Patent 12301627

Obviousness

Combinations of prior art that suggest the claimed invention would have been obvious under 35 U.S.C. § 103.

Active provider: Google · gemini-2.5-pro

Analysis of Obviousness of U.S. Patent No. 12,301,627 under 35 U.S.C. § 103

This analysis examines whether the claimed invention in U.S. Patent No. 12,301,627 would have been obvious to a Person Having Ordinary Skill in the Art (PHOSITA) at the time the invention was made. The analysis is based on the patent's own detailed description and its relationship to prior art, particularly its extensive family of preceding patents.

Legal Standard for Obviousness

Under 35 U.S.C. § 103, a patent claim is invalid as obvious "if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art." The analysis requires considering the scope and content of the prior art, the differences between the prior art and the claims at issue, and the level of ordinary skill in the pertinent art. A key consideration is whether a PHOSITA would have had a reason or motivation to combine the teachings of the prior art references to arrive at the claimed invention.

Person Having Ordinary Skill in the Art (PHOSITA)

For the technology described in the '627 patent, a PHOSITA would be an individual with a bachelor's degree in computer science, cybersecurity, or a related field, and several years of professional experience in network security, incident response, or security analytics. This individual would be familiar with:

  • Network architecture and security principles.
  • Common cyberattack vectors and threat mitigation techniques.
  • Data collection methods, including active and passive network scanning.
  • Data modeling and analysis, including the use of graph databases and time-series data.
  • Intrusion Detection Systems (IDS), Security Information and Event Management (SIEM) systems, and behavioral analytics tools.
  • Standard incident response procedures, including root cause analysis.

Deconstruction of the Claims

The independent claims of the '627 patent can be broken down into the following key elements:

  1. Cyber-Physical Graph (CPG): A model representing entities (devices, users, etc.) and their relationships within an organization's infrastructure.
  2. Reconnaissance Engine: A component that performs active and passive data collection.
  3. Normal Behavior Model: A baseline of normal activity derived from the reconnaissance data and applied to the CPG.
  4. Anomaly Detection: The identification of events that deviate from the normal behavior model.
  5. Correlation of Anomalies: Linking an identified anomaly to other network events and affected resources (nodes).
  6. Behavior Graph Generation: Creating a new graph that illustrates the causative relationships and pathways derived from the correlated events.
  7. Backward Temporal Traversal: Analyzing the behavior graph by tracing dependencies backward in time to identify the origin of the anomalous event.

Combination of Prior Art and Motivation to Combine

The claims of the '627 patent are rendered obvious by a combination of its own predecessor patents, particularly U.S. Patent Nos. 11,025,674 and 10,735,456.

Primary Combination: U.S. Patent No. 11,025,674 ('674 Patent) in view of U.S. Patent No. 10,735,456 ('456 Patent).

  1. What the '674 Patent Teaches: The '674 patent, titled "Cybersecurity Profiling and Rating Using Active and Passive External Reconnaissance," explicitly discloses the core data gathering and modeling elements of the '627 patent. It teaches:

    • Performing active and passive reconnaissance to gather a wide range of internal and external data.
    • Using this data to create a comprehensive "cybersecurity profile" of an organization.
    • The concept of a "cyber-physical graph" to model the organization's infrastructure and the relationships between its entities (elements 1 and 2).
    • Analyzing collected data over time to understand patterns, such as software patching frequency, which is foundational to establishing a baseline of normal activity (element 3).
  2. What the '456 Patent Teaches: The '456 patent, titled "Advanced Cybersecurity Threat Mitigation Using Behavioral and Deep Analytics," focuses on the analytical application of such data. It teaches:

    • Using passive information feeds to analyze behavior patterns.
    • Detecting "anomalous behavior" based on deviations from established patterns (element 4).
    • Using these anomalies to analyze potential attack vectors and their impact (a form of correlation, covering element 5).
    • The goal of this analysis is to provide "proactive and high-speed reactive defense capabilities."

Motivation to Combine '674 and '456:

A PHOSITA, presented with the system described in the '674 patent, would possess a rich, detailed model of an organization's network and a baseline of its normal operations. The natural and obvious next step would be to use this model for its intended security purpose: detecting threats. The '456 patent provides precisely this methodology—applying behavioral analytics to detect anomalies against a known pattern. The motivation to combine these two is straightforward and compelling: the output of the '674 system (a detailed, dynamic network model) is the ideal input for the analytical engine of the '456 patent (an anomaly detection system). Combining them would create a system that both understands the network environment and can detect threats within it. This is not an inventive leap, but a logical integration of a data collection/modeling tool with a data analysis/threat detection tool to build a more complete security solution.

Obviousness of the Final "Root Cause Analysis" Steps

The remaining elements of the '627 patent claims—generating a "behavior graph" and "traversing it backward" to find an attack's origin (elements 6 and 7)—represent a form of automated root cause analysis. This, too, would be an obvious extension to a PHOSITA.

  • Established Practice: In the field of cybersecurity and digital forensics, tracing an incident back to its origin is a fundamental and well-understood objective. When a security analyst using a SIEM or IDS (as described in the '456 patent) identifies a series of correlated alerts, the immediate next step in any standard incident response protocol is to investigate the chain of events to find the initial point of compromise.
  • Predictable Solution: Creating a visual representation of a sequence of events (a "behavior graph" or "dependency tree") is a common analytical technique used to understand complex interactions. A PHOSITA, having identified correlated anomalous events on different network nodes, would find it obvious to map these events and their dependencies to understand how an attack propagated.
  • Motivation for Implementation: The motivation for automating this final step is to improve the speed and efficiency of incident response. Once anomalies are detected and correlated, the process of tracing them backward is a logical and necessary function for any advanced threat detection system. A PHOSITA would be motivated to automate this investigative process to reduce manual effort and response time, thus making the addition of an automated "backward traversal" a predictable improvement rather than an inventive step. The '627 patent itself states that this process allows for identifying the "root cause of the issue," a universally understood goal in the field.

Conclusion

The independent claims of U.S. Patent No. 12,301,627 are likely invalid as obvious under 35 U.S.C. § 103. The core components of the invention—data gathering, creating a cyber-physical model, and anomaly detection—are explicitly taught by the predecessor '674 and '456 patents. A person of ordinary skill in the art would have been motivated to combine the modeling capabilities of the '674 patent with the analytical and threat-detection methods of the '456 patent to create a more effective security system. The final steps of generating a behavior graph and traversing it backward to find the attack's origin represent a logical and obvious implementation of standard root cause analysis principles, a necessary and predictable next step for any system designed to not just detect, but also respond to and remediate, security threats. Therefore, the claimed invention as a whole represents a combination of known elements, used according to their known functions, to yield a predictable result.

Generated 4/30/2026, 11:45:30 PM