Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Detailed Action
This office action is responsive to the communication filed on 06/21/2022. Claims 1-20 have been examined.
Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1-4, 11, 12, 14-17 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Kirti et al. (US20170251013A1) hereinafter Kirti in view of Ladnai et al. (US20170302685A1) hereinafter Ladnai, and further in view of Gauci (US20160357774A1) hereinafter Gauci.
As per claim 1. A computer-implemented method (Kirti, par0013 teaches a computer-implemented method is disclosed at a computer system of a security management system. All of the steps may be performed by the security management system. The method may include obtaining data about network activity by a user on a network of an organization. The method may include identifying, using the data about the network activity, an application that has been accessed by the user on the network. The method may include determining, using the data about the network activity, access information about the network activity corresponding to the application that has been accessed by the user. The method may include searching using the access information, for domain information about the application. The method may include determining security information about the application. The method may include computing, using the security information, a measure of security for the application that has been accessed. The method may include performing, by applying a security policy based on the measure of security, a remediation action for the application).
for modeling (Kirti, par0081 teaches machine learning techniques can then be applied to detect threats and provide recommendations concerning how to respond to threats. Threat models can be developed [modeling] to detect threats that are known or unknown or emerging).
operational risk, (Kirti, par0043 teaches many organizations try to block such applications or websites but that makes employees unhappy due to impact on productivity [operational risk]. Moreover, employees often try to bypass such barrier, e.g., by using an external VPN service, mobile data service, etc. A recent industry trend is not to block such services to ensure that employees are productive. However, IT departments need visibility to the applications or websites used so that they can proactively monitor and block questionable or malicious applications).
application dependencies to identify, the method comprising: (Kirti, par0056 teaches security monitoring and control system 102 can monitor application activity based on network activity by client devices of an organization through network data from one or more agents operating on network devices. Security monitoring and control system 102 can analyze and correlate data from applications [application dependencies] to provide a deep visibility into the activities in an organization and help to detect [identify] anomalies or emerging threats and security risks based on application usage).
by a processor (Kirti, par0067, 0084 teaches security monitoring and control system 102 may include one or more processing units (or processor(s))… the software may be stored in a memory and may be executed by one or more processing units… the system 300 includes applications or software modules to perform analytics on collected data… the applications or software modules may be stored and, when executed, configure the processor 301 to perform certain functions or processes. These applications can include a threat detection and prediction analytics application 312 and/or descriptive analytics application 313).
gathering data about applications or computing systems (Kirti, par0009 teaches the security monitoring and control system may communicate with distributed computing systems, such as multiple service provider systems (e.g., cloud service provider systems) to access data about applications used on devices used for an organization. The security monitoring and control system can obtain [gathering data] network data about network traffic to identify unique applications. Such techniques can provide a deep visibility into the activities of applications used in an organization, which can help to detect anomalies or emerging threats with regard to application usage and user behavior in the organization's computing environment).
in a cloud computing environment or in an enterprise datacenter; (Kirti, par0063 teaches an organization may have one or more computing environments, such as a computing environment 240 and a computing environment 260. Each of the computing environments may be a cloud computing environment or an enterprise computing environment. Each of the computing environments may provide a client device of a user of an organization with access to computing resources of an organization).
identify operational mismatches (Kirti, par0114 teaches predictive analytics can also include identifying threats based on activity such as a user not accessing a particular cloud application in several months and then showing high activity [mismatch] in the next month or a user downloading one file every week for the past several weeks, demonstrating a potential advanced persistent threat (APT) scenario. In several embodiments of this disclosure, data collected over time is used to build models of normal behavior (e.g., patterns of events and activity) and flag behavior that deviates [operational mismatches] from normal as abnormal behavior. After one or more flagged event or activity is characterized as a true or false positive (e.g., by user feedback), the information can be provided back to one or more machine learning algorithms to automatically modify parameters of the system).
between the applications; and (Kirti, par0097 teaches Information provided to the controls management platform can be retrieved from an application catalog database using metadata based schema mapping).
deploying an alert for the identified (Kirti, par0051 teaches analytics may also include providing [deploying] an alert and recommending remedial measures in the cloud(s) in which suspicious activity is detected [for the identified] and/or remedial measures to be taken in clouds other than those showing suspicious activity. In many embodiments of this disclosure, processes for detecting and analyzing applications on devices within a network of an organization involve collecting and combining information from various data sources).
an alert for the identified operational mismatches. (Kirti, par0206 teaches the graphical interfaces may enable a user to configure customized alerts on creating policies that matches [opposite policies will be created for mismatches] certain conditions such as risk app score, app category, user risk score etc).
updating, using the data, (Kirti, par0128 teaches the registry may be maintained and automatically updated based on new and/or updated information about application usage).
          Kirti does not explicitly disclose graph database, updating a database using the data, the graph database representing relationships as mapped between the applications, analyzing the data in the graph database, based on the relationships, summarizing the data of nodes connected to the computing system based on.
          Ladnai however discloses graph database (Ladnai, par0117 teaches implementations may include a number of different event graphs stored in a data store [graph database] that can be used together to detect, prevent, or determine the root causes for suspicious activity or other activity of interest, e.g., a security event. As discussed herein, the event graphs may be filtered before being stored in the data store, which can remove system activity that is not of interest in such analyses. The event graphs may be searchable, e.g., for analysis of event graphs including similar computing objects or events. The event graphs may also or instead be linked to one another, e.g., event graphs including similar computing objects or events. The event graphs may be presented to a user on a user interface or the like, e.g., an interactive user interface that allows a user to see similar or related event graphs, search the event graphs, link between event graphs, and so forth).
updating a database using the data (Ladnai, par0077 teaches techniques may include monitoring activity for one or more endpoints and recording the activity in a data recorder or the like. The data recorder may include a database or data store. The data recorder may act as a rolling buffer, e.g., storing a large amount of data for predetermined time windows before overwriting [updating] old data with new data).
the graph database representing relationships as mapped between the applications, analyzing the data in the graph database (Ladnai, par0092, par0118 teaches the analysis facility 340 may create an event graph. In general, the event graph [graph database] may represent information in the data log 322 in a graph where objects 312 are nodes and events 314 are edges connecting the nodes to one another based on causal or other relationships as generally contemplated herein. The event graph may be used by the analysis facility 340 or other component(s) of the system 300 as part of a root cause analysis and to identify objects 312 compromised by the root cause… An event graph may use a conventional structure of nodes (computing objects) and events (edges) to represent causal relationships among computing objects [relationships as mapped between the applications]. This permits the use of a wide range of graph-based techniques to assist in analysis of the context leading up to a detected event).
based on the relationships, (Ladnai, par0099 teaches the causal relationships monitored by the system may include dependencies that form a link or an association between computing objects or events. Useful causal relationships may include a data flow, e.g., linking computing objects based on the flow of data from one computing object to another computing object…the causal relationships may include a network flow. For example, a computing object may access a URL or other remote resource or location and receive data).
summarizing the data of nodes connected to the computing system based on (Ladnai, par0087 teaches the monitoring facility 330 may work in conjunction with the data recorder 320 to instrument the endpoint 310 so that any observable events 314 by or involving various objects 312 can be monitored and recorded. It will be appreciated that various filtering rules and techniques may be used to synopsize, summarize [summarizing the data of nodes connected to the computing system based on], filter, compress or otherwise process information captured by the data recorder 320 to help ensure that relevant information is captured while maintaining practical limits on the amount of information that is gathered).
          Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to provide the functionality of graph database, updating a database using the data, the graph database representing relationships as mapped between the applications, analyzing the data in the graph database, based on the relationships, summarizing the data of nodes connected to the computing system based on, as taught by Ladnai, in the computer-implemented method of Kirti, so that an event graph may be traversed in reverse order from the point of an identified security event to preceding computing objects and, once a root cause is identified, traversed forward from the root cause to identify other computing objects that are potentially compromised (see Ladnai, par0003).
          Kirti and Ladnai do not explicitly disclose operational requirements set for at least one application of the applications and operational requirements set for at least one further application, identifying when a computing system of the computing systems has high entropy; the high entropy.
          Gauci however discloses operational requirements set for at least one application of the applications and (Gauci, par0066-0067 teaches once a model is obtaining sufficient accuracy (e.g., top selected application is being selected with a sufficiently high accuracy) [based on the operational requirements set], then the model can be implemented… After being trained, prediction models may more accurately suggest applications [at least one application of the applications] and actions according to the most recent interaction patterns between the user and the mobile device. Training prediction models may be most effective when a large amount of historical information has been recorded).
operational requirements set for at least one further application. (Gauci, par0138 teaches the action can depend on whether the model predicts just one application or a group of application. For example, if there is an opportunity to make three recommendations instead of one, then that also would change the probability distribution, as a selection of any one of the three would provide a correct prediction [based on the operational requirements set]. A model that was not confident for recommendation of one application might be sufficiently confident for three. Embodiments can perform adding another application [at least one further application] to a group of application being predicted by the model (e.g., a next most used application not already in the group), thereby making the model more confident. If the model is based on a prediction of more than one application, the user interface provided would then provide for an interaction with more than application).
identifying when a system has high entropy; the high entropy (Gauci, par0118 teaches high entropy would have many applications having similar probability of being selected [identifying when a system has high entropy], with maximum entropy having the same probability for all applications. With maximum entropy the likelihood of selecting the correct application is the smallest, since all of the applications have an equal probability, and no application is more probable than another).
computing system of the computing systems (Gauci, par0162-0163 teaches communication module 824 facilitates communication with other devices over one or more external ports 836 or via wireless circuitry 808 and includes various software components for handling data received from wireless circuitry 808 and/or external port 836. External port 836 is adapted for coupling directly to other devices [computing system of the computing systems] or indirectly over a network (e.g., the Internet, wireless LAN, etc.)).
          Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to provide the functionality of operational requirements set for at least one application of the applications and operational requirements set for at least one further application, identifying when a computing system of the computing systems has high entropy; the high entropy, as taught by Gauci, in the computer-implemented method of Kirti and Ladnai, since, as modern mobile devices become more integrated with modern day life, the number of applications stored on the mobile devices increases, and having numerous applications may allow the mobile device to be particularly useful to the user (see Gauci, par0002).

As per claim 2.  Kirti, Ladnai and Gauci disclose the computer-implemented method of claim 1.
          Kirti further discloses the data further comprising common metadata. (Kirti, par0128 teaches the software defined security configuration data received about a cloud application's security controls can be used at step 406 to generate security controls metadata, that is, normalized descriptors for entering the information into a common database).

As per claim 3.  Kirti, Ladnai and Gauci disclose the computer-implemented method of claim 2.
          Kirti further discloses the common metadata further comprising compliance information.  (Kirti, par0128 teaches the security controls metadata is categorized at step 408 (mapped into categories) and indexed. The categorization may comply with a standard specified by a security organization and/or may be certified and/or audited by a third party).

As per claim 4.  Kirti, Ladnai and Gauci disclose the computer-implemented method of claim 3.
          Kirti further discloses the compliance information further comprising operational service level objectives. (Kirti, par0128 teaches in addition, security controls metadata and/or the categorization of metadata may be formulated around the requirements of a particular regulation or standard. For example, regulations and standards such as the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley Act, FedRAMP, and Payment Card Industry Data Security Standard (PCI DSS) may require reporting and audit trails. Security controls metadata can be formatted in a way to display the types of information required by the regulations and standards and facilitate the generation of reports needed).

As per claim 11.  Kirti, Ladnai and Gauci disclose the computer-implemented method of claim 1.
          Kirti further discloses wherein the cloud computing environment is hosted by a plurality of different cloud services, the different cloud services being at least one of a public cloud, private cloud, and on-premise data center. (Kirti, par0266 teaches Cloud infrastructure system 2802 may provide the cloud services via different deployment models. For example, services may be provided under a public cloud model in which cloud infrastructure system 2802 is owned by an organization selling cloud services (e.g., owned by Oracle Corporation) and the services are made available to the general public or different industry enterprises. As another example, services may be provided under a private cloud model in which cloud infrastructure system 2802 is operated solely for a single organization and may provide services for one or more entities within the organization. The cloud services may also be provided under a community cloud model in which cloud infrastructure system 2802 and the services provided by cloud infrastructure system 2802 are shared by several organizations in a related community. The cloud services may also be provided under a hybrid cloud model, which is a combination of two or more different models).

As per claim 12.  Kirti, Ladnai and Gauci disclose the computer-implemented method of claim 11.
          Kirti further discloses further comprising determining operational risk (Kirti, par0207 teaches organization information and security information may include information disclosed herein, such as with respect to determining a measure of risk of an application. Application usage information may indicate information about usage of an application, such as type of operations/actions performed (e.g., mass export of data from or contacts download for the application or excessive number of file access), a category of applications accessed (e.g., apps associated with a malware website, an information leakage website, or apps/tools used by hackers will increase the user risk score), or an abnormal deviation from usage of an application).
throughout the plurality of the different cloud services. (Kirti, par0275 teaches cloud infrastructure system 2802 may provide comprehensive management of cloud services (e.g., SaaS, PaaS, and IaaS services) in the cloud infrastructure system. In one embodiment, cloud management functionality may include capabilities for provisioning, managing and tracking a customer's subscription received by cloud infrastructure system 2802, and the like).

As per claim 14.  A system, the system comprising: a processor; and a memory communicatively coupled to the processor, the memory storing instructions executable by the processor to perform a method comprising: (Kirti, par0012 teaches In some embodiments, a system is disclosed herein including one or more processors; and a memory accessible to the one or more processors, wherein the memory stores one or more instructions which, upon execution by the one or more processors, causes the one or more processors to perform the methods disclosed herein. In some embodiments, a system is disclosed which comprises means for performing any of the methods disclosed herein).
for modeling (Kirti, par0081 teaches machine learning techniques can then be applied to detect threats and provide recommendations concerning how to respond to threats. Threat models can be developed [modeling] to detect threats that are known or unknown or emerging).
operational risk, (Kirti, par0043 teaches many organizations try to block such applications or websites but that makes employees unhappy due to impact on productivity [operational risk]. Moreover, employees often try to bypass such barrier, e.g., by using an external VPN service, mobile data service, etc. A recent industry trend is not to block such services to ensure that employees are productive. However, IT departments need visibility to the applications or websites used so that they can proactively monitor and block questionable or malicious applications).
application dependencies to identify, (Kirti, par0056 teaches security monitoring and control system 102 can monitor application activity based on network activity by client devices of an organization through network data from one or more agents operating on network devices. Security monitoring and control system 102 can analyze and correlate data from applications [application dependencies] to provide a deep visibility into the activities in an organization and help to detect [identify] anomalies or emerging threats and security risks based on application usage).
by a processor (Kirti, par0067, 0084 teaches security monitoring and control system 102 may include one or more processing units (or processor(s))… the software may be stored in a memory and may be executed by one or more processing units… the system 300 includes applications or software modules to perform analytics on collected data… the applications or software modules may be stored and, when executed, configure the processor 301 to perform certain functions or processes. These applications can include a threat detection and prediction analytics application 312 and/or descriptive analytics application 313).
gathering data about applications or computing systems (Kirti, par0009 teaches the security monitoring and control system may communicate with distributed computing systems, such as multiple service provider systems (e.g., cloud service provider systems) to access data about applications used on devices used for an organization. The security monitoring and control system can obtain [gathering data] network data about network traffic to identify unique applications. Such techniques can provide a deep visibility into the activities of applications used in an organization, which can help to detect anomalies or emerging threats with regard to application usage and user behavior in the organization's computing environment).
in a cloud computing environment or in an enterprise datacenter; (Kirti, par0063 teaches an organization may have one or more computing environments, such as a computing environment 240 and a computing environment 260. Each of the computing environments may be a cloud computing environment or an enterprise computing environment. Each of the computing environments may provide a client device of a user of an organization with access to computing resources of an organization).
identify operational mismatches (Kirti, par0114 teaches predictive analytics can also include identifying threats based on activity such as a user not accessing a particular cloud application in several months and then showing high activity [mismatch] in the next month or a user downloading one file every week for the past several weeks, demonstrating a potential advanced persistent threat (APT) scenario. In several embodiments of this disclosure, data collected over time is used to build models of normal behavior (e.g., patterns of events and activity) and flag behavior that deviates [operational mismatches] from normal as abnormal behavior. After one or more flagged event or activity is characterized as a true or false positive (e.g., by user feedback), the information can be provided back to one or more machine learning algorithms to automatically modify parameters of the system).
between the applications; and (Kirti, par0097 teaches Information provided to the controls management platform can be retrieved from an application catalog database using metadata based schema mapping).
deploying an alert for the identified (Kirti, par0051 teaches analytics may also include providing [deploying] an alert and recommending remedial measures in the cloud(s) in which suspicious activity is detected [for the identified] and/or remedial measures to be taken in clouds other than those showing suspicious activity. In many embodiments of this disclosure, processes for detecting and analyzing applications on devices within a network of an organization involve collecting and combining information from various data sources).
an alert for the identified operational mismatches. (Kirti, par0206 teaches the graphical interfaces may enable a user to configure customized alerts on creating policies that matches [opposite policies will be created for mismatches] certain conditions such as risk app score, app category, user risk score etc).
updating, using the data, (Kirti, par0128 teaches the registry may be maintained and automatically updated based on new and/or updated information about application usage).
          Kirti does not explicitly disclose graph database, updating a database using the data, the graph database representing relationships as mapped between the applications, analyzing the data in the graph database, based on the relationships, summarizing the data of nodes connected to the computing system based on.
          Ladnai however discloses graph database (Ladnai, par0117 teaches implementations may include a number of different event graphs stored in a data store [graph database] that can be used together to detect, prevent, or determine the root causes for suspicious activity or other activity of interest, e.g., a security event. As discussed herein, the event graphs may be filtered before being stored in the data store, which can remove system activity that is not of interest in such analyses. The event graphs may be searchable, e.g., for analysis of event graphs including similar computing objects or events. The event graphs may also or instead be linked to one another, e.g., event graphs including similar computing objects or events. The event graphs may be presented to a user on a user interface or the like, e.g., an interactive user interface that allows a user to see similar or related event graphs, search the event graphs, link between event graphs, and so forth).
updating a database using the data (Ladnai, par0077 teaches techniques may include monitoring activity for one or more endpoints and recording the activity in a data recorder or the like. The data recorder may include a database or data store. The data recorder may act as a rolling buffer, e.g., storing a large amount of data for predetermined time windows before overwriting [updating] old data with new data).
the graph database representing relationships as mapped between the applications, analyzing the data in the graph database (Ladnai, par0092, par0118 teaches the analysis facility 340 may create an event graph. In general, the event graph [graph database] may represent information in the data log 322 in a graph where objects 312 are nodes and events 314 are edges connecting the nodes to one another based on causal or other relationships as generally contemplated herein. The event graph may be used by the analysis facility 340 or other component(s) of the system 300 as part of a root cause analysis and to identify objects 312 compromised by the root cause… An event graph may use a conventional structure of nodes (computing objects) and events (edges) to represent causal relationships among computing objects [relationships as mapped between the applications]. This permits the use of a wide range of graph-based techniques to assist in analysis of the context leading up to a detected event).
based on the relationships, (Ladnai, par0099 teaches the causal relationships monitored by the system may include dependencies that form a link or an association between computing objects or events. Useful causal relationships may include a data flow, e.g., linking computing objects based on the flow of data from one computing object to another computing object…the causal relationships may include a network flow. For example, a computing object may access a URL or other remote resource or location and receive data).
summarizing the data of nodes connected to the computing system based on (Ladnai, par0087 teaches the monitoring facility 330 may work in conjunction with the data recorder 320 to instrument the endpoint 310 so that any observable events 314 by or involving various objects 312 can be monitored and recorded. It will be appreciated that various filtering rules and techniques may be used to synopsize, summarize [summarizing the data of nodes connected to the computing system based on], filter, compress or otherwise process information captured by the data recorder 320 to help ensure that relevant information is captured while maintaining practical limits on the amount of information that is gathered).
          Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to provide the functionality of graph database, updating a database using the data, the graph database representing relationships as mapped between the applications, analyzing the data in the graph database based on the relationships, summarizing the data of nodes connected to the computing system based on, as taught by Ladnai, in the computer-implemented system of Kirti, so that an event graph may be traversed in reverse order from the point of an identified security event to preceding computing objects and, once a root cause is identified, traversed forward from the root cause to identify other computing objects that are potentially compromised (see Ladnai, par0003).
          Kirti and Ladnai do not explicitly disclose operational requirements set for at least one application of the applications and operational requirements set for at least one further application, identifying when a computing system of the computing systems has high entropy; the high entropy.
          Gauci however discloses operational requirements set for at least one application of the applications and (Gauci, par0066-0067 teaches once a model is obtaining sufficient accuracy (e.g., top selected application is being selected with a sufficiently high accuracy) [based on the operational requirements set], then the model can be implemented… After being trained, prediction models may more accurately suggest applications [at least one application of the applications] and actions according to the most recent interaction patterns between the user and the mobile device. Training prediction models may be most effective when a large amount of historical information has been recorded).
operational requirements set for at least one further application. (Gauci, par0138 teaches the action can depend on whether the model predicts just one application or a group of application. For example, if there is an opportunity to make three recommendations instead of one, then that also would change the probability distribution, as a selection of any one of the three would provide a correct prediction [based on the operational requirements set]. A model that was not confident for recommendation of one application might be sufficiently confident for three. Embodiments can perform adding another application [at least one further application] to a group of application being predicted by the model (e.g., a next most used application not already in the group), thereby making the model more confident. If the model is based on a prediction of more than one application, the user interface provided would then provide for an interaction with more than application).
identifying when a system has high entropy; the high entropy (Gauci, par0118 teaches high entropy would have many applications having similar probability of being selected [identifying when a system has high entropy], with maximum entropy having the same probability for all applications. With maximum entropy the likelihood of selecting the correct application is the smallest, since all of the applications have an equal probability, and no application is more probable than another).
computing system of the computing systems (Gauci, par0162-0163 teaches communication module 824 facilitates communication with other devices over one or more external ports 836 or via wireless circuitry 808 and includes various software components for handling data received from wireless circuitry 808 and/or external port 836. External port 836 is adapted for coupling directly to other devices [computing system of the computing systems] or indirectly over a network (e.g., the Internet, wireless LAN, etc.)).
          Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to provide the functionality of operational requirements set for at least one application of the applications and operational requirements set for at least one further application, identifying when a computing system of the computing systems has high entropy; the high entropy, as taught by Gauci in the computer-implemented system of Kirti and Ladnai, so as modern mobile devices become more integrated with modern day life, the number of applications stored on the mobile devices increases, having numerous applications may allow the mobile device to be particularly useful to the user, see Gauci, par0002.

As per claim 15.  Kirti, Ladnai and Gauci disclose the computer-implemented system of claim 14.
          Kirti further discloses the data further comprising common metadata. (Kirti, par0128 teaches the software defined security configuration data received about a cloud application's security controls can be used at step 406 to generate security controls metadata, that is, normalized descriptors for entering the information into a common database).

As per claim 16.  Kirti, Ladnai and Gauci disclose the computer-implemented system of claim 15.
          Kirti further discloses the common metadata further comprising compliance information.  (Kirti, par0128 teaches the security controls metadata is categorized at step 408 (mapped into categories) and indexed. The categorization may comply with a standard specified by a security organization and/or may be certified and/or audited by a third party).

As per claim 17.  Kirti, Ladnai and Gauci disclose the computer-implemented system of claim 16.
          Kirti further discloses the compliance information further comprising operational service level objectives. (Kirti, par0128 teaches in addition, security controls metadata and/or the categorization of metadata may be formulated around the requirements of a particular regulation or standard. For example, regulations and standards such as the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley Act, FedRAMP, and Payment Card Industry Data Security Standard (PCI DSS) may require reporting and audit trails. Security controls metadata can be formatted in a way to display the types of information required by the regulations and standards and facilitate the generation of reports needed).

As per claim 20.  Kirti, Ladnai and Gauci disclose the computer-implemented system of claim 14.
          Kirti further discloses the alert being deployed via. (Kirti, par0122 teaches in many embodiments of the invention, an alert may be visual and may appear in a user console such as a controls management platform discussed further above. In several embodiments, an alert is communicated over a network such as by email, short message service (SMS) or text messaging, or web-based user console. Alerts may be communicated as secure messages (e.g., over a secure communication channel or requiring a key or login credentials to view)).
an application programming interface. (Kirti, par0092, par0156 teaches the software defined security configuration data can be collected by utilizing an API (application programming interface) made available by the cloud application. Some data sources may be interacted with via a specified application programming interface (API)).

Claims 5-7 are rejected under 35 U.S.C. 103 as being unpatentable over Kirti in view of Ladnai, further in view of Gauci, and further in view of Sengupta et al. (US20130054536A1) hereinafter Sengupta.
As per claim 5.  Kirti, Ladnai and Gauci disclose the computer-implemented method of claim 4.
          Kirti, Ladnai and Gauci do not explicitly disclose the operational service level objectives including a recovery time objective and a recovery point objective.
          Sengupta however discloses the operational service level objectives including (Sengupta, par0042 teaches the DR service provider may agree to provide the customer with a service that conforms to a service level agreement (SLA). The SLA may include the negotiated parameters. In the case of multiple customers, each of the customers may have a service level agreement that falls into one of multiple bands or categories, such as Gold, Silver and Bronze). 
a recovery time objective and a recovery point objective. (Sengupta, par0095 teaches the recovery time objectives (RTO) and/or the recovery point objectives (RPO) of the customers may be formulated as one or more constraints).
          Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to provide the functionality of the operational service level objectives including a recovery time objective and a recovery point objective, as taught by Sengupta in the computer-implemented method of Kirti, Ladnai and Gauci, so distributing backup data over multiple data centers provide a protection level that may indicate if a particular number of the data centers fail, then the backup data is recoverable from encoded fragments of the backup data stored on the data centers that did not fail, see Sengupta par0008.

As per claim 6.  Kirti, Ladnai, Gauci and Sengupta disclose the computer-implemented method of claim 5.
          Kirti, Ladnai and Gauci do not explicitly disclose further comprising creating an operations policy based on a difference between the recovery time objective and the recovery time objective on a dependent system.
          Sengupta however discloses further comprising creating an operations policy based on a difference between (Sengupta, par0064 teaches the data placement planner 108 may generate the distribution plan 102 without performing an actual backup in accordance with the distribution plan 102. The actual backup may be performed by the backup component, for example. Alternatively, the data placement planner 108 may perform the backup. There is a difference between data recovery and full application recovery. Restoring and/or recovering data in a proper manner may be a first step in recovering the recovery site 112. Data recovery may be made full or partial depending on what services the client wants to bring up (in staggered manner) once the recovery happens. The data placement planner 108 may plan for full data recovery. Application recovery, such as application configuration, restart and health-check, may be performed before full application recovery. Application recovery may or may not be addressed by the data placement planner 108).
the recovery time objective and the recovery time objective (Sengupta, par0064 teaches results for multiple distribution plans 102 for the five hypothetical customers listed in Table 3 were generated. Various deadlines (RPOs and RTOs) for customers were selected, and the quanta 230 corresponding to the selected RPO and RTO for each of the customers are listed below in Table 9).
on a dependent system. (Sengupta, par0064 teaches data recovery may be made full or partial depending on what services the client wants to bring up (in staggered manner) once the recovery happens. The data placement planner 108 may plan for full data recovery. Application recovery, such as application configuration, restart and health-check, may be performed before full application recovery).
          Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to provide the functionality of further comprising creating an operations policy based on a difference between the recovery time objective and the recovery time objective on a dependent system, as taught by Sengupta in the computer-implemented method of Kirti, Ladnai and Gauci, so distributing backup data over multiple data centers provide a protection level that may indicate if a particular number of the data centers fail, then the backup data is recoverable from encoded fragments of the backup data stored on the data centers that did not fail, see Sengupta par0008.

As per claim 7.  Kirti, Ladnai, Gauci and Sengupta disclose the computer-implemented method of claim 6.
          Kirti, Ladnai and Gauci do not explicitly disclose further comprising creating the operations policy based on a difference, between the recovery point objective and the recovery point objective, on a dependent system.
          Sengupta however discloses further comprising creating the operations policy based on a difference between (Sengupta, par0064 teaches the data placement planner 108 may generate the distribution plan 102 without performing an actual backup in accordance with the distribution plan 102. The actual backup may be performed by the backup component, for example. Alternatively, the data placement planner 108 may perform the backup. There is a difference between data recovery and full application recovery. Restoring and/or recovering data in a proper manner may be a first step in recovering the recovery site 112. Data recovery may be made full or partial depending on what services the client wants to bring up (in staggered manner) once the recovery happens. The data placement planner 108 may plan for full data recovery. Application recovery, such as application configuration, restart and health-check, may be performed before full application recovery. Application recovery may or may not be addressed by the data placement planner 108).
the recovery point objective and the recovery point objective (Sengupta, par0064 teaches results for multiple distribution plans 102 for the five hypothetical customers listed in Table 3 were generated. Various deadlines (RPOs and RTOs) for customers were selected, and the quanta 230 corresponding to the selected RPO and RTO for each of the customers are listed below in Table 9).
on a dependent system. (Sengupta, par0064 teaches data recovery may be made full or partial depending on what services the client wants to bring up (in staggered manner) once the recovery happens. The data placement planner 108 may plan for full data recovery. Application recovery, such as application configuration, restart and health-check, may be performed before full application recovery).
          Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to provide the functionality of further comprising creating the operations policy based on a difference, between the recovery point objective and the recovery point objective, on a dependent system, as taught by Sengupta in the computer-implemented method of Kirti, Ladnai and Gauci, so distributing backup data over multiple data centers provide a protection level that may indicate if a particular number of the data centers fail, then the backup data is recoverable from encoded fragments of the backup data stored on the data centers that did not fail, see Sengupta par0008.

Claims 8 and 9 are rejected under 35 U.S.C. 103 as being unpatentable over Kirti in view of Ladnai further in view of Gauci and further in view of Sengupta, and further in view of Coffing (US20190273746A1) hereinafter Coffing.
As per claim 8.  Kirti, Ladnai, Gauci and Sengupta disclose the computer-implemented method of claim 7.
          Kirti further discloses the operations policy, operational risk, (Kirti, par0043 teaches many organizations try to block such applications or websites but that makes employees unhappy due to impact on productivity [operational risk]. Moreover, employees often try to bypass such barrier, e.g., by using an external VPN service, mobile data service, etc. A recent industry trend is not to block such services to ensure that employees are productive. However, IT departments need visibility to the applications or websites used so that they can proactively monitor and block questionable or malicious applications).
          Kirti, Ladnai, Gauci and Sengupta do not explicitly disclose being based on a predetermined amount of minimum.
          Coffing however discloses being based on a predetermined amount of minimum (Coffing, par0052 teaches a risk profile indicating extremely low risk levels overall (e.g., below a predetermined minimum threshold) may be allowed to proceed without further risk mitigation, while a risk profile indicating extremely high risk levels (e.g., above a predetermined maximum threshold) may be denied notwithstanding any available risk mitigation workflows).
          Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to provide the functionality of being based on a predetermined amount of minimum, as taught by Coffing in the computer-implemented method of Kirti, Ladnai, Gauci and Sengupta, so modern-day consumers have ever-increasing expectations that their service providers serve them in customized, efficient, and secure fashion, these enterprises may rely on identity and access management systems to authenticate and authorize certain users to access certain resources or services, see Coffing par0003.

As per claim 9.  Kirti, Ladnai, Gauci, Sengupta and Coffing disclose the computer-implemented method of claim 8.
          Kirti further discloses the operations policy, operational risk, (Kirti, par0043 teaches many organizations try to block such applications or websites but that makes employees unhappy due to impact on productivity [operational risk]. Moreover, employees often try to bypass such barrier, e.g., by using an external VPN service, mobile data service, etc. A recent industry trend is not to block such services to ensure that employees are productive. However, IT departments need visibility to the applications or websites used so that they can proactively monitor and block questionable or malicious applications).
          Kirti, Ladnai, Gauci and Sengupta do not explicitly disclose being based on a predetermined amount of maximum.
          Coffing however discloses being based on a predetermined amount of maximum (Coffing, par0052 teaches a risk profile indicating extremely low risk levels overall (e.g., below a predetermined minimum threshold) may be allowed to proceed without further risk mitigation, while a risk profile indicating extremely high risk levels (e.g., above a predetermined maximum threshold) may be denied notwithstanding any available risk mitigation workflows).
          Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to provide the functionality of being based on a predetermined amount of maximum, as taught by Coffing in the computer-implemented method of Kirti, Ladnai, Gauci and Sengupta, so modern-day consumers have ever-increasing expectations that their service providers serve them in customized, efficient, and secure fashion, these enterprises may rely on identity and access management systems to authenticate and authorize certain users to access certain resources or services, see Coffing par0003.

Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over Kirti in view of Ladnai further in view of Gauci further in view of Sengupta and further in view of Maes et al. (US20150180949A1) hereinafter Maes.
As per claim 10.  Kirti, Ladnai, Gauci and Sengupta disclose the computer-implemented method of claim 6.
          Kirti does not explicitly disclose in the graph database.
          Ladnai however discloses in the graph database. (Ladnai, par0117 teaches implementations may include a number of different event graphs stored in a data store [graph database] that can be used together to detect, prevent, or determine the root causes for suspicious activity or other activity of interest, e.g., a security event. As discussed herein, the event graphs may be filtered before being stored in the data store, which can remove system activity that is not of interest in such analyses. The event graphs may be searchable, e.g., for analysis of event graphs including similar computing objects or events. The event graphs may also or instead be linked to one another, e.g., event graphs including similar computing objects or events. The event graphs may be presented to a user on a user interface or the like, e.g., an interactive user interface that allows a user to see similar or related event graphs, search the event graphs, link between event graphs, and so forth).
          Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to provide the functionality of in the graph database, as taught by Ladnai in the computer-implemented method of Kirti, so event graph may be traversed in a reverse order from the point of an identified security event to preceding computing objects, once a root cause is identified, the event graph may be traversed forward from the root cause to identify other computing objects that are potentially compromised, see Ladnai par0003.
          Kirti, Ladnai, Gauci and Sengupta do not explicitly disclose wherein the creating the operations policy includes: identifying targets in the cloud computing environment or in the enterprise datacenter using labels associated with an operations template.
          Maes however discloses wherein the creating the operations policy includes: identifying targets in the cloud computing environment or in the enterprise datacenter (Maes, par0038 teaches the application model (120) or blueprints (125) can identify infrastructure (115) resources and what is needed [identifying targets in the cloud computing environment] from the cloud infrastructure (115) for deployment or retirement of the given application. A user or designer may be allowed to change the blueprints (125) and/or application model (120) for a deployment of the application (170). Such a change in deployments can be achieved on another cloud configuration (e.g., from a private cloud to a public cloud) to provide the desired information to execute the application on the different configuration even if the cloud is based on different APIs, network resources, and so forth).
using labels associated with an operations template (Maes, par0040 teaches selecting which model (120) to use can be achieved by selecting from different models in a set of models or via matching of a label [using labels associated] associated to different model types specified in the policies (135), for example. In one example, the middleware (105) may automatically select which application model (120) is to be matched with the best suited templates and used with the application (170)).
          Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to provide the functionality of wherein the creating the operations policy includes: identifying targets in the cloud computing environment or in the enterprise datacenter using labels associated with an operations template, as taught by Maes in the computer-implemented method of Kirti, Ladnai, Gauci and Sengupta, so with cloud computing, a user may be able to grow the user presence on a network dynamically and spontaneously based on the traffic the user services is experiencing at any given time, the user may use the resources available to run computations, store data, and share with or provide these as a service to other users, see Maes par0001.

Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over Kirti in view of Ladnai further in view of Gauci further in view of Sengupta further in view of Maes, and further in view of Tarui et al. (US20050154576A1) hereinafter Tarui.
As per claim 13.  Kirti, Ladnai, Gauci, Sengupta and Maes disclose the computer-implemented method of claim 10.
          Kirti does not explicitly disclose the graph database.
          Ladnai however discloses the graph database (Ladnai, par0117 teaches implementations may include a number of different event graphs stored in a data store [graph database] that can be used together to detect, prevent, or determine the root causes for suspicious activity or other activity of interest, e.g., a security event. As discussed herein, the event graphs may be filtered before being stored in the data store, which can remove system activity that is not of interest in such analyses. The event graphs may be searchable, e.g., for analysis of event graphs including similar computing objects or events. The event graphs may also or instead be linked to one another, e.g., event graphs including similar computing objects or events. The event graphs may be presented to a user on a user interface or the like, e.g., an interactive user interface that allows a user to see similar or related event graphs, search the event graphs, link between event graphs, and so forth).
          Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to provide the functionality of the graph database, as taught by Ladnai in the computer-implemented method of Kirti, so event graph may be traversed in a reverse order from the point of an identified security event to preceding computing objects, once a root cause is identified, the event graph may be traversed forward from the root cause to identify other computing objects that are potentially compromised, see Ladnai par0003.
          Kirti, Ladnai, Gauci, Sengupta and Maes do not explicitly disclose further comprising: validating the operations policy by simulating the operations policy using.
          Tarui however discloses further comprising: validating the operations policy by simulating the operations policy using. (Tarui, par0086-0090 teaches FIG. 4 shows an input/output screen 2010 of the simulator. On the output screen are displayed an operation status output block 2012, a policy application log output block 2011, and a policy input editor block 2013. A policy is optimized in the following steps:
(1) An (initial) policy is inputted with use of the policy editor.
(2) The simulator simulates the autonomic management system behavior.
(3) The simulation result is displayed on the screen 2010.
(4) Observing the operation status 2012, the system behavior is checked whether it has problem or not (for example, whether or not the maximum response time defined by SLA is exceeded in any simulation cycle).
(If there is no problem in system behavior, the optimization is finished.))
          Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to provide the functionality of the graph database, as taught by Tarui in the computer-implemented method of Kirti, Ladnai, Gauci, Sengupta and Maes, so autonomic management policy simulator can verify the propriety of each created policy less-expensively and fast in an autonomic management system operated under the control of the subject policy, see Tarui par0020.

Claims 18 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Kirti in view of Ladnai, further in view of Gauci, and further in view of Shelksohn et al. (US20180095976A1) hereinafter Shelksohn.
As per claim 18.  Kirti, Ladnai and Gauci disclose the computer-implemented system of claim 14.
          Kirti further discloses the alert further comprising a human readable. (Kirti, par0122 teaches in many embodiments of the invention, an alert may be visual and may appear in a user console such as a controls management platform discussed further above. In several embodiments, an alert is communicated over a network such as by email, short message service (SMS) or text messaging, or web-based user console. Alerts may be communicated as secure messages (e.g., over a secure communication channel or requiring a key or login credentials to view)).
          Kirti, Ladnai and Gauci do not explicitly disclose pdf file.
          Shelksohn however discloses pdf file (Shelksohn, par0149 teaches generating a mobile PDF file using a barcode from the screenshot image, the additional ticket information, and a file template).
          Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to provide the functionality of pdf file, as taught by Shelksohn in the computer-implemented method of Kirti, Ladnai and Gauci, so on internet-centric systems such as online ticket marketplaces, electronic files representative of tickets to events and data related to the files may be transferred between users, providing a convenient forum via which buyers and sellers may exchange the files representative of tickets, see Shelksohn par0003.

As per claim 19.  Kirti, Ladnai and Gauci disclose the computer-implemented system of claim 14.
          Kirti further discloses the alert further comprising a. (Kirti, par0122 teaches in many embodiments of the invention, an alert may be visual and may appear in a user console such as a controls management platform discussed further above. In several embodiments, an alert is communicated over a network such as by email, short message service (SMS) or text messaging, or web-based user console. Alerts may be communicated as secure messages (e.g., over a secure communication channel or requiring a key or login credentials to view)).
          Kirti, Ladnai and Gauci do not explicitly disclose machine readable image.
          Shelksohn however discloses machine readable image (Shelksohn, par0037 teaches the portion of ticket information may be an image of less than the entire ticket, a ticket on a digital wallet, an optical, machine readable image of a ticket, a ticket in a particular format (e.g., mobile only or portable document format (PDF) only)).
          Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to provide the functionality of machine readable image, as taught by Shelksohn in the computer-implemented method of Kirti, Ladnai and Gauci, so on internet-centric systems such as online ticket marketplaces, electronic files representative of tickets to events and data related to the files may be transferred between users, providing a convenient forum via which buyers and sellers may exchange the files representative of tickets, see Shelksohn par0003.

Conclusion
The prior art made of record and not relied upon but considered pertinent is:
• Woolward et al. (US20170279770A1) – Related art in the area of producing a firewall rule set, an exemplary method may include receiving metadata about a deployed container from a container orchestration layer and generating a high-level declarative security policy associated with the deployed container using the at least one model, the high-level declarative security policy indicating at least an application or service with which the deployed container can communicate.
• Ashley (20160234250) – Related art in the area of configuration data extracted from a parsed workload definition document that is related to any security policy of any of the network appliances to be deployed, a security template library is accessed to select a security template for each network appliance that will implement the one or more security policy for that network appliance to be deployed.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MONISHWAR MOHAN whose telephone number is (571)272-2907. The examiner can normally be reached Monday - Thursday 7:00 am - 5:00 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, William Trost can be reached on (571) 272-7872. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/M.M./Examiner, Art Unit 2442

/WILLIAM G TROST IV/Supervisory Patent Examiner, Art Unit 2442