DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on March 30, 2021 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claims 9-28 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Hassanzadeh et al, US 2016/0301704.
As per claim 9, a computer-implemented method (paragraph 0084) for determining aspects of a security attack on a computer is disclosed, the method comprising:
receiving a first list of devices and a second list of connection relations among the devices (paragraph 0040, lines 16-31);

storing one or more previous attack paths as attack cases in an attack case database, wherein the attack case database associates (correlates) at least one of the one or more previous attack paths with an attack phase (attack source, attack targets) and a node condition at a time of the security attack (paragraph 0040, lines 11-35 and paragraph 0047, lines 3-9);
determining the attack phases and the node conditions of the devices, wherein each of the attack paths comprises a node representing one of the devices (paragraph 0040, lines 16-35);
retrieving, based on a search in the attack case database using the determined attack phase and the determined node conditions, an attack case, wherein the attack case relates to one or more of the devices (paragraph 0040, lines 11-35 and paragraph 0041, lines 1-8); and
providing the retrieved attack case as output (paragraph 0062, lines 1-21).
As per claims 10, 17, and 24, it is taught that the method further comprises:
determining, based on a location (IP address) of one of the devices on the attack path, the attack phase (paragraph 0040, lines 16-35).
ACTIVE. 125122466.013U.S. Patent Application Serial No. Filed herewith Preliminary Amendment dated October 1, 2020
As per claims 11, 18, and 25, it is disclosed that the method further comprises:
determining, based on types of the devices and relationships among the devices, the node conditions (paragraph 0040, lines 16-35).
As per claims 12 and 19, it is taught that the attack case includes an attack detail and a countermeasure (dropping the packet) for the attack detail (paragraph 0033, lines 10-17 & 25-30).
As per claims 13 and 20, it is disclosed that the output includes a report of the retrieved attack case in a table format (paragraph 0036, lines 1-6 & 24-32).

As per claims 15, 22, and 28, it is disclosed that the method further comprises:
extracting, based on a route search on a graph, the attack path, wherein the graph represents the received first list of devices and the received second list of connection relations among the devices (paragraph 0036, lines 1-6 & 24-32 and paragraph 0040, lines 16-31).
As per claim 16, a system for determining aspects of a security attack on a computer is taught, the system comprising:
a processor (paragraph 0084); and
a memory storing computer-executable instructions that when executed by the processor (paragraph 0084) cause the system to:
receive a first list of devices and a second list of connection relations among the devices (paragraph 0040, lines 16-31);
determine, based on the received first list of devices and the received second list of connection relations, an attack path (paragraph 0040, lines 31-35);
store one or more previous attack paths as attack cases in an attack case database, wherein the attack case database associates (correlates) at least one of the one or more previous attack paths with an attack phase (attack source, attack targets) and a node condition at a time of the security attack (paragraph 0040, lines 11-35 and paragraph 0047, lines 3-9);
determine the attack phases and the node conditions of the devices, wherein each of the attack paths comprises a node representing one of the devices (paragraph 0040, lines 16-35);

provide the retrieved attack case as output (paragraph 0062, lines 1-21).
As per claim 23, a computer-readable non-transitory recording medium is disclosed, storing computer-executable instructions that when executed by a processor (paragraph 0084) cause a computer system to:
receive a first list of devices and a second list of connection relations among the devices (paragraph 0040, lines 16-31);
determine, based on the received first list of devices and the received second list of connection relations, an attack path (paragraph 0040, lines 31-35);
store one or more previous attack paths as attack cases in an attack case database, wherein the attack case database associates (correlates) at least one of the one or more previous attack paths with an attack phase (attack source, attack targets) and a node condition at a time of the security attack (paragraph 0040, lines 11-35 and paragraph 0047, lines 3-9);
determine the attack phases and the node conditions of the devices, wherein each of the attack paths comprises a node representing one of the devices (paragraph 0040, lines 16-35);
retrieve, based on a search in the attack case database using the determined attack phase and the determined node conditions, an attack case, wherein the attack case relates to one or more of the devices (paragraph 0040, lines 11-35 and paragraph 0041, lines 1-8); and
provide the retrieved attack case as output (paragraph 0062, lines 1-21).
As per claim 26, it is taught wherein the retrieved attack case includes an attack detail of the security attack and a countermeasure (dropping the packet) for the attack detail (paragraph 0033, lines 10-17 & 25-30); and
. 

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Hu et al, U.S. Patent 10,616,270 is a related application from the Applicant.
Ashkenazy et al, U.S. Patent 10,382,473 is relied upon for disclosing the calculation of vulnerability scores for a group of attack paths, see column 14, lines 39-41.
Herwono et al, WO 2020/193333 A1 is relied upon for disclosing an attack map that shows relationships of extracted features based upon events and a predefined definition of attack patterns, see abstract.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHRISTOPHER A REVAK whose telephone number is (571)272-3794. The examiner can normally be reached 5:30am - 3:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, LYNN FEILD can be reached on 571-272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit 

/CHRISTOPHER A REVAK/Primary Examiner, Art Unit 2431