DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Arguments
Applicant’s remarks, see page 9, filed 10/31/2025, with respect to the First Action Interview request have been acknowledged. The First Action Interview Pilot Program has been discontinued as of January 15th, 2021 (for more information, see: https://www.uspto.gov/patents/initiatives/first-action-interview/full-first-action-interview-pilot-program). The Effective Filing Date of this current pending application is July 26th, 2023, which is more than two (2) full years past the ending date of the pilot program. If the Applicant would like to know more about current interview practices and submit a proper interview request, the Applicant is encouraged to consult MPEP § 713 for more information, and MPEP § 713.09 regarding Interviews Between Final Rejection and Notice of Appeal.
Applicant's arguments, see pages 9-12, filed 10/31/2025, with respect to the rejection of claims 4-9, 13-15, and 19-20 under 35 U.S.C. § 112(a) have been fully considered but they are not persuasive.
Applicant first attests that the limitation “recording the changes in an immutable record to obtain the record” has proper written description support in the originally filed disclosure.
The Examiner respectfully disagrees.
The originally filed disclosure is not commensurate with the claim scope of “an immutable record” or the newly claimed desired result of “the changes being stored in the repository in a manner where the information remains unchanged within the repository over time”. Figure 2B does not describe how the inventor intended to achieve the implementation of an immutable record; paragraphs [0069-0076] merely suggest that the information may remain unchanged, without disclosing how the inventor intended to achieve the desired result; and the same applies to paragraph [0082]. In fact, Applicant readily attests and admits that,
“Now since an exact method is not described in the specification, how the information remains unchanged can (as one of ordinary skill in the art of computers and data storage would know) be done in any way. See MPEP § 2164.05(a) (requiring that "[t]he specification need not disclose what is well-known to those skilled in the art and preferably omits that which is well-known to those skilled and already available to the public" (emphasis added)). In particular, there are probably over a thousand different methods that can be used to keep data unchanged in a repository (i.e., storage) in which the data is stored; ranging for easy solutions such as just not overwriting existing data as new data is added into the storage to more complex solutions such as putting in write lock of the like on the existing data.
Indeed, the main point here in the original specification is not how the data (i.e., record, used as a noun) is stored in an unchanging (i.e., immutable) manner (namely, because the how does not matter) but is rather that the data is stored in the unchanging manner” (original bolding maintained, underlined emphasis added).
Here, it is clear that Applicant readily admits that there is no support in the originally filed disclosure for any implementation of an immutable record. Applicant’s examples of “over a thousand different methods… ranging for [sic] easy solutions such as just not overwriting existing data as new data is added into the storage to more complex solutions such as putting in write lock of the like on the existing data” are helpful, but these arguments do not demonstrate that the originally filed disclosure contains support commensurate with the scope of the claims. The Examiner agrees with the Applicant in that there are a myriad of possible solutions to arrive at the desired result of maintaining an immutable record or storing data “in a manner where the information remains unchanged within the repository over time”, and that “an exact method is not described in the specification”, and this is exactly why the limitation was rejected for lacking written description. Applicant’s argument that “the how does not matter” directly contradicts current examination practice and the MPEP. See MPEP 2161.01 (I) ("The description requirement of the patent statute requires a description of an invention, not an indication of a result that one might achieve if one made that invention."). It is not enough that one skilled in the art could write a program to achieve the claimed function because the specification must explain how the inventor intends to achieve the claimed function to satisfy the written description requirement. See, e.g., Vasudevan Software, Inc. v. MicroStrategy, Inc., 782 F.3d 671, 681-683, 114 USPQ2d 1349, 1356, 1357 (Fed. Cir. 2015). Therefore, the rejection will be maintained.
Applicant lastly attests the following, “Turning now to dependent claim 9, the Office contends at Page 3 of the Office Action that there is no support in the original specification for the limitation "making a second determination regarding whether a malicious entity exploited the expressed vulnerability." Applicant respectfully disagrees.
In particular, paragraph [00109] of the original specification explicitly discloses the following:
[00109] The action set may further be performed by making a third determination (e.g., based on the information regarding the operation) regarding whether a malicious entity exploited the expressed vulnerability. To do so, any number of diagnostic processes may be performed. For example, the diagnostic processes may include searching for malware, viruses, artifacts, and/or other indicators of previous (and/or ongoing) presence of the malicious entity. (Emphasis Added).
There should be no question from above cited paragraph [00109] of the original specification that diagnostic processes such as "searching for malware, viruses, artifacts, and/or other indicators of previous (and/or ongoing) presence of the malicious entity," may be used to determine "whether a malicious entity exploited the expressed vulnerability." Said another way, any of these example diagnostic processes may be used as the inventor's "intended" way of performing this alleged specialized claim function of "making a second determination regarding whether a malicious entity exploited the expressed vulnerability." In the interest of moving prosecution forward and not causing confusions for Examiner Lopez (who appears to be new as evidenced of the Office Action being co-signed by a Supervisory Patent Examiner), Applicant has amended dependent claim 9 as shown above to remove the term "second." Namely, it appears to Applicant that this rejection of claim 9 was only issued because Examiner Lopez was unable to find, verbatim, a "second determination" in the original specification that is directed to the malicious entity exploiting the expressed vulnerability” (original bolding maintained).
The Examiner respectfully disagrees.
The amended claim limitation “making a determination regarding whether a malicious entity has already exploited the expressed vulnerability” in claim 9 still lacks adequate support in the originally filed disclosure. Paragraph [0109] of the originally filed disclosure discloses no such diagnostic method, and instead consists of a mere restating of claim language specifying a desired result. Original claims may lack written description when the claims define the invention in functional language specifying a desired result but the specification does not sufficiently describe how the function is performed or the result is achieved. For software, this can occur when the algorithm or steps/procedure for performing the computer function are not explained at all or are not explained in sufficient detail (simply restating the function recited in the claim is not necessarily sufficient). In other words, the algorithm or steps/procedure taken to perform the function must be described with sufficient detail so that one of ordinary skill in the art would understand how the inventor intended the function to be performed. See MPEP §§ 2161.01, 2163.02, and 2181, subsection IV. The examples provided in paragraph [0109] do not disclose how the inventor intended to achieve the specialized claim function of claim 9 determining whether a malicious entity has already exploited the particularly expressed vulnerability. Generic recitations of “diagnostic processes” such as “searching for malware, viruses, artifacts, and/or other indicators of previous (and/or ongoing) presence of the malicious entity” are not commensurate with supporting the claim scope of determining whether or not a particularly expressed vulnerability was exploited by a malicious entity.
The described “searching for malware” makes no mention whatsoever of determining that the particularly expressed vulnerability has already been exploited, and finding “presence of the malicious entity” does not mean that the originally filed disclosure is commensurate with the 2-step process of 1) determining that the data processing system expresses a particular vulnerability, and then 2) determining whether a malicious entity has already exploited the said particular expressed vulnerability, as required by claim 9. Therefore, the written description rejection will be maintained.
Applicant's arguments, see pages 12-13, filed 10/31/2025, with respect to the rejection of claims 4-8, 13-15, and 19-20 under 35 U.S.C. § 112(b) have been fully considered but they are not persuasive.
Applicant attests “Initially, it appears to Applicant that the Office is confused about whether the term ‘record’ in independent claim 1 is used as a noun, verb, or adjective. However, based on the placement of the term ‘of’ in the limitation ‘the determination being made using a record of changes in operation of the components of the data processing system over time and requirements for the vulnerability to be expressed,’ it is clear that the term ‘record’ is used as a noun to describe a ‘record’ (i.e., a copy) of ‘changes in the operation of the components of the data processing system over time.’
Therefore, the Office's proposed changes of ‘the record of changes’ that now combine the term ‘record’ with ‘changes’ into a single term actually makes no sense. Indeed, as already discussed above in the § 112(a) rejection section, paragraphs [0069]-[0076] of the original specification disclose that is the actual updates (i.e., changes) to the data processing system that are monitored and recorded (i.e., stored), and NOT the stored information of the changes (i.e., the recorded changes implemented as version data 214A-214B stored in IIM repository 240 that is monitored and recorded (i.e., stored).
Thus, Applicant respectfully submits that antecedent basis for all of the terms in claims 4-6, 13-15, and 19-20 are already proper as is in these claim's original form. To help alleviate the Office's above confusion with how the term ‘record’ is being used in the independent claims, Applicant has also amended all of the independent claims to recite, in part, ‘making a determination regarding whether the data processing system expressed the vulnerability, the determination being made using requirements for the vulnerability to be expressed and a record created for the data processing system, the record includes changes in operation of the components of the data processing system over time,’ which now expressly makes clear that the term ‘record’ is being used a noun to mean, for example, ‘historic copy of the changes.’ (Emphasis Added)”.
The Examiner respectfully disagrees.
The amended claim limitations still contain antecedent basis issues and will be presented in the rejection below.
Applicant's arguments, see pages 14-16, filed 10/31/2025, with respect to the rejections of claims 1-20 under 35 U.S.C. § 102(a)(1) have been fully considered but they are not persuasive.
Applicant first attests that the previously presented Murthy reference does not disclose or suggest the amended independent claims or dependent claim 9 by disparaging Murthy Fig. 3 and paragraphs [0018], [0054], [0056-0058].
The Examiner respectfully disagrees.
Regarding the amended independent claims, the broadest reasonable interpretation of the claim limitation “the record includes: … and version data of all past and current versions of a component among the components” is anticipated by Murthy disclosing “The application information 153 could include the names of applications installed on the client device 103, the versions of applications installed on the client device 103, any features of a client application on the client device 103 that are enabled or disabled, or other data” in paragraph [0018]. Contrary to Applicant’s argument, it is not stated, implied, or indicated in the Murthy reference that “only the current (i.e., newest) version information of an application is stored”. Murthy further discloses “In some examples, an enterprise, such as a company, organization, or other entity, can operate the management service 109 to oversee or manage the operation of the client devices 103 of its employees, contractors, customers, or other users having accounts with the enterprise. The management service 109 can further cause device records 126 to be created, modified, or removed from the data store 123” in paragraph [0025] (emphasis added). Therefore, Murthy disclosing the device record containing “the versions of applications installed on the client device”, and that the device record can later be modified anticipates the broadest reasonable interpretation because it follows that if the version of the application installed on the client device is changed, it would be added to the device record.
Applicant next attests that amended dependent claim 9 is not anticipated by Murthy.
The Examiner respectfully disagrees.
As discussed above and in the Non-Final Rejection mailed 08/05/2025, the claim limitation “making a determination regarding whether a malicious entity has already exploited the expressed vulnerability” lacks adequate support in the originally filed disclosure. The originally filed disclosure is not commensurate with the scope of the claimed invention determining whether or not the malicious entity has already exploited the expressed vulnerability. Furthermore, Applicant attempts to show that Murthy is allegedly silent with respect to teaching the claim limitation at issue by pointing to Murthy Figure 3 and Murthy paragraphs [0056-0058]. The Examiner respectfully submits that this argument is moot as these portions of Murthy were not relied upon in the Non-Final Rejection mailed 08/05/2025 and defers to the rejection presented below.
Applicant lastly attests that new claim 21 is separately and individually patentable over the Murthy reference. Applicant's arguments fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references.
Specification
The disclosure is objected to because of the following informalities:
Paragraphs [0071], [0074], and [0080-0082] of the originally filed disclosure refer to an “instillation”. The word should read “installation”. The definition of instillation is to impart gradually or to cause to enter drop by drop, whereas it is clear from the device management subject matter of the pending instant application that the word “installation” was meant.
Appropriate correction is required.
Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.
The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.
Claims 4-9, 13-15, and 19 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.
Regarding claims 4, 13, and 19:
Dependent claims 4, 13, and 19 recite “the information associated with the changes being stored in the repository in a manner where the information remains unchanged within the repository over time”. There is no support in the disclosure regarding how the inventor intended to perform this specialized claim function. The algorithm or steps/procedures for these claimed functions is not explained at all or is not explained in sufficient detail (simply restating the function recited in the claim is not necessarily sufficient) so that one of ordinary skill in the art would recognize that the applicant had possession of the claimed invention. As discussed above, Applicant has readily admitted on the record that the originally filed disclosure is silent with regard to how the inventor intended for the claimed invention to achieve the desired result of having the information being stored in a specialized or particular manner such that the information remains unchanged over time. See MPEP 2161.01 (I) ("The description requirement of the patent statute requires a description of an invention, not an indication of a result that one might achieve if one made that invention."). It is not enough that one skilled in the art could write a program to achieve the claimed function because the specification must explain how the inventor intends to achieve the claimed function to satisfy the written description requirement. See, e.g., Vasudevan Software, Inc. v. MicroStrategy, Inc., 782 F.3d 671, 681-683, 114 USPQ2d 1349, 1356, 1357 (Fed. Cir. 2015).
Regarding Claim 9:
Dependent claim 9 recites “making a determination regarding whether a malicious entity has already exploited the expressed vulnerability”. There is no support in the disclosure regarding how the inventor intended to perform this specialized claim function. The algorithm or steps/procedures for these claimed functions is not explained at all or is not explained in sufficient detail (simply restating the function recited in the claim is not necessarily sufficient) so that one of ordinary skill in the art would recognize that the applicant had possession of the claimed invention. The scope of the claim encompasses all conceivable ways of determining whether a malicious entity has exploited a vulnerability, yet the originally filed disclosure is silent with regard to how the inventor intended to achieve detecting exploitation of the vulnerability.
Per MPEP 2161.01, "computer-implemented functional claim language must still be evaluated for sufficient disclosure under the written description", and per MPEP 2161.01(I), "generic claim language in the original disclosure does not satisfy the written description requirement if it fails to support the scope of the genus claimed." For computer-implemented inventions, the determination of the sufficiency of disclosure will require an inquiry into the sufficiency of both the disclosed hardware and the disclosed software due to the interrelationship and interdependence of computer hardware and software. The critical inquiry is whether the disclosure of the application relied upon reasonably conveys to those skilled in the art that the inventor had possession of the claimed subject matter as of the filing date.
See MPEP 2161.01 (I) ("The description requirement of the patent statute requires a description of an invention, not an indication of a result that one might achieve if one made that invention."). It is not enough that one skilled in the art could write a program to achieve the claimed function because the specification must explain how the inventor intends to achieve the claimed function to satisfy the written description requirement. See, e.g., Vasudevan Software, Inc. v. MicroStrategy, Inc., 782 F.3d 671, 681-683, 114 USPQ2d 1349, 1356, 1357 (Fed. Cir. 2015).
As in MPEP 2161.01 “For instance, generic claim language in the original disclosure does not satisfy the written description requirement if it fails to support the scope of the genus claimed. Ariad, 598 F.3d at 1349-50, 94 USPQ2d at 1171 ("[A]n adequate written description of a claimed genus requires more than a generic statement of an invention's boundaries.") (citing Eli Lilly, 119 F.3d at 1568, 43 USPQ2d at 1405-06); Enzo Biochem, Inc. v. Gen-Probe, Inc., 323 F.3d 956, 968, 63 USPQ2d 1609, 1616 (Fed. Cir. 2002) (holding that generic claim language appearing in ipsis verbis in the original specification did not satisfy the written description requirement because it failed to support the scope of the genus claimed); Fiers v. Revel, 984 F.2d 1164, 1170, 25 USPQ2d 1601, 1606 (Fed. Cir. 1993) (rejecting the argument that "only similar language in the specification or original claims is necessary to satisfy the written description requirement").”
“The Federal Circuit has explained that a specification cannot always support expansive claim language and satisfy the requirements of 35 U.S.C. 112 "merely by clearly describing one embodiment of the thing claimed." LizardTech v. Earth Resource Mapping, Inc., 424 F.3d 1336, 1346, 76 USPQ2d 1731, 1733 (Fed. Cir. 2005). The issue is whether a person skilled in the art would understand applicant to have invented, and been in possession of, the invention as broadly claimed. In LizardTech, claims to a generic method of making a seamless discrete wavelet transformation (DWT) were held invalid under 35 U.S.C. 112, first paragraph, because the specification taught only one particular method for making a seamless DWT and there was no evidence that the specification contemplated a more generic method. "[T]he description of one method for creating a seamless DWT does not entitle the inventor . . . to claim any and all means for achieving that objective." LizardTech, 424 F.3d at 1346, 76 USPQ2d at 1733.”
The dependent claims fall together accordingly.
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.
Claims 1-19 and 21 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Independent claims 1, 10, and 16 recite “changes in operation of the components of the data processing system” and “version data of all past and current versions of a component among the components”. It is currently unclear what “the components” refers to, as the claim only references “a component of the data processing system” earlier in the claim, and there is insufficient antecedent basis for “the components” limitation in the claim. Furthermore, it is unclear whether the second recitation of “a component” in “a component among the components” is trying to refer to the prior recited “a component of the data processing system” or is trying to instantiate antecedent basis for another component.
Dependent claim 9 recites “in an instance of the determination where it is determined that the malicious entity has already exploited the expressed vulnerability” in lines 4-5. There is insufficient antecedent basis for this limitation in the claim.
The dependent claims fall together accordingly.
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.
Claim(s) 1-19 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Murthy et al. (US Publication No. US 2020/0228560 A1) hereinafter Murthy.
Regarding Claims 1, 10, and 16:
Claim 10. Murthy discloses a non-transitory machine-readable medium having instructions stored therein, which when executed by a processor, cause the processor to perform operations for managing security of a data processing system, the operations comprising (Murthy [0067-0071]): making an identification of a vulnerability of a component of the data processing system (Murthy [0018-0019] “The application information 153 may be used, for example, to determine whether or not a client device 103 is suffering from a security vulnerability due to a vulnerable version of the client application being installed or the client application being installed in an insecure manner or having a vulnerable feature or functionality enabled.”), the vulnerability rendering the data processing system exploitable by a malicious entity if the vulnerability is expressed by the data processing system (Murthy [0018-0020]); making a determination regarding whether the data processing system expressed the vulnerability (Murthy [0018-0022]), the determination being made using requirements for the vulnerability to be expressed and a record created for the data processing system (Murthy [0018] record maintained of applications and operations; [0025] may observe operations and create/modify records), the record includes: changes in operation of the components of the data processing system over time (Murthy [0018] record maintained of applications and operations; [0025] may observe operations and create/modify records), and version data of all past and current versions of a component among the components (Murthy [0017-0018] record maintained of applications and operations; [0025] may observe operations and create/modify records); in a first instance of the determination where the vulnerability is expressed by the data processing system: performing an action set to mitigate a potential impact of the expressed vulnerability (Murthy [0023] mitigation to be performed; [0039] examples); and in a second instance of the determination where the vulnerability is not expressed by the data processing system: confirming to a requestor that the data processing system did not express the vulnerability (Murthy Fig. 3, [0048], [0054-0055] user’s request causes the determination process to be performed; [0065] and Fig. 5 shows devices that are patched and therefore not vulnerable).
Claims 1 and 16 recite substantially the same content and are therefore rejected under the same rationales. Murthy further discloses a method for managing security of a data processing system (Murthy [0042], [0067], claim 8). Murthy further discloses a data processing system, comprising: a processor; and a memory coupled to the processor to store instructions, which when executed by the processor, cause the processor to perform operations for managing security of a data processing system (Murthy [0067-0071]).
Regarding Claims 2, 11, and 17:
Claim 11. Murthy further discloses the non-transitory machine-readable medium of claim 10 (Murthy [0067-0071]), wherein making the determination comprises: identifying, based on the requirements for the vulnerability, an operation of the component (Murthy [0018-0022]); making a second determination, based on the record, whether the component performed the operation (Murthy [0018] record maintained of applications and operations; [0025] may observe operations and create/modify records); in a first instance of the second determination where the component performed the operation: concluding that the vulnerability was expressed by the data processing system (Murthy [0018] record maintained of applications and operations; [0025] may observe operations and create/modify records); and in a second instance of the second determination where the component did not perform the operation: concluding that the vulnerability was not expressed by the data processing system (Murthy [0018] record maintained of applications and operations; [0025] may observe operations and create/modify records; [0048-0049]).
Claims 2 and 17 recite substantially the same content and are therefore rejected under the same rationales.
Regarding Claims 3, 12, and 18:
Claim 12. Murthy further discloses the non-transitory machine-readable medium of claim 11 (Murthy [0067-0071]), wherein making the determination further comprises: in the first instance of the second determination: identifying a duration of time while the vulnerability was expressed by the data processing system using the record (Murthy [0018] record maintained of applications and operations; [0025] may observe operations and create/modify records; [0064] mitigation timeline explicitly disclosed).
Claims 3 and 18 recite substantially the same content and are therefore rejected under the same rationales.
Regarding Claims 4, 13, and 19:
Claim 13. Murthy further discloses the non-transitory machine-readable medium of claim 10 (Murthy [0067-0071]), wherein the operations further comprise: monitoring the changes in the operation of the components of the data processing system (Murthy [0018] record maintained of applications and operations; [0025] may observe operations and create/modify records); and storing information associated with the changes in a repository of the data processing system to create the record for the data processing system, the information associated with the changes being stored in the repository in a manner where the information remains unchanged within the repository over time, and the information comprising the version data of all of the past and current versions of the component (Murthy [0017-0018] record maintained of applications and operations; [0025] may observe operations and create/modify records).
Claims 4 and 19 recite substantially the same content and are therefore rejected under the same rationales.
Regarding Claims 5 and 14:
Claim 14. Murthy further discloses the non-transitory machine-readable medium of claim 13 (Murthy [0067-0071]), wherein monitoring the changes comprises: identifying updates made to software components of the components (Murthy [0018] record maintained of applications and operations; [0025] may observe operations and create/modify records; [0037-0039] update records and vulnerable software applications).
Claim 5 recites substantially the same content and is therefore rejected under the same rationales.
Regarding Claims 6 and 15:
Claim 15. Murthy further discloses the non-transitory machine-readable medium of claim 14 (Murthy [0067-0071]), wherein monitoring the changes further comprises: identifying durations of time during which each updated software component of the software components was hosted by the data processing system (Murthy [0018] record maintained of applications and operations; [0025] may observe operations and create/modify records; [0037-0039] update records and vulnerable software applications; [0064] mitigation timeline explicitly disclosed).
Claim 6 recites substantially the same content and is therefore rejected under the same rationales.
Regarding Claim 7:
Murthy further discloses the method of claim 6 (Murthy [0042], [0067], claim 8), wherein each updated software component is a version of the software component (Murthy [0018] record maintained of applications and operations and vulnerable versions).
Regarding Claim 8:
Murthy further discloses the method of claim 5 (Murthy [0042], [0067], claim 8), wherein the requirements for the vulnerability to be expressed comprise: a version of the software component to be hosted by the data processing system (Murthy [0018] record maintained of applications and operations and vulnerable versions).
Regarding Claim 9:
Murthy further discloses the method of claim 1 (Murthy [0042], [0067], claim 8), wherein performing the action set to mitigate the vulnerability, after the vulnerability has already been determined in the first instance of the determination as being expressed by the data processing system, comprises: making a determination regarding whether a malicious entity has already exploited the expressed vulnerability (Murthy [0017] if client device is found with malware it is quarantined; [0019-0022] vulnerability records obtained to find severity of exploitation and vulnerable versions of software and hardware); in an instance of the determination where it is determined that the malicious entity has already exploited the expressed vulnerability: and performing a second action set to mitigate an impact of the expressed vulnerability being already exploited by the malicious entity (Murthy [0017] “A client device 103 could be placed into a quarantined status or state, for example, if it suffered from one or more vulnerabilities, if the client device 103 were currently infected with malware, or if the client device 103 had not yet been evaluated to determine whether the client device 103 were suffering from one or more vulnerabilities. Similarly, a vulnerable state or status could indicate that the respective client device 103 is enrolled, but is vulnerable to one or more security vulnerabilities” (emphasis added); [0023] mitigation to be performed; [0039] examples).
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 21 is rejected under 35 U.S.C. 103 as being unpatentable over Murthy in view of Yamamoto; Kazuya (US Publication No. US 2021/0012014 A1) hereinafter Yamamoto.
Regarding Claim 21:
Murthy discloses the method of claim 1 (Murthy [0042], [0067], claim 8).
Murthy does not explicitly disclose wherein the record further comprises a time and a date associated with an installation of each version of all of the past and current versions of the component, and the time and the date associated with the installation of each version of the past and current versions of the component being used to determine a time frame during which the data processing system expressed the vulnerability over a course of when the component was first installed to a most-current operating version of the component.
Yamamoto teaches wherein the record further comprises a time and a date associated with an installation of each version of all of the past and current versions of the component, and the time and the date associated with the installation of each version of the past and current versions of the component being used to determine a time frame during which the data processing system expressed the vulnerability over a course of when the component was first installed to a most-current operating version of the component (Yamamoto Fig. 6 software version is obtained along with the date and time obtained [0098-0101]).
It would have been obvious to one having ordinary skill in the art before the time the invention was effectively filed to combine the vulnerability assessment method and data records disclosed by Murthy with the date and time incorporated by Yamamoto. Murthy contained a base method incorporating device records that store, amongst other information, device identifiers, client application versions, identification of vulnerable application versions, device statuses, and application information; all stored within a data store which holds even more information including standardized vulnerability records, certificates, compliance policies, and commands queued up by the disclosed management service. Yamamoto teaches a comparable vulnerability checking method, which also includes recording the version information, software name, vulnerability information, software settings, and, most importantly, recording the date and time of when the information was obtained. One of ordinary skill in the art could have applied the known improvement of incorporating a time and date, or a timestamp, into the device records disclosed by Murthy, as logging and timestamping are well-known techniques in the art, and Yamamoto explicitly teaches the practice of logging the time and date when information is obtained. The results would have been predictable in that the device records disclosed by Murthy would have been modified to further include a timestamp of when the disclosed device records are modified, such as to apply settings or perform actions specified by the compliance policies or executed by the command queue.
Conclusion
The prior art made of record in the submitted PTO-892 Notice of References Cited and not relied upon is considered pertinent to applicant’s disclosure.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MIGUEL A LOPEZ whose telephone number is (703)756-1241. The examiner can normally be reached 8:00AM-5:00PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge Ortiz-Criado, can be reached on 5712727624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/M.A.L./ Examiner, Art Unit 2496
/JORGE L ORTIZ CRIADO/ Supervisory Patent Examiner, Art Unit 2496
1 The Examiner respectfully notes that “just not overwriting existing data as new data is added into the storage” does not in any way accomplish an “immutable record” as such a practice does not preclude nor protect the prior stored data from being modified or changed, thereby violating the immutability requirement.