DETAILED ACTION
 	Claims 1, 6, 9, 13, 15-17, 19, 21-22, 26, 31, 34, 38, 40-42, 45-46 and 50 are pending. Claims 2-5, 7-8, 10-12, 14, 18, 20, 23-25, 27-30, 32-33, 35-37, 39, 43-44 and 47-49 are canceled. This is in response to the application filed on November 21, 2019 which claims priority to a foreign application filed on May 23, 2017.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

Claims 1, 9, 13, 21, 26, 38, 45 and 50 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Patent 9,558,677 (hereinafter Sadeh-Koniecpol).
 	Regarding claim 1, Sadeh-Koniecpol discloses a system comprising a log generator, the log generator comprising a processor, the processor configured to: 
generate, for each attack training scenario of one or more attack training scenarios, one or more fictitious log files identifiable by an Operational Log Monitoring System (OLMS) of an organization as log files of one or more Operational Information Technology (IT) Systems (OITSs) of the organization, each fictitious log file comprising one or more log entries identifiable by the OLMS as evidence of an attack, on at least one OITS of the OITSs, wherein the attack is defined by the attack training scenario; and provide the fictitious log files to the OLMS, thereby causing the OLMS to analyze the fictitious log files, identify the evidence, and generate one or more alerts of the attacks (col. 11-12 discloses a training system (e.g. an organization of OITSs) generating different mock attack types (e.g. fictitious log files). Fig. 3 and col. 24 - col. 26, line 52 provides training examples for different types of mock-attack data where the user received a training intervention (e.g. alert) after the user failed to identify a mock attack).
 	Regarding claim 9, Sadeh-Koniecpol discloses wherein the alerts are provided to one or more security analysts of the organization for training purposes (col. 9, lines 48-54 and col. 10, lines 40-43 discloses a system administrator, via administrator client, providing the training interventions when user(s) fail a mock attack training. Col. 15, lines 66 discloses there can be more than one administrator client). 

 	Regarding claim 13, Sadeh-Koniecpol discloses wherein the provide includes placing the fictitious log files in a first location monitored by the OLMS (col. 17, lines 63-67) or in a second location accessible by a connector of the OLMS, the connector configured to collect and parse the fictitious log files of a given OITS of the OITSs. 
	 Regarding claim 21, Sadeh-Koniecpol discloses a Security Incident Response System (SIRS), the SIRS configured to:
 	receive the alerts from the OLMS; provide the alerts to the security analysts; provide, to the security analysts, one or more suggested actions in response to the alerts; receive at least one instruction, from the security analysts, based on the suggested actions (as presented in claims 1 and 9, the administrator provides the intervention, but in reality a policy manager is the one issuing the intervention selected from the training interventions database 22 shown in Fig. 2 (col. 8, lines 45-54). The administrator carries out the intervention to the user. Hence, the policy manager can be viewed as the SIRS);
 	perform the instruction on the OITS in a first mode of the SIRS, being a live mode, and not performing the instruction on the OITS in a second mode, being a training mode (col. 17, lines 13-34 disclose that the mock attack is in real time, not in training mode, because a user who knows the system is in training mode may not respond the same way as a user who does not know they are being tested).
 	Regarding claim 26, Sadeh-Koniecpol discloses a method comprising: generating, by a processor, for each attack training scenario of one or more attack training scenarios, one or more fictitious log files identifiable by an Operational Log Monitoring System (OLMS) of an organization as log files of one or more Operational Information Technology (IT) Systems (OITSs) of the organization, each fictitious log file comprising one or more log entries identifiable by the OLMS as evidence of an attack, on at least one OITS of the OITSs, wherein the attack is defined by the attack training scenario; and providing, by the processor, the fictitious log files to the OLMS, thereby causing the OLMS to analyze the fictitious log files, identify the evidence, and generate one or more alerts of the attacks (see claim 1 rejection).
 	Regarding claim 38, Sadeh-Koniecpol discloses wherein the providing includes placing the fictitious log files in a first location monitored by the OLMS or in a second location accessible by a connector of the OLMS, the connector configured to collect and parse the fictitious log files of a given OITS of the OITSs (see claim 13 rejection).
 	Regarding claim 45, Sadeh-Koniecpol discloses providing a Security Incident Response System (SIRS), the SIRS configured to: receive the alerts from the OLMS; provide the alerts to the security analysts; provide, to the security analysts, one or more suggested actions in response to the alerts; receive at least one instruction, from the security analysts, based on the suggested actions; and perform the instruction on the OITS in a first mode of the SIRS, being a live mode, and not performing the instruction on the OITS in a second mode, being a training mode (see claim 21 rejection).
 	Regarding claim 50, Sadeh-Koniecpol discloses a non-transitory computer readable storage medium having computer readable program code embodied therewith, the computer readable program code, executable by at least one processor of a computer to perform a method comprising: generating, for each attack training scenario of one or more attack training scenarios, one or more fictitious log files identifiable by an Operational Log Monitoring System (OLMS) of an organization as log files of one or more Operational Information Technology (IT) Systems (OITSs) of the organization, each fictitious log file comprising one or more log entries identifiable by the OLMS as evidence of an attack, on at least one OITS of the OITSs, wherein the attack is defined by the attack training scenario; and providing the fictitious log files to the OLMS, thereby causing the OLMS to analyze the fictitious log files, identify the evidence, and generate one or more alerts of the attacks (see claim 1 rejection).

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 6, 15-16, 19, 22, 31, 34, 40-41 and 46 are rejected under 35 U.S.C. 103 as being unpatentable over Sadeh-Koniecpol in view of KR1460589B1 (hereinafter Jeon)
 	Regarding claim 6, Sadeh-Koniecpol discloses each type of attack, such as email phishing, URL browsing, etc., but not a current version for each corresponding type of attack, that is, the limitation wherein the processor is further configured to receive information identifying each OITS of the OITSs for which the fictitious log files are generated, the information including at least a type and a current version of the corresponding OITS, and wherein the fictitious log files are generated based on the received information. Jeon discloses cyber training attacks that use version simulation, in which a control server provides different versions for the simulation environment corresponding to the configuration of the network trainings, such as DDoS (Distributed Denial of Service), APT (Advanced Persistent Threat), etc. (see Figs. 1-2 and related text on col. 7 - col. 9). Therefore, it would have been obvious before the effective filing date of the claimed invention to modify Sadeh-Koniecpol with Jeon to further teach the above recited features. One would have done so to improve the training simulation as disclosed in Jeon (Abstract).

 	Regarding claim 15, the combination of Sadeh-Koniecpol and Jeon discloses comprising one or more TRaining IT Systems (TRITSs), wherein (a) each TRITS is a copy of a corresponding OITS of the OITSs (Jeon, Figs. 1-2 and related text discloses performing the training in a virtual environment (e.g. TRITS) for each version of mock data), and (b) at least one of the TRITS comprises attack evidence indicative of the attack, thereby enabling the security analysts to investigate the attack evidence (Sadeh-Koniecpol discloses that the policy manager analyzes various types of data, based on the attack that the user failed, to generate the intervention (col. 8, lines 45-67)).
 	Regarding claim 16, the combination of Sadeh-Koniecpol and Jeon discloses an assessment system configured to calculate a grade for at least one of the security analysts, based on one or more actions performed on the TRITS by the security analyst and on expected actions defined by a Security Operation Center (SOC) manager of the organization (Jeon discloses a score can be given to either attacker or defender (e.g. the administrator in Sadeh-Koniecpol that provides the intervention) (see where Jeon discloses “…if…there is malware files on a virtual server or production server, the server checks the version control exercises between the unique code that is given in advance to log the data type for the content (100) is transmitted to. In this case, the attacker is reflected on the score by a predetermined score value on the basis of the log data. As another example, the network utilization is 70% or more (a successful attack state) or below (defense is successful state) to check and control server version simulation between the unique code is assigned in advance to the log data with respect to the form that the check information (100) is transmitted to. If found to be a successful attack, the attacker's reflected in the score, if defense is found to be successful, the defender will be reflected in the score.”)). Therefore, it would have been obvious before the effective filing date of the claimed invention to modify Sadeh-Koniecpol with Jeon to further teach the above recited features. One would have done so to improve the training simulation by evaluating not only the user or attacker but also the administrator, for how effective the solution provided by the administrator is.
 	Regarding claim 19, the combination of Sadeh-Koniecpol and Jeon discloses wherein the TRITSs are installed on an isolated environment, isolated from the OITSs environment, and wherein the TRITS can be accessed by the security analysts through a one directional connection (Jeon provides training in a virtual environment and scores are obtained by a training system server but does not disclose whether the test environment can get information from the training system server that calculates the scores).
 	Regarding claim 22, the combination of Sadeh-Koniecpol and Jeon discloses an assessment system configured to calculate a grade for at least one of the security analysts, based on the at least instruction and on expected instructions provided by a Security Operation Center (SOC) manager of the organization (see claim 16 rejection).
 	Regarding claim 31, the combination of Sadeh-Koniecpol and Jeon discloses receiving, by the processor, information identifying each OITS of the OITSs for which the fictitious log files are generated, the information including at least a type and a current version of the corresponding OITS, and wherein the fictitious log files are generated based on the received information (see claim 6 rejection).
 	Regarding claim 34, Sadeh-Koniecpol discloses wherein the alerts are provided to one or more security analysts of the organization for training purposes (see claim 9 rejection).
 	Regarding claim 40, the combination of Sadeh-Koniecpol and Jeon discloses providing one or more TRaining IT Systems (TRITSs), wherein (a) each TRITS is a copy of a corresponding OITS of the OITSs, and (b) at least one of the TRITS comprises attack evidence indicative of the attack, thereby enabling the security analysts to investigate the attack evidence (see claim 15 rejection).
 	Regarding claim 41, the combination of Sadeh-Koniecpol and Jeon discloses providing an assessment system configured to calculate a grade for at least one of the security analysts, based on one or more actions performed on the TRITS by the security analyst and on expected actions defined by a Security Operation Center (SOC) manager of the organization (see claim 16 rejection).
 	Regarding claim 46, the combination of Sadeh-Koniecpol and Jeon discloses providing an assessment system configured to calculate a grade for at least one of the security analysts, based on the at least instruction and on expected instructions provided by a Security Operation Center (SOC) manager of the organization (see claim 22 rejection).

Allowable Subject Matter
Claims 17 and 42 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
inquiry communication
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TRI M TRAN whose telephone number is (571)270-1994. The examiner can normally be reached Mon-Fri: 9am-5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Nickerson can be reached on (469)295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/TRI M TRAN/Primary Examiner, Art Unit 2432