DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
The Amendment filed 17 October 2025 has been received and considered.
Claims 1-23 are pending with claims 24-25 canceled.
This Action is Final.
Claim Objections
The objection to Claim 22 is withdrawn based on the filed amendment.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-6, 11-18, 22, and 23 are rejected under 35 U.S.C. 103 as being unpatentable over Sharifi Mehr (US 10769045)(herein after “Mehr”) in view of Kawasaki et al. (US 20180375897).
As per claims 1, 15, 23, and 23, Mehr discloses a risk analysis system and method and an analysis target element determination apparatus and method where the systems include memory with instructions executed (see column 18 lines 1-13 and column 19 line 57 through column 20 line 3) to:
select a plurality of hosts included in a system to be analyzed; generate at least one virtual analysis element for each of the plurality of hosts; perform an analysis of whether an attack against the virtual analysis element of a group where a host that is an end point of the attack belongs is possible from the virtual analysis element of a group where a host that is a starting point of the attack belongs by using the virtual analysis element (see Fig. 6 and corresponding description in column 18 line 14 through column 19 line 56 where physical hosts are cloned as virtual devices for attack/vulnerability analysis);
determine, as a target of a risk analysis, a host corresponding to the virtual analysis element included in a path where the attack occurs among hosts included in the system to be analyzed on the basis of an analysis result of the analysis; and perform a second analysis of whether an attack against the host that is the end point of the attack is possible from the host that is the starting point of the attack, for the host determined as a target of the risk analysis (see Figs. 4 and 7 and their corresponding descriptions in, for example, column 14 lines 39-43 and column 19 line 57 through column 21 line 40 where the cloned resources are used to detect attacks/vulnerabilities in the physical system based on an initial starting attack).
Mehr fails to explicitly disclose the grouping of a plurality of hosts.
However, Kawasaki et al. teaches the grouping and filtering of attackable elements based on various criteria for the creation of virtual analysis (see paragraphs [0103]-[0106]).
At a time before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to include the grouping and filtering of Kawasaki et al. in the Mehr system.
Motivation to do so would have been to allow for removal of duplicate elements (see paragraph [0103]) thereby freeing system resources.
As per claims 2 and 16, the modified Mehr and Kawasaki et al. system discloses to generate, as the virtual analysis element, a representative host that is a virtual host corresponding to one or more hosts among hosts belonging to the group (see Mehr column 19 lines 7-56 and Kawasaki et al. paragraphs [0103]-[0105] where the cloned devices are representative of the physical system).
As per claims 3 and 17, the modified Mehr and Kawasaki et al. system discloses to merge attackable elements of hosts belonging to the group, and uses the merged attackable elements as an attackable element of the representative host (see Kawasaki et al. paragraphs [0103]-[0106]).
As per claim 4, the modified Mehr and Kawasaki et al. system discloses to select a host with the largest number of attackable elements or one or more hosts with a predetermined number or more of attackable elements among hosts belonging to the group, and uses the attackable element of the selected host as an attackable element of the representative host (see Mehr column 19 lines 7-56 and Kawasaki et al. paragraphs [0103]-[0106] where the entire host is cloned or every filtered element is cloned).
As per claim 5, the modified Mehr and Kawasaki et al. system discloses to select a host having an attackable element from a host of another group among hosts belonging to the group, and uses the attackable element of the selected host as an attackable element of the representative host (see Mehr column 19 lines 7-56 and Kawasaki et al. paragraphs [0103]-[0106] where different hosts and different filters will be used to create different cloned elements).
As per claims 6 and 18, the modified Mehr and Kawasaki et al. system discloses to exclude, from a target of the risk analysis, a host corresponding to the representative host not included in a path where the attack occurs among hosts included in the system to be analyzed (see Mehr column 19 lines 7-56 and Kawasaki et al. paragraphs [0103]-[0106] where certain hosts or elements thereof are not included based on the filtering and only hosts that are part of the attack or affected by the attack are analyzed).
As per claims 11-14, the modified Mehr and Kawasaki et al. system discloses to group the hosts for: each subnetwork to which the hosts belong, each range of the system to be analyzed separated by a predetermined boundary, each role of the hosts, and each configuration of the hosts (see Mehr column 19 lines 7-56 and Kawasaki et al. paragraphs [0103]-[0106]).
Claims 7-10 and 19-21 are rejected under 35 U.S.C. 103 as being unpatentable over the modified Mehr and Kawasaki et al. system as applied to claims 2 and 16 above, and further in view of Sellers (US 20210211466).
As per claims 7-10 and 19-21, the modified Mehr and Kawasaki et al. system discloses partitioning the system into predetermined units (see Mehr column 19 lines 7-56 and Kawasaki et al. paragraphs [0103]-[0106] the various cloned hosts/components), but fails to explicitly disclose to analyze whether a transition is possible from each state of a representative host that is a starting point of the partitioned unit to each state of a representative host that is an end point of the partitioned unit, to generate the representative host for each host having an attackable element that reaches each state of the host that is the end point of the partitioned unit and to exclude hosts not part of the path.
However, Sellers teaches the use of state information of an attack to determine which virtual hosts to add or remove (see paragraphs [0064]-[0066] where hosts not part of the attack will be removed to free resources to hosts that are part of the attack).
At a time before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to include the state information of Sellers as part of the host cloning determinations of the modified Mehr and Kawasaki et al. system.
Motivation, as recognized by one of ordinary skill in the art, to do so would have been to allow the system to be more dynamic.
Response to Arguments
Applicant's arguments filed 17 October 2025 have been fully considered but they are not persuasive. Applicant argues the combination of Mehr and Kawasaki fails to disclose “generat[ing] at least one virtual analysis element for each of the plurality of groups” and “perform[ing] an analysis of whether an attack against the virtual analysis element of a group where a host that is an end point of the attack belongs is possible from the virtual analysis element of a group where a host that is a starting point of the attack belongs by using the virtual analysis element” and “merge attackable elements of hosts belonging to the group, and uses the merged attackable elements as an attackable element of the representative host”; and the remaining references fail to cure this deficiency.
With respect to Applicant’s argument that the combination of Mehr and Kawasaki fails to disclose “generat[ing] at least one virtual analysis element for each of the plurality of groups” and “perform[ing] an analysis of whether an attack against the virtual analysis element of a group where a host that is an end point of the attack belongs is possible from the virtual analysis element of a group where a host that is a starting point of the attack belongs by using the virtual analysis element”, the Examiner respectfully disagrees. In Mehr the system creates cloned virtual resources of network resources (see, for example, Fig. 6). Furthermore, these cloned virtual resources represent different types of resources in the actual networked environment and are used to simulate an attack starting at one of the cloned virtual resources. These cloned virtual resources are organized into different types (see, for example, Fig. 4): Virtual Computing Resources, Data Storage Service, Virtual Network Service, and Authentication Service. These cloned resources represent different types, i.e. groups, and therefore there is a generation of at least one cloned resource for each of these different types. Furthermore, as shown in, for example, Fig. 4, the attack can start at one of these cloned virtual resources. While these different types of resources can be considered a “group” as claimed, it was further shown that grouping virtual devices for honeypots, i.e. attack analysis, was obvious by incorporating Kawasaki. At a time before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to include the grouping and filtering of Kawasaki et al. in the Mehr system in order to allow for removal of duplicate elements (see paragraph [0103]) thereby freeing system resources.
Therefore, the combination, as put forth above, renders obvious the “generat[ing] at least one virtual analysis element for each of the plurality of groups” and “perform[ing] an analysis of whether an attack against the virtual analysis element of a group where a host that is an end point of the attack belongs is possible from the virtual analysis element of a group where a host that is a starting point of the attack belongs by using the virtual analysis element” limitation(s).
With respect to Applicant’s argument that Mehr in view of Kawasaki fails to teach to “merge attackable elements of hosts belonging to the group, and uses the merged attackable elements as an attackable element of the representative host”, the Examiner respectfully disagrees. As put forth above, Mehr in view of Kawasaki teaches grouping of different elements and further teaches to filter these groups to eliminate duplicates. As such, when multiple of the same devices are present, they are represented by a single one of the duplicates and therefore considered merged. As such the combination of Mehr and Kawasaki renders obvious the limitation of “merge attackable elements of hosts belonging to the group, and uses the merged attackable elements as an attackable element of the representative host”. Furthermore, assuming, arguendo, the combination fails to render this limitation obvious, this is a well-known and common technique as evidenced by previously cited Guntur, which at column 5 lines 54-57 explicitly teaches merging honeypot resources into a single device. Thereby again showing this limitation is obvious.
Applicant’s remaining arguments are moot in view of the above response.
Conclusion
THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL J PYZOCHA whose telephone number is (571)272-3875. The examiner can normally be reached Monday-Thursday 7:30am-5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Hadi Armouche, can be reached at (571) 270-3618. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Michael Pyzocha/ Primary Examiner, Art Unit 2409