Patent 12301628
Prior art
Earlier patents, publications, and products that may anticipate or render the claims unpatentable.
Active provider: Google · gemini-2.5-pro
Analysis of Prior Art for U.S. Patent No. 12,301,628
Below is an analysis of the prior art references cited during the prosecution of U.S. Patent No. 12,301,628. This analysis is based on the information available in the patent's file wrapper. Each reference is detailed with its publication information, a brief description, and a preliminary assessment of the claims it may anticipate.
U.S. Patent Documents Cited
| Citation Number | Publication Date | Patentee | Title | Potential Anticipation of Claims |
|---|---|---|---|---|
| US 10,210,255 B2 | Feb. 19, 2019 | Crabtree, et al. | System and method for an advanced cyber-decision platform using a distributed computational graph | Claims 1, 9: This patent, from the same inventors, describes a foundational element of the '628 patent: the use of a distributed computational graph for analyzing large datasets. It discloses the concept of representing data and transformations as a graph, which is a core component of the "directed computational graph engine" in claim 9 and the "behavior graph" in claim 1. While it establishes the underlying data processing framework, it may not explicitly detail the entire process of creating a "cyber-physical graph" for anomaly detection as claimed. |
| US 10,204,147 B2 | Feb. 12, 2019 | Crabtree, et al. | System and method for measuring the effects of cybersecurity attacks using a distributed computational graph | Claims 1, 9: Another patent from the same inventors that focuses on using a computational graph to assess the impact of cyberattacks. This reference likely discloses the concept of analyzing a network graph to determine the "blast radius" or impact of an event, which is related to analyzing correlations between affected nodes as recited in claim 1. It may anticipate the analysis and correlation steps but might not fully describe the proactive reconnaissance and normal behavior modeling aspects. |
| US 10,860,962 B2 | Dec. 8, 2020 | Crabtree, et al. | System and method for continuous cybersecurity monitoring and exploration using a distributed computational graph | Claims 1, 9: This patent further details the continuous monitoring aspect of the inventors' platform. It describes receiving data from various systems, creating time-series graphs, and visualizing changes over time. This aligns with the '628 patent's method of using a cyber-physical graph and a normal behavior model to identify anomalous events by monitoring network activity. |
| US 10,248,910 B2 | Apr. 2, 2019 | Crabtree, et al. | System and method for cybersecurity behavioral analytics using a distributed computational graph | Claims 1, 9: This reference discloses the use of a computational graph for behavioral analytics, including identifying anomalous behavior. It describes collecting activity information and analyzing behavior patterns to detect anomalies. This directly relates to the step of "identifying an anomalous event based on analysis of cyber-physical graph and the normal behavior model" in claim 1 and the function of the "directed computational graph engine" in claim 9. |
| US 10,735,456 B2 | Aug. 4, 2020 | Crabtree, et al. | System and method for mitigating compromised credential threats using a distributed computational graph | Claims 1, 9: This patent describes using impact assessment scores and a cyber-physical graph to simulate attacks and assess the "blast radius." This relates to the '628 patent's process of analyzing the cyber-physical graph to identify correlations between affected nodes and generating a behavior graph. |
| US 10,609,079 B2 | Mar. 31, 2020 | Crabtree, et al. | System and method for dynamic network and rogue device discovery using a distributed computational graph | Claims 1, 9: This reference details a system for continuous network monitoring to detect new devices and assess their potential risk. This is relevant to the '628 patent's concept of performing reconnaissance to build a model of the network and identify changes or anomalies. |
| US 10,560,483 B2 | Feb. 11, 2020 | Crabtree, et al. | System and method for Kerberos "golden ticket" attack detection using a distributed computational graph | Claims 1, 9: This patent focuses on detecting a specific type of attack by monitoring for behavioral anomalies in real-time using a cyber-physical graph. This is a specific application of the broader method claimed in the '628 patent of identifying anomalous events and analyzing their impact. |
| US 11,025,674 B2 | Jun. 1, 2021 | Ghosh, et al. | In-app behavior-based attack detection | Claims 1, 9: This patent describes a system for detecting attacks by capturing and analyzing a stream of events within an application to identify significant feature frequencies and associations corresponding to attack profiles. This aligns with the '628 patent's concept of establishing a "normal behavior model" and identifying "anomalous events." However, it appears to focus on in-app behavior rather than on the broader network-wide "cyber-physical graph." |
U.S. Patent Application Publications Cited
| Citation Number | Publication Date | Applicant | Title | Potential Anticipation of Claims |
|---|---|---|---|---|
| US 2017/0124464 A1 | May 4, 2017 | Crabtree, et al. | System and method for mapping a cyber-physical system graph | Claims 1, 9: This application is a precursor to the granted patents by the same inventors and lays the groundwork for the "cyber-physical graph" concept. It describes visualizing relationships between devices, users, and resources to contextualize security information. This is a foundational element of claim 1. |
| US 2017/0124501 A1 | May 4, 2017 | Crabtree, et al. | System and method for continuous network resilience rating | Claims 1, 9: This application focuses on generating a network resilience score by incorporating information about publicly disclosed vulnerabilities into a cyber-physical graph. This relates to the reconnaissance and risk assessment aspects of the '628 patent. |
| US 2017/0124497 A1 | May 4, 2017 | Crabtree, et al. | System and method for cybersecurity privilege oversight | Claims 1, 9: This publication describes analyzing user account and privilege information over time and correlating it with the cyber-physical graph. This aligns with the '628 patent's approach of building a comprehensive model of the organization, including user entities. |
| US 2017/0124492 A1 | May 4, 2017 | Crabtree, et al. | System and method for cybersecurity risk management | Claims 1, 9: This application details a method for live attack assessment by correlating time-series data with a cyber-physical graph. This is highly relevant to the core claims of the '628 patent, which involve identifying and analyzing anomalous events in near real-time. |
| US 2017/0371726 A1 | Dec. 28, 2017 | Crabtree, et al. | System and method for risk-based vulnerability and patch management | Claims 1, 9: This document describes a system that monitors network information, incorporates it into a cyber-physical graph, and assesses the impact of vulnerabilities. This is directly related to the '628 patent's use of a cyber-physical graph for security analysis and response. |
| US 2021/0232956 A1 | Jul. 29, 2021 | K. S., et al. | Event correlation based on pattern recognition and machine learning | Claim 1: This application describes a method for improving the correlation of events and alerts in enterprise networks. It involves receiving event data, cleaning and labeling it, identifying patterns, and clustering recurring patterns to find correlated events. This process of identifying patterns and correlations is a key aspect of claim 1 of the '628 patent. |
Non-Patent Literature
A 2002 paper by Anup K. Ghosh and Aaron Schwartzbard titled "A Study in Using Neural Networks for Anomaly and Misuse Detection" discusses using artificial neural networks for both anomaly detection to identify new attacks and misuse detection for known attacks. The paper's approach of learning normal behavior to detect anomalies is a foundational concept also present in the '628 patent.
Summary of Prior Art
The prior art cited against U.S. Patent No. 12,301,628 consists of a significant number of patents and applications by the same inventors, Crabtree, et al., assigned to Qomplx Inc. These earlier filings establish the core concepts of the "cyber-physical graph" and the "directed computational graph" for various cybersecurity applications. The '628 patent appears to be a continuation of this work, specifically claiming a method and system for using these established components to correlate network anomalies with reconnaissance data to trace back to an attack's origin.
The key challenge to the validity of the '628 patent would likely be whether the combination of elements from the inventors' own prior work, along with the concept of using reconnaissance data, would have been obvious to a person of ordinary skill in the art at the time of the invention. While the individual components may be well-disclosed in the prior art, the specific combination and application for tracing attacks back to their source, as claimed, may be considered novel and non-obvious.
The external references, such as the patent by Ghosh, et al. and the academic paper, establish the general concept of behavior-based anomaly detection. An argument could be made that a person of ordinary skill in the art would have been motivated to combine these known anomaly detection techniques with the graphical network analysis methods described in the Crabtree, et al. prior art to arrive at the invention claimed in the '628 patent.
Generated 4/30/2026, 8:26:19 PM