Prosecution Insights
Last updated: April 19, 2026
Application No. 18/465,600

ENTERPRISE CYBER SECURITY OFFICE SERVER SYSTEM AND METHOD

Final Rejection §101 §103
Filed: Sep 12, 2023
Examiner: CHONG CRUZ, NADJA N
Art Unit: 3623
Tech Center: 3600 — Transportation & Electronic Commerce
Assignee: Hartford Fire Insurance Company
OA Round: 2 (Final)
Grant Probability: 28% (At Risk)
OA Rounds: 3-4
To Grant: 4y 2m
With Interview: 71%

Examiner Intelligence

Grants only 28% of cases
Career Allow Rate: 28% (104 granted / 370 resolved), -23.9% vs TC avg

Strong +43% interview lift
Interview Lift: +43.3% (resolved cases with interview)

Typical timeline
Avg Prosecution: 4y 2m
23 currently pending

Career history
Total Applications: 393 (across all art units)

Statute-Specific Performance

§101: 32.1% (-7.9% vs TC avg)
§103: 34.3% (-5.7% vs TC avg)
§102: 7.3% (-32.7% vs TC avg)
§112: 21.3% (-18.7% vs TC avg)
Based on career data from 370 resolved cases

Office Action

§101 §103
DETAILED ACTION

Status of Claims

This is a final action in reply to the response filed on February 23, 2026. Claims 1, 7, 8, 14 and 15 have been amended. Claims 4, 6, 11, 13, 18 and 20 have been cancelled. Claims 1-3, 5, 7-10, 12, 14-17 and 19 are currently pending and have been examined.

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Amendments

Applicant’s amendment necessitated the new ground(s) of rejection presented in this Office action. The rejection of claims 1-3, 5, 7-10, 12, 14-17 and 19 under 35 USC § 101 is maintained.

Claim Rejections - 35 USC § 101

35 U.S.C. 101 reads as follows:

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1-3, 5, 7-10, 12, 14-17 and 19 are rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea) without significantly more.

Per MPEP 2106.03 Eligibility Step 1: The Four Categories of Statutory Subject Matter [R-07.2022]. Step 1 is directed to determining whether or not the claims fall within a statutory class. Herein, claims 1-3, 5 and 7 fall within the statutory class of a machine, claims 8-10, 12 and 14 fall within the statutory class of a process and claims 15-17 and 19 fall within the statutory class of an article of manufacturing. Hence, the claims qualify as potentially eligible subject matter under 35 U.S.C §101.

With Step 1 being directed to a statutory category, per MPEP 2106.04 Eligibility Step 2A: Whether a Claim is Directed to a Judicial Exception [R-07.2022]. Step 2 is the two-part analysis from Alice Corp. (also called the Mayo test).
The 2019 PEG makes two changes in Step 2A: It sets forth new procedure for Step 2A (called “revised Step 2A”) under which a claim is not “directed to” a judicial exception unless the claim satisfies a two-prong inquiry. The two-prong inquiry is as follows:

Prong One: evaluate whether the claim recites a judicial exception.
If claim recites an exception, then Prong Two: evaluate whether the claim recites additional elements that integrate the exception into a practical application of the exception.

The claim(s) recite(s) the following abstract idea indicated by non-boldface font and additional limitations indicated by boldface font:

Claim 1:

(a) a Chief Information Security Office (“CISO”) data store that contains electronic records associated with a plurality of CISO party identifiers, and, for each CISO party identifier, a communication address and at least one CISO parameter;

(b) a Chief Information Office (“CIO”) data store that contains electronic records associated with a plurality of CIO party identifiers, and, for each CIO party identifier, a communication address and at least one CIO parameter;

(c) the back-end application computer server, coupled to the CISO data store and the CIO data store, including: a computer processor, and a computer memory coupled to the computer processor and storing instructions that, when executed by the computer processor, cause the back-end application computer server to: receive a CISO request, responsive to the CISO request, automatically create an enterprise application reference implementation, based on CISO parameters in the CISO data store, automatically transmit information about the reference implementation to a communication address associated with a CISO party, and based on CIO parameters in the CIO data store, automatically transmit information about the reference implementation to a communication address associated with a CIO party; automatically transmit a security triage alert triggered by an enterprise predictive model, wherein security requests decisions are used to train the enterprise predictive model to adapt to changing conditions and the triage alert includes an alert identifier, an alert title, an alert priority, and an alert type;

(d) a communication port coupled to the back-end application computer server to facilitate an exchange of data with a remote device via a distributed communication network to support interactive user interface displays that include information about the reference implementation;

(e) an email server to automatically establish communication links and transmit electronic messages based on risk assessment results:

(f) a calendar server to automatically schedule tasks and communications based on CISO requests: and

(g) a workflow server to initiate actions by the enterprise based on an automatic security analysis.

Claim 8:

receiving, at a back-end application computer server, a Chief Information Security Office (“CISO”) request;

responsive to the CISO request, automatically creating an enterprise application reference implementation;

based on CISO parameters in a CISO data store, automatically transmitting information about the reference implementation to a communication address associated with a CISO party, wherein the CISO data store contains electronic records associated with a plurality of CISO party identifiers, and, for each CISO party identifier, a communication address and at least one CISO parameter;

based on Chief Information Office (“CIO”) parameters in a CIO data store, automatically transmitting information about the reference implementation to a communication address associated with a CIO party, wherein the CIO data store contains electronic records associated with a plurality of CIO party identifiers, and, for each CIO party identifier, a communication address and at least one CIO parameter;

exchanging data with a remote device via a distributed communication network to support interactive user interface displays that include information about the reference implementation;

automatically transmitting a security triage alert triggered by an enterprise predictive model, wherein security requests decisions are used to train the enterprise predictive model to adapt to changing conditions and the triage alert includes an alert identifier, an alert title, an alert priority, and an alert type;

automatically establishing, by an email server, communication links and transmit electronic messages based on risk assessment results;

automatically scheduling, by a calendar server, tasks and communications based on CISO requests; and

initiating, by a workflow server, actions by the enterprise based on an automatic security analysis.

Claim 15:

receiving, at a back-end application computer server, a Chief Information Security Office (“CISO”) request;

responsive to the CISO request, automatically creating an enterprise application reference implementation;

based on CISO parameters in a CISO data store, automatically transmitting information about the reference implementation to a communication address associated with a CISO party, wherein the CISO data store contains electronic records associated with a plurality of CISO party identifiers, and, for each CISO party identifier, a communication address and at least one CISO parameter;

based on Chief Information Office (“CIO”) parameters in a CIO data store, automatically transmitting information about the reference implementation to a communication address associated with a CIO party, wherein the CIO data store contains electronic records associated with a plurality of CIO party identifiers, and, for each CIO party identifier, a communication address and at least one CIO parameter; and

exchanging data with a remote device via a distributed communication network to support interactive user interface displays that include information about the reference implementation;

automatically transmitting a security triage alert triggered by an enterprise predictive model, wherein security requests decisions are used to train the enterprise predictive model to adapt to changing conditions and the triage alert includes an alert identifier, an alert title, an alert priority, and an alert type;

automatically establishing, by an email server, communication links and transmit electronic messages based on risk assessment results;

automatically scheduling, by a calendar server, tasks and communications based on CISO requests; and

initiating, by a workflow server, actions by the enterprise based on an automatic security analysis.

Per Prong One of Step 2A, the identified recitation of an abstract idea falls within at least one of the Abstract Idea Groupings consisting of: Mathematical Concepts, Mental Processes, or Certain Methods of Organizing Human Activity. Particularly, the identified recitation falls within Mental Processes, concepts performed in the human mind including observations, evaluation, judgement and opinion and Certain Methods of Organizing Human Activity such as fundamental economic principles or practices such as mitigating risk i.e., cyber security and managing personal behavior or relationships or interaction between people i.e., CISO and CIO.

Per Prong Two of Step 2A, this judicial exception is not integrated into a practical application because the claim as a whole does not integrate the identified abstract idea into a practical application. The data store, back-end application computer server, computer processor, computer memory, remote device via a distributed communication network and user interface is recited at a high level of generality, i.e., as a generic computing and processing system. This data store, back-end application computer server, computer processor, computer memory, remote device via a distributed communication network and user interface is no more than mere instructions to apply the exception using a generic computing devices each comprising at least a processor, memory and display device.
Claims 1, 8 and 15 use an enterprise predictive model in its ordinary capacity, to carry out the abstract idea. Further, processor configured to cause receiving/determining/transmitting data is mere instruction to apply an exception using a generic computer component which cannot integrate a judicial exception into a practical application. Accordingly, this/these additional element(s) does/do not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea.

Thus, since the claims are directed to the determined judicial exception in view of the two prongs of Step 2A, MPEP 2106.05 Eligibility Step 2B: Whether a Claim Amounts to Significantly More [R-07.2022] is directed to Step 2B. Therein, per Step 2B the additional elements and combinations therewith are examined in the claims to determine whether the claims as a whole amounts to significantly more than the judicial exception. It is noted here that the additional elements are to be considered both individually and as an ordered combination.

In this case, the claims each at most comprise additional elements of a data store, back-end application computer server, computer processor, computer memory, remote device via a distributed communication network and user interface. Taken individually, the additional limitations each are generically recited and thus does not add significantly more to the respective limitations. Further, executing all the steps/functions by a user/service subsystem is mere instruction to apply an exception using a generic computer component which cannot provide an inventive concept in Step 2B (or, looking back to Step 2A, cannot integrate a judicial exception into a practical application).
For further support, the Applicant’s specification supports the claims being directed to use of a generic data store, back-end application computer server, computer processor, computer memory, remote device via a distributed communication network and user interface type structure at paragraph 0034:

“The back-end application computer server 350 may also exchange information with a first remote user device 360 and a second remote user device 370 (e.g., via a firewall 365). According to some embodiments, an interactive graphical user interface platform of the back-end application computer server 350 may facilitate enterprise cyber security, recommendations, alerts, and/or the display of results via one or more remote administrator computers (e.g., to summarize system 300 performance) and/or the remote user devices 360, 370.”

Paragraphs 0035-0036:

“The back-end application computer server 350 and/or the other elements of the system 300 might be, for example, associated with a Personal Computer (“PC”), laptop computer, smartphone, an enterprise server, a server farm, and/or a database or similar storage devices. […] Devices, including those associated with the back-end application computer server 350 and any other apparatus described herein, may exchange information via any communication network which may be one or more of a Local Area Network (“LAN”), a Metropolitan Area Network (“MAN”), a Wide Area Network (“WAN”), a proprietary network, a Public Switched Telephone Network (“PSTN”), a Wireless Application Protocol (“WAP”) network, a Bluetooth network, a wireless LAN network, and/or an Internet Protocol (“IP”) network such as the Internet, an intranet, or an extranet. Note that any devices described herein may communicate via one or more such communication networks.”

And paragraphs 0064-0065:

“The computer system 1700 also may include a computer processor 1714. The computer processor 1714 may include one or more conventional microprocessors and may operate to execute programmed instructions to provide functionality as described herein. Among other functions, the computer processor 1714 may store and retrieve historical insurance data 1704 and current data 1706 in and from the data storage module 1702. Thus, the computer processor 1714 may be coupled to the data storage module 1702. The computer system 1700 may further include a program memory 1716 that is coupled to the computer processor 1714.”

Taken as an ordered combination, the claim(s) does/do not include additional elements that are sufficient to amount to significantly more than the judicial exception because the limitations are directed to limitations referenced in Alice Corp. that are not enough to qualify as significantly more when recited in a claim with an abstract idea include, as a non-limiting or non-exclusive examples:

i. Adding the words "apply it" (or an equivalent) with the judicial exception, or mere instructions to implement an abstract idea on a computer, e.g., a limitation indicating that a particular function such as creating and maintaining electronic records is performed by a computer, as discussed in Alice Corp., 134 S. Ct. at 2360, 110 USPQ2d at 1984 (see MPEP § 2106.05(f));

ii. Simply appending well-understood, routine, conventional activities previously known to the industry, specified at a high level of generality, to the judicial exception, e.g., a claim to an abstract idea requiring no more than a generic computer to perform generic computer functions that are well-understood, routine and conventional activities previously known to the industry, as discussed in Alice Corp., 134 S. Ct. at 2359-60, 110 USPQ2d at 1984 (see MPEP § 2106.05(d));

iii. Adding insignificant extra-solution activity to the judicial exception, e.g., mere data gathering in conjunction with a law of nature or abstract idea such as a step of obtaining information about credit card transactions so that the information can be analyzed by an abstract mental process, as discussed in CyberSource v. Retail Decisions, Inc., 654 F.3d 1366, 1375, 99 USPQ2d 1690, 1694 (Fed. Cir. 2011) (see MPEP § 2106.05(g)); or

v. Generally linking the use of the judicial exception to a particular technological environment or field of use, e.g., a claim describing how the abstract idea of hedging could be used in the commodities and energy markets, as discussed in Bilski v. Kappos, 561 U.S. 593, 595, 95 USPQ2d 1001, 1010 (2010) or a claim limiting the use of a mathematical formula to the petrochemical and oil-refining fields, as discussed in Parker v. Flook.

The courts have recognized the following computer functions inter alia to be well-understood, routine, and conventional functions when they are claimed in a merely generic manner: performing repetitive calculations; receiving, processing, and storing data (e.g., the present claims); electronically scanning or extracting data; electronic recordkeeping; automating mental tasks (e.g., process/machine for performing the present claims); and receiving or transmitting data (e.g., the present claims).

The dependent claims 2-3, 5, 7, 9-10, 12, 14 and 16-17 and 19 do not cure the above stated deficiencies, and in particular, the dependent claims further narrow the abstract idea without reciting additional elements that integrate the exception into a practical application of the exception or providing significantly more than the abstract idea.

Claims 2, 9 and 16 further limit the abstract idea that the CISO request is associated with at least one of: (i) a security priority, and (ii) a security policy (a more detailed abstract idea remains an abstract idea).
Claims 3, 10 and 17 further limit the abstract idea that the back-end application computer server is further to generate the reference implementation based on at least one of: (i) Chief Technology Office (“CTO”) infrastructure information, and (ii) enterprise risk information (a more detailed abstract idea remains an abstract idea).

Claims 5, 12 and 19 further limit the abstract idea that the information about the reference implementation is transmitted to a CIO enterprise application team (a more detailed abstract idea remains an abstract idea).

And claims 7 and 14 further limit the abstract idea that the security triage alert is transmitted to the CIO enterprise application team (a more detailed abstract idea remains an abstract idea).

The identified recitation of the dependent claims falls within the Mental Processes, concepts performed in the human mind including observations, evaluation, judgement and opinion and Certain Methods of Organizing Human Activity such as fundamental economic principles or practices such as mitigating risk i.e., cyber security and managing personal behavior or relationships or interaction between people i.e., CISO and CIO.

Since there are no elements or ordered combination of elements that amount to significantly more than the judicial exception, the claims are not eligible subject matter under 35 USC §101. Thus, viewed as a whole, these additional claim element(s) do not provide meaningful limitation(s) to transform the abstract idea into a patent eligible application of the abstract idea such that the claim(s) amounts to significantly more than the abstract idea itself. Therefore, the claim(s) are rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter.

Response to Arguments

Applicant's arguments filed on 2/23/2026 have been fully considered but they are not persuasive.

With regard to the 35 U.S.C. 101 rejection, Applicant argues “that the claims do not recite an abstract idea and, if determined to recite an abstract idea, clearly integrate the abstract idea into a practical application.”

In response to Applicant’s argument, Examiner respectfully disagrees. Claim 1 recites an enterprise cyber security system/method via back-end application computer server of an enterprise that receive request to create an enterprise application reference implementation, based on parameters, the information is transmitted and displayed. A security triage alert is transmitted when it is triggered by an enterprise predictive model which is trained based on security request decisions as described in Applicant’s Abstract “Data may then be exchanged with a remote device via a distributed communication network to support interactive user interface displays that include information about the reference implementation.” Therefore, claim 1 recites an abstract idea falling within the Guidance's subject-matter grouping to the group of Mental Processes, concepts performed in the human mind including observations (data records such as party identifiers, communication address, parameters, security requests decisions), evaluation (enterprise application reference implementations), judgement (triggering an alert based on the predictive model) and opinion (information about the reference implementation, triage alert) and Certain Methods of Organizing Human Activity such as fundamental economic principles or practices such as mitigating risk i.e., cyber security and managing personal behavior or relationships or interaction between people i.e., CISO and CIO.

Per Prong Two of Step 2A, this judicial exception is not integrated into a practical application because the claim as a whole does not integrate the identified abstract idea into a practical application.
The data store, back-end application computer server, computer processor, computer memory, remote device via a distributed communication network, user interface, an enterprise predictive model, email/calendar/workflow server is recited at a high level of generality, i.e., as a generic processor performing a generic computer function of receiving/determining/transmitting data. This generic processor limitation is no more than mere instructions to apply the exception using a generic computer component. Considering the claims as a whole, these additional limitations merely add generic computer activities i.e., receiving/determining/transmitting.

Model retraining enables the model in production to make the most accurate predictions with the most up-to-date data. Model retraining does not change the parameters and variables used in the model. It adapts the model to the current data so that the existing parameters give healthier and up-to-date outputs.

The recited data store, back-end application computer server, computer processor, computer memory, remote device via a distributed communication network, user interface, an enterprise predictive model, email/calendar/workflow server, merely links the abstract idea to a computer environment. In this way, the data store, back-end application computer server, computer processor, computer memory, remote device via a distributed communication network, user interface, an enterprise predictive model, email/calendar/workflow server involvement is merely a field of use which only contributes nominally and insignificantly to the recited method, which indicates absence of integration. Claim 1 uses the data store, back-end application computer server, computer processor, computer memory, remote device via a distributed communication network, user interface, an enterprise predictive model, email/calendar/workflow server as a tool, in its ordinary capacity, to carry out the abstract idea.
As to this level of computer involvement, mere automation of manual processes using generic computers does not necessarily indicate a patent-eligible improvement in computer technology. Considered as a whole, the claimed method does not improve the functioning of the computer itself or any other technology or technical field of improving security for an enterprise computer system. Further, a processor configured to cause receiving/determining/transmitting data to a device is mere instruction to apply an exception using a generic computer component which cannot integrate a judicial exception into a practical application. Accordingly, this/these additional element(s) does/do not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. The same rationale applies to claims 8 and 15. The rejection is maintained.

With regard to the 35 U.S.C. 103 rejections, Applicant argues that “none of the references disclose a “calendar server” as is now recited in claim 1.”

In response to Applicant’s argument, Examiner respectfully disagrees. Please see the updated rejection as necessitated by amendments.

Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 5, 7-10, 12, 14-17 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Acosta et al., (US 12,107,894 B1) hereinafter “Acosta” in view of both Trost et al., (US 2022/0053016 A1) hereinafter “Trost” and Shete et al., (US 2024/0039954 A1) hereinafter “Shete”.

Claim 1: Acosta as shown discloses an enterprise cyber security system implemented via a back-end application computer server of an enterprise, the method comprising:

(a) a Chief Information Security Office (“CISO”) data store that contains electronic records associated with a plurality of CISO party identifiers, and, for each CISO party identifier, a communication address and at least one CISO parameter;

(b) a Chief Information Office (“CIO”) data store that contains electronic records associated with a plurality of CIO party identifiers, and, for each CIO party identifier, a communication address and at least one CIO parameter (col. 11, lines 32-50: “The datastore 212 may store at least some data including, but not limited to, data collected from the ITAM application 112, including data associated with risk data, asset user data, asset data, service tickets, records of non-compliance, and the like. […] Asset user data may include data associated with an individual responsible for the IT user asset (e.g., organization, department, name, user identifier, address, office number, etc.).
Asset data may include a type of asset (e.g., hardware, software, etc.), an asset identifier, asset location, associated department, associated organization, or the like.”);

(c) the back-end application computer server, coupled to the CISO data store and the CIO data store, including: (col. 3, lines 59-62: “device types may include stationary devices, including but not limited to servers, desktop computers, personal computers, work stations, and thin clients, such as those capable of operating in the distributed computing resource.” See also Figures 1-2);

a computer processor, and a computer memory coupled to the computer processor and storing instructions that, when executed by the computer processor, cause the back-end application computer server to: (Figure 2 and col. 8, lines 56-62: “The computing architecture 200 may include one or more processors 202 and one or more computer-readable media 204 that stores various components, applications, programs, or other data. The computer-readable media 204 may include instructions that, when executed by the one or more processors 202, cause the processors to perform the operations described herein for the system 100.”);

receive a CISO request, responsive to the CISO request, automatically create an enterprise application reference implementation, based on CISO parameters in the CISO data store, automatically transmit information about the reference implementation to a communication address associated with a CISO party, and (col. 12, lines 60-67 to col. 13 lines 1-15: “the UI 300 may include a login command 316. In such examples, responsive to receiving input via the first input control 310, the second input control 312, and the login command 316, the ITAM application 302 may access (e.g., log into) the remote service provider associated with generating service tickets associated with at-risk assets. […] responsive to receiving an input via the automation selectable option 318 (e.g., an instruction to automatically generate a service ticket), the ITAM application 302 may parse a file 304, such as file 304(1), for risk data relevant to generating a service ticket for the associated asset. the ITAM application 302 may cause one or more input fields of a service ticket generation component of the remote service provider to be filled based on the risk data. For example, the ITAM application 302 may input data associated with the asset, asset user, deadline, and a reason that the asset is at risk. The ITAM application 302 may also send an instruction to the remote service provider to generate a service ticket based on the risk data.” See also figure 3);

based on CIO parameters in the CIO data store, automatically transmit information about the reference implementation to a communication address associated with a CIO party; and (col. 12, lines 37-47: “the identifier associated with a first file 304(1), a second file 304(2), and a third file 304(3) include a date, an asset user identifier, an asset type, and a brief description of the compliance issue. For example, file 304(1) includes a date of February 20, an asset user identifier of PLDE, an asset type of hardware, and an indication that the compliance risk is associated with ownership of the asset. For another example, file 304(2) includes a date of February 20, an asset user identifier of HD6H, an asset type of software and an indication that the compliance risk is associated with an annual review of the software asset.” And col. 8, lines 17-21: “the ITAM application 112 may receive mitigation data 120 from one or more computing device(s) 108. The mitigation data 120 may include an indication that a mitigation task associated with a service ticket has been completed.”);

Acosta teaches in col. 7, lines 37-48: “the service ticket generation component 118 may be configured to perform analytics regarding compliance of assets within an organization. In such examples, the service ticket generation component 118 may provide an analytical report to the ITAM computing device(s) 102 and/or computing device(s) 108 periodically (e.g., monthly, annually, etc.) and/or based on receiving a request therefor. The analytics may include qualitative and/or quantitative data regarding IT asset compliance associated with an organization. The analytical report may assist an ITAM system manager 116 and/or the organization in tracking IT compliance issues.”

Acosta is silent with regard to the following limitations. However, Trost in an analogous art of risk management for the purpose of providing the following limitations as shown does:

and automatically transmit a security triage alert triggered by an enterprise predictive model, (¶ 0040: “Once the alert is identified, the alert is then classified 206 as either a security threat, or a benign activity (e.g. business as usual). Moreover, if the event is classified as a security threat, server 120 may then provide a triage solution 208 based on the type of classification of the security threat,” and ¶ 0112: “outputting the related activity, the metadata context, and the security threat event within the event sequence time window to a machine learning (ML) model; and adjusting identification of future security alerts.” See also figure 7);

wherein security requests decisions are used to train the enterprise predictive model to adapt to changing conditions and (¶ 0059-0060: “alert triage ML models may be trained using past incident outcomes (true positive, false positive, etc.) as labels. The models may use signals from baselines, prevalence, popularity, and rules as features. Each of these items may be summarized in order to be encoded in the proper format for the model.
The ML models may also use enrichment data as further features, and one or more models may be used since several different alert categories exist and different alerts have vastly different expected signals (e.g., commodity malware related alerts vs. cloud data exfiltration alerts vs. insider threat alerts). A triage engine may also be deployed. The triage engine would have alerts as inputs, and processes the alerts by retrieving all related signals, retrieving any relevant enrichment data, uses pre-trained ML models to score the combination of inputs (e.g. alerts, signals, enrichments), outputs (e.g. numeric score, recommended action) and stores the results” see also ¶ 0052: “ The results may also be used for new alerting use cases and provided as starting point for machine learning/artificial intelligence training applications”); the triage alert includes an alert identifier, an alert title, an alert priority, and an alert type; (¶ 0062: “an activity is a suspicious activity, rules are deployed that take into account the type of alert, context of the alert, and related activity.” ¶ 0083: “Based on a combination of the meta-data context score and the related activity score, the method includes classifying the type of the security threat event 1314. Such classifications include, but is not limited to, benign threats, false positive threats, mitigated threats, live threats, and the types of live threats” see also ¶ 101 “ FIG. 16 includes a GUI representation 1602 of an entire network that may have alerts associated with certain networked devices. GUI 1602 may provide representation of the network nodes, types of nodes, and the type of alerts associated with the specific nodes.” And ¶ 0049: “This metadata may include a destination IP address, a domain name associated with the alert, a URL, and a user agent.”) Both Acosta and Trost teach asset risk management. 
Acosta teaches in the Abstract: “receive risk data associated with an asset and generate a service ticket based on the risk data” Trost teaches in the ¶ 0083 “The output may be provided on a display associated with the risk mitigation system, a remote user equipment, mobile device, or the like.” Thus, they are deemed to be analogous references as they are reasonably pertinent to each other and are directed towards solving similar problems within the same environment. One of ordinary skill in the art would have recognized that applying the known technique of Trost would have yielded predictable results and resulted in an improved system. It would have been recognized that applying the technique of Trost to the teaching of Acosta in view of Shete would have yielded predictable results because the level of ordinary skill in the art demonstrated by the references applied shows the ability to incorporate such as to automatically transmit a security triage alert triggered by an enterprise predictive model wherein security requests decisions are used to train the enterprise predictive model to adapt to changing conditions and the triage alert includes an alert identifier, an alert title, an alert priority, and an alert type; into similar systems. Further, as noted by Trost “The visual representation of the threat event, the related events, the classification and the tactic/technique representation greatly improve SOC analysts' ability to solve the problem of identifying and countering network security threats.” (Trost, ¶ 0030).

In addition, Acosta teaches:

(d) a communication port coupled to the back-end application computer server to facilitate an exchange of data with a remote device via a distributed communication network to support interactive user interface displays that include information about the reference implementation (col. 3, lines 7-11: “The ITAM application may cause the service ticket and/or an indication thereof to be presented on a display for viewing by an ITAM system manager, asset user, or the like, thereby providing a means by which a compliance risk can be mitigated.” See also figures 1-7);

(e) an email server to automatically establish communication links and transmit electronic messages based on risk assessment results (col. 15, lines 8-24: “responsive to receiving an input via the data retrieval selectable option 514, the ITAM application 502 may determine whether one or more emails including risk data have been received and/or are stored on a datastore. In some examples, the ITAM application 502 may determine that the email(s) include risk data based on a sender associated with the email (e.g., sender associated with a computing device configured to generate compliance reports), data included in a subject of the email (e.g., asset past due, compliance deadline approaching, etc.), data included in a text of the email (e.g., hyperlink to asset data, etc.), data included in an attached document (e.g., document title includes compliance data, etc.), etc. For example, the ITAM application 502 may receive an email from “HOME-ASSET-COMPLIANCE-MAIL” and may determine that the email includes risk data associated with an IT asset that is out of compliance.” See also Figure 6);

(f) a calendar server to automatically schedule tasks and communications based on CISO requests; and (Figure 6, note the auto-generated email i.e., schedule task based on a deadline i.e., due date in a calendar), see also col. 4, lines 45-49: “an asset may be at risk of being out of compliance based on a determination that a deadline for an action to comply with a policy and/or regulation is within a threshold time of a current time (e.g., time associated with generating the report).”);

(g) a workflow server to initiate actions by the enterprise based on an automatic security analysis (Figure 4, col.
2, lines 37-40: “FIG. 4 illustrates the example user interface associated with the information technology asset management application of FIG. 3, including a notification associated with file removal”);

Acosta describes that an ITAM system manager, asset user, or the like monitors IT assets for compliance in view of policies/regulations. Acosta in view of Trost is silent with regard to a Chief Information Security Officer (CISO), a Chief Information Office (CIO) and alert priority. However, Shete in an analogous art of assets risk management for the purpose of providing the following limitations as shown does:

a Chief Information Security Officer (“CISO”); a Chief Information Office (“CIO”) (¶ 0007: “communicating the display information may include the step of customizing the display information based on responsibilities that are assigned to the person associated with the organization. The person associated with the organization, for instance, may be a technician, an Information Technology (IT) professional, a Chief Information Officer (CIO), a Chief Information Security Officer (CISO), an administrator, or a security operator..” See also ¶ 0283: “the GUIs may be directed to specific users (e.g., board-level executives, CISOs, Chief Information Officers (CIOs), engineers, technicians, etc.) for reporting and guidance,.”);

an alert priority (¶ 0173: “Most traditional security systems categorize alerts into ‘high/medium/low’ buckets (or some other discrete categorization) as they are prone to false positives. With deception-based breach detection technology, false positives are minimal, so we granularly score every attacker action in order to build a risk-based alerting and prioritization model”);

Both Acosta and Shete teach asset risk management.
Acosta teaches in the Abstract: “receive risk data associated with an asset and generate a service ticket based on the risk data” Shete teaches in the Abstract “performing risk assessment activities and preparing attained risk data for display on one or more user interfaces.” Thus, they are deemed to be analogous references as they are reasonably pertinent to each other and are directed towards solving similar problems within the same environment. Since each individual element and its function are shown in the prior art, albeit shown in separate references, the difference between the claimed subject matter and the prior art rests not on any individual element or function but in the very combination itself - that is in the substitution of the users’ role (i.e., ITAM system manager, asset user, or the like) of Acosta for the users’ role (CISO, CIO, engineers etc.,) of Shete. Thus, the simple substitution of one known element for another producing a predictable result (e.g., user’s role in an organization) renders the claim obvious. One of ordinary skill in the art would have recognized that applying the known technique of Shete would have yielded predictable results and resulted in an improved system. It would have been recognized that applying the technique of Shete to the teaching of Acosta in view of Trost would have yielded predictable results because the level of ordinary skill in the art demonstrated by the references applied shows the ability to incorporate such as an alert priority into similar systems. Further, as noted by Shete “communicating the display information (block 976) may include the step of customizing the display information based on responsibilities that are assigned to the person associated with the organization.” (Shete, ¶ 0334).

Claims 8 and 15: The limitations of claims 8 and 15 (Figure 2, reference character 204) encompass substantially the same scope as claim 1. Accordingly, those similar limitations are rejected in substantially the same manner as claim 1, as described above.

Claims 2, 9 and 16: Acosta as shown discloses the following limitations: wherein the CISO request is associated with at least one of: (i) a security priority, and (ii) a security policy (col. 12, lines 3-7: “The UI 300 may be associated with an ITAM application 302, such as ITAM application 112, and may be used to automatically generate a service ticket associated with an IT asset that is at risk of being out of compliance with a policy and/or regulation”);

Claims 3, 10 and 17: Acosta as shown discloses the following limitations: wherein the back-end application computer server is further to generate the reference implementation based on at least one of: (i) Chief Technology Office (“CTO”) infrastructure information, and (ii) enterprise risk information (col. 10, lines 23-25: “the at-risk component 218 may be configured to parse files to determine relevant risk data associated with an asset that is at risk of being out of compliance.” Col. 10, lines 53-56: “the out of compliance component 220 may be configured to parse electronic mail messages and/or attachments thereto to determine relevant risk data associated with an asset that is out of compliance.” Figure 2, note the “At-Risk Component 218” and “Out of Compliance Component 220”);

Claims 5, 12 and 19: Acosta as shown discloses the following limitations: wherein the information about the reference implementation is transmitted to a CIO enterprise application team (col. 7, lines 32-34: “the report of non-compliance may include a risk response used to notify a user of the asset that the asset is out of compliance.”);

Claims 7 and 14: Acosta teaches in col. 7, lines 37-48: “the service ticket generation component 118 may be configured to perform analytics regarding compliance of assets within an organization.
In such examples, the service ticket generation component 118 may provide an analytical report to the ITAM computing device(s) 102 and/or computing device(s) 108 periodically (e.g., monthly, annually, etc.) and/or based on receiving a request therefor. The analytics may include qualitative and/or quantitative data regarding IT asset compliance associated with an organization. The analytical report may assist an ITAM system manager 116 and/or the organization in tracking IT compliance issues.” Acosta is silent with regard to the following limitations. However, Trost in an analogous art of risk management for the purpose of providing the following limitations as shown does: wherein the security triage alert triggered is transmitted to the CIO enterprise application team (¶ 0027: “The alert, signals, numeric score, and recommendation are all rendered to a security operations command/center (SOC) analyst in a Case Management tool using various appropriate visualizations, including an event timeline. The renderings are designed to provide the analyst with all the context needed to make a decision and to obviate the need for the analyst to go searching through the raw event logs in order to manually find evidence of suspicious activity” see also figures 15-16); Both Acosta and Trost teach asset risk management. Acosta teaches in the Abstract: “receive risk data associated with an asset and generate a service ticket based on the risk data” Trost teaches in the ¶ 0083 “The output may be provided on a display associated with the risk mitigation system, a remote user equipment, mobile device, or the like.” Thus, they are deemed to be analogous references as they are reasonably pertinent to each other and are directed towards solving similar problems within the same environment. One of ordinary skill in the art would have recognized that applying the known technique of Trost would have yielded predictable results and resulted in an improved system. 
It would have been recognized that applying the technique of Trost to the teaching of Acosta would have yielded predictable results because the level of ordinary skill in the art demonstrated by the references applied shows the ability to incorporate such as the security triage alert is transmitted to the CIO enterprise application team into similar systems. Further, as noted by Trost “The visual representation of the threat event, the related events, the classification and the tactic/technique representation greatly improve SOC analysts' ability to solve the problem of identifying and countering network security threats.” (Trost, ¶ 0030).

Conclusion

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to NADJA CHONG whose telephone number is (571)270-3939. The examiner can normally be reached on Monday-Friday 8:00 am - 2:00 pm ET. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, Applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, RUTAO WU can be reached on 571.272.6045. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/NADJA N CHONG CRUZ/ Primary Examiner, Art Unit 3623

Prosecution Timeline

Sep 12, 2023: Application Filed
Nov 13, 2025: Non-Final Rejection — §101, §103
Feb 23, 2026: Response Filed
Mar 07, 2026: Final Rejection — §101, §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12591822
AUTOMATIC ADJUSTMENT OF CONSTRAINTS IN TASK SOLUTION GENERATION
2y 5m to grant Granted Mar 31, 2026
Patent 12541725
OPTIMIZING GREEN HOUSE GAS SUSTAINABILITY WITH PROGNOSTIC MAINTENANCE MANAGEMENT PLANS FOR AN ENTERPRISE
2y 5m to grant Granted Feb 03, 2026
Patent 12530638
METHOD AND SYSTEM FOR SCHEDULING OPERATION AND MAINTENANCE PERSONNEL BASED ON INTERNET OF THINGS (IOT) SYSTEM FOR SMART GAS INSTALLATION MANAGEMENT
2y 5m to grant Granted Jan 20, 2026
Patent 12340326
System and Method of an Attribute-Value Combination and Assortment Planner
2y 5m to grant Granted Jun 24, 2025
Patent 12315022
REAL-TIME VALIDATION OF DISTRIBUTED ENERGY RESOURCE DEVICE COMMITMENTS
2y 5m to grant Granted May 27, 2025
Study what changed to get past this examiner. Based on 5 most recent grants.


Prosecution Projections

Expected OA Rounds: 3-4
Grant Probability: 28%
With Interview (+43.3%): 71%
Median Time to Grant: 4y 2m
PTA Risk: Moderate
Based on 370 resolved cases by this examiner. Grant probability derived from career allow rate.
