Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Amendments
The amendments to claim 1 have overcome the 112(f) rejection.
Applicant’s arguments have been fully considered. However, upon further consideration, a new ground(s) of rejection is made in view of Bhatia (US 20200272741 A1) in view of Wu (US 11916767 B1) based on the new amendments to claims 1, 15, and 18.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-4, 8-18 are rejected under 35 U.S.C. 103 as being unpatentable over Mir (US 20090083695 A1) in view of CHAN (US 20240411666 A1) in view of Kuan (US 20240362409 A1) and in view of Mooney (US 20220207140 A1) and in view of Bhatia (US 20200272741 A1) in view of Wu (US 11916767 B1).
Regarding claim 1, Mir teaches a system for continuous automated threat modeling based on prompt engineering using large language models, the system comprising:
a threat modeling engine configured to ingest an application profile, a workload context, and a software template (Para [0082]. Claim 1. Claim 3. Claim 10. Claim 12: a threat analysis model for a software application comprising: defining the software application, wherein attributes and rules relating to the software application are determined; providing information associated with the software application, stored as threat analysis data; generating the threat analysis model based on the attributes, the rules, and information. Wherein the rules are based on one or more of the following: the attributes of the software application, technology used for the software application, coding language used for the software application, and platform of the software application.),
wherein the threat modeling engine generates a threat model after ingesting the application profile, the workload context, and the software template (Para [0082]. Claim 1. Claim 3. Claim 10. Claim 12: a threat analysis model for a software application comprising: defining the software application, wherein attributes and rules relating to the software application are determined; providing information associated with the software application, stored as threat analysis data; generating the threat analysis model based on the attributes, the rules, and information. Wherein the rules are based on one or more of the following: the attributes of the software application, technology used for the software application, coding language used for the software application, and platform of the software application.); and
a continuous automation module, wherein the continuous automation module retrieves the threat prompt and performs a security assessment of the threat prompt (Para [0103]: the verification of the threat model can be initiated. The threat model can be retrieved from the TAM repository 102. Once the application is developed at the develop phase 508, the application can undergo extensive tests, at this phase the threat model is verified to ensure the threat model has been successful in implementing the recommended countermeasures. The verification state of an application task list is inferred. Any unsuccessful implementation of the task items listed in an ATL. The TAM repository 102 can execute an automated process to analyze the bugs against the application and infer their association with the task items in the ATL. The process of verifying the correct implementation of identified task items can be derived by analyzing the bugs.).
wherein the continuous automation module is configured to:
retrieve the threat prompt (Para [0103]: the verification of the threat model can be initiated. The threat model can be retrieved from the TAM repository 102. At this phase the threat model is verified to ensure the threat model has been successful in implementing the recommended countermeasures.);
perform the security assessment continuously and automatically (Para [0103]: the verification of the threat model can be initiated. The threat model can be retrieved from the TAM repository 102. Once the application is developed at the develop phase 508, the application can undergo extensive tests, at this phase the threat model is verified to ensure the threat model has been successful in implementing the recommended countermeasures. The TAM repository 102 can execute an automated process to analyze the bugs against the application and infer their association with the task items in the ATL.);
generate threat reports based on the continuous security assessment (Para [0103]: the verification of the threat model can be initiated. The threat model can be retrieved from the TAM repository 102. Once the application is developed at the develop phase 508, the application can undergo extensive tests, at this phase the threat model is verified to ensure the threat model has been successful in implementing the recommended countermeasures. The verification state of an application task list is inferred. Any unsuccessful implementation of the task items listed in an ATL. The TAM repository 102 can execute an automated process to analyze the bugs against the application and infer their association with the task items in the ATL. The process of verifying the correct implementation of identified task items can be derived by analyzing the bugs.);
Mir does not explicitly disclose a threat prompt generator comprising a prompt generation pipeline, wherein the prompt generation pipeline is integrated with a large language model and generates a threat prompt, wherein the threat prompt is based off a configuration, a threat taxonomy; (perform an action) with the large language model; a code generator configured to automatically generate remediation code based on vulnerability predictions from the large language model; (perform an action) from the threat prompt generator.
Chan teaches a threat prompt generator comprising a prompt generation, wherein the prompt generation is integrated with a large language model and generates a threat prompt (Fig. 1. Para [0030]-[0032]. Para [0072]: the prompt generator generates a prompt for the large language model (block 610). The prompt includes the vulnerable source code snippet, instructions, the type of software vulnerability, and a few-shot examples (block 610). The prompt is input to the large language model (block 612) and a response is received from the large language model (block 614). Wherein the prompt generator pipeline is when the classifier model identifies vulnerability, the prompt generator 106 generates a prompt 123 for the large language model 110 which includes the source code snippet 116 having the identified vulnerability type and a few-shot examples and The large language model 110 provides a response 124.), wherein the threat prompt is based off a configuration, a threat taxonomy (Para [0028]. Para [0031]: the classifier model (threat taxonomy) is trained to determine the location of the software vulnerability and to identify the type of vulnerability. A few-shot example consists of a source code snippet having an identified software vulnerability type and token positions in the source code snippet identified as being associated with the software vulnerability type.);
(perform an action) with the large language model (Para [0032]: the large language model 110 provides a response 124.);
a code generator configured to automatically generate remediation code based on vulnerability predictions from the large language model (Para [0033]. [0073]: If the response from the large language model indicates a vulnerability (block 616—yes), then repair code may be generated for the vulnerable source code snippet (block 618) and output in the target system with the vulnerability prediction (block 620). The vulnerability repair engine is a deep learning model trained on source code to generate repaired code. The repaired code corrects the vulnerability in the source code snippet. In the decoder-only configuration, the model generates the repaired code as an autoregression task, predicting each token of the repaired code one at a time based on the preceding tokens of the repaired code.);
(perform an action) from the threat prompt generator (Para [0072]: the prompt generator generates a prompt for the large language model (block 610).).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Mir with the teachings of CHAN to include a threat prompt generator comprising a prompt generation, wherein the prompt generation is integrated with a large language model and generates a threat prompt, wherein the threat prompt is based off a configuration, a threat taxonomy; (perform an action) with the large language model; a code generator configured to automatically generate remediation code based on vulnerability predictions from the large language model; (perform an action) from the threat prompt generator in order to identify the type of vulnerability to improve regulatory compliance (CHAN Para [0031]).
Mir in view of CHAN does not explicitly disclose generation pipeline.
Kuan teaches generation pipeline (Para [0050]-[0051]: prompt generation model processing pipeline of a model training system 302.).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Mir in view of CHAN prompt generator such that it utilizes pipelining technique as taught by Kuan such that the prompt generator comprises a prompt generation pipeline. One of ordinary skill in the art would have been motivated to do so because pipelining is a technique commonly used in the art which allows multiple tasks or instructions to be processed simultaneously, which increases the system’s throughput without reducing the time it takes for a single task to complete. Use of pipelining technique in CHAN prompt generator as proposed would increase the throughput of the threat prompt generator.
Mir in view of CHAN in view of Kuan does not explicitly disclose (Perform an action) annotated threat from a threat data annotator.
Mooney does disclose (Perform an action) annotated threat from a threat data annotator (Para [0050]: as the program code infers one or more threat model elements, the program code can annotate the artifact such that the program code can identify these elements moving forward, should the program code analyze the artifact at a later time.).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Mir in view of CHAN in view of Kuan with the teachings of Mooney to include (Perform an action) annotated threat from a threat data annotator in order to identify the threat and analyze it to improve security (Mooney Para [0050]).
Mir in view of CHAN in view of Kuan and in view of Mooney does not explicitly disclose a policy generator integrated and configured to automatically generate security policies based on identified threats; automatically and continuously (perform an action) on a real-time basis; (Perform an action) automatically at regular intervals; (Perform an action) in real-time based on current threat intelligence data.
Bhatia teaches a policy generator integrated and configured to automatically generate security policies based on identified threats (Para [0112]: FIG. 14 is a flowchart outlining an example operation of the ARA with regard to automatic generation of new STEM rules in response to newly identified threats.);
automatically and continuously (perform an action) on a real-time basis (Para [0059]. Para [0105]: automatically generating new STEM rules, and train a machine learning model, such as a Recurrent Neural Network (RNN), to generate automated rules based on specific threat intelligence and learning of rule components that correspond to threat characteristics. The operation of the ARA 100 to perform generation of new rules to address new threats, may be performed in a continuous or periodic manner.);
(Perform an action) automatically at regular intervals (Para [0105]: the operation of the ARA 100 to perform generation of new rules to address new threats, may be performed in a continuous or periodic manner, in response to an event, in response to the expiration of a predetermined time period, in response to a new threat information being received by the ARA, in response to a new standard rule being added to the standard rules repository 150, or any other trigger event, request, or condition.);
(Perform an action) in real-time based on current threat intelligence data (Para [0095]. Para [0106]: the ARA 100 comprises a rule decomposition engine 120 and rule generation engine 122 to provide logic that is configured to perform operations for generating new STEM rules in response to threat intelligence indicating new threats that may be potentially encountered by computing resources in the enterprise computing environment 130. Furthermore, the illustrative embodiments provide mechanisms for automatically generating new STEM rules in response to newly identified threats on a dynamic basis.)
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Mir in view of CHAN in view of Kuan and in view of Mooney with the teachings of Bhatia to include a policy generator integrated and configured to automatically generate security policies based on identified threats; automatically and continuously (perform an action) on a real-time basis; (Perform an action) automatically at regular intervals; (Perform an action) in real-time based on current threat intelligence data in order to identify new threats and analyze them to increase security (Bhatia Para [0105]).
Mir in view of CHAN in view of Kuan and in view of Mooney in view of Bhatia does not explicitly disclose a prompt template; wherein the threat prompt generator further comprises: a prompt template composer configured to dynamically compose threat prompt templates; wherein the prompt generation pipeline queries and trains the large language model iteratively using feedback from prior threat assessments performed by the system, wherein outputs from the large language model's vulnerability predictions are fed back as training input to improve subsequent threat assessments.
Wu discloses a prompt template (Col 29 lines 1-18, FIG. 12: at block 1202, in one or more of the various embodiments, analysis engines may be arranged to determine a prompt template based on a prompt type or target agent.);
wherein the threat prompt generator further comprises (Col 29 lines 1-18, FIG. 12: analysis engine 402.):
a prompt template composer configured to dynamically compose threat prompt templates (Col 29 lines 1-18, FIG. 12: at block 1202, in one or more of the various embodiments, analysis engines may be arranged to determine a prompt template based on a prompt type or target agent.);
wherein the prompt generation pipeline queries and trains the large language model iteratively using feedback from prior threat assessments performed by the system (Col 29 lines 50-59: the particular prompt template that may be determined may change as analysis engines gain more experience or exposure to events that occur in a given environment. For example, in some embodiments, as historical information may be collected about an organization's networking environment, prompt template selection may change based on subsequent training sessions, learning based on real-time observation of the system in production.), wherein outputs from the large language model's vulnerability predictions are fed back as training input to improve subsequent threat assessments (Claim 1: wherein the modified prompt is provided to the LLM to generate another response; determining one or more other portions of the other response based on the one or more prompt fragments, wherein each determined other portion of the other response corresponds to a prompt fragment; comparing each determined other portion of the response to the expected classification of each synthetic event; and updating the performance score for each prompt fragment based on the comparison; and employing the modified prompt to retrain the LLM to execute one or more other actions and classify one or more other events.).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Mir in view of CHAN in view of Kuan and in view of Mooney in view of Bhatia with the teachings of Wu to include a prompt template; wherein the threat prompt generator further comprises: a prompt template composer configured to dynamically compose threat prompt templates; wherein the prompt generation pipeline queries and trains the large language model iteratively using feedback from prior threat assessments performed by the system, wherein outputs from the large language model's vulnerability predictions are fed back as training input to improve subsequent threat assessments in order to improve model performance and reliability.
Regarding claim 2, Mir in view of CHAN in view of Kuan and in view of Mooney in view of Bhatia in view of Wu teaches the system as claimed in claim 1, further comprising a threat artifact generator in communication with the threat modeling engine (Mooney Para [0005]. Para [0035]: generating, by the one or more processors, a threat model for the given computing system, based on consolidating the elements of the threat model for the artifact with additional elements of the threat models of additional artifacts.).
Regarding claim 3, Mir in view of CHAN in view of Kuan and in view of Mooney in view of Bhatia in view of Wu teaches the system as claimed in claim 1, wherein the annotated threat configuration comprises a third-party threat intelligence program (Mooney Para [0005]. Para [0035]: generating, by the one or more processors, a threat model for the given computing system, based on consolidating the elements of the threat model for the artifact with additional elements of the threat models of additional artifacts.).
Regarding claim 4, Mir in view of CHAN in view of Kuan and in view of Mooney in view of Bhatia in view of Wu teaches the system as claimed in claim 1, wherein the continuous automation module further comprises a code generator in communication with the large language model (CHAN Para [0072]-[0073]: the prompt is input to the large language model (block 612) and a response is received from the large language model (block 614). If the response from the large language model indicates a vulnerability (block 616—yes), then repair code may be generated for the vulnerable source code snippet (block 618) and output in the target system with the vulnerability prediction (block 620).).
Regarding claim 8, Mir in view of CHAN in view of Kuan and in view of Mooney in view of Bhatia in view of Wu teaches the system as claimed in claim 1, wherein the threat prompt generator further comprises a prompt template composer configured to compose a threat prompt template (Wu Col 29 lines 1-18, FIG. 12: at block 1202, in one or more of the various embodiments, analysis engines may be arranged to determine a prompt template based on a prompt type or target agent.), save the threat prompt template in a threat template repository (Wu Col 29), obtain an annotation from a threat data annotator (Mooney Para [0050]: as the program code infers one or more threat model elements, the program code can annotate the artifact such that the program code can identify these elements moving forward, should the program code analyze the artifact at a later time.), communicate with a threat taxonomy database (CHAN Para [0028]. Para [0031]: the classifier model (threat taxonomy) is trained to determine the location of the software vulnerability and to identify the type of vulnerability. A few-shot example consists of a source code snippet having an identified software vulnerability type and token positions in the source code snippet identified as being associated with the software vulnerability type.), and send information to a prompt generation pipeline (CHAN Para [0072]: the prompt generator generates a prompt for the large language model (block 610). The prompt includes the vulnerable source code snippet, instructions, the type of software vulnerability, and a few-shot examples (block 610). The prompt is input to the large language model (block 612) and a response is received from the large language model (block 614).).
Regarding claim 9, Mir in view of CHAN in view of Kuan and in view of Mooney in view of Bhatia in view of Wu teaches the system as claimed in claim 8, wherein the prompt generation pipeline configures the threat prompt to query and train the large language model (Wu Claim 1: wherein the modified prompt is provided to the LLM to generate another response; determining one or more other portions of the other response based on the one or more prompt fragments, wherein each determined other portion of the other response corresponds to a prompt fragment; comparing each determined other portion of the response to the expected classification of each synthetic event; and updating the performance score for each prompt fragment based on the comparison; and employing the modified prompt to retrain the LLM to execute one or more other actions and classify one or more other events.).
Regarding claim 10, Mir in view of CHAN in view of Kuan and in view of Mooney in view of Bhatia in view of Wu teaches the system as claimed in claim 1, wherein the continuous automation module further comprises a policy generator in communication with the large language model (Wu Claim 1: wherein the modified prompt is provided to the LLM to generate another response; determining one or more other portions of the other response based on the one or more prompt fragments, wherein each determined other portion of the other response corresponds to a prompt fragment; comparing each determined other portion of the response to the expected classification of each synthetic event; and updating the performance score for each prompt fragment based on the comparison; and employing the modified prompt to retrain the LLM to execute one or more other actions and classify one or more other events.).
Regarding claim 11, Mir in view of CHAN in view of Kuan and in view of Mooney in view of Bhatia in view of Wu teaches the system as claimed in claim 1, wherein the continuous automation module further comprises automatic and continuous generation of at least one threat report that is communicated to the threat modeling engine (Mir Para [0103]: the verification of the threat model can be initiated. The threat model can be retrieved from the TAM repository 102. Once the application is developed at the develop phase 508, the application can undergo extensive tests, at this phase the threat model is verified to ensure the threat model has been successful in implementing the recommended countermeasures. The verification state of an application task list is inferred. Any unsuccessful implementation of the task items listed in an ATL. The TAM repository 102 can execute an automated process to analyze the bugs against the application and infer their association with the task items in the ATL. The process of verifying the correct implementation of identified task items can be derived by analyzing the bugs.).
Regarding claim 12, Mir in view of CHAN in view of Kuan and in view of Mooney in view of Bhatia in view of Wu teaches the system as claimed in claim 1, wherein the large language model is integrated with a policy generator (Wu Claim 1: wherein the modified prompt is provided to the LLM to generate another response; determining one or more other portions of the other response based on the one or more prompt fragments, wherein each determined other portion of the other response corresponds to a prompt fragment; comparing each determined other portion of the response to the expected classification of each synthetic event; and updating the performance score for each prompt fragment based on the comparison; and employing the modified prompt to retrain the LLM to execute one or more other actions and classify one or more other events.) and a code generator (CHAN Para [0072]-[0073]: the prompt is input to the large language model (block 612) and a response is received from the large language model (block 614). If the response from the large language model indicates a vulnerability (block 616—yes), then repair code may be generated for the vulnerable source code snippet (block 618) and output in the target system with the vulnerability prediction (block 620).).
Regarding claim 13, Mir in view of CHAN in view of Kuan and in view of Mooney in view of Bhatia in view of Wu teaches the system as claimed in claim 1, wherein the continuous automation module further comprises the large language model developing policies and code via queries and training from prior threat reports and/or prior threat prompts (Wu Claim 1: wherein the modified prompt is provided to the LLM to generate another response; determining one or more other portions of the other response based on the one or more prompt fragments, wherein each determined other portion of the other response corresponds to a prompt fragment; comparing each determined other portion of the response to the expected classification of each synthetic event; and updating the performance score for each prompt fragment based on the comparison; and employing the modified prompt to retrain the LLM to execute one or more other actions and classify one or more other events. CHAN Para [0072]-[0073]: the prompt is input to the large language model (block 612) and a response is received from the large language model (block 614). If the response from the large language model indicates a vulnerability (block 616—yes), then repair code may be generated for the vulnerable source code snippet (block 618) and output in the target system with the vulnerability prediction (block 620).).
Regarding claim 14, Mir in view of CHAN in view of Kuan and in view of Mooney in view of Bhatia in view of Wu teaches the system as claimed in claim 1, wherein the continuous automation module further comprises a template patching notification (Mir [0098]-[0107]: At block 708, a notification is sent to the appropriate reviewers indicating a review is required for a threat model. In one implementation, this review notification can be sent automatically by the threat-analyzing module 114 once the state of the threat model is set to "awaiting review". In another implementation, the author has to manually send a review notification mail to the reviewer. At block 710, the threat model is retrieved and reviewed. The reviewers review the application task list ATL and the responses within the ATL for each task item. The reviewing can be performed based on information included in the ATL. At block 808, the verification is complete, and the threat model document's state can be set to "closed." In an implementation, a passed verification notification can be sent to the members of an application team(s), notifying them that the threat model verification has been completed and no further action is needed. For example, an email notification can be automatically sent by the threat-analyzing module 114, once the threat models status is set to "closed" or the reviewer can manually send the email notification to the application team(s).).
Regarding claim 15, Mir teaches a method for continuous automated threat modeling based on prompt engineering using large language models, the method comprising:
ingesting an application profile, a workload context, and a software template (Para [0082]. Claim 1. Claim 3. Claim 10. Claim 12: a threat analysis model for a software application comprising: defining the software application, wherein attributes and rules relating to the software application are determined; providing information associated with the software application, stored as threat analysis data; generating the threat analysis model based on the attributes, the rules, and information. Wherein the rules are based on one or more of the following: the attributes of the software application, technology used for the software application, coding language used for the software application, and platform of the software application.);
enabling continuous automation of the system via automatic retrieval of the threat prompt and automatic performance of a security assessment on the threat prompt (Para [0103]: the verification of the threat model can be initiated. The threat model can be retrieved from the TAM repository 102. Once the application is developed at the develop phase 508, the application can undergo extensive tests, at this phase the threat model is verified to ensure the threat model has been successful in implementing the recommended countermeasures. The verification state of an application task list is inferred. Any unsuccessful implementation of the task items listed in an ATL. The TAM repository 102 can execute an automated process to analyze the bugs against the application and infer their association with the task items in the ATL. The process of verifying the correct implementation of identified task items can be derived by analyzing the bugs.), comprising:
retrieving the threat prompt (Para [0103]: the verification of the threat model can be initiated. The threat model can be retrieved from the TAM repository 102. At this phase the threat model is verified to ensure the threat model has been successful in implementing the recommended countermeasures.);
generating and communicating threat reports at regular intervals to the threat modeling engine (Para [0103]: the verification of the threat model can be initiated. The threat model can be retrieved from the TAM repository 102. Once the application is developed at the develop phase 508, the application can undergo extensive tests, at this phase the threat model is verified to ensure the threat model has been successful in implementing the recommended countermeasures. The verification state of an application task list is inferred. Any unsuccessful implementation of the task items listed in an ATL. The TAM repository 102 can execute an automated process to analyze the bugs against the application and infer their association with the task items in the ATL. The process of verifying the correct implementation of identified task items can be derived by analyzing the bugs.).
Mir does not explicitly disclose identifying potential threats and vulnerabilities of a system;
incorporating data that mitigates the potential threats and vulnerabilities of the system;
annotating a threat configuration;
(Perform an action) annotated threat.
Mooney does disclose identifying potential threats and vulnerabilities of a system (Para [0050]: as the program code infers one or more threat model elements, the program code can annotate the artifact such that the program code can identify these elements moving forward, should the program code analyze the artifact at a later time.);
incorporating data that mitigates the potential threats and vulnerabilities of the system (Para [0050]: as the program code infers one or more threat model elements, the program code can annotate the artifact such that the program code can identify these elements moving forward, should the program code analyze the artifact at a later time.);
annotating a threat configuration (Para [0050]: as the program code infers one or more threat model elements, the program code can annotate the artifact such that the program code can identify these elements moving forward, should the program code analyze the artifact at a later time.);
(Perform an action) annotated threat (Para [0050]: as the program code infers one or more threat model elements, the program code can annotate the artifact such that the program code can identify these elements moving forward, should the program code analyze the artifact at a later time.).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Mir with the teachings of Mooney to include identifying potential threats and vulnerabilities of a system; incorporating data that mitigates the potential threats and vulnerabilities of the system; annotating a threat configuration; (Perform an action) annotated threat in order to identify the threat and analyze it to improve security (Mooney Para [0050]).
Mir in view of Mooney does not explicitly disclose generating a threat prompt based off a configuration, a threat taxonomy, and prompt engineering;
integrating a large language model;
remediation code based on the continuous security assessment.
CHAN does disclose generating a threat prompt based off a configuration, a threat taxonomy, and prompt engineering (Para [0028]. Para [0031]: the classifier model (threat taxonomy) is trained to determine the location of the software vulnerability and to identify the type of vulnerability. A few-shot example consists of a source code snippet having an identified software vulnerability type and token positions in the source code snippet identified as being associated with the software vulnerability type.);
integrating a large language model (Para [0072]: the prompt generator generates a prompt for the large language model (block 610). The prompt includes the vulnerable source code snippet, instructions, the type of software vulnerability, and a few-shot examples (block 610). The prompt is input to the large language model (block 612) and a response is received from the large language model (block 614).);
(perform an action) from the threat prompt generator (Para [0072]: the prompt generator generates a prompt for the large language model (block 610).);
remediation code based on the continuous security assessment (Para [0033]. [0073]: If the response from the large language model indicates a vulnerability (block 616—yes), then repair code may be generated for the vulnerable source code snippet (block 618) and output in the target system with the vulnerability prediction (block 620). The vulnerability repair engine is a deep learning model trained on source code to generate repaired code. The repaired code corrects the vulnerability in the source code snippet. In the decoder-only configuration, the model generates the repaired code as an autoregression task, predicting each token of the repaired code one at a time based on the preceding tokens of the repaired code.).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Mir in view of Mooney with the teachings of CHAN to include generating a threat prompt based off a configuration, a threat taxonomy, and prompt engineering; integrating a large language model; remediation code based on the continuous security assessment in order to identify the type of vulnerability to improve regulatory compliance (CHAN Para [0031]).
Mir in view of Mooney in view of CHAN does not explicitly disclose a prompt template; dynamically composing threat prompt templates; iteratively querying and training the large language model using feedback from prior threat assessments, wherein the iteratively querying and training comprises using vulnerability predictions and threat assessment outputs generated by the large language model to refine subsequent queries and training.
Wu does disclose a prompt template (Col 29 lines 1-18, FIG. 12: at block 1202, in one or more of the various embodiments, analysis engines may be arranged to determine a prompt template based on a prompt type or target agent.);
dynamically composing threat prompt templates (Col 29 lines 1-18, FIG. 12: analysis engine 402.);
iteratively querying and training the large language model using feedback from prior threat assessments (Col 29 lines 50-59: the particular prompt template that may be determined may change as analysis engines gain more experience or exposure to events that occur in a given environment. For example, in some embodiments, as historical information may be collected about an organization's networking environment, prompt template selection may change based on subsequent training sessions, learning based on real-time observation of the system in production.), wherein the iteratively querying and training comprises using vulnerability predictions and threat assessment outputs generated by the large language model to refine subsequent queries and training (Claim 1: wherein the modified prompt is provided to the LLM to generate another response; determining one or more other portions of the other response based on the one or more prompt fragments, wherein each determined other portion of the other response corresponds to a prompt fragment; comparing each determined other portion of the response to the expected classification of each synthetic event; and updating the performance score for each prompt fragment based on the comparison; and employing the modified prompt to retrain the LLM to execute one or more other actions and classify one or more other events.).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Mir in view of Mooney in view of CHAN with the teachings of Wu to include a prompt template; dynamically composing threat prompt templates; iteratively querying and training the large language model using feedback from prior threat assessments, wherein the iteratively querying and training comprises using vulnerability predictions and threat assessment outputs generated by the large language model to refine subsequent queries and training in order to improve model performance and reliability.
Mir in view of Mooney in view of CHAN in view of Wu does not explicitly disclose continuously and automatically (perform an action); (Perform an action) in real-time based on current threat intelligence data; automatically generating security policies; (Perform an action) automatically at regular intervals.
Bhatia teaches continuously and automatically (perform an action) (Para [0095]. Para [0106]: the ARA 100 comprises a rule decomposition engine 120 and rule generation engine 122 to provide logic that is configured to perform operations for generating new SIEM rules in response to threat intelligence indicating new threats that may be potentially encountered by computing resources in the enterprise computing environment 130. Furthermore, the illustrative embodiments provide mechanisms for automatically generating new SIEM rules in response to newly identified threats on a dynamic basis.);
(Perform an action) in real-time based on current threat intelligence data (Para [0095]. Para [0106]: the ARA 100 comprises a rule decomposition engine 120 and rule generation engine 122 to provide logic that is configured to perform operations for generating new SIEM rules in response to threat intelligence indicating new threats that may be potentially encountered by computing resources in the enterprise computing environment 130. Furthermore, the illustrative embodiments provide mechanisms for automatically generating new SIEM rules in response to newly identified threats on a dynamic basis.);
automatically generating security policies (Para [0112]: FIG. 14 is a flowchart outlining an example operation of the ARA with regard to automatic generation of new SIEM rules in response to newly identified threats.);
(Perform an action) automatically at regular intervals (Para [0105]: the operation of the ARA 100 to perform generation of new rules to address new threats, may be performed in a continuous or periodic manner, in response to an event, in response to the expiration of a predetermined time period, in response to a new threat information being received by the ARA, in response to a new standard rule being added to the standard rules repository 150, or any other trigger event, request, or condition.).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Mir in view of Mooney in view of CHAN in view of Wu with the teachings of Bhatia to include continuously and automatically (perform an action); (Perform an action) in real-time based on current threat intelligence data; automatically generating security policies; (Perform an action) automatically at regular intervals in order to identify new threats and analyze them to increase security (Bhatia Para [0105]).
Regarding claim 16, Mir in view of CHAN in view of Kuan and in view of Mooney in view of Bhatia in view of Wu teaches the method as claimed in claim 15, further comprising generating threat artifacts based on the identified potential threats and vulnerabilities of the system (Mooney Para [0005]. Para [0035]. Para [0050]: as the program code infers one or more threat model elements, the program code can annotate the artifact such that the program code can identify these elements moving forward, should the program code analyze the artifact at a later time. Generating, by the one or more processors, a threat model for the given computing system, based on consolidating the elements of the threat model for the artifact with additional elements of the threat models of additional artifacts.).
Regarding claim 17, Mir in view of CHAN in view of Kuan and in view of Mooney in view of Bhatia in view of Wu teaches the method as claimed in claim 15, wherein the threat prompt is based on fine-tuning, a sampling strategy, and a diversity algorithm (CHAN Para [0028]. Para [0031]: the classifier model (threat taxonomy) is trained to determine the location of the software vulnerability and to identify the type of vulnerability. A few-shot example consists of a source code snippet having an identified software vulnerability type and token positions in the source code snippet identified as being associated with the software vulnerability type.).
As per claim 18, the claim recites a computer-readable medium essentially corresponding to the method of claim 15 above, and is rejected for at least the same reasons.
Claims 5-7 are rejected under 35 U.S.C. 103 as being unpatentable over Mir (US 20090083695 A1) in view of CHAN (US 20240411666 A1) in view of Kuan (US 20240362409 A1) and in view of Mooney (US 20220207140 A1) and in view of Bhatia (US 20200272741 A1) in view of Wu (US 11916767 B1) and in view of WICKER (US 20190334942 A1).
Regarding claim 5, Mir in view of CHAN in view of Kuan and in view of Mooney in view of Bhatia in view of Wu teaches the system as claimed in claim 1, wherein the threat modeling engine further comprises a threat engine orchestrator in communication with a threat configuration composer, one or more threat artifacts (Mooney Para [0055]: the program code generates a risk score which can represent risks associated with a given artifact and/or risk associated with a given artifact and/or with the system in which the artifact is implemented. The program code can generate facts that describe a given artifact and correlate with elements of a threat model.).
Mir in view of CHAN in view of Kuan and in view of Mooney in view of Bhatia in view of Wu does not explicitly disclose a Relative Attacker Attractiveness analyzer.
WICKER does disclose a Relative Attacker Attractiveness analyzer (Para [0027]: each of the devices and files in the received threat intelligence data may have an associated reputation score that indicates a relative threat determined for the entity (e.g., as a Boolean value representing a possible threat or not a possible threat, a percentage or other floating point value between 0 and 1 representing a predicted degree of threat, a letter grade or numeral value representing the predicted degree of threat, etc.). For example, the reputation score may indicate a likelihood that the entity is malicious or is associated with potentially malicious activity.).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Mir in view of CHAN in view of Kuan and in view of Mooney in view of Bhatia in view of Wu with the teachings of WICKER to include a Relative Attacker Attractiveness analyzer in order to indicate a likelihood that the entity is malicious or is associated with potentially malicious activity (WICKER Para [0027]).
Regarding claim 6, Mir in view of CHAN in view of Kuan and in view of Mooney in view of Bhatia in view of Wu in view of WICKER teaches the system as claimed in claim 5, wherein the threat modeling engine generates the one or more threat artifacts and the Relative Attacker Attractiveness analyzer (Mooney Para [0055]: the program code generates a risk score which can represent risks associated with a given artifact and/or risk associated with a given artifact and/or with the system in which the artifact is implemented. WICKER Para [0027]: each of the devices and files in the received threat intelligence data may have an associated reputation score that indicates a relative threat determined for the entity).
Regarding claim 7, Mir in view of CHAN in view of Kuan and in view of Mooney in view of Bhatia in view of Wu in view of WICKER teaches the system as claimed in claim 5, wherein the Relative Attacker attractiveness analyzer receives information from a threat and risk catalog and the threat engine orchestrator, analyzes the information (Mooney Para [0055]: the program code generates a risk score which can represent risks associated with a given artifact and/or risk associated with a given artifact and/or with the system in which the artifact is implemented (based on the individual risk associated with various artifacts in this system evaluated by the program code). As discussed above, based on analyzing a given artifact, the program code can generate facts that describe a given artifact and correlate with elements of a threat model. Thus, in some examples, the program code can assign a confidence score to one or more facts generated by the program code, including but not limited to elements of the threat model. The program can also assign a risk score to identified elements of the threat model based on one or more properties of the artifacts of a system architecture that the program code analyzed. These risk scores may be recorded to a model. For example, the present invention may assign a risk score based on a data flow traversing a trust boundary that is known to be less trusted than a typical trust boundary or a trust boundary in the known system. The program code can determine risk scores for the system under analysis using one or more risk scores calculated from other systems that the present invention has analyzed.), generates a percentage value, then sends the percentage value to a threat score generator (WICKER Para [0027]: Each of the devices and files in the received threat intelligence data may have an associated reputation score that indicates a relative threat determined for the entity (e.g., as a Boolean value representing a possible threat or not a possible threat, a percentage or other floating point value between 0 and 1 representing a predicted degree of threat, a letter grade or numeral value representing the predicted degree of threat, etc.). For example, the reputation score may indicate a likelihood that the entity is malicious or is associated with potentially malicious activity.).
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JUDY BAZNA whose telephone number is (703)756-1258. The examiner can normally be reached Monday - Friday 08:30 AM-05:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr, can be reached at (571) 272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/JUDY BAZNA/ Examiner, Art Unit 2495
/FARID HOMAYOUNMEHR/ Supervisory Patent Examiner, Art Unit 2495