Prosecution Insights
Last updated: May 29, 2026
Application No. 18/702,865

SECURITY ANALYSIS APPARATUS, SECURITY ANALYSIS METHOD, AND COMPUTER READABLE RECORDING MEDIUM

Non-Final OA: §101, §102, §112
Filed: Apr 19, 2024
Priority: Oct 29, 2021 — nonprovisional of PCTJP2021040114
Examiner: KIM, TAE K
Art Unit: 2496
Tech Center: 2400 — Computer Networks
Assignee: NEC Corporation
OA Round: 1 (Non-Final)
Grant Probability: 74% (Favorable)
OA Rounds: 1-2
Est. Remaining: 1y 5m
With Interview: 80%

Examiner Intelligence

Grants 74% — above average
Career Allowance Rate: 74% (488 granted / 658 resolved; +16.2% vs TC avg)
Interview Lift: +5.3% (moderate +5% lift; resolved cases with interview)
Typical timeline, Avg Prosecution: 3y 6m (17 currently pending)
Career history, Total Applications: 687 across all art units

Statute-Specific Performance

§101: 1.2% (-38.8% vs TC avg)
§103: 73.1% (+33.1% vs TC avg)
§102: 18.8% (-21.2% vs TC avg)
§112: 3.9% (-36.1% vs TC avg)
Based on career data from 658 resolved cases

Office Action

§101 §102 §112
DETAILED ACTION

This is in response to the application filed on April 19, 2024. A preliminary amendment was filed on April 19, 2024, amending Claims 1 – 5 and 11 – 15. Claims 1 – 15, of which Claims 1, 6, and 11 are in independent form, are presented for examination.

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement

The information disclosure statements (IDSs) submitted on April 19, 2024, June 12, 2024 and February 14, 2025 were filed before the mailing date of the current action. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 101

35 U.S.C. 101 reads as follows: Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1 – 15 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.

1. Regarding Claims 1, 6, and 11, the claims recite a generalized computing device for searching for information described in a data flow diagram and a computer system to be analyzed, using a search query corresponding to an analysis rule for use in analysis, and determining a relationship between the data flow diagram and the analysis rule based on retrieved information. The limitations recite concepts that can be performed in the human mind and, therefore, are directed to an abstract idea. For example, a human can look at the topography of a computer system and determine the communication paths of each internal device that access an external device to determine if the paths all use a firewall or go through a particular IP address or port.

This judicial exception is not integrated into a practical application because a generalized computing device (i.e., memory and processor executing instructions) do nothing more than merely apply the judicial exception on a computer. See MPEP 2106.05(f). Additionally, the claims are attempting to monopolize an exception (e.g. determining relationships between a data flow diagram and an analysis rule). The claimed limitations, alone and in combination, do not amount to significantly more than the judicial exception. Therefore, the claims are rejected under 35 USC 101.

2. Regarding Claims 2, 7, and 12, the additional limitations of “the data flow diagram is constructed for each test scenario of the computer system, attribute information for each of the test scenarios is added to the data flow diagram constructed for each of the test scenarios, and the analysis rule has an attribute added thereto” merely describe the type of information that is being processed and does not constitute any information that cannot be evaluated by the human mind. Additionally, the claim limitation of “comparing the attribute added to the analysis rule for use in analysis with the attribute information for each of the test scenarios; determining the test scenarios to be analyzed; and searching the data flow diagrams corresponding to the determined test scenarios using the search query” do not add any elements that are significantly more than the judicial exception described above. For example, a human can determine different test scenarios based on a particular vulnerability to evaluate a corresponding data flow diagram, such as communication using port 80 versus port 443. Therefore, the claimed limitations, alone and in combination, do not amount to significantly more than the judicial exception.

3. Regarding Claims 3, 8, and 13, the additional limitations of “cross-search the data flow diagrams corresponding to the determined test scenarios using the search query” merely indicates searching for specific information within the data flow diagrams which is a mental evaluation that is being performed by the human. Therefore, the claimed limitations, alone and in combination, do not amount to significantly more than the judicial exception.

4. Regarding Claims 4, 9, and 14, the additional limitations of “group the determined test scenarios based on the attribute added to the analysis rule for use in analysis, search the corresponding data flow graphs, per group, with the search query, compare search results of the groups, and determine the relationship between the corresponding data flow diagrams and the analysis rule” merely indicates how (by groupings) specific information within the data flow diagrams are evaluated which is a mental evaluation that is being performed by the human. Therefore, the claimed limitations, alone and in combination, do not amount to significantly more than the judicial exception.

5. Regarding Claims 5, 10, and 15, the additional limitations of “search each of the data flow diagrams corresponding to each of the determined test scenarios, and determine the relationship between the corresponding data flow diagrams and the analysis rule based on information retrieved from each of the data flow diagrams” merely indicates the searching of specific information within the data flow diagrams which is a mental evaluation that is being performed by the human. Therefore, the claimed limitations, alone and in combination, do not amount to significantly more than the judicial exception.

Claim Rejections - 35 USC § 112

The following is a quotation of the first paragraph of 35 U.S.C. 112(a): (a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112: The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 2 – 5, 7 – 10, and 12 – 15 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, as failing to comply with the enablement requirement.

6. Claims 2, 7, and 12 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, because the specification, while being enabling for constructing or determining a data flow diagram associated with each test scenario, does not reasonably provide enablement for same data flow diagram being constructed for each test scenario as claimed. The specification does not enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the invention commensurate in scope with these claims. The claim limitation of “the data flow diagram is constructed for each test scenario of the computer system” is not supported within the Applicant’s specification [See PGPub. 2024/0419807; Fig. 4; Para. 0042-52]. The Office will interpret the limitation as multiple data flow diagrams constructed for multiple test scenarios; many to many relationship.

7. Regarding Claims 3 – 5, 8 – 10, and 13 – 15, the claims are rejected based on their dependency on Claims 2, 7, and 12 and under the same rationale.

Claim Rejections - 35 USC § 102

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action: A person shall be entitled to a patent unless – (a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

Claim(s) 1 – 15 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by PGPub. 2019/0132351 (hereinafter “Linde”).

8. Regarding Claims 1, 6, and 11, Linde discloses of a security analysis apparatus [Fig. 11; Para. 0100] comprising: at least one memory storing instructions [Fig. 11; Para. 0102-103]; and at least one processor configured to execute the instructions (Claim 11) [Fig. 11; Para. 0102-103] to: search for information described in a data flow diagram and a computer system to be analyzed, using a search query corresponding to an analysis rule for use in analysis [Figs. 4-6; Para. 0027, 0039, 0069-79, 0090, 0096], and determining a relationship between the data flow diagram and the analysis rule based on retrieved information [Figs. 4-6; Para. 0027, 0039, 0069-79, 0090, 0096]

9. Regarding Claims 2, 7, and 12, Linde discloses the limitations of Claims 1, 6, and 11. Linde further discloses that the data flow diagram is constructed for each test scenario of the computer system, attribute information for each of the test scenarios is added to the data flow diagram constructed for each of the test scenarios, and the analysis rule has an attribute added thereto [Figs. 4-6, 10B; Para. 0027, 0039, 0069-79, 0090, 0096; user modifications of data flows for compliance to security rules], and further at least one processor configured to execute the instructions to: comparing the attribute added to the analysis rule for use in analysis with the attribute information for each of the test scenarios; determining the test scenarios to be analyzed; and searching the data flow diagrams corresponding to the determined test scenarios using the search query [Figs. 4-6; Para. 0027, 0039, 0069-79, 0090, 0096].

10. Regarding Claims 3, 8, and 13, Linde discloses the limitations of Claims 2, 7, and 12. Linde further discloses of cross-search[ing] the data flow diagrams corresponding to the determined test scenarios using the search query [Para. 0050, 0071; cross solution data flow analysis].

11. Regarding Claims 4, 9, and 14, Linde discloses the limitations of Claims 2, 7, and 12. Linde further discloses of group[ing] the determined test scenarios based on the attribute added to the analysis rule for use in analysis, search[ing] the corresponding data flow graphs, per group, with the search query, compar[ing] search results of the groups, and determine the relationship between the corresponding data flow diagrams and the analysis rule [Fig. 5; Para. 0069-79]

12. Regarding Claims 5, 10, and 15, Linde discloses the limitations of Claims 2, 7, and 12. Linde further discloses of search[ing] each of the data flow diagrams corresponding to each of the determined test scenarios [Fig. 5; Para. 0069-79], and determin[ing] the relationship between the corresponding data flow diagrams and the analysis rule based on information retrieved from each of the data flow diagrams [Fig. 5; Para. 0069-79].

Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. PGPub. 2021/0266333; PGPub. 2022/0329618; PGPub. 2022/0337619.

Contacts

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Tae K. Kim, whose telephone number is (571) 270-1979. The examiner can normally be reached on Monday - Friday (10:00 AM - 6:30 PM EST). If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Jorge Ortiz-Criado, can be reached on (571) 272-7624. The fax phone number for submitting all Official communications is (703) 872-9306. The fax phone number for submitting informal communications such as drafts, proposed amendments, etc., may be faxed directly to the examiner at (571) 270-2979.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at (866) 217-9197 (toll-free).

/TAE K KIM/
Primary Examiner, Art Unit 2496

Prosecution Timeline

Apr 19, 2024: Application Filed
Jan 29, 2026: Non-Final Rejection mailed — §101, §102, §112
Mar 17, 2026: Interview Requested
Mar 31, 2026: Examiner Interview Summary
Mar 31, 2026: Applicant Interview (Telephonic)
Apr 22, 2026: Response Filed

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12641108
SYSTEMS AND METHODS FOR MITIGATING RISKS OF THIRD-PARTY COMPUTING SYSTEM FUNCTIONALITY INTEGRATION INTO A FIRST-PARTY COMPUTING SYSTEM
2y 9m to grant Granted May 26, 2026
Patent 12634139
Blockchain-Based Traceability System and Method
3y 1m to grant Granted May 19, 2026
Patent 12627638
STORAGE DEVICE, STORAGE SYSTEM, AND METHOD OF SECURE DATA MOVEMENT BETWEEN STORAGE DEVICES
5y 0m to grant Granted May 12, 2026
Patent 12619709
BLOCKCHAIN-BASED METHOD AND SYSTEM FOR SECURING A NETWORK OF VIRTUAL WIRELESS BASE STATIONS
4y 2m to grant Granted May 05, 2026
Patent 12613985
MULTI-SILOED DATABASE
2y 12m to grant Granted Apr 28, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Prosecution Projections

Expected OA Rounds: 1-2
Grant Probability: 74%
With Interview (+5.3%): 80%
Median Time to Grant: 3y 6m (~1y 5m remaining)
PTA Risk: Low
Based on 658 resolved cases by this examiner. Grant probability derived from career allowance rate.
