DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Amendment / Arguments
Regarding claims 4 and 13 rejected under 35 USC 112(b):
	Applicant’s amendment is considered to overcome the applied rejection. Accordingly, the rejection has been withdrawn.

Regarding claims 6 and 15 rejected under 35 USC 112(b):
	Applicant’s amendment is considered to overcome the applied rejection. Accordingly, the rejection has been withdrawn.

Regarding claims rejected under 35 USC 101:
Applicant's arguments  have been fully considered but they are not persuasive.
Applicant argues that the amended claims are patentable under 35 USC 101. In response, it is noted that the amended independent claims incorporate language from canceled claim 2, which was itself previously rejected under 35 USC 101 (i.e., “[t]he dependent claims are likewise rejected under this analysis as above, as they merely further specify the judicial exception in greater detail… [are] not indicat[ive] of integration into a practical application nor specify limitations indicative of significantly more than the judicial exception… claims 2-3 further specify the node and path structure of the visualized graphs (the further specified representation being consistent with the examples above)”). Where Applicant has amended the independent claims to further recite a computer, a processor, and/or memory, it is noted that adding the words “apply it” (or an equivalent) with the judicial exception, or mere instructions to implement an abstract idea on a computer, or merely using a computer as a tool to perform an abstract idea are not considered to be sufficient—see MPEP 2106.05(f). In this case, the added limitations merely recite the base elements of any computer for performing the judicial exception.

Regarding claims rejected under 35 USC 102 / 103:
Applicant's arguments have been fully considered but they are not persuasive.
Applicant argues that the Muller reference does not teach “a first graph generation part that generates a first evaluation graph ... wherein the first evaluation graph represents a data exchange path by way of a medium between the resources.” Applicant further points to [0096] of Muller with respect to the data exchange path being an air gap and the medium being a USB. In response to Applicant's argument that the references fail to show certain features of Applicant’s invention, it is noted that the features upon which Applicant relies (i.e., the air gap and the USB as a medium) are not recited in the rejected claim(s).  Although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims.  See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993). In this case, the claims do not further specify the data exchange path nor the medium, and the language of [0096] concerning the medium is in exemplary format. The cited portions of Muller discuss the graphical representation of pathways, and further specify that “pathways may be physical or electronic connections between the areas.” The claimed “data exchange path by way of a medium between the resources” is interpretable as any wired or wireless network connection. 
Applicant’s arguments concerning the dependent claims rely upon the above arguments. Since the parent claims stand rejected, the dependent claims likewise remain rejected.

Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitation(s) is/are: “a first graph generation part,” “a second graph generation part,” “a display part,” “an access right storage part,” “a third graph generating part,” and “a condition receiving part”  in claims 1-8.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof. For instance, at least [0087] of the specification recites that “each part (processing means, function) of a security evaluation system as shown in the first to third exemplary embodiments can be realized by a computer program that causes a processor of the computer to execute each of the above processes using its hardware.”
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to the abstract idea of a mental process (i.e., concepts performed in the human mind, such as an observation, evaluation, judgment, and/or opinion) without significantly more. The claim(s) recite(s) creating graphs of resources and resource locations, as well as displaying the graphs. However, this may be interpreted as merely creating a mental mapping for a collection of resources in a set of given areas. For instance, “a first graph generation part that generates a first evaluation graph representing a connection relationship between resources as a target for security evaluation” may be interpreted as an analyst noting that there are a number of connected computers within a facility (e.g., 2 computers in a building). Further, “a second graph generation part that generates a second evaluation graph representing a connection relationship between areas where the resources are located” may be interpreted as an analyst noting that the computers are interspersed into different rooms (e.g., each of the computers being in a separate room) which are connected by a hallway. Likewise, “a display part that displays the first evaluation graph and the second evaluation graph in association with each other” may be interpreted as the analyst visualizing the aforementioned (e.g., two nodes connected by a path, representative of either a network connection or a hallway connection).
This judicial exception is not integrated into a practical application because adding the words “apply it” (or an equivalent) with the judicial exception, or mere instructions to implement an abstract idea on a computer, or merely using a computer as a tool to perform an abstract idea are not considered to be sufficient—see MPEP 2106.05(f). For instance, claims 1 and 10 recite “a security evaluation system,” “a computer-readable non-transient recording medium,” and “a processor and a memory device,” which are all merely the base elements of any computer for performing the judicial exception. Claim 9 appears to merely recite the judicial exception as a method.
The claims further recite elements which may be considered sufficient to amount to significantly more than the judicial exception: “a security evaluation system,” “a computer-readable non-transient recording medium,” and “a processor and a memory device.”
However, these elements are not sufficient to amount to significantly more than the judicial exception because adding the words “apply it” (or an equivalent) with the judicial exception, or mere instructions to implement an abstract idea on a computer, or merely using a computer as a tool to perform an abstract idea are not considered to be sufficient—see MPEP 2106.05(f). In this case, the elements merely recite the base elements of any computer for performing the judicial exception. Claim 9 appears to merely recite the judicial exception as a method.
The amended / dependent claims are likewise rejected under this analysis as above, as they merely further specify the judicial exception in greater detail. They are not indicative of integration into a practical application nor specify limitations indicative of significantly more than the judicial exception. For instance, the amended claims further specify the node and path structure of the visualized graphs (the further specified representation being consistent with the examples above); claim 4 specifies an additional consideration (a given user’s access—e.g., whether an employee is allowed access into one or both of the rooms in the example above); claim 5 specifies visualizing potential attack avenues for the computers and facility (e.g., entering from the hallway into room 1 and using computer 1); claims 6-8 further specify updating the visualization based on a given condition). Claims 11-20 are substantially similar and are likewise rejected.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claim(s) 1, 3-6 and 8-20 is/are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Muller (US 2015/0106941 A1).

Regarding claim 1, Muller discloses: A security evaluation system, comprising:
at least a processor; and
 a memory in circuit communication with the processor;
wherein the processor is configured to execute program instructions stored in the memory to implement:
Refer to at least FIG. 2 and [0018]-[0020] of Muller with respect to a processor and memory.
a first graph generation part that generates a first evaluation graph representing a connection relationship between resources as a target for security evaluation; 
Refer to at least the FIG. 1 and [0012]-[0014] of Muller with respect to a graphical representation of resources and their connections in a facility. 
a second graph generation part that generates a second evaluation graph representing a connection relationship between areas where the resources are located; and 
Refer to at least the FIG. 1 and [0012]-[0014] of Muller with respect to a graphical representation of resources and identified areas within a facility. 
a display part that displays the first evaluation graph and the second evaluation graph in association with each other,
Refer to at least [0021] and [0057] of Muller with respect to a GUI displaying, e.g., a graph as shown in FIG. 1, to a user. 
wherein the first evaluation graph represents a data exchange path by way of a medium between the resources, and the first graph generation part generates the first evaluation graph based on connection information between resources defining a data exchange path including a data exchange path by way of a medium between the resources.
Refer to at least [0012]-[0014] of Muller with respect to physical or electronic connections as they relate to the graphical representation. 

Regarding claim 3, it is rejected for substantially the same reasons as claim 1 above (i.e., the citations to the graphical representation—e.g., “[p]athways may be physical or electronic connections between the areas”).

Regarding claim 4, Muller discloses: The security evaluation system according to claim 3, wherein the processor is configured to execute the program instructions to implement: an access right storage part that stores information of one or more users allowed to access the physically demarcated space among areas where resources are located, wherein the display part displays information of a user who is allowed to enter the space as additional information of the second evaluation graph.
Refer to at least “User Level” and “Admin Level” associated with each other and, e.g., Building B in FIG. 1 of Muller. 

Regarding claim 5, Muller discloses: The security evaluation system according to claim 1, wherein the processor is configured to execute the program instructions to implement: a third graph generating part that generates an attack graph for a resource as a target for the security evaluation, wherein the display part further displays the first evaluation graph and the third evaluation graph in association with each other.
Refer to at least FIG. 4, TABLE C on pages 6-7, and [0057] of Muller with respect to determining and displaying a route of attack associated with the graphical representation.  

Regarding claim 6, Muller discloses: The security evaluation system according to claim 1, wherein the processor is configured to execute the program instructions to implement: a condition receiving part that receives a display condition including at least one designation of ID of the resource or type of the resource, wherein the display part displays a resource corresponding to the display condition of the first evaluation graph and the second evaluation graph corresponding to the resource or an attack graph related to the resource.
Refer to at least [0026] and [0031] of Muller with respect to safeguard IDs. 

Regarding claim 8, it is rejected for substantially the same reasons as claim 1 above (i.e., the citations to the graphical representation—e.g., see FIG. 1 with respect to resources which are not connected to each other and TABLE C with respect to traversal over the graph during an attack).  

Regarding independent claim 9, it is substantially similar to independent claim 1 above, and is therefore likewise rejected (i.e., see the citations).

Regarding independent claim 10, it is substantially similar to independent claim 1 above, and is therefore likewise rejected (i.e., see the citations).

Regarding claims 11-15, they are substantially similar to claims 2-6 above, and are therefore likewise rejected. 

Regarding claims 16-20, they are substantially similar to claims 2-6 above, and are therefore likewise rejected. 

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 7 is/are rejected under 35 U.S.C. 103 as being unpatentable over Muller as applied to claims 1, 3-6 and 8-20 above, and further in view of “Advanced Vulnerability Analysis and Intrusion Detection through Predictive Attack Graphs,” hereinafter “Noel.”

Regarding claim 7, Muller does not fully disclose: wherein the processor is configured to execute the program instructions to implement: a condition receiving part that receives a display condition including designation of an area where the resource is located, wherein the display part displays an area corresponding to the display condition of the second evaluation graph, a partial graph of the first evaluation graph related to the area and an attack graph related to the partial graph. However, Muller in view of Noel discloses: wherein the processor is configured to execute the program instructions to implement: a condition receiving part that receives a display condition including designation of an area where the resource is located, wherein the display part displays an area corresponding to the display condition of the second evaluation graph, a partial graph of the first evaluation graph related to the area and an attack graph related to the partial graph. 
Refer to at least FIG. 4, FIG. 9, and the last paragraph on 7 of Noel with respect to attack graph visualization via graph overview, main graph view, and a geo-spatial view. 
The teachings of Muller and Noel both concern vulnerability and attack visualization and are considered to be within the same field of art and combinable as such. 
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of Muller to include additional views in the GUI for at least the purpose of increasing data density and thereby providing the analyst more information to work with at a time. 

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to VADIM SAVENKOV whose telephone number is (571)270-5751. The examiner can normally be reached 12PM-8PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey L Nickerson can be reached on (469) 295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Jeffrey Nickerson/Supervisory Patent Examiner, Art Unit 2432                                                                                                                                                                                                        




/V.S/Examiner, Art Unit 2432