DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 11/27/2024 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.
Allowable Subject Matter
Claim(s) 6, 14, 17-20 is/are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claim(s) 1-21 is/are rejected under 35 U.S.C. 101 because the claimed invention is directed to abstract idea without significantly more. The claim(s) recite(s) collecting information (vulnerability database entries, repository text), analyzing information (using a LLM to interpret text) and reporting a result (reporting a component as vulnerable).
The limitations include details that aligns with recognized abstract ideas such as data analysis and classification, information extraction and correlation and mental process implemented on a computer. In addition, merely reciting the use of a large language model does not, by itself, remove the claim from abstraction. AL/ML models are treated as tools used to perform the abstract analysis unless it is tied to a specific technical improvement.
This judicial exception is not integrated into a practical application because the additional elements of the claim(s) include generic computer component, such as “a computer system”, “vulnerability database”, “a large language model”, “a source code repository” and “software components” are used as generic tools to perform the identification and analysis. Although the specification describes technical improvements to software vulnerability identification, the claim(s) do/does not recite the specific technical improvements or mechanism disclosed in the specification. Instead, the claim simply used a LLM to analyze test and report a result. The courts have repeatedly held that automating known manual processes using a generic computer does not constitute a practical application.
The claim(s) do/does not include additional elements that are sufficient to amount to significantly more than the judicial exception because absent of the abstract idea, the remaining elements only include a “large language model” recited functionally, without architectural, training, prompting or inference constraints. No unconventional data structures, processing flows or security mechanism art recited. The method uses conventional sources, such as vulnerability databases and source repositories. Neither the claim nor the specification indicate that these components or operation are unconventional. Rather, they reflect well-understood, routine, and conventional analysis and identification techniques using generic computing components and a large language model. There is no inventive concept that transforms the abstract idea into patent-eligible subject matter.
Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.
Claim(s) 1, 4-5 is/are rejected under 35 U.S.C. 102(a)(2) as being anticipated by CHAN et al. (US 2024/0411666 A1).
Re Claim 1, CHAN teaches a computer-implemented method for identifying vulnerable software from a computer system, comprising:
identifying name of a given software component in a vulnerability database by analyzing text of an entry in the vulnerability database using a large language model, where entries in the vulnerability database have known vulnerabilities; (CHAN; FIG. 1-8; Background, Summary, ¶ [0014]-[0020], [0026]-[0042]; The stated limitation is comparable to the cited embodiment that details the process of identifying source code snippet having a identified type of software vulnerability using a LLM, with a list of known vulnerabilities.)
identifying a patch for the given software component in a source code repository by analyzing text of the entry in the vulnerability database using the large language model; (CHAN; FIG. 1-8; Background, Summary, ¶ [0014]-[0020], [0026]-[0042]; Identifying a repair (identifying a patch) for the software components in source code related system, using a LLM.)
identifying the patch for the given software component in the source code repository by analyzing text in the source code repository using the large language model; and (CHAN; FIG. 1-8; Background, Summary, ¶ [0014]-[0020], [0026]-[0042]; Identifying a repair (identifying a patch) for the software components in source code related system, using a LLM.)
reporting the given software component as being vulnerable in response to identifying the patch for the given software component in the source code repository. (CHAN; FIG. 1-8; Background, Summary, ¶ [0029], [0030]-[0042]; Alerting developers to vulnerabilities associated with the repair (patch) associated with the software component and source code system.)
Re Claim 4, CHAN discloses the method of claim 1 further comprises increasing probability that the given software component is vulnerable in response to identifying the patch for the given software component in the source code repository. (CHAN; FIG. 1; ¶ [0016]-[0020], [0053]-[0055]; Identifying repairs related to the likelihood and probability that the software component is vulnerable.)
Re Claim 5, CHAN discloses the method of claim 1 further comprises patching for the given software component in response to identifying the patch for the given software component in the source code repository. (CHAN; FIG. 1-8; Background, Summary, ¶ [0014]-[0020], [0026]-[0042]; Identifying a repair (identifying a patch) for the software components in source code related system, using a LLM.)
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 2 is/are rejected under 35 U.S.C. 103 as being unpatentable over CHAN et al. (US 2024/0411666 A1) as applied to claim(s) 1, 4-5 above, and further in view of Dang et al. (US 2022/0108020 A1).
Re Claim 2, CHAN discloses the method of claim 1 yet does not explicitly suggest wherein the patch for the given software component is identified by matching the name of the given software component in the vulnerability database to the name of the given software component in the source code repository.
However, in analogous art, Dang teaches wherein the patch for the given software component is identified by matching the name of the given software component in the vulnerability database to the name of the given software component in the source code repository. (Dang; FIG. 7-9; Background, Summary, ¶ [0036], [0046]-[0064]; The cited embodiment(s) detail comparable subject matter such as source code remediation based on matching vulnerabilities in application code to related software for repair.)
It would have been obvious to one of ordinary skill in the art at the time before the effective filing date of the claimed invention (AIA ) to modify CHAN in view of Dang to match software for the reasons of creating a system and method for automating the process of application code vulnerability remediation. (Dang Abstract)
Re Claim 3, CHAN-Dang discloses the method of claim 2 further comprises:
identifying type of vulnerability associated with the given software component by analyzing text in the vulnerability database using the large language model; (CHAN; FIG. 1-8; Background, Summary, ¶ [0014]-[0020], [0026]-[0042]; The stated limitation is comparable to the cited embodiment that details the process of identifying source code snippet having a identified type of software vulnerability using a LLM, with a list of known vulnerabilities.)
identifying type of vulnerability associated with the given software component by analyzing text in the source code repository using the large language model; and (CHAN; FIG. 1-8; Background, Summary, ¶ [0014]-[0020], [0026]-[0042]; Identifying a repair (identifying a patch) for the software components in source code related system, using a LLM.)
reporting the given software component as being vulnerable in response to the name of the given software component in the vulnerability database matching the name of the given software component in the source code repository, and (Dang; FIG. 7-9; Background, Summary, ¶ [0036], [0046]-[0064]; The cited embodiment(s) detail comparable subject matter such as source code remediation based on matching vulnerabilities in application code to related software for repair.)
the type of vulnerability associated with the given software component in the vulnerability database matching the type of vulnerability associated with the given software component in the source code repository. (Dang; FIG. 7-9; Background, Summary, ¶ [0036], [0046]-[0064]; The cited embodiment(s) detail comparable subject matter such as source code remediation based on matching vulnerabilities in application code to related software for repair, which includes determining the type of vulnerability.)
It would have been obvious to one of ordinary skill in the art at the time before the effective filing date of the claimed invention (AIA ) to modify CHAN in view of Dang to match software for the reasons of creating a system and method for automating the process of application code vulnerability remediation. (Dang Abstract)
Claim(s) 7-8 is/are rejected under 35 U.S.C. 103 as being unpatentable over CHAN et al. (US 2024/0411666 A1) as applied to claim(s) 1, 4-5 above, and further in view of Crabtree et al. (US 2022/0060497 A1).
Re Claim 7, CHAN discloses the method of claim 1 yet does not explicitly suggest further comprises: retrieving topology entities from a topology model based on the given software component, where the retrieved topology entities are affected by the vulnerability of the given software component, and the topology model is a graph with nodes in the graph representing topology entities in a distributed computer system and edges of the graph representing relationships between the topology entities; and reporting the retrieved topology entities along with the given software component.
However, in analogous art, Crabtree teaches further comprises:
retrieving topology entities from a topology model based on the given software component, where the retrieved topology entities are affected by the vulnerability of the given software component, and (Crabtree; FIG. 1-7, 23-26, Summary, ¶ [0081]-[0086], [0112]-[0118], [0123]-[0124]; Topologies, topology based models, software components and vulnerabilities affecting software.)
the topology model is a graph with nodes in the graph representing topology entities in a distributed computer system and edges of the graph representing relationships between the topology entities; and (Crabtree; FIG. 1-7, 23-26, Summary, ¶ [0081]-[0083], [0112]-[0118], [0123]-[0131]; Models include graphs with nodes associated with the topology of the computer system and edges of the graph representing relationship between topology related entities.)
reporting the retrieved topology entities along with the given software component. (Crabtree; FIG. 1-7, 23-26, Summary, ¶ [0100]-[0103], [0126]; Reporting topology based data.)
It would have been obvious to one of ordinary skill in the art at the time before the effective filing date of the claimed invention (AIA ) to modify CHAN in view of Crabtree to model topologies of computing systems for the reasons of implementing a cybersecurity analysis system that includes behavioral analysis and network topology information for improved cybersecurity. (Crabtree Abstract)
Re Claim 8, CHAN-Crabtree discloses the method of claim 7 further comprises changing the topology of the computer system in response to reporting topology entities as vulnerable such that the level of risk associated with the vulnerability is reduced by changing the topology. (Crabtree; FIG. 1-19; ¶ [0091]-[0093], [0107]-[0119]; The embodiment(s) detail the changing of the level of risk associated with the vulnerability.)
It would have been obvious to one of ordinary skill in the art at the time before the effective filing date of the claimed invention (AIA ) to modify CHAN in view of Crabtree to model topologies of computing systems for the reasons of implementing a cybersecurity analysis system that includes behavioral analysis and network topology information for improved cybersecurity. (Crabtree Abstract)
Claim(s) 9-13, 21 is/are rejected under 35 U.S.C. 103 as being unpatentable over CHAN et al. (US 2024/0411666 A1) and further in view of Dang et al. (US 2022/0108020 A1).
Re Claim 9 & 21, CHAN teaches a computer-implemented method for identifying vulnerable software from a computer system, comprising:
identifying name of a given software component in a vulnerability database by analyzing text of an entry in the vulnerability database using a large language model, where entries in the vulnerability database have known vulnerabilities; (CHAN; FIG. 1-8; Background, Summary, ¶ [0014]-[0020], [0026]-[0042]; The stated limitation is comparable to the cited embodiment that details the process of identifying source code snippet having a identified type of software vulnerability using a LLM, with a list of known vulnerabilities.)
extracting a link to a patch for the given software component in a source code repository by analyzing text of the entry in the vulnerability database using the large language model; (CHAN; FIG. 1-8; Background, Summary, ¶ [0014]-[0020], [0026]-[0042]; Identifying a repair (identifying a patch) for the software components in source code related system, using a LLM.)
identifying name of the given software component in the source code repository by analyzing text of the patch in the source code repository using the large language model; (CHAN; FIG. 1-8; Background, Summary, ¶ [0014]-[0020], [0026]-[0042]; Identifying a repair (identifying a patch) for the software components in source code related system, using a LLM.)
CHAN does not explicitly suggest comparing name of the given software component in the vulnerability database to the name of the given software component in the source code repository; and reporting the given software component as being vulnerable in response to the name of the given software component in the vulnerability database matching the name of the given software component in the source code repository
However, in analogous art, Dang teaches comparing name of the given software component in the vulnerability database to the name of the given software component in the source code repository; and (Dang; FIG. 7-9; Background, Summary, ¶ [0036], [0046]-[0064]; The cited embodiment(s) detail comparable subject matter such as source code remediation based on matching vulnerabilities in application code to related software for repair.)
reporting the given software component as being vulnerable in response to the name of the given software component in the vulnerability database matching the name of the given software component in the source code repository. (Dang; FIG. 7-9; Background, Summary, ¶ [0036], [0046]-[0064]; The cited embodiment(s) detail comparable subject matter such as source code remediation based on matching vulnerabilities in application code to related software for repair.)
It would have been obvious to one of ordinary skill in the art at the time before the effective filing date of the claimed invention (AIA ) to modify CHAN in view of Dang to match software for the reasons of creating a system and method for automating the process of application code vulnerability remediation. (Dang Abstract)
Re Claim 10, CHAN-Dang discloses the method of claim 9 further comprises linking to the patch for the given software component in the source code repository using the link for the patch extracted from the entry in the vulnerability database. (Dang; FIG. 7-9; Background, Summary, ¶ [0036], [0046]-[0064]; The cited embodiment(s) detail comparable subject matter such as source code remediation based on matching vulnerabilities in application code to related software for repair.)
It would have been obvious to one of ordinary skill in the art at the time before the effective filing date of the claimed invention (AIA ) to modify CHAN in view of Dang to match software for the reasons of creating a system and method for automating the process of application code vulnerability remediation. (Dang Abstract)
Re Claim 11, CHAN-Dang discloses the method of claim 9 further comprises:
identifying type of vulnerability associated with the given software component by analyzing text of the entry in the vulnerability database using the large language model; (CHAN; FIG. 1-8; Background, Summary, ¶ [0014]-[0020], [0026]-[0042]; The stated limitation is comparable to the cited embodiment that details the process of identifying source code snippet having a identified type of software vulnerability using a LLM, with a list of known vulnerabilities.)
identifying type of vulnerability associated with the given software component by analyzing source code for the given software component in the source code repository using the large language model, where the source code does not include the patch for the given software component; and (CHAN; FIG. 1-8; Background, Summary, ¶ [0014]-[0020], [0026]-[0042]; The stated limitation is comparable to the cited embodiment that details the process of identifying source code snippet having a identified type of software vulnerability using a LLM, with a list of known vulnerabilities.)
reporting the given software component as being vulnerable in response to the name of the given software component in the vulnerability database matching the name of the given software component in the source code repository, and (Dang; FIG. 7-9; Background, Summary, ¶ [0036], [0046]-[0064]; The cited embodiment(s) detail comparable subject matter such as source code remediation based on matching vulnerabilities in application code to related software for repair.)
the type of vulnerability associated with the given software component in the vulnerability database matching the type of vulnerability associated with the given software component in the source code repository. (Dang; FIG. 7-9; Background, Summary, ¶ [0036], [0046]-[0064]; The cited embodiment(s) detail comparable subject matter such as source code remediation based on matching vulnerabilities in application code to related software for repair, which includes determining the type of vulnerability.)
It would have been obvious to one of ordinary skill in the art at the time before the effective filing date of the claimed invention (AIA ) to modify CHAN in view of Dang to match software for the reasons of creating a system and method for automating the process of application code vulnerability remediation. (Dang Abstract)
Re Claim 12, CHAN-Dang discloses the method of claim 9 further comprises increasing probability that the given software component is vulnerable in response to in response to the name of the given software component in the vulnerability database matching the name of the given software component in the source code repository. (CHAN; FIG. 1; ¶ [0016]-[0020], [0053]-[0055]; Identifying repairs related to the likelihood and probability that the software component is vulnerable.)
Re Claim 13, CHAN-Dang discloses the method of claim 9 further comprises patching for the given software component in response to in response to the name of the given software component in the vulnerability database matching the name of the given software component in the source code repository. (Dang; FIG. 7-9; Background, Summary, ¶ [0036], [0046]-[0064]; The cited embodiment(s) detail comparable subject matter such as source code remediation based on matching vulnerabilities in application code to related software for repair.)
It would have been obvious to one of ordinary skill in the art at the time before the effective filing date of the claimed invention (AIA ) to modify CHAN in view of Dang to match software for the reasons of creating a system and method for automating the process of application code vulnerability remediation. (Dang Abstract)
Claim(s) 15-16 is/are rejected under 35 U.S.C. 103 as being unpatentable over CHAN et al. (US 2024/0411666 A1), in view of Dang et al. (US 2022/0108020 A1) and further in view of Crabtree et al. (US 2022/0060497 A1).
Re Claim 13, CHAN-Dang discloses the method of claim 9 yet does not explicitly suggest further comprises: retrieving topology entities from a topology model based on the given software component, where the retrieved topology entities are affected by the vulnerability of the given software component, and the topology model is a graph with nodes in the graph representing topology entities in a distributed computer system and edges of the graph representing relationships between the topology entities; and reporting the retrieved topology entities along with the given software component.
However, in analogous art, Crabtree teaches further comprises:
retrieving topology entities from a topology model based on the given software component, where the retrieved topology entities are affected by the vulnerability of the given software component, and (Crabtree; FIG. 1-7, 23-26, Summary, ¶ [0081]-[0086], [0112]-[0118], [0123]-[0124]; Topologies, topology based models, software components and vulnerabilities affecting software.)
the topology model is a graph with nodes in the graph representing topology entities in a distributed computer system and edges of the graph representing relationships between the topology entities; and (Crabtree; FIG. 1-7, 23-26, Summary, ¶ [0081]-[0083], [0112]-[0118], [0123]-[0131]; Models include graphs with nodes associated with the topology of the computer system and edges of the graph representing relationship between topology related entities.)
reporting the retrieved topology entities along with the given software component. (Crabtree; FIG. 1-7, 23-26, Summary, ¶ [0100]-[0103], [0126]; Reporting topology based data.)
It would have been obvious to one of ordinary skill in the art at the time before the effective filing date of the claimed invention (AIA ) to modify CHAN-Dang in view of Crabtree to model topologies of computing systems for the reasons of implementing a cybersecurity analysis system that includes behavioral analysis and network topology information for improved cybersecurity. (Crabtree Abstract)
Re Claim 16, Chang-Dang-Crabtree discloses the method of claim 15 further comprises changing the topology of the computer system in response to reporting topology entities as vulnerable such that the level of risk associated with the vulnerability is reduced by changing the topology. (Crabtree; FIG. 1-19; ¶ [0091]-[0093], [0107]-[0119]; The embodiment(s) detail the changing of the level of risk associated with the vulnerability.)
It would have been obvious to one of ordinary skill in the art at the time before the effective filing date of the claimed invention (AIA ) to modify CHAN-Dang in view of Crabtree to model topologies of computing systems for the reasons of implementing a cybersecurity analysis system that includes behavioral analysis and network topology information for improved cybersecurity. (Crabtree Abstract)
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHRISTOPHER B ROBINSON whose telephone number is (571)270-0702. The examiner can normally be reached M-F 7:00-3:00 EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Nicholas R Taylor can be reached at 571-272-3889. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/CHRISTOPHER B ROBINSON/Primary Examiner, Art Unit 2443