DETAILED ACTION
This office action is in response to the original application filed on September 18, 2020.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 

Claims 1-20 are pending.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 1-5, 8, 9-11, 13 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Ahuja (US Pub. No. 2014/0173739) in view of Davis (US Pub. No. 2020/0204576).

	As per claim 1 Ahuja discloses:
A method, comprising: identifying a first security metric of a first asset in a network; (paragraph 35 of Ahuja, other assets with high criticalities that are dependent on a particular asset can further enhance consideration of the particular asset as a high criticality asset. For instance, a relatively large amount of communications by a first asset with a second asset having a high criticality rating can indicate criticality of the first asset as well, in some examples). The specification defines the claim term “security metric” as, (paragraph 24 of the specification, the security metric can nevertheless significantly indicate the criticality of the asset to a network).
Identifying network data that identifies data flows associated with a second asset in the network, (paragraph 34 of Ahuja, traffic rules 248 can be used to determine that a given asset is more or less critical to a computing environment, organization, etc., based for instance on the amount of traffic originating from, passing through, or received at the asset).
Determining, based on the network data, a number of hosts in the network that exchanged data traffic with the second asset during a time period; (paragraph 35 of Ahuja, dependence of other assets, services, customers, and other entities can also be determined based on traffic data involving the asset. For instance, multiple connections to an asset can indicate that many other entities depend on the operation, functionality and/or data of a particular asset evidencing criticality of the asset. Alternatively, multiple connections from an asset to other assets can additionally indicate criticality of the asset. Assets upon which large numbers of other assets are dependent can have a higher criticality) and (paragraph 34 of Ahuja, a traffic rule 248 can define various traffic thresholds, such as average traffic, indicating that an asset has a higher criticality. Such traffic thresholds can pertain to the overall amount of traffic received or sent, the amount of traffic in particular time windows of interest, amounts of traffic relating to certain system functions or types of data transmissions (e.g., time-clustering)).
other assets with high criticalities that are dependent on a particular asset can further enhance consideration of the particular asset as a high criticality asset) and (paragraph 34 of Ahuja, traffic rules 248 can be used to determine that a given asset is more or less critical to a computing environment, organization, etc., based for instance on the amount of traffic originating from, passing through, or received at the asset).
Adjusting a security policy of the second asset based on the second security metric. (Paragraph 20 of Ahuja, deployment of countermeasures on assets can be prioritized based on each asset's respective criticality, with more critical assets receiving attention before other assets with lower criticality measures, among other examples).
Ahuja teaches the method of identifying network data that identifies data flows associated with a second asset in the network (see paragraph 34 of Ahuja) but fails to disclose:
The second asset being a nearest neighbor/within a threshold distance of the first asset in the network.
However, in the same field of endeavor, Davis teaches this limitation as, (paragraph 110 of Davis, in some embodiments, it may be known that a small set of assets are of high importance to an enterprise system. In such cases, the local profile of each such asset built using the features 1-7 described above can be used to identify similar assets. The features 1-7 are numeric, and thus a nearest neighbor search and Euclidean distance may be used to find imposter assets or unknown-but-important assets when such assets are “projected” to the applications-space of the important assets).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Ahuja and include the above limitation using the teaching of Davis in order to identifying the high important asset to the enterprise/other assets using how close is the asset to the other asset (see paragraph 110 of Davis). 

Claim 9 is rejected under the same reason set forth in rejection of claim 1:

As per claim 2 Ahuja in view of Davis disclose:
traffic rules 248 can be used to determine that a given asset is more or less critical to a computing environment, organization, etc., based for instance on the amount of traffic originating from, passing through, or received at the asset). 

Claim 10 is rejected under the same reason set forth in rejection of claim 2:

As per claim 3 Ahuja in view of Davis disclose:
The method of claim 1, wherein the second asset comprises at least one of an application, a port, or a host. (Paragraph 25 of Ahuja, in some implementations, an example assessment engine 244 can access data describing various attributes of a particular asset, such as security tools deployed on behalf of the particular sddrtd, network traffic patterns involving or referencing the sddrt, change control, access control, and data loss protections in place in connection with the asset, change control the user(s) of the asset, global positioning information relating the location of the asset, the status of the asset within an environment, the applications, operating system, peripherals installed on or in use with the asset). 

Claim 11 is rejected under the same reason set forth in rejection of claim 3:

As per claim 4 Ahuja in view of Davis disclose:
The method of claim 1, wherein the second security metric indicates at least one of a criticality of the second asset, an exposure of the second asset, a vulnerability exploit probability of the asset, or an application vulnerability risk of the asset. (Paragraph 35 of Ahuja, other assets with high criticalities that are dependent on a particular asset can further enhance consideration of the particular asset as a high criticality asset. For instance, a relatively large amount of communications by a first asset with a second asset having a high criticality rating can indicate criticality of the first asset as well, in some examples).


The method of claim 1, further comprising: identifying a number of users associated with the hosts that exchanged data traffic with the second asset during the time period, wherein generating the second security metric is based on the number of users. (Paragraph 34 of Ahuja, traffic rules 248 can be used to determine that a given asset is more or less critical to a computing environment, organization, etc., based for instance on the amount of traffic originating from, passing through, or received at the asset). 

Claim 13 is rejected under the same reason set forth in rejection of claim 5:

As per claim 8 Ahuja in view of Davis disclose:
The method of claim 1, wherein adjusting the security policy comprises: determining that one or more packets directed to the second asset are blocked by a firewall associated with the second asset; determining that the second security metric is above a threshold; and based on determining that the second security metric is above the threshold, outputting an alert reporting the one or more packets blocked by the firewall. (Paragraph 20 of Ahuha, deployment of countermeasures on assets can be prioritized based on each asset's respective criticality, with more critical assets receiving attention before other assets with lower criticality measures, among other examples) and (paragraph 43 of Ahuha, a passive countermeasure may generate back-up copies of particular files targeted by an attack, so that even if the attack attacks the files, the files can be restored. Example passive countermeasures include, but are not limited to, hardware firewalls, software firewalls (e.g., 265), web filters (e.g., at 266), mail filters (e.g., at 268), host-based intrusion prevention systems (e.g., 270), network-based intrusion prevention systems (e.g., 272), rate-based intrusion prevention systems, content-based intrusion prevention systems, intrusion detection systems (e.g., 274), policy and compliance detection and management programs (e.g., 275), virus and malware detection software (e.g., 276), data loss prevention systems (e.g., 278), web proxies, among other examples). 

Claim 16 is rejected under the same reason set forth in rejection of claim 8:

Claims 6 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Ahuja (US Pub. No. 2014/0173739) in view of Davis (US Pub. No. 2020/0204576) and further in view of Coskun (US Pub. No. 2018/0097828).

As per claim 6:
The method of claim 1, wherein determining the number of hosts comprises: identifying, based on the network data, addresses of the hosts; (paragraph 21 of Ahuja, a set of one or more assets can be selected and defined by the user as having a particular level of criticality based on the asset's position within a hierarchy, IP address, type of asset, etc).
The combination of Ahuja and Davis teaches the method of identifying network data that identifies data flows associated with a second asset in the network (see paragraph 34 of Ahuja) but fails to disclose:
Generating shortened addresses by extracting a subset of the most significant digits of the addresses, the shortened addresses being shorter than the addresses; and determining the number of hosts based on a number of the shortened addresses.
However, in the same field of endeavor, Coskun teaches this limitation as, (paragraph 87 of Coskun, IP addresses can be clustered together based on a similarity metric which i) yields higher values (e.g., related to how similar they are) between IP addresses which belong to the same cluster, and ii) yields lower values between IP addresses which do not belong to the same cluster).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Ahuja and Davis to include the above limitation using the teaching of Coskun in order to identifying if the asset belongs to the same cluster (see paragraph 87 of Coskun). 

Claim 14 is rejected under the same reason set forth in rejection of claim 6:

Claims 7 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Ahuja (US Pub. No. 2014/0173739) in view of Davis (US Pub. No. 2020/0204576) and further in view of Tang (US Pub. No. 2014/0289827).

As per claim 7:
The combination of Ahuja and Davis teaches the method of identifying network data that identifies data flows associated with a second asset in the network (see paragraph 34 of Ahuja) but fails to disclose:
The method of claim 1, wherein adjusting the security policy comprises: determining that the second security metric is above a threshold; and based on determining that the second security metric is above the threshold, decreasing a multi-factor authentication (MFA) interval of the asset.
However, in the same field of endeavor, Tang teaches this limitation as, (paragraph 48 of Tang, embodiments of the present disclosure enable the complexity of an authentication scheme to be relaxed/reduced based on external factors relative to a user/device attempting to authenticate to a computing system. In some embodiments, the proximity of other users/devices/agents to the agent attempting to authenticate to the system may indicate that a sufficient level of security is present to warrant authenticating the agent using an authentication scheme of lesser complexity than would ordinarily be applied. The proximity information may be evaluated for the quantity and/or relative locations of other users/devices/agents relative to the agent attempting to authenticate to the system to dynamically evaluate the level of authentication scheme to apply) and (paragraph 32 of Tang, in some embodiments, standard credential data 334 may comprise an authentication scheme that includes multiple implementations (e.g., for an Intranet system, the scheme may comprise basic authentication implementation and a token-based second factor authentication). An adjustment to the standard scheme to reduce the complexity thereof may result in a reduction in the overall strength of the authentication scheme. Embodiments of the present disclosure utilize external factors associated with device 330 to invoke a relaxed authentication scheme without compromising the overall strength of authentication to system 302).


Claim 15 is rejected under the same reason set forth in rejection of claim 7:

Claims 12, 17, 18 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Ahuja (US Pub. No. 2014/0173739) in view of Davis (US Pub. No. 2020/0204576) and further in view of Akella (US Pub. No. 2021/0279565).

As per claim 12:
The combination of Ahuja and Davis teaches the method of determining a number of hosts in the network that exchanged data traffic with the second asset during a time period (see paragraph 35 of Ahuja) but fails to disclose:
The system of claim 9, wherein a length of the time period is greater than or equal to 1 day and less than or equal to 31 days.
However, in the same field of endeavor, Akella teaches this limitation as, (paragraph 57 of Akella, communication data associated with computing device 116 through computing device 120 is collectively received by network gateway 108 and transmitted to database 102. Database 102 is configured to store temporal communication data associated with computing device 116 through computing device 120. Temporal communication data associated with a computing device (such as computing device 116) is defined as historical communication data over a past period of time (e.g., two weeks, six months, or some other past time interval), and also communication data for a present time interval).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Ahuja and Davis to include the above limitation 

As per claim 17 Ahuja discloses:
A system, comprising at least one processor; and one or more non-transitory media storing instructions that, when executed by the system, cause the system to perform operations comprising:
identifying a first security metric of a first asset in a network; (paragraph 35 of Ahuja, other assets with high criticalities that are dependent on a particular asset can further enhance consideration of the particular asset as a high criticality asset. For instance, a relatively large amount of communications by a first asset with a second asset having a high criticality rating can indicate criticality of the first asset as well, in some examples). The specification defines the claim term “security metric” as, (paragraph 24 of the specification, the security metric can nevertheless significantly indicate the criticality of the asset to a network).
	Identifying network data that identifies data flows associated with a second asset in the network, (paragraph 34 of Ahuja, traffic rules 248 can be used to determine that a given asset is more or less critical to a computing environment, organization, etc., based for instance on the amount of traffic originating from, passing through, or received at the asset).
	Determining, based on the network data, a number of hosts in the network that received data traffic from the second asset during a time period, (paragraph 35 of Ahuja, dependence of other assets, services, customers, and other entities can also be determined based on traffic data involving the asset. For instance, multiple connections to an asset can indicate that many other entities depend on the operation, functionality and/or data of a particular asset evidencing criticality of the asset. Alternatively, multiple connections from an asset to other assets can additionally indicate criticality of the asset. Assets upon which large numbers of other assets are dependent can have a higher criticality) and (paragraph 34 of Ahuja, a traffic rule 248 can define various traffic thresholds, such as average traffic, indicating that an asset has a higher criticality. Such traffic thresholds can pertain to the overall amount of traffic received or sent, the amount of traffic in particular time windows of interest, amounts of traffic relating to certain system functions or types of data transmissions (e.g., time-clustering)).
	Determining, based on the network data, an amount of the data traffic; (paragraph 35 of Ahuja, dependence of other assets, services, customers, and other entities can also be determined based on traffic data involving the asset. For instance, multiple connections to an asset can indicate that many other entities depend on the operation, functionality and/or data of a particular asset evidencing criticality of the asset. Alternatively, multiple connections from an asset to other assets can additionally indicate criticality of the asset. Assets upon which large numbers of other assets are dependent can have a higher criticality) and (paragraph 34 of Ahuja, a traffic rule 248 can define various traffic thresholds, such as average traffic, indicating that an asset has a higher criticality. Such traffic thresholds can pertain to the overall amount of traffic received or sent, the amount of traffic in particular time windows of interest, amounts of traffic relating to certain system functions or types of data transmissions (e.g., time-clustering)).
	Generating a second security metric of the second asset based on the first security metric, the number of hosts, and the amount of the data traffic; ; (paragraph 35 of Ahuja, other assets with high criticalities that are dependent on a particular asset can further enhance consideration of the particular asset as a high criticality asset) and (paragraph 34 of Ahuja, traffic rules 248 can be used to determine that a given asset is more or less critical to a computing environment, organization, etc., based for instance on the amount of traffic originating from, passing through, or received at the asset).
	Determining that one or more packets directed to the second asset are blocked by a firewall associated with the second asset; determining that the second security metric is above a threshold; and based on determining that the second security metric is above the threshold, outputting an alert reporting the one or more packets blocked by the firewall. (Paragraph 20 of Ahuha, deployment of countermeasures on assets can be prioritized based on each asset's respective criticality, with more critical assets receiving attention before other assets with lower criticality measures, among other examples) and (paragraph 43 of Ahuha, a passive countermeasure may generate back-up copies of particular files targeted by an attack, so that even if the attack attacks the files, the files can be Example passive countermeasures include, but are not limited to, hardware firewalls, software firewalls (e.g., 265), web filters (e.g., at 266), mail filters (e.g., at 268), host-based intrusion prevention systems (e.g., 270), network-based intrusion prevention systems (e.g., 272), rate-based intrusion prevention systems, content-based intrusion prevention systems, intrusion detection systems (e.g., 274), policy and compliance detection and management programs (e.g., 275), virus and malware detection software (e.g., 276), data loss prevention systems (e.g., 278), web proxies, among other examples).
Ahuja teaches the method of identifying network data that identifies data flows associated with a second asset in the network (see paragraph 34 of Ahuja) but fails to disclose:
	The second asset being a nearest neighbor of the first asset in the network;
However, in the same field of endeavor, Davis teaches this limitation as, (paragraph 110 of Davis, in some embodiments, it may be known that a small set of assets are of high importance to an enterprise system. In such cases, the local profile of each such asset built using the features 1-7 described above can be used to identify similar assets. The features 1-7 are numeric, and thus a nearest neighbor search and Euclidean distance may be used to find imposter assets or unknown-but-important assets when such assets are “projected” to the applications-space of the important assets).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Ahuja and include the above limitation using the teaching of Davis in order to identifying the high important asset to the enterprise/other assets using how close is the asset to the other asset (see paragraph 110 of Davis).
The combination of Ahuja and Davis teaches the method of determining a number of hosts in the network that exchanged data traffic with the second asset during a time period (see paragraph 35 of Ahuja) but fails to disclose:
The time period being greater than or equal to 1 day and less than or equal to 31 days;
However, in the same field of endeavor, Akella teaches this limitation as, (paragraph 57 of Akella, communication data associated with computing device 116 through computing device 120 is collectively received by network gateway 108 and transmitted to database 102. Database 102 is configured to store temporal communication data associated with computing device 116 through computing device 120. Temporal communication data associated with a computing device (such as computing device 116) is defined as historical communication data over a past period of time (e.g., two weeks, six months, or some other past time interval), and also communication data for a present time interval).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Ahuja and Davis to include the above limitation using the teaching of Akella in order to collect the communication data between the devices within the limited period of time and determine how critical the devices are each other (see paragraph 57 of Akella).

	As per claim 18 Ahuja in view of Davis and further in view of Akella discloses:
	The system of claim 17, wherein the operations further comprise: identifying a number of users associated with the hosts that exchanged data traffic with the second asset during the time period, wherein generating the second security metric is based on the number of users. (Paragraph 34 of Ahuja, traffic rules 248 can be used to determine that a given asset is more or less critical to a computing environment, organization, etc., based for instance on the amount of traffic originating from, passing through, or received at the asset).

As per claim 20 Ahuja in view of Davis and further in view of Akella discloses:
	The system of claim 17, wherein the operations further comprise: causing a user device to output at least one of the first security metric or the second security metric. (Paragraph 36 of Ahuha, in some implementations, additional rules, such as user rules 250 can defined and used in automated criticality assessments of assets. User rules 250 can map associations between an asset and certain important users, such as administrators, security managers, executives, attorneys, and other users, user types, roles, permission levels, security clearances, etc. to increase the criticality rating of asset).

Claim 19 is rejected under 35 U.S.C. 103 as being unpatentable over Ahuja (US Pub. No. 2014/0173739) in view of Davis (US Pub. No. 2020/0204576) and further in view of Akella (US Pub. No. 2021/0279565) and Coskun (US Pub. No. 2018/0097828).

	As per claim 19 Ahuja in view of Davis and further in view of Akella discloses:
	The system of claim 17, wherein determining the number of hosts comprises: identifying, based on the network data, addresses of the hosts; (paragraph 21 of Ahuja, a set of one or more assets can be selected and defined by the user as having a particular level of criticality based on the asset's position within a hierarchy, IP address, type of asset, etc).
The combination of Ahuja, Davis and Akella teaches the method of identifying network data that identifies data flows associated with a second asset in the network (see paragraph 34 of Ahuja) but fails to disclose:
Generating shortened addresses by extracting a subset of the most significant digits of the addresses, the shortened addresses being shorter than the addresses; and determining the number of hosts based on a number of the shortened addresses.
However, in the same field of endeavor, Coskun teaches this limitation as, (paragraph 87 of Coskun, IP addresses can be clustered together based on a similarity metric which i) yields higher values (e.g., related to how similar they are) between IP addresses which belong to the same cluster, and ii) yields lower values between IP addresses which do not belong to the same cluster).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Ahuja, Davis and Akella to include the above limitation using the teaching of Coskun in order to identifying if the asset belongs to the same cluster (see paragraph 87 of Coskun). 

Conclusion
The prior art made or record and not relied upon is considered pertinent to applicant’s disclosure is Dayan (US Pub. No. 10,896,268). Dayan discloses the methods and systems for implementing a security configuration change based on one or more base events and a current security configuration.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to TESHOME HAILU whose telephone number is (571)270-3159. The examiner can normally be reached M-F 8 a.m. - 5 p.m..
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on (571) 272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/TESHOME HAILU/Primary Examiner, Art Unit 2434