DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Amendment
This office action is in response to applicant’s amendment, filed 01 August 2022, of the application filed with the above serial number on 20 January 2020, in which claims 1, 7, 13 have been amended and claims 4, 10, 16 have been cancelled. Claims 1-3, 5-9, 11-15, 17-18 are pending in the application.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1-3, 5-9, 11-15, 17-18 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention. The claims are amended such that the steps ‘trigger the cyberattack tools to obtain at least one packet generated by each of the cyberattack tools; analyze the packets to summarize at least one cyberattack pattern corresponding to each of the cyberattack tools; generate a call command set corresponding to the cyberattack patterns, wherein the call command set comprises the user command; and provide an application programming interface based on the call command set, so as to establish the test container’ are performed before the ‘execute the test container’ step. The test container comprises the plurality of attack tools, and thus the trigger steps etc. are after the executing of the test container; the test container is established after already being stored and the tools being triggered. And as amended, is the test of cyberattack of the device under test different from the cyber defense mechanism of the device under test being tested?

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claim(s) 1-2, 5, 7-8, 11, 13-14, 17 is/are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Deardorff et al (hereinafter “Deardorff”, 11,108,790).
As per Claim 1, Deardorff discloses a test device for testing a cyber defense mechanism of a device under test, comprising: 
a storage, configured to store a test container, wherein the test container comprises a plurality of cyberattack tools (at least col. 8:23-39, 9:8-23; attack module executing one or more attack tools to simulate malicious activity); 
a transceiver, configured to receive a user command from a user (at least col. 8:23-39, 9:8-23; upon receiving instructions from a user); and 
a processor, electrically connected with the storage and the transceiver, configured to:
trigger the cyberattack tools to obtain at least one packet generated by each of the cyberattack tools (at least col. 5:59-6:12; 9:8-17; initial state of environment is taken pre-attack, gathering snapshots during and after execution of attack tools, determining traces from malicious activity, generating signatures representing summary of detected traces; attack module using Metasploit, Powershell etc); 
analyze the packets to summarize at least one cyberattack pattern corresponding to each of the cyberattack tools (at least col. 5:59-6:12; 9:8-17; initial state of environment is taken pre-attack, gathering snapshots during and after execution of attack tools, determining traces from malicious activity, generating signatures representing summary of detected traces; attack module using Metasploit, Powershell etc; 11:1-27 signatures essentially represent summaries of malicious activity); 
generate a call command set corresponding to the cyberattack patterns, wherein the call command set comprises the user command (at least col. 5:59-6:12; 9:8-17; initial state of environment is taken pre-attack, gathering snapshots during and after execution of attack tools, determining traces from malicious activity, generating signatures representing summary of detected traces; attack module using Metasploit, Powershell etc; col. 11:1-34 user getting signature and alert and providing further measures and/or adjusting parameters of the attack tool); and 
provide an application programming interface based on the call command set, so as to establish the test container (at least col. 5:59-6:12; 9:8-17; initial state of environment is taken pre-attack, gathering snapshots during and after execution of attack tools, determining traces from malicious activity, generating signatures representing summary of detected traces; attack module using Metasploit, Powershell etc; col. 11:23-45 user and/or analysis module adjusting parameters of each attack tool);
execute the test container (at least col. 8:23-39, 9:8-23; attack module executing tools); and 
analyze, during a runtime of the test container, the user command so as to launch a test of cyberattack to the device under test according to the user command and via the transceiver, such that the cyber defense mechanism of the device under test is tested, wherein the test of cyberattack corresponds to one of the cyberattack patterns and the test of cyberattack corresponds to at least two of the cyberattack tools (at least col. 11:29-12:43; analysis module 122 may analyze this type of data to predict, e.g., what type of activity will ultimately be detected in a target environment based on executed attack tools and parameters thereof. The analysis module 122 may then instruct the attack module 114 to vary one or more parameters of the attack tools to detect certain types of activity that would otherwise be undetected).
As per Claim 2. The test device of Claim 1, wherein: the processor is further configured to generate a plurality of malicious packets according to the user command; and the transceiver is further configured to transmit the malicious packets to the device under test, such that the test of cyberattack is completed, wherein the malicious packets correspond to at least two of the cyberattack tools (at least col. 8:66-9:7; simulated malicious activity from the attack tools).
As per Claim 5. The test device of Claim 1, wherein the user command corresponds to an application programming interface of the test container, and the user command at least comprises a target internet protocol address for testing and a cyberattack pattern (at least col. 5:59-6:12; 8:40-46, 9:8-17; initial state of environment is taken pre-attack, addresses of environment, attack tools based on instructions from user, gathering snapshots during and after execution of attack tools, determining traces from malicious activity, generating signatures representing summary of detected traces; attack module using Metasploit, Powershell etc).
Claims 7-8, 11, 13-14, 17 do not, in substance, add or define any additional limitations over claims 1-2, 5 and therefore are rejected for similar reasons, supra.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim 3, 6, 9, 12, 15, 18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Deardorff in view of ANDRIANI (hereinafter “Andriani”, 2018/0046811).
As per Claim 3, 9, 15. Deardorff fails to explicitly disclose wherein: the processor is further configured to generate a plurality of attacking commands for a plurality of subordinate test devices according to the user command, wherein each of the subordinate test devices stores and executes the test container; and the transceiver is further configured to transmit the attacking commands to the subordinate test devices so that the subordinate test devices generate a plurality of malicious packets according to the attacking commands and transmit the malicious packets to the device under test, therefore completing the test of cyberattack, wherein the malicious packets correspond to at least two of the cyberattack tools. However, the use and advantages for using such a system were well known to one skilled in the art before the effective filing date of the claimed invention as evidenced by the teachings of Andriani. Andriani discloses, in an analogous art, a Distributed DoS (DDoS) attack being simulated from one or more attack nodes, wherein the simulation has one or more simulators 206 in various physical locations, for example, simulator-A 206A in the US, simulator-B 206B in London, to simulate an actual attack that would be sourced from multiple locations (at least Andriani paragraph 139, 351, 177; Fig. 2, 6). Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to incorporate the use of Andriani’s distributed nodes performing simulation with Deardorff, as Andriani teaches (at least Andriani paragraph 3-10, 51-52) such distributed attacks are widely known and common and thus the need to simulate from more than one node is obvious and critical for an accurate simulation of Deardorff’s simulation, particularly for flooding type attacks.
As per Claim 6, 12, 18. Deardorff fails to explicitly disclose wherein the transceiver is further configured to deploy the test container to each of the subordinate test devices. However, the use and advantages for using such a system were well known to one skilled in the art before the effective filing date of the claimed invention as evidenced by the teachings of Andriani. Andriani discloses, in an analogous art, a Distributed DoS (DDoS) attack being simulated from one or more attack nodes, wherein the simulation has one or more simulators 206 in various physical locations, for example, simulator-A 206A in the US, simulator-B 206B in London, to simulate an actual attack that would be sourced from multiple locations, wherein a coordination device coordinates updates and distributes the attack vectors to the simulating nodes (at least Andriani paragraph 231-236, 139, 351, 177; Fig. 2, 6). Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to incorporate the use of Andriani’s coordinating nodes distributing simulation attack vectors with Deardorff, as Andriani teaches the coordination device coordinates updates to all of the attacking nodes so they are all updated with the correct attack vectors and thus synchronized for the simulation.

Response to Arguments
Applicant's arguments filed 01 August 2022 have been fully considered but they are not persuasive.
Applicant argues that Deardorff does not disclose the features of prior claim 4 incorporated into claim 1, including in particular
generate a call command set corresponding to the cyberattack patterns, wherein the call command set comprises the user command; and 
provide an application programming interface based on the call command set, so as to establish the test container.
Applicant argues the timing is not done in Deardorff as the test container is generated before performing the test. As Applicant notes, the claim recites triggering the tools to obtain a packet, analyzing the packet(s) of the tools, then generating a call command set according to the pattern, however, the claim recites the call command set comprises the user command. But the user command is already received by the transceiver. So the user command is received but then the user command/call command set is generated according to the pattern? How can both of these happen? And these occur before the test container is executed?
Applicant argues that Deardorff has nothing to do with the technology of establishing the test container. However, the claim recites store a test container…comprises a plurality of cyberattack tools, the attack tools are triggered for the pattern to be summarized, the call command generated and establishing the test container by providing an API based on the call command set. Again, see the above 112, establishing the test container (which comprises the cyberattack tools) happens after the attack tools (stored test container) are triggered? The attack tools cannot be triggered without the test container having the tools being already stored. Deardorff clearly teaches in col. 8:23-31 the attack module executing (stored col. 7:12-15) one or more attack tools (test container). Deardorff further teaches in col. 11:1-45 the user getting the attack signature and alert(s) and providing further measures and/or adjusting parameters of each attack tool, thus Deardorff clearly teaches having a pre-attack state, post-attack state, during-attack state, and adjusting attack(s) (Fig. 8), to refine the attack based on the signature feedback.
In response to applicant's argument that the references fail to show certain features of applicant’s invention, it is noted that the features upon which applicant relies (i.e., generating instructions, allowing the user to call each cyberattack tool through a single programming language) are not recited in the rejected claim(s).  Although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims.  See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993). Deardorff teaches the user providing instructions for the sandbox generation module to generate the computing environment, configuration of the devices in the target environment and the attack module executing the attack tool(s) upon receiving instructions from the user (col. 8:23-9:16). Once a signature of the attack is made, the analysis module analyzes the signature, alerts the user and the user and analysis module can further make adjustments to the attack tool of their choice (col. 11:1-45).

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to GREGORY TODD whose telephone number is (303)297-4763. The examiner can normally be reached 8:30-5 MST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Nicholas Taylor can be reached on 571-272-3889. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/GREGORY TODD/
Primary Examiner, Art Unit 2443