Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Detailed Action
The following is a final office action in response to communications received January 13, 2026. Claims 1 and 9 have been amended. New claims 10-15 are added. Therefore, claims 1-15 are pending and addressed below.
Response to Arguments
Applicant’s arguments filed January 13, 2026 have been fully considered but they are not persuasive for the following reasons:
Applicant’s arguments with respect to the rejections of amended claims 1 and 9 under 35 U.S.C 102(a)(1) have been fully considered but are moot because a new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument. A new ground of rejection under 35 U.S.C 103 is made in view of the combination of prior art of Shinke et al (US PG-PUB No. 20220179966 A1) and Hicks et al (US PG-PUB No. 20210294685 A1). (see below rejection details)
Therefore, claims 1 and 9 are rejected under 35 U.S.C 103. As claims 2-8 and 10-15 are dependent directly or indirectly on claim 1, applicant’s argument with respect to the rejections of claim 2-8 and 10-15 are moot.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-15 are rejected under 35 U.S.C. 103 as being unpatentable over Shinke et al (US PG-PUB No. 20220179966 A1) in view of Hicks et al (US PG-PUB No. 20210294685 A1).
Regarding claim 1 and claim 9, Shinke teaches a security measure determination device and method, the security measure determination device comprising: a processor; and a memory; the memory being configured to hold (Paragraph [0046]: “The information processing device 10 (security measure determination device) is an apparatus that supports user's security design.”; Paragraph [0291]: “The information processing device 10 includes, as a hardware configuration, a processor 11 (processor), an output unit 12, an input unit 13, a main storage unit 14, an auxiliary storage unit 15 (memory), a communication unit 16, and a display unit 17.”):
component information indicating elements that form the component (Paragraph [0062]: “The constraint condition information includes at least system requirements. In the present embodiment, the constraint condition information includes system requirements (includes the component information: hardware and software information) and security requirements."; FIG. 1 is a functional configuration of an information processing device 10 which includes all the units or functional blocks that are implemented by hardware and software.);
rule information indicating a requirement that is required, in a rule concerning security, of a component included in a subject system (Paragraph [0050]: “the security requirements (rule information) are a condition for security characteristics of the security measures technology to be introduced into the target system in the specification. For example, functions (prevention, inhibition, detection, and recovery) of the security measures technology are an example of the security characteristics of the security measures technology.”);
constraint condition information indicating a plurality of constraint conditions about specifications of the component (Paragraph [0051]: “the system requirements (constraint condition information) are a condition of a function that needs to be satisfied by the system in operating the system in the specification.”); and
measure plan information indicating measure plans that satisfy the requirement and constraint conditions required to be satisfied in order to implement the measure plans, the processor being configured to: associate the requirement indicated by the rule information with the measure plans indicated by the measure plan information as measure plans that satisfy the requirement; select, based on the constraint conditions that are Indicated by the measure plan information of the measure plans associated with the requirement, and the plurality of constraint conditions that are indicated by the constraint condition information, a measure plan from the measure plans associated with the requirement; and generate data for displaying the selected measure plan (Paragraph [0065]: “In the specification, the threat-handling measures information (measure plan information) is information in which a threat obtained from the threat information obtaining unit 105, a security measures technology effective against the threat, and a security characteristic of the security measures technology, are associated with each other (associate the requirements with the security measure plans).”; Paragraph [0068]: “The evaluation value determination unit 1073 extracts a list of security measures technologies satisfying the requirements information, based on the requirement information (select security measure plans associated with the requirement), the threat-handling measures information and the influence information.”; Paragraph [0070]: “The evaluation value determination unit 1073 outputs a list of security measures technologies (satisfying the common constraint condition) (security measure plans satisfy the requirement and constraint conditions) and evaluation values of the security measures technologies (to be used for each calculation process) as calculation input information to the algorithm calculation units 1074a, 1074b, and 1074c.”; Paragraph [0079]: “The algorithm calculation units 1074a, 1074b and 1074c output ranking results to the calculation output unit 1075.”; Paragraph [0081]: “The calculation output unit 1075 generates measures technology set information (generate data for displaying the selected measure plans), based on the ranking results”; Paragraph [0089]: “The display unit 111 displays the measures technology set information (displaying the selected measure plans) received from the technology set output 109.”).
Shinke is not relying on automatically generating the constraint condition information.
However, Hicks teaches the processor being configured to automatically generate the constraint condition information from the component information (Paragraph [0328]: “The auto-correct function 233 receives a deficiency 232 and interprets it to determine a deficiency type, i.e., a nature of the understanding issue, the implementation issue, and/or the operation issues. Continuing with the outdated policy example, the nature of the understanding issue is that there is a newer version of the policy. Since there is a newer version available, the auto-correct function 233 can update the policy to the newer version for the system (e.g., an auto-correction). In addition to making the auto-correction 235, the analysis system creates an accounting 236 of the auto-correction (e.g., creates a record). The record includes an identity of the deficiency, date information, what auto-correction was done, how it was done, verification that it was done, and/or more or less data as may be desired for recording auto-corrections.”; Paragraph [0329]: “the analysis system generates a report regarding the extra asset (generate the constraint condition information form the component information) and the related deficiencies.”);
Shinke and Hicks are both considered to be analogous to the claimed invention because they both teach security measure determination. Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the processor disclosed by Shinke with adding automatically generate the constraint condition information from the component information disclosed by Hicks.
One of the ordinary skills in the art would have been motivated to make this modification in order to identify and auto-correct any deficiencies of extra asset that was not included in the disclosed data, based on constraint (policy), as suggested by Hicks in paragraph [0329].
Regarding claim 2, Shinke and Hicks teach all of the features with respect to claim 1, as outlined above.
Shinke further teaches wherein the processor is configured to generate data for displaying a selection basis indicating that the plurality of constraint conditions that are indicated by the constraint condition information satisfy constraint conditions that are associated with the selected measure plan in the measure plan information (Paragraph [0070]: “The evaluation value determination unit 1073 outputs a list of security measures technologies (satisfying the common constraint condition) (security measure plans satisfy the requirement and constraint conditions)).
Regarding claim 3, Shinke and Hicks teach all of the features with respect to claim 1, as outlined above.
Shinke further teaches wherein the component includes an OS, a CPU, and a memory, and wherein the plurality of constraint conditions that are indicated by the constraint condition information and the constraint conditions that are indicated by the measure plan information each include at least one of a condition about an OS type of the component, a condition about CPU performance of the component, a condition about a memory capacity of the component, or a condition about an operational status of the component (Paragraph [0291]: “The information processing device 10 (security measure determination device) is, for example, a computer (a computer includes an OS, a CPU and a memory).”; Paragraph [0051]: “the system requirements (constraint condition information) are a condition of a function that needs to be satisfied by the system in operating the system in the specification.”; One of the ordinary skills in the art would understand the system requirements include the OS type, CPU performance and memory capacity. They also specify other hardware and software needs like storage space, graphics cards, and necessary drivers to ensure a program or device runs successfully.).
Regarding claim 4, Shinke and Hicks teach all of the features with respect to claim 1, as outlined above.
Shinke further teaches wherein the rule information indicates a threat to the requirement, wherein the measure plan information indicates an association between the threat and the measure plans, and wherein the processor is configured to associate, based on the threat that is indicated by the rule information and the threat that is indicated by the measure plan information, the requirement indicated by the rule information with the measure plans indicated by the measure plan information as measure plans that satisfy the requirement (Paragraph [0065]: “In the specification, the threat-handling measures information (measure plan information) is information in which a threat obtained from the threat information obtaining unit 105, a security measures technology effective against the threat, and a security characteristic of the security measures technology, are associated with each other (association between the threat and the measure plans that satisfy the requirement).”).
Regarding claim 5, Shinke and Hicks teach all of the features with respect to claim 1, as outlined above.
Shinke further teaches wherein the processor is configured to select a measure plan for which a combination of at least one constraint condition out of the plurality of constraint conditions that are indicated by the constraint condition information satisfies the constraint conditions that are indicated by the measure plan information of the measure plans associated with the requirement, out of the measure plans associated with the requirement (Paragraph [0044]: “The ranking unit (a component of the security measure determination device) classifies the one or more security measures technologies (selected measure plans) into a security measures technology satisfying a common constraint condition indicating the system requirements and a security measures technology not satisfying the common constraint condition, based on the common constraint condition information and the influence information, and ranks the security measures technology satisfying the common constraint condition.”).
Regarding claim 6, Shinke and Hicks teach all of the features with respect to claim 1, as outlined above.
Shinke further teaches wherein the memory is configured to hold information indicating a target security level, wherein the rule information is configured to hold information indicating, for each security level, whether the requirement is to be satisfied at the each security level, wherein the constraint conditions that are indicated by the measure plan information include first conditions required of the component to satisfy in order to implement the measure plans, and second conditions about security levels of the measure plans, and wherein the processor is configured to: identify, from the rule information, a requirement to be satisfied at the target security level; associate the identified requirement with measure plans indicated by the measure plan information as measure plans that satisfy the identified requirement; and select a measure plan out of the measure plans associated with the identified requirement, based on: the first conditions and the second conditions that are associated, in the measure plan information, with the measure plans associated with the identified requirement; the plurality of constraint conditions that are indicated by the constraint condition information; and the target security level (Paragraph [0048]: “The information processing device 10 ranks one or more security measures technologies satisfying a constraint condition, based on an evaluation value (The evaluation value is the target security level. For each security level, the requirement is to be satisfied) of the security measures technology with at least system requirements as the constraint condition (first conditions). The information processing device 10 outputs the ranking result, thereby supporting selection determination of the security measures technology by the user who selects the security measures technology.”; Paragraph [0058]: “Here, the evaluation value (security level, also is the second conditions) is an eigenvalue of a security measures technology used when an algorithm calculation unit 1074 ranks the security measures technology. Examples of the evaluation value include a security strength, a total loss in a case where no measures are taken, an introduction cost, an operation cost, and the like.”; Paragraph [0113]: “In Fig. 11A, the security measures technology (measure plans) satisfying the common constraint condition (first conditions) is associated with the security strength (an example of the evaluation value (security level, second conditions)).”; The processor of the device is configured to identify a requirement to be satisfied at the security level, associate the requirement with measure plan, select a measure plan based on the first conditions and the second conditions that are associated with the requirement.).
Regarding claim 7, Shinke and Hicks teach all of the features with respect to claim 6, as outlined above.
Shinke further teaches wherein the processor is configured to generate data for displaying a selection basis indicating that the plurality of constraint conditions that are indicated by the constraint condition information satisfy one of the first conditions that is associated with the selected measure plan in the measure plan information, and that one of the second conditions that is associated with the selected measure plan in the measure plan information satisfies the target security level (Paragraph [0048]: “The information processing device 10 outputs the ranking result, thereby supporting selection determination of the security measures technology by the user who selects the security measures technology (generate data for displaying a selection basis).”; Paragraph [0113]: “In Fig. 11A, the security measures technology (measure plans) satisfying the common constraint condition (first conditions) is associated with the security strength (an example of the evaluation value (security level, second conditions)).”).
Regarding claim 8, Shinke and Hicks teach all of the features with respect to claim 6, as outlined above.
Shinke further teaches wherein the processor is configured to select a measure plan for which a combination of at least one constraint condition out of the plurality of constraint conditions that are indicated by the constraint condition information satisfies the first conditions that are indicated by the measure plan information of the measure plans associated with the identified requirement, out of the measure plans associated with the identified requirement (Paragraph [0044]: “The ranking unit (a component of the security measure determination device) classifies the one or more security measures technologies (selected measure plans) into a security measures technology satisfying a common constraint condition indicating the system requirements (the constraint condition information satisfies the first conditions) and a security measures technology not satisfying the common constraint condition, based on the common constraint condition information and the influence information, and ranks the security measures technology satisfying the common constraint condition.”).
Regarding claim 10, Shinke and Hicks teach all of the features with respect to claim 1, as outlined above.
Shinke further teaches the security measure determination device further comprising a component information input reception module configured to display, on a display device, a user interface through which a designer is to input the component information via an input device (Paragraph [0061]: “The requirements information obtaining unit (also referred to as a common constraint condition information obtaining unit or a constraint condition information obtaining unit) 106 (component information input reception module via an input device) obtains requirements information (also referred to as common constraint condition information or constraint condition information) (requirements information includes the component information) indicating a requirement for a security design of the target system by the user's input (user interface through which a designer is to input the component information), and manages the requirements information in, for example, a table format shown in FIG. 6.”; Paragraph [0089]: “The display unit 111 (display device) displays the measures technology set information received from the technology set output 109.”).
Regarding claim 11, Shinke and Hicks teach all of the features with respect to claim 1, as outlined above.
Hicks teaches the security measure determination device further comprising a constraint condition management module configured to generate the constraint condition information from the component information (as explained in the claim 1 above, Hicks teaches in Paragraph [0329]: “the analysis system generates a report regarding the extra asset (generate the constraint condition information form the component information) and the related deficiencies.”), Shinke further teaches the constraint condition management module configured to store the constraint condition information in the memory, and analyze the constraint condition information (Paragraph [0090]: “The storage unit 110 stores various types of information (store the constraint condition information in the memory) to be used by the information processing device 10 (constraint condition management module) according to the embodiment.”; Paragraph [0294]: “The main storage unit 14 is, for example, a memory such as a read only memory (ROM) and a random access memory (RAM).”; Paragraph [0068]: “The evaluation value determination unit 1073 (analyze and evaluate the constraint condition information) extracts a list of security measures technologies satisfying the requirements information, based on the requirement information, the threat-handling measures information and the influence information.”).
Regarding claim 12, Shinke and Hicks teach all of the features with respect to claim 1, as outlined above.
Shinke is not relying on, but Hicks teaches wherein the component is a control instrument included in a control system, and wherein the control instrument is a programmable logic controller or an IoT gateway (Paragraph [0174]: “The computing resource include a core control module 41 (the component is a control instrument included in a control system)”; Paragraph [0177]: “The core control module 41 coordinates data communications between the processing module(s) 43 and the network(s) 14 via the I/O and/or peripheral control module 46, the network interface module(s) 55, and a network card 58 or 59.”; Paragraph [0958]: “Such a processing device (the security measure determination device) may be a microprocessor, micro-controller, digital signal processor, microcomputer, central processing unit, field programmable gate array, programmable logic device, state machine, logic circuitry, analog circuitry, digital circuitry, and/or any device that manipulates signals (analog and/or digital) based on hard coding of the circuitry and/or operational instructions (the control instrument is a programmable logic controller).“).
It would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the component disclosed by Shinke with adding the control instrument disclosed by Hicks.
One of the ordinary skills in the art would have been motivated to make this modification in order to coordinate the transfer of data and/or operational instructions between memory and processor, as suggested by Hicks in paragraph [0175].
Regarding claim 13, Shinke and Hicks teach all of the features with respect to claim 1, as outlined above.
Shinke is not relying on, but Hicks teaches wherein the component information includes a component field indicating the component and an element field indicating, for each component, information about elements that form the component, and wherein the element field indicates types of an OS and a chip of a CPU that are installed in the component (Paragraph [0615]: “Disclosed device information and application information relevant to issue recovery includes a list of devices (software and/or hardware) (components) and a list of applications (e.g., a list of system applications (e.g., operating systems) (elements) and a list of user applications)… a detailed inventory of organization (component information includes different components as listed) network devices, applications, operating systems, servers (component), databases, etc.”; Paragraph [0620]: “Server information (for each component, like the server for example, include elements that form the component) may include location, server model, operating system, CPUs (element field indicates types of an OS and a chip of a CPU that are installed in the component), memory, total disk, system handle, system serial number, domain name system (DNS) entry, IP address, applications, associated devices, certificates, etc.).
It would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the component information disclosed by Shinke with adding component field and element field disclosed by Hicks.
One of the ordinary skills in the art would have been motivated to make this modification in order to effectively identify suspicious activity for evaluation and recovery purposes, as suggested by Hicks in paragraph [0615].
Regarding claim 14, Shinke and Hicks teach all of the features with respect to claim 4, as outlined above.
Shinke further teaches wherein the processor is configured to associate the requirement with the measure plans by mapping the measure plan information onto the rule information based on the threat indicated by the rule information and the threat indicated by the measure plan information (Paragraph [0225]: “In step S715 of FIG. 26, the combination selection unit 1077 generates combination information indicating a security measures technology that is effective against a threat (indicated by the threat information) (mapping the measure plan information based on the threat information) and eliminates a remaining threat, based on the threat information related to the unprocessed threat and the threat measures information.”; Paragraph [0226] to [0229] shows the mapping of the measure plan information onto the rule information based on the threats indicated by the rule and the measure plan information.).
Regarding claim 15, Shinke and Hicks teach all of the features with respect to claim 2, as outlined above.
Shinke further teaches wherein the selection basis indicates that the plurality of constraint conditions that are indicated by the constraint condition information satisfy constraint conditions required of the selected measure plan to satisfy (Paragraph [0048]: “The information processing device 10 ranks one or more security measures technologies satisfying a constraint condition, based on an evaluation value of the security measures technology with at least system requirements as the constraint condition (the plurality of constraint conditions that are indicated by the constraint condition information satisfy constraint conditions required of the selected measure plan to satisfy). The information processing device 10 outputs the ranking result (the processor generates data), thereby supporting selection determination of the security measures technology by the user who selects the security measures technology (a selection basis).”).
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. (see PTO-892 form for details)
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JASMINE DAY whose telephone number is (571)272-0204. The examiner can normally be reached Monday - Friday 9:00 - 5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Philip Chea can be reached at 571-272-3951. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/J.M.D./Examiner, Art Unit 2499 /PHILIP J CHEA/Supervisory Patent Examiner, Art Unit 2499