DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Amendment
The Amendment filed on August 11, 2022 has been entered. Claims 1 and 9 were amended. Claims 2-5 and 10-11 were canceled. No claims were added. As a result, claims 1, 6-9, and 12-20 are pending, of which claims 1, 9 and 17 are in independent form.

Response to Arguments
In view of the remarks, submitted on August 11, 2022, applicant’s arguments have been carefully and respectfully considered but are not persuasive. 

On pages 11 and 12 of the remarks, the applicant argues that the cited references do not appear to teach or suggest the claim elements “a second computer-enabled software tool that identifies mitigation and recovery actions against the adversarial cybersecurity-related activities based on the pattern analysis in order to protect the software and hardware nodes from being compromised by the present and future adversarial, as claimed”. However, the examiner is relying on the Bulut reference to teach “a second computer-enabled software tool that identifies mitigation and recovery actions against the adversarial cybersecurity-related activities based on the pattern analysis in order to protect the software and hardware nodes from being compromised by the present and future adversarial, as claimed” (Bulut, Para. 0034, patches can be developed and transmitted to and/or received by the machines to fix or mitigate machine vulnerabilities. Patches can be rated in terms of vulnerability and impact the patch can have on a fix).

The applicant argues that the examiner points to the tool of Bulut while stating that McNamee teaches “a sensor that collects data of adversarial cybersecurity-related activities posed against software and hardware nodes in the computer network”. However, the examiner is relying on the McNamee reference to teach “a sensor that collects data of adversarial cybersecurity-related activities posed against software and hardware nodes in the computer network” and contends:
Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Chari and Bulut to incorporate the teachings of McNamee to include a sensor that collects data of adversarial cybersecurity-related activities posed against software and hardware nodes in the computer network (McNamee, Fig. 7, Para. 0065); a processor that: aggregates the data (McNamee, Para. 0008). Doing so would aid to focus on who and what are being attacked rather than detecting evidence of infection and are not designed to inform the end-user that an infection has been detected (McNamee, Para. 0004).

The section that the applicant extracted from the office action is not the correct citation. The correct citation is stated above.
On page 13 of the remarks, the applicant refers to Hosotani’s teaching; however, there is no reference relying on Hosotani in the office action.

Regarding the combination of Chari with respect to claims 1, 9, and 17, it is applicant’s opinion that adding the Bulut and McNamee references provide no reasonable combination. However, a person of ordinary skill is also a person of ordinary creativity, not an automaton, and in many cases will be able to fit the teachings of multiple patents together like pieces of a puzzle. Furthermore, “The test for obviousness is not whether the feature of secondary reference may be bodily incorporated into the structure of the primary reference…Rather, the test is what the combined teachings of those references would have suggested to those of ordinary skill in the art”. In the instant case, Bulut and McNamee provide additional information that would suggest a modification of Chari.
Therefore, the Applicant’s argument is not persuasive. Thus, the examiner maintains the rejection under 35 USC § 103.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 6-8 are rejected under 35 U.S.C. 103 as being unpatentable over Chari et al. (US 2018/0330103 A1) in view of Bulut et al. (US 2019/0102548 A1) and further in view of McNamee et al. (US 2010/0154059 A1).

In regards to claim 1, Chari discloses a system for providing cybersecurity resilience for a computer network, the system comprising:
and performs pattern analysis of the aggregated data by (i) analyzing data relationships of the adversarial cybersecurity-related activities (Chari, Para. 0095, set of components of the regulated service and edges between nodes representing relationships between related components in the set of components based on the vulnerability and risk metrics corresponding to each component in the set of components (step 614)), and (ii) identifying the software and hardware nodes in the computer network that are vulnerable to the adversarial cybersecurity-related activities (Chari, Para. 0072, in the attack graph based on the vulnerability and risk metrics and the sensitivity, integrity, and criticality ranks identified above for each component of the regulated service);
a first computer-enabled software tool that predicts current actions and intentions of adversarial intruders that are a source of the adversarial cybersecurity-related activities in the computer network by assessing an impact of present and future adversarial cybersecurity-related activities that will compromise the software and hardware nodes in the computer network based on the pattern analysis wherein said pattern analysis utilizes Markov Chain analysis or Dirichlet distribution functions (Chari, Fig. 5, Para. 0082, Illustrative embodiments also may generate multi-step attack paths, where illustrative embodiments connect one vulnerability to another vulnerability. Such a path containing two or more edges, such as, for example, edge1, edge2, and edge3, represents a potential attack where an attacker needs to exploit the vulnerability of edge1, then the vulnerability of edge2, and then the vulnerability of edge3 to compromise the component represented by the destination node of edge3 and Paras. 89-91, note Chari does not explicitly utilize Markov Chain analysis; however, the attack graph in Fig. 5 includes nodes that represent a state such as node 508, and edge 518 indicates that an action corresponding to node 522 (i.e., completing analysis on the virtual machine); and wherein the pattern analysis comprises any of artificial intelligence, machine learning, and graph thinking (Chari, Para. 0091, attack graph 500 also includes AND edge 518 between node 520 and node 522. AND edge 518 indicates that an action corresponding to node 522 (i.e., completing analysis on the virtual machine) is to be carried out prior to carrying out an action corresponding to node 520 (i.e., accessing the virtual machine)) and wherein the first computer-enabled software tool mimics operational activities of the adversarial intruders that are the source of the adversarial cybersecurity-related activities in the computer network (Chari, Para. 0095, attack graph 232 in FIG. 2 or attack graph 500 in FIG. 5. Further, the computer calculates a level of compromise ability of sensitive data in the set of sensitive data for each component represented by a node in the attack graph based on the vulnerability and risk metrics corresponding to each respective component and edge paths between nodes of related components (step 616)) and wherein the processor creates a graphical representation of a data path containing the adversarial cybersecurity-related activities in the computer network using the data relationships of the adversarial cybersecurity-related activities (Chari, Para. 0095, the computer generates an attack graph that includes nodes representing components in the set of components of the regulated service and edges between nodes representing relationships between related components in the set of components based on the vulnerability and risk metrics corresponding to each component in the set of components (step 614)).
Chari fails to disclose a second computer-enabled software tool that identifies mitigation and recovery actions against the adversarial cybersecurity-related activities based on the pattern analysis in order to protect the software and hardware nodes from being compromised by the present and future adversarial cybersecurity-related activities and to recover the software and hardware nodes that have been compromised and wherein the mitigation and recovery actions identified by the second computer-enabled software tool comprises any of preventive action and recovery action against an occurrence and spread of the adversarial cybersecurity-related activities to the software and hardware nodes in the computer network.
However, Bulut teaches a second computer-enabled software tool that identifies mitigation and recovery actions against the adversarial cybersecurity-related activities based on the pattern analysis in order to protect the software and hardware nodes from being compromised by the present (Bulut, Para. 0034, if a specific physical machine has a CVE of ten, then a patch with a rating of ten can be applied to the physical machine to mitigate a vulnerability) and future adversarial cybersecurity-related activities and to recover the software and hardware nodes that have been compromised (Bulut, Para. 0043, wherein the learning component 310 can analyze previous risks and input data received from the remote workstation device 316 to predict future risks or vulnerabilities to the server devices) and wherein the mitigation and recovery actions identified by the second computer-enabled software tool comprises any of preventive action and recovery action against an occurrence and spread of the adversarial cybersecurity-related activities to the software and hardware nodes in the computer network (Bulut, Para. 0006, the computer executable components of the system can also comprise a learning component that analyzes risk data associated with a previous risk received from a workstation device, resulting in a risk prediction and Para. 0007, patch a server group to mitigate a vulnerability of the first server device and a second server device).
Chari and Bulut are both considered to be analogous to the claimed invention because they are in the same field of monitoring a computer network for assessing and preventing a cybersecurity activity posed against the hardware and software nodes of the network. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Chari to incorporate the teachings of Bulut to include a second computer-enabled software tool that identifies mitigation and recovery actions against the adversarial cybersecurity-related activities based on the pattern analysis in order to protect the software and hardware nodes from being compromised by the present (Bulut, Para. 0034) and future adversarial cybersecurity-related activities and to recover the software and hardware nodes that have been compromised (Bulut, Para. 0043) wherein the mitigation and recovery actions identified by the second computer-enabled software tool comprises any of preventive action and recovery action against an occurrence and spread of the adversarial cybersecurity-related activities to the software and hardware nodes in the computer network (Bulut, Para. 0006). Doing so would help to aid machines operating within the same environment to benefit from the same software patch (e.g., patch group) to mitigate common vulnerabilities. For example, an application can be executed on multiple servers. Thus, a webserver, a database, and/or a cache, can run an application on multiple servers or different physical machines, which can increase vulnerability to malware, viruses, attacks, etc. Because some machines can share common vulnerabilities, grouping the machines together and applying a patch to the group can create a better defense and/or security against common vulnerabilities, as opposed to patching the machines one at a time (Bulut, Para. 0026).
Chari and Bulut fail to disclose a sensor that collects data of adversarial cybersecurity-related activities posed against software and hardware nodes in the computer network; a processor that: aggregates the data;
However, McNamee teaches a sensor that collects data of adversarial cybersecurity-related activities posed against software and hardware nodes in the computer network (McNamee, Fig. 7, Para. 0065, each group of network sensors may forward the detailed alerts to one of a plurality of aggregators 206a, 206b and 206c. Each aggregator can forward the summary alerts to the reporting infrastructure);
a processor that: aggregates the data (McNamee, Para. 0008, an apparatus for aggregating a plurality of alerts associated with one or more client computers coupled to a network); Chari and Bulut are both considered to be analogous to the claimed invention because they are in the same field of detecting cybersecurity attack against the nodes in the connected network, such as internet, and identifying remedy and recovery against the cybersecurity attack. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Chari and Bulut to incorporate the teachings of McNamee to include a sensor that collects data of adversarial cybersecurity-related activities posed against software and hardware nodes in the computer network (McNamee, Fig. 7, Para. 0065); a processor that: aggregates the data (McNamee, Para. 0008). Doing so would aid to focus on who and what are being attacked rather than detecting evidence of infection and are not designed to inform the end-user that an infection has been detected (McNamee, Para. 0004).

In regards to claim 6, the system of claim 5, the combination of Chari, Bulut and McNamee teaches wherein the data relationships comprise local and global causality relationships and dependencies in context-specific environments involved with the adversarial cybersecurity-related activities associated with the software and hardware nodes in the computer network that are of interest (Chari, Figs. 3 and 5), wherein the software and hardware nodes in the computer network that are of interest are identified as vertices of the graphical representation of the data path (Chari, Fig. 5), and wherein the local and global causality relationships and dependencies comprise edges of the graphical representation of the data path (Chari, Para. 0089, Attack graph 500 also includes a plurality of edges, such as edges 252 in FIG. 2, which connect related nodes. In addition, the edges may include labels, such as labels 254 in FIG. 2).

In regards to claim 7, the system of claim 5, the combination of Chari, Bulut and McNamee teaches wherein the processor utilizes a recurrent neural network that estimates which of the software and hardware nodes within a selected range of connectivity have been subjected to the adversarial cybersecurity-related activities based on any of: detected adversarial cybersecurity-related activities on any of the software and hardware nodes within the selected range of connectivity (Bulut, Para. 0043, the learning algorithm can then use the aforementioned data to determine if the same or similar malware attack can occur on the physical machine 104 and share the same or similar patch with a grouped physical machine 106), and predicted adversarial cybersecurity-related activities based on any of: cybersecurity alerts generated by the sensor; vulnerability scanning reports stored in memory and retrieved by the processor; data analytic reports stored in memory and retrieved by the processor; and machine learning of operational attributes of the software and hardware nodes in the computer network (Bulut, Para. 0006, the computer executable components of the system can also comprise a learning component that analyzes risk data associated with a previous risk received from a workstation device, resulting in a risk prediction).
Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Chari to incorporate the teachings of Bulut to include wherein the processor utilizes a recurrent neural network that estimates which of the software and hardware nodes within a selected range of connectivity have been subjected to the adversarial cybersecurity-related activities based on any of: detected adversarial cybersecurity-related activities on any of the software and hardware nodes within the selected range of connectivity (Bulut, Para. 0043), and predicted adversarial cybersecurity-related activities based on any of: cybersecurity alerts generated by the sensor; vulnerability scanning reports stored in memory and retrieved by the processor; data analytic reports stored in memory and retrieved by the processor; and machine learning of operational attributes of the software and hardware nodes in the computer network (Bulut, Para. 0006). Doing so would help to enable convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, network bandwidth, servers, processing, memory, storage, applications, virtual machines, and services) that can be rapidly provisioned and released with minimal management effort or interaction with a provider of the service (Bulut, Para. 0025).

In regards to claim 8, the system of claim 1, the combination of Chari, Bulut and McNamee teaches wherein the first computer-enabled software tool is selected to perform actions either autonomously from, or collaboratively with, other first computer-enabled software tools that predict adversarial cybersecurity-related activities in the computer network based on the pattern analysis (Chari, Para. 0082, Illustrative embodiments also may generate multi-step attack paths, where illustrative embodiments connect one vulnerability to another vulnerability. Such a path containing two or more edges, such as, for example, edge1, edge2, and edge3, represents a potential attack where an attacker needs to exploit the vulnerability of edge1, then the vulnerability of edge2, and then the vulnerability of edge3 to compromise the component represented by the destination node of edge3), and wherein the second computer-enabled software tool is selected to perform actions either autonomously from, or collaboratively with, other second computer-enabled software tools that identify mitigation and recovery actions against the adversarial cybersecurity-related activities (Bulut, Para. 0033 and Para. 0034, if a specific physical machine has a CVE of ten, then a patch with a rating of ten can be applied to the physical machine to mitigate a vulnerability). Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Chari to incorporate the teachings of Bulut to include wherein the second computer-enabled software tool is selected to perform actions either autonomously from, or collaboratively with, other second computer-enabled software tools that identify mitigation and recovery actions against the adversarial cybersecurity-related activities (Bulut, Para. 0033 and Para. 0034).
Doing so would help to aid machines operating within the same environment to benefit from the same software patch (e.g., patch group) to mitigate common vulnerabilities. For example, an application can be executed on multiple servers. Thus, a webserver, a database, and/or a cache, can run an application on multiple servers or different physical machines, which can increase vulnerability to malware, viruses, attacks, etc. Because some machines can share common vulnerabilities, grouping the machines together and applying a patch to the group can create a better defense and/or security against common vulnerabilities, as opposed to patching the machines one at a time (Bulut, Para. 0026).

Claims 9, 12, 14-15, and 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over Chari et al. (US 2018/0330103 A1) in view of Bulut et al. (US 2019/0102548 A1).

In regards to claim 9, Chari discloses a method of providing cybersecurity resilience for a computer network, the method comprising: aggregating data of malware activities posed against software and hardware nodes in a computer network (Chari, Para. 0066, Aggregation of information regarding distributed components of the regulated service may include, for example, common vulnerabilities and exposures (CVE) identifiers; Common Vulnerability Scoring System (CVSS) scores, Confidentiality, Integrity, and Availability (CIA) ratings, data flow and control flow of each component); generating a graphical representation of data relationships of the malware activities associated with the software and hardware nodes in the computer network (Chari, Para. 0033, generating a data-centric attack graph representing components of the regulated service and propagating risk to related components along edge paths in the attack graph connecting related components); identifying the software and hardware nodes in the computer network that are vulnerable to the malware activities based on the data relationships activities (Chari, Para. 0072, in the attack graph based on the vulnerability and risk metrics and the sensitivity, integrity, and criticality ranks identified above for each component of the regulated service);
predicting current actions and intentions of adversarial intruders that are a source of the malware activities in the computer network by assessing an impact of present and future malware activities in the computer network based on the identified software and hardware nodes in the computer network that are vulnerable to the malware activities based on the data relationships (Chari, Para. 0082, Illustrative embodiments also may generate multi-step attack paths, where illustrative embodiments connect one vulnerability to another vulnerability. Such a path containing two or more edges, such as, for example, edge1, edge2, and edge3, represents a potential attack where an attacker needs to exploit the vulnerability of edge1, then the vulnerability of edge2, and then the vulnerability of edge3 to compromise the component represented by the destination node of edge3); and wherein the data relationships comprise any of data analytics, data temporal causality analysis, and data regression analysis (Chari, Para. 0091, attack graph 500 also includes AND edge 518 between node 520 and node 522. AND edge 518 indicates that an action corresponding to node 522 (i.e., completing analysis on the virtual machine) is to be carried out prior to carrying out an action corresponding to node 520 (i.e., accessing the virtual machine));
Chari fails to disclose identifying mitigation and recovery actions against the malware activities based on the data relationships in order to protect the software and hardware nodes from being compromised by the malware activities and to recover the software and hardware nodes that have been compromised by the malware activities and wherein the data comprises cyber sensor measurements for intrusion detection of the computer network, vulnerability scanning of the computer network, network traffic and monitoring of the computer network, and generated incident reports of the computer network.
However, Bulut teaches identifying mitigation and recovery actions against the malware activities based on the data relationships in order to protect the software and hardware nodes from being compromised by the malware activities (Bulut, Para. 0034, if a specific physical machine has a CVE of ten, then a patch with a rating of ten can be applied to the physical machine to mitigate a vulnerability) and to recover the software and hardware nodes that have been compromised by the malware activities (Bulut, Para. 0026, because some machines can share common vulnerabilities, grouping the machines together and applying a patch to the group can create a better defense and/or security against common vulnerabilities, as opposed to patching the machines one at a time) and wherein the data comprises cyber sensor measurements for intrusion detection of the computer network, vulnerability scanning of the computer network, network traffic and monitoring of the computer network, and generated incident reports of the computer network (Bulut, Para. 0042, if the control device 112 receives an indication that a physical machine 104, 106, 110 has experienced a reduction in performance, then the control device 112 can scan the physical machine 104, 106, 110 for an indication of malware). Chari and Bulut are both considered to be analogous to the claimed invention because they are in the same field of monitoring a computer network for assessing and preventing a cybersecurity activity posed against the hardware and software nodes of the network. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Chari to incorporate the teachings of Bulut to include identifying mitigation and recovery actions against the malware activities based on the data relationships in order to protect the software and hardware nodes from being compromised by the malware activities (Bulut, Para. 0034) and to recover the software and hardware nodes that have been compromised by the malware activities (Bulut, Para. 0026) and wherein the data comprises cyber sensor measurements for intrusion detection of the computer network, vulnerability scanning of the computer network, network traffic and monitoring of the computer network, and generated incident reports of the computer network (Bulut, Para. 0042).
Doing so would help to aid machines operating within the same environment to benefit from the same software patch (e.g., patch group) to mitigate common vulnerabilities. For example, an application can be executed on multiple servers. Thus, a web server, a database, and/or a cache, can run an application on multiple servers or different physical machines, which can increase vulnerability to malware, viruses, attacks, etc. Because some machines can share common vulnerabilities, grouping the machines together and applying a patch to the group can create a better defense and/or security against common vulnerabilities, as opposed to patching the machines one at a time (Bulut, Para. 0026).

In regards to claim 12, the method of claim 9, comprising: the combination of Chari and Bulut teaches determining key paths within the graphical representation containing the software and hardware nodes in the computer network that are vulnerable to the malware activities (Chari, Para. 0044, For example, input/output unit 212 may provide a connection for user input through a keypad, a keyboard, a mouse, and/or some other suitable input device); and providing malware infection labels on the graphical representation for the software and hardware nodes in the computer network that are predicted to be vulnerable to the malware activities (Chari, Para. 0081, illustrative embodiments may label an edge with a CVE identifier, a type of access or attack, such as remote, method used, such as remote shell, and the like).

In regards to claim 14, the method of claim 9, comprising: the combination of Chari and Bulut teaches generating a context-specific graphical representation containing nodes and edges representing software and hardware assets in the computer network (Chari, Para.0095, the computer generates an attack graph that includes nodes representing components in the set of components of the regulated service and edges between nodes representing relationships between related components in the set of components based on the vulnerability and risk metrics corresponding to each component in the set of components (step 614)); and labeling the nodes as being either known malware-infected labeled nodes or unknown malware-infected labeled nodes (Chari, Para. 0081, illustrative embodiments may label an edge with a CVE identifier, a type of access or attack, such as remote, method used, such as remote shell, and the like).

In regards to claim 15, the method of claim 14, the combination of Chari and Bulut teaches comprising predicting an infection status of nodes that are affected by malware infection propagation in the computer network (Chari, Para. 0110, the computer calculates a cumulative sensitive data risk for each node in the attack graph based on a propagated sensitive data risk along all incoming edge paths of a component and the local sensitive data risk corresponding to that particular component (step 906)).

In regards to claim 17, Chari discloses a machine-readable storage medium comprising computer-executable instructions that when executed by a computer cause a processor of the computer to (Chari, Para.0014): aggregate data of benign and malicious cybersecurity-related activities posed against software and hardware nodes in a computer network (Chari, Para.0066, Aggregation of information regarding distributed components of the regulated service may include, for example, common vulnerabilities and exposures (CVE) identifiers; Common Vulnerability Scoring System (CVSS) scores, Confidentiality, Integrity, and Availability (CIA) ratings, data flow and control flow of each component); identify the software and hardware nodes in the computer network that are vulnerable to malicious cybersecurity-related activities (Chari, Para.0072, in the attack graph based on the vulnerability and risk metrics and the sensitivity, integrity, and criticality ranks identified above for each component of the regulated service);
instruct a first computer-enabled software tool to predict current actions and intentions of adversarial intruders that are a source of the malicious cybersecurity-related activities by assessing an impact of present and future benign and malicious cybersecurity-related activities in the computer network based on a pattern analysis of the benign and malicious cybersecurity-related activities (Chari, Para. 0082, Illustrative embodiments also may generate multi-step attack paths, where illustrative embodiments connect one vulnerability to another vulnerability. Such a path containing two or more edges, such as, for example, edge1, edge2, and edge3, represents a potential attack where an attacker needs to exploit the vulnerability of edge1, then the vulnerability of edge2, and then the vulnerability of edge3 to compromise the component represented by the destination node of edge3); and
Chari fails to disclose instruct a second computer-enabled software tool to identify mitigation and recovery actions against the malicious cybersecurity-related activities that will compromise the software and hardware nodes in the computer network based on the pattern analysis.
However, Bulut teaches instruct a second computer-enabled software tool to identify mitigation and recovery actions against the malicious cybersecurity-related activities that will compromise the software and hardware nodes in the computer network based on the pattern analysis (Bulut, Para. 0034, if a specific physical machine has a CVE of ten, then a patch with a rating of ten can be applied to the physical machine to mitigate a vulnerability. Furthermore, the patches can be applied to software running in any environment, which is especially important for the cloud network 102, 108 operations because anyone can access the cloud). Chari and Bulut are both considered to be analogous to the claimed invention because they are in the same field of monitoring a computer network for assessing and preventing a cybersecurity activity posed against the hardware and software nodes of the network.
Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Chari to incorporate the teachings of Bulut to include instruct a second computer-enabled software tool to identify mitigation and recovery actions against the malicious cybersecurity-related activities that will compromise the software and hardware nodes in the computer network based on the pattern analysis (Bulut, Para. 0034). Doing so would help to aid machines operating within the same environment to benefit from the same software patch (e.g., patch group) to mitigate common vulnerabilities. For example, an application can be executed on multiple servers. Thus, a web server, a database, and/or a cache, can run an application on multiple servers or different physical machines, which can increase vulnerability to malware, viruses, attacks, etc. Because some machines can share common vulnerabilities, grouping the machines together and applying a patch to the group can create a better defense and/or security against common vulnerabilities, as opposed to patching the machines one at a time (Bulut, Para. 0026).

In regards to claim 18, the machine-readable storage medium of claim 17, the combination of Chari and Bulut teaches wherein the computer-executable instructions, when executed, further cause the processor to utilize any of logistic regression and partially-observable Markov decision processing to identify the software and hardware nodes in the computer network that are vulnerable to the malicious cybersecurity-related activities (Bulut, Para. 0044, for example, naive Bayes, Bayesian networks, decision trees, neural networks, fuzzy logic models, and probabilistic classification models providing different patterns of independence can be employed. Classification of risks in accordance with CVE numbers as used herein also may be inclusive of statistical regression that is utilized to develop models of priority).
Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Chari to incorporate the teachings of Bulut to include wherein the computer-executable instructions, when executed, further cause the processor to utilize any of logistic regression and partially-observable Markov decision processing to identify the software and hardware nodes in the computer network that are vulnerable to the malicious cybersecurity-related activities (Bulut, Para. 0044). Doing so would help to enable convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, network bandwidth, servers, processing, memory, storage, applications, virtual machines, and services) that can be rapidly provisioned and released with minimal management effort or interaction with a provider of the service (Bulut, Para. 0025).

In regards to claim 19, the machine-readable storage medium of claim 17, the combination of Chari and Bulut teaches wherein the computer-executable instructions, when executed, further cause the processor to train a long short-term memory network for performing machine learning to identify the software and hardware nodes in the computer network that are vulnerable to the malicious cybersecurity-related activities (Chari, Fig. 5 and Para. 0091, Attack graph 500 also includes AND edge 518 between node 520 and node 522. AND edge 518 indicates that an action corresponding to node 522 (i.e., completing analysis on the virtual machine)).

In regards to claim 20, the machine-readable storage medium of claim 17, the combination of Chari and Bulut teaches wherein the computer-executable instructions, when executed, further cause the processor to: create most-likely data patterns and relationships of the software and hardware nodes in the computer network that are vulnerable to the malicious cybersecurity-related activities (Chari, Para.0033, generating a data-centric attack graph representing components of the regulated service and propagating risk to related components along edge paths in the attack graph connecting related components); and create queries to search the data patterns and relationships to identify a cybersecurity environment associated with the software and hardware nodes in the computer network that are vulnerable to the malicious cybersecurity-related activities (Chari, Para. 0081, a user who can send an access request for sensitive data, and the like. Furthermore, illustrative embodiments generate an edge in the attack graph from node A to node X).

Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over Chari et al. (US 2018/0330103 A1) in view of Bulut et al. (US 2019/0102548 A1), and further in view of STOKES, III et al. (US 2018/0367548 A1).

In regards to claim 13, the method of claim 12, comprising: Chari in view of Bulut fails to teach determining connected components of the software and hardware nodes represented in the graphical representation at different time intervals; reshaping each graphical component by filtering unnecessary nodes and links; determining motifs to be searched for a specific context of a cybersecurity environment related to the computer network based on any of profiling and modeling of a context-specific environment of a target node in the computer network, wherein the target node comprises a central node in the graphical representation such that the k-hop neighbors of the central node are determined using a breadth-first search process; searching the motifs that represent the key paths and regions of each graphical representation; for nodes of motifs that have the malware infection labels, using a semi-supervised learning process and a neural network to predict the malware infection labels of other nodes at successive time intervals within a selected range of connectivity of the context-specific environment with selected software and hardware nodes and links; computing malware infection weights of the links in the motifs of a specific context; and predicting malware infection status labels of the nodes in the specific context.
However, STOKES teaches determining connected components of the software and hardware nodes represented in the graphical representation at different time intervals (STOKES, Para. 0045, Because paths are intended to model lateral movement across nodes within a network, several time constraints may be added to filter out impossible paths); reshaping each graphical component by filtering unnecessary nodes and links (STOKES, Para. 0058, at 230, nodes and/or paths may be filtered from the graph 173 to decrease the number of paths that are to be subsequently processed by the path-rate score module); determining motifs to be searched for a specific context of a cybersecurity environment related to the computer network based on any of profiling and modeling of a context-specific environment of a target node in the computer network (STOKES, Para. 0064, For inbound path analysis, search for other compromised computers which connect to the known infected computer (node G)), wherein the target node comprises a central node in the graphical representation such that the k-hop neighbors of the central node are determined using a breadth-first search process (STOKES, Para. 0064, for inbound path analysis, search for other compromised computers which connect to the known infected computer (node G). The connection can either be direct or indirect. A direct connection occurs between a computer which directly connects to the compromised computer (i.e., 1-hop away), such as nodes D, E, and F with respect to node G); searching the motifs that represent the key paths and regions of each graphical representation (STOKES, Fig. 5 and Para. 0073, one suspicious computer (node K) in the network has generated an alert indicating a potential remote file execution, a key component of lateral movement. The lateral movement path is recovered from rare paths which include the computer involved with the remote file execution detection); for nodes of motifs that have the malware infection labels (Fig. 5, Para. 0072, a network connection graph 500 useful for describing general detection with respect to tracking malicious lateral movement across a computer network), using a semi-supervised learning process and a neural network to predict the malware infection labels of other nodes at successive time intervals within a selected range of connectivity of the context-specific environment with selected software and hardware nodes and links (STOKES, Fig. 3, Para. 0041, number of hops in suspicious paths which can also be considered the desired sub pathlength. It has been determined that the number of K-hop paths in the network increases exponentially as K increases); computing malware infection weights of the links in the motifs of a specific context (STOKES, Para. 0069, 0070, with respect to FIG. 3, the paths in to compromised node G from nodes A, B, C, D, E, and F are analyzed as set forth above); and predicting malware infection status labels of the nodes in the specific context (STOKES, Fig. 3, Para. 0066, a known compromised node (denoted as node G) is discovered and the task is to identify the unknown compromised computers and user accounts (dashed nodes C, F, 1, L, and M) along the malicious access path (dashed lines)). Chari, Bulut and STOKES are all considered to be analogous to the claimed invention because they are in the same field of monitoring a computer network for assessing and preventing a cybersecurity activity posed against the hardware and software nodes of the network.
Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Chari and Bulut to incorporate the teachings of STOKES to include determining connected components of the software and hardware nodes represented in the graphical representation at different time intervals (STOKES, Para. 0045); reshaping each graphical component by filtering unnecessary nodes and links (STOKES, Para. 0058); determining motifs to be searched for a specific context of a cybersecurity environment related to the computer network based on any of profiling and modeling of a context-specific environment of a target node in the computer network (STOKES, Para. 0064), wherein the target node comprises a central node in the graphical representation such that the k-hop neighbors of the central node are determined using a breadth-first search process (STOKES, Para. 0064); searching the motifs that represent the key paths and regions of each graphical representation (STOKES, Fig. 5 and Para. 0073); for nodes of motifs that have the malware infection labels (Fig. 5, Para. 0072), using a semi-supervised learning process and a neural network to predict the malware infection labels of other nodes at successive time intervals within a selected range of connectivity of the context-specific environment with selected software and hardware nodes and links (STOKES, Fig. 3, Para. 0041); computing malware infection weights of the links in the motifs of a specific context (STOKES, Para. 0069, 0070); and predicting malware infection status labels of the nodes in the specific context (STOKES, Fig. 3, Para. 0066). Doing so would aid to identify potential malicious lateral movement paths. System and security events may be used to generate a network connection graph and detect remote file executions, for use in tracking malicious lateral movement across a computer network, such as a compromised computer network (STOKES, Para. 0005).

Claim 16 is rejected under 35 U.S.C. 103 as being unpatentable over Chari et al. (US 2018/0330103 A1) in view of Bulut et al. (US 2019/0102548 A1), and further in view of Mei et al. (US 2020/0162412 A1).

In regards to claim 16, the method of claim 15, comprising: Chari in view of Bulut fails to teach identifying a malware infection status label of all nodes that are denoted as being unknown malware-infected; identifying potential infection propagation paths from the known malware-infected labeled nodes to the unknown malware-infected labeled; computing infection propagation weights of the edges of the identified potential infection propagation paths, wherein an infection propagation weight of each edge equals a probability that a communication with malware infection can be established between two nodes of the edge; computing the infection propagation weights of the nodes of the identified potential infection propagation paths, wherein the infection propagation weight of each edge of the node equals a maximum average of incoming and outgoing infection propagation weights of the node; and determining whether the infection propagation weight of the node is greater than a selected infection probability.
However, Mei teaches identifying a malware infection status label of all nodes that are denoted as being unknown malware-infected (Mei, Para. 0039 and Para. 0040); identifying potential infection propagation paths from the known malware-infected labeled nodes to the unknown malware-infected labeled nodes (Mei, Para. 0027, attached and/or embedded digital graphics and images can be converted into input for the neural network and normalized if necessary); computing infection propagation weights of the edges of the identified potential infection propagation paths (Mei, Fig. 5, and Para. 0075, a “feed-forward” computation, where information propagates from input neurons 502 to the output neurons 506), wherein an infection propagation weight of each edge equals a probability that a communication with malware infection can be established between two nodes of the edge (Mei, Para. 0075, the error relative to the training data is then processed in “feed-back” computation, where the hidden neurons 504 and input neurons 502 receive information regarding the error propagating backward from the output neurons 506); computing the infection propagation weights of the nodes of the identified potential infection propagation paths (Mei, Fig. 5, and Para. 0075, a “feed-forward” computation), wherein the infection propagation weight of each edge of the node equals a maximum average of incoming and outgoing infection propagation weights of the node (Mei, Para. 0077, the current output by a given weight is determined as I=V/r, where V is the input voltage from the input neuron 602 and r is the set resistance of the weight 604); and determining whether the infection propagation weight of the node is greater than a selected infection probability (Mei, Para. 0075, once the backward error propagation has been completed, weight updates are performed, with the weighted connections 508 being updated to account for the received error).
Chari, Bulut and Mei are all considered to be analogous to the claimed invention because they are in the same field of monitoring a computer network for assessing and preventing a cybersecurity activity posed against the hardware and software nodes of the network. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Chari and Bulut to incorporate the teachings of Mei to include identifying a malware infection status label of all nodes that are denoted as being unknown malware-infected (Mei, Para. 0039 and Para. 0040); identifying potential infection propagation paths from the known malware-infected labeled nodes to the unknown malware-infected labeled nodes (Mei, Para. 0027); computing infection propagation weights of the edges of the identified potential infection propagation paths (Mei, Fig. 5, and Para. 0075), wherein an infection propagation weight of each edge equals a probability that a communication with malware infection can be established between two nodes of the edge (Mei, Para. 0075); computing the infection propagation weights of the nodes of the identified potential infection propagation paths (Mei, Fig. 5, and Para. 0075), wherein the infection propagation weight of each edge of the node equals a maximum average of incoming and outgoing infection propagation weights of the node (Mei, Para. 0077); and determining whether the infection propagation weight of the node is greater than a selected infection probability (Mei, Para. 0075). Doing so would aid the neural network to use such learning to determine if and when the contents of an electronic message are inappropriate or unsuited for the individual(s) or groups listed in the Addressee field of the electronic message (Mei, Para. 0017).

Conclusion
THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to GITA FARAMARZI whose telephone number is (571) 272-0248. The examiner can normally be reached 9:30 AM- 6:30 PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge L. Ortiz-Criado can be reached on (571) 272-7624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/G.F./
Examiner, Art Unit 2496

/JORGE L ORTIZ CRIADO/
Supervisory Patent Examiner, Art Unit 2496