DETAILED ACTION

1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
 
2.	Applicant’s response filed on September 6, 2022 has been considered.  Claims 1-4, 11-13, 16-17, and 19 have been amended.  No claim has been added or deleted.  Claims 1-20 are pending.
 
Claim Rejections - 35 USC § 103

3.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

4.	Claims 1-2, 11-12, and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Carey et al. (U.S. 2017/0013008 A1), hereinafter “Carey”, in view of Steele (U.S. 2019/0166153 A1).
Referring to claims 1, 11, 16:
	 	Carey teaches:
                      A computer-implemented method for monitoring a computing infrastructure having one or more target devices, the method comprising (see Carey, fig. 1, items 154a-154c [i.e., one or more targeted devices ]; [0083] ‘monitoring system’):
 	           receiving, from a plurality of evaluation services that execute on one or more agent devices, evaluation results of the one or more target devices, wherein each evaluation service included in the plurality of evaluation services performs a different evaluation task associated with the one or more target devices (see Carey, [0026] ‘…to simulate one or more security threat techniques, tactics, or practices [i.e., each evaluation service performs a different evaluation task: determining exfiltrating data, determining performing a lateral scan, determining DNS exfiltration of data, etc. ]. … may include … attempting to exfiltrate data … attempting to perform a lateral scan … and attempting Domain Name Server (DNS) exfiltration of data from the sub-network.’; [0036] ‘distributing a plurality of agents in the form of browser-executable program code to a respective plurality of end devices [i.e., executing a plurality of evaluation services on one or more agent devices, where each evaluation service performs a different evaluation task ] on a sub-network of a network, as a result of execution of the agents by browser applications on the end devices, performing a plurality of simulated security threat techniques, tactics, or practices on the sub-network, …’);
                      extracting, using a different data collector for each of the plurality of evaluation services, data from each of the evaluation results (see Carey, [0020] ‘The security assessment system may include one or more bot servers configured to receive information [i.e., extracting data from received evaluation results ] associated with a simulation initiated by the first end device [i.e., from one or more targeted devices ] and to report simulation results to one of the one or more security assessment computers controlled by the security assessor.’ [0036] ‘receiving information derived from the simulated security threat techniques, tactics, or practices and transmitted through the network,’); 
                     determining whether an issue or a vulnerability is present in the one or more target devices based on the extracted data (see Carey, [0075] ‘indicate an exfiltration [i.e., removing data ] security breach’; [0076] ‘security breach, what data is obtained, and/or which devices were scanned during the simulation,’; [0092] ‘determine whether the entity’s network is secure’; [0036] ‘based on the received information, assessing the security of the sub-network.’); and 
                     reporting the issue or the vulnerability (see [0086] ‘report certain results back to the command and control servers. …, indicative of cyber attacks or network security breaches).’).
		However, Carey does not disclose converting a format.
		Steele discloses converting a format (see Steele, [0059] ‘Such a program may be used to convert a file format. If the source format or target format is not recognized, then at times a third program may be available which permits the conversion to an intermediate format, which can then be reformatted.’).
	 	It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Steele into the system of Carey to convert a format.  Carey teaches “a system and method of assessing security of a network, and performing security threat simulations.” (see Carey, [0002]).  Therefore, Steele’s teaching could enhance the system of Carey, because Steele teaches “If the source format or target format is not recognized, then at times a third program may be available which permits the conversion to an intermediate format, which can then be reformatted.” (see Steele, [0059]).
 Referring to claims 2, 12:
	 	Carey and Steele further disclose:
           wherein each of the plurality of evaluation services returns evaluation results in a different format (see Steele, [0059] ‘If the source format or target format is not recognized, then at times a third program may be available which permits the conversion to an intermediate format, which can then be reformatted.’)
           It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Steele into the system of Carey to support different formats.  Carey teaches “a system and method of assessing security of a network, and performing security threat simulations.” (see Carey, [0002]).  Therefore, Steele’s teaching could enhance the system of Carey, because Steele teaches “If the source format or target format is not recognized, then at times a third program may be available which permits the conversion to an intermediate format, which can then be reformatted.” (see Steele, [0059]).

5.	Claims 3-10, 13-15, and 17-20  are rejected under 35 U.S.C. 103 as being unpatentable over Carey et al. (U.S. 2017/0013008 A1), in view of Steele (U.S. 2019/0166153 A1), further in view of Shakarian et al. (U.S. 2020/0356675 A1), hereinafter “Shakarian”.
Referring to claims 3, 13, 17:
	 	Carey and Steele further disclose: 
           determining whether the issue or the vulnerability is present comprises using one or more of a script, a rule base, or a pattern detection module; and the pattern detection module comprises a machine learning module or a neural network (see Carey, [0073] ‘a script’. And, Steele, [0025] ‘a machine learning component which is configured to detect threat patterns and anomalies in order to generate specific mitigation actions for the user.’)
	However, they do not disclose the training, and the ground truth value.
	Shakarian discloses the training, and the ground truth value (see Shakarian, [0039] ‘machine learning model are evaluated by training the model on one set of data … one of our ground-truth sources …’).
           It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Shakarian into the system of Carey to implement training, and utilize ground truth value.  Carey teaches “a system and method of assessing security of a network, and performing security threat simulations.” (see Carey, [0002]).  Therefore, Shakarian’s teaching could enhance the system of Carey, because Shakarian teaches “Predicting the likelihood of vulnerability exploitation through the usage of machine learning techniques has interesting security implications in terms of prioritizing which vulnerabilities need to be patched first to minimize risk of cyberattack.” (see Shakarian, [0044]).
Referring to claim 4:
	 	Carey, Steele, and Shakarian further disclose:
           wherein determining whether the issue or the vulnerability is present comprises determining whether the issue or the vulnerability is present when a confidence score associated with the issue or the vulnerability of the determining is above a confidence threshold (see Shakarian, [0121] ‘all samples that are assigned confidence score greater than a threshold  are predicted as exploited.’).
           It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Shakarian into the system of Carey to use a confidence score, and a confidence threshold.  Carey teaches “a system and method of assessing security of a network, and performing security threat simulations.” (see Carey, [0002]).  Therefore, Shakarian’s teaching could enhance the system of Carey, because Shakarian teaches “It should be noted that all the results reported in this disclosure are achieved based on hard-cut thresholds such that all samples that are assigned confidence score greater than a threshold are predicted as exploited.” (see Shakarian, [0121]).
Referring to claims 5, 14:
         Carey, Steele, and Shakarian further disclose:
         confirming whether the issue or the vulnerability is present using a validation service (see Shakarian, [0061] ‘The submitted vulnerability is first verified [i.e., confirming ] before it is added to the database.’).
           It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Shakarian into the system of Carey to confirm a vulnerability present.  Carey teaches “a system and method of assessing security of a network, and performing security threat simulations.” (see Carey, [0002]).  Therefore, Shakarian’s teaching could enhance the system of Carey, because Shakarian teaches “ZDI then notifies the vendor to develop patches for the vulnerability before public disclosure.” (see Shakarian, [0061]).
 Referring to claim 6:
	 	Carey, Steele, and Shakarian further disclose:
           performing a risk evaluation before using the validation service (see Carey, [0024] ‘an entity profile indicating security assessment [i.e., risk evaluation ] and simulation services [i.e., validation service ] to be administered to an entity with which the first end device is associated.’).
Referring to claim 7:
	 	Carey, Steele, and Shakarian further disclose:
           wherein the risk evaluation assesses a risk level of using the validation service on a first target device of the one or more target devices to confirm the issue or the vulnerability (see Shakarian, [0057] ‘For each vulnerability, its description, CVSS (common vulnerability scoring system) score [i.e., vulnerability level ] and vector are gathered.’  In addition,  Steele, [0052] ‘security vulnerability levels’).
           It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Shakarian into the system of Carey to assess a risk level for each vulnerability.  Carey teaches “a system and method of assessing security of a network, and performing security threat simulations.” (see Carey, [0002]).  Therefore, Shakarian’s teaching could enhance the system of Carey, because Shakarian teaches “ZDI then notifies the vendor to develop patches for the vulnerability before public disclosure.” (see Shakarian, [0061]).
Referring to claim 8:
	 	Carey, Steele, and Shakarian further disclose:
           wherein the risk evaluation is performed using one or more of a script, a rule base, or a pattern detection module (see Carey, [0073] ‘a script’. And, Steele, [0025] ‘a machine learning component which is configured to detect threat patterns and anomalies in order to generate specific mitigation actions for the user.’).
           It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Steele into the system of Carey to use machine learning to detect a pattern.  Carey teaches “a system and method of assessing security of a network, and performing security threat simulations.” (see Carey, [0002]).  Therefore, Steele’s teaching could enhance the system of Carey, because Steele teaches “a machine learning component which is configured to detect threat patterns and anomalies in order to generate specific mitigation actions for the user.” (see Steele, [0025]).
Referring to claim 9:
	 	Carey and Steele further disclose:
           wherein the pattern detection module comprises a machine learning module or a neural network (see Steele, [0025] ‘a machine learning component which is configured to detect threat patterns and anomalies in order to generate specific mitigation actions for the user.’).
However, they do not disclose the training, and the ground truth value.
	Shakarian discloses the training, and the ground truth value (see Shakarian, [0039] ‘machine learning model are evaluated by training the model on one set of data … one of our ground-truth sources …’).
           It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Shakarian into the system of Carey to implement training, and utilize ground truth value.  Carey teaches “a system and method of assessing security of a network, and performing security threat simulations.” (see Carey, [0002]).  Therefore, Shakarian’s teaching could enhance the system of Carey, because Shakarian teaches “Predicting the likelihood of vulnerability exploitation through the usage of machine learning techniques has interesting security implications in terms of prioritizing which vulnerabilities need to be patched first to minimize risk of cyberattack.” (see Shakarian, [0044]).
Referring to claim 10:
	 	Carey, Steele, and Shakarian further disclose:
           collecting one or more profile metrics for a first target device of the one or more target devices; wherein the risk evaluation is based on the one or more profile metrics and a type of the issue or a type of the vulnerability (see Carey, [0071] ‘associated with the entity's profile [i.e., profile metrics for a target device ], the security assessor may store information that recognizes the requesting entity or entity user device based on the received request (e.g., based on one or more of an address (e.g., internal and/or external address) of the requesting device, a browser fingerprint, etc.), and as a result looks up the entity profile to determine if any security simulations are scheduled.’).
Referring to claims 15, 18:
	 	Carey, Steele, and Shakarian further disclose:
	performing a risk evaluation of using a plurality of validation services that are able to confirm whether the issue or the vulnerability is present (see Carey, [0086] ‘provides for more comprehensive analysis and assessment of a network's security risks.’); 
           selecting one of the validation services based on the risk evaluation (see Carey, [0067] ‘the entity may select a package that includes certain security assessments and simulations to be performed on the entity's network.’); and
            confirming whether the issue or the vulnerability is present using the selected validation service (see Shakarian, [0061] ‘The submitted vulnerability is first verified [i.e., confirming ] before it is added to the database.’).
           It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Shakarian into the system of Carey to confirm a vulnerability present.  Carey teaches “a system and method of assessing security of a network, and performing security threat simulations.” (see Carey, [0002]).  Therefore, Shakarian’s teaching could enhance the system of Carey, because Shakarian teaches “ZDI then notifies the vendor to develop patches for the vulnerability before public disclosure.” (see Shakarian, [0061]).
Referring to claim 19:
	 	Carey, Steele, and Shakarian further disclose:
           store the converted and extracted data in one or more data repositories. query the one or more data repositories using one or more queries; and display results of the one or more queries on a user interface (see Shakarian, [0059] ‘database … query’; [0100] ‘displayed’).
           It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Shakarian into the system of Carey to use data repositories to facilitate user query.  Carey teaches “a system and method of assessing security of a network, and performing security threat simulations.” (see Carey, [0002]).  Therefore, Shakarian’s teaching could enhance the system of Carey, because Shakarian teaches “The ZDI database was queried to collect information regarding vulnerabilities that might have been disclosed by ZDI.” (see Shakarian, [0061]).
Referring to claim 20:
	 	Carey, Steele, and Shakarian further disclose:
                     wherein the one or more processors are further configured to receive one or more parameters for the one or more queries using the user interface (Shakarian, [0143] ‘parameters’).
           It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Shakarian into the system of Carey to use parameters.  Carey teaches “a system and method of assessing security of a network, and performing security threat simulations.” (see Carey, [0002]).  Therefore, Shakarian’s teaching could enhance the system of Carey, because Shakarian teaches “Parameters for all approaches were set in a manner to provide the best performance.” (see Shakarian, [0143]).

Response to Arguments
6.	Applicant's arguments filed September 6, 2022 have been fully considered but they are not persuasive.
(a)	Applicant submits:
“Based on these claim mappings, to teach or suggest the above limitations of amended claim 1, Carey would need to disclose that the information associated with the simulation is received from multiple evaluation services that execute on one or more devices that are separate from the first end device. Carey would additionally need to disclose that each evaluation service included in the multiple evaluation services performs a different evaluation task associated with the first end device. Importantly, Carey contains no such teachings.” (see page 8, 2nd par.)
Examiner maintains:
As an initial matter, the amended claim 1 does not describe that “one or more devices that are separate from the first end device.”
Carey discloses: [0026] ‘…to simulate one or more security threat techniques, tactics, or practices [i.e., each evaluation service performs a different evaluation task: determining exfiltrating data, determining performing a lateral scan, determining DNS exfiltration of data, etc. ]. … may include … attempting to exfiltrate data … attempting to perform a lateral scan … and attempting Domain Name Server (DNS) exfiltration of data from the sub-network.’; [0036] ‘distributing a plurality of agents in the form of browser-executable program code to a respective plurality of end devices [i.e., executing a plurality of evaluation services on one or more agent devices, where each evaluation service performs a different evaluation task ] on a sub-network of a network, as a result of execution of the agents by browser applications on the end devices, performing a plurality of simulated security threat techniques, tactics, or practices on the sub-network, …’
Therefore, the reference discloses or suggests that the information associated with the simulation is received from multiple evaluation services that execute on one or more devices that are separate from the first end device, and that each evaluation service included in the multiple evaluation services performs a different evaluation task associated with the first end device.
(b)	Applicant submits:
“However, Carey fails to disclose that each of multiple bot servers (or of multiple other components that execute on devices that are separate from the end device and from which information or simulation results associated with a simulation on the end device are received) performs a different evaluation task associated with the end device.” (see page 8, 2nd par.)
Examiner maintains:
Carey discloses: [0026] ‘…to simulate one or more security threat techniques, tactics, or practices [i.e., each evaluation service performs a different evaluation task: determining exfiltrating data, determining performing a lateral scan, determining DNS exfiltration of data, etc. ]. … may include … attempting to exfiltrate data … attempting to perform a lateral scan … and attempting Domain Name Server (DNS) exfiltration of data from the sub-network.’; [0036] ‘distributing a plurality of agents in the form of browser-executable program code to a respective plurality of end devices [i.e., executing a plurality of evaluation services on one or more agent devices, where each evaluation service performs a different evaluation task ] on a sub-network of a network, as a result of execution of the agents by browser applications on the end devices, performing a plurality of simulated security threat techniques, tactics, or practices on the sub-network, …’
Therefore, the reference discloses or suggests that the information associated with the simulation is received from multiple evaluation services that execute on one or more devices that are separate from the first end device, and that each evaluation service included in the multiple evaluation services performs a different evaluation task associated with the first end device.

Conclusion

7.	The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure.
(a)	Pourmohammad; Sajjad et al. (US 20210312351 A1) disclose building risk analysis system with geographic risk scoring;
(b)	Narala; Mahender (US 11120380 B1) discloses systems and methods for managing information risk after integration of an acquired entity in mergers and acquisitions;
(c)	O'Toole; Eamonn et al. (US 20210216928 A1) disclose systems and methods for dynamic risk analysis;
(d)	Bailey; Michael James (US 20210144178 A1) discloses systems and methods of information security monitoring with third-party indicators of compromise;
(e)	Haugsnes; Andreas Seip (US 20190297118 A1) discloses scalable network security detection and prevention platform;
(f)	Steele; David Michael et al. (US 20190166155 A1) disclose system for generating a communication pathway for third party vulnerability management;
(g)	Pourmohammad; Sajjad et al. (US 20190138512 A1) disclose building risk analysis system with dynamic and base line risk.
 
 8.     Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
           A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.
         Any inquiry concerning this communication or earlier communications from the examiner should be directed to Peiliang Pan whose telephone number is (571) 272-5987.  The examiner can normally be reached on Monday-Friday 8:00 am - 5:00 pm EST.
          If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on (571) 272-4006.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
           Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/PEILIANG PAN/Examiner, Art Unit 2492                                                                                                                                                                                             



/SALEH NAJJAR/Supervisory Patent Examiner, Art Unit 2492