DETAILED ACTION
Examiner's Note:  The Examiner has pointed out particular references contained in the prior art of record within the body of this action for the convenience of the Applicant.  Although the specified citations are representative of the teachings in the art and are applied to the specific limitations within the individual claim, other passages and figures may apply.  Applicant, in preparing the response, should consider fully the entire reference as potentially teaching all or part of the claimed invention, as well as the context of the passage as taught by the prior art or disclosed by the Examiner.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Arguments
Applicant’s remarks filed on 05/25/2022 have been fully considered. 
Regarding claim[s] 1 – 20 under the various obviousness rejections, applicant’s remarks are not persuasive; see the examiner’s response to such remarks in the office action below.
The examiner will answer all other remarks that do not concern the prior art rejections, if any, in the office action below. 
Applicant states on page[s] 2 of the remarks as filed: “
A. Independent Claims 1 and 11 Patentable Over Strom and Sadeh-Koniecpol

Claims 1-4, 6, 7, 10-14, 16, 17 and 20 are rejected on the ground of non-statutory obviousness-type double patenting as being unpatentable over Claims 1, 2, 4, 5, 16, 17, 19 and 20 of commonly owned U.S. Patent No. 10,979,448 (‘448 patent), Applicant traverses this rejection and requests the Examiner to hold this rejection in abeyance until allowable subject matter is identified in the instant application.”
	In response, the examiner points out that the rejection is maintained until applicant files the appropriate e-terminal disclaimer, or the appropriate claim amendments to distinguish the subject matter of the pending claims from the subject matter of the already patented claims.

Applicant states on page[s] 3 and 4 of the remarks as filed: “To establish prima facie obviousness of a claimed invention, all the claimed limitations must be taught or suggested by the prior art. Claim 1, as amended, recites in part:

identifying ... a set of expected responses for responding to a simulated attack. ..;
comparing ... the responses to the simulated attack to the set of expected responses for responding to the simulated attack;
determining ... which ... of the set of expected responses for responding to the simulated attack have occurred or not occurred among the responses to the simulated attack.

Claim 11, although different in scope, recites similar elements. The combination of Strom and Sadeh-Koniecpol fails to teach or suggest at least the above elements of Claims 1 and 11.

The combination of Strom and Sadeh-Koniecpol does not identify a set of expected responses for responding to a simulated attack. The Office action cites to the selection of adversary’s techniques of Strom that emulate adversary’s behavior as evidence of identifying a set of expected responses for responding to a simulated attack. However, the adversary techniques of Strom are different from expected responses for responding to a simulated attack at least because the adversary techniques of Strom illustrate the actions of the attacker, not the responses to the attacks that would be experienced by the victims of the attacker. In short, by identifying adversary’s techniques, Strom does not identify responses to the attacks, but rather characteristics of the actual attacks themselves. (See, Strom, col 2, lines 44-47; See also, Strom col. 1, lines 32-59, explaining the concept of “red teaming”). Meanwhile, Sadeh-Koniecpol does not compensate for this deficiency by Strom — and the Office action does not state otherwise. Instead, Sadeh-Koniecpol focuses on sensing user responses to the attacks, which is different from identifying expected responses to a simulated attack. Therefore, this combination fails to teach or suggest this element.”

	In response, the examiner isn’t persuaded. The examiner points to the prior art of Strom, specifically at col. 2, lines 44 – 47, [According to some embodiments, an adversary's known techniques are selected to emulate that adversary's behavior within the network, which can be useful to test the configuration and security of a network against a known set of techniques]. Then further, Strom at col. 11, lines 35 – 40, [A system for simulating a cyber-attack on a computer network is described below. The system includes a server node for managing a simulated cyber-attack and a plurality of client nodes that execute the commands of and communicate data with the server node.]
	From the above identified teachings of Strom, one of ordinary skill in the art would know that the victim’s response that allowed for the adversary’s successful tactics/method is known before the testing of the configuration and security of the network using the adversary’s tactics. More importantly, from the identified teachings above, Strom already knows the victim’s responses [i.e. applicant’s set of expected response/responses] before the known adversary’s tactics are used to test [i.e. applicant’s simulated attack] the configuration and security of a network. Thus, applicant’s argued features above are an obvious variation of the combination of Strom in view of Sadeh-Koniecpol. This meets applicant’s remark of: “The Office action cites to the selection of adversary’s techniques of Strom that emulate adversary’s behavior as evidence of identifying a set of expected responses for responding to a simulated attack. However, the adversary techniques of Strom are different from expected responses for responding to a simulated attack at least because the adversary techniques of Strom illustrate the actions of the attacker, not the responses to the attacks that would be experienced by the victims of the attacker.”
The examiner’s response above applies to the same or similar remarks made on page[s] 4 and 5 regarding claim[s] 1 and 11 of the remarks as filed.

Applicant states on page[s] 4 and 5 of the remarks as filed: “
II. Dependent Claims Rejected Under 35 U.S.C. §103

Claims 3-5, 9, 13-15 and 19 are rejected under 35 U.S.C. §103 as unpatentable over Strom and Sadeh-Koniecpol in view of U.S. Patent Publication No. 2014/0249927 to De Angelo et al. (“De Angelo”). Claims 6 and 16 are rejected under 35 U.S.C. §103 as unpatentable over Strom and Sadeh-Koniecpol in view of U.S. Patent Publication No. 2018/0248896 to Challitia et al. (“Challitia”). Claims 10 and 20 are rejected under 35 U.S.C. §103 as unpatentable over Strom and Sadeh-Koniecpol in view of U.S. Patent Publication No. 2017/0302683 to Kawauchi et al. (“Kawauchi”). Claims 3-5, 6, and 9-10 depend on and incorporate all of the patentable subject matter of independent Claim 1. Claims 13-15, 16, and 19-20 depend on and incorporate all of the patentable subject matter of independent Claim 11. Applicant traverses these rejections and submits that any combination of Strom, Sadeh-Koniecpol, De Angelo, Kawauchi and Challitia, fails to teach or suggest each and every element of the claimed invention.

For the reasons discussed above, Applicant submits that independent Claims 1 and 11 are patentable and in condition for allowance. The Examiner cites references De Angelo, Kawauchi and Challitia only for purposes of the dependent Claims, and therefore, these references do not detract from the patentability of the independent Claims. Because Claims 3-5, 6, and 9-10 depend on and incorporate all of the patentable subject matter of independent Claim 1 and Claims 13-15, 16, and 19-20 depend on and incorporate all of the patentable subject matter of independent Claim 11, Applicant submits that dependent Claims 3-5, 6, 9-10, 13-15, 16, and 19-20 are also patentable and in condition for allowance. Therefore, Applicant requests the Examiner to withdraw the rejection of Claims 3-5, 6, 9-10, 13-15, 16, and 19-20 under 35 U.S.C.§103.”
In response, the examiner isn’t persuaded. The examiner points out that applicant's arguments fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references.
Response to Amendment
Status of the instant application:
Claim[s] 1 – 20 are pending in the instant application. 
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 05/25/2022 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.
Double Patenting
The non-statutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A non-statutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on non-statutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based e-Terminal Disclaimer may be filled out completely online using web-screens. An e-Terminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about e-Terminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claim[s] 1 – 4, 6, 7, 10 – 14, 16, 17, 20 are rejected on the ground of non-statutory double patenting as being unpatentable over claim[s] 1, 2, 4, 5, 16, 17, 19, 20 of U.S. Patent No. 10979448. Although the claims at issue are not identical, they are not patentably distinct from each other because both the pending application and the patent claim the same or similar subject matter in the following manner:
Systems and methods that minimize an organization’s risk of cybersecurity attack, by simulated cybersecurity attacks. The risk is determined by incident response tracking. The risk is mitigated by incident response training responsive to the simulation outcome. A server executes a simulated cybersecurity attack on a plurality of users and their computer systems of an organization’s network and tracks responses to interactions with computer systems or network components to the simulated cybersecurity attack. The server then validates whether one or more responses of a predetermined set of responses have occurred in response to the simulated security attack on the computer systems or network components.
Also, see the table below for a claim by claim comparison. Each claim of Pending US Application # 17/225931 is listed first, followed by the corresponding claim of US PAT # 10979448.
1. A method comprising:
identifying, by one or more processors, a set of expected responses for responding to a simulated attack to be executed against one or more computer systems on a network;
monitoring, by the one or more processors, responses to the simulated attack executed against the one or more computer systems on the network;
comparing, by the one or more processors, the responses to the simulated attack to the set of expected responses for responding to the simulated attack;
determining, by one or more processors, which one or more of the set of expected responses for responding to the simulated attack have occurred or not occurred among the responses to the simulated attack; and
providing, by the one or more processors for display on a display device, information identifying which of the one or more of the set of expected responses for responding to the simulated attack have occurred or not occurred.

1. A method of validating responses to a simulated cybersecurity attack, the method comprising:
storing, by a server, a predetermined set of expected responses identified to minimize an impact of a simulated cybersecurity attack on an entity;
executing, by a server, a simulated cybersecurity attack on a plurality of users associated with a plurality of computer systems on a network of an entity,
tracking, by the server responsive to monitoring the plurality of computer systems and the network, a plurality of responses of one or more users of the plurality of users of the entity to minimize the impact of the simulated cybersecurity attack on the entity, each of the plurality of responses identifying an interaction with at least one of the plurality of computer systems or component of the network;
comparing, by the server, a timing of the plurality of responses tracked by the server to the predetermined set of expected responses stored by the server to determine compliance by the entity to the predetermined set of expected responses;
determining, by the server responsive to the comparison of the plurality of responses to the predetermined set of expected responses stored by the server, which of the predetermined set of expected responses stored by the server have occurred or not occurred within the plurality of the responses tracked by the server responsive to monitoring the plurality of computer systems and the network; and
displaying, by the server, which of the predetermined set of expected responses that occurred or did not occur within the plurality of responses.

2.    The method of claim 1, wherein the set of expected responses are identified as to minimize an impact of the simulated attack.
1. A method of validating responses to a simulated cybersecurity attack, the method comprising:
storing, by a server, a predetermined set of expected responses identified to minimize an impact of a simulated cybersecurity attack on an entity;
executing, by a server, a simulated cybersecurity attack on a plurality of users associated with a plurality of computer systems on a network of an entity,
tracking, by the server responsive to monitoring the plurality of computer systems and the network, a plurality of responses of one or more users of the plurality of users of the entity to minimize the impact of the simulated cybersecurity attack on the entity, each of the plurality of responses identifying an interaction with at least one of the plurality of computer systems or component of the network;
comparing, by the server, a timing of the plurality of responses tracked by the server to the predetermined set of expected responses stored by the server to determine compliance by the entity to the predetermined set of expected responses;
determining, by the server responsive to the comparison of the plurality of responses to the predetermined set of expected responses stored by the server, which of the predetermined set of expected responses stored by the server have occurred or not occurred within the plurality of the responses tracked by the server responsive to monitoring the plurality of computer systems and the network; and
displaying, by the server, which of the predetermined set of expected responses that occurred or did not occur within the plurality of responses.

3.    The method of claim 1, further comprising monitoring, by the one or more processors, a timing of the responses to the simulated attack.
2.  The method of claim 1, further comprising recording, by the server responsive to the plurality of responses, a length of time for the one or more users of the plurality of users of the entity to perform one or more responses of the predetermined set of expected responses.
4.    The method of claim 3, further comprising comparing, by the one or more processors, the timing of the responses to timing associated with the set of expected responses.
2.  The method of claim 1, further comprising recording, by the server responsive to the plurality of responses, a length of time for the one or more users of the plurality of users of the entity to perform one or more responses of the predetermined set of expected responses.
6.    The method of claim 1, wherein the set of expected responses comprise one or more of identification of a primary attack point of the simulated attack, disconnection of one or more infected computer systems from the network, identification of a version of ransomware, isolation of the ransomware, location of decryption keys or reporting to one or more third parties.
4.  The method of claim 1, wherein the one or more responses of the predetermined set of responses comprises one or more of identification of a primary attack point of the simulated cybersecurity attack, disconnection of one or more infected computer systems from the network, isolation of one or more computers that are associated with the one or more infected computer systems, or reporting to one or more third parties.
7.    The method of claim 1, wherein the responses comprise an interaction with at least one of the one or more computer systems or a component of the network.
1. A method of validating responses to a simulated cybersecurity attack, the method comprising:
storing, by a server, a predetermined set of expected responses identified to minimize an impact of a simulated cybersecurity attack on an entity;
executing, by a server, a simulated cybersecurity attack on a plurality of users associated with a plurality of computer systems on a network of an entity,
tracking, by the server responsive to monitoring the plurality of computer systems and the network, a plurality of responses of one or more users of the plurality of users of the entity to minimize the impact of the simulated cybersecurity attack on the entity, each of the plurality of responses identifying an interaction with at least one of the plurality of computer systems or component of the network;
comparing, by the server, a timing of the plurality of responses tracked by the server to the predetermined set of expected responses stored by the server to determine compliance by the entity to the predetermined set of expected responses;
determining, by the server responsive to the comparison of the plurality of responses to the predetermined set of expected responses stored by the server, which of the predetermined set of expected responses stored by the server have occurred or not occurred within the plurality of the responses tracked by the server responsive to monitoring the plurality of computer systems and the network; and
displaying, by the server, which of the predetermined set of expected responses that occurred or did not occur within the plurality of responses.

10. The method of claim 1, wherein the simulated attack is a simulated ransomware attack.
5.  The method of claim 1, wherein the simulated cybersecurity attack is a simulated ransomware attack.
11.    A system comprising:
one or more processors, coupled to memory and configured to:
identify a set of expected responses for responding to a simulated attack to be executed against one or more computer systems on a network;
monitor responses to the simulated attack executed against the one or more computer systems on the network;
compare the responses to the simulated attack to the set of expected responses for responding to the simulated attack;
determine which one or more of the set of expected responses for responding to the simulated attack have occurred or not occurred among the responses to the simulated attack; and
provide for display on a display device information identifying which of the one or more of the set of expected responses for responding to the simulated attack have occurred or not occurred.

16. A system of validating responses to a simulated cybersecurity attack, the system comprising:
a server comprising one or more processors, coupled to memory and configured to:
store a predetermined set of expected responses identified to minimize an impact of a simulated cybersecurity attack on an entity;
execute a simulated cybersecurity attack on a plurality of users associated with a plurality of computer systems on a network of an entity,
track, responsive to monitoring the plurality of computer systems and the network, a plurality of responses of one or more users of the plurality of users of the entity to minimize the impact of the simulated cybersecurity attack on the entity, each of the plurality of responses identifying an interaction with at least one of the plurality of computer systems or components of the network;
compare a timing of the plurality of responses tracked by the server to the predetermined set of expected responses stored by the server to determine compliance by the entity to the predetermined set of expected responses;
determine, responsive to the comparison of the plurality of responses to the predetermined set of expected responses stored by the server, which of the predetermined set of expected responses stored by the server have occurred or not occurred within the plurality of the responses tracked by the server responsive to monitoring the plurality of computer systems and the network; and
display which of the predetermined set of expected responses that occurred or did not occur within the plurality of responses.
12.    The system of claim 11, wherein the set of expected responses minimize an impact of the simulated attack.
16. A system of validating responses to a simulated cybersecurity attack, the system comprising:
a server comprising one or more processors, coupled to memory and configured to:
store a predetermined set of expected responses identified to minimize an impact of a simulated cybersecurity attack on an entity;
execute a simulated cybersecurity attack on a plurality of users associated with a plurality of computer systems on a network of an entity,
track, responsive to monitoring the plurality of computer systems and the network, a plurality of responses of one or more users of the plurality of users of the entity to minimize the impact of the simulated cybersecurity attack on the entity, each of the plurality of responses identifying an interaction with at least one of the plurality of computer systems or components of the network;
compare a timing of the plurality of responses tracked by the server to the predetermined set of expected responses stored by the server to determine compliance by the entity to the predetermined set of expected responses;
determine, responsive to the comparison of the plurality of responses to the predetermined set of expected responses stored by the server, which of the predetermined set of expected responses stored by the server have occurred or not occurred within the plurality of the responses tracked by the server responsive to monitoring the plurality of computer systems and the network; and
display which of the predetermined set of expected responses that occurred or did not occur within the plurality of responses.
13.    The system of claim 11, wherein the one or more processors are further configured to monitor a timing of the responses to the simulated attack.
17. The system of claim 16, wherein the server is further configured to record, responsive to the plurality of responses, a length of time for the one or more users of the plurality of users of the entity to perform one or more responses within the predetermined set of expected responses.
14.    The system of claim 13, wherein the one or more processors are further configured to compare the timing of the responses to timing associated with the set of expected responses.
17. The system of claim 16, wherein the server is further configured to record, responsive to the plurality of responses, a length of time for the one or more users of the plurality of users of the entity to perform one or more responses within the predetermined set of expected responses.
16. The system of claim 11, wherein the set of expected responses comprises one or more of identification of a primary attack point of the simulated attack, disconnection of one or more infected computer systems from the network, identification of a version of ransomware, isolation of the ransomware, location of decryption keys or reporting to one or more third parties.
19. The system of claim 16, wherein the one or more responses of the predetermined set of responses comprises one or more of identification of a primary attack point of the simulated cybersecurity attack, disconnection of one or more infected computer systems from the network, isolation of one or more computers that are associated with the one or more infected computer systems, or reporting to one or more third parties.
17.    The system of claim 11, wherein the responses comprises an interaction with at least one of the one or more computer systems or a component of the network.
16. A system of validating responses to a simulated cybersecurity attack, the system comprising:
a server comprising one or more processors, coupled to memory and configured to:
store a predetermined set of expected responses identified to minimize an impact of a simulated cybersecurity attack on an entity;
execute a simulated cybersecurity attack on a plurality of users associated with a plurality of computer systems on a network of an entity,
track, responsive to monitoring the plurality of computer systems and the network, a plurality of responses of one or more users of the plurality of users of the entity to minimize the impact of the simulated cybersecurity attack on the entity, each of the plurality of responses identifying an interaction with at least one of the plurality of computer systems or components of the network;
compare a timing of the plurality of responses tracked by the server to the predetermined set of expected responses stored by the server to determine compliance by the entity to the predetermined set of expected responses;
determine, responsive to the comparison of the plurality of responses to the predetermined set of expected responses stored by the server, which of the predetermined set of expected responses stored by the server have occurred or not occurred within the plurality of the responses tracked by the server responsive to monitoring the plurality of computer systems and the network; and
display which of the predetermined set of expected responses that occurred or did not occur within the plurality of responses.
20.    The system of claim 11, wherein the simulated attack is a simulated ransomware attack.
20. The system of claim 16, wherein the simulated cybersecurity attack is a simulated ransomware attack.


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or non-obviousness.
Claim[s] 1, 2, 7, 8, & 11, 12, 17, 18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Strom [US PAT # 10218735] in view of Sadeh – Koniecpol [US PGPUB # 2017/0103674]
As per claim 1. Strom does teach a method [col. 9, lines 10 – 14, Described herein are methods, systems, and devices for simulating cyber-adversary attacks on networks to determine what network resources may include weakness to a cyber-attack and how the weaknesses may be used to operate within a network] comprising:
identifying, by one or more processors, a set of expected responses for responding to a simulated attack to be executed against one or more computer systems on a network [col. 2, lines 44 – 47, According to some embodiments, an adversary's known techniques are selected to emulate that adversary's behavior within the network, which can be useful to test the configuration and security of a network against a known set of techniques];
monitoring, by the one or more processors, responses to the simulated attack executed against the one or more computer systems on the network [Figure # 14, and col. 27, lines 36 – 43, After the simulation server transmits the instructions to perform a selected action, the server may observe responses from one or more host computers that have executed the instructed action in step 1412. Based on the observed responses, the server can update the knowledge base at step 1416 to incorporate new knowledge about the state of the target network and/or adversary. The new knowledge can be used to update the internal model of the logic engine.];
comparing, by the one or more processors [col. 11, lines 6 – 21, the computers referred herein can employ multiple processor designs], the responses to the simulated attack to the set of expected responses [col. 2, lines 44 – 47, According to some embodiments, an adversary's known techniques are selected to emulate that adversary's behavior within the network, which can be useful to test the configuration and security of a network against a known set of techniques] for responding to the simulated attack [col. 11, lines 35 – 40, A system for simulating a cyber-attack on a computer network is described below. The system includes a server node for managing a simulated cyber-attack and a plurality of client nodes that execute the commands of and communicate data with the server node.]. 
Strom does not clearly teach determining, by one or more processors, which one or more of the set of expected responses have occurred or not occurred among the responses for responding to the simulated attack; and
providing, by the one or more processors for display on a display device, information identifying which of the one or more of the set of expected responses for responding to the simulated attack have occurred or not occurred.
However, Sadeh – Koniecpol does teach determining, by one or more processors, which one or more of the set of expected responses have occurred or not occurred among the responses [paragraph: 0090, lines 1 – 2, The system [i.e. applicant’s one or more processors] may detect an interaction event comprising action of the user (or lack thereof) in response to the mock attack 120] for responding to the simulated attack [paragraph: 0078, lines 23 – 27, In an actual context of use, when the user is presented with a mock attack situation, the user does not a priori know that the situation is a mock attack created to evaluate his or her readiness or susceptibility to different threat scenarios]; and
providing, by the one or more processors for display on a display device, information identifying which of the one or more of the set of expected responses for responding to the simulated attack [paragraph: 0078, lines 23 – 27, In an actual context of use, when the user is presented with a mock attack situation, the user does not a priori know that the situation is a mock attack created to evaluate his or her readiness or susceptibility to different threat scenarios.] have occurred or not occurred [paragraph: 0090, lines 1 – 2, The system may detect an interaction event comprising action of the user (or lack thereof) in response to the mock attack 120].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Strom as modified and Sadeh - Koniecpol in order for the monitoring and assessing of network attacks against networks and devices thereon of Strom as modified to include mock attack simulations that do not indicate that the user is being tested in simulated attack of Sadeh - Koniecpol. This would allow for improving the security readiness or prevention of attacks on the network and network devices. See paragraph 0079, lines 1 - 4 of Sadeh - Koniecpol.
As per claim 2. Strom does teach the method of claim 1, wherein the set of expected responses are identified as to minimize an impact of the simulated attack [Strom, Figure # 4 and col. 18, lines 2 – 7, FIG. 4 is a flow diagram illustrating method 400 for simulating a cyber-attack on a network in accordance with some embodiments. Method 400 is performed by a system (e.g., system 100, FIG. 1) with a server, a plurality of computers, and a communication network connecting the server and the plurality of computers.].
As per claim 7. Strom as modified does teach the method of claim 1, wherein the responses comprise an interaction with at least one of the one or more computer systems or a component of the network [Sadeh – Koniecpol, paragraph: 0078, lines 1 – 9, Cybersecurity training via mock attacks involves sensing user susceptibility to one or more threat scenarios by presenting a user with a mock attack situation in his or her actual context of use of a software program, a device, a service, or some other computer-mediated process. The system senses the user's response to the mock attack situation (or lack thereof) in an actual, everyday context of use (software program, a device, a service, or some other computer-mediated process).].
As per claim 8. Strom as modified does teach the method of claim 1, further comprising determining, by the one or more processors, a performance of an entity with respect to the simulated attack based at least on the entity’s compliance to the set of expected responses [Sadeh – Koniecpol, paragraph: 0090, lines 1 – 2, The system may detect an interaction event comprising action of the user (or lack thereof) in response to the mock attack 120].
As per system claim 11 that includes the same or similar claim language as method claim 1, and is similarly rejected.
***The examiner notes that applicant’s recited: “one or more processors,” “memory,” are taught by the prior art of Strom at col. 2, lines 44 – 47.
As per system claim 12 that includes the same or similar claim limitations as method claim 2, and is similarly rejected.

As per system claim 17 that includes the same or similar claim limitations as method claim 7, and is similarly rejected.

As per system claim 18 that includes the same or similar claim limitations as method claim 8, and is similarly rejected.

Claim[s] 3 – 5, 9, 13 – 15, 19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Strom [US PAT # 10218735] in view of Sadeh – Koniecpol [US PGPUB # 2017/0103674] as applied to claim[s] 1 above, and further in view of De Angelo et al. [US PGPUB # 2014/0249927]
As per claim 3. Strom and Sadeh – Koniecpol do teach what is taught in the rejection of claim # 1 above. 
Strom and Sadeh – Koniecpol do not clearly teach the method of claim 1, further comprising monitoring, by the one or more processors, a timing of the responses to the simulated attack.
However, De Angelo does teach the method of claim 1, further comprising monitoring, by the one or more processors, a timing of the responses to the simulated attack [De Angelo, paragraph: 0115, lines 1-15, in a storage means, represented by a data tree, or portion thereof, a matrix, a sequence, a pattern, a container with meta data, or other, comprising one or more of the following, alone, or in set, combination, or permutation: 1) response time to select an action].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Strom and De Angelo in order for the monitoring and assessing of network attacks against networks and devices thereon of Strom, to include cyclic or iterative responses from users of such networks and devices of De Angelo. This would allow for an improved user situational awareness of the network and devices that could be potentially under attack. See paragraph 0006 of De Angelo.
As per claim 4. Strom as modified does teach the method of claim 3, further comprising comparing, by the one or more processors, the timing of the responses to timing associated with the set of expected responses [De Angelo, paragraph: 0115, lines 1-15, in a storage means, represented by a data tree, or portion thereof, a matrix, a sequence, a pattern, a container with meta data, or other, comprising one or more of the following, alone, or in set, combination, or permutation: 1) response time to select an action, 2) response time to select an action per type of event, 3) response time to reject all actions, 4) response time to select an alternate set of actions, 5) response time to select an action from an alternate set, 6) the decision support system event generated by the decision support system, 7) the notification content, type, and means, 8) the action option event or events sent to the display means, 9) the action option chosen by the user, 10) the alternate action open chosen by the user, 11) a user selected specific concurrence or rating 92 of one or more action options or action option types, 12) a user selected specific concurrence or rating 91 of one or more notifications or notification types, 13) the rejection of all action options by the user, 14) the recording by the system of the failure by a user to respond after a set duration of time 15) the recording by the system of the time for the user to make a response].
As per claim 5. Strom as modified does teach the method of claim 3, further comprising providing, by the one or more processors for display on the display device, information identifying the timing of the responses [De Angelo, paragraph: 0044, lines 1 – 6, Response interface screens or means do not generally include the means for 1) a user to directly reject one or more, or all, action options presented, 2) the computer system to report a lack of response after a set time (a null) if there is no response from the user, 3) the user to view and select alternative action options not initially presented as optimal, 4) the system to record, integrate, or learn from the lack of response of a user, the time taken to respond by the user].
As per claim 9. Strom as modified does teach the method of claim 8, further comprising providing, by the one or more processors for display on the display device, a visual representation of a time that the entity took to provide the responses and the time that a benchmark specified the entity to provide the responses [De Angelo, paragraph: 0044, lines 1 – 6, Response interface screens or means do not generally include the means for 1) a user to directly reject one or more, or all, action options presented, 2) the computer system to report a lack of response after a set time (a null) if there is no response from the user, 3) the user to view and select alternative action options not initially presented as optimal, 4) the system to record, integrate, or learn from the lack of response of a user, the time taken to respond by the user].
As per system claim 13 that includes the same or similar claim limitations as method claim 3, and is similarly rejected. 

As per system claim 14 that includes the same or similar claim limitations as method claim 4, and is similarly rejected. 

As per system claim 15 that includes the same or similar claim limitations as method claim 5, and is similarly rejected. 

As per system claim 19 that includes the same or similar claim limitations as method claim 9, and is similarly rejected. 

Claim[s] 6, 16 is/are rejected under 35 U.S.C. 103 as being unpatentable over Strom [US PAT # 10218735] in view of Sadeh – Koniecpol [US PGPUB # 2017/0103674] as applied to claim[s] 1 above, and further in view of Challitia et al. [US PGPUB # 2018/0248896]
As per claim 6. Strom and Sadeh – Koniecpol do teach what is taught in the rejection of claim # 1 above. 
Strom and Sadeh – Koniecpol do not clearly teach the method of claim 1, wherein the set of expected responses comprise one or more of identification of a primary attack point of the simulated attack, disconnection of one or more infected computer systems from the network, identification of a version of ransomware, isolation of the ransomware, location of decryption keys or reporting to one or more third parties.
However, Challitia does teach the method of claim 1, wherein the set of expected responses comprise one or more of identification of a primary attack point of the simulated attack, disconnection of one or more infected computer systems from the network, identification of a version of ransomware, isolation of the ransomware [paragraph 0053, lines 12-16, In an embodiment, the system may quarantine the machine off the network by disabling network connectivity (to both wireless and wired connectivity protocols) so that the ransomware cannot spread to other machines connected by network], location of decryption keys or reporting to one or more third parties.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Strom as modified and Challitia in order for the monitoring and assessing of network attacks against networks and devices thereon of Strom as modified to include real time dynamic behavior monitoring of networks and devices for changing fixtures of the network of Challitia. This would allow for monitoring and assessing by enhancing detection rates, proactive protection measures, before the attack occurs. See paragraph 0055, lines 5 - 8 of Challitia.
As per system claim 16 that includes the same or similar claim limitations as method claim 6, and is similarly rejected. 

Claim[s] 10, 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Strom [US PAT # 10218735] in view of Sadeh – Koniecpol [US PGPUB # 2017/0103674] as applied to claim[s] 1 above, and further in view of Kawauchi et al. [US PGPUB # 2017/0302683]
As per claim 10. Strom and Sadeh – Koniecpol do teach what is taught in the rejection of claim # 1 above. 
Strom and Sadeh – Koniecpol do not clearly teach the method of claim 1, wherein the simulated attack is a simulated ransomware attack.
However, Kawauchi does teach the method of claim 1, wherein the simulated attack is a simulated ransomware attack [paragraph 0011, lines 1 - 10, In order to solve the problems described above, an attack observation apparatus according to the present invention is an attack observation apparatus being an environment where malware is run and an attack of the malware is observed, and includes: a low-interactive simulation environment to execute on a terminal a predetermined response to communication coming from the malware; a high-interactive simulation environment to execute a response to the communication coming from the malware with using a virtual machine which simulates the terminal].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Strom as modified and Kawauchi in order for the monitoring and assessing of network attacks against networks and devices thereon of Strom as modified, to include using a low interactive simulation environment or a high interactive simulation environment for determining if malware is present of Kawauchi. This would allow for monitoring and assessing large scale networks, network devices using fewer computer resources. See paragraph 0012 of Kawauchi.
Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DANT SHAIFER - HARRIMAN whose telephone number is (571)272-7910. The examiner can normally be reached M - F: 9am to 5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand, can be reached on 571-272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/DANT B SHAIFER HARRIMAN/          Primary Examiner, Art Unit 2434