DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 12/30/2021 and 08/06/2020 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 1-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant, regards as the invention.
Regarding claims 1, 10 and 15, the limitation “determining by iteratively crawling the data structure a first sub-graph of objects with a risk score greater than the existing risk score of the first target object and coupled to the first target object” is unclear because there cannot be any objects with a risk score greater than the risk score of the first target object, since the first target object is the object with a greatest risk
Claims 7 and 20 are also rejected for reasons similar to those given for claims 10 and 15.
Dependent claims 2-9, 11-14 and 16-20 are also rejected for inheriting the deficiencies of the independent claims from which they depend.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 1-7 and 10-20 are rejected under 35 U.S.C. 103 as being unpatentable over Hasan et al. (NPL - Towards Optimal Cyber Defense Remediation in Energy Delivery Systems, 2019 IEEE GLOBAL COMMUNICATIONS CONFERENCE (GLOBECOM), IEEE, 9 December 2018 (2019-12-09), pages 1-7, IDS reference) in view of Vesely et al. (Pub. No.: US 2018/0322456).
Regarding claim 1: Hasan discloses A computer-implemented method comprising:
accessing a data structure comprised of enterprise objects sorted according to a risk score for each enterprise object (Hasan - [Page 4, Paragraph 1]: sorting the list of nodes according to their consequence values, where i enumerates nodes in ascending order by the product, Ci and maxAi);
identifying a first target object from the enterprise objects with a greatest risk score (Hasan - [Page 1,8-9]: the criticality of a node indicates the maximum amount of damages inflicted on the system when an attacker has compromised the node. [Page 4, Paragraph 1]: we first determined the maxA based on the most critical node);
Hasan - [Page 4, paragraph 1]: Next other nodes’ maxA is determined);
causing a security mitigation action based on the second sub-graph of enterprise objects (Hasan - [Page 2, first paragraph]: After calculating node’s risk, the security administrator can filter out the most critical paths and can reduce risk for those paths by selecting appropriate remediations).
However Hasan doesn’t explicitly teach, but Vesely discloses:
adding the first target object to the first sub-graph of objects thereby forming a second sub-graph of objects (Vesely - [0048]: selecting a cluster of entities from the plurality of entities with the highest ingroup affinity scores, removing the cluster of entities from the subgraph, and adding the cluster of entities to a plurality of clusters of entities. See also [0100]);
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Hasan with Vesely so that nodes with the highest scores are selected and added to a subgraph. The modification would have allowed the system to form a new subgraph.
Regarding claim 2: Hasan as modified discloses wherein the enterprise objects comprise at least one edge and a plurality of nodes, wherein a first node in the plurality of nodes is connected to a second node via an edge that corresponds to a behavior between the connected first and second nodes (Hasan - [Page 5, Fig. 4]: The weighted graph).
Regarding claim 3: Hasan as modified discloses wherein identifying the first target object further comprises at least one of:
identifying a first edge with a greatest risk score; or identifying a first node with a greatest risk score (Hasan - [Page 4, Paragraph 1]: we first determined the maxA based on the most critical node).
Regarding claim 4: Hasan as modified discloses wherein determining a first sub-graph of objects with a risk score greater than the existing risk score of the first target object and coupled to the first target object by iteratively crawling the data structure further comprises:
Hasan - [Page 4, Paragraph 1]: sorting the list of nodes according to their consequence values, where i enumerates nodes in ascending order by the product, Ci and maxAi).
Regarding claim 5: Hasan as modified discloses further comprising:
calculating a risk score of a proposed sub-graph by combining the risk score of the greatest scored connected object with the first target object (Vesely - [0100]: The in-group affinity scores are then computed by summing only the scores connecting the nodes in the subgroup with other entities in the subgroup (1406)); and
determining whether the risk proposed score of the proposed sub-graph is greater than risk score of the first target object (Vesely - [0048]: ranking the entities in the plurality of entities according to their ingroup affinity scores).
The reason to combine is similar to that given for claim 1.
Regarding claim 6: Hasan as modified discloses further comprising generating the second sub-graph of objects based on the determined risk score of the proposed sub-graph, merging the proposed sub-graph with the first target object (Vesely - [0100]: This cluster (1410) is then extracted from the subgraph (1408) and added to a plurality of clusters (1411) which the subgraph is being divided into).
The reason to combine is similar to that given for claim 1.
Regarding claim 7: Hasan as modified discloses further comprising:
identifying a second target object from the enterprise objects with a risk score greater than the risk score of the first object (Hasan - [Page 1,8-9]: the criticality of a node indicates the maximum amount of damages inflicted on the system when an attacker has compromised the node. [Page 4, Paragraph 1]: we first determined the maxA based on the most critical node); and
determining a third sub-graph of objects coupled to the second target object with a risk score greater than the existing risk score of the second target object by iteratively crawling the data structure (Hasan - [Page 4, paragraph 1]: Next other nodes’ maxA is determined).
Regarding claims 10-14: The claims are directed to system claims and do not teach or further define over the limitations recited in claims 1, 4-7. Therefore, claims 10-14 are also rejected for reasons similar to those set forth for claims 1, 4-7.
Regarding claims 15-20: The claims are directed to computer readable medium claims and do not teach or further define over the limitations recited in claims 1, 3-7. Therefore, claims 15-20 are also rejected for reasons similar to those set forth for claims 1, 3-7.

Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Hasan et al. (NPL - Towards Optimal Cyber Defense Remediation in Energy Delivery Systems, 2019 IEEE GLOBAL COMMUNICATIONS CONFERENCE (GLOBECOM), IEEE, 9 December 2018 (2019-12-09), pages 1-7, IDS reference) in view of Vesely et al. (Pub. No.: US 2018/0322456) and DiValentin et al. (Pub. No.: US 2018/0013777).
Regarding claim 8: Hasan as modified doesn’t explicitly teach but DiValentin discloses further comprising generating, for display on a graphical user interface, a visualization of the second sub-graph of enterprise objects (DiValentin - [0016]: Fig. 1, generate one or more visualizations 150 of the network security risks for presentation (e.g., by presentation device 152)).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Hasan and Vesely with DiValentin so that a visual representation of a graph can be generated. The modification would have allowed the system to present the risk graph to a user. 

Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Hasan et al. (NPL - Towards Optimal Cyber Defense Remediation in Energy Delivery Systems, 2019 IEEE GLOBAL COMMUNICATIONS CONFERENCE (GLOBECOM), IEEE, 9 December 2018 (2019-12-09), pages 1-7, IDS reference) in view of Vesely et al. (Pub. No.: US 2018/0322456) and Milazzo et al. (Pub. No.: US 2017/0279818).
Regarding claim 9: Hasan as modified doesn’t explicitly teach but Milazzo discloses wherein causing a security mitigation action further comprises deleting malware from a device (Milazzo - [0064]: The virus mitigator 330 can mitigate malware detected by the scanner 322 to remove the threat posed by the malware).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Hasan and Vesely with Milazzo so that malware is removed. The modification would have allowed the system to enhance security.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Jalil et al. (Patent No.: US 10,192,058) - System and method for determining an aggregate threat score
Maida et al. (Patent No.: US 10,958,667) - Determining computing system incidents using node graphs
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MENG LI whose telephone number is (571)272-8729.  The examiner can normally be reached on M-F 8:30-5:30.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s acting supervisor, Kristine Kincaid can be reached on (571) 272-4063.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8729.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/MENG LI/