Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
This action is in response to the correspondence filed 11/19/2024.
Claims 1-10 are presented for examination.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1-10 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.
As to claims 1, 8, 9 and 10, the claims recite an assessment apparatus that assesses an assessment target device that includes a plurality of physical components for executing processing appropriate to a plurality of logical components, the assessment apparatus comprising: a processor; and memory connected to the processor, wherein using the memory, the processor: acquires device information about the assessment target device; determines, based on the device information, a logical path including an array of one or more logical components and a physical path corresponding to the logical path and including an array of one or more physical components, the logical path and the physical path being paths of access to an asset of the assessment target device from an outside of the assessment target device, the asset being data or a function; and assesses a risk value of the asset in accordance with an attack feasibility level and an influence level, the attack feasibility level indicating a level of attack feasibility on the physical path and the logical path that have been determined, the influence level indicating an influence to be exerted when the asset is invaded (wherein claims 8 and 10 on determine a logical path as opposed to claims 1 and 9 which determine both a logical and physical path).
The limitation of “acquires device information,” as drafted, is a process that, under its broadest reasonable interpretation, covers mere data gathering. The “processor” performing conventional operations of collecting data are well-known, routine, and conventional that does not amount to significantly more.
The limitation of “determines … a logical path … and a physical path,” as drafted, is a process that, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components. That is, other than reciting a processor and a memory, nothing in the claim element precludes the step from practically being performed in the mind. For example, but for the processor and memory language, “determines” in the context of this claim encompasses the user mentally and/or visually analyzing or comparing data. Similarly, the limitation of “assesses a risk value,” as drafted, is a process that, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of a processor and a memory as “assesses” in the context of this claim encompasses the user mentally inferring based on the observed data.
If claim limitations, under their broadest reasonable interpretation, cover performance of the limitations in the mind but for the recitation of generic computer components, then it falls in the “Mental Processes” grouping of abstract ideas. Accordingly, the claim recites an abstract idea.
This judicial exception is not integrated into a practical application because the claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. Specifically, the claims do not include additional elements that integrate the judicial exception into a practical application. As discussed above, the use of the processor and memory to perform conventional operations that are well-known, routine, and conventional does not amount to significantly more. Accordingly, the abstract idea is not integrated into a practical application as the elements do not impose any meaningful limits on practicing the abstract idea nor amount to significantly more than the judicial exception. Therefore, the claims are not patent eligible.
As to claims 2-7, the claims do not cure the deficiency of claim 1 and are rejected under 35 USC § 101 for their dependency upon claim 1 while not integrating the abstract idea into practical application nor including elements that amount to significantly more than the abstract idea.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1 and 8-10 are rejected under 35 U.S.C. 103 as being unpatentable over US 2023/0208882 to Crabtree et al. (hereinafter Crabtree) in view of US 2020/0226266 to Fukami et al. (hereinafter Fukami).
As to claims 1 and 9, Crabtree teaches an assessment apparatus that assesses an assessment target device that includes a plurality of physical components for executing processing appropriate to a plurality of logical components (paragraph 69, a system for continuous policy-aware vulnerability mapping, security posture determination and attack path planning and simulation), the assessment apparatus comprising: a processor; and memory connected to the processor, wherein using the memory (FIG. 20 and paragraph 163-165, one or more central processing units [CPU] and one or more local and/or remote memory), the processor: acquires device information about the assessment target device (paragraphs 208, 209 and 215, retrieved configurations related to a mapped network asset); determines, based on the device information, a logical path including an array of one or more logical components and a physical path corresponding to the logical path and including an array of one or more physical components, the logical path and the physical path being paths of access to an asset of the assessment target device from an outside of the assessment target device, the asset being data or a function (paragraph 215, identifying a plurality of paths, wherein the network assets include hardware and software, thus logical and physical paths); and assesses a risk value of the asset (paragraph 215, determined plurality of risk attributes associated with the node).
Crabtree does not explicitly teach assessing the risk value of the asset in accordance with an attack feasibility level and an influence level, the attack feasibility level indicating a level of attack feasibility on the physical path and the logical path that have been determined, the influence level indicating an influence to be exerted when the asset is invaded.
However, Fukami teaches assessing the risk value of the asset in accordance with an attack feasibility level and an influence level, the attack feasibility level indicating a level of attack feasibility on the physical path and the logical path that have been determined, the influence level indicating an influence to be exerted when the asset is invaded (wherein the output of the risk evaluation information [paragraph 48]; wherein a relevance degree is determined in relation to the possibility of an execution of optional code, information leak, DoS attack, etc. [the possibility of the attacks read as the claimed attack feasibility] [paragraph 70 and FIG. 10] and the vulnerability influence degree is determined based on the relevance degree; furthermore, the risk value is determined based on the asset importance, threat level and vulnerability level [FIGS. 9 and 14, paragraph 57] and the threat level is related to the probability of occurrence of the threat [FIG. 7] and wherein the vulnerability influence degree is related to the vulnerability level which is used to update the risk evaluation information [FIG. 11 and paragraph 79]).
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify the vulnerability mapping and risk evaluation teachings of Crabtree to include the vulnerability influence evaluation system taught by Fukami in order to perform risk evaluation based on the degree of influence of vulnerability in order to produce more accurate risk assessments, thus optimizing the overall efficiency of the risk assessment system (paragraph 73).
As to claims 8 and 10, claims 8 and 10 are directed to an apparatus and method that is generally related to the apparatus and method of claims 1 and 9 and contain limitations similar to those discussed above in connection to claims 1 and 9. Therefore claims 8 and 10 are rejected on the same basis as set forth in claims 1 and 9.
Relevant Prior Art
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
US 20240265113 A1 to Napper et al. teaches a system and a method to determine attack paths to application assets may include storing in a memory asset inventory indicating multiple application assets, multiple attack vector parameters configured to indicate vulnerabilities of one or more of the application assets, and asset mapping information configured to associate each of the application assets to one or more of the application layers. A processor may determine multiple vulnerable assets in the application assets based at least in part upon the attack vector parameters. Further, the processor may determine feasibility parameters that indicate a likelihood of the attack path to occur in the system, generate a visual interface showing the vulnerable assets, determine an attack path connecting the vulnerable assets based at least in part upon the asset mapping information, and map the attack path to the application layers in the visual interface based at least in part upon the feasibility parameters.
US 20210105294 A1 to Kruse et al. teaches a system for assessing potential cybersecurity threats to a subject system is provided. The system includes a computer system including at least one processor in communication with at least one memory device. The at least one processor is programmed to: receive a subject system to analyze, determine a potential hazard event associated with the subject system, generate an attack graph associated with the potential hazard event, wherein the attack graph includes a plurality of actions, determine an exploitability score for each of the plurality of actions, determine an uncertainty level for each of the plurality of actions based on the corresponding exploitability score, aggregate the plurality of actions including the corresponding exploitability scores and the corresponding uncertainty levels to determine one or more vulnerabilities of the subject system, and generate a response to the one or more vulnerabilities of the subject system.
US 12445474 B1 to Reed et al. teaches a method including scanning a compute environment associated with an entity and identifying one or more attack paths from a network to one or more datasets associated with the entity. The one or more attack paths each include a series of risk artifacts within the compute environment that can be exploited by an attacker to access the one or more datasets. The method further includes generating one or more attack path risk scores associated with the one or more attack paths and indicative of one or more levels of risk that the one or more attack paths could be exploited to access the one or more datasets. A risk mitigation operation associated with the one or more attack paths is performed based on the one or more attack path risk scores.
US 9276951 B2 to Choi et al. teaches a computer-implemented method for discovering network attack paths is provided. The method includes a computer generating scoring system results based on analysis of vulnerabilities of nodes in a network configuration. The method also includes the computer applying Bayesian probability to the scoring system results and selected qualitative risk attributes wherein output accounts for dependencies between vulnerabilities of the nodes. The method also includes the computer applying a weighted-average algorithm to the output yielding at least one ranking of nodes in order of likelihood of targeting by an external attacker.
Allowable Subject Matter
Claims 2-7 would be allowable if rewritten to overcome the rejections under 35 U.S.C. 101 set forth in this Office action and to include all of the limitations of the base claim and any intervening claims.
The following is a statement of reasons for the indication of allowable subject matter:
Dependent claim 2 is allowable over the prior art of record, including Crabtree, Fukami, Napper, Kruse and the references cited by the Examiner and the Applicant’s IDS, taken individually or in combination, because the prior art of record fails to particularly disclose, fairly suggest or render obvious combining the physical path and the logical path by determining the logical path in accordance with the separation state identified and determining the physical path corresponding to the logical path and, in the assessing of the risk value of the asset, the processor assesses the risk value of the asset in accordance with the physical path and the logical path that have been combined, in view of the other limitations of the claim and claim 1;
Dependent claim 3 is allowable over the prior art of record, including Crabtree, Fukami, Napper, Kruse and the references cited by the Examiner and the Applicant’s IDS, taken individually or in combination, because the prior art of record fails to particularly disclose, fairly suggest or render obvious in the determining of the logical path and the physical path: for each of the one or more vulnerabilities of the one or more logical components indicated by the vulnerability assessment information, the processor further re-determines the physical path and the logical path in accordance with the vulnerability, and in the assessing of the risk value of the asset: for each of the one or more vulnerabilities of the one or more logical components, the processor further re-assesses the risk value of the asset in accordance with the physical path and the logical path that have been re-determined, in view of the other limitations of the claim and claim 1;
Dependent claim 6 is allowable over the prior art of record, including Crabtree, Fukami, Napper, Kruse and the references cited by the Examiner and the Applicant’s IDS, taken individually or in combination, because the prior art of record fails to particularly disclose, fairly suggest or render obvious for each of the one or more vulnerabilities of the one or more logical components indicated by the vulnerability assessment information, the processor further assesses a priority of mitigation to be taken against the vulnerability as a priority score value in accordance with the score value of the vulnerability and a use status of a logical component corresponding to the vulnerability, being used by the plurality of assets, in view of the other limitations of the claim and claim 1.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MALCOLM CRIBBS whose telephone number is (571)270-1566. The examiner can normally be reached Monday-Friday 930a-330p; 430p-630p.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni Shiferaw can be reached at (571)272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
MALCOLM . CRIBBS
Examiner
Art Unit 2497
/MALCOLM CRIBBS/Primary Examiner, Art Unit 2497