Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION

1.	This action is responsive to: an original application filed on 5 April 2019.
2.	Claims 1-24 are currently pending and claims 1, 9 and 17 are independent claims. 

Information Disclosure Statement

3.	The information disclosure statement (IDS) submitted is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Priority

4.	Priority claimed from provisional application no. 62/774,516, filed on 3 December 2018.

Drawings

5.	The drawings filed on 5 April 2019 are accepted by the examiner.

Claim Rejections - 35 USC § 103
	
6.	The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:
(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the manner in which the invention was made.
The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103(a) are summarized as follows:
1.	Determining the scope and contents of the prior art.
2.	Ascertaining the differences between the prior art and the claims at issue.
3.	Resolving the level of ordinary skill in the pertinent art.
4.	Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1-24 are rejected under 35 U.S.C. § 103(a) as being unpatentable over Joseph Durairaj et al. (US Publication No. 20170032130), hereinafter Joseph Durairaj, in view of Jajodia et al. (US Publication No. 20100058456), hereinafter Jajodia.

In regard to claim 1: 
receiving, from an agile security platform, attack graph (AG) data representative of one or more AGs, each AG representing one or more lateral paths within an enterprise network for reaching a target asset from one or more assets within the enterprise network (Joseph Durairaj, ¶21-22).
processing, by a security platform, data from one or more data sources to selectively generate at least one event, the at least one event representing a potential security risk within the enterprise network (Joseph Durairaj, ¶19-20).
Joseph Durairaj does not explicitly suggest, and selectively generating, within the security platform, an alert representing the at least one event, the alert being associated with a priority within a set of alerts, the priority being is based on the AG data; however in a same field of endeavor Jajodia discloses this limitation (Jajodia, ¶34-35, 30).  
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to combine the method of analyzing attack graphs (AG) of Joseph Durairaj with the alert prioritization disclosed in Jajodia in order to stop any further progress by the attacker, as stated by Jajodia at para. 42.

In regard to claim 2: 
Joseph Durairaj does not explicitly suggest, wherein the alert is associated with an asset and is assigned an initial priority, and the priority comprises an elevated priority relative to the initial priority based on the AG data; however in a same field of endeavor Jajodia discloses this limitation (Jajodia, ¶72, 54). 
Same motivation for combining the respective features of Joseph Durairaj and Jajodia applies herein, as discussed in the rejection of claim 1.

In regard to claim 3: 
Joseph Durairaj does not explicitly suggest, wherein the initial priority is elevated to the priority in response to determining that the asset is included in a critical path represented within the AG data; however in a same field of endeavor Jajodia discloses this limitation (Jajodia, ¶34). 
Same motivation for combining the respective features of Joseph Durairaj and Jajodia applies herein, as discussed in the rejection of claim 1.

In regard to claim 4:
wherein the event is selectively generated based on filtering a plurality of potential events based on the AG data (Joseph Durairaj, ¶20, 22).

In regard to claim 5:
wherein each AG is generated by a discovery service of the agile security platform, the discovery service detecting assets using one or more adaptors and 

In regard to claim 6: 
wherein each AG is associated with a target within the enterprise network, the target being selected based on a disruption occurring in response to an attack on the target (Joseph Durairaj, ¶69-70).

In regard to claim 6:
wherein the disruption is based on one or more metrics (Joseph Durairaj, ¶97, 19, 25).

In regard to claim 8:
wherein the one or more metrics comprise loss of technical resources, physical losses, disruption in services, and financial losses (Joseph Durairaj, ¶84, 97).

In regard to claim 9: 
A non-transitory computer-readable storage medium coupled to one or more processors and having instructions stored thereon which, when executed by the one or more processors, cause the one or more processors to perform operations for security of enterprise networks, the operations comprising: receiving, from an agile security platform, attack graph (AG) data representative of one or more AGs, each AG representing one or more lateral paths within an enterprise network for reaching a target asset from one or more assets within the enterprise network (Joseph Durairaj, ¶21-22, 17).
processing, by a security platform, data from one or more data sources to selectively generate at least one event, the at least one event representing a potential security risk within the enterprise network (Joseph Durairaj, ¶19-20).
Joseph Durairaj does not explicitly suggest, and selectively generating, within the security platform, an alert representing the at least one event, the alert being associated with a priority within a set of alerts, the priority being is based on the AG data; however in a same field of endeavor Jajodia discloses this limitation (Jajodia, ¶34-35, 30).  
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to combine the method of analyzing attack graphs (AG) of Joseph Durairaj with the alert prioritization disclosed in Jajodia in order to stop any further progress by the attacker, as stated by Jajodia at para. 42.
 
In regard to claim 10: 
Joseph Durairaj does not explicitly suggest, wherein the alert is associated with an asset and is assigned an initial priority, and the priority comprises an elevated priority relative to the initial priority based on the AG data; however in a same field of endeavor Jajodia discloses this limitation (Jajodia, ¶72, 54). 
Same motivation for combining the respective features of Joseph Durairaj and Jajodia applies herein, as discussed in the rejection of claim 9.

In regard to claim 11: 
Joseph Durairaj does not explicitly suggest, wherein the initial priority is elevated to the priority in response to determining that the asset is included in a critical path represented within the AG data; however in a same field of endeavor Jajodia discloses this limitation (Jajodia, ¶72, 54). 
Same motivation for combining the respective features of Joseph Durairaj and Jajodia applies herein, as discussed in the rejection of claim 9.

In regard to claim 12: 
wherein the event is selectively generated based on filtering a plurality of potential events based on the AG data (Joseph Durairaj, ¶20, 22).

In regard to claim 13:
wherein each AG is generated by a discovery service of the agile security platform, the discovery service detecting assets using one or more adaptors and respective asset discovery tools that generate an asset inventory and a network map of the enterprise network (Joseph Durairaj, ¶27).

In regard to claim 14:
wherein each AG is associated with a target within the enterprise network, the target being selected based on a disruption occurring in response to an attack on the target (Joseph Durairaj, ¶69-70, 97).

In regard to claim 15:
wherein the disruption is based on one or more metrics (Joseph Durairaj, ¶19, 25).

In regard to claim 16:
wherein the one or more metrics comprise loss of technical resources, physical losses, disruption in services, and financial losses (Joseph Durairaj, ¶84, 97).

In regard to claim 17: 
one or more computers (Joseph Durairaj, ¶35).
and a computer-readable storage device coupled to the computing device and having instructions stored thereon which, when executed by the computing device, cause the computing device to perform operations for security of enterprise networks, the operations comprising: receiving, from an agile security platform, attack graph (AG) data representative of one or more AGs, each AG representing one or more lateral paths within an enterprise network for reaching a target asset from one or more assets within the enterprise network (Joseph Durairaj, ¶17, 21-22).
processing, by a security platform, data from one or more data sources to selectively generate at least one event, the at least one event representing a potential security risk within the enterprise network (Joseph Durairaj, ¶19-20).
Joseph Durairaj does not explicitly suggest, and selectively generating, within the security platform, an alert representing the at least one event, the alert being associated with a priority within a set of alerts, the priority being is based on the AG data; however in a same field of endeavor Jajodia discloses this limitation (Jajodia, ¶34-35, 30).  
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to combine the method of analyzing attack graphs (AG) of Joseph Durairaj with the alert prioritization disclosed in Jajodia in order to stop any further progress by the attacker, as stated by Jajodia at para. 42.

In regard to claim 18: 
Joseph Durairaj does not explicitly suggest, wherein the alert is associated with an asset and is assigned an initial priority, and the priority comprises an elevated priority relative to the initial priority based on the AG data; however in a same field of endeavor Jajodia discloses this limitation (Jajodia, ¶72, 54). 
Same motivation for combining the respective features of Joseph Durairaj and Jajodia applies herein, as discussed in the rejection of claim 17.

In regard to claim 19: 
Joseph Durairaj does not explicitly suggest, wherein the initial priority is elevated to the priority in response to determining that the asset is included in a critical path represented within the AG data; however in a same field of endeavor Jajodia discloses this limitation (Jajodia, ¶72, 54). 
Same motivation for combining the respective features of Joseph Durairaj and Jajodia applies herein, as discussed in the rejection of claim 17.

In regard to claim 20:
wherein the event is selectively generated based on filtering a plurality of potential events based on the AG data (Joseph Durairaj, ¶20, 22).

In regard to claim 21:
wherein each AG is generated by a discovery service of the agile security platform, the discovery service detecting assets using one or more adaptors and respective asset discovery tools that generate an asset inventory and a network map of the enterprise network (Joseph Durairaj, ¶27).

In regard to claim 22:
wherein each AG is associated with a target within the enterprise network, the target being selected based on a disruption occurring in response to an attack on the target (Joseph Durairaj, ¶69-70).

In regard to claim 23:
wherein the disruption is based on one or more metrics (Joseph Durairaj, ¶19, 25, 97).

In regard to claim 24:
wherein the one or more metrics comprise loss of technical resources, physical losses, disruption in services, and financial losses (Joseph Durairaj, ¶84).


Conclusion

7.	The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure. Any inquiry concerning this communication or earlier communications from the examiner should be directed to Monjur Rahim whose telephone number is (571)270-3890.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on 571-272-4219. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (in USA or CANADA) or 571-272-1000.

/Monjur Rahim/
Patent Examiner
United States Patent and Trademark Office
Art Unit: 2436; Phone: 571.270.3890
E-mail: monjur.rahim@uspto.gov
Fax: 571.270.4890