Response to Amendment
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
	This action is responsive to application filed on 8/29/22.  Claims 1-20 are presented for examination.


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Swiller et al (USPN. 7,013,395) in view of Hadar et al (USPN. 2020/0177617).

Regarding claim 1, Swiller discloses a system comprising: one or more processors; and a memory; one or more programs, wherein the one or more programs are stored in the memory and configured to be executed by the one or more processors, the one or more programs including instructions that (fig. 2, network and machines): 
obtain a graph having a plurality of paths, a path includes nodes and edges, wherein a node represents a user, group or device, wherein an edge represents a relationship between each node connected to an edge, the graph representative of a tenant of a cloud service, wherein a node is classified as sensitive or non-sensitive (fig. 2, graph structure A-G, col. 7, lines 7-11, 50-55 and 59-63, all nodes other than GOAL nodes are non-sensitive, attack graph in a cloud network comprising plurality of machines and types of users);
identify a risky edge in paths that lead to a sensitive node (fig. 2, col. 9, lines 27-42 and col. 10, lines 23-35, added vulnerability by use of type of nodes, distance, edge weight); and
perform an action to eliminate the relationship between the nodes connected to the risky edge (fig. 2, col. 10, lines 21-34, Node C with number 10 does not represent the shortest path as it has value of 10 and is therefore eliminated from the path to node 2), but Swiller does not explicitly teach wherein the identification of the risky edge is based on a number of distinct non-sensitive nodes that cannot be reached when the risky edge is detached from the graph, a number of distinct detached sensitive nodes that cannot be reached when the risky edge is detached from the graph, and a number of distinct paths containing the risky edge.
	However, Hadar teaches identification of the risky edge is based on a number of distinct non-sensitive nodes that cannot be reached when the risky edge is detached from the graph, a number of distinct detached sensitive nodes that cannot be reached when the risky edge is detached from the graph, and a number of distinct paths containing the risky edge (figs. 3 and 7, pars. 24, 50 and 89, remediation action and recommendations by analyzing nodes, edges between nodes and properties, and par. 92, set of attack paths and  disable the ability to traverse on a path, Hadar).  Hence, it would have been obvious to one of ordinary skill in the art at the effective filing time of the application to integrate Hadar’s analyzing of nodes and edges for evaluating risk to Swiller’s analysis tool (par. 50, Hadar).  One would have been motivated to combine Swiller and Hadar to improve risk assessment of nodes.  

2. Swiller in view of Hadar teach,
wherein an edge represents one of the relationships of Administrator-Of, Has-Session, and Member-Of (fig. 2, Machines B, C, “Normal User”, “password of user” and Server Daemon access, Swiller). 

3. Swiller in view of Hadar teach,
wherein the one or more programs include further instructions to perform actions that: update the graph periodically during operation of the cloud service (fig. 2, col. 9, lines 34-37, upon user gaining a plain text password on Machines B and C, the path is updated by the user gaining additional access to gain root, Swiller).  

4. Swiller in view of Hadar teach,
wherein the one or more programs include further instructions to perform actions that: determine if another risky edge exists from the updated graph (fig. 2, col. 10, lines 19-27, the attacker gains access via edge A, added vulnerability shown in edges B,C and D, Swiller). 

5. Swiller in view of Hadar teach,
wherein the one or more programs include further instructions to perform actions that: identify the risky edge from a risk score for each edge in the graph, the risk score  based on a number of distinct detached non-sensitive nodes that cannot be reached when the risky edge is detached from the graph, the number of distinct detached sensitive nodes that cannot be reached when the risky edge is detached from the graph, and the number of distinct paths containing the risky edge (figs. 3 and 7, pars. 24, 50 and 89, remediation action and recommendations by analyzing nodes, edges between nodes and properties, and par. 92, set of attack paths and disable the ability to traverse on a path to node, Hadar).  

6. Swiller in view of Hadar teach,
wherein the risk score is a weighted sum of the number of distinct detached non-sensitive nodes that cannot be reached when the risky edge is detached from the graph, and the number of distinct paths containing the risky edge (figs. 3 and 7, pars. 24, 50 and 89, remediation action and recommendations by analyzing nodes, edges between nodes and properties, and par. 92, set of attack paths and disable the ability to traverse on a path to node, Hadar and further see fig. 2 and 10, lines 35-43, analysis of all paths based on shortest distance. Note that each edge has different risk based on vulnerability such as edge weight, col. 7, lines 7-11, Swiller).

7. Swiller in view of Hadar teach,
wherein the one or more programs include further instructions to perform actions that: identify the risky edge from a risk score, the risk score applies a first weight to the number of distinct detached non-sensitive nodes that cannot be reached when the risky edge is detached from the graph, applies a second weight to the number of distinct detached sensitive nodes that cannot be reached when the risky edge is detached from the graph, and applies a third weight to the number of distinct paths containing the risky edge (figs. 3 and 7, pars. 24, 50 and 89, remediation action and recommendations by analyzing nodes, edges between nodes and properties, and par. 92, set of attack paths and disable the ability to traverse on a path to node, Hadar and further see fig. 2 and col. 5, lines 10-30, defense placement based on critical nodes, conflicting criteria, and weight function based on edge metrics comprising weights, Swiller).

Regarding claim 8, Swiller discloses a method, comprising:
representing entities having access to resources in a tenant of a cloud service in a graph, the graph having plurality of paths, each path including nodes of entities and edges representing a relationship between two connected entities, at least one node representing a sensitive entity, at least one node representing a non-sensitive entity (fig. 2, network and machines with tenants, paths); 
determining whether a first edge in the graph is on a lateral movement path by traversing each path of the plurality of paths in the graph from a sensitive entity to each connected non-sensitive entity and computing a score for the first edge (fig. 2, graph structure A-G, col. 7, lines 7-11, 50-55 and 59-63, all nodes other than GOAL nodes are non-sensitive, attack graph in a cloud network comprising plurality of machines and types of users, and col. 9, lines 27-42 and col. 10, lines 23-35, added vulnerability by use of type of nodes/users, distance and edge weight wherein initial attacker on Path A opens the vulnerability on all paths B, C, and D), but does not teach the score is based on a number of distinct non-sensitive nodes that cannot be reached when the risky edge is detached from the graph, a number of distinct detached sensitive nodes that cannot be reached when the risky edge is detached from the graph, and a number of distinct paths containing the first edge.
However, Hadar teaches calculating a number of distinct non-sensitive nodes that cannot be reached when the risky edge is detached from the graph, a number of distinct detached sensitive nodes that cannot be reached when the risky edge is detached from the graph, and a number of distinct paths containing the first edge (figs. 3 and 7, pars. 24, 50 and 89, remediation action and recommendations by analyzing nodes, edges between nodes and properties, and par. 92, set of attack paths and  disable the ability to traverse on a path, Hadar).  Hence, it would have been obvious to one of ordinary skill in the art at the effective filing time of the application to integrate Hadar’s analyzing of nodes and edges for evaluating risk to Swiller’s analysis tool (par. 50, Hadar).  One would have been motivated to combine Swiller and Hadar to improve risk assessment of nodes.  
Swiller in view of Hadar combined teach,
based on the score for the first edge, eliminating a relationship between entities connected to the edge determined to be on the lateral movement path (fig. 2, col. 10, lines 21-34, Node C with number 10 does not represent the shortest path as it has value of 10 and is therefore eliminated from the path to node 2, Swiller).  

9. Swiller in view of Hadar teach,
wherein a weight is applied to the number of distinct detached non-sensitive entities that cannot be reached when the first edge is detached from the graph (fig. 2 A-G and col. 10, lines 35-43, analysis of all paths based on shortest distance.  Note that each edge has different risk based on vulnerability such as edge weight, col. 7, lines 7-11, Swiller).

10. Swiller in view of Hadar teach,
wherein a weight is applied to the number of distinct detached sensitive entities that cannot be reached when the first edge is detached from the graph (fig. 2 A-G, and col. 10, lines 35-43, analysis of all paths based on shortest distance.  Note that each edge has different risk based on vulnerability such as edge weight, col. 7, lines 7-11, Swiller).

11. Swiller in view of Hadar teach,
wherein a weight is applied to the number of distinct paths containing the first edge (col. 5, lines 11-29, edge weights, optimal paths, all paths and time used to determine defense placement, Swiller).

12. Swiller in view of Hadar teach,
wherein the score is a sum of the number of distinct detached non-sensitive entities that cannot be reached when detached from the graph, the number of distinct detached sensitive entities that cannot be reached when detached from the graph and the number of distinct paths containing the first edge (figs. 3 and 7, pars. 24, 50 and 89, remediation action and recommendations by analyzing nodes, edges between nodes and properties, and par. 92, set of attack paths and disable the ability to traverse on a path to node, Hadar and further see fig. 2 and 10, lines 35-43, analysis of all paths based on shortest distance.  Note that each edge has different risk based on vulnerability such as edge weight, col. 7, lines 7-11, Swiller).

13. Swiller in view of Hadar teach,
wherein the score is a sum of the first weight applied to the number of distinct detached non-sensitive entities that cannot be reached when detached from the graph, a second weight applied to a number of distinct detached sensitive entities that cannot be reached when detached from the graph, and a third weight applied to a number of distinct paths containing the edge (figs. 3 and 7, pars. 24, 50 and 89, remediation action and recommendations by analyzing nodes, edges between nodes and properties, and par. 92, set of attack paths and disable the ability to traverse on a path to node, Hadar and further see fig. 2, col. 10, lines 26-43, risk assessment on different paths, distances, types of nodes and passwords granted, see risk score based on cost to the attacker and edge weights, see also optimal paths).

14. Swiller in view of Hadar teach,
wherein an edge represents a relationship of Administrator-Of, Has-Session, or Member-Of (fig. 2, Machines B, C, “Normal User”, “password of user” and Server Daemon access).

15. Swiller in view of Hadar teach,
wherein an entity represents a user account, a group, or a device (fig. 2, user account, Root or normal).  

Regarding claim 16, Swiller discloses a device, comprising: a processor coupled to a memory; wherein the processor is configured to perform actions to (fig. 2, network and machines):
obtain a graph having a plurality of paths, a path includes nodes connected by edges, a node associated with a sensitive entity or a non-sensitive entity, an edge representing a relationship between two connected nodes, wherein the graph represents a configuration of entities having access to resources of a tenant of a cloud service (fig. 2, graph structure A-G, col. 7, lines 7-11, 50-55 and 59-63, all nodes other than GOAL nodes are non-sensitive, attack graph in a cloud network comprising plurality of machines and types of users);
compute a risk score for each edge in each path of the plurality of paths (fig. 2, col. 10, lines 26-43, risk assessment on different paths, distances, types of nodes and passwords granted, see risk score based on cost to the attacker and edge weights, see also optimal paths),
but does not explicitly teach the risk score based on a number of distinct detached non-sensitive nodes that cannot be reached when the edge is detached from the graph, a number of distinct detached sensitive nodes that cannot be reached when the edge is detached from the graph, and a count of distinct paths containing the edge.
However, Hadar teaches calculating a number of distinct detached non-sensitive nodes that cannot be reached when the edge is detached from the graph, a number of distinct detached sensitive nodes that cannot be reached when the edge is detached from the graph, and a count of distinct paths containing the edge (figs. 3 and 7, pars. 24, 50 and 89, remediation action and recommendations by analyzing nodes, edges between nodes and properties, and par. 92, set of attack paths and disable the ability to traverse on a path, Hadar). Hence, it would have been obvious to one of ordinary skill in the art at the effective filing time of the application to integrate Hadar’s analyzing of nodes and edges for evaluating risk to Swiller’s analysis tool (par. 50, Hadar). One would have been motivated to combine Swiller and Hadar to improve risk assessment of nodes.
Swiller in view of Hadar teach,
identify a risky edge in a path based on a risk score (fig. 2 and col. 5, lines 10-30, defense placement based on critical nodes, conflicting criteria, and weight function based on edge metrics comprising weights, Swiller).

17. Swiller in view of Hadar teach,
wherein an edge represents an Administrator-Of, Has-Session, or Member-Of relationship between two connected nodes (fig. 2, Machines B, C, “Normal User”, “password of user” and Server Daemon access).

18. Swiller in view of Hadar teach,
wherein a node represents a user account, a device or group (fig. 2, user account, Root or normal).    

Regarding device claims 19 and 20, they comprise limitations similar to those of claims 12 and 13 rejected above, and are rejected at least on the same merits.

Response to Arguments
Applicant’s arguments with respect to claim(s) 1-20 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure in the field of risk assessment:
USPN. 8,938,781

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MARCIN R FILIPCZYK whose telephone number is (571)272-4019. The examiner can normally be reached M-F 7-4 EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Alford Kindred can be reached on 571-272-4037. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




November 23, 2022

/MARCIN R FILIPCZYK/Primary Examiner, Art Unit 2153