Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
Claims 1-20 have been allowed.
Drawings filed on 04/14/2021 have been accepted.
Specification
The disclosure is objected to because of the following typographical informalities:
“attach chain” in para. 0067
“cyber-attach techniques” in para. 0073
Appropriate correction is required.

EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
The application has been amended as follows: minor typographical corrections in claims 1, 19, and 20, and amendments overcoming 35 U.S.C. 112(b) in claims 3 and 17.
Please amend claim 1 as follows:
1. (Currently Amended) A computerized method, comprising:
(a) scanning and mapping a network, of an organization or a venue or a domain; and collecting data and meta-data about network elements of said network;
(b) generating a Permissions Directed-Graph (G1), which indicates permissions that each network element has; wherein each vertex in the Permissions Directed-Graph (G1) represents a network element; wherein each edge in the Permissions Directed-Graph (G1) represents a relationship between two network elements; wherein the Permissions Directed-Graph (G1) represents at least whether a particular user has or does not have access to a particular machine;
(c) generating a Network Connectivity Directed-Graph (G2), which indicates accessible direct-communication routes between network elements;
(d) obtaining a list of attack techniques; and applying a Static Verification process on the list of attack techniques, to generate an initial version of an Attacks Directed-Graph (G3) which maps particular attacks to network elements that are represented in the Permissions Directed-Graph (G1) and in the Network Connectivity Directed-Graph (G2); wherein the Static Verification process comprises generating an initial list of all relevant cyber-attack techniques regardless of context;
(e) performing a Dynamic Verification process on said initial list of all relevant  cyber-attack techniques, and constructing an updated list of dynamically-verified Attack Vectors that were verified as being available within a particular operational context;
(f) generating a Ranking for each dynamically-verified Attack Vector in the updated list of dynamically-verified Attack Vectors;
(g) based on rankings generated in step (f), performing prioritization of the dynamically-verified Attack Vectors and performing prioritization of threat mitigation resources;
(h) activating one or more threat mitigation resources, based on one or more prioritization outputs generated in step (g).

Please amend claim 3 as follows:
3. (Currently Amended) The computerized method of claim 2,
wherein said querying is performed via a domain user which has read-only access privileges towards the Active Directory (AD) service, without full read-and-write access to the Active Directory (AD) service, to reduce risk to said network.

Please amend claim 17 as follows:
17. (Currently Amended) The computerized method of claim 1,
wherein at least one of step (d) and step (e) comprises:
(I) initially tagging a particular Attack Vector as an attack vector that is a threat to said network due to existence of one or more particular Vulnerabilities that said particular Attack Vector exploits;
(II) subsequently, un-tagging said particular Attack Vector as a threat to said network, due to a determination that said vulnerability cannot be exploited due to at least one of: (i) lack of a permission of a particular user to perform a particular operation, (ii) lack of connectivity between two particular network elements.

Please amend claim 19 as follows:
19. (Currently Amended) A non-transitory storage medium having stored thereon instructions that, when executed by one or more processors, cause the one or more processors to perform a method comprising:
(a) scanning and mapping a network, of an organization or a venue or a domain; and collecting data and meta-data about network elements of said network;
(b) generating a Permissions Directed-Graph (G1), which indicates permissions that each network element has; wherein each vertex in the Permissions Directed-Graph (G1) represents a network element; wherein each edge in the Permissions Directed-Graph (G1) represents a relationship between two network elements; wherein the Permissions Directed-Graph (G1) represents at least whether a particular user has or does not have access to a particular machine;
(c) generating a Network Connectivity Directed-Graph (G2), which indicates accessible direct-communication routes between network elements;
(d) obtaining a list of attack techniques; and applying a Static Verification process on the list of attack techniques, to generate an initial version of an Attacks Directed-Graph (G3) which maps particular attacks to network elements that are represented in the Permissions Directed-Graph (G1) and in the Network Connectivity Directed-Graph (G2); wherein the Static Verification process comprises generating an initial list of all relevant cyber-attack techniques regardless of context;
(e) performing a Dynamic Verification process on said initial list of all relevant cyber-attack techniques, and constructing an updated list of dynamically-verified Attack Vectors that were verified as being available within a particular operational context;
(f) generating a Ranking for each dynamically-verified Attack Vector in the updated list of dynamically-verified Attack Vectors;
(g) based on rankings generated in step (f), performing prioritization of the dynamically-verified Attack Vectors and performing prioritization of threat mitigation resources;
(h) activating one or more threat mitigation resources, based on one or more prioritization outputs generated in step (g).

Please amend claim 20 as follows:
20. (Currently Amended) A system comprising:
one or more processors, operably associated with one or more memory units that stores program code or data, wherein the one or more processors are configured to perform:
(a) scanning and mapping a network, of an organization or a venue or a domain; and collecting data and meta-data about network elements of said network;
(b) generating a Permissions Directed-Graph (G1), which indicates permissions that each network element has; wherein each vertex in the Permissions Directed-Graph (G1) represents a network element; wherein each edge in the Permissions Directed-Graph (G1) represents a relationship between two network elements; wherein the Permissions Directed-Graph (G1) represents at least whether a particular user has or does not have access to a particular machine;
(c) generating a Network Connectivity Directed-Graph (G2), which indicates accessible direct-communication routes between network elements;
(d) obtaining a list of attack techniques; and applying a Static Verification process on the list of attack techniques, to generate an initial version of an Attacks Directed-Graph (G3) which maps particular attacks to network elements that are represented in the Permissions Directed-Graph (G1) and in the Network Connectivity Directed-Graph (G2); wherein the Static Verification process comprises generating an initial list of all relevant cyber-attack techniques regardless of context;
(e) performing a Dynamic Verification process on said initial list of all relevant cyber-attack techniques, and constructing an updated list of dynamically-verified Attack Vectors that were verified as being available within a particular operational context;
(f) generating a Ranking for each dynamically-verified Attack Vector in the updated list of dynamically-verified Attack Vectors;
(g) based on rankings generated in step (f), performing prioritization of the dynamically-verified Attack Vectors and performing prioritization of threat mitigation resources;
(h) activating one or more threat mitigation resources, based on one or more prioritization outputs generated in step (g).
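The following is an added illustration of the procedure recited in claims 1 and 17 above; it is not code from the application, the applicant, or the examiner. It builds a small Permissions Directed-Graph (G1) and Network Connectivity Directed-Graph (G2) from constructed sample data, runs the Static Verification of step (d) to enumerate every candidate attack vector regardless of context, then runs the Dynamic Verification of step (e) as claim 17 describes it: every vector is initially tagged as a threat and is un-tagged when the actor lacks the required permission in G1 or the route lacks the required connectivity in G2. The surviving vectors are ranked (step (f)) by the criticality of the asset they reach, and candidate mitigations are prioritized (step (g)) by the summed rank of the vectors each one removes. The technique labels, the rights and service names, and the criticality scores are all hypothetical.

```python
"""Toy model of claims 1 and 17: G1/G2 graphs, static then dynamic
verification of attack vectors, ranking, and mitigation prioritization.
All data below is constructed for the example; technique labels are hypothetical."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Edge = Tuple[str, str]

# G1, Permissions Directed-Graph: (principal -> machine) edges labelled with the
# rights the principal holds on that machine. No edge means no access at all.
G1: Dict[Edge, Set[str]] = {
    ("alice", "ws-01"): {"login", "admin"},
    ("alice", "file-srv"): {"login"},
    ("bob", "ws-02"): {"login"},
    ("svc-backup", "file-srv"): {"login", "admin"},
    ("svc-backup", "db-01"): {"login", "admin"},
}
# G2, Network Connectivity Directed-Graph: (machine -> machine) edges labelled
# with the services reachable on that direct route. No edge means no route.
G2: Dict[Edge, Set[str]] = {
    ("ws-01", "file-srv"): {"smb"},
    ("ws-02", "file-srv"): {"smb"},
    ("file-srv", "db-01"): {"sql"},
}
# Attack technique catalogue (hypothetical labels): the right the actor must hold
# on the source machine and the service that must be reachable on the target.
TECHNIQUES: Dict[str, Dict[str, str]] = {
    "T-credential-reuse": {"needs_right": "admin", "needs_service": "smb"},
    "T-db-abuse": {"needs_right": "login", "needs_service": "sql"},
}
# Asset criticality used by the step (f) ranking (constructed values).
CRITICALITY: Dict[str, int] = {"ws-01": 1, "ws-02": 1, "file-srv": 3, "db-01": 5}


@dataclass
class AttackVector:
    technique: str
    actor: str
    source: str
    target: str
    tagged: bool = True   # claim 17 (I): initially tagged as a threat
    reason: str = ""      # claim 17 (II): why it was un-tagged, if it was
    rank: int = 0


def static_verification(g1: Dict[Edge, Set[str]], g2: Dict[Edge, Set[str]],
                        techniques: Dict[str, Dict[str, str]]) -> List[AttackVector]:
    """Step (d): list every technique against every (actor, source, target)
    triple regardless of context. This over-approximation is the initial G3."""
    actors = sorted({p for p, _ in g1})
    machines = sorted({m for _, m in g1} | {m for edge in g2 for m in edge})
    return [AttackVector(t, a, s, d)
            for t in techniques for a in actors
            for s in machines for d in machines if s != d]


def dynamic_verification(vectors: List[AttackVector], g1, g2, techniques) -> List[AttackVector]:
    """Step (e) / claim 17 (II): un-tag a vector when the actor lacks the needed
    right on the source (G1) or the needed service is unreachable on the route (G2)."""
    for v in vectors:
        need = techniques[v.technique]
        if need["needs_right"] not in g1.get((v.actor, v.source), set()):
            v.tagged, v.reason = False, "lack of permission"
        elif need["needs_service"] not in g2.get((v.source, v.target), set()):
            v.tagged, v.reason = False, "lack of connectivity"
    return [v for v in vectors if v.tagged]


def rank_vectors(verified: List[AttackVector], criticality: Dict[str, int]) -> List[AttackVector]:
    """Step (f): rank each verified vector by the criticality of the asset it reaches."""
    for v in verified:
        v.rank = criticality[v.target]
    return sorted(verified, key=lambda v: (-v.rank, v.technique, v.actor, v.source, v.target))


def prioritize_mitigations(verified: List[AttackVector], techniques) -> List[Tuple[int, str]]:
    """Step (g): score each candidate mitigation (revoke a right in G1 or block a
    service route in G2) by the summed rank of the verified vectors it removes."""
    scores: Dict[str, int] = {}
    for v in verified:
        need = techniques[v.technique]
        for label in (f"revoke {need['needs_right']} of {v.actor} on {v.source}",
                      f"block {need['needs_service']} from {v.source} to {v.target}"):
            scores[label] = scores.get(label, 0) + v.rank
    return sorted(((s, m) for m, s in scores.items()), key=lambda x: (-x[0], x[1]))


def run_pipeline() -> dict:
    """Runs steps (d) through (g) over the constructed graphs and summarizes the result."""
    initial = static_verification(G1, G2, TECHNIQUES)
    verified = dynamic_verification(initial, G1, G2, TECHNIQUES)
    ranked = rank_vectors(verified, CRITICALITY)
    untagged: Dict[str, int] = {}
    for v in initial:
        if not v.tagged:
            untagged[v.reason] = untagged.get(v.reason, 0) + 1
    return {
        "initial": len(initial),
        "verified": len(verified),
        "untagged": untagged,
        "ranked": [(v.technique, v.actor, v.source, v.target, v.rank) for v in ranked],
        "mitigations": prioritize_mitigations(verified, TECHNIQUES),
    }


if __name__ == "__main__":
    for key, value in run_pipeline().items():
        print(f"{key}: {value}")
```

With this data the static pass yields 72 candidate vectors, the dynamic pass keeps only 3, and the top-scoring mitigation is blocking the single sql route into db-01, because it removes both of the highest-ranked vectors at once; revoking any one principal's right removes only one. That difference between a G1 mitigation and a G2 mitigation is what the step (g) prioritization is meant to surface.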


Allowable Subject Matter
Claims 1-20 are allowed. The following is an examiner’s statement of reasons for allowance: the following prior art references were found during examination of the claims filed on April 14, 2021. They do not explicitly teach the applicant’s claimed invention, but they are in the general realm of the applicant’s field of endeavor:
CRABTREE (US-20200358804-A1): This prior art teaches a system and method for network cybersecurity analysis that uses user and entity behavioral analysis combined with network topology information to provide improved cybersecurity. The system and method involve gathering network entity information, establishing baseline behaviors for each entity, and monitoring each entity for behavioral anomalies that might indicate cybersecurity concerns. Further, the system and method involve incorporating network topology information into the analysis by generating a model of the network, annotating the model with risk and criticality information for each entity in the model and with a vulnerability level between entities, and using the model to evaluate cybersecurity risks to the network.
CRABTREE does teach “A computerized method, comprising: (a) scanning and mapping a network, of an organization or a venue or a domain; and collecting data … about network elements of said network; ([CRABTREE, para. 0101] “FIG. 11 is a flow diagram of an exemplary method 1100 for continuous cybersecurity monitoring and exploration, according to one aspect. According to the aspect, a state observation service 140 may receive data from a variety of connected systems 1101 such as (for example, including but not limited to) servers, domains, databases, or user directories. This information may be received continuously, passively collecting events and monitoring activity over time while feeding 1102 collected information into a graphing service 145 for use in producing time-series graphs 1103 of states and changes over time.”) ([CRABTREE, para. 0105] “FIG. 15 is a flow diagram of an exemplary method 1500 for cybersecurity risk management, according to one aspect. According to the aspect, multiple methods described previously may be combined to provide live assessment of attacks as they occur, by first receiving 1501 time-series data for an infrastructure (as described previously, in FIG. 11) to provide live monitoring of network events.”) (b) generating a Permissions Directed-Graph (G1), which indicates permissions that each network element has; wherein each vertex in the Permissions Directed-Graph (G1) represents a network element; wherein each edge in the Permissions Directed-Graph (G1) represents a relationship between two network elements; wherein the Permissions Directed-Graph (G1) represents at least whether a particular user has or does not have access to a particular machine; ([CRABTREE, para. 0090] “FIG. 23 is a directed graph diagram showing an exemplary cyber-physical graph 2300 and its possible use in creating cybersecurity profiles and ratings. 
A cyber-physical graph represents the relationships between entities associated with an organization, for example, devices, users, resources, groups, and computing services, the relationships between the entities defining relationships and processes in an organization's infrastructure, thereby contextualizing security information with physical and logical relationships that represent the flow of data and access to data within the organization including, in particular, network security protocols and procedures. This can be enriched with properties, entities, and relationships that model business processes as well as the criticality of an entity to a business dependency (a representative example being criticality to a particular revenue stream). A cyber-physical graph, in its most basic form, represents the network devices comprising an organization's network infrastructure as nodes (also called vertices) in the graph and the physical or logical connections between them as edges between the nodes. The cyber-physical graph may be expanded to include network information and processes such as data flow, security protocols and procedures, and software versions and patch information. Further, human users and their access privileges to devices and assets may be included. A cyber-security graph may be further expanded to include internal process information such as business processes, loss information, and legal requirements and documents; external information such as domain and IP information, data breach information; and generated information such as open port information from external network scans, and vulnerabilities and avenues of attack. In some embodiments, multiple graphs may be combined into a single cyber-physical graph to enable exploration, modeling, predictive modeling, and simulation of relationships, performance and impacts under a multitude of scenarios. 
For example, graphs of cash flows, graphs of business processes, graphs of the logical network and graphs of the physical network, facilities, etc., can all be combined for such purposes. Thus, a cyber-physical graph may be used to represent a complete picture of an organization's infrastructure and operations. In some embodiments, instead of combining multiple graphs into a single cyber-physical graph, the graphs may be analyzed separately and the results of the analyses may be combined.”) (c) generating a Network Connectivity Directed-Graph (G2), which indicates accessible direct-communication routes between network elements; ([CRABTREE, para. 0090] “A cyber-physical graph, in its most basic form, represents the network devices comprising an organization's network infrastructure as nodes (also called vertices) in the graph and the physical or logical connections between them as edges between the nodes. …… In some embodiments, instead of combining multiple graphs into a single cyber-physical graph, the graphs may be analyzed separately and the results of the analyses may be combined.”) (d) obtaining a list of attack techniques; …… maps particular attacks to network elements that are represented in the Permissions Directed-Graph (G1) and in the Network Connectivity Directed-Graph (G2); …. ([CRABTREE, para. 0067] “Second, the advanced cyber decision platform continuously monitors the network in real-time both for types of traffic and through techniques such as deep packet inspection for pre-decided analytically significant deviation in user traffic for indications of known cyberattack vectors such as, but not limited to, ACTIVE DIRECTORY™/Kerberos pass-the-ticket attack, ACTIVE DIRECTORY™/Kerberos pass-the-hash attack and the related ACTIVE DIRECTORY™/Kerberos overpass-the-hash attack, ACTIVE DIRECTORY™/Kerberos Skeleton Key, ACTIVE DIRECTORY™/Kerberos golden and silver ticket attack, privilege escalation attack, compromised user credentials, and ransomware disk attacks.”) ([CRABTREE, para. 0090] “The cyber-physical graph may be expanded to include network information and processes such as data flow, security protocols and procedures, and software versions and patch information. Further, human users and their access privileges to devices and assets may be included. A cyber-security graph may be further expanded to include internal process information such as business processes, loss information, and legal requirements and documents; external information such as domain and IP information, data breach information; and generated information such as open port information from external network scans, and vulnerabilities and avenues of attack. In some embodiments, multiple graphs may be combined into a single cyber-physical graph to enable exploration, modeling, predictive modeling, and simulation of relationships, performance and impacts under a multitude of scenarios.”) ([CRABTREE, para. 0095] “Possible attack paths may be analyzed using the cyber-physical graph by running graph analysis algorithms such as shortest path algorithms, minimum cost/maximum flow algorithms, strongly connected node algorithms, etc. In this example, several exemplary attack paths are ranked by likelihood.”) …. performing prioritization of the ….
Attack Vectors and performing prioritization of threat mitigation resources; (h) activating one or more threat mitigation resources, based on one or more prioritization outputs generated in step (g). ([CRABTREE, para. 0091] “In this example, several exemplary attack paths are ranked by likelihood.”) ([CRABTREE, para. 0112] “At an initial step 2203, the system detects anomalous user behavior from a group. This may be based on comparison to established baselines, or a high priority incident caught during routine monitoring, for example a device accessing a blacklisted domain. At step 2206, the system investigates the group in which the anomalous behavior originated. This may include a more thorough analysis of usage and access logs. If applicable, users or devices with higher access privileges may be investigated before those with lower access privileges. At step 2209, the source or sources of the anomalous behavior is identified, and some corrective measures may be taken. For example, the offending device or user account may be automatically locked out of the network until a solution has been implemented. At step 2212, group members and system administrators may be notified. The system may utilize the various techniques discussed above to recommend a corrective action, or the system may take action automatically.”)
However, CRABTREE does not teach “… collecting … metadata ... and applying a Static Verification process on the list of attack techniques, to generate an initial version of an Attacks Directed-Graph (G3) which …. wherein the Static Verification process comprises generating an initial list of all relevant cyber-attack techniques regardless of context; (e) performing a Dynamic Verification process on said initial list of all relevant cyber-attach techniques, and constructing an updated list of dynamically-verified Attack Vectors that were verified as being available within a particular operational context; (f) generating a Ranking for each dynamically-verified Attack Vector in the updated list of dynamically-verified Attack Vectors; (g) based on rankings generated in step (f), …. prioritization of the dynamically- verified”

BEN-YOSEF (US-20210136101-A1): This prior art discloses a method, apparatus and product for assessing security threats from lateral movements and mitigation thereof. The method comprises statically analyzing the network to determine for each asset of a list of assets in a network, potential network lateral movements therefrom to other assets; dynamically analyzing the network to validate each potential network lateral movement identified by the static analysis; generating a graph of network lateral movements, wherein the graph comprises nodes and directed edges, wherein a node of the graph represents an asset of the list of assets, wherein a direct edge of the graph connecting a source node to a target node represents a validated network lateral movement from a source asset, represented by the source node, to a target asset, represented by the target node; and utilizing the graph of network lateral movements to assess security risk to the network.
BEN-YOSEF does teach “A computerized method, comprising: (a) scanning and mapping a network, of an organization or a venue or a domain; and … data … about network elements of said network; ([BEN-YOSEF, para. 0016] “Yet another exemplary embodiment of the disclosed subject matter is an apparatus comprising a processor and a memory unit, wherein said processor is configured to perform: obtaining a list of assets of a network; statically analyzing the network to determine for each asset of the list of assets”) ([BEN-YOSEF, para. 0004] “One exemplary embodiment of the disclosed subject matter is a method comprising: obtaining a list of assets of a network; statically analyzing the network to determine for each asset of the list of assets, potential network lateral movements therefrom to other assets; dynamically analyzing the network to validate each potential network lateral movement identified by the static analysis, wherein the potential network lateral movements is validated based on a successful lateral movement during the dynamic analysis; generating a graph of network lateral movements, wherein the graph comprises nodes and directed edges, wherein a node of the graph represents an asset of the list of assets, wherein a direct edge of the graph connecting a source node to a target node represents a validated network lateral movement from a source asset, represented by the source node, to a target asset, represented by the target node; and utilizing the graph of network lateral movements to assess security risk to the network.”) ….. 
(c) generating a Network Connectivity Directed-Graph (G2), which indicates accessible direct-communication routes between network elements; ([BEN-YOSEF] “generating a graph of network lateral movements, wherein the graph comprises nodes and directed edges, wherein a node of the graph represents an asset of the list of assets, wherein a direct edge of the graph connecting a source node to a target node represents a validated network lateral movement from a source asset, represented by the source node, to a target asset, represented by the target node; and utilizing the graph of network lateral movements to assess security risk to the network.”) (d) obtaining a list of attack techniques; and applying a Static Verification process on the list of attack techniques, to generate an initial version of an Attacks Directed-Graph (G3) which maps particular attacks to network elements that are represented … in the Network Connectivity Directed-Graph (G2); wherein the Static Verification process comprises generating an initial list of all relevant cyber-attack techniques regardless of context; ([BEN-YOSEF, para. 0004] “utilizing the graph of network lateral movements to assess security risk to the network.”) ([BEN-YOSEF, para. 0027] “In some exemplary embodiments, static analysis may be employed to determine whether certain methods or exploits may be used to perform network lateral movements from an asset to another asset. The methods may include, for example, Pass the Hash (PtH) technique, Pass the Ticket (PtT) technique, a modification of a logon script, a Remote Desktop Protocol (RDP) attack, a Server Message Block (SMB) relay attack, or the like.”) ([BEN-YOSEF, para. 0023] “One technical solution is to generate a graph of network lateral movements for a network. The network may be analyzed to identify assets therein. Static analysis of the network may be performed to determine, for each asset, potential network lateral movements. 
Static Analysis may provide an over-approximation of the network lateral movements in the network, as it may identify all network lateral movements and some invalid network lateral movements that cannot be utilized. In some exemplary embodiments”) ([BEN-YOSEF, para. 0047] “On Step 110, static analysis of the network and assets may be performed. During the static analysis, potential network lateral movements may be identified. In some exemplary embodiments, for each asset in the assets identified on Step 100, it may be determined whether the asset is susceptible to methods that enable network lateral movement. Additionally or alternatively, the assets that are reachable to an attacker using such methods may be determined. In some exemplary embodiments, there may be a myriad of methods and techniques, such as but not limited to Pass the Hash (PtH) technique, Pass the Ticket (PtT) technique, a modification of a logon script, a Remote Desktop Protocol (RDP) attack, a Server Message Block (SMB) relay attack, or the like. In some exemplary embodiments, the static analysis may provide an over-approximation of the network lateral movement, including false positive lateral movements. In some exemplary embodiments, the approximation may comprise all lateral movements in the network, and there may be no false negative indications (e.g., possible network lateral movements that are not identified by the static analysis).”) (e) performing a Dynamic Verification process on said initial list of all relevant cyber-attach techniques, and constructing an updated list of dynamically-verified Attack Vectors that were verified as being available within a particular operational context; ([BEN-YOSEF, para. 0023] “dynamic analysis may be performed on the network. The dynamic analysis may comprise performing penetration testing, attempting to exploit each potential network lateral movement identified by the static analysis. 
In some exemplary embodiments, a subset of the potential network lateral movements may be validated based on a successful lateral movement during the dynamic analysis.”) ([BEN-YOSEF, para. 0048] “On Step 120, dynamic analysis may be performed to validate that network lateral movements identified on Step 110. In some exemplary embodiments, the dynamic analysis may comprise performing penetration testing, attempting to implement the methods to effectuate network lateral movement from one asset to another. In some exemplary embodiments, a subset of the potential network lateral movements identified by the static analysis may be validated. Additionally or alternatively, some lateral movements may be invalidated by the dynamic analysis. Such invalidated lateral movements may be false positive indications of the static analysis. In some exemplary embodiments, it is noted that during dynamic analysis the analysis involves more than the static structure of the network, configurations and the like. The dynamic analysis may comprise execution of processes in the network to attempt implementing attacks and methods to perform the network lateral movement. It is further noted that the disclosed subject matter reduces the amount of time and resources required for such dynamic analysis by providing an initial subset of all theoretical lateral movements based on the static analysis or a portion thereof. Additionally, or alternatively, some potential lateral movements may not be validated nor invalidated, and may be considered as having an “unknown” status. In some exemplary embodiments, lateral movements in “unknown” status may be processed as “validated” or as “invalidated” depending on rules and configurations. In some exemplary embodiments, an unknown lateral movement may be considered of a relative high risk and may therefore be handled as if it was validated, while another low-risk lateral movement may be handled as if it was invalidated. 
Additionally, or alternatively, using big data analysis of past processing it may be possible to estimate whether in similar circumstances such lateral movement was invalidated or validated, and to handle the unknown lateral movement accordingly.”) …. performing prioritization of the Attack Vectors and performing prioritization of threat mitigation resources; ([BEN-YOSEF, para. 0022] “Another technical problem dealt with by the disclosed subject matter is to provide for an automated manner for suggesting a mitigation action to improve security of the network. In some cases, it may be desired to evaluate whether a potential mitigation action provides a benefit or not. In some cases, a mitigation action may be performed without providing positive utility. As an example, the mitigation action may not prevent any penetration scenario. Additionally, or alternatively, the mitigation action may prevent penetration scenarios that relate to low-priority assets having insignificant payloads. Additionally, or alternatively, the mitigation action may require a substantial resource investment in order to be applied. Additionally, or alternatively, the mitigation action may reduce usability of the network, as it may create obstacles that interfere with legitimate activities of non-malicious users.”) (h) activating one or more threat mitigation resources, based on one or more prioritization outputs generated in step (g). ([BEN-YOSEF, para. 0032] “In some exemplary embodiments, a visualization of the graph may be displayed, and the user may select an edge to remove therefrom. The edge may be removed after a mitigation action is performed to disable the ability to perform a network lateral movement according thereto. In some exemplary embodiments, there may be multiple methods that can be employed to traverse an edge. The mitigation action may disable one method, and cause a change in the annotation, or disable all methods, and cause the edge to be removed.”) ([BEN-YOSEF, para. 0033] “In some exemplary embodiments, a visualization of a modified graph may be displayed to a user, indicating the estimated state after a mitigation action is implemented. The modified graph may remove one or more edges from the graph. In some cases, a visual indication may be utilized to show the user which edges are removed. Additionally, or alternatively, other visualizations showing the differences may be utilized. In some cases, two visualizations may be displayed one next to the other, to allow the user to identify the differences therebetween.”) ([BEN-YOSEF, para. 0055] “mitigation actions may be include decommissioning an asset that is vulnerable, replacing an asset by a different asset having similar properties and lower penetration probabilities, or the like. In some exemplary embodiments, the modified graph may be based on a modification indicated by the user, such as removal of an edge, removal of a node, or the like.”)
However, BEN-YOSEF does not teach “…. collecting … meta-data …. (b) generating a Permissions Directed-Graph (G1), which indicates permissions that each network element has; wherein each vertex in the Permissions Directed-Graph (G1) represents a network element; wherein each edge in the Permissions Directed-Graph (G1) represents a relationship between two network elements; wherein the Permissions Directed-Graph (G1) represents at least whether a particular user has or does not have access to a particular machine; … represented in the Permissions Directed-Graph (G1) and …. (f) generating a Ranking for each dynamically-verified Attack Vector in the updated list of dynamically-verified Attack Vectors; (g) based on rankings generated in step (f), …. prioritization of the dynamically- verified Attack Vectors.”

CHAKRABORTY (US-20140245443-A1): This prior art discloses cyber defense systems and methods that protect an enterprise system formed of a plurality of networked components. Connectivity and relationship information indicative of connectivity and behavior of the components are collected. A relationship graph is created based upon the connectivity data and the relationship data, wherein nodes of the relationship graph represent the components and edges of the graph represent connectivity and relationships. At least part of the relationship graph is stored to form a chronology. The relationship graph and the chronology are analyzed to predict connectivity and relationship changes within the enterprise system, and a first anomaly is identified when the current connectivity and relationships do not match the prediction.
CHAKRABORTY does teach “A computerized method, comprising: (a) scanning and mapping a network, of an organization or a venue or a domain; and collecting data … about network elements of said network; ([CHAKRABORTY, para. 0014] “The cyber defense system platform directly addresses this problem by gathering data and then inferring the behavior patterns of users and devices in the system: who is accessing what data, for how long, and from where. The cyber defense system “discovers” normal behavior for a monitored high-risk component (such as a database). When behavior occurs that is outside “normal,” alerts may be raised and automatic responses taken. If a user endpoint is extracting volumes of data well beyond what is considered normal for that datastore, alerts can be raised, the connection cut, and the endpoint itself could be disconnected from the external Internet before the data can be forwarded.”) ([CHAKRABORTY, para. 0015] “As part of the behavior analysis process, the cyber defense system platform is also collecting and analyzing text data from the monitored systems, including items such as database logs, security logs, scripts, and running programs. When an anomaly is discovered that could represent an attack, appropriate text items can be correlated to the event, providing responders with a complete forensic trail at the outset detailing what systems are likely impacted and what the threat vector is.”) ([CHAKRABORTY, para. 0016] “In one embodiment, a cyber defense method protects an enterprise system formed of a plurality of networked components.”) (b) generating a Permissions Directed-Graph (G1), which indicates permissions that each network element has; wherein each vertex in the Permissions Directed-Graph (G1) represents a network element; wherein each edge in the Permissions Directed-Graph (G1) represents a relationship between two network elements; … ([CHAKRABORTY, para. 0016] “In one embodiment, a cyber defense method protects an enterprise system formed of a plurality of networked components. Connectivity and relationship information indicative of connectivity and behavior of the components are collected. A relationship graph is created based upon the connectivity data and the relationship data, wherein nodes of the relationship graph represent the components and edges of the graph represent connectivity and relationships. At least part of the relationship graph is stored to form a chronology. The relationship graph and the chronology are analyzed to predict connectivity and relationship changes within the enterprise system, and a first anomaly is identified when the current connectivity and relationships do not match the prediction.”) …. (c) generating a Network Connectivity Directed-Graph (G2), which indicates accessible direct-communication routes between network elements; ([CHAKRABORTY, para. 0060] “FIG. 3 shows relationship graph 132 generated and maintained by analyzer 134 within core 110 and based upon collected information 120 of enterprise system 200 of FIG. 2. FIGS. 1 through 3 are best viewed together with the following description. Node 302 represents load balancer 204, node 304 represents server 206(1), node 306 represents VM 206(1), node 308 represents OS 210(1), node 310 represents web server 220, node 312 represents switch 207(1), node 314 represents endpoint 230(1), node 316 represents server 206(2), node 318 represents VM 208(2), node 310 represents OS 210(2), node 322 represents application 222, node 324 represents switch 207(2), node 326 represents server 206(3), node 328 represents VM 208(3), node 330 represents OS 210(3), node 332 represents database 224, node 334 represents endpoint 230(2), and node 336 represents endpoint 230(3).”) ([CHAKRABORTY, para. 0061] “Each node 302-336 has associated node data 380(1)-(18), respectively, that defines certain characteristics of each node.
For example, node data 380(16) includes characteristics of database 224, such as a weight value that represents an assessment of the value of database 224 to an attacker. Each edge 340-374 has associated edge data 382(1)-(19) that defines characteristics of the connection. For example, edge data 382(13) defines bit rates of connection 252 between application 222 and database 224.”)  …. relevant cyber-attach techniques, and constructing an updated list of dynamically-verified Attack Vectors that were verified as being available within a particular operational context; ([CHAKRABORTY, para. 0104] “Any change in the historical pattern of connection and behavior is identified as a potential anomaly. Defense system 100 predicts, for example, that each endpoint will access previously accessed components within enterprise system 150 in a similar order, for a similar duration, and transfer similar amounts of data as previously recorded.”) ([CHAKRABORTY, para. 0105] “Certain behavior may be reduced in importance (e.g., the recorded behavior pattern may not repeat on weekends or holidays, may change at end of month or end of quarter or end of year). However, within defense system 100, the following departures from expected behavior changes are considered of key importance: a first component accessing a second sensitive component that is not typically accessed by the first component, a first component accessing a second sensitive component for a much longer duration than previously done, and a first component extracting much more data from a second component than previously done. Other behaviors that correspond to attack vectors include: a component sending email with attachments or links to external URLs to large numbers of people, or to people who have access to sensitive components of enterprise system 150. 
Defense system 100 may also identify a potential anomaly when the same endpoint is identified twice in relationship graph 134, since this indicates that a third party has spoofed a valid endpoint and is operating within enterprise system 150 as that endpoint.”) … performing prioritization of the … Attack Vectors and performing prioritization of threat mitigation resources; ([CHAKRABORTY, para. 0014] “When behavior occurs that is outside “normal,” alerts may be raised and automatic responses taken. If a user endpoint is extracting volumes of data well beyond what is considered normal for that datastore, alerts can be raised, the connection cut, and the endpoint itself could be disconnected from the external Internet before the data can be forwarded.”) ([CHAKRABORTY, para. 0085] “Upon determining such anomalies, agent 106 generates potential alert 124. Core 110, upon receiving potential alert 124, determines whether the alert passes associated uncertainty thresholds, and if it does, core 110 generates alert 118. For example, a component identified as anomalous may be further investigated. Reverse IP lookup may be used to determine the location of a connected node; however, such information is easily spoofed—although, failure of a reverse IP lookup is, in itself, indicative of anomalous behavior. System 100 may therefore utilize ‘traceroute’, a known technique in the art, to determine location of a node and further utilize roundtrip latency to cross-check the determined location. The physical location of the node may provide further indication of compromise likelihood.”) (h) activating one or more threat mitigation resources, based on one or more prioritization outputs generated in step (g). ([CHAKRABORTY, para. 
0014] “If a user endpoint is extracting volumes of data well beyond what is considered normal for that datastore, alerts can be raised, the connection cut, and the endpoint itself could be disconnected from the external Internet before the data can be forwarded.”) ([CHAKRABORTY, para. 0102] “If the alert level of the identified anomaly is above an uncertainty threshold for that type of anomaly, core 110 enters a response phase. In one example of operation, core 110 and/or agent 106 disconnects endpoint 230(2), if still connected. In another example of operation, a user (e.g., the assumed administrator) of endpoint 230(2) is asked to enter an additional PIN on a separate endpoint (e.g., the mobile phone identified with the administrator) to prove the identity of the user of endpoint 230(2). In another example of operation, a tracer payload is added to the data being uploaded by endpoint 230(2). In each case, security personnel may be notified and asked to respond.”)
However, CHAKRABORTY does not teach “collecting … meta-data … wherein the Permissions Directed-Graph (G1) represents at least whether a particular user has or does not have access to a particular machine; (d) obtaining a list of attack techniques; and applying a Static Verification process on the list of attack techniques, to generate an initial version of an Attacks Directed-Graph (G3) which maps particular attacks to network elements that are represented in the Permissions Directed-Graph (G1) and in the Network Connectivity Directed-Graph (G2); wherein the Static Verification process comprises generating an initial list of all relevant cyber-attack techniques regardless of context; (e) performing a Dynamic Verification process on said initial list … (f) generating a Ranking for each dynamically-verified Attack Vector in the updated list of dynamically-verified Attack Vectors; (g) based on rankings generated in step … prioritizing dynamically-verified Attack …”

HERWONO (US-20220150268-A1): This prior art discloses a computer-implemented method of computer security for a host computer system in communication with remote computer systems, the method including generating an attack map as a directed graph data structure modelling individual events leading to an exploitation of the host computer system, the attack map being generated in a training phase of the host computer system in which the host is subjected to attacks by one or more attacking remote computer systems, and generating the attack map includes collecting a log of each of a plurality of attack events occurring at the host including network packets involved in each attack event.

HERWONO does teach “A computerized method, comprising:

(a) scanning and mapping a network, of an organization or a venue or a domain; and collecting data and … about network elements of said network; ([HERWONO, para. 0047] “Embodiments of the present disclosure addresses the issues faced by rule- and pattern-based cyber-defense systems and improves their performance (in terms of, for example, attack detection and prediction) by collecting event information from each of a plurality of attack patterns, gathering intelligence from network traffic patterns in logs data through application of deep learning method, combining them with network configurations and attack pattern repository along with correlation rules to create attack maps that show all possible attack paths.”) ….

… of all relevant cyber-attack techniques, and constructing an updated list of dynamically-verified Attack Vectors that were verified as being available within a particular operational context; ([HERWONO, para. 0037] “Embodiments of the present disclosure seek to identify causal relationships between steps or stages in a cyber-attack and identify resources and exploitation mechanisms utilized by an attacker. An attack pattern is represented as a directed graph or a sequence of events, as shown in FIG. 2. Mostly the graph is acyclic, but there might be some cases where a cyclic directed graph structure may describe an attack pattern. Each event in the attack pattern is observable from network activities, e.g. through network packet capture. Embodiments of the present invention thus provide a cyber-defense system that employs attack patterns for detecting potential cyber-attacks having initial attack patterns created and defined by security experts or experienced analysts. The attack pattern specifies indicators and parameters such as alert signature name, packet frequency, protocol type, packet sizes, time window, etc. in order to detect or identify particular event that could be part of an attack pattern. For example, to identify an event “Port Scanning”, an analyst may specify a packet frequency of over 100 packets within one”) ([HERWONO, para. 0038] “Furthermore, FIG. 2 also shows that an attack pattern may have branches where an event (e.g. Event 3) may be followed by more than one type of events (e.g. Event 4 and Event 5), each creating different paths on how the attack may progress. Different attack paths may lead to different types of security breach, e.g. Event 4 may lead to data exfiltration while Event 5 may lead to denial of service.”) ([HERWONO, para. 0047] “collecting event information from each of a plurality of attack patterns, gathering intelligence from network traffic patterns in logs data through application of deep learning method, combining them with network configurations and attack pattern repository along with correlation rules to create attack maps that show all possible attack paths.”) ([HERWONO, para. 0112] “The same method can be applied to other events belonging to different attack patterns (i.e. graphs) to construct a variety of attack maps. As more new events are detected the constructed attack maps may also change over time.”) ([HERWONO, para. 0106] “The same method can be applied to other events belonging to different attack patterns (i.e. graphs) to construct a variety of attack maps. As more new events are detected the constructed attack maps may also change over time.”)

… performing prioritization of the Attack Vectors and performing prioritization of threat mitigation resources; ([HERWONO, para. 0117] “In one embodiment of the present disclosure the attack map 200 is used to improve security for the host 202 before operational exploitation is experienced. In particular, a subset of nodes in the attack map are determined such that the subset corresponds to events in attacks where each of the predetermined attack patterns involves at least one of the nodes in the subset are determined. Thus, a subset of nodes that covers substantially all attacks is selected. In some embodiments, a minimized subset (being a smallest number of nodes) that cover all attacks is selected. Subsequently, a component of the host 202 involved in each event represented by each of the nodes in the subset is determined. For example, a web server involved in a cross-site scripting attack; a database involved in an SQL injection attack, and so on. Subsequently, security facilities are deployed at each of the determined host components so as to mitigate attacks according to each of the attack patterns.”) ([HERWONO, para. 0118] “From 224 security events are received by the method. At 226 the method determines if a sequence of security events indicative of an attack according to the attack map 200 is identified. If a sequence of events indicative of an attack is identified, the method deploys security facilities 212 at 228 to mitigate the attack.”)

(h) activating one or more threat mitigation resources, based on one or more prioritization outputs generated in step (g). ([HERWONO, para. 0115] “According to one embodiment of the present disclosure, the attack map 200 is used in an operational phase of the host 202 (as opposed to the training phase) to detect security events occurring in a sequence constituting a path through the attack map. In this way, the host 202 identifies a sequence of events indicative of an attack based on the attack map 200. Responsive to such a detection, one or more security facilities 212 can be deployed as protective measures. Additionally, or alternatively, existing security features 212 can be reconfigured, redoubled or otherwise adapted in response to the detection.”) ([HERWONO, para. 0118] “If a sequence of events indicative of an attack is identified, the method deploys security facilities 212 at 228 to mitigate the attack.”)”.
However, HERWONO does not teach “scanning and mapping a network … collect … meta-data … (b) generating a Permissions Directed-Graph (G1), which indicates permissions that each network element has; wherein each vertex in the Permissions Directed-Graph (G1) represents a network element; wherein each edge in the Permissions Directed-Graph (G1) represents a relationship between two network elements; wherein the Permissions Directed-Graph (G1) represents at least whether a particular user has or does not have access to a particular machine; (c) generating a Network Connectivity Directed-Graph (G2), which indicates accessible direct-communication routes between network elements; (d) obtaining a list of attack techniques; and applying a Static Verification process on the list of attack techniques, to generate an initial version of an Attacks Directed-Graph (G3) which maps particular attacks to network elements that are represented in the Permissions Directed-Graph (G1) and in the Network Connectivity Directed-Graph (G2); wherein the Static Verification process comprises generating an initial list of all relevant cyber-attack techniques regardless of context; (e) performing a Dynamic Verification process on said initial list … (f) generating a Ranking for each dynamically-verified Attack Vector in the updated list of dynamically-verified Attack Vectors; (g) based on rankings generated in step … prioritizing dynamically-verified Attack”.
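The claim limitations that neither reference teaches, steps (b) through (h), describe a concrete pipeline: a Permissions Directed-Graph G1 (user-to-machine access), a Network Connectivity Directed-Graph G2 (machine-to-machine routes), a Static Verification that maps every structurally possible technique onto G1/G2 elements to form the initial Attacks Directed-Graph G3 regardless of context, a Dynamic Verification that keeps only the vectors available in the current operational context, and then ranking and prioritization of mitigation resources. The following Python sketch is an added illustration written for this page from a defender's viewpoint; it is not code from the application, the applicant, or either cited reference. The hosts, users, the two abstract technique labels, the asset values and the session/online context are all constructed, and the scanning step (a) is assumed to have already produced G1 and G2.

```python
"""Constructed, defender-side model of the claimed G1 / G2 / G3 pipeline.
All hosts, users, technique labels, asset values and context are made up."""
from dataclasses import dataclass
from typing import Optional

# G1 (step b): Permissions Directed-Graph. Edge (user, machine) means the user
# has access to that machine; absence of the edge means no access.
G1 = {("alice", "ws1"), ("alice", "fileserver"), ("bob", "ws2"),
      ("svc_backup", "db1"), ("svc_backup", "fileserver")}

# G2 (step c): Network Connectivity Directed-Graph. Edge (m1, m2) means m1 has
# an accessible direct-communication route to m2.
G2 = {("ws1", "fileserver"), ("ws2", "fileserver"), ("fileserver", "db1"), ("ws1", "ws2")}


@dataclass(frozen=True)
class Technique:
    """An abstract attack technique with structural preconditions over G1 / G2."""
    name: str
    needs_permission: bool  # actor must hold a G1 edge to the target
    needs_route: bool       # a machine the actor can access must hold a G2 edge to the target


@dataclass(frozen=True)
class AttackVector:
    """One edge of the Attacks Directed-Graph (G3): a technique applied by an actor
    against a target, via a source machine for route-based vectors (else None)."""
    technique: str
    actor: str
    source: Optional[str]
    target: str


# Hypothetical technique list (input to step d); the names are placeholders only.
TECHNIQUES = [Technique("reuse-permission", needs_permission=True, needs_route=False),
              Technique("pivot-over-route", needs_permission=False, needs_route=True)]


def static_verification(techniques, g1, g2):
    """Step (d): enumerate every vector whose preconditions hold purely on the
    structure of G1 and G2, regardless of operational context. Returns initial G3."""
    users = {u for u, _ in g1}
    machines = {m for _, m in g1} | {a for e in g2 for a in e}
    g3 = set()
    for t in techniques:
        for user in users:
            for target in machines:
                if t.needs_permission and (user, target) in g1:
                    g3.add(AttackVector(t.name, user, None, target))
                if t.needs_route:
                    for src in machines:
                        if (user, src) in g1 and (src, target) in g2:
                            g3.add(AttackVector(t.name, user, src, target))
    return g3


def dynamic_verification(g3, online, sessions):
    """Step (e): keep only vectors available in the current operational context:
    the target is reachable now and, for route-based vectors, the actor currently
    holds a session on the (online) source machine."""
    verified = set()
    for v in g3:
        if v.target not in online:
            continue
        if v.source is not None and (v.source not in online or sessions.get(v.actor) != v.source):
            continue
        verified.add(v)
    return verified


def rank(vectors, asset_value):
    """Step (f): score = value of the target asset times the number of distinct
    actors that can reach it (wider exposure ranks higher). Deterministic order."""
    exposure = {}
    for v in vectors:
        exposure.setdefault(v.target, set()).add(v.actor)
    scored = {v: asset_value.get(v.target, 1) * len(exposure[v.target]) for v in vectors}
    return sorted(scored.items(), key=lambda kv: (-kv[1], kv[0].technique, kv[0].actor, kv[0].target))


# Hypothetical mapping from technique to the mitigation resource that addresses it.
MITIGATION = {"reuse-permission": "review-permission", "pivot-over-route": "segment-route"}


def prioritize(ranked, budget):
    """Steps (g)/(h): walk the ranked list and assign one mitigation resource per
    (target, technique) pair until the budget of resources is exhausted."""
    plan, seen = [], set()
    for v, score in ranked:
        key = (v.target, v.technique)
        if key in seen:
            continue
        seen.add(key)
        plan.append((MITIGATION[v.technique], v.target, score))
        if len(plan) == budget:
            break
    return plan


def run_pipeline(budget=3):
    """Run steps (d)-(h) over the constructed graphs and context."""
    online = {"ws1", "fileserver", "db1"}                   # ws2 is powered off
    sessions = {"alice": "ws1", "svc_backup": "fileserver"}  # who is logged in where
    asset_value = {"db1": 10, "fileserver": 4, "ws1": 1, "ws2": 1}
    g3 = static_verification(TECHNIQUES, G1, G2)
    verified = dynamic_verification(g3, online, sessions)
    ranked = rank(verified, asset_value)
    return g3, verified, ranked, prioritize(ranked, budget)


if __name__ == "__main__":
    g3, verified, ranked, plan = run_pipeline()
    print(f"static G3: {len(g3)} vectors, dynamically verified: {len(verified)}")
    for v, score in ranked:
        print(f"{score:>3}  {v.technique:<18} {v.actor:<11} {v.source or '-':<11} -> {v.target}")
    print("mitigation plan:", plan)
```

The point the two-stage verification makes is visible in the numbers: the static pass over G1/G2 yields ten vectors, of which only six survive the context check (ws2 is offline and alice holds no session on the file server), and the ranking then sends the first mitigation resources to the highest-value target rather than to the workstation that happens to have the most vectors.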

Furthermore, none of the prior art of record, independently or in combination, discloses all the limitations of the independent claims 1, 19, and 20 as recited in the amended set of claims being examined.

Therefore, the independent claims are allowable over the prior art of record. The dependent claims, being definite, further limiting, and fully enabled by the specification, are also allowed by virtue of their dependence on the independent claims.


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to AFAQ ALI whose telephone number is (571)272-1571. The examiner can normally be reached Mon - Fri 7:30am - 5:30pm EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on (571)272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/AFAQ ALI/Examiner, Art Unit 2434
/KAMBIZ ZAND/Supervisory Patent Examiner, Art Unit 2434