Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

This action is in response to the claims filed 8/25/2020.  Claims 1-20 are pending.  Claims 1 (a machine), 8 (a non-transitory CRM), and 14 (a method) are independent.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. The claim(s) recite(s) mental process, i.e. “concepts performed in the human mind (including an observation, evaluation, judgement, opinion) (see MPEP § 2106.04(a)(2), subsection III)”.  MPEP 2106.04(a).  In other words, the limitations of the claims individually and as a structured whole dictate a method for observing and evaluating network assets, which was performed in human minds and on pen and paper prior to automated network analysis tools.  This judicial exception is not integrated into a practical application because the claims themselves merely “apply” a mental process to be performed on a computer and do not integrate the mental process into a practical application under the analysis discussed in MPEP 2106.04(d). The claim(s) does/do not include additional elements that are sufficient to amount to significantly more than the judicial exception because, with the exception of a processor and memory, all of the elements of the claim are mental processes.  Thus, the claim merely applies the mental process to be performed within a computer, MPEP 2106.05.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1, 2, 8, 9, 14, and 15 is/are rejected under 35 U.S.C. 103 as being unpatentable over Williams et al. US 2005/0257267 (filed 2004).
	As to claims 1, 8, and 14, Williams discloses a machine/CRM/method comprising:
identify one or more computing assets within a network; (“The audit server 12 also includes a scan harness 212 …. used for conducting network topology discovery, specialized checks for difficult-to-locate vulnerabilities and policy violations” Williams ¶ 106. See also ¶ 61)
determine one or more classifications for each of the one or more computing assets; (“Host groups represent selections of hosts from disparate networks that are grouped for performing audits and policy analysis.” Williams ¶ 193, see also ¶¶ 194, 205)
generate an asset library comprising a list of the one or more computing assets (“the topology analytic engine 200 generates a target file based on the map file. The target file includes a subset of the information in the map file, such as, for example, a list of IP addresses associated with the active hosts. The target file is stored locally in the audit server 12, and used by the scan harness 212 to scan the live hosts during an audit session.” Williams ¶ 116 topology information. See ¶¶ 110-115. “Network groups represent clusters of networks that are grouped for performing audits and policy analysis.” Williams ¶ 204) and the one or more classifications;  (“FIG. 26 is a screen shot of an exemplary GUI for generating host groups according to one embodiment of the invention.” Williams ¶ 193)
identify a network topology based on the one or more computing assets within the asset library; (“the topology analytic engine 200 generates a target file based on the map file. The target file includes a subset of the information in the map file, such as, for example, a list of IP addresses associated with the active hosts. The target file is stored locally in the audit server 12, and used by the scan harness 212 to scan the live hosts during an audit session.” Williams ¶ 116 topology information. See ¶¶ 110-115)
identify a first set of compromise vectors (“The policy library 42 may further include policies for detecting other network vulnerabilities as well as specialized policies developed for the particular network.” Williams ¶ 77) associated with the one or more classifications of the one or more computing assets; and (“The compliance document 340 includes the results of applying a policy template identified by a policy identifier 350, to one or more host devices in the audited network 16. The results 342 of applying one or more rules to a particular host are encapsulated by <rule_results> 350 and </rule_results> 352 tags. Each result 342 includes a rule identifier 352, severity indicator 354, rule category type 356, host identifier 348, and network group 358. Each result 342 further includes a description 344 of the rule that is being applied, and a solution 346 associated with the rule.” Williams ¶ 155)
generate a first set of recommended actions, the first set of recommended actions comprising one or more remediation steps associated with the first set of compromise vectors. (“the P&V engine automatically makes recommendations for improving the security of the overall network. This may be done, for example, by generating a remediation task 501 for a policy or vulnerability rule violation noted in the compliance document 340. Information on the generated remediation task may also be displayed in one or more reports 500.” Williams ¶ 150. See also ¶ 158)

Williams does not disclose:
a memory device with computer-readable program code stored thereon; 
a communication device; and 
a processing device operatively coupled to the memory device and the communication device, wherein the processing device is configured to execute the computer-readable program code to: 

However, Williams is clearly a computer implemented invention as it is shown operating on a network, see Figure 1.  A person of ordinary skill in the art before the effective filing date of the claimed invention would have modified Williams by implementing the system of Williams on physical hardware using programming instructions stored in memory.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Williams in order to implement the system of Williams using the necessary computing components required to run software that interfaces with a network. 

As to claims 2, 9, and 15, Williams discloses the machine/CRM/method of claims 1, 8, and 14 and further discloses: 
(“Audits that are configured with a recurring schedule are run indefinitely, according to the specified date parameters, until the audit schedule is altered or removed.” Williams ¶ 209. “FIG. 35 is a screen shot of a GUI for re-analyzing a scan result according to one embodiment of the invention. This may be desirable if the user wants to initiate an analysis of a scan result for which no policies were initially configured. Even if a policy was initially selected during the configuration process, invocation of the re-analyze audit results function may be desirable if the user wants to apply additional policies to the scan result.” Williams ¶ 212) detect a shift in a condition associated with the one or more computing assets; (see Williams Figure 26, add a new host group, where the host group is a classification.)
dynamically update the one or more classifications based on the shift in the condition associated with the one or more computing assets; (see Williams Figure 26, add a new host group, where the host group is a classification.)
identify a second set of compromise vectors associated with the one or more classifications of the one or more computing assets; and (“The compliance document 340 includes the results of applying a policy template identified by a policy identifier 350, to one or more host devices in the audited network 16. The results 342 of applying one or more rules to a particular host are encapsulated by <rule_results> 350 and </rule_results> 352 tags. Each result 342 includes a rule identifier 352, severity indicator 354, rule category type 356, host identifier 348, and network group 358. Each result 342 further includes a description 344 of the rule that is being applied, and a solution 346 associated with the rule.” Williams ¶ 155. Performing a new audit with a new host group.)
generate a second set of recommended actions, the second set of recommended actions comprising one or more remediation steps associated with the second set of compromise vectors. (“the P&V engine automatically makes recommendations for improving the security of the overall network. This may be done, for example, by generating a remediation task 501 for a policy or vulnerability rule violation noted in the compliance document 340. Information on the generated remediation task may also be displayed in one or more reports 500.” Williams ¶ 150. See also ¶ 158. Performing a new audit with a new host group.)


Claim(s) 3, 10, and 16 is/are rejected under 35 U.S.C. 103 as being unpatentable over Williams et al. US 2005/0257267 (filed 2004), in view of Miettinen et al., US 2012/0185910 (filed 2011).
As to claims 3, 10, and 16, Williams discloses the machine/CRM/method of claims 2, 9, and 15 but does not disclose:
wherein the shift in the condition associated with the one or more computing assets comprises a change in geographic location of the one or more computing assets, wherein the second set of compromise vectors are associated with the change in geographic location of the one or more computing assets.

Miettinen discloses:
wherein the shift in the condition associated with the one or more computing assets comprises a change in geographic location (“a UE 101 can utilize sensors such as a global positioning system (GPS) to access GPS satellites 113 to determine context information (e.g., the location of the user)” Miettinen ¶ 42) of the one or more computing assets, (“As used herein, the term “safety score” represents a value assigned to a given context, situation, and/or place that represents a perceived or sensed level of security risk associated with the context,” Miettinen ¶ 43) wherein the second set of compromise vectors are associated with the change in geographic location of the one or more computing assets. (“As soon as the user leaves the safe place, e.g. leaves the office to commute home, the device notices this from the change in the context and determines that the device is in a less safe environment.” Miettinen ¶ 129. See also Miettinen ¶¶ 54, 103).

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Williams with Miettinen by utilizing the location based context of Miettinen as a component of the policy validation of Williams.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Williams with Miettinen in order to maintain an appropriate level of security for devices in particular contexts or locations, Miettinen ¶ 1.

Claim(s) 4, 11, and 17 is/are rejected under 35 U.S.C. 103 as being unpatentable over Williams et al. US 2005/0257267 (filed 2004), in view of Sheridan et al., US 2020/0137102 (filed 2011).
As to claims 4, 11, and 17, Williams discloses the machine/CRM/method of claims 1, 8, and 14 but does not disclose:
wherein determining the one or more classifications for each of the one or more computing assets is based on one or more characteristics of the one or more computing assets, the one or more characteristics comprising at least one of operating system, geographic location, and hardware configuration. 

Sheridan discloses:
wherein determining the one or more classifications for each of the one or more computing assets is based on one or more characteristics of the one or more computing assets, (“at 530, the management system assigns one or more criticality scores to the one or more assets based on (i) the one or more attributes of one or more assets, and (ii) the criticality rules table.” Sheridan ¶ 66) the one or more characteristics comprising at least one of operating system (see Sheridan Table 1, rules 9-12, OS types.), geographic location, and hardware configuration. (See Sheridan Table 1, rules 25-27, 32-34, hardware types.)

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Williams with Sheridan by including the criticality rules table and assigned criticalities of Sheridan in the policies of Williams.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Williams with Sheridan in order to provide asset type specific vulnerability assessments for ease of network management, Sheridan ¶ 3.

Claim(s) 5-7, 12, 13, and 18-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Williams et al. US 2005/0257267 (filed 2004), in view of Ranum et al., US 2014/0013434 (filed 2011).
As to claims 5, 12, and 18, Williams discloses the machine/CRM/method of claims 1, 8, and 14 but does not disclose:
wherein the one or more remediation steps associated with the first set of compromise vectors comprises isolating, from the network, the one or more computing assets.

Ranum discloses:
wherein the one or more remediation steps associated with the first set of compromise vectors comprises isolating, from the network, the one or more computing assets. (“in response to operation 535 detecting potential botnet participation in the network and/or operation 550 reporting potential botnet behavior based on monitored network activity and system processes, an operation 560 may attempt to isolate any internal hosts that may be have been recruited or otherwise co-opted into the botnet participation and further isolate the network from any external hosts associated with the botnet (e.g., to prevent the botnet from spreading malicious data throughout the network or otherwise using the network to spread malicious data to conduct illicit activities).” Ranum ¶ 79. See Ranum Figure 5)

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Williams with Ranum by including the virus/bot detection of Ranum Figure 5 in the system of Williams.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Williams with Ranum in order to complement the system of Williams with a detection-based (Williams ¶ 65) system that uses active and passive vulnerability discovery to identify malicious data in the network (Ranum ¶ 9).

As to claims 6, 13, and 19, Williams discloses the machine/CRM/method of claims but does not disclose:
wherein the one or more remediation steps associated with the first set of compromise vectors comprises updating antivirus definitions of the one or more computing assets.

Ranum discloses:
wherein the one or more remediation steps associated with the first set of compromise vectors comprises updating antivirus definitions of the one or more computing assets. (“an operation 470 may then audit and harden malware defenses in the network to strengthen protection against malware infections. …. operation 470 may install current virus signatures associated with the BitDefender anti-virus product on the host to ensure that the appropriate protection level will be provided.” Ranum ¶ 67, see Figure 4.)

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Williams with Ranum by including the virus/bot detection and remediation of Ranum Figure 4 in the system of Williams.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Williams with Ranum in order to complement the system of Williams with a detection-based (Williams ¶ 65) system that uses active and passive vulnerability discovery to identify malicious data in the network (Ranum ¶ 9).

As to claims 7 and 20, Williams discloses the machine/method of claims 1 and 14 but does not disclose:
wherein the first set of compromise vectors comprises a computer virus.

Ranum discloses:
wherein the first set of compromise vectors comprises a computer virus. (“an operation 435 may then receive a response to the query from the cloud database, wherein the response may identify any files or enumerated processes that have cryptographic hashes matching hashes or signatures associated with known malicious code. Accordingly, leveraging all known malware hashes or signatures aggregated on the cloud database in operations 430 may enable operation 435 to detect malware across multiple anti-virus vendor technologies” Ranum ¶ 60, see Figure 4.)

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Williams with Ranum by including the virus/bot detection and remediation of Ranum Figure 4 in the system of Williams.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Williams with Ranum in order to complement the system of Williams with a detection-based (Williams ¶ 65) system that uses active and passive vulnerability discovery to identify malicious data in the network (Ranum ¶ 9).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See PTO-892, particularly:
Shurtleff et al., US 2020/0162503, discloses a system for monitoring, remediating and displaying vulnerabilities in an IOT network. 
Kurtz et al., US 2003/0217039, discloses network vulnerability detection and reporting.



Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL W CHAO whose telephone number is (571)272-5165. The examiner can normally be reached M, W-F 8-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar, can be reached at (571) 272-4006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/MICHAEL W CHAO/Examiner, Art Unit 2492