Prosecution Insights
Last updated: April 19, 2026
Application No. 18/620,756

CONTEXTUAL ATTACK DISRUPTION ENGINE IN A SECURITY MANAGEMENT SYSTEM

Status: Final Rejection (§101, §103)
Filed: Mar 28, 2024
Examiner: VANG, MENG
Art Unit: 2443
Tech Center: 2400 (Computer Networks)
Assignee: Microsoft Technology Licensing, LLC
OA Round: 2 (Final)

Grant Probability: 77% (Favorable)
Expected OA Rounds: 3-4
Time to Grant: 2y 11m
Grant Probability With Interview: 99%

Examiner Intelligence

Career Allow Rate: 77%, above average (226 granted / 293 resolved; +19.1% vs Tech Center average)
Interview Lift: +28.1% (allow rate with an interview vs. without, over resolved cases with an interview)
Typical Timeline: 2y 11m average prosecution; 28 currently pending
Career History: 321 total applications across all art units

Statute-Specific Performance (difference vs. Tech Center average estimate; based on career data from 293 resolved cases)

§101: 15.4% (-24.6% vs TC avg)
§103: 45.8% (+5.8% vs TC avg)
§102: 11.8% (-28.2% vs TC avg)
§112: 17.1% (-22.9% vs TC avg)

Office Action

§101 §103
DETAILED ACTION

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Examiner’s Note

Claim 17 recites “One or more computer-storage media having…”. It is noted that paragraph 0104 of the specification as filed states that “Computer storage media excludes signals per se.” Therefore, the claimed “One or more computer-storage media” in claim 17 are not signals per se.

Response to Amendment

This office action is in reply to Applicant’s Response dated 10/29/2025. Claims 1, 3, 5, 10-12, and 14-20 are amended. Claims 1-20 remain pending in the application.

Response to Arguments

The Applicant argues (see page 9), with respect to the rejection of claims 1-20 under 35 U.S.C. 101, that the claim is directed to a specific and technologically rooted improvement in computer functionality, namely a context-based attack disruption framework that dynamically associates each resource in a predicted attack path with a quantified cost and classifies those costs as positive or negative to guide disruption planning. The Applicant argues (see page 10) that the approach addresses known technical deficiencies in conventional threat analysis tools, which typically provide only aggregate or probabilistic assessments of attack paths. The claimed invention introduces an engine-driven computational model that performs: Real-time identification of attack paths and contextual objects…Automated generation of disruption plans. These are not generic data-processing operations. The invention therefore provides a technological solution to a technological problem: how to automatically and adaptively prioritize disruption actions based on resource-specific impact in real-time attack prediction. The Applicant argues (see page 10) that the recited features collectively define a specialized computer architecture that improves contextual attack modeling and disruption planning.

The Applicant argues (see page 11) that Claim 1 recites meaningful, technically specific limitations that improve contextual attack modeling, impact quantification, and disruption planning within computing environments and that the claim defines a detailed process for generating and updating a contextual attack disruption framework. The Applicant argues on pages 12-13 that the claim is directed to a technological solution to a technological problem, an improvement in computer capabilities or technology, meaningful limitations and particularity of application. The Applicant argues (see pages 14-15) that Claim 1 is not directed to a mental process, fundamental economic principle, or method of organizing human activity, that the claims are integrated into a practical application and that the claims recite an inventive concept.

In response to the Applicant’s argument, the Examiner respectfully disagrees. First, claim 1 does not require or recite any prioritization of disruption actions. For the sake of argument, even if the claim did recite “prioritize disruption actions based on resource-specific impact in real-time attack prediction”, prioritizing disruption actions is a mental process since humans prioritize actions in the mind. Additionally, the claim does not recite updating of a contextual attack disruption framework. Second, claim 1 recites “identifying a security incident, generating a security incident predictive model analysis… generating a security incident impact analysis… generating an attack disruption plan…” These steps merely involve identifying information and generating information, which are performed in the human mind. Applicant argues (see page 11) that Claim 1 recites meaningful, technically specific limitations that improve contextual attack modeling, impact quantification, and disruption planning within computing environments. Modeling, quantification and planning are mental processes that are carried out by generic computer components.

Claim 1 fails to recite using the identified information, result of analysis or disruption plan to improve the system. The Applicant fails to show how merely analyzing and generating information without using the information to improve the system functionality would result in an improvement in computer functionality. Therefore, claim 1 is not directed to the specific asserted solution, specialized computer architecture or improvement in computer functionality. Instead, the claim focuses on steps that qualify as mental processes and an abstract idea for which computers are used to perform generic functions or merely executing “apply it” to the abstract idea.

The Applicant argues (see pages 18-19), with respect to the rejection of claim 1 under 35 U.S.C 103, that claim 1 recites “wherein the attack path context associates resources in the predicted attack path with a quantified cost, the quantified cost including positive costs for compromised steps and negative costs for disruptable steps.” The Applicant argues that Du’s cost modeling is aggregate in nature and limited to end-point or terminal nodes, not to each resource within an attack path. In response, the Examiner respectfully disagrees. First, claim 1 recites “the attack path context associates resources in the predicted attack path with a quantified cost”. This limitation does not mean that each resource must be associated with a quantified cost. In other words, “associates resources in the predicted attack path with a quantified cost” is not the same as “associates each resource in the predicted attack path with a quantified cost”. Second, Du teaches calculating the terminal risk protection cost and that, for the terminal risk, the security policy adopted by each terminal in the system is D, D = [d1, d2, ..., di], then all terminal risk defense cost… (Du, see page 5, lines 16-20; see page 8, lines 13-23). Note the term “resources” is not defined in the claims and each terminal in Du is a resource in the path. Clearly, each terminal (resource) in the path is associated with a quantified cost (calculated terminal risk protection cost). Third, a new ground of rejection is made in view of the amendments made to the claims. The combination of Chiu et al. (U.S. PGPub 2024/0056469), Du et al. (CN 116170194, see English translated copy), Baltes et al. (U.S. PGPub 2020/0034574) and a new reference (Mehmedagic et al. (WO 2018/024809)) is now relied upon to teach all of the features of claim 1.

Claim Rejections - 35 USC § 101

35 U.S.C. 101 reads as follows: Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. Claims 1, 11 and 17 satisfy Step 1 because the claims are a process, article of manufacture or machine. In Step 2A prong 1, claim 1 recites “identifying a security incident… generating a security incident predictive model analysis… generating an attack path context… generating a security incident impact analysis… generating an attack disruption plan…”, which, under the broadest reasonable interpretation, are steps that are performed in the human mind. Claim 1 merely involves identifying, analyzing and generating information. Such steps of identifying, analyzing and generating information are performed in the human mind or by using a pen and paper. Claim 17 recites “based on communicating the request, receiving a security posture visualization comprising contextual attack disruption data…causing a display…”, which is performed in the human mind. Claim 17 involves gathering information and identifying information to be displayed. Such a step of identifying information to be displayed is performed in the human mind.
If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components, then it falls within the “Mental Processes” grouping of abstract ideas. Claim 11 recites limitations similar to claim 1 and therefore, claim 11 also falls within the “Mental Processes” grouping of abstract ideas. Accordingly, the claims recite an abstract idea.

In Step 2A prong 2, the judicial exception is not integrated into a practical application because the processor and memory are recited at a high level of generality such that they amount to no more than mere instructions to apply the exception using a generic computer component. The claims also recite the additional steps of “communicating the attack disruption plan”, “communicating the contextual attack disruption data…”, “communicating a request for a security posture…” and “causing display…”. However, these steps are insignificant extra-solution activity, e.g., mere data gathering or displaying data in conjunction with the abstract idea. These steps are performed to gather data so that the data can be analyzed by an abstract mental process and the result of the mental process can be displayed. Adding insignificant extra-solution activity to the judicial exception is not enough to qualify as “significantly more”. The additional elements or steps do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea.

In Step 2B, the claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception because the memory and processor are general purpose computer components, which are well-understood, routine and conventional (see Decasper et al. (U.S. PGPub 2007/0192474), paragraph 0004, which includes conventional components such as a processor, a memory (e.g., RAM)… a network interface, such as a conventional modem), performing the steps recited in the claims and are not sufficient to transform a judicial exception into a patentable invention.

Regarding claims 2-10, 12-16 and 18-20, claims 2-10, 12-16 and 18-20 recite “the security incident is a multi-stage security incident…hypothetical sequence of steps…”, “generating the security incident predictive model analysis…”, “comprises a predicted quantified security incident cost…”, “…based on determining positive costs and negative costs…”, “generating the attack disruption plan is based on the predicted attack plan…”, “generating a plurality attack disruption plans as candidate attack disruption plan…”, “…generating a security posture visualization comprising contextual attack disruption data…”, “communicating, from a security management client, a request for a security posture…causing display of the security posture visualization”, and “receiving an indication…communicating the indication to execute the remediation…” However, these features are merely information, involve selecting or identifying information, generating information or are insignificant extra-solution activities (requesting or gathering data, visualization or displaying data). While claim 10 recites “communicating the indication to execute the remediation action…”, claim 10 does not specify what the “remediation action” is and does not require the execution of the remediation action. Therefore, under the broadest reasonable interpretation, “communicating the indication to execute the remediation action…”, as claimed, is an insignificant extra-solution activity such as displaying data. Thus, claims 2-10, 12-16 and 18-20 do not add a meaningful limitation to the abstract idea.

The elements recited in claims 1-20, when considered individually or in an ordered combination, fail to amount to significantly more than the abstract idea. Accordingly, claims 1-20 are not eligible.

Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-16 are rejected under 35 U.S.C. 103 as being unpatentable over Chiu et al. (U.S. PGPub 2024/0056469) in view of Du et al. (CN 116170194, see English translated copy) further in view of Baltes et al. (U.S. PGPub 2020/0034574) further in view of Mehmedagic et al. (WO 2018/024809).

Regarding claims 1 and 11, Chiu teaches A computerized system comprising: one or more computer processors; and computer memory storing computer-useable instructions that, when used by the one or more computer processors, cause the one or more computer processors to perform operations, the operations comprising: identifying a security incident; (Chiu, see figs. 1-3; see paragraphs 0022-0023 where collect data, by reading a plurality of accounts, a plurality of machines, and network resource data... network resource data are selected from...the network resource data includes records of each account logging in the plurality of machines for access, or the result data of endpoint detection & response (EDR) analysis, or a log file of each machine...the attacked targets and the intrusion start point accounts are determined...) generating a security incident predictive model analysis that includes a predicted attack path; generating an attack path context for the predicted attack path, (Chiu, see figs. 1-3; see paragraphs 0024-0026 where evaluated values between nodes on all paths from the start point account to the attacked target are calculated. The path from the start point account to the attacked target refers to a path formed by the machine logged in with the start point account accessing the machine of the attacked target directly, or indirectly by connecting to other machines...all nodes and pointing arrows in the Top K paths are extracted. According to step S13, the evaluated values between nodes on all paths from the start point accounts to the attacked targets are calculated, and thus, the evaluated value of each path can be calculated...)
However, Chiu does not explicitly teach wherein the attack path context comprises a contextual object associated with quantifying a security incident cost; wherein the attack path context associates resources in the predicted attack path with a quantified cost, generating a security incident impact analysis for the predicted attack path; generating an attack disruption plan; and

Du teaches wherein the attack path context comprises a contextual object associated with quantifying a security incident cost; (Du, see abstract where based on attack loss of the node related to the attack path, corresponding cost…; see page 3, lines 17-20 where calculating the terminal risk protection cost, selecting the security policy model based on the terminal risk defense cost...; see page 10, lines 1-10 where represents the ith terminal to the maximum possible attack path; F) represents probability value of the ith terminal at t-n time maximum possible attack path occurrence...calculating the terminal risk protection cost, selecting the security policy model based on the terminal risk defense cost) wherein the attack path context associates resources in the predicted attack path with a quantified cost, (Du, see abstract where based on attack loss of the node related to the attack path, corresponding cost…; see page 3, lines 17-20 where calculating the terminal risk protection cost, selecting the security policy model based on the terminal risk defense cost...; see page 10, lines 1-10 where represents the ith terminal to the maximum possible attack path; F) represents probability value of the ith terminal at t-n time maximum possible attack path occurrence...calculating the terminal risk protection cost, selecting the security policy model based on the terminal risk defense cost; see page 5, lines 16-20 calculating the terminal risk protection cost; see page 8, lines 13-23 for the terminal risk, the security policy adopted by each terminal in the system is D, D = [d1, d2, ..., di], then all terminal risk defense cost… ) generating a security incident impact analysis for the predicted attack path; (Du, see abstract where based on attack loss of the node related to the attack path, corresponding cost…; see page 3, lines 17-20 where calculating the terminal risk protection cost, selecting the security policy model based on the terminal risk defense cost...; see page 10, lines 1-10 where represents the ith terminal to the maximum possible attack path; F) represents probability value of the ith terminal at t-n time maximum possible attack path occurrence...calculating the terminal risk protection cost, selecting the security policy model based on the terminal risk defense cost) generating an attack disruption plan; and (Du, see page 3, lines 17-20 where calculating the terminal risk protection cost, selecting the security policy model based on the terminal risk defense cost...; see page 4, lines 9-20 where generating attack path module, used for combining the influence factor and time of the security risk...for the risk assessment path, selecting the security policy model based on the requirement of the system security level, so as to adapt the dynamic change of terminal risk and system security requirements; see page 5, lines 17-25 where calculating the terminal risk protection cost, selecting the security policy model based on the terminal risk defense cost and system security level...selecting the security policy model based on all terminal risk prevention cost and system security level requirement in the system, so as to adapt the dynamic change of terminal risk and system security requirement)

It would have been obvious to one of ordinary skill in the art, at the time the invention was filed, to combine Chiu and Du to provide the technique of the attack path context comprises a contextual object associated with quantifying a security incident cost, the attack path context associates resources in the predicted attack path with a quantified cost, generating a security incident impact analysis for the predicted attack path and generating an attack disruption plan of Du in the system of Chiu in order to adapt the dynamic change of terminal risk and system security requirement (Du, see page 3, lines 17-19).

However, Chiu-Du does not explicitly teach communicating the attack disruption plan. Baltes teaches communicating the attack disruption plan. (Baltes, see fig. 4; see paragraph 0063 where cybersecurity vulnerabilities whose cybersecurity priority level is at or exceeded the threshold cybersecurity priority level is remedied...this remedying step can include obtaining a new software module or a new hardware component that is configured to address the at least one cybersecurity vulnerability and/or that is based on at least one of the plurality of associated malicious actions. And, in a more particular embodiment, the remedying step can further include installing the new software module or the new hardware component into the targeted object...) It would have been obvious to one of ordinary skill in the art, at the time the invention was filed, to combine Chiu-Du and Baltes to provide the technique of communicating the attack disruption plan of Baltes in the system of Chiu-Du in order to address cybersecurity vulnerabilities according to their respective priority as some cybersecurity vulnerabilities may prove more dangerous and create a risk of greater damage than other cybersecurity vulnerabilities (Baltes, see paragraphs 0001-0002).

However, Chiu-Du-Baltes does not explicitly teach the quantified cost including positive costs for compromised steps and negative costs for disruptable steps; Mehmedagic teaches the quantified cost including positive costs for compromised steps and negative costs for disruptable steps; (Mehmedagic, see fig. 11B-11D; see paragraph 00180 a network fault propagation through the various network levels of an operational industrial SDN ... indicative of an unauthorized intrusion or a cyberattack…; see paragraph 00178 the estimated cost of repair is determined to be $300 and may be based on: maintenance personnel cost/hour * hours worked (e.g., $100/hour *0.5 hour)+ material cost (e.g., $250)... estimated down time (positive costs), cost of repair (negative costs)...) It would have been obvious to one of ordinary skill in the art, at the time the invention was filed, to combine Chiu-Du-Baltes and Mehmedagic to provide the technique of the quantified cost including positive costs for compromised steps and negative costs for disruptable steps of Mehmedagic in the system of Chiu-Du-Baltes in order to reduce financial losses (Mehmedagic, see paragraph 0004).

Regarding claim 2, Chiu-Du-Baltes-Mehmedagic teaches wherein the security incident is a multi-stage security incident associated with a first step in an attack path sequence and one or more additional steps in the attack path sequence, (Chiu, see figs. 1-3; see paragraphs 0026-0027 where pointing arrows in the Top K paths are extracted. According to step S13, the evaluated values between nodes on all paths from the start point accounts to the attacked targets...; see paragraph 0030 where with nodes A and B as the attacked targets 10 and accounts C and D as intrusion start point accounts 20, an AD attacked path graph can be plotted through analysis of the network resources (steps S2 and S15). All paths where a machine logged in with account C accesses attacked targets A and B indirectly via other machines E and F include: C->E->A, C->E->F->A and C->E->F->B. All paths where a machine logged in with account D accesses the attacked targets A and B indirectly via other machine F include: D->F->A and D->F->B...) wherein the first step has been executed; and (Chiu, see figs. 1-3; see paragraphs 0026-0027 where pointing arrows in the Top K paths are extracted. According to step S13, the evaluated values between nodes on all paths from the start point accounts to the attacked targets...; see paragraph 0030 where with nodes A and B as the attacked targets 10 and accounts C and D as intrusion start point accounts 20, an AD attacked path graph can be plotted through analysis of the network resources (steps S2 and S15). All paths where a machine logged in with account C accesses attacked targets A and B indirectly via other machines E and F include: C->E->A, C->E->F->A and C->E->F->B. All paths where a machine logged in with account D accesses the attacked targets A and B indirectly via other machine F include: D->F->A and D->F->B...) wherein the predicted attack path is identified based on the first step, the predicted attack path is a hypothetical sequence of steps that an attack follows to compromise a computing environment. (Chiu, see figs. 1-3; see paragraphs 0026-0027 where pointing arrows in the Top K paths are extracted. According to step S13, the evaluated values between nodes on all paths from the start point accounts to the attacked targets...; see paragraph 0030 where with nodes A and B as the attacked targets 10 and accounts C and D as intrusion start point accounts 20, an AD attacked path graph can be plotted through analysis of the network resources (steps S2 and S15). All paths where a machine logged in with account C accesses attacked targets A and B indirectly via other machines E and F include: C->E->A, C->E->F->A and C->E->F->B. All paths where a machine logged in with account D accesses the attacked targets A and B indirectly via other machine F include: D->F->A and D->F->B...)

Regarding claims 3 and 12, Chiu-Du-Baltes-Mehmedagic teaches wherein generating the security incident predictive model analysis is based on a security incident predictive model, the security incident predictive model comprises a plurality of predicted attack paths, (Chiu, see figs. 1-3; see paragraphs 0026-0027 where pointing arrows in the Top K paths are extracted. According to step S13, the evaluated values between nodes on all paths from the start point accounts to the attacked targets...; see paragraph 0030 where with nodes A and B as the attacked targets 10 and accounts C and D as intrusion start point accounts 20, an AD attacked path graph can be plotted through analysis of the network resources (steps S2 and S15). All paths where a machine logged in with account C accesses attacked targets A and B indirectly via other machines E and F include: C->E->A, C->E->F->A and C->E->F->B. All paths where a machine logged in with account D accesses the attacked targets A and B indirectly via other machine F include: D->F->A and D->F->B...) the plurality of predicted attack paths are associated with corresponding attack path contexts and the security incident impact analysis. (Du, see abstract where based on attack loss of the node related to the attack path, corresponding cost…; see page 3, lines 17-20 where calculating the terminal risk protection cost, selecting the security policy model based on the terminal risk defense cost...; see page 10, lines 1-10 where represents the ith terminal to the maximum possible attack path; F) represents probability value of the ith terminal at t-n time maximum possible attack path occurrence...calculating the terminal risk protection cost, selecting the security policy model based on the terminal risk defense cost) The motivation regarding the obviousness of claims 1 and 11 also applies to claims 3 and 12.

Regarding claims 4 and 13, Chiu-Du-Baltes-Mehmedagic teaches wherein the security incident impact analysis comprises a predicted quantified security incident cost associated with a plurality of contextual objects associated the predicted attack path.
(Du, see abstract where based on attack loss of the node related to the attack path, corresponding cost…; see page 3, lines 17-20 where calculating the terminal risk protection cost, selecting the security policy model based on the terminal risk defense cost...; see page 10, lines 1-10 where represents the ith terminal to the maximum possible attack path; F) represents probability value of the ith terminal at t-n time maximum possible attack path occurrence...calculating the terminal risk protection cost, selecting the security policy model based on the terminal risk defense cost) The motivation regarding the obviousness of claims 1 and 11 also applies to claims 4 and 13.

Regarding claims 5 and 14, Chiu-Du-Baltes-Mehmedagic teaches wherein generating the security impact analysis is based on determining the positive costs and the negative costs associated with contextual objects of the predicted attack path. (Du, see abstract where based on attack loss of the node related to the attack path, corresponding cost…; see page 3, lines 17-20 where calculating the terminal risk protection cost, selecting the security policy model based on the terminal risk defense cost...; see page 10, lines 1-10 where represents the ith terminal to the maximum possible attack path; F) represents probability value of the ith terminal at t-n time maximum possible attack path occurrence...calculating the terminal risk protection cost, selecting the security policy model based on the terminal risk defense cost) The motivation regarding the obviousness of claims 1 and 11 also applies to claims 5 and 14.

Regarding claims 6 and 15, Chiu-Du-Baltes-Mehmedagic teaches wherein generating an attack disruption plan is based on the predicted attack path, the attack path context, and the security incident impact analysis. (Du, see page 3, lines 17-20 where calculating the terminal risk protection cost, selecting the security policy model based on the terminal risk defense cost...; see page 4, lines 9-20 where generating attack path module, used for combining the influence factor and time of the security risk...for the risk assessment path, selecting the security policy model based on the requirement of the system security level, so as to adapt the dynamic change of terminal risk and system security requirements; see page 5, lines 17-25 where calculating the terminal risk protection cost, selecting the security policy model based on the terminal risk defense cost and system security level...selecting the security policy model based on all terminal risk prevention cost and system security level requirement in the system, so as to adapt the dynamic change of terminal risk and system security requirement) The motivation regarding the obviousness of claims 1 and 11 also applies to claims 6 and 15.

Regarding claim 7, Chiu-Du-Baltes-Mehmedagic teaches wherein generating the attack disruption plan comprises generating a plurality attack disruption plans as candidate attack disruption plan, (Du, see page 3, lines 17-20 where calculating the terminal risk protection cost, selecting the security policy model based on the terminal risk defense cost...; see page 4, lines 9-20 where generating attack path module, used for combining the influence factor and time of the security risk...for the risk assessment path, selecting the security policy model based on the requirement of the system security level, so as to adapt the dynamic change of terminal risk and system security requirements; see page 5, lines 17-25 where calculating the terminal risk protection cost, selecting the security policy model based on the terminal risk defense cost and system security level...selecting the security policy model based on all terminal risk prevention cost and system security level requirement in the system, so as to adapt the dynamic change of terminal risk and system security requirement) wherein the attack disruption plan is a designated attack disrupted plan selected based on a total expected loss value. (Du, see page 3, lines 17-20 where calculating the terminal risk protection cost, selecting the security policy model based on the terminal risk defense cost...; see page 4, lines 9-20 where generating attack path module, used for combining the influence factor and time of the security risk...for the risk assessment path, selecting the security policy model based on the requirement of the system security level, so as to adapt the dynamic change of terminal risk and system security requirements; see page 5, lines 17-25 where calculating the terminal risk protection cost (loss value), selecting the security policy model based on the terminal risk defense cost (loss value) and system security level...selecting the security policy model based on all terminal risk prevention cost and system security level requirement in the system, so as to adapt the dynamic change of terminal risk and system security requirement) The motivation regarding the obviousness of claims 1 and 11 also applies to claim 7.

Regarding claims 8 and 16, Chiu-Du-Baltes-Mehmedagic teaches wherein a security posture management engine supports generating a security posture visualization comprising contextual attack disruption data associated with the security incident and a plurality of predicted attack paths. (Chiu, see figs. 2-3; see paragraph 0031 where all nodes of the Top K paths and the pointing arrows between the nodes are extracted (steps S3 and S14). For example, according to the above 5 evaluated values of all the paths, the following top 3 paths are extracted: Path C->E->F->A, Path D->F->A and Path C->E->F->B. The AD attacked path graph as shown in FIG. 4 is plotted according to nodes A, B, C, D, E and F...when the possible attacked path C->E->F->A is presented, the pointing arrow on the attacked path is presented as a solid line or one color, while the pointing arrow that is not on the attacked path is presented as dashed lines or another color...)

Regarding claim 9, Chiu-Du-Baltes-Mehmedagic teaches the operations further comprising: communicating, from a security management client, a request for a security posture of a computing environment; (Baltes, see fig. 2; see paragraph 0050 where indicators may be obtained by recalling (requesting) certain data from a database 84...one or more automated software or firmware tests may be run (requested) to obtain one or more indicators that can be used to obtain an impact metric... more than one impact metric may be obtained....) based on communicating the request, receiving a security posture visualization (Baltes, see fig. 2; see paragraph 0050 where indicators may be obtained by recalling (requesting) certain data from a database 84...one or more automated software or firmware tests may be run (requested) to obtain one or more indicators that can be used to obtain an impact metric... more than one impact metric may be obtained....) comprising contextual attack disruption data associated with the security incident and a plurality of predicted attack paths; and (Chiu, see figs. 1-3; see paragraphs 0024-0026 where evaluated values between nodes on all paths from the start point account to the attacked target are calculated. The path from the start point account to the attacked target refers to a path formed by the machine logged in with the start point account accessing the machine of the attacked target directly, or indirectly by connecting to other machines...all nodes and pointing arrows in the Top K paths are extracted. According to step S13, the evaluated values between nodes on all paths from the start point accounts to the attacked targets are calculated, and thus, the evaluated value of each path can be calculated...) causing display of the security posture visualization. (Chiu, see figs. 2-3; see paragraph 0031 where all nodes of the Top K paths and the pointing arrows between the nodes are extracted (steps S3 and S14). For example, according to the above 5 evaluated values of all the paths, the following top 3 paths are extracted: Path C->E->F->A, Path D->F->A and Path C->E->F->B. The AD attacked path graph as shown in FIG. 4 is plotted according to nodes A, B, C, D, E and F...when the possible attacked path C->E->F->A is presented, the pointing arrow on the attacked path is presented as a solid line or one color, while the pointing arrow that is not on the attacked path is presented as dashed lines or another color...) The motivation regarding the obviousness of claim 1 also applies to claim 9.

Regarding claim 10, Chiu-Du-Baltes-Mehmedagic teaches the operations further comprising: receiving an indication to execute a remediation action associated with contextual attack disruption data; and (Baltes, see fig. 4; see paragraph 0063 where cybersecurity vulnerabilities whose cybersecurity priority level is at or exceeded the threshold cybersecurity priority level is remedied...this remedying step can include obtaining a new software module or a new hardware component that is configured to address the at least one cybersecurity vulnerability and/or that is based on at least one of the plurality of associated malicious actions. And, in a more particular embodiment, the remedying step can further include installing the new software module or the new hardware component into the targeted object...) communicating the indication to execute the remediation action to cause execution of the remediation action. (Baltes, see fig.
4; see paragraph 0063 where cybersecurity vulnerabilities whose cybersecurity priority level is at or exceeded the threshold cybersecurity priority level is remedied...this remedying step can include obtaining a new software module or a new hardware component that is configured to address the at least one cybersecurity vulnerability and/or that is based on at least one of the plurality of associated malicious actions. And, in a more particular embodiment, the remedying step can further include installing the new software module or the new hardware component into the targeted object...) The motivation regarding to the obviousness to claim 1 is also applied to claim 10. Claim 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over Baltes et al. (U.S. PGPub 2020/0034574) in view of Chiu et al. (U.S. PGPub 2024/0056469) further in view of Du et al. (CN 116170194, see English translated copy) further in view of Mehmedagic et al. (WO 2018/024809). Regarding claim 17, Baltes teaches One or more computer-storage media having computer-executable instructions embodied thereon that, when executed by a computing system having a processor and memory, cause the processor to perform operations, the operations comprising: communicating a request for a security posture of a computing environment; (Baltes, see fig. 2; see paragraph 0050 where indicators may be obtained by recalling (requesting) certain data from a database 84...one or more automated software or firmware tests may be run (requested) to obtain one or more indicators that can be used to obtain an impact metric... more than one impact metric may be obtained....) based on communicating the request, receiving a security posture visualization (Baltes, see fig. 
2; see paragraph 0050 where indicators may be obtained by recalling (requesting) certain data from a database 84...one or more automated software or firmware tests may be run (requested) to obtain one or more indicators that can be used to obtain an impact metric... more than one impact metric may be obtained....) However, Baltes does not explicitly teach comprising contextual attack disruption data associated with the security incident and a plurality of predicted attack paths; wherein a predicted attack path from the plurality of predicted paths comprises an attack path context, causing a display of the security posture visualization. Chiu teaches comprising contextual attack disruption data associated with the security incident and a plurality of predicted attack paths; (Chiu, see figs. 1-3; see paragraphs 0024-0026 where evaluated values between nodes on all paths from the start point account to the attacked target are calculated. The path from the start point account to the attacked target refers to a path formed by the machine logged in with the start point account accessing the machine of the attacked target directly, or indirectly by connecting to other machines...all nodes and pointing arrows in the Top K paths are extracted. According to step S13, the evaluated values between nodes on all paths from the start point accounts to the attacked targets are calculated, and thus, the evaluated value of each path can be calculated...) wherein a predicted attack path from the plurality of predicted paths comprises an attack path context, (Chiu, see figs. 1-3; see paragraphs 0024-0026 where evaluated values between nodes on all paths from the start point account to the attacked target are calculated. 
The path from the start point account to the attacked target refers to a path formed by the machine logged in with the start point account accessing the machine of the attacked target directly, or indirectly by connecting to other machines...all nodes and pointing arrows in the Top K paths are extracted. According to step S13, the evaluated values between nodes on all paths from the start point accounts to the attacked targets are calculated, and thus, the evaluated value of each path can be calculated...) causing a display of the security posture visualization. (Chiu, see figs. 2-3; see paragraph 0031 where all nodes of the Top K paths and the pointing arrows between the nodes are extracted (steps S3 and S14). For example, according to the above 5 evaluated values of all the paths, the following top 3 paths are extracted: Path C->E->F->A, Path D->F->A and Path C->E->F->B. The AD attacked path graph as shown in FIG. 4 is plotted according to nodes A, B, C, D, E and F...when the possible attacked path C->E->F->A is presented, the pointing arrow on the attacked path is presented as a solid line or one color, while the pointing arrow that is not on the attacked path is presented as dashed lines or another color...) It would have been obvious to one of ordinary skill in the art, at the time the invention was filed, to combine Baltes and Chiu to provide the technique of a security posture visualization comprising contextual attack disruption data associated with the security incident and a plurality of predicted attack paths, an attack path context, and causing a display of the security posture visualization of Chiu in the system of Baltes in order to facilitate rapid vulnerability repair or corresponding operations (Chiu, see paragraph 0003). 
However, Baltes-Chiu does not explicitly teach wherein the attack path context comprises contextual objects associated with quantifying a security incident cost.

Du teaches wherein the attack path context comprises contextual objects associated with quantifying a security incident cost, (Du, see abstract where based on attack loss of the node related to the attack path, corresponding cost…; see page 3, lines 17-20 where calculating the terminal risk protection cost, selecting the security policy model based on the terminal risk defense cost...; see page 10, lines 1-10 where represents the ith terminal to the maximum possible attack path; F) represents probability value of the ith terminal at t-n time maximum possible attack path occurrence...calculating the terminal risk protection cost, selecting the security policy model based on the terminal risk defense cost; see page 5, lines 16-20 calculating the terminal risk protection cost; see page 8, lines 13-23 for the terminal risk, the security policy adopted by each terminal in the system is D, D = [d1, d2, ..., di], then all terminal risk defense cost… )

It would have been obvious to one of ordinary skill in the art, at the time the invention was filed, to combine Baltes-Chiu and Du to provide the technique of the attack path context comprises contextual objects associated with quantifying a security incident cost of Du in the system of Baltes-Chiu in order to adapt the dynamic change of terminal risk and system security requirement (Du, see page 3, lines 17-19).

However, Baltes-Chiu-Du does not explicitly teach wherein the attack path context associates resources in the predicted attack path with a quantified cost, the quantified cost including positive costs for compromised steps and negative costs for disruptable steps; and

Mehmedagic teaches wherein the attack path context associates resources in the predicted attack path with a quantified cost, the quantified cost including positive costs for compromised steps and negative costs for disruptable steps; and (Mehmedagic, see fig. 11B-11D; see paragraph 00180 a network fault propagation through the various network levels of an operational industrial SDN ... indicative of an unauthorized intrusion or a cyberattack…; see paragraph 00178 the estimated cost of repair is determined to be $300 and may be based on: maintenance personnel cost/hour * hours worked (e.g., $100/hour *0.5 hour)+ material cost (e.g., $250)... estimated down time (positive costs), cost of repair (negative costs)...)

It would have been obvious to one of ordinary skill in the art, at the time the invention was filed, to combine Baltes-Chiu-Du and Mehmedagic to provide the technique of the attack path context associates resources in the predicted attack path with a quantified cost, the quantified cost including positive costs for compromised steps and negative costs for disruptable steps of Mehmedagic in the system of Baltes-Chiu-Du in order to reduce financial losses (Mehmedagic, see paragraph 0004).

Regarding claim 18, Baltes-Chiu-Du-Mehmedagic teaches the operations further comprising: identifying the security incident; (Chiu, see figs. 1-3; see paragraphs 0022-0023 where collect data, by reading a plurality of accounts, a plurality of machines, and network resource data... network resource data are selected from...the network resource data includes records of each account logging in the plurality of machines for access, or the result data of endpoint detection & response (EDR) analysis, or a log file of each machine...the attacked targets and the intrusion start point accounts are determined...) generating a security incident predictive model analysis that includes the predicted attack path; generating the attack path context for the predicted attack path, (Chiu, see figs. 1-3; see paragraphs 0024-0026 where evaluated values between nodes on all paths from the start point account to the attacked target are calculated. The path from the start point account to the attacked target refers to a path formed by the machine logged in with the start point account accessing the machine of the attacked target directly, or indirectly by connecting to other machines...all nodes and pointing arrows in the Top K paths are extracted. According to step S13, the evaluated values between nodes on all paths from the start point accounts to the attacked targets are calculated, and thus, the evaluated value of each path can be calculated...) generating a security incident impact analysis for the predicted attack path; (Du, see abstract where based on attack loss of the node related to the attack path, corresponding cost…; see page 3, lines 17-20 where calculating the terminal risk protection cost, selecting the security policy model based on the terminal risk defense cost...; see page 10, lines 1-10 where represents the ith terminal to the maximum possible attack path; F) represents probability value of the ith terminal at t-n time maximum possible attack path occurrence...calculating the terminal risk protection cost, selecting the security policy model based on the terminal risk defense cost) generating an attack disruption plan; and (Du, see page 3, lines 17-20 where calculating the terminal risk protection cost, selecting the security policy model based on the terminal risk defense cost...; see page 4, lines 9-20 where generating attack path module, used for combining the influence factor and time of the security risk...for the risk assessment path, selecting the security policy model based on the requirement of the system security level, so as to adapt the dynamic change of terminal risk and system security requirements; see page 5, lines 17-25 where calculating the terminal risk protection cost, selecting the security policy model based on the terminal risk defense cost and system security level...selecting the security policy model based on all terminal risk prevention cost and system security level requirement in the system, so as to adapt the dynamic change of terminal risk and system security requirement) communicating the attack disruption plan. (Baltes, see fig. 4; see paragraph 0063 where cybersecurity vulnerabilities whose cybersecurity priority level is at or exceeded the threshold cybersecurity priority level is remedied...this remedying step can include obtaining a new software module or a new hardware component that is configured to address the at least one cybersecurity vulnerability and/or that is based on at least one of the plurality of associated malicious actions. And, in a more particular embodiment, the remedying step can further include installing the new software module or the new hardware component into the targeted object...) The motivations regarding the obviousness of claim 17 are also applied to claim 18.

Regarding claim 19, Baltes-Chiu-Du-Mehmedagic teaches wherein generating the security incident predictive model analysis is based on a security incident predictive model, the security incident predictive model comprises the plurality of predicted attack paths, (Chiu, see figs. 1-3; see paragraphs 0026-0027 where pointing arrows in the Top K paths are extracted. According to step S13, the evaluated values between nodes on all paths from the start point accounts to the attacked targets...; see paragraph 0030 where with nodes A and B as the attacked targets 10 and accounts C and D as intrusion start point accounts 20, an AD attacked path graph can be plotted through analysis of the network resources (steps S2 and S15). All paths where a machine logged in with account C accesses attacked targets A and B indirectly via other machines E and F include: C->E->A, C->E->F->A and C->E->F->B. All paths where a machine logged in with account D accesses the attacked targets A and B indirectly via other machine F include: D->F->A and D->F->B...) the plurality of predicted attack paths are associated with corresponding attack path contexts and security incident impact analysis. (Du, see abstract where based on attack loss of the node related to the attack path, corresponding cost…; see page 3, lines 17-20 where calculating the terminal risk protection cost, selecting the security policy model based on the terminal risk defense cost...; see page 10, lines 1-10 where represents the ith terminal to the maximum possible attack path; F) represents probability value of the ith terminal at t-n time maximum possible attack path occurrence...calculating the terminal risk protection cost, selecting the security policy model based on the terminal risk defense cost) The motivations regarding the obviousness of claim 17 are also applied to claim 19.

Regarding claim 20, Baltes-Chiu-Du-Mehmedagic teaches wherein a security posture management engine supports generating the security posture visualization comprising the contextual attack disruption data associated with the security incident and the plurality of predicted attack paths. (Chiu, see figs. 2-3; see paragraph 0031 where all nodes of the Top K paths and the pointing arrows between the nodes are extracted (steps S3 and S14). For example, according to the above 5 evaluated values of all the paths, the following top 3 paths are extracted: Path C->E->F->A, Path D->F->A and Path C->E->F->B. The AD attacked path graph as shown in FIG. 4 is plotted according to nodes A, B, C, D, E and F...when the possible attacked path C->E->F->A is presented, the pointing arrow on the attacked path is presented as a solid line or one color, while the pointing arrow that is not on the attacked path is presented as dashed lines or another color...) The motivations regarding the obviousness of claim 17 are also applied to claim 20.

Conclusion

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MENG VANG whose telephone number is (571)270-7023. The examiner can normally be reached M-F 8AM-2PM, 3PM-5PM.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, NICHOLAS TAYLOR can be reached at (571) 272-3889. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MENG VANG/Primary Examiner, Art Unit 2443
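The two mechanisms the rejection turns on, Top-K attack-path extraction over an Active Directory logon graph (the Chiu passages) and selecting a disruption plan by a total expected loss built from per-resource positive and negative costs (the claim 7 and claim 17 language), are easier to reason about in code. The following is an added worked example written for this page; it is not the claimed engine, the examiner's analysis, or code from Chiu, Du, Baltes or Mehmedagic. The node labels A-F and the five start-to-target paths mirror the Chiu example quoted above; the pivot probabilities, compromise losses, disruption costs and the product-of-probabilities scoring are constructed assumptions for illustration only.

```python
"""Worked example (added for this page): enumerate attack paths between
intrusion start-point accounts and attacked targets, score and keep the
Top-K paths, attach a per-resource cost context (positive = loss when the
resource is compromised, negative = cost of disrupting it), and pick the
candidate disruption plan with the lowest total expected loss.

Graph shape follows the Chiu example quoted in the office action
(accounts C, D; machines E, F; targets A, B). All numbers are constructed
assumptions, not values from any cited reference.
"""
from itertools import combinations
from typing import Dict, Iterable, List, Tuple

Path = List[str]

# Constructed pivot graph: (src, dst) -> assumed probability that an
# attacker holding src reaches dst (e.g. via a cached logon).
EDGES: Dict[Tuple[str, str], float] = {
    ("C", "E"): 0.9, ("E", "A"): 0.3, ("E", "F"): 0.8,
    ("F", "A"): 0.7, ("F", "B"): 0.6, ("D", "F"): 0.5,
}
START_POINTS = ["C", "D"]   # intrusion start-point accounts
TARGETS = ["A", "B"]        # attacked targets

# Constructed attack-path context. Positive cost: loss incurred if the
# step (resource) is compromised. Negative cost: price of disrupting the
# step (isolate host, revoke sessions); absent = not disruptable here.
COMPROMISE_LOSS: Dict[str, float] = {"E": 50.0, "F": 120.0, "A": 1000.0, "B": 400.0}
DISRUPTION_COST: Dict[str, float] = {"E": -30.0, "F": -45.0}


def enumerate_paths(edges, starts, targets) -> List[Path]:
    """All simple paths from any start account to any attacked target."""
    adj: Dict[str, List[str]] = {}
    for src, dst in edges:
        adj.setdefault(src, []).append(dst)
    found: List[Path] = []

    def walk(node: str, trail: Path) -> None:
        if node in targets:
            found.append(trail)
            return
        for nxt in adj.get(node, []):
            if nxt not in trail:          # simple paths only, no cycles
                walk(nxt, trail + [nxt])

    for start in starts:
        walk(start, [start])
    return found


def path_probability(path: Path, edges) -> float:
    """Evaluated value of a path: product of its edge pivot probabilities."""
    prob = 1.0
    for a, b in zip(path, path[1:]):
        prob *= edges[(a, b)]
    return prob


def top_k_paths(edges, starts, targets, k: int) -> List[Tuple[Path, float]]:
    """Predicted attack paths ranked by evaluated value, highest first."""
    scored = [(p, path_probability(p, edges)) for p in enumerate_paths(edges, starts, targets)]
    scored.sort(key=lambda item: (-item[1], "".join(item[0])))
    return scored[:k]


def total_expected_loss(paths, disrupted: Iterable[str],
                        loss=COMPROMISE_LOSS, cost=DISRUPTION_COST) -> float:
    """Residual expected loss over the paths the plan does not cut, plus
    the spend implied by the plan's negative disruption costs."""
    cut = set(disrupted)
    residual = 0.0
    for path, prob in paths:
        if cut.intersection(path):
            continue                      # a disrupted step breaks the path
        residual += prob * sum(loss.get(step, 0.0) for step in path[1:])
    spend = sum(-cost[step] for step in cut)  # negative cost -> positive spend
    return residual + spend


def plan_disruption(paths, max_actions: int = 2, cost=DISRUPTION_COST):
    """Generate candidate plans (subsets of disruptable steps) and return
    (designated_plan, its_total_expected_loss, all_candidates)."""
    candidates = []
    for size in range(max_actions + 1):
        for combo in combinations(sorted(cost), size):
            candidates.append((frozenset(combo), total_expected_loss(paths, combo)))
    candidates.sort(key=lambda item: (item[1], sorted(item[0])))
    best_plan, best_loss = candidates[0]
    return best_plan, best_loss, candidates


if __name__ == "__main__":
    top = top_k_paths(EDGES, START_POINTS, TARGETS, k=3)
    for path, prob in top:
        print("->".join(path), f"p={prob:.3f}")
    plan, loss, _ = plan_disruption(top)
    print("designated plan:", sorted(plan), f"total expected loss={loss:.2f}")
```

With these constructed weights the five paths match the Chiu example, the Top-3 are C->E->F->A, C->E->F->B and D->F->A, and the designated plan is to disrupt F alone: F sits on every Top-3 path, so paying its disruption cost removes all residual loss, whereas disrupting E leaves D->F->A intact and disrupting both wastes the extra spend. The candidate enumeration is brute force over subsets, which is fine for a handful of disruptable steps but exponential in general; a production engine would prune by path coverage or cap the plan size, as this one does with max_actions.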

Prosecution Timeline

Mar 28, 2024
Application Filed
Jul 29, 2025
Non-Final Rejection — §101, §103
Oct 10, 2025
Applicant Interview (Telephonic)
Oct 10, 2025
Examiner Interview Summary
Oct 29, 2025
Response Filed
Feb 05, 2026
Final Rejection — §101, §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12602478
MALWARE MONITORING AND DETECTION
2y 5m to grant Granted Apr 14, 2026
Patent 12592834
SYSTEM AND METHOD FOR GENERATING A DIGITAL CERTIFICATE FOR A USER USING A DECENTRALIZED BLOCKCHAIN
2y 5m to grant Granted Mar 31, 2026
Patent 12592841
ACTIVE-ACTIVE REPLICATION IN BLOCKCHAIN TABLES WITH PRIMARY KEY CONSTRAINTS
2y 5m to grant Granted Mar 31, 2026
Patent 12586395
CREATING MACHINE LEARNING MODELS FOR DETECTING THE APPLICATION OF SPECIFIC DEEPFAKE TOOLS
2y 5m to grant Granted Mar 24, 2026
Patent 12587446
MANAGING NETWORK DEVICE CONFIGURATIONS BASED ON CONFIGURATION FRAGMENTS
2y 5m to grant Granted Mar 24, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.


Prosecution Projections

3-4
Expected OA Rounds
77%
Grant Probability
99%
With Interview (+28.1%)
2y 11m
Median Time to Grant
Moderate
PTA Risk
Based on 293 resolved cases by this examiner. Grant probability derived from career allow rate.
