Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This Office Action is in response to the instant Application 17/011,494 filed on 9/3/2020. Claims 1-20 are pending. This Office Action is Non-Final.

Information Disclosure Statement
The information disclosure statement (IDS), submitted on 9/3/2020, is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Claim Objections
Claim 8 is objected to because of the following informalities:
Regarding Claim 8, the claim is missing an ending ‘.’; a proper form of punctuation is needed. Appropriate correction is required.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1, 7, 8, 10-15 and 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over Levin et al. (US 2020/0310889) in view of Glenn et al. (US 2019/0258804).
	As per claim 1, Levin teaches a computing platform, comprising: at least one processor; a communication interface communicatively coupled to the at least one processor; and memory storing computer-readable instructions that, when executed by the at least one processor, cause the computing platform to (Levin, Paragraph 0003 recites “Generally discussed herein are devices, systems, machine-readable mediums, and methods for cloud resource computer security. A system can include processing circuitry, and a memory device coupled to the processing circuitry, the memory device including instructions stored thereon for execution by the processing circuitry to perform operations for computer security,”):
	receive, via the communication interface and from a computing device, indications of usage of a plurality of controls associated with an enterprise computing system; identify, based on a mapping between the plurality of controls and a plurality of attack vectors, one or more controls of the plurality of controls that are mapped to an attack vector (Levin, Paragraph 0034 recites “Typically, an attack on the server 102 is different than an attack on the VM 104, which is different than an attack on a container, etc. These different attack vectors are usually handled by instantiating different security techniques with monitoring at each device. Also, these attack vectors can be related, as an attack on a container can be triggered by an impersonation attack, which can be detected by identifying an increase in failed login attempts or abnormal usage of a resource of the cloud infrastructure 112 (relative to the user permitted to access). Further, these typical attacks result in a number of alerts being provided to the customer (a security officer of the customer) without explanation that the alerts regard or might regard a related security breach event. These alerts are generally from disparate sources that have different scope and severity metrics. The security officer is then forced to determine the importance of and relation between the security alerts. With an increasing number of threat vectors, corresponding detection types, or types of resources being accessed in the cloud infrastructure 112 by a customer, the number of alert detection sources, scopes, and metrics increases to become quickly unmanageable.” Levin is teaching a monitoring of devices about their usage in an enterprise, and the relationship between an attack vector and the usages that are suspicious);
	determine, based on indications of usage of the one or more controls, respective compliance scores of the one or more controls (Levin, Paragraph 0055 recites “The rule with the threshold can include, for example, “provide alert for resource X if determined importance to user is greater the Z1” or “provide alert for alert type W if determined importance is greater than Z2”. The threshold can be learned by the user alert profile generator 226 based on user characteristics of the user, user characteristics of similar users, or a combination thereof. For example, if a user mostly provides a not relevant feedback for alert type A1, then the threshold for reporting alerts of type A1 in the future can increase.” Compliance would appear to be used to determine if a control is compliant or operating within a threshold.  Levin teaches a threshold in accordance with resources in a network, which is seen as synonymous). 
	But Levin fails to teach determine, based on the respective compliance scores, a vulnerability score associated with the attack vector; and send, via the communication interface to the computing device, an indication of the determined vulnerability score associated with the attack vector.
	However, in an analogous art Glenn teaches determine, based on the respective compliance scores, a vulnerability score associated with the attack vector (Glenn, Paragraph 0049 recites “The vulnerability exposure scoring module 306 may then map the detected vulnerability to a score according to a predefined mapping. For example, in one embodiment, the vulnerability exposure scoring module 306 may utilize a Common Vulnerability Scoring System (CVSS) to generate the vulnerability scores. Particularly, an embodiment may utilize an Attack Vector (AV) metric in determining the vulnerability scores. In other embodiments, the vulnerability exposure scoring module 306 may obtain vulnerabilities and associated scores from a vulnerability scanner that executes externally to the workloads 138 (e.g., on a separate scanning server) to scan the workloads 138 and report the results of the scan to the vulnerability exposure scoring module 306.” Compliance scores are taught by Levin and this limitation is taught by the combination of Levin in view of Glenn);
	and send, via the communication interface to the computing device, an indication of the determined vulnerability score associated with the attack vector (Glenn, Paragraph 0074 recites “ The segmentation server 120 obtains 802 vulnerability exposure scores associated with each port 134 on workloads 138 operating in an administrative domain 150. The segmentation server 120 aggregates 804 the vulnerability exposure scores to generate aggregate vulnerability exposure information. … The segmentation server 120 outputs 808 the presentation (e.g., via a web interface) to enable an administrator to view and interact with the vulnerability exposure information.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Glenn’s generating vulnerability exposure scores in a segmented computing environment with Levin’s cloud security using security alert feedback because the use of creating vulnerability scores is a good way of assessing the severity of computer system security vulnerabilities.


	As per claim 7, Levin in combination with Glenn teaches the computing platform of claim 1, Levin further teaches wherein a compliance score of zero may indicate that a control is not used at the enterprise computing system (Levin, Paragraph 0059 recites “This allows flexibility to provide different scores to different alerts based on the alert itself and based on the properties of the findings if the alert generator 356. In some embodiments, the threshold (if there is a threshold) in the alert rules 232 can be used by the user specific alert scorer 360 to determine the personalized scored alert 362.” A threshold depicts if a rule is to be made or not. When there is no threshold then the compliance would be zero.).

	As per claim 8, Levin in combination with Glenn teaches the computing platform of claim 1, Levin further teaches wherein a compliance score that is greater than zero may indicate that a control used at the enterprise computing system (Levin, Paragraph 0059 recites “This allows flexibility to provide different scores to different alerts based on the alert itself and based on the properties of the findings if the alert generator 356. In some embodiments, the threshold (if there is a threshold) in the alert rules 232 can be used by the user specific alert scorer 360 to determine the personalized scored alert 362.” A threshold depicts if a rule is to be made or not. When there is no threshold then the compliance would be zero.).

	As per claim 10, Levin in combination with Glenn teaches the computing platform of claim 1, Levin further teaches wherein the computer-readable instructions, when executed by the at least one processor, cause the computing platform to: compare the determined vulnerability score with a threshold vulnerability score; and responsive to determining that the determined vulnerability score is lower than the threshold vulnerability score, transmit, via the communication interface to the computing device, an indication that the one or more controls are not compliant (Levin, Paragraph 0055 recites “The rule with the threshold can include, for example, “provide alert for resource X if determined importance to user is greater the Z1” or “provide alert for alert type W if determined importance is greater than Z2”. The threshold can be learned by the user alert profile generator 226 based on user characteristics of the user, user characteristics of similar users, or a combination thereof. For example, if a user mostly provides a not relevant feedback for alert type A1, then the threshold for reporting alerts of type A1 in the future can increase.”).

	As per claim 11, Levin in combination with Glenn teaches the computing platform of claim 10, Levin further teaches wherein the computer-readable instructions, when executed by the at least one processor, cause the computing platform to: determine, based on the mapping, one or more additional controls mapped to the attack vector, wherein the one or more additional controls are not being used at the enterprise computing system; and send, via the communication interface to the computing device, an indication of the one or more additional controls (Levin, Paragraph 0055 recites “The rule with the threshold can include, for example, “provide alert for resource X if determined importance to user is greater the Z1” or “provide alert for alert type W if determined importance is greater than Z2”. The threshold can be learned by the user alert profile generator 226 based on user characteristics of the user, user characteristics of similar users, or a combination thereof. For example, if a user mostly provides a not relevant feedback for alert type A1, then the threshold for reporting alerts of type A1 in the future can increase.”).

	As per claim 12, Levin in combination with Glenn teaches the computing platform of claim 11, Levin further teaches wherein the one or more additional controls comprise at least one control among the one or more controls (Levin, Paragraph 0034 recites “Typically, an attack on the server 102 is different than an attack on the VM 104, which is different than an attack on a container, etc. These different attack vectors are usually handled by instantiating different security techniques with monitoring at each device. Also, these attack vectors can be related, as an attack on a container can be triggered by an impersonation attack, which can be detected by identifying an increase in failed login attempts or abnormal usage of a resource of the cloud infrastructure 112 (relative to the user permitted to access). Further, these typical attacks result in a number of alerts being provided to the customer (a security officer of the customer) without explanation that the alerts regard or might regard a related security breach event. These alerts are generally from disparate sources that have different scope and severity metrics. The security officer is then forced to determine the importance of and relation between the security alerts. With an increasing number of threat vectors, corresponding detection types, or types of resources being accessed in the cloud infrastructure 112 by a customer, the number of alert detection sources, scopes, and metrics increases to become quickly unmanageable.”).

	As per claim 13, Levin in combination with Glenn teaches the computing platform of claim 1, Glenn further teaches wherein the determining the vulnerability score is based on a quantity of the one or more controls that are mapped to the attack vector (Glenn, Paragraph 0049 recites “The vulnerability exposure scoring module 306 may then map the detected vulnerability to a score according to a predefined mapping. For example, in one embodiment, the vulnerability exposure scoring module 306 may utilize a Common Vulnerability Scoring System (CVSS) to generate the vulnerability scores. Particularly, an embodiment may utilize an Attack Vector (AV) metric in determining the vulnerability scores. In other embodiments, the vulnerability exposure scoring module 306 may obtain vulnerabilities and associated scores from a vulnerability scanner that executes externally to the workloads 138 (e.g., on a separate scanning server) to scan the workloads 138 and report the results of the scan to the vulnerability exposure scoring module 306.” Compliance scores are taught by Levin and this limitation is taught by the combination of Levin in view of Glenn).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Glenn’s generating vulnerability exposure scores in a segmented computing environment with Levin’s cloud security using security alert feedback because the use of creating vulnerability scores is a good way of assessing the severity of computer system security vulnerabilities.

	As per claim 14, Levin in combination with Glenn teaches the computing platform of claim 1, Glenn further teaches wherein the computer-readable instructions, when executed by the at least one processor, cause the computing platform to: determine one or more additional vulnerability scores associated with one or more other attack vectors among the plurality of attack vectors; determine an aggregate vulnerability score based on the vulnerability score of the attack vector and the one or more other additional vulnerability scores associated with the one or more other attack vectors; and send, via the communication interface to the computing device, an indication of the aggregate vulnerability score (Glenn, Paragraph 0074 recites “FIG. 8 is a flowchart illustrating an example embodiment of a process for aggregating vulnerability exposure scores to generate a presentation of vulnerability exposure information. The segmentation server 120 obtains 802 vulnerability exposure scores associated with each port 134 on workloads 138 operating in an administrative domain 150. The segmentation server 120 aggregates 804 the vulnerability exposure scores to generate aggregate vulnerability exposure information. Depending on configuration settings or user requests, the segmentation 120 may aggregate the vulnerability scores in different ways. For example, the segmentation server 120 may generate port number scores by combining vulnerability exposures scores associated with a particular port number for all workloads within 138 a tier or other predefined group. Furthermore, the segmentation server 120 may generate group level scores by combining vulnerability scores associated with all workloads 138 in a tier or other predefined group across all port numbers. The segmentation server 120 then generates 806 a presentation of the aggregate vulnerability exposure information (e.g., as illustrated in FIG. 4 described above). 
The segmentation server 120 outputs 808 the presentation (e.g., via a web interface) to enable an administrator to view and interact with the vulnerability exposure information.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Glenn’s generating vulnerability exposure scores in a segmented computing environment with Levin’s cloud security using security alert feedback because the use of creating vulnerability scores is a good way of assessing the severity of computer system security vulnerabilities.

Regarding claims 15 and 20, claims 15 and 20 are directed to a method and a non-transitory readable medium associated with the computing platform of claim 1. Claims 15 and 20 are of similar scope to claim 1, and are therefore rejected under similar rationale.

Regarding claim 17, claim 17 is directed to a similar method associated with the computing platform of claim 10. Claim 17 is similar in scope to claim 10, and is therefore rejected under similar rationale.

Regarding claim 18, claim 18 is directed to a similar method associated with the computing platform of claim 11. Claim 18 is similar in scope to claim 11, and is therefore rejected under similar rationale.

Regarding claim 19, claim 19 is directed to a similar method associated with the computing platform of claim 7. Claim 19 is similar in scope to claim 7, and is therefore rejected under similar rationale.


Claim 2 is rejected under 35 U.S.C. 103 as being unpatentable over Levin et al. (US 2020/0310889) and Glenn et al. (US 2019/0258804) and in further view of Ruane et al. (US 2021/0226779).

	As per claim 2, Levin in combination with Glenn teaches the computing platform of claim 1, but fails to teach wherein the enterprise computing system comprises a plurality of sub-systems, and wherein the attack vector targets one or more sub-systems within the plurality of sub-systems.
	However, in an analogous art Ruane teaches wherein the enterprise computing system comprises a plurality of sub-systems, and wherein the attack vector targets one or more sub-systems within the plurality of sub-systems (Ruane, Paragraph 0015 recites “Reducing the number of command types also reduces the number of attack vectors that may be used to gain unauthorized access to memory sub-systems thereby providing an additional security benefit.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Ruane’s dynamic command extension for a memory sub-system with Levin’s cloud security using security alert feedback because the use of having attack vectors per subsystem is beneficial to have information for all areas which could be exploited.



Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Levin et al. (US 2020/0310889) and Glenn et al. (US 2019/0258804) and in further view of Chen Kaidi (US 2021/0377288).

	As per claim 9, Levin in combination with Glenn teaches the computing platform of claim 8, but fails to teach wherein the computer-readable instructions, when executed by the at least one processor, cause the computing platform to determine the compliance score of the control based on: a total quantity of protocols associated with the control; and a quantity of protocols, among the protocols associated with the control, used at the enterprise computing system.
	However, in an analogous art Chen Kaidi teaches wherein the computer-readable instructions, when executed by the at least one processor, cause the computing platform to determine the compliance score of the control based on: a total quantity of protocols associated with the control; and a quantity of protocols, among the protocols associated with the control, used at the enterprise computing system (Chen Kaidi, Paragraph 0065 recites “ For example, the machine learning model may be trained using malicious network traffic logs, where the aggregate values may be determined using different weights and/or attributes trained from the malicious network traffic log. Further, at step 428, the service provider determines an aggregate value threshold, such as a threshold score or percentage for the aggregate values. For example, the service provider may set the aggregate value threshold as 65%, where aggregate values in the malicious log signature are required to be at or above 65% to utilize within a search of the additional log signatures.” It is interpreted that by using a plurality of protocols that the goal is to get an aggregate value, which is taught by Chen Kaidi).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Chen Kaidi’s identifying patterns in computing attacks through an automated traffic variance finder with Levin’s cloud security using security alert feedback because the use of aggregate values helps to create a potentially more accurate value, since it takes into account other variables.

Allowable Subject Matter
Claims 3-6 and 16 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to RODERICK TOLENTINO whose telephone number is (571)272-2661. The examiner can normally be reached Mon-Fri 8am-4pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on 571-270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

RODERICK TOLENTINO
Examiner
Art Unit 2439



/RODERICK TOLENTINO/Primary Examiner, Art Unit 2439