distance, in this case, relates to the edge weight functions in the attack templates and represents, as more fully explained above, such considerations as estimated time, cost, degree of effort and likelihood of detection of the attack” [column 9 lines 60-64]).  Lucangeli and Swiler
(e.g. see Swiler, “The invention is based on generation of attack graphs wherein each node represents a possible attack state and each edge represents a change in state caused by a single action taken by an attacker or unwitting assistant. Edges are weighted using metrics such as attacker effort, likelihood of attack success, or time to succeed. Generation of an attack graph is accomplished by matching information about attack requirements (specified in "attack templates") to information about computer system configuration (contained in a configuration file that can be updated to reflect system changes occurring during the course of an attack)” [Abstract]; “provide method for systematically identifying and mitigating vulnerabilities in a computer system including the steps of describing a set of potential attacks on the computer system, defining a path for each potential attack described, and for each path, assigning a length value, L, corresponding to degree of attacker effort necessary to effect the transition from the start condition to the attack goal” [column 3 lines 25-32]; “Each edge has a weight representing a system-security metric, such as success probability, average time to implement, or a cost/effort level for an attacker. This weight could be a function of configuration and attacker profile. A short path in the attack graph represents a low cost path. Since edge weights may only be estimates, we consider the set of all є-optimal paths… If the edge metrics are reasonably accurate, this set as a group represents the most exploitable parts of the network with respect to this metric. By having multiple metrics on each edge, one can represent conflicting criteria (e.g. the attacker wishes to maximize probability of success subject to a limit on time spent” [column 5 lines 11-24]; “The graph generator is a C++ program that creates the attack graph and populates the edges with edge weights, representing a security metric of interest. The graph is generated by matching the information known about the current state against the library of templates, choosing only the templates that apply to the current state. Each path in the graph represents a unique attack path. A path is a sequence of potential attack steps based on network configuration and attack requirements” [column 6 lines 3-11]; “Distance, in this case, relates to the edge weight functions in the attack templates and represents, as more fully explained above, such considerations as estimated time, cost, degree of effort and likelihood of detection of the attack” [column 9 lines 60-64]).
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art, having the teachings of Lucangeli and Swiler before him or her, to modify the invention of Lucangeli with the teachings of Swiler to include a weighted combination of exploit action attributes as claimed because Lucangeli provides a system and method for an automated process for planning and performing penetration testing to assess security within a network based upon success rates of penetration modules, stealth-level parameters, and running times (Lucangeli [Abstract]; [0028]; [0049]; [0061]-[0063]; [0080]; [0096]; [0099]) which could be considered as a weighted combination of metrics in unique attack paths (Swiler [Abstract]; [column 3 lines 25-32]; [column 5 lines 11-24]; [column 6 lines 3-11]; [column 9 lines 60-64]).  The suggestion/motivation for doing so would have been to provide insight into how to reduce network vulnerability and to provide a graph-based (Swiler [column 1 lines 21-23]; [column 3 lines 16-19]).  Therefore, it would have been obvious to combine Lucangeli and Swiler to obtain the invention as specified in the instant claim(s).
As to Claim 2:
Lucangeli in view of Swiler discloses the computer-implemented method of claim 1, further comprising: 
performing a scan action to determine a topology of a network environment (e.g. Lucangeli FIG. 11 “information regarding the target network is first collected… by performing a Rapid Penetration Test Information Gathering process” [0088]; “the information gathered is imported into the workspace 55 by the penetration testing framework module 100. As shown by block 206, the scenario translator 130 translates the data in the workspace 55 into the target network description 132 of the PDDL scenario 130. This process has been described in detail above… specifies all the known information about the target network, including but not limited to… connections between hosts, types of the connections, and open ports, among other relevant information that can be collected through an information gathering process” [0089]); and
storing the topology of the network environment, wherein the topology comprises metadata associated with a plurality of nodes operating in the network environment (e.g. Lucangeli “A first database 121 within the knowledge base 120 stores information regarding the network being tested and the on-going penetration test. This information can be extracted from the workspace 55 and includes the hosts discovered and information about each host, including, but not limited to, open/closed ports, agents installed and operating systems” [0048]; “A third database 123 within the knowledge base 120 stores information regarding target networks in general along with statistical estimations regarding the distribution of operating system installations depending on the machine type, vulnerabilities, network topologies, and other statistics’ [0050]; [0057]).
As to Claim 3:
Lucangeli in view of Swiler discloses the computer-implemented method of claim 2, further comprising: 
generating a next action path for a next phase of the penetration test, wherein the next action path is part of the kill chain (e.g. Lucangeli “the post-planner may select to do one of several things to ensure that the next plan achieves the goal. This may be, for example, removing the actions that failed, or looking for alternative actions that have the same effects as the actions that failed and executing them, or by interacting with the knowledge base to update its contents” [0091]; “The cycle can then start over by determining a new goal with the scenario modified after running the sequence of actions calculated by the planner” [0109]), and
the generating the next action path comprises adjusting the penetration parameter, the detection parameter, and/or the time parameter based on the metadata (e.g. Lucangeli modified run time, stealth [0063]; increasing metric such as running_time [0064]; “The pre-planner processor module 141 uses the information available in the knowledge base 120 and PDDL scenario to modify the PDDL scenario. The objective of the pre-planner processor module 141 is to enhance the efficiency of the execution, or run, of the planner module 142 underlying this scenario (explicitly, to minimize the running time of the planner against an alternative representation of the PDDL scenario with equivalent solutions). The pre-planner processor module 141 can, for example, reduce the complexity of building a plan by removing unnecessary constraints or definitions. The pre-processor module 141 also updates the knowledge base 120 with strategic information about the target networked computers and applications, including, but not limited to, OS installation statistics and versions” [0068]) and the designation of the action path (e.g. Lucangeli “The PDDL scenario, including the network description 132, available actions 133, and goal 134 are then sent to the attack plan solver module 140 (block 212). The pre-planner processor module 141 then modifies the received PDDL scenario to optimize its processing by the planner module” [0090]; “the optimized PDDL scenario is then received by the planner module 142 which creates the plans” [0091]);
identifying one or more other exploit actions of the plurality of exploit actions based on the adjusted penetration parameter, the adjusted detection parameter, and/or the adjusted time parameter (e.g. Lucangeli “Assume the pre-planner processor module 141 modified the PDDL scenario received form the scenario translator 130 and sends it to the planner module 142. The planner module 142 then starts the computation of a plan 144 and forces the usage of actions that learn new information from the target network and monitors when new information is received by the workspace and updated in the PDDL scenario… the workspace may be modified and so the scenario translator 130 will update the scenario with the changes” [0083]);
determining that performance of the one or more other exploit actions permits successful completion of the next phase of the penetration test (e.g. Lucangeli “The post-planner processor module 143 monitors the execution of each step and can perform actions based on changes observed in the scenario. The post-planner processor module 143 can force a re-plan action by sending the updated scenario and the original plan 144 to the planner module 142 so that the planner module 142 can calculate a new plan 144. This process can repeat itself to conform an iterative planning process” [0084]; “If the goal is achieved, the automated penetration testing process is complete.  Alternatively, if the goal is not complete, another plan is calculated by the planner module 142. In this case, post-planner may select to do one of several things to ensure that the next plan achieves the goal. This may be, for example, removing the actions that failed, or looking for alternative actions that have the same effects as the actions that failed and executing them, or by interacting with the knowledge base to update its contents” [0091])
based on the determining, designating the next action path for inclusion as part of the best path for the penetration test (e.g. Lucangeli “The pre-planner processor module 141 uses the information available in the knowledge base 120 and PDDL scenario to modify the PDDL scenario. The objective of the pre-planner processor module 141 is to enhance the efficiency of the execution, or run, of the planner module 142 underlying this scenario (explicitly, to minimize the running time of the planner against an alternative representation of the PDDL scenario with equivalent solutions). The pre-planner processor module 141 can, for example, reduce the complexity of building a plan by removing unnecessary constraints or definitions. The pre-processor module 141 also updates the knowledge base 120 with strategic information about the target networked computers and applications, including, but not limited to, OS installation statistics and versions” [0068]; “If the planner module 142 is a proactive planner with several alternative plans 144, the post-planner processor module 143 can execute the alternative plans 144 in parallel in order to choose the best alternative based on different properties, including, but not limited to, run time, stealth level, or uncertainty” [0076]; “If the planner module 142 is a reactive planner, the post-planner processor module 143 will execute the plan 144 in a single-step fashion, where after executing an action (step of the plan) the post-planner processor module 143 can recognize changes in the scenario and, after making the proper changes in the PDDL definition of the scenario, send the changed scenario back to the planner module 142 together with the original plan 144, to calculate a refined plan. The plans computed by reactive planners may also have actions that learn from the target network and updates the information in the scenario” [0077]).
As to Claim 4:
Lucangeli in view of Swiler discloses the computer-implemented method of claim 1, wherein
the penetration parameter comprises one or more penetration attributes, wherein the one or more penetration attributes comprise at least a data attribute, a credentials attribute, and an exploit attribute (e.g. Lucangeli requirements for each module and performance statistics including the success rate of the penetration module for different types of assets [0049]; precondition PDDL predicates that must be satisfied to run each penetration module [0061]; “removes the actions that cannot be applied to any target host present in the PDDL scenario” [0080]; [0096]),
the detection parameter comprises at least a detection attribute (e.g. Lucangeli stealth-level parameter variable [0062]; evasion of intrusion detection systems [0028]; less expectancy to be detected by control systems [0031]),
the time parameter indicates an execution time attribute associated with performing the one or more exploit actions (e.g. Lucangeli running time for each penetration testing module against each combination of operating system, version, and patch level [0049]; run time [0063]),
the one or more penetration attributes are positive attributes (e.g. Lucangeli success rate of the penetration module is a positive attribute [0049])
the detection attribute and the execution time attribute are negative attributes (e.g. Lucangeli expectancy to be detected by control system and running time for each penetration testing module are negative attributes [0031]; [0049]; [0062]; [0063]).
As to Claim 5:
Lucangeli in view of Swiler discloses the computer-implemented method of claim 1, wherein
the determining that performance of the one or more identified exploit actions permits successful completion of the phase of the penetration test (e.g. Lucangeli “The planner module 142 receives as input a PDDL scenario, and calculates one or more possible plans 144 that if executed, lead to the defined goal 134. The possible plans 144 calculated can be simple straight-forward paths or part of a tree-like structure with some decision points, dependent on the execution of some actions” [0073]; “If the goal is achieved, the automated penetration testing process is complete” [0091]; “a specific goal that the planner will try to reach by analyzing the scenario and the available actions (modules)” [0098]) comprises 
receiving indication that the one or exploit actions identified as part of generating the action path result in a lowest risk of detection during performance of the penetration test (e.g. Lucangeli stealth-level parameter variable [0062]; “incorporating an attack planning phase to the penetration testing framework allows, in accordance with the present invention, optimizations based on, but not limited to… evasion of intrusion detection systems, and other control or defense systems” [0028]; “since the attack planning problem has typically more than one solution, one may look for a specific solution, for example, the path that… has less expectancy to be detected by control systems” [0031]).
As to Claim 6:
Lucangeli in view of Swiler discloses the computer-implemented method of claim 3, wherein the penetration test is performed by a penetration testing server (e.g. Lucangeli FIG. 1 automated system 10; “Functionality of the present automated system 10 and method can be implemented in software, firmware, hardware, or a combination thereof. In a first exemplary embodiment, a portion of the automated system 10 is implemented in software, as an executable program, and is executed by a special or general-purpose digital computer, such as a… mainframe computer” [0035]), and the penetration testing server is not part of the network environment (e.g. Lucangeli automated system is separated from the target network by the Internet [0033]).
As to Claim 7:
Lucangeli in view of Swiler discloses the computer-implemented method of claim 3, further comprising generating the best path for the penetration test including:
configuring a penetration testing server to schedule performance of the next action path after performance of the action path (e.g. Lucangeli “The plans are then sent to the post-planner processor module 143 which executes the plans and updates the scenario based on execution results (block 218)… the post-planner may select to do one of several things to ensure that the next plan achieves the goal. This may be, for example, removing the actions that failed, or looking for alternative actions that have the same effects as the actions that failed and executing them, or by interacting with the knowledge base to update its contents” [0091]; “The cycle can then start over by determining a new goal with the scenario modified after running the sequence of actions calculated by the planner” [0109]); and
modifying the kill chain based on the scheduling (e.g. Lucangeli “The pre-planner processor module 141 uses the information available in the knowledge base 120 and PDDL scenario to modify the PDDL scenario. The objective of the pre-planner processor module 141 is to enhance the efficiency of the execution, or run, of the planner module 142 underlying this scenario (explicitly, to minimize the running time of the planner against an alternative representation of the PDDL scenario with equivalent solutions). The pre-planner processor module 141 can, for example, reduce the complexity of building a plan by removing unnecessary constraints or definitions. The pre-processor module 141 also updates the knowledge base 120 with strategic information about the target networked computers and applications, including, but not limited to, OS installation statistics and versions” [0068]; “Assume the pre-planner processor module 141 modified the PDDL scenario received form the scenario translator 130 and sends it to the planner module 142. The planner module 142 then starts the computation of a plan 144 and forces the usage of actions that learn new information from the target network and monitors when new information is received by the workspace and updated in the PDDL scenario… the workspace may be modified and so the scenario translator 130 will update the scenario with the changes” [0083]; “The post-planner processor module 143 monitors the execution of each step and can perform actions based on changes observed in the scenario. The post-planner processor module 143 can force a re-plan action by sending the updated scenario and the original plan 144 to the planner module 142 so that the planner module 142 can calculate a new plan 144. This process can repeat itself to conform an iterative planning process” [0084]; “If the goal is achieved, the automated penetration testing process is complete.  Alternatively, if the goal is not complete, another plan is calculated by the planner module 142. In this case, post-planner may select to do one of several things to ensure that the next plan achieves the goal. This may be, for example, removing the actions that failed, or looking for alternative actions that have the same effects as the actions that failed and executing them, or by interacting with the knowledge base to update its contents” [0091]).
As to Claim 8:
Lucangeli in view of Swiler discloses the computer-implemented method of claim 1, wherein
the action path is one of a plurality of available action paths that permit successful completion of the phase of the penetration test (e.g. Lucangeli “The planner module 142 receives as input a PDDL scenario, and calculates one or more possible plans 144 that if executed, lead to the defined goal 134. The possible plans 144 calculated can be simple straight-forward paths or part of a tree-like structure with some decision points, dependent on the execution of some actions” [0073]; “If the goal is achieved, the automated penetration testing process is complete” [0091]; “a specific goal that the planner will try to reach by analyzing the scenario and the available actions (modules)” [0098]), and
performing the one or more exploit actions comprised in the action path results in a lowest risk of detection during the penetration test compared to performing one or more other exploit actions comprised in one or more other action paths of the plurality of available action paths (e.g. Lucangeli “incorporating an attack planning phase to the penetration testing framework allows, in accordance with the present invention, optimizations based on, but not limited to… evasion of intrusion detection systems, and other control or defense systems” [0028]; “since the attack planning problem has typically more than one solution, one may look for a specific solution, for example, the path that… has less expectancy to be detected by control systems” [0031]) “If the planner module 142 is a proactive planner with several alternative plans 144, the post-planner processor module 143 can execute the alternative plans 144 in parallel in order to choose the best alternative based on different properties, including, but not limited to, run time, stealth level, or uncertainty” [0076]).


As to Amended Claim 9:
Lucangeli discloses a non-transitory computer readable storage medium (e.g. “The automated system 10 can be embodied in any computer-readable medium for use by or in connection with an instruction execution system, apparatus, or device, such as a computer-based system, processor-containing system, or other system that can fetch the instructions from the instruction execution system, apparatus, or device and execute the instructions” [0043]) comprising program instructions executable to:
generate an action path for a phase of a penetration test (e.g. Lucangeli attack planning phase to the penetration testing framework [0028] which includes making a Planning Domain Definition Language (PDDL) representation [0031]; produce a scenario [0055]; [0056] build the scenarios (that is, a PDDL representation [0059]; [0068] and calculate one or more possible plans that if executed, lead to the defined goal [0073]; planner module creates the plans [0091]), wherein the action path comprises a kill chain (e.g. Lucangeli list of penetration modules [0059]; PDDL actions are the building blocks to be executed [0061]), the kill chain comprises performance of a plurality of exploit actions (e.g. Lucangeli scenario includes sequence of penetration testing framework modules that are executed [0058]), and the generating the action path comprises identifying one or more exploit actions of the plurality of exploit actions (e.g. Lucangeli calculating an ordered sequence of actions to be executed [0099]) based on exploit action attributes (e.g. Lucangeli [0049]; [0061]-[0064]; [0076]), comprising a penetration parameter (e.g. Lucangeli success rate of the module for different types of assets [0049]; precondition PDDL predicates that must be satisfied to run each penetration module [0061]; “removes the actions that cannot be applied to any target host present in the PDDL scenario” [0080]; [0096]), a detection parameter (e.g. Lucangeli stealth-level parameter variable [0062]), and a time parameter (e.g. Lucangeli running time for each module [0049]; run time [0063]) associated with each of the one or more exploit actions (e.g. Lucangeli “A second database 122 within the knowledge base 120 contains information regarding the modules located within a penetration testing framework module (100, FIG. 5), such as the requirements for each module and its performance statistics, including, but not limited to, the running time and success rate of the module for different types of assets. As a non-limiting example, such information may include the running time against each combination of operating system, version, and patch level” [0049]”; “Each action has a set of preconditions (requirements) that must be satisfied in order to run the action (e.g., the penetration module). These preconditions must be defined using PDDL predicates and logical connectors (i.e., AND, OR)” [0061]; “The parameters are defined by their type and the value of the parameter must be provided as input. An action has an effect, which generally speaking is the outcome of this action, sometimes expressed as predicates or recomputing the value of global plan variables (including but not limited to run_time, stealth_level or uncertainty), also called effects. Global plan variables are variables used by the planner” [0062]; “The planners that accept numerical effects can build plans constrained to a given metric optimization. An example of these planners is Metric-FF. It should be noted that possible effects could be, but are not limited to, different predicate assertions or increasing some numerical variable (metric) such as running_time” [0064]);
determine that performance of the one or more identified exploit actions permits successful completion of the phase of the penetration test (e.g. Lucangeli “The planner module 142 receives as input a PDDL scenario, and calculates one or more possible plans 144 that if executed, lead to the defined goal 134. The possible plans 144 calculated can be simple straight-forward paths or part of a tree-like structure with some decision points, dependent on the execution of some actions” [0073]; “If the goal is achieved, the automated penetration testing process is complete” [0091]; “a specific goal that the planner will try to reach by analyzing the scenario and the available actions (modules)” [0098]); and
based on the determining, designate the action path for inclusion as part of a best path for the penetration test (e.g. Lucangeli “since the attack planning problem has typically more than one solution, one may look for a specific solution, for example, the path that underlies less expected time of execution or has less expectancy to be detected by control systems” [0031]; “the post-planner processor module 143 can execute the alternative plans 144 in parallel in order to choose the best alternative based on different properties, including, but not limited to, run time, stealth level, or uncertainty” [0076]);
But Lucangeli does not specifically disclose:
a weighted combination of exploit action attributes.
However, the analogous art Swiler does disclose a weighted combination of exploit action attributes (e.g. Swiler generated attack graphs comprise weighted edges that use metrics such as attacker effort, likelihood of attack success, time to succeed [Abstract]; defined path is assigned a length value [column 3 lines 25-32]; multiple edge weight metrics on each edge [column 5 lines 11-24]; each path of edge weights in the attack graph represent a unique attack path of sequence of potential attack steps based on attack requirements [column 6 lines 3-11]; “Distance, in this case, relates to the edge weight functions in the attack templates and represents, as more fully explained above, such considerations as estimated time, cost, degree of effort and likelihood of detection of the attack” [column 9 lines 60-64]).  Lucangeli and Swiler are analogous art because they are from the same field of endeavor in penetration testing of vulnerabilities with exploits.
(e.g. see Swiler, “The invention is based on generation of attack graphs wherein each node represents a possible attack state and each edge represents a change in state caused by a single action taken by an attacker or unwitting assistant. Edges are weighted using metrics such as attacker effort, likelihood of attack success, or time to succeed. Generation of an attack graph is accomplished by matching information about attack requirements (specified in "attack templates") to information about computer system configuration [Abstract]; “provide method for systematically identifying and mitigating vulnerabilities in a computer system including the steps of describing a set of potential attacks on the computer system, defining a path for each potential attack described, and for each path, assigning a length value, L, corresponding to degree of attacker effort necessary to effect the transition from the start condition to the attack goal” [column 3 lines 25-32]; “Each edge has a weight representing a system-security metric, such as success probability, average time to implement, or a cost/effort level for an attacker. This weight could be a function of configuration and attacker profile. A short path in the attack graph represents a low cost path. Since edge weights may only be estimates, we consider the set of all є-optimal paths… If the edge metrics are reasonably accurate, this set as a group represents the most exploitable parts of the network with respect to this metric. By having multiple metrics on each edge, one can represent conflicting criteria (e.g. the attacker wishes to maximize probability of success subject to a limit on time spent” [column 5 lines 11-24]; “The graph generator is a C++ program that creates the attack graph and populates the edges with edge weights, representing a security metric of interest. The graph is generated by matching the information known about the current state against the library of templates, choosing only the templates that apply to the current state. Each path in the graph represents a unique attack path. A path is a sequence of potential attack steps based on network configuration and attack requirements” [column 6 lines 3-11]; [column 9 lines 60-64]).
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art, having the teachings of Lucangeli and Swiler before him or her, to modify the invention of Lucangeli with the teachings of Swiler to include a weighted combination of exploit action attributes as claimed because Lucangeli provides a system and method for an automated process for planning and performing penetration testing to assess security within a network based upon success rates of penetration modules, stealth-level parameters, and running times (Lucangeli [Abstract]; [0028]; [0049]; [0061]-[0063]; [0080]; [0096]; [0099]) which could be considered as a weighted combination of metrics in unique attack paths (Swiler [Abstract]; [column 3 lines 25-32]; [column 5 lines 11-24]; [column 6 lines 3-11]; [column 9 lines 60-64]).  The suggestion/motivation for doing so would have been to provide insight into how to reduce network vulnerability and to provide a graph-based tool that can identify the set of attack paths that have a high probability of success (or a low "effort" cost) for the attacker (Swiler [column 1 lines 21-23]; [column 3 lines 16-19]).  Therefore, it would have been obvious to combine Lucangeli and Swiler to obtain the invention as specified in the instant claim(s).
As to Claim 10:
Lucangeli in view of Swiler
perform a scan action to determine a topology of a network environment (e.g. Lucangeli FIG. 11 “information regarding the target network is first collected… by performing a Rapid Penetration Test Information Gathering process” [0088]; “the information gathered is imported into the workspace 55 by the penetration testing framework module 100. As shown by block 206, the scenario translator 130 translates the data in the workspace 55 into the target network description 132 of the PDDL scenario 130. This process has been described in detail above… specifies all the known information about the target network, including but not limited to… connections between hosts, types of the connections, and open ports, among other relevant information that can be collected through an information gathering process” [0089]); and
store the topology of the network environment, wherein the topology comprises metadata associated with a plurality of nodes operating in the network environment (e.g. Lucangeli “A first database 121 within the knowledge base 120 stores information regarding the network being tested and the on-going penetration test. This information can be extracted from the workspace 55 and includes the hosts discovered and information about each host, including, but not limited to, open/closed ports, agents installed and operating systems” [0048]; “A third database 123 within the knowledge base 120 stores information regarding target networks in general along with statistical estimations regarding the distribution of operating system installations depending on the machine type, vulnerabilities, network topologies, and other statistics’ [0050]; [0057]).
As to Claim 11:
Lucangeli in view of Swiler discloses the non-transitory computer readable storage medium of claim 10, wherein the program instructions executable to:
generate a next action path for a next phase of the penetration test, wherein the next action path is part of the kill chain (e.g. Lucangeli “the post-planner may select to do one of several things to ensure that the next plan achieves the goal. This may be, for example, removing the actions that failed, or looking for alternative actions that have the same effects as the actions that failed and executing them, or by interacting with the knowledge base to update its contents” [0091]; “The cycle can then start over by determining a new goal with the scenario modified after running the sequence of actions calculated by the planner” [0109]), and
the generating the next action path comprises adjusting the penetration parameter, the detection parameter, and/or the time parameter based on the metadata (e.g. Lucangeli modified run time, stealth [0063]; increasing metric such as running_time [0064]; “The pre-planner processor module 141 uses the information available in the knowledge base 120 and PDDL scenario to modify the PDDL scenario. The objective of the pre-planner processor module 141 is to enhance the efficiency of the execution, or run, of the planner module 142 underlying this scenario (explicitly, to minimize the running time of the planner against an alternative representation of the PDDL scenario with equivalent solutions). The pre-planner processor module 141 can, for example, reduce the complexity of building a plan by removing unnecessary constraints or definitions. The pre-processor module 141 also updates the knowledge base 120 with strategic information about the target networked computers and applications, including, but not limited to, OS installation statistics and versions” [0068]) and the designation of the action path (e.g. Lucangeli “The PDDL scenario, including the network description 132, available actions 133, and goal 134 are then sent to the attack plan solver module 140 (block 212). The pre-planner processor module 141 then modifies the received PDDL scenario to optimize its processing by the planner module” [0090]; “the optimized PDDL scenario is then received by the planner module 142 which creates the plans” [0091]);
identify one or more other exploit actions of the plurality of exploit actions based on the adjusted penetration parameter, the adjusted detection parameter, and/or the adjusted time parameter (e.g. Lucangeli “Assume the pre-planner processor module 141 modified the PDDL scenario received form the scenario translator 130 and sends it to the planner module 142. The planner module 142 then starts the computation of a plan 144 and forces the usage of actions that learn new information from the target network and monitors when new information is received by the workspace and updated in the PDDL scenario… the workspace may be modified and so the scenario translator 130 will update the scenario with the changes” [0083])
determine that performance of the one or more other exploit actions permits successful completion of the next phase of the penetration test (e.g. Lucangeli “The post-planner processor module 143 monitors the execution of each step and can perform actions based on changes observed in the scenario. The post-planner processor module 143 can force a re-plan action by sending the updated scenario and the original plan 144 to the planner module 142 so that the planner module 142 can calculate a new plan 144. This process can repeat itself to conform an iterative planning process” [0084]; “If the goal is achieved, the automated penetration testing process is complete.  Alternatively, if the goal is not complete, another plan is calculated by the planner module 142. In this case, post-planner may select to do one of several things to ensure that the next plan achieves the goal. This may be, for example, removing the actions that failed, or looking for alternative actions that have the same effects as the actions that failed and executing them, or by interacting with the knowledge base to update its contents” [0091]); and
based on the determining, designate the next action path for inclusion as part of the best path for the penetration test (e.g. Lucangeli “The pre-planner processor module 141 uses the information available in the knowledge base 120 and PDDL scenario to modify the PDDL scenario. The objective of the pre-planner processor module 141 is to enhance the efficiency of the execution, or run, of the planner module 142 underlying this scenario (explicitly, to minimize the running time of the planner against an alternative representation of the PDDL scenario with equivalent solutions). The pre-planner processor module 141 can, for example, reduce the complexity of building a plan by removing unnecessary constraints or definitions. The pre-processor module 141 also updates the knowledge base 120 with strategic information about the target networked computers and applications, including, but not limited to, OS installation statistics and versions” [0068]; “If the planner module 142 is a proactive planner with several alternative plans 144, the post-planner processor module 143 can execute the alternative plans 144 in parallel in order to choose the best alternative based on different properties, including, but not limited to, run time, stealth level, or uncertainty” [0076]; “If the planner module 142 is a reactive planner, the post-planner processor module 143 will execute the plan 144 in a single-step fashion, where after executing an action (step of the plan) the post-planner processor module 143 can recognize changes in the scenario and, after making the proper changes in the PDDL definition of the scenario, send the changed scenario back to the planner module 142 together with the original plan 144, to calculate a refined plan. The plans computed by reactive planners may also have actions that learn from the target network and updates the information in the scenario” [0077]).
As to Claim 12:
Lucangeli in view of Swiler
the penetration parameter comprises one or more penetration attributes, wherein the one or more penetration attributes comprise at least a data attribute, a credentials attribute, and an exploit attribute (e.g. Lucangeli requirements for each module and performance statistics including the success rate of the penetration module for different types of assets [0049]; precondition PDDL predicates that must be satisfied to run each penetration module [0061]; “removes the actions that cannot be applied to any target host present in the PDDL scenario” [0080]; [0096]),
the detection parameter comprises at least a detection attribute (e.g. Lucangeli stealth-level parameter variable [0062]; evasion of intrusion detection systems [0028]; less expectancy to be detected by control systems [0031]),
the time parameter indicates an execution time attribute associated with performing the one or more exploit actions (e.g. Lucangeli running time for each penetration testing module against each combination of operating system, version, and patch level [0049]; run time [0063]),
the one or more penetration attributes are positive attributes (e.g. Lucangeli success rate of the penetration module is a positive attribute [0049]), and
the detection attribute and the execution time attribute are negative attributes (e.g. Lucangeli expectancy to be detected by control system and running time for each penetration testing module are negative attributes [0031]; [0049]; [0062]; [0063]).


As to Claim 13:
Lucangeli in view of Swiler discloses the non-transitory computer readable storage medium of claim 9, wherein
the determining that performance of the one or more identified exploit actions permits successful completion of the phase of the penetration test (e.g. Lucangeli “The planner module 142 receives as input a PDDL scenario, and calculates one or more possible plans 144 that if executed, lead to the defined goal 134. The possible plans 144 calculated can be simple straight-forward paths or part of a tree-like structure with some decision points, dependent on the execution of some actions” [0073]; “If the goal is achieved, the automated penetration testing process is complete” [0091]; “a specific goal that the planner will try to reach by analyzing the scenario and the available actions (modules)” [0098]) comprises 
receiving indication that the one or exploit actions identified as part of generating the action path result in a lowest risk of detection during performance of the penetration test (e.g. Lucangeli stealth-level parameter variable [0062]; “incorporating an attack planning phase to the penetration testing framework allows, in accordance with the present invention, optimizations based on, but not limited to… evasion of intrusion detection systems, and other control or defense systems” [0028]; “since the attack planning problem has typically more than one solution, one may look for a specific solution, for example, the path that… has less expectancy to be detected by control systems” [0031])
the action path is one of a plurality of available action paths that permit successful completion of the phase of the penetration test (e.g. Lucangeli “The planner module 142 receives as input a PDDL scenario, and calculates one or more possible plans 144 that if executed, lead to the defined goal 134. The possible plans 144 calculated can be simple straight-forward paths or part of a tree-like structure with some decision points, dependent on the execution of some actions” [0073]; “If the goal is achieved, the automated penetration testing process is complete” [0091]; “a specific goal that the planner will try to reach by analyzing the scenario and the available actions (modules)” [0098]), and
performing the one or more exploit actions comprised in the action path results in a lowest risk of detection during the penetration test compared to performing one or more other exploit actions comprised in one or more other action paths of the plurality of available action paths (e.g. Lucangeli “incorporating an attack planning phase to the penetration testing framework allows, in accordance with the present invention, optimizations based on, but not limited to… evasion of intrusion detection systems, and other control or defense systems” [0028]; “since the attack planning problem has typically more than one solution, one may look for a specific solution, for example, the path that… has less expectancy to be detected by control systems” [0031]) “If the planner module 142 is a proactive planner with several alternative plans 144, the post-planner processor module 143 can execute the alternative plans 144 in parallel in order to choose the best alternative based on different properties, including, but not limited to, run time, stealth level, or uncertainty” [0076]).
As to Claim 14:
Lucangeli in view of Swiler discloses the non-transitory computer readable storage medium of claim 11, wherein the penetration test is performed by a penetration testing server (e.g. Lucangeli FIG. 1 automated system 10; “Functionality of the present automated system 10 and method can be implemented in software, firmware, hardware, or a combination thereof. In a first exemplary embodiment, a portion of the automated system 10 is implemented in software, as an executable program, and is executed by a special or general-purpose digital computer, such as a… mainframe computer” [0035]), and the penetration testing server is not part of the network environment (e.g. Lucangeli automated system is separated from the target network by the Internet [0033]), and the program instructions are executable too generate the best path for the penetration test including configuring the penetration testing server to schedule performance of the next action path after performance of the action path (e.g. Lucangeli “The plans are then sent to the post-planner processor module 143 which executes the plans and updates the scenario based on execution results (block 218)… the post-planner may select to do one of several things to ensure that the next plan achieves the goal. This may be, for example, removing the actions that failed, or looking for alternative actions that have the same effects as the actions that failed and executing them, or by interacting with the knowledge base to update its contents” [0091]; “The cycle can then start over by determining a new goal with the scenario modified after running the sequence of actions calculated by the planner” [0109]), and modifying the kill chain based on the scheduling (e.g. Lucangeli “The pre-planner processor module 141 uses the information available in the knowledge base 120 and PDDL scenario to modify the PDDL scenario. The objective of the pre-planner processor module 141 is to enhance the efficiency of the execution, or run, of the planner module 142 underlying this scenario (explicitly, to minimize the running time of the planner against an alternative representation of the PDDL scenario with equivalent solutions). The pre-planner processor module 141 can, for example, reduce the complexity of building a plan by removing unnecessary constraints or definitions. The pre-processor module 141 also updates the knowledge base 120 with strategic information about the target networked computers and applications, including, but not limited to, OS installation statistics and versions” [0068]; “Assume the pre-planner processor module 141 modified the PDDL scenario received form the scenario translator 130 and sends it to the planner module 142. The planner module 142 then starts the computation of a plan 144 and forces the usage of actions that learn new information from the target network and monitors when new information is received by the workspace and updated in the PDDL scenario… the workspace may be modified and so the scenario translator 130 will update the scenario with the changes” [0083]; “The post-planner processor module 143 monitors the execution of each step and can perform actions based on changes observed in the scenario. The post-planner processor module 143 can force a re-plan action by sending the updated scenario and the original plan 144 to the planner module 142 so that the planner module 142 can calculate a new plan 144. This process can repeat itself to conform an iterative planning process” [0084]; “If the goal is achieved, the automated penetration testing process is complete.  Alternatively, if the goal is not complete, another plan is calculated by the planner module 142. In this case, post-planner may select to do one of several things to ensure that the next plan achieves the goal. This may be, for example, removing the actions that failed, or looking for alternative actions that have the same effects as the actions that failed and executing them, or by interacting with the knowledge base to update its contents” [0091]).
As to Amended Claim 15:
Lucangeli discloses a system (e.g. Lucangeli “automated system 10 and method can be implemented in software, firmware, hardware, or a combination thereof. In a first exemplary embodiment, a portion of the automated system 10 is implemented in software, as an executable program, and is executed by a special or general-purpose digital computer, such as a personal computer, workstation, minicomputer, or mainframe computer. The first exemplary embodiment of a general-purpose computer architecture that can implement the automated system 10 is shown in FIG. 2. Since the computer is executing functionality of the automated system 10, the computer is also identified by the number 10” [0035]) comprising:
one or more processors (e.g. Lucangeli “The processor 52 is a hardware device for executing software, particularly that stored in the memory 60. The processor 52 can be any custom made or commercially available processor, a central processing unit (CPU), an auxiliary processor among several processors associated with the computer 10, a semiconductor based microprocessor (in the form of a microchip or chip set), a macroprocessor, or generally any device for executing software instructions” [0037]); and
a memory coupled to the one or more processors (e.g. Lucangeli memory 60 [0038]; “The software 80 in the memory 60 may include one or more separate programs, or modules, each of which contains an ordered listing of executable instructions for implementing logical functions of the automated system 10” [0039]), wherein the memory stores program instructions executable by the one or more processors to:
generate an action path for a phase of a penetration test (e.g. Lucangeli attack planning phase to the penetration testing framework [0028] which includes making a Planning Domain Definition Language (PDDL) representation [0031]; produce a scenario [0055]; [0056] build the scenarios (that is, a PDDL representation [0059]; [0068] and calculate one or more possible plans that if executed, lead to the defined goal [0073]; planner module creates the plans [0091]), wherein the action path comprises a kill chain (e.g. Lucangeli list of penetration modules [0059]; PDDL actions are the building blocks to be executed [0061]), the kill chain comprises performance of a plurality of exploit actions (e.g. Lucangeli scenario includes sequence of penetration testing framework modules that are executed [0058]), and the generating the action path comprises identifying one or more exploit actions of the plurality of exploit actions (e.g. Lucangeli calculating an ordered sequence of actions to be executed [0099]) based on exploit action attributes (e.g. Lucangeli [0049]; [0061]-[0064]; [0076]), comprising a penetration parameter (e.g. Lucangeli success rate of the module for different types of assets [0049]; precondition PDDL predicates that must be satisfied to run each penetration module [0061]; “removes the actions that cannot be applied to any target host present in the PDDL scenario” [0080]; [0096]), a detection parameter (e.g. Lucangeli stealth-level parameter variable [0062]), and a time parameter (e.g. Lucangeli running time for each module [0049]; run time [0063]) associated with each of the one or more exploit actions (e.g. Lucangeli “A second database 122 within the knowledge base 120 contains information regarding the modules located within a penetration testing framework module (100, FIG. 5), such as the requirements for each module and its performance statistics, including, but not limited to, the running time and success rate of the module for different types of assets. As a non-limiting example, such information may include the running time against each combination of operating system, version, and patch level” [0049]”; “Each action has a set of preconditions (requirements) that must be satisfied in order to run the action (e.g., the penetration module). These preconditions must be defined using PDDL predicates and logical connectors (i.e., AND, OR)” [0061]; “The parameters are defined by their type and the value of the parameter must be provided as input. An action has an effect, which generally speaking is the outcome of this action, sometimes expressed as predicates or recomputing the value of global plan variables (including but not limited to run_time, stealth_level or uncertainty), also called effects. Global plan variables are variables used by the planner” [0062]; “The planners that accept numerical effects can build plans constrained to a given metric optimization. An example of these planners is Metric-FF. It should be noted that possible effects could be, but are not limited to, different predicate assertions or increasing some numerical variable (metric) such as running_time” [0064]);
determine that performance of the one or more identified exploit actions permits successful completion of the phase of the penetration test (e.g. Lucangeli “The planner module 142 receives as input a PDDL scenario, and calculates one or more possible plans 144 that if executed, lead to the defined goal 134. The possible plans 144 calculated can be simple straight-forward paths or part of a tree-like structure with some decision points, dependent on the execution of some actions” [0073]; “If the goal is achieved, the automated penetration testing process is complete” [0091]; “a specific goal that the planner will try to reach by analyzing the scenario and the available actions (modules)” [0098]); and
based on the determining, designate the action path for inclusion as part of a best path for the penetration test (e.g. Lucangeli “since the attack planning problem has typically more than one solution, one may look for a specific solution, for example, the path that underlies less expected time of execution or has less expectancy to be detected by control systems” [0031]; “the post-planner processor module 143 can execute the alternative plans 144 in parallel in order to choose the best alternative based on different properties, including, but not limited to, run time, stealth level, or uncertainty” [0076]);
But Lucangeli does not specifically disclose:
a weighted combination of exploit action attributes.
However, the analogous art Swiler does disclose a weighted combination of exploit action attributes (e.g. Swiler generated attack graphs comprise weighted edges that use metrics such as attacker effort, likelihood of attack success, time to succeed [Abstract]; defined path is assigned a length value [column 3 lines 25-32]; multiple edge weight metrics on each edge [column 5 lines 11-24]; each path of edge weights in the attack graph represent a unique attack path of sequence of potential attack steps based on attack requirements [column 6 lines 3-11]; “Distance, in this case, relates to the edge weight functions in the attack templates and represents, as more fully explained above, such considerations as estimated time, cost, degree of effort and likelihood of detection of the attack” [column 9 lines 60-64]).  Lucangeli and Swiler are analogous art because they are from the same field of endeavor in penetration testing of vulnerabilities with exploits.
(e.g. see Swiler, “The invention is based on generation of attack graphs wherein each node represents a possible attack state and each edge represents a change in state caused by a single action taken by an attacker or unwitting assistant. Edges are weighted using metrics such as attacker effort, likelihood of attack success, or time to succeed. Generation of an attack graph is accomplished by matching information about attack requirements (specified in [Abstract]; “provide method for systematically identifying and mitigating vulnerabilities in a computer system including the steps of describing a set of potential attacks on the computer system, defining a path for each potential attack described, and for each path, assigning a length value, L, corresponding to degree of attacker effort necessary to effect the transition from the start condition to the attack goal” [column 3 lines 25-32]; “Each edge has a weight representing a system-security metric, such as success probability, average time to implement, or a cost/effort level for an attacker. This weight could be a function of configuration and attacker profile. A short path in the attack graph represents a low cost path. Since edge weights may only be estimates, we consider the set of all є-optimal paths… If the edge metrics are reasonably accurate, this set as a group represents the most exploitable parts of the network with respect to this metric. By having multiple metrics on each edge, one can represent conflicting criteria (e.g. the attacker wishes to maximize probability of success subject to a limit on time spent” [column 5 lines 11-24]; “The graph generator is a C++ program that creates the attack graph and populates the edges with edge weights, representing a security metric of interest. The graph is generated by matching the information known about the current state against the library of templates, choosing only the templates that apply to the current state. Each path in the graph represents a unique attack path. A path is a sequence of potential attack steps based on [column 6 lines 3-11]; “Distance, in this case, relates to the edge weight functions in the attack templates and represents, as more fully explained above, such considerations as estimated time, cost, degree of effort and likelihood of detection of the attack” [column 9 lines 60-64]).
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art, having the teachings of Lucangeli and Swiler before him or her, to modify the invention of Lucangeli with the teachings of Swiler to include a weighted combination of exploit action attributes as claimed because Lucangeli provides a system and method for an automated process for planning and performing penetration testing to assess security within a network based upon success rates of penetration modules, stealth-level parameters, and running times (Lucangeli [Abstract]; [0028]; [0049]; [0061]-[0063]; [0080]; [0096]; [0099]) which could be considered as a weighted combination of metrics in unique attack paths (Swiler [Abstract]; [column 3 lines 25-32]; [column 5 lines 11-24]; [column 6 lines 3-11]; [column 9 lines 60-64]).  The suggestion/motivation for doing so would have been to provide insight into how to reduce network vulnerability and to provide a graph-based tool that can identify the set of attack paths that have a high probability of success (or a low "effort" cost) for the attacker (Swiler [column 1 lines 21-23]; [column 3 lines 16-19]).  Therefore, it would have been obvious to combine Lucangeli and Swiler to obtain the invention as specified in the instant claim(s).


As to Claim 16:
Lucangeli in view of Swiler discloses the system of claim 15, wherein the program instructions are executable to: 
perform a scan action to determine a topology of a network environment (e.g. Lucangeli FIG. 11 “information regarding the target network is first collected… by performing a Rapid Penetration Test Information Gathering process” [0088]; “the information gathered is imported into the workspace 55 by the penetration testing framework module 100. As shown by block 206, the scenario translator 130 translates the data in the workspace 55 into the target network description 132 of the PDDL scenario 130. This process has been described in detail above… specifies all the known information about the target network, including but not limited to… connections between hosts, types of the connections, and open ports, among other relevant information that can be collected through an information gathering process” [0089]); and
store the topology of the network environment, wherein the topology comprises metadata associated with a plurality of nodes operating in the network environment (e.g. Lucangeli “A first database 121 within the knowledge base 120 stores information regarding the network being tested and the on-going penetration test. This information can be extracted from the workspace 55 and includes the hosts discovered and information about each host, including, but not limited to, open/closed ports, agents installed and operating systems” [0048]; “A third database 123 within the knowledge base 120 stores information regarding target networks in general along with statistical estimations regarding the distribution of operating system installations depending on the machine type, vulnerabilities, network topologies, and other statistics’ [0050]; [0057]).
As to Claim 17:
Lucangeli in view of Swiler discloses the system of claim 16, wherein the program instructions are executable to: 
generate a next action path for a next phase of the penetration test, wherein the next action path is part of the kill chain (e.g. Lucangeli “the post-planner may select to do one of several things to ensure that the next plan achieves the goal. This may be, for example, removing the actions that failed, or looking for alternative actions that have the same effects as the actions that failed and executing them, or by interacting with the knowledge base to update its contents” [0091]; “The cycle can then start over by determining a new goal with the scenario modified after running the sequence of actions calculated by the planner” [0109]), and
the generating the next action path comprises adjusting the penetration parameter, the detection parameter, and/or the time parameter based on the metadata (e.g. Lucangeli modified run time, stealth [0063]; increasing metric such as running_time [0064]; “The pre-planner processor module 141 uses the information available in the knowledge base 120 and PDDL scenario to modify the PDDL scenario. The objective of the pre-planner processor module 141 is to enhance the efficiency of the execution, or run, of the planner module 142 underlying this scenario (explicitly, to minimize the running time of the planner against an alternative representation of the PDDL scenario with equivalent solutions). The pre-planner processor module 141 can, for example, reduce the complexity of building a plan by removing unnecessary constraints or definitions. The pre-processor module 141 also updates the knowledge base 120 with strategic information about the target networked computers and applications, including, but not limited to, OS installation statistics and versions” [0068]) and the designation of the action path (e.g. Lucangeli “The PDDL scenario, including the network description 132, available actions 133, and goal 134 are then sent to the attack plan solver module 140 (block 212). The pre-planner processor module 141 then modifies the received PDDL scenario to optimize its processing by the planner module” [0090]; “the optimized PDDL scenario is then received by the planner module 142 which creates the plans” [0091]);
identify one or more other exploit actions of the plurality of exploit actions based on the adjusted penetration parameter, the adjusted detection parameter, and/or the adjusted time parameter (e.g. Lucangeli “Assume the pre-planner processor module 141 modified the PDDL scenario received form the scenario translator 130 and sends it to the planner module 142. The planner module 142 then starts the computation of a plan 144 and forces the usage of actions that learn new information from the target network and monitors when new information is received by the workspace and updated in the PDDL scenario… the workspace may be modified and so the scenario translator 130 will update the scenario with the changes” [0083]);
determine that performance of the one or more other exploit actions permits successful completion of the next phase of the penetration test (e.g. Lucangeli “The post-planner processor module 143 monitors the execution of each step and can perform actions based on changes observed in the scenario. The post-planner processor module 143 can force a re-plan action by sending the updated scenario and the original plan 144 to the planner module 142 so that the planner module 142 can calculate a new plan 144. This process can repeat itself to conform an iterative planning process” [0084]; “If the goal is achieved, the automated penetration testing process is complete.  Alternatively, if the goal is not complete, another plan is calculated by the planner module 142. In this case, post-planner may select to do one of several things to ensure that the next plan achieves the goal. This may be, for example, removing the actions that failed, or looking for alternative actions that have the same effects as the actions that failed and executing them, or by interacting with the knowledge base to update its contents” [0091]); and
based on the determining, designate the next action path for inclusion as part of the best path for the penetration test (e.g. Lucangeli “The pre-planner processor module 141 uses the information available in the knowledge base 120 and PDDL scenario to modify the PDDL scenario. The objective of the pre-planner processor module 141 is to enhance the efficiency of the execution, or run, of the planner module 142 underlying this scenario (explicitly, to minimize the running time of the planner against an alternative representation of the PDDL scenario with equivalent solutions). The pre-planner processor module 141 can, for example, reduce the complexity of building a plan by removing unnecessary constraints or definitions. The pre-processor module 141 also updates the knowledge base 120 with strategic information about the target networked computers and applications, including, but not limited to, OS installation statistics and versions” [0068]; “If the planner module 142 is a proactive planner with several alternative plans 144, the post-planner processor module 143 can execute the alternative plans 144 in parallel in order to choose the best alternative based on different properties, including, but not limited to, run time, stealth level, or uncertainty” [0076]; “If the planner module 142 is a reactive planner, the post-planner processor module 143 will execute the plan 144 in a single-step fashion, where after executing an action (step of the plan) the post-planner processor module 143 can recognize changes in the scenario and, after making the proper changes in the PDDL definition of the scenario, send the changed scenario back to the planner module 142 together with the original plan 144, to calculate a refined plan. The plans computed by reactive planners may also have actions that learn from the target network and updates the information in the scenario” [0077]).
As to Claim 18:
Lucangeli in view of Swiler 
the penetration parameter comprises one or more penetration attributes, wherein the one or more penetration attributes comprise at least a data attribute, a credentials attribute, and an exploit attribute (e.g. Lucangeli requirements for each module and performance statistics including the success rate of the penetration module for different types of assets [0049]; precondition PDDL predicates that must be satisfied to run each penetration module [0061]; “removes the actions that cannot be applied to any target host present in the PDDL scenario” [0080]; [0096]),
the detection parameter comprises at least a detection attribute (e.g. Lucangeli stealth-level parameter variable [0062]; evasion of intrusion detection systems [0028]; less expectancy to be detected by control systems [0031]),
the time parameter indicates an execution time attribute associated with performing the one or more exploit actions (e.g. Lucangeli running time for each penetration testing module against each combination of operating system, version, and patch level [0049]; run time [0063]),
the one or more penetration attributes are positive attributes (e.g. Lucangeli success rate of the penetration module is a positive attribute [0049]), and
the detection attribute and the execution time attribute are negative attributes (e.g. Lucangeli expectancy to be detected by control system and running time for each penetration testing module are negative attributes [0031]; [0049]; [0062]; [0063]).
As to Claim 19:
Lucangeli in view of Swiler 
the determining that performance of the one or more identified exploit actions permits successful completion of the phase of the penetration test (e.g. Lucangeli “The planner module 142 receives as input a PDDL scenario, and calculates one or more possible plans 144 that if executed, lead to the defined goal 134. The possible plans 144 calculated can be simple straight-forward paths or part of a tree-like structure with some decision points, dependent on the execution of some actions” [0073]; “If the goal is achieved, the automated penetration testing process is complete” [0091]; “a specific goal that the planner will try to reach by analyzing the scenario and the available actions (modules)” [0098]) comprises 
receiving indication that the one or exploit actions identified as part of generating the action path result in a lowest risk of detection during performance of the penetration test (e.g. Lucangeli stealth-level parameter variable [0062]; “incorporating an attack planning phase to the penetration testing framework allows, in accordance with the present invention, optimizations based on, but not limited to… evasion of intrusion detection systems, and other control or defense systems” [0028]; “since the attack planning problem has typically more than one solution, one may look for a specific solution, for example, the path that… has less expectancy to be detected by control systems” [0031]),
the action path is one of a plurality of available action paths that permit successful completion of the phase of the penetration test (e.g. Lucangeli “The planner module 142 receives as input a PDDL scenario, and calculates one or more possible plans 144 that if executed, lead to the defined goal 134. The possible plans 144 calculated can be simple straight-forward paths or part of a tree-like structure with some decision points, dependent on the execution of some actions” [0073]; “If the goal is achieved, the automated penetration testing process is complete” [0091]; “a specific goal that the planner will try to reach by analyzing the scenario and the available actions (modules)” [0098]), and
performing the one or more exploit actions comprised in the action path results in a lowest risk of detection during the penetration test compared to performing one or more other exploit actions comprised in one or more other action paths of the plurality of available action paths (e.g. Lucangeli “incorporating an attack planning phase to the penetration testing framework allows, in accordance with the present invention, optimizations based on, but not limited to… evasion of intrusion detection systems, and other control or defense systems” [0028]; “since the attack planning problem has typically more than one solution, one may look for a specific solution, for example, the path that… has less expectancy to be detected by control systems” [0031]) “If the planner module 142 is a proactive planner with several alternative plans 144, the post-planner processor module 143 can execute the alternative plans 144 in parallel in order to choose the best alternative based on different properties, including, but not limited to, run time, stealth level, or uncertainty” [0076]).

As to Claim 20:
Lucangeli in view of Swiler discloses the system of claim 17, wherein the penetration test is performed by a penetration testing server (e.g. Lucangeli FIG. 1 automated system 10; “Functionality of the present automated system 10 and method can be implemented in software, firmware, hardware, or a combination thereof. In a first exemplary embodiment, a portion of the automated system 10 is implemented in software, as an executable program, and is executed by a special or general-purpose digital computer, such as a… mainframe computer” [0035]), the penetration testing server is not part of the network environment (e.g. Lucangeli automated system is separated from the target network by the Internet [0033]), and the program instructions are executable to generate the best path for the penetration test including to configure the penetration testing server to schedule performance of the next action path after performance of the action path (e.g. Lucangeli “The plans are then sent to the post-planner processor module 143 which executes the plans and updates the scenario based on execution results (block 218)… the post-planner may select to do one of several things to ensure that the next plan achieves the goal. This may be, for example, removing the actions that failed, or looking for alternative actions that have the same effects as the actions that failed and executing them, or by interacting with the knowledge base to update its contents” [0091]; “The cycle can then start over by determining a new goal with the scenario modified after running the sequence of actions calculated by the planner” [0109]), and modify the kill chain based on the scheduling (e.g. Lucangeli “The pre-planner processor module 141 uses the information available in the knowledge base 120 and PDDL scenario to modify the PDDL scenario. The objective of the pre-planner processor module 141 is to enhance the efficiency of the execution, or run, of the planner module 142 underlying this scenario (explicitly, to minimize the running time of the planner against an alternative representation of the PDDL scenario with equivalent solutions). The pre-planner processor module 141 can, for example, reduce the complexity of building a plan by removing unnecessary constraints or definitions. The pre-processor module 141 also updates the knowledge base 120 with strategic information about the target networked computers and applications, including, but not limited to, OS installation statistics and versions” [0068]; “Assume the pre-planner processor module 141 modified the PDDL scenario received form the scenario translator 130 and sends it to the planner module 142. The planner module 142 then starts the computation of a plan 144 and forces the usage of actions that learn new information from the target network and monitors when new information is received by the workspace and updated in the PDDL scenario… the workspace may be modified and so the scenario translator 130 will update the scenario with the changes” [0083]; “The post-planner processor module 143 monitors the execution of each step and can perform actions based on changes observed in the scenario. The post-planner processor module 143 can force a re-plan action by sending the updated scenario and the original plan 144 to the planner module 142 so that the planner module 142 can calculate a new plan 144. This process can repeat itself to conform an iterative planning process” [0084]; “If the goal is achieved, the automated penetration testing process is complete.  Alternatively, if the goal is not complete, another plan is calculated by the planner module 142. In this case, post-planner may select to do one of several things to ensure that the next plan achieves the goal. This may be, for example, removing the actions that failed, or looking for alternative actions that have the same effects as the actions that failed and executing them, or by interacting with the knowledge base to update its contents” [0091]).
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicants’ disclosure.
Chen et al. (US 20090077666 A1) is cited for analyzing security threats associated with vulnerabilities and generating attack graphs for scenarios.
Giakouminakis et al. (US 20130074188 A1) is cited for determining overall risk using a security tool that utilizes factors and weights for the factors.
Loder et al. (US 20140351940 A1) is cited for a security assessment tool that includes listing counter measures to security threats and weighting values.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Kenneth W Chang whose telephone number is (571)270-7530. The examiner can normally be reached Monday - Friday 9-5pm EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/KENNETH W CHANG/Primary Examiner, Art Unit 2438                                                                                                                                                                                                        
    PNG
    media_image1.png
    35
    280
    media_image1.png
    Greyscale

01.11.2022