DETAILED ACTION
Claim Status
This is the first office action on the merits, in response to the application filed on 7/3/2024.
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 1-8 are currently pending and have been examined.
Information Disclosure Statement
The information disclosure statement(s) (IDS) submitted on 7/3/2024 is(are) in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.
Claim Objections
Claims 1-8 are objected to because of the following informalities:
In claim 1, line 2; and claims 7-8, corresponding lines, “comprising;” should read --comprising:--.
Claims 2-6 are further objected due to their dependency.
Appropriate correction is required.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1-8 are rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea) without significantly more.
Under Step 1 of the Section 101 analysis, Claims 1-7 are drawn to a system, which is within the four statutory categories (i.e., a machine), and Claim 8 is drawn to a method, which is within the four statutory categories (i.e., a process).
Since the claims are directed toward statutory categories, it must be determined if the claims are directed towards a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea). Based on consideration of all of the relevant factors with respect to the claim as a whole, claims 1-8 are determined to be directed to an abstract idea. The rationale for this determination is explained below:
Regarding Claims 1 and 7-8:
Claims 1 and 7-8 are drawn to an abstract idea without significantly more. The claims recite “obtain the alerts from the security appliance, each of the security alerts identifying a network address of a device in the terminal devices, the device being a subject of each of the security alerts; specify relation between a mail address used in each of the terminal devices and a network address of each of the terminal devices based on data of Deep Packet Inspection or packet capturing of a communication path between the mail server and the terminal devices or data obtained from a request of authentication from a terminal device in the terminal devices to the mail server; obtain a mail address used in the device being a subject of each of the security alerts based on the specified relation; obtain department information for identifying a department of the organization by specifying department information associated with the obtained mail address based on organization information, the department having the device, the organization information including department information and mail addresses used in the department; analyze occurrence tendency of the security alerts for the department; and visualize a result of the occurrence tendency.”
Under Step 2A Prong One, the limitations quoted above are processes that, under their broadest reasonable interpretation, cover Certain Methods Of Organizing Human Activity such as fundamental economic principles or practices (including hedging, insurance, mitigating risk). For example, but for the “security appliance”, “network address”, “device”, “mail address”, “terminal devices”, “Deep Packet Inspection”, “packet capturing”, “communication path”, and “mail server” language, the quoted limitations in the context of this claim encompass the human activity. The series of steps belongs to typical risk mitigation, because data or information such as a mail address or network address is processed for alerts of suspicious events.
Under Step 2A Prong Two, this judicial exception is not integrated into a practical application. In particular, the claim only recites additional elements – “A network system for improving computer security of an organization comprising; a security analysis assistance apparatus; a mail server; terminal devices; a communication network connecting the mail server, the terminal devices, and the security analysis assistance apparatus, a security appliance configured to output security alerts of suspicious events occurred in the network system; wherein the security analysis assistance apparatus includes: a memory configured to store instructions; and a processor configured to execute the instructions to:”, “A security device for improving computer security of an organization that has terminal devices connecting with a mail server and a security appliance which outputs security alerts of suspicious events occurred in the organization via a communication network , comprising; a memory configured to store instructions; and a processor configured to execute the instructions to”, “A method for improving computer security of an organization that has terminal devices connecting with a mail server and a security appliance which outputs security alerts of suspicious events occurred in the organization via a communication network , comprising;”, “security appliance”, “network address”, “device”, “mail address”, “terminal devices”, “Deep Packet Inspection”, “packet capturing”, “communication path”, and “mail server”. The additional elements are recited at a high level of generality (i.e., performing generic functions of an interaction) such that they amount to no more than mere instructions to apply the exception using a generic computer component, merely implementing an abstract idea on a computer, or merely using a computer as a tool to perform an abstract idea.
Additionally, regarding the specification and claims, there is no improvement in the functioning of a computer or an improvement to other technology or technical field present, there is no applying or using the judicial exception to effect a particular treatment or prophylaxis for a disease or medical condition present, there is no implementing the judicial exception with or using the judicial exception in conjunction with a particular machine or manufacture that is integral to the claim present, there is no effecting a transformation or reduction of a particular article to a different state or thing present, and there is no applying or using the judicial exception in some other meaningful way beyond generally linking the use of the judicial exception to a particular technological environment present such that the claim as a whole is more than a drafting effort designed to monopolize the exception. Accordingly, these additional elements, individually or in combination, do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea. The claims are directed to an abstract idea.
Under Step 2B, the claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional elements in the process amount to no more than mere instructions to apply the exception using generic computer components. Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept. The claims are not patent eligible.
Regarding Claims 2-6:
Dependent claim 4 only further elaborates the abstract idea and does not recite additional elements.
Dependent claims 2-3 and 5-6 include additional limitations, for example, “processor” (Claim 2); “processor” (Claim 3); “processor” and “device” (Claim 5); and “processor” (Claim 6), but none of these limitations are deemed significantly more than the abstract idea because, as stated above, they require no more than generic computer structures or signals to be executed, and do not recite any improvements to the functioning of a computer, or improvements to any other technology or technical field.
Thus, taken alone, the additional elements do not amount to significantly more than the above-identified judicial exception (the abstract idea). Furthermore, looking at the limitations as an ordered combination adds nothing that is not already present when looking at the elements taken individually. There is no indication that the combination of elements improves the functioning of a computer or improves any other technology, and their collective functions merely provide conventional computer implementation or implementing the judicial exception on a generic computer.
Therefore, whether taken individually or as an ordered combination, claims 2-6 are nonetheless rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter.
Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.
(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.
Claims 1-8 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Zorlular (US 20180183827 A1).
Regarding Claims 1 and 7-8, Zorlular teaches a network system for improving computer security of an organization comprising; a security analysis assistance apparatus; a mail server; terminal devices; a communication network connecting the mail server, the terminal devices, and the security analysis assistance apparatus, a security appliance configured to output security alerts of suspicious events occurred in the network system; wherein the security analysis assistance apparatus includes: a memory configured to store instructions; and a processor configured to execute the instructions to (Zorlular: Paragraphs 0019, 0010-0012, 0022, 0038); a security device for improving computer security of an organization that has terminal devices connecting with a mail server and a security appliance which outputs security alerts of suspicious events occurred in the organization via a communication network , comprising; a memory configured to store instructions; and a processor configured to execute the instructions to (Zorlular: Paragraphs 0019, 0010-0012, 0022, 0038); and a method for improving computer security of an organization that has terminal devices connecting with a mail server and a security appliance which outputs security alerts of suspicious events occurred in the organization via a communication network , comprising (Zorlular: Paragraphs 0019, 0010-0012, 0022, 0038);
obtain the alerts from the security appliance, each of the security alerts identifying a network address of a device in the terminal devices, the device being a subject of each of the security alerts (Zorlular: Paragraphs 0023, 0080, 0067 teach: Upon processing these indicators, the warning system may determine that an event, namely an email being sent, had occurred, and may assign various attributes and properties to the event, such as, for example, the time and date of the occurrence of the event, and the users, IP addresses, computers, servers or other actors involved);
specify relation between a mail address used in each of the terminal devices and a network address of each of the terminal devices based on data of Deep Packet Inspection or packet capturing of a communication path between the mail server and the terminal devices or data obtained from a request of authentication from a terminal device in the terminal devices to the mail server (Zorlular: Paragraphs 0080-0081, 0102, 0105 teach: the warning system accesses indicators of a potential cyber attack related to the resource. Examples of such indicators include proxy logs, email logs, data loss prevention logs, application firewall logs, etc.; the warning system may extract various features, such as IP addresses, ports, signatures, packet headers and other characteristics, from past alerts that were determined by an analyst to be related to a cyber attack on a resource, or that were determined by an analyst not to be related to such an attack; indicators from an email server may be matched against a set of rules to determine indicators related to emails that were sent to a recipient inside the organization and that appear to be social engineering attacks against an employee of the organization);
obtain a mail address used in the device being a subject of each of the security alerts based on the specified relation (Zorlular: Paragraphs 0023, 0025, 0060-0062 teach: Upon processing these indicators, the warning system may determine that an event, namely an email being sent, had occurred, and may assign various attributes and properties to the event, such as, for example, the time and date of the occurrence of the event, and the users, IP addresses, computers, servers or other actors involved. An event may or may not be indicative of any risk to a resource);
obtain department information for identifying a department of the organization by specifying department information associated with the obtained mail address based on organization information, the department having the device, the organization information including department information and mail addresses used in the department (Zorlular: Paragraphs 0025, 0060 teach: an analyst reviewing whether a certain user's act of e-mailing confidential documents to the user's private email account represents activity related to a cyber attack against a resource may make better decisions when presented with information regarding prior, similar activity by the user, the user's department or the user's organization);
analyze occurrence tendency of the security alerts for the department (Zorlular: Paragraphs 0022, 0061 teach: the indicators may be dynamically re-grouped and/or filtered in an interactive user interface so as to enable an analyst to quickly navigate among information associated with various alerts and efficiently evaluate the groups of alerts in the context of, for example, an audit for data breach or other activity related to a cyber attack against a resource);
and visualize a result of the occurrence tendency (Zorlular: Paragraph 0100 teaches: The alert and event graph displays a graphical representation of alerts and events for the resource; displays alerts and events based on their occurrence in time and their risk score).
Regarding Claim 2, Zorlular teaches all the limitations of claim 1 above; and Zorlular further teaches wherein the processor is configured to execute the instructions to analyze the occurrence tendency of the security alerts for each department of each hierarchy in hierarchical configuration of the organization, and visualize the occurrence tendency of the security alerts in aspect of the hierarchical configuration (Zorlular: Figs. 5-7; Paragraph(s) 0096-0098, 0105, 0025, 0100 teach(es) Referring to FIG. 5, example user interface illustrates a network overview provided by the warning system to an analyst to allow the analyst to review the risk level of all resources on the network that are being monitored by the warning system).
Regarding Claim 3, Zorlular teaches all the limitations of claim 1 above; and Zorlular further teaches wherein the processor is configured to execute the instructions to visualize the occurrence tendency of the security alerts in aspect where occurrence rates of the security alerts are visualized (Zorlular: Figs. 5-7; Paragraph(s) 0096-0098, 0105, 0025, 0100, as stated above with respect to claim 2).
Regarding Claim 4, Zorlular teaches all the limitations of claim 1 above; and Zorlular further teaches wherein the occurrence rates are categorized into a plurality of classes (Zorlular: Paragraph(s) 0087 teach(es) The alerts may dynamically be grouped and filtered, for example according to different alert types).
Regarding Claim 5, Zorlular teaches all the limitations of claim 1 above; and Zorlular further teaches wherein the processor is configured to execute the instructions to visualize the occurrence tendency in aspect where a class of an upper department of a device with the highest class is the highest (Zorlular: Paragraph(s) 0087 teach(es) the alerts may be sorted by the risk score, for example so as to show the alerts starting with the highest risk score).
Regarding Claim 6, Zorlular teaches all the limitations of claim 1 above; and Zorlular further teaches wherein the processor is configured to execute the instructions to visualize the occurrence tendency in aspect where occurrence tendency visualized for each higher-level department is switched to occurrence tendency visualized a lower-level department according to an operation (Zorlular: Paragraph(s) 0100 teach(es) The show historical alerts toggle switch allows the analyst, by selecting and deselecting it, to determine whether or not historical alerts, that is, alerts that have already been responded to by an analyst, should be displayed in the alert and event graph. The show events toggle switch allows the analyst by enabling or disabling it to determine whether or not events should be displayed in the alert and event graph).
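The correlation pipeline recited in claim 1 (alert network address → mail address → department → per-department occurrence tendency, with the hierarchical roll-up of claim 2), worked through on constructed data as an added illustration; this is not the applicant's or Zorlular's code, and the authentication-log and organization-information formats are assumptions:

```python
"""Added illustration (not the applicant's or Zorlular's code): map each alert's IP
to a mail address, the mail address to a department, then tally per department.
All data below is constructed; the auth-log and org-info formats are assumed."""
from collections import Counter
from datetime import datetime

# Constructed mail-server authentication log: (timestamp, client IP, mail address).
# Stands in for the DPI / packet-capture / auth-request data the claim describes.
AUTH_LOG = [
    ("2024-07-03T08:00:00", "10.0.1.15", "alice@example.org"),
    ("2024-07-03T08:05:00", "10.0.1.22", "bob@example.org"),
    ("2024-07-03T12:00:00", "10.0.1.15", "carol@example.org"),  # DHCP lease reassigned
]

# Constructed organization information: mail address -> department path (top-down).
ORG_INFO = {
    "alice@example.org": ("Sales", "EMEA"),
    "bob@example.org": ("Engineering", "Platform"),
    "carol@example.org": ("Sales", "APAC"),
}

# Constructed security-appliance alerts: (timestamp, subject IP, alert type).
ALERTS = [
    ("2024-07-03T09:30:00", "10.0.1.15", "phishing-link-click"),
    ("2024-07-03T10:10:00", "10.0.1.22", "malware-download"),
    ("2024-07-03T13:00:00", "10.0.1.15", "phishing-link-click"),
    ("2024-07-03T14:00:00", "10.0.1.99", "port-scan"),  # IP never authenticated
]


def mail_for(ip, at, auth_log=AUTH_LOG):
    """Mail address most recently authenticated from `ip` at or before time `at`.
    Taking the latest earlier record keeps the relation correct when an address is
    reassigned during the day. Returns None when no record exists."""
    when = datetime.fromisoformat(at)
    hits = [(datetime.fromisoformat(t), m) for t, a, m in auth_log
            if a == ip and datetime.fromisoformat(t) <= when]
    return max(hits)[1] if hits else None


def department_counts(alerts=ALERTS, org=ORG_INFO):
    """Occurrence tendency per department, rolled up through the hierarchy:
    an alert in Sales/EMEA counts for both 'Sales/EMEA' and 'Sales'."""
    counts = Counter()
    for t, ip, _kind in alerts:
        mail = mail_for(ip, t)
        path = org.get(mail) if mail else None
        if path is None:
            counts["(unresolved)"] += 1  # keep the alert visible rather than dropping it
            continue
        for depth in range(1, len(path) + 1):
            counts["/".join(path[:depth])] += 1
    return dict(counts)


def render(counts):
    """Plain-text visualization of the tendency, highest count first."""
    rows = sorted(counts.items(), key=lambda kv: -kv[1])
    return "\n".join(f"{d:<24}{'#' * n} {n}" for d, n in rows)


if __name__ == "__main__":
    print(render(department_counts()))
```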
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Paine (US 20180255080 A1) teaches System And Method For Cyber Security Threat Detection, including alerts and the division/department/business unit inside the organization/company.
Kraning (US 20180337941 A1) teaches Correlation-Driven Threat Assessment And Remediation.
Siadati (US 20180124082 A1) teaches Classifying Logins, For Example As Benign Or Malicious Logins, In Private Networks Such As Enterprise Networks For Example, including alert, department, organization, and visualization.
Qureshi (EP 3499839 B1) teaches Mobile Device Management And Security.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CLAY LEE whose telephone number is (571)272-3309. The examiner can normally be reached Monday-Friday 8-5pm EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Neha Patel can be reached at (571)270-1492. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/CLAY C LEE/Primary Examiner, Art Unit 3699