Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Detailed Action
This office action is responsive to communication filed on 09/22/2021. Claims 1-8, 10-18 and 20-22 have been examined.
Response to Arguments
Regarding 35 U.S.C. 103(a), applicant's arguments, see pages 12-24 (all), filed September 22, 2021, with respect to claims 1-8, 10-18 and 20-22 have been fully considered.
Regarding the 35 U.S.C. 112(b) rejection of claim 20 applicant submits the Office Action is taking a much too narrow view on what constitutes an algorithm for purposes of complying with the requirements of 35 USC 112(b).
In response to applicant's argument, the examiner respectfully disagrees with the argument above. The examiner could not find full support as to how the means + function is implemented. The "black boxes" of this invention do not fully explain how the means + function is implemented. The cited paragraphs and figures in the applicant's argument do not provide full support as to how the means + function is implemented. The 35 U.S.C. 112(b) rejection of claim 20 is maintained.
Regarding claims 1, 11 and 20, the applicant's first argument is that the cited references do not disclose measuring an entropy and a rate of change of information in the database.
In response to applicant's argument, the argument is persuasive and a new ground of rejection is presented in view of Chen (US20190317728A1).
Regarding claims 1, 11 and 20, the applicant's second argument is that the cited references do not disclose calculating a reliability score of the security policy.
In response to applicant's argument, the examiner respectfully disagrees with the argument above. Yampolskiy, par0080, 0085 teaches when the scorecard system 200 has been activated to calculate an entity's cybersecurity risk, as part of the processing of the entity's calculated security scores to calculate the overall cybersecurity risk score for the entity, … the scorecard system 200 may calculate a confidence level while performing benchmarking 230 to provide a level of reliability for the overall cybersecurity risk score calculated for an entity.
Regarding claims 1, 11 and 20, the applicant's third argument is that the cited references do not disclose producing a recommendation for the security policy.
In response to applicant's argument, the examiner respectfully disagrees with the argument above. Yampolskiy, par0087 and par0096 teaches after the scorecard system 200 has calculated an overall cybersecurity risk score for an entity, the scorecard system 200 may generate an output through which the results can be presented. For example, FIGS. 7-11 illustrate different outputting embodiments through which the results of the scorecard system's analysis of an entity's cybersecurity risk can be displayed. The outputs may provide a summary of the entity's cybersecurity posture as well as provide recommendations and guidance to improve its cybersecurity posture. For example, the scorecard system 200 may transmit the calculated cybersecurity risk score and an identification of one or more objectives to complete to improve the entity's cybersecurity risk score … in one embodiment, the scorecard system 200 may send the business partner a one-time URL through which the business partner may login to the scorecard system and access its score and view its recommended action items to improve its score. Allowing access to both a business and a business partner may allow them to collaborate 

Claim Rejections - 35 USC § 112
The following is a quotation of the second paragraph of 35 U.S.C. 112:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention. 

          The 35 U.S.C. 112(b) rejection of claim 20 is maintained. The applicant correctly pointed out that there is support for claimed features in the specification and that "means for" can be expressed in terms of formulas, algorithms, etc. The examiner, however, could not find full support as to how the means + function is implemented. The "black boxes" of this invention do not fully explain how the means + function is implemented. The cited paragraphs and figures in the applicant's argument do not provide full support as to how the means + function is implemented.
          Claim 20 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant regards as the invention.
Claim element, A system for managing security in a cloud computing environment, the system comprising: "means for gathering data about workloads and applications of the cloud computing environment", "means for updating a graph database using the data", "means for receiving a security template", "means for creating a security policy using the security template 
The specification discloses minimal information about the structure corresponding to the claim terms. Accordingly, the failure to disclose a structure corresponding to the "means for gathering data about workloads and applications of the cloud computing environment", "means for updating a graph database using the data", "means for receiving a security template", "means for creating a security policy using the security template and information in the graph database", and "means for deploying the security policy in the cloud computing environment" renders the claim indefinite.
Applicant may:
(a) Amend the claim so that the claim limitation will no longer be interpreted as a limitation under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph;
(b) Amend the written description of the specification such that it expressly recites what structure, material, or acts perform the entire claimed function, without introducing any new matter (35 U.S.C. 132(a)); or

If applicant is of the opinion that the written description of the specification already implicitly or inherently discloses the corresponding structure, material, or acts and clearly links them to the function so that one of ordinary skill in the art would recognize what structure, material, or acts perform the claimed function, applicant should clarify the record by either: 
(a) Amending the written description of the specification such that it expressly recites the corresponding structure, material, or acts for performing the claimed function and clearly links or associates the structure, material, or acts to the claimed function, without introducing any new matter (35 U.S.C. 132(a)); or
(b) Stating on the record what the corresponding structure, material, or acts, which are implicitly or inherently set forth in the written description of the specification, perform the claimed function. For more information, see 37 CFR 1.75(d) and MPEP §§ 608.01(o) and 2181.
Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1, 3-7, 11, 13-17, and 20-22 are rejected under 35 U.S.C. 103 as being unpatentable over Ashley et al. (US20160234250A1) hereinafter Ashley in view of Vajipayajula et al. (US20190394225A1) hereinafter Vajipayajula further in view of Martinez et al. (US20120185913A1) hereinafter Martinez, and further in view of Yampolskiy et al. (US20160173521A1) hereinafter Yampolskiy, and further in view of Chen et al. (US20190317728A1) hereinafter Chen.
As per claim 1. A computer-implemented method for managing security in a cloud computing environment, the method comprising: (Ashley, par0020 teaches with reference now to FIG. 1, the present invention provides a system and method for creating security policy templates or re-usable policy building blocks that can be deployed with matching workloads in cloud and virtualized environments).
gathering data about workloads and applications in the cloud computing environment; (Ashley, par0029, 0033 teaches receiving a Workload Definition Document (WDD) that defines an intended workload deployment. In step 104, the WDD is parsed, so that, in step 106, the workload type and attributes and other configuration data can be extracted….the intended workload 202 in FIG. 2, it is noted that the term ERP stands for Enterprise Resource Planning, a business management software, and usually a suite of integrated applications, that a company can use to collect, store, manage and interpret data).
where the workloads are serviced in the cloud computing environment, (Ashley, par0081 teaches workloads layer 940 provides examples of functionality for which the cloud computing environment may be utilized. Examples of workloads and functions which may be provided from this layer include any number of functions and applications).
utilizing nodes and relationships between the workloads as edges to represent the state of the cloud computing environment; (Ashley, par0066-0068 teaches at the heart of cloud computing is an infrastructure comprising a network of interconnected nodes. Referring now to FIG. 7, a schematic 700 of an example of a cloud computing node is shown. Cloud computing node 700 is only one example of a suitable cloud computing node and is not intended to suggest any limitation as to the scope of use or functionality of embodiments of the invention described herein).
receiving a security template, (Ashley, par0040 teaches providing a library of security templates for network appliance (e.g., XGS). These security templates have been previously prepared by an expert familiar with different security requirements of different types of possible workloads….WDD to select the proper security policy templates, from the security template library, and then fills in proper variable values into the template, as available from the parsed WDD and other inputs).
creating a security policy, using the security template and (Ashley, par0042 teaches the XGS security policy deployment tool is invoked, which in turn searches the library of security templates for the name of the requested security template and retrieves the actual templates, which in the present invention are exemplarily XML type of documents. The security policy deployment tool parses the XML policy template documents and replaces variables 318 found in those documents with concrete values that were passed to the deployment tool as part of its invocation. It then instantiates the filtering rules and as part of that may create filtering rules that serve as headers for sections 316 of filtering rules).
deploying the security policy in the cloud computing environment. (Ashley, par0045-0046 teaches once the security appliance is deployed, it is necessary to chain this appliance into the network traffic flow so that the traffic can be monitored by the security appliance. FIG. 2 shows a sample service chain 204 having various security appliances. After the security appliance, say an IPS, is deployed and configured as described above, it needs to be chained in the network as shown in the picture. To do this, the Cloud management infrastructure needs to configure the network).
          Ashley does not explicitly disclose utilizing a graph database, updating this graph database using workload data, or having logic to extract information from the graph database for identifying workload targets.
          Vajipayajula however discloses utilization of a graph database, and updating this graph database using workload data. (Vajipayajula, par0024 teaches local knowledge graph database servers 104 and 106 each ingest a different type of data security information from a different data security information source,…Master knowledge graph database server 108 hosts a master data security risk knowledge graph that contains information corresponding to the uploaded local data security risk knowledge subgraphs).
Having logic to extract information from the graph database for identifying workload targets (Vajipayajula, par0080 teaches the master knowledge graph database server may be, for example, master knowledge graph database server 108 in FIG. 1. The master knowledge graph database server uses the master knowledge graph to determine whether an event is associated with one of a known malicious action or a suspected malicious action during security incident [workload targets] analysis (step 708)).
          Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to provide the functionality of utilizing a graph database, updating this graph database using workload data, and having logic to extract information from the graph database for identifying workload targets, as taught by Vajipayajula in the method of Ashley, because the defined parameters of structured data make it some of the easiest data to organize and analyze, and businesses and organizations rely on the ability to quickly access this information, see Vajipayajula par0002.
          Ashley and Vajipayajula do not explicitly disclose identifying workload targets for a security policy and how to protect the workload targets, through a real-time computation. 
          Martinez however discloses identifying workload targets for a security policy and how to protect the workload targets, through a real-time computation. (Martinez, par0023, 0030, 0035 teaches applying a security policy to the security zone such that, when the cloud-computing resource deployed in the virtual private cloud that is used to perform the computer workload, the cloud-computing resource's operation or the performance or operation of the computer workload is subject to, the security policy…the system and method may allow a developer to define a security zone and to apply at least one type of security policy… The security policy may be an access policy, a write-permission policy, a resource utilization policy, an editing permission policy, and the like. The security policy may determine whether a software workload is allowed to operate in a specified security zone…based on a computer workload score determined by a scoring logic. The scoring logic may be, for example, based on …may be dynamically updated at or near real-time).
          Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to provide the functionality of identifying workload targets for a security policy and how to protect the workload targets, through a real-time computation, as taught by Martinez in the method of Ashley and Vajipayajula, because managed service providers offer a cloud computing outsourcing option that promises reduced costs, improved availability, improved scalability, and reduced time to deploy new applications, see Martinez par0002.
          Ashley, Vajipayajula and Martinez do not explicitly disclose calculating a reliability score of a security policy; and producing a recommendation for the security policy. 
          Yampolskiy however discloses calculating a reliability score of a security policy (Yampolskiy, par0080, 0085 teaches the entity's calculated security scores to calculate the overall cybersecurity risk score for the entity, … the scorecard system 200 may calculate a confidence level while performing benchmarking 230 to provide a level of reliability for the overall cybersecurity risk score calculated [calculating a reliability score of the security policy] for an entity).
producing a recommendation for the security policy (Yampolskiy, par0087 teaches the results of the scorecard system's analysis of an entity's cybersecurity risk can be displayed. The outputs may provide a summary of the entity's cybersecurity posture as well as provide recommendations and guidance [producing a recommendation for the security policy] to improve its cybersecurity posture).
          Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to provide the functionality of calculating a reliability score of a security policy and producing a recommendation for the security policy, as taught by Yampolskiy in the method of Ashley, Vajipayajula and Martinez, because, based on a cybersecurity risk assessment, an entity can make meaningful decisions to improve its cybersecurity performance, reducing the likelihood of experiencing a security breach, suffering from client loss, reputation loss, and exposure to liability, see Yampolskiy par0004.
          Ashley, Vajipayajula, Martinez and Yampolskiy do not explicitly disclose measuring an entropy and a rate of change of information in a database. 
          Chen however discloses measuring an entropy and a rate of change of information in a database (Chen, par0044-0046, and 0093 teaches … the entropy data can be, for example, a measure of an amount of uncertainty in data included in the graph data 112. … a measure of an average amount of data contained in the second graph-structured dataset. Furthermore, the second entropy measure can be, for example, a measure of an amount of uncertainty in data included in the second graph-structured dataset. In an aspect, the information component 104 can calculate an average amount of data contained in the graph data 112. For example, the information component 104 can calculate an average amount of data contained in the first graph-structured dataset … the similarity component 106 can determine similarity between [rate of change of information] the first graph-structured dataset and the second graph-structured dataset based on a graph similarity computation associated with the first entropy measure and the second entropy measure).
(Chen, par0043-0044 teaches … a graph database system. The graph similarity analytics component 102 (e.g., the information component 104 of the graph similarity analytics component 102) can receive graph data 112. The graph data 112 can be indicative of information associated with data elements that compose one or more graphs).
          Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to provide the functionality of measuring an entropy and a rate of change of information in the database, as taught by Chen in the method of Ashley, Vajipayajula, Martinez and Yampolskiy, because cloud systems can automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service; resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service, see Chen par0029.

As per claim 3. Ashley, Vajipayajula, Martinez, Yampolskiy and Chen disclose the computer-implemented method of claim 1.
          Ashley further discloses wherein at least one of the security template and the security policy is one or more of a JavaScript Object Notation document, Jinja document, Jinja2 document, YAML Ain't Markup Language document, and Open Policy Agent rule. (Ashley, par0038 teaches the parsing of the JSON (JavaScript Object Notation) document triggers the invocation of a security policy deployment tool 224 of the present invention, which in turn accesses a database of policy templates and builds or composes the workload specific security template based on the workload type, requirements found in the WDD, and other attributes).

As per claim 4. Ashley, Vajipayajula, Martinez, Yampolskiy and Chen disclose the computer-implemented method of claim 1.
          Ashley further discloses wherein the creating the security policy includes: identifying the targets in the cloud computing environment in the graph database using labels associated with the security template. (Ashley, par0042 teaches the retrieval of the security policy template can be achieved by using a tool written for this purpose. To realize step 316, the XGS security policy deployment tool is invoked, which in turn searches the library of security templates for the name/label of the requested security template and retrieves the actual templates, which in the present invention are exemplarily XML type of documents. The security policy deployment tool parses the XML policy template documents and replaces variables 318 found in those documents with concrete values that were passed to the deployment tool as part of its invocation).

As per claim 5. Ashley, Vajipayajula, Martinez, Yampolskiy and Chen disclose the computer-implemented method of claim 1.
          Ashley further discloses wherein the deploying is performed by a cloud driver using a topology and inventory of the cloud computing environment, the cloud driver communicating with the cloud computing environment using an application programming interface of the cloud computing environment. (Ashley, par0032-0034 teaches Heat implements an orchestration engine that can launch multiple composite cloud applications based on templates that are written in the form of text files and can be treated like code. A Heat template describes the infrastructure for a cloud application in a text file that is readable and writable by humans. Infrastructure resources that can be described include virtual machines, floating IP addresses, storage volumes, security groups for low-level filtering of network traffic that can reach VMs, network and subnet configurations, etc. Templates can also specify the relationships between resources, e.g. a specific storage volume is connected to a particular virtual machine. The detailed description of the intended cloud application configuration enables Heat to invoke the OpenStack APIs to create all of the intended infrastructure, including virtual machines, in the correct order and to completely launch an application 204. OpenStack Neutron/Quantum 214 is a cloud networking controller and a networking-as-a-service project within the OpenStack cloud computing initiative. Neutron includes a set of application program interfaces (APIs), plug-ins and authentication/authorization control software that enable interoperability and orchestration of network devices and technologies within infrastructure-as-a-service (IaaS) environments).

As per claim 6. Ashley, Vajipayajula, Martinez, Yampolskiy and Chen disclose the computer-implemented method of claim 1.
          Ashley further discloses wherein the cloud computing environment is hosted by a plurality of different cloud services, the different cloud services being at least one of a public cloud, private cloud, and on-premise data center. (Ashley, par0054, 0062-0064 teaches there is a sense of location independence in that the consumer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Private cloud: the cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on-premises or off-premises. Public cloud: the cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services).

As per claim 7. Ashley, Vajipayajula, Martinez, Yampolskiy and Chen disclose the computer-implemented method of claim 1.
          Ashley further discloses clustering some of the workloads, the some of the workloads having a similar set of relationships; and (Ashley, par0038 teaches the parsing of the JSON document triggers the invocation of a security policy deployment tool 224 of the present invention, which in turn accesses a database of policy templates and builds or composes the workload specific security template based on the workload type, requirements found in the WDD, and other attributes. The Heat Plug-in 220 works with the cloud management infrastructure (e.g. OpenStack) to deploy the virtual security appliance 222 and populates parameters of the workload and the policy template, like, for example, IP addresses that OpenStack develops as it instantiates the components of the intended virtual configuration 204).
placing others of the workloads into the communities, the others of the workloads collectively performing an application. (Ashley, par0040 teaches these security templates have been previously prepared by an expert familiar with different security requirements of different types of possible workloads. The tool system of the present invention includes a network appliance plug-in (e.g., XGS Heat Plug-in) that interfaces with an API of a conventional virtual configuration orchestration/management tool (e.g., Heat). If invoked by the user, the network appliance plug-in automatically uses results of the parsed WDD to select the proper security policy templates, from the security template library, and then fills in proper variable values into the template, as available from the parsed WDD and other inputs, such as IP addresses from the orchestration/management tool (e.g., Heat). The present invention thereby provides a mechanism to permit a user to define a conventional workload definition document for a conventional virtual configuration orchestration/management tool, with the security settings for any network appliance in the intended workload being automatically set by the tool of the present invention, based on variables identified by the user in the conventional workload definition document).
          Ashley does not explicitly disclose further comprising: displaying a visual representation of information in the graph database to a user.
          Vajipayajula however discloses further comprising: displaying a visual representation of information in the graph database to a user. (Vajipayajula, par0068 teaches illustrative embodiments traverse the master knowledge graph database starting from an observable finding the malicious node or nodes and edges directly or indirectly (e.g., multiple hops) connected. For example, starting from a URL node, the traversal finds domain names attached to the URL and the DNS resolution (i.e., IP address) for that domain. Then, if the IP address has a malicious reputation (e.g., command and control (CnC) server), illustrative embodiments return the malicious nodes and edges as a sub-graph. At the end of the security analysis, illustrative embodiments may display to a security analyst all malicious relationships and possible malware campaigns associated with the relationships.).
          Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to provide the functionality of displaying a visual representation of information in the graph database to a user, as taught by Vajipayajula in the method of Ashley, because the defined parameters of structured data make it some of the easiest data to organize and analyze, and businesses and organizations rely on the ability to quickly access this information, see Vajipayajula par0002.

As per claim 11. A system for managing security in a cloud computing environment, the system comprising: (Ashley, par0020 teaches with reference now to FIG. 1, the present invention provides a system and method for creating security policy templates or re-usable policy building blocks that can be deployed with matching workloads in cloud and virtualized environments).
a processor; and a memory communicatively coupled to the processor, the memory storing instructions executable by the processor to perform a method comprising: (Ashley, par0070-0073 teaches as shown in FIG. 7, computer system/server 712 in cloud computing node 700 … one or more processors or processing units 716, a system memory 728,…memory 728 may include at least one program product having a set (e.g., at least one) of program modules that are configured to carry out the functions of embodiments of the invention).
gathering data about workloads and applications of the cloud computing environment; (Ashley, par0029, 0033 teaches receiving a Workload Definition Document (WDD) that defines an intended workload deployment. In step 104, the WDD is parsed, so that, in step 106, the workload type and attributes and other configuration data can be extracted….the intended workload 202 in FIG. 2, it is noted that the term ERP stands for Enterprise Resource Planning, a business management software, and usually a suite of integrated applications, that a company can use to collect, store, manage and interpret data).
where the workloads are serviced in the cloud computing environment, (Ashley, par0081 teaches workloads layer 940 provides examples of functionality for which the cloud computing environment may be utilized. Examples of workloads and functions which may be provided from this layer include any number of functions and applications).
utilizing nodes and relationships between the workloads as edges to represent the state of the cloud computing environment; (Ashley, par0066-0068 teaches at the heart of cloud computing is an infrastructure comprising a network of interconnected nodes. Referring now to FIG. 7, a schematic 700 of an example of a cloud computing node is shown. Cloud computing node 700 is only one example of a suitable cloud computing node and is not intended to suggest any limitation as to the scope of use or functionality of embodiments of the invention described herein).
receiving a security template (Ashley, par0040 teaches providing a library of security templates for network appliance (e.g., XGS). These security templates have been previously prepared by an expert familiar with different security requirements of different types of possible workloads….WDD to select the proper security policy templates, from the security template library, and then fills in proper variable values into the template, as available from the parsed WDD and other inputs).
creating a security policy, using the security template and (Ashley, par0042 teaches the XGS security policy deployment tool is invoked, which in turn searches the library of security templates for the name of the requested security template and retrieves the actual templates, which in the present invention are exemplarily XML type of documents. The security policy deployment tool parses the XML policy template documents and replaces variables 318 found in those documents with concrete values that were passed to the deployment tool as part of its invocation. It then instantiates the filtering rules and as part of that may create filtering rules that serve as headers for sections 316 of filtering rules).
deploying the security policy in the cloud computing environment. (Ashley, par0045-0046 teaches once the security appliance is deployed, it is necessary to chain this appliance into the network traffic flow so that the traffic can be monitored by the security appliance. FIG. 2 shows a sample service chain 204 having various security appliances. After the security appliance, say an IPS, is deployed and configured as described above, it needs to be chained in the network as shown in the picture. To do this, the Cloud management infrastructure needs to configure the network).
          Ashley does not explicitly disclose utilization of a graph database, updating this graph database using workload data, and having logic to extract information from the graph database for identifying workload targets. 
          Vajipayajula however discloses utilization of a graph database, and updating this graph database using workload data (Vajipayajula, par0024 teaches local knowledge graph database servers 104 and 106 each ingest a different type of data security information from a different data security information source,…Master knowledge graph database server 108 hosts a master data security risk knowledge graph that contains information corresponding to the uploaded local data security risk knowledge subgraphs).
and having logic to extract information from the graph database for identifying workload targets (Vajipayajula, par0080 teaches the master knowledge graph database server may be, for example, master knowledge graph database server 108 in FIG. 1. The master knowledge graph database server uses the master knowledge graph to determine whether an event is associated with one of a known malicious action or a suspected malicious action during security incident [workload targets] analysis (step 708)).
          Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to provide the functionality of utilization of a graph database, updating this graph database using workload data, and having logic to extract information from the graph database for identifying workload targets, as taught by Vajipayajula in the system of Ashley, so defined parameters of structured data make structured data some of the easiest data to organize and analyze, and businesses and organizations rely on the ability to quickly access this information, see Vajipayajula par0002.
          Ashley and Vajipayajula do not explicitly disclose identifying workload targets for a security policy and how to protect the workload targets, through a real-time computation. 
          Martinez however discloses identifying workload targets for a security policy and how to protect the workload targets, through a real-time computation. (Martinez, par0023, 0030, 0035 teaches applying a security policy to the security zone such that, when the cloud-computing resource deployed in the virtual private cloud that is used to perform the computer workload, the cloud-computing resource's operation or the performance or operation of the computer workload is subject to, the security policy…the system and method may allow a developer to define a security zone and to apply at least one type of security policy… The security policy may be an access policy, a write-permission policy, a resource utilization policy, an editing permission policy, and the like. The security policy may determine whether a software workload is allowed to operate in a specified security zone…based on a computer workload score determined by a scoring logic. The scoring logic may be, for example, based on …may be dynamically updated at or near real-time).
          Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to provide the functionality of identifying workload targets for a security policy and how to protect the workload targets, through a real-time computation, as taught by Martinez in the system of Ashley and Vajipayajula, so managed service providers can offer a cloud computing outsourcing option that promises reduced costs, improved availability, improved scalability, and reduced time to deploy new applications, see Martinez par0002.

          Ashley, Vajipayajula and Martinez do not explicitly disclose calculating a reliability score of the security policy; and producing a recommendation for the security policy. 
          Yampolskiy however discloses calculating a reliability score of the security policy; and (Yampolskiy, par0080, 0085 teaches the entity's calculated security scores to calculate the overall cybersecurity risk score for the entity,….. the scorecard system 200 may calculate a confidence level while performing benchmarking 230 to provide a level of reliability for the overall cybersecurity risk score calculated [calculating a reliability score of the security policy] for an entity).
producing a recommendation for the security policy. (Yampolskiy, par0087 teaches the results of the scorecard system's analysis of an entity's cybersecurity risk can be displayed. The outputs may provide a summary of the entity's cybersecurity posture as well as provide recommendations and guidance [producing a recommendation for the security policy] to improve its cybersecurity posture).
          Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to provide the functionality of calculating a reliability score of the security policy; and producing a recommendation for the security policy, as taught by Yampolskiy in the system of Ashley, Vajipayajula and Martinez, so based on cybersecurity risk assessment an entity can make meaningful decisions to improve its cybersecurity performance, reducing the likelihood of experiencing a security breach, suffering from client loss, reputation loss, and exposure to liability, see Yampolskiy par0004.
          Ashley, Vajipayajula, Martinez and Yampolskiy do not explicitly disclose measuring an entropy and a rate of change of information in the database. 
          Chen however discloses measuring an entropy and a rate of change of information in the database (Chen, par0044-0046, and 0093 teaches .. the entropy data can be, for example, a measure of an amount of uncertainty in data included in the graph data 112. …a measure of an average amount of data contained in the second graph-structured dataset. Furthermore, the second entropy measure can be, for example, a measure of an amount of uncertainty in data included in the second graph-structured dataset. In an aspect, the information component 104 can calculate an average amount of data contained in the graph data 112. For example, the information component 104 can calculate an average amount of data contained in the first graph-structured dataset….the similarity component 106 can determine similarity between [rate of change of information] the first graph-structured dataset and the second graph-structured dataset based on a graph similarity computation associated with the first entropy measure and the second entropy measure.).
information in the database.  (Chen, par0043-0044 teaches … a graph database system. The graph similarity analytics component 102 (e.g., the information component 104 of the graph similarity analytics component 102) can receive graph data 112. The graph data 112 can be indicative of information associated with data elements that compose one or more graphs).
          Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to provide the functionality of measuring an entropy and a rate of change of information in the database, as taught by Chen in the system of Ashley, Vajipayajula, Martinez and Yampolskiy, so cloud systems can automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service, resource usage can be monitored, controlled, and reported, 

As per claim 13. Ashley, Vajipayajula, Martinez, Yampolskiy and Chen disclose the system of claim 11.
          Ashley further discloses wherein at least one of the security template and the security policy is one or more of a JavaScript Object Notation document, Jinja document, Jinja2 document, YAML Ain't Markup Language document, and Open Policy Agent rule. (Ashley, par0038 teaches the parsing of the JSON (JavaScript Object Notation) document triggers the invocation of a security policy deployment tool 224 of the present invention, which in turn accesses a database of policy templates and builds or composes the workload specific security template based on the workload type, requirements found in the WDD, and other attributes).

As per claim 14. Ashley, Vajipayajula, Martinez, Yampolskiy and Chen disclose the system of claim 11.
          Ashley further discloses wherein the creating the security policy includes: identifying the targets in the cloud computing environment in the graph database using labels associated with the security template. (Ashley, par0042 teaches the retrieval of the security policy template can be achieved by using a tool written for this purpose. To realize step 316, the XGS security policy deployment tool is invoked, which in turn searches the library of security templates for the name/label of the requested security template and retrieves the actual templates, which in the present invention are exemplarily XML type of documents. The security policy deployment tool parses the XML policy template documents and replaces variables 318 found in those documents with concrete values that were passed to the deployment tool as part of its invocation).

As per claim 15. Ashley, Vajipayajula, Martinez, Yampolskiy and Chen disclose the system of claim 11.
          Ashley further discloses wherein the deploying is performed by a cloud driver using a topology and inventory of the cloud computing environment, the cloud driver communicating with the cloud computing environment using an application programming interface of the cloud computing environment. (Ashley, par0032-0034 teaches Heat implements an orchestration engine that can launch multiple composite cloud applications based on templates that are written in the form of text files and can be treated like code. A Heat template describes the infrastructure for a cloud application in a text file that is readable and writable by humans. Infrastructure resources that can be described include virtual machines, floating IP addresses, storage volumes, security groups for low-level filtering of network traffic that can reach VMs, network and subnet configurations, etc. Templates can also specify the relationships between resources, e.g. a specific storage volume is connected to a particular virtual machine. The detailed description of the intended cloud application configuration enables Heat to invoke the OpenStack APIs to create all of the intended infrastructure, including virtual machines, in the correct order and to completely launch an application 204. OpenStack Neutron/Quantum 214 is a cloud networking controller and a networking-as-a-service project within the OpenStack cloud computing initiative. Neutron includes a set of application program interfaces (APIs), plug-ins and authentication/authorization control software that enable interoperability and orchestration of network devices and technologies within infrastructure-as-a-service (IaaS) environments).

As per claim 16. Ashley, Vajipayajula, Martinez, Yampolskiy and Chen disclose the system of claim 11.
          Ashley further discloses wherein the cloud computing environment is hosted by a plurality of different cloud services, the different cloud services being at least one of a public cloud, private cloud, and on-premise data center. (Ashley, par0054, 0062-0064 teaches there is a sense of location independence in that the consumer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Private cloud: the cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on-premises or off-premises. Public cloud: the cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services).

As per claim 17. Ashley, Vajipayajula, Martinez, Yampolskiy and Chen disclose the system of claim 11.
          Ashley further discloses clustering some of the workloads, the some of the workloads having a similar set of relationships; and (Ashley, par0038 teaches the parsing of the JSON document triggers the invocation of a security policy deployment tool 224 of the present invention, which in turn accesses a database of policy templates and builds or composes the workload specific security template based on the workload type, requirements found in the WDD, and other attributes. The Heat Plug-in 220 works with the cloud management infrastructure (e.g. OpenStack) to deploy the virtual security appliance 222 and populates parameters of the workload and the policy template, like, for example, IP addresses that OpenStack develops as it instantiates the components of the intended virtual configuration 204).
placing others of the workloads into the communities, the others of the workloads collectively performing an application. (Ashley, par0040 teaches these security templates have been previously prepared by an expert familiar with different security requirements of different types of possible workloads. The tool system of the present invention includes a network appliance plug-in (e.g., XGS Heat Plug-in) that interfaces with an API of a conventional virtual configuration orchestration/management tool (e.g., Heat). If invoked by the user, the network appliance plug-in automatically uses results of the parsed WDD to select the proper security policy templates, from the security template library, and then fills in proper variable values into the template, as available from the parsed WDD and other inputs, such as IP addresses from the orchestration/management tool (e.g., Heat). The present invention thereby provides a mechanism to permit a user to define a conventional workload definition document for a conventional virtual configuration orchestration/management tool, with the security settings for any network appliance in the intended workload being automatically set by the tool of the present invention, based on variables identified by the user in the conventional workload definition document).
          Ashley does not explicitly disclose further comprising: displaying a visual representation of information in the graph database to a user. 
          Vajipayajula however discloses displaying a visual representation of information in the graph database to a user (Vajipayajula, par0068 teaches illustrative embodiments traverse the master knowledge graph database starting from an observable finding the malicious node or nodes and edges directly or indirectly (e.g., multiple hops) connected. For example, starting from a URL node, the traversal finds domain names attached to the URL and the DNS resolution (i.e., IP address) for that domain. Then, if the IP address has a malicious reputation (e.g., command and control (CnC) server), illustrative embodiments return the malicious nodes and edges as a sub-graph. At the end of the security analysis, illustrative embodiments may display to a security analyst all malicious relationships and possible malware campaigns associated with the relationships.).
          Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to provide the functionality of displaying a visual representation of information in the graph database to a user, as taught by Vajipayajula in the system of Ashley, so defined parameters of structured data make structured data some of the easiest data to organize and analyze, and businesses and organizations rely on the ability to quickly access this information, see Vajipayajula par0002.

As per claim 20. A system for managing security in a cloud computing environment, the system comprising: (Ashley, par0020 teaches with reference now to FIG. 1, the present invention provides a system and method for creating security policy templates or re-usable policy building blocks that can be deployed with matching workloads in cloud and virtualized environments).
means for gathering data about workloads and applications of the cloud computing environment; (Ashley, par0029, 0033 teaches receiving a Workload Definition Document (WDD) that defines an intended workload deployment. In step 104, the WDD is parsed, so that, in step 106, the workload type and attributes and other configuration data can be extracted….the intended workload 202 in FIG. 2, it is noted that the term ERP stands for Enterprise Resource Planning, a business management software, and usually a suite of integrated applications, that a company can use to collect, store, manage and interpret data).
(Ashley, par0081 teaches workloads layer 940 provides examples of functionality for which the cloud computing environment may be utilized. Examples of workloads and functions which may be provided from this layer include any number of functions and applications).
utilizing nodes and relationships between the workloads as edges to represent the state of the cloud computing environment; (Ashley, par0066-0068 teaches at the heart of cloud computing is an infrastructure comprising a network of interconnected nodes. Referring now to FIG. 7, a schematic 700 of an example of a cloud computing node is shown. Cloud computing node 700 is only one example of a suitable cloud computing node and is not intended to suggest any limitation as to the scope of use or functionality of embodiments of the invention described herein).
means for receiving a security template, and means for creating the security policy using the security template  (Ashley, par0040, par0042 teaches providing a library of security templates for network appliance (e.g., XGS). These security templates have been previously prepared by an expert familiar with different security requirements of different types of possible workloads….WDD to select the proper security policy templates, from the security template library, and then fills in proper variable values into the template, as available from the parsed WDD and other inputs… the XGS security policy deployment tool is invoked, which in turn searches the library of security templates for the name of the requested security template and retrieves the actual templates, which in the present invention are exemplarily XML type of documents. The security policy deployment tool parses the XML policy template documents and replaces variables 318 found in those documents with concrete values that were passed to the deployment tool as part of its invocation. It then instantiates the filtering rules and as part of that may create filtering rules that serve as headers for sections 316 of filtering rules).
means for deploying the security policy in the cloud computing environment. (Ashley, par0045-0046 teaches once the security appliance is deployed, it is necessary to chain this appliance into the network traffic flow so that the traffic can be monitored by the security appliance. FIG. 2 shows a sample service chain 204 having various security appliances. After the security appliance, say an IPS, is deployed and configured as described above, it needs to be chained in the network as shown in the picture. To do this, the Cloud management infrastructure needs to configure the network).
          Ashley does not explicitly disclose means for utilization of a graph database, updating this graph database using workload data, and having logic to extract information from the graph database for identifying workload targets. 
          Vajipayajula however discloses means for utilization of a graph database, and updating this graph database using workload data (Vajipayajula, par0024 teaches local knowledge graph database servers 104 and 106 each ingest a different type of data security information from a different data security information source,…Master knowledge graph database server 108 hosts a master data security risk knowledge graph that contains information corresponding to the uploaded local data security risk knowledge subgraphs).
and having logic to extract information from the graph database for identifying workload targets (Vajipayajula, par0080 teaches the master knowledge graph database server may be, for example, master knowledge graph database server 108 in FIG. 1. The master knowledge graph database server uses the master knowledge graph to determine whether an event is associated with one of a known malicious action or a suspected malicious action during security incident [workload targets] analysis (step 708)).
          Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to provide the functionality of means for utilization of a graph database, updating this graph database using workload data, and having logic to extract information from the graph database for identifying workload targets, as taught by Vajipayajula in the system of Ashley, so defined parameters of structured data make structured data some of the easiest data to organize and analyze, and businesses and organizations rely on the ability to quickly access this information, see Vajipayajula par0002.
          Ashley and Vajipayajula do not explicitly disclose identifying workload targets for a security policy and how to protect the workload targets, through a real-time computation. 
          Martinez however discloses identifying workload targets for a security policy and how to protect the workload targets, through a real-time computation. (Martinez, par0023, 0030, 0035 teaches applying a security policy to the security zone such that, when the cloud-computing resource deployed in the virtual private cloud that is used to perform the computer workload, the cloud-computing resource's operation or the performance or operation of the computer workload is subject to, the security policy…the system and method may allow a developer to define a security zone and to apply at least one type of security policy… The security policy may be an access policy, a write-permission policy, a resource utilization policy, an editing permission policy, and the like. The security policy may determine whether a software workload is allowed to operate in a specified security zone…based on a computer workload score determined by a scoring logic. The scoring logic may be, for example, based on …may be dynamically updated at or near real-time).
          Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to provide the functionality of identifying workload targets for a security policy and how to protect the workload targets, through a real-time computation, as taught by Martinez in the system of Ashley and Vajipayajula, so managed service providers can offer a cloud computing outsourcing option that promises reduced costs, improved availability, improved scalability, and reduced time to deploy new applications, see Martinez par0002.

          Ashley, Vajipayajula and Martinez do not explicitly disclose means for calculating a reliability score of the security policy; and means for producing a recommendation for the security policy. 
          Yampolskiy however discloses means for calculating a reliability score of the security policy (Yampolskiy, par0080, 0085 teaches the entity's calculated security scores to calculate the overall cybersecurity risk score for the entity,….. the scorecard system 200 may calculate a confidence level while performing benchmarking 230 to provide a level of reliability for the overall cybersecurity risk score calculated [calculating a reliability score of the security policy] for an entity).
means for producing a recommendation for the security policy (Yampolskiy, par0087 teaches the results of the scorecard system's analysis of an entity's cybersecurity risk can be displayed. The outputs may provide a summary of the entity's cybersecurity posture as well as provide recommendations and guidance [producing a recommendation for the security policy] to improve its cybersecurity posture).
          Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to provide the functionality of means for calculating a reliability score of the security policy; and means for producing a recommendation for the security policy, as taught by Yampolskiy in the system of Ashley, Vajipayajula and Martinez, so based on cybersecurity risk assessment an entity can make meaningful decisions to improve its cybersecurity performance, reducing the likelihood of experiencing a security breach, suffering from client loss, reputation loss, and exposure to liability, see Yampolskiy par0004.
          Ashley, Vajipayajula, Martinez and Yampolskiy do not explicitly disclose means for measuring an entropy and a rate of change of information in the database. 
          Chen however discloses means for measuring an entropy and a rate of change of information in the database.  (Chen, par0044-0046, and 0093 teaches .. the entropy data can be, for example, a measure of an amount of uncertainty in data included in the graph data 112. …a measure of an average amount of data contained in the second graph-structured dataset. Furthermore, the second entropy measure can be, for example, a measure of an amount of uncertainty in data included in the second graph-structured dataset. In an aspect, the information component 104 can calculate an average amount of data contained in the graph data 112. For example, the information component 104 can calculate an average amount of data contained in the first graph-structured dataset….the similarity component 106 can determine similarity between [rate of change of information] the first graph-structured dataset and the second graph-structured dataset based on a graph similarity computation associated with the first entropy measure and the second entropy measure.).
of the information in the database.  (Chen, par0043-0044 teaches … a graph database system. The graph similarity analytics component 102 (e.g., the information component 104 of the graph similarity analytics component 102) can receive graph data 112. The graph data 112 can be indicative of information associated with data elements that compose one or more graphs).


As per claim 21. Ashley, Vajipayajula, Martinez, Yampolskiy and Chen disclose the computer-implemented method of claim 1.
          Ashley further discloses the security policy. (Ashley, par0042 teaches the retrieval of the security policy template can be achieved by using a tool written for this purpose. To realize step 316, the XGS security policy deployment tool is invoked, which in turn searches the library of security templates for the name/label of the requested security template and retrieves the actual templates, which in the present invention are exemplarily XML type of documents. The security policy deployment tool parses the XML policy template documents and replaces variables 318 found in those documents with concrete values that were passed to the deployment tool as part of its invocation).
          Ashley does not explicitly disclose change of the information in the graph database. 
          Vajipayajula however discloses change of the information in the graph database (Vajipayajula, par0024 teaches local knowledge graph database servers 104 and 106 each ingest a different type of data security information from a different data security information source, generate local data security risk knowledge subgraphs using the ingested data security information, and bulk upload [change of information] the local data security risk knowledge subgraphs to master knowledge graph database server 108. Master knowledge graph database server 108 hosts a master data security risk knowledge graph that contains information corresponding to the uploaded local data security risk knowledge subgraphs. In addition, master knowledge graph database server 108 provides data security analytics services by traversing the master data security risk knowledge graph, determining malicious associations in the master data security risk knowledge graph during security incident analysis, and performing one or more action steps to mitigate determined malicious activity, events, or incidents).
          Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to provide the functionality of change of the information in the graph database, as taught by Vajipayajula in the method of Ashley, so defined parameters of structured data make structured data some of the easiest data to organize and analyze, and businesses and organizations rely on the ability to quickly access this information, see Vajipayajula par0002.
          Ashley, Vajipayajula and Martinez do not explicitly disclose wherein the recommendation for the security policy is applications and services are prevented from proper operation by the security policy. 
          Yampolskiy however discloses wherein the recommendation for the security policy (Yampolskiy, par0087 teaches after the scorecard system 200 has calculated an overall cybersecurity risk score for an entity, the scorecard system 200 may generate an output through which the results can be presented. For example, FIGS. 7-11 illustrate different outputting embodiments through which the results of the scorecard system's analysis of an entity's cybersecurity risk can be displayed. The outputs may provide a summary of the entity's cybersecurity posture as well as provide recommendations and guidance to improve its cybersecurity posture. For example, the scorecard system 200 may transmit the calculated cybersecurity risk score and an identification of one or more objectives to complete to improve the entity's cybersecurity risk score).
applications and services are prevented from proper operation (Yampolskiy, par0055, 0067 teaches information about application vulnerabilities is critical because, when applications are vulnerable, hackers may manipulate the application into performing unexpected and malicious activities, such as spreading malware, stealing sensitive entity database information, and hijacking user accounts. Information about application vulnerabilities can be collected by performing real-time monitoring of an entity's websites and web applications to detect the presence of common vulnerabilities. ….. the scorecard system 200 may utilize network attack honeypot technologies, in which automated network infrastructure honeypots are deployed in multiple locations with the goal of collecting, aggregating, and analyzing IP addresses that are engaged in active attacks against network services, such as SSH brute forcing. In addition, the scorecard system 200 may utilize web application honeypot technologies, in which automated web application honeypots are deployed in multiple locations with the goal of collecting, aggregating, and analyzing IP addresses that are engaged in active attacks against network services, such as SQL injection attempts.).
          Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to provide the functionality of wherein the recommendation for the security policy is applications and services are prevented from proper operation by the security policy, as taught by Yampolskiy in the system of Ashley, Vajipayajula and Martinez, so based on cybersecurity risk assessment an entity can make meaningful decisions to improve its cybersecurity performance, reducing the likelihood of experiencing a security breach, suffering from client loss, reputation loss, and exposure to liability, see Yampolskiy par0004.
          Ashley, Vajipayajula, Martinez and Yampolskiy do not explicitly disclose based on the entropy and the rate of change of the information in the graph database. 
          Chen however discloses based on the entropy and the rate of change of the information in the graph database.  (Chen, par0044-0046, and 0093 teaches the graph data 112 can include first information for a first data structure associated with a first network of nodes and connections, second information for a second data structure associated with a second network of nodes and connections, etc….. the entropy data can be, for example, a measure of an amount of uncertainty in data included in the graph data 112. In an embodiment, the information component 104 can generate a first entropy measure for a first graph-structured dataset, the information component 104 can generate a second entropy measure for a second graph-structured dataset, etc. For instance, the information component 104 can generate a first information index indicative of a first entropy measure for a first graph-structured dataset associated with the graph data 112, a second information index indicative of a second entropy measure for a second graph-structured dataset associated with the graph data 112, etc. The first entropy measure can be, for example, a measure of an average amount of data contained in the first graph-structured dataset. Furthermore, the first entropy measure can be, for example, a measure of an amount of uncertainty in data included in the first graph-structured dataset. In addition, the second entropy measure can be, for example, a measure of an average amount of data contained in the second graph-structured dataset. Furthermore, the second entropy measure can be, for example, a measure of an amount of uncertainty in data included in the second graph-structured dataset. In an aspect, the information component 104 can calculate an average amount of data contained in the graph data 112. 
For example, the information component 104 can calculate an average amount of data contained in the first graph-structured dataset….the similarity component 106 can determine similarity between the first graph-structured dataset and the second graph-structured dataset based on a graph similarity computation associated with the first entropy measure and the second entropy measure. For instance, the similarity component 106 can determine similarity between the first graph-structured dataset and the second graph-structured dataset based on a graph similarity computation associated with the first information index and the second information index. The graph similarity computation can determine, for example, an information distance between the first information index and the second information index…. Workloads layer 1290 provides examples of functionality for which the cloud computing environment may be utilized. Non-limiting examples of workloads and functions which may be provided from this layer include: mapping and navigation 1291; software development and lifecycle management 1292; virtual classroom education delivery 1293; data analytics processing 1294; transaction processing 1295; and graph similarity analytics software 1296).
of the information in the graph database.  (Chen, par0043-0044 teaches the graph similarity analytics component 102 can be in communication with a machine learning system and/or a graph database system. The graph similarity analytics component 102 (e.g., the information component 104 of the graph similarity analytics component 102) can receive graph data 112. The graph data 112 can be indicative of information associated with data elements that compose one or more graphs. A graph can be a data structure (e.g., a graph-structured dataset) that represents data as a network of nodes (e.g., vertices) where a relationship between the nodes can be represented as connections (e.g., edges). The graph data 112 can include information associated with one or more data structures associated with a network of nodes. Additionally, in certain embodiments, the graph data 112 can include metadata that provides attributes and/or properties for one or more data structures associated with a network of nodes. As such, the graph data 112 can be associated with data for a set of graph-structured datasets. In an aspect, the graph data 112 can include information for a set of graph-structured dataset associated with a machine learning system).
          Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to provide the functionality of based on the entropy and the rate of change of the information in the graph database, as taught by Chen in the method of Ashley, Vajipayajula, Martinez and Yampolskiy, so cloud systems can automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service, resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service, see Chen par0029.

As per claim 22. Ashley, Vajipayajula, Martinez, Yampolskiy and Chen disclose the system of claim 1.
          Ashley further disclose the security policy. (Ashley, par0042 teaches the retrieval of the security policy template can be achieved by using a tool written for this purpose. To realize step 316, the XGS security policy deployment tool is invoked, which in turn searches the library of security templates for the name/label of the requested security template and retrieves the actual templates, which in the present invention are exemplarily XML type of documents. The security policy deployment tool parses the XML policy template documents and replaces variables 318 found in those documents with concrete values that were passed to the deployment tool as part of its invocation).
          Ashley does not explicitly disclose change of the information in the graph database. 
          Vajipayajula however discloses change of the information in the graph database (Vajipayajula, par0024 teaches local knowledge graph database servers 104 and 106 each ingest a different type of data security information from a different data security information source, generate local data security risk knowledge subgraphs using the ingested data security information, and bulk upload [change of information] the local data security risk knowledge subgraphs to master knowledge graph database server 108. Master knowledge graph database server 108 hosts a master data security risk knowledge graph that contains information corresponding to the uploaded local data security risk knowledge subgraphs. In addition, master knowledge graph database server 108 provides data security analytics services by traversing the master data security risk knowledge graph, determining malicious associations in the master data security risk knowledge graph during security incident analysis, and performing one or more action steps to mitigate determined malicious activity, events, or incidents).
          Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to provide the functionality of change of the information in the graph database, as taught by Vajipayajula in the system of Ashley, so defined parameters of structured data make structured data some of the easiest data to organize and analyze, businesses and organizations rely on the ability to quickly access this information, see Vajipayajula par0002.

          Yampolskiy however discloses wherein the recommendation for the security policy (Yampolskiy, par0087 teaches after the scorecard system 200 has calculated an overall cybersecurity risk score for an entity, the scorecard system 200 may generate an output through which the results can be presented. For example, FIGS. 7-11 illustrate different outputting embodiments through which the results of the scorecard system's analysis of an entity's cybersecurity risk can be displayed. The outputs may provide a summary of the entity's cybersecurity posture as well as provide recommendations and guidance to improve its cybersecurity posture. For example, the scorecard system 200 may transmit the calculated cybersecurity risk score and an identification of one or more objectives to complete to improve the entity's cybersecurity risk score).
applications and services are prevented from proper operation (Yampolskiy, par0055, 0067 teaches information about application vulnerabilities is critical because, when applications are vulnerable, hackers may manipulate the application into performing unexpected and malicious activities, such as spreading malware, stealing sensitive entity database information, and hijacking user accounts. Information about application vulnerabilities can be collected by performing real-time monitoring of an entity's websites and web applications to detect the presence of common vulnerabilities. ….. the scorecard system 200 may utilize network attack honeypot technologies, in which automated network infrastructure honeypots are deployed in multiple locations with the goal of collecting, aggregating, and analyzing IP addresses that are engaged in active attacks against network services, such as SSH brute forcing. In addition, the scorecard system 200 may utilize web application honeypot technologies, in which automated web application honeypots are deployed in multiple locations with the goal of collecting, aggregating, and analyzing IP addresses that are engaged in active attacks against network services, such as SQL injection attempts.).
          Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to provide the functionality of wherein the recommendation for the security policy is applications and services are prevented from proper operation by the security policy, as taught by Yampolskiy in the system of Ashley, Vajipayajula and Martinez, so based on cybersecurity risk assessment an entity can make meaningful decisions to improve its cybersecurity performance, reducing the likelihood of experiencing a security breach, suffering from client loss, reputation loss, and exposure to liability, see Yampolskiy par0004.
          Ashley, Vajipayajula, Martinez and Yampolskiy do not explicitly disclose based on the entropy and the rate of change of the information in the graph database. 
          Chen however discloses based on the entropy and the rate of change of the information in the graph database.  (Chen, par0044-0046, and 0093 teaches the graph data 112 can include first information for a first data structure associated with a first network of nodes and connections, second information for a second data structure associated with a second network of nodes and connections, etc… the entropy data can be, for example, a measure of an amount of uncertainty in data included in the graph data 112. In an embodiment, the information component 104 can generate a first entropy measure for a first graph-structured dataset, the information component 104 can generate a second entropy measure for a second graph-structured dataset, etc. For instance, the information component 104 can generate a first information index indicative of a first entropy measure for a first graph-structured dataset associated with the graph data 112, a second information index indicative of a second entropy measure for a second graph-structured dataset associated with the graph data 112, etc. The first entropy measure can be, for example, a measure of an average amount of data contained in the first graph-structured dataset. Furthermore, the first entropy measure can be, for example, a measure of an amount of uncertainty in data included in the first graph-structured dataset. In addition, the second entropy measure can be, for example, a measure of an average amount of data contained in the second graph-structured dataset. Furthermore, the second entropy measure can be, for example, a measure of an amount of uncertainty in data included in the second graph-structured dataset. In an aspect, the information component 104 can calculate an average amount of data contained in the graph data 112. 
For example, the information component 104 can calculate an average amount of data contained in the first graph-structured dataset….the similarity component 106 can determine similarity between the first graph-structured dataset and the second graph-structured dataset based on a graph similarity computation associated with the first entropy measure and the second entropy measure. For instance, the similarity component 106 can determine similarity between the first graph-structured dataset and the second graph-structured dataset based on a graph similarity computation associated with the first information index and the second information index. The graph similarity computation can determine, for example, an information distance between the first information index and the second information index…. Workloads layer 1290 provides examples of functionality for which the cloud computing environment may be utilized. Non-limiting examples of workloads and functions which may be provided from this layer include: mapping and navigation 1291; software development and lifecycle management 1292; virtual classroom education delivery 1293; data analytics processing 1294; transaction processing 1295; and graph similarity analytics software 1296).
of the information in the graph database.  (Chen, par0043-0044 teaches the graph similarity analytics component 102 can be in communication with a machine learning system and/or a graph database system. The graph similarity analytics component 102 (e.g., the information component 104 of the graph similarity analytics component 102) can receive graph data 112. The graph data 112 can be indicative of information associated with data elements that compose one or more graphs. A graph can be a data structure (e.g., a graph-structured dataset) that represents data as a network of nodes (e.g., vertices) where a relationship between the nodes can be represented as connections (e.g., edges). The graph data 112 can include information associated with one or more data structures associated with a network of nodes. Additionally, in certain embodiments, the graph data 112 can include metadata that provides attributes and/or properties for one or more data structures associated with a network of nodes. As such, the graph data 112 can be associated with data for a set of graph-structured datasets. In an aspect, the graph data 112 can include information for a set of graph-structured dataset associated with a machine learning system).
          Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to provide the functionality of based on the entropy and the rate of change of the information in the graph database, as taught by Chen in the system of Ashley, Vajipayajula, Martinez and Yampolskiy, so cloud systems can automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service, resource usage can be monitored, controlled, and reported, see Chen par0029.
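The Chen passages cited for claims 20 and 22 above describe an entropy measure over graph-structured data and an information distance between two such measures, and the claims pair that with a rate of change and a reliability score. The following is an added illustration, not the applicant's method and not Chen's implementation: it assumes a snapshot of a security knowledge graph is a timestamped set of (source, relation, target) triples, takes the Shannon entropy of the relation-label distribution as the entropy measure, defines the rate of change as entropy difference per second between snapshots, and uses an illustrative reliability heuristic of its own.

```python
"""Entropy and rate-of-change measures over snapshots of a security knowledge graph.

Added illustration only; not the applicant's method and not Chen's implementation.
Assumptions (none stated on the page): a snapshot is a timestamped tuple of
(source, relation, target) triples; "information" is the Shannon entropy of the
relation-label distribution; rate of change is entropy delta per second; the
information distance is the absolute entropy difference; reliability_score is an
illustrative heuristic, not a cited formula.
"""
from __future__ import annotations

import math
from collections import Counter
from dataclasses import dataclass
from typing import Tuple

Triple = Tuple[str, str, str]  # (source node, relation label, target node)


@dataclass(frozen=True)
class Snapshot:
    timestamp: float             # seconds since an arbitrary epoch
    triples: Tuple[Triple, ...]  # edges present in the graph at that instant


def relation_entropy(snapshot: Snapshot) -> float:
    """Shannon entropy, in bits, of the relation-label distribution of a snapshot.

    One dominant relation type gives entropy near 0; k equally frequent relation
    types give log2(k). An empty snapshot carries no information (0.0).
    """
    counts = Counter(rel for _, rel, _ in snapshot.triples)
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def information_distance(first: Snapshot, second: Snapshot) -> float:
    """Absolute difference between the two snapshots' entropy measures."""
    return abs(relation_entropy(first) - relation_entropy(second))


def rate_of_change(previous: Snapshot, current: Snapshot) -> float:
    """Signed change in entropy per second between two snapshots."""
    elapsed = current.timestamp - previous.timestamp
    if elapsed <= 0:
        raise ValueError("snapshots must be in increasing time order")
    return (relation_entropy(current) - relation_entropy(previous)) / elapsed


def reliability_score(current: Snapshot, rate: float,
                      reference_entropy: float = 2.0,
                      rate_tolerance: float = 0.01) -> float:
    """Illustrative heuristic in [0, 1] for a policy derived from `current`.

    A graph carrying at least `reference_entropy` bits counts as fully informative
    (factor 1.0); churn faster than `rate_tolerance` bits/s discounts the score,
    since a policy recommended from a fast-changing graph is less trustworthy.
    """
    informativeness = min(relation_entropy(current) / reference_entropy, 1.0)
    stability = 1.0 / (1.0 + abs(rate) / rate_tolerance)
    return informativeness * stability


# Constructed sample data: two snapshots of a small host/service/user graph, 60 s apart.
BASE: Tuple[Triple, ...] = (
    ("host-a", "connects_to", "host-b"),
    ("host-a", "connects_to", "host-c"),
    ("host-b", "runs", "svc-db"),
    ("user-x", "logs_into", "host-a"),
)
SNAP_T0 = Snapshot(timestamp=0.0, triples=BASE)
SNAP_T1 = Snapshot(timestamp=60.0, triples=BASE + (
    ("host-b", "connects_to", "host-c"),
    ("host-c", "connects_to", "host-d"),
    ("host-c", "runs", "svc-web"),
    ("svc-web", "flagged_by", "ids-alert-1"),
))

if __name__ == "__main__":
    h0, h1 = relation_entropy(SNAP_T0), relation_entropy(SNAP_T1)  # 1.5 and 1.75 bits
    rate = rate_of_change(SNAP_T0, SNAP_T1)                         # 0.25 / 60 bits per s
    print(f"entropy t0={h0:.3f} t1={h1:.3f} "
          f"distance={information_distance(SNAP_T0, SNAP_T1):.3f}")
    print(f"rate={rate:.5f} bits/s reliability={reliability_score(SNAP_T1, rate):.3f}")
```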

Claims 2 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Ashley in view of Vajipayajula further in view of Martinez further in view of Yampolskiy, further in view of Chen, and further in view of Gamble et al. (US20190342307A1) hereinafter Gamble.

As per claim 2. Ashley, Vajipayajula, Martinez, Yampolskiy and Chen disclose the computer-implemented method of claim 1.
             Ashley, Vajipayajula, Martinez, Yampolskiy and Chen do not explicitly disclose wherein the data includes at least one of streaming telemetry from network logs, events from a cloud control plane, and inventory from a configuration management database.
          Gamble however discloses wherein the data includes at least one of streaming telemetry from network logs, (Gamble, par0068 teaches security platform 100 can collect and store network log data in a database 112 before it is run through the data models 128 (e.g. Hadoop™ cluster) and event detection 122. The results are then stored either in a file at data storage 110 or in a database 112. The events in this database 112 then go through the additional processing by graph generator 126 where they can be linked together and graphs created).
          Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to provide the functionality of wherein the data includes at least one of streaming telemetry from network logs, events from a cloud control plane, and inventory from a configuration management database, as taught by Gamble in the method of Ashley, Vajipayajula, Martinez, Yampolskiy and Chen, so data is collected from different data points in a security infrastructure, the data is modeled and analytics are conducted to identify anomalies, see Gamble par0006-0007.

As per claim 12. Ashley, Vajipayajula, Martinez, Yampolskiy and Chen disclose the system of claim 11.
             Ashley, Vajipayajula, Martinez, Yampolskiy and Chen  do not explicitly disclose wherein the data includes at least one of streaming telemetry from network logs, events from a cloud control plane, and inventory from a configuration management database.
          Gamble however discloses wherein the data includes at least one of streaming telemetry from network logs, (Gamble, par0068 teaches security platform 100 can collect and store network log data in a database 112 before it is run through the data models 128 (e.g. Hadoop™ cluster) and event detection 122. The results are then stored either in a file at data storage 110 or in a database 112. The events in this database 112 then go through the additional processing by graph generator 126 where they can be linked together and graphs created).
          Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to provide the functionality of wherein the data includes at least one of streaming telemetry from network logs, events from a cloud control plane, and inventory from a configuration management database, as taught by Gamble in the system of Ashley, Vajipayajula, Martinez, Yampolskiy and Chen, so data is collected from different data points in a security infrastructure, the data is modeled and analytics are conducted to identify anomalies, see Gamble par0006-0007.

Claims 8 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Ashley in view of Vajipayajula further in view of Martinez further in view of Yampolskiy, further in view of Chen, and further in view of Singh et al. (US20070157286A1) hereinafter Singh.

As per claim 8. Ashley, Vajipayajula, Martinez, Yampolskiy and Chen disclose the computer-implemented method of claim 1.
          Ashley does not explicitly disclose using the graph database.
          Vajipayajula however discloses using the graph database. (Vajipayajula, par0024 teaches local knowledge graph database servers 104 and 106 each ingest a different type of data security information from a different data security information source, generate local data security risk knowledge subgraphs using the ingested data security information, and bulk upload the local data security risk knowledge subgraphs to master knowledge graph database server 108. Master knowledge graph database server 108 hosts a master data security risk knowledge graph that contains information corresponding to the uploaded local data security risk knowledge subgraphs. In addition, master knowledge graph database server 108 provides data security analytics services by traversing the master data security risk knowledge graph, determining malicious associations in the master data security risk knowledge graph during security incident analysis, and performing one or more action steps to mitigate determined malicious activity, events, or incidents).
          Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to provide the functionality of using the graph database, as taught by Vajipayajula in the method of Ashley, so defined parameters of structured data make structured data some of the easiest data to organize and analyze, businesses and organizations rely on the ability to quickly access this information, see Vajipayajula par0002.
             Ashley, Vajipayajula, Martinez, Yampolskiy and Chen do not explicitly disclose further comprising: validating the security policy by simulating the security policy.
          Singh however discloses further comprising: validating the security policy by simulating the security policy. (Singh, par0032 teaches simulated security policies that are consistent [validated] with the expected security policy of column 250 are reported as such in column 450. Simulated security policies that differ [not validated] from the expected security policy are indicated by a link 453, 455 to another page that provides the details to facilitate diagnostics).
          Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to provide the functionality of further comprising: validating the security policy by simulating the security policy, as taught by Singh in the method of Ashley, Vajipayajula, Martinez, Yampolskiy and Chen, so in a secure computer network only a specified set of systems, services, and applications are permitted to use the network, and not all systems, services, and applications are permitted to communicate with each other, see Singh col1 ln11-14.
  
As per claim 18. Ashley, Vajipayajula, Martinez, Yampolskiy and Chen disclose the system of claim 11.
          Ashley does not explicitly disclose using the graph database.
          Vajipayajula however discloses using the graph database. (Vajipayajula, par0024 teaches local knowledge graph database servers 104 and 106 each ingest a different type of data security information from a different data security information source, generate local data security risk knowledge subgraphs using the ingested data security information, and bulk upload the local data security risk knowledge subgraphs to master knowledge graph database server 108. Master knowledge graph database server 108 hosts a master data security risk knowledge graph that contains information corresponding to the uploaded local data security risk knowledge subgraphs. In addition, master knowledge graph database server 108 provides data security analytics services by traversing the master data security risk knowledge graph, determining malicious associations in the master data security risk knowledge graph during security incident analysis, and performing one or more action steps to mitigate determined malicious activity, events, or incidents).
          Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to provide the functionality of using the graph database, as taught by Vajipayajula in the system of Ashley, so defined parameters of structured data make structured data some of the easiest data to organize and analyze, businesses and organizations rely on the ability to quickly access this information, see Vajipayajula par0002.
             Ashley, Vajipayajula, Martinez, Yampolskiy and Chen do not explicitly disclose further comprises: validating the security policy by simulating the security policy.
          Singh however discloses further comprises: validating the security policy by simulating the security policy. (Singh, par0032 teaches simulated security policies that are consistent [validated] with the expected security policy of column 250 are reported as such in column 450. Simulated security policies that differ [not validated] from the expected security policy are indicated by a link 453, 455 to another page that provides the details to facilitate diagnostics).
          Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to provide the functionality of further comprises: validating the security policy by simulating the security policy, as taught by Singh in the system of Ashley, Vajipayajula, Martinez, Yampolskiy and Chen, so in a secure computer network only a specified set of systems, services, and applications are permitted to use the network, and not all systems, services, and applications are permitted to communicate with each other, see Singh col1 ln11-14.
 
Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over Ashley in view of Vajipayajula further in view of Martinez further in view of Yampolskiy, further in view of Chen, and further in view of Overby (US8539548B1) hereinafter Overby.

As per claim 10. Ashley, Vajipayajula, Martinez, Yampolskiy and Chen disclose the computer-implemented method of claim 1.
           Ashley, Vajipayajula, Martinez, Yampolskiy and Chen do not explicitly disclose further comprising: confirming the security policy is deployed in the cloud computing environment.
          Overby however discloses further comprising: confirming the security policy is deployed in the cloud computing environment. (Overby, col6 ln66-col7 ln5  teaches FIG. 4 is a block diagram of an enterprise network 400 that is a variation of the disclosed enterprise network 100. Like numbers indicate like elements when comparing enterprise network 400 of FIG. 4 with enterprise network 100 of FIG. 1. Security administrators may use tools that enterprise network 100 provides to administer, deploy and/or validate [confirming] security policies throughout the enterprise [cloud]).
          Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to provide the functionality of further comprising: 

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
• Labat et al. (US10528897B2) – Related art in the area of a system that facilitates the maintenance and execution of a software offering, the system obtains model data associated with a multidimensional model of the software offering and stores the model data in a graph database.
• Banerjee (US9021546B1) – Related art in the area of systems and methods for workload security in virtual data centers by applying security policies to workloads based on an analysis of the underlying computing infrastructure that may connect a workload to sensitive data.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MONISHWAR MOHAN whose telephone number is (571)272-2907. The examiner can normally be reached Monday - Thursday 7:00 am - 5:00 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/M.M./Examiner, Art Unit 2442
/JOHN M MACILWINEN/Primary Examiner, Art Unit 2442