DETAILED ACTION
This Notice of Allowance is in response to applicants’ amendment and remarks filed 02/17/2022.  Claims 1, 9, and 15 have been amended.  Claims 1-20 are currently pending and have been considered as follows.
The text of those sections of Title 35 U.S. Code not included in this section can be found in the prior office action.
The prior office actions are incorporated herein by reference.  In particular, the observations with respect to claim language, and response to previously presented arguments.
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Allowable Subject Matter
Claims 1-20 are allowed.
Examiner’s Statement for Reasons of Allowance
The following is an examiner’s statement of reasons for allowance:
In interpreting the currently amended claims in light of the specification, the Examiner finds the claimed invention to be patentably distinct from the prior art of record.
Independent Claims 1, 9, and 15 are allowed for the reasons argued by applicants in the remarks filed on 02/17/2022 which are persuasive.  Claims 2-8, 10-14, and 16-20 depend upon respective independent claims above and are allowed by virtue of their dependencies.
Although the prior art of Lucangeli Obes et al. (US 20110035803 A1) discloses a “system and method for extending automated penetration testing of a target network is provided” [Abstract]; “system and method provides an automated process for planning and performing a penetration test to assess security within a network of computers, devices and applications. A computer-generated plan is provided for an attack, which isolates the user from the complexity of selecting suitable exploits for hosts in a target network. In addition, a suitable model is provided to represent these attacks so as to systematize the knowledge gained during manual penetration tests performed by expert users, thereby making penetration testing frameworks more accessible to non-experts. Further, incorporating an attack planning phase to the penetration testing framework allows, in accordance with the present invention, optimizations based on, but not limited to, coverage of the tested threats, exploit running time, reliability, or evasion of intrusion detection systems, and other control or defense systems. As is known by those having ordinary skill in the art, intrusion detection systems are devices or applications that inspect network traffic, looking for attacks and generating alerts when attacks are detected. Detection is done by inspecting packet streams looking for "static signatures of attacks," or statistical deviations from good behavior, or variations of previously-identified malicious behavior” [0028]; [0029],
neither Lucangeli nor the prior art of record teaches individually or in combination the limitations listed below as recited in applicants’ amended independent claims:
[Claim 1] “based on a weighted combination of exploit action attributes, wherein, the exploit action attributes comprise a penetration parameter, a detection parameter, and a time parameter associated with each of the one or more exploit actions, the penetration parameter indicates a positive reward associated with a penetration test goal, and the weighted combination negatively adjusts the reward based on the detection parameter and the time parameter”;
[Claim 9] “based on a weighted combination of exploit action attributes, wherein, the exploit action attributes comprise a penetration parameter, a detection parameter, and a time parameter associated with each of the one or more exploit actions, the penetration parameter indicates a positive reward associated with a penetration test goal, and the weighted combination negatively adjusts the reward based on the detection parameter and the time parameter”;
[Claim 15] “based on a weighted combination of exploit action attributes, wherein, the exploit action attributes comprise a penetration parameter, a detection parameter, and a time parameter associated with each of the one or more exploit actions, the penetration parameter indicates a positive reward associated with a penetration test goal, and the weighted combination negatively adjusts the reward based on the detection parameter and the time parameter”.
The closest prior art made of record and cited consisted of the following references.
Swiler et al. (US 7013395 B11) discloses a computer system analysis tool and method that will allow for qualitative and quantitative assessment of security attributes and vulnerabilities in systems including computer networks.  Generating attack graphs wherein each node represents a possible attack state and each edge represents a change in state caused by a single action taken by an attacker or unwitting assistant. Edges are weighted using metrics such as attacker effort, likelihood of attack success, or time to succeed. Generation of an attack graph is accomplished by matching information about attack requirements (specified in "attack templates") to information about computer system configuration (contained in a configuration file that can be updated to reflect system changes occurring during the course of an attack) and assumed attacker capabilities (reflected in "attacker profiles"). High risk attack paths, which correspond to those considered suited to application of attack countermeasures given limited resources for applying countermeasures, are identified by finding "epsilon optimal paths."
Chen et al. (US 20090077666 A1) discloses analyzing security threats associated with software and computer vulnerabilities. Stakeholder values relevant for a software system are identified. The identified stakeholder values are quantified using a quantitative decision making approach to prioritize vulnerabilities of the software system. A structured attack graph is generated to include the quantified stakeholder values to define a scalable framework to evaluate attack scenarios. The structured attack graph includes two or more nodes. Based on the generated structured attack graph, structured attack paths are identified with each attack path representing each attack scenario.
Giakouminakis et al. (US 20130074188 A1) discloses a security tool that can identify vulnerabilities in a computing system and determine a risk level of the vulnerabilities based on base and optional CVSS vectors and additional factors that represent the evolving nature of vulnerabilities. Likewise, the security tool can determine an overall risk for vulnerabilities, an asset, and/or a collection of assets that encompasses a global view of an asset's risk and/or collection of assets' risk, business considerations of an entity that own and controls the asset and/or the collection of assets, and the entity's associations.
Loder et al. (US 20140351940 A1) discloses a security assessment tool that can determine computer assets in a network and provide an overall security score for the network. The overall security score can represent an objective measure of the security of the network that considers potential security threats to the computer assets, counter measures deployed in the network to address the potential security threats, and the effectiveness of the counter measures. Based on the overall security assessment, the security assessment tool can provide recommendations for improving the security of the network.
King (US 20100100930 A1) discloses a method, a multi-tenant security server apparatus and associated system for securing wireless communication of devices. The method includes transferring security policy configuration information from the security server to wireless devices. The method also includes ascertaining compliance of wireless activity of the wireless devices with the security policy configuration using client software modules installed on the wireless devices.
Martinez et al. (US 20140137257 A1) discloses a system that assesses a risk of one or more assets within an operational technology infrastructure by providing a database containing data relating to the one or more assets, calculating a threat score for the one or more assets using one or more processors communicably coupled to the database, calculating a vulnerability score for the one or more assets using the one or more processors, calculating an impact score for the one or more assets using the one or more processors, and determining the risk of the one or more assets based on the threat score, the vulnerability score and the impact score using the one or more processors.
Choi et al. (US 20150058993 A1) discloses a computer generating scoring system results based on analysis of vulnerabilities of nodes in a network configuration. The method also includes the computer applying Bayesian probability to the scoring system results and selected qualitative risk attributes wherein output accounts for dependencies between vulnerabilities of the nodes. The method also includes the computer applying a weighted-average algorithm to the output yielding at least one ranking of nodes in order of likelihood of targeting by an external attacker.
Kaplan et al. (US 20150381650 A1) discloses inviting a distributed plurality of researchers to participate in one or more computer vulnerability research projects directed to identifying computer vulnerabilities of one or more networks and/or computers that are owned or operated by a third party; assessing reputation and skills of one or more of the researchers, and accepting a subset of the researchers who have a positive reputation and sufficient skills to perform the investigations of the computer vulnerabilities; assigning a particular computer vulnerability research project, relating to a particular network under test, to a particular researcher from among the subset of the researchers; using a computer that is logically interposed between the particular researcher and the particular network under test, monitoring communications between the particular researcher and the particular network under test, wherein the communications relate to attempting to identify a candidate security vulnerability of the particular network under test; validating a report of the candidate security vulnerability of the particular network under test that is received from the particular researcher; determining and providing an award to the particular researcher in response to successfully validating the report of the candidate security vulnerability of the particular network under test that is received from the particular researcher.
Kingsford et al. (US 6574737 B1) discloses a computer network penetration test that discovers vulnerabilities in the network using a number of scan modules. The scan modules perform their scanning of the network separately but in parallel. A scan engine controller oversees the data fed to and received from the scan modules, and controls the sharing of information among the modules according to data records and configuration files that specify how a user-selected set of penetration objectives should be carried out. The system allows for penetration strategies to be attempted simultaneously and independently. Information from each strategy is shared with other strategies so each can be more effective, and together they form a very comprehensive approach to network penetration. The strategies can be throttled at different levels to allow for those that are more likely to achieve success to run at the highest speeds. While most strategies collect information from the network, at least one dedicated one analyzes the data produced by the others according to a series of rules. This analysis reduces and refines data and simplifies the design of the various strategies. Data obtained through the various strategies are stored in such a way that new data types can be stored and processed without all the strategies having to be adjusted. Strategies are run according to whether or not they can help in achieving a specified objective. The vulnerability scan is initiated by a user who specifies what targeted network resources to scan. From that point on, the scan is data driven and models how an unwanted attacker would gain unauthorized access to the system.
Russ et al. (US 20080256638 A1) discloses a system and method for providing network penetration testing from an end-user computer.  The method includes the step of determining at least one of a version of a Web browser of a target computer, contact information associated with an end-user that uses the target computer, and applications running on the target computer. The method also includes the steps of determining exploits that are associated with the running applications and that can be used to compromise the target computer, and launching the exploits to compromise the target computer. Network penetration testing may also be provided by performing the steps of determining an operating system of a target computer, selecting one of a group of modules to use in detecting services of the target computer, and detecting the services of the target computer.
GORODISSKY et al. (US 20180219900 A1) discloses penetration testing of a networked system by a penetration testing system (e.g. that is controlled by a user interface of a computing device). In one example, a penetration testing campaign is executed according to a manual and explicit selecting of one or more network nodes of the networked system. Alternatively or additionally, a penetration testing campaign is executed according to a manually and explicitly selected node-selection condition. Alternatively or additionally, a penetration testing campaign is executed according to an automatic selecting of one or more network nodes of the networked system.
However, the prior art of record, taken by itself or in any combination, does not anticipate or make obvious the invention of the present application and in particular the claim features listed above.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicants’ disclosure.
Greenwald et al. (“Automated planning for remote penetration testing”, October 2009, IEEE Military Communications Conference, pp. 1-7)
Futoransky et al. (US 20140237606 A1) is cited for a penetration tester with a cloud computing environment that scales components.
Schultz et al. (US 20170279843 A1) is cited for forecasting risk of cyber-attacks on targeted networks over specified time periods.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Kenneth W Chang whose telephone number is (571)270-7530. The examiner can normally be reached Monday - Friday 9-5pm EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi Arani can be reached on 571-272-3787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/KENNETH W CHANG/Primary Examiner, Art Unit 2438

06.08.2022