Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
Response to Arguments
Applicant's arguments filed 12/19/2025 have been fully considered and are persuasive. However, after further search and consideration, a new ground of rejection has been made, further in view of Fainberg (US-20230319081-A1).
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1, 4, 5, 7, 9, 10, 11, 13, 16, 17, 19, and 21 are rejected under 35 U.S.C. 103 as being unpatentable over Kanso (US-11956266-B2) in view of Fennelly (C. Fennelly. "Vulnerabilities by Common Ports". Tenable. https://www.tenable.com/tenable-io-dashboards/vulnerabilities-by-common-ports-dashboard. (Year: 2022)), Ungureanu (US-20240146755-A1), and Fainberg (US-20230319081-A1).
Regarding claim 1, Kanso shows a method comprising: determining a base vulnerability score for a particular vulnerability that is detected for an endpoint device (col. 9 lines 50-54, col. 10 lines 50-55, col. 13 lines 25-30) of an enterprise (col. 6 lines 35-50) network (col. 16 lines 19-22, col. 17 lines 38-47); determining topology information for the endpoint device within the enterprise network, wherein the topology information indicates one or more network security mechanisms of a network security infrastructure of the enterprise network that are capable of preventing the particular vulnerability from being triggered for the endpoint device (col. 18 lines 9-35 and lines 54-67, col. 19 lines 21-32);
obtaining security policies for the one or more network security mechanisms of the network security infrastructure that are to potentially protect the endpoint device from vulnerabilities (col. 9 lines 27-34, col. 10 line 60 – col. 11 line 5, col. 13 lines 15-17); performing a comparison between the security policies for the one or more network security mechanisms of the network security infrastructure and the triggering information to determine whether the endpoint device is protected from the particular vulnerability being triggered for the endpoint device (col. 9 lines 15-21); and generating an updated vulnerability score for the particular vulnerability that is detected for the endpoint device by adjusting the base vulnerability score based on whether the endpoint device is protected from the particular vulnerability being triggered for the endpoint device (col. 9 lines 33-38, col. 16 lines 25-31, col. 17 lines 25-41). Kanso does not show: translating the particular vulnerability to triggering information that identifies mechanisms through which to trigger the particular vulnerability for the endpoint device. Fennelly shows translating the particular vulnerability to triggering information that identifies mechanisms through which to trigger the particular vulnerability for the endpoint device (pgs. 1 – 2).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the vulnerability analysis and reporting of Kanso with the vulnerability processing of Fennelly (translating the information of, e.g., the figures on page 1 of Fennelly, for use in the reports of Kanso) in order to provide additional information to systems administrators, thus enabling more efficient vulnerability tracking and mitigation. The above combination does not show that the preventative efforts are directed to preventing the vulnerability from executing on the endpoint device via one or more attack paths to the endpoint device; that consideration is made regarding the vulnerability executing or operating on the endpoint device; or the vulnerability being triggered via the one or more attack paths to the endpoint device to execute or operate on the endpoint device. Ungureanu shows the vulnerability executing on the endpoint device via one or more attack paths to the endpoint device, where consideration is made regarding the vulnerability executing or operating on the endpoint device, and the vulnerability being triggered via the one or more attack paths to the endpoint device to execute or operate on the endpoint device ([30] discussing exploiting a misconfiguration in order to gain privilege, the privilege being used to execute an attack/leverage a vulnerability, and [30-36] discussing identification of attack paths using connectivity information, network state, and vulnerabilities, which includes analysis of an attack chain, as discussed in [45-47], that results in identification of an attack path to a particular endpoint, e.g., as illustrated in Figs. 4 and 6, the attack path from vulnerability X -> Y -> 1, where such a path can be computed for each node in a network).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the vulnerability analysis of the above combination with the attack graph and attack path consideration, performed on a node-by-node basis, as suggested by Ungureanu, in order to efficiently evaluate an entire network while also considering how attackers leverage exploits on one node to access other parts of a protected network (Ungureanu, [2,18-19]).
The above combination does not show: based on determining that the endpoint device is not protected by the one or more network security mechanisms of the network security infrastructure, generating a recommendation indicating one or more security controls or policies for the network security infrastructure that are capable of lowering the updated vulnerability score. Fainberg shows: based on determining that the endpoint device is not protected by the one or more network security mechanisms of the network security infrastructure ([51], see “security risk is determined . . .” and [52], discussing determining vulnerability based on the version of installed software and applied patches, and [60] discussing determining when a threshold security risk is exceeded), generating a recommendation indicating one or more security controls or policies for the network security infrastructure that are capable of lowering ([57-60] discussing providing suggestions in view of the detected vulnerabilities) the updated vulnerability score ([17-18], discussing continually calculating and displaying current (and updated) vulnerability calculations).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the vulnerability analysis of the above combination with the vulnerability protection evaluation and responsive suggestion of Fainberg in order to better ensure that desirable patches, updates, and configurations are applied to mitigate security risks in the dynamic and complex networking environments shared by Fainberg and the above combination.
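The method as characterized in the rejection of claim 1 above (translate a detected vulnerability into the ports through which it can be triggered, compare those ports against the policies of the security mechanisms on each attack path to the endpoint, adjust the base score according to whether every triggering mechanism is blocked, and, where the endpoint is unprotected, recommend a policy change that would lower the score) can be illustrated in code. The following Python is an added example written for this page; it is not code from the Office action, from the application under examination, or from any cited reference (Kanso, Fennelly, Ungureanu, Fainberg). The vulnerability identifiers, network zones, firewall rules, and the 0.25/0.75 adjustment factors are constructed assumptions chosen only to make the mechanics visible.

```python
"""Compensating-control-aware vulnerability scoring (illustrative, constructed data)."""
from typing import Dict, List, NamedTuple, Set, Tuple


class Trigger(NamedTuple):
    proto: str   # "tcp" or "udp"
    port: int


class Rule(NamedTuple):
    action: str              # "allow" or "deny"
    proto: str               # "tcp", "udp", or "any"
    ports: Tuple[int, int]   # inclusive port range
    src_zone: str            # "any" or a zone name


class Mechanism:
    """A network security mechanism (e.g. a firewall) with first-match-wins rules."""

    def __init__(self, name: str, rules: List[Rule], default: str = "deny"):
        self.name, self.rules, self.default = name, rules, default

    def permits(self, trig: Trigger, src_zone: str) -> bool:
        for r in self.rules:
            if (r.proto in ("any", trig.proto)
                    and r.ports[0] <= trig.port <= r.ports[1]
                    and r.src_zone in ("any", src_zone)):
                return r.action == "allow"
        return self.default == "allow"


# Constructed "translation" table: vulnerability -> triggering information (ports).
TRIGGERS: Dict[str, List[Trigger]] = {
    "VULN-SMB-EXAMPLE": [Trigger("tcp", 445), Trigger("tcp", 139)],
    "VULN-RDP-EXAMPLE": [Trigger("tcp", 3389)],
}

# Constructed topology: attack paths to the endpoint as (source zone, mechanisms on the path).
PERIMETER_FW = Mechanism("perimeter-fw", [Rule("allow", "tcp", (443, 443), "any")])
DC_FW = Mechanism("dc-fw", [
    Rule("allow", "tcp", (445, 445), "corp_lan"),
    Rule("allow", "tcp", (3389, 3389), "admin"),
    Rule("allow", "tcp", (443, 443), "any"),
])
ATTACK_PATHS: List[Tuple[str, List[Mechanism]]] = [
    ("internet", [PERIMETER_FW, DC_FW]),
    ("corp_lan", [DC_FW]),
]


def reachable_triggers(vuln_id: str, attack_paths) -> Set[Trigger]:
    """Triggers that some attack path lets through every mechanism on that path."""
    reachable: Set[Trigger] = set()
    for trig in TRIGGERS[vuln_id]:
        for src_zone, mechs in attack_paths:
            if all(m.permits(trig, src_zone) for m in mechs):
                reachable.add(trig)
    return reachable


def recommend(vuln_id: str, attack_paths) -> List[str]:
    """For each still-reachable trigger, a deny rule on the first mechanism of each open path."""
    recs = set()
    for trig in reachable_triggers(vuln_id, attack_paths):
        for src_zone, mechs in attack_paths:
            if all(m.permits(trig, src_zone) for m in mechs):
                target = mechs[0].name if mechs else "host firewall on endpoint"
                recs.add(f"{target}: deny {trig.proto}/{trig.port} from zone {src_zone}")
    return sorted(recs)


def assess(vuln_id: str, base_score: float, attack_paths, asset_importance: float = 1.0) -> dict:
    """Adjust the base score by exposure, then weight by asset importance (assumed factors)."""
    trigs = TRIGGERS[vuln_id]
    reach = reachable_triggers(vuln_id, attack_paths)
    # Fully blocked -> retain 25% of base; otherwise scale with the fraction of open triggers.
    raw_first = base_score * (0.25 + 0.75 * len(reach) / len(trigs))
    return {
        "protected": not reach,
        "reachable": reach,
        "first_score": round(raw_first, 1),
        "second_score": round(min(10.0, raw_first * asset_importance), 1),
        "recommendations": recommend(vuln_id, attack_paths) if reach else [],
    }


if __name__ == "__main__":
    for vid, base in (("VULN-SMB-EXAMPLE", 9.8), ("VULN-RDP-EXAMPLE", 7.5)):
        print(vid, assess(vid, base, ATTACK_PATHS, asset_importance=1.5))
```

In this constructed scenario the SMB vulnerability stays reachable over tcp/445 from corp_lan through dc-fw, so its score is only partly reduced and a deny rule on dc-fw is recommended, whereas the RDP vulnerability is blocked on every path and keeps only the residual 25% of its base score with no recommendation.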
Regarding claim 4, the above combination further shows wherein the triggering information identifies at least one of: one or more port numbers through which to trigger the particular vulnerability that is detected for the endpoint device; one or more internet protocol (IP) addresses through which to trigger the particular vulnerability that is detected for the endpoint device; or one or more function calls through which to trigger the particular vulnerability that is detected for the endpoint device (Fennelly, pgs. 1-2, particularly the figures correlating port numbers with particular vulnerabilities on pg. 1 lines 29-35).
Regarding claim 5, the above combination further shows obtaining priority information that identifies an asset importance of the endpoint device (Fainberg, [14,41,53]).
Regarding claim 7, the above combination further shows wherein the translating (the adaptation of the content displayed on Fennelly’s pg. 1 into Kanso’s vulnerability analysis system) is based on vulnerability information obtained from one or more vulnerability information sources (Fennelly, pg. 2 lines 9-10, lines 37-38, and lines 46-48 and Kanso, col. 12 lines 40-50) in which the triggering information identifies the mechanisms through which the particular vulnerability that is detected for the endpoint device can be triggered (Fennelly, pgs. 1 - 2) to execute or operate on the endpoint device via the one or more attack paths to the endpoint device (Ungureanu, Figs. 4 and 6, [30-33,45-47]).
Regarding claim 9, the limitations of said claim are addressed in the rejection of claim 1.
Regarding claim 13, Kanso shows a system comprising: at least one memory element for storing data (Fig. 1 item 104); and at least one processor (Fig. 1 item 106) for executing instructions associated with the data, wherein executing the instructions causes the system to perform operations, comprising: determining a base vulnerability score for a particular vulnerability that is detected for an endpoint device (col. 9 lines 50-54, col. 10 lines 50-55, col. 13 lines 25-30) of an enterprise (col. 6 lines 35-50) network (col. 16 lines 19-22, col. 17 lines 38-47); determining topology information for the endpoint device within the enterprise network, wherein the topology information indicates one or more network security mechanisms of a network security infrastructure of the enterprise network that are capable of preventing the particular vulnerability from being triggered for the endpoint device (col. 18 lines 9-35 and lines 54-67, col. 19 lines 21-32);
obtaining security policies for the one or more network security mechanisms of the network security infrastructure that are to potentially protect the endpoint device from vulnerabilities (col. 9 lines 27-34, col. 10 line 60 – col. 11 line 5, col. 13 lines 15-17); performing a comparison between the security policies for the one or more network security mechanisms of the network security infrastructure and the triggering information to determine whether the endpoint device is protected from the particular vulnerability being triggered for the endpoint device (col. 9 lines 15-21); and generating an updated vulnerability score for the particular vulnerability that is detected for the endpoint device by adjusting the base vulnerability score based on whether the endpoint device is protected from the particular vulnerability being triggered for the endpoint device (col. 9 lines 33-38, col. 16 lines 25-31, col. 17 lines 25-41). Kanso does not show: translating the particular vulnerability to triggering information that identifies mechanisms through which to trigger the particular vulnerability for the endpoint device. Fennelly shows translating the particular vulnerability to triggering information that identifies mechanisms through which to trigger the particular vulnerability for the endpoint device (pgs. 1 – 2).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the vulnerability analysis and reporting of Kanso with the vulnerability processing of Fennelly (translating the information of, e.g., the figures on page 1 of Fennelly, for use in the reports of Kanso) in order to provide additional information to systems administrators, thus enabling more efficient vulnerability tracking and mitigation. The above combination does not show that the preventative efforts are directed to preventing the vulnerability from executing on the endpoint device via one or more attack paths to the endpoint device; that consideration is made regarding the vulnerability executing or operating on the endpoint device; or the vulnerability being triggered via the one or more attack paths to the endpoint device to execute or operate on the endpoint device. Ungureanu shows the vulnerability executing on the endpoint device via one or more attack paths to the endpoint device, where consideration is made regarding the vulnerability executing or operating on the endpoint device, and the vulnerability being triggered via the one or more attack paths to the endpoint device to execute or operate on the endpoint device ([30] discussing exploiting a misconfiguration in order to gain privilege, the privilege being used to execute an attack/leverage a vulnerability, and [30-36] discussing identification of attack paths using connectivity information, network state, and vulnerabilities, which includes analysis of an attack chain, as discussed in [45-47], that results in identification of an attack path to a particular endpoint, e.g., as illustrated in Figs. 4 and 6, the attack path from vulnerability X -> Y -> 1, where such a path can be computed for each node in a network).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the vulnerability analysis of the above combination with the attack graph and attack path consideration, performed on a node-by-node basis, as suggested by Ungureanu, in order to efficiently evaluate an entire network while also considering how attackers leverage exploits on one node to access other parts of a protected network (Ungureanu, [2,18-19]).
The above combination does not show: based on determining that the endpoint device is not protected by the one or more network security mechanisms of the network security infrastructure, generating a recommendation indicating one or more security controls or policies for the network security infrastructure that are capable of lowering the updated vulnerability score. Fainberg shows: based on determining that the endpoint device is not protected by the one or more network security mechanisms of the network security infrastructure ([51], see “security risk is determined . . .” and [52], discussing determining vulnerability based on the version of installed software and applied patches, and [60] discussing determining when a threshold security risk is exceeded), generating a recommendation indicating one or more security controls or policies for the network security infrastructure that are capable of lowering ([57-60] discussing providing suggestions in view of the detected vulnerabilities) the updated vulnerability score ([17-18], discussing continually calculating and displaying current (and updated) vulnerability calculations).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the vulnerability analysis of the above combination with the vulnerability protection evaluation and responsive suggestion of Fainberg in order to better ensure that desirable patches, updates, and configurations are applied to mitigate security risks in the dynamic and complex networking environments shared by Fainberg and the above combination.
Regarding claims 10, 11, and 16, the limitations of said claims are addressed in the rejection of claim 4.
Regarding claims 17 and 21, the limitations of said claims are addressed in the rejection of claim 5.
Regarding claim 19, the limitations of said claim are addressed in the rejection of claim 7.
Claims 6, 8, 12, 18, 20, and 22 are rejected under 35 U.S.C. 103 as being unpatentable over Kanso in view of Fennelly, Ungureanu, and Fainberg, as applied to claim 1 above, further in view of Attar (US-20210288995-A1). Regarding claim 6, the above combination further shows wherein generating the updated vulnerability score includes generating a first updated vulnerability score for the particular vulnerability that is detected for the endpoint device by adjusting the base vulnerability score based on determining whether the endpoint device is protected from the particular vulnerability being triggered for the endpoint device (Kanso, col. 19 lines 45-65, col. 22 lines 26-56). The above combination does not show: applying a weight to the first updated vulnerability score based on the priority information to generate a second updated vulnerability score. Attar shows: applying a weight to the first updated vulnerability score based on the priority information to generate a second updated vulnerability score ([95-115]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the vulnerability analysis and processing of the above combination with the priority information use of Attar in order to better ensure that more important resources receive comparable protection and consideration in line with their respective importance.
Regarding claim 8, the above combination shows claim 1. The above combination does not show wherein the method is performed for a plurality of endpoint devices of the enterprise network for which one or more other vulnerabilities are detected. Attar shows wherein the method is performed for a plurality of endpoint devices of the enterprise network for which one or more other vulnerabilities are detected ([69,75-77,117-125]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the vulnerability analysis and processing of the above combination with the priority information of Attar in order to better ensure that more important resources receive comparable protection and consideration in line with their respective importance.
Regarding claims 12 and 20, the limitations of said claims are addressed in the rejection of claim 8.
Regarding claims 18 and 22, the limitations of said claims are addressed in the rejection of claim 6.
Claim 23 is rejected under 35 U.S.C. 103 as being unpatentable over Kanso in view of Fennelly, Ungureanu, and Fainberg, as applied to claim 1 above, further in view of Andriani (US-20230156032-A1). Regarding claim 23, the above combination further shows claim 1. The above combination does not show: synthesizing an exploit for the enterprise network, wherein the particular vulnerability for the endpoint device is determined based on the synthesized exploit. Andriani shows: synthesizing an exploit for the enterprise network (Figs. 3, 4, and [97,153,155]), wherein the particular vulnerability for the endpoint device is determined based on the synthesized exploit ([156-158], e.g., see [158] discussing, after the synthesized exploit is leveraged via, e.g., the process illustrated in Figs. 4 (particularly steps 502, 504), responsiveness “if a . . . vulnerability has been identified”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the vulnerability analysis and processing of the above combination with the attack simulation and evaluation of Andriani in order to ensure the network reacts as expected when confronted with exploitative/attacking behavior and actions.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JOHN M MACILWINEN whose telephone number is (571)272-9686. The examiner can normally be reached Monday - Friday, 9:00 - 5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Glenton B Burgess can be reached at (571) 272 - 3949. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
JOHN MACILWINEN
Primary Examiner
Art Unit 2442
/JOHN M MACILWINEN/Primary Examiner, Art Unit 2454