DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1, 4, 5, 8, 11, 12, 15, 18 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Risoldi et al. (U.S. Patent Application Publication No. 20200311630 A1), in view of Nhlabatsi et al. (U.S. Patent Application Publication No. 20200351295 A1).

Regarding claim 1, Risoldi discloses A computer-implemented method for security of enterprise networks (Par. [0027], The ARM 110 evaluates risk on a variety of scales to comprehensively contextualize the risk of the enterprise system, allowing fine-grained risk visualization.), the method being executed by one or more processors and comprising: 
receiving analytical attack graph (AAG) data representative of one or more AAGs (Par. [0068], The ARM 110 retrieves 415 data for the assets of the identified asset topography from the database 150. The ARM 110 determines 420 likelihood scores and impact scores for the assets. The ARM 110 constructs 425 a model attack graph for the asset topography and calculates 430 risk scores for the assets), each AAG representing one or more lateral paths between configuration items (Par. [0066], FIG. 3 includes a model attack graph 300 illustrating an asset topology including a CMO, an endpoint, an intranet server, and a crown jewel application server. The model attack graph 300 includes various paths that could be taken during an attack.) within an enterprise network (Par. [0066], The ARM 110 simulates threat scenarios affecting assets of the enterprise system 140);
determining that at least one process risk value exceeds a threshold process risk value (Par. [0042], The application server 130 may specifically generate user interfaces detailing the risk scores of third-party vendors, and send alerts (e.g., to managers of the ARM 110) when the risk scores of third-party vendors reach or exceed a threshold risk score value.), and in response, adjusting one or more security controls within the enterprise network (Par. [0082], The application server 130 displays a list of targeted recommendations for a particular asset on the particular asset's panel. In this way, controls for addressing vulnerabilities may be automatically collected, analyzed, and recommended, with prioritization of high-risk vulnerabilities that have breached the threshold for the measure of effectiveness for the respective control. In some embodiments, some or all of the recommendations (Recommendations are listed in par. [0081]) may be automatically implemented. For example, security patches may be automatically applied to a system.).
Risoldi discloses a method of using attack graphs to generate risk scores. The method adjusts one or more security controls based on a determination that the risk scores exceed a certain threshold. Risoldi fails to disclose the particular methods of calculating risk scores for configuration items.
However, Nhlabatsi teaches calculating, for each configuration item in a set of configuration items, a process risk value for each impact in a set of impacts achievable within the configuration item (Par. [0030], The example risk evaluation system 104 may also include a risk calculator 160 configured to generate relevant threat sets 162, 164 for each vulnerability 142, 144 of each component 112, 114, 116 and to calculate a component risk 170 for each component 112, 114, 116 based on its relevant threat set 162, 164.), for a first impact, a first process risk value being calculated based on a multi-path formula in response to determining that multiple paths in the AAG lead to the first impact (Par. [0048], In some embodiments, as an attacker 302 advances through a path, each successful compromise of a component 112, 114, 116 constitutes a risk of that component 112, 114, 116. Thus, in such embodiments, the path risk 172 for all relevant threats 132, 134, 136, 138 is a sum of all the component risks 170 of each component 112, 114, 116 in the path and may be calculated by Equation 6 below), and, for a second impact, a second process risk value being calculated based on a single-path formula (Par. [0048], The path risk 172 may also be calculated from a subset of threats 132, 134, 136, 138 in one or more relevant threat sets 162, 164, for example, from Equation 7 below.) in response to determining that a single path in the AAG leads to the second impact (Par. [0058], The example screen 600 may also include a section for all of the possible path risks 172 for a selected component 112, 114, 116. For example, in the illustrated embodiment, because the authentication server 308 is the selected component 112, 114, 116 as stated above, the path risk 172 is shown of the only possible path an attacker 302 could take to reach the authentication server 308 (i.e., 302-306-308). An attacker 302 could not reach the authentication server 308 through the database server 312 in the illustrated embodiment because, as indicated by the model, there is not a connection from the database server 312 to the authentication server 308.));
Risoldi and Nhlabatsi are considered analogous references to the claimed invention as they both pertain to a method of calculating risk scores for components of a network based on attack graphs. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Risoldi using the method of calculating risks by aggregating the risk scores of components along an attack path as taught by Nhlabatsi. Such modifications will take into consideration the vulnerabilities of all components along an attack path leading to a particular impact and help adjust security controls accordingly.

Regarding claim 4, the combination of Risoldi and Nhlabatsi teaches the method of claim 1. Risoldi further discloses wherein adjusting one or more security controls within the enterprise network comprises implementing at least one security control (Par. [0081], Recommendations may each include a control to implement to address the respective vulnerability, which may come with respective measures of effectiveness and messages to display using the user interface). (Par. [0082], In some embodiments, some or all of the recommendations may be automatically implemented. For example, security patches may be automatically applied to a system.).

Regarding claim 5, the combination of Risoldi and Nhlabatsi teaches the method of claim 1. 
Risoldi further discloses wherein adjusting one or more security controls within the enterprise network comprises one or more of rolling back at least one security control of the one or more security controls and implementing at least one additional security control (Par. [0081], Recommendations may each include a control to implement to address the respective vulnerability, which may come with respective measures of effectiveness and messages to display using the user interface). (Par. [0082], In some embodiments, some or all of the recommendations may be automatically implemented. For example, security patches may be automatically applied to a system.).
  
Regarding claim 8, Risoldi discloses One or more non-transitory computer-readable storage media coupled to one or more processors and having instructions stored thereon which, when executed by the one or more processors (Par. [0067], FIG. 6 is a block diagram illustrating components of an example machine able to read instructions from a machine-readable medium and execute them in a processor (or controller).), cause the one or more processors to perform operations for security of enterprise networks (Par. [0027], The ARM 110 evaluates risk on a variety of scales to comprehensively contextualize the risk of the enterprise system, allowing fine-grained risk visualization.), the operations comprising: 
receiving analytical attack graph (AAG) data representative of one or more AAGs (Par. [0068], The ARM 110 retrieves 415 data for the assets of the identified asset topography from the database 150. The ARM 110 determines 420 likelihood scores and impact scores for the assets. The ARM 110 constructs 425 a model attack graph for the asset topography and calculates 430 risk scores for the assets), each AAG representing one or more lateral paths between configuration items (Par. [0066], FIG. 3 includes a model attack graph 300 illustrating an asset topology including a CMO, an endpoint, an intranet server, and a crown jewel application server. The model attack graph 300 includes various paths that could be taken during an attack.) within an enterprise network (Par. [0066], The ARM 110 simulates threat scenarios affecting assets of the enterprise system 140);
determining that at least one process risk value exceeds a threshold process risk value (Par. [0042], The application server 130 may specifically generate user interfaces detailing the risk scores of third-party vendors, and send alerts (e.g., to managers of the ARM 110) when the risk scores of third-party vendors reach or exceed a threshold risk score value.), and in response, adjusting one or more security controls within the enterprise network (Par. [0082], The application server 130 displays a list of targeted recommendations for a particular asset on the particular asset's panel. In this way, controls for addressing vulnerabilities may be automatically collected, analyzed, and recommended, with prioritization of high-risk vulnerabilities that have breached the threshold for the measure of effectiveness for the respective control. In some embodiments, some or all of the recommendations (Recommendations are listed in par. [0081]) may be automatically implemented. For example, security patches may be automatically applied to a system.).
Risoldi discloses a method of using attack graphs to generate risk scores. The method adjusts one or more security controls based on a determination that the risk scores exceed a certain threshold. Risoldi fails to disclose the particular methods of calculating risk scores for configuration items.
However, Nhlabatsi teaches calculating, for each configuration item in a set of configuration items, a process risk value for each impact in a set of impacts achievable within the configuration item (Par. [0030], The example risk evaluation system 104 may also include a risk calculator 160 configured to generate relevant threat sets 162, 164 for each vulnerability 142, 144 of each component 112, 114, 116 and to calculate a component risk 170 for each component 112, 114, 116 based on its relevant threat set 162, 164.), for a first impact, a first process risk value being calculated based on a multi-path formula in response to determining that multiple paths in the AAG lead to the first impact (Par. [0048], In some embodiments, as an attacker 302 advances through a path, each successful compromise of a component 112, 114, 116 constitutes a risk of that component 112, 114, 116. Thus, in such embodiments, the path risk 172 for all relevant threats 132, 134, 136, 138 is a sum of all the component risks 170 of each component 112, 114, 116 in the path and may be calculated by Equation 6 below), and, for a second impact, a second process risk value being calculated based on a single-path formula (Par. [0048], The path risk 172 may also be calculated from a subset of threats 132, 134, 136, 138 in one or more relevant threat sets 162, 164, for example, from Equation 7 below.) in response to determining that a single path in the AAG leads to the second impact (Par. [0058], The example screen 600 may also include a section for all of the possible path risks 172 for a selected component 112, 114, 116. For example, in the illustrated embodiment, because the authentication server 308 is the selected component 112, 114, 116 as stated above, the path risk 172 is shown of the only possible path an attacker 302 could take to reach the authentication server 308 (i.e., 302-306-308). An attacker 302 could not reach the authentication server 308 through the database server 312 in the illustrated embodiment because, as indicated by the model, there is not a connection from the database server 312 to the authentication server 308.));
Risoldi and Nhlabatsi are considered analogous references to the claimed invention as they both pertain to a method of calculating risk scores for components of a network based on attack graphs. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Risoldi using the method of calculating risks by aggregating the risk scores of components along an attack path as taught by Nhlabatsi. Such modifications will take into consideration the vulnerabilities of all components along an attack path leading to a particular impact and help adjust security controls accordingly.

Regarding claim 15, Risoldi discloses A system, comprising:
 one or more processors (fig. 6, block 602); and 
a computer-readable storage device coupled to the one or more processors and having instructions stored thereon which, when executed by the one or more processors (Par. [0067], FIG. 6 is a block diagram illustrating components of an example machine able to read instructions from a machine-readable medium and execute them in a processor (or controller).), cause the one or more processors to perform operations for security of enterprise networks (Par. [0027], The ARM 110 evaluates risk on a variety of scales to comprehensively contextualize the risk of the enterprise system, allowing fine-grained risk visualization.), the operations comprising: 
receiving analytical attack graph (AAG) data representative of one or more AAGs (Par. [0068], The ARM 110 retrieves 415 data for the assets of the identified asset topography from the database 150. The ARM 110 determines 420 likelihood scores and impact scores for the assets. The ARM 110 constructs 425 a model attack graph for the asset topography and calculates 430 risk scores for the assets), each AAG representing one or more lateral paths between configuration items (Par. [0066], FIG. 3 includes a model attack graph 300 illustrating an asset topology including a CMO, an endpoint, an intranet server, and a crown jewel application server. The model attack graph 300 includes various paths that could be taken during an attack.) within an enterprise network (Par. [0066], The ARM 110 simulates threat scenarios affecting assets of the enterprise system 140);
determining that at least one process risk value exceeds a threshold process risk value (Par. [0042], The application server 130 may specifically generate user interfaces detailing the risk scores of third-party vendors, and send alerts (e.g., to managers of the ARM 110) when the risk scores of third-party vendors reach or exceed a threshold risk score value.), and in response, adjusting one or more security controls within the enterprise network (Par. [0082], The application server 130 displays a list of targeted recommendations for a particular asset on the particular asset's panel. In this way, controls for addressing vulnerabilities may be automatically collected, analyzed, and recommended, with prioritization of high-risk vulnerabilities that have breached the threshold for the measure of effectiveness for the respective control. In some embodiments, some or all of the recommendations (Recommendations are listed in par. [0081]) may be automatically implemented. For example, security patches may be automatically applied to a system.).
Risoldi discloses a method of using attack graphs to generate risk scores. The method adjusts one or more security controls based on a determination that the risk scores exceed a certain threshold. Risoldi fails to disclose the particular methods of calculating risk scores for configuration items.
However, Nhlabatsi teaches calculating, for each configuration item in a set of configuration items, a process risk value for each impact in a set of impacts achievable within the configuration item (Par. [0030], The example risk evaluation system 104 may also include a risk calculator 160 configured to generate relevant threat sets 162, 164 for each vulnerability 142, 144 of each component 112, 114, 116 and to calculate a component risk 170 for each component 112, 114, 116 based on its relevant threat set 162, 164.), for a first impact, a first process risk value being calculated based on a multi-path formula in response to determining that multiple paths in the AAG lead to the first impact (Par. [0048], In some embodiments, as an attacker 302 advances through a path, each successful compromise of a component 112, 114, 116 constitutes a risk of that component 112, 114, 116. Thus, in such embodiments, the path risk 172 for all relevant threats 132, 134, 136, 138 is a sum of all the component risks 170 of each component 112, 114, 116 in the path and may be calculated by Equation 6 below), and, for a second impact, a second process risk value being calculated based on a single-path formula (Par. [0048], The path risk 172 may also be calculated from a subset of threats 132, 134, 136, 138 in one or more relevant threat sets 162, 164, for example, from Equation 7 below.) in response to determining that a single path in the AAG leads to the second impact (Par. [0058], The example screen 600 may also include a section for all of the possible path risks 172 for a selected component 112, 114, 116. For example, in the illustrated embodiment, because the authentication server 308 is the selected component 112, 114, 116 as stated above, the path risk 172 is shown of the only possible path an attacker 302 could take to reach the authentication server 308 (i.e., 302-306-308). An attacker 302 could not reach the authentication server 308 through the database server 312 in the illustrated embodiment because, as indicated by the model, there is not a connection from the database server 312 to the authentication server 308.));
Risoldi and Nhlabatsi are considered analogous references to the claimed invention as they both pertain to a method of calculating risk scores for components of a network based on attack graphs. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Risoldi using the method of calculating risks by aggregating the risk scores of components along an attack path as taught by Nhlabatsi. Such modifications will take into consideration the vulnerabilities of all components along an attack path leading to a particular impact and help adjust security controls accordingly.

Apparatus claim 11 relates to the apparatus using the method as claimed in method claim 4. Therefore, apparatus claim 11 is rejected for the same reason of obviousness as claim 4.
Apparatus claim 12 relates to the apparatus using the method as claimed in method claim 5. Therefore, apparatus claim 12 is rejected for the same reason of obviousness as claim 5.
System claim 18 relates to the system using the method as claimed in method claim 4. Therefore, system claim 18 is rejected for the same reason of obviousness as claim 4.
System claim 19 relates to the system using the method as claimed in method claim 5. Therefore, system claim 19 is rejected for the same reason of obviousness as claim 6.

Claims 6, 13 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Risoldi in view of Nhlabatsi and further in view of Levy et al. (U.S. Patent Application Publication No. 20190319987 A1).

Regarding claim 6, the combination of Risoldi and Nhlabatsi teaches the method of claim 1. The combination teaches a method of implementing security controls, but fails to teach a method of measuring the effectiveness of the implemented security controls.
However, Levy teaches wherein the one or more security controls (Par. [0217], As shown in step 1708, the method 1700 may include authenticating the user to the remote resource according to the authentication model selected in step 1706.) are determined to be ineffective in response to the process risk value one of remaining static and increasing after implementing the one or more security controls (Par. [0219], As shown in step 1712, the method 1700 may include updating the authentication model based on the updated risk scores. Based on the updated authentication model, the user's current authentication may or may not continue to be valid. Thus for example, when at least one of the first risk score and the second risk score increases such that it exceeds a threshold, the method may include deauthenticating the user and selecting a new authentication model (i.e. determined to be ineffective) for the user and the device based on the new risk scores.).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Risoldi and Nhlabatsi in claim 1 using the method of determining the ineffectiveness of security controls using risk scores as taught by Levy. Doing so will allow dynamic regulation of security controls using the risk scores (Levy, Par. [0219]).

Apparatus claim 13 relates to the apparatus using the method as claimed in method claim 6. Therefore, apparatus claim 13 is rejected for the same reason of obviousness as claim 6.

System claim 20 relates to the system using the method as claimed in method claim 6. Therefore, system claim 20 is rejected for the same reason of obviousness as claim 6.

Claims 7 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Risoldi in view of Nhlabatsi and further in view of Berger et al. (U.S. Patent No. 11283824 B1), hereinafter Berger.

Regarding claim 7, the combination of Risoldi and Nhlabatsi teaches the method of claim 1. Risoldi in the combination teaches security controls that will be automatically implemented based on calculated risk scores. The combination fails to teach one or more security controls provided in ISO/IEC 27001 as part of the security controls.
However, Berger teaches wherein the one or more security controls comprise one or more security controls provided in ISO/IEC 27001 (Col. 15, lines 4-12, In one specific non-limiting embodiment, a cybersecurity framework may be based at least partly on a standardized set of requirements, such as National Institute of Standards and Technology (“NIST”) 800-171, NIST 800-53, the Payment Card Industry Data Security Standard (“PCI DSS”), International Organization for Standardization/International Electrotechnical Commission (“ISO/IEC”) 27001, or the Center for Internet Security (“CIS”) Critical Security Controls.).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Risoldi and Nhlabatsi in claim 1 using the method of implementing one or more security controls provided in ISO/IEC 27001 as taught by Berger. Since these are standardized security controls, they will provide the obvious advantage of improving the security of the system.

Apparatus claim 14 relates to the apparatus using the method as claimed in method claim 7. Therefore, apparatus claim 14 is rejected for the same reason of obviousness as claim 7.

Allowable Subject Matter
Claims 2, 3, 9, 10, 16 and 17 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Akella (U.S Patent No. US 20210336981 A1) teaches a method of generating micro-an aggregate risk score for a device in a network using static and dynamic risk scores.
Lokamathe (U.S Patent No. 10601854 B2) teaches a method of identifying and mitigating risks in heterogeneous dynamic networks using attack tree.
 Any inquiry concerning this communication or earlier communications from the examiner should be directed to Dawit Woldemariam whose telephone number is (571)272-2560. The examiner can normally be reached on 7:30 AM - 5:00 PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge Ortiz-Criado, can be reached on (571)272-7624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).

/Dawit Woldemariam/
Art Unit 2496

/JORGE L ORTIZ CRIADO/Supervisory Patent Examiner, Art Unit 2496