Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 2/18/22 has been entered.

Response to Arguments
In communications filed on 1/19/2022, claims 1, 8-10, 13, 20-22, 25, and 26 are presented for examination. Claims 1 and 13 are independent.
Amended claim(s): 1 and 13.
Rejection of claims under prior art have been withdrawn pursuant to amendments to the independent claims including 
Pursuant to an Examiner’s Amendment (see below), previously withdrawn dependent claims 2, 4, 5, 7, 11, 12, 14, 16, 17, 19, 23, and 24 are rejoined. Restriction requirement is withdrawn. Final claim listing pursuant to the Examiner’s Amendment below includes claims 1, 2, 4, 5, 7-14, 16, 17, and 19-26.    

EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given by Mr. Jason Feldmar on 3/16/2022.  
The application has been amended as follows:

	1.	(CURRENTLY AMENDED) A computer-implemented method for acting on cyber risks, comprising:
	gathering system characteristics and system information for a cyber system;

	generating a system model of a cyber environment for the cyber system, wherein:
the system model comprises multiple layers, wherein each of the multiple layers comprises components, wherein connections exist between different components on different layers of the multiple layers, and wherein the connections between layers are compositional;
the multiple layers comprise a hardware layer, a software layer, a file layer, and a work process layer;
the components of the work process layer comprise work processes, wherein each work process comprises a mission task or objective that contributes to a mission goal;
the components of the file layer comprise data that supports the work processes;
the components of the software layer comprise applications that supports the file layer or work processes; 
the components of the hardware layer comprise hardware infrastructure for the cyber system, and supports the software layer;
the generating the system model comprises modeling entities of the cyber system using a graph based approach, wherein:
each unique element in the hardware layer, software layer, file layer, and workflow process layer, corresponds to a vertex of a graph;
associated to each vertex are one or more attributes that make up properties of the model; and
edges of the graph are specified by connections between the unique elements and each edge represents a relationship between vertices connected by the edge;
	converting one or more features from cyber threat reports to one or more semantically relevant queries over the system model, wherein the converting is based on the multiple layers;
	reasoning over the multiple layers of the system model to generate one or more answers relevant to the one or more semantically relevant queries, wherein the one or more answers form a part of actionable intelligence, and wherein the reasoning is over at least one of the file layer and the work process layer; and
	executing attack models over the system model to generate comprehensive actionable intelligence, wherein the comprehensive actionable intelligence is based on the part of the actionable intelligence.

	2.	(ORIGINAL) (gathering - system characteristics and system information) The computer-implemented method of claim , wherein the system characteristics and system information comprises:
	network configuration information;
	common attributes of one or more end hosts; and
	attributes of the one or more end hosts that are not exposed to a network and cannot be deduced remotely.

	3.	(CANCELED) (gathering – using a script on end host) The computer-implemented method of claim , wherein the gathering is performed by a script executing on an end host.

	4.	(ORIGINAL) (gathering – steps of FIG 2) The computer-implemented method of claim , wherein the gathering comprises:
	passing the system characteristics and system information through a data parser to parse system characteristics and system information into a readable format;
	a firewall and network parser reading firewall and network confirmation to change a format of the firewall and network configuration information into the readable format;
	a software package parser reading package information regarding packages installed on an end host, and outputting a file containing a subset of the package information for the installed packages;

	the vulnerability database tool storing a local instance of a National Vulnerability Database (NVD) database;
	storing, in a cyber database, the system characteristics and information, firewall and network configuration information, and the CVE information for each of the packages installed on the end host, wherein the cyber database is accessed by the pre-processing.

	5.	(ORIGINAL) (pre-processing) The computer-implemented method of claim , wherein the pre-processing comprises performing, for each host on a network:
	gathering package and version information from the host;
	searching, based on the package and version information, a national vulnerability database, and generating a list of common vulnerabilities and exposures (CVEs) that are relevant to the host;
	cross referencing the list of CVEs with information from one or more vendor specific databases to eliminate CVEs that are already patched; and
	outputting a true positive list as valid CVEs for the host.


	modeling entities of the cyber system using a graph based approach, wherein:
the system model comprises a hardware layer, a software layer, a file layer, and a work process layer;
the work process layer comprises work processes that comprise mission tasks or objectives;
the file layer comprises data that supports the work processes;
the software layer comprises applications that supports the data or work processes; 
the hardware layer comprises hardware infrastructure for the cyber system;
each unique element in the hardware layer, software layer, file layer, and workflow process layer, corresponds to a vertex of a graph;
associated to each vertex are one or more attributes that make up properties of the model; and
edges of the graph are specified by connections between the unique elements and each edge represents a relationship between vertices connected by the edge.
	
	7.	(ORIGINAL) (converting features details) The computer-implemented method of claim , wherein the converting one or more features from cyber threat reports to the one or more semantically relevant queries over the system model comprises:
	interfacing with data in the system model based on an underlying reasoning infrastructure to provide domain-specific semantically relevant language for the one or more semantically relevant queries. 

	8.	(ORIGINAL) (reasoning to generate answers relevant to query) The computer-implemented method of claim , wherein the reasoning comprises:
	utilizing the system characteristics and system information as one or more facts;
	accepting one or more rules to operate on the one or more facts; and
	conducting the reasoning using logical deduction over the one or more rules and one or more facts. Additional Language: wherein the reasoning utilizes a deductive first-order logic based reasoning approach.


	9.	(ORIGINAL) (reasoning - uncertainty calculus) The computer-implemented method of claim 8, wherein the reasoning further comprises, for each of the one or more generated answers:

passing each of the one or more factors through an age function, wherein the age function computes an age value confidence, for each factor, with respect to age; and
aggregating the age value confidences for all factors to determine the confidence score for the fact; and
	combining the confidence scores for all of the facts to determine an analysis score for the generated answer.

	10.	(ORIGINAL) (reasoning - uncertainty answer ranking) The computer-implemented method of claim 8, wherein the reasoning further comprises:
ranking the one or more answers by the confidence scores; and
utilizing the ranking to select one or more of the one or more answers.

	11.	(ORIGINAL) (executing attack models) The computer-implemented method of claim , wherein the executing comprises:
	generating an attack tree comprising multiple nodes comprising a root node and ancestor nodes, wherein:
the root node of the multiple nodes is an objective of an attacker;

	forwarding the attack tree to a threat model simulation engine that translates the attack tree into the one or more semantically relevant queries that are processed to generate the one or more answers, wherein:
	the one or more semantically relevant queries are formed via one or more model attributes on each leaf node, of the multiple nodes, and how an attacker would pivot from one leaf node to another leaf node; and
	presenting a user with the one or more semantically relevant queries, wherein each of the one or more semantically relevant queries represents a different attack campaign that was run on the system model.

	12.	(ORIGINAL) (attack model details) The computer-implemented method of claim 11, wherein:
	the generating the attack tree comprises:
	constructing the attack tree;
	annotating the attack tree for execution over the system model, wherein the annotating comprises annotating the one or more leaf nodes with attributes contained in the system model, wherein the annotating enables the one or 
	reconciling the annotated attack tree with the system model by matching up annotations of the attack tree with the attributes of the system model, wherein the reconciling traverses the attack tree via an entry node, of the multiple nodes, and determines unique paths from the root node to the entry node. 

	13.	(CURRENTLY AMENDED) An apparatus for reducing risk from cyber attacks comprising:
	(a)	a computer having a memory;
	(b)	a cyber analytics and visualization environment (CAVE) application executing on the computer, wherein the CAVE application:
	(1)	gathers system characteristics and system information for a cyber system;
	(2)	pre-processes the system characteristics and system information to identify vulnerabilities that are relevant to the cyber system;
	(3)	generates a system model of a cyber environment for the cyber system, wherein:
the system model comprises multiple layers, wherein each of the multiple layers comprises 
the multiple layers comprise a hardware layer, a software layer, a file layer, and a work process layer;
the components of the work process layer comprise work processes that comprise a mission task or objective that contributes to a mission goal;
the components of the file layer comprise data that supports the work processes;
the components of the software layer comprise applications that supports the file layer or work processes; 
the components of the hardware layer comprise hardware infrastructure for the cyber system, and supports the software layer; and
the generation of the system model comprises modeling entities of the cyber system using a graph based approach, wherein:
each unique element in the hardware layer, software layer, file layer, and workflow process layer, corresponds to a vertex of a graph;
associated to each vertex are one or more attributes that make up properties of the model; and
edges of the graph are specified by connections between the unique elements and each edge represents a relationship between vertices connected by the edge;
(4)	converts one or more features from cyber threat reports to one or more semantically relevant queries over the system model, wherein the converting is based on the multiple layers;
	(5)	reasons over the multiple layers of the system model to generate one or more answers relevant to the one or more semantically relevant queries, wherein the one or more answers form a part of actionable intelligence, and wherein the reasoning is over at least one of the file layer and the work process layer; and
	(6)	executes attack models over the system model to generate comprehensive actionable intelligence, wherein the comprehensive actionable intelligence is based on the part of the actionable intelligence.

	14.	(ORIGINAL) (gathering - system characteristics and system information) The apparatus of claim 13, wherein the system characteristics and system information comprises:
	network configuration information;
	common attributes of one or more end hosts; and


	15.	(CANCELED) (gathering – using a script on end host) The apparatus of claim 13, wherein the CAVE application performs the gathering using a script executing on an end host.

	16.	(ORIGINAL) (gathering – steps of FIG 2) The apparatus of claim 13, wherein the CAVE application gathers by:
	passing the system characteristics and system information through a data parser to parse the system characteristics and system information into a readable format;
	a firewall and network parser reading firewall and network confirmation to change a format of the firewall and network configuration information into the readable format;
	a software package parser reading package information regarding packages installed on an end host, and outputting a file containing a subset of the package information for the installed packages;
	providing the file to a vulnerability database tool that associates common vulnerabilities and exposures (CVE) information with each of the packages installed on the end host;
	the vulnerability database tool storing a local instance of a National Vulnerability Database (NVD) database;
	storing, in a cyber database, the system characteristics and information, firewall and network configuration information, and the CVE information for each of the packages installed on 

	17.	(ORIGINAL) (pre-processing) The apparatus of claim 13, wherein the CAVE application performs the pre-processing by performing, for each host on a network:
	gathering package and version information from the host;
	searching, based on the package and version information, a national vulnerability database, and generating a list of common vulnerabilities and exposures (CVEs) that are relevant to the host;
	cross referencing the list of CVEs with information from one or more vendor specific databases to eliminate CVEs that are already patched; and
	outputting a true positive list as valid CVEs for the host.

	18.	(CANCELED) (generating system model details) The apparatus of claim 13, wherein the CAVE application generates the system model by:
	modeling entities of the cyber system using a graph based approach, wherein:
the system model comprises a hardware layer, a software layer, a file layer, and a work process layer;
the work process layer comprises work processes that comprise mission tasks or objectives;
the file layer comprises data that supports the work processes;
the software layer comprises applications that supports the data or work processes; 
the hardware layer comprises hardware infrastructure for the cyber system;
each unique element in the hardware layer, software layer, file layer, and workflow process layer, corresponds to a vertex of a graph;
associated to each vertex are one or more attributes that make up properties of the model; and
edges of the graph are specified by connections between the unique elements and each edge represents a relationship between vertices connected by the edge.
	
	19.	(ORIGINAL) (converting features details) The apparatus of claim 13, wherein the CAVE application converts one or more features from cyber threat reports to the one or more semantically relevant queries over the system model by:
	interfacing with data in the system model based on an underlying reasoning infrastructure to provide domain-specific 

	20.	(ORIGINAL) (reasoning to generate answers relevant to query) The apparatus of claim 13, wherein the CAVE application reasons by:
	utilizing the system characteristics and system information as one or more facts;
	accepting one or more rules to operate on the one or more facts; and
	conducting the reasoning using logical deduction over the one or more rules and one or more facts. Additional Language: wherein the reasoning utilizes a deductive first-order logic based reasoning approach.


	21.	(ORIGINAL) (reasoning - uncertainty calculus) The apparatus of claim 20, wherein the CAVE application reasons by performing, for each of the one or more generated answers:
	assigning each of the one or more facts a confidence score that is dependent on one or more factors, wherein for each fact, the assigning comprises:
passing each of the one or more factors through an age function, wherein the age function computes an age value confidence, for each factor, with respect to age; and
aggregating the age value confidences for all factors to determine the confidence score for the fact; and


	22.	(ORIGINAL) (reasoning - uncertainty answer ranking) The apparatus of claim 20, wherein the CAVE application further reasons by:
ranking the one or more answers by the confidence scores; and
utilizing the ranking to select one or more of the one or more answers.

	23.	(ORIGINAL) (executing attack models) The apparatus of claim 13, wherein the CAVE application executes by:
	generating an attack tree comprising multiple nodes comprising a root node and ancestor nodes, wherein:
the root node of the multiple nodes is an objective of an attacker;
one or more ancestor nodes of the root node represent sub-goals that must be completed to achieve an objective;
	forwarding the attack tree to a threat model simulation engine that translates the attack tree into the one or more semantically relevant queries that are processed to generate the one or more answers, wherein:
	the one or more semantically relevant queries are formed via one or more model attributes on each leaf node, 
	presenting a user with the one or more semantically relevant queries, wherein each of the one or more semantically relevant queries represents a different attack campaign that was run on the system model.

	24.	(ORIGINAL) (attack model details) The apparatus of claim 23, wherein:
	the CAVE application generates the attack tree by:
	constructing the attack tree;
	annotating the attack tree for execution over the system model, wherein the annotating comprises annotating the one or more leaf nodes with attributes contained in the system model, wherein the annotating enables the one or more leaf nodes to be mapped to assets of the cyber system; and
	reconciling the annotated attack tree with the system model by matching up annotations of the attack tree with the attributes of the system model, wherein the reconciling traverses the attack tree via an entry node, of the multiple nodes, and determines unique paths from the root node to the entry node. 

25.	(PREVIOUSLY PRESENTED)	The computer-implemented method of claim , wherein:
the one or more semantically relevant queries are specific to the cyber system

26.	(PREVIOUSLY PRESENTED)	The apparatus of claim 13, wherein:
the one or more semantically relevant queries are specific to the cyber system
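
The layered graph model recited in claims 1 and 13, sketched as an added Python example that is not part of the Office action or of the application: vertices carry a layer and attributes, edges are "supports" relationships between layers, and one threat-report feature is turned into a query answered by reasoning up to the file and work process layers. All host, package and file names, the placeholder advisory id and the helper names are constructed assumptions.

```python
from collections import deque

LAYERS = ("hardware", "software", "file", "work_process")

class SystemModel:
    """Graph model: each vertex has a layer and attributes; an edge means 'lower supports upper'."""
    def __init__(self):
        self.vertices = {}   # name -> {"layer": ..., other attributes}
        self.supports = {}   # name -> set of vertex names it supports

    def add_vertex(self, name, layer, **attrs):
        if layer not in LAYERS:
            raise ValueError(f"unknown layer: {layer}")
        self.vertices[name] = {"layer": layer, **attrs}
        self.supports.setdefault(name, set())

    def add_support(self, lower, upper):
        for v in (lower, upper):
            if v not in self.vertices:
                raise KeyError(f"unknown vertex: {v}")
        self.supports[lower].add(upper)

    def match(self, layer, **attrs):
        """Vertices in a layer whose attributes equal every given key/value."""
        return sorted(n for n, v in self.vertices.items()
                      if v["layer"] == layer
                      and all(v.get(k) == val for k, val in attrs.items()))

    def impacted(self, start, layer):
        """Breadth-first walk up 'supports' edges; return reachable vertices in one layer."""
        seen, queue = {start}, deque([start])
        while queue:
            for nxt in self.supports[queue.popleft()]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        return sorted(n for n in seen if self.vertices[n]["layer"] == layer)

def query_from_report(model, feature):
    """Convert one report feature (package, version) into a query over all four layers."""
    answers = {}
    for sw in model.match("software", package=feature["package"], version=feature["version"]):
        hosts = sorted(h for h in model.match("hardware") if sw in model.supports[h])
        answers[sw] = {"hosts": hosts,
                       "files": model.impacted(sw, "file"),
                       "work_processes": model.impacted(sw, "work_process")}
    return answers

def build_sample_model():
    """Constructed sample system: two hosts, two applications, two files, two work processes."""
    m = SystemModel()
    m.add_vertex("host-a", "hardware", os="linux")
    m.add_vertex("host-b", "hardware", os="linux")
    m.add_vertex("db@host-a", "software", package="exampledb", version="1.2")
    m.add_vertex("web@host-b", "software", package="exampleweb", version="3.0")
    m.add_vertex("orders.db", "file")
    m.add_vertex("site.conf", "file")
    m.add_vertex("process-orders", "work_process", mission="fulfilment")
    m.add_vertex("publish-catalog", "work_process", mission="sales")
    for lower, upper in [("host-a", "db@host-a"), ("host-b", "web@host-b"),
                         ("db@host-a", "orders.db"), ("web@host-b", "site.conf"),
                         ("web@host-b", "process-orders"),  # software supporting a work process directly
                         ("orders.db", "process-orders"), ("site.conf", "publish-catalog")]:
        m.add_support(lower, upper)
    return m

# Constructed threat-report feature; the advisory id is a placeholder, not a real CVE.
SAMPLE_FEATURE = {"advisory": "PLACEHOLDER-0001", "package": "exampledb", "version": "1.2"}
```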


Allowable Subject Matter
Claims 1, 2, 4, 5, 7-14, 16, 17, and 19-26 are allowed.
The following is an examiner’s statement of reasons for allowance: Independent claim limitation: “the generation of the system model comprises modeling entities of the cyber system using a graph based approach, wherein: each unique element in the hardware layer, software layer, file layer, and workflow process layer, corresponds to a vertex of a graph; associated to each vertex are one or more attributes that make up properties of the model; and edges of the graph are specified by connections between the unique elements and each edge represents a relationship between vertices connected by the edge" in .
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SYED A ZAIDI whose telephone number is (571)270-5995. The examiner can normally be reached Monday-Thursday: 5:30AM-5:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Nickerson can be reached on (469) 295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.






/SYED A ZAIDI/Primary Examiner, Art Unit 2432