Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 7-18-2019 was in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 101 (Abstract Idea)
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1 – 20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more, as analyzed according to the 2019 Revised Patent Subject Matter Eligibility Guidance (“2019 PEG”). The claims recite: upon receiving computer data, it is determined if the data conforms to industry standards using test scripts, if mitigated or not, generate cyber-attack patterns and mitigations, and use machine learning models to determine current controls and automatically generate an attack tree.
Step 1: Claims 1, 10 and 18 do fall into one of the four statutory categories of method and system claims. Nevertheless, the claims are still considered an abstract idea under the following prongs and for the following reasons.
Step 2A: Prong 1: The limitation of claims 1, 10 and 18, which recites: upon receiving computer data, it is determined if the data conforms to industry standards using test scripts, if mitigated or not, generate cyber-attack patterns and mitigations, and use machine learning models to determine current controls and automatically generate an attack tree, as drafted, is a process that, under its broadest reasonable interpretation, covers performance of the limitation in the human mind and/or with pen and paper, with or without a generic computer. Except for the words ‘system with memory and processors’, nothing in the claim element precludes the step from practically being performed in the human mind and/or with pen and paper. For example, checking the current state of the system, determining if it conforms to industry standards and obtaining various information, in any office or campus, can also be perceived to be done manually by a human in an orderly fashion. The context of these claims encompasses taking remedial measures and using modelling to perceive or predict threat patterns and/or behavior accordingly.
Dependent claims 2 – 9, 11 – 17, 19 and 20, which in turn recite checking likelihood of the attack on an asset using predictive modelling, using location feature, determining criticality of asset, strengthening mitigating controls, ML using attack pattern, using cyber kill chain with attributes etc., are mere structural addendums and are other steps that could be performed manually by a human with or without the need for a computer. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the human mind but for the recitation of generic computer components, then it falls within the “mental processes” grouping of abstract ideas and can be done manually. Accordingly, the claim recites an abstract idea.
Prong 2: This judicial exception is not integrated into a practical application. In particular, the claims do not recite any additional element to perform beyond routine steps of: upon receiving computer data, it is determined if the data conforms to industry standards using test scripts, if spec. [0026]) such that it amounts to no more than mere instructions to apply the exception using generic computer components). Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. Therefore the claims are directed to an abstract idea.
Step 2B: The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, upon receiving computer data, it is determined if the data conforms to industry standards using test scripts, if mitigated or not, generate cyber-attack patterns and mitigations, and use machine learning models to determine current controls and automatically generate an attack tree amounts to no more than mere instructions to apply the exception using generic computer terms. Mere instructions to apply an exception using generic computer components cannot provide an inventive concept. The claims are not patent eligible. Therefore all the corresponding dependent claims 2 – 9, 11 – 17, 19 and 20 are also rejected for the same rationale.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1 – 20 are rejected under 35 U.S.C. 103 as being unpatentable over Chen et al (US 8392997), hereafter Chen and Liu (US 9661019), hereafter Li.
Claim 1: Chen teaches a method for determining in real-time a likelihood of failure due to a multi-dimensional cybersecurity threat, the method comprising: automatically retrieving, by a computer processor, data from a system of record associated with a cybersecurity threat; (C32L45-47: a computer via crawling automatically receives data from one or more mass storage devices (C17L4-35) processes are automated using an automation tool);
assessing, by the computer processor, a current control environment by applying a test script stored in a library of test scripts in compliance with industry and internal security frameworks; (C1L48-50: analyzing security threats associated with software and computer vulnerabilities (C32L12-16:  via scripts) includes identifying stakeholder values relevant for a software system (C10L21-24) based on the NIST IT Risk Guide and the emerging national standard Common Vulnerability Scoring System (CVSS), a joint effort across CERT, Cisco, MITRE, eBay, ISS, Microsoft, Qualys, and Symantec);
generating, by the computer processor, in real-time a plurality of potential cybersecurity attack patterns and mitigated combinations against control mechanisms at each step of a cyber kill chain; (C1L54-57: Structured Attack Graph is generated to include the quantified stakeholder values to evaluate attack paths in that Structure Attack Graph. Each attack path represents a respective attack scenario and (C2L64-67) T-MAP systematically establishes technical-level security threats and corresponding mitigation strategies);
[using machine learning (ML)] from prior test scripts to determine (i) current controls, (ii) missing controls, and (iii) recommended controls for a plurality of dimensions; (C2L55-56: using Threat Modeling Method Based on Attack Path Analysis (T-MAP) (C15L34-36, Fig. 9) (i) initial attack paths and associated severity weights are calculated for the current system without any security protection; C2L10-14: recommendation is provided on a security investment plan including identifying at least one of the attack paths that a security practice can suppress (iii), Identifying the stakeholder values includes identifying values that cannot be quantified in terms of tangible units (ii));
Chen teaches the concept but is silent on identifying, by the computer processor, a control type as one of mitigated and unmitigated, in each of a plurality of dimensions; and automatically generating, by the computer processor, a graphical user interface comprising a cybersecurity attack tree showing a combination of at least a threat actor, attack pattern, and target in at least one stage of the cyber kill chain and use machine learning (ML).
But analogous art Li teaches identifying, by the computer processor, a control type as one of mitigated and unmitigated, in each of a plurality of dimensions; (C2L32-39: information layer agent on one or more nodes determines if an event is indicative of an imminent or current attack, determines if the event represents a known or unknown attack pattern and classify the attack, based on information associated with known attack patterns, including state-action mappings (Fig. 32) in various dimensions);
automatically generating, by the computer processor, a graphical user interface comprising a cybersecurity attack tree showing a combination of at least a threat actor, attack pattern, and target in at least one stage of the cyber kill chain and use machine learning (ML). (C2L56-64: an attack tree model is constructed for the distributed system to construct a model of the progression (or likely progression) of an attack (C17L17-20) formulated attack path discovery algorithm is used to locate a set of paths to a victim node from which an attacker launches DoS attacks to overwhelm victim resources and (C4L28-29) discovering new attack patterns and building attack tree models and (C1L41-42) automatic responsive actions and/or preventive rule-based controls; C4L51-52: incrementally refining initial, arbitrary models using machine learning techniques;).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Chen to include the idea of identifying control type and generating attack tree model as taught by Li so that a Q learning and a fair share scheduling based policy action controls a flood attack in order to ensure the resilience of the system in response to a DoS attack (C18L59-62).
Claim 10: Chen teaches a multi-dimensional cybersecurity threat modeling system comprising: a computer processor; a tangible computer memory storing computer-executable instructions that, when executed by the computer processor, cause the multi-dimensional cybersecurity threat modeling system to (Fig. 2): automatically retrieve data from a system of record associated with (C32L45-47: a computer via crawling automatically receives data from one or more mass storage devices (C17L4-35) processes are automated using an automation tool; C1L48-50: analyzing security threats associated with software and computer vulnerabilities (C32L12-16:  via scripts) includes identifying stakeholder values relevant for a software system (C10L21-24) based on the NIST IT Risk Guide and the emerging national standard Common Vulnerability Scoring System (CVSS), a joint effort across CERT, Cisco, MITRE, eBay, ISS, Microsoft, Qualys, and Symantec; C1L54-57: Structured Attack Graph is generated to include the quantified stakeholder values to evaluate attack paths in that Structure Attack Graph. Each attack path represents a respective attack scenario and (C2L64-67) T-MAP systematically establishes technical-level security threats and corresponding mitigation strategies; C2L55-56: using Threat Modeling Method Based on Attack Path Analysis (T-MAP) (C15L34-36, Fig. 9) (i) initial attack paths and associated severity weights are calculated for the current system without any security protection; C2L10-14: recommendation is provided on a security investment plan including identifying at least one of the attack paths that a security practice can suppress (iii), Identifying the stakeholder values includes identifying values that cannot be quantified in terms of tangible units (ii)).
Chen teaches the concept but is silent on identify a control type as one of mitigated and unmitigated, in each of a plurality of dimensions; and automatically generate a graphical user 
But analogous art Li teaches identify a control type as one of mitigated and unmitigated, in each of a plurality of dimensions; and automatically generate a graphical user interface comprising a cybersecurity attack tree showing a combination of at least a threat actor, attack pattern, and target in at least one stage of the cyber kill chain and use machine learning (ML). (C2L32-39: information layer agent on one or more nodes determines if an event is indicative of an imminent or current attack, determines if the event represents a known or unknown attack pattern and classify the attack, based on information associated with known attack patterns, including state-action mappings (Fig. 32) in various dimensions; C2L56-64: an attack tree model is constructed for the distributed system to construct a model of the progression (or likely progression) of an attack (C17L17-20) formulated attack path discovery algorithm is used to locate a set of paths to a victim node from which an attacker launches DoS attacks to overwhelm victim resources and (C4L28-29) discovering new attack patterns and building attack tree models and (C1L41-42) automatic responsive actions and/or preventive rule-based controls; C4L51-52: incrementally refining initial, arbitrary models using machine learning techniques).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Chen to include the idea of identifying control type and generating attack tree model as taught by Li so that a Q learning and a fair share scheduling based policy action controls a flood attack in order to ensure the resilience of the system in response to a DoS attack (C18L59-62).
Claim 18: Chen teaches a tangible, non-transitory computer-readable medium storing computer-executable instructions that, when executed by a computer processor, cause a multi-dimensional cybersecurity threat modeling system to (Fig. 2): automatically retrieve data from a system of record associated with a cybersecurity threat of one or more networked assets; assess a current control environment by applying a test script; generate a plurality of potential cybersecurity attack patterns and mitigated combinations against control mechanisms at each stage of a cyber kill chain; use machine learning (ML) from prior test scripts to determine at least one of: (i) current controls, (ii) missing controls, and (iii) recommended controls for a plurality of dimensions. (C32L45-47: a computer via crawling automatically receives data from one or more mass storage devices (C17L4-35) processes are automated using an automation tool; C1L48-50: analyzing security threats associated with software and computer vulnerabilities (C32L12-16: via scripts) includes identifying stakeholder values relevant for a software system (C10L21-24) based on the NIST IT Risk Guide and the emerging national standard Common Vulnerability Scoring System (CVSS), a joint effort across CERT, Cisco, MITRE, eBay, ISS, Microsoft, Qualys, and Symantec; C1L54-57: Structured Attack Graph is generated to include the quantified stakeholder values to evaluate attack paths in that Structure Attack Graph. Each attack path represents a respective attack scenario and (C2L64-67) T-MAP systematically establishes technical-level security threats and corresponding mitigation strategies; C2L55-56: using Threat Modeling Method Based on Attack Path Analysis (T-MAP) (C15L34-36, Fig. 9) (i) initial attack paths and associated severity weights are calculated for the current system without any security protection; C2L10-14: recommendation is provided on a security investment plan including identifying at least one of the attack paths that a security practice can suppress (iii), Identifying the stakeholder values includes identifying values that cannot be quantified in terms of tangible units (ii)).
Chen teaches the concept but is silent on identify a control type as one of mitigated and unmitigated, in each of a plurality of dimensions; and automatically generate a graphical user interface comprising a cybersecurity attack tree showing a combination of at least a threat actor, attack pattern, and target in at least one stage of the cyber kill chain and use machine learning (ML).
But analogous art Li teaches identify a control type as one of mitigated and unmitigated, in each of a plurality of dimensions; and automatically generate a graphical user interface comprising a cybersecurity attack tree showing a combination of at least a threat actor, attack pattern, and target in at least one stage of the cyber kill chain and use machine learning (ML). (C2L32-39: information layer agent on one or more nodes determines if an event is indicative of an imminent or current attack, determines if the event represents a known or unknown attack pattern and classify the attack, based on information associated with known attack patterns, including state-action mappings (Fig. 32) in various dimensions; C2L56-64: an attack tree model is constructed for the distributed system to construct a model of the progression (or likely progression) of an attack (C17L17-20) formulated attack path discovery algorithm is used to locate a set of paths to a victim node from which an attacker launches DoS attacks to overwhelm victim resources and (C4L28-29) discovering new attack patterns and building attack tree models and (C1L41-42) automatic responsive actions and/or preventive rule-based controls; C4L51-52: incrementally refining initial, arbitrary models using machine learning techniques).
C18L59-62).
Claim 2: the combination of Chen and Li teaches the method of claim 1, wherein the using ML from prior test scripts comprises: determining a likelihood of success of the cybersecurity threat with a predictive analytics engine. (Chen: C6L40-42: T-MAP tool enumerates the possible attack scenarios for IT systems… and (C7L23-25) uses the Attack Path concept to characterize possible scenarios wherein an attacker can jeopardize organizational values).
Claim 3: the combination of Chen and Li teaches the method of claim 1, wherein ML training data includes at least one location feature. (Li: C7L28-32: knowledge layer is located on the same node or nodes as the information layer, or on one or more other nodes (distributed, or located on a different central node than the information layer)).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Chen to include the idea of use ML model with location feature as taught by Li so that a Q learning and a fair share scheduling based policy action controls a flood attack in order to ensure the resilience of the system in response to a DoS attack (C18L59-62).
Claim 4: the combination of Chen and Li teaches the method of claim 3, wherein the ML training data is based on a criticality of an asset, a centrality of the asset, a skill of the threat actor, a strength of mitigating controls, and historical data about previously observed cybersecurity attacks. (Chen: C2L7-8: quantitative measure of security criticalness of each node in the Structured Attack Graph, Fig. 8b: estimated skill level of the attacker, C7L19-21: different IT servers have different levels of importance in terms of supporting the business's core values, C30L43-45: T-MAP's significant strength in estimating the effectiveness of security practices, C9L44-45: "Vulnerability" in the Structured Attack Graph, if the connectability between exploits is known).
Claim 5: the combination of Chen and Li teaches the method of claim 1, wherein ML training data includes at least one attack pattern feature. (Chen: C2L44-46: based on the generated structured attack graph, identify structured attack paths. Each structured attack path represents a respective attack scenario).
Claim 6: the combination of Chen and Li teaches the method of claim 1, wherein the plurality of potential cybersecurity attack patterns are categorized by a common attack pattern enumerated classification (CAPEC). (Chen: C6L40-42: T-MAP tool can enumerate the possible attack scenarios for IT systems based on a vulnerability database).
Claim 7: the combination of Chen and Li teaches the method of claim 1, wherein stages of the cyber kill chain comprise reconnaissance, weaponization, delivery, exploit, installation, command and control, and actions. (Chen: C6L44-49, Fig. 4: Each attack scenario can be specified with the following information: (1) the organizational value affected; (2) the vulnerable computer; (3) the vulnerable software; (4) the CVE name of the vulnerability; (5) the impact type of the vulnerability in terms of confidentiality, integrity, and/or availability; and (6) the patch availability of the vulnerability; C12L45-54: attackers are modeled (Fig. 9, 930). The attacker is another factor that drives the severity of security incidents. T-MAP models attacker groups with attributes of skill level, group size, and the motivation, represented by A.SL, A.GS and A.MT...).
Claim 8: the combination of Chen and Li teaches the method of claim 1, wherein the cybersecurity attack tree shows a further combination of at least an attack vector, a mitigating control by dimension, target, and effect in at least one stage of the cyber kill chain. (Chen: Fig. 4, C8L32-39: On each node the actions that the attacker shall take are clearly noted (e.g., pick lock, learn combo, etc.). The possible or impossible next-process scenarios associated with each node are also specified by connecting nodes in the next layer. When a defender is able to block all the possible attack paths on the tree, the defender will be safe, assuming the attack tree is complete, (C9L35-37) mitigation actions are proactively taken to minimize the threats to the validation process).
Claim 9: the combination of Chen and Li teaches the method of claim 1, wherein the plurality of dimensions comprise people, process, and technology. (Chen: C1L61-65: the layers of System Key Stakeholders, Computer Hosts, Commercial Off The Shelf Software, Vulnerabilities, Network Ports, and Attackers, Based on the generated Structured Attack Graph, Structured Attack Paths are identified).
Claim 11: the combination of Chen and Li teaches the system of claim 10, wherein ML training data from prior test scripts is based on a criticality of an asset, a centrality of the asset, a skill of the threat actor, a strength of mitigating controls, and historical data about previously observed cybersecurity attacks. (Chen: C2L7-8: quantitative measure of security criticalness of each node in the Structured Attack Graph, Fig. 8b: estimated skill level of the attacker, C7L19-21: different IT servers have different levels of importance in terms of supporting the business's core values, C30L43-45: T-MAP's significant strength in estimating the effectiveness of security practices, C9L44-45: "Vulnerability" in the Structured Attack Graph, if the connectability between exploits is known).
Claim 12: the combination of Chen and Li teaches the system of claim 10, wherein the using ML from prior test scripts comprises: determining a likelihood of success of the cybersecurity threat with a predictive analytics engine. (Chen: C6L40-42: T-MAP tool enumerates the possible attack scenarios for IT systems… and (C7L23-25) uses the Attack Path concept to characterize possible scenarios wherein an attacker can jeopardize organizational values).
Claim 13: the combination of Chen and Li teaches the system of claim 10, wherein ML training data includes at least one attack pattern feature. (Chen: C2L44-46: based on the generated structured attack graph, identify structured attack paths. Each structured attack path represents a respective attack scenario).
Claim 14: the combination of Chen and Li teaches the system of claim 10, wherein ML training data includes at least one location feature. (Li: C7L28-32: knowledge layer is located on the same node or nodes as the information layer, or on one or more other nodes (distributed, or located on a different central node than the information layer)).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Chen to include the idea of use ML model with location feature as taught by Li so that a Q learning and a fair share scheduling based policy action controls a flood attack in order to ensure the resilience of the system in response to a DoS attack (C18L59-62).
Claim 15: the combination of Chen and Li teaches the system of claim 10, wherein the plurality of potential cybersecurity attack patterns are categorized by a common attack pattern enumerated classification (CAPEC), and wherein stages of the cyber kill chain comprise reconnaissance, weaponization, delivery, exploit, installation, command and control, and actions. (Chen: C6L40-42: T-MAP tool can enumerate the possible attack scenarios for IT systems based on a vulnerability database; C6L44-49, Fig. 4: Each attack scenario can be specified with the following information: (1) the organizational value affected; (2) the vulnerable computer; (3) the vulnerable software; (4) the CVE name of the vulnerability; (5) the impact type of the vulnerability in terms of confidentiality, integrity, and/or availability; and (6) the patch availability of the vulnerability; C12L45-54: attackers are modeled (Fig. 9, 930). The attacker is another factor that drives the severity of security incidents. T-MAP models attacker groups with attributes of skill level, group size, and the motivation, represented by A.SL, A.GS and A.MT...).
Claim 16: the combination of Chen and Li teaches the system of claim 10, wherein the test script is stored in a library of test scripts in compliance with industry and internal security frameworks. (Chen: C1L48-50: analyzing security threats associated with software and computer vulnerabilities (C32L12-16:  via scripts) includes identifying stakeholder values relevant for a software system (C10L21-24) based on the NIST IT Risk Guide and the emerging national standard Common Vulnerability Scoring System (CVSS), a joint effort across CERT, Cisco, MITRE, eBay, ISS, Microsoft, Qualys, and Symantec).
Claim 17: the combination of Chen and Li teaches the system of claim 10, wherein the cybersecurity attack tree shows a further combination of at least an attack vector, a mitigating control by dimension, target, and effect in at least one stage of the cyber kill chain. (Chen: Fig. 4, C8L32-39: On each node the actions that the attacker shall take are clearly noted (e.g., pick lock, learn combo, etc.). The possible or impossible next-process scenarios associated with each node are also specified by connecting nodes in the next layer. When a defender is able to block all the possible attack paths on the tree, the defender will be safe, assuming the attack tree is complete, (C9L35-37) mitigation actions are proactively taken to minimize the threats to the validation process).
Claim 19: the combination of Chen and Li teaches the computer-readable medium of claim 18, wherein the plurality of dimensions comprise people, process, and technology. (Chen: C1L61-65: the layers of System Key Stakeholders, Computer Hosts, Commercial Off The Shelf Software, Vulnerabilities, Network Ports, and Attackers, Based on the generated Structured Attack Graph, Structured Attack Paths are identified).
Claim 20: the combination of Chen and Li teaches the computer-readable medium of claim 18, wherein the recommended controls comprise a mitigation strategy comprising at least one of: applying a patch to the one or more networked assets, issuing a renewed security certificate, and physically altering an architecture of the one or more networked assets. (Chen: C6L50-53, C11L38-42: T-MAP Tool provides improved security practices such as Firewall, system patching and hardening, enhancing physical security, creating backup systems, and data encryption).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See PTO-892 Notice of References Cited.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Badri -- Champakesan whose telephone number is (571)270-3867.  The examiner can normally be reached on M-F: 8:30am-5pm (EST).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi T. Arani can be reached on 5712723787.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/BADRINARAYANAN /Examiner, Art Unit 2438.