DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This office Action is in response to Application 17127686 filed on 12/18/2020. Claims 1, 11 and 21 are independent claims.  Claims 1-30 have been examined and are pending in this application. This Office Action is made Non-Final.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 12/18/2020 and 05/10/2022 are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.
Claim Rejections – 35 USC § 101
35 U.S.C. 101 reads as follows: 
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1, 5-7, 9, 11, 15-17, 19, 21, 25-27 and 29 are rejected under 35 U. S. C. 101 as being directed to non-statutory subject matter as being directed to an abstract idea without being integrated into a practical application or significantly more.

Regarding claims 1, 11 and 21, the claim is directed to an abstract idea as reciting the limitations “generating, a report for the user identifying the malicious activity or the vulnerable configurations within the operating system.” The aforementioned steps are “mental process” as broadly interpreted said steps could be performed in the human mind. Therefore, the claim recites an abstract idea.  
Said abstract idea and/or judicial exception is not integrated into a practical application as the claim does not recite any other active steps that utilize determination result into a practical application.  It’s noted that the claims recite additional elements (i.e., processor/memory, processing system).  However, said additional elements are recited at a high-level of generality (i.e., as a generic processor performing a generic computer function of detecting or determining operation etc.,) such that it amounts no more than mere instructions to apply the exception or abstract idea using a generic computer component. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea.  
The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional elements when considered both individually and as an ordered combination do not amount to significantly more than the abstract idea.   As mentioned above, although the claims recite additional elements, said elements taken individually or as a combination, do not result in the claim amounting to significantly more than the abstract idea because as the additional elements perform generic computer content distributing functions routinely used in information technology field. See US Application 20190149572, US application 10802889. As discussed above, the additional elements recited at a high-level of generality such that they amount no more than mere instructions to apply the exception using a generic computer component.  Therefore, the claim is directed to non-statutory subject matter.
Regarding dependent claims 5-7, 9, 15-17, 19, 25-27 and 29; claims 5-7, 9, 15-17, 19, 25-27 and 29 are rejected under 35 U.S.C. 101 as being directed to an abstract idea without being integrated into a practical application or significantly more for the same reason discussed above.  It’s noted that claims 5-7, 9, 15-17, 19, 25-27 and 29 recite additional steps, such as “create the workflow; identifying the ports and services; identifying the one or more comprised user accounts; create a new workflow.” However, said steps are not sufficiently to be consider as integrating an abstract idea into a practical application.  As result claims 5-7, 9, 15-17, 19, 25-27 and 29 are also rejected under 35 U.S.C. 101 as being directed to an abstract idea without being integrated into a practical application or significantly more.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-5, 8, 11-15, 18, 21-25 and 28 are rejected under 35 U.S.C. 103 as being unpatentable over GORODISSKY et al. (“GORODISSKY,” US 20190149572, published 05/16/2019) in view Ganesan et al. (“Ganesan,” US 10802889, published on 10/13/2020)

Regarding Claim 1;
GORODISSKY discloses a computer-implemented method for performing penetration testing, the method comprising (par 0009; fig. 1A; an automated penetration testing system): 
directly connecting one or more robots into an operating system of a platform (par 0304; fig. 1A; the penetration testing software module installed and executed on a single computing device or comprise multiple software components that reside on multiple computing device; par 303; attack agent—a software module that can be installed on a network node and can be executed by a processor of that network node for partially or fully implementing the attack function of a penetration test [according to specification par 0044; the robot components in some embodiments include, but are not limited to [] executors, agents]);
executing, by the one or more robots, a workflow to simulate the penetration testing of the operating system to identify malicious activity or vulnerable configurations within the operating system (par 0156; fig. 10; the executing of the first penetration testing campaign comprises performing one or more validation operations for validating vulnerabilities; par 0260; If it is determined that the networked system can be compromised, then the one or more security vulnerabilities of the networked system are identified; par 0311; examples for compromising a network node are reading a file without having read permission for it, modifying a file without having write permission for it, deleting a file without having delete permission for it [] changing a configuration); and 
generating, by the one or more robots, a report for the user identifying the malicious activity or the vulnerable configurations within the operating system (par 0277; fig. 13C; output generated by the penetration testing campaign. This includes, among other things, data about any security vulnerability of the networked system tested by the penetration testing campaign that is detected by the campaign; par 0118; reporting, by the penetration testing system, at least one security vulnerability determined to exist in the networked system by the executing of the single penetration testing campaign, wherein the reporting comprises at least one of [] electronically transmitting the report containing information about the at least one security vulnerability).
GORODISSKY disclose performing automated penetration testing using one or more modules as recited above, but do not explicitly disclose robotic process automation (RPA).
However, in an analogous art, Ganesan discloses monitoring for robotic processes system/method that includes:
robotic process automation (RPA) (Ganesan: Col 3, lines 32-34; RPA platforms for robotic processes can be inbuilt with a tool to monitor the activity and performance of each robotic process).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Ganesan with the method/system of GORODISSKY to include robotic process automation (RPA). One would have been motivated to determine real-time statuses of the first robotic process and the second robotic process using the homogeneous data. Provide an additional layer of security to the robotic process (Ganesan: abstract and Col 7, lines 21-22).
	
Regarding Claim 2;
The combination of GORODISSKY and Ganesan disclose the computer-implemented method of claim 1, 
Ganesan discloses wherein the directly connecting of the one or more robots comprising: utilizing the one or more robots configured to perform a RPA process, and reassigning the one or more robots to perform the task (Ganesan: Col 6, lines 19- 35; provide a universal RPA gateway that is capable of discovering and tracking robotic processes built and deployed via multiple third-party RPA platforms [] utilized to track robotic processes and can allow for customization of existing robotic processes [] adding or deleting robotic processes, starting, stopping or restarting robotic processes, assigning, reassigning or changing the task of a robotic process).
One would have been motivated to determine real-time statuses of the first robotic process and the second robotic process using the homogeneous data. Provide an additional layer of security to the robotic process (Ganesan: abstract and Col 7, lines 21-22).
GORODISSKY further discloses perform the penetration testing (par 0156; fig. 10; the executing of the first penetration testing campaign comprises performing one or more validation operations for validating vulnerabilities).

Regarding Claim 3;
The combination of GORODISSKY and Ganesan disclose the computer-implemented method of claim 1, 
Ganesan discloses wherein the directly connecting of the one or more robots comprising: deploying the one or more robots unassigned to one another RPA process, and assigning the one or more robots to perform the task (Ganesan: Col 6, lines 19- 35; provide a universal RPA gateway that is capable of discovering and tracking robotic processes built and deployed via multiple third-party RPA platforms [] run-time robotic workforce management activities can include adding or deleting robotic processes, starting, stopping or restarting robotic processes, assigning, reassigning or changing the task of a robotic process).
One would have been motivated to determine real-time statuses of the first robotic process and the second robotic process using the homogeneous data. Provide an additional layer of security to the robotic process (Ganesan: abstract and Col 7, lines 21-22).
GORODISSKY further discloses perform the penetration testing (par 0156; fig. 10; the executing of the first penetration testing campaign comprises performing one or more validation operations for validating vulnerabilities).

Regarding Claim 4; 
The combination of GORODISSKY and Ganesan disclose the computer-implemented method of claim 1, 
GORODISSKY discloses wherein the executing of the penetration testing comprising: accessing the workflow specific for the operating system; and executing the workflow to cause the one or more robots to simulate the penetration testing (GORODISSKY: par 0024; penetration testing by accessing and attempting to attack the tested networked system [] the verification is done by simulating the results of that operation or sequence of operations; par 303; attack agent—a software module that can be installed on a network node and can be executed by a processor of that network node for partially or fully implementing the attack function of a penetration test par 0156; the executing of the first penetration testing campaign comprises performing one or more validation operations for validating vulnerabilities; par 0260; If it is determined that the networked system can be compromised, then the one or more security vulnerabilities of the networked system are identified).

Regarding Claim 5;
The combination of GORODISSKY and Ganesan disclose the computer-implemented method of claim 1, 
GORODISSKY discloses wherein the executing of the penetration testing comprising: recording, by the one or more robots, actions performed by a penetration tester during a penetration test; and using, by the one or more robots, the recorded actions to create the workflow to simulate the penetration test (GORODISSKY: par 0024; penetration testing by accessing and attempting to attack the tested networked system [] the verification is done by simulating the results of that operation or sequence of operations; par 303; attack agent—a software module that can be installed on a network node and can be executed by a processor of that network node for partially or fully implementing the attack function of a penetration test; par 0277; output generated by the penetration testing campaign. This includes, among other things, data about any security vulnerability of the networked system tested by the penetration testing campaign that is detected by the campaign; par 0118; reporting, by the penetration testing system, at least one security vulnerability determined to exist in the networked system by the executing of the single penetration testing campaign, wherein the reporting comprises at least one of [] electronically transmitting the report containing information about the at least one security vulnerability).



Regarding Claim 8;
The combination of GORODISSKY and Ganesan disclose the computer-implemented method of claim 1, 
GORODISSKY discloses upon directly connecting with the operating system, determining, by the one or more robots, type of the operating system (GORODISSKY: par 0304; fig. 1A; the penetration testing software module installed and executed on a single computing device or comprise multiple software components that reside on multiple computing device; par 303; attack agent—a software module that can be installed on a network node and can be executed by a processor of that network node for partially or fully implementing the attack function of a penetration test; pars 0174-175; validation is selected for a given vulnerability, a given damaging operation, a given scenario template or a given campaign may be based on any type of reasoning. Specific examples are: based on the type of damaging operation caused to the tested networked system as a result of successfully exploiting the vulnerability); and loading, by the one or more robots, the workflow associated with the type of operating system in order to execute the simulation of the penetration testing (GORODISSKY: par 0304; fig. 1A; the penetration testing software module installed and executed on a single computing device or comprise multiple software components that reside on multiple computing device; par 303; attack agent—A software module that can be installed on a network node and can be executed by a processor of that network node for partially or fully implementing the attack function of a penetration test; pars 0174-175; validation is selected for a given vulnerability, a given damaging operation, a given scenario template or a given campaign may be based on any type of reasoning. Specific examples are: based on the type of damaging operation caused to the tested networked system as a result of successfully exploiting the vulnerability).  

Regarding Claim 11;
This Claim recites an apparatus that perform the same steps as method of Claim 1, and has limitations that are similar to Claim 1, thus are rejected with the same rationale applied against claim 1.  

Regarding Claim 12;
This Claim recites an apparatus that perform the same steps as method of Claim 2, and has limitations that are similar to Claim 2, thus are rejected with the same rationale applied against claim 2.  

Regarding Claim 13;
This Claim recites an apparatus that perform the same steps as method of Claim 3, and has limitations that are similar to Claim 3, thus are rejected with the same rationale applied against claim 3.  




Regarding Claim 14;
This Claim recites an apparatus that perform the same steps as method of Claim 4, and has limitations that are similar to Claim 4, thus are rejected with the same rationale applied against claim 4.  

Regarding Claim 15;
This Claim recites an apparatus that perform the same steps as method of Claim 5, and has limitations that are similar to Claim 5, thus are rejected with the same rationale applied against claim 5.  

Regarding Claim 18;
This Claim recites an apparatus that perform the same steps as method of Claim 8, and has limitations that are similar to Claim 8, thus are rejected with the same rationale applied against claim 8.  

Regarding Claim 21;
This Claim recites a computer program that perform the same steps as method of Claim 1, and has limitations that are similar to Claim 1, thus are rejected with the same rationale applied against claim 1.  




Regarding Claim 22;
This Claim recites a computer program that perform the same steps as method of Claim 2, and has limitations that are similar to Claim 2, thus are rejected with the same rationale applied against claim 2.  

Regarding Claim 23;
This Claim recites a computer program that perform the same steps as method of Claim 3, and has limitations that are similar to Claim 3, thus are rejected with the same rationale applied against claim 3.  

Regarding Claim 24;
This Claim recites a computer program that perform the same steps as method of Claim 4, and has limitations that are similar to Claim 4, thus are rejected with the same rationale applied against claim 4.  

Regarding Claim 25;
This Claim recites a computer program that perform the same steps as method of Claim 5, and has limitations that are similar to Claim 5, thus are rejected with the same rationale applied against claim 5.  




Regarding Claim 28;
This Claim recites a computer program that perform the same steps as method of Claim 8, and has limitations that are similar to Claim 8, thus are rejected with the same rationale applied against claim 8.  

Claims 6-7, 16-17 and 26-27 are rejected under 35 U.S.C. 103 as being unpatentable over GORODISSKY et al. (US 20190149572) in view Ganesan et al. (US 10802889) and further in view of VELA et al (“VELA,” US 20210273967, filed on 06/26/2019)

Regarding Claim 6;
The combination of GORODISSKY and Ganesan disclose the computer-implemented method of claim 1, 
GORODISSKY wherein the executing of the penetration testing comprising: scanning, by the one or more robots, ports and services open or available within the OS, and identifying the ports and services with vulnerabilities and weak credential logins (GORODISSKY: par 0017; “A campaign of penetration testing” is a specific run of a specific test of a specific networked system by the penetration testing system; par 303; attack agent—a software module that can be installed on a network node and can be executed by a processor of that network node for partially or fully implementing the attack function of a penetration test; par 0029; a penetration testing system has a frequent need to identify a vulnerability that would compromise a given network node [] Operating System might be compromised by sending it a specific network message through a specific Internet port).
The combination of GORODISSKY and Ganesan disclose identifying the ports and services with vulnerabilities as recited above, but do not explicitly disclose identifying the weak credential logins.
However, in an analogous art, VELAE discloses securing a network system/method that includes:
identifying the weak credential logins (VELAE: par 0006; attempt to automate techniques for penetration testing; par 0037; the identification module identifies the vulnerability as easy remote access to a network, then the cyber-attack can be selected to compromise user accounts on remote access applications using weak or manufacturers' default passwords).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of VELAE with the method/system of GORODISSKY and Ganesan to include identifying the weak credential logins. One would have been motivated to determine an effectiveness rating of the penetration and configured to provide a feedback to the identification module based on at least the effectiveness rating of the penetration (VELAE: abstract).
	
Regarding Claim 7;
The combination of GORODISSKY and Ganesan disclose the computer-implemented method of claim 1, 
GORODISSKY discloses wherein the executing of the penetration testing comprising: attempting to access, by the one or more robots, one or more user accounts to identify one or more compromised user accounts (GORODISSKY: par 0122; a particular vulnerability for a particular network node:  the identity of the node's user—is it someone with access to top-level confidential data, or someone with little or no access to confidential data; par 303; attack agent—a software module that can be installed on a network node and can be executed by a processor of that network node for partially or fully implementing the attack function of a penetration test; par 0260; If it is determined that the networked system can be compromised, then the one or more security vulnerabilities of the networked system are identified); and identifying the one or more comprised user accounts that are granted access during the penetration testing (GORODISSKY: par 0122; a particular vulnerability for a particular network node:  the identity of the node's user—is it someone with access to top-level confidential data, or someone with little or no access to confidential data; par 303; attack agent—a software module that can be installed on a network node and can be executed by a processor of that network node for partially or fully implementing the attack function of a penetration test; par 0033; testing whether the given vulnerability succeeds in compromising the given node by actually attempting to compromise the node by exploiting the vulnerability, and then finding out if the attempt was successful and the node was indeed compromised).
The combination of GORODISSKY and Ganesan disclose all the limitations as recited above, but do not explicitly disclose wherein the attempting to access of the one or more user accounts comprises using default login credentials for each the one or more user accounts.
However, in an analogous art, NUMAINVILLE discloses attack detection system/method that includes:
wherein the attempting to access of the one or more user accounts comprises using default login credentials for each the one or more user accounts (VELAE: par 0006; attempt to automate techniques for penetration testing; par 0037; the identification module identifies the vulnerability as easy remote access to a network, then the cyber-attack can be selected to compromise user accounts on remote access applications using weak or manufacturers' default passwords).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of VELAE with the method/system of GORODISSKY and Ganesan to include wherein the attempting to access of the one or more user accounts comprises using default login credentials for each the one or more user accounts. One would have been motivated to determine an effectiveness rating of the penetration and configured to provide a feedback to the identification module based on at least the effectiveness rating of the penetration (VELAE: abstract).




Regarding Claim 16;
This Claim recites an apparatus that perform the same steps as method of Claim 6, and has limitations that are similar to Claim 6, thus are rejected with the same rationale applied against claim 6.  

Regarding Claim 17;
This Claim recites an apparatus that perform the same steps as method of Claim 7, and has limitations that are similar to Claim 7, thus are rejected with the same rationale applied against claim 7.  

Regarding Claim 26;
This Claim recites a computer program that perform the same steps as method of Claim 6, and has limitations that are similar to Claim 6, thus are rejected with the same rationale applied against claim 6.  

Regarding Claim 27;
This Claim recites a computer program that perform the same steps as method of Claim 7, and has limitations that are similar to Claim 7, thus are rejected with the same rationale applied against claim 7.  



Claims 9, 19 and 29 are rejected under 35 U.S.C. 103 as being unpatentable over GORODISSKY et al. (US 20190149572) in view Ganesan et al. (US 10802889) and further in view of Ghare et al. (“Ghare,” US 20200159648, published on 05/21/2020)

Regarding Claim 9;
The combination of GORODISSKY and Ganesan disclose the computer-implemented method of claim 1, 
GORODISSKY discloses simulating the penetration testing (GORODISSKY: par 0024; penetration testing by accessing and attempting to attack the tested networked system [] the verification is done by simulating the results of that operation or sequence of operations).
The combination of GORODISSKY and Ganesan disclose simulating the penetration testing as recited above, but do not explicitly disclose workflow to create a new workflow for simulating the penetration testing, or combining, by the system admin robot, two or more workflows to create a new workflow for simulating.
However, in an analogous art, Ghare discloses robotics application development system/method that includes:
modifying, by a system admin robot, one or more steps in a workflow to create a new workflow for simulating the testing, or combining, by the system admin robot, two or more workflows to create a new workflow for simulating the penetration testing (Ghare; par 0021; management service generate the simulation environment for testing of the application using a simulated robotic device; par 0026; the robotic device management service monitors performance of the fleet of robotic devices based on actions performed by the robotic devices and any data obtained from the robotic devices [] provide data corresponding to the issue to the customer to allow the customer to determine a course of action (e.g., modifying the simulation parameters and executing a new simulation of the application, modifying the computer-executable code for the application, etc.).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Ghare with the method/system of GORODISSKY and Ganesan to include modifying, by a system admin robot, one or more steps in a workflow to create a new workflow for simulating the penetration testing, or combining, by the system admin robot, two or more workflows to create a new workflow for simulating the penetration testing. One would have been motivated to a selection of a simulation environment for testing the application. In response to the request, the robotic device management service selects a set of resources on which to execute the simulation in the simulation environment (Ghare; abstract).

Regarding Claim 19;
This Claim recites an apparatus that perform the same steps as method of Claim 9, and has limitations that are similar to Claim 9, thus are rejected with the same rationale applied against claim 9.  

Regarding Claim 29;
This Claim recites a computer program that perform the same steps as method of Claim 9, and has limitations that are similar to Claim 9, thus are rejected with the same rationale applied against claim 9.  

Claims 10, 20 and 30 are rejected under 35 U.S.C. 103 as being unpatentable over GORODISSKY et al. (US 20190149572) in view Ganesan et al. (US 10802889) and further in view of ERICKSON et al. (“ERICKSON,” US 20180200891, published on 07/19/208)

Regarding Claim 10;
The combination of GORODISSKY and Ganesan disclose the computer-implemented method of claim 1, 
GORODISSKY discloses receiving, by a system admin robot, the report identifying the malicious activity, misconfigurations or vulnerabilities within the operating system (GORODISSKY: par 303; software module that can be installed on a network node and can be executed by a processor of that network node for partially or fully implementing the attack function of a penetration test; par 0277; fig. 13C; output generated by the penetration testing campaign. This includes, among other things, data about any security vulnerability of the networked system tested by the penetration testing campaign that is detected by the campaign; par 0118; reporting, by the penetration testing system, at least one security vulnerability determined to exist in the networked system).
The combination of GORODISSKY and Ganesan disclose  all the limitations as recited above, but do not explicitly disclose executing, by the system admin robot, a workflow to perform corrective measures removing the malicious activity, misconfigurations or vulnerabilities within the operating system.  
However, in an analogous art, ERICKSON controlling the movement of mobile robots system/method that includes:
executing, by the system admin robot, a workflow to perform corrective measures removing the malicious activity, misconfigurations or vulnerabilities within the operating system (ERICKSON: par 0053; if the antivirus scan operation indicates that a software virus is included in the mobile robot's subsystem, the software virus removed from the subsystem).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of ERICKSON with the method/system of GORODISSKY and Ganesan to include executing, by the system admin robot, a workflow to perform corrective measures removing the malicious activity, misconfigurations or vulnerabilities within the operating system. One would have been motivated to determine whether the software state of the mobile robot meets the software requirement (ERICKSON: abstract).
	
Regarding Claim 20;
This Claim recites an apparatus that perform the same steps as method of Claim 10, and has limitations that are similar to Claim 10, thus are rejected with the same rationale applied against claim 10
Regarding Claim 30;
This Claim recites a computer program that perform the same steps as method of Claim 10, and has limitations that are similar to Claim 10, thus are rejected with the same rationale applied against claim 10.  


Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHAO WANG whose telephone number is (313)446-6644.  The examiner can normally be reached on Monday-Friday 7:30-4:30PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on (571)270-5002.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/C.W./Examiner, Art Unit 2439    



/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439