DETAILED ACTION
-Claims 1-4, 8-9, 11, 15-17 are amended.
-Claims 1-20 are pending.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Arguments
Applicant’s Remarks filed on 12/12/2025 have been fully considered; however, they are not persuasive because text diagrams are diagrams. In addition, receiving the specification and the context information in Adebayo implicitly teaches receiving at least a portion of the diagram in Fig.2 of Adebayo.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
Claims 1-14 and 16 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claim 1 recites the terms “the service diagram” which lack antecedent basis. For the purpose of examination, claim 1 is interpreted as reciting “the architectural diagram”.
Claims 2-7 depend on claim 1 and therefore inherit this rejection.
Claims 1 and 8 recite, on lines 3 and 5 respectively, the terms “of the customer”, which lack antecedent basis. The claims are being interpreted as reciting “of a customer”.
Claims 2-7 and 9-14 depend on claims 1 and 8, respectively, therefore they inherit this rejection.
Claims 2, 9 and 16 recite multiple times the terms “the security threat”, which lack antecedent basis. The claims are being interpreted as reciting “a security threat”.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Adebayo et al (US Pub.No.2023/0229812) in view of Pandurangi et al (US Pub.No.2022/0046059).
Re Claim 1. Adebayo discloses a method comprising: receiving an architectural diagram indicative of a service architecture associated with a service of the customer, analyzing the architectural diagram (i.e. Regarding the technical specification information 134 and/or context information 136, such data can be input to the model 113 and analyzed by the model 113. Further, the technical specification information 134 and/or context information 136 can be labeled by the model to provide identification of a source of the technical specification information 134 and/or context information 136. In view of the analysis, the model 113 can generally pair and/or recognize portions of the various data sets that are directed to similar and/or same rules, regulations, requirements and/or the like. In this way, a compliance domain-specific model 113 (e.g., based on the set of target/associate domains) can be generated) [Adebayo, para.0042],
Adebayo does not explicitly disclose whereas Pandurangi does: to determine a textual description of the service diagram (i.e. the CSPM process 550 includes identifying findings, compliance violations, regulatory violations, etc. based on the configurations 504 (step 552). The discovered configurations 504 are compared against built-in security policies for identifying misconfigurations at the security policy and resource level. It also provides a complete mapping of security policies within various compliance frameworks. The user interface 506 can include intuitive dashboards and reports for reviewing this information….. the CSPM process 550 includes analyzing risk based on the findings and the violations (step 553). Here, the CSPM process enables various cloud governance features, including risk-based prioritization of the security posture, policy management (e.g., overrides, exceptions, etc.,) and configuration of private benchmarks for organizations that have multiple compliance standards or information security teams that need to customize the policy set for a specific architecture. Further, the analyzing can include a machine learning-based risk analysis to assess the exposure of the organization to security breaches………….) [Pandurangi, para.0090-0091];
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify Adebayo with Pandurangi because there is a need for Cloud Security Posture Management (CSPM) to assist tenants in identifying and remediating problems with their cloud infrastructure [Pandurangi, para.0005].
Adebayo further discloses: providing the textual description of the architectural diagram to a policy predictor model trained to predict a control mapping based on service information related to the service of the customer (i.e. the context information 236 from one or more entities (e.g., having the varying sets of regulations/standards/rules) can be sorted by the context component………………the model 213 can execute a context result data generation task and supply context result data (e.g., the context results 246) to define the plurality of contexts for one or more target domains. …………………….. as an output of the context component 212, base results 244 based on the target domain and varying context results 246 based on the varying associate domains can be output…………The compliance control 250 can comprise an aggregate mapping of the base results 244 and of the context results 246. That is, turning next to the mapping component 214, the mapping component can generally map the compliance control 250 for a target domain based on the model 213 trained by an active learning process that incorporates the plurality of contexts representing relationships between entities and associate domain specific dependencies. Put another way, the mapping component 214 can take as input the base results 244 and context results 246 and can output a set of mapping results defining the compliance control 250) [Adebayo, para.0061-0062, 0065-0066, Note: the compliance control is the predicted control mapping];
receiving, from the policy predictor model, a predicted control mapping associated with a predicted security policy and a predicted security control (i.e. the mapping component 214 can take as input the base results 244 and context results 246, can aggregate the results 244/246, and can output a set of mapping results defining the compliance control 250. The mapping results can include the aforementioned labeling, notes, comments and/or metadata) [Adebayo, para.0066], (i.e. As an output, the aggregated mapping results 250 (e.g., compliance control 250) can be provided by the mapping component 214 and/or model 213) [Adebayo, para.0074], (i.e. The compliance control information can comprise one or more checks, such as security checks, specified in the target and/or associate domain information) [Adebayo, para.0043]
an implementation of the predicted security control enables the service of the customer to comply with a service requirement associated with the predicted security policy (i.e. security compliance, is the process of ensuring that a minimum of security requirements is met) [Adebayo, para.0002]; and
automatically applying the predicted security control to the service of the customer (i.e. enriching, by the system (e.g., training component), a subsequent execution of the model by feeding, by the system, the mapping result to the model…………. AI-supported and/or even automatic generation and/or updating of mapping results for a compliance control based on one or more associate domains,) [Adebayo, para.0097-0101].
Re Claim 2. Adebayo in view of Pandurangi discloses the method of claim 1, Pandurangi further discloses: wherein the textual description comprising at least one of: an attack vector associated with the security threat, a description of the security threat (i.e. the CSPM process 550 includes identifying findings, compliance violations, regulatory violations, etc. based on the configurations 504 (step 552). The discovered configurations 504 are compared against built-in security policies for identifying misconfigurations at the security policy and resource level. It also provides a complete mapping of security policies within various compliance frameworks. The user interface 506 can include intuitive dashboards and reports for reviewing this information……….. the analyzing can include a machine learning-based risk analysis to assess the exposure of the organization to security breaches………….) [Pandurangi, para.0090-0091] or a description of mitigation of the security threat (i.e. When organizations deploy cloud infrastructure manually, they can need to update their configuration guides and remediate resources to make them compliant with all security policies in their private benchmark. The CSPM system 500 and CSPM process 550 offers security policy remediation guidance in the form of easy to understand steps using a cloud provider console and command lines or scripts when possible) [Pandurangi, para.0102].
The same motivation to modify with Pandurangi, as in claim 1, applies.
Re Claim 3. Adebayo in view of Pandurangi discloses the method of claim 1, wherein the service of the customer is deployed in a multi-cloud environment (i.e. Hybrid cloud: the cloud infrastructure is a composition of two or more clouds (private, community or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing among clouds)) [Adebayo, para.0151],
Adebayo does not explicitly disclose: and wherein the method further comprises: receiving, from a first cloud environment of the multi-cloud environment, a first subset of the service information comprising service information associated with a first resource of the service, the first resource operating in the first cloud environment; and receiving, from a second cloud environment of the multi-cloud environment, a second subset of the service information comprising service information associated with a second resource of the service, the second resource operating in the second cloud environment, however Adebayo describes the nature of the multi-cloud environment where resources of a customer may be allocated in different cloud environments (i.e. access to a shared pool of configurable computing resources (e.g., networks, network bandwidth, servers, processing, memory, storage, applications, virtual machines and/or services) that can be rapidly provisioned and released with minimal management effort or interaction with a provider of the service………. computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to demand. There is a sense of location independence in that the consumer generally has no control or knowledge over the exact location of the provided resources…………… these resources can include one or more application software licenses. Security can provide identity verification for cloud consumers and/or tasks, as well as protection for data and/or other resources) [Adebayo, para.0139-0142, 0158].
Therefore, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify the multi-cloud environment described by Adebayo-Pandurangi to include collecting service information for all the resources of a client provisioned in the different cloud environments because it yields the expected result of ensuring security compliance across all the client’s resources.
Re Claim 4. Adebayo in view of Pandurangi discloses the method of claim 1, further comprising: providing the predicted control mapping to the customer (i.e. outputting, by the system (e.g., interfacing component 218), the final mapping results) [Adebayo, para.0089], (i.e. the mapping result generated by the system can provide tracking of context-specific results as compared to base results. This can aid administrating entities in making better compliance control decisions by balancing and/or comparing context-specific and base results) [Adebayo, para.0007].
Re Claim 5. Adebayo in view of Pandurangi discloses the method of claim 1, further comprising: receiving a labeled training dataset comprising a textual description of a first security policy that is labeled with a first control mapping identifier associated with the first security policy and a first security control (i.e. each context results 246 can comprise a vector of derived attributes. The context results 246 can comprise one or more labelings and/or metadata characterizing and/or identifying the target domain upon which the context information is base…………. varying validated context informations 236 (e.g., based on the different target domains) can be provided. A first context information can define a first validation of the context result data 246, and a second context information can define a second validation of the context result data 246, for example. Further, the first and second validations can be labeled based on the respective context preferences) [Adebayo, para.0062-0064];
iteratively training the policy predictor model based on a first subset of the labeled training dataset using a supervised machine learning algorithm (i.e. the training component can feed the mapping results 250 to the model 213, such as to enrich a subsequent execution of the model. In one or more cases, any of the feedback 260 can be fed and/or otherwise input to the model 213. Indeed, such iterative training can further enhance results provided by the model 213, providing further detailed, efficient and/or more accurate results relative to future executions of the model 213) [Adebayo, para.0077], (i.e. The validation can include analysis, approval and/or feedback by one or more entities associated with the respective target domains and/or by one or more other administrating entities…………..the feedback 260 can be analyzed by the model 213 to generate updated context information 236) [Adebayo, para.0063] to predict the first control mapping identifier based on a similarity to the textual description of the first security policy (i.e. facilitate compliance mapping of compliance control information from a plurality of domains, such as a target domain and one or more associate domains. The mapping results can comprise context-specific labeling for identifying differences and/or inherent similarities among the varying domains) [Adebayo, para.0037] (i.e. a common result across all contexts (e.g., across target and associate domains) can be represented by Equation 1 and can describe the most common/agreed mapping and/or context results……. given searcher context(s) X, a result context can be provided, as represented by Equation 3, which can define a set of search context for which the searcher is interested, and/or which can describe the result from contexts similar to that specified in the search criteria based on a selected proximity threshold………. For example, context information A (236A) and context information B (236B) can be derived from different target domains. As illustrated, the different context information 236 (e.g., 236A and 236B) can comprise differences including, but not limited to, one or more base languages, terminologies, interpretations, level of technical granularity and/or omissions. As additional inputs, the standard/technical specification information 234 can be derived from the target domain. As discussed above, these derivations can be provided by the context component 212 and/or model) [Adebayo, para.0068-0074];
validating the policy predictor model based on a second subset of the labeled training dataset (i.e. the output compliance control 250 can be further validated, amended and/or otherwise edited. This can be again facilitated by the feedback component 215 and/or interfacing component 218, in a manner the same as and/or similar to that described above with respect to validation of the context results 246, with respect to additional feedback 260. As a result, updated mapping results 250U (e.g., updated compliance control 250U) can be output by the mapping component 214 and/or compliance mapping system) [Adebayo, para.0075]; and
deploying the policy predictor model (i.e. such iterative training can further enhance results provided by the model 213, providing further detailed, efficient and/or more accurate results relative to future executions of the model 213) [Adebayo, para.0077].
Re Claim 6. Adebayo in view of Pandurangi discloses the method of claim 1, wherein the service information comprises at least one of: a service requirement associated with the service (i.e. compliance control information can comprise one or more checks, such as security checks, specified in the target and/or associate domain information) [Adebayo, para.0043]; a security threat associated with the service; an attack vector associated with the security threat; a description of the security threat; or a description of mitigation of the security threat.
Re Claim 7. Adebayo in view of Pandurangi discloses the method of claim 1, wherein the predicted security control comprises a control associated with at least one of: a framework developed by a subject matter expert; a standard developed by a standards setting organization; or a regulation developed by a regulatory agency (i.e. the target and associate domains can be based upon different rules and/or regulations for compliance, such as security compliance, from different entities, such as individual entities, federal, state, local, associations, organizations, businesses and/or the like) [Adebayo, para.0044, also 0028].
Re Claims 8-14. These claims are similar to claims 1-7, respectively; therefore, they are rejected in a similar manner.
Re Claims 15-20. These claims are similar to claims 1-2 and 4-7, respectively; therefore, they are rejected in a similar manner.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to NOURA ZOUBAIR whose telephone number is (571)270-7285. The examiner can normally be reached Monday - Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand, can be reached at 571-272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/NOURA ZOUBAIR/Primary Examiner, Art Unit 2434