DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.


The following is a final office action in response to communications received 1/12/2021. Claims 1, 5, 11, 15, 20 have been amended. Claims 8, 17 have been cancelled. Claims 21-22 have been added. Therefore, claims 1-7, 9-16, 18-22 are pending and addressed below.

Response to Amendment
Applicant’s amendments and response to the claims are NOT sufficient to overcome the 35 USC 101 rejections, set forth in the previous office action. Applicant’s amendments are sufficient to overcome the 35 USC 112, second paragraph rejection, set forth in the previous office action.

Response to Arguments
Applicant’s arguments filed 01/12/2021 have been fully considered but they are not persuasive. Applicant argues that (1) the combination of Stevenson and Kumar does not disclose determining a relevant threat set for a first vulnerability of the plurality of vulnerabilities including eliminating threats from the plurality of threats that are not related to the first vulnerability.

In response to argument (1), Examiner respectfully disagrees. Kumar discloses once the device D is infected, an egg download that evaded traditional network edge protections (legacy security .


Claim Rejections – 35 USC § 101

35 U.S.C. 101 reads as follows: 

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title. 

Claims 1, 2, 4-7, 9-12, 14-16, 18-22 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. The claim recites identifying, using at least one threat categorization model, a plurality of threats to a first component of a networked system…assigning a plurality of weighting values to the plurality of threats…. 
The limitation of identifying a plurality of threats to a first component of a networked system…assigning…identifying…determining…repeating…calculating a component risk…, as drafted, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components. That is, other than reciting “a first component of a networked system” nothing in the claim element precludes the step from practically being performed in the mind. Similarly, the limitation of communicating, via the communication device…, as drafted, is a process that, under its broadest reasonable 
This judicial exception is not integrated into a practical application. In particular, the claim only recites one additional element – a first component of a networked system…. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. The claim is directed to an abstract idea. 
The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional element of using a processor to perform the claimed limitations amounts to no more than mere instructions to apply the exception using a generic computer component. Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept. The claim is not patent eligible.

Examiner’s note
Claim 22 is not rejected under cited prior art(s).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having 

Claims 1-7, 9-16, 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Stevenson (Pat. No. US 9462010) in view of Kumar et al (Pub. No. US 2013/0298192).

As per claims 1, 11, 20, Stevenson discloses a method for providing network security risk evaluation, the method comprising: (A) identifying, using at least one threat categorization model (col.22 lines 18-30), a plurality of threats to a first component of a networked system (…determining a threat assessment level…from a set of threat assessment levels…see col.22 lines 1517); (B) assigning a plurality of weighting values to the plurality of threats (…classifying security situation into a discrete category…see col.22 lines 18-25); (C) identifying a plurality of vulnerabilities of the first component (…see col.22 lines 45-50); (D) determining a relevant threat set for a first vulnerability of the plurality of vulnerabilities based on the first vulnerability and the plurality of weighting values assigned to the plurality of threats, wherein the relevant threat set comprises one or more of the plurality of threats (…security assessment device may determine the threat assessment level based on the specificity of the security situation, the damage metric…security assessment device may applying a weighting to the multiple parameters…security assessment may apply a weight to the specificity of the security situation…see col.23 lines 1-10); (E) repeating step (D) for each of the plurality of vulnerabilities to determine a plurality of relevant threat sets (…security assessment device establishes the threat assessment level and may continue monitoring…see col.27 lines 5-23). Stevenson does not explicitly disclose eliminating threats from the plurality of threats that are not related to the first vulnerability, calculating a component risk of the first component based on the plurality of relevant threat sets. 
However, Kumar discloses eliminating threats from the plurality of threats that are not related to the first vulnerability (once the device D is infected, an egg download that evaded traditional network edge protections (legacy security technologies such as firewalls and network IPS/IDS systems) has occurred. At this stage of infection, legacy security technologies such as traditional antivirus programs installed on the device are unlikely to detect the targeted malware (benign) because no signature or blacklist already exists for this threat. The malware (benign) may then perform discrete surveillance operations on the device, such as periodic process restarts, executable file property modifications to introduce entropy and evade detection…the endpoint trust agent monitors the executing malware process performs file and component level integrity checks including checking a file hash digest…and access intelligent whitelisting services…see par. 150-152); (F) calculating a component risk of the first component based on the plurality of relevant threat sets (…performing a calculus of risk…including integrity measurement and verification scan correlation…generate integrity metrics for security orchestration…see par. 85). Therefore one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to use Kumar in Stevenson for including the above limitations because one of ordinary skill in the art would recognize it would further enhance the security of software applications and by performing scheduled policy based scans to detect vulnerabilities… see Kumar, par. 155.


As per claims 2, 12, the combination of Stevenson and Kumar discloses wherein the networked system comprises a plurality of components and the method further comprises repeating steps (A) - (F) for each of the plurality of components (same rejection as in claim 1 with the same motivation as in claim 1, 11).


As per claims 3, 13, the combination of Stevenson and Kumar discloses wherein the networked system comprises a subsystem, wherein the subsystem comprises two or more components from the plurality of components, and wherein the method further comprises calculating a subsystem risk of the subsystem based on the component risk of each component in the subsystem (Kumar, see par. 157-159). The motivation for claims 3, 13 is the same motivation as in claims 1, 11 above.


As per claims 4, 14, the combination of Stevenson and Kumar discloses wherein the method further comprises calculating a system risk of the networked system based on the component risk of each of the plurality of components (Kumar: see par. 112). The motivation for claims 4, 14 is the same motivation as in claims 1, 11 above.


As per claims 5, 15, the combination of Stevenson and Kumar discloses wherein the method further comprises selecting a path of successive components from the plurality of components and calculating a path risk of the path of successive components (Kumar: see par. 112). The motivation for claims 5, 15 is the same motivation as in claims 1, 11 above.


As per claim 6, the combination of Stevenson and Kumar discloses wherein the first component comprises a plurality of subcomponents and the method comprises performing steps (A) - (F) to calculate a subcomponent risk of a first subcomponent of the first component (Kumar, see par. 157-159). The motivation for claim 6 is the same motivation as in claim 1 above.


As per claims 7, 16, the combination of Stevenson and Kumar discloses wherein the method comprises selecting a subset of threats from the plurality of relevant threat sets and calculating the component risk of the first component based on the subset of threats (Kumar: see par. 112). The motivation for claims 7, 16 is the same motivation as in claims 1, 11 above.


As per claims 9, 18, the combination of Stevenson and Kumar discloses wherein the first component has an overall impact value and an overall exploitability value, and wherein calculating the component risk of the first component comprises computing a product of: the overall impact value, the overall exploitability value, and a sum of the plurality of weights assigned to the plurality of threats in the plurality of relevant threat sets (Kumar: see par. 169-170). The motivation for claims 9, 18 is the same motivation as in claims 1, 11 above.


As per claims 10, 19, the combination of Stevenson and Kumar discloses wherein each of the plurality of vulnerabilities has an impact value and a failure to exploit value, and the overall impact value of the first component is a sum of the impact values of each of the plurality of vulnerabilities and the overall exploitability value of the first component is a sum of the failure to exploit values of each of the plurality of vulnerabilities (Kumar: see par. 153-155). The motivation for claims 10, 19 is the same motivation as in claims 1, 11 above.

Claim 21 is rejected under 35 U.S.C. 103 as being unpatentable over Stevenson (Pat. No. US 9462010) in view of Kumar et al (Pub. No. US 2013/0298192) as applied to claim 1 above, and further in view of Satish (Pat. No. US 7895448).

As per claim 21, the combination of Stevenson and Kumar does not explicitly disclose wherein at least one of the assigned weighting values is equal to zero. However, Satish discloses wherein at least one of the assigned weighting values is equal to zero (…the risk score is set to 0, see col.4 lines 15-17 and fig.2). Therefore one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to use Satish in the combination of Stevenson and Kumar for including the above limitations because one of ordinary skill in the art would recognize it would further improve the intrusion detection program by disclosing one or more risk properties including risk level, risk type, etc., see Satish col.2 lines 50-60.




Conclusion

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure (see PTO-form 892).
The following Patents and Papers are cited to further show the state of the art at the time of Applicant’s invention with respect to threat-specific security risk evaluation.

Giakouminakis et al (Pub. No. US 2013/0074188); “Methods and Systems for Improved Risk Scoring of Vulnerabilities”;
-Teaches assets can be assigned a classification that automatically assigns specific values that drive the overall risk associated with asset…see par. 42, 44.

Bhaskaran (Pub. No. US 2010/0125911); “Risk Scoring Based on Endpoint User Activities”; 
-Teaches risk involved in activities and determining compliance with the security policies, and for identifying violations of the security policies, see par. 12.


Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on 5712724219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/GHAZAL B SHEHNI/Primary Examiner, Art Unit 2436