DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
1. This is in response to communication filed on 2/20/25 in which claims 1-3 and 4-15 are pending.
Response to Arguments
2. Applicant's arguments filed 2/20/25 have been fully considered but they are not persuasive.
Claim Rejections - 35 USC § 101
Applicant’s arguments, see pages 9-19, filed 11/25/2025, with respect to claims 1-3, 5-15 have been fully considered and are persuasive. The rejections under 35 USC § 101 of claims 1-3, 5-15 has been withdrawn.
Claim Rejections - 35 USC § 102
Applicant’s representative argues that asserts that a vulnerability identification 402 of Serrano unit maps to the claimed exploitability classifier of feature (1: an exploitability classifier for determining an exploitability level for a vulnerability) and on page 6, vulnerability identification 402 of Serrano is also mapped to the claimed vulnerability classifier. However, Serrano clearly teaches an exploitability classifier for determining an exploitability level for a vulnerability (See paragraph [0063], vulnerabilities within the software application modules are identified Step 402 may be performed by the vulnerability identification unit 14). Furthermore, the claimed “vulnerability classifier” is recited in the teaching of Serrano on paragraph wherein “each vulnerability is assigned a severity, e.g., one of low, medium, and high” (See paragraph [0063]), thus assigning a classification/severity to each vulnerability. Applicant’s representative is reminded that a recitation of the intended use of the claimed invention must result in a structural difference between the claimed invention and the prior art in order to patentably distinguish the claimed invention from the prior art. If the prior art structure is capable of performing the intended use, then it meets the claim.
Furthermore, Applicant’s representative argues that “the Office Action alleges that the function "a process and tool that will intelligently learn how to optimize prioritization efforts" of Serrano (see, e.g., paragraph [0042]) maps to one or more machine learning models”. However, Serrano clearly teaches a tool that will intelligently learn how to optimize prioritization efforts in order to secure application code in the most efficient way (See paragraph [0042]). Applicant’s arguments do not clearly point out the patentable novelty which he or she thinks the claims present in view of the state of the art disclosed by the references cited or the objections made. Applicant’s argument does not present any distinction between the machine learning models of the claimed invention and the intelligent tool of the Serrano. One with ordinary skill in the can confidently equate the intelligent tool of Serrano to a machine learning model trained on data to recognize patterns and make predictions, therefore intelligently trained to optimize prioritization efforts.
Furthermore, Applicant’s representative argues that “with respect to feature (4: an intelligence feed), the Office Action alleges that the function "a process and tool that will intelligently learn how to optimize prioritization efforts" of Serrano (see, e.g., paragraph [0042]) maps to an intelligence feed. However, Serrano clearly teaches “the groups of vulnerabilities may be further established as a function of similar patterns in the software application modules. For example, a group may be established based on similar patterns in an associated root cause and/or a suggested or recommended remediation action”(See paragraph [0055]). Furthermore, Serrano clearly teaches “a historical database or knowledge base 24 of known vulnerabilities and known associated remedial actions. The vulnerability correlation index generation unit may assign the recommended vulnerability remediation effort to each identified vulnerability as a function of the historical database 24 of known vulnerabilities” (See paragraph [0056]). One with ordinary skill in the art can confidently conclude that the teaching of patterns, historical database and knowledge base of Serrano clearly equate the intelligence feed of the claimed invention.
Claim Rejections - 35 USC § 102
3. In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.
4. Claims 1-3, 5-7, 9-14 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by U.S. Publication No. 2016/0217288 to Serrano et al.
a. As per claim 1, Serrano et al teaches a security tool comprising: a vulnerability classifier for classifying vulnerabilities based on an assessment report (See paragraph [0066]), the vulnerability classifier implemented on one or more processors;
an exploitability classifier for determining an exploitability level for a vulnerability of a list of vulnerabilities of the assessment report based on data of an intelligence feed (See paragraph [0051, 0063, 0094, 0096], vulnerabilities within the software application modules are identified Step 402 may be performed by the vulnerability identification unit) wherein: the exploitability classifier is communicatively coupled to the vulnerability classifier and implemented on the one or more processors (See paragraph [0061, 0063, 0094 and 0096]); and determining the exploitability level for the vulnerability of the list of vulnerabilities includes applying one or more machine learning models to identify the one or more commonalities of the vulnerability with the data of the intelligence feed; (See paragraph [0030], analyze the software application and identify any vulnerabilities. Historical vulnerabilities and recommended remediation efforts may be stored in a knowledge base, [0042] providing a process and tool that will intelligently learn how to optimize prioritization efforts in order to secure application code in the most efficient way); a risk classifier for calculating an overall risk level for a computer application associated with the vulnerability of the list of vulnerabilities based on an impact score for the computer application (See paragraph [0044 and 0048]), the risk classifiers communicatively coupled to the exploitability classifier and implemented on the one or more processors; and a remediation prioritizer to determine an order of remediation for the computer application and to generate a remediation prioritization report including the order of remediation, the remediation prioritizer implemented on the one or more processors (See paragraph [0053, 0065, 0094. 0096], a prioritized list of remediation efforts aimed at mitigating the identified vulnerabilities is generated as a function of the identified vulnerabilities and the severity assigned to each identified vulnerability).
b. As per claim 9, Serrano et al teaches a method comprising: classifying, via a vulnerability classifier implanted on one or more processors, vulnerabilities based on an assessment report (See paragraph [0066, 0032, 0094, 0096]); determining, via an exploitability classifier communicatively coupled to the vulnerability classifier and implemented on the one or more processors an exploitability level for a vulnerability of a list of vulnerabilities based on data of an intelligence feed (See paragraph [0051 and 0063], vulnerabilities within the software application modules are identified Step 402 may be performed by the vulnerability identification unit), wherein determining the exploitability level for the vulnerability of the list of vulnerabilities includes analyzing, using one or machine learning models, the vulnerability of the list of vulnerabilities to determine whether the vulnerability includes one more commonalities with the data of the intelligence feed (See paragraph [0030], analyze the software application and identify any vulnerabilities. Historical vulnerabilities and recommended remediation efforts may be stored in a knowledge base [0042], providing a process and tool that will intelligently learn how to optimize prioritization efforts in order to secure application code in the most efficient way); calculating, via a risk classifier communicatively coupled to the exploitability classifier and implemented on the one or more processors, an overall risk level for a computer application associated with the vulnerability of the list of vulnerabilities based on an impact score for the computer application (See paragraph 0044 and 0048]); and determining, via a risk classifier communicatively coupled to the exploitability classifier and implemented on the one or more processors, an order of remediation for the computer application; and generating a remediation prioritization report including the order of remediation for the computer application (See paragraph [0053, 0065, 0094, 0096], a prioritized list of remediation efforts aimed at mitigating the identified vulnerabilities is generated as a function of the identified vulnerabilities and the severity assigned to each identified vulnerability).
c. As per claims 2 and 10, Serrano et al teaches the claimed invention as described above. Furthermore, Serrano et al teaches wherein the list of vulnerabilities includes a severity score for the vulnerability of the list of vulnerabilities (See paragraph [0051-0052 and 0063], each vulnerability is assigned a severity, e.g., one of low, medium, and high).
d. As per claim 3, Serrano et al taches the claimed invention as described above. Furthermore, Serrano et al teaches wherein determining the exploitability level for the vulnerability of the list of vulnerabilities comprises: analyzing the vulnerability of the list of vulnerabilities to determine whether the vulnerability includes one or more commonalities of the vulnerability with the data of the intelligence feed (See paragraph [0007 and 0010], The actionable intelligence may include a list or groupings of the vulnerabilities ranked based on severability, type, and/or location); and generating the exploitability level for the vulnerability of the list of vulnerabilities based on a result of the analysis (See paragraph [0010]).
f. AS per claims 5 and 12, Serrano et al teaches the claimed invention as described above. Furthermore, Serrano et al teaches wherein determining the exploitability level for the vulnerability of the list of vulnerabilities further comprises: generating an attack possibility matrix based on the result of the analysis (See fig 6 and paragraph [0052])) ; and generating the exploitability level for the vulnerability of the list of vulnerabilities based on at least one of the attack possibility matrix, a modified severity score, or a combination thereof (See fig 6 and paragraph [0052).
g. As per claims 6 and 13, Serrano et al teaches the claimed invention as described above. Furthermore, Serrano et al teaches further comprising determining the modified severity score based on a remote code execution indicator for the vulnerability of the list of vulnerabilities, a privilege escalation indicator for the vulnerability of the list of vulnerabilities, or a combination thereof (See paragraph [0044 and 0079]).
h. AS per claim 7 and 14, Serrano et al teaches the claimed invention as described above. Furthermore, Serrano et al teaches wherein the data of the intelligence feed comprises an internal threat data intelligence feed, an external threat data intelligence feed, or a combination thereof (See paragraph [0042 and 0062]).
e. As per claims 11, Serrano et al taches the claimed invention as described above. Furthermore, Serrano et al teaches wherein generate the exploitability level for the vulnerability of the list of vulnerabilities based on a result of the analysis. (See paragraph [0007).
Claim Rejections - 35 USC § 103
5. In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
6. Claims 8 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. Publication No. 2016/0217288 to Serrano et al in view of U.S. Publication No. 2006/0041891 to Aaron.
a. As per claims 8 and 15, Serrano et al teaches the claimed invention as described above. However, Serrano et al fails to teach wherein the impact score for the computer application comprises a confidentiality score, an integrity score, an availability score, or a combination thereof.
Aaron teaches wherein the impact score for the computer application comprises a confidentiality score, an integrity score, an availability score, or a combination thereof (See paragraph [0060]).
It would have been obvious to one with ordinary skill in the art to incorporate the teaching of Aaron in the claimed invention of Serrano in order to provide various maintenance and support functions which aid the providing of services to the user and/or the providing of security features.
Conclusion
7. The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
U.S. Publication No. 2023/0208870 to Yellapragada et al teaches System and Method for Predictive Analysis Potential Attack Patterns Based on Contextual Security Information
8. THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
9. Any inquiry concerning this communication or earlier communications from the examiner should be directed to DJENANE BAYARD whose telephone number is (571)272-3878. The examiner can normally be reached 9-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, John Follansbee can be reached on (571)272-3964. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/DJENANE M BAYARD/Primary Examiner, Art Unit 2444