Detailed Action
Claims 1-20 are presented for examination.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 3-8, 10-15 and 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over Joshi et al (US Pub. No. 2014/0337974).

Re Claim 1. Joshi discloses a method of evaluating cyber assets, comprising: obtaining, from a plurality of data sources in an experimental environment, raw data generated in response to execution of a cyber asset (i.e. A vulnerability present in Adobe Acrobat Reader®, CVE-2009-0927 [20], was simulated as it was reproducible in a small controlled environment and has the characteristics necessary for validation of the system 100. The vulnerability was a stack based overflow in Adobe Acrobat Reader®, which allowed remote executors to execute arbitrary code. The attack resided in the Annots.api plug-in of Adobe Acrobat Reader®. The vulnerability database of the IBM® Proventia Network Scanner was set to a level where it could not detect the CVE-2009-0927 attack directly. The attack payload was embedded in a PDF file and was configured to open up a TCP port for a remote machine on execution … Web data sources (nontraditional data sources 130) that output unstructured text data, such as vulnerability description feeds (CVE, CCE, CPE, CVSS, XCCDF, OVAL) [2], hacker forums, chat rooms, blogs, etc., were traversed to get a set of named entities out of the unstructured text) [Joshi, para.0069-0071, see also para.0041-0043, Note: unstructured data is interpreted as raw data]; and generating, from the raw data, at least one instance model corresponding to the respective plurality of data sources, the at least one instance model comprising a plurality of instances of concepts represented in a cyber impact ontology (i.e. After analyzing the data from these sensors, the information extracted is added to a knowledge base. Reasoning logic rules, which correlate multiple separate and/or distinct data sensors, are also stored in the knowledge base. The extracted information and the reasoning logic rules are used to identify the situation or context in which an attack can occur. The reasoning logic rules are preferably expressed in the same ontology as that used for representing the data) [Joshi, para.0045], (i.e. Web data sources (nontraditional data sources 130) that output unstructured text data, such as vulnerability description feeds (CVE, CCE, CPE, CVSS, XCCDF, OVAL) [2], hacker forums, chat rooms, blogs, etc., were traversed to get a set of named entities out of the unstructured text. The CVE description [20] and a technology blog post [21] were chosen as text from which the named entities were to be extracted. The named entities were then asserted by the ontology module 110A onto the knowledge base module 110C using the terms in the ontology, and were used by the reasoning logic module 110B for decision making. OpenCalais [22], an open source semantic analysis tool, was used as the entity and concept analyzing module 140. OpenCalais took unstructured text data as input and output a set of named entities. OpenCalais also tried to group the named entities in certain classes. OpenCalais was given unstructured text data from two web links … FIGS. 10A-10C show a summary of the Adobe attack, the unstructured text data used, and the steps executed by the system 100, respectively, to conclude the occurrence of an attack. The named entities extracted from the entity and concept analyzing module 140 (OpenCalais) and the IBM® Proventia ES750 Network Scanner are asserted into the knowledge base module 110C in the form of N3-triples by the ontology module 110A) [Joshi, para.0071-0072, 0076].
	Joshi does not teach all the above cited paragraphs in the same embodiment; however, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to combine the embodiments of Joshi because such modifications are suggested in Joshi: The description of the present invention is intended to be illustrative, and not to limit the scope of the claims. Many alternatives, modifications, and variations will be apparent to those skilled in the art [Joshi, para.0094]. The motivation applies to the dependent claims.

Re Claims 8 and 15. These claims recite features similar to those in claim 1, therefore they are rejected in a similar manner.

Re Claims 3, 10 and 17. Joshi discloses the features of claims 1, 8 and 15, Joshi further discloses: wherein the plurality of data sources comprises a network sensor (i.e. Examples of traditional data sources include, but are not limited to, network activity monitors, host based activity monitors, hardware security sensors and IDPSs) [Joshi, para.0044].

Re Claims 4, 11 and 18. Joshi discloses the features of claims 1, 8 and 15, Joshi further discloses: wherein the at least one instance model comprises at least one derived aggregate attribute (i.e. the collaborative processing system 110 aggregates the data from the data sources, applies reasoning logic to the aggregated data and detects potential threats/intrusions based on the reasoning logic applied to the aggregated data) [Joshi, para.0054, see also para.0065-0066].

Re Claims 5, 12 and 19. Joshi discloses the features of claims 4, 11 and 18, Joshi further discloses: wherein the at least one derived aggregate attribute is selected from the group consisting of a success attribute (i.e. These complex rules operate across a variety of data sources and at a high level of abstraction. For instance, a rule could say that if blogs are describing potential flaws in some software X and that same software X is installed on a computer and its corresponding process Y is opening connection to a previously never connected IP address in country Z, then there is an attack) [Joshi, para.0065,0066], an attribution attribute (i.e. The log also pointed out the product using this service, i.e., Adobe Acrobat Reader®) [Joshi, para.0075], a collateral damage attribute (i.e. and a set of key classes that are relevant in terms of data representation of a vulnerability were identified. Specifically, the following seven classes of relevance were identified: … Consequences: Final result of an attack (e.g. Denial of Service) …) [Joshi, para.0080,0083], a speed attribute (i.e. a threat or attack can be determined using data that is spatially (e.g., geographically) and temporally separated. This results in a context aware IDPS that is better equipped to stop creative attacks, such as those that follow a low-and-slow intrusion pattern) [Joshi, para.0045], a detectability attribute (i.e. The logs from these systems were also used as packet captures where threats/attacks were not detected) [Joshi, para.0070], and an adaptability attribute (i.e. In the text "This vulnerability is present in Adobe Acrobat X and earlier versions . . . " the phrase "and earlier versions" indicates that all Adobe Acrobat versions before version 10 are also vulnerable to the threat. These words hold key information about other versions that are vulnerable. The NER_Modifier class identifies these terms. It was observed that such terms were generally described immediately before or after a Software term or an Operating System term. Identifying these pieces of text leverages the identification of product versions that may be susceptible to the vulnerability) [Joshi, para.0086, Note: identifying that a vulnerability affects multiple versions of a product teaches an adaptability attribute].

Re Claims 6, 13 and 20. Joshi discloses the features of claims 1, 8 and 15, Joshi further discloses: wherein the at least one instance model comprises a plurality of semantic graphs (i.e. FIG. 7 shows an example of an ontology backbone of the collaborative processing system 110 [18] [19]. It gives a high-level overview of the reasoning mechanism being used by the reasoning logic module 110B for analysis and result deduction. Each of the classes of the ontology have properties which give important information regarding that class. For example, the `system` class has properties like `hasMaliciousProcess`, `maliciousProcessDetails`, `hasAffectedProduct`, `affectedProductDetails`, `outboundAccess`, `portDetails` etc. which map information from a network activity monitor 120A and unstructured text data from a nontraditional data source 130) [Joshi, para.0068, Fig.7 depicts multiple connected subgraphs, for example the Input Validation graph and the Logic Exploit graph are subgraphs in the Means subgraph].

Re Claims 7 and 14. Joshi discloses the features of claims 1 and 8, Joshi further discloses: wherein the experimental environment comprises one or more experimental components configured to emulate one or more components of a target system (i.e. The system 100 was tested by simulating an attack in a controlled environment on a local network (a private Ethernet based network consisting of 2 desktop machines and an IBM ES750 Network Scanner) and observing the results of the system 100,) [Joshi, para.0069].

Claims 2, 9 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Joshi et al (US Pub. No. 2014/0337974) in view of Smith et al (US Pub. No. 2019/0349426).

Re Claims 2, 9 and 16. Joshi discloses the features of claims 1, 8 and 15, Joshi further discloses: wherein generating the at least one instance model comprises executing a plurality of semantic transformers (i.e. FIGS. 8A and 8B show the unstructured text data given to the entity and concept analyzing module 140. The text shown in FIG. 8A is a CVE text description [20] and FIG. 8B is a Juniper Networks® link text description [21]. The entity and concept analyzing module 140 (OpenCalais) takes the unstructured text data and attaches semantically rich metadata (such as the topic being discussed, entities that pop up in the text, events and facts that occur, etc.) to the content.) [Joshi, para.0073].
	Joshi does not explicitly disclose, whereas Smith does: wherein at least one semantic transformer in the plurality of semantic transformers is configured as a removable plug-in (i.e. A semantic translator 10630 may be used to translate the semantic representation of the payload in the ingress data 10602 to the semantic representation used for the payload in the egress data 10610. This may involve, for example, using a first data semantics plug-in 10632 to convert the payload from a first semantic representation 10608, such as HTML to an intermediate state,) [Smith, para.00790].
	It would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify Joshi with Smith because many different semantic representations may be used, and the plug-ins may be selected based on the translations needed [Smith, para.00790].



Pertinent prior art made of record, however not relied upon, includes:
Huang et al (US Pub. No. 2016/0226895) describes a security monitoring system, operated by a downstream client, that continually collects event information indicating events that have occurred within the computing environment of the downstream client. The monitoring system, using software provided by a threat analytics system, aggregates the event information into a secure and space efficient data structure. The monitoring system transmits the data structures storing event information to the threat analytics system for further processing. The threat analytics system also receives threat indicators from intelligence feed data sources. The threat analytics system compares the event information received from each security monitoring system against the threat indicators collected from the intelligence feed data sources to identify red flag events. The threat analytics system processes the event information to synthesize all information related to the red flag event and reports the red flag event to the downstream client.


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to NOURA ZOUBAIR whose telephone number is (571)270-7285. The examiner can normally be reached Monday - Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand, can be reached on 571-272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/NOURA ZOUBAIR/Primary Examiner, Art Unit 2434