Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

DETAILED ACTION
The instant application having Application No. 16/969,010 is presented for examination by the examiner.

Priority
Acknowledgment is made of applicant's claim for foreign priority under 35 U.S.C. 119(a)-(d).  The certified copy has been received.


Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows: 

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1-10 are rejected under 35 U.S.C. 101 as directed to the non-statutory subject matter of a computer program.  The claims lack the necessary physical articles or objects to constitute a machine or manufacture within the meaning of 35 U.S.C. 101.  They are clearly not a series of steps or acts to be a process, nor are they a combination of chemical compounds to be a composition of matter.  As such, they fail to fall within a statutory category. 
Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to abstract idea without significantly more. The claim(s) recite(s) steps to evaluate a system’s security and thus grouped as a certain method of organizing human interactions. This judicial exception is not integrated into a practical application because the claims are directed to an abstract idea with additional generic computer elements, and the generically recited computer elements do not add a meaningful limitation to the abstract idea because they amount to simply implementing the abstract idea on a computer. The claim(s) does/do not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional elements, when considered separately and in combination, they do not add significantly more (also known as an “inventive concept”) to the exception.  The server is merely following instructions to evaluate if information about the system is effective/sufficient or not.  The claims are not directed to how a system may independently acquire such data from a computer system.  Instead, it merely executes an algorithm to score the system based on the information presented to it.  Humans are quite capable of interpreting information and giving it a score relative to some risk.  Risk analysis is a human interaction.  There are many examples of this practice in the real world.  Mechanics inspect vehicles with safety concerns, insurers determine how risky it is to cover a particular person or object, and even computer experts are contracted to look at a system and evaluate the security.  The claims do not add significantly more to this abstract idea and therefore the claims are not directed to patent eligible subject matter.
Invitation to Participate in DSMER Pilot Program
The present application satisfies the criteria for participation set forth in the Federal Register Notice entitled “Deferred Subject Matter Eligibility Response (DSMER) Pilot Program.” Therefore, the examiner invites applicant to participate in the DSMER pilot program. 

An applicant who accepts the invitation to participate in this pilot program must still file a reply to every Office action mailed in this application, but may defer presenting arguments or amendments in response to subject matter eligibility (SME) rejection(s) until the earlier of final disposition of the application, or the withdrawal or obviation of all other outstanding non-SME rejections. A final disposition for purposes of this pilot program occurs upon the earliest of: mailing of a notice of allowance; mailing of a final Office action; filing of a notice of appeal; filing of a request for continued examination; or abandonment of the application. Other than applicant’s ability to defer responding to SME rejections, participation in the DSMER pilot program does not alter the normal examination process (e.g., as outlined in MPEP 700), and applicant must still respond to all non-SME rejections when replying to Office actions. 

Further information about the pilot program, including an explanation of the criteria for receiving an invitation, and the conditions of participation, is provided in the Federal Register Notice announcing the program, which is available on the pilot program website https://www.uspto.gov/patents/initiatives/patent-application-initiatives/deferred-subject-matter-eligibility-response.

Applicant has two choices with respect to this invitation:
(1) Applicant may elect to participate in the DSMER pilot program. To effect this choice, applicant MUST accept this invitation by filing a completed request form PTO/SB/456 with a timely response to this Office action. The DSMER Pilot request form must be signed in accordance with 37 CFR § 1.33(b) by a person having authority to prosecute the application, and must be submitted via the USPTO’s patent electronic filing systems (EFS-Web or Patent Center). The form is available on the pilot program website https://www.uspto.gov/patents/initiatives/patent-application-initiatives/deferred-subject-matter-eligibility-response. If the form is properly completed and timely received, the application will be entered into the pilot program.

(2) Applicant may decline to participate in the pilot program. No action is required from applicant to effect this choice, because if applicant does not timely file a properly completed form PTO/SB/456, the application will not be entered into the pilot program.



 
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(B)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

Claims 4-7 and 14 are rejected under 35 U.S.C. 112(b) as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the applicant regards as the invention. 

As per claims 4-6, the introduction of the second evaluation values renders the claim indefinite.  Claim 1 appears to only created a single second evaluation value based on the combination of security function requirements.  It is therefore unclear when multiples values are references.  For purposes of examination the later claim second evaluation values are interpreted as the second evaluation value from claim 1.  Appropriate correction is required.
As per claims 7 and 14, a target value is introduced again and its relationship to the target value in the parent claim is unclear.  Also, the phrase “receives an input of a target value of an item” is unclear.  Does this mean a target value for an item is received?  Moreover, an item is recited again in another confusing phrase, “an item corresponding to the item including the target value received”.  There appears to be some similarity between the statement and the phrase when the item is first defined but its unclear.  




Claim Interpretation

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitation(s) is/are: “unit configured to” in claim 1.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.  The specification discloses each of these unit executes inside of the CPU (see Fig. 2).
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.



Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –


(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.




Claims 1-14 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by USP Application Publication 2013/028336 to Macy et al., hereinafter Macy.

As per claims 1 and 11, Macy the server including: a CPU; and a storage device where a program is stored, the CPU configured to execute the program stored in the storage device (0214), teaches a hierarchy generation unit configured to generate information regarding a plurality of system hierarchies in an evaluation subject system [collector (0100); Fig 1-10, 16, 24; and 0031]; 
an evaluation unit configured to, based on the information regarding the plurality of system hierarchies (0025) generated by the hierarchy generation unit, calculate a first evaluation value of protection effectiveness (individual KPIs; Fig. 1: 12, 20, 28, 30] based on a security function requirement included in each of the plurality of system hierarchies (Fig. 1: 18, 20), and calculate a second evaluation value of protection effectiveness based on a combination of the security function requirements [Fig. 1:34 and 0030; overall system KPI]; and 
a verification unit configured to verify whether each of the security function requirements in the evaluation subject system is in excess or insufficient, based on the first evaluation value calculated by the evaluation unit, the second evaluation value calculated by the evaluation unit (0037, 0039, Figs 4 and 5), and a target value (0062 and 0082) [KPI of each component in the hierarchy are scored according to ideal or expected level.   For some of the evaluation criteria, being in excess of ideal is risky and others being below ideal is risky].

As per claims 2 and 12, Macy teaches wherein the hierarchy generation unit generates the information regarding the plurality of system hierarchies, the plurality of system hierarchies including: a first system hierarchy related to functional safety (Fig. 2: 106); a second system hierarchy configured to transmit and receive data to and from the first system hierarchy (Fig. 2: 104, 104a); and an (n + 1)th system hierarchy configured to transmit and receive the data to and from the (n)th system hierarchy (Fig. 2, 102-1,2,…n), (n)th increased in a sequential order from the second hierarchy (n > 2).

As per claims 3 and 13, Macy teaches in the sequential order from the second system hierarchy to the (n)th system hierarchy, calculate the first evaluation value of the protection effectiveness in each of the system hierarchies based on the security function requirement included in each of the system hierarchies [KPI of each subset in 104; 0025 and 0026); and based on the first evaluation value of the protection effectiveness in each of the system hierarchies calculated, calculate the first evaluation value of overall protection effectiveness within a range from the first system hierarchy to the (n)th system hierarchy [overall KPI for Fig. 2-106; see also Fig. 1-14].

As per claim 4, Macy teaches the verification unit determines that each of the security function requirements is sufficient when a corresponding one of the second evaluation values calculated by the evaluation unit is equal to or more than the target value (0037; situation when low KPI value is risky).
As per claim 5, Macy teaches the verification unit determines that each of the security function requirements is insufficient when a corresponding one of the second evaluation values calculated by the evaluation unit is less than the target value. (0037; situation when high KPI value is risky).
As per claim 6, Macy teaches when each of the security function requirements is determined as sufficient, the verification unit specifies a maximum value of the first evaluation values (0039), based on which the corresponding one of the second evaluation values has been calculated and determined as sufficient (0026 and 0039).
As per claims 7 and 14, Macy teaches the hierarchy generation unit receives an input of a target value [hardened profile] of an item that concurrently satisfies a target value of a functional safety requirement and the target value of the security function requirement (0213), and the evaluation unit calculates the first evaluation value of the protection effectiveness in each of the system hierarchies in an item corresponding to the item including the target value received through the input [0213; KPI determined by counting violation to the set of hardened profile/rules].
As per claim 8, Macy teaches the first system hierarchy corresponds to a physical control layer (0058).
As per claim 9, Macy teaches the hierarchy generation unit receives a system specification [expected answers, and cyber security profiles], and generates the information regarding the plurality of system hierarchies based on a system type [examples listed throughout 0045-0096] included in the system specification received (0043, 0062, and 0082).
As per claim 10, Macy teaches the hierarchy generation unit receives an operation configured to specify each of the plurality of system hierarchies, and generates the information regarding the plurality of system hierarchies in accordance with the operation received (0097 and 0100).




Conclusion
	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure is listed on the enclosed PTO-892 form.
USP 10,250,619: teaches evaluating cyber security through hierarchy layers of the system.


Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL R. VAUGHAN whose telephone number is (571)270-7316.  The examiner can normally be reached on Monday - Thursday, 7:30am - 5:00pm, EST. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on (571) 272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MICHAEL R VAUGHAN/
Primary Examiner, Art Unit 2431