DETAILED ACTION
1. 	This office action is in response to application No. 16/855,631 filed on 04/22/2020. Claims 1-20 are submitted for examination. Claims 1, 11 and 20 are independent.

Notice of Pre-AIA  or AIA  Status

2.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Priority

	3.	This application, filed on 04/22/2020, is a continuation of application No. 16222573, filed 12/17/2018, now U.S. Patent No. 10645102. Furthermore, application No. 16222573 is a continuation of application No. 15339437, filed 10/31/2016, now U.S. Patent #10158654. Therefore, the effective filing date for the subject matter defined in the pending claims of this application is 10/31/2016.
Information Disclosure Statement
4.	The information disclosure statements (IDS) submitted on 04/29/2020 have been considered. The submission is in compliance with the provisions of 37 CFR 1.97. Form PTO-1449 is signed and attached hereto.
Drawings
5.	The drawings filed on April 22, 2020 are accepted. 
Specification
6.	The specification filed on April 22, 2020 is also accepted.

Double Patenting

7.	The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees.  A nonstatutory double patenting rejection is appropriate where the claims at issue are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
8.	A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the reference application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
9.	The USPTO internet Web site contains terminal disclaimer forms which may be used.  Please visit http://www.uspto.gov/forms/.  The filing date of the application will determine what form should be used.  A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and 
10.	Claims 1-3, 7-13 and 17-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of the U.S. Patent application 10/645,102 (hereinafter referred to as the ‘102 patent). Although the conflicting claims are not identical, they are not patentably distinct from each other.
Claims 1-3, 7-13 and 17-20 of the instant application and claims 1-20 of the ‘102 patent recite similar limitations. The above claims, namely claims 1-3, 7-13 and 17-20 of the instant/present application, would have been obvious over claims 1-2, 4-6, 10-12, 14-15 and 19-20 of the ‘102 patent because every element of the above claims 1-3, 7-13 and 17-20 of the present application is anticipated by the corresponding claims 1-20 of the ‘102 patent. [See the following table that compares the claims.]


Instant/Current Application No. 16/855,631
See the following claims, App. No. 16/855,631
‘102 patent
See the following claims ‘102 Patent
1, 11 and 20. A system comprising: 



cybersecurity event associated with a computer network; 



determine one or more first parameters of an asset of the computer network based at least on the detected cybersecurity event; 
transmit a first query of the one or more parameters to a device associated with the asset; 

receive, from the device, one or more first values for the one or more first parameters; 
determine a state of operation of the asset, indicative of one of a normal behavior or abnormal behavior, based at least on by the cybersecurity event based on the state of operation of the asset. 





identify one or more assets of the computer network associated with the specification; and an asset profiling engine configured to, for each asset of the one or more identified assets: determine a first set of parameters for profiling the asset based on detected violation of the specification;

transmit a first query for the first set of parameters to a computing device associated with the asset; 

receive, from the computing device, one or more first parameter values corresponding to the first set of parameters 
responsive to the first query; compare the one or more first parameter values to one or more first criteria or threshold values; and 

determine a second set of parameters based at least on comparing the one or more first values for the one or more first parameters to the corresponding one or more first thresholds;



receive second values for the second set of parameters, 

responsive to the second query; and determine the state of operation of the asset based on comparing the second values to corresponding second thresholds or criteria. 



determine a second set of parameters based on the comparing, for each of the one or more identified assets, of the one or more first parameter values to the one or more first criteria or threshold values; 


transmit, for each asset of the one or more identified assets, a second query for the 

receive, from each asset of the one or more identified assets, one or more second parameter values corresponding to the second set of parameters, 
responsive to the second query; compare, for each asset of the one or more identified assets, the one or more second parameter values to one or more second criteria or threshold values; 


and determine, for each asset of the one or more assets, the state of operation of the asset further based on comparing the one or more second parameter values to the one or more second criteria or threshold values.
cybersecurity attack, a cybersecurity threat or an unpatched vulnerability.
6 and 15. The system of claim 1, wherein detecting that the specification associated with the operation of the computer network is violated includes detecting access of the network of computer devices by an electronic 

10 and 19. The system of claim 1, wherein the controller is configured to update a state parameter of an asset of the one or more identified assets based on the state of operation of the asset.
8. The system of claim 1, wherein the one or more corresponding first thresholds or criteria are specific to the asset. 

2 and 12. The system of claim 1, wherein the asset profiling engine is further configured to: determine a second set of parameters based on the comparing, for each of the one or more identified assets, of the one or more first parameter values to the one or more first criteria or threshold values
9 and 18. The system of claim 1, wherein the one or more processors are further configured to provide an indication of whether the asset is affected by the cybersecurity event for display on a display device.
4 and 14. The system of claim 1, wherein the controller engine is further configured to: provide an indication of an abnormal behavior of at least one asset of the one or more identified assets or an indication of the cause of violating the specification for display on a display device.
10 and 19. The system of claim 1, wherein the one or more processors are further 




		Regarding the independent claims.
Independent claims 1, 11 and 20 of the instant application and claims 1, 11 and 20 of the ‘102 patent recite similar limitations. The above claims, namely claims 1, 11 and 20 of the instant/present application, would have been obvious over claims 1, 11 and 20 of the ‘102 patent because every element of the above claims 1, 11 and 20 of the present application is anticipated by the corresponding claims 1, 11 and 20 of the ‘102 patent, except that independent claims 1, 11 and 20 of the instant application recite a claim limitation such as detecting the “cyber security events”. However, this extra claim limitation is also at least anticipated by the claim limitation “detect/ing that a specification associated with operation of the computer network is violated” recited in the corresponding independent claims 1, 11 and 20 of the ‘102 patent.
Regarding the dependent claims, see the mapping shown in the table above.


11.	Claims 1, 2-3, 8-9, 10-13 and 20 are also rejected on the ground of non-statutory double patenting as being unpatentable over claims 1-3, 8-12 and 17-18 of the U.S. Patent application 

		Regarding the independent claims.
Independent claims 1, 11 and 20 of the instant application and claims 1, 10 and 18 of the ‘654 patent recite similar limitations. The above claims, namely claims 1, 11 and 20 of the instant/present application, would have been obvious over claims 1, 10 and 18 of the ‘654 patent because every element of the above claims 1, 11 and 20 of the present application is anticipated by the corresponding claims 1, 10 and 18 of the ‘654 patent, except that independent claims 1, 11 and 20 of the instant application recite a claim limitation such as detecting the “cyber security events”. However, this extra claim limitation is also at least anticipated by the claim limitation “determine the state of operation of the target asset …the state of operation indicative of an abnormal behavior associated with the target asset” recited in the corresponding independent claims 1, 11 and 20 of the ‘102 patent.

Regarding the dependent claims.

Dependent claims 2 and 12 of the instant application and claims 2 and 11 of the ‘654 patent recite similar limitations. The above claims, namely claims 2 and 12 of the instant/present application, would have been obvious over claims 2 and 11 of the ‘654 patent because every element of the above claims 2 and 12 of the present application is anticipated by the corresponding claims 2 and 11 of the ‘654 patent.

Dependent claims 3 and 13 of the instant application and claim 3 of the ‘654 patent recite similar limitations. The above claims, namely claims 3 and 13 of the instant/present application, would have been obvious over claim 3 of the ‘654 patent because every element of the above claims 3 and 13 of the present application is anticipated by the corresponding claim 3 of the ‘654 patent.


Dependent claim 8 of the instant application and claims 2 and 12 of the ‘654 patent recite similar limitations. The above claim, namely claim 8 of the instant/present application, would have been obvious over claims 2 and 12 of the ‘654 patent because every element of the above claim 8 of the present application is anticipated by the corresponding claims 2 and 12 of the ‘654 patent.

Dependent claim 9 of the instant application and claims 8 and 17 of the ‘654 patent recite similar limitations. The above claim, namely claim 9 of the instant/present application, would have been obvious over claims 8 and 17 of the ‘654 patent because every element of the above claim 9 of the present application is anticipated by the corresponding claims 8 and 17 of the ‘654 patent.

Dependent claim 10 of the instant application and claim 9 of the ‘654 patent recite similar limitations. The above claim, namely claim 10 of the instant/present application, would have been obvious over claim 9 of the ‘654 patent because every element of the above claim 10 of the present application is anticipated by the corresponding claim 9 of the ‘654 patent.

Claim Rejections - 35 USC § 103
12.	In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
13.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

14.	The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

	Examiner’s note: text in bold corresponds to the claimed limitations; text in italics, underlined or not underlined, corresponds to the cited prior art reference (i.e., verbatim, and/or examiner’s clarification). Meaning, text after a limitation in brackets [ ] corresponds to examiner’s mapping (including further explanation and/or comments) and/or prior art reference citations.
15.	Claims 1-4, 6-14 and 16-20 are rejected under AIA 35 U.S.C. 103 as being unpatentable over Lovy et al (hereinafter referred to as Lovy) (US Patent No. 7,028,228 B1) (April 11, 2006) (This application is cited in the IDS) in view of Jim Hanson (hereinafter referred to as Hanson) (US Publication No. 2011/0277034 A1) (Nov. 10, 2011).


As per independent claim 1, Lovy discloses a system comprising: one or more processors, coupled to a memory and configured to: detect a [See the abstract and figure 2, a network appliance for monitoring, diagnosing and documenting problems among a plurality of devices and processes (objects) coupled to a computer network utilizes periodic polling and collection of object-generated trap data to monitor the status of objects on the computer network. The status of a multitude of objects is maintained in memory utilizing virtual state machines which contain a small amount of persistent data but which are modeled after one of a plurality of finite state machines. The memory further maintains dependency data related to each object which identifies parent/child relationships with other objects at the same or different layers of the OSI network protocol model. See also A trap is a message sent by an SNMP agent to appliance 300 to indicate the occurrence of a significant event. An event may be a defined condition, such as a link failure, device or application failure, power failure, or a threshold that has been reached. See also In the illustrative embodiment, performance poller 322 may have an object-oriented implementation. Performance poller 322 receives external data from applications 312 through message methods. Such external applications may include Firewalls, Intrusion Detection Systems (IDS), Vulnerability Assessment tools, etc. Poller 322 receives performance data requests from web process 302 via Uniform Resource Locator (URL) methods.]; determine one or more first parameters of an asset of the computer network based at least on the detected [See at least column 2, line 38-45…A Status Poller periodically polls one or more monitored network objects and receives fault responses thereto. A Trap Receiver receives device generated fault messages. Both the Trap Receiver and Status Poller generate and transmit decision requests to the decision engine. 
The decision engine verifies through on-demand polling that a device is down….identifying, diagnosing, and documenting problems in computer networks using the appliance. The devices and process available on a network, as well as grouping of the same, are collectively referred to hereafter as "objects". See also column 2, lines 28-35..Accordingly, a monitored or managed object may be physical device(s), process(es) or logical associations or the same. According to one aspect of the invention, the network appliance comprises one or more a polling modules, a decision engine, a database and a case management module. The network appliance monitors objects throughout the network and communicates their status and/or problems to any number of receiving devices. See also e.g., col. 11, lines 35-36: "Performance poller 322 polls monitored device(s) 314a-n periodically for performance statistics including an identification step]; 
transmit a first query of the one or more parameters to a device associated with the asset
(col. 11, lines 36-38: "Specifically, performance poller 322 queries each device 314 with an SNMP Get call in accordance with the SNMP standard."); 
receive, from the device, one or more first values for the one or more first parameters
(col. 11, lines 38-42: "In response, the monitored device 314 provides a performance poll response to performance poller 322 in the form of an SNMP Response call, also in accordance with the SNMP standard."); determine a state of operation of the asset, indicative of one of a normal behavior or abnormal behavior, based at least on comparing the one or more first values to one or more corresponding first thresholds or criteria (col. 11, lines 42-58: "Based on the results of the performance poll response, performance poller 322 generates and transmits decision requests to decision engine 334 in the form of messages. Such decision requests may be generated when i) a specific performance condition occurs, ii) if no response is received within predefined threshold, or iii) if other criteria are satisfied.")
; and determine whether the asset is affected by the  (col. 15, lines 50-58: "As illustrated, decision engine 334 receives decision requests from any of Performance poller 322, Status Poller 330 or Trap Receiver 332, in the form of messages. [...] Decision processor 344 verifies the validity of any alarms and thresholds and forwards a generation request to case generator request 346 in the form of a message.", the cases generated being indicative of an abnormal behavior) 

Lovy discloses a network appliance for monitoring, diagnosing and documenting problems among a plurality of devices and processes (objects) coupled to a computer network that utilizes periodic polling and collection of object-generated trap data to monitor the status of objects on the computer network. Furthermore, Lovy discloses that performance poller 322 receives external data from applications 312 through message methods. Such external applications may include Firewalls, Intrusion Detection Systems (IDS), Vulnerability Assessment tools, etc. Poller 322 receives performance data requests from web process 302 via Uniform Resource Locator (URL) methods.

The system may include an intrusion detection system (IDS), Vulnerability Assessment tools, etc., but Lovy does not explicitly disclose the system having or detecting “cybersecurity” events.

Even if, for the sake of argument, it is assumed that Lovy does not explicitly disclose the limitation of detecting “cybersecurity” events, Hanson discloses the following, which clearly discloses a system for detecting cybersecurity events or “cybersecurity”:

Hanson, at least in paragraph 0003, discloses a shortcoming of the prior art, namely conducting vulnerability analysis in the network through manual inspection or network scans: “In many network environments, illegal or unauthorized users may exploit vulnerabilities in the network to gain access, deny access, or otherwise attack systems in the network. As such, to detect and remediate such network vulnerabilities, existing network security systems typically conduct vulnerability analysis in the network through manual inspection or network scans”. Furthermore, in paragraph 0006 Hanson discloses another shortcoming of the prior art, namely representing network topologies in a two-dimensional visual representation that may obscure distinctions between the various routers, devices and hosts, and in paragraph 0007 Hanson discloses a network security system that can aggregate information describing a network from various sources in order to generate visual representations that represent various network vulnerabilities and network assets in a manner that can simplify management of the various vulnerabilities and assets in the network.
In particular, in paragraph 0061 and the abstract, Hanson discloses how it detects or identifies a cybersecurity event or vulnerability using a three-dimensional routing topology, as follows:
“In another example, assets associated with the scan times that exceed the threshold may be analyzed for common parameters or other criteria (e.g., processor speeds, memory, system firewalls, vulnerabilities, etc.), which may be compared to other assets having faster scan times to determine whether the parameters common to the assets having the longer scan times may be causing the longer scan times. In this example, a first query may be provided to the management console to filter the topology for a target network and a second query may be provided to filter the topology for the hosts that have the longer scan times, whereby different three-dimensional visualizations created in response to the first query and the second query can be visually compared to identify open ports, vulnerabilities, or other criteria that may be causing the longer scan times.”

Lovy and Hanson are analogous art and are in the same field of endeavor, as they both pertain to actively monitoring the status of objects or devices and processes on the computer network.

It would have been obvious to one having ordinary skill in the art, before the effective filing of the claimed invention, to implement in the system of Lovy, a mechanism to add the feature such as “cybersecurity” or a mechanism to detect a “cybersecurity” as taught by Hanson,  

As per independent claim 11, independent claim 11 is rejected for the same reason or rationale as that of the above independent claim 1, as they both recite the same/similar limitations having the same/similar scope.

As per independent claim 20, independent claim 20 is rejected for the same reason or rationale as that of the above independent claim 1, as they both recite the same/similar limitations having the same/similar scope.

As per dependent claim 2, the combination of Lovy and Hanson discloses the method/system as applied to claims above. Furthermore Hanson discloses the method/system, wherein the one or more processors are further configured to: determine a second set of parameters based at least on comparing the one or more first values for the one or more first parameters to the corresponding one or more first thresholds; transmit a second query for the second set of parameters to the device; receive second values for the second set of parameters, responsive to the second query; and determine the state of operation of the asset based on comparing the second values to corresponding second thresholds or criteria. [See at least paragraph 0061, In another example, assets associated with the scan times that exceed the threshold may be analyzed for common parameters or other criteria (e.g., processor speeds, memory, system firewalls, vulnerabilities, etc.), which may be compared to other assets having faster scan times to determine whether the parameters common to the assets having the longer scan times may be causing the longer scan times. In this example, a first query may be provided to the management console to filter the topology for a target network and a second query may be provided to filter the topology for the hosts that have the longer scan times, whereby different three-dimensional visualizations created in response to the first query and the second query can be visually compared to identify open ports, vulnerabilities, or other criteria that may be causing the longer scan times.”]

As per dependent claim 12, dependent claim 12 is rejected for the same reason or rationale as that of the above dependent claim 2, as they both recite the same/similar limitations having the same/similar scope.


As per dependent claim 3, the combination of Lovy and Hanson discloses the method/system as applied to claims above. Furthermore Hanson discloses the method/system, wherein the cybersecurity event includes at least one of a cybersecurity attack, a cybersecurity threat or an unpatched vulnerability. [See first on paragraph 0003, where Hanson discloses the shortcoming of a prior art such as conducting vulnerability analysis in the network through manual inspection or network scan, “In many network environments, illegal or unauthorized users may exploit vulnerabilities in the network to gain access, deny access, or otherwise attack systems in the network. As such, to detect and remediate such network vulnerabilities, existing network security systems typically conduct vulnerability analysis in the network through manual inspection or network scans” and see at least the abstract, “The system and method for three-dimensional visualization of vulnerability and asset data described herein may provide a management console that integrates various active vulnerability scanners, various passive vulnerability scanners, and a log correlation engine distributed in a network. In particular, the management console may include a three-dimensional visualization tool that can be used to generate three-dimensional visualizations that graphically represent vulnerabilities and assets in the network from the integrated information that management console collects the active vulnerability scanners, the passive vulnerability scanners, and the log correlation engine distributed in the network”]

As per dependent claim 13, dependent claim 13 is rejected for the same reason or rationale as that of the above dependent claim 3, as they both recite the same/similar limitations having the same/similar scope.

As per dependent claim 4, the combination of Lovy and Hanson discloses the method/system as applied to claims above. Furthermore Lovy discloses the method/system, wherein the one or more first parameters include a computer processing unit (CPU) usage parameter and the first thresholds or criteria include a CPU usage threshold level over a predefined time period. 
[See column 12, lines 13-23…A series of device-specific Performance Plug-Ins 321 serve as the interface between the Performance Poller 322 and managed network objects. The performance criteria monitored for each component begins with a best practices of network management approach. This approach defines what elements within a given device or application will be monitored to provide for the best appraisal of performance status. The managed elements for each device or application type are flexible, allowing for the creation of a management environment that reflects the significance and criticality of key infrastructure. See also column 12, lines 32- 40…Once the performance management criterion is established, the Performance Plug-Ins are configured for each managed device and application. Performance elements monitored may include, but are not limited to, such attributes as CPU utilization, bandwidth, hard disk space, memory utilization, or temperature. Appliance 300 continuously queries managed or monitored objects 314 at configured intervals of time, and the information received is stored as numeric values in database.]


As per dependent claim 14, dependent claim 14 is rejected for the same reason or rationale as that of the above dependent claim 4, as they both recite the same/similar limitations having the same/similar scope.

As per dependent claim 6, the combination of Lovy and Hanson discloses the method/system as applied to claims above. Furthermore Hanson discloses the method/system, wherein comparing the one or more first values to the one or more corresponding first thresholds or criteria includes determining a deviation of a first value from a corresponding threshold. 
[“Paragraph 0061, In another example, assets associated with the scan times that exceed the threshold may be analyzed for common parameters or other criteria (e.g., processor speeds, memory, system firewalls, vulnerabilities, etc.), which may be compared to other assets having faster scan times to determine whether the parameters common to the assets having the longer scan times may be causing the longer scan times. In this example, a first query may be provided to the management console to filter the topology for a target network and a second query may be provided to filter the topology for the hosts that have the longer scan times, whereby different three-dimensional visualizations created in response to the first query and the second query can be visually compared to identify open ports, vulnerabilities, or other criteria that may be causing the longer scan times.”]

As per dependent claim 16, dependent claim 16 is rejected for the same reason or rationale as that of the above dependent claim 6, as they both recite the same/similar limitations having the same/similar scope.

As per dependent claim 7, the combination of Lovy and Hanson discloses the method/system as applied to claims above. Furthermore Hanson discloses the method/system, wherein the one or more processors are further configured to update a state parameter of the asset based on the state of operation of the asset. [Paragraph 0022, the passive vulnerability scanners 120 may further apply various signatures to the information observed in the packet stream to identify vulnerabilities in the network and determine whether any packets in the packet stream potentially target such vulnerabilities. In one implementation, the passive vulnerability scanners 120 may observe the packet stream continuously, at periodic intervals, on a pre-configured schedule, or in response to determining that certain criteria or conditions have been satisfied. The passive vulnerability scanners 120 may then automatically reconstruct the network sessions, build or update the network model, identify the network vulnerabilities, and detect the traffic potentially targeting the network vulnerabilities in response to any new or changed information in the network and see paragraph 0013, Furthermore, the model or topology may be automatically updated in response to new or changed information discovered in subsequent active vulnerability scans, subsequently observed network traffic, or subsequently analyzed event logs. In one implementation, in response to suitably building the topology of the network, the management console may analyze the topology to identify various vulnerabilities in the network, and in one implementation, the management console may provide capabilities to search and query the topology or model of the network.]

As per dependent claim 17, dependent claim 17 is rejected for the same reason or rationale as that of the above dependent claim 7, as they both recite the same/similar limitations having the same/similar scope.

As per dependent claim 8, the combination of Lovy and Hanson discloses the method/system as applied to claims above. Furthermore Hanson discloses the method/system, wherein the one or more corresponding first thresholds or criteria are specific to the asset [See at least paragraph 0011, As such, the log correlation engine may analyze and correlate the events contained in the logs, the information describing the observed network traffic, and/or the information describing the snapshot of the network to automatically detect statistical anomalies, correlate intrusion events or other events with the vulnerabilities and assets in the network, search the analyzed and correlated information for data meeting certain criteria, or otherwise manage vulnerabilities and asset and see paragraph 0030…automatically detect statistical anomalies, correlate intrusion events or other events with the vulnerabilities and assets in the network, search the analyzed and correlated information for data meeting certain criteria or otherwise manage vulnerabilities and assets across the network.]

As per dependent claim 18, dependent claim 18 is rejected for the same reason or rationale as that of the above dependent claim 8, as they both recite the same/similar limitations having the same/similar scope.

As per dependent claim 9, the combination of Lovy and Hanson discloses the method/system as applied to claims above. Furthermore Hanson discloses the method/system, wherein the one or more processors are further configured to provide an indication of whether the asset is affected by the cybersecurity event for display on a display device. [See at least Paragraph 0037, display the three-dimensional visualizations created in operation 370 (with or without any visual effects that may have been applied in operation 380), the management console may operate on a web server and generate a user interface that can present the three-dimensional visualizations and/or any visual effects applied thereto within a web browser. Alternatively, in one implementation, the management console may provide a specialized application that can present the three-dimensional visualizations and/or the visual effects applied thereto and paragraph 0014, According to one aspect of the invention, the system and method described herein may further include a three-dimensional visualization tool associated with the management console, wherein the three-dimensional visualization tool may be used to create three-dimensional visualizations of the network topology and/or vulnerabilities.]

As per dependent claim 19, dependent claim 19 is rejected for the same reason or rationale as that of the above dependent claim 9, as they both recite the same/similar limitations having the same/similar scope.



As per dependent claim 10, the combination of Lovy and Hanson discloses the method/system as applied to claims above. Furthermore, Lovy discloses the method/system, wherein the one or more processors are further configured to: identify a second asset; and upon determining that the second asset is not responding to one or more requests, transmit the first query for the one or more parameters to the device associated with the asset, the one or more first parameters associated with the second asset. [Bulk ICMP Poller 397 performs several ICMP (ping) tests in parallel. Bulk ICMP Poller 397 can initiate several hundred tests without waiting for any current tests to complete. Tests consist of an ICMP echo-request packet to an address. When an ICMP echo-reply returns, the raw status is deemed normal. Any other response or no answer within a set time generates a new echo-request. If an ICMP echo-reply is not received after a set number of attempts, the raw status is deemed critical. The time between requests (per packet and per address), the maximum number of requests per address, and the amount of time to wait for a reply are tunable by the network administrator using appliance 300.]

16.	Claims 5 and 15 are rejected under AIA 35 U.S.C. 103 as being unpatentable over Lovy et al. (hereinafter referred to as Lovy) (US Patent No. 7,028,228 B1) (April 11, 2006) (This application is cited in the IDS) in view of Jim Hanson (hereinafter referred to as Hanson) (US Publication No. 2011/0277034 A1) (Nov. 10, 2011) and further in view of Lee Hahn Holloway (hereinafter referred to as Holloway) (US Patent No. 8,613,089 B1).


As per dependent claim 5, the combination of Lovy and Hanson discloses a system comprising: one or more processors, coupled to a memory and configured to: detect a cybersecurity event associated with a computer network [See the abstract and figure 2, a network appliance for monitoring, diagnosing and documenting problems among a plurality of devices and processes (objects) coupled to a computer network utilizes periodic polling and collection of object-generated trap data to monitor the status of objects on the computer network. The status of a multitude of objects is maintained in memory utilizing virtual state machines which contain a small amount of persistent data but which are modeled after one of a plurality of finite state machines. The memory further maintains dependency data related to each object which identifies parent/child relationships with other objects at the same or different layers of the OSI network protocol model. See also A trap is a message sent by an SNMP agent to appliance 300 to indicate the occurrence of a significant event. An event may be a defined condition, such as a link failure, device or application failure, power failure, or a threshold that has been reached. See also In the illustrative embodiment, performance poller 322 may have an object-oriented implementation. Performance poller 322 receives external data from applications 312 through message methods. Such external applications may include Firewalls, Intrusion Detection Systems (IDS), Vulnerability Assessment tools, etc. Poller 322 receives performance data requests from web process 302 via Uniform Resource Locator (URL) methods.]; determine one or more first parameters of an asset of the computer network based at least on the detected [A Status Poller periodically polls one or more monitored network objects and receives fault responses thereto. A Trap Receiver receives device generated fault messages. 
Both the Trap Receiver and Status Poller generate and transmit decision requests to the decision engine. The decision engine verifies through on-demand polling that a device is down….identifying, diagnosing, and documenting problems in computer networks using the appliance. The devices and process available on a network, as well as grouping of the same, are collectively referred to hereafter as "objects". Accordingly, a monitored or managed object may be physical device(s), process(es) or logical associations or the same. According to one aspect of the invention, the network appliance comprises one or more a polling modules, a decision engine, a database and a case management module. The network appliance monitors objects throughout the network and communicates their status and/or problems to any number of receiving devices. See also e.g., col. 11, lines 35-36: "Performance poller 322 polls monitored device(s) 314a-n periodically for performance statistics including an identification step]

Furthermore, Hanson, in the abstract and paragraph 0061, discloses how it detects or identifies a cybersecurity event or vulnerability using a three-dimensional routing topology as follows:
“..the three-dimensional routing topology may be referenced (or filtered) in various ways to derive information about the network that can then be used to balance speeds, thoroughness, and invasiveness associated with scanning the network and further to optimize performance in the network. For example, the three-dimensional routing topology may visually represent various hosts, routing nodes, or other systems within a particular address space or subnet that represents a choke point in the network, whereby additional routing nodes, switches, or other infrastructure may be deployed at the choke point to reduce bottlenecks that may occur therein. In another example, assets associated with the scan times that exceed the threshold may be analyzed for common parameters or other criteria (e.g., processor speeds, memory, system firewalls, vulnerabilities, etc.), which may be compared to other assets having faster scan times to determine whether the parameters common to the assets having the longer scan times may be causing the longer scan times. In this example, a first query may be provided to the management console to filter the topology for a target network and a second query may be provided to filter the topology for the hosts that have the longer scan times, whereby different three-dimensional visualizations created in response to the first query and the second query can be visually compared to identify open ports, vulnerabilities, or other criteria that may be causing the longer scan times.”


“Using the generated probability map, the service sets may set rules in the proxy servers and/or routers to drop or rate limit the number of packets received from an IP address in an abnormal region (one that it has low probability of receiving traffic from). In one embodiment, the lower the probability of receiving traffic at a particular proxy server, the higher the rate limiting. In some cases, if the probability is below a threshold packets from that IP address or range of IP addresses would be dropped at the proxy server” [See at least column 19, lines 56-64]
Lovy, Hanson and Holloway are analogous arts and are in the same field of endeavor, as they pertain to actively monitoring and protecting devices, assets and processes on the computer network.

It would have been obvious to one having ordinary skill in the art, before the effective filing date of the claimed invention, to implement in the system of Lovy a mechanism adding a feature such as “one or more first parameters include a packet drop rate parameter and the first thresholds or criteria include a packet drop level” as taught by Holloway, because this would enhance the security of the system by protecting the system from the DoS attack by determining and controlling the abnormally high amount of traffic directed to the target IP addresses [See Holloway at least abstract and column 19, lines 56-64].

As per dependent claim 15, dependent claim 15 is rejected for the same reason or rationale as that of the above dependent claim 5, as they both recite the same/similar limitations having the same/similar scope.

Conclusion


17.	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
A.	US Publication No. 2004/0148520 A1 to Talpada discloses service attacks, such as denial of service and distributed denial of service attacks, of a customer network are detected and subsequently mitigated by the Internet Service Provider (ISP) that services the customer network. A sensor examines the traffic entering the customer network for attack traffic. When an attack is detected, the sensor notifies an analysis engine within the ISP network to mitigate the attack. The analysis engine configures a filter router to advertise new routing information to the border and edge routers of the ISP network. The new routing information instructs the border and edge routers to reroute attack traffic and non-attack traffic destined for the customer network to the filter router. At the filter router, the attack traffic and non-attack traffic are automatically filtered to remove the attack traffic. The non-attack traffic is passed back onto the ISP network for routing towards the customer network. 

B.	US Patent No. 9,516,053 B1 to Muddu discloses a security platform employs a variety of techniques and mechanisms to detect security related anomalies and threats in a
C.	US Publication No. 2015/0278729 A1 to Hu discloses a method (and system) of scoring asset risk includes determining, using a processor, a risk value for each entity of a plurality of entities within a network and ranking each risk value. 
D.	US Patent No. 8,813,236 B1 discloses a method for detecting hidden malicious network nodes. Starting from a pool of seed nodes that have previously been identified as malicious, a two-phase score propagation algorithm is employed to propagate threat scores from the seeded nodes to other nodes in an IP-address connectivity graph. Nodes with high threat score after propagation are declared to be malicious.
E.	See the other cited prior arts.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SAMSON B LEMMA whose telephone number is 571-272-3806.  The examiner can normally be reached on M-F 8am-10pm.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor Yin-Chen Shaw can be reached on 571-272-8878.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).

/SAMSON B LEMMA/Primary Examiner, Art Unit 2498