Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Status of Claims
This action is in reply to the amendments and remarks filed on 07/08/2022.
Claims 1-18 are pending.
Claims 1-2, 6-7, 12-13, and 18 have been amended.

Response to Arguments
Applicant’s arguments, with respect to the objection(s) of the specification paragraph 0007, have been considered but they are not persuasive. An attempt was made by the applicant to resolve the objection; however, the text still appears in the revised paragraph 0007. Therefore, the objection is maintained.

Applicant’s arguments, with respect to the objection(s) of the specification’s hyperlink, have been fully considered and are persuasive. Therefore, the objections set forth in the previous office action have been withdrawn.

Applicant’s arguments, with respect to the objection(s) of claim(s) 6, 12, and 18, have been fully considered and are persuasive. Therefore, the objections set forth in the previous office action have been withdrawn. However, in view of amendments, further claim objections have been made.


Applicant’s arguments, with respect to the rejection(s) of claim(s) 2 under 35 U.S.C. 112(b), have been fully considered and are persuasive. Therefore, the rejections set forth in the previous office action have been withdrawn.

Applicant’s arguments, with respect to the rejection(s) of claim(s) 1-20 under 35 U.S.C. 101, have been fully considered and are persuasive. Therefore, the rejections set forth in the previous office action have been withdrawn.

Applicant’s arguments, with respect to the rejection(s) of claim(s) 1, 7, and 13 under 35 U.S.C. 103, have been considered but they are not persuasive. Specifically, the applicant argues that no art of record teaches the amended claim 1, 7, and 13 limitations. The examiner respectfully disagrees. 
Applicant’s spec paragraphs 0005 and 0040-0041 merely state the amended claim “element[s]” at a high level and fail to specifically define the “element[s]” or their operations; therefore, the amended claim “element[s]” will be given definitions under BRI. 
Sites, paragraphs 0022, 0119, 0141, 0151-0153, 0163-0165 and Fig. 1 teach user information and “records” of “network” clients in a “database” being “partitioned” or “arranged” (electronically processing the computer readable database to output a set of cyber-vector entryways data for said virtual node system data) for use in determining client user vulnerability to a “malicious attack”. The processed information/records are taught to include instances such as representations of “a phish instance for a user which may include a detailed representation of the user and their phishing and training history at a given point of time”, determination of “a frequency score to predict a frequency at which a user is to be hit with a malicious attack” and/or “a risk score of the user based at least on the frequency score, the severity score and the propensity score” (including an attack attribute data element, a data type at risk attribute data element, a threat actor capability attribute data element, an ease of accessibility attribute data element), and a “Remediation training tracker” and counter (a strength of mitigating controls attribute data element with a cyber-vector processor module). Further, paragraphs 0022, 0119, 0141, 0151-0153, 0163-0165 and Fig. 1 teach user history information and “records” of “network” clients as mapped above (machine learning training data including a set of centrality of containers of nodes from predetermined computer readable risk data) including representations of data as mapped above (associated with said nodes, said attack attribute data element, said data type at risk attribute data element, said threat actor capability attribute data element, said ease of accessibility attribute data element, and said strength of mitigating controls attribute data element); paragraphs 0055-0058, 0119, and 0151 teach the data is used to train “[a]rtificial intelligence machine learning system” (machine learning controller) models, including a “convolutional neural network” (with convolutional neural network segments data using convolutional filters without external identification); paragraphs 0022, 0193-0194, and 0203-0206 teach the ML model outputting “a group risk score based on a function of risk scores of each user within the group” of client users (so as to create a set of computer readable most probable cyber-vector conduits associated with said plurality of network record connections of said enterprise data commutations network) for responding to “a type of malicious attack at a point in time”.
See 35 U.S.C. 103 section for full mapping of claim 1, 7, and 13 limitations necessitated by applicant amendments.


Specification
The disclosure is objected to because of the following informalities: 
Paragraph 0007 contains unrecognizable text in line 9 and should be corrected.
Appropriate correction is required.

Claim Objections
Claims 1, 7, and 13 are objected to because of the following informalities:
Claims 1, 7, and 13 recite analogous typos stating “an ease of accessibility attribute data element, a strength of mitigating controls attribute data element with a cyber-vector processor module”; and an optional way to amend these would analogously read “data element, and a strength of mitigating controls attribute”, or “data element, or a strength of mitigating controls attribute”.
Appropriate correction is required.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1-18 are rejected under 35 U.S.C. 103 as being unpatentable over Sites et al (US Pub 20190356679) hereinafter Sites, in view of Gamble et al (US Pub 20190342307) hereinafter Gamble.
Regarding claims 1, 7, and 13, Sites teaches an electronic computer implemented method of data communication, a system configured for data communication, the system comprising: one or more hardware processors configured by machine-readable instructions, and a computing platform configured for data communication, the computing platform comprising: a non-transient computer-readable storage medium having executable instructions embodied thereon; and one or more hardware processors configured to execute the executable instructions to (paragraphs 0036-0038 teach computing devices including CPUs executing “instructions” from “memory” for performing the embodiments of the disclosure): 
electronically creating a computer readable database including a plurality of network record connections for an enterprise data commutations network based on a set of computer readable virtual node system data of said enterprise data commutations network with a node processor module (paragraphs 0022, 0037-0039, 0068-0069, 0119, 0126, and Fig. 1 teach “client nodes” as devices in a connected “network” used by users generating “records” (plurality of network record connections for an enterprise data commutations network based on a set of computer readable virtual node system data of said enterprise data commutations network with a node processor module); paragraphs 0022, 0141, and 0151 teach “database” (creating a computer readable database) of (including) user history information and “records” from clients); 
electronically processing the computer readable database to output a set of cyber-vector entryways data for said virtual node system data including an attack attribute data element, a data type at risk attribute data element, a threat actor capability attribute data element, an ease of accessibility attribute data element, a strength of mitigating controls attribute data element with a cyber-vector processor module (Examiner note: Applicant’s spec paragraphs 0005 and 0040-0041 merely state the amended claim “element[s]” at a high level and fail to specifically define the “element[s]” or their operations; therefore, the amended claim “element[s]” will be given definitions under BRI.
Sites, paragraphs 0022, 0119, 0141, 0151-0153, 0163-0165 and Fig. 1 teach user information and “records” of “network” clients in a “database” being “partitioned” or “arranged” (electronically processing the computer readable database to output a set of cyber-vector entryways data for said virtual node system data) for use in determining client user vulnerability to a “malicious attack”. The processed information/records are taught to include instances such as representations of “a phish instance for a user which may include a detailed representation of the user and their phishing and training history at a given point of time”, determination of “a frequency score to predict a frequency at which a user is to be hit with a malicious attack” and/or “a risk score of the user based at least on the frequency score, the severity score and the propensity score” (including an attack attribute data element, a data type at risk attribute data element, a threat actor capability attribute data element, an ease of accessibility attribute data element), and a “Remediation training tracker” and counter (a strength of mitigating controls attribute data element with a cyber-vector processor module)); 
electronically receiving and processing the set of cyber-vector entryway data with a machine learning controller with convolutional neural network segments data using convolutional filters without external identification based on a machine learning training data including a set of centrality of containers of nodes from predetermined computer readable risk data associated with said nodes, said attack attribute data element, said data type at risk attribute data element, said threat actor capability attribute data element, said ease of accessibility attribute data element, and said strength of mitigating controls attribute data element so as to create a set of computer readable most probable cyber-vector conduits associated with said plurality of network record connections of said enterprise data commutations network (paragraphs 0022, 0119, 0141, 0151-0153, 0163-0165 and Fig. 1 teach user history information and “records” of “network” clients as mapped above (machine learning training data including a set of centrality of containers of nodes from predetermined computer readable risk data) including representations of data as mapped above (associated with said nodes, said attack attribute data element, said data type at risk attribute data element, said threat actor capability attribute data element, said ease of accessibility attribute data element, and said strength of mitigating controls attribute data element); paragraphs 0055-0058, 0119, and 0151 teach the data is used to train “[a]rtificial intelligence machine learning system” (machine learning controller) models, including a “convolutional neural network” (with convolutional neural network segments data using convolutional filters without external identification); paragraphs 0022, 0193-0194, and 0203-0206 teach the ML model outputting “a group risk score based on a function of risk scores of each user within the group” of client users (so as to create a set of computer readable most probable cyber-vector conduits associated with said plurality of network record connections of said enterprise data commutations network) for responding to “a type of malicious attack at a point in time”); and 
electronically outputting the set of most probable cyber-vector conduits to a graphical display screen and transmitting, via an external data commutations network, an electronic message notification of said set of most probable cyber-vector conduits (paragraphs 0122, 0137, and 203-206 teach ML giving “group risk score” of all client user’s risk (outputting the set of most probable cyber-vector conduits) and displaying on a “screen” the user probability of attack (to a graphical display screen), and that the risk is communicated through, as taught in paragraphs 0023-0025, 0042, 0045, and 0140-0141, a “network” to other networks for communication with the devices for display (and transmitting, via an external data commutations network, an electronic message notification of said set of most probable cyber-vector conduits)).

Sites at least implies electronically outputting the set of most probable cyber-vector conduits to a graphical display screen and transmitting, via an external data commutations network, an electronic message notification of said set of most probable cyber-vector conduits (see mapping above), however Gamble teaches electronically outputting the set of most probable cyber-vector conduits to a graphical display screen and transmitting, via an external data commutations network, an electronic message notification of said set of most probable cyber-vector conduits (paragraphs 0010 and 0102 teach training “a neural network” on “known attack chains” to be clustered for enabling cyber security “alert generation for identified attacks” and attack chains between “machines” (most probable cyber-vector conduits); and paragraphs 0045, 0077-0079, and 0105 teach “display[ing] an interface with visual elements corresponding to security incidents”, and communicating the information over “multiple networks” to devices or components (and transmitting, via an external data commutations network, an electronic message notification of said set of most probable cyber-vector conduits)).
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to implement Gamble’s teachings of a NN for predicting cyber-attack chains and displaying alerts on an interface into Sites’ teaching of using an ML model to predict client user group risk of responding to “a type of malicious attack at a point in time” in order to better “help ensure security mechanisms are focusing on investigating the significant threats” (Gamble, paragraph 0005).

Regarding claims 2, 8, and 14, the combination of Sites and Gamble teach all the claim limitations of claims 1, 7, and 13 above; and further teach further comprising electronically processing with said machine learning controller, a set of network system diagrams to create the set of virtual node system data (Sites, paragraphs 0022, 0141, 0151-0153, and Fig. 1 teach user history information and “records” of “network” clients (a set of network system diagrams); paragraphs 0022, 0193-0194, and 0203-0206 teach the ML model outputting (processing with said machine learning controller) “a group risk score based on a function of risk scores of each user within the group” of client users data (a set of network system diagrams to create the set of virtual node system data) for responding to “a type of malicious attack at a point in time”).

Regarding claims 3, 9, and 15, the combination of Sites and Gamble teach all the claim limitations of claims 1, 7, and 13 above; and further teach wherein the machine learning controller comprises deep machine learning (Sites, paragraphs 0058, 0060, 0119, and 0151 teach an ML “system” (controller) utilizing “Deep learning”).

Regarding claims 4, 10, and 16, the combination of Sites and Gamble teach all the claim limitations of claims 1, 7, and 13 above; and further teach wherein the machine learning training data includes at least one chain of attack attribute data element (Gamble, paragraphs 0010 and 0102 teach training “a neural network” on (machine learning training data includes) “known attack chains” (at least one chain of attack attribute data element) to be clustered for enabling cyber security “alert generation for identified attacks” and attack chains between “machines”).
Sites and Gamble are combinable for the same rationale as set forth above with respect to claims 1, 7, and 13.

Regarding claims 5, 11, and 17, the combination of Sites and Gamble teach all the claim limitations of claims 1, 7, and 13 above; and further teach wherein the machine learning training data includes at least one likelihood of attack attribute data element (Gamble, paragraph 0017 teaches “descriptive data” being “probability indicating likelihood that the security event is a false positive” (at least one likelihood of attack attribute data element); paragraph 0013 teaches descriptive data used to create graphs; and paragraphs 0016 and 0102 teach a “neural network” trained on (machine learning training data includes) the graphs (at least one likelihood of attack attribute data element)).
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to implement Gamble’s teachings of training a NN on attack likelihood data for predicting cyber-attack chains into Sites’ teaching of using an ML model to predict client user group risk of responding to “a type of malicious attack at a point in time” in order to better “help ensure security mechanisms are focusing on investigating the significant threats” (Gamble, paragraph 0005).

Regarding claims 6, 12, and 18, the combination of Sites and Gamble teach all the claim limitations of claims 1, 7, and 13 above; and further teach wherein the machine learning training data includes at least one Global Position System location attribute data element extracted from a mapping application programming interface for at least one node of said virtual node system data (Gamble, paragraphs 0045-0047, 0061, 0105, and 0110 teach “user login at atypical location” (at least one GPS location attribute data element) on an “interface application” of the user’s device (extracted from a mapping application programming interface for at least one node of said virtual node system data) to generate graph; and paragraphs 0016 and 0102 teach a “neural network” trained on (machine learning training data includes) the graphs (at least one GPS location attribute data element)).
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to implement Gamble’s teachings of training a NN on location data for predicting cyber-attack chains into Sites’ teaching of using an ML model to predict client user group risk of responding to “a type of malicious attack at a point in time” in order to better “help ensure security mechanisms are focusing on investigating the significant threats” (Gamble, paragraph 0005).

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CLINT MULLINAX whose telephone number is 571-272-3241.  The examiner can normally be reached on Mon - Fri 8:00-4:30 EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Alexey Shmatov can be reached on 571-270-3428.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/C.M./Examiner, Art Unit 2123

/ALEXEY SHMATOV/Supervisory Patent Examiner, Art Unit 2123