DETAILED ACTION
This office action is in reply to applicant communication filed on January 13, 2026.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 1-11 and 13-15 have been amended.
Claims 1-11 and 13-15 are pending.
Response to Argument
Applicant’s arguments filed on January 13, 2026 with respect to the 35 U.S.C. 103 rejections have been fully considered but are moot in view of new ground(s) of rejection.
Applicant’s arguments filed on January 13, 2026 with respect to the 35 U.S.C. 101 rejections have been fully considered, and the rejections are withdrawn in view of applicant’s arguments.
Applicant’s arguments filed on January 13, 2026 with respect to the 35 U.S.C. 112 rejection of claim 12 have been fully considered, and the rejection is withdrawn due to the cancellation of the claim.
Applicant argues that the prior art of record fails to teach the amended limitation of the independent claims. However, upon further consideration, a new ground(s) of rejection is made using the newly found prior art to Basavapatna (US Pub. No. 2013/0191919).
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1-11 and 13-15 are rejected under 35 U.S.C. 103 as being unpatentable over Ueda (US Pub. No. 2023/0018096) in view of Basavapatna (US Pub. No. 2013/0191919).
As per claim 1 Ueda discloses:
A server apparatus comprising: one or more memories; and one or more processors, wherein the one or more processors and the one or more memories are configured to: (paragraph 122 of Ueda, each apparatus and each function (processing) may be implemented by a computer 20 including a processor 21 such as a CPU (Central Processing Unit) and a memory 22 as a storage device).
Acquire vulnerability information about an information processing apparatus; (paragraph 43 of Ueda, vulnerability information of the information system is collected (S102)).
Acquire information about a network to which the information processing apparatus is connected; (paragraph 42 of Ueda, in the recognition of the vulnerability (S110), a configuration of the information system is acquired (S101)) and (paragraph 60 of Ueda, the system configuration information includes hardware information, software information, network information, various setting information, and the like of node devices (terminals) constituting the information system).
Transmit, to the information processing apparatus, vulnerability countermeasure information based on the vulnerability information and the information about the network. (Paragraph 44 of Ueda, it is determined whether or not the vulnerability needs to be addressed (S103). Based on the collected vulnerability information, it is determined whether or not the vulnerabilities of the software and the hardware should be addressed in the information system) and (paragraph 45 of Ueda, when it is determined that a countermeasure is needed, detection and analysis (S104) of an attack exploiting the vulnerability are performed as a countermeasure against the vulnerability (S120). By referring to a log of the information system, it is confirmed whether there is any trace of the attack which exploited the corresponding vulnerability. Depending on a result of the detection of the attack exploiting the vulnerability and the details of the vulnerability, necessary countermeasures such as prevention (mitigation measure) (S105), containment/eradication/recovery (S106), and prevention (permanent measure) (S107) shall be taken. In the prevention (mitigation measure) (S105), filtering of IP (Internet Protocol) addresses and URLs (Uniform Resource Locators) is set in the information system. The containment/eradication/recovery (S106) involve incident handling. In the prevention (permanent measure) (S107), a patch is installed in the information system) and (paragraph 82 of Ueda, the output unit 150 outputs all the results when all the determination results of the temporal value determination unit 120, the environmental value determination unit 130, and the base value determination unit 140 indicate that a countermeasure is needed. Alternatively, the output unit may output only the result indicating that a countermeasure is needed if any one of the determination results indicates so. The output method is not limited, and the determination result may be displayed on a display unit (display device) by a GUI (Graphical User Interface), or the user may be notified of data in any format indicating the determination result).
Ueda teaches the method of collecting vulnerability information and providing a countermeasure (see paragraphs 43 and 44 of Ueda) but fails to disclose:
Wherein the vulnerability countermeasure information indicates a vulnerability, among a plurality of vulnerabilities, against which the information processing apparatus is to take measures.
However, in the same field of endeavor, Basavapatna teaches this limitation as, (paragraph 14 of Basavapatna, one aspect of the subject matter described in this specification can be embodied in methods that include the actions of receiving vulnerability definition data including, for each of a plurality of vulnerabilities, an indication of the vulnerability, an identification of one or more countermeasures that reduce a risk associated with possession of the vulnerability by an asset, an indication of a level of protection potentially afforded by each countermeasure for the vulnerability, and applicability information describing one or more configurations of assets to which the vulnerability applies).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Ueda to include the above limitation using the teaching of Basavapatna in order to enhance the security of a computing system by providing an appropriate countermeasure based on the type of vulnerability (see paragraph 14 of Basavapatna).
Claim 14 is rejected for the same reason set forth in the rejection of claim 1.
As per claim 2 Ueda in view of Basavapatna discloses:
The server apparatus according to claim 1, wherein the information about the network is an identifier configured to identify security of the network to which the information processing apparatus is connected. (Paragraph 105 of Ueda, based on the determination of the complexity of the attack condition, it is confirmed whether or not information (configuration information, sequence number, shared key, etc.) necessary for a successful attack in the base value of the vulnerability matches that of the policy of the information system (whether or not information necessary for a successful attack in the base value of the vulnerability is included in the policy)) and (paragraph 42 of Ueda, in the recognition of the vulnerability (S110), a configuration of the information system is acquired (S101)) and (paragraph 60 of Ueda, the system configuration information includes hardware information, software information, network information, various setting information, and the like of node devices (terminals) constituting the information system).
As per claim 3 Ueda in view of Basavapatna discloses:
The server apparatus according to claim 1, wherein the one or more processors and the one or more memories are further configured to acquire the information about the network from a network device within the network to which the information processing apparatus is connected. (paragraph 42 of Ueda, in the recognition of the vulnerability (S110), a configuration of the information system is acquired (S101)) and (paragraph 60 of Ueda, the system configuration information includes hardware information, software information, network information, various setting information, and the like of node devices (terminals) constituting the information system).
As per claim 4 Ueda in view of Basavapatna discloses:
The server apparatus according to claim 1, wherein the one or more processors and the one or more memories are further configured to acquire the vulnerability information, based on information about at least one of a protocol, a port, software, and hardware that are used in the information processing apparatus. (Paragraph 42 of Ueda, in the recognition of the vulnerability (S110), a configuration of the information system is acquired (S101). Software and hardware included in the information system are acquired by referring to a detailed design document of the information system and obtaining system configuration information of the information system).
As per claim 5 Ueda in view of Basavapatna discloses:
The server apparatus according to claim 1, wherein the one or more processors and the one or more memories are further configured to acquire the vulnerability information, based on information about at least one of a vendor name, a device name, and a model number of the information processing apparatus. (Paragraph 105 of Ueda, based on the determination of the complexity of the attack condition, it is confirmed whether or not information (configuration information, sequence number, shared key, etc.) necessary for a successful attack in the base value of the vulnerability matches that of the policy of the information system (whether or not information necessary for a successful attack in the base value of the vulnerability is included in the policy)) and (paragraph 42 of Ueda, in the recognition of the vulnerability (S110), a configuration of the information system is acquired (S101)) and (paragraph 60 of Ueda, the system configuration information includes hardware information, software information, network information, various setting information, and the like of node devices (terminals) constituting the information system).
As per claim 6 Ueda in view of Basavapatna discloses:
The server apparatus according to claim 1, wherein the one or more processors and the one or more memories are further configured to generate the vulnerability countermeasure information, based on attack information about the vulnerability information and a vulnerability severity in the vulnerability information. (Paragraph 8 of Ueda, an analysis apparatus according to the present disclosure includes: environment assessment means for assessing environmental metrics of a Common Vulnerability Scoring System (CVSS) as regards a vulnerability in an information system based on an attack path extracted from the information system to which the vulnerability to be analyzed is applied; base assessment means for assessing base metrics of the CVSS as regards the vulnerability in the information system based on obtained CVSS base value information of the vulnerability and a predetermined base value countermeasure determination condition of the information system; and determination means for determining whether or not the vulnerability in the information system needs to be addressed based on an assessment result of the environmental metrics and an assessment result of the base metrics).
As per claim 7 Ueda in view of Basavapatna discloses:
The server apparatus according to claim 1, wherein the one or more processors and the one or more memories are further configured to, in a case where network information specified by the vulnerability information matches the information about the network, transmit the vulnerability information to the information processing apparatus. (Paragraph 105 of Ueda, based on the determination of the complexity of the attack condition, it is confirmed whether or not information (configuration information, sequence number, shared key, etc.) necessary for a successful attack in the base value of the vulnerability matches that of the policy of the information system (whether or not information necessary for a successful attack in the base value of the vulnerability is included in the policy)) and (paragraph 42 of Ueda, in the recognition of the vulnerability (S110), a configuration of the information system is acquired (S101)) and (paragraph 60 of Ueda, the system configuration information includes hardware information, software information, network information, various setting information, and the like of node devices (terminals) constituting the information system).
As per claim 8 Ueda in view of Basavapatna discloses:
The server apparatus according to claim 1, wherein the vulnerability countermeasure information includes a setting target in which a setting value is to be changed in the information processing apparatus, the setting value after a change, and necessity for a vulnerability countermeasure. (Paragraph 92 of Ueda, the attack path extraction unit 133 extracts the attack path (S233). The attack path extraction unit 133 generates the attack graph by using the attack graph generation technique based on the set and analyzed information, and extracts the attack path of the information system including a vulnerability of the analysis target. That is, by inputting the system configuration information to which the newly discovered vulnerability to be analyzed is applied in addition to existing vulnerabilities, the entry point, the attack target, and the like to the attack graph generation technique, the attack graph from the entry point to the attack target passing through the vulnerability of each node is generated).
As per claim 9 Ueda in view of Basavapatna discloses:
The server apparatus according to claim 6, wherein the one or more processors and the one or more memories are further configured to, in a case where the vulnerability severity in the vulnerability information is greater than a predetermined value, transmit the vulnerability information to the information processing apparatus. (Paragraph 8 of Ueda, an analysis apparatus according to the present disclosure includes: environment assessment means for assessing environmental metrics of a Common Vulnerability Scoring System (CVSS) as regards a vulnerability in an information system based on an attack path extracted from the information system to which the vulnerability to be analyzed is applied; base assessment means for assessing base metrics of the CVSS as regards the vulnerability in the information system based on obtained CVSS base value information of the vulnerability and a predetermined base value countermeasure determination condition of the information system; and determination means for determining whether or not the vulnerability in the information system needs to be addressed based on an assessment result of the environmental metrics and an assessment result of the base metrics).
As per claim 10 Ueda in view of Basavapatna discloses:
The server apparatus according to claim 1, wherein the one or more processors and the one or more memories are further configured to, in a case where authentication by the information processing apparatus is successful, transmit the vulnerability information to the information processing apparatus. (Paragraph 103 of Ueda, in the determination of the privilege level (S253), whether or not a countermeasure is needed is determined based on whether or not the “privilege level” of the base value information of the vulnerability matches the “privilege level” of the policy determination table (whether or not the “privilege level” of the base value information of the vulnerability is included in the policy). By determining the privilege level, it is confirmed whether or not the necessity of authentication and administrator privilege (whether or not access to secret information is needed or the like) of the base value of the vulnerability matches that of the policy of the information system (whether or not the necessity of authentication and administrator privilege of the base value of the vulnerability is included in the policy)).
As per claim 11 Ueda discloses:
An information processing apparatus comprising: one or more memories; and one or more processors, wherein the one or more processors and the one or more memories are configured to: (paragraph 122 of Ueda, each apparatus and each function (processing) may be implemented by a computer 20 including a processor 21 such as a CPU (Central Processing Unit) and a memory 22 as a storage device).
Acquire vulnerability countermeasure information; (paragraph 84 of Ueda, as shown in FIG. 13, in the vulnerability information collection processing, the security information collection unit 110 obtains the vulnerability information from the vulnerability information DB 300, such as a public database (S211), and determines whether or not a new vulnerability has been discovered (S212)).
Acquire information about a network being connected; and determine whether to apply the vulnerability countermeasure information, based on the information about the network. (Paragraph 85 of Ueda, when a new vulnerability is discovered, the security information collection unit 110 obtains the system configuration information of the system configuration information DB 200 in order to analyze whether or not the new vulnerability in the user's information system needs to be addressed (S213). In addition, the security information collection unit 110 obtains the intelligence information about the vulnerability and the like from, for example, the vulnerability information DB 300 and the vendor) and (paragraph 42 of Ueda, in the recognition of the vulnerability (S110), a configuration of the information system is acquired (S101)) and (paragraph 60 of Ueda, the system configuration information includes hardware information, software information, network information, various setting information, and the like of node devices (terminals) constituting the information system).
Ueda teaches the method of collecting vulnerability information and providing a countermeasure (see paragraphs 43 and 44 of Ueda) but fails to disclose:
Wherein the vulnerability countermeasure information indicates a vulnerability, among a plurality of vulnerabilities, against which the information processing apparatus is to take measures.
However, in the same field of endeavor, Basavapatna teaches this limitation as, (paragraph 14 of Basavapatna, one aspect of the subject matter described in this specification can be embodied in methods that include the actions of receiving vulnerability definition data including, for each of a plurality of vulnerabilities, an indication of the vulnerability, an identification of one or more countermeasures that reduce a risk associated with possession of the vulnerability by an asset, an indication of a level of protection potentially afforded by each countermeasure for the vulnerability, and applicability information describing one or more configurations of assets to which the vulnerability applies).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Ueda to include the above limitation using the teaching of Basavapatna in order to enhance the security of a computing system by providing an appropriate countermeasure based on the type of vulnerability (see paragraph 14 of Basavapatna).
Claim 15 is rejected for the same reason set forth in the rejection of claim 11.
As per claim 13 Ueda in view of Basavapatna discloses:
The information processing apparatus according to claim 11, wherein the one or more processors and the one or more memories are further configured to acquire the vulnerability countermeasure information from a server apparatus. (Paragraph 98 of Ueda, in the information system 400, when the maintenance server 422, the monitoring control server 423, and the HMI 424 are important assets, it is assumed that a vulnerability is present in the monitoring control server 423. Although the monitoring control server 423 is an important asset, it cannot be directly accessed from the OA terminal 411 because of the FW2 and has no external connection. Thus, the attack graph is analyzed, and the attack path from the Internet 401 to the monitoring control server 423 is not extracted, and it is therefore determined that a countermeasure against the vulnerability is not needed (S241). That is, in this case, since the monitoring control server 423 is isolated by the FW2, the countermeasure is suspended).
Conclusion
The prior art made of record and not relied upon that is considered pertinent to applicant’s disclosure is McConnell (US Pub. No. 2011/0093786). McConnell’s reference discloses:
Systems and methods for geographically mapping a vulnerability of a network having one or more network points include receiving vulnerability information identifying a vulnerability of a point of the network, correlating the vulnerability information with location information for the identified network point, and network identification information for the identified network point, and generating a map displaying a geographical location of the vulnerability.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TESHOME HAILU whose telephone number is (571)270-3159. The examiner can normally be reached M-F 8 a.m. - 5 p.m.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ali Shayanfar, can be reached at (571) 270-1050. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/TESHOME HAILU/Primary Examiner, Art Unit 2434