DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claims 1-20 are presented for examination.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claim(s) 1, 5, 13, and 16 is/are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Hammond (US Patent 7,346,929 B1).
As to claim 1, Hammond discloses a system and method for auditing network security, the system and method having:
receiving, by one or more computing devices, from one or more remotely located computing devices, and via one or more networks interfacing the one or more computing devices and the one or more remotely located computing devices, data describing one or more security tests configured to cause the one or more computing devices to indirectly test security of at least a particular portion of the one or more networks by communicating data to the one or more remotely located computing devices via the at least a particular portion of the one or more networks (col. 2, lines 4-13; col. 3, lines 20-26); 
executing, by the one or more computing devices and based at least in part on the data describing the one or more security tests, one or more aspects of the one or more security tests with respect to the at least a particular portion of the one or more networks (col. 2, lines 10-13); 
receiving, by the one or more computing devices, from the one or more remotely located computing devices, and via the one or more networks, data describing one or more results of the one or more security tests (col. 2, lines 13-17); 
generating, by the one or more computing devices and based at least in part on the data describing the one or more results, data describing a graphical user interface (GUI) (col. 2, lines 13-17).

As to claim 13, Hammond discloses:
one or more processors (claim 1, lines 14-18); 
a memory storing instructions that when executed by the one or more processors cause the system to perform operations comprising (claim 1, lines 14-18): 
generating data describing one or more security tests configured to cause one or more computing devices to indirectly test security of at least a particular portion of one or more networks interfacing the system and the one or more computing devices (col. 2, lines 4-13); 
communicating, to the one or more computing devices and via the one or more networks, the data describing the one or more security tests (col. 2, lines 4-13; col. 3, lines 20-26); 
receiving, from the one or more computing devices and via the one or more networks, data generated in association with the one or more computing devices executing one or more aspects of the one or more security tests with respect to the at least a particular portion of the one or more networks (col. 2, lines 4-13; col. 3, lines 20-26); 
generating, based at least in part on the data generated in association with the one or more computing devices executing the one or more aspects of the one or more security tests, data describing one or more results of the one or more security tests (col. 2, lines 13-17); 
communicating, to the one or more computing devices and via the one or more networks, the data describing the one or more results of the one or more security tests (col. 2, lines 13-17).

As to claims 5 and 16, Hammond discloses:
wherein the one or more networks comprise a distinctly identifiable local network that: comprises the one or more computing devices (110, Figure 1); 
comprises the at least a particular portion of the one or more networks (140, Figure 1); 
does not comprise the one or more remotely located computing devices (Figure 1).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 8, 12, and 19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Hammond.
As to claims 8 and 19, Hammond discloses:
wherein executing the one or more aspects of the one or more security tests comprises communicating, by the one or more computing devices and to one or more third-party computing devices, data associated with the one or more security tests (Figure 1), but does not explicitly disclose that the devices are not a part of the distinctly identifiable local network and are not affiliated with the one or more remotely located computing devices. However, since Hammond discloses that the central computer is in communication via the global computer network such as the Internet, it is obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to communicate with a third-party computing device that is not part of the local or remote network (col. 2, lines 49-66).

As to claim 12, Hammond discloses:
receiving, by the one or more computing devices, from the one or more remotely located computing devices, and via the one or more networks, data describing one or more security tests configured to cause the one or more computing devices to indirectly test security of the at least a particular portion of the one or more networks by communicating data to the one or more remotely located computing devices via the at least a particular portion of the one or more networks, the data describing the one or more security tests having been generated, by the one or more remotely located computing devices, based at least in part on the data describing the one or more results (col. 2, lines 4-13; col. 3, lines 20-26); 
executing, by the one or more computing devices and based at least in part on the data describing the one or more security tests, one or more aspects of the one or more security tests with respect to the at least a particular portion of the one or more networks (col. 2, lines 10-13),
but does not explicitly disclose one or more new security tests. However, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to perform the steps for new security tests since it has been held that the mere duplication of steps of an invention involves only routine skill in the art.

Claim(s) 2-4, 14, 15, and 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Hammond and further in view of Mohan et al. (US 2021/0282016 A1 and Mohan hereinafter).
As to claims 2 and 14, Hammond fails to specifically disclose:
wherein: receiving the data describing the one or more security tests comprises receiving data indicating one or more predetermined threat indicators; 
executing the one or more aspects of the one or more security tests comprises detecting data comprising at least one of the one or more predetermined threat indicators associated with a particular predetermined threat.
Nonetheless, this feature is well known in the art and would have been an obvious modification of the teachings disclosed by Hammond, as taught by Mohan.
Mohan discloses a system and method for denial of service attack detection and mitigation, the system and method having:
wherein: receiving the data describing the one or more security tests comprises receiving data indicating one or more predetermined threat indicators (0059, lines 4-8); 
executing the one or more aspects of the one or more security tests comprises detecting data comprising at least one of the one or more predetermined threat indicators associated with a particular predetermined threat (0059, lines 8-11; 0070).
Given the teaching of Mohan, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teachings of Hammond with the teachings of Mohan by using threat indicators to perform security tests. Mohan recites motivation by disclosing that using threat indicators to perform security tests allows for attacks to be detected and prevented from continuing (0059, lines 5-11; 0060, lines 1-4). It is obvious that the teachings of Mohan would have improved the teachings of Hammond by using threat indicators to perform security tests in order to detect and prevent attacks.

As to claims 3 and 15, Hammond fails to specifically disclose:
wherein the at least one of the one or more predetermined threat indicators comprises: an internet protocol (IP) address associated with the particular predetermined threat; a domain name associated with the particular predetermined threat; a web-address reference associated with the particular predetermined threat; a file associated with the particular predetermined threat; a hash value generated based at least in part on a file associated with the particular predetermined threat; an operating system (OS) command associated with the particular predetermined threat; data from a domain name system (DNS) record associated with the particular predetermined threat; data indicating a secure sockets layer (SSL) certificate associated with the particular predetermined threat; data indicating a protocol payload associated with the particular predetermined threat; or data indicating a query associated with the particular predetermined threat.
Nonetheless, this feature is well known in the art and would have been an obvious modification of the teachings disclosed by Hammond, as taught by Mohan.
Mohan discloses:
wherein the at least one of the one or more predetermined threat indicators comprises: an internet protocol (IP) address associated with the particular predetermined threat; a domain name associated with the particular predetermined threat; a web-address reference associated with the particular predetermined threat; a file associated with the particular predetermined threat; a hash value generated based at least in part on a file associated with the particular predetermined threat; an operating system (OS) command associated with the particular predetermined threat; data from a domain name system (DNS) record associated with the particular predetermined threat; data indicating a secure sockets layer (SSL) certificate associated with the particular predetermined threat; data indicating a protocol payload associated with the particular predetermined threat; or data indicating a query associated with the particular predetermined threat (0059, lines 4-8).
Given the teaching of Mohan, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teachings of Hammond with the teachings of Mohan by using threat indicators to perform security tests. Please refer to the motivation recited above with respect to claims 2 and 14 as to why it is obvious to apply the teachings of Mohan to the teachings of Hammond.

As to claim 4, Hammond fails to specifically disclose:
wherein the at least a particular portion of the one or more networks comprises one or more: network firewall devices; intrusion detection devices; security information event management devices; network routing devices; data loss protection devices; anti-malware devices; or anti-phishing devices.
Nonetheless, this feature is well known in the art and would have been an obvious modification of the teachings disclosed by Hammond, as taught by Mohan.
Mohan discloses:
wherein the at least a particular portion of the one or more networks comprises one or more: network firewall devices; intrusion detection devices; security information event management devices; network routing devices; data loss protection devices; anti-malware devices; or anti-phishing devices (0060, lines 1-4).
Given the teaching of Mohan, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teachings of Hammond with the teachings of Mohan by using threat indicators such as network routing devices to perform security tests. Please refer to the motivation recited above with respect to claims 2 and 14 as to why it is obvious to apply the teachings of Mohan to the teachings of Hammond.

As to claim 20, Hammond discloses:
receiving, from one or more remotely located computing devices and via one or more networks interfacing the one or more computing devices and the one or more remotely located computing devices, data indicating one or more predetermined threat indicators and describing one or more security tests configured to cause the one or more computing devices to indirectly test security of at least a particular portion of the one or more networks by communicating data to the one or more remotely located computing devices via the at least a particular portion of the one or more networks (col. 2, lines 4-13; col. 3, lines 20-26).
Hammond fails to specifically disclose: 
executing, based at least in part on the data describing the one or more security tests, one or more aspects of the one or more security tests with respect to the at least a particular portion of the one or more networks by detecting data comprising at least one of the one or more predetermined threat indicators associated with a particular predetermined threat.
Nonetheless, this feature is well known in the art and would have been an obvious modification of the teachings disclosed by Hammond, as taught by Mohan.
Mohan discloses:
executing, based at least in part on the data describing the one or more security tests, one or more aspects of the one or more security tests with respect to the at least a particular portion of the one or more networks by detecting data comprising at least one of the one or more predetermined threat indicators associated with a particular predetermined threat (0059, lines 4-11; 0070).
Given the teaching of Mohan, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teachings of Hammond with the teachings of Mohan by using threat indicators to perform security tests. Please refer to the motivation recited above with respect to claims 2 and 14 as to why it is obvious to apply the teachings of Mohan to the teachings of Hammond.

Claim(s) 9 and 17 is/are rejected under 35 U.S.C. 103 as being unpatentable over Hammond as applied to claims 1 and 13 above, and further in view of Kim et al. (US 2018/0131717 A1 and Kim hereinafter).
As to claims 9 and 17, Hammond fails to specifically disclose:
wherein: the at least a particular portion of the one or more networks comprises at least one or more Internet service provider (ISP) computing devices; 
executing the one or more aspects of the one or more security tests comprises communicating, by the one or more computing devices and to the one or more ISP computing devices, data associated with the one or more security tests.
Nonetheless, this feature is well known in the art and would have been an obvious modification of the teachings disclosed by Hammond, as taught by Kim.
Kim discloses a system and method for detecting distributed reflection denial of service attacks, the system and method having:
wherein: the at least a particular portion of the one or more networks comprises at least one or more Internet service provider (ISP) computing devices (0002, lines 1-5; 0057, lines 1-5); 
executing the one or more aspects of the one or more security tests comprises communicating, by the one or more computing devices and to the one or more ISP computing devices, data associated with the one or more security tests (0043, lines 1-8).
Given the teaching of Kim, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teachings of Hammond with the teachings of Kim by using ISP devices. Kim recites motivation by disclosing that sending security test data to ISP network devices allows for denial of service attacks to be detected (0002, lines 1-5). It is obvious that the teachings of Kim would have improved the teachings of Hammond by using ISP network devices in order to detect denial of service attacks.

Claim(s) 10 and 18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Hammond as applied to claims 1 and 13 above, and further in view of Medvedovsky et al. (US 2019/0306188 A1 and Medvedovsky hereinafter).
As to claims 10 and 18, Hammond fails to specifically disclose:
wherein: the at least a particular portion of the one or more networks comprises at least one or more domain name system (DNS) computing devices; 
executing the one or more aspects of the one or more security tests comprises communicating, by the one or more computing devices and to the one or more DNS computing devices, data describing one or more DNS queries associated with the one or more security tests.
Nonetheless, this feature is well known in the art and would have been an obvious modification of the teachings disclosed by Hammond, as taught by Medvedovsky.
Medvedovsky discloses a system and method for techniques for defense against domain name system cyber-attacks, the system and method having:
wherein: the at least a particular portion of the one or more networks comprises at least one or more domain name system (DNS) computing devices (Abstract, lines 3-6); 
executing the one or more aspects of the one or more security tests comprises communicating, by the one or more computing devices and to the one or more DNS computing devices, data describing one or more DNS queries associated with the one or more security tests (Abstract, lines 3-6).
Given the teaching of Medvedovsky, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teachings of Hammond with the teachings of Medvedovsky by communicating DNS queries. Medvedovsky recites motivation by disclosing that DNS queries are used to determine an indication of an attack, thus providing security (Abstract). It is obvious that the teachings of Medvedovsky would have improved the teachings of Hammond by using DNS queries in order to determine an indication of an attack and provide security.

Allowable Subject Matter
Claims 6, 7, and 11 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Prior Art Made of Record
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Ali-Ahmad et al. (WO 2010/019918 A1) discloses a system and method for performing remote security assessment of firewalled computer.
Banzhof (WO 2014/130045 A1) discloses a system and method for remote security self-assessment framework.
Demir et al. (US Patent 8,555,391 B1) discloses a system and method for adaptive scanning.
Hanson (US 2011/0277034 A1) discloses a system and method for three-dimensional visualization of vulnerability and asset data.
Kumar et al. (US 2018/0183813 A1) discloses a system and method for improving anti-malware scan responsiveness and effectiveness using user symptoms feedback.
Sauve et al. (US 2019/0238582 A1) discloses a system and method for computer network security assessment engine.
Shannon et al. (WO 2007/016870 A1) discloses a system and method for an NSP or ISP to detect malware in its network traffic.
Xie et al. (US Patent 9,325,735 B1) discloses a system and method for selective sinkholing of malware domains by a security device via DNS poisoning.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SARAH SU whose telephone number is (571)270-3835. The examiner can normally be reached 7:30 AM - 4:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild, can be reached on 571-272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/SARAH SU/
Primary Examiner, Art Unit 2431