Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
DETAILED ACTION
1. A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on August 14, 2025 has been entered.
2. Claims 1-2, 4-17, and 19-21 are pending in this application.
Claim Interpretation
3. The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.
The following is a quotation of pre-AIA 35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.
4. The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art. The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is invoked.
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph:
(A) the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function;
(B) the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and
(C) the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function.
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function.
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function.
Claim limitations in claim 17 of this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
Claim Rejections - 35 USC § 101
5. 35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
6. Claims 1-2, 4-17, and 19-21 are rejected under 35 U.S.C. 101 because the claim invention is directed to a judicial exception (i.e., law of nature, natural phenomenon, or abstract idea) without significantly more.
Independent claim 1, which is analyzing as the following:
Step 1: This part of the eligibility analysis evaluates whether the claim falls within any statutory category. See MPEP 2106.03. The claim recites a method for monitoring network security. Thus, the claim is to a process, which is one of the statutory categories of invention. (Step 1: YES).
Step 2A, Prong One: This part of the eligibility analysis evaluates whether the claim recites a judicial exception. As explained in MPEP 2106.04, subsection II, a claim “recites” a judicial exception when the judicial exception is “set forth” or “described” in the claim.
The claim recites a method for monitoring network security. The claim recites the steps: providing subscription access to a plurality of users…; continuously and in real-time extracting machine-readable facts…; associating risk identifiers with at least come of the extracted machine-readable facts; continuously deriving and storing risk profiles…; providing an ontology that associates a different subset of the monitored entities…; adjusting the ontology overtime; continuously aggregating the risk score for the scored entities…, wherein the aggregated computer security risk scores express security risks to the third-party organizational entities; continuously determining whether the aggregated organizational risk score meets …, and issuing a real-time alert in response to the meeting or the predetermined criteria for each of a plurality of the third-party organizational entities to each subscribing user for the third-party organization entity.., under its broadest reasonable interpretation when read in light of the Specification, falls within “Certain Methods of Organizing Human Activity” grouping of abstract ideas as they cover performance of fundamental economic principles or practices including hedging, insurance, mitigating risk; commercial or legal interactions including agreements in the form of contracts, legal obligations, advertising, marketing or sales activities or behaviors, business relations; managing personal behavior or relationships or interactions between people including social activities, teaching and following rules or instructions. See MPEP 2106.04(a)(2), subsection III.
Therefore, the claim recites an abstract idea. (Step 2A, Prong One: YES).
Step 2A, Prong Two: This part of the eligibility analysis evaluates whether the claim as a whole integrates the recited judicial exception into a practical application of the exception or whether the claim is “directed to” the judicial exception. This evaluation is performed by (1) identifying whether there are any additional elements recited in the claim beyond the judicial exception, and (2) evaluating those additional elements individually and in combination to determine whether the claim as a whole integrates the exception into a practical application. See MPEP 2106.04(d).
The claim recites the additional elements of “a plurality of users whose systems interface with one or more of a plurality of third-party organizational entities possessing digital assets over the computer network”; “wherein the real-time alert is issued for organizational entities whose systems interface with one or more of the subscribing users over the computer network”; and “electrically issuing a real-time alert.” The claim also recites that the steps of “providing subscription access to a plurality of users…; continuously and in real-time extracting machine-readable facts…; associating risk identifiers with at least come of the extracted machine-readable facts; continuously deriving and storing risk profiles…; providing an ontology that associates a different subset of the monitored entities…; adjusting the ontology overtime; continuously aggregating the risk score for the scored entities…, continuously determining whether the aggregated organizational risk score meets …, and issuing a real-time alert..,” are performed by a processor.
The additional elements “a plurality of users whose systems interface with one or more of a plurality of third-party organizational entities possessing digital assets over the computer network”; “wherein the real-time alert is issued for organizational entities whose systems interface with one or more of the subscribing users over the computer network”; and “electrically issuing a real-time alert” are mere data gathering, transmitting and outputting recited at a high level of generality, and thus are insignificant extra-solution activity. See MPEP 2106.05(g) (“whether the limitation is significant”). In addition, all uses of the recited judicial exceptions require such data gathering and outputting, and, as such, these limitations do not impose any meaningful limits on the claim. These limitations amount to necessary data gathering, transmitting and outputting. See MPEP 2106.05. Moreover, these additional elements do not provide any improvement to the technology, improvement to the functioning of the computer, improvement to the user interface, improvement to the network, they are just merely used as general means for collecting and transmitting data. It is similar to other concepts that have been identified by the courts Gathering and analyzing information using conventional techniques and displaying the result, TLI Communications, 823 F.3d at 612-13, 118 USPQ2d at 1747-48; Collecting information, analyzing it, and displaying certain results of the collection and analysis, Electric Power Group, LLC v. Alstom S.A., 830 F.3d 1350, 1354, 119 USPQ2d 1739, 1742 (Fed. Cir. 2016).
Further, the steps of “providing subscription access to a plurality of users…; continuously and in real-time extracting machine-readable facts…; associating risk identifiers with at least come of the extracted machine-readable facts; continuously deriving and storing risk profiles…; providing an ontology that associates a different subset of the monitored entities…; adjusting the ontology overtime; continuously aggregating the risk score for the scored entities…, continuously determining whether the aggregated organizational risk score meets …, and electrically issuing a real-time alert…”, are recited as being performed by the processor. The processor is recited at a high level of generality. In the limitations “providing subscription access to a plurality of users…; and electrically issuing a real-time alert…”, the processor is used as a tool to perform the generic computer function of gathering, transmitting, and outputting data. See MPEP 2106.05(f). In limitations “continuously and in real-time extracting machine-readable facts…; associating risk identifiers with at least come of the extracted machine-readable facts; continuously deriving and storing risk profiles…; providing an ontology that associates a different subset of the monitored entities…; adjusting the ontology overtime; continuously aggregating the risk score for the scored entities…, continuously determining whether the aggregated organizational risk score meets …”, the processor is used to perform an abstract idea, as discussed above in Step 2A, Prong One, such that it amounts to no more than mere instructions to apply the exception using a generic computer. See MPEP 2106.05(f). The additional elements recite generic computer components the processor, a storage device, and software programming instructions that are recited a high-level of generality that merely perform, conduct, carry out, implement, and/or narrow the abstract idea itself. Accordingly, the additional elements evaluated individually and in combination do not integrate the abstract idea into a practical application because they comprise or include limitations that are not indicative of integration into a practical application such as adding the words "apply it" (or an equivalent) with the judicial exception, or mere instructions to implement an abstract idea on a computer, or merely uses a computer as a tool to perform an abstract idea -- See MPEP 2106.05(f).
Even when viewed in combination, these additional elements do not integrate the recited judicial exception into a practical application (Step 2A, Prong Two: NO), and the claim is directed to the judicial exception (Step 2A, Prong One: YES).
Step 2B: This part of the eligibility analysis evaluates whether the claim as a whole, amounts to significantly more than the recited exception i.e., whether any additional element, or combination of additional elements, adds an inventive concept to the claim. See MPEP 2106.05.
The additional elements “a plurality of users whose systems interface with one or more of a plurality of third-party organizational entities possessing digital assets over the computer network”; “wherein the real-time alert is issued for organizational entities whose systems interface with one or more of the subscribing users over the computer network”; and “electrically issuing a real-time alert” were found to be insignificant extra-solution activity in Step 2A, Prong Two, because they were determined to be insignificant limitations as necessary data gathering and outputting. However, a conclusion that an additional element is insignificant extra solution activity in Step 2A, Prong Two should be re-evaluated in Step 2B. See MPEP 2106.05, subsection I.A. At Step 2B, the evaluation of the insignificant extra-solution activity consideration takes into account whether or not the extra-solution activity is well understood, routine, and conventional in the field. See MPEP 2106.05(g).
As discussed in Step 2A, Prong Two above, the additional elements of “a plurality of users whose systems interface with one or more of a plurality of third-party organizational entities possessing digital assets over the computer network”; “wherein the real-time alert is issued for organizational entities whose systems interface with one or more of the subscribing users over the computer network”; and “electrically issuing a real-time alert” are recited at a high level of generality. These elements amount to gathering and transmitting data over a network and are well-understood, routine, conventional activity. See MPEP 2106.05(d), subsection II. The courts have recognized the following computer functions as well understood, routine, and conventional functions when they are claimed in a merely genetic manner (e.g., at a high level of generality) or as insignificant extra-solution activity: Receiving or transmitting data over a network, e.g., using the Internet to gather data, Symantec, 838 F.3d at 1321, 120 USPQ2d at 1362 (utilizing an intermediary computer to forward information); TLI Communications LLC v. AV Auto. LLC, 823 F.3d 607, 610, 118 USPQ2d 1744, 1745 (Fed. Cir. 2016) (using a telephone for image transmission); OIP Techs., Inc., v. Amazon.com, Inc., 788 F.3d 1359, 1363, 115 USPQ2d 1090, 1093 (Fed. Cir. 2015) (sending messages over a network); buySAFE, Inc. v. Google, Inc., 765 F.3d 1350, 1355, 112 USPQ2d 1093, 1096 (Fed. Cir. 2014) (computer receives and sends information over a network).
As discussed in Step 2A, Prong Two above, the recitation of the processor to perform limitations “providing subscription access to a plurality of users…; continuously and in real-time extracting machine-readable facts…; associating risk identifiers with at least come of the extracted machine-readable facts; continuously deriving and storing risk profiles…; providing an ontology that associates a different subset of the monitored entities…; adjusting the ontology overtime; continuously aggregating the risk score for the scored entities…, continuously determining whether the aggregated organizational risk score meets …, and issuing a real-time alert…”, amounts to no more than mere instructions to apply the exception using a generic computer component.
Even when considered in combination, these additional elements represent mere instructions to implement an abstract idea or other exception on a computer and insignificant extra-solution activity, which do not provide an inventive concept. Therefore, the claim is not patent eligible. (Step 2B: NO).
Independent claim 16, which is analyzing as the following:
Step 1: This part of the eligibility analysis evaluates whether the claim falls within any statutory category. See MPEP 2106.03. The claim recites a system for monitoring network security. Thus, the claim is to a machine, which is one of the statutory categories of invention. (Step 1: YES).
Step 2A, Prong One: This part of the eligibility analysis evaluates whether the claim recites a judicial exception. As explained in MPEP 2106.04, subsection II, a claim “recites” a judicial exception when the judicial exception is “set forth” or “described” in the claim.
The claim recites a system for monitoring network security. The claim recites the steps: providing subscription access to a plurality of users…; continuously and in real-time extracting machine-readable facts…; continuously deriving and storing risk profiles…; providing an ontology that associates a different subset of the monitored entities…; adjusting the ontology overtime and associating a different subset of the monitored entities…; continuously aggregating the risk score for the scored entities…, wherein the aggregated computer security risk scores express security risks to the third-party organizational entities; continuously determining whether the aggregated organizational risk score meets …, and issuing a real-time alert in response to the meeting or the predetermined criteria for each of a plurality of the third-party organizational entities to each subscribing user for the third-party organization entity.., under its broadest reasonable interpretation when read in light of the Specification, falls within “Certain Methods of Organizing Human Activity” grouping of abstract ideas as they cover performance of fundamental economic principles or practices including hedging, insurance, mitigating risk; commercial or legal interactions including agreements in the form of contracts, legal obligations, advertising, marketing or sales activities or behaviors, business relations; managing personal behavior or relationships or interactions between people including social activities, teaching and following rules or instructions. See MPEP 2106.04(a)(2), subsection III.
Therefore, the claim recites an abstract idea. (Step 2A, Prong One: YES).
Step 2A, Prong Two: This part of the eligibility analysis evaluates whether the claim as a whole integrates the recited judicial exception into a practical application of the exception or whether the claim is “directed to” the judicial exception. This evaluation is performed by (1) identifying whether there are any additional elements recited in the claim beyond the judicial exception, and (2) evaluating those additional elements individually and in combination to determine whether the claim as a whole integrates the exception into a practical application. See MPEP 2106.04(d).
The claim recites the additional elements of “a subscription interface”; “ a fact monitoring interface”; “machine-readable ontology storage”; “ an alert interface”; “a plurality of users whose systems interface with one or more of a plurality of third-party organizational entities possessing digital assets over the computer network”; “wherein the alert interface issues the real-time alert for organizational entities whose systems interface with one or more of the subscribing users over the computer network.” The claim also recites that the steps of “providing subscription access to a plurality of users…; continuously and in real-time extracting machine-readable facts…; continuously deriving and storing risk profiles…; providing an ontology that associates a different subset of the monitored entities…; adjusting the ontology overtime and associating a different subset of the monitored entities…; continuously aggregating the risk score for the scored entities…, wherein the aggregated computer security risk scores express security risks to the third-party organizational entities; continuously determining whether the aggregated organizational risk score meets …, and issuing a real-time alert...,” are performed by a processor.
The additional elements “a subscription interface”; “ a fact monitoring interface”; “machine-readable ontology storage”; “ an alert interface”; “a plurality of users whose systems interface with one or more of a plurality of third-party organizational entities possessing digital assets over the computer network”; “wherein the alert interface issues the real-time alert for organizational entities whose systems interface with one or more of the subscribing users over the computer network” are mere data gathering, transmitting and outputting recited at a high level of generality, and thus are insignificant extra-solution activity. See MPEP 2106.05(g) (“whether the limitation is significant”). In addition, all uses of the recited judicial exceptions require such data gathering and outputting, and, as such, these limitations do not impose any meaningful limits on the claim. These limitations amount to necessary data gathering, transmitting and outputting. See MPEP 2106.05. Moreover, these additional elements do not provide any improvement to the technology, improvement to the functioning of the computer, improvement to the interfaces, improvement to the network, they are just merely used as general means for collecting and transmitting data. It is similar to other concepts that have been identified by the courts Gathering and analyzing information using conventional techniques and displaying the result, TLI Communications, 823 F.3d at 612-13, 118 USPQ2d at 1747-48; Collecting information, analyzing it, and displaying certain results of the collection and analysis, Electric Power Group, LLC v. Alstom S.A., 830 F.3d 1350, 1354, 119 USPQ2d 1739, 1742 (Fed. Cir. 2016).
Further, the steps of “providing subscription access to a plurality of users…; continuously and in real-time extracting machine-readable facts…; continuously deriving and storing risk profiles…; providing an ontology that associates a different subset of the monitored entities…; adjusting the ontology overtime and associating a different subset of the monitored entities…; continuously aggregating the risk score for the scored entities…, wherein the aggregated computer security risk scores express security risks to the third-party organizational entities; continuously determining whether the aggregated organizational risk score meets …, and issuing a real-time alert…”, are recited as being performed by the processor. The processor is recited at a high level of generality. In the limitations “providing subscription access to a plurality of users…; and electrically issuing a real-time alert…”, the processor is used as a tool to perform the generic computer function of gathering, transmitting, and outputting data. See MPEP 2106.05(f). In limitations “continuously and in real-time extracting machine-readable facts…; continuously deriving and storing risk profiles…; providing an ontology that associates a different subset of the monitored entities…; adjusting the ontology overtime and associating a different subset of the monitored entities…; continuously aggregating the risk score for the scored entities…, wherein the aggregated computer security risk scores express security risks to the third-party organizational entities; continuously determining whether the aggregated organizational risk score meets…”, the processor is used to perform an abstract idea, as discussed above in Step 2A, Prong One, such that it amounts to no more than mere instructions to apply the exception using a generic computer. See MPEP 2106.05(f). The additional elements recite generic computer components the processor, a storage device, and software programming instructions that are recited a high-level of generality that merely perform, conduct, carry out, implement, and/or narrow the abstract idea itself. Accordingly, the additional elements evaluated individually and in combination do not integrate the abstract idea into a practical application because they comprise or include limitations that are not indicative of integration into a practical application such as adding the words "apply it" (or an equivalent) with the judicial exception, or mere instructions to implement an abstract idea on a computer, or merely uses a computer as a tool to perform an abstract idea -- See MPEP 2106.05(f).
Even when viewed in combination, these additional elements do not integrate the recited judicial exception into a practical application (Step 2A, Prong Two: NO), and the claim is directed to the judicial exception (Step 2A, Prong One: YES).
Step 2B: This part of the eligibility analysis evaluates whether the claim as a whole, amounts to significantly more than the recited exception i.e., whether any additional element, or combination of additional elements, adds an inventive concept to the claim. See MPEP 2106.05.
The additional elements “a subscription interface”; “ a fact monitoring interface”; “machine-readable ontology storage”; “ an alert interface”; “a plurality of users whose systems interface with one or more of a plurality of third-party organizational entities possessing digital assets over the computer network”; “wherein the alert interface issues the real-time alert for organizational entities whose systems interface with one or more of the subscribing users over the computer network” were found to be insignificant extra-solution activity in Step 2A, Prong Two, because they were determined to be insignificant limitations as necessary data gathering and outputting. However, a conclusion that an additional element is insignificant extra solution activity in Step 2A, Prong Two should be re-evaluated in Step 2B. See MPEP 2106.05, subsection I.A. At Step 2B, the evaluation of the insignificant extra-solution activity consideration takes into account whether or not the extra-solution activity is well understood, routine, and conventional in the field. See MPEP 2106.05(g).
As discussed in Step 2A, Prong Two above, the additional elements of “a subscription interface”; “ a fact monitoring interface”; “machine-readable ontology storage”; “ an alert interface”; “a plurality of users whose systems interface with one or more of a plurality of third-party organizational entities possessing digital assets over the computer network”; “wherein the alert interface issues the real-time alert for organizational entities whose systems interface with one or more of the subscribing users over the computer network” are recited at a high level of generality. These elements amount to gathering and transmitting data over a network and are well-understood, routine, conventional activity. See MPEP 2106.05(d), subsection II. The courts have recognized the following computer functions as well understood, routine, and conventional functions when they are claimed in a merely genetic manner (e.g., at a high level of generality) or as insignificant extra-solution activity: Receiving or transmitting data over a network, e.g., using the Internet to gather data, Symantec, 838 F.3d at 1321, 120 USPQ2d at 1362 (utilizing an intermediary computer to forward information); TLI Communications LLC v. AV Auto. LLC, 823 F.3d 607, 610, 118 USPQ2d 1744, 1745 (Fed. Cir. 2016) (using a telephone for image transmission); OIP Techs., Inc., v. Amazon.com, Inc., 788 F.3d 1359, 1363, 115 USPQ2d 1090, 1093 (Fed. Cir. 2015) (sending messages over a network); buySAFE, Inc. v. Google, Inc., 765 F.3d 1350, 1355, 112 USPQ2d 1093, 1096 (Fed. Cir. 2014) (computer receives and sends information over a network).
As discussed in Step 2A, Prong Two above, the recitation of the processor to perform limitations ““providing subscription access to a plurality of users…; continuously and in real-time extracting machine-readable facts…; associating risk identifiers with at least come of the extracted machine-readable facts; continuously deriving and storing risk profiles…; providing an ontology that associates a different subset of the monitored entities…; adjusting the ontology overtime; continuously aggregating the risk score for the scored entities…, continuously determining whether the aggregated …”, amounts to no more than mere instructions to apply the exception using a generic computer component.
Even when considered in combination, these additional elements represent mere instructions to implement an abstract idea or other exception on a computer and insignificant extra-solution activity, which do not provide an inventive concept. Therefore, the claim is not patent eligible. (Step 2B: NO).
Regarding independent claim 17, Alice Corp. establishes that the same analysis should be used for all categories of claims. Therefore, independent claim 17 directed to a system, is also rejected as ineligible subject matter under 35 U.S.C. 101 for substantially the same reasons as independent method claim 1.
Regarding dependent claims 2, 4-15, and 19-21, the dependent claims do not impart patent eligibility to the abstract idea of the independent claim. The dependent claims rather further narrow the abstract idea and the narrower scope does not change the outcome of the two-part Mayo test. Narrowing the scope of the claims is not enough to impart eligibility as it is still interpreted as an abstract idea, a narrower abstract idea.
Regarding dependent claim 2, the claim simply refines the abstract idea by further reciting responding to user requests to explore the ontological relationships that led to the aggregated organizational risk score, that fall under the category of Organizing Human Activity grouping of abstract ideas as described above in the independent claim 1. Thus, the dependent claim does not add any additional element or subject matter that provides a technological improvement (i.e., an integration into a practical application under Step 2A-Prong Two), results in the claim being directed to patent eligible subject matter or include an element or feature that is significantly more than the recited abstract idea (i.e., a technological inventive concept under Step 2B).
Regarding dependent claims 4-8, the claims recite the additional elements wherein the step of electronically reporting includes issuing a report that includes the aggregated organizational entity risk score; issuing a report that further includes a plurality of visual elements that visually summarize the ontological relationships…; issuing an interactive report that includes a plurality of controls that allow the user to explore the ontological relationships…; issuing an interactive report that includes a plurality of visual elements that visually summarize the ontological relationships…; presenting visual elements presents the visual elements as a series of textual links that visually summarize the ontological relationships…; which are mere data gathering and outputting recited at a high level of generality, and thus are insignificant extra-solution activity. See MPEP 2106.05(g) (“whether the limitation is significant”). In addition, all uses of the recited judicial exceptions require such data gathering and outputting, and, as such, these limitations do not impose any meaningful limits on the claim. These limitations amount to necessary data gathering and outputting. See MPEP 2106.05. Moreover, these additional elements do not provide any improvement to the technology, improvement to the functioning of the computer, improving the user interface, they are just merely used as general means for collecting and outputting data. (See claim 1 above). Thus, the dependent claims do not add any additional element or subject matter that provides a technological improvement (i.e., an integration into a practical application under Step 2A-Prong Two), results in the claim being directed to patent eligible subject matter or include an element or feature that is significantly more than the recited abstract idea (i.e., a technological inventive concept under Step 2B).
Regarding dependent claims 9-15, the claims simply refine the abstract idea by further reciting continuously updating the ontological relationships using an ongoing ontology maintenance process; wherein the ontological relationships include relationships between different organizational entities…, that fall under the category of Organizing Human Activity grouping of abstract ideas as described above in the independent claim 1. Thus, the dependent claims do not add any additional element or subject matter that provides a technological improvement (i.e., an integration into a practical application under Step 2A-Prong Two), results in the claim being directed to patent eligible subject matter or include an element or feature that is significantly more than the recited abstract idea (i.e., a technological inventive concept under Step 2B).
Regarding dependent claims 19-21, the claims recite the additional elements wherein the continuously and in real time extracting machine-readable facts relating to a number of topics from electronic sources extracts the machine-readable facts from internet sources…; which are mere data gathering and outputting recited at a high level of generality, and thus are insignificant extra-solution activity. See MPEP 2106.05(g) (“whether the limitation is significant”). In addition, all uses of the recited judicial exceptions require such data gathering and outputting, and, as such, these limitations do not impose any meaningful limits on the claim. These limitations amount to necessary data gathering and outputting. See MPEP 2106.05. Moreover, these additional elements do not provide any improvement to the technology, improvement to the functioning of the computer, improving the network, they are just merely used as general means for collecting and outputting data. (See claim 1 above). Thus, the dependent claims do not add any additional element or subject matter that provides a technological improvement (i.e., an integration into a practical application under Step 2A-Prong Two), results in the claim being directed to patent eligible subject matter or include an element or feature that is significantly more than the recited abstract idea (i.e., a technological inventive concept under Step 2B).
Therefore, none of the dependent claims alone or as an ordered combination add limitations that qualify as significantly more than the abstract idea.
Accordingly, claims 1-2, 4-17, and 19-21 are not draw to eligible subject matter as they are directed to an abstract idea without significantly more and are rejected under 35 USC § 101 as being directed to non-statutory subject matter.
Novelty and Non-Obviousness
7. No prior arts were applied to the claims because the Examiner is unaware of any prior arts, alone or in combination, which disclose at least the limitations of “providing a machine-readable ontology that associates a different subset of the monitored entities to each of a plurality of the third-party organizational entities possessing digital assets, adjusting the machine-readable ontology over time, for each of the third-party organizational entities, continuously aggregating computer security risk scores for the monitored entities in the subset of the monitored entities identified for that third-party organizational entity by the ontology, to derive a different aggregated computer security risk score for each of the third-party organizational entities, wherein the aggregated computer security risk scores express security risks to the third-party organizational entities” recited in the independent claims 1, 16, and 17.
Response to Arguments/Amendment
8. Applicant's arguments with respect to claims 1-2, 4-17, and 19-21 have been fully considered but are not persuasive.
I. Claim Interpretation
The Applicant did not traverse the 112(f) Claim Interpretation and the presume 112(f) as stated above.
According, the Claim Interpretation is maintained
II. Claim Rejections - 35 USC § 101
Claims 1-2, 4-17, and 19-21 are rejected under 35 U.S.C. 101 because the claim invention is directed to a judicial exception (i.e., law of nature, natural phenomenon, or abstract idea) without significantly more. (See details above).
1. In response to the Applicant’s arguments that Claims are not directed to “Organizing Human Activity”, the Examiner respectfully disagrees and submits that:
The claim recites the following limitations: providing subscription access to a plurality of users…; continuously and in real-time extracting machine-readable facts…; associating risk identifiers with at least come of the extracted machine-readable facts; continuously deriving and storing risk profiles…; providing an ontology that associates a different subset of the monitored entities…; adjusting the ontology overtime; continuously aggregating the risk score for the scored entities…, wherein the aggregated computer security risk scores express security risks to the third-party organizational entities; continuously determining whether the aggregated organizational risk score meets …, and issuing a real-time alert in response to the meeting or the predetermined criteria for each of a plurality of the third-party organizational entities to each subscribing user for the third-party organization entity.., under its broadest reasonable interpretation when read in light of the Specification, falls within “Certain Methods of Organizing Human Activity” grouping of abstract ideas as they cover performance of fundamental economic principles or practices including hedging, insurance, mitigating risk; commercial or legal interactions including agreements in the form of contracts, legal obligations, advertising, marketing or sales activities or behaviors, business relations; managing personal behavior or relationships or interactions between people including social activities, teaching and following rules or instructions. See MPEP 2106.04(a)(2), subsection III.
The Specification, page 1 described that “Systems according to the invention can help network administrators to detect, understand, and meaningfully assess risks posed by interacting with organizational entities. By continuously aggregating risk scores for threats posed by organizations, these administrators can quickly learn of changes to these risk levels. And openly presenting the triggering conditions for the underlying rules that lead to the aggregated risk score can also allow system administrators to understand and address these risk levels”, thus, under its broadest reasonable interpretation when read in light of the Specification, the claimed invention falls within “Certain Methods of Organizing Human Activity” grouping of abstract ideas (mitigating risk; managing personal behavior or relationships or interactions between people, teaching and following rules or instructions). See MPEP 2106.04(a)(2), subsection III. Therefore, the claims recite an abstract idea.
2. In response to the Applicant’s arguments regarding to the Decisions Finding Subject Matter Statutory, the Examiner submits that:
SRI Int’l: the claimed invention recites detecting suspicious activity by using network monitors and analyzing network packets were found to be an improvement in computer network technology. In contrast, the present claims recite the additional elements “a subscription interface”; “ a fact monitoring interface”; “machine-readable ontology storage”; “ an alert interface”; “a plurality of users whose systems interface with one or more of a plurality of third-party organizational entities possessing digital assets over the computer network”; “wherein the alert interface issues the real-time alert for organizational entities whose systems interface with one or more of the subscribing users over the computer network”, which are mere data gathering, transmitting and outputting recited at a high level of generality, and thus are insignificant extra-solution activity. See MPEP 2106.05(g) (“whether the limitation is significant”). In addition, all uses of the recited judicial exceptions require such data gathering and outputting, and, as such, these limitations do not impose any meaningful limits on the claim. These limitations amount to necessary data gathering, transmitting and outputting. See MPEP 2106.05. Moreover, these additional elements do not provide any improvement to the technology, improvement to the functioning of the computer, improvement to the interfaces, improvement to the network, they are just merely used as general means for collecting and transmitting data.
DDR Holdings: the claimed invention provides a modification of conventional Internet hyperlink protocol to dynamically produce a dual-source hybrid webpage. In contrast, the present claims recite the additional elements “a subscription interface”; “ a fact monitoring interface”; “machine-readable ontology storage”; “ an alert interface”; “a plurality of users whose systems interface with one or more of a plurality of third-party organizational entities possessing digital assets over the computer network”; “wherein the alert interface issues the real-time alert for organizational entities whose systems interface with one or more of the subscribing users over the computer network”, which are mere data gathering, transmitting and outputting recited at a high level of generality, and thus are insignificant extra-solution activity. See MPEP 2106.05(g) (“whether the limitation is significant”). In addition, all uses of the recited judicial exceptions require such data gathering and outputting, and, as such, these limitations do not impose any meaningful limits on the claim. These limitations amount to necessary data gathering, transmitting and outputting. See MPEP 2106.05. Moreover, these additional elements do not provide any improvement to the technology, improvement to the functioning of the computer, improvement to the interfaces, improvement to the network, they are just merely used as general means for collecting and transmitting data.
For these reasons there is no inventive concept in the claims, and thus the claims are not patent eligible.
Accordingly, the 101 rejection is maintained.
III. Claim Rejections - 35 USC § 103
The Affidavit under 37 CFR 1.132 filed on August 14, 2025 is sufficient to overcome the rejection of claims 1-2, 4-17, and 19-21 based upon the Amendment.
Accordingly, the 103 rejection has been withdrawn.
Conclusion
9. Claims 1-2, 4-17, and 19-21 are rejected.
10. The prior arts made of record and not relied upon are considered pertinent to applicant's disclosure:
Hay et al. (US 2018/0121657) disclose a system for evaluating security risks including a processor to detect a set of vulnerabilities for an application based on static analysis of the application and calculate a risk score associated with each of the vulnerabilities based on additional characteristics of the application.
Mahabir et al. (US 2017/0244740) disclose methods and systems for enhancing data security in a computer network.
Heckman et al. (US 2019/0207968) disclose methods and systems for providing an integrated assessment of risk management and maturity for an organizational cybersecurity/privacy program.
Barkovic et al. (US 2019/0104156) disclose systems and methods for configuration vulnerability checking and remediation.
Hoernecke et al. (US 2017/0098086) disclose systems and methods for monitoring and assessing the security and risk presented by applications deployed in a complex computing environment.
11. Any inquiry concerning this communication or earlier communications from the examiner should be directed to examiner NGA B NGUYEN whose telephone number is (571) 272-6796. The examiner can normally be reached on Monday-Friday 7AM-5PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, Applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Beth Boswell can be reached on (571) 272-6737. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/NGA B NGUYEN/Primary Examiner, Art Unit 3625 December 6, 2025