DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Claims 1-20 are presented for examination.

Drawings
The drawings are objected to because in Figure 4, “NETWORK DEVICE” labeled as 410ab should be labeled 410b.  
Corrected drawing sheets in compliance with 37 CFR 1.121(d) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. The figure or figure number of an amended drawing should not be labeled as “amended.” If a drawing figure is to be canceled, the appropriate figure must be removed from the replacement sheet, and where necessary, the remaining figures must be renumbered and appropriate changes made to the brief description of the several views of the drawings for consistency. Additional replacement sheets may be necessary to show the renumbering of the remaining figures. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be notified and informed of any required corrective action in the next Office action. The objection to the drawings will not be held in abeyance.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(d):
(d) REFERENCE IN DEPENDENT FORMS.—Subject to subsection (e), a claim in dependent form shall contain a reference to a claim previously set forth and then specify a further limitation of the subject matter claimed. A claim in dependent form shall be construed to incorporate by reference all the limitations of the claim to which it refers.

The following is a quotation of pre-AIA  35 U.S.C. 112, fourth paragraph:
Subject to the following paragraph [i.e., the fifth paragraph of pre-AIA  35 U.S.C. 112], a claim in dependent form shall contain a reference to a claim previously set forth and then specify a further limitation of the subject matter claimed. A claim in dependent form shall be construed to incorporate by reference all the limitations of the claim to which it refers.

Claims 7, 14, and 20 are rejected under 35 U.S.C. 112(d) or pre-AIA  35 U.S.C. 112, 4th paragraph, as being of improper dependent form for failing to further limit the subject matter of the claim upon which it depends, or for failing to include all the limitations of the claim upon which it depends.  Claims 7, 14, and 20 do not further limit claims 1, 8, and 15, respectively, because they recite substantially the same subject matter.  Applicant may cancel the claim(s), amend the claim(s) to place the claim(s) in proper dependent form, rewrite the claim(s) in independent form, or present a sufficient showing that the dependent claim(s) complies with the statutory requirements.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –




Claim(s) 1, 7-9, 14, 15, and 20 is/are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Choi et al. (US 2015/0058993 A1 and Choi hereinafter).
As to claims 1 and 8, Choi discloses a system and method for discovering optimal network attack paths, the system and method having:
determining user information indicating one or more user attributes associated with a vulnerability of a computing device (qualitative data) (0057, lines 1-8; 0059, lines 1-14); 
determining system exploitability information of the computing device, the system exploitability information indicating one or more of: the vulnerability associated with the computing device (scoring result), an exposure window associated with the computing device, a protection window associated with the computing device (0053, lines 1-5);
determining system criticality information of the computing device, the system criticality information indicating one or more: assets associated with the computing device, services associated with the computing device (0048, lines 1-11; 0056, lines 13-17); 
determining a risk profile for the computing device based on the user information, the system exploitability information, and the system criticality information (0057, lines 1-8); 
initiating generation of an attack path based on the risk profile, the attack path indicating a route through which an attacker accesses the computing device (0065, lines 5-10). 

As to claim 15, Choi discloses:
one or more computing system processors (0102, lines 1-5); 
memory storing instructions that, when executed by the one or more computing system processors, causes the system to (0102, lines 1-5): 
determine user information indicating one or more user attributes associated with a vulnerability of a computing device (0057, lines 1-8; 0059, lines 1-14); 
determine system exploitability information of the computing device, the system exploitability information indicating one or more of: the vulnerability associated with the computing device, an exposure window associated with the computing device, a protection window associated with the computing device (0053, lines 1-5); 
determine system criticality information of the computing device, the system criticality information indicating one or more: assets associated with the computing device, services associated with the computing device (0048, lines 1-11; 0056, lines 13-17); 
determine a risk profile for the computing device based on the user information, the system exploitability information, and the system criticality information (0057, lines 1-8); 
initiate generation of an attack path based on the risk profile, the attack path indicating a route through which an attacker accesses the computing device (0065, lines 5-10). 

As to claims 7, 14, and 20, Choi discloses:
wherein the risk profile is determined based on combining the user information, the system exploitability information, and the system criticality information (0057, lines 1-8). 

As to claim 9, Choi discloses:
wherein the route comprises one of a digital route, a digital pathway, and one or more computer systems through which an attacker works to attack the computing device (Abstract, lines 1-2).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 3, 4, 10, 11, 16, and 17 is/are rejected under 35 U.S.C. 103 as being unpatentable over Choi as applied to claims 1, 8, and 15 above, and further in view of Cohen et al. (US Patent 6,952,779 B1 and Cohen hereinafter).
As to claims 3, 10, and 16, Choi fails to specifically disclose:
wherein the vulnerability associated with the computing device is based on data relating to vulnerability and patching associated with the computing device. 
Nonetheless, this feature is well known in the art and would have been an obvious modification of the teachings disclosed by Choi, as taught by Cohen.
Cohen discloses a system and method for risk detection and analysis in a computer system, the system and method having:
wherein the vulnerability associated with the computing device is based on data relating to vulnerability and patching associated with the computing device (col. 10, lines 18-20, 43-53). 
Given the teaching of Cohen, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teachings of Choi with the teachings of Cohen by using vulnerability and patching data to determine vulnerability. Cohen recites motivation by disclosing that using vulnerability and fix data allows potential attacks to be evaluated and therefore an actual analysis of system vulnerabilities (col. 10, lines 43-53). It is obvious that the teachings of Cohen would have improved the teachings of Choi by using vulnerability and fix data in order to determine system vulnerability.

As to claims 4, 11, and 17, Choi fails to specifically disclose:
wherein the data relating to vulnerability and patching include on one or more of: a hardware specification of the computing device, whether an operating system of the computing device is up to date, a list of shared directories on the computing device, whether the computing device has latest patches, whether the computing device has the latest services enabled, one or more connectivity types associated with the computing device, and types of security solutions associated with the computing device. 
Nonetheless, this feature is well known in the art and would have been an obvious modification of the teachings disclosed by Choi, as taught by Cohen.
Cohen discloses:
wherein the data relating to vulnerability and patching include on one or more of: a hardware specification of the computing device, whether an operating system of the computing device is up to date, a list of shared directories on the computing device, whether the computing device has latest patches, whether the computing device has the latest services enabled, one or more connectivity types associated with the computing device, and types of security solutions associated with the computing device (i.e. fixes) (col. 10, lines 43-53). 
Given the teaching of Cohen, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teachings of Choi with the teachings of Cohen by using various data relating to vulnerability and patching. Please refer to the motivation recited above with respect to claims 3, 10, and 16 as to why it is obvious to apply the teachings of Cohen to the teachings of Choi.

Claims 5, 6, 12, and 13 is/are rejected under 35 U.S.C. 103 as being unpatentable over Choi as applied to claims 1 and 8 above, and further in view of Yadav et al. (US 2016/0359872 A1 and Yadav hereinafter).
As to claims 5 and 12, Choi fails to specifically disclose:
 wherein the exposure window represents an amount of time where the computing device remains unpatched after a new patch associated with the computing device is released. 
Nonetheless, this feature is well known in the art and would have been an obvious modification of the teachings disclosed by Choi, as taught by Yadav.
Yadav discloses a system and method for managing datacenters, the system and method having:
wherein the exposure window represents an amount of time where the computing device remains unpatched after a new patch associated with the computing device is released (0074, lines 1-11).
Given the teaching of Yadav, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teachings of Choi with the teachings of Yadav by using a window of unpatched exposure time after 

As to claims 6 and 13, Choi fails to specifically disclose:
wherein the protection window represents an amount of time where a security infrastructure associated with the computing device does not have one or more definitions, patches, and signatures. 
Nonetheless, this feature is well known in the art and would have been an obvious modification of the teachings disclosed by Choi, as taught by Yadav.
Yadav discloses:
wherein the protection window represents an amount of time where a security infrastructure associated with the computing device does not have one or more definitions, patches, and signatures (0074, lines 1-11; 0030, lines 9-11).
Given the teaching of Yadav, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teachings of Choi with the teachings of Yadav by using a window of protection. Please refer to the motivation recited above with respect to claims 5 and 12 as to why it is obvious to apply the teachings of Yadav to the teachings of Choi.

Allowable Subject Matter
Claims 2, 18, and 19 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Prior Art Made of Record
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Ngo et al. (US 2020/0137103 A1) discloses a system and method for security protection rule prediction and enforcement.
Paturi et al. (US 2020/0351298 A1) discloses a system and method for complex application attack quantification, testing, detection, and prevention.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SARAH SU whose telephone number is (571)270-3835.  The examiner can normally be reached on 7:30 AM - 4:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on 571-272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

/SARAH SU/Primary Examiner, Art Unit 2431