AUTOMATED RESPONSE TO COMPUTER VULNERABILITIES

Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Status of Claims 2. This Office Action is issued in response to the Amendment filed on 10/03/2025. Claims 1, 6-7, and 10-12 are pending in this Office Action. Claims 11-12 have been amended. Claims 2-5 and 8-9 have been cancelled. Response to Arguments 3. a. Previous drawing objection has been maintained because drawing filed on 10/03/2025 still has typo “atacks” in box 320 of Fig.3. It should be “attacks”. b. Previous objections to claims 11 and 12 have been withdrawn in response to claim amendments. c. Applicant’s arguments regarding 35 U.S.C. § 103 Claim Rejections have been fully considered but they are not persuasive. Applicant argues that Jadhav does not disclose an actual attack and “there is no impact in Shakarian Jadhav to assess.” Applicant appears to argue that Jadhav does not teach “an impact module to responsive to detecting an attack comprising a relevant CVE notification including a CVE-ID, determine impact on one or more network assets affected by the CVE based on the asset profiles, wherein the impact is either low impact, high impact and blocked, or high impact and unblocked.” The Examiner respectfully disagrees. As cited in page 6 of Office Action dated 04/03/225, Jadhav discloses in Figs. 19 and 20 with associated text: CVE-2017-0283-CVE-ID which represents attack that has been happened and detected and paragraphs [0062]-[0063]: “software product vulnerabilities can be found by matching a software product's CPE to one or more CPE(s) that are impacted by a CVE.” It is logical that in a matching process, the result is at least either match or no match. It is obvious that when there is no match of a software product's CPE to one or more CPE(s) that are impacted by a CVE, the software is not affected/vulnerable by the CVE and it is obvious and a designer’s choice to consider the software product that is not affected/vulnerable by the CVE as being low impact. Therefore, Jadhav does teach attack as well as impact and the previous rejections have been maintained. Drawing Objection 4. Fig. 3 filed on 10/03/2025 is objected to under 37 CFR 1.83(a) because of typo “atacks” in box 320 which should be “attacks”. Corrected drawing sheets in compliance with 37 CFR 1.121(d) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. The figure or figure number of an amended drawing should not be labeled as “amended.” If a drawing figure is to be canceled, the appropriate figure must be removed from the replacement sheet, and where necessary, the remaining figures must be renumbered and appropriate changes made to the brief description of the several views of the drawings for consistency. Additional replacement sheets may be necessary to show the renumbering of the remaining figures. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be notified and informed of any required corrective action in the next Office action. The objection to the drawings will not be held in abeyance. Claim Rejections - 35 USC § 103 5. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. 6. Claims 1, 6-7 and 11-12 are rejected under 35 U.S.C. 103 as being unpatentable over Jadhav et al. (US 20230244791 A1), hereinafter “Jadhav”. Regarding claim 1, Jadhav discloses a gateway device (Fig. 1 with associated text: cbom platform 101), coupled to a plurality of network assets on a private network (Fig. 1 with associated text: medical devices 102, 103, 104, and 105) and coupled to a public data communication network (Fig. 1 with associated text: Public Data Sources 106), for automatically assessing impact of attacks on the network assets from the public data communication network (abstract), the gateway device comprising: a processor (Fig. 22 with associated text: processing unit(s) 2203); a communication interface, communicatively coupled to the data communication network (Fig. 22 with associated text: bus 2216); and a memory (Fig. 22 with associated text: HDD 2211 and/or ROM 2210), communicatively coupled to the processor and storing: a CPE (common platform enumerations) module to identify and categorize according to a CPE format each of the plurality of network assets on the private network for storage in a device inventory database, and to generate an asset profile for each of the plurality of network assets (Fig. 21 with associated text: common platform module 2105- common platform enumerations module, paragraphs [0046], [0049]-[0052]. [0057]-[0058], and [0082]-[0083]: generating characteristic of medical device-asset profile- according to CPE format); a CVE (common vulnerabilities exposures) [module] to monitor and categorize attacks on the plurality of assets related to each of the identified CPEs according to a CVE format, and determine whether the CVE format is relevant against the asset profiles (paragraphs [0062]-[0063]); an impact module to responsive to detecting an attack comprising a relevant CVE notification including a CVE-ID, determine impact on one or more network assets affected by the CVE based on the asset profiles, wherein the impact is either low impact, high impact and blocked, or high impact and unblocked (Figs. 19 and 20 with associated text: CVE-2017-0283-CVE-ID and paragraphs [0062]-[0063]: “software product vulnerabilities can be found by matching a software product's CPE to one or more CPE(s) that are impacted by a CVE.” It is logical that in a matching process, the result is either match or no match. It is obvious that when there is no match of a software product's CPE to one or more CPE(s) that are impacted by a CVE, the software is not affected/vulnerable by the CVE and it is obvious and a designer’s choice to consider the software product as being low impact); and a security action [module] to take security action based on the impact (paragraphs [007]-[0071] and [0079]: security action to correct identified vulnerability). Jadhav does not explicitly disclose a CVE module, an impact module and a security action module. However, Jadhav discloses “The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of instructions, which comprises one or more executable instructions for implementing the specified logical functions. In some alternative implementations, the functions noted in the block may occur out of the order noted in the figures.” Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to apply Jadhav’s teachings in different modules performing specific functions of choice to have a CVE module, an impact module and a security action module and the motivation is to make the system easier to manage and repair, which is an advantage of an integrated system. Regarding claim 6, Jadhav discloses the gateway device of claim 1, wherein the impact is determined as low impact if the asset profile was not vulnerable to the CVE-ID (From claim 1, when there is no match of a software product's CPE to one or more CPE(s) that are impacted by a CVE, the software is not affected/vulnerable by the CVE and it obvious and a designer’s choice to consider the software product as being low impact). Regarding claim 7, Jadhav discloses the gateway device of claim 1, wherein the impact is determined as high impact if the asset profile is determined to be vulnerable to the CVE-ID (From claim 1, when there is a match of a software product's CPE to one or more CPE(s) that are impacted by a CVE, the software product is affected/vulnerable by the CVE and it obvious and a designer’s choice to consider the software product as being high impact). Claims 11-12 disclose similar subject matter to claim 1; therefore, they are rejected at least for the same reasons as claim 1. 7. Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over Jadhav et al. (US 20230244791 A1), hereinafter “Jadhav” in view of Cavallaro Corti et al. (US 20220217173 A1), hereinafter “Cavallaro Corti”. Regarding claim 10, Jadhav discloses the gateway device of claim 1, wherein the CPE format comprises one value for application, hardware, or operating system, and one or more values for vendor, product, version, update and edition (paragraphs [0046], [0065], and [0067]: CPE information includes hardware, vendor, product, and version). Jadhav does not explicitly disclose but Cavallaro Corti discloses CPE format comprises one or more values for update and edition (Cavallaro Corti, paragraph [0089]: “The following name attributes are part of the CPE format: part, vendor, product, version, update, edition, language, software edition, target software, target hardware.”) Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Jadhav’s teaching of utilizing asset information with CPE format including hardware, vendor, product, and version with Cavallaro Corti’s teaching of CPE format includes update and edition to have predictable results of the CPE format comprises one value for application, hardware, or operating system, and one or more values for vendor, product, version, update and edition. . Prior Art of Record 8. The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure: see attached PTO-892 Notice of References Cited. Conclusion 9. THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to THANH T. LE whose telephone number is (571)270-0279. The examiner can normally be reached on Monday-Friday 8:00 am - 4:30 pm. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /THANH T LE/Primary Examiner, Art Unit 2495