Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.


Response to Arguments
Applicant's arguments filed have been fully considered but they are not persuasive. 

Applicant argues that the rejection, including Ettema, fails to teach “configuring at least one rule for a downstream partial cyber-attack in the cyber-attack chain based on the type and the attribute in an attack pattern…for future attacks.” Applicant argues that Ettema is silent with regard to downstream phases. Examiner disagrees. As cited in the previous office action, Ettema teaches analysis including downstream phases. Ettema states that analysis of advanced stages of threats not observed in the initial short time period may lead to rules for alerts and detection including rootkits, end game and exfiltration techniques. As Applicant is aware, rootkit control is a specific phase (command and control) of a cyber kill chain, as is exfiltration.
Examiner further argues that quick detection and expedient remedies to malicious software are not detrimental to continued monitoring of threats and to formulating new rules for said threats.
Applicant argues that Puri does not remedy Ettema because Puri does not teach a rule for a specific downstream phase of an attack chain. Examiner argues that, in general, Puri is relied upon to teach detecting, from a plurality of log sources, a cyber attack chain, and includes the plurality of phases. [0034] states “detect anomalies throughout several stages of the cyber kill

Applicant argues that Lem does teach different stages but is silent with regard to a chain of events. Applicant argues that Lem is directed at the potential attack within the same stage, but not a later downstream stage. Examiner disagrees. Examiner points to Lem [0039], which states that the attacks are multistage attacks. Lem then explicitly lists the multiple downstream stages of a cyber attack. Lem teaches in [0048], [0050] and [0052] that the downstream stage of “command and control” is considered in the cyber attack and that monitoring determines new rules according to said downstream stage to detect and flag certain properties.

Examiner has included a notice of additional references corresponding to this office action. Examiner would like to emphasize the Israel US 2018/0248893 reference. This reference was not relied upon only because the current rejection is believed to be sufficient to reject the claims at issue. Israel teaches a plurality of alerts in a plurality of phases of a cyber kill chain, with distinct properties and attributes.



Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective 

Claims 1-8, 12-19 and 23 are rejected under 35 U.S.C. 103 as being unpatentable over Puri US 2018/0322283 in view of Ettema US 10,530,810 in view of Lem US 2019/0132344.
As per claims 1, 12, Puri teaches A computer-implemented method, comprising: receiving a sequence of security events; determining, in the received sequence of security events, a first cyber-attack pattern using a correlation engine by applying a set of predefined rules for a detection of an indicator of compromise of a first partial cyber-attack of a cyber-attack chain, thereby identifying a specific cyber-attack chain; determining a type and an attribute in a pattern of the first partial cyber-attack of the identified specific cyber-attack chain; [0018][0019][0020][0024]-[0027] [0034]   (teaches learning behavior and performing analytics and using computer models to find attributes and to correlate attack events and APTs in order to detect cyber attack kill chains)

Ettema teaches configuring at least one rule for a downstream partial cyber-attack in the specific cyber-attack chain based on the type and the attribute in an attack pattern of the first partial cyber-attack; and adding the at least one configured rule to the set of predefined rules to be used by the correlation engine for dynamically identifying security threats to information technology systems. Ettema teaches that the rules address the specific cyber attack chain at at least one of the phases downstream of the first cyber attack of the specific cyber attack chain. (Column 4 line 30 to Column 5 line 48) (teaches a plurality of attributes used to configure detection, and other identification techniques which are sent downstream to other clients in order to detect and prevent further attacks in a kill chain)


Lem teaches the cyber attack chain having a plurality of phases with at least two phases having distinct types and attributes. Lem teaches rules that address the specific cyber attack chain at at least one of the phases downstream of the first partial cyber-attack of the specific cyber-attack chain. [0038]-[0051] (Lem teaches that chains have a plurality of phases: delivery, exploitation, lateral movement, command and control, etc., and that the delivery phase has a domain IP address attribute, while the C&C attribute includes a network profile, for example a persistent communication session between certain parties)
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to use the phases and attributes of Lem with the prior art because it improves APT detection.

As per claims 2, 13, Ettema teaches The method according to claim 1, further comprising: determining, in the received sequence of security events, a second cyber-attack pattern using the correlation engine by applying the configured at least one rule for a detection of a second indicator of compromise in the second cyber-attack of the cyber-attack chain. (Column 4 line 30 to Column 5 line 48) (detecting other cyber attacks based on updated rules)

As per claims 3, 14, Ettema teaches The method according to claim 1, wherein the set of rules uses information about malware attribute enumeration and characterization and structured threat information expressions. (Column 4 line 30 to Column 5 line 48) (detecting other cyber attacks based on updated rules including attributes)

As per claim 23, Puri teaches A computer-implemented method, comprising: receiving a sequence of security events; determining, in the received sequence of security events, a first cyber-attack pattern using a correlation engine by applying a set of predefined rules for a detection of an indicator of compromise of a first partial cyber-attack of a cyber-attack chain, thereby identifying a specific cyber-attack chain; determining a type and an attribute in a pattern of the first partial cyber-attack of the identified specific cyber-attack chain; [0018][0019][0020][0024]-[0027] [0034] (teaches learning behavior and performing analytics and using computer models to find attributes and to correlate attack events and APTs in order to detect cyber attack kill chains)

Ettema teaches configuring at least one rule for a downstream partial cyber-attack in the specific cyber-attack chain based on the type and the attribute in an attack pattern of the first partial 

It would have been obvious to one of ordinary skill in the art to use the rules of Ettema with the system of Puri because it would prevent further attacks and the spread of malware.
Claims 9 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Puri US 2018/0322283 in view of Ettema US 10,530,810 in view of Lem US 2019/0132344 in view of Thioux US 2017/0289191.


As per claims 9, 20, Thioux teaches The method according to claim 1, further comprising: removing the at least one configured rule for a downstream partial cyber-attack in the specific cyber-attack chain in the set of rules if it is determined that a risk value for the specific cyber-attack chain is reduced to below a predetermined risk threshold value. [0278] (teaches removing rules when a black list item has been determined to be of low or no risk)

Claims 10, 11, 21 and 22 are rejected under 35 U.S.C. 103 as being unpatentable over Puri US 2018/0322283 in view of Ettema US 10,530,810 in view of Lem US 2019/0132344 in view of Thioux US 2017/0289191 in view of Reinecke US 2018/0004958.
As per claims 10, 21, Reinecke teaches The method according to claim 9, further comprising: removing the at least one configured rule for a downstream partial cyber-attack in the specific cyber-attack chain if correlation engine using the at least one configured rule did not determine a downstream cyber-attack pattern for a predefined time. [0025] (teaches removing rules/model if performing poorly and does not detect attacks)
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to use the rule modification of Reinecke with the previous prior art combination because it is more efficient.
As per claim 11, Reinecke teaches The method according to claim 9, further comprising: removing a rule relating to at least one configured rule for a downstream partial cyber-attack in the specific cyber-attack chain in the set of rules from the repository of malware attribute 
As per claim 22, Reinecke teaches The system according to claim 20, wherein the instructions for removing comprise instructions for: removing a rule relating to at least one configured rule from set of predefined rules. [0025] (teaches removing rules/model if performing poorly and does not detect attacks)
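The rule lifecycle recited in the claims above (claim 1: a correlation engine applies predefined rules, identifies a first partial cyber-attack and configures a downstream rule from its type and attribute; claims 9 and 10: that rule is removed when the chain's risk value falls below a threshold or when it detects nothing for a predefined time), as an added illustration that is not code from the application or from Puri, Ettema, Lem, Thioux or Reinecke. The event fields, the delivery and command-and-control phases, the session count cut-off, the risk scores and the time limits are all assumed:

```python
from dataclasses import dataclass
from typing import Callable, Optional
@dataclass
class Rule:
    name: str
    phase: str                      # kill-chain phase this rule detects
    match: Callable[[dict], bool]   # indicator-of-compromise test on one event
    chain: Optional[str] = None     # set only on rules configured from a first hit
    last_hit: int = 0               # time of last detection (creation time for new rules)

class CorrelationEngine:
    def __init__(self, rules, idle_limit, risk_threshold):
        self.rules = list(rules)
        self.idle_limit = idle_limit          # claim 10: drop a chain rule silent this long
        self.risk_threshold = risk_threshold  # claim 9: drop when chain risk falls below this
        self.chain_risk = {}                  # assumed per-chain risk score, 1.0 on detection

    def process(self, event):
        hits = []
        for rule in list(self.rules):
            if rule.match(event):
                rule.last_hit = event["t"]
                hits.append(rule.name)
                if rule.chain is None:        # first partial attack: chain now identified
                    self._configure_downstream(event)
        self._prune(event["t"])
        return hits

    def _configure_downstream(self, event):
        # Delivery attribute (contacted IP) becomes the attribute of a new C2 rule; 5 sessions is an assumed cut-off.
        chain, ip = f"chain:{event['domain']}", event["ip"]
        self.chain_risk[chain] = 1.0
        self.rules.append(Rule(f"c2-to-{ip}", "command_and_control", chain=chain, last_hit=event["t"],
            match=lambda e, ip=ip: e.get("dst_ip") == ip and e.get("sessions", 0) >= 5))

    def _prune(self, now):
        self.rules = [r for r in self.rules if r.chain is None or (
            self.chain_risk.get(r.chain, 1.0) >= self.risk_threshold
            and now - r.last_hit <= self.idle_limit)]
# Constructed sample input: one proxy event and two firewall events; all values invented.
KNOWN_BAD = {"bad.example"}
BASE_RULES = [Rule("delivery-known-bad-domain", "delivery",
                   lambda e: e.get("phase") == "delivery" and e.get("domain") in KNOWN_BAD)]
SAMPLE = [{"t": 0, "phase": "delivery", "domain": "bad.example", "ip": "203.0.113.9"},
          {"t": 30, "dst_ip": "203.0.113.9", "sessions": 7},
          {"t": 400, "dst_ip": "198.51.100.1", "sessions": 1}]

def run(events=SAMPLE, idle_limit=300, risk_threshold=0.5):
    eng = CorrelationEngine(BASE_RULES, idle_limit, risk_threshold)
    return [eng.process(e) for e in events], [r.name for r in eng.rules]
```

Running `run()` shows the delivery hit configuring the C2 rule, the C2 rule firing on the later firewall event, and that rule being pruned once it has been silent longer than the idle limit; lowering `chain_risk` below the threshold removes it the same way.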

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHRISTOPHER BROWN whose telephone number is (571)272-3833.  The examiner can normally be reached on M-F 8-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on (571) 270-5002.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/CHRISTOPHER J BROWN/Primary Examiner, Art Unit 2439