Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.


DETAILED ACTION
The instant application having Application No. 16/360,641 is presented for examination by the examiner.  Claims 27 and 28 are canceled.  Claims 29 and 30 are added.  Claims 1-8, 10, 12-20, 22, 24-26, and 29-30 are pending.


Response to Arguments
Applicant's arguments filed 3/4/21 have been fully considered but they are not persuasive. Applicant argues that the claims, which have now been amended to require that the industry associated with the entity factor into the assigning of weights to the security events of each event type, are not taught by Schultz.  Applicant contends that paragraph 0224 of Steele does not read on this feature.  Turning first to the claim language and how it is interpreted, the phrase "assigning weight" is extremely broad in the independent claims.  The rejection as currently put forth relies upon the obvious combination of Schultz and Steele to unify the idea of using historical data in conjunction with threat modeling to assign weights based on that historical data.  Schultz already teaches that event types (attack types) can be weighted (0255).  This , 
[0044] The process continues to block 302, where the system calculates, via a threat level engine, a security threat level of the third party application based on the internal security threat data and the external security threat data. Typically, the threat level engine will input the internal security threat data along with the external security threat data into a security threat detection algorithm to generate a security threat level for the third party application. The security threat detection algorithm may place a greater weight on the internal security threat data compared to the external security threat data. In such embodiments, the internal security threat data will be the main factor in determining the security threat level, while the external security threat data will be used to validate the internal security threat data. The calculated security threat level may have a discrete value, which may typically range from 0 to 100, with a level of 0 indicating that the third party application poses no chance of security threat to the entity (i.e. there is a 0% chance of a security threat caused by the third party application), while a level of 100 indicates that the third party application will certainly pose a security threat to the entity (i.e. there is a 100% chance of a security threat caused by the third party application). The security threat detection algorithm may account for various other factors when calculating the security threat level. For instance, the security threat level may represent the level of vulnerability of the entity's systems to a particular security threat, based on application scans or findings, such as a finding that a third party application uses an outdated encryption method. The security threat level may further represent the frequency with which the security threat is detected.  [Emphasis added].

Connecting the bolded concepts, it is clear the system is weighting a security threat level. One factor that contributes to the threat level is the frequency with which the security threat is detected. Thus the Examiner maintains that this meets the broad claim limitations of assigning weights to security events of each event type based on historical observations.
Turning focus to the limitation regarding industry now, the same broadness applies with respect to assigning weights.  Schultz discloses in 0244 that the type of industry segment” [emphasis added].  Paragraph 0085 recites, “the described technology can generate a representative distribution of attacks targeting an industry segment”.  Paragraph 0097 recites, “the described technology provides a probabilistic propagation of threat agents and their campaigns into different industry segments in order to characterize the likelihood of an organization and particular assets being targeted” [emphasis added].  It is clear from the above passages that Schultz very much takes into account what type of industry the business is in and how that influences how an attacker may threaten the organization.  Certain industries are more susceptible to threats because they have more to lose and thus the attacker has more to gain.  The claims do not require more than what is taught by the prior art.  Respectfully, the rejection must be maintained.



Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 5, 7, 10, 13-15, 17, 19, 23, 25-26, and 29-30 are rejected under 35 U.S.C. 103 as being unpatentable over USP Application Publication 2017/0279843 to Schultz et al., hereinafter Schultz, in view of USP Application Publication 2017/0161409 to Martin and in view of USP Application Publication 2019/0166152 to Steele et al., hereinafter Steele.

As per claims 1 and 13, Schultz teaches a computer-implemented method for forecasting security ratings for an entity, the method comprising: 
generating a plurality of simulated instantiations (Fig. 2, 310, 314, and 318) of a security scenario for the entity, the security scenario characterized by a plurality of security events associated with at least one event type (0087, 0088, and 0120); 

generating a security forecast for each instantiation based at least in part on the determined security rating for the respective instantiations (0125);
Schultz does not explicitly teach generating a forecast based at least in part on the determined security ratings for the plurality of instantiations, wherein the generated forecast cone comprises a subset of the generated security forecasts. (0075, 0090, and 0128).  Schultz teaches forecasting the results of the simulated threats in time (0073 and 0075) for the security events on the network.  Martin teaches using a forecast cone to display the results of a testing simulation wherein the generated forecast cone comprises a subset of the generated security forecast (0029 and 0030).  Martin selects a plurality of models which can be less than all of the models (0029) and uses the model selector to select a set of near optimal models to execute and provide a forecast cone.  Schultz teaches flexibility in which model to use in the financial loss forecast component 604 in 0128.  If models can be tested thoroughly, the best models can be used to increase the confidence value of a forecast (Martin: 0030).  The claim is obvious because one of ordinary skill in the art can combine known methods which do not produce unpredictable results.

As per claims 2 and 14, Schultz teaches generating the plurality of simulated instantiations of the security scenario for the entity comprises: for each event type of the at least one event type: determining a rate of the security events associated with the event type over a forecasting period (0089); determining a duration of the security events associated with the event type in the forecasting period (0165); and determining a temporal placement of the security events associated with the event type in the forecasting period (0173).
As per claims 3 and 15, Schultz teaches determining the rate of the security events associated with the event type over the forecasting period comprises: sampling from a distribution to determine the rate of the security events associated with the event type (0137 and 0140).

As per claims 7 and 19, Schultz teaches determining the temporal placement of the security events associated with the event type in the forecasting period comprises: sampling from a distribution to determine the temporal placement of the security events associated with the event type (0137 and 0140).
As per claims 9 and 21, Schultz teaches determining the security rating for each instantiation of the plurality of instantiations comprises: assigning a weight to security events of each event type (0254 and 0255).  
As per claims 10 and 22, Schultz teaches determining the security rating for each instantiation of the plurality of instantiations comprises: generating a ratings time series for the instantiation, the ratings time series forming a security forecast for the instantiation (0075).
As per claims 25 and 26, Schultz teaches providing, to a user interface, the determined subset of the generated security forecasts for display [output alerts; 0111, 0128, and 0288].
As per claims 29 and 30, Schultz teaches determining the security rating further comprises assigning weights to security events of each event type based on a user input (0165, 0237, and 0259).

Claims 4, 6, 8, 16, 18, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Schultz, Steele, and Martin as applied to claims 1 and 13 above, and further in view of USP Application Publication 2010/0205042 to Mun.
As per claims 4, 6, 8, 16, 18, and 20, Schultz, Steele, and Martin are silent in teaching the distribution is selected from the group consisting of: a normal distribution, a log-normal distribution, a geometric distribution, a Poisson distribution, and a uniform distribution.  Schultz teaches probability distributions (0075 and 0128) but not the claimed types.  On the other hand, Mun teaches distributions from the group consisting of: a normal distribution (0082), a log-normal distribution (0105), a geometric distribution (0055), a Poisson distribution (0085), and a uniform distribution (0123).  These are all known types of distributions.  The use of one over the other is simply a choice as to how the data is preferred to be displayed and analyzed.  The claim is obvious because one of ordinary skill in the art can substitute known methods which do not produce unpredictable results.

Claims 12 and 24 are rejected under 35 U.S.C. 103 as being unpatentable over Schultz, Steele, and Martin as applied to claims 1 and 13 above, and further in view of NPL entitled “Percentile-Based Approach to Forecasting Workload Growth” published in 2015 to Gilgur et al., hereinafter Gilgur.

As per claims 12 and 24, Schultz, Steele, and Martin are silent in teaching an inner band of the forecast cone is based on a 25th percentile and a 75th percentile of .  

Conclusion

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 


Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MICHAEL R VAUGHAN/
Primary Examiner, Art Unit 2431