Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
DETAILED ACTION
This action is in response to applicant’s original submittal made on 7/31/2020. Claims 1-12 are pending.
Specification (Title)
The title of the invention is not descriptive.  A new title is required that is clearly indicative of the invention to which the claims are directed. 
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees.  A nonstatutory double patenting rejection is appropriate where the claims at issue are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).

The USPTO internet Web site contains terminal disclaimer forms which may be used.  Please visit http://www.uspto.gov/forms/.  The filing date of the application will determine what form should be used.  A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission.  For more information about eTerminal Disclaimers, refer to http://www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.  

Claims 1 and 7 are rejected on the ground of nonstatutory double patenting as being unpatentable over claim 1 of U.S. Patent No. 10,735,456 and 456’ hereinafter. Although the claims at issue are not identical, they are not patentably distinct from each other because both sets of claims are drawn to the following: 
(16/945743) A system for operating an advanced cyber decision platform for mitigation of cyberattacks, the system comprising: a computing device comprising a memory and a processor; a time series data store comprising a first plurality of programming instructions stored in the memory and operating on the processor, wherein the first plurality of programming instructions, when operating on the processor, cause the computing device to: monitor a plurality of network events on a network; produce time-series data comprising at least a record of a network event and the time at which the network event occurred; an observation and state estimation module comprising a second plurality of programming maps to (456’) A system for operating an advanced cyber decision platform for mitigation of cyberattacks, the system comprising: a computing device comprising a memory and a processor; a time series data store comprising a first plurality of programming instructions stored in the memory and operating on the processor, wherein the first plurality of programming instructions, when operating on the processor, cause the computing device to: monitor a plurality of network .



Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 4-7 and 10-12 are rejected under 35 U.S.C. 103 as being unpatentable over Marvasti et al. (US Patent No. 7,869,967 and Marvasti hereianfter) in view of Muller et al. (US Patent Publication No. 2015/0106941 and Muller hereinafter).

As to claims 1 and 7, Marvasti teaches a system for operating an advanced cyber decision platform for mitigation of cyberattacks, the system comprising: 
a computing device comprising a memory and a processor (i.e. …teaches memory in col. 16 lines 35-40…teaches a processor in col. 15, lines 40-45); 
a time series data store comprising a first plurality of programming instructions stored in the memory and operating on the processor (i.e., …teaches in col. 16 lines 44-60 the following: “the instructions can be downloaded into a computing device over a data network”.), wherein the first plurality of programming instructions, when operating on the processor, cause the computing device to (i.e., …teaches in col. 16 lines 44-60 the following: “the instructions can be downloaded into a computing device over a data network”.): 
monitor a plurality of network events on a network (i.e., …teaches in col. 2, lines 25-35 the following: “collect a historical time-series data set for a metric in an IT infrastructure for at least one monitoring period, each monitoring period having a plurality of timeslots and each timeslot observing 
produce time-series data comprising at least a record of a network event and the time at which the network event occurred (i.e., …teaches in col. 9 lines 55-67 the following: “FIG. 5 shows an embodiment using a one-way cusum statistic S.sub.n.sup.+. The raw data shows live sessions of network activity. System administrators may decide, for example, that zero live sessions are not indicative of a problem state or failure, according to an embodiment. As with the prior examples, the 5 general peaks represent work days Monday through Friday shown on graph, and the smaller peaks on June 23 and June 24 are Saturday and Sunday respectively. In this case, the threshold H is set at a value of just under 3200.”); 
an observation and state estimation module comprising a second plurality of programming instructions stored in the memory and operating on the processor (i.e.. …teaches in col. 13 lines 49-56 the following: “data observations as that data being observed in real-time in operation 232”.), 
wherein the second plurality of programming instructions, when operating on the processor, cause the computing device to (i.e., …teaches in col. 16 lines 44-60 the following: “the instructions can be downloaded into a computing device over a data network”), 
monitor a plurality of connected resources on the network (i.e., …teaches in col. 14 lines 15-25 the following: “process described herein are applicable to data network monitoring. Network usage”).

Marvasti does not expressly teach:
produce a cyber-physical graph comprising nodes representing the plurality of connected resources and edges between the nodes representing the physical and logical relationships between the nodes, 

operate the cyber-physical graph as a simulated network using the time-series data as a first series of simulated network events on the cyber-physical graph; 
monitor the simulated network during the occurrence of a simulated cyberattack generated by an action-outcome simulation module to identify a response of the simulated network to the simulated cyberattack, the response comprising a second series of simulated network events;
and the action-outcome simulation module comprising a third plurality of programming instructions stored in the memory and operating on the processor, wherein the third plurality of programming instructions, when operating on the processor, cause the computing device to: produce a simulated cyberattack on the simulated network, the simulated cyberattack comprising a third series of simulated network events; 
produce a plurality of security reports based on the response identified by the observation and state estimation module, 
wherein the contents of each report are customized to provide a specialized information stream relevant to the operational role of a recipient of the report.
In this instance the examiner notes the teachings of prior art reference Muller. 
With regards to applicant’s claim limitation element of, “produce a cyber-physical graph comprising nodes representing the plurality of connected resources and edges between the nodes representing the physical and logical relationships between the nodes”, Muller illustrates in figure 1 a cyber-graph with relationship between network entities. 
With regards to applicant’s claim limitation element of, “whereby the cyber-physical graph represents the physical and logical structure of the portion of the network represented by the 
With regards to applicant’s claim limitation element of, “operate the cyber-physical graph as a simulated network using the time-series data as a first series of simulated network events on the cyber-physical graph”, Muller teaches a (i.e., …teaches in paragraph 0062 the following: “the model may be executed a sufficient number of iterations to simulate attacks against the target by an adversary traversing areas of the physical and cyber domains to assist with evaluation of security risks of the facility.”.); 
With regards to applicant’s claim limitation element of, “monitor the simulated network during the occurrence of a simulated cyberattack generated by an action-outcome simulation module to identify a response of the simulated network to the simulated cyberattack, the response comprising a second series of simulated network events”, Muller teaches in paragraph 0057 the following: “the statistics for each iteration are captured in the output log for the analyst to review, and can be compiled across multiple iterations. Statistical analysis can be performed for each use case, and selected scenarios can be played back in a graphical user interface in one embodiment. In one embodiment, the graphical user interface may display a graph, for example as shown in FIG. 1, and the relevant information during the execution of the model during an iteration (e.g., display event detection, response initiation, the path the adversary chooses, the safeguard being exploited, and the time involved with each event). In this example, the analysts can watch each step of the attack as they unfold or after the fact for iterations of interest.”. 
With regards to applicant’s claim limitation element of, “and the action-outcome simulation module comprising a third plurality of programming instructions stored in the memory and operating on the processor, wherein the third plurality of programming instructions, when operating on the processor, cause the computing device to: produce a simulated cyberattack on the simulated network, 
With regards to applicant’s claim limitation element of, “produce a plurality of security reports based on the response identified by the observation and state estimation module”, teaches in paragraph 0057 the following: “the statistics for each iteration are captured in the output log for the analyst to review…”. 
With regards to claim limitation element of, “wherein the contents of each report are customized to provide a specialized information stream relevant to the operational role of a recipient of the report”, teaches in paragraph 0063 the following: “the results of the execution may be utilized to provide information regarding the security risk of the facility with respect to the target. For example, the summary statistics and detailed iteration analysis may be stored, mined, searched and reviewed by an analyst.”. The examiner notes that the analyst specific to the target will received the data pertinent to them.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Marvasti with the teachings of Muller by including the feature of cyber-graph analysis. Utilizing cyber-graph analysis as taught by Muller above allows a system to provide comprehensive threat detection and therefore provides the motivation in this instance to combine the references. The examiner contends that by combining the references, Marvasti's system will obtain the capability to provide enhanced system security. 

As to claims 4 and 10, the system of Marvasti and Muller as applied to claim 1 above, specifically Marvasti does not teach a system of claim 1, wherein the action-outcome simulation module further causes the computing device to compare relationships between connected resources against known security vulnerabilities.
In this instance the examiner notes the teachings of prior art reference Muller. 
Muller teaches in paragraph 0073 the following: “an overall vulnerability analysis of the entire system may be performed taking into account previously unidentified and unaccounted for areas of physical/cyber interdependencies.”. 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Marvasti with the teachings of Muller by including the feature of cyber-graph analysis. Utilizing cyber-graph analysis as taught by Muller above allows a system to provide comprehensive threat detection and therefore provides the motivation in this instance to combine the references. The examiner contends that by combining the references, Marvasti's system will obtain the capability to provide enhanced system security. 

As to claims 5 and 11, the system of Marvasti and Muller as applied to claim 1 above, specifically Marvasti does not teach a system of claim 4, wherein action-outcome simulation module further causes the computing device to produce recommended security mitigations based on the comparison against known security vulnerabilities.
In this instance the examiner notes the teachings of prior art reference Muller. 
Muller teaches in paragraph 0053 the following: “The output information resulting from the executions of the model may be mined and used in various different ways. In one example, the results may be queried or searched by an analyst, for example, to identify weaknesses in the security system, to 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Marvasti with the teachings of Muller by including the feature of cyber-graph analysis. Utilizing cyber-graph analysis as taught by Muller above allows a system to provide comprehensive threat detection and therefore provides the motivation in this instance to combine the references. The examiner contends that by combining the references, Marvasti's system will obtain the capability to provide enhanced system security. 

As to claims 6 and 12, the system of Marvasti and Muller as applied to claim 1 above, specifically Marvasti does not teach a system of claim 1, wherein the observation and state estimation module is further configured to produce a visualization of the operation of the cyber-physical graph as a simulated network over time.
In this instance the examiner notes the teachings of prior art reference Muller. 
Muller teaches in paragraph 0057 the following: “the statistics for each iteration are captured in the output log for the analyst to review, and can be compiled across multiple iterations. Statistical analysis can be performed for each use case, and selected scenarios can be played back in a graphical user interface in one embodiment. In one embodiment, the graphical user interface may display a graph, for example as shown in FIG. 1, and the relevant information during the execution of the model during an iteration (e.g., display event detection, response initiation, the path the adversary chooses, the safeguard being exploited, and the time involved with each event). In this example, the analysts can watch each step of the attack as they unfold or after the fact for iterations of interest.”. 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Marvasti with the teachings of Muller by including . 

Claims 2, 3, 8 and 9 are rejected under 35 U.S.C. 103 as being unpatentable over Marvasti in view of Muller et al. (US Patent Publication No. 2015/0106941) as applied to claims 1 and 7 above and further in view Zandani (US Patent Publication No. 2013/0227697).

As to claims 2 and 8, the system of Marvasti and Muller as applied to claims 1 and 7 above teaches cyber security, however neither reference expressly teaches a system of claim 1, wherein the action-outcome simulation module further causes the computing device to calculate an impact assessment score for a connected resource represented by a node in the cyber-physical graph.
In this instance the examiner notes the teachings of prior art reference Zandani. 
Zandani teaches as part of his Abstract the following: “global cyber attack data and comparing the global cyber attack data to the organizational profile data, to compute a cyber attack risk score for each of the organizational assets..”. 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Marvasti and Muller with the teachings of Zandani by including the feature of threat impact scoring. Utilizing threat impact scoring as taught by Zandani above allows a system to provide comprehensive attack impact analysis and therefore provides the motivation in this instance to combine the references. The examiner contends that by combining the references, the system of Marvasti and Muller will obtain the capability to provide enhanced security threat assessment. 

As to claims 3 and 11, the system of Marvasti and Muller as applied to claims 1 and 7 above teaches cyber security, system of claim 2, wherein the action-outcome simulation module further causes the computing device to calculate an overall impact of a cyberattack, wherein the calculation is based on the impact assessment score for each connected resource affected by the simulated cyberattack.
In this instance the examiner notes the teachings of prior art reference Zandani. 
Zandani teaches in paragraph 0016 the following: “compute a success probability score of one or more attack…indicated by the global cyber attack data”. 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Marvasti and Muller with the teachings of Zandani by including the feature of threat impact scoring. Utilizing threat impact scoring as taught by Zandani above allows a system to provide comprehensive attack impact analysis and therefore provides the motivation in this instance to combine the references. The examiner contends that by combining the references, the system of Marvasti and Muller will obtain the capability to provide enhanced security threat assessment. 
Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BRYAN F WRIGHT whose telephone number is (571)270-3826.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni Shiferaw can be reached on (571)272-3867.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

/BRYAN F WRIGHT/            Examiner, Art Unit 2497