Notice of Pre-AIA  or AIA  Status
	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
	Claims 1-20 are pending.
Information Disclosure Statement PTO-1449 
	The Information Disclosure Statement submitted by applicant on 09-16-2021 and 05-20-2022 have been considered. Please see attached PTO-1449. 
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(d):
(d) REFERENCE IN DEPENDENT FORMS.—Subject to subsection (e), a claim in dependent form shall contain a reference to a claim previously set forth and then specify a further limitation of the subject matter claimed. A claim in dependent form shall be construed to incorporate by reference all the limitations of the claim to which it refers.

The following is a quotation of pre-AIA  35 U.S.C. 112, fourth paragraph:
Subject to the following paragraph [i.e., the fifth paragraph of pre-AIA  35 U.S.C. 112], a claim in dependent form shall contain a reference to a claim previously set forth and then specify a further limitation of the subject matter claimed. A claim in dependent form shall be construed to incorporate by reference all the limitations of the claim to which it refers.

Claims 18 and 20 are rejected under 35 U.S.C. 112(d) or pre-AIA  35 U.S.C. 112, 4th paragraph, as being of improper dependent form for failing to further limit the subject matter of the claim upon which it depends, or for failing to include all the limitations of the claim upon which it depends.  
Claims 18  and 20 recite “The system of claim 1”, however, claim 1 is a method claim, not a system claim. For the purpose of the examination, claims 18 and 20 are considered as being dependents of system claim 17.
Claim Rejections - 35 USC § 101
	835 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

	Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.
	The claims when analyzed under 2019 Revised Patent Subject Matter Eligibility Guidance are directed to abstract idea. Claim 17 for example, is directed to a system for characterizing the spread of malware. Claim recite a system and, therefore, is a process and falls within one of the four statutory subject matter.  Claim recites the limitations of : a plurality of computing devices that collect threat information…a computer that receives the threat information…identifies an action that causes the identified threat to spread…identifies assets that could be affected…by the threat and…sending a message….. The collecting/receiving  step is recited at a high level of generality (i.e., as a general means of collecting/receiving information that identifies a threat) and amount to mere data gathering, which is a form of extra solution activity. Identifying an action that causes the identified threat to spread, and identifying assets that could be affected, under the broadest reasonable interpretation are directed to organizing human activity accept for the recitation of computer. That is other than reciting computer  nothing in claim element precludes the step from particularly being perform through human activity. For example, but for the computers a human simply could receive a list that identifies threats and action causing the threat, the human could identify the action by simply looking at the received list. Further, a human simply could identify assets that could be affected by  the spread of the threat, for example, by looking at a list of the affected assets, and sending a message regarding the assets that could be affected by the threat. Thus, the claim recites organizing human activity when analyzed under step 2A prong 1.
	Claim when analyzed under step 2A, Prong 2, recites additional element of  “computing devices”, “computer” and “computer network”.  Each of the additional limitation is no more than mere instruction to apply the exception using a generic computer component. The combination of these additional elements is no more than mere instructions to apply the exception using a generic computer component. Thus, even in combination, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limitations on practicing the abstract idea.
	Claim further when evaluated under step 2B it is no more than what is well-understood, routine, conventional activity in the field. The additional elements of the claim do not amount to significantly more than the judicial exception. The specification does not provide any indication that the “computing devices “computers” and “computer network”, are anything other than a generic computer component. The mere collection of receipt of information and identifying action by use of computer is a well-understood, routing and conventional function when it is claimed in a merely generic manner as it is here. 
	Independent claim 1 and 9 are rejected under 35 U.S.C. 101 for being directed to abstract idea for the same reason discussed above with respect to claim 17.
	Dependent claims 2-8, 10-16 and 18-20 do not cure the deficiency of the independent claims and are rejected under 35 U.S.C. 101 for being directed to abstract idea.

Claim Rejections - 35 USC § 103
		The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

	Claims  1, 5-9 and 13-17 are rejected under 35 U.S.C. 103 as being unpatentable over Kraemer et al. (US Patent No.11,102,223) in view of Aziz et al. et al. (US Patent No. 10,893,059).
	As per claims 1, 9 and 17, Kraemer discloses a method for characterizing the spread of malware, the method comprising:	receiving information that identifies a threat to computers at a computer network (column 7, lines, 27-35 and 65-67, events 60 include information that has a potential security impact on the user devices 102 and its process and is generated in response to detecting a specific process has been compromised by malware; and  aggregator stores received events 60); identifying an action that causes the identified threat to spread to other computers at the computer network (figure 5, column 12, lines 52-61, the event 60-3 include event information including event description and event detail. Event description includes for example summary text with value “funds transfer phishing attack and worm attachment”. The worm attachment identifies an action that causes the identified threat to spread);
 identifying assets that [could be] affected by the spread of the threat to the other computers (column 14, lines 8-12, threat description includes a name and/or ID of one or more application involved , text describing the threat, and a list of user devices 102 affected) ; and sending a message to a computing device (column 15, lines 45-53,  Telemeter system receives threats 40, including threat description and events) regarding the assets that [could be] affected by the spread of the threat (column 15, lines 63-66, the treat description includes a name of applications involved, text describing the threat, a list of user devices affected by threat), the message identifying the threat and the action that causes the threat to spread to the other computers (column 13, line 45- column 13, lines 5-2, event information includes a value indication for example worm attachment which identifies threat and action (phishing attack and worm attachment)).
	While Kraemer discloses identifying assets that are affected by the spread of the threat and sending a message regarding the assets that are affected by the threat, Kraemer does not explicitly disclose, but in an analogous art Aziz discloses identifying assets that could be affected and sending message regarding the assets that could be affected by the threat (column 18, lines 44-63, at step 520 malware detection system provide its determination that  end point device (asset) is possibly (could be) affected by malicious,  at step 525 at step 530 the security logic engine receives an indicator (message) from possible attack on the end point device). 
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Kraemer with Aziz, in order to achieve the predictable result of enhancing detection of  an attack on a network. 
	Kraemer furthermore discloses a non-transitory computer-readable medium and processor as claimed in claim 9 (column 20, lines 23-26, claim 24) and a plurality of computing devices that collect threat information that identifies a threat to devices at a computer network as claimed in claim 17 (column 7, lines 19-29, security agents).
	As per claims 5 and 13, Kraemer furthermore discloses  receiving information that identifies a second threat; and sending a message regarding the second threat to one or more computing devices (column 17, liens 29-37, at step 426, method creates an alert message including the attack description and sends the message to the SIEM. The method determines whether there are any more attack related threats to process in step 428 and loops back to step 412 to process more attacks (second threat). It is noted that lopping back or transitioning to step 412  and 407 for processing of more threats (i.e., second threat, third threat)  is followed by creating and sending the attack description regarding any additional threat (second threat) as shown by Kraemer in figure 6).
	As per claims 6 and 14, Kraemer furthermore discloses identifying at least one action that causes the second threat to spread to other computing devices, wherein the message regarding the second threat identifies the at least one action that causes the second threat to spread to the other computing devices (column 12, lines 52-57 and figure 5, received event 60-3 includes event description 62-3 including among other elements summary text indicating phishing attack and worm attachment (action that causes the threat to spread)). 
	As per claim 7 and 15, Kraemer furthermore discloses receiving information that identifies a plurality of other threats that are spreading to the other computers at the computer network (column 12, line 32- column 13, line 35 and figure 5, event 62-1 to 62-7 identifying a plurality of threats).
	As per claim 8 and 16,  Kraemer furthermore discloses, wherein the threat is at least one of a computer virus, spam, or spyware (column 7, lines 30-34, detecting that a specific process has been compromised by malware).

	Claims   2, 10 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Kraemer et al. (US Patent No.11,102,223) in view of Aziz et al. et al. (US Patent No. 10,893,059), further in view of Goldberg  et al. (US Publication No. 2007/0016955), further in view of Cheng et al. (US Patent No. 2018/0144139).
	As per claims 2, 10 and 18, Kraemer furthermore discloses 
	identifying a type of damage that can be caused at the computer network by the threat; (column 7, lines 27-29, events 60 include information that has a potential security impact on the devices and it process, column 8, lines 52-57,” identifying a type of damage as a “fund transfer phishing attack”). 
	Kraemer in view of Aziz does not explicitly disclose, identifying a cost to rectify a single instance of the type of damage; estimating a total number of computers at the computer network that the threat could affect; and estimating a total cost of rectifying the type of damage at the total number of computers, the total cost estimate identified according to a formula that includes the cost to rectify the single instance of the type of damage and the estimated total number of computers that the threat could affect. However, in an analogous art, Goldberg discloses identifying a cost to rectify a single instance of the type of damage (paragraph [0091], calculating current risk for each asset, current asset risk is the current risk to given asset, in percentage relative to the total value of assets in the system , taking into account the currently implemented countermeasures); estimating a total number of computers at the computer network (paragraph [0067], calculating the total value of all system assets. Value of all system asset s is calculated by summing the ValA of all assets); estimating a total cost of rectifying the type of damage at the total number of computers, the total cost estimate identified according to a formula that includes the cost to rectify the single instance of the type of damage and the estimated total number of computers (paragraph [0036] and [0099], calculating the total system minimal risk , minimal value of system risk is the financial value of the risk to the system if all countermeasure are implemented. It is calculated by summing the multiplications of the asset’s minimal risk MinAR by the asset’s value ValA for each of the assets in the system. Minimal system risk (MinSR) is the risk to the system, in percents relative to the total value of all assets, if all countermeasures are implemented).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Kraemer and Aziz with  Goldberg. This would have been obvious because one of ordinary skill in the art would have been motivated to do so in order to perform risk management of a given system having known vulnerabilities and weakness, based on the assets values of the system.
	Kraemer in view of Aziz and Goldberg does not explicitly disclose estimating a total number of computers at the computer network that the threat could affect. However, estimating a total number of computers at the computer network that the threat could affect is well known in art of computer security as illustrated by Cheng ( paragraph [0210] and figure 23, the number of IoT devices estimated at different risk level are displayed).	
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Kraemer, Aziz and Goldberg with Cheng. This would have been obvious because one of ordinary skill in the art would have been motivated to do so in order to achieve the predictable result of assessing vulnerability of  the network by determining risk associated with  plurality of computer devices of the network.
	
	Claims  3, 11 and 19, are rejected under 35 U.S.C. 103 as being unpatentable over Kraemer et al. (US Patent No.11,102,223) in view of Aziz et al. et al. (US Patent No. 10,893,059), further in view of Wiener et al. (US Publication No. 2020/0153863).
	As per claims 3, 11 and 19, Kraemer  in view of Aziz discloses all limitations of claim as applied to claim 1 above. Kraemer in view of Aziz does  not explicitly disclose but in an analogous art, Wiener discloses  generating a visualization that identifies a potential extent of the spread of the threat to the other computers (paragraph [0148], notify other managed networks of threats, determine the extent and rat of a threat’s spreading, paragraph [0164], GUIs that provide a representation of the state of commuting device and the applications, figure 8A-8C).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Kraemer and Aziz with Wiener. This would have been obvious because one of ordinary skill in the art would have been motived to present the potential security threats discovered across a network to a user in an easy-to understand fashion.

	 Claims 4, 12 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Kraemer et al. (US Patent No.11,102,223) in view of Aziz et al. et al. (US Patent No. 10,893,059), further in view of Kuo et al. (US Publication No. 2009/0083852).
	As per claims 4, 12 and 20, Kraemer  in view of Aziz discloses all limitations of claim as applied to claim 1 above. Kraemer in view of Aziz does  not explicitly disclose but in an analogous art, Kuo discloses  generating a signature from data associated with the threat; and sending the signature to one or more computing devices (paragraph [0033], hashes returned by server 206), wherein the one or more computing devices generate a new signature from received computer data and compare the new signature with the signature generated from the data associated with the threat (paragraph [0033], after the node has received the response form server 206, the node determine whether a file is a malware file by computing a hash (signature) of the file and comparing the hash with the hash (signature) received from server 206).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Kraemer and Aziz with Kuo. This would have been obvious because one of ordinary skill in the art would have been motived to do so in order to achieve the predictable result of identifying computer files that are infected with malware.
	
References Cited, Not Used

	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
	Carver et al., US Publication No. 2018/0124098, discloses Methods, systems, and apparatus, for incident response. In one aspect, a system includes a cognitive engine that is configured to receive data identifying actions performed in response to a computer security threat. Based on the data identifying the actions performed in response to the computer security threat, the system generates one or more workflows and a particular workflow that are associated with the computer security threat and that
each identify one or more actions to remediate the computer security threat. 
	Grieco et al., US Pub No. 2016/0232358, discloses a vulnerability assessment system obtains application metadata for each of a plurality of executable applications observed at one or more devices forming part of an organization's IT infrastructure. The application metadata includes unique software identifiers for each of the plurality of executable applications. The vulnerability assessment system obtains global security risk metadata for executable applications observed at the one or more devices. The vulnerability assessment system maps one or more unique software identifiers in the application metadata to global security risk metadata that corresponds to applications identified by the one or more unique software identifiers, thereby generating a vulnerable application dataset.

Conclusion
	 Any inquiry concerning this communication or earlier communications from the examiner should be directed to Ali Abyaneh whose telephone number is (571) 272-7961. The examiner can normally be reached on Monday-Friday from (8:00-5:00). If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kristine Kincaid can be reached on (571) 272-4063. The fax phone numbers for the organization where this application or proceeding is assigned as (571) 273-8300 Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
/ALI S ABYANEH/Primary Examiner, Art Unit 2437