Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Arguments
Applicant's arguments filed February 10, 2026 have been fully considered but they are not persuasive.
Applicant states, in page 1 of the remarks, that the Abstract is objected to as allegedly being 151 words, which is more than a 150 word limit guideline set forth in 37 C.F.R. § 1.72, but that the Abstract as originally presented was 145 words, not 151 words, and has been reduced to 138 words, and requests withdrawal of the objection. As the Abstract is no longer than 150 words, Examiner withdraws the objection.
In pages 2-8 of the remarks, Applicant states that claims 1-20 are rejected under 35 U.S.C. § 112(a) as allegedly failing to comply with the written description requirement. Specifically, the rejection alleges lack of adequate written description supporting the independent claim phrases "generating quantum source code by transforming the source code into a quantum computing data format" and "determining that the source code includes a potential vulnerability by applying a quantum generative adversarial network (QGAN) model to the quantum source code." Applicant states that information that is known in the art does not need to be described in detail in the applicant's specification, with the written description requirement of § 112 is grounded in what the disclosure conveys to those skilled in the art, a reasonable basis for questioning adequacy of a disclosure must necessarily include findings about what the level of skill in the art is and what a person of skill would have known at the time of the invention. Applicant further states that Office Action (“OA”) does not identify the ordinary level of skill, much less provide evidence as to why a person of the identified level of skill would not know or understand that the inventor had possession of the claimed subject matter at the time of the invention.
In particular, in pages 4-6 of the remarks, Applicant states that the limitation of "generating quantum source code by transforming the source code into a quantum computing data format," a person skilled in the quantum computing art would know methods for converting classical computerized information (represented by bits) to a format usable by a quantum computer (represented, e.g., by qubits), in particular, known techniques as representing the code by a token, a vector, a tree, a graph, or some combination of these, then embedding the code's structured classical representation (e.g., vector or matrix) into a quantum feature map that maps the structural properties of the code into the quantum state space (Hilbert space), such as in Zeguendry et al., Quantum Machine Learning: A Review and Case Studies, 25 ENTROPY 287 (2023) (cited by the Examiner), e.g., at pages 15, 24, 34 of 41 (describing various methods for encoding of classical data into quantum data for quantum machine learning), with Applicant’s own paragraph [0053] of the specification describes that "code extractor 110 may identify and format the source code components into the quantum computing data format […]", paragraph [0031] describes that the vulnerability scanner 112 can be "configured to transform the source code so that it may be analyzed. […] As [an] example, vulnerability scanner 112 may encode or transform the source code into a vector (e.g., a source code vector) or matrix (e.g., a source code matrix)”, and paragraphs [0072]-[0073] (discussing formatting the classical payload into a quantum payload for sending to the quantum computing system), and argues that the OA would have determined that a person skilled in the art would know and understand methods for performing tokenization or encoding of the software code into a vector or matrix, as described in the Applicant's specification, and provides examples, such as the open-source tool Joern is used by software developers for creating graphs from software code, and Code2Vec is a known classical technique for encoding software code into continuous vectors that can serve as input to quantum feature maps. Applicant reiterates that in absence of the proper factual findings by the Examiner in the record to support the written description rejection, supported by record evidence.
In pages 6-8 of the remarks, Applicant states that support for the claimed limitation of "determining that the source code includes a potential vulnerability by applying a quantum generative adversarial network (QGAN) model to the quantum source code," this phrase has been amended in the independent claims with this reply, with support for the amendment at FIGS. 3 and 6, and paragraphs [0054], [0081], and [0086] of the specification. In particular, with reference to FIG. 6 and paragraphs [0021]-[0022] and [0076]-[0087], that a QGAN includes a generator model and a discriminator model that work adversarially to improve each other (the generator model to generate synthetic data samples, such as software code including vulnerabilities, that appear as if they came from a real source. Furthermore, in paragraphs [0054], [0081], and [0086], the discriminator model of the QGAN is a machine-learning model that has effectively been trained to detect a potential software vulnerability. Applicant states that a person of ordinary skill in the art would understand that discriminator model is trained to determine that source code includes a potential vulnerability, as recited in amended claim 1, can result in output of the discriminator model that can effectively determine whether or not the source code includes a potential vulnerability, and that the implementation of a QGAN has been described in the art. Applicant states that references 18-29 cited at page 39 of 41 of Zeguendry, and page 2 of 41 of Zeguendry ("These algorithms are shown by Quantum Generative Adversarial Networks (Quantum GAN) [18-20] with its implementation in [21], which uses a superconducting quantum processor to learn and generate real-world handwritten digit pictures, Quantum Wasserstein Generative Adversarial Networks (Quantum WGAN) [22], which improves the scalability and stability of quantum generative adversarial model training on quantum machines, Quantum Boltzmann Machines [23,24], Quantum Autoencoders [25,26], and Quantum Convolutional Neural Networks [27-29], and the latter is implemented in the benchmark section."), and requests that the written description rejection of claims 1-20 be withdrawn.
Examiner disagrees with the Applicant, as the limitation of "generating quantum source code by transforming the source code into a quantum computing data format", while Applicant states that support is found in the reference of Zeguendry, such as using vector on matrix to convert classical code into a quantum feature map in a quantum state space, such as Hilbert space, this applies only to the prior art, and not to the Applicant’s invention. Applicant’s invention that utilizes quantum computing, which at the time of the invention’s filing date, December 20, 2023, is an experimental technology in active development and used in laboratories, and furthermore, information which is well known in the art need not be described in detail in the specification. See, e.g., Hybritech, Inc. v. Monoclonal Antibodies, Inc., 802 F.2d 1367, 1379-80, 231 USPQ 81, 90 (Fed. Cir. 1986). However, sufficient information must be provided to show that the inventor had possession of the invention as claimed. See MPEP § 2163(II)(A), paragraph 2, “Review the Entire Application to Understand How Applicant Provides Support for the Claimed Invention Including Each Element and/or Step”. Furthermore, despite utilizing paragraphs [0053] and [0073], and stating examples including Code2Vec and Joern in page 5 of the remarks, Applicant’s paragraph [0073] only states that “quantum system 120 applies an LLM and/or a GAN to detect a vulnerability in the quantum payload”, and describes the functions of a typical GAN model with a quantum aspect added on for “quantum payload”, with paragraph [0053] simply reciting, in Fig. 3, step 330, “vulnerability scanning system 106 generates quantum source code from the source code received at 310 by transforming source code into a quantum computing data format”, and formatting the code to be compatible with the quantum computing system, but does not provide, in sufficient detail, how this aspect is achieved in the invention.
Furthermore, in the limitation of “determining that the source code includes a potential vulnerability by applying a quantum generative adversarial network (QGAN) model to the quantum source code”, while Applicant utilizes paragraphs [0072]-[0073] to support the aforementioned limitation having written description in the Specification, paragraph [0072] describes a quantum payload being created from formatting “the payload” in Fig. 5, step 520, with no other components being described as to how the payload is converted into a quantum format. Furthermore, paragraph [0073] describes the use of a GAN model in a quantum computer for detecting a vulnerability in a quantum payload, but provides little detail as to how the quantum payload is inspected for malware with regards to both the discriminator and the generators present in a typical GAN. Even when taking into account page 2 of 41 of Zeguendry ("These algorithms are shown by Quantum Generative Adversarial Networks (Quantum GAN) [18-20] with its implementation in [21] […] superconducting quantum processor to learn and generate real-world handwritten digit pictures, Quantum Wasserstein Generative Adversarial Networks (Quantum WGAN) [22], which improves the scalability and stability of quantum generative adversarial model training on quantum machines […]), this applies only to the prior art of Zeguendry, and the Applicant’s invention needs to provide sufficient detail, where sufficient information must be provided to show that the inventor had possession of the invention as claimed. See MPEP § 2163(II)(A), paragraph 2, “Review the Entire Application to Understand How Applicant Provides Support for the Claimed Invention Including Each Element and/or Step”. As a result, Examiner maintains the rejections of claims 1-20 remain rejected under lack of written description.
Applicant states, in pages 8-12 of the remarks, that claims 1-20 are rejected under 35 U.S.C. § 112(a) as allegedly failing to comply with the enablement requirement, alleging that one skilled in the art would not have been enabled to "determin[e] that the source code includes a potential vulnerability by applying a quantum generative adversarial network (QGAN) model to the quantum source code," as recited in independent claims 1, 9, and 16, stating that In re Wands, 858 F.2d 731, 737 (Fed. Cir. 1988). "Not every last detail [need] be described," In re Gay, 309 F.2d 769, 774 (C.C.P.A. 1962), because specification "need not inform the layman nor disclose what the skilled already possess." GeneralElectric Co. v. Brenner, 407 F.2d 1258, 1261 (D.C. Cir. 1968). Wands sets out factors that must be considered in the analysis of whether undue experimentation would be required, including the quantity of experimentation necessary, the amount of direction or guidance presented, the presence or absence of working examples, the nature of the invention, the state of the prior art, the relative skill of those in the art, the predictability or unpredictability of the art, and the breadth of the claims. Applicant states that at pages 5-6 of the OA, the Examiner makes no relevant factual findings, but instead makes a number of bare allegations. In absence of the proper factual findings being made of record, the Applicant is under no burden to counter the conclusory allegations of the Examiner with evidence. Applicant reiterates that if the Examiner is relying on official notice or personal knowledge, such reliance should be made explicit and should be supported by affidavit or declaration under 37 C.F.R. § 1.104(d)(2). Furthermore, Applicant states that the rejection alleges that "[o]ne of ordinary skill in the art would be unable to apply a [QGAN] as claimed since the Specification […] does not describe what the QGAN performs, what the 'quantum' aspect is intended to perform in the context of a QGAN for detecting vulnerabilities, or where/how it is obtained and no relationship to the rest of the invention is established with other elements of the claim, as to enable one of ordinary skill in the art to make and use the invention." OA, page 5. Applicant further states that regarding the allegation that the specification does not describe the purpose of implementing a GAN using quantum computing in the context of detecting vulnerabilities, Applicant respectfully disagrees. As described in paragraphs [0022], [0038], [0040], [0046], [0054], [0061], [0068], [0069], [0077], and [0089]-[0093], a quantum computing system can be used to implement the vulnerability scanning system to increase performance (e.g., training speed) and accuracy, e.g., for a portion of the vulnerability detection used to weed out false positives and thereby increase the effectiveness of the vulnerability detection, and further states that the "where/how" "the 'quantum' aspect" of the QGAN "is obtained," Applicant respectfully disagrees. The specification teaches that the vulnerability scanning system 106, and in particular the QGAN, may be implemented using a quantum computing system. See, e.g., paragraphs [0025], [0038], [0048], [0051], [0053], [0061], [0068], [0069], [0072]-[0074], [0077], [0089]. Accordingly, Applicant respectfully requests the enablement rejection under § 112(a) be withdrawn. Applicant further respectfully requests that if the rejection is to be maintained, that the Examiner expressly state what personal knowledge is relied upon, as supported by affidavit or declaration under 37 C.F.R. § 1.104(d)(2).
Examiner states that the Applicant does not provide sufficient detail as to how the limitation of "determining that the source code includes a potential vulnerability by applying a quantum generative adversarial network (QGAN) model to the quantum source code”, as recited from the previous OA, is that the QGAN aspect of the claimed limitation is insufficiently explained in the Specification of the Applicant’s invention. Examiner states that in MPEP § 2164.06(II), “EXAMPLE OF UNREASONABLE EXPERIMENTATION”, in In re Ghiron, 442 F.2d 985, 991-92, 169 USPQ 723, 727-28 (CCPA 1971), functional “block diagrams” were insufficient to enable a person skilled in the art to practice the claimed invention with only a reasonable degree of experimentation because the claimed invention required a “modification to prior art overlap computers,” and because “many of the components which appellants illustrate as rectangles in their drawing necessarily are themselves complex assemblages […] It is common knowledge that many months or years elapse from the announcement of a new computer by a manufacturer before the first prototype is available”. This is best exemplified in Fig. 5 of the Applicant, and even if the teachings of Zeguendry’s “Quantum Machine Learning: A Review and Case Studies”, where in page 2, “Deep Learning is a new machine learning sub-discipline […] algorithms are shown by Quantum Generative Adversarial Networks (Quantum GAN). It further teaches a Quantum machine learning approach (e.g. generate a QGAN) would involves running traditional machine learning algorithms on quantum computers or simulators in an effort to achieve algorithmic speedups”, which, while a different method of running a “QGAN”/quantum GAN, substantially recites how a quantum GAN is utilized by Zeguendry. Applicant’s “quantum GAN”, while recited in paragraph [0040] (“Vulnerability scanner 112 may also contain a GAN (e.g., a quantum GAN (QGAN)) to detect and reduce the number of false positive payloads to be inspected”), and paragraph [0054] (“[…] applying a quantum generative adversarial network (QGAN) model to the quantum source code. Vulnerability scanning system 106 may determine whether one or more source code components include a potential vulnerability”), with paragraph [0053] reciting “code extractor 110 may identify and format the source code components into the quantum computing data format. For example, this may include converting the source code into a qubit representation and/or other quantum information representation”, does not sufficiently explain how the quantum aspect in the QGAN functions in the invention, and in particular, the function of identifying vulnerabilities in the quantum source code after conversion to a qubit representation is insufficiently explained in the Specification. As the QGAN aspect remains insufficiently explained in the Specification of the Applicant, in spite of the Zeguendry prior art stating a QGAN being utilized, claims 1-20 remain rejected under the enablement rejection under § 112(a).
In pages 12-15 of the remarks, Applicant states that the claims 1-3, 5, 8-10, 12, and 15-18 are rejected under 35 U.S.C. § 103 as allegedly being unpatentable over U.S. Patent No. 11,514,171 to Dinh et al. ("Dinh") in view of U.S. Patent Application Publication No. 2019/0324744 to Alam et al. ("Alam") and further in view of "Quantum Machine Learning: A Review and Case Studies" by Zeguendry et al. ("Zeguendry"). The rejected claims would not have been obvious over the cited art. Applicant states that in page 9 of the remarks, primary reference Dinh does not teach describe using a large language model (LLM). Dinh does not even use the terms "large language model" or "LLM." Dinh's knowledge base is not an LLM. See, e.g., column 4, line 44 of Dinh, describing its knowledge base as only a code corpus that matches known vulnerabilities to known solutions). As would be appreciated by a person skilled in the art, LLMs are AI systems based on deep learning and transformer architectures, trained on massive datasets to understand, summarize, generate, and predict text and code. Applicant further states that the rejection may not rely on hindsight to improperly pick and choose the claimed elements from the prior art and lump them together to recreate the claimed invention; it is improper to reconstruct claims in piecemeal fashion by picking and choosing from the prior art using applicants' disclosure as a blueprint. In re Kamm, 452 F.2d 1052, 1056-57 (CCPA 1972). "In determining obviousness, therefore, the inquiry is not whether each element existed in the prior art, but whether the prior art made obvious the invention as a whole." Hartness Int'l, Inc. v. Simplimatic Eng'g Co., 819 F.2d 1100, 1108 (Fed. Cir.1987). Applicant states that Dinh does not specifically teach a QGAN or transforming source code for application to the QGAN (e.g., to be input into the discriminator model of a QGAN), as claimed. OA, page 9. The rejection therefore relies on paragraph [0040] and FIG. 6 of Alam to allegedly describe a GAN implemented to perform "algorithm attack surface examination and risk assessment." Setting aside that, by acknowledgement of the OA (e.g., at pages 9-10), Alam does not describe a QGAN and is in no way related to quantum computing, the rejection does not explain why a person skilled in the art would be led to combine Alam's GAN with the alleged LLM of Dinh, but that the OA fails to explain why Alam, alone or in combination with Dinh, would lead one skilled in the art to use both a QGAN and an LLM, in that order, to perform software vulnerability detection, as recited in the independent claims.
Examiner disagrees with the Applicant’s arguments for claim 1 above, as the reference of Dinh, in [Col. 10, lines 50-56], updates to code are generated by a machine learning model (such as a deep learning model) based on training data sets, corresponding to a large language model being applied to source code, which contradicts the Applicant’s argument that Dinh’s “knowledge base is not an LLM”, and [column 4, line 44] of Dinh, describing its knowledge base as only a code corpus that matches known vulnerabilities to known solutions). Furthermore, while it is indeed the case that neither the references of Dinh or Alam recite the QGAN limitation as required by the invention, Zeguendry, page 2, “Quantum machine learning approach (e.g. generate a QGAN) would involves running traditional machine learning algorithms on quantum computers or simulators in an effort to achieve algorithmic speedups”, with translation of conventional binary data into quantum data being performed through quantum encoding, and in combination with Alam’s GAN model, which is described in Alam’s paragraph [0040] Fig. 6, a generative adversarial network (GAN) is shown in Fig. 6, 504. In particular, block 610 shows the GAN being used to identify attack surfaces and vulnerabilities of the code, and in paragraph [0041] further clarifies how the discriminator and generator work together in the GAN model, with discriminator are maximized to be determined as real, working against the generator which is intended to minimize the “real” determination. The GAN is “used to synthesize random inputs to write the algorithm and evaluate the attack surface of the algorithms” using the discriminator, based on submitted user-based code inputs 604, and generated inputs 602 from the generator. As a result, claims 1, 9, and 16, as well as claims 2-3, 5, 8, 10, 12, 15, and 17-18 depending therefrom remain rejected under § 103.
Claims 4, 11, and 20 are rejected under 35 U.S.C. § 103 as allegedly being unpatentable over Dinh in view of Zeguendry in view of Alam as applied to claims 1-3, 5, 8-10, 12, and 15-18 above, and further in view of U.S. Patent No. 11,243,746 to Evangelopoulos et al. ("Evangelopoulos"). Claims 6, 7, 13, 14, and 19 are rejected under 35 U.S.C. § 103 as allegedly being unpatentable over Dinh in view of Zeguendry in view of Alam as applied to claims 1-3, 5, 8-10, 12, and 15-18 above, and further in view of U.S. Patent Application Publication No. 2024/0333484 to Kim et al. ("Kim"). Kim does not remedy any of the above-described deficiencies of Dinh, Zeguendry, and Alam with respect to independent claims 1, 9, and 16. Consequently, the proposed combination of Dinh, Zeguendry, Alam, and Kim also fails to render obvious each of independent claims 1, 9, and 16, and as a result, Applicant requests that the rejection of claims 6, 7, 13, 14, and 19 under 35 U.S.C. § 103 be reconsidered and withdrawn.
As a result of no other arguments being presented for these claims above, and based on the independent claims 1, 9, and 16 remaining rejected, claims 4, 11, and 20 are rejected under § 103 as allegedly being unpatentable over Dinh in view of Zeguendry in view of Alam, and further in view of Evangelopoulos, and claims 6, 7, 13, 14, and 19 are rejected under § 103 as allegedly being unpatentable over Dinh in view of Zeguendry in view of Alam, and further in view of Kim.
Claim Rejections - 35 USC § 112(a)
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.
The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.
Claims 1-20 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement.
The claims contain subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.
There is no support in the disclosure regarding how the inventor intended to perform the claimed limitation of ‘generating quantum source code by transforming the source code into a quantum computing data format’ in claim 1, only in paragraph [0053] of the Specification of the Applicant, where it states a desirable result by repeating it may encompassed, in that quantum source code may be generated from vulnerability scanning system 106, it may format the source code so that it is compatible with a quantum computing system. This section simply on a high level of generality states it may include ‘converting the source code into a qubit representation and/or other quantum information representation’. Furthermore, paragraph [0073] only states that “quantum system 120 applies an LLM and/or a GAN to detect a vulnerability in the quantum payload”, and describes the functions of a typical GAN model with a quantum aspect added on for “quantum payload”, with paragraph [0053] simply reciting, in Fig. 3, step 330, “vulnerability scanning system 106 generates quantum source code from the source code received at 310 by transforming source code into a quantum computing data format”, and formatting the code to be compatible with the quantum computing system, but does not provide, in sufficient detail, how this aspect is achieved in the invention. The algorithm or steps/procedures for these claimed functions is not explained at all or is not explained in sufficient detail (simply restating the function reciting in the claim is not necessarily sufficient) so that one of ordinary skill in the art would recognize that the applicant had possession of the full scope of the claimed invention.
Furthermore, there is no support in the disclosure regarding how the inventor intended to perform the claimed limitation of ‘determining that the source code includes a potential vulnerability based on inputting the quantum source code to a discriminator model of a quantum generative adversarial network (QGAN) model to obtain an output of the discriminator model, wherein the discriminator model is trained to determine that source code includes a potential vulnerability’ in claim 1, only in paragraph [0054] of the Specification of the Applicant, where it states a desirable result by repeating it may encompassed, in that quantum GAN model may be used to reduce the false positive rate by screening out source code that would be flagged for inspection by pattern matching systems, such as regular expressions. Furthermore, paragraph [0073] describes the use of a GAN model in a quantum computer for detecting a vulnerability in a quantum payload, but provides little detail as to how the quantum payload is inspected for malware with regards to both the discriminator and the generators present in a typical GAN, but does not sufficiently describe how the quantum aspect of the QGAN analyzes the qubits and aspects of quantum computing after conversion of the binary code of a program. Applicant’s invention needs to provide sufficient detail, where sufficient information must be provided to show that the inventor had possession of the invention as claimed. See MPEP § 2163(II)(A), paragraph 2, “Review the Entire Application to Understand How Applicant Provides Support for the Claimed Invention Including Each Element and/or Step”. The algorithm or steps/procedures for these claimed functions is not explained at all or is not explained in sufficient detail (simply restating the function reciting in the claim is not necessarily sufficient) so that one of ordinary skill in the art would recognize that the applicant had possession of the full scope of the claimed invention.
Dependent claims 2-8 are rejected for relying upon independent claim 1, and inherit the rejections of their respective independent claim 1 above.
Independent claim 9 shares limitations that are present in independent claim 1 above, and inherits the rejections of independent claim 1 above.
Dependent claims 10-15 are rejected for relying upon independent claim 9, and inherit the rejections of their respective independent claim 9 above.
Independent claim 16 shares limitations that are present in independent claim 1 above, and inherits the rejections of independent claim 1 above.
Dependent claims 17-20 are rejected for relying upon independent claim 16, and inherit the rejections of their respective independent claim 16 above.
Claims 1-20 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the enablement requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to enable one skilled in the art to which it pertains, or with which it is most nearly connected, to make and/or use the invention.
In claim 1, the subject matter that is not enabled is the limitation for ‘determining that the source code includes a potential vulnerability by applying a quantum generative adversarial network (QGAN) model to the quantum source code’.
One of ordinary skill in the art would be unable to apply a quantum generative adversarial network (QGAN)as claimed since the Specification of the Applicant does not describe what the QGAN performs, what the ‘quantum’ aspect is intended to perform in the context of a QGAN for detecting vulnerabilities, or where/how it is obtained and no relationship to the rest of the invention is established with other elements of the claim, as to enable one of ordinary skill in the art to make and use the invention.
The Specification is not enabling for the expression claimed.
To decide whether the disclosure does not satisfy the enablement requirement, and whether any necessary experimentation is undue, the Examiner has weighed in particular the following factors:
The breadth of the invention.
The invention, which relates to source code vulnerability detection, contains a quantum generative adversarial (QGAN) model to apply to quantum source code as one of the limitations in the independent claims. While the Specification of the Applicant states that ‘[an] LLM and/or the quantum GAN (QGAN) may be used to detect source code vulnerabilities’ in paragraph [0004], the invention’s usage of a QGAN, as stated in the limitations of the independent claims, covers all QGAN models, and/or any quantum LLM for detecting vulnerabilities in the quantum source code, not known in the art
The nature of the invention.
The basic concept is a method proposed by the Applicant to apply a quantum generative adversarial network (QGAN) model that may be used to source code to detect vulnerabilities in the source code.
The present claimed invention provides no limits to the to a trained quantum LLM and/or quantum GAN at vulnerability scanner limitation to detect vulnerabilities.
The state of the prior art.
The Examiner has found no evidence of a particular QGAN model to apply the model to source code to detect vulnerabilities present that is so well understood or well known that one of ordinary skill would be able to make the invention without more detailed direction from the inventor. In addition, the Applicant makes no mention of any state in the background section of any papers/publications to demonstrate any level of knowledge in the art regarding quantum QGANs.
The level of one of ordinary skill.
The inventor provides no standard as to how the QGAN is intended to operate in relation to the invention as stated in the Specification of the Applicant, such as using the QGAN ‘to detect and reduce the number of false positive payloads to be inspected’ in paragraph [0040] only restating the limitation of the independent claims. As a result, a person of ordinary skill in the art would not understand how to make or use the invention in relation to the desired QGAN , without undue experimentation.
The level of predictability in the art.
In the Specification of the Applicant, the use of a vulnerability scanning system 106 to identify vulnerabilities in the source code may use and/or communicate with a quantum computing system to increase performance and accuracy, as stated in paragraph [0069] of the Specification. Vulnerability scanning system 106 functions similarly to the QGAN. There is no explanation of how a quantum computing system works in particular, and the invention is directed to just a concept for quantum computing. As a result, the predictability of the art of quantum computers is unpredictable.
The amount of direction provided by the inventor.
The inventor provides no direction whatsoever, to discuss the application or any relationship between the QGAN and the invention for source code vulnerability detection.
The existence of working examples.
There are no examples for a QGAN.
The quantity of experimentation needed to make or use the invention based on the content of the disclosure.
The inventor does not go into detail as to how the invention functions in relation to the QGAN scanning the source code for vulnerabilities in the Specification. As a result, the quantity of undue experimentation needed to make or use the invention based on the content present of the disclosures.
Dependent claims 2-8 are rejected for relying upon independent claim 1, and inherit the rejections of their respective independent claim 1 above.
Independent claim 9 shares limitations that are present in independent claim 1 above, and inherits the rejections of independent claim 1 above.
Dependent claims 10-15 are rejected for relying upon independent claim 9, and inherit the rejections of their respective independent claim 9 above.
Independent claim 16 shares limitations that are present in independent claim 1 above, and inherits the rejections of independent claim 1 above.
Dependent claims 17-20 are rejected for relying upon independent claim 16, and inherit the rejections of their respective independent claim 16 above.
For the purposes of art examination, Examiner has interpretated to read the limitation of claim 1, that being ‘[…] a quantum generative adversarial network (QGAN) model […]’, as ‘[…] a generative adversarial network (GAN) model […]’.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-3, 5, 8-10, 12, 15-18 are rejected under 35 U.S.C. 103 as being unpatentable over Dinh et al. (US 11514171 B2), hereinafter Dinh, in view of Alam et al. (US 20190324744 A1), hereinafter Alam, further in view of Zeguendry et al. ("Quantum Machine Learning: A Review and Case Studies"), hereinafter Zeguendry.
Regarding claim 1, Dinh discloses ‘a computer implemented method for source code vulnerability detection, comprising: receiving source code’ ([Col. 12, lines 63-65] Fig. 10, block 1002, receive code for computer programming.);
‘determining that the source code includes a potential vulnerability based on inputting the source code to determine that source code includes a potential vulnerability’ ([Col. 12, lines 63-65] Fig. 10, block 1004, determining whether at least a portion of code contains at least one vulnerability via process 1000. Furthermore, in [Col. 3, lines 58-60], code vulnerability remediation services are provided for users utilizing one or more machine learning models, which is done to identify and eliminating vulnerabilities in code, as described in [Col. 5, lines 35-40], where a code corpus 140/240 is a knowledge base that is modified based on input from an AI/ML engine, such as to learn code vulnerabilities not previously found in the code corpus based on the inputted code, also described in [Col. 9, lines 24-28].);
‘in response to determining that the source code includes the potential vulnerability, determining that the source code includes code corresponding to a vulnerability by applying a large language model to the source code’ ([Col. 12, lines 65-67] Fig. 10, block 1006, comparing portion of code comprising at least one vulnerability to a knowledge base comprising a plurality of code fragments comprising a plurality of vulnerabilities. Block 1008 matches portion of code to at least one vulnerability, with support from Fig. 2, block 248, after a determination of not being able to fix the code manually (block 247), stated in [Col. 10, lines 50-56], updates to code are generated by a machine learning model (such as a deep learning model) based on training data sets, corresponding to a large language model being applied to source code.);
‘and in response to determining that the source code includes code corresponding to the vulnerability, applying a vulnerability policy to the source code based on a vulnerability type associated with the vulnerability’ ([Col. 13, lines 29-33] Fig. 10, block 1010, executing a solution to prevent at least one vulnerability in at least a portion of the code.);
Dinh discloses usage of generating ‘large language model’ to apply to the source code to detect for vulnerabilities, in particular it teaches the uses of artificial intelligence (AI)/machine learning (ML) to learn and apply the vulnerability fixes on a codebase. Dinh does not specifically teach as a model, the particular a quantum generative adversarial network (GAN) model’ where the source code is “transformed into a quantum computing data format as applied to the QGAN, as claimed.
However, Alam teaches a process of determining that a source code includes a potential vulnerability based on inputting source code to a discriminator model of a generative adversarial network (GAN) model to obtain an output of the discriminator model, wherein the discriminator model is trained to determine that source code includes a potential vulnerability, is well known in the art and it is evidence by Alam et al., that teaches ‘a generative adversarial network (GAN) model’ ([0040] Fig. 6, a generative adversarial network (GAN) is shown in Fig. 6, 504. In particular, block 610 shows the GAN being used to identify attack surfaces and vulnerabilities of the code. Paragraph [0041] expands this further by stating that the outputs of a discriminator are maximized to be determined as real, working against the generator which is intended to minimize the “real” determination. The GAN is “used to synthesize random inputs to write the algorithm and evaluate the attack surface of the algorithms” using the discriminator, based on submitted user-based code inputs 604, and generated inputs 602 from the generator.).
Therefore, one of ordinary skill in the art would have been capable of applying this known method of applying a generative adversarial network (QGAN) model to detect for vulnerabilities and the results would have been predictable to one of ordinary skill in the art. The one of ordinary skill in the art would have been motivated to ensure of a GAN process involves optimization of opposite loss functions: The discriminator attempts to maximize the probability of having its outputs recognized as real, while the generator attempts to minimize this probability (Alam et al. [0041]).
While the use of GAN for the purposes to obtain an output of a discriminator model of a GAN model to detect for vulnerabilities as noted above, it is further evidence that Quantum machine learning is expected to be one of the first potential general-purpose applications of near-term quantum devices, in particular any implantation of a QGAN, as evidenced by Zeguendry (page 2, “Deep Learning is a new machine learning sub-discipline. Deep Learning techniques, which demand a significant amount of storage and time consumption, are now being implemented on quantum computers. These algorithms are shown by Quantum Generative Adversarial Networks (Quantum GAN)). It further teaches a Quantum machine learning approach (e.g. generate a QGAN) would involves running traditional machine learning algorithms on quantum computers or simulators in an effort to achieve algorithmic speedups. This approach needs to translate conventional data into quantum data, a process known as quantum encoding. ([pg. 15] Zeguendry’s Figure 8 shows classical data being used as an input for a quantum machine learning algorithm, which is first transformed from classical data (CD) into quantum data (QD) before processing the QD into a quantum machine learning algorithm.).
Therefore, one of ordinary skill in the art would have been capable of applying this known method of translating conventional data into a quantum computing data format to process the quantum data into a Quantum machine learning algorithm, a process known as quantum encoding, with the Quantum machine learning algorithm being a QGAN of Alam et al., and the results would have been predictable to one of ordinary skill in the art. One would have been motivated to experiment utilize quantum encoding to encode classical data into a quantum state by using a quantum feature map that can integrate data into higher dimensional spaces to further optimize the data before processing the quantum data into the Quantum machine learning algorithm, as taught by Zeguendry [pg. 28], and to utilize both the increased processing power of quantum computers and the scalability and learning capacity of machine learning algorithms, as taught by Zeguendry [pg. 2].
Regarding claim 2, Dinh in view of Zeguendry and Alam teach the method of claim 1 as recited above. Dinh further discloses ‘wherein determining that the source code includes code corresponding to a vulnerability further comprises: transforming the source code into a source code vector, wherein the source code vector is based on content of the source code’ ([Col. 7, lines 50-66] and [Col. 8, lines 56-61] Based on Figs. 7 and 8, code snippet 781 is converted to Abstract Syntax Tree (AST), then path vector 783 with other token vectors, and at the end of the process of both figures, is converted to a code snippet vector 889.);
‘comparing the source code vector to one or more vectors stored in a vulnerability database, wherein each of the one or more stored vectors corresponds to a type of vulnerability’ ([Col. 8, line 66-Col. 9, line 3] Match detection module 141 compares code vector to code vectors in code corpus 140/240, also known as a knowledge base, as stated in [Col. 13, line 1].);
‘and determining, based on the comparing, the vulnerability type’ ([Col. 4, lines 50-52] All vulnerabilities have a name and type associated with them, as seen in the table in Fig. 3, first column.).
Regarding claim 3, Dinh in view of Zeguendry and Alam teach the method of claim 1 as recited above. Dinh further discloses ‘training the large language model using a vulnerability database as training data, wherein the vulnerability database comprises one or more stored vectors, wherein each of the one or more stored vectors corresponds to a type of vulnerability’ ([Col. 10, lines 43-46] AI/ML engine 150 can learn from solutions in code corpus/knowledge base 140 that cannot be manually fixed, vulnerability types can be learned by the AI/ML engine 150, as stated in [Col. 10, lines 19-22]. [Col. 8, line 66-Col. 9, line 3] Match detection module 141 compares code vector to code vectors in code corpus 140/240, also known as a knowledge base, as stated in [Col. 13, line 1].).
Regarding claim 5, Dinh in view of Zeguendry and Alam teach the method of claim 1 as recited above. Dinh further discloses ‘wherein the vulnerability is one of cross-site scripting, structured query language (SQL) injection, remote code execution, or command injection’ ([Col. 4, lines 61-65] XML external entity injections allow attackers to interfere with XML data processing and allow backend or external system access that an application accesses. Corresponds to command injection of the Applicant.);
Regarding claim 8, Dinh in view of Zeguendry and Alam teach the method of claim 1 as recited above. Dinh further discloses ‘wherein the vulnerability policy comprises discarding the source code, storing the source code, or forwarding the source code to a destination’ ([Col. 9, lines 31-34] Code repair/building component 143 of Fig. 1 uses a solution to modify source code 261, removes at least one vulnerability, and builds new code without the at least one vulnerability.);
Regarding claim 9, Dinh in view of Zeguendry and Alam teach the method of claim 1 as recited above. Dinh also teaches the limitation of ‘a system, comprising: a memory’ ([0048] Computing device contains a memory component.);
‘and at least one processor coupled to the memory and configured to’ ([0048] Computing device is an assembly where various components, including memories and processors interact, corresponding to coupling of memory and processor.);
Regarding claim 10, Dinh in view of Zeguendry and Alam teach the method of claim 9 as recited above. Dinh also discloses the limitations of dependent claim 2 recited above.
Regarding claim 12, Dinh in view of Zeguendry and Alam teach the method of claim 9 as recited above. Dinh also discloses the limitations of dependent claim 5 recited above.
Regarding claim 15, Dinh in view of Zeguendry and Alam teach the method of claim 9 as recited above. Dinh also discloses the limitations of dependent claim 8 recited above.
Regarding claim 16, Dinh in view of Zeguendry and Alam teach the method of claim 1 as recited above. Dinh also teaches the limitation of ‘a non-transitory computer-readable device having instructions stored thereon that, when executed by at least one computing device, cause the at least one computing device to perform operations comprising’ ([0130]-[0131] Storage 105 stores at least a computer program 106 in a non-volatile memory, a hard disk, or other computer-readable mediums to allow a computer program to execute on a computing device with a memory and processor.);
Regarding claim 17, Dinh in view of Zeguendry and Alam teach the method of claim 16 as recited above. Dinh also discloses the limitations of dependent claim 2 recited above.
Regarding claim 18, Dinh in view of Zeguendry and Alam teach the method of claim 16 as recited above. Dinh also discloses the limitations of dependent claim 5 recited above.
Claims 4, 11, 20 are rejected under 35 U.S.C. 103 as being unpatentable over Dinh in view of Zeguendry and Alam as applied to claims 1-3, 5, 8-10, 12, 15-18 above, and further in view of Evangelopoulos et al. (US 11243746 B2), hereinafter Evangelopoulos.
Regarding claim 4, Dinh in view of Zeguendry and Alam teach the method of claim 1 as recited above. Dinh in view of Zeguendry do not appear to disclose, but Alam teaches the limitation of ‘wherein the QGAN comprises a generator model and the discriminator model’, which has been interpretated in view of the rejection made under 35 U.S.C. 112(a) via lack of enablement in the section above to now read ‘wherein the GAN comprises a generator model and the discriminator model’ ([0040] Fig. 6, a generative adversarial network (GAN) is shown in Fig. 6, 504. [0041] Generator model is used to generate new data, which is shown in block 602. Discriminator is also described to recognize if input data is real or not, which can be used to train GAN, stated in block 606, when it recognizes a generated input as real or not.).
Accordingly, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention, having the teachings of Dinh, Zeguendry, and Alam before them, to include Alam’s ‘wherein the GAN comprises a generator model and the discriminator model’ in Dinh’s method performing ‘source code vulnerability detection’. One would have been motivated to make such a combination to increase efficiency the GAN models to generate new data with the same statistics as a training set, so that the network model can learn to mimic any distribution of data, as stated by Alam [0017].
Dinh in view of Zeguendry and Alam do not appear to disclose, but Evangelopoulos teaches the limitation of ‘compris[ing] a generator model and a discriminator model, the method further comprising: generating, by the generator model, a source code sample’ ([Col. 7, lines 8-14] Fig. 2, generator 240 generates synthetic style A ASTs (abstract syntax trees), which corresponds to a transformation of a first source code snippet from another programming style to target programming style, as stated in [Col. 3, lines 63-66].);
‘determining, by the discriminator model, a probability score indicating a probability that the source code sample was created by the generator model’ ([Col. 7, lines 34-39] Fig. 2, discriminator 242 generates a style output that can be provided to a training module 244, wherein the style output is a probability or confidence that the edit output of synthetic style-A ASTs conform with programming style A, and whether the edit output generated by generator 242 conforms with programming style A.);
‘identifying, by the discriminator model, a label for the source code sample, wherein the label indicates whether the source code sample was generated by the generator model’ ([Col. 7, lines 43-46] Fig. 2, discriminator 242 identifies label outputted by generator via identifying ASTs of 'genuine' and 'synthetic' labels.);
‘re-training the generator model based on the probability score and the label’ ([Col. 7, line 64-Col. 8, line 2] Fig. 2, when "fooling" the discriminator fails, by means of a 'synthetic' training example AST being labeled as not conforming to programming style A, generator 240 is trained by training module 244 to generate synthetic style-A ASTs that are more likely to "fool" discriminator 242.);
‘and re-training the discriminator model based on the probability score and the label’ ([Col. 7, lines 53-58] Conversely, when discriminator 242 has been "fooled" by the generator 240 in Fig. 2, training module 244 trains the discriminator to better identify synthetic examples from generator 240.).
Accordingly, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention, having the teachings of Dinh, Zeguendry, Alam, and Evangelopoulos before them, to include Evangelopoulos’ ‘compris[ing] a generator model and a discriminator model, the method further comprising: generating, by the generator model, a source code sample’ and other limitations of claim 4 in Dinh’s method performing ‘source code vulnerability detection’. One would have been motivated to make such a combination to increase efficiency by allowing a generator to create source code samples to have a discriminator determine whether AST conforms to provided source code, and train both components to better replicate style A programming that is provided to the GAN, as taught by Evangelopoulos [Col. 7, lines 34-36].
Regarding claim 11, Dinh in view of Zeguendry and Alam teach the method of claim 9 as recited above. Dinh in view of Zeguendry and Alam, and further in view of Evangelopoulos also teaches the limitations of dependent claim 4 recited above.
Regarding claim 20, Dinh in view of Zeguendry and Alam teach the method of claim 16 as recited above. Dinh in view of Zeguendry and Alam, and further in view of Evangelopoulos also teaches the limitations of dependent claim 4 recited above.
Claims 6-7, 13-14, and 19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Dinh in view of Zeguendry and Alam as applied to claims 1-3, 5, 8-10, 12, 15-18 above, and further in view of Kim et al. (US 20240333484 A1), hereinafter Kim.
Regarding claim 6, Dinh in view of Zeguendry and Alam teach the method of claim 1 as recited above. Dinh in view of Zeguendry and Alam do not appear to disclose, but Kim teaches the limitation of ‘generating a vulnerability score report comprising one or more vulnerability types and one or more corresponding vulnerability probabilities, wherein each of the one or more vulnerability probabilities represent the probability that the source code includes a vulnerability of the corresponding vulnerability type’ ([0105] Fig. 8, quantum vulnerability score L1 85 is based off vulnerability scores 84 and analysis weights w1-wn. Paragraph [0118] states that when a quantum vulnerability score at source code level L1 is above a threshold, additional quantum vulnerability analysis of library level L2, application level L3, and network level L4 is also performed. In paragraph [0063], when a higher quantum vulnerability score is detected, the target software is more likely to be more vulnerable to quantum computer threats, corresponding to vulnerability probabilities of the Applicant.).
Accordingly, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention, having the teachings of Dinh, Zeguendry, Alam, and Kim before them, to include Kim ‘generating a vulnerability score report comprising one or more vulnerability types and one or more corresponding vulnerability probabilities, wherein each of the one or more vulnerability probabilities represent the probability that the source code includes a vulnerability of the corresponding vulnerability type’ in Dinh’s method performing ‘source code vulnerability detection’. One would have been motivated to make such a combination to enhance security by extracting information on host communicating when vulnerability score is greater than or equal to threshold value and providing the extracted information, as taught by Kim [0023].
Regarding claim 7, Dinh in view of Zeguendry and Alam teach the method of claim 1 as recited above. Dinh in view of Zeguendry and Alam do not appear to disclose, but Kim teaches the limitation of ‘determining that a vulnerability probability associated with the vulnerability is greater than the corresponding threshold of the vulnerability type’ ([0105] Fig. 8, quantum vulnerability score L1 85 is based off vulnerability scores 84 and analysis weights w1-wn. Paragraph [0118] states that when a quantum vulnerability score at source code level L1 is above a threshold, additional quantum vulnerability analysis of library level L2, application level L3, and network level L4 is also performed. Each analysis level has a respective threshold, corresponding to thresholds of a vulnerability type of the Applicant.).
Accordingly, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention, having the teachings of Dinh, Zeguendry, Alam, and Kim before them, to include Kim ‘determining that a vulnerability probability associated with the vulnerability is greater than the corresponding threshold of the vulnerability type’ in Dinh’s method performing ‘source code vulnerability detection’. One would have been motivated to make such a combination to enhance security by performing additional analysis for levels of a program of quantum source code, as taught by Kim [0118].
Regarding claim 13, Dinh in view of Zeguendry and Alam teach the method of claim 9 as recited above. Dinh in view of Zeguendry and Alam, and further in view of Kim also teaches the limitations of dependent claim 6 recited above.
Regarding claim 14, Dinh in view of Zeguendry and Alam teach the method of claim 9 as recited above. Dinh in view of Zeguendry and Alam, and further in view of Kim also teaches the limitations of dependent claim 7 recited above.
Regarding claim 19, Dinh in view of Zeguendry and Alam teach the method of claim 16 as recited above. Dinh in view of Zeguendry and Alam, and further in view of Kim also teaches the limitations of dependent claim 7 recited above.
Conclusion
THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TOMMY MARTINEZ whose telephone number is (703)756-5651. The examiner can normally be reached Monday thru Friday 8AM-4PM ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge L. Ortiz-Criado can be reached at (571) 272-7624 on Monday thru Friday 7AM-7PM ET. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/T.M./Examiner, Art Unit 2496
/JORGE L ORTIZ CRIADO/Supervisory Patent Examiner, Art Unit 2496