Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

1.	Claims 1-20 are pending.


Information Disclosure Statement
2.	The information disclosure statements (IDS) submitted on 7/16/2019, 7/24/2019, 11/05/2019, 6/11/2020, and 12/14/2020 were filed after the mailing date of the instant application on 7/16/2019.  The submissions are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statements are being considered by the examiner.


Double Patenting
3.	The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.

4.	Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-19 of U.S. Patent No. 10404748.  More specifically, claims 1-11 of the instant application are rejected over claims 1-11 of US 10404748.  Claim 12 of the instant application is rejected over claim 1 of US 10404748.  Claims 13-20 of the instant application are rejected over claims 12-19 of US 10404748.

Although the claims at issue are not identical, they are not patentably distinct from each other because the subject matter of the claims of the US patent 10404748 appears to anticipate the limitations of the instant application.  


Claim Rejections - 35 USC § 103
5.	In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

6.	Claims 1-4, 10-12, and 14-20 are rejected under 35 U.S.C. 103 as being unpatentable over Kotler et al. USPGPUB 2016/0306979.

7.	Claims 5-6 are rejected under 35 U.S.C. 103 as being unpatentable over Kotler et al. USPGPUB 2016/0306979 in view of USPGPUB 2007/0298720 Wolman et al.

8.	Claims 7-9 are rejected under 35 U.S.C. 103 as being unpatentable over Kotler et al. USPGPUB 2016/0306979 in view of US patent 9894036 Weinberger et al.

9.	Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over Kotler et al. USPGPUB 2016/0306979 in view of USPGPUB 2015/0373043 Wang et al.


In reference to claim 1:
Kotler et al. teaches a system, comprising: a processor configured to:
automatically detect occurrence of one or more events that are indicative of a cyber security breach based on network traffic, where one or more events indicative of a cybersecurity breach are detected through an automated system.  Kotler et al., Figure 3.
automatically determine one or more breach parameters that apply for the one or more events that occurred, where one or more remediation tasks for a given breach may be generated, such breach parameters being the parameters for a specific simulated breach.  Kotler et al., Figure 3, [0051, 0045]; see also [0058, 0081].
generate a remediation of cyber security parameters for a network based on the one or more determined breach parameters and an associated remediation provision, where a remediation of the cyber security parameters of the network which failed the breach is generated to shore up the network to thwart potential attacks.  Kotler et al. [0081], Figure 3, and in particular Figure 3, item 316; [0051, 0045].
cause the remediation to be performed, where the remediation causes one or more network changes that use a sophistication score of an entity, and where the breach causes a remediation to be performed.  Kotler et al. [0081], Figure 3, and in particular Figure 3, item 316; [0051, 0045]; and where such remediation can include reporting a sophistication score of an entity.  [0065]
a memory coupled to the processor and configured to provide the processor with instructions.  Kotler et al. [0047]

Kotler et al. does not explicitly teach the system:
wherein the remediation of cyber security parameters at least includes modifying a password requirement associated with one or more computer systems, cause the remediation to be performed, wherein at least one of the network changes includes increasing a password complexity associated with the system and prompting a user associated with the entity to create an associated password that complies with the password complexity, where the sophistication level of the attack is determined.



Kotler et al. is a method of protecting a network against potentially malicious attacks by simulating breaches.  Kotler et al. Figure 3 expressly states that a simulated malicious action to cause a breach is started.  If the attack is successful, the breach is therefore successful and can be said to have occurred.   Once a breach has occurred, the system attempts to generate changes and 

Kotler et al. attempts to do this by illustrating in great detail a number of malicious attacks, which it refers to as a “playbook.”  Kotler et al. [0045].  As Kotler et al. [0045] states:

“The protection system can be configured to simulate malicious actions, analyze the results, and apply or suggest remediation.  By doing so, a system administrator…can get a true picture of open breaches in their system and quickly fix them”  

see also Kotler [0081] 

Kotler et al. [0119-0120] teaches that several attacks may attempt to breach passwords using either a dictionary or brute force attack on an administrator’s password, or attempted logins on a company web portal.  [0121-0122]

It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to include in its remediation, an increase to the password complexity policy of Kotler et al. if it is determined that a password attack breach was successful in the simulated attacks, in order to thwart the password based breach attack.  


Kotler et al. does not explicitly teach the system:
wherein the remediation causes one or more network changes that increase a sophistication score of an entity,

Nevertheless, Kotler’s use of a sophistication score in [0065] is indicative of the level of sophistication required to carry out the action.  Kotler et al. furthermore uses such score in ascertaining the threat levels of the system.  [0042] for example expressly states that lower sophistication scores are higher threats.  In other words, if the simulated breach of Figure 3 is successful, then a lower sophistication score indicates a higher threat as stated in [0042] because it would mean the means of causing such breach is more accessible.

It would have been obvious to one of ordinary skill in the art before the effective filing date to increase a sophistication score as part of a remediation step if it is determined that the means of performing such a breach would require a great deal of technical sophistication, such as by a state actor (explicitly mentioned in [0065]).  Doing so would provide the benefit of giving the administrator a better picture of which breach remediations to prioritize first.


In reference to claim 2:
Kotler et al. teaches the system according to claim 1, wherein the network traffic comprises data collected regarding employees using the one or more computing systems or a network associated with the system, where the network traffic data collected may additionally comprise websites visited by employees, such as websites hosting malicious links or in particular e-mail websites such as Hotmail (Kotler et al. [0105, 0131]) or a Dropbox website ([0101]).

In reference to claim 3:
Kotler et al. teaches the system according to claim 1, wherein the network traffic comprises data collected regarding websites visited by employees using a network associated with the system and the one or more computing systems, where the network traffic data collected may additionally comprise websites visited by employees, such as websites hosting malicious links or in particular e-mail websites such as Hotmail (Kotler et al. [0105, 0131]) or a Dropbox website ([0101]).

In reference to claim 4:
Kotler et al. teaches the system according to claim 1, wherein the processor is configured to evaluate the network traffic on one or more network layers, where the processor is configured to evaluate the network traffic on the Application layer or a lower layer.  [0044]; see also Kotler et al. [0065]

In reference to claim 5:
Kotler et al. fails to explicitly teach the system according to claim 4, wherein the network traffic is evaluated for any of dynamic host protocol (DHCP) information, classless inter-domain routing (CIDR) blocks, and domain name system (DNS) information included in the network traffic. 

Wolman et al. [0062] discloses the technique of creating DHCP fingerprints of the network traffic of newly connected network nodes.  Doing so is useful in determining whether a new node is a rogue access point or rogue endpoint.  

It would have been obvious to one of ordinary skill in the art before the effective filing date to create a DHCP fingerprint in order to allow the detection of rogue endpoints accessing a network.  

Kotler et al. in view of Wolman et al. teaches the system according to claim 4, wherein the network traffic is evaluated for any of dynamic host protocol (DHCP) information, classless inter-domain routing (CIDR) blocks, and domain name system (DNS) information included in the network traffic, where a fingerprint of the DHCP network traffic information is created and used to analyze for potentially malicious actors (a network breach of a rogue node).  Wolman et al. [0062]; see also [0060-0061]


In reference to claim 6:
Kotler et al. in view of Wolman et al. teaches the system according to claim 5, wherein the processor is further configured to: 
create a fingerprint of the network traffic from the DHCP information, where a fingerprint of the DHCP network traffic information is created and used to analyze for potentially malicious actors (a network breach of a rogue node).  Wolman et al. [0062]; see also [0060-0061]
store the fingerprint in a database, where the fingerprints may be stored in a database.  Wolman et al. [0032]
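The fingerprint-then-store flow the examiner attributes to Wolman et al. in claims 5 and 6, as an added illustration that is not code from Wolman et al. or from the instant application. How the fingerprint is built here (a hash over the DHCP option 55 parameter request list and the option 60 vendor class), the device labels, and every sample message are assumptions constructed for this example; the point shown is that a fingerprint keyed on what the client's DHCP stack sends, rather than on its MAC, lets a newly connected node be matched against known device classes and an unmatched node be flagged for review.

```python
"""Added example (not code from Wolman et al. or from the instant application):
DHCP fingerprinting to spot a newly connected node that does not look like any
known device class. The fingerprint construction and all sample messages are
assumptions constructed for this illustration."""
import hashlib


def dhcp_fingerprint(msg):
    """Fingerprint = truncated SHA-256 over the option 55 parameter request
    list (order preserved, since a given client stack emits it in a stable
    order) and the option 60 vendor class. The client MAC is deliberately left
    out so the fingerprint describes the software stack, not the interface."""
    prl = ",".join(str(code) for code in msg.get("param_request_list", []))
    vendor = msg.get("vendor_class", "")
    return hashlib.sha256(f"{prl}|{vendor}".encode()).hexdigest()[:16]


class FingerprintDatabase:
    """Minimal stand-in for the database in which fingerprints are stored."""

    def __init__(self):
        self.known = {}  # fingerprint -> label of the device class

    def register(self, msg, label):
        self.known[dhcp_fingerprint(msg)] = label

    def classify(self, msg):
        fp = dhcp_fingerprint(msg)
        return {"mac": msg["mac"], "fingerprint": fp,
                "verdict": self.known.get(fp, "unknown-device")}


# Constructed baseline: what the managed laptops on this network send.
BASELINE = {"mac": "aa:bb:cc:00:00:01", "vendor_class": "MSFT 5.0",
            "param_request_list": [1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252]}

# Constructed "newly connected nodes": one more managed laptop, and one device
# whose request list matches no baseline entry.
NEW_NODES = [
    {"mac": "aa:bb:cc:00:00:02", "vendor_class": "MSFT 5.0",
     "param_request_list": [1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252]},
    {"mac": "de:ad:be:ef:00:01", "vendor_class": "",
     "param_request_list": [1, 3, 6, 12, 15, 28, 42]},
]


def build_baseline_db():
    db = FingerprintDatabase()
    db.register(BASELINE, "managed-laptop")
    return db


def audit_new_nodes(db, msgs):
    """Classify every new node; a caller would act on the 'unknown-device'
    verdicts (quarantine VLAN, ticket for review) rather than block outright."""
    return [db.classify(m) for m in msgs]


if __name__ == "__main__":
    for verdict in audit_new_nodes(build_baseline_db(), NEW_NODES):
        print(verdict)
```

Because the MAC is excluded from the hash, the second managed laptop matches the baseline fingerprint even though its address was never seen, while the node with a different parameter request list comes back as unknown and can be held for review.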


In reference to claim 7:
Kotler et al. does not explicitly teach the system according to claim 1, further comprising a first set of sensors that operate on a data link layer of a network associated with the system. 

US patent 9894036 Weinberger et al., however, teaches that transmitting ARP protocol information to a set of sensors to detect ARP misuse can help to thwart man-in-the-middle attacks.  Similarly, scanning for IP address usage through another series of sensors is beneficial because a high percentage of malware opens sockets to IP addresses.  More specifically, Weinberger et al. (Column 11, line 27 – Column 12, line 14) states in relevant part:

    An ARP (address resolution protocol) misuse sensor is configured to monitor use of the ARP protocol and to generate notifications when anomalous ARP use is detected.  Misuse of the ARP protocol may be associated with an attempt to program a switch in the enterprise network domain 101 in conjunction with a man-in-the-middle cyber attack.  The ARP misuse sensor monitors volumes of ARP inbound and outbound requests and responses.  Rates in excess of predefined thresholds are deemed anomalous by the ARP misuse sensor, and the ARP misuse sensor creates a notification when it detects an excess ARP volume.

    In an embodiment, the DNS misuse sensor (or another sensor or other software component) may monitor establishment of new IP network flows (e.g., establishment of a socket directly to an IP address).  When a new IP network flow is detected, the DNS misuse sensor determines whether the new connection was preceded by a corresponding DNS lookup.  When DNS lookups are conducted, the results may be stored in a DNS cache in the enterprise network domain 101.  If there is not a corresponding DNS result in the DNS cache, the DNS misuse sensor may generate a notification.  It has been observed that under some test conditions a high percentage of malware opens sockets to an IP address without first performing a DNS lookup.
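The two sensors in the quoted Weinberger passage, reduced to working detection logic as an added example; this is not code from Weinberger et al. or from the instant application. The event format, the ARP volume threshold and window, the stand-in DNS cache, and the sample events are all assumptions constructed here. The ARP sensor raises a notification when one host's ARP request/response volume in a sliding window exceeds a threshold; the DNS sensor raises one when a new IP flow goes to an address that no earlier DNS answer returned.

```python
"""Added toy versions of the two sensors in the quoted Weinberger passage:
an ARP misuse sensor (volume over a threshold) and a DNS misuse sensor (new
IP flow with no preceding DNS lookup). Not code from either patent; thresholds,
event format and sample events are constructed for this illustration."""
from collections import defaultdict, deque

ARP_THRESHOLD_PER_WINDOW = 20  # assumed: ARP frames per host per window
WINDOW_SECONDS = 10.0          # assumed: sliding-window length


class ArpMisuseSensor:
    """Counts inbound and outbound ARP requests/responses per host in a sliding
    window and emits one notification when the volume exceeds the threshold."""

    def __init__(self, threshold=ARP_THRESHOLD_PER_WINDOW, window=WINDOW_SECONDS):
        self.threshold = threshold
        self.window = window
        self.seen = defaultdict(deque)  # host -> timestamps of its ARP frames
        self.alerted = set()

    def observe(self, ts, host):
        q = self.seen[host]
        q.append(ts)
        while q and ts - q[0] > self.window:  # drop frames outside the window
            q.popleft()
        if len(q) > self.threshold and host not in self.alerted:
            self.alerted.add(host)
            return {"sensor": "arp_misuse", "host": host,
                    "arp_frames_in_window": len(q)}
        return None


class DnsMisuseSensor:
    """Remembers the addresses returned by DNS lookups (stand-in for the
    enterprise DNS cache); a new flow to an address never returned by a lookup
    yields a notification."""

    def __init__(self):
        self.cache = set()

    def on_dns_answer(self, ip):
        self.cache.add(ip)

    def on_new_flow(self, src, dst):
        if dst not in self.cache:
            return {"sensor": "dns_misuse", "src": src, "dst": dst}
        return None


def run_sensors(events):
    """Feed constructed event dicts through both sensors; return the
    notifications raised, in order."""
    arp, dns = ArpMisuseSensor(), DnsMisuseSensor()
    notifications = []
    for ev in events:
        note = None
        if ev["type"] == "arp":
            note = arp.observe(ev["ts"], ev["host"])
        elif ev["type"] == "dns_answer":
            dns.on_dns_answer(ev["ip"])
        elif ev["type"] == "flow":
            note = dns.on_new_flow(ev["src"], ev["dst"])
        if note:
            notifications.append(note)
    return notifications


# Constructed sample: one host sends 25 ARP frames in 2.5 s, another sends one;
# one flow follows a DNS answer, one goes straight to an unresolved address.
SAMPLE_EVENTS = (
    [{"type": "arp", "ts": i * 0.1, "host": "10.0.0.7"} for i in range(25)]
    + [{"type": "arp", "ts": 1.0, "host": "10.0.0.8"},
       {"type": "dns_answer", "ip": "192.0.2.10"},
       {"type": "flow", "src": "10.0.0.8", "dst": "192.0.2.10"},
       {"type": "flow", "src": "10.0.0.9", "dst": "203.0.113.5"}]
)

if __name__ == "__main__":
    for note in run_sensors(SAMPLE_EVENTS):
        print(note)
```

On the sample, the ARP sensor fires once for 10.0.0.7 at the 21st frame and stays quiet for the single-frame host, and the DNS sensor fires only for the flow to 203.0.113.5, which no lookup preceded. A production version would keep the DNS cache per source host and expire entries by TTL; both are omitted here to keep the two decision rules visible.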




In reference to claim 8:
Kotler et al. in view of Weinberger et al. teaches the system according to claim 7, further comprising a second set of sensors that operate on an Internet Protocol Address layer of the network to evaluate address resolution (ARP) protocol information from the network traffic, where a first set of sensors is deployed to detect ARP protocol information, and where a second set of sensors may be deployed to operate and evaluate IP addresses from DNS queries.  Weinberger et al. (Column 11, lines 27 – Column 12, line 14)  
 
In reference to claim 9:
Kotler et al. in view of Weinberger et al. teaches the system according to claim 8, wherein the second set of sensors are configured to transmit the ARP protocol information to the first set of sensors for storage in a database along with DNS information, where a first set of sensors is deployed to detect ARP protocol information, and where a second set of sensors may be deployed to operate and evaluate IP addresses from DNS queries.  Weinberger et al. (Column 11, lines 27 – Column 12, line 14)  



In reference to claim 10:
Kotler et al. teaches the system according to claim 1, wherein the remediation comprises recommendations for improvement for the entity based on a nature of the one or more events that occurred, where the remediations may comprise recommendations based on the nature of one or more events that occur (Kotler et al. [0081]), and where some of the modeled breach events may include an exfiltration breach [0143-0144] and password based attacks [0119-0122], [0134-0135].

In reference to claim 11:
Kotler et al. teaches the system according to claim 1, wherein the processor is further configured to perform at least one of: query the entity or a network associated with the system for information; scrape available online sources; retrieve corporate filings; or query news sources and public record databases, where the processor is further configured to query the entity or network or scrape available information from various online sources, including news such as recent company breaches.  Kotler et al. [0075]; see also [0033, 0037] for financial reports.


In reference to claim 12:
Kotler et al. teaches the system of claim 1, wherein the sophistication score is indicative of a cyber security sophistication of the entity, where the sophistication score of an entity may be disclosed in a sophistication score in a breakdown report of a breach.  Kotler et al. [0065] 


In reference to claim 13:
Kotler et al. does not explicitly teach the system according to claim 1, wherein the processor is further configured to: 
evaluate a plurality of networks to generate a plurality of risk scores and a plurality of motivation scores, the plurality of networks including a network associated with the system;  and 
plot the plurality of risk scores and the plurality of motivation scores graphically as a peer group. 

Nevertheless, USPGPUB 2015/0373043 Wang et al., Figures 5, 6, 8-9, and 10-11, teaches a method of collaborative and adaptive threat intelligence for computer security in which specific entities such as employees or groups of employees have a plurality of risk scores generated for them, and where such scores may be graphically displayed as a plot and are indicative of the likelihood of a user or an entity group to pose a threat to the organization.

It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify Kotler et al. to further evaluate the network participants and generate a plurality of risk and motivation scores and plot such data in order to give a graphical representation (such as by the rising indicator of Fig 5 of Wang et al.) of the likelihood of any particular end users or groups of end users to commit a data breach against the company.  



In reference to claim 14:
Kotler et al. teaches the system according to claim 1, wherein information associated with the entity and the network traffic are evaluated for any of visibility, value, hacker sentiment, employee sentiment, company sentiment, customer sentiment, and combinations thereof, where some of the potential information analyzed and considered includes asset visibility and/or value of information (Kotler et al. [0099] and [0107]) and consideration of hacker motivations, including protests; see also Kotler et al. [0075] for news based visibility.

 
In reference to claim 15:
Kotler et al. teaches the system according to claim 1, wherein information associated with the entity and the network traffic are evaluated for any of traffic, usage, in-links, page views, duration, traffic volume, links, page rank, market value, stock trade volume, exporting/importing information, and combinations thereof, where the traffic is analyzed for potential exfiltration or infiltration attacks or other exporting of information.  See Kotler et al., exfiltration breach [0143-0144], and [0099-0103], insider attack.

 
Claim 16 is substantially similar to claim 1 and rejected for the same reasons.
Claim 17 is substantially similar to claim 10 and rejected for the same reasons.

 
In reference to claim 18:
where as part of a remediation recommendation, the system of Kotler et al. takes into consideration sophistication scores.  For example, a lower sophistication score, if a successful breach occurs, indicates a higher threat.  Kotler et al. [0042, 0065]; see also Figure 3


In reference to claim 19:
Kotler et al. teaches the method according to claim 16, wherein the remediation comprises a change to a hosting infrastructure, network or website topology, vulnerability scanning, content distribution networks, shared hosting, cloud services, patching, updating, default passwords, and any combinations thereof, where remediation may comprise vulnerability scanning, where the system of Kotler et al. seeks to expose vulnerabilities through a breach playbook [0045] and seeks to find remediations upon detecting which breaches were successful, and where additional remediations may include patching vulnerabilities or updating software [0081-0082].



Claim 20 is substantially similar to claim 1 and rejected for the same reasons.



Conclusion

USPGPUB 2011/0289597 teaches a method of remediating a security breach when it is determined that an account may have been accessed by an unauthorized party.
USPGPUB 2011/0239267 teaches a method of ensuring users abide password complexity policies.
USPGPUB 2016/0148332 teaches a method of identity protection via increasing password 
USPGPUB 2006/0020814 Lieblich et al. teaches a method of end user risk management. 
USPGPUB 2009/0126018 Keohane et. al. teaches an embodiment where an increase in password complexity may be recommended to mitigate a security risk.
US patent 9471777 teaches a method of scheduling defensive security actions to mitigate risk.
Mathew et al. International Journal of Science Technology & Engineering, Oct 2015, “Intruders and Password Management” pages 312-315 teaches some basic security practices of mitigating intrusion risk from proper password management.


11.       Any inquiry concerning this communication or earlier communications from the examiner should be directed to THOMAS M HO whose telephone number is (571)270-7862.  The examiner can normally be reached on 11-7:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jung W Kim can be reached on (571)272-3804.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/Thomas Ho/
Examiner AU 2494

/THEODORE C PARSONS/Primary Examiner, Art Unit 2494