Notice of Pre-AIA or AIA Status
Claims 1-20 remain for examination.  The amendment filed 9/9/21 amended claims 1, 5, 10, 14, and 19.  The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 8/20/21 has been considered by the examiner.

Response to Arguments
Applicant’s arguments, see pages of the amendment filed 9/9/21, with respect to the rejection(s) of claim(s) 1-20 under Vallone in view of Alexander have been fully considered and are persuasive.  Therefore, the rejection has been withdrawn.  However, upon further consideration, a new ground(s) of rejection is made in view of the newly discovered reference to Kliger.

Claim Rejections - 35 USC § 103
The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.
Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Vallone in view of Alexander in view of Kliger (U.S. Patent Publication 2020/0044911).



Vallone discloses a method, system, and non-transitory computer readable medium for threat simulation and threat mitigation recommendations, comprising: performing a first threat simulation using at least one attack vector, wherein performing the first threat simulation includes generating simulated network traffic associated with the at least one attack vector and sending, via at least one intermediate node, the simulated network traffic to a test agent in a target network (paragraph 0015: the invention generates synthetic security events, representative of actual cyberthreat activity, for testing the effectiveness of a network's detective and preventative information security controls; see also paragraph 0037: “A threat intelligence component 202 gathers information regarding cyberthreats, a synthetic test generation component 204 determines one or more synthetic tests based on creating instructions for implementing one or more objectives of the cyberthreat, and a synthetic test policy component 206 configures one or more agents 210 to operate with one or more host/system devices under test 208 ("hosts") (e.g., a computer 100)”); determining, using simulated network traffic arrival metrics, at least one threat mitigation recommendation (Ibid: “For example, the sensor environment 212 can capture data to indicate that a user's Windows desktop has generated 3000 or more requests to various websites over the course of a 24-hour period. The analytic environment 214 applies a number of analysis techniques to the data, and identifies that, for example, 16 web requests to a single domain occur exactly 33 minutes and 27 seconds apart, indicative of an automated (and potentially malicious) process, rather than human-driven web browsing behavior. 
The host 208, sensor environment 212, analytic environment 214, and assessment/response processes 216 each are configured to separately and/or conjunctively communicate feedback data to the synthetic test generation component 204, which can further analyze the feedback and, optionally, initiate additional instructions (e.g., based on a defined policy)”); and providing, via a user interface, the at least one threat mitigation recommendation to a Validation feedback data (e.g., status, indicia, updates, the number of an instruction's steps completed/not completed, the monitoring capabilities' detection/response data), in one or more embodiments, are received from the target network so that the target network's effectiveness can be measured and recorded (e.g., via an electronic and/or physical report) and, if relevant, additional instructions can be initiated to carry out additional characteristics.”; see also paragraph 0040, wherein the feedback from the simulated threat can inter alia be used “for determining an executable strategy for efficiently addressing deficiencies in the target network”; see also claim 1, the “generating an analysis…” limitation).  Further regarding claim 10, Vallone also discloses a processor and memory (paragraphs 0045-0047).
Although the test agents are software modules installed on the hosts being protected by Vallone’s invention that help process the simulated attack and generate feedback, it is unclear from this disclosure if these test agents can be said to simulate at least one protected asset in the target network.  However, Alexander discloses a remarkably similar invention to that of Vallone, wherein his equivalent component of the test agent explicitly simulates the asset(s) to be protected (see the attack checker of paragraph 0005).  It would have been obvious prior to the effective filing date of the instant invention to modify Vallone such that the test agent simulates the host device being tested with the simulated attack, as doing so would help prevent the simulated attack from breaking the bounds of the simulation and actually gaining illicit access to the protected device (Alexander, Ibid).
Neither Vallone nor Alexander explicitly discloses wherein the at least one threat mitigation recommendation includes an associated crowd-sourced metric.  However, Kliger discloses a related invention for threat detection and mitigation wherein that invention explicitly identifies solutions for a threat or alert condition based on a crowd-

Regarding claims 2, 11, and 20:	The combination further discloses wherein determining the at least one threat mitigation recommendation includes using target network topology information of the target network (Alexander: paragraph 0080). 

Regarding claims 3 and 12:	The combination further discloses wherein the at least one threat mitigation recommendation is stored in a data structure containing threat mitigation recommendations associated with different intermediate nodes and/or threat mitigation recommendations associated with different intermediate node classes (Vallone: the feedback data including recommendations on how to fix vulnerabilities at paragraph 0041; and the database in which said data is stored, illustrated in Figure 5).

Regarding claims 4 and 13:	The combination further discloses wherein the at least one intermediate node includes a security node, a firewall, a network firewall, an application firewall, an 

Regarding claims 5 and 14:	The combination further discloses wherein the at least one threat mitigation recommendation is associated with the at least one intermediate node, wherein the at least one threat mitigation recommendation includes administration instructions and/or configuration instructions for the at least one intermediate node (Vallone: paragraph 0041). 

Regarding claims 6 and 15:	The combination further discloses wherein the simulated network traffic arrival metrics are generated by monitoring the arrival of simulated network traffic at the at least one intermediate node and/or the test agent (Vallone: paragraph 0037). 

Regarding claims 7 and 16:	The combination further discloses wherein the test agent is in the target network in a manner that is topologically similar to the protected asset (Alexander: paragraph 0047).

Regarding claims 8 and 17:	The combination further discloses wherein the at least one threat mitigation recommendation is stored in a data structure accessible via an API or user interface (Vallone, paragraph 0041).

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to THOMAS A GYORFI whose telephone number is (571)272-3849. The examiner can normally be reached 10:00am - 6:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl can be reached on 571-272-3685. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

THOMAS A. GYORFI
Examiner
Art Unit 2435



/THOMAS A GYORFI/Examiner, Art Unit 2435    11/15/2021