Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.



DETAILED ACTION
This action is in response to the communication filed on 04/23/2019.
Claims 1-20 are under examination.


Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 3 and 16 recite the limitation "the simulated security rules". There is insufficient antecedent basis for this limitation in the claims.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 4-14 and 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over Cohen et al. (US 2005/0193430 A1), Zimmermann et al. (US 2018/0027006 A1) and Donahue (US 2018/0054429 A1).
Regarding claim 1, Cohen et al. discloses a system for sanitizing an organization's network against attacker breach [par. 0056, presents fixes for eliminating vulnerabilities], comprising: a data collector, gathering information about network hosts, including endpoint computers and server computers within an organization's network [par. 0012, gathering information about the network and its components, creating a model of the network (which can include all of its nodes and their configurations/services)]; an analyzer applying graph theory to construct the organization's network topology and connections between hosts [par. 0028, Information discovery agents also gather network topology and services information, or configuration of security measures such as access control lists from routers, firewalls, or other devices, par. 0029, A model of the network is thus created detailing the network topology and the actual atomic vulnerabilities present at each network node, par. 0030, graph nodes and edges describe all action routes in a given network]; identifying key assets of [par. 0071, The analytic engine 146 retrieves the filtered raw vulnerabilities information from the vulnerabilities database 162 and the corrected network and services information from the network and services database 160 to analyze vulnerabilities with logic… the analytic engine 146 determines actual vulnerabilities by consulting a vulnerabilities rule set].
Cohen et al. does not explicitly disclose a machine learning engine categorizing the hosts into users, groups and organizational units.
However Zimmermann et al. teaches a machine learning engine categorizing the hosts into users, groups and organizational units, and identifying key assets of the organization [par. 0568, The machine learning engine will also be able to classify and identify the sensitive data of a user, a group and/or an organization, par. 0574, binary classification of usage as human or machine, par. 0458, automate the process of surfacing the things that are most important within it].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Zimmermann et al. into the teaching of Cohen et al. with the motivation to allow the enterprise to discover and manage third party applications that may have been delegated access to enterprise information and to understand how to deal with, among other things, compromised accounts and behavior-based attacks as taught by Zimmermann et al. [Zimmermann et al.: par. 0012].

However, Donahue teaches gathering information about credentials stored on these computers; depict hosts that have credentials stored therein [par. 0044, the Credential and Computer Risk analyzer can also search for and store information regarding the presence of account credentials or credential artifacts on any computing device that can be can be used to gain access to additional computing devices where additional credentials or credential artifacts can be collected... visualized by a visualization engine 211 for example in a graph diagram displaying nodes and links]; and inferring security rules that prescribe on which specific hosts which specific credentials are permitted to be stored [par. 0046, “The remediation engine 212 can analyze the behavioral database and determine which credentials and credential artifacts can be removed from systems without negatively impacting system user”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Donahue into the teaching of Cohen et al. and Zimmermann et al. with the motivation to remove credentials and credential artifacts from computing devices in a way which will not significantly disrupt the users of the respective computing devices and of the network as taught by Donahue [Donahue: par. 0014].
Regarding claim 4, the rejection of claim 1 is incorporated.
[par. 0063, The report generator 150 creates reports of analysis results, system activities, rule sets, and other items as specified by a user, par. 0066, The violations database 164 can store policy violations detected by the system, alerts generated and their status, and reports generated, or, in some embodiments, information such as the alert information and the report information can be stored in one or more other databases, par. 0083, The report readily shows that these attacks can be prevented by disabling the network DDE on the web server 248, making /public read-only on the FTP server 252, and disabling rlogin from the web server 246 to the administration server 254. Once these fixes have been performed, the security administrator can then focus on fixing the denial of service attacks by patching the web servers 246, 248, and 250 to prevent buffer overflows, patching the router 232 to prevent remote configuration loading, replacing the application server 262 password, and blocking port 8080 from network device 244 to network device 260].
Regarding claim 5, the rejection of claim 1 is incorporated.
Zimmermann et al. further discloses an analyst dashboard visualizing in real-time activities within the organizations' network [par. 0125, “enabling various user interfaces and visualization capabilities such as ones that help security professionals to manage various cyber security use cases, such as identifying emerging events, dealing with compromised accounts, preventing malware, avoiding and managing data breaches, providing forensic capabilities, managing compliance, and the like”, par. 0141, “A complete IDaaS offering may include an "activities view" visualization”].
[Zimmermann et al.: par. 0012].
Regarding claim 6, the rejection of claim 5 is incorporated.
Zimmermann et al. further discloses that the analyst dashboard automatically infers security rules for the network [par. 0012, “global policy creation and policy automation (such as enabling management of work flows and implementing various rules, such as enabled by a rules engine, about taking action in the enterprise environment (including any cloud) with automated actions taking place in response to the policy engine)”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Zimmermann et al. into the teaching of Cohen et al. with the motivation to allow the enterprise to discover and manage third party applications that may have been delegated access to enterprise information and to understand how to deal with, among other things, compromised accounts and behavior-based attacks as taught by Zimmermann et al. [Zimmermann et al.: par. 0012].
Regarding claim 7, the rejection of claim 6 is incorporated.
Zimmermann et al. further discloses that the analyst dashboard activates the security rules in the network [par. 0012, “global policy creation and policy automation (such as enabling management of work flows and implementing various rules, such as enabled by a rules engine, about taking action in the enterprise environment (including any cloud) with automated actions taking place in response to the policy engine)”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Zimmermann et al. into the teaching of Cohen et al. with the motivation to allow the enterprise to discover and manage third party applications that may have been delegated access to enterprise information and to understand how to deal with, among other things, compromised accounts and behavior-based attacks as taught by Zimmermann et al. [Zimmermann et al.: par. 0012].
Regarding claim 8, the rejection of claim 7 is incorporated.
Donahue further discloses that the analyst dashboard eliminates potential attack vectors for which the activated security rules are violated [par. 0012, “the remediation engine can determine that an account named "back-up service account" performs non-interactive authentications once every 24 hours, then launches a single process which completes in 5 minutes, but leaves credential artifacts on the computing device. The remediation engine determines that based on factors which indicate times that an account is not actively being used by the computing device, for example frequency of authentication, non-interactive logon, single consistent process creation, and duration of process; these credentials and credential artifacts can safely be removed from the computing device and send a message to the Web Service which notifies the Agent which deletes the credentials and credential artifacts”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Donahue into the teaching [Donahue: par. 0014].
Regarding claim 9, the rejection of claim 1 is incorporated.
Cohen et al. discloses an attacker view visualizing the endpoints and the servers within the organization's network [par. 0013, “Network models including attack graphs can be used in conducting attack simulations. An algorithm is used in generating attack simulations. The algorithm can first identify or select starting point graph nodes for attacks. The algorithm can then utilize constraint information associated with connecting graph nodes in determining possible attack paths from starting point graph nodes through other connecting graph nodes, and to determine attack termination point graph nodes”, par. 0029, “By comparing the raw vulnerabilities with information about the network topology and the network services, the system combines vulnerabilities with logic to determine actual vulnerabilities which might be exploited by an attacker”].
Regarding claim 10, the rejection of claim 9 is incorporated.
Donahue further discloses that the attacker view represents connections by protocol and by credentials within the network [par. 0044, “the Credential and Computer Risk analyzer can also search for and store information regarding the presence of account credentials or credential artifacts on any computing device that can be can be used to gain access to additional computing devices where additional credentials or credential artifacts can be collected. The Credential and Computer Risk analyzer creates Links for each account with credential or credential artifacts on a computer which can be used to access another computer and collect credentials and credential artifacts. This Links include a Source Node representing the computing device where initial credential and credential artifacts are collected, the Link name which is an account with can be used to access another computing device, and the Target Node representing the computing device on which the initial credential and credential artifacts can be used to collect additional credential and credential artifacts. The Links can be stored in a Link database 208, and could optionally be visualized by a visualization engine 211 for example in a graph diagram displaying nodes and links”, official notice: computer communication connection by protocol is well known in the art].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Donahue into the teaching of Cohen et al. and Zimmermann et al. with the motivation to remove credentials and credential artifacts from computing devices in a way which will not significantly disrupt the users of the respective computing devices and of the network as taught by Donahue [Donahue: par. 0014].
Regarding claim 11, the rejection of claim 10 is incorporated.
Cohen et al. discloses that the attacker view visualizes real and deceptive connections within the network [par. 0013, “Network models including attack graphs can be used in conducting attack simulations. An algorithm is used in generating attack simulations. The algorithm can first identify or select starting point graph nodes for attacks. The algorithm can then utilize constraint information associated with connecting graph nodes in determining possible attack paths from starting point graph nodes through other connecting graph nodes, and to determine attack termination point graph nodes”, par. 0029, “By comparing the raw vulnerabilities with information about the network topology and the network services, the system combines vulnerabilities with logic to determine actual vulnerabilities which might be exploited by an attacker”].
Regarding claim 12, the rejection of claim 11 is incorporated.
Cohen et al. discloses that the attacker view identifies security rule violations across the organization's network [par. 0066, “The alert generator 148 issues alerts according to vulnerabilities, risks, or violations detected as specified by preferences stored in the configuration database 174”].
Regarding claim 13, the rejection of claim 12 is incorporated.
Donahue discloses that the attacker view enables removal of credential-based security rule violations by use of actions [par. 0062, “the owners and administrators of the computer devices are aware of the total impact of account compromise, for example, via credential theft, from one or more computing devices across all of their computer devices and across their network. The credential security discovery system can then interact with the computer devices to remove credentials and credential artifacts”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Donahue into the teaching of Cohen et al. and Zimmermann et al. with the motivation to remove credentials and credential artifacts from computing devices in a way which will not significantly disrupt the users of the respective computing devices and of the network as taught by Donahue [Donahue: par. 0014].
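As an added illustration, not part of this Office Action or of any cited reference, the following constructed Python model follows the Link structure quoted from Donahue for claims 10 and 13 (source node, account used as the link name, target node). It computes which hosts a compromise of one host could chain to through stored credential artifacts, and which artifacts sit on a chain to a protected host, so the effect of removing one can be checked. All host and account names are constructed sample data and all function names are hypothetical.

```python
from collections import deque

# Constructed sample Links (source node, account, target node): a credential
# artifact for `account` stored on the source host can authenticate to the target.
SAMPLE_LINKS = [
    ("ws-01", "alice", "file-01"),
    ("ws-01", "svc-backup", "db-01"),
    ("file-01", "svc-backup", "db-01"),
    ("db-01", "domain-admin", "dc-01"),
    ("ws-02", "bob", "file-01"),
]


def _reachable(edges, start):
    """Breadth-first closure over a host -> [host] adjacency map."""
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in edges.get(queue.popleft(), []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def blast_radius(links, start):
    """Hosts reachable from `start` by chaining the artifacts stored along the way
    (the 'total impact of account compromise' the par. 0062 citation refers to)."""
    fwd = {}
    for src, _acct, dst in links:
        fwd.setdefault(src, []).append(dst)
    return _reachable(fwd, start) - {start}


def artifacts_on_paths(links, start, protected):
    """(host, account) artifacts lying on some chain from `start` to `protected`.
    A link is on such a chain iff its source is reachable from `start` and its
    target can reach `protected`; these are the removal candidates to review."""
    fwd, back = {}, {}
    for src, _acct, dst in links:
        fwd.setdefault(src, []).append(dst)
        back.setdefault(dst, []).append(src)
    from_start = _reachable(fwd, start)
    to_target = _reachable(back, protected)
    return sorted({(src, acct) for src, acct, dst in links
                   if src in from_start and dst in to_target})


def remove_artifact(links, host, account):
    """Simulate the remediation step: drop one stored credential artifact."""
    return [l for l in links if not (l[0] == host and l[1] == account)]


if __name__ == "__main__":
    print(sorted(blast_radius(SAMPLE_LINKS, "ws-01")))
    print(artifacts_on_paths(SAMPLE_LINKS, "ws-01", "dc-01"))
    pruned = remove_artifact(SAMPLE_LINKS, "db-01", "domain-admin")
    print(sorted(blast_radius(pruned, "ws-01")))
```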
Regarding claim 14, it recites limitations similar to claim 1. The reason for the rejection of claim 1 is incorporated herein.
Regarding claim 17, it recites limitations similar to claim 4. The reason for the rejection of claim 4 is incorporated herein.
Regarding claim 18, it recites limitations similar to claim 8. The reason for the rejection of claim 8 is incorporated herein.
Regarding claim 19, it recites limitations similar to claim 11. The reason for the rejection of claim 11 is incorporated herein.
Regarding claim 20, it recites limitations similar to claims 12 and 13. The reasons for the rejection of claims 12 and 13 are incorporated herein.

Claims 2-3 and 15-16 are rejected under 35 U.S.C. 103 as being unpatentable over Cohen et al. (US 2005/0193430 A1), Zimmermann et al. (US 2018/0027006 A1) and Donahue (US 2018/0054429 A1) as applied to claims 1, 4-14 and 17-20 above, and further in view of Attfield et al. (US 10,169,571 B1).
Regarding claim 2, the rejection of claim 1 is incorporated.
Cohen et al. discloses simulation.
Cohen et al. does not explicitly disclose a security rules engine that simulates the inferred security rules for existing network data offline.
However, Attfield et al. teaches a security rules engine that simulates the inferred security rules for existing network data offline [col. 8, lines 8-12, “allow for test of policy changes before go-live on production systems”].
[Attfield et al.: abs, col. 8, lines 8-12].
Regarding claim 3, the rejection of claim 1 is incorporated.
Cohen et al. discloses simulation.
Cohen et al. does not explicitly disclose a security rules engine that implements production versions of the simulated security rules.
However, Attfield et al. teaches a security rules engine that implements production versions of the simulated security rules [col. 8, lines 8-12, “allow for test of policy changes before go-live on production systems”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Attfield et al. into the teaching of Cohen et al., Zimmermann et al. and Donahue with the motivation for secure, policy-based, access control and management of mobile computing devices and allow for test of policy changes before go-live on production systems as taught by Attfield et al. [Attfield et al.: abs, col. 8, lines 8-12].
Regarding claim 15, it recites limitations similar to claim 2. The reason for the rejection of claim 2 is incorporated herein.
Regarding claim 16, it recites limitations similar to claim 3. The reason for the rejection of claim 3 is incorporated herein.


Conclusion
The prior art made of record and not relied upon is considered pertinent to Applicant’s disclosure:
US 20120180133 A1		Systems, Program Product and Methods For Performing a Risk Assessment Workflow Process For Plant Networks and Systems
US 20030212909 A1		Tool, method and apparatus for assessing network security
US 20040015728 A1		System and method for network vulnerability detection and reporting
US 20140007241 A1		SYSTEM AND METHOD FOR IDENTIFYING EXPLOITABLE WEAK POINTS IN A NETWORK
US 20110277034 A1		SYSTEM AND METHOD FOR THREE-DIMENSIONAL VISUALIZATION OF VULNERABILITY AND ASSET DATA
US 10044745 B1		Systems for computer network security risk assessment including user compromise analysis associated with a network of devices
US 20180084012 A1		DYNAMIC POLICY INJECTION AND ACCESS VISUALIZATION FOR THREAT DETECTION

US 20050138413 A1		Network security planning architecture
US 20180191726 A1		ACCESS RELATIONSHIPS IN A COMPUTER SYSTEM
US 20150128205 A1		METHODS AND SYSTEMS FOR SECURE NETWORK CONNECTIONS
US 20140067779 A1		PREDICTIVE INFORMATION TOPOLOGY MODELING AND VISUALIZATION
US 20160191532 A1		SYSTEMS FOR NETWORK RISK ASSESSMENT INCLUDING PROCESSING OF USER ACCESS RIGHTS ASSOCIATED WITH A NETWORK OF DEVICES
US 20170048215 A1		SECURE STORAGE OF ENTERPRISE CERTIFICATES FOR CLOUD SERVICES

Any inquiry concerning this communication or earlier communications from the examiner should be directed to JASON CHIANG whose telephone number is (571)270-3393. The examiner can normally be reached from 9 AM to 6 PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild, can be reached at (571) 272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.




/JASON CHIANG/Primary Examiner, Art Unit 2431