DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This is a reply to the application filed on 06/02/2020, in which, claim(s) 1-4 are pending. Claims 1 and 3 are independent.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 06/02/2020, has been reviewed. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, the examiner is considering the information disclosure statement.

Terminal Disclaimer
The terminal disclaimers filed on 12/21/2021 disclaiming the terminal portion of any patent granted on this application which would extend beyond the expiration date of US Patent No. 10,673,887 and 11,070,592 have been reviewed and are accepted.  The terminal disclaimers have been recorded.

Drawings
The drawings filed on 06/02/2020 are accepted by the examiner.

EXAMINER’S AMENDMENT
An examiner's amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided 
Authorization for this examiner's amendment was given in a telephone interview with Attorney Brian S. Boon (Reg. No. 77,640) on 12/20/2021.
 
Please replace ¶[044] with the following:
[044] Fig. 5 is a method diagram illustrating and describing many activities and steps for network and internet based reconnaissance for cybersecurity purposes. The first step, according to an aspect, would be to use Internet Control Message Protocol (ICMP) to resolve what IP address each domain of the target resolves as 501. According to an aspect, another process in the method would be to perform a DNS forward lookup 502, using the list of subdomains of the target as input, generating a list of IP addresses as output. It is then possible to see if the IP addresses returned are within the net ranges discovered by a whois—which is a protocol used for querying databases for information related to assignees of an internet resource, including an IP address block, or domain name—check of the target’s domain 503, and if not, perform additional whois lookups to determine if new associated net ranges are of interest, and then you may run a reverse DNS Lookup to determine the domains to which those addresses belong. A second use for whois lookups 503 is to determine where the site is hosted, and with what service—for example in the cloud, with Amazon Web Services, Cloudflare, or hosted by the target corporation itself. The next overall step in the process, according to an aspect, is to examine DNS records 504, with reverse IP lookups, and using certain tools such as dnscheck.ripe.net it is possible to see if other organizations share hosting space with the target. Other DNS record checks 504 include checking the Mail Exchange (“MX”) record, for the Sender Policy Framework (“SPF”) to determine if the domain is protected against emails from unauthorized domains, known commonly as phishing or spam, and other forms of email attack. Further examining the DNS MX record 504 allows one to examine if the target is self-hosting their email or if it is 504 may also be gathered for additional information, as defined by an aspect. 
The next overall step in the process is to conduct a port scan on the target network 505, and of any devices immediately recognizable, to find insecure or open ports on target IP addresses. Multiple tools for this exist, or may be constructed. Next, collecting the identity of the target’s DNS registrar 506 should be done, to determine more information about their hosting practices. Another action in the method, according to an aspect, is to leverage the technology and technique of DNS sinkholing 507, a situation where a DNS server is set up to spread false information to clients that query information from it. For these purposes, the DNS sinkhole 507 may be used to redirect attackers from examining or connecting to certain target IP addresses and domains, or it can be set up as a DNS proxy for a customer in an initial profiling phase. There are possible future uses for DNS sinkholes 507 in the overall cybersecurity space, such as potentially, for example, allowing a customer to route their own requests through their own DNS server for increased security. The next overall step in network and internet reconnaissance, according to an aspect, is to use Réseaux IP Européens (“RIPE”) datasets 508 or similar datasets for analytics, such as RIPE Atlas Raw Data, RIS Raw Data, Reverse DNS Delegations, IPv6 Web Statistics, RIPE NCC Active Measurements Of World IPv6 Day Dataset, RIPE NCC Active Measurements of World IPv6 Launch Dataset, iPlane traceroute Dataset, NLANR AMP Data, NLANR PMA Data, and WITS Passive Datasets. Another process in the method, according to an aspect, is to collect information from other public datasets 509 from scanning projects produced by academia and the government 510, for anomalies and important data which may be relevant to the security of the server. 
Another process in the method, according 511, an internet measurement data catalogue, which publicly makes available measurement data gathered from various scans of the internet, for research purposes. Another process in the method, according to an aspect, is to enumerate DNS records 512 from many groups which host website traffic, including Cloudflare, Akamai, and others, using methods and tools already publicly available on websites such as github. Technologies such as DNSRecon and DNSEnum exist for this purpose as well, as recommended by Akamai. Another action in the method, according to an aspect, is to collect and crawl Google search results 513 in an effort to build a profile for the target corporation or group, including finding any subdomains still not found. There is an entire category of exploit with Google searches that exploits the Google search technique and may allow access to some servers and web assets. Other exploits found online 514, which possesses an index of data from many internet providers and may be useful for analyzing and probing certain networks.

Please replace ¶[045] with the following:
[045] Fig. 6 is a method diagram illustrating key steps in collection of DNS leak information. A first step in this process would be, according to an aspect, to collect periodic disclosures of DNS leak information 601, whereby a user’s privacy is insecure because of improper network configuration. A second step, according to an aspect, is to top-level domain records and information about top-level domain record health 602, such as reported by open-source projects available on websites such as Github. Another process in the method is to create a Trust Tree map 603 of the target domain, which is an open-source project available on Github 604 within the Tree Trust graphs, using algorithms to detect if new references are being created in records (possible because of the use of MDTSDB’s recording data over time), which may help with alerting one to numerous vulnerabilities that may be exploited, such as if a top level domain is hijacked through DNS record manipulation, and other uses are possible.


Please replace claim 1 with:
1. (Currently amended) A system for comprehensive cybersecurity analysis and rating based on heterogeneous data and reconnaissance, comprising:
a computing device comprising a hardware memory, a hardware processor, and a network interface device; and
a high volume web crawler comprising a first plurality of programming instructions stored in the memory of, and operating on the processor of, the computing device, wherein the first plurality of programming instructions, when operating on the processor, causes the computing device to obtain information from the Internet as directed by an automated planning service module;
an automated planning service module, comprising a second plurality of programming instructions stored in the memory of, and operating on the processor of, the computing device, wherein the second plurality of programming instructions, when operating on the processor, causes the computing device to:
establish a scope of cybersecurity analysis by:
defining a target network by identifying internet protocol addresses and subdomains of the target network;
identifying web applications used by the target network; and
gathering version and update information for hardware and software systems within the boundary of the target network; and
perform reconnaissance of the target network according to the established scope by:
verifying domain name system information for each internet protocol address and subdomain of the target network to confirm ownership and extent of the target network, and assigning an Internet reconnaissance score based on the confirmation;
collecting domain name system leak information by identifying improper network configurations in the internet protocol addresses and subdomains of the target network, and assigning a domain name system leak information score;
analyzing web applications used by the target network to identify vulnerabilities in the web applications that could allow unauthorized access to the target network, and assigning a web application security score based on the identified vulnerabilities; and
checking version and update information for the hardware and software systems within the boundary of the target network, and assigning a patching frequency score; and
a cybersecurity scoring engine comprising a third plurality of programming instructions stored in the memory of, and operating on the processor of, the computing device, wherein the third plurality of programming instructions, when operating on the processor, cause the computing device to:
generate a weighted cybersecurity rating by:
assigning a weight to each of the Internet reconnaissance score, the domain name system leak information score, the web application security score, the patching frequency score;
aggregating the weighted scores into the weighted cybersecurity rating; and
reporting the weighted cybersecurity rating.


Please replace claim 3 with:
3. (Currently amended) A method for comprehensive cybersecurity analysis and rating based on heterogeneous data and reconnaissance, comprising the following steps: 
establishing a scope of cybersecurity analysis using a high volume web crawler directed by an automated planning service module, the establishment of the scope of cybersecurity analysis comprising the following steps:
defining a target network by identifying internet protocol addresses and subdomains of the target network;
identifying web applications used by the target network; and
gathering version and update information for hardware and software systems within the boundary of the target network; and
performing reconnaissance of the target network according to the established scope using a high volume web crawler directed by an automated planning service module, the reconnaissance comprising the following steps:
verifying domain name system information for each internet protocol address and subdomain of the target network to confirm ownership and extent of the target network, and assigning an Internet reconnaissance score based on the confirmation;
collecting domain name system leak information by identifying improper network configurations in the internet protocol addresses and subdomains of the target network, and assigning a domain name system leak information score;
analyzing web applications used by the target network to identify vulnerabilities in the web applications that could allow unauthorized access to the target network, and assigning a web application security score based on the identified vulnerabilities; and
checking version and update information for the hardware and software systems within the boundary of the target network, and assigning a patching frequency score; and
generating a weighted cybersecurity rating using a cybersecurity scoring engine, the generation of the weighted cybersecurity rating comprising the following steps:
assigning a weight to each of the Internet reconnaissance score, the domain name system leak information score, the web application security score, and the patching frequency score; and
aggregating the weighted scores into the weighted cybersecurity rating; and
reporting the weighted cybersecurity rating.


Allowable Subject Matter
Claims 1-4 are allowed.
The following is an examiner's statement of reasons for allowance:
Independent claim(s) and their respective dependent claims are allowable over the prior art since the prior art, taken individually or in combination, fails to particularly disclose, fairly suggest, or render obvious the following italic limitations:

In claims 1 and 3:
“verifying domain name system information for each internet protocol address and subdomain of the target network to confirm ownership and extent of the target network, and assigning an Internet reconnaissance score based on the confirmation;
collecting domain name system leak information by identifying improper network configurations in the internet protocol addresses and subdomains of the target network, and assigning a domain name system leak information score;
analyzing web applications used by the target network to identify vulnerabilities in the web applications that could allow unauthorized access to the target network, and assigning a web application security score based on the identified vulnerabilities; and
checking version and update information for the hardware and software systems within the boundary of the target network, and assigning a patching frequency score” in combination with other limitations recited as specified in the independent claim(s). 

The closest prior art made of record is:
Neil et al. (US 2015/0020199 A1) teaches detecting network intrusions, anomalies, and policy violations by path scanning for the detection of anomalous subgraphs embedded within time-evolving graphs and additionally relates to the use of Domain Name Service ("DNS") requests for situational awareness and anomaly/change detection on a computer network.
Michael Roy Stute (US 2013/0117852 A1) teaches calculating a score that indicates a discrepancy between an amount of data in each of the subset of the component data types and the counts for each corresponding historical data type in the same time period, and handling the candidate alert based upon the score. 
Amit et al. (US 2013/0111595 A1) teaches detection of Document Object 
James Michael Knight (US 2004/0255167 A1) teaches a remote security management center to provide many of the monitoring and protection functions traditionally carried out by an information technology support center located at a particular network site. The remote center can monitor a protected network and intervene to thwart hacking or viral/worm attacks against the separate protected network through the global network attached to the protected network.
Gilbert et al. (US 2007/0226796 A1) teaches a utility that enables detection of both tactical and strategic threats against an individual entity and interrelated/affiliated networks of entities.
Watters et al. (US 2016/0241581 A1) teaches a plurality of consensus evaluations and a plurality of cyber threat analyst ratings, and an application stored in the memory. When executed by the computer, the application generates a cyber threat report that identifies a cyber threat intent and a cyber threat technology, receives from a cyber threat analyst an input of a cyber threat frequency score, an input of a cyber threat likelihood score, and an input of a cyber threat capability score, and generates a cyber threat intensity based on the scores and based on a cyber threat analyst rating stored in the data store and associated with the cyber threat analyst inputting the scores.
Segal et al. (US 2015/0358343 A1) teaches detecting and classifying malicious agents on a computer network.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHENG-FENG HUANG whose telephone number is (571)272-6186. The examiner can normally be reached Monday-Friday: 9 am - 5 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni A Shiferaw can be reached on (571) 272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For 





/CHENG-FENG HUANG/Primary Examiner, Art Unit 2497