DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This office action is in response to communication filed on 08/27/2020.
Status of claims in the instant application:
Claims 1-20 are pending.
Priority
The instant application claims benefit of 62/893,350 filed on 08/29/2019.
Information Disclosure Statement
Information Disclosure Statements (IDS) filed on 08/20/2021, 09/10/2021 and 10/15/2021 have been considered, and signed copies of the IDS forms have been attached to this office action.
Drawings
Drawings filed on 08/27/2020 have been inspected, and they are in compliance with MPEP 608.02.
Specification
Specification filed on 08/27/2020 has been inspected, and it is in compliance with MPEP 608.01.
Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f):
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f). The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function.
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) because the claim limitations use a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier. Such claim limitations are:
Claims 1, 2, 3, 4, 5, 6, 7 and 10 recite, “… intelligent-adversary simulator is configured to …”
Claim 1 recites, “… a formatting module is configured to …”
Claims 8 and 9 recite, “… a profile manager module configured to …”
Because these claim limitations are being interpreted under 35 U.S.C. 112(f), they are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
Examiner has investigated the disclosure (Published application) of the instant application and finds the following descriptions there:
“Para [0009]: FIG. 1 illustrates a block diagram of an embodiment of an intelligent-adversary simulator configured to construct a graph of a virtualized instance of a network and to simulate the compromise of a spread of the cyber threat being simulated in the simulated cyber-attack scenario on connections between the devices connected to the virtualized network.
Para [0019]: The intelligent-adversary simulator, such as an AI Threat Hunter, can be coded to use a virtual network constructor to construct a graph of a virtualized instance of a network including i) devices connecting to the virtualized instance of the network as well as ii) all actual connections and pathways through the virtualized instance of the network. The virtualized instance of the network is based on an actual physical network under analysis. The graph of the virtualized instance of the network is constructed in order to for its simulator to run one or more simulated cyber-attack scenarios on the virtualized instance of the network in order to identify one or more, e.g. most, critical devices connecting to the virtualized instance of the network from a security standpoint, and then put this information into a generated report. The report with its observations helps a human cyber professional prioritize which critical devices connecting to the virtualized instance of the network should have a priority to allocate security resources to them based on the simulated cyber-attack scenarios; and thus, by correspondence which actual network devices in the network under analysis should have a priority to allocate security resources to them. Note, during a simulation, the intelligent-adversary simulator can be coded to calculate one or more paths of least resistance for a cyber threat in the cyber-attack scenario to compromise 1) a virtualized instance of a source device, originally compromised by the cyber threat, 2) through to other virtualized instances of components of the virtualized network, 3) until reaching an end goal of the cyber-attack scenario in the virtualized network. The graph, data, security, pathways, devices, user behaviour, etc. are all based on actual historic knowledge of connectivity and behaviour patterns of users and devices within the actual network under analysis.
Para [0020]: The intelligent-adversary simulator can use the library of cyber-attack scenarios to simulate multiple types of compromise of a given device in a network via cooperation with, for example, the artificial intelligence models trained on cyber threats, and then different goals and purposes of a malicious cyber threat, such set out in the library of cyber-attack scenarios. The compromise of the source device can be an infection spread initial to and then from the source device in the virtualized instance of the network under analysis. The compromise of the source device can be, for example, a wrongful use of access credentials of a user by a malicious actor, unauthorized data exfiltration by a user, a virus/malware, etc. The intelligent-adversary simulator can use adapted versions of AI algorithms and AI models trained originally on the application of graph theory in epidemiology for many of the cyber-attack scenarios to simulate a spread of the cyber-attack through the virtualized instance of the network under analysis. The spread of a disease can be modelled on the connections between individuals and/or devices and then an instructor component can factor in coefficients for ease of transmission between those individuals. The intelligent-adversary simulator has a library of AI algorithms and AI models trained on the application of graph theory to construct a graph of a virtualized instance of a network, its network devices, pathway connectivity within the network, spread. The intelligent-adversary simulator runs an adversary simulation that again has been adapted partially from disease epidemiology theory to automatically identify which devices within an organization's network would cause the most damage to the organization if infected, and then output a report allowing the security team to allocate defensive resources appropriately. 
Para [0094]: The formatting module can be coded to generate the report with the identified critical devices connecting to the virtualized instance of the network that should have the priority to allocate security resources to them, along with one or more portions of the constructed graph (See FIG. 2). The formatting module can have an autonomous email-report composer that cooperates with the various AI models and modules of the cyber security appliance 100 as well as at least a set of one or more libraries of sets of prewritten text and visual representations to populate on templates of pages in the email threat report. The autonomous email-report composer can compose an email threat report on cyber threats that is composed in a human-readable format with natural language prose, terminology, and level of detail on the cyber threats aimed at a target audience being able to understand the terminology and the detail. The modules and AI models cooperate with the autonomous email-report composer to indicate in the email threat report, for example, an email attack's 1) purpose and/or 2) targeted group (such as members of the finance team, or high-level employees).
Para [0036]: The cyber security appliance 100 can also include a profile manager module. The profile manager module can be coded to communicate and cooperate with the intelligent-adversary simulator, the one or more processors to execute its instructions, and the one or more non-transitory storage mediums to store its software and a database of profile tags. The profile manager module can be coded to maintain a profile tag on all of the devices connecting to the actual network under analysis based on their behaviour and security characteristics and then supply the profile tag for each of the devices connecting to the virtualized instance of the network when the construction of the graph occurs. Note, because the profile manager module maintains the profile tag for each device before the simulation is carried out, many simulations and cyber-attack scenario can be performed in a short amount of time, as this eliminates a need to search and query for known data about each device being simulated each time a cyber-attack scenario is run during the simulation, and need not be performed each time when the simulation is run day after day.”
Examiner interprets, based on at least the above descriptions of the instant application, that the various modules recited in the identified claim limitations above are software applications that are run on hardware/processor for performing the recited functions.
If applicant does not intend to have these limitations interpreted under 35 U.S.C. 112(f), applicant may: (1) amend the claim limitations to avoid them being interpreted under 35 U.S.C. 112(f) (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitations recite sufficient structure to perform the claimed function so as to avoid them being interpreted under 35 U.S.C. 112(f).
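As an added illustration of the simulation described in the quoted paragraphs (this is example code written for this page, not the application's or the examiner's own text), the following Python models a constructed virtualized network as a graph whose edges carry an ease-of-transmission coefficient, computes the path of least resistance from a compromised source device to an end goal without enumerating every possible path, and produces a report ranking which devices should receive security resources first. Device names, coefficients and scenarios are constructed sample values.

```python
"""Added illustration of a path-of-least-resistance simulation over a graph of a
virtualized network. Constructed example; not the application's own code."""
import heapq
import math
from collections import defaultdict

# Constructed virtualized instance of a network. Each directed edge carries an
# "ease of transmission" coefficient in (0, 1]: how easily a compromise spreads
# across that connection given the observed connectivity and behaviour of the
# two devices (the role the profile tags play in the quoted specification).
VIRTUAL_NETWORK = {
    "laptop-7": {"fileserver-1": 0.6, "workstation-3": 0.8},
    "workstation-3": {"fileserver-1": 0.5, "jump-host": 0.85},
    "fileserver-1": {"domain-controller": 0.4, "jump-host": 0.7},
    "jump-host": {"domain-controller": 0.9, "crown-jewel-db": 0.2},
    "domain-controller": {"crown-jewel-db": 0.95},
    "crown-jewel-db": {},
}


def edge_resistance(ease):
    """Turn ease of transmission into an additive cost. Multiplying eases along
    a path equals summing -log(ease), so the minimum-cost path is the route the
    simulated spread is most likely to follow."""
    return -math.log(ease)


def path_of_least_resistance(graph, source, goal):
    """Dijkstra search from the compromised source device to the end goal.
    Only the cheapest frontier is expanded at each hop; the exponentially many
    other routes are never enumerated, which is what keeps cycles and memory
    bounded. Returns (path, overall spread likelihood) or (None, 0.0)."""
    best = {source: 0.0}
    prev = {}
    frontier = [(0.0, source)]
    while frontier:
        cost, node = heapq.heappop(frontier)
        if node == goal:
            break
        if cost > best.get(node, math.inf):
            continue  # stale heap entry
        for nxt, ease in graph[node].items():
            new_cost = cost + edge_resistance(ease)
            if new_cost < best.get(nxt, math.inf):
                best[nxt] = new_cost
                prev[nxt] = node
                heapq.heappush(frontier, (new_cost, nxt))
    if goal not in best:
        return None, 0.0
    path = [goal]
    while path[-1] != source:
        path.append(prev[path[-1]])
    path.reverse()
    return path, math.exp(-best[goal])


def count_all_simple_paths(graph, source, goal, seen=frozenset()):
    """For comparison only: how many routes a brute-force enumeration would
    have to examine. Grows exponentially with network size."""
    if source == goal:
        return 1
    seen = seen | {source}
    return sum(count_all_simple_paths(graph, n, goal, seen)
               for n in graph[source] if n not in seen)


def critical_devices(graph, scenarios):
    """Run each (source, goal) cyber-attack scenario and score intermediate
    devices by how often they lie on a least-resistance path; these are the
    devices where allocating security resources breaks the likeliest spread."""
    score = defaultdict(int)
    for source, goal in scenarios:
        path, _ = path_of_least_resistance(graph, source, goal)
        if path:
            for device in path[1:-1]:
                score[device] += 1
    return sorted(score.items(), key=lambda kv: (-kv[1], kv[0]))


def report(graph, scenarios):
    """Generate the prioritisation report as plain text lines."""
    lines = []
    for source, goal in scenarios:
        path, prob = path_of_least_resistance(graph, source, goal)
        routes = count_all_simple_paths(graph, source, goal)
        lines.append(f"{source} -> {goal}: {' -> '.join(path)} "
                     f"(spread likelihood {prob:.2f}; {routes} possible routes, "
                     f"only the least-resistance one was computed)")
    ranking = ", ".join(f"{d} ({n})" for d, n in critical_devices(graph, scenarios))
    lines.append("Devices to prioritise: " + ranking)
    return lines


if __name__ == "__main__":
    SCENARIOS = [("laptop-7", "crown-jewel-db"),
                 ("workstation-3", "crown-jewel-db")]
    print("\n".join(report(VIRTUAL_NETWORK, SCENARIOS)))
```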
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 1-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the applicant regards as the invention.
	Claim 1 recites, “ …where, during a simulation, the intelligent-adversary simulator is configured to calculate one or more paths of least resistance for a cyber threat in the cyber-attack scenario to compromise 1) a virtualized instance of a source device, originally compromised by the cyber threat …”
	It is not clear from the claim language what “device originally compromised” means in the above claim language. Is it that the simulator detects that the device is compromised, or that the device was already identified as compromised before the simulation is run/executed? The language of the claim is vague and unclear, which makes the claim indefinite; hence it is rejected as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the applicant regards as the invention.
	Claim 1 recites, “… 3) until reaching an end goal of the cyber- attack scenario in the virtualized network, all based on historic knowledge of connectivity and behaviour patterns of users and devices within the actual network under analysis”
	It is not clear from the claim language what “all” is referring to. The language of the claim is vague and unclear, which makes the claim indefinite; hence it is rejected as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the applicant regards as the invention.
	Claim 1 recites, “… but not calculate every theoretically possible path from the virtualized instance of the source device to the end goal of the cyber-attack scenario, each time a hop is made from one device in the virtualized network to another device in the virtualized network in order to reduce an amount of computing cycles needed by the one or more processing units as well as an amount of memory storage needed in the one or more non-transitory storage mediums …”
	The claim language does not clarify how the exclusion of paths is done to achieve the result of “reduced computing cycles and reduced memory usages”. The claim language reads like a simple disclaimer. The language of the claim is vague and unclear, which makes the claim indefinite; hence it is rejected as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the applicant regards as the invention.
	The dependent claims 2-10 do not rectify the issues identified above for claim 1 and hence they are also similarly rejected as being indefinite. Also, claims 11-20 recite limitations similar to claims 1-10, and hence are similarly rejected as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the applicant regards as the invention.
Claim 10 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the applicant regards as the invention.
Claim 10 recites “The apparatus of claim 1, further comprising:
… where the intelligent- adversary simulator has access to and obtains a wealth of actual network data from the network under analysis from the data store and the Al models of normal pattern of life for entities in the network under analysis, which means paths of least resistance through possible routes in this network can be computed during the simulation even when a first possible route of least resistance ….” 
Claim 1 recites, “… the intelligent-adversary simulator is configured to calculate one or more paths of least resistance for a cyber threat in the cyber-attack scenario …; …where the intelligent-adversary simulator is configured to calculate the paths of least resistance from the virtualized instance of the source device through to other virtualized instances of components of the virtualized network …”
Claim 10 is dependent on claim 1, but it is not clear from the language of claim 10 whether “paths of least resistance” as recited in claim 10 is the same “paths of least resistance” as in claim 1 or a different one. Therefore, the language of claim 1 is ambiguous, and that makes claim 1 indefinite, and hence rejected as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the applicant regards as the invention.
**** Note: For examination purposes, “paths of least resistance” in claim 10 is interpreted as the same as in claim 1. Applicant may consider amending claim 10 to recite “the paths of least resistance” to provide proper antecedent basis.
Claim Eligibility
Examiner has investigated the claims of the instant application and concludes that the claims do fall in at least one of “process, machine, manufacture, or composition of matter, or any new and useful improvement thereof”.
	It is also the Examiner’s opinion that the claims do not recite any abstract idea as categorized in the “2019 Revised Patent Eligibility Guidelines.”
	Furthermore, the “one or more non-transitory storage mediums” as in claim 1 is considered as hardware element[s], and hence the apparatus claims 1-10 are not considered as “software per se”.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Pub. No.: US 2018/0295154 A1 to Crabtree et al. (hereinafter “Crabtree”) in view of Pub. No.: US 2016/0205122 A1 to Bassett (hereinafter “Bassett”).
Regarding Claim 1. Crabtree discloses An apparatus (Crabtree, FIG. 19, Para [0091-0092]: … Referring now to FIG. 19, there is shown a block diagram depicting an exemplary computing device 10 suitable for implementing at least a portion of the features or functionalities disclosed herein …), comprising:
an intelligent-adversary simulator is configured to construct a graph of a virtualized instance of a network including i) devices connecting to the virtualized instance of the network as well as ii) connections and pathways through the virtualized instance of the network, where the virtualized instance of the network is based on an actual network under analysis (Crabtree, Claim 1, Abstract: … A system for mitigation of cyberattacks employing an advanced cyber decision platform comprising a time series data store, a directed computational graph module, an action outcome simulation module, and observation and state estimation module, wherein the state of a network is monitored and used to produce a cyber-physical graph representing network resources, simulated network events are produced and monitored … An advanced cyber decision platform for mitigation of cyberattacks, the platform comprising: a time series data store comprising at least a processor, a memory, and a plurality of programming instructions stored in the memory and operating on the processor, wherein the programmable instructions, when operating on the processor, cause the processor to” monitor a plurality of network events; produce time-series data comprising at least a record of a network event and the time at which the event occurred; an observation and state estimation module comprising at least a processor, a memory, and a plurality of programming instructions stored in the memory and operating on the processor, wherein the programmable instructions, when operating on the processor, cause the processor to: monitor a plurality of connected resources on a network; produce a cyber-physical graph representing at least a portion of the plurality of connected resources, the cyber-physical graph comprising at least the logical relationships between the portion of the plurality of connected resources on the network and the physical relationships between any connected resources that comprise at least a 
hardware device; …), where the graph of the virtualized instance of the network is constructed in order to run a simulated cyber-attack scenario on the virtualized instance of the network in order to identify one or more critical devices connecting to the virtualized instance of the network from a security standpoint, and then put this information into a generated report; and thus, help prioritize which critical devices connecting to the virtualized instance of the network should have a priority to allocate security resources to them based on the simulated cyber-attack scenario (Crabtree, Para [0066-0069]: … The data is analyzed 264 to determine whether network vulnerabilities exist for which a patch has not yet been created and/or applied. If the assessment determines that such a vulnerability exists 265, whether or not all software has been patched according to manufacturer recommendations, the system administrator is notified of the potential vulnerability, along with contextually-based, tactical recommendations for optimal response based on potential impact 266. Otherwise, network activity is allowed to continue normally 267 … Simulations run may also include the predictive effects of any attack mitigating actions on normal and critical operation of the enterprise's IT systems and corporate users. Similarly, a chief information security officer may use the cyber-decision platform to predictively analyze 406a what corporate information has already been compromised, predictively simulate the ultimate information targets of the attack that may or may not have been compromised and the total impact of the attack what can be done now and in the near future to safeguard that information. Further, during retrospective forensic inspection of the attack, the forensic responder may use the cyber-decision platform 405a to clearly and completely map the extent of network infrastructure through predictive simulation and large volume data analysis. 
The forensic analyst may also use the platform's capabilities to perform a time series and infrastructural spatial analysis of the attack's progression with methods used to infiltrate the enterprise's subnets and servers. Again, the chief risk officer would perform analyses of what information 407a was stolen and predictive simulations on what the theft means to the enterprise as time progresses. Additionally, the system's predictive capabilities may be employed to assist in creation of a plan for changes of the IT infrastructural that should be made that are optimal for 
remediation of cybersecurity risk under possibly limited enterprise budgetary constraints in place at the company so as to maximize financial outcome …), where, during a simulation, the intelligent-adversary simulator is configured to calculate one or more paths [of least resistance] for a cyber threat in the cyber-attack scenario to compromise 1) a virtualized instance of a source device, originally compromised by the cyber threat, 2) through to other virtualized instances of components of the virtualized network, 3) until reaching an end goal of the cyber- attack scenario in the virtualized network, all based on historic knowledge of connectivity and behaviour patterns of users and devices within the actual network under analysis (Crabtree, Para [0079, 0085, 0097, 0100]: … FIG. 15 is a flow diagram of an exemplary method 1500 for mitigating compromised credential threats, according to one aspect. According to the aspect, impact assessment scores (as described previously, referring to FIG. 9) may be collected 1501 for user accounts in a directory, so that the potential impact of any given credential attack is known in advance of an actual attack event. This information may be combined with a CPG 1502 as described previously in FIG. 11, to contextualize impact assessment scores within the infrastructure (for example, so that it may be predicted what systems or resources might be at risk for any given credential attack). A simulated attack may then be performed 1503 to use machine learning to improve security without waiting for actual attacks to trigger a reactive response. A blast radius assessment (as described above in FIG. 9) may be used in response 1504 to determine the effects of the simulated attack and identify points of weakness, and produce a recommendation report 1505 for improving and hardening the infrastructure against future attacks …),
However, Crabtree does not explicitly teach, but Bassett from same or similar field of endeavor teaches, “… calculate one or more paths of least resistance (Bassett, Abstract: … An improved method for analyzing computer network security has been developed. The method first establishes multiple nodes, where each node represents an actor, an event, a condition, or an attribute related to the network security. Next, an estimate is created for each node that reflects the ease of realizing the event, condition, or attribute of the node. Attack paths are identified that represent a linkage of nodes that reach a condition of compromise of network security. Next, edge probabilities are calculated for the attack paths. The edge probabilities are based on the estimates for each node along the attack path. Next, an attack graph is generated that identifies the easiest conditions of compromise of network security and the attack paths to achieving those conditions. Finally, attacks are detected with physical sensors on the network, that predict the events and conditions. When an attack is detected, security alerts are generated in response to the attacks …) ”
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Bassett into the teachings of Crabtree, because it discloses that “the attack graph is used to conduct ‘what-if’ scenarios which simulate the difference in knowledge between the threat actor and the organization. This simulated difference may reveal differences in the probability of consequences and attack paths and therefore their priority. These differences allow improved mitigation planning, improved detection, and the ability to detect imperfections in the information an organization has about its security posture (Bassett, Para [0085])”.
Crabtree further discloses:
a formatting module is configured to generate the report with the identified critical devices connecting to the virtualized instance of the network that should have the priority to allocate security resources to them (Crabtree, Para [0068]: … FIG. 3 is a process diagram showing a general flow 300 of business operating system functions in use to mitigate cyberattacks. Input network data which may include network flow patterns 321, the origin and destination of each piece of measurable network traffic 322, system logs from servers and workstations on the network 323, endpoint data 323a, any security event log data from servers or available security information and event (SIEM) systems 324, external threat intelligence feeds 324a, identity or assessment context 325, external network health or cybersecurity feeds 326, Kerberos domain controller or ACTIVE DIRECTORY™ server logs or instrumentation 327 and business unit performance related data 328, among many other possible data types for which the invention was designed to analyze and integrate, may pass into 315 the business operating system 310 for analysis as part of its cyber security function. These multiple types of data from a plurality of sources may be transformed for analysis 311, 312 using at least one of the specialized cybersecurity, risk assessment or common functions of the business operating system in the role of cybersecurity system, such as, but not limited to network and system user privilege oversight 331, network and system user behavior analytics 332, attacker and defender action timeline 333, SIEM integration and analysis 334, dynamic benchmarking 335, and incident identification and resolution performance analytics 336 among other possible cybersecurity functions; value at risk (VAR) modeling and simulation 341, anticipatory vs. 
reactive cost estimations of different types of data breaches to establish priorities 342, work factor analysis 343 and cyber event discovery rate 344 as part of the system's risk analytics capabilities; and the ability to format and deliver customized reports and dashboards 351, perform generalized, ad hoc data analytics on demand 352, continuously monitor, process and explore incoming data for subtle changes or diffuse informational threads 353 and generate cyber-physical systems graphing 354 as part of the business operating system's common capabilities  …),
one or more processing units are configured to execute software instructions associated with the intelligent-adversary simulator and the formatting module (Crabtree, Para [0009]: … According to one aspect, a system for detection and mitigation of cyberattacks employing an advanced cyber decision platform comprising: a time series data store comprising at last a processor, a memory, and a plurality of programming instructions stored in the memory and operating on the processor, wherein upon operating the software instructions the processor is configured to monitor a plurality of network events and produce time-series data …), and
one or more non-transitory storage mediums are configured to store at least software associated with the intelligent-adversary simulator (Crabtree, Para [0009]: … According to one aspect, a system for detection and mitigation of cyberattacks employing an advanced cyber decision platform comprising: a time series data store comprising at last a processor, a memory, and a plurality of programming instructions stored in the memory and operating on the processor, wherein upon operating the software instructions the processor is configured to monitor a plurality of network events and produce time-series data …), and
where the intelligent-adversary simulator is configured to calculate the paths of least resistance from the virtualized instance of the source device through to other virtualized instances of components of the virtualized network until reaching an end goal of the cyber-attack scenario (Crabtree, Para [0069]: …  FIG. 4 is a process flow diagram of a method for segmenting cyberattack information to appropriate corporation parties 400. As previously disclosed 200, 351, one of the strengths of the advanced cyber-decision platform is the ability to finely customize reports and dashboards to specific audiences, concurrently is appropriate. This customization is possible due to the devotion of a portion of the business operating system's programming specifically to outcome presentation by modules which include the observation and state estimation service 140 with its game engine 140a and script interpreter 140b. In the setting of cybersecurity, issuance of specialized alerts, updates and reports may significantly assist in getting the correct mitigating actions done in the most timely fashion while keeping all participants informed at predesignated, appropriate granularity. Upon the detection of a cyberattack by the system 401 all available information about the ongoing attack and existing cybersecurity knowledge are analyzed, including through predictive simulation in near real time 402 to develop both the most accurate appraisal of current events and actionable recommendations concerning where the attack may progress and how it may be mitigated … Simulations run may also include the predictive effects of any attack mitigating actions on normal and critical operation of the enterprise's IT systems and corporate users. 
Similarly, a chief information security officer may use the cyber-decision platform to predictively analyze 406a what corporate information has already been compromised, predictively simulate the ultimate information targets of the attack that may or may not have been compromised and the total impact of the attack what can be done now and in the near future to safeguard that information. Further, during retrospective forensic inspection of the attack, the forensic responder may use the cyber-decision platform 405a to clearly and completely map the extent of network infrastructure through predictive simulation and large volume data analysis. The forensic analyst may also use the platform's capabilities to perform a time series and infrastructural spatial analysis of the attack's progression with methods used to infiltrate the enterprise's subnets and servers. Again, the chief risk officer would perform analyses of what information 407a was stolen and predictive simulations on what the theft means to the enterprise as time progresses. Additionally, the system's predictive capabilities may be employed to assist in creation of a plan for changes of the IT infrastructural that should be made that are optimal for remediation of cybersecurity risk under possibly limited enterprise budgetary constraints in place at the company so as to maximize financial outcome …); but not calculate every theoretically possible path from the virtualized instance of the source device to the end goal of the cyber-attack scenario, each time a hop is made from one device in the virtualized network to another device in the virtualized network in order to reduce an amount of computing cycles needed by the one or more processing units as well as an amount of memory storage needed in the one or more non-transitory storage mediums (Crabtree, Para [0079]: … FIG. 9 is a flow diagram of an exemplary method 900 for measuring the effects of cybersecurity attacks, according to one aspect. 
According to the aspect, impact assessment of an attack may be measured using a DCG 155 to analyze a user account and identify its access capabilities 901 (for example, what files, directories, devices or domains an account may have access to). This may then be used to generate 902 an impact assessment score for the account, representing the potential risk should that account be compromised. In the event of an incident, the impact assessment score for any compromised accounts may be used to produce a “blast radius” calculation 903, identifying exactly what resources are at risk as a result of the intrusion and where security personnel should focus their attention. To provide proactive security recommendations through a simulation module 125, simulated intrusions may be run 904 to identify potential blast radius calculations for a variety of attacks and to determine 905 high risk accounts or resources so that security may be improved in those key areas rather than focusing on reactive solutions …).
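The claim 1 limitation above (paths of least resistance computed without enumerating every theoretically possible path) and claim 2's weighting resistances, as an added example that is not code from the application or from Crabtree: a toy weighted-graph search in which each virtualized device carries a resistance to compromise, Dijkstra's algorithm returns the cheapest path without visiting every path, and an exhaustive enumerator is kept alongside only to show the work avoided. All device names, resistances and connections are constructed sample values.

```python
"""Added example (not code from the application or from Crabtree).

Toy "path of least resistance" computation over a virtualized network graph:
devices are nodes, each carrying a weighting resistance to compromise
(higher = harder), and edges are pathway connections. Entering a device
costs its resistance. Dijkstra's algorithm finds the cheapest path without
enumerating every path; an exhaustive enumerator is kept only to show how
much work that avoids. All device names, resistances and connections are
constructed sample values.
"""
import heapq
from typing import Dict, List, Optional, Tuple

# Constructed virtualized network: device -> (resistance, neighbours).
VIRTUAL_NETWORK: Dict[str, Tuple[float, List[str]]] = {
    "laptop-finance": (1.0, ["fileserver", "printer", "jump-host"]),
    "printer": (0.5, ["laptop-finance", "fileserver"]),
    "fileserver": (3.0, ["laptop-finance", "printer", "jump-host",
                         "domain-controller"]),
    "jump-host": (6.0, ["laptop-finance", "fileserver", "domain-controller"]),
    "domain-controller": (8.0, ["fileserver", "jump-host"]),
    "iot-camera": (2.0, []),  # isolated: no pathway connection at all
}


def _dijkstra(graph, source, goal=None):
    """Single-source least-resistance search; stops early once goal is settled."""
    dist = {source: 0.0}
    prev: Dict[str, str] = {}
    heap = [(0.0, source)]
    settled = set()
    while heap:
        cost, node = heapq.heappop(heap)
        if node in settled:
            continue  # stale heap entry
        settled.add(node)
        if node == goal:
            break
        for nb in graph[node][1]:
            new_cost = cost + graph[nb][0]  # pay the neighbour's resistance
            if new_cost < dist.get(nb, float("inf")):
                dist[nb] = new_cost
                prev[nb] = node
                heapq.heappush(heap, (new_cost, nb))
    return dist, prev


def least_resistance_path(graph, source, goal) -> Optional[Tuple[float, List[str]]]:
    """Cheapest path from source to goal, or None when goal is unreachable."""
    dist, prev = _dijkstra(graph, source, goal)
    if goal not in dist:
        return None
    path = [goal]
    while path[-1] != source:
        path.append(prev[path[-1]])
    path.reverse()
    return dist[goal], path


def reach_costs(graph, source) -> Dict[str, float]:
    """Least-resistance cost from source to every reachable device.

    Sorted ascending this is a simple blast-radius view: the devices a
    compromise of `source` reaches most cheaply are where hardening pays off.
    """
    dist, _ = _dijkstra(graph, source)
    return dict(sorted(dist.items(), key=lambda kv: kv[1]))


def all_simple_paths(graph, source, goal) -> List[Tuple[float, List[str]]]:
    """Every simple path source->goal: the exhaustive work the claim avoids."""
    found: List[Tuple[float, List[str]]] = []

    def walk(node, path, cost):
        if node == goal:
            found.append((cost, list(path)))
            return
        for nb in graph[node][1]:
            if nb not in path:  # simple paths only
                path.append(nb)
                walk(nb, path, cost + graph[nb][0])
                path.pop()

    walk(source, [source], 0.0)
    return found


if __name__ == "__main__":
    src, goal = "laptop-finance", "domain-controller"
    print("least resistance:", least_resistance_path(VIRTUAL_NETWORK, src, goal))
    print("reach costs:", reach_costs(VIRTUAL_NETWORK, src))
    print("simple paths enumerated:", len(all_simple_paths(VIRTUAL_NETWORK, src, goal)))
    print("unreachable:", least_resistance_path(VIRTUAL_NETWORK, src, "iot-camera"))
```

On the constructed graph the cheapest route to the domain controller runs through the fileserver (cost 11.0), so the high resistance assigned to the jump-host does not protect the end goal; the exhaustive enumerator visits six simple paths to learn the same thing.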
Regarding Claim 2. The combination of Crabtree-Bassett discloses the apparatus of claim 1, Crabtree further discloses, “further comprising:
where the intelligent-adversary simulator is configured to create the graph of the virtualized network, with its nets and subnets, where two or more of the devices connecting to the virtualized network are assigned with different weighting resistances to malicious compromise from the cyber threat being simulated in the cyber-attack scenario during the simulation (Crabtree, Para [0065]: … FIG. 2A is a process diagram showing a general flow of the process used to detect rogue devices and analyze them for threats 220. Whenever a device is connected to the network 221, the connection is immediately sent to the rogue device detector 222 for analysis. As disclosed below at 300, the advanced cyber decision platform uses machine learning algorithms to analyze system-wide data to detect threats. The connected device is analyzed 223 to assess its device type, settings, and capabilities, the sensitivity of the data stored on the server to which the device wishes to connect, network activity, server logs, remote queries, and a multitude of other data to determine the level of threat associated with the device. If the threat reaches a certain level 224, the device is automatically prevented from accessing the network 225, and the system administrator is notified of the potential threat, along with contextually-based, tactical recommendations for optimal response based on potential impact 226. Otherwise, the device is allowed to connect to the network 227 …).”
Regarding Claim 3. The combination of Crabtree-Bassett discloses the apparatus of claim 1, Crabtree further discloses, “further comprising:
where the intelligent-adversary simulator is configured to search and query,
two or more of i) a data store, ii) modules, and iii) one or more Artificial Intelligence (AI) models making up a cyber security appliance protecting the actual network under analysis from cyber threats, on what, i) the data store, ii) the modules, and iii) the one or more AI models in the cyber security appliance, already know about the network, and its components, under analysis to create the graph of the virtualize instance of the network (Crabtree, Para [0057], Claim 8: … According to one aspect, the advanced cyber decision platform, a specifically programmed usage of the business operating system, continuously monitors a client enterprise's normal network activity for behaviors such as but not limited to normal users on the network, resources accessed by each user, access permissions of each user, machine to machine traffic on the network, sanctioned external access to the core network and administrative access to the network's identity and access management servers in conjunction with real-time analytics informing knowledge of cyberattack methodology. The system then uses this information for two purposes: First, the advanced computational analytics and simulation capabilities of the system are used to provide immediate disclosure of probable digital access points both at the network periphery and within the enterprise's information transfer and trust structure and recommendations are given on network changes that should be made to harden it prior to or during an attack. 
Second, the advanced cyber decision platform continuously monitors the network in real-time both for types of traffic and through techniques such as deep packet inspection for pre-decided analytically significant deviation in user traffic for indications of known cyberattack vectors … A method for mitigation of cyberattacks employing an advanced cyber decision platform comprising the steps of: a) continuously monitoring the network for server access requests using digital signatures; b) analysis of the access requests for threats to the network using machine learning algorithms to analyze system-wide data; c) automatic blocking of the device's access to the network if a threat is detected, and notification of the threat to the system administrator, along with contextually-based, tactical recommendations for optimal response based on potential impact …),
where the graph of the virtualize instance of the network is created with two or more of
1) known characteristics of the network itself, 2) pathway connections between devices on that network, 3) security features and credentials of devices and/or their associated users, and 4) behavioural characteristics of the devices and/or their associated users connecting to that network, which all of this information is obtained from what was already know about the network from the cyber security appliance (Crabtree, Para [0057], Claim 8: … According to one aspect, the advanced cyber decision platform, a specifically programmed usage of the business operating system, continuously monitors a client enterprise's normal network activity for behaviors such as but not limited to normal users on the network, resources accessed by each user, access permissions of each user, machine to machine traffic on the network, sanctioned external access to the core network and administrative access to the network's identity and access management servers in conjunction with real-time analytics informing knowledge of cyberattack methodology. The system then uses this information for two purposes: First, the advanced computational analytics and simulation capabilities of the system are used to provide immediate disclosure of probable digital access points both at the network periphery and within the enterprise's information transfer and trust structure and recommendations are given on network changes that should be made to harden it prior to or during an attack. 
Second, the advanced cyber decision platform continuously monitors the network in real-time both for types of traffic and through techniques such as deep packet inspection for pre-decided analytically significant deviation in user traffic for indications of known cyberattack vectors … A method for mitigation of cyberattacks employing an advanced cyber decision platform comprising the steps of: a) continuously monitoring the network for server access requests using digital signatures; b) analysis of the access requests for threats to the network using machine learning algorithms to analyze system-wide data; c) automatic blocking of the device's access to the network if a threat is detected, and notification of the threat to the system administrator, along with contextually-based, tactical recommendations for optimal response based on potential impact  …).”
Regarding Claim 4. The combination of Crabtree-Bassett discloses the apparatus of claim 1, Crabtree further discloses, “further comprising:
where the intelligent-adversary simulator is configured to create the virtualized version of the network and its network devices; and thus, does not degrade or compromise the actual network, or its actual network devices, under analysis when running the simulation (Crabtree, Para [0057], Claim 8: … According to one aspect, the advanced cyber decision platform, a specifically programmed usage of the business operating system, continuously monitors a client enterprise's normal network activity for behaviors such as but not limited to normal users on the network, resources accessed by each user, access permissions of each user, machine to machine traffic on the network, sanctioned external access to the core network and administrative access to the network's identity and access management servers in conjunction with real-time analytics informing knowledge of cyberattack methodology. The system then uses this information for two purposes: First, the advanced computational analytics and simulation capabilities of the system are used to provide immediate disclosure of probable digital access points both at the network periphery and within the enterprise's information transfer and trust structure and recommendations are given on network changes that should be made to harden it prior to or during an attack. 
Second, the advanced cyber decision platform continuously monitors the network in real-time both for types of traffic and through techniques such as deep packet inspection for pre-decided analytically significant deviation in user traffic for indications of known cyberattack vectors … A method for mitigation of cyberattacks employing an advanced cyber decision platform comprising the steps of: a) continuously monitoring the network for server access requests using digital signatures; b) analysis of the access requests for threats to the network using machine learning algorithms to analyze system-wide data; c) automatic blocking of the device's access to the network if a threat is detected, and notification of the threat to the system administrator, along with contextually-based, tactical recommendations for optimal response based on potential impact …), and
where the virtualized network, and its network components connecting to the network, being tested during the simulation are up to date and accurate for a time the actual network under analysis is being tested and simulated because the intelligent-adversary simulator is configured to obtain actual network data collected by two or more of 1) modules, 2) a data store, and 3) one or more AI models of a cyber security appliance protecting the actual network under analysis from cyber threats (Crabtree, Para [0057], Claim 8: … According to one aspect, the advanced cyber decision platform, a specifically programmed usage of the business operating system, continuously monitors a client enterprise's normal network activity for behaviors such as but not limited to normal users on the network, resources accessed by each user, access permissions of each user, machine to machine traffic on the network, sanctioned external access to the core network and administrative access to the network's identity and access management servers in conjunction with real-time analytics informing knowledge of cyberattack methodology. The system then uses this information for two purposes: First, the advanced computational analytics and simulation capabilities of the system are used to provide immediate disclosure of probable digital access points both at the network periphery and within the enterprise's information transfer and trust structure and recommendations are given on network changes that should be made to harden it prior to or during an attack. 
Second, the advanced cyber decision platform continuously monitors the network in real-time both for types of traffic and through techniques such as deep packet inspection for pre-decided analytically significant deviation in user traffic for indications of known cyberattack vectors … A method for mitigation of cyberattacks employing an advanced cyber decision platform comprising the steps of: a) continuously monitoring the network for server access requests using digital signatures; b) analysis of the access requests for threats to the network using machine learning algorithms to analyze system-wide data; c) automatic blocking of the device's access to the network if a threat is detected, and notification of the threat to the system administrator, along with contextually-based, tactical recommendations for optimal response based on potential impact …).”
Regarding Claim 5. The combination of Crabtree-Bassett discloses the apparatus of claim 1, Crabtree further discloses, “further comprising:
where the intelligent-adversary simulator is configured to simulate the compromise of a spread of the cyber threat being simulated in the simulated cyber- attack scenario on connections between the devices connected to the virtualized network, and where the intelligent-adversary simulator is configured to then perform a calculation on an ease of transmission of the cyber threat between those devices, including key network devices (Crabtree, Para [0087]: … FIG. 17 is a flow diagram of an exemplary method 1700 for Kerberos “golden ticket” attack detection, according to one aspect. Kerberos is a network authentication protocol employed across many enterprise networks to enable single sign-on and authentication for enterprise services. This makes it an attractive target for attacks, which can result in persistent, undetected access to services within a network in what is known as a “golden ticket” attack. To detect this form of attack, behavioral analytics may be employed to detect erroneously-issued authentication tickets, whether from incorrect configuration or from an attack. According to the aspect, an advanced cyber decision platform may continuously monitor a network 1701, informing a CPG in real-time of all traffic associated with people, places, devices, or services 1702. Machine learning algorithms detect behavioral anomalies as they occur in real-time 1703, notifying administrators with an assessment of the anomalous event 1704 as well as a blast radius score for the particular event and a network resiliency score to advise of the overall health of the network. By automatically detecting unusual behavior and informing an administrator of the anomaly along with contextual information for the event and network, a compromised ticket is immediately detected when a new authentication connection is made …).”
Regarding Claim 6. The combination of Crabtree-Bassett discloses the apparatus of claim 1, Crabtree further discloses, “further comprising:
where the intelligent-adversary simulator is configured to construct the graph of the virtualized version of the network from knowledge known and stored by modules, a data store, and one or more AI models of a cyber security appliance protecting an actual network under analysis, where the knowledge known and stored is obtained at least from ingested traffic from the actual network under analysis (Crabtree, Para [0057], Claim 8: … According to one aspect, the advanced cyber decision platform, a specifically programmed usage of the business operating system, continuously monitors a client enterprise's normal network activity for behaviors such as but not limited to normal users on the network, resources accessed by each user, access permissions of each user, machine to machine traffic on the network, sanctioned external access to the core network and administrative access to the network's identity and access management servers in conjunction with real-time analytics informing knowledge of cyberattack methodology. The system then uses this information for two purposes: First, the advanced computational analytics and simulation capabilities of the system are used to provide immediate disclosure of probable digital access points both at the network periphery and within the enterprise's information transfer and trust structure and recommendations are given on network changes that should be made to harden it prior to or during an attack. 
Second, the advanced cyber decision platform continuously monitors the network in real-time both for types of traffic and through techniques such as deep packet inspection for pre-decided analytically significant deviation in user traffic for indications of known cyberattack vectors … A method for mitigation of cyberattacks employing an advanced cyber decision platform comprising the steps of: a) continuously monitoring the network for server access requests using digital signatures; b) analysis of the access requests for threats to the network using machine learning algorithms to analyze system-wide data; c) automatic blocking of the device's access to the network if a threat is detected, and notification of the threat to the system administrator, along with contextually-based, tactical recommendations for optimal response based on potential impact …), and
where the intelligent-adversary simulator is configured to model a compromise by the cyber threat through the virtualized version of the network based upon how likely it would be for the cyber-attack to spread to achieve either of 1) a programmable end goal of that cyber-attack scenario set by a user, or 2) set by default an end goal scripted into the selected cyber-attack scenario (Crabtree, Para [0057], Claim 8: … According to one aspect, the advanced cyber decision platform, a specifically programmed usage of the business operating system, continuously monitors a client enterprise's normal network activity for behaviors such as but not limited to normal users on the network, resources accessed by each user, access permissions of each user, machine to machine traffic on the network, sanctioned external access to the core network and administrative access to the network's identity and access management servers in conjunction with real-time analytics informing knowledge of cyberattack methodology. The system then uses this information for two purposes: First, the advanced computational analytics and simulation capabilities of the system are used to provide immediate disclosure of probable digital access points both at the network periphery and within the enterprise's information transfer and trust structure and recommendations are given on network changes that should be made to harden it prior to or during an attack. 
Second, the advanced cyber decision platform continuously monitors the network in real-time both for types of traffic and through techniques such as deep packet inspection for pre-decided analytically significant deviation in user traffic for indications of known cyberattack vectors … A method for mitigation of cyberattacks employing an advanced cyber decision platform comprising the steps of: a) continuously monitoring the network for server access requests using digital signatures; b) analysis of the access requests for threats to the network using machine learning algorithms to analyze system-wide data; c) automatic blocking of the device's access to the network if a threat is detected, and notification of the threat to the system administrator, along with contextually-based, tactical recommendations for optimal response based on potential impact …).”
Regarding Claim 7. The combination of Crabtree-Bassett discloses the apparatus of claim 1, Crabtree further discloses, “further comprising:
where the intelligent-adversary simulator is configured to integrate within a cyber security appliance and cooperate with components within the cyber security appliance installed and protecting the network from cyber threats by making use of outputs, data collected, and functionality from two or more of a data store, other modules, and one or more AI models already existing in the cyber security appliance (Crabtree, Para [0087]: … FIG. 17 is a flow diagram of an exemplary method 1700 for Kerberos “golden ticket” attack detection, according to one aspect. Kerberos is a network authentication protocol employed across many enterprise networks to enable single sign-on and authentication for enterprise services. This makes it an attractive target for attacks, which can result in persistent, undetected access to services within a network in what is known as a “golden ticket” attack. To detect this form of attack, behavioral analytics may be employed to detect erroneously-issued authentication tickets, whether from incorrect configuration or from an attack. According to the aspect, an advanced cyber decision platform may continuously monitor a network 1701, informing a CPG in real-time of all traffic associated with people, places, devices, or services 1702. Machine learning algorithms detect behavioral anomalies as they occur in real-time 1703, notifying administrators with an assessment of the anomalous event 1704 as well as a blast radius score for the particular event and a network resiliency score to advise of the overall health of the network. By automatically detecting unusual behavior and informing an administrator of the anomaly along with contextual information for the event and network, a compromised ticket is immediately detected when a new authentication connection is made …), and
where the comprise of the source device is an infection spread to and from the source device in the virtualized instance of the network under analysis, where a likelihood of the compromise is tailored and accurate to an actual device being simulated because the cyber-attack scenario is based upon security credentials and behaviour characteristics from actual traffic data fed to the modules, data store, and AI models of the cyber security appliance (Crabtree, Para [0087]: … FIG. 17 is a flow diagram of an exemplary method 1700 for Kerberos “golden ticket” attack detection, according to one aspect. Kerberos is a network authentication protocol employed across many enterprise networks to enable single sign-on and authentication for enterprise services. This makes it an attractive target for attacks, which can result in persistent, undetected access to services within a network in what is known as a “golden ticket” attack. To detect this form of attack, behavioral analytics may be employed to detect erroneously-issued authentication tickets, whether from incorrect configuration or from an attack. According to the aspect, an advanced cyber decision platform may continuously monitor a network 1701, informing a CPG in real-time of all traffic associated with people, places, devices, or services 1702. Machine learning algorithms detect behavioral anomalies as they occur in real-time 1703, notifying administrators with an assessment of the anomalous event 1704 as well as a blast radius score for the particular event and a network resiliency score to advise of the overall health of the network. By automatically detecting unusual behavior and informing an administrator of the anomaly along with contextual information for the event and network, a compromised ticket is immediately detected when a new authentication connection is made …).”
Regarding Claim 8. The combination of Crabtree-Bassett discloses the apparatus of claim 1, Crabtree further discloses, “further comprising:
a profile manager module configured to communicate and cooperate with the intelligent-adversary simulator, where the profile manager module is configured to maintain a profile tag on all of the devices connecting to the actual network under analysis based on their behaviour and security characteristics and then supply the profile tag for the devices connecting to the virtualized instance of the network when the construction of the graph occurs (Crabtree, Para [0065]: … FIG. 2A is a process diagram showing a general flow of the process used to detect rogue devices and analyze them for threats 220. Whenever a device is connected to the network 221, the connection is immediately sent to the rogue device detector 222 for analysis. As disclosed below at 300, the advanced cyber decision platform uses machine learning algorithms to analyze system-wide data to detect threats. The connected device is analyzed 223 to assess its device type, settings, and capabilities, the sensitivity of the data stored on the server to which the device wishes to connect, network activity, server logs, remote queries, and a multitude of other data to determine the level of threat associated with the device. If the threat reaches a certain level 224, the device is automatically prevented from accessing the network 225, and the system administrator is notified of the potential threat, along with contextually-based, tactical recommendations for optimal response based on potential impact 226. Otherwise, the device is allowed to connect to the network 227 …).”
Regarding Claim 9. The combination of Crabtree-Bassett discloses the apparatus of claim 1, Crabtree further discloses, “further comprising:
wherein a profile manager module is configured to maintain a profile tag for each device before the simulation is carried out; and thus, eliminates a need to search and query for known data about each device being simulated during the simulation (Crabtree, Para [0065]: … FIG. 2A is a process diagram showing a general flow of the process used to detect rogue devices and analyze them for threats 220. Whenever a device is connected to the network 221, the connection is immediately sent to the rogue device detector 222 for analysis. As disclosed below at 300, the advanced cyber decision platform uses machine learning algorithms to analyze system-wide data to detect threats. The connected device is analyzed 223 to assess its device type, settings, and capabilities, the sensitivity of the data stored on the server to which the device wishes to connect, network activity, server logs, remote queries, and a multitude of other data to determine the level of threat associated with the device. If the threat reaches a certain level 224, the device is automatically prevented from accessing the network 225, and the system administrator is notified of the potential threat, along with contextually-based, tactical recommendations for optimal response based on potential impact 226. Otherwise, the device is allowed to connect to the network 227 …), and
where the profile manager module is configured to maintain the profile tag on each device based on their behaviour as detected by a network module cooperating with network probes ingesting traffic data for network devices and network users in the network under analysis as well as cooperation and analysis with the AI models modelling a normal pattern of life for entities in that network under analysis (Crabtree, Para [0065]: … FIG. 2A is a process diagram showing a general flow of the process used to detect rogue devices and analyze them for threats 220. Whenever a device is connected to the network 221, the connection is immediately sent to the rogue device detector 222 for analysis. As disclosed below at 300, the advanced cyber decision platform uses machine learning algorithms to analyze system-wide data to detect threats. The connected device is analyzed 223 to assess its device type, settings, and capabilities, the sensitivity of the data stored on the server to which the device wishes to connect, network activity, server logs, remote queries, and a multitude of other data to determine the level of threat associated with the device. If the threat reaches a certain level 224, the device is automatically prevented from accessing the network 225, and the system administrator is notified of the potential threat, along with contextually-based, tactical recommendations for optimal response based on potential impact 226. Otherwise, the device is allowed to connect to the network 227 …).”
Regarding Claim 10. The combination of Crabtree-Bassett discloses the apparatus of claim 1, Crabtree further discloses, “further comprising:
where the intelligent-adversary simulator is configured to search and query i) ingested network traffic data as well as ii) analysis on that network traffic data from one or more AI models within the cyber security appliance, where the intelligent- adversary simulator has access to and obtains a wealth of actual network data from the network under analysis from the data store and the AI models of normal pattern of life for entities in the network under analysis, which means paths of least resistance through possible routes in this network can be computed during the simulation even when a first possible route of least resistance 1) is not previously known or 2) has not been identified by a human before to determine a spread of the cyber threat from device-to-device (Crabtree, Para [0057], Claim 8: … According to one aspect, the advanced cyber decision platform, a specifically programmed usage of the business operating system, continuously monitors a client enterprise's normal network activity for behaviors such as but not limited to normal users on the network, resources accessed by each user, access permissions of each user, machine to machine traffic on the network, sanctioned external access to the core network and administrative access to the network's identity and access management servers in conjunction with real-time analytics informing knowledge of cyberattack methodology. The system then uses this information for two purposes: First, the advanced computational analytics and simulation capabilities of the system are used to provide immediate disclosure of probable digital access points both at the network periphery and within the enterprise's information transfer and trust structure and recommendations are given on network changes that should be made to harden it prior to or during an attack. 
Second, the advanced cyber decision platform continuously monitors the network in real-time both for types of traffic and through techniques such as deep packet inspection for pre-decided analytically significant deviation in user traffic for indications of known cyberattack vectors … A method for mitigation of cyberattacks employing an advanced cyber decision platform comprising the steps of: a) continuously monitoring the network for server access requests using digital signatures; b) analysis of the access requests for threats to the network using machine learning algorithms to analyze system-wide data; c) automatic blocking of the device's access to the network if a threat is detected, and notification of the threat to the system administrator, along with contextually-based, tactical recommendations for optimal response based on potential impact …).”



Regarding Claim 11. Claim 11 is a method claim corresponding to apparatus claim 1; it recites the same or similar limitations as claim 1 and is therefore rejected on the same grounds as claim 1.
Regarding Claim 12. Claim 12 is a method claim corresponding to apparatus claim 2; it recites the same or similar limitations as claim 2 and is therefore rejected on the same grounds as claim 2.
Regarding Claim 13. Claim 13 is a method claim corresponding to apparatus claim 3; it recites the same or similar limitations as claim 3 and is therefore rejected on the same grounds as claim 3.
Regarding Claim 14. Claim 14 is a method claim corresponding to apparatus claim 4; it recites the same or similar limitations as claim 4 and is therefore rejected on the same grounds as claim 4.
Regarding Claim 15. Claim 15 is a method claim corresponding to apparatus claim 5; it recites the same or similar limitations as claim 5 and is therefore rejected on the same grounds as claim 5.
Regarding Claim 16. Claim 16 is a method claim corresponding to apparatus claim 6; it recites the same or similar limitations as claim 6 and is therefore rejected on the same grounds as claim 6.
Regarding Claim 17. Claim 17 is a method claim corresponding to apparatus claim 7; it recites the same or similar limitations as claim 7 and is therefore rejected on the same grounds as claim 7.
Regarding Claim 18. Claim 18 is a method claim corresponding to apparatus claim 8; it recites the same or similar limitations as claim 8 and is therefore rejected on the same grounds as claim 8.
Regarding Claim 19. Claim 19 is a method claim corresponding to apparatus claim 9; it recites the same or similar limitations as claim 9 and is therefore rejected on the same grounds as claim 9.
Regarding Claim 20. Claim 20 is a method claim corresponding to apparatus claim 10; it recites the same or similar limitations as claim 10 and is therefore rejected on the same grounds as claim 10.
Pertinent Prior Art
The following prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US 20210021629 A1; Dani et al.: Dani discloses methods and systems for generating an attack path based on user and system risk profiles. The method comprises determining user information associated with a computing device; determining system exploitability information of the computing device; determining system criticality information of the computing device; determining a risk profile for the computing device based on the user information, the system exploitability information, and the system criticality information; and generating an attack path based on the risk profile. The attack path indicates a route through which an attacker accesses the computing device. The system exploitability information indicates one or more of: the vulnerability associated with the computing device, an exposure window associated with the computing device, and a protection window associated with the computing device. The system criticality information indicates one or more of: assets associated with the computing device and services associated with the computing device. 
Dani discloses that the vulnerability information may be used to simulate attack execution operations (e.g., red teaming/pentesting attack scenarios) in order to better understand vulnerable points within one's IT infrastructure. In some cases, the vulnerability information (e.g., comprised in the risk profile discussed below) may facilitate automatically selecting the most vulnerable or most lucrative assets (e.g., computing device, hardware and/or software resources) within a given computing system/device. In other cases, the data obtained from the vulnerability information may be "ingested" or processed by other systems (e.g., Artificial Intelligence software, machine learning resources, Qualys Breach and Attack Simulation system, etc.) in order to develop more robust computer security systems, tools, and security models. The systems discussed in this disclosure are able to determine computer security vulnerability information for a user, and/or organization, and/or a computing device associated with the user and/or the organization, and are subsequently used to generate attack paths.
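The following is an added worked example, not part of this office action or of the Dani reference, showing one way the three inputs Dani names (user information, exploitability with its exposure and protection windows, and criticality of assets and services) can be combined into a per-device risk profile, and an attack path then generated from the profiles. Dani names the inputs but not this scoring; the weights, the 30-day saturation of unmitigated exposure, the risk-ordered search, and all device, user and vulnerability labels are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Weights and formulas below are assumptions for this example; the Dani
# disclosure names the inputs but this particular scoring is not from it.
USER_WEIGHT = {"admin": 1.0, "service": 0.7, "standard": 0.5}
CRITICALITY_WEIGHT = {
    "customer-pii": 1.0, "build-cache": 0.3,               # assets
    "database": 0.9, "api": 0.5, "http": 0.4, "smb": 0.4,  # services
}
FULL_EXPOSURE_DAYS = 30  # unmitigated exposure at/after which a vuln counts fully


@dataclass
class Vulnerability:
    vuln_id: str                            # constructed label, not a real CVE
    cvss: float
    disclosed: date                         # start of the exposure window
    patched: Optional[date] = None          # end of the exposure window, if closed
    mitigated_from: Optional[date] = None   # start of the protection window


@dataclass
class Device:
    name: str
    users: dict        # username -> privilege class (user information)
    vulns: list
    assets: list
    services: list
    reaches: list      # devices this one can connect to


def exploitability(dev: Device, as_of: date) -> float:
    """Highest exploitability over the device's still-open vulnerabilities."""
    best = 0.0
    for v in dev.vulns:
        if v.patched is not None and v.patched <= as_of:
            continue                                   # exposure window closed
        exposure = (as_of - v.disclosed).days
        protection = (as_of - v.mitigated_from).days if v.mitigated_from else 0
        unmitigated = max(0, exposure - max(0, protection))
        best = max(best, (v.cvss / 10.0) * min(1.0, unmitigated / FULL_EXPOSURE_DAYS))
    return round(best, 4)


def criticality(dev: Device) -> float:
    """Most critical asset or service hosted; unknown items get a small floor."""
    return max((CRITICALITY_WEIGHT.get(x, 0.1) for x in dev.assets + dev.services), default=0.1)


def user_factor(dev: Device) -> float:
    """Most privileged account that uses the device."""
    return max((USER_WEIGHT.get(p, 0.5) for p in dev.users.values()), default=0.5)


def risk_profile(dev: Device, as_of: date) -> dict:
    e, c, u = exploitability(dev, as_of), criticality(dev), user_factor(dev)
    return {"device": dev.name, "exploitability": e, "criticality": c,
            "user": u, "risk": round(u * e * c, 4)}


def attack_path(devices: dict, entry: str, target: str, as_of: date):
    """Risk-ordered depth-first search: at each hop try the riskiest reachable
    device first and return the first route that reaches `target`."""
    risk = {n: risk_profile(d, as_of)["risk"] for n, d in devices.items()}

    def dfs(node, visited):
        if node == target:
            return [node]
        visited.add(node)
        for nxt in sorted(devices[node].reaches, key=lambda n: -risk[n]):
            if nxt not in visited:
                rest = dfs(nxt, visited)
                if rest:
                    return [node] + rest
        return None

    return dfs(entry, set())


# Constructed inventory for the example (names, dates and scores invented).
AS_OF = date(2021, 6, 1)
DEVICES = {d.name: d for d in [
    Device("web-1", {"svc-web": "service"},
           [Vulnerability("VULN-A", 9.8, date(2021, 3, 1), mitigated_from=date(2021, 3, 10))],
           [], ["http"], ["app-1", "file-1"]),
    Device("app-1", {"alice": "admin"},
           [Vulnerability("VULN-B", 7.5, date(2021, 4, 1))],
           [], ["api"], ["db-1"]),
    Device("file-1", {"bob": "standard"},
           [Vulnerability("VULN-C", 8.1, date(2021, 2, 1))],
           ["build-cache"], ["smb"], ["db-1"]),
    Device("db-1", {"dba": "admin"},
           [Vulnerability("VULN-D", 6.5, date(2021, 5, 20)),
            Vulnerability("VULN-E", 9.8, date(2021, 1, 1), patched=date(2021, 1, 20))],
           ["customer-pii"], ["database"], []),
]}

if __name__ == "__main__":
    for d in DEVICES.values():
        print(risk_profile(d, AS_OF))
    print(attack_path(DEVICES, "web-1", "db-1", AS_OF))
```

Two effects of the windows are visible in the constructed data: web-1 carries the highest CVSS but was virtually patched nine days after disclosure, so its protection window leaves little unmitigated exposure and file-1's never-mitigated flaw scores higher; and db-1's already-patched vulnerability is ignored because its exposure window has closed. The generated path from web-1 to db-1 goes through app-1, the admin-used host with the open flaw, rather than the file server.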
US 20190342307 A1; GAMBLE et al.: GAMBLE discloses a cybersecurity platform that processes collected data using a data model to identify and link anomalies in order to identify and generate security events and intrusions. The platform generates graph data structures using the security anomalies, extended using additional data. The graph data structures represent links between nodes, the links being events and the nodes being machines and user accounts. The platform processes the graph data structures by combining similar nodes or grouping security events with common features into behaviour indicative of single or multiple security events, to identify chains of events which together represent an attack.
GAMBLE also discloses that the security platform 100 can generate simulations that mimic the actions and techniques of sophisticated hackers. During these assessments, security platform 100 can configure rules linked to issues identified that were not easily detectable using conventional security tools. Security platform 100 can build models that identify security threats (e.g., via event detection 112) by analyzing volumes of network logs, user behaviour, and other relevant information. Security platform 100 can limit the number of abnormal events that trigger generation of notifications by security alerts 126 to those that are relevant from a security perspective, using rules and parameters. Security platform 100 can minimize or avoid over-optimizing the model to remove false positives, as this can often result in a large number of false positives and potentially remove important alerts for (actual) threats. Security platform 100 can flag events generated by event detection 112 using data analytics processes and append additional context so that security alert unit 126 flags key threats for investigation and alert generation.
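The following is an added worked example, not part of this office action or of the GAMBLE reference, of the graph processing GAMBLE describes: anomalies become links between machine and account nodes, similar nodes are combined using additional data (here an asset inventory that maps an IP address to its hostname), anomalies with common features are grouped into one link, and chains of links that follow one another in time are reported as a candidate attack. The anomaly records, the alias table, the grouping window and the maximum gap between chained events are all constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed detector output (not from the GAMBLE disclosure). Nodes are
# machines ("host:...") or accounts ("user:..."); each anomaly is a link.
ANOMALIES = [
    {"id": 1, "ts": "2021-06-01T09:00", "type": "failed_login_spike", "src": "host:203.0.113.50", "dst": "user:bob"},
    {"id": 2, "ts": "2021-06-01T09:05", "type": "login_new_geo",      "src": "user:bob",          "dst": "host:ws-12"},
    {"id": 3, "ts": "2021-06-01T09:20", "type": "new_admin_tool",     "src": "user:bob",          "dst": "host:ws-12"},
    {"id": 4, "ts": "2021-06-01T09:40", "type": "smb_lateral",        "src": "host:ws-12",        "dst": "host:fs-01"},
    {"id": 5, "ts": "2021-06-01T09:41", "type": "smb_lateral",        "src": "host:10.0.1.12",    "dst": "host:fs-01"},
    {"id": 6, "ts": "2021-06-01T10:10", "type": "large_outbound",     "src": "host:fs-01",        "dst": "host:198.51.100.7"},
    {"id": 7, "ts": "2021-06-01T11:00", "type": "failed_login_spike", "src": "host:203.0.113.51", "dst": "user:carol"},
]

# "Additional data" used to extend the graph: a constructed asset inventory
# mapping an internal IP to the hostname it was assigned, so the two nodes combine.
ALIASES = {"host:10.0.1.12": "host:ws-12"}


def canonical(node):
    return ALIASES.get(node, node)


def build_links(anomalies, group_window=timedelta(minutes=5)):
    """Canonicalise nodes (combining similar nodes) and group anomalies that
    share type, source and destination within `group_window` into one link."""
    links = []
    for a in sorted(anomalies, key=lambda x: x["ts"]):
        ts = datetime.fromisoformat(a["ts"])
        src, dst = canonical(a["src"]), canonical(a["dst"])
        for link in links:
            if ((link["type"], link["src"], link["dst"]) == (a["type"], src, dst)
                    and ts - link["last"] <= group_window):
                link["last"] = ts
                link["ids"].append(a["id"])
                break
        else:
            links.append({"type": a["type"], "src": src, "dst": dst,
                          "first": ts, "last": ts, "ids": [a["id"]]})
    return links


def attack_chains(links, max_gap=timedelta(hours=2), min_len=3):
    """Chains of links in which each link starts at the node where the previous
    one ended and begins within `max_gap` of it; only maximal chains with at
    least `min_len` links are returned as candidate attacks."""
    by_src = defaultdict(list)
    for link in links:
        by_src[link["src"]].append(link)

    def successors(link):
        return [n for n in by_src[link["dst"]]
                if link["last"] < n["first"] <= link["last"] + max_gap]

    def extend(chain):
        nxt = [n for n in successors(chain[-1]) if n not in chain]
        if not nxt:
            return [chain]
        out = []
        for n in nxt:
            out.extend(extend(chain + [n]))
        return out

    # Start only from links that nothing precedes, so sub-chains are not repeated.
    has_pred = {id(n) for link in links for n in successors(link)}
    roots = [link for link in links if id(link) not in has_pred]
    return [c for r in roots for c in extend([r]) if len(c) >= min_len]


if __name__ == "__main__":
    for chain in attack_chains(build_links(ANOMALIES)):
        print(" -> ".join(f'{l["type"]}({l["src"]}>{l["dst"]})' for l in chain))
```

On the constructed input the two lateral-movement anomalies collapse into one link once the IP is resolved to ws-12, and two four-link chains are reported (credential attack on bob, login to ws-12, lateral movement to fs-01, large outbound transfer), while the isolated failed-login spike against carol produces no chain because nothing follows it.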
PAT US 10320813 B1; Ahmed et al.: Ahmed discloses that a service provider may deploy a security threat detection and mitigation platform in a multi-tenant virtualization environment that includes pluggable data collection, data analysis, and response components. The data analysis components may apply machine learning techniques to generate (based on training data sets) and refine (based on subsequently received data sets and feedback about the resulting classifications) predictors configured to detect particular types of security threats, such as denial of service attacks, botnets, scans, or remote desktop attacks. A data collection layer may collect, filter, organize, and curate network packet traffic data, network packet header data, or other information emitted by computing instances or applications executing on them, and provide the curated data as streams to the analysis layer. A response layer may automatically take action in response to threat detection (which may be overridden by an administrator) and may store classification data for subsequent analysis, feedback, and predictor refinement.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MAHABUB S AHMED, whose telephone number is (571)272-0364. The examiner can normally be reached from 9AM to 5PM EST, Monday through Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Kambiz Zand, can be reached at (571)272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/MAHABUB S AHMED/Examiner, Art Unit 2434
/KAMBIZ ZAND/Supervisory Patent Examiner, Art Unit 2434