DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Drawings
New corrected drawings in compliance with 37 CFR 1.121(d) are required in this application because Fig.3-6: the lines and texts are pixelated and blurry. The images are unsatisfactory for reproduction. 
 Applicant is advised to employ the services of a competent patent draftsperson outside the Office, as the U.S. Patent and Trademark Office no longer prepares new drawings. The corrected drawings are required in reply to the Office action to avoid abandonment of the application. The requirement for corrected drawings will not be held in abeyance.
The use of the terms: “Microsoft”, “Apache” and “Google”, which are trade/service names or  marks used in commerce, has been noted in this application, specifically within the Drawings. The terms should be accompanied by the generic terminology; furthermore the term should be capitalized wherever it appears or, where appropriate, include a proper symbol indicating use in commerce such as ™, SM , or ® following the term.
Although the use of trade names and marks used in commerce (i.e., trademarks, service marks, certification marks, and collective marks) are permissible in patent applications, the proprietary nature of the marks should be respected and every effort 

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-3, 5, 8-10, 12, 15-17 and 19 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Ellis et al. U.S. Patent Application Publication 2016/0028758.
Claims 1, 8 and 15,
	Ellis discloses 
	A system for predicting cyber security risk, the system comprising:
a cyber security risk prediction server configured to:
	collect network parameters of a network associated with an enterprise at risk from cyber security threats (para 0039- Data collection agents are distributed on the network from a management console as will be described further relative to FIG. 2. Agents may be packaged as part of software distribution builds, as appliances that sit on the network or as SaaS nodes in the Cloud.  Theses agents are interpreted to be internal to the enterprise because data is collected on internal devices, as described in para 0093. Additionally, Para 0041- The collector agent software handles the collection of event data, negotiation of security keys with a management server, and tokenization of targeted data from selected netflows. Agent software can run as a SaaS offering, an 
	collect threat intelligence data from a plurality of data sources external to the enterprise at risk from cyber security threats (para 0039- further discloses data collection agents are also distributed throughout the Internet to collect external data, see Fig. 2, item 72E);
	perform an Extract, Transform and Load (ETL) from one or more databases based on the network parameters to obtain relevant threat intelligence data (fig. 1 discloses the collection of data from various sources in item 72,
para 0229- logging data is extracted into SQL tables containing network parameters [mapped to the extraction step], 
Fig. 3 discloses the application of the Rules table to process the collected data. Also see para 0095-0098 for additional transformations. [mapped to the Transform step], 
Para 0101-discloses filtering of records/events that are irrelevant, resulting in relevant records/events. The data is communicated in item 86. [mapped to the Load step]. ) 
	wherein the one or more databases store the threat intelligence data from the plurality of data sources external to the enterprise at risk from cyber security threats (para 0096-the data tables include the data from the data collection, see para 0039 for types of data collected. Data collected from the Internet is an external source) , 
and 

	analyze the relevant threat intelligence data to obtain a predicted threat assessment for the enterprise at risk from cyber security threats (para 0087-0089- discloses the decision engine analyzes the correlated data to determine the likelihood of a threat outcome. Also see Fig. 6).
Ellis further discloses the method is performed by a processor and computer-readable media in paragraph 0093.
Claim 2, 9 and 16,
	wherein the network parameters comprise one or more of the following: types of technology deployed in the network associated with the enterprise, types of network equipment in the network associated with the enterprise, a network location of the types of network equipment, a geographic location of the types of network equipment, and exposure to third party networks in the network associated with the enterprise (para 00121- The logging server and all client machines must have forward and reverse entries in the local DNS. If the network does not have a DNS server, create entries in each system's /etc./hosts. Proper name resolution is required so that log entries are not rejected by the logging server. Also see para 0120-0123, para 0088- discloses the decision engine analyzing the attributes of events including source, node type and attribute type. Para 0048- location information is collected).

	further comprising generating a threat assessment report providing the predicted threat assessment (para 0104- In more detail, there are different probabilities at different levels 116, 117 and 118 which creates multiple possible outcomes 119. By multiplying the payoffs and probabilities for each of the levels 116, 117 and 118 and adding the possible payoffs, a final payoff 120 is calculated for each of the potential outcomes 119. The highest payoff 120 calculated at box 121 may then be used to form a prediction, wherein the process 110 will perform step 122 to Send Prediction Result to Communication Engine 60 at step 123).
Claims 5, 12 and 19,
	wherein the predicted threat assessment comprises a prospective cyber security threat score that assigns a metric value measuring an overall threat level faced by the enterprise at risk from cyber security threats (para 0187-0188- each reporting message contains a severity of threat level, ranging 0-7.).

	Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

s 4, 11 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Ellis et al. U.S. Patent Application Publication 2016/0028758 in view of Stolte et al. U.S. Patent Publication 10,587,644.
Claims 4, 11 and 18,
	Although Ellis discloses substantial limitations of the claimed invention, it fails to explicitly disclose:	
	wherein the threat assessment report comprises one or more of: an individual threat rating score for each of the types of technology deployed in the network associated with the enterprise, a plurality of potential financial losses to the enterprise for each of the types of technology deployed in the network associated with the enterprise, a maximum probable financial loss to the enterprise, and a technology heat map providing a geographic representation of cyber threats based on the network parameters of the network associated with the enterprise. 
	In an analogous art, Stolte discloses 
	wherein the threat assessment report comprises one or more of: an individual threat rating score for each of the types of technology deployed in the network associated with the enterprise, a plurality of potential financial losses to the enterprise for each of the types of technology deployed in the network associated with the enterprise, a maximum probable financial loss to the enterprise, and a technology heat map providing a geographic representation of cyber threats based on the network parameters of the network associated with the enterprise. (Col 18, lines 5-25- discloses reporting the maximum financial risk of security threats) 
. 

Claims 6, 13 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Ellis et al. U.S. Patent Application Publication 2016/0028758 in view of Weith et al. U.S. Patent Application Publication 2017/0359220.
Claims 6, 13 and 20,
	Although Ellis discloses substantial limitations of the claimed invention, it fails to explicitly disclose:	
	wherein the prospective cyber security threat score is normalized against a plurality of other enterprises at risk from cyber security threats.
	In an analogous art, Weith discloses
	wherein the prospective cyber security threat score is normalized against a plurality of other enterprises at risk from cyber security threats (para 0026- normalizes the risk scores by clustering organizations).
	One of ordinary skill in art before the effective filing date of the invention would have found it obvious to combine the score normalization of Weith with the system of Ellis to produce the predictable result of normalizing the security threat scores. One of ordinary skill in the art would be motivated to combine Weith with Ellis to benchmark the threat scores relative to similar enterprises. (Weith para 0026). 

Claims 7 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Ellis et al. U.S. Patent Application Publication 2016/0028758 in view of Ocepek et al. U.S. Patent Application Publication 2020/0120126.


	Although Ellis discloses substantial limitations of the claimed invention, it fails to explicitly disclose:	
	wherein the threat intelligence data from the plurality of data sources external to the enterprise at risk from cyber security threats comprises one or more of the following: dark web data; technology vulnerabilities; deep web data; upstream, downstream and peer network threats; data from hacker discussion boards; changes to behavioral Tactics, Techniques and Procedures (TTP); global internet infrastructure vulnerabilities; and vulnerabilities in supply chain networks for the enterprise. (para 0037)
	In an analogous art, Ocepek discloses
 	wherein the threat intelligence data from the plurality of data sources external to the enterprise at risk from cyber security threats comprises one or more of the following: dark web data; technology vulnerabilities; deep web data; upstream, downstream and peer network threats; data from hacker discussion boards; changes to behavioral Tactics, Techniques and Procedures (TTP); global internet infrastructure vulnerabilities; and vulnerabilities in supply chain networks for the enterprise. (para 0024- disclose the exploit vulnerability data sources include the Dark web and social media websites [mapped to discussion boards].)
	One of ordinary skill in art before the effective filing date of the invention would have found it obvious to combine the risk intelligence sources of Ocepek with the system of Ellis to produce the predictable result of evaluate potential risks for known vulnerabilities in the Dark Web.  One of ordinary skill in the art would be motivated to 

Conclusion
Related Prior art:
	Wiener et al. U.S. Patent Application Publication 2020/0153863- discloses presenting the security risks in a distributed environment in a heatmap. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JOSEPH M COUSINS whose telephone number is (571)270-7746. The examiner can normally be reached 9:00am -5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Tonia Dollinger can be reached on (571) 272-4170. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For 

/JMC/Examiner, Art Unit 2459         

/TONIA L DOLLINGER/Supervisory Patent Examiner, Art Unit 2459