EVALUATING A SYSTEM ASPECT OF A SYSTEM

§103 §112

DETAILED ACTION Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. Response to Amendment The Amendment filed on 07/21/2025 has been entered. Claims 1-22 are pending of which claims 1 and 12 are independent claims. Response to Arguments The applicant's arguments filed on 07/21/2025 regarding claims 1-22 have been fully considered but applicant’s arguments fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references. Claim Rejections - 35 USC § 112 The following is a quotation of the first paragraph of 35 U.S.C. 112(a): (a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention. The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112: The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention. Claims 1-20 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention. Specifically, while the claim recites “a process evaluation rating metric”, the specification lacks a detailed description of term. As established in Ariad Pharms., Inc. v. Eli Lilly & Co., 598 F.3d 1336, 1351, 94 USPQ2d 1161,5 1172 (Fed. Cir. 2010), the specification must convey with reasonable clarity to those skilled in the art that the inventor had possession of the claimed invention. Merely stating that machine learning is used, without further elaboration, does not satisfy this requirement. Claims 1-22 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the enablement requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to enable one skilled in the art to which it pertains, or with which it is most nearly connected to make and/or use the invention. The specification fails to enable a person having ordinary skill in the art to make and use the claimed invention without undue experimentation. The absence of details regarding the specific machine learning algorithms employed and how the machine learning model arrives at the conclusion whether the homomorphic encryption is involved in the mode training leaves the skilled artisan without the necessary guidance to implement the claimed invention. As per In re Wands, 858 F.2d 731, 737, 8 USPQ2d 1400, 1404 (Fed. Cir. 1988). Claim Rejections - 35 USC § 112 The following is a quotation of 35 U.S.C. 112(b): (b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention. The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph: The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention. Claims 1-20 rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant regards as the invention. Regarding claim 1, Key limitations, "a process evaluation rating metric" and “one or more analysis system outputs” is presented purely as functional labels with no objective boundaries, leaving readers unable to determine where infringement begins or ends. Every operative verb (applying, encrypting, providing and storing) is recited only by its desired outcome. Because a person having ordinary skill in the art could not ascertain the claim scope with reasonable certainty, the claims are indefinite under 35 U.S.C § 112(b). Independent 14 and 20 are also rejected for the same rational as claim 1. Dependent claims 2-13, 25-29 are also rejected for inheriting the deficiencies of the independent claims from which they depend on. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claims 1-3, 8-14 and 19-22 are rejected under 35 U.S.C. 103 as being unpatentable over Basu et al. (Patent No.: US 11,087,261, hereinafter Basu) in view of Isaacson et al. (Pub. No.: US 2020/0167870, hereinafter Isaacson) and Gourisetti et al. (Pub. No.: US 2021/0110319, hereinafter Gourisetti). Regarding claim 1: Basu discloses A method for operating an analysis system that includes one or more computing entities comprises: receiving, by the analysis system from a system user interface module, a request for an evaluation of at least a portion of a system under test (Basu - [Col. 36, Line 40-44]: Examples of interface(s) which may be displayed to a user in conjunction with predictive analysis computer 2330 providing information to, or obtaining information from, a user are presented in FIG. 3); wherein the evaluation is regarding a process evaluation rating metric (Basu - [Col. 33, Line 32-36]: No matter the type of processes implemented by the entity 2240 however, it may be useful to measure or otherwise analyze (including predicting, simulating, optimizing, etc.) the performance of such a process utilizing a performance metric); determining, by the analysis system, one or more analysis system outputs from a list of analysis system outputs for the evaluation (Basu - [Col. 38, Line 24-29]: what-if analysis computer 2360 may determine a list of performance metrics which may be most affected by variations in the one or more influencers. A user can thus specify values within the value ranges for one or more of the influencers and the optimization computer will calculate values for the list of performance metrics); However, Basu doesn’t explicitly teach, but Isaacson discloses: determining, by the analysis system, analysis parameters for the system under test (Isaacson - [0024]: identification of a plurality of associated asset attributes related to one or a plurality of perils); determining, by the analysis system, evaluation data requirements and assets of the system under test based upon the analysis parameters (Isaacson - [0037]: the analytics will determine which data and attributes of the asset are to be captured (403)); sending, by the analysis system, a query to retrieve evaluation data from s data extraction module based upon the analysis parameters and the evaluation data requirements regarding the assets of the system under test (Isaacson - [0038]: captures the data from the site regarding the asset in a manner guided by the application based on the attribute selection data downloaded to the smart phone (405)); It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Basu with Isaacson so that the data to be analyzed is collected based on the type of peril, requirement and attributes of assets. The modification would have allowed the system to collect data for analysis. However, the combination of Basu and Isaacson doesn’t explicitly teach, but Gourisetti discloses: retrieving, by the analysis system, desired system proficiency data from a system proficiency resource based on the evaluation data and the evaluation data requirements (Gourisetti - [0023]: the identified business processes and functions can be determined based on regulatory functional requirements (such as through the federal energy regulatory commission (FERC)). The impacts on business continuity can be captured through the impacts on business processes and functions, using quantitative risk metrics, such as will value-at-risk and ISO/IEC 31010 risk assessment techniques); and evaluating, by the analysis system, the evaluation data based upon the analysis parameters, the evaluation data requirements, and the desired system proficiency data to produce one or more evaluation outputs (Gourisetti - [0028]: frameworks can provide relative quantification of consequences and risk factors in part by mapping the hierarchical and sequential relationships between various attributes of the subject system or organization. The attributes can include a layered list of critical cyber assets and their associated data flows, system applications, engineering consequences, responsible entities, hosting facilities, and business consequences). It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Basu and Isaacson with Gourisetti so that the data is evaluated based on various requirement, attribute and proficiency. The modification would have allowed the system to be more secure. Regarding claim 2: Basu as modified discloses wherein an evaluation output of the one or more evaluation outputs comprises: one or more evaluation ratings; one or more system aspect deficiencies; or one or more auto-corrections of the one or more system aspect deficiencies (Gourisetti - [0028]: include frameworks that can combine rudimentary and convoluted processes to translate framework outputs into risk-informed investment strategies. Disclosed examples can be further used to mitigate risk and to enforce protection measures based on established business objectives). The reason to combine is in the same rational as claim 1. Regarding claim 3: Basu as modified discloses wherein determining, by the analysis system, the analysis parameters for the system under test comprises: receiving, by the analysis system, input via the system user interface module (Basu - [Col. 28, Line 6-8]: the user-proposed deviating influencer values are explicitly proposed by a user and are received via user input device 1190); and processing, by the analysis system, the input to produce the analysis parameters for the system under test (Basu - [Col. 6, Line 6-8]: determining the relationship of influencers and performance indicators includes determining the contribution of each influencer to the value of a projected performance parameter). Regarding claim 8: Basu as modified discloses wherein the analysis parameters identify at least one of: a system aspect; at least one evaluation perspective; and at least one evaluation viewpoint (Basu - [Col. 8, Line 14]: parameters associated with the system). Regarding claim 9: Basu as modified discloses wherein the assets of the system under test comprise security assets (Gourisetti - [0021]: in the process of risk assessment the assets and assets groups that are essential to ensure the continuity of critical business functions can be identified. Data and information requirements can be analyzed to identify critical assets, including by using cybersecurity standards/policies). The reason to combine is in the same rational as claim 1. Regarding claim 10: Basu as modified discloses wherein the security assets comprise at least one of: security breach protection assets; security breach prevention assets; security breach detection assets; security breach mitigation assets; or security breach recovery assets (Gourisetti - [0039]: This risk management process is based on several factors, including asset identification, threat analysis, vulnerability analysis, preliminary risk evaluation, interim analysis and reporting, risk acceptance criteria, risk mitigation measures). The reason to combine is in the same rational as claim 1. Regarding claim 11: Basu as modified discloses wherein the security assets of the system under test comprise security solutions, that include at least one of: anti-virus/malware hardware asset solutions; anti-virus/malware software asset solutions; firewall solutions; endpoint protection solutions; patch management solutions; security education solutions; awareness training solutions; incident response solutions; encryption hardware; encryption software; security evaluation solutions; vulnerability management solutions; software vulnerability scanning/testing solutions; advanced persistent threat protection solutions; web security solutions; secure email gateway solutions; data loss prevention solutions; end user public cloud security solutions; or user access solutions (Gourisetti - [0109]: cybersecurity vulnerabilities can be mitigated by allowing tracing through a cascade of actual system events, by using a framework that is constructed from identified processes and engineering principles applied to the processes). The reason to combine is in the same rational as claim 1. Regarding claims 12-14 and 19-22: Claims are directed to apparatus/system claims and do not teach or further define over the limitations recited in claims 1-3 and 8-11. Therefore, claims 12-14 and 19-22 are also rejected for similar reasons set forth in claims 1-3 and 8-11. Claims 4-7 and 15-18 are rejected under 35 U.S.C. 103 as being unpatentable over Basu et al. (Patent No.: US 11,087,261, hereinafter Basu) in view of Isaacson et al. (Pub. No.: US 2020/0167870, hereinafter Isaacson) and Gourisetti et al. (Pub. No.: US 2021/0110319, hereinafter Gourisetti) and Bennett et al. (Pub. No.: US 2010/0275263, hereinafter Bennett). Regarding claims 4 and 15: Basu as modified doesn’t explicitly teach but Bennett discloses further comprises: receiving, by the analysis system, feedback input via the system user interface module (Bennett - [0145]: Receiving altered security assessment information from the user); and based upon the feedback input, the analysis system altering at least one: the assets of the system under test; or the analysis parameters to produce altered analysis parameters (Bennett - [0146]: Determining first and second data points. The first data point is determined using the security assessment information and is representative of the existing risk exposure. The second data point is determined using the altered security assessment information). It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Basu, Isaacson and Gourisetti with Bennett so that altered data point is made based on feedback assessment information. The modification would have allowed the system to be more secure. Regarding claims 5 and 16: Basu as modified doesn’t explicitly teach but Bennett discloses further comprises: determining, by the analysis system, data gathering parameters based upon the analysis parameters (Bennett - [0012]: the system uses a combination of assessment results (e.g., someone checking the security on a server) and technical assessment results (e.g., third party security scanners) to feed the risk model. A risk formula includes a likelihood and probability calculation. The risk module can gather historical data, current data, or both); determining, by the analysis system, data analysis parameters based upon the analysis parameters; and determining, by the analysis system, evaluation parameters based upon the analysis parameters (Bennett - [0088]: This control analysis step establishes the scope of the risk analysis, the relationship between the assets involved, the involved assets' classification, and the assessment control scores related to the involved assets). It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Basu, Isaacson and Gourisetti with Bennett so that different parameters are determined to allow the system to enhance data analysis. Regarding claims 6 and 17: Basu as modified discloses further comprises: receiving, by the analysis system, feedback input via the system user interface module (Bennett - [0145]: Receiving altered security assessment information from the user); and based upon the feedback input, the analysis system altering at least one: the assets of the system under test; or the analysis parameters to produce altered analysis parameters (Bennett - [0146]: Determining first and second data points. The first data point is determined using the security assessment information and is representative of the existing risk exposure. The second data point is determined using the altered security assessment information). The reason to combine is in the same rational as claim 5. Regarding claims 7 and 18: Basu as modified discloses wherein altering the analysis parameters to produce the altered analysis parameters includes at least one of: altering, by the analysis system, the data gathering parameters based upon the altered analysis parameters; altering, by the analysis system, the data analysis parameters based upon the altered analysis parameters; and altering, by the analysis system, the evaluation parameters based upon the altered analysis parameters (Bennett - [0015]: Many different future inputs are provided to the what-if system (possibly from many different users or many different sources), the system's charts, reports, and graphs make it easier for a user to comprehend the vast amount of input data and to identify potential future security problems). The reason to combine is in the same rational as claim 5. Conclusion THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Park et al. (Pub. No.: US 2017/0331839) - CYBER-SECURITY PRESENCE MONITORING AND ASSESSMENT Norrman et al. (Patent No.: US 10,592,938) - System And Methods For Vulnerability Assessment And Provisioning Of Related Services And Products For Efficient Risk Suppression Any inquiry concerning this communication or earlier communications from the examiner should be directed to MENG LI whose telephone number is (571)272-8729. The examiner can normally be reached M-F 8:30-5:30. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Alexander Lagor can be reached on (571) 270-5143. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /MENG LI/ Primary Examiner, Art Unit 2437