DETAILED ACTION 
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Amendment
This action is in response to the communications and remarks filed on 06/16/2022. Claims 1 and 9 have been amended. Claims 1-20 have been examined and are pending.
Response to Arguments
Applicant's amendments and arguments (see pages 7-10 of the remarks) have been fully considered and are persuasive. In response to applicant's arguments regarding claims 1-20, and after a complete search of the entire relevant prior art, the examiner has determined that the claims are in condition for allowance. The previous 103 rejections of claims 1-20 have been withdrawn.
The claims are now in condition for allowance.
Allowable Subject Matter
Applicant's arguments have been considered and are determined to be persuasive. Accordingly, the previously presented rejections are withdrawn.
Claims 1-20 are allowed.
The following is an examiner's statement of reasons for allowance:
The closest prior art, as previously recited, Dourado ("Design of connection networks with bounded number of non-terminal vertices"), Tripathy ("Risk based Security Enforcement in Software Defined Network"), Agarwal 20190147161 A1, Trivellato 20200412758 A1, and Moscovici et al 20170214702 A1 are also generally directed to:
identifying a connection tree for a computing environment based on forwarding rules for virtual nodes in the computing environment, wherein the connection tree comprises a plurality of connections between the nodes; [Dourado, p. 40, para 3: A connection tree for a subset W ⊆ V(G) is an acyclic, connected subgraph T of G, where W ⊆ V(T) and all leaves of T are in W. Clearly, every Steiner tree for W is a connection tree. In a connection tree, there are three types of vertices: (1) the vertices of W, called terminals; (2) the vertices in V(T)\W with degree two in T, called linkers; (3) the vertices in V(T)\W with degree at least three in T, called routers. p. 40, para 4: In addition, in some situations... deciding routing policies over the internet for multicast traffic.];
for each connection in the connection tree, determining a threat value based at least on a protocol associated with the connection; [Tripathy, p. 323: The proposed security function determines threat value of different SDN entities by analyzing vulnerability and exposure with respect to Common Vulnerability Scoring System (CVSS). The risk of a given traffic is calculated as cumulative threat values of the SDN entities that guides the flow controller in generating secure flow rules for the forwarding switches. Section 4.1.2 Threat model for a switch: The vulnerability of a switch Vs is determined as the ratio sum of the Common Vulnerability Scores (CVS) of the protocols running on the switch. Agarwal ¶¶0126-0129 and 0140: Fig. 16 breaks down in flowchart with step 1402 where a visual diagram of an overall system that generates threat report for each component and/or component group; where user identifies the type and place of any communication protocols between components. At step 1410 the user analyzes the various attack vectors to determine what compensating controls may be included to protect the asset. At step 1412 the user adds or removes compensating controls to the diagram and/or toggles compensating controls between ON/OFF states. At step 1414 the user determines the effectiveness of the compensating controls or other risk management methods (such as changing communication protocols, changing the relative location of the asset within the modeled environment, adding non-compensating control elements between the asset and attack locations, and so forth). Fig. 17 goes further to show a tree diagram that determines an attack vector for a selected asset for asset selected or associated component with relevant threat attack paths. For example, the system then determines that threat 1722, through component 1708, is a threat to asset 1702, and thus attack vector 1726 (shown by lines of heavier weight) is shown between threat 1722 to asset 1702... visually diagramming a system/process using database-stored components (including communication protocols and compensating controls)];
calculating one or more minimum or maximum spanning trees for the virtual nodes based on the connection tree; [Dourado, p. 41, section 2 Computational Complexity Results, para 1: As it is well-known, a spanning tree can be found in polynomial time [5], but finding a Steiner tree is NP-hard [3]. Moore, ¶¶0322-0323: evaluated messages or one or more rules to be processed; an expression without limitation may express: a minimum spanning tree];
generating a threat based on the one or more minimum or maximum spanning trees. [Shenoi, ¶¶0067-0068: inventive method allows the network administrator to identify a threat, or target packet, and send a hyperspeed signal to any node in the network before a target packet arrives at a node under attack... Intelligence involves integrating time-sensitive information from all sources into concise, accurate and objective reports related to a threat situation. ¶0070: Hyperspeed signaling enables projecting holographic network topologies and transfiguring networks; which enables network topologies to be dynamically manipulated to adapt to environment/context of threat. ¶¶0077-0078: Hyperspeed communication can be based on route variation implemented in (maximum/minimum) spanning tree. Trivellato, ¶¶0015 and 0116: alerts are indicators of problems/ongoing threats; misconfiguration alerts may be based on a spanning tree protocol (STP) network topology change. Moscovici, ¶¶0089 and 0090: once potential threat detected, threat propagation module in charge of communicating it to C3. In case Protect is disconnected, threat propagation module. ¶0133: use of lot of data to compute predictors using decision trees]
However, none of Dourado, Tripathy, Agarwal, Trivellato, Moscovici and Shenoi teaches or suggests, alone or in combination, the particular combination of steps or elements as recited in the independent claims, claims 1, 9, and 17. For example, none of the cited prior art teaches or suggests identifying a connection tree for a computing environment based on forwarding rules for virtual nodes in the computing environment, wherein the connection tree comprises a plurality of connections between the virtual nodes; for each connection in the connection tree, determining a threat value based at least on a protocol associated with the connection; calculating one or more minimum or maximum spanning trees for the virtual nodes based on the threat values and the connection tree; generating a threat propagation summary based on the one or more minimum or maximum spanning trees, in view of other limitations of claims 1, 9, and 17.
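An added example, not part of the Office action, the application or the cited references, of the sequence of steps recited above: connections derived from forwarding rules, a protocol-based threat value per connection, a minimum or maximum spanning tree, and a propagation summary. The forwarding rules, the per-protocol threat values and the weakest-link form of the summary are constructed assumptions.

```python
from collections import defaultdict

# Constructed per-protocol threat values (assumption; the page gives no numbers).
PROTOCOL_THREAT = {"telnet": 9.0, "ftp": 7.5, "http": 6.0, "ssh": 3.0, "https": 2.0}

# Constructed forwarding rules for virtual nodes: (source, destination, protocol).
FORWARDING_RULES = [
    ("web", "app", "http"),
    ("web", "db", "telnet"),
    ("app", "db", "ssh"),
    ("app", "cache", "https"),
    ("db", "backup", "ftp"),
    ("cache", "backup", "ssh"),
]

def connections(rules, threat=PROTOCOL_THREAT):
    """Turn forwarding rules into (threat_value, a, b, protocol) connections."""
    return [(threat[proto], src, dst, proto) for src, dst, proto in rules]

def spanning_tree(conns, maximum=True):
    """Kruskal's algorithm with union-find; maximum=False gives the minimum tree."""
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x
    tree = []
    for conn in sorted(conns, key=lambda c: c[0], reverse=maximum):
        ra, rb = find(conn[1]), find(conn[2])
        if ra != rb:  # skip connections that would close a cycle
            parent[ra] = rb
            tree.append(conn)
    return tree

def propagation_summary(tree, entry):
    """Walk the tree from `entry`; report each node's path and weakest-link threat."""
    adj = defaultdict(list)
    for value, a, b, _proto in tree:
        adj[a].append((b, value))
        adj[b].append((a, value))
    summary, seen = {}, {entry}
    stack = [(entry, [entry], float("inf"))]
    while stack:
        node, path, bottleneck = stack.pop()
        for nxt, value in adj[node]:
            if nxt not in seen:
                seen.add(nxt)
                worst = min(bottleneck, value)
                summary[nxt] = {"path": path + [nxt], "bottleneck": worst}
                stack.append((nxt, path + [nxt], worst))
    return summary

if __name__ == "__main__":
    tree = spanning_tree(connections(FORWARDING_RULES), maximum=True)
    for node, info in sorted(propagation_summary(tree, "web").items()):
        print(node, " -> ".join(info["path"]), info["bottleneck"])
```

On a maximum spanning tree, the tree path between two nodes maximizes the smallest threat value along it, so the reported bottleneck is the highest weakest-link value over all routes between them.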
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled "Comments on Statement of Reasons for Allowance."
The closest prior art made of record are:
Dourado et al ("Design of connection networks with bounded number of non-terminal vertices") teaches that the spanning tree problem and the Steiner tree problem aim at obtaining an acyclic subgraph connecting a set of terminal points and satisfying some properties. Both problems have several important network applications. Let G be a graph. A connection tree of a subset W ⊆ V(G) is an acyclic, connected subgraph T of G such that W ⊆ V(T) and all leaves of T are in W. In a connection tree, there are three types of vertices: (1) terminal vertices, i.e., those belonging to W; (2) non-terminal vertices with degree two in T, called linkers; (3) non-terminal vertices with degree at least three in T, called routers. Motivated by its large potential applicability, we propose a new problem in graphs, called terminal connection problem (tcp), where the number of non-terminal vertices (linkers and/or routers) is bounded by a constant value. In this work, we prove NP-complete and polynomial cases for variants of the tcp. (Figure 1 and 1 Introduction, ¶3-4).
Ramanathan et al (20200052997 A1) teaches a MANET protocol, comprising: receiving a data packet (DP) from a current sender (CS) by a recipient, defining: an identity of the CS, a prior sender (PS) from which CS received DP, and a target recipient (ID), a count (HC) of hops previously traversed by DP, and a sequence identifier (SI); updating a forwarding table (FT) to mark CS as being reachable in one hop, and PS as being reachable in two hops via CS as next hop; determining if ID is the recipient; determining whether to rebroadcast by recipient, if and only if the SI is not present in a list of prior SIs; and selectively rebroadcasting DP by recipient in dependence on said determining, modified by: replacement of CS with an identity of the recipient, PS with CS, and ID with a next hop from the FT if present, and incrementing HC. (¶0022-0023, 0027, 0035-0036).
Trivellato et al (20200412758 A1) teaches systems, methods, and related technologies for determining a comprehensive risk score or value are described. The risk score determination may include selecting an entity communicatively coupled to a network and determining a cyber-attack likelihood value and a cyber-attack impact value associated with the entity. A cyber-attack risk may then be determined based on the cyber-attack likelihood value and a cyber-attack impact value associated with the entity. An operational failure likelihood value and an operational failure impact value associated with the entity can be determined. An operational failure risk based on the operational failure likelihood value and the operational failure impact value associated with the entity can be determined. A risk value may then be determined for the entity based on the cyber-attack risk and the operational failure risk and the risk value for the entity can be stored. (¶0092-0094, 0116, 0120 and 0148-0164).
Argyros et al (20190164092 A1) teaches a protocol user interface (UI) element on a graphical user interface is generated, in which the protocol UI element includes an input field and is assigned with a weight value. The weight value is determined at least based upon data entered into the input field of the protocol UI element. The weight value assigned to the protocol UI element is adjusted based on historical event data associated with a protocol corresponding to the protocol UI element. Data entered into the input field of the protocol UI element is parsed. A risk assessment score based on the adjusted weight value and parsed data is dynamically calculated, in which the risk assessment score indicates a likelihood that an adverse event will occur as a result of violating the protocol. (¶).
Agarwal (20190147161 A1) teaches threat model chaining methods that include providing one or more databases including threat model components, threats, each threat associated with at least one of the threat model components, and compensating controls, each compensating control associated with one of the threats, providing a diagram interface configured to display a relational diagram defining a first threat model, and configuring the diagram interface to add a component group to the first threat model include in it a second threat model. Attack simulation methods include providing the one or more databases and diagram interface and configuring the diagram interface to visually display attack paths of threats associated with diagrammed threat model components which compromise a selected threat model component. Attack simulation systems include one or more computing devices coupled with one or more databases configured to store and interrelate threats, threat model components, and compensating controls, and allow diagramming and defining of threat models. (Fig. 13 and ¶0093-0095).
Johnson et al (20160012560 A1) teaches a method of providing an emergency or crisis plan to a user is disclosed that includes receiving a plurality of user-inputted answers associated with a user-identified account and corresponding to a plurality of questions concerning at least one of a potential threat, a potential hazard, and a potential vulnerability associated with the user. A server system assigns a weighted value to each of the plurality of user-inputted answers and provides, to the electronic computing device of the user, a plurality of response protocols, each of the plurality of response protocols corresponding to an action to be taken by the user in response to the potential threat, hazard, and/or vulnerability of the user. The plurality of user-inputted answers are converted into an assessment matrix that ranks the potential threat, hazard, and/or vulnerability. (¶0137-0138 and 0151).
Guo (CN109995740 A) teaches a method for discovering potential or ongoing network threat events on a network, in particular to a threat detection method based on deep protocol analysis. The device is characterized by comprising the following steps: a data packet capture module collects a data packet from the Ethernet; or obtains all the data packets flowing through the network outlet through the port mirror image of the switch; and transmits the obtained original data packet to a protocol identification module, performs IP recombination on the original data packet by the protocol identification module, starts TCP session recombination when it is found that the original data packet has a TCP session identifier, and transmits the recombined network layer data and application layer data to a deep protocol analysis module. Meanwhile, compared with similar existing methods, the method can analyze most common network protocols, can go deep into the protocols, directly analyzes the loads of the protocols, and is good in adaptability and detection effect. (¶).
Moore et al (20070061487 A1) teaches an invention that relates to hardware, software and electronic service components and systems to provide large-scale, reliable, and secure foundations for distributed databases and content management systems, combining unstructured and structured data, and allowing post-input reorganization to achieve a high degree of flexibility. (¶0213-0215).
Hu (CN102984140 A) teaches a malicious software feature fusion analytical method and a system based on shared behavior segments. The method includes deploying, collecting and analyzing nodes of malicious software, and constructing a distributed hash table (DHT) module; collecting samples of the malicious software and segmented into segment sets, and calculating local statistical properties; sharing to the DHT, gathering global features of the behavior segments, and returning to source nodes; the source nodes calculating candidate neighbor node sets and performing similar calculation of behavior characteristics through remote nodes of the candidate neighbor node sets to construct an adjacency relation diagram of the behavior characteristics; and generating an aggregation tree for aggregation based on the adjacency relation diagram of the behavior characteristics, and outputting root behavior characteristics. The system comprises a plurality of nodes, each node comprises a characteristic segmenting module, the DHT module, a behavior segment synergy sharing module, a neighbor behavior characteristic discovering module and a behavior characteristic gradual aggregation module. The method and the system have the advantages of being high in analytical accuracy and performances and good in expandability. (Abstract).
Mester (US20060130142 A1) teaches methods and apparatus, including computer program products, for propagation protection within a network. A transparent network appliance monitors data being transmitted from a first portion of the network to a second portion of the network through the network appliance and analyzes the data to determine whether the data represents a threat to the network. The network appliance transmits the data to the second portion of the network if the data does not represent a threat to the network or prevents transmission of the data to the second portion of the network if the data represents a threat to the network. (¶0013-0014, 0027, 0076).
Chua et al (9,178,807 B1) teaches a controller device for a software defined network (SDN) includes one or more interfaces for communicating with network devices in the software defined network, and one or more processors configured to determine connections between the network devices, determine one or more paths for network traffic between the network devices based on the determination of the connections, and program the network devices to direct network traffic along the one or more paths (Col 14, lines 32-52).
Moscovici et al (20170214702 A1) teaches distributed techniques for detecting atypical or malicious wireless communications activity are disclosed. A server can iteratively generate sets of filters based at least in part upon observation data received from one or more Protects. The filters can be used by the Protect(s) to distinguish between sniffed wireless messages that are to be discarded and those that are to be reported to the server. The server can provide the generated sets of filters to the Protect(s) to cause the Protect(s) to process additional sniffed wireless messages utilizing the one or more sets of filters. Updated filters can cause fewer subsequent sniffed wireless messages to be reported than would have been reported by use of previous filters. Limited activity reporting by the Protect(s) enables a reduced communication load compared to full activity reporting without degrading the ability of the server to detect the atypical or malicious wireless communications activity. (¶¶0224-0225)
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SAKINAH W TAYLOR whose telephone number is (571)270-0682. The examiner can normally be reached Monday-Friday, 9:45-5:45.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, ELENI SHIFERAW can be reached on 571-272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Sakinah White Taylor/Primary Examiner, Art Unit 2497