Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
This is a reply to the application filed on 11/25/2020, in which claims 1-20 are pending. Claims 1 and 13 are independent.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 09/27/2021 and 02/11/2022, has been reviewed. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, the examiner is considering the information disclosure statement.
The information disclosure statement (IDS) submitted on 11/25/2020 and 11/25/2020, has been reviewed. The submission fails to comply with 37 CFR 1.98(a)(2), which requires a legible copy of each cited foreign patent document; each non-patent literature publication or that portion which caused it to be listed; and all other information or that portion which caused it to be listed. It has been placed in the application file, but the information referred to therein has not been considered.

Drawings
The drawings filed on 11/25/2020 are accepted by the examiner.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees.  A nonstatutory double patenting rejection is appropriate where the claims at issue are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the reference application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO internet Web site contains terminal disclaimer forms which may be used.  Please visit http://www.uspto.gov/forms/.  The filing date of the application will determine what form should be used.  A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission.  For more information about eTerminal Disclaimers, refer to http://www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.  
Claims 1-20 are non-provisionally rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over:
          Claims 1-26 of Patent 10,855,718.

Although the conflicting claims are not identical, they are not patentably distinct from each other because claims 1-20 are anticipated by claims 1-26 of Patent 10,855,718.
Patent No. 10,855,718 (16/042,283)
Claim 1. A method comprising:
identifying, by an advisement system executing on a server in a computing environment comprising a plurality of computing assets, an incident associated with a computing asset of the plurality of computing assets;
determining a classification for the computing asset, wherein the classification for the computing asset is determined based on data indicating that the computing asset is associated with more incoming network connections than outgoing network connections, wherein the data is collected prior to the identification of the incident, and wherein the classification is selected from a set of classifications including: a target asset, a source asset, or an infrastructure asset;
determining a response to the incident based on the classification, wherein the response includes one or more actions; and
implementing, by the advisement system, the one or more actions to respond to the incident.

Instant Application No. (17/104,537)
Claim 1. A computer-implemented method comprising:
identifying, by an advisement system executing on a server in a computing environment comprising a plurality of computing assets, an incident associated with a computing asset of the plurality of computing assets;
determining a classification for the computing asset, wherein the classification for the computing asset is determined based on data indicating that the computing asset is associated with more outgoing network connections than incoming network connections, and wherein the data is collected prior to the identification of the incident;
determining a response to the incident based on the classification, wherein the response includes one or more actions; and
implementing, by the advisement system, the one or more actions to respond to the incident.



Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Cabrera et al. (US 2015/0381641 A1, cited by the applicant in the 11/25/2020 IDS) in view of Martinez et al. (US 2014/0137257 A1, cited by the applicant in the 11/25/2020 IDS) further in view of Qureshi et al. (US 2014/0007222 A1).
Regarding Claims 1 and 13, Cabrera discloses
identifying, by an advisement system executing on a server in a computing environment comprising a plurality of computing assets, an incident associated with a computing asset of the plurality of computing assets ([0053], “if the regional asset management computing environment 121 determines (i.e. identifies) the activities associated with one or more user accounts or profiles poses a potential security threat to the application 124, the regional asset management computing environment 121 can be configured to notify the central asset management computing environment 110, or other computing environments, of the potential security threat”); 
and wherein the data is collected prior to the identification of the incident ([0047], “The central asset management computing environment 110 maintains a table, database, or other data structure of prior operating characteristics, patterns, events”, i.e. data is collected prior to the incident); 
determining a response to the incident, wherein the response includes one or more actions ([0053], “to notify the central asset management computing environment 110, or other computing environments, of the potential security threat to enable the central asset management computing environment 110 to take remedial action” as to initiating a response to the security threat); and 
implementing, by the advisement system, the one or more actions to respond to the incident ([0070], “applies the rules defined by the local security threat policy 317 to take appropriate course of action against the potential security threat”).  
Cabrera does not explicitly teach but Martinez teaches 
determining a classification for the computing asset ([0088], “Assets are classified”).
Cabrera and Martinez are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to identify an incident with an asset and determine a response to the incident (as disclosed by Cabrera) based on asset classification (as taught by Martinez). The motivation/suggestion would have been to identify and prioritize critical assets, cyber threats, and cyber vulnerabilities for operational technology (OT) infrastructures in critical sectors (Cabrera, [0008]).
The combined teaching of Cabrera and Martinez does not explicitly teach but Qureshi teaches 
data indicating that the computing asset is associated with more outgoing network connections than incoming network connections ([0340], “device receives much fewer incoming network connections than it generates outgoing connections”).
Cabrera, Martinez and Qureshi are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to identify an incident with an asset and determine a response to the incident based on asset classification (as taught by the combined teaching of Cabrera and Martinez) based on asset data with more outgoing network connections (as taught by Qureshi). The motivation/suggestion would have been to protect the enterprise system from security threats and vulnerabilities (Qureshi, [0219]).

Regarding Claims 2 and 14, the combined teaching of Cabrera, Martinez and Qureshi teaches
obtaining supplemental information related to the incident from a website or a database (Cabrera, [0043], “an event (as supplemental information related to the security threat) that is associated with a potential security threat”, “an event is defined in terms of one or more patterns of operational characteristics associated with a virtual asset and or an application” from websites and/or databases); and 
wherein determining the response to the incident is further based on the supplemental information (Cabrera, [0070], “to take appropriate course of action against the potential security threat”).

Regarding Claims 3 and 15, the combined teaching of Cabrera, Martinez and Qureshi teaches
wherein identifying the incident associated with the computing asset comprises obtaining a notification of the incident, wherein the notification includes a network address, a domain name, or a process name associated with the incident (Cabrera, [0043], “receives a notification of an event that is associated with a potential security threat”, [0053], “An example of a suspicious operational characteristic of the application 124 can include the detection of a user account or profile that requests information from the application 124 and forwards the information to an IP address within the third geographic region 140”), and wherein the method further comprises: 
obtaining supplemental information related to the incident from a website or a database based on the notification (Cabrera, [0043], “an event (as supplemental information related to the security threat) that is associated with a potential security threat”, “an event is defined in terms of one or more patterns of operational characteristics associated with a virtual asset and or an application” from websites and/or databases such as [0064], “a regional security threat database”); and 
wherein determining the response to the incident is further based on the supplemental information (Cabrera, [0070], “to take appropriate course of action against the potential security threat”).

Regarding Claims 4 and 16, the combined teaching of Cabrera, Martinez and Qureshi teaches
determining a criticality rating for the computing asset (Martinez, [0083], “to classify assets into critical, critical-cyber and non-critical (as a criticality rating) according to the level of criticality”); and 
wherein determining the response to the incident is further based on the criticality rating for the computing asset (Cabrera, [0070], “to take appropriate course of action against the potential security threat”, Martinez, [0083]).

Regarding Claims 5 and 17, the combined teaching of Cabrera, Martinez and Qureshi teaches
determining data accessible to the computing asset (Martinez, [0088], “gathering pre-VARM data to evaluate a baseline security”); 
determining a criticality rating for the computing asset based on the data accessible to the computing asset (Martinez, [0083], “to classify assets into critical, critical-cyber and non-critical (as a criticality rating) according to the level of criticality”, [0088], “setting a scope and objectives and gathering pre-VARM data to evaluate a baseline security… Customer data is gathered…and processed”); and 
wherein determining the response to the incident is further based on the criticality rating for the computing asset (Cabrera, [0070], Martinez, [0083]).

Regarding Claims 6 and 18, the combined teaching of Cabrera, Martinez and Qureshi teaches
wherein the classification is a first classification, wherein a second classification of the computing asset comprises a role for the computing asset in association with the incident, and wherein the response to the incident is determined based on the first classification and the second classification (Martinez, [0083], “to classify assets into critical, critical-cyber and non-critical (as a criticality rating) according to the level of criticality”, [0088], “setting a scope and objectives and gathering pre-VARM data to evaluate a baseline security… Customer (as a role for the computing asset) data is gathered…and processed”, Cabrera, [0070]).  

Regarding Claims 7 and 19, the combined teaching of Cabrera, Martinez and Qureshi teaches
wherein the classification is a first classification, wherein a second classification of the computing asset comprises a role for the computing asset in association with the incident, wherein the role for the computing asset is determined based on communication traits of the computing asset in association with the incident, and wherein the response to the incident is determined based on the first classification and the second classification (Martinez, [0083], “to classify assets into critical, critical-cyber and non-critical (as a criticality rating) according to the level of criticality”, [0088], “setting a scope and objectives and gathering pre-VARM data to evaluate a baseline security… Customer (as a role for the computing asset) data is gathered…and processed”, [0061], “to gather data from the customer. This data will be gathered from a customer asset data database or will have to be created. Both cyber and physical assets are considered”, as communication traits of the computing asset, Cabrera, [0070]).  

Regarding Claims 8 and 20, the combined teaching of Cabrera, Martinez and Qureshi teaches
wherein the classification is one of: a target asset, a source asset, or an infrastructure asset (Martinez, [0053], “A critical asset is defined as an infrastructure component”).

Regarding Claim 9, the combined teaching of Cabrera, Martinez and Qureshi teaches
wherein the incident is a first incident, the computing asset is a first computing asset, the classification is a first classification, the data is first data, and the response is a first response (refer to claim 1 rejections), and wherein the method further comprises: 
identifying a second incident associated with a second computing asset of the plurality of computing assets (Cabrera, [0043], “indicates a (second) potential security threat can be defined by a pattern of increased user traffic to one instance of an application”);
determining a second classification for the second computing asset (Martinez, [0083], “to classify assets into critical, critical-cyber and non-critical according to the level of criticality”), wherein the second classification for the second computing asset is determined based on second data indicating that the second computing asset is associated with more incoming network connections than outgoing network connections (Cabrera, [0043], “indicates a potential security threat can be defined by a pattern of increased user traffic to one instance of an application (i.e. more incoming network connections) in one geographic region”); 
determining a second response to the second incident based on the second classification; and implementing, by the advisement system, the second response (Cabrera, [0053], [0070], Martinez, [0083], “to classify assets into critical, critical-cyber and non-critical according to the level of criticality”).  

Regarding Claim 10, the combined teaching of Cabrera, Martinez and Qureshi teaches
wherein the response comprises one or more action recommendations (Cabrera, [0053], “to enable the central asset management computing environment 110 to take remedial action, such as to notify the user associated with the user account, suspend account privileges/activities, notify a tenant of the virtual asset 123, and/or notify one or more security personnel of the flag computing activities”), and wherein the method further comprises: 
causing display of the one or more action recommendations (Martinez, [0157], “displays the resulting risk level”, “allows users to see a list of possible mitigation response processes” as the one or more action recommendations); and 
receiving input selecting the one or more actions from the one or more action recommendations (Martinez, [0157], “allows users to select a set of mitigation response processes”).

Regarding Claim 11, the combined teaching of Cabrera, Martinez and Qureshi teaches
wherein the computing asset comprises a virtual computing element or a physical computing element (Cabrera, [0043], “virtual assets and/or applications”).

Regarding Claim 12, the combined teaching of Cabrera, Martinez and Qureshi teaches
wherein identifying the incident associated with the computing asset comprises obtaining a notification of the incident (Cabrera, [0043], “receives notifications of potential security threats against the virtual assets and/or applications”) from a security information and event management (SIEM) system (Martinez, [0259], “The security information and event management (SIEM) system”).


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHENG-FENG HUANG whose telephone number is (571)272-6186. The examiner can normally be reached Monday-Friday: 9 am - 5 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni A Shiferaw can be reached on (571) 272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/CHENG-FENG HUANG/Primary Examiner, Art Unit 2497