Patent 12301628
Obviousness
Combinations of prior art that suggest the claimed invention would have been obvious under 35 U.S.C. § 103.
Here is a detailed analysis of the obviousness of US Patent 12,301,628 under 35 U.S.C. § 103, based on the provided prior art.
Obviousness Analysis of U.S. Patent 12,301,628
Standard for Obviousness (35 U.S.C. § 103): A patent claim is invalid for obviousness if the differences between the claimed invention and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art (a "POSA").
Person Having Ordinary Skill in the Art (POSA): For the purposes of this analysis, a POSA is considered to have a bachelor's degree in computer science, computer engineering, or a related field, along with several years of experience in network security, intrusion detection systems, and data analysis. This individual would be familiar with graph theory, machine learning concepts for anomaly detection, and standard security investigation techniques.
Analysis of Independent Claim 1 (Method)
Claim 1 recites a multi-step method for identifying attack information. We will analyze how combinations of the cited prior art render these steps obvious.
Proposed Combination 1: Crabtree '464 in view of Crabtree '910
Primary Reference: US 2017/0124464 A1 (Crabtree '464) teaches the foundational concept of creating a "cyber-physical system graph" (CPG). As described in the patent text, a CPG is "a graph visualization of users, servers, devices, and other resources correlating physical relationships... with logical relationships" (FIG. 11, col. 14). This directly teaches the first step of claim 1: "creating a cyber-physical graph of an organization."
Secondary Reference: US 10,248,910 B2 (Crabtree '910) teaches a system for "cybersecurity behavioral analytics." The method involves passively collecting activity information (FIG. 8, step 801), processing it to "analyze behavior patterns" (step 802), and recognizing "anomalous behavior" (step 803). This explicitly teaches the concept of establishing a model of normal behavior and identifying deviations from it, which corresponds to the steps in claim 1 of "create a normal behavior model" and "identifying an anomalous event."
Motivation to Combine: A POSA, having learned of the comprehensive network and organizational model taught by Crabtree '464, would be motivated to apply analytical techniques to it for security purposes. The problem of detecting threats is a primary driver in the field of cybersecurity. Crabtree '910 provides a direct solution by teaching the use of behavioral analytics to identify anomalies. The motivation would be to apply the anomaly detection method of '910 to the superior, context-rich CPG model from '464 to achieve more accurate and meaningful threat detection. This combination renders the initial steps of claim 1 obvious: creating a graph model, establishing a baseline of normal behavior from collected data, and detecting anomalies against that baseline.
Proposed Combination 2: Combination 1 (Crabtree '464 + '910) in view of Crabtree '147 and '492
Primary Combination: Crabtree '464 + '910 as established above.
Secondary References: US 10,204,147 B2 (Crabtree '147) and US 2017/0124492 A1 (Crabtree '492).
- Crabtree '147 teaches a method for "measuring the effects of cybersecurity attacks." It explicitly describes using the CPG to "produce a 'blast radius' calculation" (FIG. 9, step 903), which involves "identifying exactly what resources are at risk as a result of the intrusion." This process inherently requires analyzing the graph to find correlations and connections between the compromised node and other parts of the network, directly teaching the step of "analyzing the cyber-physical graph... to identify correlations between affected nodes."
- Crabtree '492 discloses "live attack assessment by correlating time-series data with a cyber-physical graph" (Abstract). This further reinforces the idea of analyzing relationships between an event and the affected infrastructure.
Motivation to Combine: After detecting an anomaly using the method from Combination 1, the immediate and logical next step for a security analyst is to understand its scope and implications. The "blast radius" calculation from Crabtree '147 provides a method to do exactly that by exploring the connections from the anomalous node. A POSA would be motivated to integrate this impact assessment to understand the potential spread of an attack. This directly leads to generating a "behavior graph" (a subgraph of the CPG showing the potential attack paths) based on the identified correlations.
Proposed Combination 3: Combination 2 in view of the inherent nature of root cause analysis
Primary Combination: Crabtree '464 + '910 + '147 + '492 as established above. These references collectively teach creating a CPG, establishing a baseline, detecting an anomaly, and generating a graph of the "blast radius" or correlated entities. This resulting graph is functionally identical to the "behavior graph" of claim 1, which shows "causative relationships between events."
Final Step: The final step of claim 1 is "traversing the behavior tree backward in a temporal dimension to identify a plurality of potential points of origin." This describes the well-known and conventional process of root cause analysis. In cybersecurity and IT diagnostics, once a fault or intrusion is identified and its effects are mapped (as taught by Crabtree '147), it is a standard, routine procedure to trace the event chain backward to find the initial cause. A POSA would find it obvious to apply this fundamental diagnostic technique to the "behavior graph" to determine how the anomaly originated. No inventive step is required to decide to trace an attack path backward once it has been mapped.
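To make concrete what the "traversing ... backward in a temporal dimension" step amounts to in practice, here is an added illustration; it is not code from the '628 patent or from any of the Crabtree references, and the event graph, node names and timestamps are constructed for the example. Starting from the detected anomaly, a plain breadth-first walk over reversed causal edges, restricted to edges whose cause precedes its effect, reaches the events with no earlier cause, which are the "plurality of potential points of origin."

```python
from collections import defaultdict, deque

# Constructed sample behavior graph: each event carries a timestamp and
# the affected node; CAUSES lists (cause, effect) pairs found by
# correlating affected nodes. E5 is the anomaly an analyst starts from.
EVENTS = {
    "E1": {"ts": 100, "node": "workstation-7", "desc": "attachment opened"},
    "E2": {"ts": 130, "node": "workstation-7", "desc": "scheduled task added"},
    "E3": {"ts": 90, "node": "vpn-gw", "desc": "login from unusual location"},
    "E4": {"ts": 200, "node": "file-srv-2", "desc": "SMB session from workstation-7"},
    "E5": {"ts": 260, "node": "file-srv-2", "desc": "bulk read of finance share"},
    "E6": {"ts": 300, "node": "db-1", "desc": "later downstream event"},
}
CAUSES = [
    ("E1", "E2"), ("E2", "E4"), ("E3", "E4"), ("E4", "E5"), ("E5", "E6"),
    ("E6", "E5"),  # bad correlation: effect precedes cause, must be ignored
]


def trace_origins(anomaly, events, causes):
    """Walk the behavior graph backward in time from `anomaly`.

    Only edges whose cause is earlier than its effect are followed, so a
    correlation that violates temporal order cannot yield a spurious origin.
    Returns (origins, visited): origins are the reached events that have no
    valid earlier cause, sorted by timestamp; visited is every event reached.
    """
    preds = defaultdict(list)
    for cause, effect in causes:
        if events[cause]["ts"] < events[effect]["ts"]:
            preds[effect].append(cause)
    visited = {anomaly}
    queue = deque([anomaly])
    origins = []
    while queue:
        ev = queue.popleft()
        if not preds[ev]:  # nothing earlier caused this: a candidate origin
            origins.append(ev)
        for cause in preds[ev]:
            if cause not in visited:
                visited.add(cause)
                queue.append(cause)
    origins.sort(key=lambda e: events[e]["ts"])
    return origins, visited


if __name__ == "__main__":
    found, seen = trace_origins("E5", EVENTS, CAUSES)
    for ev in found:
        print(f"{ev} @ {EVENTS[ev]['ts']} on {EVENTS[ev]['node']}: {EVENTS[ev]['desc']}")
```

Running it from E5 reports E3 and E1 as the two potential points of origin and never reaches E6, since E6 lies after the anomaly and its backwards edge fails the temporal check.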
Analysis of Independent Claim 9 (System)
Claim 9 recites a system comprising three modules to perform the method of Claim 1. The obviousness of the system follows from the obviousness of the method.
- Cyber-physical graph module: Explicitly taught by Crabtree '464.
- Reconnaissance engine: This module performs reconnaissance to "create a normal behavior model." This is the functional system taught by Crabtree '910, which collects and analyzes data to establish behavior patterns.
- Directed computational graph engine: This module is responsible for the analysis, correlation, and tracing. Crabtree '255 discloses the "directed computational graph" as the core processing framework for analysis. Crabtree '147 and '492 teach the functions of correlating events and assessing impact. The final function of traversing the graph backward is, as argued above, an obvious application of root cause analysis.
A POSA would be motivated to assemble these known modules, all from the same body of work by the same inventors, to create an integrated system. The motivation would be to build a comprehensive security platform that moves from data modeling ('464) to anomaly detection ('910) and finally to impact analysis and root cause identification ('147), representing a logical and predictable design progression.
Conclusion
The independent claims of US Patent 12,301,628 appear to be obvious under 35 U.S.C. § 103 in light of the prior art, particularly the preceding patents and applications by the same inventors. The '628 patent essentially combines several previously disclosed components—the Cyber-Physical Graph, behavioral anomaly detection, and impact analysis—and adds the final, conventional step of performing a root cause analysis by tracing the identified event chain backward. A POSA would have found it obvious to combine these known elements to achieve the claimed invention, as it represents a logical progression of building a comprehensive cybersecurity threat detection and analysis system.
Generated 4/30/2026, 8:34:34 PM