DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Acknowledgments
Claims 1-20 are pending.
Applicant submitted Information Disclosure Statement.
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 1/21/2026 has been entered.
Response to Arguments
Applicant's arguments filed 1/21/2026 with respect to 35 USC 101 have been fully considered but they are not persuasive. The rejection is maintained.
Applicant argues on page 9-10
Similar to SRI International Inc. v. Cisco Systems, Inc. and the prosecution history for US Patent No. 10,938,664, amended independent Claim 1 is patent eligible at least because, at Step 2A, prong two, the limitations also constitute an improvement in computer network technology…As such, the elements of Claim 1 are configured to improve the performance of computer networks, and thus constitute an improvement in computer technology.
Examiner respectfully disagrees.
The claims are not solving a technical problem but a business problem. Applicant’s Specification states the business problem of mitigating and identifying risks with respect to incidents that would compromise a business (See para 3 in Applicant’s Specification). This is a business problem and not a technical problem. A technical problem and solution is seen in the court case of McRO. The patents in McRO were an improvement on 3-D animation wherein the prior art comprised that "for each keyframe, the artist would look at the screen and, relying on her judgment, manipulate the character model until it looked right — a visual and subjective process." Thus, the patents in McRO aimed to automate a 3-D animator's tasks, specifically, determining when to set keyframes and setting those keyframes.
In addition, Applicant cites the Specification that the technical solution is better incident prioritization with respect to determining probabilities. Determining probabilities and prioritizing incident are limitations nested in the abstract idea grouping of a mental process (e.g. observation, evaluation, judgment, opinion). A user can prioritize and calculate a probability without the use of a computer.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea) without significantly more than the judicial exception itself.
Regarding Step 1 of subject matter eligibility for whether the claims fall within a statutory category (See MPEP 2106.03), claims 1-20 are directed to a network component that includes a processor and memory, method, and computer-readable non-transitory storage media.
Regarding step 2A-1, Claims 1-20 recite a Judicial Exception. Exemplary independent claim 1 and similarly claims 8 and 15 recite the limitations of
…analyzing network activity…in response to analyzing the network activity, correlating data … determining, in real-time, an attack tactic risk score for one or more attack tactics based on a dataset of actual loss events by using one or more algorithms to layer information assessed from the actual loss events onto a base vulnerability score associated with at least one attack tactic of the one or more attack tactics; determining an incident risk score for the incident based on the attack tactic risk score…determining a priority value for an asset based at least in part on metadata associated with the asset, wherein: the asset is associated with the incident; and the priority value represents an indication of how important the asset is to a party; and generating an asset risk score for the asset based on the priority value of the asset and the incident risk score
These limitations, as drafted, are a process that, under its broadest reasonable interpretation cover concepts of analyzing, correlating, determining, and generating data. The claim limitations fall under the abstract idea grouping of mental process, because the limitations can be performed in the human mind, or by a human using a pen and paper. For example, but for the language of a processor and computer-readable non-transitory storage media, the claim language encompasses simply analyzing network activity, correlating data, and determining/generating risk scores. These are mere data manipulation steps that do not require a computer. For example, a user can look at a data sheet of network activity and determine/generate a risk score as well as a priority value.
The claims also recite generating risk scores and these risk scores are with respect to a business as seen in para 3. These make the claims fall in the abstract idea grouping of certain methods of organizing human activity (fundamental economic principles or practices; business relations, risk mitigation). It is clear the limitations recite these abstract idea groupings, but for the recitations of generic computer components. The mere nominal recitations of generic computer components does not take the limitations out of the mental process and certain methods of organizing human activity grouping. The claims are focused on the combination of these abstract idea processes.
Regarding step 2A-2- This judicial exception is not integrated into a practical application, and the claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception.
The claim recites the additional elements of network component, processor, memory, computer-readable non-transitory storage media, infrastructure and network points.
These components are recited at a high level of generality, and merely automate the steps. Each of the additional limitations is no more than mere instructions to apply the exception using a generic computer component.
The combination of these additional elements is no more than mere instructions to apply the exception using a generic computer components or software. Accordingly, even in combination, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea.
Further, the claims do not provide for recite any improvements to the functioning of a computer, or to any other technology or technical field; applying or using a judicial exception to effect a particular treatment or prophylaxis for a disease or medical condition; applying the judicial exception with, or by use of, a particular machine; effecting a transformation or reduction of a particular article to a different state or thing; or applying or using the judicial exception in some other meaningful way beyond generally linking the use of the judicial exception to a particular technological environment, such that the claim as a whole is more than a drafting effort designed to monopolize the exception.
The dependent claims have the same deficiencies as their parent claims as being directed towards an abstract idea, as the dependent claims merely narrow the scope of their parent claims. For example, the dependent claims further describe details about the incident such as the incident will lead to a financial loss. In addition, the dependent claims further describe the loss events being breach data and insurance data.
Regarding step 2B the claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception because claim 1 recites
Network component, processor, memory, network points, and infrastructure
Claim 8 recites method, however a method is not considered an additional element.
Claim 8 further recites network points and infrastructure
Claim 15 further recites computer-readable non-transitory storage media embodying, infrastructure and processor
When looking at these additional elements individually, the additional elements are purely functional and generic the Applicant specification states a general-purpose computer configurations as seen in para 023.
When looking at the additional elements in combination, the Applicant’s specification merely states a general-purpose computer configurations as seen in para 023. The computer components add nothing that is not already present when the steps are considered separately. See MPEP 2106.05
Looking at these limitations as an ordered combination and individually adds nothing additional that is sufficient to amount to significantly more than the recited abstract idea because they simply provide instructions to use generic computer components, recitations of generic computer structure to perform generic computer functions that are used to "apply" the recited abstract idea. Thus, the elements of the claims, considered both individually and as an ordered combination, are not sufficient to ensure that the claim as a whole amounts to significantly more than the abstract idea itself.
Since there are no limitations in these claims that transform the exception into a patent eligible application such that these claims amount to significantly more than the exception itself, claims 1-20 are rejected under 35 U.S.C. 101.
Conclusion
The prior art made of record and not relied upon considered pertinent to Applicant’s disclosure.
Zoldi (20180270266 A1) Discloses a system and method for assessing the cybersecurity breach risk associated with a given organization is disclosed. The system and method assume no internal visibility into any organizational network.
Elgressy (11636213 B1) Discloses systems, apparatuses, and methods for more effectively preparing for and responding to cybersecurity threats directed at people or at groups of people.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MUSTAFA IQBAL whose telephone number is (469)295-9241. The examiner can normally be reached Monday Thru Friday 9:30am-7:30 CST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Beth Boswell can be reached at (571) 272-6737. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/MUSTAFA IQBAL/Primary Examiner, Art Unit 3625