TECHNIQUES FOR MAPPING SECURITY CONTROLS TO CYBER THREATS

§101 §103 §DP

Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Detailed Action Office Action is in response to the instant Application 18/930,026 filed on 10/29/2024. Claims 1-19 are pending. This Office Action is Non-Final. Information Disclosure Statement The information disclosure statement (IDS), submitted on 10/29/2024 and 7/17/2025, is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner. Claim Rejections - 35 USC § 101 35 U.S.C. 101 reads as follows: Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title. Claims 1, 7, 10-11, 17 and 19 are rejected under 35 USC 101 as being directed to an abstract idea without being integrated into a practical application or being significantly more. Regarding claim 1, the claim recites the limitations “defining a plurality if security control capability nodes …;” “defining a plurality of cyber threat …;” and “establishing a plurality of edges,” Broadly interpreted, the aforementioned steps are directed to mental processes as said steps could be performed in the human mind. Therefore, the claims recite an abstract idea. Said abstract idea and/or judicial exception is not integrated into a practical application as the claim does not recite any other active steps that could be considered that the abstract idea is being integrated into a practical application. It’s noted that the claim recites the operations ““creating a mapping…”. However, said operations are not sufficient to consider that the abstract idea is being interpreted into a practical application. Said operations are recited at a high level of generality in gathering/processing/storing information, which are a form of insignificant extra-solution activity. It’s also noted that the claims recite additional limitation/elements (i.e., system, processing circuitry, processor, memory, etc.,). However, said additional elements are recited at a high-level of generality (i.e., as a generic computing device performing a generic computer functions) such that it amounts no more than mere instructions to apply the exception or abstract idea using generic computer components. Accordingly, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea. The claims do not include additional elements/limitations/embodiments that are sufficient to amount to significantly more than the judicial exception because the additional elements when considered both individually and as an ordered combination do not amount to significantly more than the abstract idea. As mentioned above, although the claims recite additional elements, said elements taken individually or as a combination, do not result in the claim amounting to significantly more than the abstract idea because as the additional elements perform generic computer content distributing functions routinely used in information technology field. As discussed above, the additional elements recited at a high-level of generality such that they amount no more than mere instructions to apply the exception using a generic computer component. Therefore, the claim is directed to non-statutory subject matter. Regarding claims 7, 9, 17 and 19, claims 7, 9, 17 and 19 are also rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter for the same reasons addressed above as the claims recite an abstract idea and the claims do not positively recite any other operations that could be considered as the abstract idea is being integrated into a practical application or significantly more. It’s noted that claim 7 and recites the limitations: “analyzing control capability data …”. Said steps are either directed to mental processes and/or in a form of insignificant extra-solution activities; The aforementioned steps are not sufficient to consider that the abstract idea is being integrated into a practical application or significantly more. Therefore, claims 7, 9, 17 and 19 are also rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter. Double Patenting The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969). A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). The filing of a terminal disclaimer by itself is not a complete reply to a nonstatutory double patenting (NSDP) rejection. A complete reply requires that the terminal disclaimer be accompanied by a reply requesting reconsideration of the prior Office action. Even where the NSDP rejection is provisional the reply must be complete. See MPEP § 804, subsection I.B.1. For a reply to a non-final Office action, see 37 CFR 1.111(a). For a reply to final Office action, see 37 CFR 1.113(c). A request for reconsideration while not provided for in 37 CFR 1.113(c) may be filed after final for consideration. See MPEP §§ 706.07(e) and 714.13. The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The actual filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/apply/applying-online/eterminal-disclaimer. Claims 1, 10 and 11 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1, 10 and 11 of U.S. Patent No. 12,184,687. Although the claims at issue are not identical, they are not patentably distinct from each other because all the limitations of claims 1, 10 and 11 of the instant Application, with regards to a mapping security for cyber threats system and limitations therein are being met and are anticipated by the limitations recited in 1, 10 and 11 of U.S. Patent No. 12,184,687. Regarding claims 2-9 and 12-19; claims 2-9 and 12-19 are also rejected under Double Patenting for similar reasons respectively and are dependent on claims 1 and 11 and therefore inherit the rejection from issues of the independent claims. Claim Rejections - 35 USC § 103 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention. Claim(s) 1-4, 7, 9-14, 17 and 19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Crabtree et al (US 2023/0370439) in view of Ghosh et al. (US 2023/0171313). As per claim 1, Crabtree teaches a method for security control mapping, comprising: defining a plurality of security control capability nodes corresponding to a plurality of security control capabilities of a plurality of security controls; defining a plurality of cyber threat pattern nodes corresponding to a plurality of cyber threat patterns of a plurality of cyber threats (Crabtree, Paragraph 0091 recites “FIG. 30 is a flow diagram illustrating an exemplary method for using distributed sensor nodes to classify Internet traffic and identify risks, according to one aspect. When a sensor node 2901a-c is installed on a network 3010, it may be configured to have visibility into, and to monitor, Internet traffic at the network's edge 3020, such as web requests, access logins, port scans, ping or other ICMP requests, or other traffic. This monitored traffic may then be analyzed 3030 to identify traffic patterns as well as associate various traffic with domains or addresses from which it originated or through which it is flowing, such as proxy servers, relays, or VPN connections that may “hop” through various servers and networking nodes before reaching a destination, and to build records of observed events, event types, and patterns that may be stored for future use (for example, to perform new analysis using historical data, or for training of machine learning models using batches of logged traffic data as training input sets). This analyzed traffic information can then be relayed 3040 to other sensor nodes via the Internet 2900, so that multiple sensors' traffic data can be correlated to identify broader patterns and identify potential threats such as domains associated with suspicious or malicious traffic. For example, traffic across multiple locations can be analyzed to identify common domains or requests, which may indicate patterns of suspicious behavior that can be used to develop a “threat landscape” that can be employed to proactively identify risky traffic as it is observed by maintaining knowledge of identified risky traffic and its connections to various hosts, domains, and locations that are observed by sensors in the distributed network.”). But fails to teach establishing a plurality of edges, wherein the plurality of edges collectively represent a predetermined effectiveness of each security control capability of the plurality of security control capabilities for addressing at least one respective cyber threat pattern of the plurality of cyber threat patterns; creating a mapping including the plurality of security control capability nodes connected at least via the plurality of edges to the plurality of cyber threat pattern nodes. However, in an analogous art Ghosh teaches establishing a plurality of edges, wherein the plurality of edges collectively represent a predetermined effectiveness of each security control capability of the plurality of security control capabilities for addressing at least one respective cyber threat pattern of the plurality of cyber threat patterns (Ghosh, Paragraphs 0037-0038 recites “In some embodiments, the method 200 begins at operation 202, where the processor analyzes a physical environment. In some embodiments, one or more portions of the physical environment may have an edge computing resource requirement (e.g., based on contextual/situational need). In some embodiments the edge computing resource requirement may be based on a determining/identifying that current edge computing resources in a portion are losing computing effectiveness/power/resiliency/etc. In some embodiments, the method 200 may proceed to decision block 204, where the processor determines, based on the analyzing from operation 202, if one or more additional edge computing resources are to be placed in a surrounding area associated with the one or more portions of the physical environment.”); creating a mapping including the plurality of security control capability nodes connected at least via the plurality of edges to the plurality of cyber threat pattern nodes (Ghosh, Paragraph 0040 recites “If, at decision block 204, it is determined that additional edge computing resources are needed, the method 200 may proceed to operation 206, where the processor automatically situates the one or more additional edge computing resources on a material handling device in the surrounding area and that is directed toward the one or more portions of the physical environment (e.g., situates a resource on a conveyor belt that is headed toward the portion needing additional resources). In some embodiments, after operation 206, the method 200 may end.”). It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Ghosh’s context aware edge computing with Crabtree’s policy - aware vulnerability mapping and attack planning because it offers the advantage of having the proper resources needed to have effective edge computing. As per claim 2, Crabtree in combination with Ghosh teaches the method of claim 1, Crabtree further teaches performing at least one remediation action based on the mapping (Crabtree, Paragraph 0091 recites “This traffic and threat data can then be exported 3050 for use by other systems or networks, for example for use in signal filtering at an edge server as described below in FIG. 31, or for incorporation into processing by an ACDP 100 for use in enhancing security policies or enforcing privilege assurance, as described in detail below.”). As per claim 3, Crabtree in combination with Ghosh teaches the method of claim 2, Crabtree further teaches wherein the plurality of cyber threats is a plurality of first cyber threats, wherein performing the at least one remediation action further comprises: determining at least one cyber threat pattern of a second cyber threat; and determining at least one control capability for mitigating the second cyber threat based on the determined at least one cyber threat pattern threat and the mapping, wherein the at least one remediation action is determined based further on the determined at least one control capability for mitigating the second cyber threat (Crabtree, Paragraph 0091 recites “This analyzed traffic information can then be relayed 3040 to other sensor nodes via the Internet 2900, so that multiple sensors' traffic data can be correlated to identify broader patterns and identify potential threats such as domains associated with suspicious or malicious traffic. For example, traffic across multiple locations can be analyzed to identify common domains or requests, which may indicate patterns of suspicious behavior that can be used to develop a “threat landscape” that can be employed to proactively identify risky traffic as it is observed by maintaining knowledge of identified risky traffic and its connections to various hosts, domains, and locations that are observed by sensors in the distributed network. This traffic and threat data can then be exported 3050 for use by other systems or networks, for example for use in signal filtering at an edge server as described below in FIG. 31, or for incorporation into processing by an ACDP 100 for use in enhancing security policies or enforcing privilege assurance, as described in detail below.” By identifying of broader patterns would read on second patterns, which are used for a threat landscape.). As per claim 4, Crabtree in combination with Ghosh teaches the method of claim 2, Crabtree further teaches wherein performing the remediation actions includes reconfiguring at least one of the plurality of security controls (Crabtree, Paragraph 0091 recites “This traffic and threat data can then be exported 3050 for use by other systems or networks, for example for use in signal filtering at an edge server as described below in FIG. 31, or for incorporation into processing by an ACDP 100 for use in enhancing security policies or enforcing privilege assurance, as described in detail below.”). As per claim 7, Crabtree in combination with Ghosh teaches the method of claim 1, Crabtree further teaches analyzing control capability data of the plurality of security controls by at least applying capability identification rules defining aspects of code which are indicative of control capabilities, wherein the plurality of security control capability nodes is defined based on the analysis of the control capability data (Crabtree, Paragraph 0091 recites “This monitored traffic may then be analyzed 3030 to identify traffic patterns as well as associate various traffic with domains or addresses from which it originated or through which it is flowing, such as proxy servers, relays, or VPN connections that may “hop” through various servers and networking nodes before reaching a destination, and to build records of observed events, event types, and patterns that may be stored for future use (for example, to perform new analysis using historical data, or for training of machine learning models using batches of logged traffic data as training input sets). This analyzed traffic information can then be relayed 3040 to other sensor nodes via the Internet 2900, so that multiple sensors' traffic data can be correlated to identify broader patterns and identify potential threats such as domains associated with suspicious or malicious traffic. For example, traffic across multiple locations can be analyzed to identify common domains or requests, which may indicate patterns of suspicious behavior that can be used to develop a “threat landscape” that can be employed to proactively identify risky traffic as it is observed by maintaining knowledge of identified risky traffic and its connections to various hosts, domains, and locations that are observed by sensors in the distributed network.”). As per claim 9, Crabtree in combination with Ghosh teaches the method of claim 1, Crabtree further teaches wherein each security control is a cybersecurity tool (Crabtree, Paragraph 0150 recites “Behavioral analysis engine 819 may batch process and aggregate overall usage logs, access logs, KERBEROS session data, SAML session sata, or data collected through the use of other network monitoring tools commonly used in the art such as BRO or SURICATA.”). Regarding claims 10 and 11, claims 10 and 11 are directed to a non-transitory readable medium and a system associated with the method of claim 1. Claims 10 and 11 are of similar scope to claim 1, and are therefore rejected under similar rationale. Regarding claim 12, claim 12 is directed to a similar system associated with the method of claim 2 respectively. Claim 12 is similar in scope to claim 2, respectively, and are therefore rejected under similar rationale. Regarding claim 13, claim 13 is directed to a similar system associated with the method of claim 3 respectively. Claim 13 is similar in scope to claim 3, respectively, and are therefore rejected under similar rationale. Regarding claim 14, claim 14 is directed to a similar system associated with the method of claim 4 respectively. Claim 14 is similar in scope to claim 4, respectively, and are therefore rejected under similar rationale. Regarding claim 17, claim 17 is directed to a similar system associated with the method of claim 7 respectively. Claim 17 is similar in scope to claim 7, respectively, and are therefore rejected under similar rationale. Regarding claim 19, claim 19 is directed to a similar system associated with the method of claim 9 respectively. Claim 19 is similar in scope to claim 9, respectively, and are therefore rejected under similar rationale. Claim(s) 5 and 15 is/are rejected under 35 U.S.C. 103 as being unpatentable over Crabtree et al (US 2023/0370439) and Ghosh et al. (US 2023/0171313) and in further view of Martin et al. (US 2021/0026960). As per claim 5, Crabtree in combination with Ghosh teaches the method of claim 2, but fails to teach deduplicating instances of asset-identifying data generated by the plurality of security controls, wherein deduplicating the instances includes uniquely identifying each of the instances as corresponding to a respective protected computing asset by correlating between sets of the asset-identifying data output by respective security controls of the plurality of security controls based on the mapping; identifying at least one security control gap based on the deduplicated instances, wherein the at least one remediation action is determined based further on the identified at least one security control gap. However, in an analogous art Martin teaches deduplicating instances of asset-identifying data generated by the plurality of security controls, wherein deduplicating the instances includes uniquely identifying each of the instances as corresponding to a respective protected computing asset by correlating between sets of the asset-identifying data output by respective security controls of the plurality of security controls based on the mapping; identifying at least one security control gap based on the deduplicated instances, wherein the at least one remediation action is determined based further on the identified at least one security control gap (Martin, Paragraph 0032 recites “Once a virus is detected, the virus detection software 134 is configured to perform one or more corrective actions (e.g., alert system administration of an attack, stop data deduplication, remove the virus from the data stream before it is delivered to other data storage blocks, perform data replicas to a secondary set of data storage blocks and backup targets, and apply restore procedures to perform recovery and remediation processes after an incident)”. It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Martin’s Virus detection & mitigation of storage arrays with Crabtree’s policy - aware vulnerability mapping and attack planning because it offers the advantage of protecting against the spread of an attack through a network. Regarding claim 15, claim 15 is directed to a similar system associated with the method of claim 5 respectively. Claim 15 is similar in scope to claim 5, respectively, and are therefore rejected under similar rationale. Claim(s) 6 and 16 is/are rejected under 35 U.S.C. 103 as being unpatentable over Crabtree et al (US 2023/0370439) and Ghosh et al. (US 2023/0171313) and in further view of DeNovo et al. (US 2008/0282320). As per claim 6, Crabtree in combination with Ghosh teaches the method of claim 2, but fails to teach identifying at least one security control gap based on the mapping, wherein identifying the at least one security control gap further includes determining a path of exploitation between a respective computing asset and at least one of the plurality of security controls, wherein the at least one remediation action is determined based further on the identified at least one security control gap. However, in an analogous art DeNovo teaches identifying at least one security control gap based on the mapping, wherein identifying the at least one security control gap further includes determining a path of exploitation between a respective computing asset and at least one of the plurality of security controls, wherein the at least one remediation action is determined based further on the identified at least one security control gap (DeNovo, Paragraph 0007 recites “The apparatus further includes a information risk assessment plan formed from the request for the information risk assessment, a set of information assessment templates and test cases formed from the information risk assessment plan, a set of information risk assessment tests conducted on the IT system using the assessment templates and test cases, a set of test results generated by the risk assessment tests, one or more security control gaps identified by the assessment responses and one or more gap remediation plans formed from the identified security gaps.”). It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use DeNovo’s Security Compliance Methodology And Tool with Crabtree’s policy - aware vulnerability mapping and attack planning because it offers the advantage of more accurate risk assessment. Regarding claim 16, claim 16 is directed to a similar system associated with the method of claim 6 respectively. Claim 16 is similar in scope to claim 6, respectively, and are therefore rejected under similar rationale. Claim(s) 8 and 18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Crabtree et al (US 2023/0370439) and Ghosh et al. (US 2023/0171313) and in further view of Summers et al. (US 2022/0366045). As per claim 8, Crabtree in combination with Ghosh teaches the method of claim 1, but fails to teach integrating with the plurality of security controls, wherein integrating with the plurality of security controls further comprises deploying an artifact in a computing environment, wherein the artifact is configured to record a plurality of activities performed in the computing environment by the plurality of security controls, wherein the mapping is created based further on the recorded plurality of activities. However, in an analogous art Summers teaches integrating with the plurality of security controls, wherein integrating with the plurality of security controls further comprises deploying an artifact in a computing environment, wherein the artifact is configured to record a plurality of activities performed in the computing environment by the plurality of security controls, wherein the mapping is created based further on the recorded plurality of activities (Summers, Paragraph 0033 recites “The software distribution point 120 may comprise deployment management application(s) installed and running on a host computing device that may include one or ore processors 124, a communication interface 122 to facilitate communication via the network 105, and memory 126 storing one or more artifacts associated with software deployed within an enterprise computing network, such as the computing environment 100. The SDP 120 may be used to deliver content to a plurality of client computing devices (e.g., the host computing devices 180) via the network.”). It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Summers’ Known-Deployed File Metadata Repository And Analysis Engine with Crabtree’s policy - aware vulnerability mapping and attack planning because it offers the advantage of providing effective solutions that address problems associated with identification and deployment of files that are known to be approved and centrally deployed within that environment. Regarding claim 18, claim 18 is directed to a similar system associated with the method of claim 8 respectively. Claim 18 is similar in scope to claim 8, respectively, and are therefore rejected under similar rationale. Conclusion Any inquiry concerning this communication or earlier communications from the examiner should be directed to RODERICK TOLENTINO whose telephone number is (571)272-2661. The examiner can normally be reached Mon- Fri 8am-4pm. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on 571-270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. RODERICK . TOLENTINO Examiner Art Unit 2439 /RODERICK TOLENTINO/Primary Examiner, Art Unit 2439