DETAILED ACTION
This office action is in response to the claims filed on 5/19/2020.  Claim(s) 1-19 is/are pending and are examined.
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 
Information Disclosure Statement PTO-1449
The Information Disclosure Statement(s) submitted by applicant on 5/18/2020 and 9/24/2021 has/have been considered. The submission is in compliance with the provisions of 37 CFR § 1.97. Form PTO-1449 signed and attached hereto. 
Claim Interpretations - 35 USC § 112(f)
The following is a quotation of 35 U.S.C. 112 (f): 
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 
	As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
	Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
	Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  
Such claim limitation(s) is/are: “output device outputting a classification report including the classification indicating the pass state or the fail state of the new configuration data” in claim 7; “wherein the output device outputs the pass state or the fail state in the classification report as a framework compliance report with the pass state or the fail state being relative to the predetermined framework” in claim 9; “an input device for receiving training configuration data, security standards data, and new configuration data” in claim 12; “an output device outputting a classification report including the classification” in claim 12; “wherein the output device outputs the pass state or the fail state in a pass/fail compliance report as the classification report” in claim 17; and “wherein the output device outputs the pass state or the fail state in a framework compliance report as the classification report, with the pass state or the fail state being relative to the predetermined framework” in claim 18.

	Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows: 
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claim(s) 1-19 is/are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without adding significantly more.  The analysis is as follows: Step 1: Claims 1-6 are directed to a method.  Claims 7-19 are directed to devices.Step 2A Prong 1: Claims 1, 7, and 12 recite mental processes.  The limitation of “raining a predictor module of a processor using the training configuration data and the security standards data to perform a logistic regression; generating a classification of the new configuration data as having a pass state or a fail state” of claim 1 and similar limitations in claims 7 and 12 are mental processes.  This is actually a task that humans perform before clever computers can be adapted to perform this task.  The claims are written in such a high degree on generality, that one cannot argue that a rudimentary example cannot be made that could be performed by the mind.  Claims 4, 6, 8-9 11, 15-16 and 18-20 further describe the mental process in a high degree of generality.  Step 2A Prong 2: The judicial exception is not integrated into a practical application.  Claim 1 recites a generic receiving/inputting and outputting step which is simply a broadly recited data gathering and outputting steps which are extra solution activities that does not integrate the judicial exception into a practical application.  These steps are also recited in independent claims 7 and 12.  Claims 2 and 14 recite a generic database and the extra solution activity of storing.  Claims 3, 5, 10, and 17 recite extra solution activities further describing the inputting or outputting of data.  Claim 13 recites a generic display which is part of a generic computer.  Similarly, claims 7-19 incorporate a generic processor. Accordingly, these limitations do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea.  Thus, the claim is directed to an abstract idea with information being ephemerally manipulated and is mental process.
	Step 2B: The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception.  As discussed above, generic computing components are recited for inputting, outputting and saving information which are an extra solution activities that does not integrate the judicial exception into a practical application.  Mere instructions to apply an exception using generic computer components cannot provide an inventive concept.  In this case, the claims do not even provide generic computer components.  The claims are not patent eligible.  
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112 (b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

Claim(s) 5-6, 10-11, and 19  is/are rejected under 35 U.S.C. 112 (b), as being indefinite for failing to particularly point out and distinctly claim the subject matter which applicant regards as the invention.

Regarding claim(s) 5-6, 10-11, and 19, the phrase “the old configuration data” makes the claims indefinite and unclear in that it lacks antecedent basis.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1-4, 7-9, and 12-18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Rosler et al. (US 2019/0354881 A1), in view of Laskawiec (US 2021/0232473 A1). 
Regarding claims 1, 7, and 12, Rosler teaches:
“A method (Rosler, Fig. 10, ¶ 73-74 teaches processor, input and outputting devices for performing the disclosed method) comprising: 	receiving training data (Rosler, Figs. 1 and 3, ¶ 27-35 teaches historical audit information which is used as training data), security standards data (Rosler, Figs. 1 and 3, ¶ 27-35 teaches historical audit information which includes data about the number of deviations from the security policies and the severity of the deviations), and new configuration data at an input device (Rosler, Figs. 2 and 4, ¶ 39-42, current system configuration settings and corresponding security requirements are received); 	training a predictor module of a processor using the training data and the security standards data (Rosler, Figs. 1 and 3, ¶ 27-35 teaches training data which includes data about the number of deviations from the security policies and the severity of the deviations and used to train the machine learning classifier); 	generating a classification of the new configuration data as having a pass state or a fail state (Rosler, ¶ 45-47, once the data for the current setup is preprocessed, it is fed into the model and given a pass or fail for the prospective audit); and 	outputting a classification report including the classification at an output device indicating the pass state or the fail state of the new configuration data (Rosler, Figs. 6 and 8, ¶ 48 teaches generating a report containing the pass or fail, i.e. satisfactory or unsatisfactory state of the current setup as well as the particular deviations from the security policy)”.
	Rosler does not, but in related art, Laskawiec teaches:	“training configuration data (Laskawiec, ¶ 23 teaches using configuration data in a computing environment as training data for a machine learning classifier); 
	using the training configuration data to perform logistic regression (Laskawiec, ¶ 23 teaches using configuration data in a computing environment as training data for a machine learning classifier and performing a logistic regression on the training data)”.
	Before applicant’s earliest effective filing it would have been obvious to one of ordinary skill in the art, having the teachings of Rosler and Laskawiec, to modify the configuration testing system Rosler to include the use of a configuration data as training data and logistic regression to train data in a machine learning algorithm.  The motivation to do so constitutes applying a known technique to known devices and/or methods ready for improvement to yield predictable results.
 
Regarding claims 2 and 14, Rosler in view of Laskawiec teaches:
“The method of claim 1 (Rosler in view of Laskawiec teaches the limitations of the parent claims as discussed above), further comprising: 	storing the training configuration data, the security standards data, and the new configuration data in a database (Rosler, ¶ 41 the information is stored in a database including additional information.  Rosler, Figs. 1 and 3, ¶ 27-35 teaches historical audit information which includes data about the number of deviations from the security policies and the severity of the deviations)”.

Regarding claims 3, 8 and 17, Rosler in view of Laskawiec teaches:
“The method of claim 1 (Rosler in view of Laskawiec teaches the limitations of the parent claims as discussed above), wherein the output device outputs the pass state or the fail state in a pass/fail compliance report as the classification report (Rosler, Figs. 6 and 8, ¶ 48 teaches generating a report containing the pass or fail, i.e. satisfactory or unsatisfactory state of the current setup as well as the particular deviations from the security policy)”.

Regarding claims 4, 9, and 18, Rosler in view of Laskawiec teaches:
“The method of claim 1 (Rosler in view of Laskawiec teaches the limitations of the parent claims as discussed above), wherein the security standards data includes a predetermined framework (Rosler, ¶ 41-46 the security standard are defined in security policies); and 	wherein the output device outputs the pass state or the fail state in a framework compliance report as the classification report, with the pass state or the fail state being relative to the predetermined framework (Rosler, Figs. 6 and 8, ¶ 48 teaches generating a report containing the pass or fail, i.e. satisfactory or unsatisfactory state of the current setup as well as the particular deviations from the security policy)”.

Regarding claim 13, Rosler in view of Laskawiec teaches:
“The system of claim 12 (Rosler in view of Laskawiec teaches the limitations of the parent claims as discussed above), wherein the output device is a display for displaying the classification report (Rosler, ¶ 48 and 77 teaches displaying the report on a display)”.

Regarding claim 15, Rosler in view of Laskawiec teaches:
“The system of claim 12 (Rosler in view of Laskawiec teaches the limitations of the parent claims as discussed above), wherein the classification is a binary classification (Rosler, ¶ 25 teaches a binary classification of satisfactory or unsatisfactory)”.

Regarding claim 16, Rosler in view of Laskawiec teaches:
“The system of claim 12 (Rosler in view of Laskawiec teaches the limitations of the parent claims as discussed above), wherein the classification includes one of a pass state and a fail state of the new configuration data (Rosler, Figs. 6 and 8, ¶ 48 teaches generating a report containing the pass or fail, i.e. satisfactory or unsatisfactory state of the current setup as well as the particular deviations from the security policy)”.

Claim(s) 5-6, 10-11 and 19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Rosler, in view of Laskawiec in view of Sinha et al. (US 2018/0308026 A1).
Regarding claims 5 and 10, Rosler in view of Laskawiec teaches:
“The method of claim 1 (Rosler in view of Laskawiec teaches the limitations of the parent claims as discussed above)”.
Rosler in view of Laskawiec does not, but in related art, Sinha teaches: 	“adding the new configuration data to the old configuration data (Sinha, ¶ 74 teaches using a linear regression machine learning system for a risk analysis model and using the current output to update the model and add to the corpus of information forming the existing model)”.
	Before applicant’s earliest effective filing it would have been obvious to one of ordinary skill in the art, having the teachings of Rosler, Sinha, and Laskawiec, to modify the configuration testing system Rosler and Laskawiec to include the use of a continuously updating logistic regression machine learning algorithm as new samples are tested.  The motivation to do so constitutes applying a known technique to known devices and/or methods ready for improvement to yield predictable results. 

Regarding claims 6, 11, and 19, Rosler in view of Laskawiec in view of Sinha teaches:
“The method of claim 5 (Rosler in view of Laskawiec in view of Sinha teaches the limitations of the parent claims as discussed above), further comprising: 	retraining the predictor module with the new configuration data and the old configuration data to update the logistic regression of future configuration data (Sinha, ¶ 74 teaches using a linear regression machine learning system for a risk analysis model and using the current output to update the model and add to the corpus of information forming the existing model)”.


Conclusion
	In the case of amending the claimed invention, Applicant is respectfully requested to indicate the portion(s) of the specification which dictate(s) the structure relied on for proper interpretation and also to verify and ascertain the metes and bounds of the claimed invention.
	The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure: See PTO-892.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to STEPHEN GUNDRY whose telephone number is (571)270-0507 and can normally be reached on Monday - Friday 8:30 AM - 5PM EST.
	If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl can be reached on (571) 272-3685.  The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300.
	Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at (866) 217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call (800) 786-9199 (IN USA OR CANADA) or (571) 272-1000.
/STEPHEN T GUNDRY/Examiner, Art Unit 2435