DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Information Disclosure Statement (IDS)
The applicant’s note that the reference listed as the first item in the “Non-Patent Literature Documents” section in page 2 of the Information Disclosure Statement (IDS) titled “Rule Engine Memory Reduction Using Attack Trees” was inadvertently cited and should be removed is noted.  Again, the examiner will not review this reference.

Objections to the Drawings
The new drawings were received on 2/24/2021.  These changes are acceptable and the drawing objection is now withdrawn.     


Objections to the Specification
The amendments to the specification were received on 2/24/2021.  These changes are acceptable and these specification objections are now withdrawn.   

Claims Objections – 35 USC § 112(b)
The amendments to claims 6, 8, 15, and 17 are acceptable so that the claim objections under 35 USC § 112(b) are now withdrawn.

Response to Amendment/Remarks
This action is responsive to the applicant’s reply filed on 2/24/2021.  Claims 1-20 are pending in the case.  Claims 1, 10, and 19 are independent.  Claims 1, 6, 8, 10, 16, 17, and 19 are amended.

First (1), applicant argues for independent claims 1, 10, and 19, beginning on page 15, line 13 that “Lacerte fails to teach or suggest that each of the nodes other than a final success node is associated in a respective one of the attack trees (itself) with a respective detection rule for detecting an occurrence of the respective security event.”  In a sub-argument, applicant further argues that the Lacerte reference fails to show detection rules are “associated with each node in each of the attack trees, as essentially recited in claim 1”.

Regarding the applicant’s first (1) argument, the office disagrees because Fig. 4 and column 6, lines 7-10 of Lacerte teach an example of an attack tree with nodes with corresponding security events other than for the final node 54 (e.g., final “success” 
Regarding the sub-argument, Fig. 4 and column 6, lines 7-28 teach security event(s) (e.g., detection rules) are associated with nodes in the attack tree.  For example, some example labels of rules in Fig. 4 may include: “Data load via ARINC 429 path”, “Data load via the OMS”, etc.  so that detection rules are associated with nodes in each of the attack trees.  Thus, the applicant’s arguments are overcome.
Applicant’s second (2) argument on page 16, line 1, is that “traversing a node simply involves moving downstream from one node to the next. In view of the preceding, it would seem intuitive to move the watchpoint downstream along the direction of travel, and counterintuitive to move the watchpoint upstream while traversing downstream as essentially recited in claim 1.”  The office best understands the applicant to be arguing that the attack tree flows (traverses) downstream away from the “root node” and the watchpoints move upstream toward the “root node”.  However, when the office reads claim 1 (and similarly claims 10 and 19) as a whole, the claim recites moving the watchpoints upstream toward the root node, and nothing prevents traversing the attack tree upstream toward the same root node, so that the watchpoints and the attack tree traversal both move in the same direction toward the root node.  For at least this reason, this argument of the applicant has been overcome.
The applicant’s third (3) argument on page 16, line 16, is that claim 1, and similar for claims 10 and 19, recites, inter alia: "erasing the respective watchpoint assigned to all downstream nodes relative to the next upstream node” and that erasing requires an affirmative act of ERASING something.”  The office clarifies that Lacerte, column 6, lines 23-23, lines 39-40, and Fig. 4, teaches moving through a sequence of nodes on path 60 so that once nodes have been passed the respective watchpoint for prior downstream nodes are essentially erased because they are no longer needed.  Thus, the applicant’s argument is overcome.
The applicant’s fourth (4) argument on page 17, line 6, is that claim 1, and similar for claims 10 and 19, recite, inter alia “wherein only the respective detection rule for the nodes currently having the respective watchpoint assigned thereto are loaded into a memory device during runtime, while excluding from the memory device the respective detection rule for remaining ones of the nodes in the attack trees to reduce the memory consumption".  
Reference DSP56300, page 8-1, lines 2-4, teaches an instruction cache that includes a buffer memory between external memory and the DSP core processor.  As understood by those of ordinary skill in the art, when code executes, instructions pointed to by pointer(s) (i.e., watchpoints) at the locations requested by the instruction set (i.e., attack tree logic/software monitoring security events) are copied into the instruction cache for direct access by the core processor/attack tree.  For at least these reasons, this applicant argument is overcome.

As discussed above, applicant’s Remarks are not persuasive.  Regarding Remarks related to amended claims or those claims dependent from amended claims, the rejections cited below apply.  The rejections of claims 1-20 are maintained as cited below.

CLAIM REJECTIONS 
35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1, 3, 4-6, 10, 12, 13-15, 19, and 20 is/are rejected under 35 U.S.C. § 103 as being unpatentable over Lacerte et al. (9,369,484 B1) hereinafter “Lacerte” in view of DSP56300FM (DSP56300 Family Manual by Freescale Semiconductor, Rev. 5, May 2005), hereinafter “DSP56300”. 

Regarding claims 1, 10, and 19, Lacerte teaches:
A computer-implemented method for reducing memory consumption by a rule engine, the method comprising:
receiving a set of attack trees, (Lacerte, column 4, line 43) each of the attack trees having nodes and edges, (Lacerte, column 4, lines 62-64) each of the nodes other than a final success node representing a respective security event (column 6, lines 31-33, and Fig. 4, teach a respective security event associated within a respective node 54, 56, and 58.  Fig. 4 and column 6, lines 7-10 of Lacerte teach an example of an attack tree with nodes with corresponding security events other than for the final node 54 (e.g., final “success” node) of Fig. 4. which is labeled with a result of an “unauthorized external data load operation” which is a final result, but not a security and associated in a respective one of the attack trees with a respective detection rule for detecting an occurrence of the respective security event, (Lacerte, FIG. 4) and each of the edges connecting a respective pair of the nodes; (Specification, paragraph [0044] defines “edges” as connecting nodes which equates to the “links” of Lacerte, column 4, lines 62-64; and FIG. 4, nodes 56 and 58.  Fig. 4 and column 6, lines 19-22 teach security event(s) (e.g., detection rules) are associated with “respective ones” of nodes in the attack tree.  For example, some example labels of rules in Fig. 4 may include: “Data load via ARINC 429 path”, “Data load via the OMS”, “Data load via an AFDX device”, “perform data load”, etc.)
assigning a respective watchpoint to each of leaf nodes from among the nodes in the attack trees; (Specification at paragraph [0056] qualifies “watchpoint” to represent a security event for which a rule engine watches”; Lacerte, column 6, lines 31-36; and FIG. 4). 
moving the respective watchpoint assigned to any given one of the leaf nodes to a next upstream node towards to a root node, responsive to detecting an occurrence of the respective security event represented by the given one of the leaf nodes; (Lacerte, column 4, lines 62-63, “An attack sequence is the set of links and nodes traversed by an attack…”; column 6, lines 31-36; and FIG. 4, line 60 show a sequence of security events/nodes being traversed and moving toward node 54, a root node.) and
erasing the respective watchpoint assigned to all downstream nodes relative to the next upstream node, (Lacerte, column 6, lines 20-22, only one node/security event connected by a label OR is needed; and FIG. 4, as line 60 is Lacerte, column 6, lines 23-23, lines 39-40, and Fig. 4, teach moving through a sequence of nodes on path 60 so that once nodes have been passed the respective watchpoint for prior downstream nodes are essentially erased because they are no longer needed.) responsive to the next upstream node being connected to a next one of the downstream nodes using an edge having an "OR" join type, (Lacerte, column 5, lines 16-17; and in FIG. 4, Node “Data load via ARINC 429 path” is connected via OR to Node “Perform data load”).
Lacerte does not, but in related art, DSP56300 teaches: 
wherein only the respective detection rule for the nodes currently having the respective watchpoint assigned thereto are loaded into a memory device during runtime, (DSP56300, page 8-1, lines 2-4, disclose an instruction cache that includes a buffer memory between external memory and the DSP core processor.  As understood by those of ordinary skill in the art, when code executes, instructions at the locations requested by the instruction set (i.e., attack tree) are copied into the instruction cache for direct access by the core processor.  Similarly, nodes and security events are loaded into the memory for next execution/analysis as pointed to by the watchpoint(s) when traversing the attack tree.  Like an instruction cache, this process is repeated for each set of nodes and security events as the attack tree is traversed) while excluding from the memory device the respective detection rule for remaining ones of the nodes in the attack trees to reduce the memory consumption. (DSP56300, page 8-1, lines 2-11, only a limited number of next instructions to execute will fit in the instruction cache.  The instruction cache saves digital signal processor (DSP) 
Before applicant’s earliest effective filing it would have been obvious to one of ordinary skill in the art, having the teachings of Lacerte and DSP56300, to construct an attack tree as taught in Lacerte combined with the concepts of the instruction cache as taught in DSP56300.  One of ordinary skill in this art would have been motivated to include concepts of the instruction cache of DSP56300 so that only instructions soon ready to execute are loaded into the cache and then the DSP.  This is similar to only loading nodes of the attack tree of Lacerte that are ready to detect their respective security events into memory.  Here, DSP56300 saves DSP memory by using an instruction cache, so that the DSP is not required to load an entire program into the DSP (DSP56300, page 1-4, section 1-3 Instruction Cache).
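
The watchpoint scheme recited in claim 1, as an added Python sketch (not code from the application, Lacerte, or DSP56300): leaves start watched, a detection moves the watchpoint upstream, an "OR" join erases every downstream watchpoint, and only watched nodes keep a rule in memory. The tree shape, the `evt:` rule strings, the class and function names, and the AND behaviour (wait for all children) are assumptions; only the node labels come from the Fig. 4 labels quoted above.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(eq=False)
class Node:
    name: str
    join: str = "ORDER"                 # how this node's children combine: ORDER, AND or OR
    parent: Node | None = None
    children: list[Node] = field(default_factory=list)
    seen: bool = False                  # this node's security event has been detected

    def add(self, *kids: Node) -> Node:
        for kid in kids:
            kid.parent = self
            self.children.append(kid)
        return self


def subtree(node):
    """Yield every node downstream of `node` (not `node` itself)."""
    for child in node.children:
        yield child
        yield from subtree(child)


class WatchpointEngine:
    def __init__(self, root, rule_store):
        self.root = root                # final success node: carries no detection rule
        self.rule_store = rule_store    # node name -> rule; stands in for storage outside memory
        self.loaded = {}                # rules resident in memory: watched nodes only
        for node in subtree(root):
            if not node.children:       # assign a watchpoint to every leaf
                self._watch(node)

    def _watch(self, node):
        self.loaded[node.name] = (node, self.rule_store[node.name])

    def on_event(self, event_type):
        """Feed one event; return True once the final success node is reached."""
        hits = [n for n, rule in self.loaded.values() if rule == event_type]
        for node in hits:
            if node.name not in self.loaded:    # erased by an earlier hit in this batch
                continue
            del self.loaded[node.name]          # the watchpoint leaves this node
            node.seen = True
            parent = node.parent
            if parent.join == "AND" and not all(c.seen for c in parent.children):
                continue                        # assumption: AND waits for every child
            if parent.join == "OR":
                for n in subtree(parent):       # erase all downstream watchpoints
                    self.loaded.pop(n.name, None)
            if parent is self.root:
                return True
            self._watch(parent)                 # move the watchpoint upstream
        return False


def sample_tree():
    """Constructed tree: labels from the quoted Fig. 4 text, shape assumed."""
    leaves = [Node("Data load via ARINC 429 path"), Node("Data load via the OMS"),
              Node("Data load via an AFDX device")]
    perform = Node("Perform data load", join="OR").add(*leaves)
    root = Node("Unauthorized external data load operation").add(perform)
    rules = {n.name: "evt:" + n.name for n in subtree(root)}
    return root, rules
```

An event whose rule is not resident is ignored, which is the detection trade-off that comes with the memory saving.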

Regarding claims 3 and 12, Lacerte in view of DSP56300 teaches: 
“The computer-implemented method of claim 1, (Lacerte in view of DSP56300 teaches the limitations of claim 1 as discussed above) wherein each of the edges have a type selected from the group consisting of a simple order, an AND join, and the OR join type.  (Lacerte, column 6, lines 12-24; and FIG. 4).

Regarding claims 4, 13, and 20, Lacerte in view of DSP56300 teaches: 
“The computer-implemented method of claim 1, (Lacerte in view of DSP56300 teaches the limitations of claim 1 as discussed above) wherein said assigning step assigns the respective watchpoint to each of the leaf nodes (Lacerte, column 6, lines 31-36; and FIG. 4) at an initial time of the runtime (DSP56300, page 8-6, section 8.5 after reset/cache flush the instruction cache needs to be initialized with starting instruction(s) so first instructions execute from a desired starting place alike an attack tree assigning watchpoint(s) at an initial time of the runtime).
Before applicant’s earliest effective filing it would have been obvious to one of ordinary skill in the art, having the teachings of Lacerte and DSP56300, to construct an attack tree as taught in Lacerte combined with an instruction cache as taught in DSP56300.  One of ordinary skill in this art would have been motivated to include the instruction cache of DSP56300.  This is because the cache (or attack tree) may need to be initialized with starting instruction(s) so first instructions execute from a desired starting place alike an attack tree assigning watchpoint(s) at an initial time of the runtime.

Regarding claims 5 and 14 Lacerte in view of DSP56300 teaches:
“The computer-implemented method of claim 1, (Lacerte in view of DSP56300 teaches the limitations of claim 1 as discussed above)” wherein the set of attack trees (Lacerte, column 4, line 43, “Database 46 contains attack trees.”; FIG. 3, database 46) correspond to multiple devices under attack, and (Lacerte, column 3, lines 33-38; and FIG. 2, devices 24, 26, 28, 30, 32, and 34) the method further comprises further associating each of the watchpoints with a particular one of the multiple devices (As discussed above with reference to Claim 1, Lacerte, column 6, lines 31-36; and FIG. 4).

Regarding claims 6 and 15, Lacerte in view of DSP56300 teaches: 
“The computer-implemented method of claim 5, (Lacerte in view of DSP56300 teaches the limitations of claim 1 as discussed above) wherein the watchpoints for each of the multiple devices can only be moved to nodes representing the respective security event (Lacerte, column 6, lines 31-36; and FIG. 4, line 60 shows an example sequence of security events/nodes being traversed in a specific order)  involving a same one of the multiple devices (Lacerte, column 3, lines 33-38; and FIG. 2, devices 24, 26, 28, 30, 32, and 34).

Claims 2 and 11, is/are rejected under 35 U.S.C. 103 as being unpatentable over Lacerte in view of DSP56300, and in further view of Chaudhuri, et al., US 2005/0192921 A1 (hereinafter Chaudhuri).

Regarding claims 2 and 11 Lacerte in view of DSP56300 teaches:
“The computer-implemented method of claim 1, (Lacerte in view of DSP56300 teaches the limitations of claim 1 as discussed above)”.
Lacerte in view of DSP56300 does not, but in related art, Chaudhuri teaches: 
wherein the rule engine is an Event Condition Action rule engine. (Chaudhuri, paragraph [0020], lines 1-2). 
Lacerte and DSP56300 with the teachings of Chaudhuri, to use an Event Condition Action (ECA) rule engine as the rule engine.  The motivation to do so is because of their simplicity, ECA rules are amenable to implementation with low CPU and memory overheads and ECA rules also allow specification of options that control the memory overhead of monitoring. (Chaudhuri, paragraph [0020], lines 5-9).

Claims 7 and 16, is/are rejected under 35 U.S.C. 103 as being unpatentable over Lacerte in view of DSP56300 and in further view of Yu, et al., CN 106131078 A (hereinafter Yu). 

Regarding claims 7 and 16 Lacerte in view of DSP56300 teaches:
“The computer-implemented method of claim 1, (Lacerte in view of DSP56300 teaches the limitations of claim 1 as discussed above)”.
wherein at least one of the attack trees in the set (Lacerte, column 4, line 43).
Lacerte in view of DSP56300 does not, but in related art, Yu teaches: 
relates to information leakage via a server vulnerability. (Yu, page 1, last paragraph). 
Before applicant’s earliest effective filing it would have been obvious to one of ordinary skill in the art, having the teachings of Lacerte and DSP56300 with the teachings of Yu, to provide for at least one of the attack trees in the set relates to information leakage via a server vulnerability.  The motivation to do so is when . 

Claims 8 and 17, is/are rejected under 35 U.S.C. 103 as being unpatentable over Lacerte in view of DSP56300 and in further view of Viswananthan, et al., US20180083893 A1 (hereinafter Viswananthan). 

Regarding claims 8 and 17 Lacerte in view of DSP56300 teaches:
“The computer-implemented method of claim 1, (Lacerte in view of DSP56300 teaches the limitations of claim 1 as discussed above)”.
wherein at least one of the attack tree in the set (Lacerte, column 4, line 43).
Lacerte in view of DSP56300 does not, but in related art, Viswananthan teaches: 
relates to making a computing device a bot. (Viswananthan, paragraph [0043], lines 1-2). 
Before applicant’s earliest effective filing it would have been obvious to one of ordinary skill in the art, having the teachings of Lacerte and DSP56300 with the teachings of Viswananthan, to make a computing device a bot.  The motivation to do so is to provide for a bot device that can run more interactions than a non-bot device may accomplish.

Claim 9 is/are rejected under 35 U.S.C. 103 as being unpatentable over Lacerte in view of DSP56300 and in further view of Schryer, et al., US 10332384 B1 (hereinafter Schryer). 
“The computer-implemented method of claim 1, (Lacerte in view of DSP56300 teaches the limitations of claim 1 as discussed above)”.
wherein at least one attack implicated by the set of attack trees (Lacerte, column 4, line 43);
Lacerte in view of DSP56300 does not, but in related art, Schryer teaches:
involves communication between a computing device and a cloud application (Schryer, column 2, lines 12-18 and column 5, lines 16-24 and FIG.2).
Before applicant’s earliest effective filing it would have been obvious to one of ordinary skill in the art, having the teachings of Lacerte and DSP56300 with the teachings of Schryer, to provide for communication between a computing device and a cloud application.  The motivation to do so is to provide for a way to provide devices at a home, office, or other location running a premises application and a cloud server running a cloud application that evaluates communications responsive to real-time security events at the non-cloud device (Schryer, column 2, lines 12-18).

Claim 18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Lacerte in view of DSP56300 and in further view of Guibene, et al., US 2018/00069611 (hereinafter Guibene). 
“The computer-implemented method of claim 1, (Lacerte in view of DSP56300 teaches the limitations of claim 1 as discussed above)”.
wherein at least one attack implicated by the set of attack trees (Lacerte, column 4, line 43);
Lacerte in view of DSP56300 does not, but in related art, Guibene teaches:
involves communication between an Internet of Things device and a cloud application (Guibene, paragraph [0012], lines 12-14 and FIG.2).
Before applicant’s earliest effective filing it would have been obvious to one of ordinary skill in the art, having the teachings of Lacerte and DSP56300 with the teachings of Guibene, to include one or more Internet of Things devices communicating with a cloud application.  The motivation to do so is to provide for a system architecture to a large number of computing devices interconnected to each other and to the Internet to provide functionality and data acquisition at very low levels. (Guibene, paragraph [0012], lines 1-4).

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of 
In the case of amending the claimed invention, Applicant is respectfully requested to indicate the portion(s) of the specification which dictate(s) the structure relied on for proper interpretation and also to verify and ascertain the metes and bounds of the claimed invention. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to RODNEY E HAVEN whose telephone number is (313) 446-6648.  The examiner can normally be reached on 7:30 - 4:30 Monday to Thursday.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl can be reached on 571-272-3685.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/R.E.H./Examiner, Art Unit 4235                                                                                                                                                                                                        
                                           
/JOSEPH P HIRL/Supervisory Patent Examiner, Art Unit 2435