DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Information Disclosure Statement
No information disclosure statement(s) (IDS) was filed before the mailing date of this office action. Accordingly, no information disclosure statement is being considered by the examiner.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-5 and 13-15 are rejected under 35 U.S.C. 103 as being unpatentable over US-PGPUB No. 20220232033 A1 to Vaidya, and further in view of US-PGPUB No. 20190222604 A1 to Vaidya et al. (hereinafter “Shray”).
Regarding claim 1:
Vaidya discloses:
A method for verifying configurations of security technologies deployed on a computer network (¶02: “… a method and system for verifying security infrastructure… to dynamically simulating security breach and attack scenarios to methodically test security infrastructure readiness.”) comprising:   
deploying a phase (¶82: “… a combined attacker-target module is running on the target system … sending a spear-phishing email …”), within an attack validation scenario (¶56: “… using an attack simulation traffic generator 610 …”) analogous to a network security threat (¶56: “… attacks against … target 20 …”), to a target asset (¶82: “… the target system …”, see Fig. 1a-b: “Target 20”) on the network (see Fig. 1a: “Local Network 50”, Fig. 1b: “Internet 60”), the phase associated with a polling window (¶56: “… records the results …”) and a target response type (¶72: “… successful (breached) or failed (blocked) attacks.”) and executed by the target asset (¶82: “… a combined attacker-target module is running on the target system …”) during a phase window (¶56: “… goes through each root node … and executes (simulates) the actual attack simulation for each …”);
in response to confirming logging of the phase by the security technology and in response to a difference between a first event type of the first event and the target response type of the phase, generating a prompt to reconfigure the security technology to respond to behaviors analogous to the phase, on the computer network, according to the target response type (¶79: “…  If the current UpdateEvent is to update the configuration … the logic will proceed to perform the operations in blocks 1328 through 1338 to handle the configuration update …  the configuration download is performed … and a determination is made in a decision block 1334 to whether the configuration download is successful. If so, the logic proceeds to a block 1334 to sync with the configuration database which contains configuration and RunProfiles with relevant information.”). 
However, Vaidya does not disclose the following limitations taught by Shray:
during the polling window following the phase window, polling a log of a security technology deployed on the network for a sequence of events associated with the target asset (Shray, ¶90: “…  the procedure takes current and last results databases as input … In a block 1810, the last and current results are loaded into the state cache for a faster processing access”);  
calculating correlation scores (Shray, ¶90: “… responsiveness score …”) for events, in the sequence of events, based on proximities of timestamps of events, in the sequence of events, to the phase window (Shray, ¶90: “FIG. 18 is a logical flow representation of one embodiment of how to calculate responsiveness score from the given current and last result databases (data sets).”); 
in response to a first correlation score of a first event, in the sequence of events, exceeding a threshold score, confirming logging of the phase by the security technology (Shray, ¶93: “… the procedure compares the current configuration data sets entries (unique identifiers) one by one with the configuration of the last run data set, counts the different number of entries, and if they are more than threshold number, consider the difference to be high enough.”); 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the teachings of Vaidya to incorporate the procedure that takes current and logged events and determines the corresponding responsiveness score, and thus the correlation of the data events with respect to the bottom threshold and top threshold values, as disclosed by Shray; such a modification would allow the system to determine whether the test results match the expected results, where a higher responsiveness score (correlation score) indicates that a test ran successfully and the induced threat was detected.
Regarding claim 2:
The combination of Vaidya and Shray discloses:
The method of Claim 1, further comprising: 49 of 64 ATIQ-M01-US
deploying a second phase (Vaidya, ¶85: “ Simulated Example-3: … a password cracker (attack-3) is executed …”), within the attack validation scenario, to a second asset on the computer network (Vaidya, ¶85: “… the target server …”), the second phase associated with a second polling window and a second target response type and executed by the second asset during a second phase window (Vaidya,¶84: “ In simulated Example-3 and Example-4, a separate attacker and target modules are used.”, ¶58: “… the DTS engine … executes (simulates) the  actual attack simulation …”, ¶82: “… a combined attacker-target module is running on the target system … The attacker module simulates sending a spear-phishing email to the user on the target system. If an infrastructure security solution running either on the target system or on the network does not block the phishing email, then it simulates as if the user clicks on the received phishing email …”); 
during the second polling window following the second phase window, polling the log of the security technology for a second sequence of events associated with the second asset (Shray, ¶90: “…  the procedure takes current and last results databases as input … In a block 1810, the last and current results are loaded into the state cache for a faster processing access”);
 calculating correlation scores for events, in the second sequence of events, based on proximities of timestamps of events, in the second sequence of events, to the second phase window (Shray, ¶90: “FIG. 18 is a logical flow representation of one embodiment of how to calculate responsiveness score from the given current and last result databases (data sets).”); and 
in response to correlation scores of the second sequence of events falling below the threshold score (Shray, ¶93: “If the last and current results sets are too different …”):
flagging the security technology for failing to log the second phase (Shray, ¶93: “If the last and current results sets are too different, the answer to decision block 1855 is YES and the logic proceeds to a block 1860 which uses another procedure C illustrated in FIG. 10 …  to predict a threat responsiveness score TRCp from historical trend data.”); and 
generating a second prompt to reconfigure the security technology to log behaviors analogous to the second phase on the computer network (Vaidya, ¶79: “…  If the current UpdateEvent is to update the configuration … the logic will proceed to perform the operations in blocks 1328 through 1338 to handle the configuration update …  the configuration download is performed … and a determination is made in a decision block 1334 to whether the configuration download is successful. If so, the logic proceeds to a block 1334 to sync with the configuration database which contains configuration and RunProfiles with relevant information.”).  
The same motivation which is applied to claim 1 applies to claim 2.
Regarding claim 3:
The combination of Vaidya and Shray discloses:
The method of Claim 1, further comprising assigning a duration of the polling window to the phase based on a network event log latency limit specified in a service level agreement of the security technology (Shray, ¶82: “The process receives an input 1410 including … historical threat responsiveness indices and/or alternatively a time stamp for which to potentially provide a predicted value for the responsiveness at that time.”).  
The same motivation which is applied to claim 1 applies to claim 3.
Regarding claim 4:
The combination of Vaidya and Shray discloses:
The method of Claim 1, further comprising: 
deploying the phase to a second asset on the computer network (Vaidya, ¶84: “In simulated Example-3 and Example-4, a separate attacker and target modules are used. The attacker and target modules are running on two separate systems on the local network of a company, one acting as the attacker and the other is the real target system where security verification needs to be performed.”), the phase associated with a second polling window and a second target response type and executed by the second asset during a second phase window (¶58: “… the DTS engine … executes (simulates) the  actual attack simulation …”, ¶82: “… a combined attacker-target module is running on the target system … The attacker module simulates sending a spear-phishing email to the user on the target system. If an infrastructure security solution running either on the target system or on the network does not block the phishing email, then it simulates as if the user clicks on the received phishing email …”);
during the second polling window following the second phase window, polling the log of the security technology for a second sequence of events associated with the second asset (Shray, ¶90: “…  the procedure takes current and last results databases as input … In a block 1810, the last and current results are loaded into the state cache for a faster processing access”); 
calculating correlation scores for events, in the second sequence of events, based on proximities of timestamps of events, in the second sequence of events, to the second phase window (Shray, ¶90: “FIG. 18 is a logical flow representation of one embodiment of how to calculate responsiveness score from the given current and last result databases (data sets).”); 
in response to correlation scores of the second sequence of events falling below the threshold score, polling the log for a third sequence of events, associated with the second asset, during an extended polling window succeeding the second polling window (Shray, ¶93: “If the last and current results sets are too different, the answer to decision block 1855 is YES and the logic proceeds to a block 1860 which uses another procedure C illustrated in FIG. 10 …  to predict a threat responsiveness score TRCp from historical trend data.”); 
calculating correlation scores for events, in the third sequence of events, based on proximities of timestamps of events, in the third sequence of events, to the second phase window (Shray, ¶90: “FIG. 18 is a logical flow representation of one embodiment of how to calculate responsiveness score from the given current and last result databases (data sets).”); 
in response to a second correlation score of a second event, in the third sequence of events, exceeding the threshold score, confirming logging of the second phase by the security technology (Shray, ¶93: “… the procedure compares the current configuration data sets entries (unique identifiers) one by one with the configuration of the last run data set, counts the different number of entries, and if they are more than threshold number, consider the difference to be high enough.”); and 
in response to confirming logging of the phase by the security technology and in response to a second event type of the second event matching the second target response type of the second phase (Vaidya, ¶73: “…  simulate the attack … record the result in the result parameter cache … compare the result to expected results. If the results match …”): 
confirming configuration of the security technology to respond to the second phase (Vaidya, ¶73: “… If the results match, then the logic continues down the branch …”); and
generating a second prompt to reconfigure the security technology to reduce latency for responding to behaviors analogous to the second phase on the computer network (Vaidya, ¶79: “…  If the current UpdateEvent is to update the configuration … the logic will proceed to perform the operations in blocks 1328 through 1338 to handle the configuration update …  the configuration download is performed … and a determination is made in a decision block 1334 to whether the configuration download is successful. If so, the logic proceeds to a block 1334 to sync with the configuration database which contains configuration and RunProfiles with relevant information.”). 
The same motivation which is applied to claim 1 applies to claim 4.
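The following hypothetical Python code is added here as an illustration of the method recited in claims 1, 2 and 4 (poll the security technology's log during the polling window, score each event by the proximity of its timestamp to the phase window, confirm logging when a score exceeds the threshold, and otherwise extend the polling window or flag the technology); it is not the applicant's implementation nor the implementation of Vaidya or Shray. The linear proximity score, the 0.25 threshold, the log-line format and the sample phases and log lines are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Phase:
    name: str                  # phase of the attack validation scenario
    asset: str                 # target asset that executes the phase
    start: datetime            # phase window start
    end: datetime              # phase window end
    polling_window: timedelta  # how long after the phase window to poll the log
    target_response_type: str  # event type the security technology should log

@dataclass(frozen=True)
class LogEvent:
    timestamp: datetime
    asset: str
    event_type: str            # e.g. BLOCKED, ALLOWED, ALERT
    message: str

def parse_log_line(line: str) -> LogEvent:
    """Parse one '<iso-ts> asset=<id> type=<T> msg=<text>' line (constructed format)."""
    ts, asset, etype, msg = line.split(" ", 3)
    return LogEvent(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                    asset.split("=", 1)[1], etype.split("=", 1)[1], msg.split("=", 1)[1])

def correlation_score(event: LogEvent, phase: Phase, horizon: timedelta) -> float:
    """1.0 inside the phase window, decaying linearly to 0.0 when the event lags the
    window by `horizon`; an event before the phase started cannot be caused by it."""
    if event.timestamp < phase.start:
        return 0.0
    if event.timestamp <= phase.end:
        return 1.0
    return max(0.0, 1.0 - (event.timestamp - phase.end) / horizon)

def poll_log(log, phase, window_start, window_end) -> List[LogEvent]:
    """Sequence of events for the target asset with timestamps inside the window."""
    return [e for e in log
            if e.asset == phase.asset and window_start <= e.timestamp <= window_end]

def best_correlated(events, phase, horizon) -> Optional[Tuple[float, LogEvent]]:
    scored = [(correlation_score(e, phase, horizon), e) for e in events]
    return max(scored, key=lambda s: s[0], default=None)

def validate_phase(log: List[LogEvent], phase: Phase,
                   threshold: float = 0.25) -> Tuple[str, str]:
    """Return (verdict, operator prompt) for one deployed phase."""
    poll_end = phase.end + phase.polling_window
    best = best_correlated(poll_log(log, phase, phase.start, poll_end),
                           phase, phase.polling_window)
    late = False
    if best is None or best[0] <= threshold:
        # Nothing correlated strongly enough in the polling window: poll an
        # extended window succeeding it, scoring against the longer horizon.
        ext_end = poll_end + phase.polling_window
        best = best_correlated(poll_log(log, phase, poll_end, ext_end),
                               phase, 2 * phase.polling_window)
        late = True
    if best is None or best[0] <= threshold:
        return "NOT_LOGGED", f"flag security technology: '{phase.name}' on {phase.asset} not logged"
    score, event = best
    if event.event_type != phase.target_response_type:
        return "RECONFIGURE", (f"reconfigure to respond to '{phase.name}'-like behavior with "
                               f"{phase.target_response_type}; logged {event.event_type} ({score:.2f})")
    if late:
        return "REDUCE_LATENCY", f"'{phase.name}' handled, but logged late ({score:.2f}); reduce latency"
    return "CONFIRMED", f"'{phase.name}' logged as {event.event_type} ({score:.2f})"

# Constructed sample data: four phases of one scenario and the security technology's log.
T0 = datetime.fromisoformat("2024-03-01T10:00:00+00:00")
MIN = timedelta(minutes=1)
PHASES = [
    Phase("phishing-email", "ws-17", T0, T0 + MIN, 5 * MIN, "BLOCKED"),
    Phase("password-cracker", "srv-db", T0 + 10 * MIN, T0 + 11 * MIN, 5 * MIN, "BLOCKED"),
    Phase("port-scan", "srv-web", T0 + 20 * MIN, T0 + 21 * MIN, 5 * MIN, "ALERT"),
    Phase("rat-download", "ws-17", T0 + 30 * MIN, T0 + 31 * MIN, 5 * MIN, "BLOCKED"),
]
SAMPLE_LOG = [parse_log_line(line) for line in [
    "2024-03-01T09:58:00Z asset=ws-17 type=BLOCKED msg=earlier unrelated block",
    "2024-03-01T10:00:30Z asset=ws-17 type=ALLOWED msg=mail delivered to inbox",
    "2024-03-01T10:10:30Z asset=ws-02 type=BLOCKED msg=different asset, ignored",
    "2024-03-01T10:13:00Z asset=srv-db type=BLOCKED msg=lockout after failed logins",
    "2024-03-01T10:27:00Z asset=srv-web type=ALERT msg=scan detected late",
]]

def run_validation(log=SAMPLE_LOG, phases=PHASES) -> Dict[str, str]:
    """Verdict per phase; prints the prompt an operator would act on."""
    verdicts = {}
    for phase in phases:
        verdict, prompt = validate_phase(log, phase)
        verdicts[phase.name] = verdict
        print(f"{phase.name:16} {verdict:15} {prompt}")
    return verdicts
```

Running `run_validation()` on the constructed data yields one verdict per claimed outcome: the phishing phase was logged but allowed (reconfigure prompt), the password cracker was blocked promptly (confirmed), the port scan was only logged in the extended window (reduce-latency prompt), and the RAT download was never logged (flagged).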
Regarding claim 5:
The combination of Vaidya and Shray discloses:
The method of Claim 1: 
further comprising, at the target asset, executing an action according to the phase during the phase window, the action associated with the target response type (Vaidya, ¶82: “If an infrastructure security solution running either on the target system or on the network does not block the phishing email, then it simulates as if the user clicks on the received phishing email (attack-2). The attacker module will (attack-3) simulate downloading a RAT (remote-access-terminal) like malware.”); 
In addition to the above limitation, claim 5 substantially recites the same limitations as claim 1, therefore it is rejected by the same rationale.
Regarding claim 13:
The combination of Vaidya and Shray discloses:
The method of Claim 1, further comprising: 
in response to confirming logging of the phase by the security technology and in response to the first event type of the first event matching the target response type of the phase, confirming configuration of the security technology to respond to the phase (Vaidya, ¶73: “Block 1132 is configured to simulate the attack, and then decision block 1134 is to record the result in the result parameter cache and block 1136 is to compare the result to expected results. If the results match, then the logic continues down the branch …”); 
deploying a second phase (Vaidya, ¶88: “… generates various Denial-of-Service (DoS) (attacks-2) …”), within the attack validation scenario, to a second asset (Vaidya, ¶88: “… web-app server …”) on the computer network, the second phase associated with a second polling window (Vaidya, ¶56: “… records the results …”) and a second target response type (Vaidya, ¶72: “… successful (breached) or failed (blocked) attacks.”) and executed by the second asset during a second phase window (Vaidya, ¶56: “… goes through each root node … and executes (simulates) the actual attack simulation for each …”);
during the second polling window following the second phase window, polling a second log of a second security technology deployed on the computer network for a second sequence of events associated with the second asset (Shray, ¶90: “…  the procedure takes current and last results databases as input … In a block 1810, the last and current results are loaded into the state cache for a faster processing access”); 
calculating correlation scores for events, in the second sequence of events, based on proximities of timestamps of events, in the second sequence of events, to the second phase window (Shray, ¶90: “… responsiveness score …”, ¶95: “… correlation co-efficient (R) is calculated using the above values of scores and time.”); 
in response to a second correlation score of a second event, in the second sequence of events, exceeding the threshold score, confirming logging of the second phase by the second security technology (Shray, ¶93: “… the procedure compares the current configuration data sets entries (unique identifiers) one by one with the configuration of the last run data set, counts the different number of entries, and if they are more than threshold number, consider the difference to be high enough.”); 
in response to confirming logging of the second phase by the second security technology and in response to a second event type of the second event matching the second target response type of the second phase, confirming configuration of the second security technology to respond to the second phase (Vaidya, ¶73: “…  simulate the attack … record the result in the result parameter cache … compare the result to expected results. If the results match, then the logic continues down the branch …”); and 
in response to confirming configuration of the security technology to respond to the phase and in response to confirming configuration of the second security technology to respond to the second phase, confirming configuration of security technologies deployed on the computer network to respond to malicious attacks, analogous to the attack validation scenario, on the computer network (Vaidya, ¶89: “By simulating sets of attacks in various sequences based on results observed from each prior attack to methodically verify various infrastructure detection and enforcement points, IT security teams will be enabled to better understand how effective their security infrastructure readiness is against such threats that evolve over a breach life-cycle.”).
The same motivation which is applied to claim 1 applies to claim 13.
Regarding claim 14:
The combination of Vaidya and Shray discloses:
The method of Claim 1:
wherein generating the prompt to reconfigure the security technology comprises generating the prompt to reconfigure the security technology to respond to behaviors analogous to the phase, at the target asset, according to the target response type (Vaidya, ¶79: “…  If the current UpdateEvent is to update the configuration … the logic will proceed to perform the operations in blocks 1328 through 1338 to handle the configuration update …  the configuration download is performed … and a determination is made in a decision block 1334 to whether the configuration download is successful. If so, the logic proceeds to a block 1334 to sync with the configuration database which contains configuration and RunProfiles with relevant information.”); and 
further comprising: 
deploying a second instance of the phase (Vaidya, ¶83: “… downloading a Ransomware or Crypto-lock type of malware. …”) to a second asset (Vaidya, ¶83: “… user’s machine …”) on the computer network, the second instance of the phase associated with a second polling window (Vaidya, ¶83: “… copying a system file in to a temp file and encrypt it …”) and executed by the second asset during a second phase window (Vaidya, ¶83: “…  establishes a command-and-control (C&C) connection with an external C&C module … then simulates receiving an encryption key from C&C to use as encryption key …”); 
during the second polling window following the second phase window, polling the log of the security technology for a second sequence of events associated with the second asset (Shray, ¶90: “…  the procedure takes current and last results databases as input … In a block 1810, the last and current results are loaded into the state cache for a faster processing access”);
calculating correlation scores for events, in the second sequence of events, based on proximities of timestamps of events, in the second sequence of events, to the second phase window (Shray, ¶90: “… responsiveness score …”, ¶95: “… correlation co-efficient (R) is calculated  using the above values of scores and time.”); 
in response to a second correlation score of a second event, in the second sequence of events, exceeding the threshold score, confirming logging of the second instance of the phase by the security technology (Shray, ¶93: “… the procedure compares the current configuration data sets entries (unique identifiers) one by one with the configuration of the last run data set, counts the different number of entries, and if they are more than threshold number, consider the difference to be high enough.”); and 
in response to confirming logging of the second instance of the phase by the security technology and in response to a second event type of the second event matching the target response type of the phase, confirming configuration of the security technology to respond to the second phase at the second asset (Vaidya, ¶73: “Block 1132 is configured to simulate the attack, and then decision block 1134 is to record the result in the result parameter cache and block 1136 is to compare the result to expected results. If the results match, then the logic continues down the branch …”).  
The same motivation which is applied to claim 1 applies to claim 14.
Regarding claim 15:
The combination of Vaidya and Shray discloses:
The method of Claim 14, further comprising deploying a third instance of the phase (Vaidya, ¶85: “… attacker module scans available application ports …”) to a third asset (Vaidya, ¶85: “… the target server …”) on the computer network, the third instance of the phase associated with a third polling window (Vaidya, ¶56: “… records the results …”) and executed by the third asset during a third phase window (Vaidya, ¶85: “…an access to the machine is simulated. The attacker module will then start collecting information like dumping target system information (attack-5), crawling through database server (attack-6) and then simulate shadow-IT connection like accessing external storage system (attack-7) to exfiltrate the data out of the company.”); 
during the third polling window following the third phase window, polling the log of the security technology for a third sequence of events associated with the third asset (Shray, ¶90: “…  the procedure takes current and last results databases as input … In a block 1810, the last and current results are loaded into the state cache for a faster processing access”); 
calculating correlation scores for events, in the third sequence of events, based on proximities of timestamps of events, in the third sequence of events, to the third phase window (Shray, ¶90: “… responsiveness score …”, ¶95: “… correlation co-efficient (R) is calculated using the above values of scores and time.”); and 
generating a map of responses to instances of the phase, executed by assets throughout the network, based on events types of the first event, the second event, and the third event (Vaidya, ¶88: “… generates various Denial-of-Service (DoS) (attacks-2) and performs repeated web-crawling operations (attacks-3) to build the web-app map.”).  
The same motivation which is applied to claim 1 applies to claim 15.
Claim 16 is rejected under 35 U.S.C. 103 as being unpatentable over Vaidya, Shray and further in view of US-PGPUB No. 20190104022 A1 to Power et al. (hereinafter “Power”).
Regarding claim 16:
The combination of Vaidya and Shray discloses the method of claim 1 but does not disclose the following limitations taught by Power:
further comprising: 
at a first time, characterizing a first network fingerprint of the computer network (Power, ¶68: “… a reference fingerprint …”); and 
at a second time succeeding the first time, characterizing a second network fingerprint of the computer network (Power, ¶68: “… an operational fingerprint”); and 
wherein deploying the phase to the target asset comprises deploying the phase to the target asset for execution by the target asset in response to a difference between the first network fingerprint and the second network fingerprint (Power, ¶70: “FAM 456 compares the reference fingerprint to the operational fingerprint, and may compute variation on a sliding window, or according to an instantaneous variation such as a standard deviation.”) exceeding a threshold difference (Power, ¶70: “In the case that FAM 456 detects a difference in the fingerprint exceeding a threshold, which may be an instantaneous threshold, or which may include a sliding window in which it exceeds a certain variance over time, an actuation action trigger may be sent to orchestrator 444 with appropriate metadata to enable orchestrator 444 to adjust the behavior of the VNF 408.”).  
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the teachings of the combination of Vaidya and Shray to incorporate the functionality of the Fingerprint Analytic Module (FAM) to compare the reference fingerprint to the operational fingerprint and flag an alert condition when the difference exceeds a threshold, as disclosed by Power; such a modification would flag a condition when the composite fingerprint metric goes out of tolerance over time, even if all of the individual metrics are within their individual tolerances.
Claims 17 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Vaidya, Shray and further in view of US-PGPUB No. 2005/0235352 A1 to Staats et al. (hereinafter “Staats”).
Regarding claim 17:
The combination of Vaidya and Shray discloses:
The method of Claim 1: 
wherein generating the prompt to reconfigure the security technology comprises generating the prompt to reconfigure the particular feature of the security technology (Vaidya, ¶79: “…  If the current UpdateEvent is to update the configuration … the logic will proceed to perform the operations in blocks 1328 through 1338 to handle the configuration update …  the configuration download is performed … and a determination is made in a decision block 1334 to whether the configuration download is successful. If so, the logic proceeds to a block 1334 to sync with the configuration database which contains configuration and RunProfiles with relevant information.”);
However, the combination of Vaidya and Shray does not disclose the following limitations taught by Staats:
further comprising, in response to confirming logging of the phase by the security technology and in response to the difference between the first event type of the first event and the target response type of the phase: 
accessing a feature map of the security technology (Staats, ¶69: “The global status maps and site views module 162 may read the latest data polled for each device 14 and the network elements that are monitored by them.”); 
accessing a current feature setting of the security technology (Staats, ¶07: “… periodically polling a device connected to the network, automatically determining whether a configuration of the device is current, automatically setting a new configuration for the device when the configuration is not current, and automatically transmitting the new configuration to the device.”); and 
correlating the difference between the first event type of the first event and the target response type of the phase to a particular feature in the feature map based on the current feature setting of the security technology (Staats, ¶83: “… the log information received from each device 14 may be compressed and encrypted, and may represent information associated with, for example, a firewall system, an intrusion prevention system, an anti-virus system, a content filtering system, an anti-spam system, etc. residing at the particular device 14. Once the logger manager 86 receives the log information, the logger manager 86 correlates the log information”);  
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the teachings of the combination of Vaidya and Shray to incorporate the functionality of the method to periodically poll a device connected to a network and automatically determine the status of the security configuration of the device, as disclosed by Staats; such a modification would allow the system to automatically install current configurations on the device and to correlate the information received to determine network performance.
Regarding claim 18:
The combination of Vaidya, Shray and Staats discloses:
The method of Claim 17, further comprising: 
in response to reconfiguration of the particular feature of the security technology according to the prompt, deploying a second instance of the phase to the target asset, the second instance of the phase associated with a second polling window (Vaidya, ¶83: “… copying a system file in to a temp file and encrypt it …”) and executed by the target asset during a second phase window (Vaidya, ¶83: “…  establishes a command-and-control (C&C) connection with an external C&C module … then simulates receiving an encryption key from C&C to use as encryption key …”); 
during the second polling window following the second phase window, polling the log of the security technology for a second sequence of events associated with the second asset (Shray, ¶90: “…  the procedure takes current and last results databases as input … In a block 1810, the last and current results are loaded into the state cache for a faster processing access”); 
calculating correlation scores for events, in the second sequence of events, based on proximities of timestamps of events, in the second sequence of events, to the second phase window (Shray, ¶90: “… responsiveness score …”, ¶95: “… correlation co-efficient (R) is calculated using the above values of scores and time.”);
in response to a second correlation score of a second event, in the second sequence of events, exceeding the threshold score, confirming logging of the second instance of the phase by the security technology (Shray, ¶93: “… the procedure compares the current configuration data sets entries (unique identifiers) one by one with the configuration of the last run data set, counts the different number of entries, and if they are more than threshold number, consider the difference to be high enough.”); and 
in response to confirming logging of the second instance of the phase by the security technology and in response to a second event type of the second event matching the target response type of the phase (Vaidya, ¶73: “Block 1132 is configured to simulate the attack, and then decision block 1134 is to record the result in the result parameter cache and block 1136 is to compare the result to expected results. If the results match, then the logic continues down the branch …”): 
confirming configuration of the security technology to respond to the second phase at the second asset (Vaidya, ¶73: “Block 1132 is configured to simulate the attack, and then decision block 1134 is to record the result in the result parameter cache and block 1136 is to compare the result to expected results. If the results match, then the logic continues down the branch …”); and 
confirming correlation between the particular feature and the difference between the first event type of the first event and the target response type of the phase (Shray, ¶93: “… the procedure compares the current configuration data sets entries (unique identifiers) one by one with the configuration of the last run data set, counts the different number of entries, and if they are more than threshold number, consider the difference to be high enough.”). 
The same motivation applied to claim 1, with regards to Shray, applies to claim 18.
Claim 19 is rejected under 35 U.S.C. 103 as being unpatentable over Vaidya, US-PGPUB No. 2015/0128274 A1 to Giokas et al. (hereinafter “Giokas”), US-PGPUB No. 2021/0149385 A1 to Cohen et al. (hereinafter “Cohen”) and further in view of US-PGPUB No. 2016/0085954 A1 to Tunnell et al. (hereinafter “Tunnell”).
Regarding claim 19:
Vaidya discloses:
A method for verifying configurations of security technologies deployed on a computer network comprising (¶02: “… a method and system for verifying security infrastructure… to dynamically simulating security breach and attack scenarios to methodically test security infrastructure readiness.”):
deploying a phase (¶82: “… sending a spear-phishing email …”), within an attack validation scenario (¶56: “… using an attack simulation traffic generator 610 …”) analogous to a network security threat (¶56: “… attacks against … target 20 …”), to a target asset (¶82 “… to a target system.”, see Fig. 1a-b: “Target 20”) on the network (see Fig 1a: “Local Network 50 ”, Fig. 1b: “Internet 60”), the phase associated with a polling window (¶56: “… records the results …”), designating a target alert response type (¶72: “… failed (blocked) attacks.”), and executed by the target asset (¶82: “… a combined attacker-target module is running on the target system …”) during a phase window (¶56: “… goes through each root node … and executes (simulates) the actual attack simulation for each …”); 
However, Vaidya does not disclose the following limitation taught by Giokas:
during the polling window following the phase window, polling an alert feed (Giokas, ¶153: “… edit and update the feeds …”) for a sequence of alerts (Giokas, ¶126: “…  threat indicators …”)  associated with the target asset and published by a security technology deployed on the network (Giokas, ¶126: “…  an aggregator can receive threat indicators from heterogeneous sources via an external network (e.g., Intranet). These sources may include threat intelligence repositories or security intelligence repositories. The threat intelligence maybe crowd sourced from various feeds including … websites on which security companies publish latest threat information, etc.”);
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the teachings of Vaidya to incorporate the functionality of the aggregator to receive threat indicators from published threat information feeds, as disclosed by Giokas; such modification would allow the system to receive threat indicators from heterogeneous sources that would be categorized into lists of threat indicators and input to a correlation engine to provide a better indication of the threats.
The combination of Vaidya and Giokas does not disclose the following limitation taught by Cohen:
calculating correlation scores for alerts, in the sequence of alerts, based on proximities of timestamps of alerts (Cohen, ¶105: “Alarms which were active at a certain time (or started or ended before or after a time of interest)”), in the sequence of alerts, to the phase window (Cohen, ¶07: “… the processing unit is configured to determine a plurality of correlation scores for the plurality of data signals paired with the plurality of alarm data …”);
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the combination of the teachings of Vaidya and Giokas to incorporate the functionality of the processing unit to determine a plurality of correlation scores for a plurality of alarm data, as disclosed by Cohen; such modification would allow the system to correlate such alarm data to a current alarm data and determine that a threat exists when the correlation score is higher compared to a given threshold.
61 of 64 ATIQ-M01-US
The combination of Vaidya, Giokas and Cohen does not disclose the following limitations taught by Tunnell:
based on the target alert response type: 
in response to a first correlation score of a first alert, in the sequence of alerts, exceeding a threshold score, confirming configuration of the security technology to generate alerts responsive to behaviors analogous to the phase on the computer network (Tunnell, ¶31: “If the resultant correlation score is sufficiently high, (e.g., exceeding a predetermined threshold) … This appropriately high correlation score … approves an action.”); and 
in response to absence of at least one alert, in the sequence of alerts, exceeding the threshold score, generating a prompt to reconfigure the security technology to generate alerts responsive to behaviors analogous to the phase on the computer network (Tunnell, ¶32: “If the correlation score is below the predetermined threshold … alerting authorities of a potential security breach.”).  
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the teachings of the combination of Vaidya, Giokas and Cohen to incorporate the functionality of the method to calculate the correlation score and alert authorities of a potential breach when the score falls below a predetermined score, as disclosed by Tunnell; such modification would allow the system to alert or prompt users to take action including reconfiguring the security technology.
Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over Vaidya, Shray, Tunnell and further in view of US-PGPUB No. 2007/0113281 A1 to Leach.
Regarding claim 20:
Vaidya discloses:
A method for verifying configurations of security technologies deployed on a computer network (¶02: “… a method and system for verifying security infrastructure… to dynamically simulating security breach and attack scenarios to methodically test security infrastructure readiness.”) comprising: 
deploying a phase (¶82: “… sending a spear-phishing email …”), within an attack validation scenario (¶56: “… using an attack simulation traffic generator 610 …”) analogous to a network security threat, to a target asset (¶82 “… to a target system.”, see Fig. 1a-b: “Target 20”)  on the network (see Fig 1a: “Local Network 50 ”, Fig. 1b: “Internet 60”) at a first time, the phase specifying a set of phase parameters including a polling window (¶56: “… records the results …”), a target security technology within a set of security technologies active on the network, and a target response type (¶72: “… successful (breached) or failed (blocked) attacks.”);
However, Vaidya does not disclose the following limitation taught by Shray:
calculating a correlation score (Shray, ¶90: “… responsiveness score …”, ¶95: “… correlation co-efficient (R) …”) based on correlations between security event data in the phase validation docket and the set of phase parameters (Shray ¶95: “In block 1935 the correlation co-efficient (R) is calculated using the above values of scores and time.”); 
The same motivation which is applied to claim 1, with respect to Shray, applies to claim 19.
The combination of Vaidya and Shray does not disclose the following limitations taught by Tunnell:
in response to the correlation score exceeding a threshold score, confirming detection of the phase by the target security technology (Tunnell, ¶31: “If the resultant correlation score is sufficiently high, (e.g., exceeding a predetermined threshold) … This appropriately high correlation score … approves an action.”); 
in response to the correlation score falling below the threshold score, flagging the target security technology for failing to detect the phase (Tunnell, ¶32: “If the correlation score is below the predetermined threshold … alerting authorities of a potential security breach.”).
The same motivation which is applied to claim 19, with regards to Tunnell, applies to claim 20.
The combination of Vaidya, Shray and Tunnell does not disclose the following limitations taught by Leach:
within the polling window following the first time, pooling security event data logged by the target security technology (Leach, ¶236: “The management station would take in information about the present threats from the threat feeds.”) in a phase validation docket (Leach, ¶231: “… a management station …”);
in response to confirming detection of the phase by the target security technology and in response to a difference between the target response type and security event data in the phase validation docket (Leach, ¶237: “… the management station …”), flagging the target security technology for failing to fulfill the target response type (Leach, ¶237: “The management station would compare the calculated results with the input protection targets and flag in a report each of the targets which is either being exceeded given the present threat levels or is close to being exceeded.”); 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the teachings of the combination of Vaidya, Shray and Tunnell to incorporate the functionality of the management station to calculate the likelihood and distribution of threats and flag assets whose threat level is exceeded or close to being exceeded, as disclosed by Leach; such modification would allow the system to alert or prompt authorities to take appropriate remedial actions including reconfiguring the security technology.
Allowable Subject Matter
Claims 9-10 are objected to as being dependent upon a rejected independent base claim 1, and claims 6-8 are objected to as being dependent upon a rejected dependent claim 5, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims. Claims 11-12 are also objected to based on their dependency on claim 10.
The following is the examiner’s statement of reasons for allowance: 
With respect to claim 6, Vaidya in view of Shray fails to disclose polling the log of the security technology for the sequence of events during the polling window which comprises pooling the sequence of events written to the log of the security technology and published to an alert feed by the security technology during the polling window, generating the prompt comprises, in response to the first event comprising a detection event and based on the target response type comprising alerting, flagging the security technology for failing to alert on the action and generating the prompt to reconfigure alerting parameters of the security technology to publish alerts for behaviors analogous to the action on the computer network.
With respect to claim 7, Vaidya in view of Shray fails to disclose flagging the security technology for failing to prevent the action and generating the prompt to adjust sensitivity of the security technology to autonomously execute prevention actions responsive to behaviors analogous to the action on the computer network in response to the first event comprising a detection event and based on the target response type following generating the prompt.
With respect to claim 8, Vaidya in view of Shray fails to disclose pooling the sequence of events written to the log of the security technology and published to an alert feed by the security technology during the polling window, and generating the prompt comprises, flagging the security technology for failing to alert on the action and generating the prompt to adjust sensitivity of the security technology to publish alerts, in place of prevention actions, responsive to behaviors analogous to the action on the computer network, in response to the first event comprising a prevention event and based on the target response type comprising alerting.
With respect to claim 9, Vaidya in view of Shray fails to disclose deploying the phase to the target asset which comprises deploying the phase, defining an action comprising an indicator of compromise, to the target asset and calculating correlation scores for events, in the sequence of events, comprises for each event in the sequence of events, calculating a correlation score for the event inversely proportional to a time offset between a timestamp of the event and the phase window and as a function of presence of a value corresponding to the indicator of compromise in the event.
With respect to claim 10, Vaidya in view of Shray fails to disclose, during the polling window, polling a second log of a second security technology deployed on the network for a second sequence of events associated with the target asset and calculating correlation scores for events, in the second sequence of events, based on proximities of timestamps of events, in the second sequence of events, to the phase window, confirming logging of the phase by the security technology comprises confirming logging of the phase by a suite of security technologies, comprising the security technology and the second security technology, deployed on the network in response to at least one event, in the sequence of events and the second sequence of events, exceeding the threshold score and generating the prompt comprises generating the prompt to reconfigure the suite of security technologies to respond to behaviors analogous to the phase, on the computer network, according to the target response type in response to absence of at least one event, in the sequence of events and the second sequence of events, exceeding the threshold score and representing an event type matching the target response type.
Claims 11 and 12 are indicated as allowable subject matter based on their dependence on claim 10.
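The scoring of claim 9 (score inversely proportional to the time offset from the phase window and dependent on the presence of the indicator of compromise) and the suite-level check of claims 10 and 19 (confirm logging if any event in either sequence exceeds the threshold; prompt reconfiguration unless one of those events also matches the target response type), carried through as an added Python example that is not part of the application or of any cited reference. The 1/(1 + offset/60 s) scale, the IoC weight of 2.0, the polling-scope rule and all sample events are assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Phase:
    window_start: datetime       # phase window: when the target asset executed the action
    window_end: datetime
    polling_seconds: int         # polling window that follows the phase window
    target_response_type: str    # e.g. "detection", "prevention", "alert"
    ioc: str                     # indicator of compromise carried by the action
@dataclass(frozen=True)
class Event:
    timestamp: datetime          # as logged by the security technology
    event_type: str
    fields: dict                 # raw log fields of the event
def time_offset(ts: datetime, phase: Phase) -> float:
    """Seconds from the event timestamp to the nearest edge of the phase window (0 inside)."""
    if ts < phase.window_start:
        return (phase.window_start - ts).total_seconds()
    if ts > phase.window_end:
        return (ts - phase.window_end).total_seconds()
    return 0.0

def correlation_score(event: Event, phase: Phase, ioc_weight: float = 2.0) -> float:
    """Inversely proportional to the time offset (1.0 inside the window, 0.5 at a 60 s
    offset; assumed scale) and multiplied by ioc_weight when the IoC value is present."""
    base = 1.0 / (1.0 + time_offset(event.timestamp, phase) / 60.0)
    return base * (ioc_weight if phase.ioc in event.fields.values() else 1.0)

def in_polling_scope(event: Event, phase: Phase) -> bool:
    # assumption: only events timestamped between phase start and end of polling window count
    poll_end = phase.window_end + timedelta(seconds=phase.polling_seconds)
    return phase.window_start <= event.timestamp <= poll_end

def validate_suite(phase: Phase, sequences: dict, threshold: float) -> dict:
    """sequences maps each technology to its polled events. Logging is confirmed if any event
    exceeds the threshold; a prompt is generated unless one above it also matches the target type."""
    scored = [(ev, correlation_score(ev, phase))
              for evs in sequences.values() for ev in evs if in_polling_scope(ev, phase)]
    logged = any(s > threshold for _, s in scored)
    fulfilled = any(s > threshold and ev.event_type == phase.target_response_type
                    for ev, s in scored)
    prompt = None
    if not logged:
        prompt = "reconfigure suite to respond to behaviors analogous to the phase"
    elif not fulfilled:
        prompt = f"reconfigure suite to respond with '{phase.target_response_type}'"
    return {"logged": logged, "fulfilled": fulfilled, "prompt": prompt}
T0 = datetime(2024, 1, 1, 12, 0, 0)  # constructed sample: 30 s phase window, 300 s polling window
SAMPLE_PHASE = Phase(T0, T0 + timedelta(seconds=30), 300, "prevention", "evil.example")
SAMPLE_SEQUENCES = {  # constructed log events; the 11:50 EDR event predates the phase and is ignored
    "edr": [Event(T0 + timedelta(seconds=20), "detection", {"domain": "evil.example"}),
            Event(T0 - timedelta(minutes=10), "prevention", {"domain": "old.example"})],
    "firewall": [Event(T0 + timedelta(minutes=3), "prevention", {"dst": "10.0.0.5"})],
}
```

With the sample data the EDR detection scores 2.0 and confirms logging, but no event above the threshold is a prevention, so the suite is flagged and a reconfiguration prompt is produced.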
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: 
Espino (US-PGPUB No. 20200184026 A1) discloses methods, systems and computer program products that enable executing simulation scenarios against a computing system simulation model to determine one or more appropriate modifications to a physical, operating computing system.
Higbee et al. (US-PGPUB No. 20160301705 A1) discloses methods, network devices, and machine-readable media for an integrated environment for automated processing of reports of suspicious messages, and furthermore, a network for distributing information about detected phishing attacks.
Kras et al. (US-PGPUB No. 20200177612 A1) discloses systems and methods that are useful for minimizing organization risk in the case of a cybersecurity attack, through computer-based simulation of cybersecurity attacks, incident response tracking and incident response training provided responsive to the simulation outcome.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MATTHIAS HABTEGEORGIS whose telephone number is (571)272-1916. The examiner can normally be reached M-F 8am-5pm ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok B Patel can be reached on (571)272-3972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/M.H./Examiner, Art Unit 2491
/ASHOKKUMAR B PATEL/Supervisory Patent Examiner, Art Unit 2491