DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
The amendment filed 3/6/2026 has been placed of record in the file.
Claims 1, 9, and 17 have been amended.
Claims 1, 3-7, 9, 11-15, 17, and 19-23 are pending.
The applicant’s arguments with respect to claims 1, 3-7, 9, 11-15, 17, and 19-23 have been considered but are moot in view of the following new grounds of rejection.
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 3/6/2026 has been entered.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1, 6, 7, 9, 14, 15, 17, and 21-23 are rejected under 35 U.S.C. 103 as being unpatentable over Bogren et al. (U.S. Patent Application Publication Number 2022/0232031), hereinafter referred to as Bogren, in view of Lin et al. (U.S. Patent Number 11,470,106), hereinafter referred to as Lin, further in view of Krishnan et al. (U.S. Patent Application Publication Number 2020/0153850), hereinafter referred to as Krishnan.
Bogren disclosed techniques for providing a cyber risk assessment service. In an analogous art, Lin disclosed techniques for building models for assessing the risk of cyberattacks. Also in an analogous art, Krishnan disclosed techniques for generating security profiles for resources based on security risk factors. All of these systems are directed toward risk assessment and risk management for computer networks.
Regarding claim 1, Bogren discloses a method, comprising: identifying digital and physical assets of an enterprise for monitoring (paragraphs 17 and 18, enterprise network); identifying data partners associated with the enterprise (paragraph 33, vendors that interface with enterprise); identifying network security information of the data partners included in a data supply chain of the enterprise (paragraph 33, vendor monitoring data); generating a computer readable model of the enterprise including representations of digital and physical assets, and data partners; the computer readable model including representations of the network security information of the data partners included in the data supply chain of the enterprise (paragraph 36, generates security score based on customer risk data); applying a risk analysis to the computer readable model (paragraph 36, combines threat environment level and security posture and derives threat level assessment score); and displaying results of the risk analysis at a user interface (paragraph 42, user interface).
Bogren does not explicitly state that the network security information of the data partners is hardware and software applications of the data partners. However, gathering network data in such a fashion was well known in the art as evidenced by Lin. Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Bogren by adding the ability that the network security information of the data partners is hardware and software applications of the data partners as provided by Lin (see column 5, lines 50-57, hardware and software components). One of ordinary skill in the art would have recognized the benefit that establishing network information in this way would assist in generating risk scores that are more semantically meaningful and less impacted by human biases (see Lin, column 1, lines 25-43).
Bogren does not explicitly state identifying a potentially exploitable vulnerability in the data supply chain of the enterprise based on the computer readable model and estimating a potential liability associated with the potentially exploitable vulnerability. However, gathering network data in such a fashion was well known in the art as evidenced by Lin. Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Bogren by adding the ability for identifying a potentially exploitable vulnerability in the data supply chain of the enterprise based on the computer readable model and estimating a potential liability associated with the potentially exploitable vulnerability as provided by Lin (see column 8, lines 15-18, detects vulnerabilities in machine set, and column 11, line 64 through column 12, line 4, tracks risk score). One of ordinary skill in the art would have recognized the benefit that establishing network information in this way would assist in generating risk scores that are more semantically meaningful and less impacted by human biases (see Lin, column 1, lines 25-43).
Bogren does not explicitly state that the risk analysis is a simulated risk analysis, the simulated risk analysis simulating a remediation measure, and predicting an amount of reduction in the potential liability associated with the simulated remediation measure. However, performing simulations in such a fashion was well known in the art as evidenced by Lin. Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Bogren by adding the ability that the risk analysis is a simulated risk analysis, the simulated risk analysis simulating a remediation measure, and predicting an amount of reduction in the potential liability associated with the simulated remediation measure as provided by Lin (see column 4, lines 45-61, simulates remediation plans and compares risk score reductions). One of ordinary skill in the art would have recognized the benefit that analyzing network information in this way would assist in generating risk scores that are more semantically meaningful and less impacted by human biases (see Lin, column 1, lines 25-43).
The combination of Bogren and Lin does not explicitly state determining third-party software dependencies included in the software applications and identifying publicly disclosed vulnerabilities associated with the third-party software dependencies, wherein the potentially exploitable vulnerability is identified as at least one of the publicly disclosed vulnerabilities. However, assessing vulnerabilities in such a fashion was well known in the art as evidenced by Krishnan. Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Bogren and Lin by adding the ability for determining third-party software dependencies included in the software applications and identifying publicly disclosed vulnerabilities associated with the third-party software dependencies, wherein the potentially exploitable vulnerability is identified as at least one of the publicly disclosed vulnerabilities as provided by Krishnan (see paragraph 31, analyzes third-party components using correlation with publicly available vulnerability databases to determine security risk). One of ordinary skill in the art would have recognized the benefit that assessing vulnerabilities in this way would assist in improved vetting for third-party executable content (see Krishnan, paragraph 3).
Regarding claim 6, the combination of Bogren, Lin, and Krishnan discloses wherein applying a simulated risk analysis to the computer readable model comprises modeling risk scenarios using a variety of simulation techniques including Markov Chains and Monte Carlo simulations (Bogren, paragraph 34, Markov chain Monte Carlo method).
Regarding claim 7, the combination of Bogren, Lin, and Krishnan discloses determining remediation measures based upon the simulated risk analysis; and displaying the remediation measures at a graphical user interface (Bogren, paragraph 41, remedial actions, and paragraph 42, user interface, and Lin, column 5, lines 5-11, recommends remediation plans to user).
Regarding claim 9, Bogren discloses a computer configured to access a storage device, the computer comprising: a processor; and a non-transitory, computer-readable storage medium storing computer-readable instructions that when executed by the processor cause the computer to perform: identifying digital and physical assets of an enterprise for monitoring (paragraphs 17 and 18, enterprise network); identifying data partners associated with the enterprise (paragraph 33, vendors that interface with enterprise); identifying network security information of the data partners included in a data supply chain of the enterprise (paragraph 33, vendor monitoring data); generating a computer readable model of the enterprise including representations of digital and physical assets, and data partners; the computer readable model including representations of the network security information of the data partners included in the data supply chain of the enterprise (paragraph 36, generates security score based on customer risk data); applying risk analysis to the computer readable model (paragraph 36, combines threat environment level and security posture and derives threat level assessment score); and displaying results of the risk analysis at a user interface (paragraph 42, user interface).
Bogren does not explicitly state that the network security information of the data partners is hardware and software applications of the data partners. However, gathering network data in such a fashion was well known in the art as evidenced by Lin. Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Bogren by adding the ability that the network security information of the data partners is hardware and software applications of the data partners as provided by Lin (see column 5, lines 50-57, hardware and software components). One of ordinary skill in the art would have recognized the benefit that establishing network information in this way would assist in generating risk scores that are more semantically meaningful and less impacted by human biases (see Lin, column 1, lines 25-43).
Bogren does not explicitly state identifying a potentially exploitable vulnerability in the data supply chain of the enterprise based on the computer readable model and estimating a potential liability associated with the potentially exploitable vulnerability. However, gathering network data in such a fashion was well known in the art as evidenced by Lin. Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Bogren by adding the ability for identifying a potentially exploitable vulnerability in the data supply chain of the enterprise based on the computer readable model and estimating a potential liability associated with the potentially exploitable vulnerability as provided by Lin (see column 8, lines 15-18, detects vulnerabilities in machine set, and column 11, line 64 through column 12, line 4, tracks risk score). One of ordinary skill in the art would have recognized the benefit that establishing network information in this way would assist in generating risk scores that are more semantically meaningful and less impacted by human biases (see Lin, column 1, lines 25-43).
Bogren does not explicitly state that the risk analysis is a simulated risk analysis, the simulated risk analysis simulating a remediation measure, and predicting an amount of reduction in the potential liability associated with the simulated remediation measure. However, performing simulations in such a fashion was well known in the art as evidenced by Lin. Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Bogren by adding the ability that the risk analysis is a simulated risk analysis, the simulated risk analysis simulating a remediation measure, and predicting an amount of reduction in the potential liability associated with the simulated remediation measure as provided by Lin (see column 4, lines 45-61, simulates remediation plans and compares risk score reductions). One of ordinary skill in the art would have recognized the benefit that analyzing network information in this way would assist in generating risk scores that are more semantically meaningful and less impacted by human biases (see Lin, column 1, lines 25-43).
The combination of Bogren and Lin does not explicitly state determining third-party software dependencies included in the software applications and identifying publicly disclosed vulnerabilities associated with the third-party software dependencies, wherein the potentially exploitable vulnerability is identified as at least one of the publicly disclosed vulnerabilities. However, assessing vulnerabilities in such a fashion was well known in the art as evidenced by Krishnan. Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Bogren and Lin by adding the ability for determining third-party software dependencies included in the software applications and identifying publicly disclosed vulnerabilities associated with the third-party software dependencies, wherein the potentially exploitable vulnerability is identified as at least one of the publicly disclosed vulnerabilities as provided by Krishnan (see paragraph 31, analyzes third-party components using correlation with publicly available vulnerability databases to determine security risk). One of ordinary skill in the art would have recognized the benefit that assessing vulnerabilities in this way would assist in improved vetting for third-party executable content (see Krishnan, paragraph 3).
Regarding claim 14, the combination of Bogren, Lin, and Krishnan discloses wherein applying a simulated risk analysis to the computer readable model comprises modeling risk scenarios using a variety of simulation techniques including Markov Chains and Monte Carlo simulations (Bogren, paragraph 34, Markov chain Monte Carlo method).
Regarding claim 15, the combination of Bogren, Lin, and Krishnan discloses wherein the instructions, when executed by the processor, further cause the computer to perform: determining remediation measures based upon the simulated risk analysis; and displaying the remediation measures at a graphical user interface (Bogren, paragraph 41, remedial actions, and paragraph 42, user interface, and Lin, column 5, lines 5-11, recommends remediation plans to user).
Regarding claim 17, Bogren discloses a computer program product, comprising: a non-transitory computer-readable storage medium having computer-readable program code embodied therewith, the computer-readable program code executable by a processor, and comprising: computer-readable program code configured to identify digital and physical assets of an enterprise for monitoring (paragraphs 17 and 18, enterprise network); computer-readable program code configured to identify data partners associated with the enterprise (paragraph 33, vendors that interface with enterprise); computer-readable program code configured to identify network security information of the data partners included in a data supply chain of the enterprise (paragraph 33, vendor monitoring data); computer-readable program code configured to generate a computer readable model of the enterprise including representations of digital and physical assets, and data partners, the computer readable model including representations of the network security information of the data partners included in the data supply chain of the enterprise (paragraph 36, generates security score based on customer risk data); computer-readable program code configured to apply risk analysis to the computer readable model (paragraph 36, combines threat environment level and security posture and derives threat level assessment score); and computer-readable program code configured to display results of the risk analysis at a user interface (paragraph 42, user interface).
Bogren does not explicitly state that the network security information of the data partners is hardware and software applications of the data partners. However, gathering network data in such a fashion was well known in the art as evidenced by Lin. Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Bogren by adding the ability that the network security information of the data partners is hardware and software applications of the data partners as provided by Lin (see column 5, lines 50-57, hardware and software components). One of ordinary skill in the art would have recognized the benefit that establishing network information in this way would assist in generating risk scores that are more semantically meaningful and less impacted by human biases (see Lin, column 1, lines 25-43).
Bogren does not explicitly state identifying a potentially exploitable vulnerability in the data supply chain of the enterprise based on the computer readable model and estimating a potential liability associated with the potentially exploitable vulnerability. However, gathering network data in such a fashion was well known in the art as evidenced by Lin. Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Bogren by adding the ability for identifying a potentially exploitable vulnerability in the data supply chain of the enterprise based on the computer readable model and estimating a potential liability associated with the potentially exploitable vulnerability as provided by Lin (see column 8, lines 15-18, detects vulnerabilities in machine set, and column 11, line 64 through column 12, line 4, tracks risk score). One of ordinary skill in the art would have recognized the benefit that establishing network information in this way would assist in generating risk scores that are more semantically meaningful and less impacted by human biases (see Lin, column 1, lines 25-43).
Bogren does not explicitly state that the risk analysis is a simulated risk analysis, the simulated risk analysis simulating a remediation measure, and predicting an amount of reduction in the potential liability associated with the simulated remediation measure. However, performing simulations in such a fashion was well known in the art as evidenced by Lin. Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Bogren by adding the ability that the risk analysis is a simulated risk analysis, the simulated risk analysis simulating a remediation measure, and predicting an amount of reduction in the potential liability associated with the simulated remediation measure as provided by Lin (see column 4, lines 45-61, simulates remediation plans and compares risk score reductions). One of ordinary skill in the art would have recognized the benefit that analyzing network information in this way would assist in generating risk scores that are more semantically meaningful and less impacted by human biases (see Lin, column 1, lines 25-43).
The combination of Bogren and Lin does not explicitly state determining third-party software dependencies included in the software applications and identifying publicly disclosed vulnerabilities associated with the third-party software dependencies, wherein the potentially exploitable vulnerability is identified as at least one of the publicly disclosed vulnerabilities. However, assessing vulnerabilities in such a fashion was well known in the art as evidenced by Krishnan. Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Bogren and Lin by adding the ability for determining third-party software dependencies included in the software applications and identifying publicly disclosed vulnerabilities associated with the third-party software dependencies, wherein the potentially exploitable vulnerability is identified as at least one of the publicly disclosed vulnerabilities as provided by Krishnan (see paragraph 31, analyzes third-party components using correlation with publicly available vulnerability databases to determine security risk). One of ordinary skill in the art would have recognized the benefit that assessing vulnerabilities in this way would assist in improved vetting for third-party executable content (see Krishnan, paragraph 3).
Regarding claim 21, the combination of Bogren, Lin, and Krishnan discloses wherein applying a simulated risk analysis comprises simulating adding a data partner in a particular way that the data partner is to be integrated into the data supply chain and further comprising determining potential risk associated with adding the data partner in the particular way that the data partner is to be integrated into the data supply chain (Lin, column 18, lines 13-33, isolating machines).
Regarding claim 22, the combination of Bogren, Lin, and Krishnan discloses wherein applying a simulated risk analysis comprises simulating adding a particular software program in the data supply chain and further comprising determining potential impact of adding the particular software program into the data supply chain (Lin, column 18, lines 13-33, applying patch).
Regarding claim 23, the combination of Bogren, Lin, and Krishnan discloses wherein applying a simulated risk analysis comprises simulating removing a particular software program from the data supply chain and further comprising determining potential impact of removing the particular software program from the data supply chain (Lin, column 18, lines 13-33, applying patch).
Claims 3-5, 11-13, 19, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Bogren in view of Lin, in view of Krishnan, further in view of Crabtree et al. (U.S. Patent Application Publication Number 2021/0092161), hereinafter referred to as Crabtree.
The combination of Bogren, Lin, and Krishnan disclosed techniques for providing a cyber risk assessment service. In an analogous art, Crabtree disclosed techniques for cybersecurity data gathering. Both systems are directed toward risk assessment and risk management for computer networks.
Regarding claim 3, the combination of Bogren, Lin, and Krishnan does not explicitly state wherein identifying data partners comprises analyzing network traffic through a Domain Name Server (DNS) associated with the enterprise and extracting information regarding destination addresses of data communications. However, gathering network data in such a fashion was well known in the art as evidenced by Crabtree. Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Bogren, Lin, and Krishnan by adding the ability that identifying data partners comprises analyzing network traffic through a Domain Name Server (DNS) associated with the enterprise and extracting information regarding destination addresses of data communications as provided by Crabtree (see paragraph 69, establishes network information including DNS records). One of ordinary skill in the art would have recognized the benefit that establishing network information in this way would assist in managing collaborative databases in an adversarial information environment (see Crabtree, paragraph 5).
Regarding claim 4, the combination of Bogren, Lin, Krishnan, and Crabtree discloses executing a reverse look-up of a database to determine respective geographic locations associated with the destination addresses; and storing the respective geographic locations associated with the destination addresses together in a computer readable medium (Crabtree, paragraph 70, runs reverse DNS Lookup to determine domains).
Regarding claim 5, the combination of Bogren, Lin, Krishnan, and Crabtree discloses converting the information regarding the destination addresses of the data communications to a unified data format; normalizing the information regarding the destination addresses of the data communications; and storing the information regarding the destination addresses of the data communications together on a single computer readable medium, in the unified data format (Crabtree, paragraph 113, normalization and schematization).
Regarding claim 11, the combination of Bogren, Lin, and Krishnan does not explicitly state wherein identifying data partners comprises analyzing network traffic through a Domain Name Server (DNS) associated with the enterprise and extracting information regarding destination addresses of data communications. However, gathering network data in such a fashion was well known in the art as evidenced by Crabtree. Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Bogren, Lin, and Krishnan by adding the ability that identifying data partners comprises analyzing network traffic through a Domain Name Server (DNS) associated with the enterprise and extracting information regarding destination addresses of data communications as provided by Crabtree (see paragraph 69, establishes network information including DNS records). One of ordinary skill in the art would have recognized the benefit that establishing network information in this way would assist in managing collaborative databases in an adversarial information environment (see Crabtree, paragraph 5).
Regarding claim 12, the combination of Bogren, Lin, Krishnan, and Crabtree discloses wherein the instructions, when executed by the processor, further cause the computer to perform: executing a reverse look-up of a database to determine respective geographic locations associated with the destination addresses; and storing the respective geographic locations associated with the destination addresses together in a computer readable medium (Crabtree, paragraph 70, runs reverse DNS Lookup to determine domains).
Regarding claim 13, the combination of Bogren, Lin, Krishnan, and Crabtree discloses wherein the instructions, when executed by the processor, further cause the computer to perform: converting the information regarding the destination addresses of the data communications to a unified data format; normalizing the information regarding the destination addresses of the data communications; and storing the information regarding the destination addresses of the data communications together on a single computer readable medium, in the unified data format (Crabtree, paragraph 113, normalization and schematization).
Regarding claim 19, the combination of Bogren, Lin, and Krishnan does not explicitly state wherein identifying data partners comprises analyzing network traffic through a Domain Name Server (DNS) associated with the enterprise and extracting information regarding destination addresses of data communications. However, gathering network data in such a fashion was well known in the art as evidenced by Crabtree. Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Bogren, Lin, and Krishnan by adding the ability that identifying data partners comprises analyzing network traffic through a Domain Name Server (DNS) associated with the enterprise and extracting information regarding destination addresses of data communications as provided by Crabtree (see paragraph 69, establishes network information including DNS records). One of ordinary skill in the art would have recognized the benefit that establishing network information in this way would assist in managing collaborative databases in an adversarial information environment (see Crabtree, paragraph 5).
Regarding claim 20, the combination of Bogren, Lin, Krishnan, and Crabtree discloses the computer-readable program code further comprising: computer-readable program code configured to execute a reverse look-up of a database to determine respective geographic locations associated with the destination addresses; and computer-readable program code configured to store the respective geographic locations associated with the destination addresses together in a computer readable medium (Crabtree, paragraph 70, runs reverse DNS Lookup to determine domains).
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Victor Lesniewski whose telephone number is (571)272-2812. The examiner can normally be reached Monday thru Friday, 9am to 5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached at 571-272-3862. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Victor Lesniewski/Primary Examiner, Art Unit 2493