Prosecution Insights
Last updated: April 18, 2026
Application No. 18/947,566

METHOD FOR EMULATING A KNOWN ATTACK ON A TARGET COMPUTER NETWORK

Non-Final OA §101 §103 §112 §DP
Filed: Nov 14, 2024
Examiner: AHMED, MAHABUB S
Art Unit: 2434
Tech Center: 2400 — Computer Networks
Assignee: AttackIQ, Inc.
OA Round: 1 (Non-Final)
Grant Probability: 86% (Favorable)
OA Rounds: 1-2
To Grant: 2y 7m
With Interview: 93%

Examiner Intelligence

Grants 86% — above average
Career Allow Rate: 86% (247 granted / 289 resolved; +27.5% vs TC avg)
Interview Lift: +7.8% (Moderate +8% lift; resolved cases with interview)
Typical timeline: 2y 7m Avg Prosecution; 17 currently pending
Career history: 306 Total Applications across all art units

Statute-Specific Performance

§101: 17.3% (-22.7% vs TC avg)
§103: 35.4% (-4.6% vs TC avg)
§102: 10.9% (-29.1% vs TC avg)
§112: 18.4% (-21.6% vs TC avg)
Tech Center average is an estimate; based on career data from 289 resolved cases

Office Action

§101 §103 §112 §DP
DETAILED ACTION

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. This office action is in response to communication filed on 11/14/2024.

Status of claims in the instant application: Claims 1-20 are pending.

Priority

This application is a CON of 18/529,968 filed on 12/05/2023 which is a CON of 18/087,360 filed on 12/22/2022 now PAT 11,876,829 which is a CON of 17/083,275 filed on 10/28/2020 now PAT 11,563,765 which claims benefit of 63/008,451 04/10/2020.

Drawings

Drawings filed on 11/14/2024 have been inspected, and it’s in compliance with MPEP 608.02.

Specification

Specification filed on 11/14/2024 has been inspected and it’s in compliance with MPEP 608.01.

Claim Objections

Claim 16 is objected to because of the following:

Claim 16: “The computer system of Claim 15, wherein the first asset configured to initiate transmission of the first data packet comprises the first asset configured to initiate transmission of the first data packet in response to receiving a second data packet in the set of data packets from the second asset”.

The bolded parts above are duplicates, and they need to be corrected. Examiner suggests amending the claim to fix the issue as below:

“The computer system of Claim 15, wherein [[the first asset configured to initiate transmission of the first data packet comprises]] the first asset configured to initiate transmission of the first data packet in response to receiving a second data packet in the set of data packets from the second asset”.

Appropriate correction is required.

Claim Interpretation

The following is a quotation of 35 U.S.C. 112(f):

(f) Element in Claim for a Combination.
– An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art. The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) is invoked.

As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f):

(A) the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function;

(B) the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and

(C) the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function.

Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f). The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function.

Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function.

Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.

This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) because the claim limitations use a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.
Such claim limitations are:

Claim 14: “A computer system for emulating a known attack on a computer network, the computer system: comprising a first asset external to a target computer network; and configured to: …”

Claim 15: “…The computer system of Claim 14, wherein the first asset is configured to initiate transmission”

Claim 16: “The computer system of Claim 15, wherein the first asset configured to initiate transmission of the first data packet comprises the first asset configured to initiate transmission of the first data packet in response to receiving a second data packet in the set of data packets from the second asset”

Claim 17: “The computer system of Claim 14, wherein the computer system is further configured to …”

Claim 18: “The computer system of Claim 14, wherein the computer system is further configured to …”

Because these claim limitations are being interpreted under 35 U.S.C. 112(f), they are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.

Examiner has investigated the disclosure (specification, drawing …) for the nonce term “first asset”. However, the disclosure does not clearly describe the structure of the “first asset”.

If applicant does not intend to have these limitations interpreted under 35 U.S.C. 112(f), applicant may: (1) amend the claim limitations to avoid them being interpreted under 35 U.S.C. 112(f) (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitations recite sufficient structure to perform the claimed function so as to avoid them being interpreted under 35 U.S.C. 112(f).

Claim Rejections - 35 USC § 112

The following is a quotation of 35 U.S.C. 112(b):

(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 14-18 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant regards as the invention.

Limitations of claims 14, 15 and 16, as noted above in the claim interpretation section, invokes 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. However, the written description fails to disclose the corresponding structure, material, or acts for performing the entire claimed function and to clearly link the structure, material, or acts to the function. Therefore, the claims 14-16 are indefinite and is rejected under 35 U.S.C. 112(b) or pre-AIA 35 U.S.C. 112, second paragraph.

Claims 17-18 are also rejected as their base claim has been rejected.

Applicant may:

(a) Amend the claim so that the claim limitation will no longer be interpreted as a limitation under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph;

(b) Amend the written description of the specification such that it expressly recites what structure, material, or acts perform the entire claimed function, without introducing any new matter (35 U.S.C. 132(a)); or

(c) Amend the written description of the specification such that it clearly links the structure, material, or acts disclosed therein to the function recited in the claim, without introducing any new matter (35 U.S.C. 132(a)).

If applicant is of the opinion that the written description of the specification already implicitly or inherently discloses the corresponding structure, material, or acts and clearly links them to the function so that one of ordinary skill in the art would recognize what structure, material, or acts perform the claimed function, applicant should clarify the record by either:

(a) Amending the written description of the specification such that it expressly recites the corresponding structure, material, or acts for performing the claimed function and clearly links or associates the structure, material, or acts to the claimed function, without introducing any new matter (35 U.S.C. 132(a)); or

(b) Stating on the record what the corresponding structure, material, or acts, which are implicitly or inherently set forth in the written description of the specification, perform the claimed function. For more information, see 37 CFR 1.75(d) and MPEP §§ 608.01(o) and 2181.

Appropriate corrections required.

The following is a quotation of the first paragraph of 35 U.S.C. 112(a):

(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112:

The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 14-18 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.

Limitations of claims 14, 15 and 16, as noted above in the claim interpretation section, invokes 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. However, the written description fails to disclose the corresponding structure, material, or acts for performing the entire claimed function and to clearly link the structure, material, or acts to the function. Therefore, claims 14-16 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.

Claims 17-18 are also rejected as their base claim has been rejected.

Appropriate corrections required.

Claim Rejections - 35 USC § 101

35 U.S.C. 101 reads as follows:

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1, 4, 7, 9-16, 19 are rejected under 35 U.S.C.
101 because the claimed invention is directed to a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea) without significantly more.

Claim 1 recites:

“A method comprising: accessing a set of data packets representing data transmitted between machines in communication with a second computer network during a malicious attack on the second computer network; selecting a set of assets as actors in an emulation of the malicious attack on a target computer network, the set of assets comprising: a first asset external to the target computer network; and a second asset within the target computer network; for each data packet in the set of data packets: assigning a transmission trigger in a set of transmission triggers to the data packet based on transmission of corresponding data during the malicious attack on the second computer network; assigning a recipient asset in the set of assets to receive the data packet; and assigning a source asset, in the set of assets, to transmit the data packet to the recipient asset according to the transmission trigger; and distributing the set of data packets and definitions of the set of transmission triggers for storage at the set of assets”.

Examiner interprets that claim 1 recites a series of steps to perform the recited functions. Hence it’s one of the 4 categories of patent eligible subject matter.

Examiner further investigates each of the limitations of the claim, and interprets the following limitation to be a mental process, “assigning a transmission trigger in a set of transmission triggers to the data packet based on transmission of corresponding data during the malicious attack on the second computer network”.

The highlighted claim limitations identified above is interpreted as identifying/indexing (assigning) a data packet with a tag/index (i.e. transmission trigger), where the data packets were collected during a malicious attack.
The each data packet can be a file that can be assigned a trigger/index that identifies the condition/cause of the transmission of the packet during the malicious attack. This process can be done as a mental process in human mind (with the help of pencil and paper).

The remaining limitations of “accessing a set of data packets …”, “selecting a set of assets…”, “assigning a recipient asset …”, and “assigning a source asset …” can be considered reading a data packet (i.e. a file), tagging/indexing source and destination in data communication. These can either be considered as additional mental steps or insignificant extra solution activities.

The action of data transmission (sending/receiving) and storing are considered as normal/ordinary activity of computer and computing network, and when recited in claim(s) are considered as extra-solution activity, that does not necessarily add any patentable weight to the claim.

Claim 1 does not recite any other limitation that can be considered to integrating the previously identified mental process into a practical application. Therefore claim 1 is rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea) without significantly more.

The dependent claims 4, 7 and 9-13 also recite limitations similar to that of claim 1, and hence similarly rejected as claim 1.

Claims 14-16 and 19 are also rejected for reasons similar to that of claims 1, 4-7, 9-13.

Appropriate corrections required.

Double Patenting

The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees.
A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).

A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA.

A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission.
For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.

Claims 1-3, 14, 19-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1, 3, 4, 16, 19-20 of U.S. Patent No. 12418559 B2. Although the claims at issue are not identical, they are not patentably distinct from each other because the claims of the instant application are just broader version of claims of the issued patent 12418559 that make the claims of the instant application obvious.

Instant Application:

1. A method comprising: accessing a set of data packets representing data transmitted between machines in communication with a second computer network during a malicious attack on the second computer network; selecting a set of assets as actors in an emulation of the malicious attack on a target computer network, the set of assets comprising: a first asset external to the target computer network; and a second asset within the target computer network; for each data packet in the set of data packets: assigning a transmission trigger in a set of transmission triggers to the data packet based on transmission of corresponding data during the malicious attack on the second computer network; assigning a recipient asset in the set of assets to receive the data packet; and assigning a source asset, in the set of assets, to transmit the data packet to the recipient asset according to the transmission trigger; and distributing the set of data packets and definitions of the set of transmission triggers for storage at the set of assets.

Reference Patent (US 12418559 B2):

1. A method comprising: accessing a set of data packets representing data transmitted between machines in communication with a reference computer network during a malicious attack on the reference computer network during a first time period; selecting a set of assets as actors in an emulation of the malicious attack, the set of assets comprising: a first internal asset within a target computer network; and a second external asset external to the target computer network; for each data packet in the set of data packets: assigning a behavior trigger, in a set of behavior triggers, to the data packet based on a corresponding behavior during the malicious attack on the reference computer network; assigning a recipient asset, in the set of assets, to receive the data packet; and assigning a source asset, in the set of assets, to transmit the data packet to the recipient asset according to the behavior trigger; and initiating transmission of the set of data packets from source assets to recipient assets, in the set of assets, according to the set of behavior triggers to emulate the malicious attack on the target network.

Instant Application:

2. The method of claim 1, further comprising: accessing a set of event records generated by a security technology responsive to transmission of the set of data packets from source assets to recipient assets according to the set of transmission triggers; and generating a prompt to reconfigure the security technology to detect the malicious attack at the target computer network in response to absence of an event record, in the set of event records, indicating the malicious attack.

Reference Patent (US 12418559 B2):

3. The method of claim 2, further comprising: serving the context file to a security technology deployed on the target computer network in response to termination of the emulation of the malicious attack on the target computer network; accessing a set of event records generated by the security technology responsive to the set of artifacts in the context file; and in response to absence of an event record in the set of event records indicating the malicious attack, generating a prompt to reconfigure the security technology to detect the malicious attack at the target computer network.

Instant Application:

3. The method of claim 1, further comprising: accessing a set of event records generated by a security technology during transmission of the set of data packets from source assets to recipient assets according to the set of transmission triggers; and confirming configuration of the security technology to respond to computer network attacks analogous to the malicious attack at the target computer network in response to presence of an event record, in the set of event records, indicating the malicious attack.

Reference Patent (US 12418559 B2):

4. The method of claim 2, further comprising: accessing a set of event records generated by a security technology, deployed on the target computer network, based on the set of artifacts in the context file; and in response to presence of an event record in the set of event records indicating the malicious attack, confirming configuration of the security technology to respond to the malicious attack.

Instant Application:

14. A computer system for emulating a known attack on a computer network, the computer system: comprising a first asset external to a target computer network; and configured to: access a set of data packets representing data transmitted between machines in communication with a second computer network during a malicious attack on the second computer network; select a set of assets as actors in an emulation of the malicious attack on the target computer network, the set of assets comprising: the first asset; and a second asset within the target computer network; for each data packet in the set of data packets: assign a transmission trigger in a set of transmission triggers to the data packet based on transmission of corresponding data during the malicious attack on the second computer network; assign a recipient asset in the set of assets to receive the data packet; and assign a source asset in the set of assets to transmit the data packet to the recipient asset according to the transmission trigger; upload the set of data packets for storage in local memory of the first asset; and distribute the set of data packets and definitions of the set of transmission triggers for storage in local memory of the second asset.

Reference Patent (US 12418559 B2):

16. A non-transitory computer-readable medium storing an executable file comprising instructions that, when executed by a processor of a first internal asset within a target computer network, cause the processor to: access a set of data packets from the executable file, the set of set of data packets representing data transmitted between machines in communication with a reference computer network during a malicious attack on the reference computer network, each data packet in the set of data packets: associated with a behavior trigger, in a set of behavior triggers, based on a corresponding behavior during the malicious attack on the reference computer network; defining a recipient asset, in a set of assets, to receive the data packet; and defining the source asset, in the set of assets, to transmit the data packet to the recipient asset according to the behavior trigger; store the set of data packets in local memory of the first internal asset, the set of data packets comprising a first data packet to which the first internal asset and a second external asset, in the set of assets and external to the target computer network, are assigned; initiate transmission of the first data packet from the first internal asset to the second external asset according to a first behavior trigger in the set of behavior triggers; and generate a context file specifying a set of artifacts representing indicators of the malicious attack responsive to: reception of data packets in the set of data packets at the first internal asset; and transmission of data packets in the set of data packets from the first internal asset.

Instant Application:

19. A method comprising: accessing a set of data packets representing data transmitted between machines in communication with a second computer network during a malicious attack on the second computer network; selecting a set of assets as actors in an emulation of the malicious attack on a target computer network, the set of assets comprising: a first asset external to the target computer network; and a second asset within the target computer network; for each data packet in the set of data packets: assigning a behavior trigger in a set of behavior triggers to the data packet based on a corresponding behavior during the malicious attack on the second computer network; assigning a recipient asset in the set of assets to receive the data packet; and assigning a source asset, in the set of assets, to transmit the data packet to the recipient asset according to the transmission trigger; and distributing the set of data packets and definitions of the set of behavior triggers for storage at the set of assets.

20. The method of claim 19, further comprising: accessing a log specifying a set of events during transmission of the set of data packets from source assets to recipient assets in the set of assets according to the set of behavior triggers; and in response to absence of an event in the set of events indicating preventing of transmission of first packet in the set of packets from the second asset to the first asset, generating a prompt to reconfigure the security technology to prevent network traffic analogous to the first data packet on the target computer network.

Reference Patent (US 12418559 B2):

19. A method comprising: accessing a set of data packets representing data transmitted between machines in communication with a reference computer network during a malicious attack on the reference computer network during a first time period; selecting a set of assets as actors in an emulation of the malicious attack on a target computer network, the set of assets comprising: a first internal asset within the target computer network; and a second external asset external to the target computer network; for each data packet in the set of data packets: assigning a behavior trigger, in a set of behavior triggers, to the data packet based on a corresponding behavior during the malicious attack on the reference computer network; assigning a recipient asset, in the set of assets, to receive the data packet; and assigning a source asset, in the set of assets, to transmit the data packet to the recipient asset according to the behavior trigger; generating an executable file: comprising the set of data packets; defining the set of behavior triggers; and configured to trigger the first internal asset to generate a context file specifying a first set of artifacts according to a first format, the first set of artifacts representing indicators of the malicious attack responsive to: reception of data packets in the set of data packets at the first internal asset; transmission of data packets in the set of data packets from the first internal asset; and execution of behaviors corresponding to behavior triggers in the set of behavior triggers; during a second time period succeeding the first time period and in response to execution of the executable file at the first internal asset, initiating transmission of the set of data packets from source assets to recipient assets, in the set of assets, according to the set of behavior triggers to emulate the malicious attack on the target network; accessing the context file specifying the first set of artifacts and generated by the first internal asset in response to termination of the emulation of the malicious attack on the target computer network; transforming the first set of artifacts into a second set of artifacts according to a second format associated with a target security technology deployed on the target computer network; and serving the second set of artifacts to the target security technology.

20. The method of claim 19, further comprising: accessing a set of event records generated by the target security technology responsive to the second set of artifacts; and in response to absence of an event record in the set of event records indicating the malicious attack, generating a prompt to reconfigure the target security technology to detect the malicious attack at the target computer network.

*** Claims are also rejected as non-statutory double patenting rejections over similar claims of issued patents 12177244, 11876829, 11563765, 12081580 and 11677775.

Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.
Patentability shall not be negated by the manner in which the invention was made. Claims 1, 4, 9, 10, 14, 15, 16 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Pub. No.: US 20170048266 A1 to Hovor et al. (hereinafter “Hovor”) in view of Pub. No.: US 20170244744 A1 to Key et al. (hereinafter “Key”). Regarding Claim 1. Hovor discloses A method (Hovor, Abstract, FIG. 4: … …) comprising: accessing a set of data packets representing data transmitted between machines in communication with a second computer network (Hovor, FIG. 4, Para [0085-0087]: … The system receives an asset topology that identifies one or more first computer assets each of which is directly connected to a network … The system receives threat data that identifies vulnerabilities of computer assets (404). The system may subscribe to a threat data feed and receive some of the threat data from the data feed. The system may search for and find some of the threat data on a network, e.g., the Internet. In some implementations, the system may receive some of the threat data from an internal source, e.g., controlled by the same entity that controls the system …) [during a malicious attack on the second computer network]; selecting a set of assets as actors in an emulation of the malicious attack on a target computer network (Hovor, FIG. 4, Para [0087-0088]: … The system determines, using the asset topology, a first computer asset that is one of the first computer assets (406). For instance, the system may use the asset topology and the threat data to perform a simulated attack on the assets in the asset topology. The system selects the first computer as an entry point in the simulated attack …), the set of assets comprising: a first asset external to the target computer network (Hovor, FIG. 4, Para [0087-0088]: … The system selects the first computer as an entry point in the simulated attack. 
The first computer may be an external facing asset, …); and a second asset within the target computer network (Hovor, FIG. 4, Para [0092]: … The system determines, using the asset topology and the threat data, a path from the first computer asset to a second computer asset that is one of the second computer assets (410). For example, as described in more detail below with reference to FIG. 5, the system determines all of the assets directly connected to the first computer asset and which of those assets may be compromised by an adversary's device. The system creates a path, moving from one computer asset to another to create the path from the first computer asset to the second computer asset. The second computer asset may be an intended destination for the attack simulation, e.g., which may contain data potential adversary may want to access, or may be an end destination on the path, e.g., from which the system cannot access any other assets to which the system did not already gain access when creating the path during the attack simulation …); for each data packet in the set of data packets: assigning a transmission trigger in a set of transmission triggers to the data packet based on transmission of corresponding data during the malicious attack on the second computer network (Hovor, FIG. 4, Para [0101-0102]: … The system receives new threat data over a predetermined period of time (422). For example, the system receives the new threat data over the course of days, weeks, months, or years. The system may receive the new threat data from any appropriate source, such as the sources discussed above … The system determines, using the new threat data, paths from the first computer assets to the second computer assets over the predetermined period of time (424). 
For instance, during the predetermined time, the system may perform additional attack simulations, similar to the one described above, e.g., steps 408 through 414 or steps 408 through 410 …); assigning a recipient asset in the set of assets to receive the data packet (Hovor, FIG. 4, Para [0092]: … The system determines, using the asset topology and the threat data, a path from the first computer asset to a second computer asset that is one of the second computer assets (410). For example, as described in more detail below with reference to FIG. 5, the system determines all of the assets directly connected to the first computer asset and which of those assets may be compromised by an adversary's device. The system creates a path, moving from one computer asset to another to create the path from the first computer asset to the second computer asset. The second computer asset may be an intended destination for the attack simulation …); and assigning a source asset, in the set of assets, to transmit the data packet to the recipient asset according to the transmission trigger (Hovor, FIG. 4, Para [0092]: … The system determines, using the asset topology and the threat data, a path from the first computer asset to a second computer asset that is one of the second computer assets (410). For example, as described in more detail below with reference to FIG. 5, the system determines all of the assets directly connected to the first computer asset and which of those assets may be compromised by an adversary's device. The system creates a path, moving from one computer asset to another to create the path from the first computer asset to the second computer asset. 
The second computer asset may be an intended destination for the attack simulation …); and distributing the set of data packets and definitions of the set of transmission triggers for storage at the set of assets (Hovor, Para [0049]: … The system analyzes each of the assets in the asset inventory 202 to determine a priority of each of the assets, e.g., how important the assets are to the entity, the criticality or sensitivity of data stored on or access with the asset, etc. In some examples, the system may receive priority information from a user. The system may analyze the types of the assets, the data stored on the assets, etc., to determine the priorities of the assets in the asset inventory 202. The system may use any appropriate method to determine priority information for the assets ...). However, Hovor does not explicitly teach, but Key from same or similar field of endeavor teaches: “data packets representing data packets representing data during a malicious attack on the second computer network (Key, Para [0009]: … One inventive aspect of the subject matter of this disclosure can be implemented in a method for controlling execution of malicious behavior in a production network to test a security system of the production network. The method can include receiving, by a first controller on a first node in a production network with a security system, instructions to operate as an attacker and data for executing a predetermined malicious behavior on the production network. The method can include receiving, by a second controller on a second node in the production network from the planner, instructions to operate as a target of the predetermined malicious behavior by the attacker. The method can include establishing a connection between the first controller and the second controller. 
The method can include transmitting, responsive to the instructions by the first controller via the connection to the second controller via at least a portion of the security system of the production network, network traffic comprising the predetermined malicious behavior and generated using the data …)” Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Key into the teachings of Hovor, because it discloses that, “Instead of performing isolated laboratory testing of individual computing devices as discussed above, security of a computer network can be improved by testing within a system that is able to evaluate the security posture of an organization's complex production network. In some implementations, such a system can be included within a production network and configured such that the security posture of the production network can be evaluated without putting the computing devices within the production network at risk (Key, Para [0007])”. Regarding Claim 4. The combination of Hovor-Key discloses the method of claim 1, Hovor further discloses, “further comprising: loading the set of data packets and definitions of the set of transmission triggers in local memory of the second asset (Hovor, Para [0004]: … The method may include determining, for each of the first computer related assets and each of the second computer related assets, a path from the first computer related asset to the second computer related asset. 
The method may include receiving new threat data over a predetermined period of time, determining, using the new threat data, paths from the first computer related assets to the second computer related assets over the predetermined period of time, and determining trends in the paths from the first computer related assets to the second computer related assets over the predetermined period of time …); and initiating transmission of a first data packet in the set of data packets from the second asset to the first asset according to a first transmission trigger in the set of transmission triggers (Hovor, Para [0004]: … Determining the trends in the paths from the first computer related assets to the second computer related assets over the predetermined period of time may include determining a recurring path of compromise that has a high probability that one or more assets on the recurring path will be compromised by an adversary's device over at least a threshold value of times during the predetermined period of time …).” Regarding Claim 9. The combination of Hovor-Key discloses the method of claim 1, Key further discloses, “wherein accessing the set of data packets comprises generating the set of data packets based on packet fragments transmitted between machines in communication with the second computer network during the malicious attack on the second computer network (Key, Para [0006, 0070]: … In some implementations, the security of each computing device in a network may be tested individually. For example, network packets representing malicious behavior may be directed towards one of the computing devices, and the computing device can be monitored to determine whether it responds appropriately, such as by dropping the malicious packets or generating an alarm condition to indicate that the packets may correspond to an attack. 
Typically, such a test may be run in a laboratory setting, to avoid compromising the computing device under test in case the computing device does not successfully prevent the attack. However, such isolated lab testing scenarios may fail to fully validate the security posture of the more complex production network, even if individual computing devices appear to respond appropriately to malicious network traffic. For example, an attacker may be able to take advantage of misconfigurations that exist in the production setup but are not present in the isolated laboratory testing scenario. Furthermore, laboratory testing typically relies on simply sending a stream of packets intended to replicate malicious behavior to a given computing device. As such, there is no way to test active stateful connections that may be necessary to route through in the production network environment. Therefore, isolated laboratory testing of computing devices cannot be used to determine how a complex network would respond to malicious packets. …).” The motivation to further combine Key remains same as in claim 1. Regarding Claim 10. The combination of Hovor-Key discloses the method of claim 1, Key further discloses, “further comprising discarding a first data packet at the first asset in response to: receiving the first data packet from the second asset (Key , Para [0071, 0156]: … In some implementations, the simulation data manager 116 can be configured to process a PCAP file by first identifying each host conversation within the PCAP file. For example, the simulation data manager 116 can make this determination based on the communication protocol exhibited in the PCAP file. 
The simulation data manager 116 also can determine the type of application traffic represented by the PCAP file, such as HTTP traffic that may be sent using TCP, or DNS traffic that may be sent using UDP … In some implementations, the server can analyze a PCAP file to extract an application-layer record of requests and responses exchanged between the attacker and the target in the network traffic represented by the PCAP file. The server also may extract an actual malware file from the PCAP file. The PCAP file will typically contain low-level packet information related to data exchanged during the attack. However, the server can process the PCAP file to extract the higher-level application layer record of each request and response … ); and detecting a first digital signature in the first data packet (Key , Para [0071, 0156]: … In some implementations, the determination of the type of application traffic represented by the PCAP file can be made based on the use of application signatures in the PCAP file. … ).” The motivation to further combine Key remains same as in claim 1. Regarding Claim 14. This claim contains all the same or similar limitations as claim 1, and hence similarly rejected as claim 1. *** Note: Hovor also discloses a computer system (Hovor: Abstract, Para [0002]). Regarding Claim 15. This claim contains all the same or similar limitations as claim 4, and hence similarly rejected as claim 4. Regarding Claim 16. 
The combination of Hovor-Key discloses the computer system of claim 15, Key further discloses, “wherein the first asset configured to initiate transmission of the first data packet comprises the first asset configured to initiate transmission of the first data packet in response to receiving a second data packet in the set of data packets from the second asset (Key, Para [0009]: … One inventive aspect of the subject matter of this disclosure can be implemented in a method for controlling execution of malicious behavior in a production network to test a security system of the production network. The method can include receiving, by a first controller on a first node in a production network with a security system, instructions to operate as an attacker and data for executing a predetermined malicious behavior on the production network. The method can include receiving, by a second controller on a second node in the production network from the planner, instructions to operate as a target of the predetermined malicious behavior by the attacker. The method can include establishing a connection between the first controller and the second controller. The method can include transmitting, responsive to the instructions by the first controller via the connection to the second controller via at least a portion of the security system of the production network, network traffic comprising the predetermined malicious behavior and generated using the data. The method can include receiving, by the first controller via the connection from the second controller, one or more responses to the network traffic. The method can include determining, by the first controller, whether the one or more responses from the second controller are as expected …).” The motivation to further combine Key remains same as in claim 1 (i.e. 14). Regarding Claim 19. This claim contains all the same or similar limitations as claim 1, and hence similarly rejected as claim 1. 
*** Note: Hovor also discloses behavior trigger (Hovor, Para [0058, 0069]: … Indicators of compromise (IOC) may include certain observable conditions as well as contextual information about patterns of those observable conditions and how and when a pattern should be acted on. The contextual information may represent artifacts or behaviors of interest within a cyber-security context or both. The patterns of the observable conditions may be mapped to related TTP context information, include relevant metadata about confidence in the indicator's assertion, handling restrictions, valid time windows, likely impact, sightings of the information indicator, structured test mechanisms for detection, related campaigns, or suggested COA, or both related TTP context information and relevant metadata …). Claims 7, 12 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Pub. No.: US 20170048266 A1 to Hovor et al. (hereinafter “Hovor”) in view of Pub. No.: US 20170244744 A1 to Key et al. (hereinafter “Key”), as applied to claim 1 above, and further in view of Pub. No.: US 20150128246 A1 to Feghali et al. (hereinafter “Feghali”). Regarding Claim 7. The combination of Hovor-Key discloses the method of claim 1, however it does not explicitly teach but Feghali from same or similar field of endeavor teaches: “further comprising: accessing a log indicating failure to transmit a first packet in the set of packets from the second asset to the first asset (Feghali, Para [0083-0084]: … FIG. 
5 is a flowchart that shows the operation of the Delta Engine 472 for determining if an incoming packet on the WAN 260 side has been dropped by the Firewall 250 …); and detecting prevention of transmission of the first data packet from the second asset within the target network to the first asset external to the target network based on the log (Feghali, Para [0031, 0107-0108]: … The solutions described above prevent false positives but may weaken the validity of comparisons for "corresponding" packets. Consider the following scenario for the WAN-to-LAN direction. An attacker in the Internet/WAN 260 may simultaneously initiate two separate sessions or streams of communication with two different servers in the corporate LAN 210, where the first session is innocuous but the second is malicious. Normally, the SrcPort numbers in the two sessions would be different, allowing the DTF Engine 477 to correctly distinguish the sessions and make the correct correspondences between incoming and outgoing packets … However, the attacker may instead use the same SrcPort numbers in both sessions. The Firewall 250 may properly allow the innocuous stream to pass though, while blocking the malicious stream. Using the flowchart steps in FIG. 5, the Delta Engine 472 will match each outgoing packet containing the attacker's SrcIP to an incoming packet with the same SrcIP, but the matched packets could come from either stream. Thus, at the expiration of the maximum transit delay, the remaining buffered packets, which are assumed to have been dropped by the firewall, may actually be a partial collection of packets from both streams, and may be forwarded to the Labyrinth 257 or 258 via the DTF Engine 477. Unfortunately, the fact that the forwarded stream may be missing packets from the original incoming malicious stream may prevent the Labyrinth from properly engaging the attacker. 
This drawback can be avoided using the "whitelist" approach described later, by adding certain information to whitelist entries as they are created …).” Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Feghali into the teachings of Hovor-Key, because it discloses that, “In some embodiments of FIGS. 3A through 3E, the Inspector 255 may have additional ports and links to connect it directly to the Corporate Network/LAN 210 and/or the Internet/WAN 260, to carry traffic associated with a Labyrinth 257 or 258, the Cloud Inspector Service (CIS) 262, or the Management Server 263. An advantage of this approach is that it does not increase the traffic on or stress the Firewall's connections to the Corporate Network/LAN 210 and to the Internet/WAN 260, and these additional ports and links can be managed independently (Feghali, Para [0070])”. Regarding Claim 12. The combination of Hovor-Key discloses the method of claim 1, however it does not explicitly teach but Feghali from same or similar field of endeavor teaches, “further comprising indicating failure to transmit a first packet in the set of packets from the second asset to the first asset (Feghali, Para [0083-0084]: … FIG. 5 is a flowchart that shows the operation of the Delta Engine 472 for determining if an incoming packet on the WAN 260 side has been dropped by the Firewall 250 …)”. Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Feghali into the teachings of Hovor-Key, because it discloses that, “In some embodiments of FIGS. 3A through 3E, the Inspector 255 may have additional ports and links to connect it directly to the Corporate Network/LAN 210 and/or the Internet/WAN 260, to carry traffic associated with a Labyrinth 257 or 258, the Cloud Inspector Service (CIS) 262, or the Management Server 263. 
An advantage of this approach is that it does not increase the traffic on or stress the Firewall's connections to the Corporate Network/LAN 210 and to the Internet/WAN 260, and these additional ports and links can be managed independently (Feghali, Para [0070])”. Regarding Claim 13. The combination of Hovor-Key-Feghali discloses the method of claim 12, Feghali further discloses, “wherein indicating failure to transmit the first packet comprises generating a log at the second asset assigned to transmit the first packet, the log indicating failure to transmit the first packet from the second asset to the first asset (Feghali, Para [0031, 0107-0108]: … The solutions described above prevent false positives but may weaken the validity of comparisons for "corresponding" packets. Consider the following scenario for the WAN-to-LAN direction. An attacker in the Internet/WAN 260 may simultaneously initiate two separate sessions or streams of communication with two different servers in the corporate LAN 210, where the first session is innocuous but the second is malicious. Normally, the SrcPort numbers in the two sessions would be different, allowing the DTF Engine 477 to correctly distinguish the sessions and make the correct correspondences between incoming and outgoing packets … However, the attacker may instead use the same SrcPort numbers in both sessions. The Firewall 250 may properly allow the innocuous stream to pass though, while blocking the malicious stream. Using the flowchart steps in FIG. 5, the Delta Engine 472 will match each outgoing packet containing the attacker's SrcIP to an incoming packet with the same SrcIP, but the matched packets could come from either stream. Thus, at the expiration of the maximum transit delay, the remaining buffered packets, which are assumed to have been dropped by the firewall, may actually be a partial collection of packets from both streams, and may be forwarded to the Labyrinth 257 or 258 via the DTF Engine 477. 
Unfortunately, the fact that the forwarded stream may be missing packets from the original incoming malicious stream may prevent the Labyrinth from properly engaging the attacker. This drawback can be avoided using the "whitelist" approach described later, by adding certain information to whitelist entries as they are created …).” The motivation to further combine Feghali remains same as in claim 12. Claim 11 is rejected under 35 U.S.C. 103 as being unpatentable over Pub. No.: US 20170048266 A1 to Hovor et al. (hereinafter “Hovor”) in view of Pub. No.: US 20170244744 A1 to Key et al. (hereinafter “Key”), as applied to claim 1 above, and further in view of Pub. No.: US 20210294666 A1 to Giles et al. (hereinafter “Giles”). Regarding Claim 11. The combination of Hovor-Key discloses the method of claim 1, however it does not explicitly teach but Giles from same or similar field of endeavor teaches, “wherein assigning a transmission trigger, assigning a recipient asset, and assigning a source asset for each data packet in the set of data packets comprise: assigning a first transmission trigger in the set of transmission triggers to a first data packet in the set of data packets (Giles, Para [0010, 0060]: … In general, in a second aspect, the subject matter described in this specification can be embodied in methods that include the actions of: accessing logged data for prior transmissions of digital components, wherein the logged data includes transmission scores for the transmissions of digital components, distribution criteria that triggered the transmissions of the digital components, and delivery times of the transmissions of the digital components; assigning different digital component transmissions included in the logged data to different ones of the multiple different transmission commitments, including: for a particular digital component transmission in the logged data, assigning the particular digital component transmission to a given transmission commitment 
where distribution criteria of the given transmission commitment match distribution criteria that triggered the particular digital component transmission and a time period for completing the given transmission commitment matches the delivery time of the particular digital component transmission …); assigning the second asset to receive the first data packet (Giles, Para [0042]: … Requests 112 can also include data related to other information, such as information that the user has provided, geographic information indicating a state or region from which the request was submitted, or other information that provides context for the environment in which the digital components will be displayed (e.g., a type of device at which the digital components will be displayed, such as a mobile device or tablet device). Requests 112 can be transmitted, for example, over a packetized network, and the requests 112 themselves can be formatted as packetized data having a header and payload data. The header can specify a destination of the packet and the payload data can include any of the information discussed above …); and assigning the first asset to transmit the first data packet to the second asset according to the first transmission trigger (Giles, Para [0010, 0060]: … for a particular digital component transmission in the logged data, assigning the particular digital component transmission to a given transmission commitment where distribution criteria of the given transmission commitment match distribution criteria that triggered the particular digital component transmission and a time period for completing the given transmission commitment matches the delivery time of the particular digital component transmission; and for each digital component transmission commitment of the multiple different digital component transmission commitments, determining an expected cost that results in the digital component transmission commitment being allocated at least a specified minimum number 
of digital component transmissions over the time period for completing the digital component transmission commitment based on the digital component transmissions of the logged data that were assigned to the multiple different transmission commitments).”

Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Giles into the teachings of Hovor-Key, because it discloses that, “Particular embodiments of the subject matter described in this specification can be implemented so as to realize one or more of the following advantages. The subject matter described in this document enables expected resources required to jointly complete one or more commitments to provide resources (e.g., an agreement to provide computing resources such as data processing by way of a distributed computing environment or a cloud computing environment, or to transmit one or more digital components for a third-party at least a specified minimum number of times within a specified period of time) to be determined. When multiple different commitments overlap in time the co-existence of these commitments can affect the resources required during that time period, so by taking into account each other commitment in determining of the resources required to satisfy a given commitment, a more accurate estimate of the expected resources required to complete each commitment is determined (Giles, Para [0023])”.

Allowable Subject Matter

Claims 2, 3, 5, 6, 8, 17, 18 and 20 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims. As allowable subject matter has been indicated, applicant's reply must either comply with all formal requirements or specifically traverse each requirement not complied with. See 37 CFR 1.111(b) and MPEP § 707.07(a).
Applicant's response must address all rejections (101, 112, ..), objections and other formality issues noted in this office action. Reasons for allowance will be furnished upon allowance.

Pertinent Prior Arts

The following prior arts made of record and not relied upon are considered pertinent to applicant's disclosure.

US 20210144169 A1; LASSER; Menahem: LASSER discloses Methods and systems for carrying out penetration testing campaigns of a networked system. These include having a reconnaissance agent software module (RASM) installed on a first network node detect an occurrence of a risky event in the node, an event that would allow an attacker of the penetration testing campaign to compromise the node if a specific Boolean condition is satisfied; in response to detecting the risky event, the RASM sends queries to a second network node requesting information, receives answers to the queries including at least one or more portions of the requested information, and, based on the received information, determines that the specific Boolean condition is satisfied and concludes that the node could be compromised by the attacker of the penetration testing campaign. Based on the above, a security vulnerability may be reported. The present invention relates to systems and methods for penetration testing of networked systems, and especially to penetration testing systems and methods using locally installed instances of a reconnaissance agent software modules configured to communicate with each other and cooperate in determining the compromisability of networked nodes.

US 20210037040 A1; Aleks et al.: Aleks discloses A security testing platform to provide security teams with an extensible, cost-effective and flexible platform which can continuously test, evaluate and tune deployed security tools & policies. The security testing platform allows users to automatically simulate security threat attacks in order to measure the effectiveness of a security stack's prevention, detection and mitigation capabilities. A set of endpoints within the controlled environment may be configured to simulate the environment of the application being tested, which may be configured across multiple endpoints. Additional endpoints may also be configured as ‘attackers’ to orchestrate security attacks on the simulated environment. The security testing platform 100 may also integrate monitoring tools to gain automated insights into the detection, reliability and performance capabilities of the current security policies, rules and configurations.

US 10812516 B2; Chenette et al.: Chenette discloses A cyber security assessment platform, the platform can assess the security posture of a network by deploying one or more scenarios to be executed on one or more assets on the network and analyzing the outcomes of the scenarios. A scenario can be configured to validate a device or network status, and/or mimic an unauthorized cyber-attack. Each scenario can include one or more phases defining an execution path. Related method, apparatus, systems, techniques and articles are also described.

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MAHABUB S AHMED whose telephone number is (571)272-0364. The examiner can normally be reached on 9AM-5PM EST M-F. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ali Shayanfar can be reached on 571-270-1050. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MAHABUB S AHMED/Examiner, Art Unit 2434
/TESHOME HAILU/Primary Examiner, Art Unit 2434

Prosecution Timeline

Nov 14, 2024: Application Filed
Apr 03, 2026: Non-Final Rejection — §101, §103, §112 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12591864
METHODS AND SYSTEMS FOR THE EFFICIENT TRANSFER OF ENTITIES ON A BLOCKCHAIN
2y 5m to grant Granted Mar 31, 2026
Patent 12574393
CYBER SECURITY SYSTEM UTILIZING INTERACTIONS BETWEEN DETECTED AND HYPOTHESIZE CYBER-INCIDENTS
2y 5m to grant Granted Mar 10, 2026
Patent 12574370
VERIFYING PARTY IDENTITIES FOR SECURE TRANSACTIONS
2y 5m to grant Granted Mar 10, 2026
Patent 12563053
METHODS AND SYSTEMS FOR FRAUD DETECTION USING RELATIVE MOVEMENT OF FACIAL FEATURES
2y 5m to grant Granted Feb 24, 2026
Patent 12542662
APPARATUS AND METHOD FOR FEDERATED LEARNING BASED ON GROUP KEY
2y 5m to grant Granted Feb 03, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Prosecution Projections

Expected OA Rounds: 1-2
Grant Probability: 86%
With Interview: 93% (+7.8%)
Median Time to Grant: 2y 7m
PTA Risk: Low
Based on 289 resolved cases by this examiner. Grant probability derived from career allow rate.
