DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

This Office Action is in response to Application filed on May 02, 2022 in which claims 40-58 are presented for examination; claims 1-39 were canceled.

Information Disclosure Statement
The information disclosure statements (IDS) submitted on May 19, 2022 and October 05, 2022 are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statements are being considered by the examiner.

Claim Objections
Claims 41-58 are objected to under 37 CFR 1.75(c) as being in improper form because a claim cannot be dependent on a canceled claim. See MPEP § 608.01(n). Accordingly, claims 41-58 have not been further treated on the merits.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.

Claims 40-58 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-38 of U.S. Patent No. 11,347,797. Although the claims at issue are not identical, they are not patentably distinct from each other because claims 40-58 of the present application are being anticipated by claims 1-38 of US Patent No. 11,347,797.


Application No. 17/734,864 (claims 40-58, listed first) compared with Patent No. 11,347,797 (claims 1-38, listed second)

40. (New) A method of constructing a graph data structure representing a prospective asset inventory graph, the method comprising: defining a plurality of nodes within the graph data structure, each node representing an asset of a network; defining a plurality of edges within the graph data structure, each edge representing a connection between two respective nodes of the plurality of nodes, such that each node of the plurality of nodes is connected by at least one edge; defining a plurality of matching criteria indicative of a probability of common ownership between any node of the plurality of nodes and any other node of the plurality of nodes; by applying the plurality of matching criteria to the two respective nodes of at least some edges of the plurality of edges, defining weights within the graph data structure for the at least some edges, each weight representing a probability that the two respective nodes of the edge are commonly owned; and culling at least one node from the graph data structure based on a culling criterion.

41. (New) The method of claim 1, wherein the culling criterion comprises a manual input.

42. (New) The method of claim 1, wherein the culling criterion comprises an edge of the node having a weight that is less than a threshold value.

43. (New) The method of claim 1, wherein defining the plurality of matching criteria comprises: identifying metadata for known assets of the network; selecting predetermined metadata about the known assets; canonicalizing the predetermined metadata to form canonicalized metadata; searching an asset database for matches to the canonicalized metadata; and identifying metadata that is likely an artifact of a registration process rather than an indicia of ownership or control.

44. (New) The method of claim 4, wherein the metadata comprises at least one of a hostname, a list of vulnerabilities, a list of open ports used, estimated geolocation of the asset, operating system used for the asset, service banners of the asset, TLS certificate details of the asset, an IP address, a DNS type indicator, DNS registration data, ASN information of the IP address, or contents of technology stack indicative of one or more of a language of a web application, an API of the web application, or HTTP links that include social signals.

45. (New) The method of claim 1, wherein a weight of an edge is a sum of individual matching weights, whereby the weight of the edge is increased for a larger number of matches.

46. (New) The method of claim 1, wherein the plurality of nodes is derived from an ownership data structure indicative of asset ownership or asset relationship.

47. (New) The method of claim 7, wherein the ownership data structure comprises one or more of a Domain Naming System (DNS) database, an ASN registry, a historical DNS database, a corporate ownership document database, a historical lookup database, and/or a WHOIS database.

48. (New) The method of claim 7, wherein the ownership data structure comprises one or more of a binary tree, a sharded set of files, a lookup table, an API, and/or an mtbl.

49. (New) The method of claim 1, wherein the culling criterion comprises at least one of human input, one or more blacklists, or a machine learning output indicative of a node not being a commonly owned asset.

50. (New) The method of claim 1, further comprising: formatting a representation of the graph data structure into a display format; and presenting the display format on a display. 

51. (New) The method of claim 1, wherein the plurality of nodes comprises one or more of a domain, an Internet-connected asset, a subdomain, an IP address, a virtual host, a web server, a name server, IoT device, a desktop computer, a network printer, a mail server, a device connected to the Internet or an internal network, a content delivery network, a proxy, a firewall, an intrusion detection system, a router, and/or a switch.

52. (New) The method of claim 1, wherein the plurality of nodes comprises at least one device capable of accepting network traffic.

53. (New) The method of claim 1, wherein the plurality of matching criteria comprise one or more of: a first test for whether a first node of an edge shares a common registration e-mail address with a second node of the edge; a second test for whether the first node of the edge shares a common registration e-mail address domain with the second node of the edge; a third test for whether the first node of the edge was registered using e-mail address with an e-mail domain matching that of the second node of the edge; a fourth test for whether the first node of the edge and the second node of the edge share a WHOIS field in common; a fifth test for whether the first node of the edge and the second node of the edge both include hosted content that refers back to a common host; a sixth test for whether the first node of the edge and the second node of the edge both use a common certificate authority; a seventh test for whether the first node of the edge or the second node of the edge hosts pages that include links to particular other sites, excluding a pre-determined set of common linked-to sites; an eighth test for correlation between the first node of the edge and the second node of the edge and/or common links found in both the first node of the edge and the second node of the edge; a ninth test for whether the first node of the edge and the second node of the edge share a common IP address; a tenth test for whether the first node of the edge and the second node of the edge share a classless inter-domain routing (CIDR) block in common; or an eleventh test for whether the first node of the edge and the second node of the edge share a CIDR feature in common.

54. (New) The method of claim 1, wherein the culling includes at least one of: filtering of addresses on a pre-determined list of reusable internal addresses; or filtering for top level domains (TLDs) that are on a pre-determined list of commonly reused TLDs or portions of TLDs on a pre-determined list of commonly reused portions of TLDs.

55. (New) The method of claim 1, wherein defining weights within the graph data structure includes at least one of: adjusting a probability based on whether the probability is initially determined based on usages of address spaces wherein ultimate addresses are shielded by overlapping address ranges that are reusable over a plurality of unrelated entities; adjusting a probability based on a pre-determined list of linkages between known providers sharing an address space; adjusting a probability based on a pre-determined list of privacy services, whereby correlations for unrelated parties using a given privacy service are deemed less correlated than if they were related parties; adjusting a probability based on known providers sharing IP space via a privacy service used by a plurality of unrelated parties; adjusting a probability based on two nodes sharing of one or more of a domain proxy service, a domain privacy service, blank or undefined whois results, an e-mail address, a phone number, a physical address, a whois entry, a corporate address or placeholder results; adjusting a probability based on whether two nodes have pointer (PTR) records for hostnames to a shared top-level domain; adjusting a probability based on whether an autonomous system number (ASN) is designated as being reserved or private; adjusting a probability based on a rule that indicates a false positive for common ownership; or adjusting a probability based on top-level domains (TLDs) that are used over unrelated entities.

56. (New) The method of claim 16, wherein the usages of address spaces comprise one or more of internal RFC 1918 addresses, RFC 4193 addresses, RFC 6890 addresses, RFC 3927 addresses, loopback addresses, local link addresses, broadcast addresses, carrier grade NAT, unique local addressing, and/or non-routable Internet protocol addresses.

57. (New) The method of claim 16, wherein adjusting the probability based on the rule involves applying a plurality of rules to the plurality of edges.

58. (New) The method of claim 1, wherein defining weights within the graph data structure includes adjusting a probability based on manual feedback indicative of false positives.

1. A method of constructing a graph data structure representing a prospective asset inventory graph and comprising nodes, each node representing an asset of a network, and edges, each edge representing a connection between nodes and at least some edges having weights represented in the graph data structure and indicative of common control of assets represented in the graph data structure, the method comprising: storing a representation of at least one seed asset in the graph data structure; extending the prospective asset inventory graph to include an additional node based on a matching criteria indicative of the additional node being presumed to be under the common control of the assets based on the matching criteria indicating a match between the additional node and an existing node already on the prospective asset inventory graph; assigning confidence levels to at least some of the nodes, wherein a confidence level of a given node corresponds to a likelihood that the asset of the given node is a commonly controlled asset; recursively applying the matching criteria between the additional node and a third node representing a third asset not already represented on the prospective asset inventory graph; culling branches of the prospective asset inventory graph based on identification of edges having weights less than an indicia threshold indicative of common control; and updating the graph data structure based on the extending and culling.

2. The method of claim 1, wherein extending comprises: reading the prospective asset inventory graph to identify metadata for known assets comprising a set of assets already on the prospective asset inventory graph; selecting predetermined metadata about the known assets; canonicalizing the predetermined metadata to form canonicalized metadata; searching an asset database for matches to the canonicalized metadata; filtering out nodes for assets where metadata is likely an artifact of a registration process rather than an indicia of ownership or control; and for each remaining match, adding that asset to the prospective asset inventory graph.

3. The method of claim 1, wherein a weight of an edge of the prospective asset inventory graph is a sum of individual matching weights, whereby the weight of the edge is increased for a larger number of matches.

4. The method of claim 1, wherein additional nodes are derived from a data structure indicative of asset ownership or asset relationship.

5. The method of claim 4, wherein the data structure comprises one or more of a Domain Naming System (DNS) database, an ASN registry, a historical DNS database, a corporate ownership document database, a historical lookup database, and/or a WHOIS database, and wherein extending the graph data structure comprises searching the Domain Naming System (DNS) database, the historical DNS databases, and/or the WHOIS database to identify nodes satisfying a matching criteria.

6. The method of claim 4, wherein the data structure comprises one or more of a binary tree, a sharded set of files, a lookup table, an API, and/or an mtbl.

7. The method of claim 1, wherein culling comprises obtaining manual inputs reflective of human input, blacklists, and/or machine learning output indicative of an object not being a commonly controlled asset.

8. The method of claim 1, wherein recursively applying the matching criteria is performed automatically and selections comprise a subset of available methods of linking, based on selective depth, confidence, settings, or other criteria, with selection comprising including methods and/or excluding methods.

9. The method of claim 1, wherein recursively applying the matching criteria is performed according to a user-defined recursion and selections comprise a subset of available methods of linking, based on selective depth, confidence, settings, or other criteria, with selection comprising including methods and/or excluding methods.

10. The method of claim 1, further comprising: formatting a representation of the prospective asset inventory graph into a display format; and presenting the display format on a display.

11. The method of claim 1, wherein metadata about assets on the prospective asset inventory graph comprises one or more of a hostname, a list of vulnerabilities, a list of open ports used, estimated geolocation of the asset, operating system used for the asset, service banners of the asset, TLS certificate details of the asset, an IP address, a DNS type indicator, DNS registration data, and/or ASN information of the IP address.

12. The method of claim 11, wherein metadata further comprises contents of technology stack indicative of one or more of a language of a web application, an API of the web application, and/or HTTP links that include social signals.

13. The method of claim 1, wherein assets of the network comprise one or more of a domain, an Internet-connected asset, a subdomain, an IP address, a virtual host, a web server, a name server, IoT device, a desktop computer, a network printer, a mail server, a device connected to the Internet or an internal network, a content delivery network, a proxy, a firewall, an intrusion detection system, a router, and/or a switch.

14. The method of claim 1, wherein assets of the network comprise one or more device capable of accepting network traffic.

15. The method of claim 1, wherein a first asset is a first domain, a second asset is a second domain, the first asset is on the prospective asset inventory graph, and the matching criteria comprises one or more of: a first test for whether the second domain shares a common registration e-mail address with the first domain; a second test for whether the second domain shares a common registration e-mail address domain with the first domain; a third test for whether the second domain was registered using e-mail address with an e-mail domain matching that of the first domain; a fourth test for whether the second domain and the first domain share a WHOIS field in common; a fifth test for whether the second domain and the first domain both include hosted content that refers back to a common host; and a sixth test for whether the second domain and the first domain both use a common certificate authority.

16. The method of claim 15, wherein at least one test is performed using historical data.

17. The method of claim 15, wherein at least one domain is a subdomain.

18. The method of claim 15, wherein at least one test is performed with respect to a state at a particular time.

19. The method of claim 1, wherein the matching criteria comprises a test to check whether a site has pages that include links to particular other sites, excluding a pre-determined set of common linked-to sites.

20. The method of claim 1, wherein the matching criteria comprises a test of correlation between a first site and a second site and/or common links found in both the first site and the second site.

21. The method of claim 1, further comprising filtering of addresses on a pre-determined list of reusable internal addresses.

22. The method of claim 1, further comprising filtering for TLDs that are on a pre-determined list of commonly reused TLDs or portions of TLDs on a pre-determined list of commonly reused portions of TLDs.

23. The method of claim 1, further comprising adjusting correlations based on whether correlation is initially determined based on usages of address spaces wherein ultimate addresses are shielded by overlapping address ranges that are reusable over a plurality of unrelated entities.

24. The method of claim 23, wherein the usages of address spaces comprise one or more of internal RFC 1918 addresses, RFC 4193 addresses, RFC 6890 addresses, RFC 3927 addresses, loopback addresses, local link addresses, broadcast addresses, carrier grade NAT, unique local addressing, and/or non-routable Internet protocol addresses.

25. The method of claim 1, further comprising adjusting correlations based on a pre-determined list of linkages between known providers sharing an address space.

26. The method of claim 1, further comprising adjusting correlations based on a pre-determined list of privacy services, whereby correlations for unrelated parties using a given privacy service are deemed less correlated than if they were related parties.

27. The method of claim 1, wherein a first asset is a first subdomain, a second asset is a second subdomain, the first asset is on the prospective asset inventory graph, and the matching criteria comprises one or more of: a first test for whether the second subdomain and the first subdomain share a common IP address; a second test for whether the second subdomain and the first subdomain share a CIDR block in common; and a third test for whether the second subdomain and the first subdomain share a CIDR feature in common.

28. The method of claim 1, further comprising reducing probability of linkages caused by known providers sharing IP space via a privacy service used by a plurality of unrelated parties.

29. The method of claim 28, wherein sharing is of one or more of an e-mail address, a phone number, a physical address, a whois entry, and/or a corporate address.

30. The method of claim 1, further comprising reducing probability of linkages caused by sharing of one or more of a domain proxy service, a domain privacy service, blank or undefined whois results, and/or placeholder results.

31. The method of claim 1, further comprising user-defined recursion.

32. The method of claim 1, further comprising processing based on whether two or more IPs both have PTR records for hostnames to a shared top-level domain.

33. The method of claim 1, further comprising reducing probability of linkages caused by top-level domains that are used over unrelated entities.

34. The method of claim 33, wherein effective TLDs or TLDs are treated as being correlated with a pre-determined tunable weight of correlation.

35. The method of claim 1, wherein ASNs designated as being reserved or private are deemed uncorrelated.

36. A method of processing a graph data structure representing a prospective asset inventory graph and comprising nodes, each representing an asset of a network, and edges, each representing a connection between nodes and at least some edges having weights represented in the graph data structure and indicative of common control of assets represented in the graph data structure, the method comprising: obtaining a representation of the graph data structure; obtaining matching criteria indicative of common control of the assets as between a first node and a second node; obtaining a rule set corresponding to probable false positive indications of common control; and applying the rule set to the graph data structure to reduce a first weight between the first node and the second node when a rule in the rule set indicates that the matching criteria indicates a condition leading to a false positive indication.

37. The method of claim 36, wherein applying the rule set to the graph data structure to reduce the first weight comprises processing a plurality of rules of the rule set that each indicate a likely false positive common control indication.

38. The method of claim 36, further comprising applying manual feedback indicative of false positives to reduce the first weight.
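
Added example, not part of the Office Action, the application, or the patent: a small Python model of the method the compared claims recite, with edge weights summed from individual matching tests, weights reduced for privacy-service and reusable-address false positives, and culling by threshold starting from a seed asset. The weights, threshold, discount factor, privacy-service list, field names and asset records are all constructed assumptions.

```python
import ipaddress
from itertools import combinations

# Assumed weights, threshold and lists (illustrative values, not taken from the claims).
MATCH_WEIGHTS = {"reg_email": 0.5, "reg_email_domain": 0.3,
                 "cert_authority": 0.05, "ip": 0.4}
CULL_THRESHOLD = 0.25
PRIVACY_DISCOUNT = 0.1                         # down-weighting for privacy services
PRIVACY_SERVICES = {"privacy-proxy.example"}   # constructed pre-determined list
REUSABLE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "fc00::/7",                                        # RFC 4193 unique local
    "169.254.0.0/16", "fe80::/10",                     # RFC 3927 / link-local
    "100.64.0.0/10",                                   # carrier-grade NAT
    "127.0.0.0/8", "::1/128",                          # loopback
)]

# Constructed sample assets: three belong to one owner, two are unrelated parties.
ASSETS = {
    "example.com":          {"reg_email": "admin@example.com", "ca": "CA-One", "ip": "203.0.113.10"},
    "example.net":          {"reg_email": "Admin@Example.com ", "ca": "CA-One", "ip": "203.0.113.10"},
    "intranet.example.com": {"reg_email": "it@example.com", "ca": "CA-Two", "ip": "10.0.0.5"},
    "othercorp.test":       {"reg_email": "c41@privacy-proxy.example", "ca": "CA-One", "ip": "10.0.0.5"},
    "parked-site.test":     {"reg_email": "c41@privacy-proxy.example", "ca": "CA-Three", "ip": "192.0.2.44"},
}

def canonical(value):
    """Canonicalize metadata before comparison (trim and lower-case)."""
    return (value or "").strip().lower()

def is_reusable(ip):
    """True if the address lies in space that unrelated entities reuse."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in REUSABLE_NETS)

def edge_weight(a, b, adjust=True):
    """Sum the weights of the matching tests that fire for one pair of assets.
    With adjust=True, apply the false-positive rules before summing."""
    weight = 0.0
    ea, eb = canonical(a["reg_email"]), canonical(b["reg_email"])
    da, db = ea.rpartition("@")[2], eb.rpartition("@")[2]
    if ea and da == db:
        email_w = MATCH_WEIGHTS["reg_email" if ea == eb else "reg_email_domain"]
        if adjust and da in PRIVACY_SERVICES:
            email_w *= PRIVACY_DISCOUNT      # shared privacy service: weak evidence
        weight += email_w
    if canonical(a["ca"]) and canonical(a["ca"]) == canonical(b["ca"]):
        weight += MATCH_WEIGHTS["cert_authority"]
    if a["ip"] == b["ip"] and not (adjust and is_reusable(a["ip"])):
        weight += MATCH_WEIGHTS["ip"]        # reusable addresses are filtered out
    return round(min(weight, 1.0), 3)        # cap at 1.0 (assumption)

def build_edges(assets, adjust=True):
    """Weighted edges for every pair of assets with at least one match."""
    edges = {}
    for x, y in combinations(sorted(assets), 2):
        w = edge_weight(assets[x], assets[y], adjust)
        if w > 0:
            edges[(x, y)] = w
    return edges

def inventory(assets, seed, adjust=True):
    """Cull edges below the threshold, then keep nodes still reachable from the seed."""
    strong = [p for p, w in build_edges(assets, adjust).items() if w >= CULL_THRESHOLD]
    kept, frontier = {seed}, [seed]
    while frontier:
        node = frontier.pop()
        for x, y in strong:
            if node in (x, y):
                other = y if node == x else x
                if other not in kept:
                    kept.add(other)
                    frontier.append(other)
    return kept

if __name__ == "__main__":
    print("adjusted:", sorted(inventory(ASSETS, "example.com")))
    print("naive:   ", sorted(inventory(ASSETS, "example.com", adjust=False)))
```

Without the adjustments, the shared 10.0.0.5 address and the shared privacy-service e-mail chain both unrelated assets into the inventory; with them, only the three commonly owned assets survive culling.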



Allowable Subject Matter
Claims 40-58 would be allowable if the proper dependencies of claims 41-58 are indicated and a Terminal Disclaimer is filed in response to this Office Action.

The following is a statement of reasons for the indication of allowable subject matter: the present disclosure generally relates to managing assets in a distributed computing environment and, more particularly, to apparatus and techniques for performing searches of network-connected assets to identify assets under control of an entity. The closest prior art of record, Sowizral et al. US Publication No. 2002/0089508 A1 and Avidar et al. US Patent No. 10,425,340 disclose similar methodologies. However, the closest prior art of record, Sowizral et al. US Publication No. 2002/0089508 A1 and Avidar et al. US Patent No. 10,425,340 failed to show “constructing a graph data structure representing a prospective asset inventory graph, the method comprising: defining a plurality of nodes within the graph data structure, each node representing an asset of a network; defining a plurality of edges within the graph data structure, each edge representing a connection between two respective nodes of the plurality of nodes, such that each node of the plurality of nodes is connected by at least one edge; defining a plurality of matching criteria indicative of a probability of common ownership between any node of the plurality of nodes and any other node of the plurality of nodes; by applying the plurality of matching criteria to the two respective nodes of at least some edges of the plurality of edges, defining weights within the graph data structure for the at least some edges, each weight representing a probability that the two respective nodes of the edge are commonly owned; and culling at least one node from the graph data structure based on a culling criterion”.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to FRANTZ COBY whose telephone number is (571)272-4017. The examiner can normally be reached Monday-Thursday 7AM-5:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Umar Cheema can be reached on 571 270-3037. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/FRANTZ COBY/
Primary Examiner, Art Unit 2456
December 14, 2022