DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
The amendment filed 7/7/2022 has been placed of record in the file.
Claims 1, 8, 10, 17, and 19 have been amended.
Claims 1-20 are pending.
The applicant’s arguments with respect to claims 1-20 have been considered but are moot in view of the following new grounds of rejection.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 8/10/2022 has been entered.

Claim Rejections - 35 USC § 103
7.	In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
8.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

9.	Claims 1, 4-10, and 13-19 are rejected under 35 U.S.C. 103 as being unpatentable over Carver et al. (U.S. Patent Application Publication Number 2015/0365438), hereinafter referred to as Carver, in view of Phillips et al. (U.S. Patent Application Publication Number 2006/0095965), hereinafter referred to as Phillips.
Carver disclosed techniques for automatically implementing a response to one or more security incidents.  In an analogous art, Phillips disclosed techniques for using security measures to protect computing devices in a network.  Both systems deal with protecting resources in a computing network.
Regarding claim 1, Carver discloses a computer-implemented method performed by an advisement computing system, the method comprising: receiving incident data indicating an occurrence of an incident involving a first computing asset of a plurality of computing assets of a networked computing environment (paragraph 48, security incident identified); obtaining relationship data indicating relationships among particular ones of the plurality of computing assets of the networked computing environment (paragraph 26, endpoints in communication with device); identifying a security action to be performed responsive to identification of the incident, wherein the security action is identified based in part on the relationship data (paragraph 50, response strategy selected), wherein the security action, when implemented, prevents the first computing asset from initiating communications with a second computing asset of the plurality of computing assets (paragraph 52, limits devices with which compromised computing device may communicate); and initiating implementation of the security action (paragraph 52, response strategy implemented).
Carver does not explicitly state wherein the security action, when implemented, does not prevent the first computing asset from receiving communications from the second computing asset, and wherein the security action, when implemented, further does not prevent the first computing asset from sending outbound data.  However, limiting network communications in such a fashion was well known in the art as evidenced by Phillips.  Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Carver by adding the ability that the security action, when implemented, prevents the first computing asset from initiating communications with a second computing asset of the plurality of computing assets, but does not prevent the first computing asset from receiving communications from the second computing asset, and that the security action, when implemented, further does not prevent the first computing asset from sending outbound data as provided by Phillips (see paragraph 69, blocks access to and from specific communication ports while permitting other activities to flow freely, and blocks activity initiated by particular device).  One of ordinary skill in the art would have recognized the benefit that providing protective measures in such a way would assist in securing a computer system against computer exploits according to the individual computer system’s needs (see Phillips, paragraph 21).
Regarding claim 4, the combination of Carver and Phillips discloses wherein the relationship data is based on network data obtained by software agents running in the networked computing environment (Carver, paragraph 13, software components).
Regarding claim 5, the combination of Carver and Phillips discloses wherein identifying the security action includes: identifying one or more suggested security actions to be supplied to an administrator, and identifying a selected security action by the administrator (Carver, paragraph 56, possible actions, and paragraph 57, operator selects possible action).
Regarding claim 6, the combination of Carver and Phillips discloses wherein identifying the incident in the first computing asset in the plurality of computing assets comprises receiving a notification of the incident in the first computing asset from a security information and event management (SIEM) (Carver, paragraph 38, SIEM).
Regarding claim 7, the combination of Carver and Phillips discloses wherein the security action includes at least one of: taking a snapshot of the first computing asset, segregating the first computing asset from other assets of the plurality of computing assets, removing an application executing on the first computing asset, or blocking a particular internet protocol address related to the incident (Carver, paragraph 27, taking snapshot, removing files, blocking communications, etc.).
Regarding claim 8, the combination of Carver and Phillips discloses maintaining a file hash blacklist on the second computing asset to prevent transfer of data associated with the incident to the second computing asset (Carver, paragraph 15, identified indicator is hash of file).
Regarding claim 9, the combination of Carver and Phillips discloses obtaining enrichment information related to the incident based on a property of the incident, wherein the security action is identified based at least in part on the enrichment information (Carver, paragraph 16, insights).
Regarding claim 10, Carver discloses a system comprising: a first electronic device to implement an advisement computing system, the advisement computing system including instructions that upon execution cause the advisement computing system to: receive incident data indicating an occurrence of an incident involving a first computing asset of a plurality of computing assets of a networked computing environment (paragraph 48, security incident identified); obtain relationship data indicating relationships among particular ones of the plurality of computing assets of the networked computing environment (paragraph 26, endpoints in communication with device); identify a security action to be performed responsive to identification of the incident, wherein the security action is identified based in part on the relationship data (paragraph 50, response strategy selected), wherein the security action, when implemented, prevents the first computing asset from initiating communications with a second computing asset of the plurality of computing assets (paragraph 52, limits devices with which compromised computing device may communicate); and initiate implementation of the security action (paragraph 52, response strategy implemented); and a second one or more electronic devices to implement a security detection system, the security detection system including instructions that upon execution cause the security detection system to: obtain data reflecting operation of the first computing asset, determine that the data indicates a potential incident, and send incident data to the advisement computing system (paragraph 17, monitors data sources and records incident).
Carver does not explicitly state wherein the security action, when implemented, does not prevent the first computing asset from receiving communications from the second computing asset, and wherein the security action, when implemented, further does not prevent the first computing asset from sending outbound data.  However, limiting network communications in such a fashion was well known in the art as evidenced by Phillips.  Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Carver by adding the ability that the security action, when implemented, prevents the first computing asset from initiating communications with a second computing asset of the plurality of computing assets, but does not prevent the first computing asset from receiving communications from the second computing asset, and that the security action, when implemented, further does not prevent the first computing asset from sending outbound data as provided by Phillips (see paragraph 69, blocks access to and from specific communication ports while permitting other activities to flow freely, and blocks activity initiated by particular device).  One of ordinary skill in the art would have recognized the benefit that providing protective measures in such a way would assist in securing a computer system against computer exploits according to the individual computer system’s needs (see Phillips, paragraph 21).
Regarding claim 13, the combination of Carver and Phillips discloses wherein the relationship data is based on network data obtained by software agents running in the networked computing environment (Carver, paragraph 13, software components).
Regarding claim 14, the combination of Carver and Phillips discloses wherein identifying the security action includes: identifying one or more suggested security actions to be supplied to an administrator, and identifying a selected security action by the administrator (Carver, paragraph 56, possible actions, and paragraph 57, operator selects possible action).
Regarding claim 15, the combination of Carver and Phillips discloses wherein identifying the incident in the first computing asset in the plurality of computing assets comprises receiving a notification of the incident in the first computing asset from a security information and event management (SIEM) (Carver, paragraph 38, SIEM).
Regarding claim 16, the combination of Carver and Phillips discloses wherein the security action includes at least one of: taking a snapshot of the first computing asset, segregating the first computing asset from other assets of the plurality of computing assets, removing an application executing on the first computing asset, or blocking a particular internet protocol address related to the incident (Carver, paragraph 27, taking snapshot, removing files, blocking communications, etc.).
Regarding claim 17, the combination of Carver and Phillips discloses wherein the instructions, upon execution, further cause the advisement computing system to maintain a file hash blacklist on the second computing asset to prevent transfer of data associated with the incident to the second computing asset (Carver, paragraph 15, identified indicator is hash of file).
Regarding claim 18, the combination of Carver and Phillips discloses obtaining enrichment information related to the incident based on a property of the incident, wherein the security action is identified based at least in part on the enrichment information (Carver, paragraph 16, insights).
Regarding claim 19, Carver discloses a non-transitory computer-readable storage medium storing instructions which, when executed by one or more processors, cause performance of operations comprising: receiving incident data indicating an occurrence of an incident involving a first computing asset of a plurality of computing assets of a networked computing environment (paragraph 48, security incident identified); obtaining relationship data indicating relationships among particular ones of the plurality of computing assets of the networked computing environment (paragraph 26, endpoints in communication with device); identifying a security action to be performed responsive to identification of the incident, wherein the security action is identified based in part on the relationship data (paragraph 50, response strategy selected), wherein the security action, when implemented, prevents the first computing asset from initiating communications with a second computing asset of the plurality of computing assets (paragraph 52, limits devices with which compromised computing device may communicate); and initiating implementation of the security action (paragraph 52, response strategy implemented).
Carver does not explicitly state wherein the security action, when implemented, does not prevent the first computing asset from receiving communications from the second computing asset, and wherein the security action, when implemented, further does not prevent the first computing asset from sending outbound data.  However, limiting network communications in such a fashion was well known in the art as evidenced by Phillips.  Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Carver by adding the ability that the security action, when implemented, prevents the first computing asset from initiating communications with a second computing asset of the plurality of computing assets, but does not prevent the first computing asset from receiving communications from the second computing asset, and that the security action, when implemented, further does not prevent the first computing asset from sending outbound data as provided by Phillips (see paragraph 69, blocks access to and from specific communication ports while permitting other activities to flow freely, and blocks activity initiated by particular device).  One of ordinary skill in the art would have recognized the benefit that providing protective measures in such a way would assist in securing a computer system against computer exploits according to the individual computer system’s needs (see Phillips, paragraph 21).

10.	Claims 2, 11, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Carver in view of Phillips, further in view of Orr et al. (U.S. Patent Application Publication Number 2005/0216956), hereinafter referred to as Orr.
The combination of Carver and Phillips disclosed techniques for automatically implementing a response to one or more security incidents.  In an analogous art, Orr disclosed techniques for stopping the spread of self-propagating attack code.  Both systems deal directly with responding to security incidents in a computing network.
Regarding claim 2, the combination of Carver and Phillips discloses generating the relationship data based on network data indicating network communications between pairs of computing assets from the plurality of computing assets (Carver, paragraph 26, endpoints in communication with device).
The combination of Carver and Phillips does not explicitly state wherein the network data includes information indicating at least one: an amount of data communicated between particular ones of the plurality of computing assets, or how often data is communicated between particular ones of the plurality of computing assets.  However, monitoring network communications in such a fashion was well known in the art as evidenced by Orr.  Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Carver and Phillips by adding the ability that the network data includes information indicating at least one: an amount of data communicated between particular ones of the plurality of computing assets, or how often data is communicated between particular ones of the plurality of computing assets as provided by Orr (see paragraph 40, usage model describes relationships between network devices, and paragraph 18, frequency information).  One of ordinary skill in the art would have recognized the benefit that responding to threats in such a way would assist in addressing attacks with less disruption to business processes (see Orr, paragraph 13).
Regarding claim 11, the combination of Carver and Phillips discloses generating the relationship data based on network data indicating network communications between pairs of computing assets from the plurality of computing assets (Carver, paragraph 26, endpoints in communication with device).
The combination of Carver and Phillips does not explicitly state wherein the network data includes information indicating at least one: an amount of data communicated between particular ones of the plurality of computing assets, or how often data is communicated between particular ones of the plurality of computing assets.  However, monitoring network communications in such a fashion was well known in the art as evidenced by Orr.  Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Carver and Phillips by adding the ability that the network data includes information indicating at least one: an amount of data communicated between particular ones of the plurality of computing assets, or how often data is communicated between particular ones of the plurality of computing assets as provided by Orr (see paragraph 40, usage model describes relationships between network devices, and paragraph 18, frequency information).  One of ordinary skill in the art would have recognized the benefit that responding to threats in such a way would assist in addressing attacks with less disruption to business processes (see Orr, paragraph 13).
Regarding claim 20, the combination of Carver and Phillips discloses generating the relationship data based on network data indicating network communications between pairs of computing assets from the plurality of computing assets (Carver, paragraph 26, endpoints in communication with device).
The combination of Carver and Phillips does not explicitly state wherein the network data includes information indicating at least one: an amount of data communicated between particular ones of the plurality of computing assets, or how often data is communicated between particular ones of the plurality of computing assets.  However, monitoring network communications in such a fashion was well known in the art as evidenced by Orr.  Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Carver and Phillips by adding the ability that the network data includes information indicating at least one: an amount of data communicated between particular ones of the plurality of computing assets, or how often data is communicated between particular ones of the plurality of computing assets as provided by Orr (see paragraph 40, usage model describes relationships between network devices, and paragraph 18, frequency information).  One of ordinary skill in the art would have recognized the benefit that responding to threats in such a way would assist in addressing attacks with less disruption to business processes (see Orr, paragraph 13).

11.	Claims 3 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Carver in view of Phillips, in view of Amsler (U.S. Patent Application Publication Number 2014/0259170), further in view of Piesco et al. (U.S. Patent Application Publication Number 2006/0010493), hereinafter referred to as Piesco.
The combination of Carver and Phillips disclosed techniques for automatically implementing a response to one or more security incidents.  In an analogous art, Amsler disclosed techniques for a risk assessment and managed security system for dealing with cyber threats.  Also in an analogous art, Piesco disclosed techniques for an attack impact prediction system for providing network security for computer networks.  All of these systems deal directly with responding to security incidents in a computing network.
Regarding claim 3, the combination of Carver and Phillips does not explicitly state identifying a criticality rating for the first computing asset, wherein identifying the security action to be performed responsive to identification of the incident is further based on the criticality rating.  However, using a criticality rating in such a fashion was well known in the art as evidenced by Amsler.  Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Carver and Phillips by adding the ability for identifying a criticality rating for the first computing asset, wherein identifying the security action to be performed responsive to identification of the incident is further based on the criticality rating as provided by Amsler (see paragraph 41, ranks devices by criticality).  One of ordinary skill in the art would have recognized the benefit that providing such information would assist in supplying a more comprehensive approach to presenting and analyzing security data (see Amsler, paragraph 4).
The combination of Carver, Phillips, and Amsler does not explicitly state identifying the criticality rating for the first computing asset based on data accessible by the first computing asset or based on a number of the plurality of computing assets relying on the first computing asset.  However, determining a criticality rating in such a fashion was well known in the art as evidenced by Piesco.  Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Carver, Phillips, and Amsler by adding the ability for identifying the criticality rating for the first computing asset based on data accessible by the first computing asset or based on a number of the plurality of computing assets relying on the first computing asset as provided by Piesco (see paragraph 41, criticality score based on number of users supported, importance of data maintained, etc.).  One of ordinary skill in the art would have recognized the benefit that considering criticality would assist in providing improved responses to detected network intrusions (see Piesco, paragraph 7).
Regarding claim 12, the combination of Carver and Phillips does not explicitly state wherein the instructions, upon execution, further cause the advisement computing system to: identify a criticality rating for the first computing asset, wherein identifying the security action to be performed responsive to identification of the incident is further based on the criticality rating.  However, using a criticality rating in such a fashion was well known in the art as evidenced by Amsler.  Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Carver and Phillips by adding the ability for identifying a criticality rating for the first computing asset, wherein identifying the security action to be performed responsive to identification of the incident is further based on the criticality rating as provided by Amsler (see paragraph 41, ranks devices by criticality).  One of ordinary skill in the art would have recognized the benefit that providing such information would assist in supplying a more comprehensive approach to presenting and analyzing security data (see Amsler, paragraph 4).
The combination of Carver, Phillips, and Amsler does not explicitly state identifying the criticality rating for the first computing asset based on data accessible by the first computing asset or based on a number of the plurality of computing assets relying on the first computing asset.  However, determining a criticality rating in such a fashion was well known in the art as evidenced by Piesco.  Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Carver, Phillips, and Amsler by adding the ability for identifying the criticality rating for the first computing asset based on data accessible by the first computing asset or based on a number of the plurality of computing assets relying on the first computing asset as provided by Piesco (see paragraph 41, criticality score based on number of users supported, importance of data maintained, etc.).  One of ordinary skill in the art would have recognized the benefit that considering criticality would assist in providing improved responses to detected network intrusions (see Piesco, paragraph 7).

Conclusion
12.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to Victor Lesniewski whose telephone number is (571)272-2812. The examiner can normally be reached Monday thru Friday, 9am to 5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin, can be reached on 571-272-3862. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/Victor Lesniewski/Primary Examiner, Art Unit 2493