DETAILED ACTION
This office action is in response to the original application filed on March 29, 2021.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claims 1-20 are pending.


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 1, 4-5, 12, 15-16, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Craig (US Pub. No. 2019/0222593) in view of Vashist (US Pub. No. 2014/0082730).

As per claim 1, Craig discloses:
A method performed by a computing device for classifying a type of exploit comprising: extracting one or more keywords included in first information of a target exploit: (paragraph 5 of Craig, the method includes receiving a plurality of cyber incident reports; extracting keywords from the plurality of cyber incident reports).
Classifying the target exploit as a first type attack corresponding to one of the one or more keywords based on vulnerability information of a target device obtained from a vulnerability collection channel: (paragraph 5 of Craig, applying a shallow machine learning technique to at least the keywords and identifications of the plurality of networked assets to obtain an identification of a first subset of the networked assets vulnerable to at least a first threat scenario (i.e., the claimed classifying the target exploit as a first type attack) and an identification of the first threat scenario).
Classifying the target exploit as a second type attack, the second type attack being a subtype of the classified first type attack based on the one of the one or more keywords; (paragraph 5 of Craig, applying a deep machine learning technique to at least the identification of a first subset of the networked assets vulnerable to the first threat scenario, the identification of the first threat scenario, the keywords, and identifications of the plurality of networked assets, to obtain an identification of a second subset of the networked assets vulnerable (i.e., the claimed classifying the target exploit as a second type attack) to at least a second threat scenario and an identification of the second threat scenario)
Detecting the target exploit associated with the first information of the target exploit based on the classified second type attack. (Paragraph 5 of Craig, simulating the plurality of networked assets and the second threat scenario to identify at least one path through the plurality of networked assets vulnerable to at least a third threat scenario; and outputting an identification of the at least one path through the plurality of networked assets and an identification of the at least a third threat scenario).
Craig teaches the method of identifying and outputting the at least one path of network assets vulnerability (see paragraph 5 of Craig) but fails to disclose the method of generating a detection rule.
However, in the same field of endeavor, Vashist teaches this limitation as, (Paragraph 13 of Vashist, an embodiment disclosed herein is directed to a method for detecting and predicting network attacks comprising acquiring attack alerts and indicator values representative of network traffic; converting the alerts and indicator values into vectors; using the vectors to generate training data representative of the alerts and the indicator values; and implementing a learning algorithm to process the training data to generate decision rules used to detect or predict network attacks).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Craig and include the above limitation using the teaching of Vashist in order to enhance the security of the network system by generating decision rules that detect network attacks (see paragraph 13 of Vashist).

Claims 12 and 20 are rejected under the same reason set forth in rejection of claim 1:

As per claim 4 Craig in view of Vashist discloses:
The method of claim 1, wherein the first information of the target exploit is fourth information of exploit for the target device included in a target domain among a plurality of domains connected to a network. (Paragraph 40 of Craig, the domain asset to be protected is WAP (Wireless Access Point) in the domain’s taxonomy, which may be obtained by using an Associative Rule Mapping machine learning technique, belonging to the shallow class of machine learning techniques, to the domain’s asset description database).

Claim 15 is rejected under the same reason set forth in rejection of claim 4:

As per claim 5 Craig in view of Vashist discloses:
The method of claim 1 further comprises updating at least some of a plurality of detection rules based on a classification result of a plurality of exploits. (Paragraph 23 of Craig, some embodiments iterate the identifying steps each time a new, updated report comes in, that is an update to the initial incident report. Further, some embodiments prune the branches of the possible cyber-attack tree as they become obsolete, and add new leaves, intermediate nodes, or top level nodes as they become identified in the updated incident reports).

Claim 16 is rejected under the same reason set forth in rejection of claim 5:

Claims 2 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Craig (US Pub. No. 2019/0222593) in view of Vashist (US Pub. No. 2014/0082730) and further in view of Lee (US Pub. No. 2015/0113646).

As per claim 2:
The combination of Craig and Vashist teaches the method of identifying and outputting the at least one path of network assets vulnerability (see paragraph 5 of Craig) but fails to disclose:
The method of claim 1, wherein the first information of the target exploit comprises an exploit code, wherein extracting the one of the one or more keywords comprises extracting the one of the one or more keywords based on a payload portion within the exploit code.
However, in the same field of endeavor, Lee teaches this limitation as, (Paragraph 39 of Lee, the apparatus for improving the detection performance of the intrusion detection system according to the embodiment of the present invention extracts all consecutive character string patterns that may occur in the packet payloads of all detection events, generated for a predetermined period of time, from detection rules in which False Positive (FP) events occur, generates TC-keyword trees for respective True Positive (TP) and FP events, and compares the generated TC-keyword trees with each other).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Craig and Vashist to include the above limitation using the teaching of Lee in order to enhance the security of the computing system by extracting keywords from the exploit code (see paragraph 39 of Lee).

Claim 13 is rejected under the same reason set forth in rejection of claim 2:

Claims 3 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Craig (US Pub. No. 2019/0222593) in view of Vashist (US Pub. No. 2014/0082730) and further in view of Sabharwal (US Pub. No. 2019/0354595).

As per claim 3:
The combination of Craig and Vashist teaches the method of identifying and outputting the at least one path of network assets vulnerability (see paragraph 5 of Craig) but fails to disclose:
The method of claim 1, wherein the first information of the target exploit includes second information collected through web crawling from one or more exploit collection channels, wherein the vulnerability information is cross-related with the first information of the target exploit and includes third information collected through web crawling from one or more vulnerability collection channels.
However, in the same field of endeavor, Sabharwal teaches this limitation as, (paragraph 6 of Sabharwal, the document finder module may enable a web crawler to crawl web resources in order to find a plurality of documents associated to a plurality of predefined domains. The keyword determination module may determine a set of keywords, relevant to each predefined domain, from the plurality of documents found by the web crawler and a rank associated to each keyword of the set of keywords. In one aspect, the keyword determination module determines the set of keywords and the rank by using at least one keyword extraction algorithm based on text rank).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Craig and Vashist to include the above limitation using the teaching of Sabharwal in order to find documents and determine a set of keywords from the documents to detect a network attack (see paragraph 6 of Sabharwal).

Claim 14 is rejected under the same reason set forth in rejection of claim 3:

Claims 6, 8-9, and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Craig (US Pub. No. 2019/0222593) in view of Vashist (US Pub. No. 2014/0082730) and further in view of Yoshimi (US Pub. No. 2012/0255005).

As per claim 6:
The combination of Craig and Vashist teaches the method of identifying and outputting the at least one path of network assets vulnerability (see paragraph 5 of Craig) but fails to disclose:
The method of claim 5, wherein the updating comprises calculating an increasing or decreasing trend of the number of the classified second type attack; and raising a strength of a response to the second type attack whose number has an increasing trend based on the calculation.
However, in the same field of endeavor, Yoshimi teaches this limitation as, (abstract of Yoshimi, an information processing apparatus including: an attack detection unit that detects an attack; and a strength adjustment unit that incrementally raises the strength of a security measure every time that an attack is detected by the attack detection unit) and (paragraph 64 of Yoshimi, the security level increases every time that an attack is detected, since the number of recalculations increases by such an amount, as a result, the difficulty of attacks increases and the probability that the attacker is able to obtain confidential information decreases).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Craig and Vashist to include the above limitation using the teaching of Yoshimi in order to enhance the security of the system by adjusting the strength of the security measure based on the detected attack (see abstract of Yoshimi).

Claim 17 is rejected under the same reason set forth in rejection of claim 6:

As per claim 8:
The combination of Craig and Vashist teaches the method of identifying and outputting the at least one path of network assets vulnerability (see paragraph 5 of Craig) but fails to disclose:
The method of claim 5, wherein the updating comprises calculating an increasing or decreasing trend of the number of the classified second type attack; and lowering a strength of a response to the second type attack whose number has a decreasing trend based on the calculation.
However, in the same field of endeavor, Yoshimi teaches this limitation as, (paragraph 8 of Yoshimi, the strength adjustment unit may incrementally lower the strength of the security measure every time that a predetermined condition is satisfied).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Craig and Vashist to include the above limitation using the teaching of Yoshimi in order to enhance the security of the system by adjusting the strength of security measure based on the predetermined condition (see paragraph 8 of Yoshimi).

As per claim 9:
The combination of Craig and Vashist teaches the method of identifying and outputting the at least one path of network assets vulnerability (see paragraph 5 of Craig) but fails to disclose:
The method of claim 5, wherein the updating comprises calculating an increasing or decreasing trend of the number of the classified second type attack; and deleting a detection rule corresponding to the second type attack whose number has a decreasing trend based on the calculation, or designating the detection rule as a modification target.
However, in the same field of endeavor, Yoshimi teaches this limitation as, (paragraph 8 of Yoshimi, the strength adjustment unit may incrementally lower the strength of the security measure every time that a predetermined condition is satisfied).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Craig and Vashist to include the above limitation using the teaching of Yoshimi in order to enhance the security of the system by adjusting the strength of security measure based on the predetermined condition (see paragraph 8 of Yoshimi).

Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Craig (US Pub. No. 2019/0222593) in view of Vashist (US Pub. No. 2014/0082730) and further in view of Spisak (US Pub. No. 2020/0092319).

As per claim 7:
The combination of Craig and Vashist teaches the method of identifying and outputting the at least one path of network assets vulnerability (see paragraph 5 of Craig) but fails to disclose:
The method of claim 5, wherein the updating comprises calculating an increasing or decreasing trend of the number of the classified second type attack; and raising a priority of a detection rule corresponding to the second type attack whose number has an increasing trend based on the calculation.
However, in the same field of endeavor, Spisak teaches this limitation as, (paragraph 87 of Spisak, the dynamic security vulnerability and response priority logic 132 evaluates the criticality/value of the various computing resources and the security trends identified by the security trend analysis logic 124 to identify a ranked or prioritized listing of the security vulnerabilities and corresponding security responses that are applicable to the enterprise infrastructure environment 140 for the current dynamic conditions of the enterprise infrastructure environment 140).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Craig and Vashist to include the above limitation using the teaching of Spisak in order to enhance the security of the system by adjusting the priority of the detection system based on the security trends (see paragraph 87 of Spisak).

Claims 10 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Craig (US Pub. No. 2019/0222593) in view of Vashist (US Pub. No. 2014/0082730) and further in view of Kao (US Pub. No. 2008/0148408).

As per claim 10:
The combination of Craig and Vashist teaches the method of identifying and outputting the at least one path of network assets vulnerability (see paragraph 5 of Craig) but fails to disclose:
The method of claim 1, wherein the first type attack includes a Denial of Service (DoS) attack, wherein the second type attack includes one or more of a Buffer Overflow attack, Crafted GET Request attack, Crafted POST Request attack, ICMP Flooding attack, SYN Flooding attack and Invalid URL Path attack.
However, in the same field of endeavor, Kao teaches this limitation as, (paragraph 26 of Kao, the detection on web page vulnerability is divided into a penetrable test and an unpenetrable test, wherein the penetrable test refers to an attack for obtaining other privileges or hidden data, such as SQL injection, buffer overflow, privilege escalation, directory traversal; while the unpenetrable test refers to an attack that may cause a service paralysis or a loss of service demanders, such as denial of service (DoS), and cross site scripting (XSS)).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Craig and Vashist to include the above limitation using the teaching of Kao in order to substitute one method for the other (i.e., one attack type for the other attack type) to get the same result of securing the computing system.

Claim 18 is rejected under the same reason set forth in rejection of claim 10:

Claims 11 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Craig (US Pub. No. 2019/0222593) in view of Vashist (US Pub. No. 2014/0082730) and further in view of Jeon (US Pub. No. 2009/0119777).

As per claim 11:
The combination of Craig and Vashist teaches the method of identifying and outputting the at least one path of network assets vulnerability (see paragraph 5 of Craig) but fails to disclose:
The method of claim 1, wherein the first type attack includes a SQL injection attack, wherein the second type attack includes one or more of a Union-based SQL Injection attack, Blind-based SQL Injection attack, Time-based SQL Injection attack, and Error-based SQL Injection attack.
However, in the same field of endeavor, Jeon teaches this limitation as, (paragraph 36 of Jeon, the attack type may include at least one of SQL injection, Blind SQL Injection and XSS (Cross-Site Scripting, hereinafter, referred to as `XSS`)).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Craig and Vashist to include the above limitation using the teaching of Jeon in order to substitute one method for the other (i.e., one attack type for the other attack type) to get the same result of securing the computing system.

Claim 19 is rejected under the same reason set forth in rejection of claim 11: 

Conclusion
The prior art made of record and not relied upon but considered pertinent to applicant’s disclosure is Sato (US Pub. No. 2016/0140344). Sato discloses:
In a security information management device, security information, which is information related to security, is collected. The security information management device extracts, by referring to a security dictionary storing therein a keyword related to security for each attribute, a keyword from referer security information that becomes a source to be compared with security information for relevance thereto, and calculates, by comparing the extracted keyword with a keyword included in the collected security information, relevance between the referer security information and the security information. The security information management device then outputs security information having higher calculated relevance more preferentially.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to TESHOME HAILU whose telephone number is (571)270-3159. The examiner can normally be reached M-F 8 a.m. - 5 p.m.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on (571) 272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/TESHOME HAILU/Primary Examiner, Art Unit 2434