DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 8 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Tao (CN 107579855 A), further in view of Drihem (US 2018/0343277), and further in view of Andres (US 8,201,257).

Regarding claims 1, 8 and 15, Tao (CN 107579855 A) teaches A system, comprising: 
a target device storing secure information (see Machine Translation, page 2, [0005]: “The traditional security operation and maintenance method uses the RDBMS relational database management system to store and manage various security data”) and one or more security tools configured to protect against unauthorized access of the secure information (see Machine Translation, page 9, [0033]: “Fig. 4 is the UML diagram of the security policy domain in Fig. 1”. And see Machine Translation, page 15, [0049] and Fig. 4: “For the construction of the UML diagram of the security policy domain: according to a series of rules and security policy information formulated by the corresponding network security defense device in the network environment, the security devices, domains and interface classes are aggregated and connected with each other by behavior and policy relationships”. The Examiner interprets “a series of rules… formulated by the corresponding network security defense device” as one or more security tools configured to protect against unauthorized access of the secure information); 
(see Machine Translation, pages 18 and 19, [0054] and Fig. 9: “For the construction of UML diagrams of the threat intelligence domain: Convert the diagram model provided by the STIX threat intelligence standard into the corresponding UML diagram. Among them, threat intelligence is aggregated by attackers, victims, attack techniques, vulnerabilities, threat characteristic indicators, and attack countermeasures, and attackers are aggregated by attack motives, intrusions, threat sources, etc. It is composed of attack modes, malware, tools and other classes, and each class is connected according to the corresponding behavioral relationship”. The Examiner interprets “attackers” as “a set of predefined attack groups”. The Examiner further interprets “attack countermeasures” as a corresponding set of mitigations. The Examiner also interprets “threat intelligence” “aggregated by attackers, victims, attack techniques, vulnerabilities, threat characteristic indicators, and attack countermeasures” as profiles for each of a set of predefined attack groups, each profile comprising a set of attack techniques used by the corresponding attack group and, for each attack technique, a corresponding set of mitigations, wherein each mitigation of the set of mitigations corresponds to a predefined approach to protecting against the attack technique, wherein each attack technique corresponds to an approach to accessing the secure information stored by the target device);
(see Machine Translation, page 15, [0049] and Fig. 4: “For the construction of the UML diagram of the security policy domain: according to a series of rules and security policy information formulated by the corresponding network security defense device in the network environment, the security devices, domains and interface classes are aggregated and connected with each other by behavior and policy relationships”. The Examiner interprets “a series of rules” in “the security policy domain: according to a series of rules … formulated by the corresponding network security defense device in the network environment” as a set of security tools that protect against unauthorized access of the secure information stored by the target device. The Examiner further interprets “a series of rules and security policy information formulated by the corresponding network security defense device in the network environment” as control policies, wherein each control policy is associated with a set of security tools that protect against unauthorized access of the secure information stored by the target device);
a controls monitoring device (see Machine Translation, page 4, [0010], [0011] and Fig. 1: “A layered multi-domain visual security operation and maintenance method based on a graph database, comprising the following steps: Step 1. Build a layered multi-domain security operation and maintenance model”): 
receive the profiles (see Machine Translation, pages 5 and 6, [0016]-[0018] and Fig. 1: “The sub-steps of step 1 above are as follows: Step 11. Establish a layered operation and maintenance model including the basic security layer, the security analysis layer and the threat intelligence layer; Step 12. … add threat intelligence domain to the threat intelligence layer”. The Examiner interprets “add threat intelligence domain to the threat intelligence layer” of a layered multi-domain visual security operation and maintenance method as receive the profiles);
receive the control policies (see Machine Translation, pages 5 and 6, [0016]-[0018] and Fig. 1: “The sub-steps of step 1 above are as follows: Step 11. Establish a layered operation and maintenance model including the basic security layer, the security analysis layer and the threat intelligence layer; Step 12. Add topology domain, system service domain, security policy domain and personnel information domain to the basic security layer”. The Examiner interprets “Add… security policy domain …to the basic security layer” of a layered multi-domain visual security operation and maintenance method as receive the control policies);
a controls health dashboard coupled to the controls monitoring device (see Machine Translation, page 5, [0014], [0015] and Fig. 1: “Step 4. Map each UML diagram of the hierarchical multi-domain security operation and maintenance model to the diagram database; Step 5. Query and analyze the graph database to realize visual security operation and maintenance”. And see Machine Translation, page 524, [0070]: “The method of the invention combines the graph database technology with the security operation and maintenance, utilizes the advantages of the graph database in processing and analyzing the strong relational model, and solves the problems of data association and visual query analysis in the security operation and maintenance”) and comprising a processor configured to: 
receive a user query associated with one or more of the controls policies or the attack groups (see Machine Translation, pages 22, 23, [0066], [0067] and Fig. 1: “Step S5, perform visual security operation and maintenance query and analysis. If you query the basic security layer, you can learn about the network environment and basic security control information”. The Examiner interprets “If you query the basic security layer, you can learn about …basic security control information” as receive a user query associated with one or more of the controls policies); and 
provide a representation  (see Machine Translation, page 23, [0067] and Fig. 1: “If you query the basic security layer, you can learn about the network environment and basic security control information”. And see Machine Translation, pages 23, 24, [0069] and Fig. 1: “For example, the threat intelligence layer can be used to understand the attacker's attack trajectory. On the one hand, it can be used to analyze the attacker's attack ideas, and on the other hand, it can be used to analyze the potential threat points in the environment. Accurate and more efficient security operation and maintenance”).

Tao fails to teach profiles for each of a set of predefined attack groups are stored in a first database (emphasis added). Tao also fails to teach control policies are stored in a second database (emphasis added). Tao also fails to teach a controls monitoring device coupled to the first database and second database and comprising a processor configured to: receive the profiles from the first database; receive the control policies from the second database (emphasis added).

In the same field of endeavor, Drihem teaches a first database configured to store profiles for each of a set of predefined attack groups (see [0039]: “Refer now to FIG. 3, a flowchart of a method of implementing cyber threat intelligence (CTI) 100. A threat feed 302 is received 312, the threat feed including cyber security incidents. The threat feed 302 is typically based on the global DB 110 of malware incidents and the cyber security incidents are malware incidents”. And see [0035] and Fig. 2: “A global database of malware incidents, referred to in this document as “global DB” 110, is a collection of data, typically implemented in a database, of security incidents and associated malware information. A malware incident includes the source and destination of the incident and an identification (for example, name or identifier) of the malware involved in the incident. In other words, a malware incident can be defined as a tuple of source, destination, and malware identifier”. And see [0030], [0031]).
Both Tao and Drihem teach storing profiles for each of a set of predefined attack groups. Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve Tao by storing profiles for each of a set of predefined attack groups in a first database, as taught by Drihem. It would have been obvious because a database enables convenient storage and retrieval of information. 
Similarly, both the control policies (security policies) of Tao and the profiles for each of a set of predefined attack groups of Drihem are information.  Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve Tao by letting the control policies of Tao be stored in a database, as taught by Drihem. It would have been obvious because a database enables convenient storage and retrieval of information.
When the above modifications are made, Tao modified in view of Drihem would teach:
a first database configured to store profiles for each of a set of predefined attack groups, each profile comprising a set of attack techniques used by the corresponding attack group and, for each attack technique, a corresponding set of mitigations, wherein each mitigation of the set of mitigations corresponds to a predefined approach to protecting against the attack technique, wherein each attack technique corresponds to an approach to accessing the secure information stored by the target device; 
a second database configured to store control policies, wherein each control policy is associated with a set of security tools that protect against unauthorized access of the secure information stored by the target device, 
a controls monitoring device coupled to the first database and second database and comprising a processor configured to: 
receive the profiles from the first database; 
receive the control policies from the second database.

Tao fails to teach “profiles for each of a set of predefined attack groups, each profile comprising a set of attack techniques used by the corresponding attack group and, for each attack technique, a corresponding set of mitigations, wherein each mitigation of the set of mitigations corresponds to a predefined approach to protecting against the attack technique, wherein each attack technique corresponds to an approach to accessing the secure information stored by the target device”; “control policies, wherein each control policy is associated with a set of security tools that protect against unauthorized access of the secure information stored by the target device, wherein each security tool is configured to implement at least one mitigation of the set of mitigations included in the profiles” (emphasis added to show the defect of Tao).
In the same field of endeavor, Drihem teaches profiles (see [0034] and Fig. 2: “Each publication preferably includes one or more solutions to mitigate attacks from the malware”. The Examiner interprets “publications” as the profiles) for each of a set of predefined attack groups, each profile comprising a set of attack techniques used by the corresponding attack group (see [0035] and Fig. 2: “A global database of malware incidents, referred to in this document as “global DB” 110, is a collection of data, typically implemented in a database, of security incidents and associated malware information. A malware incident includes the source and destination of the incident and an identification (for example, name or identifier) of the malware involved in the incident. In other words, a malware incident can be defined as a tuple of source, destination, and malware identifier”. And see [0026]: “An identifier, without loss of generality, is defined as pattern. Patterns include explicit characteristics or implicit behaviors of the malware. Identifiers typically include characteristics of severity of the malware (performance impact of the malware) and confidence that the pattern is an indication of the specific malware. Identifiers can also include IOCs (indicators of compromise), such as domains, uniform resource locators (URLs), and specific files (such as an MD5 signature of the file)”. The Examiner interprets “a source” as a predefined attack group. The Examiner further interprets a malware identifier comprising “explicit characteristics or implicit behaviors of the malware” as a set of attack techniques used by the corresponding attack group) and, for each attack technique, a corresponding set of mitigations, wherein each mitigation of the set of mitigations corresponds to a predefined approach to protecting against the attack technique (see [0026]: “A rule mainly includes a malware identifier (also referred to as simply an “identifier”) and an action. …Actions include instructions on what to do with data that is identified as malware, for example to drop the data or only to detect the data (and then log and/or notify that malware data has been detected)”. And see [0034]: “each publication has an associated malware identifier (or simply “identifier”). As described above, each identifier typically includes characteristics of severity of the malware (impact of the malware) and confidence that the pattern is an indication of the specific malware. Each publication preferably includes one or more solutions to mitigate attacks from the malware”. The Examiner interprets “one or more solutions to mitigate attacks from the malware” as a corresponding set of mitigations, wherein each mitigation of the set of mitigations corresponds to a predefined approach to protecting against the attack technique. And see [0031]: “Each malware publication (or simply referred to in the context of this document as a “publication”) includes intelligence that analysts and researchers gathered regarding a specific malware, threat campaign, vulnerability, or attack. … A publication typically also includes solutions—recommendations on how to block similar attacks (on a client, network, etc.) Solutions can include one or more suggestions for one or more policy rules defined according to matched malware identifiers”), wherein each attack technique corresponds to an approach to accessing the secure information stored by the target device (see [0022] and Fig. 2: “The network security device 106 protects at least one client 108 on the internal network 134”. The Examiner interprets client 108 as the target device);
control policies, wherein each control policy is associated with a set of security tools that protect against unauthorized access of the secure information stored by the target device (see [0026] and Fig. 2: “For clarity in this document, reference is to one security policy, the policy 130. It is known in the art that security policies can be implemented as one or more policies. …In general, a policy (security policy) is a collection of rules. A rule mainly includes a malware identifier (also referred to as simply an “identifier”) and an action…Actions include instructions on what to do with data that is identified as malware, for example to drop the data or only to detect the data (and then log and/or notify that malware data has been detected)”. The Examiner interprets “a policy (security policy)” as each control policy. The Examiner further interprets “a rule” as each security tool. The Examiner further interprets “a policy (security policy) is a collection of rules” as each control policy is associated with a set of security tools that protect against unauthorized access of the secure information stored by the target device), 
wherein each security tool is configured to implement at least one mitigation of the set of mitigations included in the profiles (see [0034]: “Each publication preferably includes one or more solutions to mitigate attacks from the malware”. And see [0043]: “For each identifier, a solution is added to the suggested implementation. Preferably, the retrieval of publications and suggested solutions are correlated with the security policy 130”. The Examiner interprets “publications” as the profiles. The Examiner also interprets “suggested solutions” included in each publication as at least one mitigation of the set of mitigations included in the profiles. The Examiner further interprets a rule contained in “the security policy 130” (see [0026]) as each security tool. Therefore, the Examiner interprets “the retrieval of publications and suggested solutions are correlated with the security policy 130” as wherein each security tool is configured to implement at least one mitigation of the set of mitigations included in the profiles. And see [0031]: “Each malware publication (or simply referred to in the context of this document as a “publication”) includes intelligence that analysts and researchers gathered regarding a specific malware, threat campaign, vulnerability, or attack. A publication can include technical data, and/or an analysis of where and when a certain malware is spread. A publication typically also includes solutions—recommendations on how to block similar attacks (on a client, network, etc.) Solutions can include one or more suggestions for one or more policy rules defined according to matched malware identifiers”).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve Tao by configuring each security tool to implement at least one mitigation of the set of mitigations included in the profiles, as taught by Drihem. It would have been obvious because doing so predictably achieves the commonly understood benefit of providing the system of Tao with relevant security tools that are able to mitigate the attack techniques in the profiles for attack groups.
 
Tao fails to teach “determine, based on the received profiles and the received control policies, an attack controls superset, wherein the attack controls superset comprises the set of predefined attack groups, the set of attack techniques, the set of mitigations, and the set of security tools”.
In the same field of endeavor, Drihem teaches determine, based on the received profiles and the received control policies, an attack controls superset, wherein the attack controls superset comprises the set of predefined attack groups, the set of attack techniques, the set of mitigations, and the set of security tools (see [0046] and Figs. 2, 3: “The synergistic combination of the specified inputs (the threat feed 302, the impact assessment 304, the profile 140, the policy 130, and the vulnerability report 142 for this evaluation 320 facilitates monitoring current network security threats and impact to evaluate and maintain security policy, decrease vulnerability, and dynamically implement solutions”. And see [0039] and FIG. 3: “The threat feed 302 is typically based on the global DB 110 of malware incidents and the cyber security incidents are malware incidents”. And see [0035]: “A malware incident includes the source and destination of the incident and an identification (for example, name or identifier) of the malware involved in the incident”. The Examiner interprets sources of malware incidents as the set of predefined attack groups. The Examiner further interprets a malware identifier comprising “explicit characteristics or implicit behaviors of the malware” as the set of attack techniques. And see [0034]: “each publication has an associated malware identifier (or simply “identifier”). … Each publication preferably includes one or more solutions to mitigate attacks from the malware”. The Examiner interprets “one or more solutions to mitigate attacks from the malware” as the set of mitigations. The Examiner interprets the threat feed 302 as the set of predefined attack groups, the set of attack techniques, the set of mitigations. And see [0026] and Fig. 2: “For clarity in this document, reference is to one security policy, the policy 130. …a policy (security policy) is a collection of rules. A rule mainly includes a malware identifier (also referred to as simply an “identifier”) and an action…Actions include instructions on what to do with data that is identified as malware, for example to drop the data or only to detect the data (and then log and/or notify that malware data has been detected)”. The Examiner interprets “a rule” as a security tool. The Examiner further interprets the policy 130 comprising “a collection of rules” as the set of security tools. Therefore, the Examiner interprets “The synergistic combination of the specified inputs (the threat feed 302, … the policy 130” as determine, based on the received profiles and the received control policies, an attack controls superset, wherein the attack controls superset comprises the set of predefined attack groups, the set of attack techniques, the set of mitigations, and the set of security tools. And see abstract, [0005], [0041], [0047]).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve Tao by letting the controls monitoring device “determine, based on the received profiles and the received control policies, an attack controls superset, wherein the attack controls superset comprises the set of predefined attack groups, the set of attack techniques, the set of mitigations, and the set of security tools”, as taught by Drihem. It would have been obvious because Drihem teaches the following: “The synergistic combination of the specified inputs (the threat feed 302, the impact assessment 304, the profile 140, the policy 130, and the vulnerability report 142 for this evaluation 320 facilitates monitoring current network security threats and impact to evaluate and maintain security policy, decrease vulnerability, and dynamically implement solutions” (see [0046]).

Tao fails to teach that the processor of the controls health dashboard is configured to “provide a representation ...of the attack controls superset that is associated with the received query” (emphasis added).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve Tao by letting the answer associated with the received query for which a representation is provided be the attack controls superset taught by Drihem. It would have been obvious because doing so predictably achieves the benefit of informing a user of the attack control superset and facilitating the evaluation of security control policies by the user.
 
Tao modified in view of Drihem fails to teach that the processor of the controls health dashboard is configured to “provide a representation of a portion of the attack controls superset that is associated with the received query” (emphasis added).
However, Andres teaches that a processor is configured to “provide a representation of a portion of the attack” (see col. 12, lines 1-9 and Fig. 2: “FIG. 2 depicts a simplified screen shot of a graphical user interface display 200 of a portion of the output of the threat correlation module 104 according to one embodiment. As illustrated by the simplified screen shot of FIG. 2, the threat listing 202, in one embodiment, comprises a threat summary 204 and a threat risk level 206, such that a user can quickly scan the threats to determine which threats might most significantly affect the user's network”).
Both Andres and Tao modified in view of Drihem teach providing a representation of attack information. Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve Tao modified in view of Drihem by configuring the processor of the controls health dashboard to provide a representation of a portion of attack information, as taught by Andres, so as to prevent overwhelming a user with too much attack information. Because the attack information taught by Tao modified in view of Drihem is the attack controls superset, Tao modified in view of Drihem and Andres would teach that the processor of the controls health dashboard is configured to “provide a representation of a portion of the attack controls superset that is associated with the received query”, as recited by claims 1, 8 and 15.

Claims 2-6, 9-13, and 16-20 are rejected under 35 U.S.C. 103 as being unpatentable over Tao (CN 107579855 A), further in view of Drihem (US 2018/0343277), further in view of Andres (US 8,201,257), further in view of Wright (US 9,171,253), and further in view of Fang (US 11,003,773).

Regarding claims 2, 9 and 16, Tao modified in view of Drihem and Andres fails to teach the processor of the controls monitoring device further configured to: receive telemetry data associated with whether attacks associated the set of attack techniques have been successfully prevented by the one or more tools of the target device; determine, based on the received telemetry data, a set of mitigation scores for the one or more tools of the target device; and include the set of mitigation scores in the attack control superset.
In the same field of endeavor, Wright teaches the processor of the controls monitoring device further configured to: 
receive (see col. 3, lines 37-43 and Fig. 1: “the production security module 108 operates as a classifier to classify objects (e.g., computer files) as malware or goodware. The production security module 108 can also perform one or more actions to remediate the malware, such as blocking malicious behavior, quarantining the malware, and removing the malware”. And see col. 7, lines 59-64 and Fig. 3: “The evaluation module 306 evaluates the classification performance of each executed security module. The evaluation module 306 determines the classification performance of each security module 108 according to one or more performance metrics based on the prediction labels assigned to the test cases across the plurality of test case datasets”);
determine, based on the received (see col. 8, lines 27-35 and Fig. 3: “the evaluation module 308 calculates the classification performance score of a security module with respect to a test case dataset based on a percentage of test cases that the security module correctly classified as malware. By calculating the classification performance score for the security module for each test case dataset, the evaluation module 308 can determine how well the security module performed over time since each test case dataset is associated with a corresponding time interval”. Because Wright teaches that the production security module 108 classifies objects (e.g., computer files) as malware or goodware and performs one or more actions to remediate the malware, the detected malwares are mitigated and the classification performance score is a mitigation score).

Both Wright and Tao modified in view of Drihem and Andres teach security tools to mitigate against attack techniques. Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve Tao modified in view of Drihem and Andres by configuring the controls monitoring device to: receive … data associated with whether attacks associated the set of attack techniques have been successfully prevented by the one or more tools of the target device; determine, based on the received … data, a set of mitigation scores for the one or more tools of the target device, as taught by Wright. It would have been obvious because Wright teaches that doing so enables the selection of a security module from among the plurality of security modules for production based on an overall classification performance score of each security module across the plurality of test case datasets (see col. 8, lines 44-48).

Tao modified in view of Drihem and Andres fails to teach the processor of the controls monitoring device further configured to: include the set of mitigation scores in the attack control superset.
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve Tao modified in view of Drihem and Andres by including in the attack control superset of Tao modified in view of Drihem and Andres the set of mitigation scores taught by Wright. It would have been obvious because doing so predictably achieves the commonly understood benefit of quantitatively informing a user how well the security tools in the attack control superset mitigate attacks.

Tao modified in view of Drihem, Andres and Wright fails to teach that data associated with whether attacks associated the set of attack techniques have been successfully prevented by the one or more tools of the target device is telemetry data (emphasis added). 
In the same field of endeavor, Fang teaches a processor configured to receive telemetry security data (see col. 5, lines 5-19 and Fig. 1: “one or more provisional malware detection rules (i.e., a Boolean logic representation of the salient features) are generated based on the rule recommendations, and these provisional malware detection rule(s) are tested at one or more cybersecurity systems. After a prescribed period of time, for each provisional malware detection rule, if the malware analysis performance results (telemetry) associated with that provisional malware detection rule conveys a number or rate of false positive (FP) classifications below a first test threshold and/or a number or rate of false negatives (FN) classifications below a prescribed second test threshold, …the provisional malware detection rule is uploaded to one or more cybersecurity systems as a final malware detection rule for detecting and blocking malware”).
Both Fang and Tao modified in view of Drihem, Andres and Wright teach receiving security data. Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve Tao modified in view of Drihem, Andres and Wright by letting the received security data be telemetry security data, as taught by Fang. It would have been obvious because doing so predictably achieves the commonly understood benefit of testing security tools remotely in a plurality of cybersecurity devices. Because the security data taught by Tao modified in view of Drihem, Andres and Wright is data associated with whether attacks associated the set of attack techniques have been successfully prevented by the one or more tools of the target device, Tao modified in view of Drihem, Andres, Wright and Fang would teach the processor of the controls monitoring device further configured to: receive telemetry data associated with whether attacks associated the set of attack techniques have been successfully prevented by the one or more tools of the target device; determine, based on the received telemetry data, a set of mitigation scores for the one or more tools of the target device, as recited by claims 2, 9 and 16.

Regarding claims 3, 10 and 17, Wright further teaches the processor of the controls monitoring device further configured to determine the set of mitigation scores for the one or more tools of the target device by: 
detecting events associated with possible attempts to access the secure information using a technique of the set of attack techniques (see col. 3, lines 37-43 and Fig. 1: “the production security module 108 operates as a classifier to classify objects (e.g., computer files) as malware or goodware”); 
determining, for each detected event, a corresponding mitigation of the set of mitigations and a corresponding tool of the one or more tools of the target device that implement the determined mitigation (see col. 3, lines 37-43 and Fig. 1: “the production security module 108 operates as a classifier to classify objects (e.g., computer files) as malware or goodware. The production security module 108 can also perform one or more actions to remediate the malware, such as blocking malicious behavior, quarantining the malware, and removing the malware”); and 
determining a mitigation score of the set of mitigation scores as a percentage of the detected events prevented by the determined tool (see col. 8, lines 27-35 and Fig. 3: “the evaluation module 308 calculates the classification performance score of a security module with respect to a test case dataset based on a percentage of test cases that the security module correctly classified as malware. By calculating the classification performance score for the security module for each test case dataset, the evaluation module 308 can determine how well the security module performed over time since each test case dataset is associated with a corresponding time interval”. Because Wright teaches that the production security module 108 classifies objects (e.g., computer files) as malware or goodware and performs one or more actions to remediate and prevent the malware, the detected malware is mitigated and the classification performance score is a mitigation score).

Regarding claims 4, 11 and 18, Tao further teaches the processor of the controls health dashboard further configured to: 
receive a second query regarding a first controls policy (see Machine Translation, pages 22, 23, [0066], [0067] and Fig. 1: “Step S5, perform visual security operation and maintenance query and analysis. If you query the basic security layer, you can learn about the network environment and basic security control information”. The Examiner interprets “If you query the basic security layer, you can learn about …basic security control information” as receive a second query regarding a first controls policy); and 
in response to the second query, provide a second representation including one or more of:  the tools associated with the first controls policy (see Machine Translation, page 23, [0067] and Fig. 1: “If you query the basic security layer, you can learn about the network environment and basic security control information”. And see Machine Translation, page 15, [0049] and Fig. 4: “For the construction of the UML diagram of the security policy domain: according to a series of rules and security policy information formulated by the corresponding network security defense device in the network environment, the security devices, domains and interface classes are aggregated and connected with each other by behavior and policy relationships”. The Examiner interprets “a series of rules” within “the security policy domain: according to a series of rules and security policy information formulated by the corresponding network security defense device in the network environment” as the tools associated with the first controls policy), a subset of the mitigations associated with the first controls policy, a subset of the attack techniques associated with the first controls policy, and a subset of the attack groups associated with the first controls policy.

Tao modified in view of Drihem fails to teach that the processor of the controls health dashboard is further configured to: … in response to the second query, provide a second representation including one or more of: a subset of the tools associated with the first controls policy, a subset of the mitigations associated with the first controls policy, a subset of the attack techniques associated with the first controls policy, and a subset of the attack groups associated with the first controls policy (emphasis added).
However, Andres teaches that a processor is configured to “provide a representation including one or more of: a subset of the attack techniques” (see col. 12, lines 1-9 and Fig. 2: “FIG. 2 depicts a simplified screen shot of a graphical user interface display 200 of a portion of the output of the threat correlation module 104 according to one embodiment. As illustrated by the simplified screen shot of FIG. 2, the threat listing 202, in one embodiment, comprises a threat summary 204 and a threat risk level 206, such that a user can quickly scan the threats to determine which threats might most significantly affect the user's network”. The Examiner interprets a portion of the output of the threat correlation module 104 as a subset of the attack techniques).
Both Andres and Tao modified in view of Drihem teach providing a representation of information. Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve Tao modified in view of Drihem by configuring the processor of the controls health dashboard to provide a representation of a portion of information, as taught by Andres, so as to prevent overwhelming a user with too much information. Because the information taught by Tao modified in view of Drihem is the tools associated with the first controls policy, Tao modified in view of Drihem and Andres would teach that the processor of the controls health dashboard is configured to “… in response to the second query, provide a second representation including one or more of: a subset of the tools associated with the first controls policy, a subset of the mitigations associated with the first controls policy, a subset of the attack techniques associated with the first controls policy, and a subset of the attack groups associated with the first controls policy”.

Regarding claims 5, 12 and 19, Tao further teaches the processor of the controls health dashboard further configured to: 
receive a second query (see Machine Translation, pages 22, 23, [0066], [0067] and Fig. 1: “Step S5, perform visual security operation and maintenance query and analysis. If you query the basic security layer, you can learn about the network environment and basic security control information”); and 
in response to the second query: 
provide a first representation (see Machine Translation, page 23, [0067] and Fig. 1: “If you query the basic security layer, you can learn about the network environment and basic security control information”).

Tao fails to teach that the received second query is regarding a readiness of a first control policy to attacks by a first attack group. Tao also fails to teach that the processor of the controls health dashboard is further configured to: identify, from within the attack controls superset, a subset of the set of attack techniques that is associated with the first attack group; identify, from within the attack controls superset, a subset of the set of mitigations that is associated with protecting against attacks using the identified subset of the set of attack techniques that is associated with the first attack group; identify, from within the attack controls superset, a subset of the set of security tools that is associated with implementing the identified subset of the set of mitigations.

In the same field of endeavor, Drihem teaches regarding a readiness of a first control policy to attacks by a first attack group (see [0004]: “receiving a threat feed of cyber security incidents; receiving an impact assessment for each of said cyber security incidents; performing an evaluation of said threat feed based on said impact assessment, a security policy, a profile, and a vulnerability report; generating a suggested implementation, based on said evaluation”); and 
identify, from within the attack controls superset (see [0046] and Figs. 2, 3: “The synergistic combination of the specified inputs (the threat feed 302, the impact assessment 304, the profile 140, the policy 130, and the vulnerability report 142 for this evaluation 320 facilitates monitoring current network security threats and impact to evaluate and maintain security policy, decrease vulnerability, and dynamically implement solutions”.  The Examiner interprets “The synergistic combination of the specified inputs (the threat feed 302, … the policy 130” as the attack controls superset), a subset of the set of attack techniques that is associated with the first attack group (see [0039] and Fig. 3: “A threat feed 302 is received 312, the threat feed including cyber security incidents. The threat feed 302 is typically based on the global DB 110 of malware incidents and the cyber security incidents are malware incidents. …The threat feed 302 is preferably based on the client profile 140, providing specific cyber security threats that are relevant to the customer. For example, the client's geo-location is in the client profile 140, and the threat feed 302 is generated/filtered based on the client's geo-location and common malware indents in the same geo-location. In another example, the client's industry is included in the client profile 140, and the threat feed 302 is generated/filtered to include malware incidents particular to the client's industry”. The Examiner interprets filtering the threat feed based on the client's geo-location and common malware indents in the same geo-location as identify, from within the attack controls superset, a subset of the set of attack techniques that is associated with the first attack group); 
identify, from within the attack controls superset (see [0046] and Figs. 2, 3: “The synergistic combination of the specified inputs (the threat feed 302, the impact assessment 304, the profile 140, the policy 130, and the vulnerability report 142 for this evaluation 320 facilitates monitoring current network security threats and impact to evaluate and maintain security policy, decrease vulnerability, and dynamically implement solutions”.  The Examiner interprets “The synergistic combination of the specified inputs (the threat feed 302, … the policy 130” as the attack controls superset), a subset (The Examiner interprets filtering the threat feed based on the client's geo-location and common malware indents in the same geo-location as identify, from within the attack controls superset, a subset of the set of attack techniques that is associated with the first attack group) of the set of mitigations that is associated with protecting against attacks using the identified subset of the set of attack techniques that is associated with the first attack group (see [0043] and Fig. 3: “The global DB 110 is scanned to collect all tagged malware identifiers. The publications corresponding to the identifiers are retrieved, for example according to severity of the malware from highest to lowest severity. For each identifier, a solution is added to the suggested implementation. Preferably, the retrieval of publications and suggested solutions are correlated with the security policy 130”. And see [0034]: “Each publication preferably includes one or more solutions to mitigate attacks from the malware”. The Examiner interprets, for each malware identifier, adding a solution to mitigate attacks from the malware as identify, from within the attack controls superset, a subset of the set of mitigations that is associated with protecting against attacks using the identified subset of the set of attack techniques that is associated with the first attack group); 
identify, from within the attack controls superset (see [0046] and Figs. 2, 3: “The synergistic combination of the specified inputs (the threat feed 302, the impact assessment 304, the profile 140, the policy 130, and the vulnerability report 142 for this evaluation 320 facilitates monitoring current network security threats and impact to evaluate and maintain security policy, decrease vulnerability, and dynamically implement solutions”.  The Examiner interprets “The synergistic combination of the specified inputs (the threat feed 302, … the policy 130” as the attack controls superset), a subset (The Examiner interprets filtering the threat feed based on the client's geo-location and common malware indents in the same geo-location as identify, from within the attack controls superset, a subset of the set of attack techniques that is associated with the first attack group) of the set of security tools that is associated with implementing the identified subset of the set of mitigations (see [0043] and Fig. 3: “The global DB 110 is scanned to collect all tagged malware identifiers. The publications corresponding to the identifiers are retrieved, for example according to severity of the malware from highest to lowest severity. For each identifier, a solution is added to the suggested implementation. Preferably, the retrieval of publications and suggested solutions are correlated with the security policy 130”. And see [0026] and Fig. 2: “a policy (security policy) is a collection of rules. A rule mainly includes a malware identifier (also referred to as simply an “identifier”) and an action…Actions include instructions on what to do with data that is identified as malware, for example to drop the data or only to detect the data (and then log and/or notify that malware data has been detected)”. The Examiner interprets “a collection of rules” as the set of security tools. The Examiner further interprets adding suggested solutions which are correlated with the security policy comprising a collection of rules (“the set of security tools”) as identify, from within the attack controls superset, a subset of the set of security tools that is associated with implementing the identified subset of the set of mitigations).

Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve Tao by letting the received second query be regarding a readiness of a first control policy to attacks by a first attack group, and configuring the processor of the controls health dashboard to: identify, from within the attack controls superset, a subset of the set of attack techniques that is associated with the first attack group; identify, from within the attack controls superset, a subset of the set of mitigations that is associated with protecting against attacks using the identified subset of the set of attack techniques that is associated with the first attack group; identify, from within the attack controls superset, a subset of the set of security tools that is associated with implementing the identified subset of the set of mitigations; as taught by Drihem. It would have been obvious because Drihem teaches that “[c]onstantly re-evaluating the customer's cyber security implementation facilitates dynamic tuning of cyber security implementation” (see abstract).

Tao modified in view of Drihem and Andres fails to teach that the processor of the controls health dashboard is further configured to: identify a mitigation score for at least a portion of the identified subset of the set of security tools; and provide a first representation comprising the identified mitigations scores.

In the same field of endeavor, Wright teaches the processor of the controls monitoring device further configured to: 
identify a mitigation score for (see col. 8, lines 27-35 and Fig. 3: “the evaluation module 308 calculates the classification performance score of a security module with respect to a test case dataset based on a percentage of test cases that the security module correctly classified as malware. By calculating the classification performance score for the security module for each test case dataset, the evaluation module 308 can determine how well the security module performed over time since each test case dataset is associated with a corresponding time interval”. Because Wright teaches that the production security module 108 classifies objects (e.g., computer files) as malware or goodware and performs one or more actions to remediate the malware, the detected malware is mitigated and the classification performance score is a mitigation score).

Both Wright and Tao modified in view of Drihem and Andres teach security tools to mitigate against attack techniques. Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve Tao modified in view of Drihem and Andres by configuring the controls monitoring device to: identify a mitigation score for… the set of security tools, as taught by Wright; and letting the provided first representation taught by Tao modified in view of Drihem and Andres comprise the identified mitigations scores taught by Wright. It would have been obvious because Wright teaches that doing so enables the selection of a security module from among the plurality of security modules for production based on an overall classification performance score of each security module across the plurality of test case datasets (see col. 8, lines 44-48). Because the set of security tools taught by Tao modified in view of Drihem and Andres is at least a portion of the identified subset of the set of security tools, Tao modified in view of Drihem, Andres and Wright would teach that the processor of the controls health dashboard is further configured to: identify a mitigation score for at least a portion of the identified subset of the set of security tools; and provide a first representation comprising the identified mitigations scores.

Regarding claims 6, 13 and 20, Tao modified in view of Drihem and Andres fails to teach the processor of the controls monitoring device further configured to: intermittently receive new telemetry data associated with whether attacks associated the set of attack techniques have been successfully prevented by the one or more tools of the target device; determine, based on the new telemetry data, a set of updated mitigation scores for the one or more tools of the target device; and update the set of mitigation scores to include the new mitigation scores in the attack control superset.
In the same field of endeavor, Wright teaches the processor of the controls monitoring device further configured to: 
intermittently (see col. 8, lines 31-35: “By calculating the classification performance score for the security module for each test case dataset, the evaluation module 308 can determine how well the security module performed over time since each test case dataset is associated with a corresponding time interval”) receive new (see col. 1, lines 19-24: “the target property that the classification systems are trained to classify are typically time dependent. That is, the target property that the classification systems are trained to identify may change over time; this is referred to as concept drift. As the target property changes, the predictions of the classification systems become less accurate over time”. And see col. 4, lines 22-31: “The security server 102 divides the set of test cases into a plurality of distinct datasets based on time. By dividing the set of test cases into different datasets that are each associated with a corresponding interval of time and evaluating different versions of the production security module 108 with respect to the different datasets, the security server 102 can identify a version of the production security module 108 that is least susceptible to concept drift for production”) associated with whether attacks associated the set of attack techniques have been successfully prevented by the one or more tools of the target device (see col. 3, lines 37-43 and Fig. 1: “the production security module 108 operates as a classifier to classify objects (e.g., computer files) as malware or goodware. The production security module 108 can also perform one or more actions to remediate the malware, such as blocking malicious behavior, quarantining the malware, and removing the malware”. And see col. 7, lines 59-64 and Fig. 3: “The evaluation module 306 evaluates the classification performance of each executed security module. The evaluation module 306 determines the classification performance of each security module 108 according to one or more performance metrics based on the prediction labels assigned to the test cases across the plurality of test case datasets”); 
determine, based on the new (see col. 8, lines 31-35: “By calculating the classification performance score for the security module for each test case dataset, the evaluation module 308 can determine how well the security module performed over time since each test case dataset is associated with a corresponding time interval”) … data, a set of updated mitigation scores for the one or more tools of the target device (see col. 8, lines 27-35 and Fig. 3: “the evaluation module 308 calculates the classification performance score of a security module with respect to a test case dataset based on a percentage of test cases that the security module correctly classified as malware. By calculating the classification performance score for the security module for each test case dataset, the evaluation module 308 can determine how well the security module performed over time since each test case dataset is associated with a corresponding time interval”. Because Wright teaches that the production security module 108 classifies objects (e.g., computer files) as malware or goodware and performs one or more actions to remediate the malware, the detected malware is mitigated and the classification performance score is a mitigation score).
Both Wright and Tao modified in view of Drihem and Andres teach security tools to mitigate against attack techniques. Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve Tao modified in view of Drihem and Andres by configuring the controls monitoring device to: intermittently receive new … data associated with whether attacks associated the set of attack techniques have been successfully prevented by the one or more tools of the target device; determine, based on the new … data, a set of updated mitigation scores for the one or more tools of the target device, as taught by Wright. It would have been obvious because Wright teaches that doing so enables the evaluation module 308 to determine how well the security module performed over time since each test case dataset is associated with a corresponding time interval (see col. 8, lines 27-35).

Tao modified in view of Drihem and Andres fails to teach the processor of the controls monitoring device further configured to: update the set of mitigation scores to include the new mitigation scores in the attack control superset.
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve Tao modified in view of Drihem and Andres by including in the attack control superset of Tao modified in view of Drihem and Andres the new mitigation scores taught by Wright. It would have been obvious because doing so predictably achieves the commonly understood benefit of quantitatively informing a user how well the security tools in the attack control superset mitigate attacks over time. When such a modification is made, Tao modified in view of Drihem, Andres and Wright would teach the processor of the controls monitoring device further configured to:… update the set of mitigation scores to include the new mitigation scores in the attack control superset.

Tao modified in view of Drihem, Andres and Wright fails to teach that data associated with whether attacks associated the set of attack techniques have been successfully prevented by the one or more tools of the target device is telemetry data (emphasis added). 
In the same field of endeavor, Fang teaches a processor configured to receive telemetry security data (see col. 5, lines 5-19 and Fig. 1: “one or more provisional malware detection rules (i.e., a Boolean logic representation of the salient features) are generated based on the rule recommendations, and these provisional malware detection rule(s) are tested at one or more cybersecurity systems. After a prescribed period of time, for each provisional malware detection rule, if the malware analysis performance results (telemetry) associated with that provisional malware detection rule conveys a number or rate of false positive (FP) classifications below a first test threshold and/or a number or rate of false negatives (FN) classifications below a prescribed second test threshold, …the provisional malware detection rule is uploaded to one or more cybersecurity systems as a final malware detection rule for detecting and blocking malware”).
Both Fang and Tao modified in view of Drihem, Andres and Wright teach receiving security data. Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve Tao modified in view of Drihem, Andres and Wright by letting the received security data be telemetry security data, as taught by Fang. It would have been obvious because doing so predictably achieves the commonly understood benefit of testing security tools remotely in a plurality of cybersecurity devices. Because the security data taught by Tao modified in view of Drihem, Andres and Wright is data associated with whether attacks associated the set of attack techniques have been successfully prevented by the one or more tools of the target device, Tao modified in view of Drihem, Andres, Wright and Fang would teach the processor of the controls monitoring device further configured to: intermittently receive new telemetry data associated with whether attacks associated the set of attack techniques have been successfully prevented by the one or more tools of the target device; determine, based on the new telemetry data, a set of updated mitigation scores for the one or more tools of the target device, as recited by claims 6, 13 and 20.
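The following Python is an illustration added to this page of the operations recited in claims 3, 10 and 17 (a mitigation score per tool as the percentage of detected events the tool prevented) and claims 6, 13 and 20 (folding in new telemetry and updating the scores). It is not code from the application under examination or from Tao, Drihem, Andres, Wright or Fang; the technique-to-mitigation and mitigation-to-tool maps, the event fields and the sample telemetry are constructed assumptions.

```python
"""Per-tool mitigation scores computed from telemetry.

Illustration added for this page only; not code from the application
under examination or from any cited reference. The maps, event fields
and sample telemetry below are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed mapping: which mitigation protects against a technique, and which
# tool on the target device implements that mitigation.
MITIGATION_FOR_TECHNIQUE = {
    "credential_dumping": "credential_guard",
    "phishing_attachment": "attachment_sandboxing",
    "brute_force": "account_lockout",
}
TOOL_FOR_MITIGATION = {
    "credential_guard": "endpoint_agent",
    "attachment_sandboxing": "mail_gateway",
    "account_lockout": "identity_provider",
}


@dataclass(frozen=True)
class TelemetryEvent:
    """One detected attempt to access secure information (constructed)."""
    technique: str   # attack technique observed
    prevented: bool  # whether the responsible tool blocked it


class MitigationScores:
    """Running prevented/total counts per tool, so telemetry received later
    can be folded in and the scores recomputed."""

    def __init__(self):
        self._counts = defaultdict(lambda: [0, 0])  # tool -> [prevented, total]

    @staticmethod
    def resolve(event):
        """Map an event to (mitigation, tool); None if no known mitigation
        covers the technique."""
        mitigation = MITIGATION_FOR_TECHNIQUE.get(event.technique)
        if mitigation is None:
            return None
        return mitigation, TOOL_FOR_MITIGATION[mitigation]

    def ingest(self, events):
        """Fold a batch of telemetry into the counts. Returns how many
        events had a technique that no tool is known to mitigate."""
        unresolved = 0
        for event in events:
            resolved = self.resolve(event)
            if resolved is None:
                unresolved += 1
                continue
            _, tool = resolved
            self._counts[tool][1] += 1
            if event.prevented:
                self._counts[tool][0] += 1
        return unresolved

    def scores(self):
        """Mitigation score per tool: percentage of detected events the
        tool prevented, rounded to one decimal."""
        return {
            tool: round(100.0 * prevented / total, 1)
            for tool, (prevented, total) in self._counts.items()
            if total
        }


# Constructed sample telemetry: an initial batch and a later one.
INITIAL_TELEMETRY = [
    TelemetryEvent("credential_dumping", True),
    TelemetryEvent("credential_dumping", False),
    TelemetryEvent("phishing_attachment", True),
    TelemetryEvent("phishing_attachment", True),
    TelemetryEvent("brute_force", True),
    TelemetryEvent("brute_force", False),
    TelemetryEvent("brute_force", False),
    TelemetryEvent("unmapped_technique", True),  # no mitigation on record
]
NEW_TELEMETRY = [
    TelemetryEvent("credential_dumping", True),
    TelemetryEvent("credential_dumping", True),
    TelemetryEvent("brute_force", True),
]


def score_over_time(batches):
    """Ingest successive telemetry batches and return the score table after
    each one, i.e. the set of mitigation scores as updated over time."""
    state = MitigationScores()
    history = []
    for batch in batches:
        state.ingest(batch)
        history.append(state.scores())
    return history


if __name__ == "__main__":
    for step, table in enumerate(score_over_time([INITIAL_TELEMETRY, NEW_TELEMETRY])):
        print(f"after batch {step + 1}: {table}")
```

Events whose technique maps to no mitigation are counted separately rather than silently dropped, since an unmapped technique is itself a gap in the controls inventory; the cumulative counts are kept so that the updated scores after new telemetry reflect all events seen, not only the latest batch.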

Claims 7 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Tao (CN 107579855 A), further in view of Drihem (US 2018/0343277), further in view of Andres (US 8,201,257), and further in view of Official Notice.

Regarding claims 7 and 14, Drihem further teaches the processor of the controls monitoring device further configured to determine the attack controls superset by: …determining a product of the set of predefined attack groups, the set of attack techniques, the set of mitigations, the set of tools (see [0046] and Figs. 2, 3: “The synergistic combination of the specified inputs (the threat feed 302, … the policy 130, and the vulnerability report 142 for this evaluation 320 facilitates monitoring current network security threats and impact to evaluate and maintain security policy, decrease vulnerability, and dynamically implement solutions”.  And see [0039] and FIG. 3: “The threat feed 302 is typically based on the global DB 110 of malware incidents and the cyber security incidents are malware incidents”. And see [0035]: “A malware incident includes the source and destination of the incident and an identification (for example, name or identifier) of the malware involved in the incident”. The Examiner interprets sources of malware incidents as the set of predefined attack groups. The Examiner further interprets a malware identifier comprising “explicit characteristics or implicit behaviors of the malware” as the set of attack techniques. And see [0034]: “each publication has an associated malware identifier (or simply “identifier”). … Each publication preferably includes one or more solutions to mitigate attacks from the malware”. The Examiner interprets “one or more solutions to mitigate attacks from the malware” as the set of mitigations. The Examiner interprets the threat feed 302 as the set of predefined attack groups, the set of attack techniques, the set of mitigations. And see [0026] and Fig. 2: “For clarity in this document, reference is to one security policy, the policy 130. …a policy (security policy) is a collection of rules. A rule mainly includes a malware identifier (also referred to as simply an “identifier”) and an action…Actions include instructions on what to do with data that is identified as malware, for example to drop the data or only to detect the data (and then log and/or notify that malware data has been detected)”. The Examiner interprets “a rule” as a tool. The Examiner further interprets the policy 130 comprising a collection of rules as the set of tools. Therefore, the Examiner interprets “The synergistic combination of the specified inputs (the threat feed 302, … the policy 130” as the processor of the controls monitoring device further configured to determine the attack controls superset by: …determining a product of the set of predefined attack groups, the set of attack techniques, the set of mitigations, the set of tools).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve Tao by configuring the controls monitoring device “to determine the attack controls superset by: … determining a product of the set of predefined attack groups, the set of attack techniques, the set of mitigations, the set of tools”, as taught by Drihem. It would have been obvious because Drihem teaches that doing so “facilitates monitoring current network security threats and impact to evaluate and maintain security policy, decrease vulnerability, and dynamically implement solutions” (see [0046]).

Tao modified in view of Drihem and Andres fails to teach the processor of the controls monitoring device further configured to determine the attack controls superset by: determining a union of a set of telemetry data source identifiers and a set of control policy identifiers.
The Examiner takes Official Notice that it is a well-known technique to determine a union of a set of telemetry data source identifiers and a set of control policy identifiers.
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve Tao modified in view of Drihem and Andres by configuring the controls monitoring device to determine the attack controls superset by: determining a union of a set of telemetry data source identifiers and a set of control policy identifiers, as taught by Official Notice. It would have been obvious because doing so predictably achieves the commonly understood benefit of obtaining information on all available control tools from both the telemetry data source and the second database storing control policies. 

Tao modified in view of Drihem and Andres fails to teach the determined product used to determine the attack controls superset includes the determined union.
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to improve Tao modified in view of Drihem and Andres by letting the determined product used to determine the attack controls superset include the determined union taught by Official Notice. It would have been obvious because doing so predictably achieves the commonly understood benefit of obtaining a comprehensive attack controls superset including information on all available control tools from both the telemetry data source and the second database storing control policies.  When such a modification is made, Tao modified in view of Drihem, Andres and Official Notice would teach the processor of the controls monitoring device further configured to determine the attack controls superset by: determining a union of a set of telemetry data source identifiers and a set of control policy identifiers; and determining a product of the set of predefined attack groups, the set of attack techniques, the set of mitigations, the set of tools, and the determined union.
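The following Python is an illustration added to this page of the attack controls superset as recited in claims 7 and 14 (the union of telemetry data source identifiers and control policy identifiers, then the product of the attack groups, techniques, mitigations, tools and that union), together with the readiness query of claims 5, 12 and 19 answered from that superset. It is not code from the application under examination or from Tao, Drihem, Andres or Wright; the identifier sets, the groups, techniques, mitigations and tools, the relations between them and the sample mitigation scores are constructed assumptions.

```python
"""Attack controls superset as a product over a union of identifiers, and a
readiness query answered from it.

Illustration added for this page only; not code from the application
under examination or from any cited reference. All sets, relations and
scores below are constructed assumptions.
"""
import itertools
from typing import NamedTuple


class SupersetRow(NamedTuple):
    group: str
    technique: str
    mitigation: str
    tool: str
    identifier: str  # drawn from the union of telemetry source and policy identifiers


# Constructed identifier sets; "edr-agent" is in both, so the union has 3 members.
TELEMETRY_SOURCE_IDS = {"edr-agent", "mail-gateway"}
CONTROL_POLICY_IDS = {"baseline-policy", "edr-agent"}

# Constructed sets making up the product.
ATTACK_GROUPS = ("group_a", "group_b")
TECHNIQUES = ("credential_dumping", "phishing_attachment", "brute_force")
MITIGATIONS = ("credential_guard", "attachment_sandboxing", "account_lockout")
TOOLS = ("endpoint_agent", "mail_gateway", "identity_provider")

# Constructed relations used to select the meaningful rows of the product.
GROUP_USES = {
    "group_a": {"credential_dumping", "brute_force"},
    "group_b": {"phishing_attachment"},
}
MITIGATES = {
    "credential_guard": {"credential_dumping"},
    "attachment_sandboxing": {"phishing_attachment"},
    "account_lockout": {"brute_force"},
}
IMPLEMENTS = {
    "endpoint_agent": {"credential_guard"},
    "mail_gateway": {"attachment_sandboxing"},
    "identity_provider": {"account_lockout"},
}


def identifier_union(telemetry_ids, policy_ids):
    """Union of telemetry data source identifiers and control policy identifiers."""
    return frozenset(telemetry_ids) | frozenset(policy_ids)


def build_superset(groups, techniques, mitigations, tools, identifiers):
    """Cartesian product of the five sets: one row per combination."""
    return [SupersetRow(*combo) for combo in
            itertools.product(groups, techniques, mitigations, tools, sorted(identifiers))]


def consistent(row):
    """A row is consistent when the group uses the technique, the mitigation
    protects against that technique and the tool implements the mitigation."""
    return (row.technique in GROUP_USES.get(row.group, ())
            and row.technique in MITIGATES.get(row.mitigation, ())
            and row.mitigation in IMPLEMENTS.get(row.tool, ()))


def readiness(superset, group, mitigation_scores):
    """Answer a query on the readiness of the controls against one attack
    group: the techniques it uses, the mitigations protecting against them,
    the tools implementing those mitigations, and each tool's mitigation
    score (None where no score has been determined yet)."""
    rows = [r for r in superset if r.group == group and consistent(r)]
    tools = {r.tool for r in rows}
    return {
        "group": group,
        "techniques": {r.technique for r in rows},
        "mitigations": {r.mitigation for r in rows},
        "tools": tools,
        "scores": {tool: mitigation_scores.get(tool) for tool in sorted(tools)},
    }


# Constructed mitigation scores (percentage of detected events prevented).
SAMPLE_SCORES = {"endpoint_agent": 75.0, "identity_provider": 50.0, "mail_gateway": 100.0}


def example_superset():
    ids = identifier_union(TELEMETRY_SOURCE_IDS, CONTROL_POLICY_IDS)
    return build_superset(ATTACK_GROUPS, TECHNIQUES, MITIGATIONS, TOOLS, ids)


if __name__ == "__main__":
    superset = example_superset()
    print(f"{len(superset)} rows in the attack controls superset")
    print(readiness(superset, "group_a", SAMPLE_SCORES))
```

The product is materialised in full here because that is what the claim recites; with realistic set sizes a practitioner would instead generate rows lazily or store only the consistent ones, since the consistent rows are the only ones the readiness query ever returns.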

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZHIMEI ZHU whose telephone number is (571)270-7990. The examiner can normally be reached 10am-6pm Monday-Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/ZHIMEI ZHU/Examiner, Art Unit 2495