DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Status of Claims
The following claim(s) is/are pending in this office action: 1-3, 5-10, 12, 15-20
The following claim(s) is/are amended: 1-2, 6, 8-9, 16-17, 20
The following claim(s) is/are cancelled: 4, 11, 13-14
The following claim(s) is/are new: -
Claim(s) 1-3, 5-10, 12, 15-20 is/are rejected.
Response to Arguments
Applicant’s arguments filed with the amendment filed 12/4/2025 have been fully considered but are moot in view of the new grounds of rejection. The reasons are set forth below.
Applicant’s Invention as Claimed
Claim Rejections - 35 USC § 103
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-3, 5-10, 12, 15-20 are rejected under 35 U.S.C. 103 as being unpatentable over McGee (US Pub. 2016/0378993) in view of Nickolov (US Pub. 2017/0034023).
With respect to Claim 1, McGee teaches a system, comprising: a computing device comprising a processor and a memory; and a set of machine-readable instructions stored in the memory that, when executed by the processor, cause the computing device to at least: (para. 27; processor, memory and instructions)
collect a list of available updates from a device management system; (para. 50; system tracks updates including actual or expected release date of update. See also Nickolov, paras. 314-324; system tracks software packages including version and list of CVEs which have been fixed for the package. Paras. 587-591; system monitors for detection of release of OS or software version. Para. 218; system outputs available packages. Para. 603; notification of new component version availability.)
query the device management system to obtain device information of a client device; (para. 33; user selects a class of devices like a Samsung Galaxy 6. The class has the same components and software. Paras. 34-35; system accesses a database that stores data based on product line or vulnerability.)
determine a first common platform enumeration (CPE) of a current version of the one or more applications; (para. 36; system determines vulnerability for the class of products based on CPE ID. para. 50; database includes entries with version numbers of products.)
determine a second CPE that reflects the one or more applicable updates having been applied to the current version of the one or more applications on the client device; (para. 36; database entries identified based on CPE ID. para. 50; database includes updates and whether a security vulnerability is resolved in the update. Para. 50; version status includes whether update was applied or not.)
perform a first reverse lookup in a vulnerability database for a first one or more common vulnerabilities and exposures (CVE) associated with the current version of the one or more applications on the client device based on the first CPE of the current version; (para. 37; system identifies CVE IDs for the product. Para. 47; search by CVE ID. Examiner asserts this teaches a reverse lookup, but to the extent a reverse lookup is not taught it would have been obvious to one of ordinary skill prior to the effective filing date to perform a reverse lookup in order to determine vulnerabilities for a product despite the database not being ordered by CVE.)
But McGee does not explicitly teach comparing versions.
Nickolov, however, does teach determine one or more applicable updates for one or more applications on the client device based at least in part on the list of available updates and the device information; (Although this is not explicitly disclosed in McGee, para. 50, Examiner asserts McGee, para. 50 suggests applicable updates because it tracks “a product identifier indicating the product line being updated.” Further, Examiner cites Nickolov, paras. 314-324; system tracks software packages including version and list of CVEs which have been fixed for the package. Paras. 587-591; system monitors for detection of release of OS or software version. Para. 952; System presents available versions for a package to user.)
perform a second reverse lookup in the vulnerability database for a second one or more CVE associated with the one or more applicable updates of the one or more applications based on the second CPE; (paras. 311, 405; CVEs that have been fixed in a package. Paras. 402-405; system tracks CVEs in relation to software versions. Further, application of a known technique to similar elements for expected benefits or predictable results is obvious, see MPEP 2143(C) and (D). Here McGee previously taught identifying CVE associated with a current version of applications, which renders identifying CVE associated with an updated version of an application obvious as it provides expected results and benefits. Examiner also cites McGee, para. 37; system identifies CVE IDs for the product. Para. 47; search by CVE ID.)
compare the first one or more CVE of the current version of the one or more applications on the client device with the second one or more CVE associated with the one or more applicable updates of the one or more applications; (Fig. 8, paras. 558-559, 599-600, 610-612, 1134; system includes recommendation and conditional updating procedure which monitors and performs updates based on scoring of components, including vulnerability scoring. Fig. 21, paras. 618-625, 794, 810-819; system recommends action such as upgrading package to new version. Fig. 16, paras. 458, 708-710, 725, 744, 754-760; system provides comparison information for updating. Comparison information may include package vulnerabilities. Fig. 35, paras. 927-935; system displays vulnerabilities for each update package including severity. Para. 1076; system determines a fix is available for a vulnerability. See also McGee, paras. 41, 55; security vulnerability is fixed in a patch, which is a CVE comparison between versions.)
generate a vulnerability report that contains one or more identified vulnerabilities and impacts of the one or more identified vulnerabilities on the one or more applications as determined from the comparison between the first one or more CVE of the current version of the one or more applications on the client device and the second one or more CVE associated with the one or more applicable updates of the one or more applications. (paras. 335-338; system tracks vulnerabilities and vulnerability score. Fig. 35, paras. 927-935; system displays CVE identifier and CVSS score along with a description of the vulnerabilities for a given program version. The score and description are impacts of the vulnerabilities. Fig. 44, paras. 1048-1085; system displays vulnerabilities and whether fixes are available. See also McGee, paras. 30, 42; system generates reports of vulnerabilities in the product line.)
generate a workflow containing at least one mitigation action based on the vulnerability report; and execute the at least one mitigation action of the workflow on the client device. (paras. 428-431, 438-441, 614-618, 645-650; system may automatically make changes or may inform user and ask user for consent to proceed with configuration changes. paras. 618-625; system recommends action such as upgrading package to new version. Para. 444; changes may be provided through a workflow management system. Para. 1134; manual or automated approval of a configuration change workflow.)
It would have been obvious to one of ordinary skill prior to the effective filing date to combine the system of McGee with the comparison of current to available update versions in order to determine which version is more secure and improve security by using the more secure version.
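As an added illustration of the claimed flow (this is example code written for this page, not code from the application or from McGee or Nickolov): a CPE is built for the current and for the updated version of an application, each CPE is reverse-looked-up in a vulnerability database to obtain its CVEs, the two CVE sets are compared, and the result is turned into a report with a mitigation action. The vulnerability database, the CVSS scores and the CVE identifiers (year 0000) are constructed placeholders.

```python
# Added example; all data below is constructed, CVE IDs are placeholders (year 0000).

def cpe_for(vendor, product, version):
    """Build a CPE 2.3 formatted string for one application version."""
    return f"cpe:2.3:a:{vendor}:{product}:{version}:*:*:*:*:*:*:*"

# Constructed vulnerability database: CPE -> set of CVE IDs affecting that version.
VULN_DB = {
    cpe_for("examplevendor", "exampleapp", "1.0"): {"CVE-0000-0001", "CVE-0000-0002", "CVE-0000-0003"},
    cpe_for("examplevendor", "exampleapp", "1.1"): {"CVE-0000-0003", "CVE-0000-0004"},
}
# Constructed CVSS base scores, used as the "impact" of each vulnerability in the report.
CVSS = {"CVE-0000-0001": 9.8, "CVE-0000-0002": 7.5, "CVE-0000-0003": 5.3, "CVE-0000-0004": 4.3}

def reverse_lookup(db, cpe):
    """Reverse lookup: from a product CPE to the CVEs recorded against it."""
    return set(db.get(cpe, ()))

def compare_cves(current, updated):
    """Split CVEs into those fixed by the update, still remaining, and newly introduced."""
    return {"fixed": current - updated, "remaining": current & updated, "introduced": updated - current}

def risk_level(score):
    """Map a CVSS v3 base score onto its qualitative severity rating."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low" if score > 0 else "none"

def vulnerability_report(vendor, product, current_version, update_version, db=VULN_DB, scores=CVSS):
    """Two CPEs, two reverse lookups, a comparison, then a report with a mitigation action."""
    current = reverse_lookup(db, cpe_for(vendor, product, current_version))
    updated = reverse_lookup(db, cpe_for(vendor, product, update_version))
    diff = compare_cves(current, updated)
    report = {bucket: sorted((cve, scores[cve], risk_level(scores[cve])) for cve in cves)
              for bucket, cves in diff.items()}
    # Mitigation action: recommend the upgrade only if it removes more risk than it adds.
    fixed_risk = sum(scores[c] for c in diff["fixed"])
    added_risk = sum(scores[c] for c in diff["introduced"])
    if fixed_risk > added_risk:
        report["workflow"] = [f"upgrade {product} {current_version} -> {update_version}"]
    else:
        report["workflow"] = ["hold: update does not reduce risk"]
    return report
```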
With respect to Claim 2, modified McGee teaches the system of claim 1, and McGee also teaches wherein the vulnerability report contains a risk level for each identified vulnerability. (paras. 42-43, 49, 58; system reports severity such as trivial, minor, moderate, severe classifications. The system may also derive a security posture score. See also Nickolov, para. 402; CVSS (a vulnerability scoring system).)
With respect to Claim 3, modified McGee teaches the system of claim 1, and Nickolov also teaches further comprising generating a recommendation, wherein the recommendation is one of a recommendation to downgrade the one or more applications on the client device or a recommendation to upgrade the one or more applications on the client device. (Fig. 8, paras. 558-559, 599-600, 610-612; system includes recommendation and conditional updating procedure which monitors and performs updates based on scoring of components, including vulnerability scoring. Fig. 21, paras. 618-625, 810-819; system recommends action such as upgrading package to new version. Paras. 16, 366, 655-665; downgrade recommendations.)
The same motivation to combine as the independent claim applies here.
With respect to Claim 5, modified McGee teaches the system of claim 1, and Nickolov also teaches further comprising providing the workflow in a draft mode for administrator review. (paras. 428-431, 438-441, 614-618, 645-650; system may automatically make changes or may inform user and ask user for consent to proceed with configuration changes. Para. 444; changes may be provided through a workflow management system. Para. 1134; manual or automated approval of a configuration change workflow.)
The same motivation to combine as the independent claim applies here.
With respect to Claim 6, modified McGee teaches the system of claim 5, and Nickolov also teaches wherein the workflow is generated based at least in part on a risk level for the one or more identified vulnerabilities. (para. 402; CVSS (a vulnerability scoring system). Fig. 8, paras. 558-559, 599-600, 610-612; system includes recommendation and conditional updating procedure which monitors and performs updates based on scoring of components, including vulnerability scoring. See also McGee, paras. 42-43, 49, 58; system reports severity such as trivial, minor, moderate, severe classifications. The system may also derive a security posture score.)
The same motivation to combine as the independent claim applies here.
With respect to Claim 7, modified McGee teaches the system of claim 1, and McGee also teaches wherein the device information further comprises at least one or more of: endpoint device data; operating system version; application data; device type; or a software update history. (para. 33; a class of devices like a Samsung Galaxy 6.)
With respect to Claim 8, it is substantially similar to Claim 1 and is rejected in the same manner, the same art and reasoning applying. Further, McGee also teaches a non-transitory computer-readable medium comprising machine-readable instructions that, when executed by a processor of a computing device, cause the computing device to at least: (para. 16; non-transitory medium. para. 27; processor, memory and instructions)
With respect to Claims 9-10, they are substantially similar to Claims 2-3, respectively, and are rejected in the same manner, the same art and reasoning applying.
With respect to Claim 12, it is substantially similar to Claim 5 and is rejected in the same manner, the same art and reasoning applying.
With respect to Claim 15, modified McGee teaches the non-transitory computer-readable medium of claim 8, and McGee also teaches wherein the machine-readable instructions further cause the computing device to provide a risk profile for at least one of an application, operating system, or a firmware on the client device based on the vulnerability report. (para. 33; components and software. para. 42; generation of report indicating severity of vulnerability, which is a risk profile. See also Nickolov, paras. 805-808; risk analysis of making a change. Paras. 314-320; operating system version, software package version, bios or firmware versions. Para. 402; OS, hardware/firmware, application.)
With respect to Claim 16, it is substantially similar to Claim 1 and is rejected in the same manner, the same art and reasoning applying.
With respect to Claims 17-18, they are substantially similar to Claims 2 and 5, respectively, and are rejected in the same manner, the same art and reasoning applying.
With respect to Claim 19, modified McGee teaches the method of claim 18, and Nickolov also teaches further comprising allowing administrators to review and modify the workflow. (paras. 889-890, 1128-1131; user can modify or edit recommended changes)
The same motivation to combine as the independent claim applies here.
With respect to Claim 20, it is substantially similar to Claim 6 and is rejected in the same manner, the same art and reasoning applying.
Remarks
Applicant argues at Remarks, pg. 8 that Nickolov, paras. 558-559, 599-600, 610-612, and 618-625 fail to teach comparing the CVEs.
Applicant admits that the cited sections teach a recommendation to install an updated package. A recommendation to install an update is a comparison between the two versions and a conclusion that the updated package is superior. Further, Examiner notes that Applicant does not dispute the citations for getting the CVE of either the current or the update versions of an application. Applicant outright admits that the comparison previously occurred in a user’s head, see Spec, para. 1. Applicant relies upon the conventional knowledge in the art to enable their comparison feature. See, e.g., Spec-as-published paras. 20-21, 59, 69, 72, merely stating that the comparison is performed and not teaching how to do so. Consequently, the compare limitation would have been obvious merely over the teaching that the CVEs could be acquired and that a user performed the comparison in their head, as there appears to be no technological enablement problem in coding the analysis.
Regardless, Nickolov has extensive disclosures relating to displaying vulnerabilities and update packages and whether the packages will fix any vulnerabilities. Examiner cites some relevant disclosures above with respect to both the compare and the generate a vulnerability report limitations. The combination of teachings with McGee renders the claim features obvious.
The amended claims are taught above. All claims remain rejected.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to NICHOLAS P CELANI whose telephone number is (571)272-1205. The examiner can normally be reached on M-F 9-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Vivek Srivastava can be reached on 571-272-7304. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/NICHOLAS P CELANI/Examiner, Art Unit 2449