DETAILED ACTION
1. This office action is in response to an amendment filed on 12/17/2025. Claims 1-30 are pending. Claims 1, 11 and 21 are independent. Each independent claim is amended.
Notice of Pre-AIA or AIA Status
2. The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Information Disclosure Statement
3. The information disclosure statements (IDS) submitted on 10/14/2025 and 12/19/2025 have been considered. The submission is in-compliance with the provisions of 37 CFR 1.97. Form PTO-1449 is signed and attached hereto.
Response to Arguments
4. Applicant’s arguments filed on December 17, 2025, with regarding to the
35 U.S.C. 101 rejection to claims 11-19 have been considered and is persuasive, the amendment made to claim 11 overcomes the rejection. Thus, the 35 U.S.C. 101 rejection is withdrawn. Furthermore, the 35 U.S.C. 102 rejection with respect to the independent claims 1, 11 and 21 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
5. Applicant’s representative in particular argued that the following amended (underlined and bolded) claim limitations recited in independent claims 1, 11 and 21 aren’t disclosed by the references/prior arts of the record namely by Lurie:
“receiving an alert concerning one or more of the plurality of network entities;
defining a query for researching the alert: and
providing a result set of the query to a generative AI model for subsequent processing”;
Examiner would like to point out that, the newly founded prior art US Publication No. 2025/0077655 A1 Schindel, discloses each and every amended/underlined claim limitation.
In particular Schindel discloses each and every amended claim limitation as shown below:
Schindel discloses:
“receiving an alert concerning one or more of the plurality of network entities [Fig 6, ref. 610, “Receive an incident input”; Para. 0101, “At S610, an incident input is processed. In an embodiment, the incident response is received. In some embodiments, the incident response includes an alert”. Para. 0101, “the incident response includes an alert, a query, a natural language query, a database query, a combination thereof, and the like”. The incident occurs In “computing environment”, Para. 0111, which necessarily involves network entities such as “as a workload, virtual machine, software container, serverless function, and the like and cloud resources. This meets the limitation, “receiving an alert concerning one or more of the plurality of network entities”]
defining a query for researching the alert [Fig, 6, ref. Num “630”, “Generate a query based on the incident input and a selection of a sub-scenario of the plurality of sub-scenarios”; : and
providing a result set of the query to a generative AI model for subsequent processing” Par. 0096, “A sub-scenario includes, according to an embodiment, a query, a natural language query, a database query, combinations thereof, and the like” and Par. 0107, “At S630, a database query is generated….the database query is generated based on…an incident input” and Para. 0101. ““the incident response includes an alert”, This explicitly teaches, generating a query based on the incident input where the incident input includes an alert/para. 0101];
and providing a result set of the query to a generative AI model for subsequent processing [Fig. 6, ref. 640, “the database query is executed” Para. 0110. “ S640, the database query is executed. In an embodiment, executing the database query produces a database answer” Para. 0116, “the result of executing the database query at S640 is provided to an LLM with a modified prompt… the prompt is modified based on the result of the database query execution… the prompt, when processed by the LLM, configures the LLM to output an explanation for the result”]
Therefore, as it is shown above, Schindel discloses each and every argued and amended claim limitation: “receiving an alert concerning one or more of the pluralities of network entities;
defining a query for researching the alert: and
providing a result set of the query to a generative AI model for subsequent processing”;
6. Thus, in response to the 35 U.S.C. 102 rejection set forth in the previous office action, applicant amended at least each independent claim 1, 11 and 21, presumably to overcome the 102 rejection set forth in the previous office action. Since, the newly amended claims changed the scope and necessitated new grounds of rejection, applicant’s arguments are moot. The analysis of the claims under consideration, as amended, follows in the corresponding section below.
Claim Rejections - 35 USC § 103
7. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or non-obviousness.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
8. Claims 1-4, 6, 9-14, 16, 19-24, 26 and 29-30 are rejected under 35 U.S.C. 103 as being unpatentable over Noam Sherr Lurie (herein after referred as Lurie) (US Publication No. 20250233884A1) (Earlies Priority Date: 02/28/2023) in view of Alon Schindel (herein after referred Schindel, US Pub. No. 2025/0077655 A1 which is a continuation of Patent No. 12/001,549, filed on Jan. 31, 2024)
The following is referring to claims 1, 11 and 21:
As per independent claim 1, Lurie discloses a computer-implemented method, executed on a computing device [FIG. 1 and para. 0010; illustrates an example network diagram of a computing environment monitored by a plurality of cybersecurity monitoring systems and claim 17, A system for continuous exposure management in a computing environment, comprising:
one or more processors and memory storing instructions that, when executed, cause the one or more processors], comprising:
obtaining entity data for a plurality of network entities from a plurality of data sources, thus defining a plurality of network entity data portions for each of the plurality of network entities [Para. 0124, (1) Data Ingestion—Receive Data Feeds: The system collects data from various security tools and sources, such as vulnerability scanners, endpoint monitoring solutions, IAM systems, CASB platforms, threat intelligence feeds, and data storage assessments. See also claim 1, ingesting cybersecurity data from a plurality of heterogeneous sources into a data fabric, wherein the sources comprise cybersecurity monitoring systems, cloud service providers, configuration management databases (CMDBs), and endpoint telemetry feeds];
combining the plurality of network entity data portions for each of the plurality of network entities to form consolidated network entity data for each of the plurality of network entities, thus defining network-wide consolidated entity data [Claim 1, normalizing and correlating the ingested data into a semantically harmonized representation using a security knowledge graph implemented in the data fabric, the representation comprising entities including users, devices, applications, vulnerabilities, misconfigurations, or policies; and para. 0006, creates a unified, dynamically updated, and enriched asset inventory, known as a high-fidelity “golden record,” providing authoritative, real-time, and comprehensive insights into the organization's entire asset landscape. This golden record is continuously refined through entity resolution processes, consolidating conflicting or duplicated asset data from multiple sources into a single, trustworthy inventory and para. 0194, The AEM application 1270 provides a robust framework for securing enterprise environments by offering a dynamically updated, high-fidelity “golden record” of all organizational assets. This consolidated record is continuously enriched with data from dozens of source systems, ensuring accurate asset resolution that underpins a holistic and reliable asset inventory and para. 0008, the process involves receiving cybersecurity signals from two distinct monitoring systems within a computing environment, each tracking potential threats. By integrating these signals, the method generates a single object that reflects the combined data, which is then analyzed to determine the severity level of the threat.]; and
processing the network-wide consolidated entity data to identify one or more potential exposure situations for the plurality of network entities [See at least claim 1, continuously evaluating harmonized data in the security knowledge graph to detect potential exposures based on predefined controls and graph traversal logic; generating a risk posture by aggregating exposure metrics associated with entities in the security knowledge graph, wherein the risk posture is dynamically updated in response to newly ingested data and para. 0182, AEM represents a specialized approach concentrating explicitly on managing and mitigating risks associated with exposed or vulnerable assets. While CAASM focuses broadly on comprehensive visibility, AEM specifically addresses assets known to have vulnerabilities or misconfigurations, thereby enabling targeted risk prioritization and actionable remediation. Key functionalities of AEM include identifying exposed or vulnerable assets, contextualizing exposure data to understand asset-specific risk profiles, prioritizing remediation efforts based on assessed risk levels, and reducing attack surfaces by effectively remediating high-risk assets].
Lurie doesn’t explicitly disclose the following amended claim limitation:
“receiving an alert concerning one or more of the plurality of network entities;
defining a query for researching the alert: and
providing a result set of the query to a generative AI model for subsequent processing”;
However, Schindel discloses the above amended claim limitation:
Schindel discloses:
“receiving an alert concerning one or more of the plurality of network entities [Fig 6, ref. 610, “Receive an incident input”; Para. 0101, “At S610, an incident input is processed. In an embodiment, the incident response is received. In some embodiments, the incident response includes an alert”. Para. 0101, “the incident response includes an alert, a query, a natural language query, a database query, a combination thereof, and the like”. The incident occurs In “computing environment”, Para. 0111, which necessarily involves network entities such as “as a workload, virtual machine, software container, serverless function, and the like and cloud resources. This meets the limitation, “receiving an alert concerning one or more of the plurality of network entities”]
defining a query for researching the alert [Fig, 6, ref. Num “630”, “Generate a query based on the incident input and a selection of a sub-scenario of the plurality of sub-scenarios”; : and
providing a result set of the query to a generative AI model for subsequent processing” Par. 0096, “A sub-scenario includes, according to an embodiment, a query, a natural language query, a database query, combinations thereof, and the like” and Par. 0107, “At S630, a database query is generated….the database query is generated based on…an incident input” and Para. 0101. ““the incident response includes an alert”, This explicitly teaches, generating a query based on the incident input where the incident input includes an alert/para. 0101];
and providing a result set of the query to a generative AI model for subsequent processing [Fig. 6, ref. 640, “the database query is executed” Para. 0110. “ S640, the database query is executed. In an embodiment, executing the database query produces a database answer” Para. 0116, “the result of executing the database query at S640 is provided to an LLM with a modified prompt… the prompt is modified based on the result of the database query execution… the prompt, when processed by the LLM, configures the LLM to output an explanation for the result”]
Lurie and Schindel are analogous arts and are in the same field of endeavor as they both pertain and directed to detection and mitigation of threats by monitoring anomalous activities or cybersecurity incident/alert.
It would have been obvious to one having ordinary skill in the art, before the effective filing of the claimed invention, to modify the system of Lurie’s cybersecurity monitoring systems to incorporate the steps such as “receiving an alert concerning one or more of the plurality of network entities; defining a query for researching the alert: and providing a result set of the query to a generative AI model for subsequent processing” as taught by Schindel because this would enhance the security of the system by providing cybersecurity solutions by identifying the root cause of an alert and remediate and mitigate this cybersecurity incident/alert. [See by Schindel, para. 0008-0009, As such, specifically for cybersecurity solutions,…receive an alert that lacks context and information which is presented in a manner which is machine readable but does not immediately convey context, does not provide a root cause, or indicate what, if at all, should be done to remediate, mitigate, and the like. It would therefore be advantageous to provide a solution that would overcome the challenges noted above.]
As per independent claim 11, independent claim 11 has the same scope as that of the independent claim 1. It is a computer program product version of the method claim 1. Thus, is rejected for the same reason/rationale as that of the above independent claim 1.
As per independent claim 21, independent claim 21 has the same scope as that of the independent claim 1. It is a system version of the method claim 1. Thus, is rejected for the same reason/rationale as that of the above independent claim 1.
The following is referring to dependent claims 2-4, 6, 9-10, 12-14, 16, 19-20, 22-24, 26 and 29-30:
As per dependent claim 2, the combination of Lurie and Schindel discloses the method/system as applied to claims above. Furthermore, Lurie discloses the method/system, wherein the plurality of network entities includes one or more of: one or more network devices; one or more computing devices; one or more network users; one or more services; one or more containers; one or more pods; and one or more virtual machines [Figure 1, ref. 110 and Para 0049, the computing environment 110 includes entities, such as resource and principals. A resource 114 is, for example, a hardware resource, a software resource, a computer, a server, a virtual machine, a serverless function, a software container, an asset, a combination thereof, and the like and a principal 112 is authorized to act on a resource 114. For example, in a cloud computing environment, a principal 112 is authorized to initiate actions in the cloud computing environment, act on the resource 114, and the like. The principal 112 is, according to an embodiment, a user account, a service account, a role, and the like]].
As per dependent claim 12, dependent claim 12 has the same scope as that of the dependent claim 2. It is a computer program product version of the method claim 2. Thus, is rejected for the same reason/rationale as that of the above dependent claim 2.
As per independent claim 22, dependent claim 22 has the same scope as that of the dependent claim 2. It is a system version of the method claim 2. Thus, is rejected for the same reason/rationale as that of the above dependent claim 2.
As per dependent claim 3, the combination of Lurie and Schindel discloses the method/system as applied to claims above. Furthermore, Lurie discloses the method/system, wherein the plurality of data sources includes one or more of: one or more content delivery network systems [para. 0053, SaaS provider 123 is implemented as a computing environment which provides software as a service, The SaaS provider 123 delivers cloud-based applications over the internet, enabling access to software without the need for local installation or management of infrastructure.]; one or more database activity monitoring systems; one or more user behavior analytics systems [Para. 0051, threat intelligence platforms (TIP) provide insights into emerging threats, while user and entity behavior analytics (UEBA) detect insider threats through behavioral analysis]; one or more mobile device management systems; one or more identity and access management systems [Para. 0073. AWS Identity and Access Management and Okta® provide two solutions (i.e., sources) of the same type (i.e., identity and access management services) from different sources]; one or more domain name server systems; one or more antivirus systems [Para. 0153 Compliance and Posture Check Results: Logs capture the results of compliance checks, such as whether the device met security requirements (e.g., latest OS patch, active antivirus]; one or more operating systems [Para. 0185, The collected data feeds into a centralized overview dashboard 1206, providing high-level, consolidated visualizations of asset discovery, asset types, operating systems, and software installations]; one or more data lakes [Para. 0073, a cybersecurity monitoring system, a ticketing system, a data lake, a business intelligence (BI) system]; one or more data logs [Para. 0153, Compliance and Posture Check Results: Logs capture the results of compliance checks]; one or more security-relevant software applications [para. 0051, application security monitoring tools focus on identifying vulnerabilities in applications and application programming interfaces (APIs)]; one or more security-relevant hardware systems [Para. 0180, CAASM platforms provide comprehensive visibility and control over an organization's complete asset landscape by consolidating and integrating data from various security and IT management tools into a unified, detailed inventory. This approach systematically identifies, categorizes, and manages all cyber assets, including hardware, software, cloud resources, IoT devices, and other critical resources]; one or more security information and event management (SIEM) systems[Para. 0051 security information and event management (SIEM) systems aggregate data from multiple sources to identify threat patterns]; and one or more resources external to the computing platform [para. 0051, external attack surface management (EASM) tools continuously monitor external assets to identify vulnerabilities that could be exploited by attackers].
As per dependent claim 13, dependent claim 13 has the same scope as that of the dependent claim 3. It is a computer program product version of the method claim 3. Thus, is rejected for the same reason/rationale as that of the above dependent claim 3.
As per independent claim 23, dependent claim 23 has the same scope as that of the dependent claim 3. It is a system version of the method claim 3. Thus, is rejected for the same reason/rationale as that of the above dependent claim 3.
As per dependent claim 4, the combination of Lurie and Schindel discloses the method/system as applied to claims above. Furthermore, Lurie discloses the method/system, further comprising: processing the one or more potential exposure situations to generate analysis data that concerns the one or more potential exposure situations [See at least claim 1, continuously evaluating harmonized data in the security knowledge graph to detect potential exposures based on predefined controls and graph traversal logic; generating a risk posture by aggregating exposure metrics associated with entities in the security knowledge graph, wherein the risk posture is dynamically updated in response to newly ingested data and para. 0182, AEM represents a specialized approach concentrating explicitly on managing and mitigating risks associated with exposed or vulnerable assets. While CAASM focuses broadly on comprehensive visibility, AEM specifically addresses assets known to have vulnerabilities or misconfigurations, thereby enabling targeted risk prioritization and actionable remediation. Key functionalities of AEM include identifying exposed or vulnerable assets, contextualizing exposure data to understand asset-specific risk profiles, prioritizing remediation efforts based on assessed risk levels, and reducing attack surfaces by effectively remediating high-risk assets].
As per dependent claim 14, dependent claim 14 has the same scope as that of the dependent claim 4. It is a computer program product version of the method claim 4. Thus, is rejected for the same reason/rationale as that of the above dependent claim 4.
As per independent claim 24, dependent claim 24 has the same scope as that of the dependent claim 4. It is a system version of the method claim 4. Thus, is rejected for the same reason/rationale as that of the above dependent claim 4.
As per dependent claim 6, the combination of Lurie and Schindel discloses the method/system as applied to claims above. Furthermore, Lurie discloses the method/system, further comprising: effectuating a remedial action based, at least in part, upon the analysis data that concerns the one or more potential exposure situations. [Abstract, Automated workflows trigger proactive remediation actions based on dynamically calculated exposure metrics. Para. 0039, The present disclosure automates remediation workflows, streamlining the process of addressing vulnerabilities, and features dynamic reporting and dashboards that offer real-time insights into security posture and team performance. Para.0181, Essential capabilities of CTEM include continuous scanning for vulnerabilities and emerging threats, prioritization of threats based on their potential impact and criticality, proactive measures for reducing risk exposure, and integration of efficient remediation workflows. In practice, CTEM empowers security teams to maintain continuous oversight of threat exposure, prioritize addressing high-risk vulnerabilities, and implement timely remediation actions]
As per dependent claim 16, dependent claim 16 has the same scope as that of the dependent claim 6. It is a computer program product version of the method claim 6. Thus, is rejected for the same reason/rationale as that of the above dependent claim 6.
As per independent claim 26, dependent claim 26 has the same scope as that of the dependent claim 6. It is a system version of the method claim 6. Thus, is rejected for the same reason/rationale as that of the above dependent claim 6.
As per dependent claim 9, the combination of Lurie and Schindel discloses the method/system as applied to claims above. Furthermore, Lurie discloses the method/system, wherein effectuating a remedial action based, at least in part, upon the analysis data that concerns the one or more potential exposure situations includes: autonomously executing a threat mitigation plan if the one or more potential exposure situations is deemed to be a severe threat level. [Para. 0156, 5-6. Generating Risk Scores and Priority Indicators: The security knowledge graph 902 can analyze the integrated log data to calculate risk scores for various entities, such as users, devices, and applications. For example, if multiple high-severity DLP events are logged for a particular user, the graph 902 can raise that user's risk score and visually represent it with indicators like “high-risk user.” Risk scores and priorities can be dynamically adjusted as new log data is ingested, helping security teams to focus on the most significant risks. (6) Automating Response Actions through Workflow Triggers: With the knowledge graph enriched by real-time log data, automated workflows can be triggered based on certain patterns or thresholds. For instance, if the graph 902 identifies a high-risk device with multiple malware detections, it could trigger a workflow to isolate the device from the network, alert the security team, and initiate additional scanning] Para. 0164, This approach gives security teams a dynamic, real-time view of risk that accounts for both policy enforcement and user behavior, enabling them to prioritize high-risk assets for remediation and improve overall security posture. Each finding highlights specific vulnerabilities and misconfigurations, allowing teams to prioritize and remediate high-risk exposures quickly]
As per dependent claim 19, dependent claim 19 has the same scope as that of the dependent claim 9. It is a computer program product version of the method claim 9. Thus, is rejected for the same reason/rationale as that of the above dependent claim 9.
As per independent claim 29, dependent claim 29 has the same scope as that of the dependent claim 9. It is a system version of the method claim 9. Thus, is rejected for the same reason/rationale as that of the above dependent claim 9.
As per dependent claim 10, the combination of Lurie and Schindel discloses the method/system as applied to claims above. Furthermore, Lurie discloses the method/system, further comprising: revising the network-wide consolidated entity data based, at least in part, upon the analysis data [Abstract, This unified data model normalizes, correlates, and contextualizes diverse cybersecurity information, enabling comprehensive and real-time assessment of an organization's cybersecurity risk posture and Para. 0008, By integrating these signals, the method generates a single object that reflects the combined data, which is then analyzed to determine the severity level of the threat and para 0124, Generate Insights: Automated queries and machine learning models generate insights, such as detecting anomalous access patterns or identifying relationships between vulnerabilities and high-value targets, which are flagged for immediate review. Para. 0008, By integrating these signals, the method generates a single object that reflects the combined data, which is then analyzed to determine the severity level of the threat]
As per dependent claim 20, dependent claim 20 has the same scope as that of the dependent claim 10. It is a computer program product version of the method claim 10. Thus, is rejected for the same reason/rationale as that of the above dependent claim 10.
As per independent claim 30, dependent claim 30 has the same scope as that of the dependent claim 10. It is a system version of the method claim 10. Thus, is rejected for the same reason/rationale as that of the above dependent claim 10.
9. Claims 5, 15 and 25 are rejected under 35 U.S.C. 103 as being unpatentable over Noam Sherr Lurie (herein after referred as Lurie) (US Publication No. 20250233884A1) (Earlies Priority Date: 02/28/2023) in view of Alon Schindel (herein after referred Schindel, US Pub. No. 2025/0077655 A1 which is a continuation of Patent No. 12/001,549, filed on Jan. 31, 2024) and further in view of Jason Crabtree (Crabtree)(US Publication No. 2022/0053013 A1 ) (Feb. 17, 2022).
As per dependent claim 5, the combination of Lurie and Schindel discloses the method/system as applied to claim 4 above. Furthermore, Lurie discloses the wherein processing the one or more potential exposure situations to generate analysis data that concerns the one or more potential exposure situations[See at least claim 1, continuously evaluating harmonized data in the security knowledge graph to detect potential exposures based on predefined controls and graph traversal logic; generating a risk posture by aggregating exposure metrics associated with entities in the security knowledge graph, wherein the risk posture is dynamically updated in response to newly ingested data and para. 0182, AEM represents a specialized approach concentrating explicitly on managing and mitigating risks associated with exposed or vulnerable assets. While CAASM focuses broadly on comprehensive visibility, AEM specifically addresses assets known to have vulnerabilities or misconfigurations, thereby enabling targeted risk prioritization and actionable remediation. Key functionalities of AEM include identifying exposed or vulnerable assets, contextualizing exposure data to understand asset-specific risk profiles, prioritizing remediation efforts based on assessed risk levels, and reducing attack surfaces by effectively remediating high-risk assets].
The combination of Lurie and Schindel doesn’t explicitly disclose the following underlined claim limitation: “the one or more potential exposure situations includes: determining a position and a history of any network user involved in the event”
However, Crabtree discloses the one or more potential exposure situations includes: determining a position [Abstract, and para. 0106, 0108 and figure 24-25, users /entities modeled as nodes in a network topology graph and the network topology meets the limitation postion ; method for network cybersecurity analysis that uses user and entity behavioral analysis combined with network topology information to provide improved cybersecurity. The system and method involve gathering network entity information, establishing baseline behaviors for each entity, and monitoring each entity for behavioral anomalies that might indicate cybersecurity concerns. Further, the system and method involve incorporating network topology information into the analysis by generating a model of the network, annotating the model with risk and criticality information for each entity in the model and with a vulnerability level between entities, and using the model to evaluate cybersecurity risks to the network. Para. 0106, FIG. 24 is a diagram showing how UEBA information may be associated with network topology. As described elsewhere herein, user and entity behavior analysis may be used to improve cybersecurity. This diagram shows an example of how such UEBA information may be associated with, or incorporated into, a representation of the network, so as to combine UEBA information with information about network topology. For each user and device for which UEBA information is collected, such information may be represented in a graph comprising nodes and edges, in a manner similar to the cyber-physical graph previously described. In this example, a user 2401 is represented by a node in the graph. The user is associated with three different devices 2402-2404, each of which is also represented by a node in the graph] and a history of any network user involved in the event [para. 0106 and abstract, where establishing behavioral baseline overtime meets the limitation “a history of any network user involved in the event”, The user 2401 is also associated with device 2404 for which there is some vulnerability (which may be known or unknown), such as vulnerability to phishing attacks wherein the user 2401 is persuaded to inadvertently install malware by opening an email attachment. The baseline behavior of the user's 2401 interaction with each device is established. In this simplified example, in a given week for each device 2402-2404, the user 2401 normally has seven logins, zero failed login attempts, mounts three USB devices, has one instance of risky web activity (e.g., visiting a website with a known risk of malware), and has zero instances of data exfiltration (e.g., moving or copying of data to an unauthorized location). The baseline data for each user/device interaction may be stored in, or associated with, the graph node for that device 2402-2404. Monitoring and measurement of those same user/device interactions can indicate instances of cybersecurity concern.]
Lurie, Schindel and Crabtree are analogous arts and are in the same field of endeavor as they all pertain and directed to detection and mitigation of threats by monitoring anomalous activities.
It would have been obvious to one having ordinary skill in the art, before the effective filing of the claimed invention, to modify the system of Lurie and Schindel by incorporating the step such as “determining a position and a history of any network user involved in the event” as taught by Crabtree because this would enhance the security of the system by improving exposure detection accuracy, reduce false positives and prioritizes remediation. [See Crabtree, para. 0107, Conversely, if the user 2401 is an executive-level employee with access to highly-sensitive information through the devices 2402-2404, anomalous user/device interaction behavior has a high risk of having a negative cybersecurity impact, and the user/device criticality may be very high, meaning that investigating even minor anomalous behavior is a high priority.]
As per dependent claim 15, dependent claim 15 has the same scope as that of the dependent claim 5. It is a computer program product version of the method claim 5. Thus, is rejected for the same reason/rationale as that of the above dependent claim 5.
As per independent claim 25, dependent claim 25 has the same scope as that of the dependent claim 5. It is a system version of the method claim 5. Thus, is rejected for the same reason/rationale as that of the above dependent claim 5.
10. Claims 7-8, 17-18 and 27-28 are rejected under 35 U.S.C. 103 as being unpatentable over Noam Sherr Lurie (herein after referred as Lurie) (US Publication No. 20250233884A1) (Earlies Priority Date: 02/28/2023) in view of Alon Schindel (herein after referred Schindel, US Pub. No. 2025/0077655 A1 which is a continuation of Patent No. 12/001,549, filed on Jan. 31, 2024) and further in view Satyendra Thakur (Thakur) (US Publication No. 20140331326 A1)
As per dependent claim 7, the combination of Lurie and Schindel discloses the method/system as applied to claim 6 above. Furthermore, Lurie discloses the wherein effectuating a remedial action based, at least in part, upon the analysis data that concerns the one or more potential exposure situations includes: autonomously executing a threat mitigation plan if the one or more potential exposure situations is deemed to be a severe threat level. [Para. 0156, 5-6. Generating Risk Scores and Priority Indicators: The security knowledge graph 902 can analyze the integrated log data to calculate risk scores for various entities, such as users, devices, and applications. For example, if multiple high-severity DLP events are logged for a particular user, the graph 902 can raise that user's risk score and visually represent it with indicators like “high-risk user.” Risk scores and priorities can be dynamically adjusted as new log data is ingested, helping security teams to focus on the most significant risks. (6) Automating Response Actions through Workflow Triggers: With the knowledge graph enriched by real-time log data, automated workflows can be triggered based on certain patterns or thresholds. For instance, if the graph 902 identifies a high-risk device with multiple malware detections, it could trigger a workflow to isolate the device from the network, alert the security team, and initiate additional scanning] Para. 0164, This approach gives security teams a dynamic, real-time view of risk that accounts for both policy enforcement and user behavior, enabling them to prioritize high-risk assets for remediation and improve overall security posture. Each finding highlights specific vulnerabilities and misconfigurations, allowing teams to prioritize and remediate high-risk exposures quickly]
The combination of Lurie and Schindel doesn’t explicitly disclose the following underlined claim limitation: “allowing the one or more potential exposure situations to continue if the one or more potential exposure situations is deemed to be a low threat level”
However, Thakur discloses “allowing the one or more potential exposure situations to continue if the one or more potential exposure situations is deemed to be a low threat level” [Para. 0068, the decisions whether to fix the vulnerability or to suppress or exempt the vulnerability may be made by a stakeholder, automatically by the VCA engine 110 based on one or more criteria (e.g., a previously denied remediation proposal or a particular threat security level), etc.Para. 0031, to keep the network 102 secure and to comply with compliance/governance SLAs, the risks may require some form of remediation. Based on information from the risk report, the VCA engine 110 may automatically create risk records 156 and associated remediation ticket(s) 158 (hereinafter ticket), which may include one or more tasks and Para. 0032, Remediation options may include suppression of vulnerabilities, exception/exemption (used interchangeably) of vulnerabilities, and/or fixing of vulnerabilities. Suppression refers to action taken when a scan has resulted in a false positive (e.g. the network scanner has incorrectly indicated that a particular vulnerability is present and this meets the limitation “low threat levels”. Exception refers to an election by a stakeholder to not fix a vulnerability at the present time or for some duration. Fixing of vulnerabilities may include any number of steps or tasks and may require only moments or may require many hours over multiple months to complete. Fixing of vulnerabilities may be an automated process, manual process, or a combination of the forgoing]
Lurie, Schindel and Thakur are analogous arts and are in the same field of endeavor as they all pertain and directed to detection and mitigation of threats by monitoring for anomalous activities.
It would have been obvious to one having ordinary skill in the art, before the effective filing of the claimed invention, to modify the system of Lurie and Schindel by incorporating the step such as “allowing the one or more potential exposure situations to continue if the one or more potential exposure situations is deemed to be a low threat level” as taught by Thakur because this would enhance the security of the system by mitigating the threat by applying or prioritizing remediation related to threat security levels. [Para. 0068, the decisions whether to fix the vulnerability or to suppress or exempt the vulnerability may be made by a stakeholder, automatically by the VCA engine 110 based on one or more criteria such as particular threat security level), by improving exposure detection accuracy, reduce false positives and prioritizes remediation. [See Crabtree, para. 0107, Conversely, if the user 2401 is an executive-level employee with access to highly-sensitive information through the devices 2402-2404, anomalous user/device interaction behavior has a high risk of having a negative cybersecurity impact, and the user/device criticality may be very high, meaning that investigating even minor anomalous behavior is a high priority.]
As per dependent claim 17, dependent claim 17 has the same scope as that of the dependent claim 7. It is a computer program product version of the method claim 7. Thus, is rejected for the same reason/rationale as that of the above dependent claim 7.
As per independent claim 27, dependent claim 27 has the same scope as that of the dependent claim 7. It is a system version of the method claim 7. Thus, is rejected for the same reason/rationale as that of the above dependent claim 7.
As per dependent claim 8, the combination of Lurie and Schindel discloses the method/system as applied to claim 6 above. Furthermore, Lurie discloses the wherein effectuating a remedial action based, at least in part, upon the analysis data that concerns the one or more potential exposure situations includes autonomously executing a threat mitigation plan if the one or more potential exposure situations is deemed to be a severe threat level. [Para. 0156, 5-6. Generating Risk Scores and Priority Indicators: The security knowledge graph 902 can analyze the integrated log data to calculate risk scores for various entities, such as users, devices, and applications. For example, if multiple high-severity DLP events are logged for a particular user, the graph 902 can raise that user's risk score and visually represent it with indicators like “high-risk user.” Risk scores and priorities can be dynamically adjusted as new log data is ingested, helping security teams to focus on the most significant risks. (6) Automating Response Actions through Workflow Triggers: With the knowledge graph enriched by real-time log data, automated workflows can be triggered based on certain patterns or thresholds. For instance, if the graph 902 identifies a high-risk device with multiple malware detections, it could trigger a workflow to isolate the device from the network, alert the security team, and initiate additional scanning] Para. 0164, This approach gives security teams a dynamic, real-time view of risk that accounts for both policy enforcement and user behavior, enabling them to prioritize high-risk assets for remediation and improve overall security posture. Each finding highlights specific vulnerabilities and misconfigurations, allowing teams to prioritize and remediate high-risk exposures quickly]
The combination of Lurie and Schindel doesn’t explicitly disclose the following underlined claim limitation: “the one or more potential exposure situations includes: “generating a potential exposure situation report for further review if the one or more potential exposure situations is deemed to be a moderate threat level”
However, Thakur discloses “generating a potential exposure situation report for further review if the one or more potential exposure situations is deemed to be a moderate threat level” [Abstract, system for automatically managing vulnerabilities may determine vulnerability data describing vulnerabilities in an information technology environment and then assign each vulnerability to a stakeholder for remediation. The system may receive a remediation proposal from the stakeholder, obtain approval for the remediation proposal, and facilitate remediation of the vulnerability based on the proposal and para. 0040, Regarding the exception or suppression processes, the VCA engine 110 may allow operational teams (i.e., teams and/or groups responsible for remediation of a risk/vulnerability) to create an online suppression or exception request to address a given vulnerability. The team may start the exception or suppression method (i.e., request for suppression/exception) from a remediation ticket, risk record, etc., using the system. For instance, from the remediation ticket (e.g., see FIG. 7), a stakeholder may change the state to “suppression” or “exception.” This can open the suppression or exception-related fields on a remediation form (e.g., see FIG. 10). Once these fields are completed, the VCA engine 110 may send the form to the appropriate group for review (e.g., approval). The exception or suppression processes may require approval from a single group or different groups (see or refer to FIG. 6 for details and Para. 0068, the decisions whether to fix the vulnerability or to suppress or exempt the vulnerability may be made by a stakeholder, automatically by the VCA engine 110 based on one or more criteria such as particular threat security level which broadly meets one of the limitation “low, medium/moderate or high threat levels. and Para. 0008, By integrating these signals, the method generates a single object that reflects the combined data, which is then analyzed to determine the severity level of the threat and para 0124, Generate Insights: Automated queries and machine learning models generate insights, such as detecting anomalous access patterns or identifying relationships between vulnerabilities and high-value targets, which are flagged for immediate review]
Lurie, Schindel and Thakur are analogous arts and are in the same field of endeavor as they both pertain and directed to detection and mitigation of threats by monitoring for anomalous activities.
It would have been obvious to one having ordinary skill in the art, before the effective filing of the claimed invention, to modify the system of Lurie and Schindel to incorporate the step such as “generating a potential exposure situation report for further review if the one or more potential exposure situations is deemed to be a moderate threat level” as taught by Thakur because this would enhance the security of the system by mitigating the threat by applying or prioritizing remediation related to threat security levels. [Para. 0068, the decisions whether to fix the vulnerability or to suppress or exempt the vulnerability may be made by a stakeholder, automatically by the VCA engine 110 based on one or more criteria such as particular threat security level]
As per dependent claim 18, dependent claim 18 has the same scope as that of the dependent claim 8. It is a computer program product version of the method claim 8. Thus, is rejected for the same reason/rationale as that of the above dependent claim 8.
As per independent claim 28, dependent claim 28 has the same scope as that of the dependent claim 8. It is a system version of the method claim 8. Thus, is rejected for the same reason/rationale as that of the above dependent claim 8.
Conclusion
11. The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
A. US Pub. No. 2025/0350628 A1, Murphy discloses, “Threat Mitigation System and Method”, particularly using Artificial Intelligence/Machines Learning Overview [See at least figure 2 and para. 0068]
B. US Publication No. 20250342184-A1 Wu discloses “System for surveying security environments” A prompt associated with the content system may be generated based on the entries, the data sources, or the question. Query models may be employed to obtain data associated with the question from the data sources. Other prompts may be generated based on the data from the data sources to generate candidate answers based on the question and the data from the data sources. An evaluation prompt that includes the candidate answers and the question may be generated to rank the candidate answers for correctness. Answers may be determined based on the ranking of the candidate questions such that top ranked candidate answers are provided to the client.
C. US Patent No. 12488134-B2 Pasumarthi discloses data security in Large Models, the method teaches receiving a prompt query entered through a user interface, extracting a plurality of named entities from the prompt query and classifying the plurality of named entities into respective entity classes, tagging the plurality of named entities to be security compliant or security noncompliant based on the respective entity classes, and responsive to finding that one or more named entities are tagged to be security noncompliant, generating an alert on the user interface
D. See the other cited prior arts.
12. Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SAMSON B LEMMA whose telephone number is 571-272-3806. The examiner can normally be reached on M-F 8am-10pm.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor Yin-Chen Shaw can be reached on 571-272-8878. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
/SAMSON B LEMMA/Primary Examiner, Art Unit 2498