Prosecution Insights
Last updated: April 19, 2026
Application No. 18/206,971

SYSTEM AND METHOD FOR ASSESSING CYBER-BASED DATA PROTECTION EXPOSURE USING ARTIFICIAL INTELLIGENCE

Non-Final OA §103
Filed: Jun 07, 2023
Examiner: DAY, JASMINE MOCHEN
Art Unit: 2499
Tech Center: 2400 — Computer Networks
Assignee: BANK OF AMERICA CORPORATION
OA Round: 3 (Non-Final)
Grant Probability: 92% (Favorable)
OA Rounds: 3-4
To Grant: 2y 11m
With Interview: 99%

Examiner Intelligence

Grants 92% — above average
Career Allow Rate: 92% (11 granted / 12 resolved; +33.7% vs TC avg)
Strong +33% interview lift
Interview Lift: +33.3% (resolved cases with interview)
Typical timeline
Avg Prosecution: 2y 11m (18 currently pending)
Career history
Total Applications: 30 (across all art units)

Statute-Specific Performance

§101: 1.3% (-38.7% vs TC avg)
§103: 49.7% (+9.7% vs TC avg)
§102: 35.3% (-4.7% vs TC avg)
§112: 11.1% (-28.9% vs TC avg)
Based on career data from 12 resolved cases

Office Action

§103
Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Detailed Action

The following is a non-final office action in response to communications received December 03, 2025. Claims 1, 8 and 15 are amended. Claims 7, 14 and 20 are canceled. Therefore, claims 1-6, 8-13 and 15-19 are pending and addressed below.

Continued Examination Under 37 CFR 1.114

A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on December 03, 2025 has been entered.

Response to Arguments

Applicant's arguments filed December 03, 2025 have been fully considered but they are not persuasive for the following reasons:

Applicant's arguments with respect to the rejections of amended claims 1, 8 and 15 under 35 U.S.C. 103 have been fully considered but are moot because the new ground of rejection does not rely on any citation applied in the prior rejection of record for any teaching or matter specifically challenged in the argument. A new ground of rejection under 35 U.S.C. 103 is made in view of the combination of prior art of Steele (US PG-PUB No. 20190166153 A1), McGovern (US PG-PUB No. 20090024663 A1) and Primor (US PG-PUB No. 20210360017 A1). (see below rejection details) Therefore, claims 1, 8 and 15 are rejected under 35 U.S.C. 103. As claims 2-6 are dependent directly or indirectly on claim 1, claims 9-13 are dependent directly or indirectly on claim 8, claims 16-19 are dependent directly or indirectly on claim 15, applicant’s argument with respect to the rejections of claims 2-6, 9-13 and 16-19 are moot.
Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-4, 6, 8-11, 13 and 15-18 are rejected under 35 U.S.C. 103 as being unpatentable over Steele (US PG-PUB No. 20190166153 A1) in view of McGovern (US PG-PUB No. 20090024663 A1), and in further view of Primor (US PG-PUB No. 20210360017 A1).

Regarding claim 1, claim 8 and claim 15, Steele teaches a system, a product and a method, the system assessing cyber-based data protection exposure using artificial intelligence, the system comprising: a memory device with computer-readable program code stored thereon; at least one processing device operatively coupled to the at least one memory device and the at least one communication device, wherein executing the computer-readable code is configured to cause the at least one processing device to perform the following operations (Paragraph [0003]: “The invention utilizes a two-component system (vulnerability assessment system) to detect security vulnerabilities for a user and generate a vulnerability assessment for each individual user. The first component of the system is an information threat assessment engine”. Paragraph [0004]: “The second component of the system is an analytics engine, which may comprise a machine learning component (the engine compiles an assessment using artificial intelligence) which is configured to detect threat patterns and anomalies in order to generate specific mitigation actions for the user.” Paragraph [0036]: “FIG. 1, the vulnerability assessment system 207 generally comprises a communication device 246, a processing device 248, and a memory device 250.”): compile an assessment of cyber-based data exposure of an entity using an artificial intelligence, said entity comprised of: a set of cyber-based data; an internal set of cyber-based protective measures; an external set of cyber-based protective measures (Paragraph [0006]: “The system leverages existing data to give users a vulnerability assessment or rating based on external dark web data (SSN, email, birth date, and other personal data on the Internet) (cyber-based data), credit card misappropriation trends (from financial institution systems), and the like. 
The system could also leverage/source existing external privacy services such as dark web search (using email addresses or the like), or other similar services to aggregate the appropriate external data in real time. The point of the invention is to collect both internal and external data elements (a set of cyber-based data) to give users a view of their exposure via the vulnerability assessment (assessing cyber-based data protection exposure).”); compare the assessment of cyber-based data exposure against an open-source database (Paragraph [0029]: “the system may combine internal and external vulnerability data and utilize an information threat assessment engine to review and compare user vulnerabilities (compare the assessment of cyber-based data exposure) to other users (from open-source) to identify a relative vulnerability assessment for the user.” Paragraph [0046] further discloses the other users or third parties, such as open source threat data 112 (open-source database).”); generate an analysis of cyber-based data protection exposure associated with the entity based on the comparison of the assessment of cyber-based data exposure against the open-source database (Paragraph [0029] discloses after the comparison of the assessment of cyber-based data exposure against the open-source database, the system may then generate a user vulnerability level (generate an analysis of data protection exposure associated with the entity) that gives the user a view of vulnerabilities for privacy misappropriation.), wherein the analysis of cyber-based data protection exposure associated with the entity comprises a quantification of exposure of the set of cyber-based data comprising a range of values bracketed by a low impact value and a high impact value (Paragraph [0054]: “the security threat level described herein may include a ranking of the vulnerabilities that are potential to the user based on potential security threats. 
In embodiments of the invention, the ranking may include a general ranking (e.g., high, medium, low, or the like), a specific score, continuum, or the like (the analysis comprises a quantification of exposure of the set of cyber-based data comprising a range of values bracketed by a low impact value and a high impact value). In some embodiments a score may be based on the external data 110 and the internal data 120. In some embodiments the score may be a measurement of the likelihood of having a security threat event. In some embodiments, the score may be based on scoring of the weighted factors of the external data 110 and the internal data 120.”); categorize the analysis of cyber-based protection exposure associated with the entity into a set of predetermined categories (Paragraph [0050]: “Different types of assessments (a set of predetermined categories) may include self-assessments provided by the third-party to the entity, online assessments provided by the entity to the third-party, and/or onsite assessments for which a user associated with the entity travels to the third-party to review the third party processes, its applications, and/or its systems. 
The assessment data 126 may further include a frequency of assessments indicating how often a third party should be assessed and what type of assessments should be used to make the assessments (categorize the analysis into a set of predetermined categories).”); and

Steele fails to explicitly teach, but McGovern teaches said entity comprised of an internal set of cyber-based protective measures; an external set of cyber-based protective measures (Paragraph [0020]: “The information system 100 (information security assessment system of an organization or entity, as taught in paragraph [0019]) may have a fairly expansive IT infrastructure that is accessible by both internal clients 10 and external clients 20.” Paragraph [0021]: “the information system 100 may implement a suite of security measures (internal and external set of cyber-based protective measures)”);

Steele and McGovern are both considered to be analogous to the claimed invention because they both teach assessing data protection and information security. Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the entity disclosed by Steele with adding internal and external set of cyber-based security measures disclosed by McGovern. One of the ordinary skills in the art would have been motivated to make this modification in order to securely exchange information over public networks, as suggested by McGovern in paragraph [0021].

Steele and McGovern, hereinafter SM, fail to explicitly teach, but Primor teaches generate recommended internal and external cyber-based protective measures to reduce cyber-based data exposure of the entity based on the analysis of cyber-based data protection exposure, wherein the recommended internal and external cyber-based protective measures are drawn from the open-source database (Paragraph [0060]: “Some demonstrative embodiments may include a system and a method for generating a dynamic cyber risk assessment. The method may generate a set of cyber security risk measures according to the internal and/or external environment of an organization. The cyber secRisk measures may be calculated statistically based on a set of data collected, both from the organization and from known cyber threats (generate recommended internal and external cyber-based protective measures based on the analysis of cyber-based data protection exposure).”; Paragraph [0082]: “In some demonstrative embodiments, the external security data may include a set of security measures and best practices measures, based on known methodologies such as, for example, ISO 27001 and/or NIST and/or any other proprietary methodologies (the recommended internal and external cyber-based protective measures are drawn from the open-source database.)”).

SM and Primor are both considered to be analogous to the claimed invention because they both teach generating cyber risk assessment for data protection in information security. 
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the system, product and method disclosed by SM with adding generating recommended internal and external cyber-based protective measures to reduce cyber-based data exposure of the entity based on the analysis of cyber-based data protection exposure, wherein the recommended internal and external cyber-based protective measures are drawn from the open-source database disclosed by Primor. One of the ordinary skills in the art would have been motivated to make this modification in order to prevent cyberattacks and prevent damages to computers, computer networks, organizations and the like, as suggested by Primor in paragraph [0004].

Regarding claim 2, claim 9 and claim 16, SM and Primor, hereinafter SMP, teaches all of the features with respect to claim 1, claim 8 and claim 15, as outlined above. McGovern further teaches wherein the internal set of cyber-based protective measures comprises: a set of protective protocols within the entity; a set of protective procedures within the entity; and a set of internal protective mechanisms (Paragraph [0025]: “the information system 100 may implement identity and access management (I&AM) (a set of internal/external protective procedures) at various access gateways (security measures) such as the external firewall 103 (external protective mechanism) and the internal firewall 101 (internal protective mechanism). 
The purpose of I&AM measures is not limited to blocking unauthorized intruders (by external protective procedures), but also to give each authorized user the appropriate type and scope of access to the information system 100 (by internal protective procedures)” Paragraph [0030] teaches security parameters identified in the Internet standards or proposed standards or protocols for information security assessment, such as IPsec protocol suite (internal/external protective protocols)).

Regarding claim 3, claim 10 and claim 17, SMP teaches all of the features with respect to claim 1, claim 8 and claim 15, as outlined above. McGovern further teaches wherein the external set of cyber-based protective measures comprises: a set of external protective protocols; a set of external protective procedures; and a set of external protective mechanisms (Paragraph [0025]: “the information system 100 may implement identity and access management (I&AM) (a set of internal/external protective procedures) at various access gateways (security measures) such as the external firewall 103 (external protective mechanism) and the internal firewall 101 (internal protective mechanism). The purpose of I&AM measures is not limited to blocking unauthorized intruders (by external protective procedures), but also to give each authorized user the appropriate type and scope of access to the information system 100 (by internal protective procedures)”; Paragraph [0030] teaches security parameters identified in the Internet standards or proposed standards or protocols for information security assessment, such as IPsec protocol suite (internal/external protective protocols)).

Regarding claim 4, claim 11 and claim 18, SMP teaches all of the features with respect to claim 1, claim 8 and claim 15, as outlined above. 
Steele further teaches wherein the set of cyber-based data comprises: a set of data received by the entity from an external source; a set of data transmitted by the entity to the external source; and a set of data stored within the entity (Paragraph [0045]: “in FIG. 2 the vulnerability assessment system may be developed based on external data 110 it receives from an external source (a set of data received by the entity from an external source) and/or internal data 120 it captures from within the entity system (a set of data stored within the entity), in order to identify potential vulnerabilities and security threats for a user. As illustrated by block 130 in FIG. 2, the external data 110 and the internal data 120 may be received through one or more APIs 130, which allows the external data source systems and/or entity systems, and the applications and systems associated therewith, to interact with the vulnerability assessment system through different systems and/or applications (data can be transmitted by the entity to the external source)”).

Regarding claim 6 and claim 13, SMP teaches all of the features with respect to claim 1 and claim 8, as outlined above. Steele further teaches wherein the open-source database comprises a set of cyber-based threats associated with exposure of cyber-based data of the entity (Paragraph [0046]: “The open-source threat data (open-source database) 112 may include various data that is monitored by an external data source. For example, the open-source data may be a summary threat level (threats associated with exposure of cyber-based data of the entity) of third-parties based on the information that the external data source has on the third-parties.”).

Claims 5, 12 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Steele (US PG-PUB No. 20190166153 A1), McGovern (US PG-PUB No. 20090024663 A1) and Primor (US PG-PUB No. 20210360017 A1), in further view of Brisebois et al (US Patent No. 9569626 B1).

Regarding claim 5, claim 12 and claim 19, SMP teaches all of the features with respect to claim 1, claim 8 and claim 15, as outlined above. SMP fails to explicitly teach, but Brisebois et al, hereinafter Brisebois, teaches wherein the assessment of cyber-based data exposure comprises assessment of a set of unstructured data associated with the entity (Paragraph [0141]: “system 1100 for analyzing content exposure (assessment of cyber-based data exposure). The system 1100 includes central content sources 1176”; Paragraph [0143]: “the central content sources 1176 can store or maintain central content 1111 as part of their operation. The central content 1111 can include, for example, documents, presentations, media (e.g., audio, video, images, etc.) (unstructured data associated with the entity), communications, text strings, combinations of same and/or the like.”).

SMP and Brisebois are both considered to be analogous to the claimed invention because they both teach data security and content-exposure analysis. Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the assessment disclosed by SMP with adding a set of unstructured data disclosed by Brisebois. One of the ordinary skills in the art would have been motivated to make this modification in order to improve data security by identifying and follow-on content-exposure events, as suggested by Brisebois in paragraph [0187].

Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. (see OPT-892 form for details)

Any inquiry concerning this communication or earlier communications from the examiner should be directed to JASMINE DAY whose telephone number is (571)272-0204. The examiner can normally be reached Monday - Friday 9:00 - 5:00. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. 
To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Philip Chea can be reached at 571-272-3951. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/J.M.D./Examiner, Art Unit 2499
/PHILIP J CHEA/Supervisory Patent Examiner, Art Unit 2499

Prosecution Timeline

Jun 07, 2023: Application Filed
Apr 01, 2025: Non-Final Rejection — §103
Jul 08, 2025: Response Filed
Aug 27, 2025: Final Rejection — §103
Dec 03, 2025: Request for Continued Examination
Dec 17, 2025: Response after Non-Final Action
Jan 17, 2026: Non-Final Rejection — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12585816
SYSTEMS AND METHODS FOR SELECTIVE ENCRYPTION OF SENSITIVE IMAGE DATA
2y 5m to grant Granted Mar 24, 2026
Patent 12572741
DETERMINING LINKED SPAM CONTENT
2y 5m to grant Granted Mar 10, 2026
Patent 12554839
APPLICATION DISCOVERY ENGINE IN A SECURITY MANAGEMENT SYSTEM
2y 5m to grant Granted Feb 17, 2026
Patent 12541599
VALIDATION AND RECOVERY OF OPERATING SYSTEM BOOT FILES DURING OS UPGRADE OPERATIONS FOR UEFI SECURE BOOT SYSTEMS
2y 5m to grant Granted Feb 03, 2026
Patent 12524574
DEFENSE AGAINST XAI ADVERSARIAL ATTACKS BY DETECTION OF COMPUTATIONAL RESOURCE FOOTPRINTS
2y 5m to grant Granted Jan 13, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Prosecution Projections

Expected OA Rounds: 3-4
Grant Probability: 92%
With Interview: 99% (+33.3%)
Median Time to Grant: 2y 11m
PTA Risk: High
Based on 12 resolved cases by this examiner. Grant probability derived from career allow rate.
