CTFR 18/183,094 CTFR 84351 Notice of Pre-AIA or AIA Status 07-03-aia AIA 15-10-aia The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. Claim Rejections - 35 USC § 101 07-04-01 AIA 07-04 35 U.S.C. 101 reads as follows: Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title. Claims 1-6, 8-15, 17-24, and 26-30 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. Independent claims 1, 10 and 19: Claims 1 is drawn to “a method”, claim 10 is drawn to “apparatus”, and claim 19 is drawn to “a non-transitory computer readable medium”, therefore each of these claim groups falls under one of four categories of statutory subject matter (process/method, machines/products/apparatus, manufactures, and compositions of matter). Claims 1, 10 and 19 is rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. Claims 1, 10 and 19 recites obtaining, at a resource group auditor, a set of paths from a plurality of access domains to a plurality of targets; assessing, at the resource group auditor, the set of paths to obtain a first subset of the set of paths that are unsecured, assessing, at the resource group auditor, a first portion of the set of paths that include one or more protection units to obtain a second subset of the set of paths that are path violation free; assessing, at the resource group auditor, a second portion of the set of paths that include the one or more protection units to obtain a third subset of the set of paths that include a path violation; and generating, at the resource group auditor, a report that includes the first subset and the third subset, determining, based on the report, that the first subset of the set of paths and the third subset of the set of paths are incorrectly configured; and based on determining that the first subset of the set of paths and the third subset of the set of paths are incorrectly configured, performing a corrective action comprising a configuration update of at least one protection unit of the one or more protection units. The limitation steps under its broadest reasonable interpretation, covers performance of the limitation in the mind. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind then it falls within the mental process/human activity grouping of abstract ideas. Accordingly, the claim recites an abstract idea. This judicial exception is not integrated into a practical application because the claim does not recite additional elements that integrate the judicial exception into a practical application. Claims 10 and 19 recite the additional elements of “at least one processor” as recited in the claim. However, at least one processor are recited at a high level of generality and are generic computer components such that they amount to no more than mere instructions to apply the exception using a generic computer. Mere instructions to apply an exception using a generic computer cannot provide an inventive concept. Accordingly, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea. Considering the claims as a whole, looking at the elements individually and in an ordered combination, does not integrate the abstract idea into a practical application using the considerations set forth above. The claims does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional elements of the processor and the memory including computer program codes are recited at a high level of generality and are generic computer components such that they amount to no more than mere instructions to apply the exception using a generic computer. Accordingly, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea. Thus, the claimed elements, either individually, or in the ordered combination do not add significantly more to the abstract idea. Dependent claims 2-9, 11-18 and 20-27 further clarify the concept recited in independent claims, however this clarification still falls under the concept recited in the independent claims and do not amount to significantly more than the judicial exception. Claim Rejections - 35 USC § 103 07-06 AIA 15-10-15 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. 07-20-aia AIA The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. 07-23-aia AIA The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows: 1. Determining the scope and contents of the prior art. 2. Ascertaining the differences between the prior art and the claims at issue. 3. Resolving the level of ordinary skill in the pertinent art. 4. Considering objective evidence present in the application indicating obviousness or nonobviousness. 07-21-aia AIA Claim s 1-6, 8-15, 17-24, and 26-30 are rejected under 35 U.S.C. 103 as being unpatentable over Brucker et al (2017/0171215) in views of Wang et al (WO 2022/269526) and Williams et al (7627891) . For claim 1, Brucker teaches that method for auditing resource groups across protection units (abstract), the method comprising: obtaining, at a resource group auditor, a set of paths from a plurality of access domains to a plurality of targets (Brucker teaches that a group represents a path or a set of paths that is necessary to successfully complete the process, this group enable the auditor to assess the violations together, which provides a deeper insight why a certain access control restrictions was violated, enables the analysis violations to be prioritized based on the risk/value associated with a certain goal and an auditor would need to analyze the unstructured log files for granted and denied access control decisions as Brucker teaches in par.35); assessing, at the resource group auditor, the set of paths to obtain a first subset of the set of paths that are unsecured (Brucker teaches that there are several paths and each path defining a series of tasks or subsets from a respective predecessor task that are performed to achieve the goal of the process, and providing the grouped violations which is unsecured path based on paths in the set of paths as Brucker teaches in par.5); assessing, at the resource group auditor, a first portion of the set of paths that include one or more protection units to obtain a second subset of the set of paths that are path violation free (Brucker teaches that portion of paths includes the task or subset and the process model are processed based on Algorithm 2, described above, to provide the set of granted accesses meaning path violation free as Brucker teaches in par.4 and 5 and 49); assessing, at the resource group auditor, a second portion of the set of paths that include the one or more protection units to obtain a third subset of the set of paths that include a path violation (Brucker teaches a task or subsets corresponding to the access control violation, processing the task and the process model to provide correlation data including one or more of grouped violations, a set of granted accesses, and a set of violations which third subsets as Brucker teaches as in par.4, and 62), determining, based on the report, that the first subset of the set of paths and the third subset of the set of paths are incorrectly configured (Brucker teaches that The policy management system 206 includes a policy/security store 218 (database) that stores configurations that describe the current security policy (e.g., the access control policy, user-role-configuration, etc.) of respective processes. In some examples, an administrator 228 can interact with the policy management system 206 using a computing device 230 (e.g., to create, edit, or delete policies) as Brucker teaches in par.52). Brucker fails to teach generating, at the resource group auditor, a report that includes the first subset and the third subset, based on determining that the first subset of the set of paths and the third subset of the set of paths are incorrectly configured, performing a corrective action comprising a configuration update of at least one protection unit of the one or more protection units. Wang teaches, similar system, generating, at the resource group auditor, a report that includes the first subset and the third subset (Wang teaches that Based on the verification results, the Compliance Verifier and Report complies an auditing report which includes a list of instances that violate the security property and provides this auditing report to the system auditor as Wang teaches in par.2 in page 20). It would have been obvious to one ordinary skill in the art before effective filling date to modify Brucker to include generating report as taught and suggested by Wang the purpose of facilitating formal verification of compliance of a security property in a virtual infrastructure is disclosed, the security manager being configured to acquire a plurality of datapoints from the virtual infrastructure, wherein each datapoint represents an instance to be verified as to its compliance to the security property (Wang, abstract). Williams teaches, similar system, based on determining that the first subset of the set of paths and the third subset of the set of paths are incorrectly configured, performing a corrective action comprising a configuration update of at least one protection unit of the one or more protection units (Williams teaches that The compliance server 10 analyzes data gathered by the audit servers 12, and assesses policy violations and vulnerability risks, and makes recommendations for improving the security and policies of the network. The compliance server 10 further aids in the creation, configuration, editing, testing, and deployment of security and regulation policies for use during the network audits. The compliance server 10 also provides consolidated visibility into the security of the network and the various assessments that have been made about policy compliance, via various types of reports that may be generated manually or automatically based on predetermined conditions, by generating a remediation task 501 for a policy or vulnerability rule violation noted in the compliance document 340. Information on the generated remediation task may also be displayed in one or more reports 500. Such information may indicate whether the task is for a policy violation or a vulnerability detection, the name of the policy or vulnerability rule, the severity measure for the rule, an address of the host in which the violation or vulnerability was noted, and the date in which the violation or vulnerability was detected. A network administrator may then assign the remediation task to a particular person or entity for improving the security of the global network. The status of the assigned remediation task is tracked and made available in the reports 500 generated by the system, ARS may then notify its users accordingly. These users may update their tasks via the ARS, or, if associated with an authorized user of the network security audit system, update the tasks via the remediation update function. Updates made via the third-party ARS are pulled into the network security audit system, and transmitted to the remediation update function as Williams teaches in col.5, lines 59-68, col.17, lines 59- 68 and col.19, lines 10-40). It would have been obvious to one ordinary skill in the art before effective filling date to modify Brucker to include a configuration update of at least one protection unit of the one or more protection units as taught and suggested by Williams the purpose of providing automated assessment of security and regulatory policies, network vulnerability analysis, manages remediation efforts, and makes recommendations for improving the security of the network, to help prevent attacks before they occur (Williams, col.1, lines 25-30). For claims 2, 11, 20 , Brucker, as modified by Wang and Williams, further teaches that further comprising determining the first subset based on determining that paths in the first subset are not secured by any protection units (Brucker teaches that access control violations can be grouped based on the goal(s) to be achieved by the underlying process. The idea of grouping access control violations based on the underlying process (e.g., the process model) is based on the observation that users do not want to execute a certain task. Instead, users would like to achieve a particular goal or goals as Brucker teaches in par.4 and 34). For claims 3, 12, 21 , Brucker, as modified by Wang and Williams, further teaches further comprising determining, by the resource group auditor, that the second subset includes paths that are path violation free based on determining that a data unit is allowed to pass from one of the plurality of access domains to one of the plurality of targets via one or more protection units (Brucker teaches that the PDP evaluates, at runtime, an access control request and decides, based on the current security state, if this request should be granted or not. For example, the PDP 214 can receive an access control request from a PEP 212 , can determine an access control decision, communicate the access control decision back to the PEP 212 , and log the access control decision in the system log 208 . For example, the PDP 214 can approve/disapprove an approve absence request (e.g., the approve absence task 104 of FIG. 1) based on who is providing the approval (e.g., if the same user that requested travel is also approving the absence, the access control decision can be a denial as Brucker teaches in par.49). For claims 4, 13, 22 , Brucker, as modified by Wang and Williams, further teaches further comprising determining, by the resource group auditor, that the third subset includes paths having a violation based on determining that a conflict exists between a first protection unit and a second protection unit along a path of the third subset (Brucker teaches that the correlation between such that enforces a security policy and logs access control decisions (e.g., access granted/denied), as well as overridden access control requests (e.g., break-glass). For example, a PEP 212 can transmit an access control request and receive an access control decision, which can be communicated to a user as Brucker teaches in par.48 and 49). For claims 5, 14, 23 , Brucker, as modified by Wang and Williams, further teaches wherein the conflict comprises a determination that a particular access domain of the plurality of targets is allowed to access a particular target or the plurality of targets according to a first configuration of the first protection unit, and that the particular access domain is not allowed to access the particular target according to a second configuration of the second protection unit (Brucker teaches that the correlation data includes grouped violations, a set of granted accesses, and/or a set of violations. In some examples, the task and the process model are processed based on Algorithm 1, described above, to provide the grouped violations. In some examples, the task and the process model are processed based on Algorithm 2, described above, to provide the set of granted accesses and the set of violations. The correlation data is transmitted to a client-side computing device for display to a user ( 408 ). For example, the VCM 216 transmits the correlation data to the computing device 226 for display to the auditor as Brucker teach in par.62). For claims 6, 15, 24 , Brucker, as modified by Wang and Williams, further teaches wherein the report is assessed by an access control administrator to determine whether to perform a corrective action (Brucker teaches that the policy management system 206 enables security policies to be created, edited, and deleted as Brucker teaches in par.52). For claims 8, 17, 26 , Brucker, as modified by Wang and Williams, further teaches wherein assessing the first portion of the set of paths to obtain the second subset comprises: removing the first subset from the set of paths to obtain a set of remaining paths (Brucker teachers that of removing or deleting paths as Brucker teaches in par.42 and 52); dividing a resource group associated with an access domain of the plurality of access domains into one or more resource group portions (Brucker teaches that violations and/or access grants are grouped based on log information. In some examples, violations and/or granted accesses that are necessary to achieve a certain goal (a (successful) end state of the underlying process) are grouped. In some examples, a group represents a path or a set of paths that is necessary to successfully complete the process as Brucker teaches in par.34-36); and performing a traversal between the access domain and a target of the plurality of targets for a resource group portion of the one or more resource group portions to determine that the target is accessible by the access domain within the resource group portion (Brucker teaches that of a user tries to override a denied access control decision, and a set of paths that result in a successful execution of the process is ordered by the number of access control constraints that subsequently need to be overridden. This set of paths, ordered from the path with the least number of overrides to the paths with the most overrides, is presented to the user as a recommendation on how to proceed. In some implementations, the user might have the choice to select between different tasks. In such an example, the system could present the user with the options for all tasks the user might want to override to allow the users to select the next step with the total least number of subsequent overrides as Brucker teaches in par.58). For claims 9, 18, 27 , Brucker, as modified by Wang and Williams, further teaches wherein assessing the second portion of the set of paths to obtain the third subset comprises: removing the first subset from the set of paths to obtain a set of remaining paths (Brucker teachers that of removing or deleting one of the paths as Brucker teaches in par.42 and 52); dividing a resource group associated with an access domain of the plurality of access domains into one or more resource group portions (Brucker teaches that violations and/or access grants are grouped based on log information. In some examples, violations and/or granted accesses that are necessary to achieve a certain goal (a (successful) end state of the underlying process) are grouped. In some examples, a group represents a path or a set of paths that is necessary to successfully complete the process as Brucker teaches in par.34-36); and performing a traversal between the access domain and a target of the plurality of targets for a resource group portion of the one or more resource group portions to determine that access to the target from the access domain is blocked by at least one protection unit (Brucker teaches that of a user tries to override a denied access control decision, and a set of paths that result in a successful execution of the process is ordered by the number of access control constraints that subsequently need to be overridden. This set of paths, ordered from the path with the least number of overrides to the paths with the most overrides, is presented to the user as a recommendation on how to proceed. In some implementations, the user might have the choice to select between different tasks. In such an example, the system could present the user with the options for all tasks the user might want to override to allow the users to select the next step with the total least number of subsequent overrides as Brucker teaches in par.58). For claim 10 , Brucker teaches that an apparatus for auditing resource groups across protection units (abstract), the apparatus comprising: at least one memory; and at least one processor coupled to the at least one memory (par.63) and configured to: obtain a set of paths from a plurality of access domains to a plurality of targets (Brucker teaches that a group represents a path or a set of paths that is necessary to successfully complete the process, this group enable the auditor to assess the violations together, which provides a deeper insight why a certain access control restrictions was violated, enables the analysis violations to be prioritized based on the risk/value associated with a certain goal and an auditor would need to analyze the unstructured log files for granted and denied access control decisions as Brucker teaches in par.35); assess the set of paths to obtain a first subset of the set of paths that are unsecured (Brucker teaches that there are several paths and each path defining a series of tasks or subsets from a respective predecessor task that are performed to achieve the goal of the process, and providing the grouped violations which is unsecured path based on paths in the set of paths as Brucker teaches in par.5); assess a first portion of the set of paths that include one or more protection units to obtain a second subset of the set of paths that are path violation free (Brucker teaches that portion of paths includes the task or subset and the process model are processed based on Algorithm 2, described above, to provide the set of granted accesses meaning path violation free as Brucker teaches in par.4 and 5 and 49); assess a second portion of the set of paths that include the one or more protection units to obtain a third subset of the set of paths that include a path violation (Brucker teaches a task or subsets corresponding to the access control violation, processing the task and the process model to provide correlation data including one or more of grouped violations, a set of granted accesses, and a set of violations which third subsets as Brucker teaches as in par.4, and 62), determine, based on the report, that the first subset of the set of paths and the third subset of the set of paths are incorrectly configured (Brucker teaches that The policy management system 206 includes a policy/security store 218 (database) that stores configurations that describe the current security policy (e.g., the access control policy, user-role-configuration, etc.) of respective processes. In some examples, an administrator 228 can interact with the policy management system 206 using a computing device 230 (e.g., to create, edit, or delete policies) as Brucker teaches in par.52). Brucker fails to teach generate a report that includes the first subset and the third subset, based on determining that the first subset of the set of paths and the third subset of the set of paths are incorrectly configured, performing a corrective action comprising a configuration update of at least one protection unit of the one or more protection units. Wang teaches, similar system, generate, at the resource group auditor, a report that includes the first subset and the third subset (Wang teaches that Based on the verification results, the Compliance Verifier and Report complies an auditing report which includes a list of instances that violate the security property and provides this auditing report to the system auditor as Wang teaches in par.2 in page 20). It would have been obvious to one ordinary skill in the art before effective filling date to modify Brucker to include generating report as taught and suggested by Wang the purpose of facilitating formal verification of compliance of a security property in a virtual infrastructure is disclosed, the security manager being configured to acquire a plurality of datapoints from the virtual infrastructure, wherein each datapoint represents an instance to be verified as to its compliance to the security property (Wang, abstract). Williams teaches, similar system, based on determining that the first subset of the set of paths and the third subset of the set of paths are incorrectly configured, performing a corrective action comprising a configuration update of at least one protection unit of the one or more protection units (Williams teaches that The compliance server 10 analyzes data gathered by the audit servers 12, and assesses policy violations and vulnerability risks, and makes recommendations for improving the security and policies of the network. The compliance server 10 further aids in the creation, configuration, editing, testing, and deployment of security and regulation policies for use during the network audits. The compliance server 10 also provides consolidated visibility into the security of the network and the various assessments that have been made about policy compliance, via various types of reports that may be generated manually or automatically based on predetermined conditions, by generating a remediation task 501 for a policy or vulnerability rule violation noted in the compliance document 340. Information on the generated remediation task may also be displayed in one or more reports 500. Such information may indicate whether the task is for a policy violation or a vulnerability detection, the name of the policy or vulnerability rule, the severity measure for the rule, an address of the host in which the violation or vulnerability was noted, and the date in which the violation or vulnerability was detected. A network administrator may then assign the remediation task to a particular person or entity for improving the security of the global network. The status of the assigned remediation task is tracked and made available in the reports 500 generated by the system, ARS may then notify its users accordingly. These users may update their tasks via the ARS, or, if associated with an authorized user of the network security audit system, update the tasks via the remediation update function. Updates made via the third-party ARS are pulled into the network security audit system, and transmitted to the remediation update function as Williams teaches in col.5, lines 59-68, col.17, lines 59-68 and col.19, lines 10-40). It would have been obvious to one ordinary skill in the art before effective filling date to modify Brucker to include a configuration update of at least one protection unit of the one or more protection units as taught and suggested by Williams the purpose of providing automated assessment of security and regulatory policies, network vulnerability analysis, manages remediation efforts, and makes recommendations for improving the security of the network, to help prevent attacks before they occur (Williams, col.1, lines 25-30). For claim 19 , Brucker teaches that A non-transitory computer-readable medium having stored thereon instructions that, when executed by at least one processor (par.4), cause the at least one processor to: obtain a set of paths from a plurality of access domains to a plurality of targets(Brucker teaches that a group represents a path or a set of paths that is necessary to successfully complete the process, this group enable the auditor to assess the violations together, which provides a deeper insight why a certain access control restrictions was violated, enables the analysis violations to be prioritized based on the risk/value associated with a certain goal and an auditor would need to analyze the unstructured log files for granted and denied access control decisions as Brucker teaches in par.35); assess the set of paths to obtain a first subset of the set of paths that are unsecured (Brucker teaches that there are several paths and each path defining a series of tasks or subsets from a respective predecessor task that are performed to achieve the goal of the process, and providing the grouped violations which is unsecured path based on paths in the set of paths as Brucker teaches in par.5); assess a first portion of the set of paths that include one or more protection units to obtain a second subset of the set of paths that are path violation free (Brucker teaches that portion of paths includes the task or subset and the process model are processed based on Algorithm 2, described above, to provide the set of granted accesses meaning path violation free as Brucker teaches in par.4 and 5 and 49); assess a second portion of the set of paths that include the one or more protection units to obtain a third subset of the set of paths that include a path violation (Brucker teaches a task or subsets corresponding to the access control violation, processing the task and the process model to provide correlation data including one or more of grouped violations, a set of granted accesses, and a set of violations which third subsets as Brucker teaches as in par.4, and 62). determine, based on the report, that the first subset of the set of paths and the third subset of the set of paths are incorrectly configured (Brucker teaches that The policy management system 206 includes a policy/security store 218 (database) that stores configurations that describe the current security policy (e.g., the access control policy, user-role-configuration, etc.) of respective processes. In some examples, an administrator 228 can interact with the policy management system 206 using a computing device 230 (e.g., to create, edit, or delete policies) as Brucker teaches in par.52). Brucker fails to teach generate a report that includes the first subset and the third subset, based on determining that the first subset of the set of paths and the third subset of the set of paths are incorrectly configured, performing a corrective action comprising a configuration update of at least one protection unit of the one or more protection units. Wang teaches, similar system, generate, at the resource group auditor, a report that includes the first subset and the third subset (Wang teaches that Based on the verification results, the Compliance Verifier and Report complies an auditing report which includes a list of instances that violate the security property and provides this auditing report to the system auditor as Wang teaches in par.2 in page 20). It would have been obvious to one ordinary skill in the art before effective filling date to modify Brucker to include generating report as taught and suggested by Wang the purpose of facilitating formal verification of compliance of a security property in a virtual infrastructure is disclosed, the security manager being configured to acquire a plurality of datapoints from the virtual infrastructure, wherein each datapoint represents an instance to be verified as to its compliance to the security property (Wang, abstract). Williams teaches, similar system, based on determining that the first subset of the set of paths and the third subset of the set of paths are incorrectly configured, performing a corrective action comprising a configuration update of at least one protection unit of the one or more protection units (Williams teaches that The compliance server 10 analyzes data gathered by the audit servers 12, and assesses policy violations and vulnerability risks, and makes recommendations for improving the security and policies of the network. The compliance server 10 further aids in the creation, configuration, editing, testing, and deployment of security and regulation policies for use during the network audits. The compliance server 10 also provides consolidated visibility into the security of the network and the various assessments that have been made about policy compliance, via various types of reports that may be generated manually or automatically based on predetermined conditions, by generating a remediation task 501 for a policy or vulnerability rule violation noted in the compliance document 340. Information on the generated remediation task may also be displayed in one or more reports 500. Such information may indicate whether the task is for a policy violation or a vulnerability detection, the name of the policy or vulnerability rule, the severity measure for the rule, an address of the host in which the violation or vulnerability was noted, and the date in which the violation or vulnerability was detected. A network administrator may then assign the remediation task to a particular person or entity for improving the security of the global network. The status of the assigned remediation task is tracked and made available in the reports 500 generated by the system, ARS may then notify its users accordingly. These users may update their tasks via the ARS, or, if associated with an authorized user of the network security audit system, update the tasks via the remediation update function. Updates made via the third-party ARS are pulled into the network security audit system, and transmitted to the remediation update function as Williams teaches in col.5, lines 59-68, col.17, lines 59-68 and col.19, lines 10-40). It would have been obvious to one ordinary skill in the art before effective filling date to modify Brucker to include a configuration update of at least one protection unit of the one or more protection units as taught and suggested by Williams the purpose of providing automated assessment of security and regulatory policies, network vulnerability analysis, manages remediation efforts, and makes recommendations for improving the security of the network, to help prevent attacks before they occur (Williams, col.1, lines 25-30). For claim 28 , Brucker, as modified by Wang and Williams, fails to teach wherein the configuration update comprises adding an additional protection unit of the one or more protection units to at least one path of the first subset of the set of paths that are unsecured. Williams further teaches that wherein the configuration update comprises adding an additional protection unit of the one or more protection units to at least one path of the first subset of the set of paths that are unsecured (Williams teaches that remediation management and reporting sub-module 412 provides a GUI for assigning remediation tasks, updating tasks status, adding third-party ARS, and generating associated reports as Williams teaches in col.5, lines 59-68, col.17, lines 59-68 and col.19, lines 10-40 and col.21, lines 10-35). It would have been obvious to one ordinary skill in the art before effective filling date to modify Brucker to include an additional protection unit as taught and suggested by Williams the purpose of providing automated assessment of security and regulatory policies, network vulnerability analysis, manages remediation efforts, and makes recommendations for improving the security of the network, to help prevent attacks before they occur (Williams, col.1, lines 25-30). For claim 29 , Brucker, as modified by Wang and Williams, fails to teach wherein the configuration update comprises changing at least one path of the third subset of the set of paths to propagate through at least one protection unit of the one or more protection units. Williams further teaches wherein the configuration update comprises changing at least one path of the third subset of the set of paths to propagate through at least one protection unit of the one or more protection units (Williams teaches that Remediation tasks may be assigned based on roles, geographic responsibility, and the like. If the answer is YES, the status of the remediation task is changed to an assigned state 30 as Williams teaches in col.5, lines 59-68, col.17, lines 59-68 and col.19, lines 10-40 and col.21, lines 10-35). It would have been obvious to one ordinary skill in the art before effective filling date to modify Brucker to include changing at least one path as taught and suggested by Williams the purpose of providing automated assessment of security and regulatory policies, network vulnerability analysis, manages remediation efforts, and makes recommendations for improving the security of the network, to help prevent attacks before they occur (Williams, col.1, lines 25-30). For claim 30 , Brucker, as modified by Wang and Williams, fails to teach wherein the configuration update comprises removing at least one or more paths of the first subset of the set of paths or one or more paths of the third subset of the set of paths. Williams further teaches wherein the configuration update comprises removing at least one or more paths of the first subset of the set of paths or one or more paths of the third subset of the set of paths (Williams teaches that Audit configuration functions encompass the creation, editing, and removal of audit configurations, which, according to one embodiment of the invention, represent specific schemes for performing network security audits as Williams teaches in col.5, lines 59-68, col.17, lines 59-68 and col.19, lines 10-40 and col.21, lines 10-35). It would have been obvious to one ordinary skill in the art before effective filling date to modify Brucker to include changing at least one path as taught and suggested by Williams the purpose of providing automated assessment of security and regulatory policies, network vulnerability analysis, manages remediation efforts, and makes recommendations for improving the security of the network, to help prevent attacks before they occur (Williams, col.1, lines 25-30). Response to Amendments/Arguments Applicant’s arguments with respect to claim(s) 1-6, 8-15, 17-24, and 26-30 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument. With respect to applicant argument of 101 rejection that the current amendment overcome the 101 rejections, however, the examiner respectfully disagrees with applicant because claims still do not include additional elements that are sufficient to amount to significantly more than the judicial exception. The newly amended language still directed to steps of determining i.e. also categorized as mental steps. As discussed above with respect to integration of the abstract idea into a practical application, the additional elements of processor, memory and supervised learning model are recited at a high level of generality and are generic computer components such that they amount to no more than mere instructions to apply the exception using a generic computer. Accordingly, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea. Thus, the claimed elements, either individually, or in the ordered combination do not add significantly more to the abstract idea. The applicant’s arguments regarding the amendment limitation in claims 1, 10 and 19, has been considered but is moot, because the examiner applied new art, Williams et al (7627891), that covers newly claimed limitation. Regarding dependent claims arguments, said arguments are moot because the applied references are not considered to have alleged differences, and therefore are considered to properly show that for which they were cited. Conclusion 07-40 AIA Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL . See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to AYUB A MAYE whose telephone number is (571)270-5037. The examiner can normally be reached Monday-Friday 9AM-5PM. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, SHEWAYE GELAGAY can be reached at 571-272-4219. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /AYUB A MAYE/Examiner, Art Unit 2436 /KHOI V LE/Primary Examiner, Art Unit 2436 Application/Control Number: 18/183,094 Page 2 Art Unit: 2436 Application/Control Number: 18/183,094 Page 3 Art Unit: 2436 Application/Control Number: 18/183,094 Page 4 Art Unit: 2436 Application/Control Number: 18/183,094 Page 5 Art Unit: 2436 Application/Control Number: 18/183,094 Page 6 Art Unit: 2436 Application/Control Number: 18/183,094 Page 7 Art Unit: 2436 Application/Control Number: 18/183,094 Page 8 Art Unit: 2436 Application/Control Number: 18/183,094 Page 9 Art Unit: 2436 Application/Control Number: 18/183,094 Page 10 Art Unit: 2436 Application/Control Number: 18/183,094 Page 11 Art Unit: 2436 Application/Control Number: 18/183,094 Page 12 Art Unit: 2436 Application/Control Number: 18/183,094 Page 13 Art Unit: 2436 Application/Control Number: 18/183,094 Page 14 Art Unit: 2436 Application/Control Number: 18/183,094 Page 15 Art Unit: 2436 Application/Control Number: 18/183,094 Page 16 Art Unit: 2436 Application/Control Number: 18/183,094 Page 17 Art Unit: 2436 Application/Control Number: 18/183,094 Page 18 Art Unit: 2436 Application/Control Number: 18/183,094 Page 19 Art Unit: 2436 Application/Control Number: 18/183,094 Page 20 Art Unit: 2436 Application/Control Number: 18/183,094 Page 21 Art Unit: 2436 Application/Control Number: 18/183,094 Page 22 Art Unit: 2436 Application/Control Number: 18/183,094 Page 23 Art Unit: 2436 Application/Control Number: 18/183,094 Page 24 Art Unit: 2436 Application/Control Number: 18/183,094 Page 25 Art Unit: 2436