Prosecution Insights
Last updated: July 17, 2026
Application No. 18/647,604

SYSTEM AND METHOD FOR SCORING AND RANKING COMMON WEAKNESSES MAPPED TO VULNERABILITIES FOUND IN NETWORKED AND/OR DISTRIBUTED SYSTEMS

Non-Final OA §103
Filed
Apr 26, 2024
Priority
May 24, 2023 — provisional 63/504,090
Examiner
BROWN, CHRISTOPHER J
Art Unit
2439
Tech Center
2400 — Computer Networks
Assignee
George Mason University
OA Round
2 (Non-Final)
75%
Grant Probability
Favorable
2-3
OA Rounds
1y 2m
Est. Remaining
88%
With Interview

Examiner Intelligence

Grants 75% — above average
75%
Career Allowance Rate
536 granted / 711 resolved
+17.4% vs TC avg
Moderate +13% lift
Without
With
+13.0%
Interview Lift
resolved cases with interview
Typical timeline
3y 5m
Avg Prosecution
34 currently pending
Career history
753
Total Applications
across all art units

Statute-Specific Performance

§101
0.5%
-39.5% vs TC avg
§103
92.8%
+52.8% vs TC avg
§102
3.5%
-36.5% vs TC avg
§112
1.3%
-38.7% vs TC avg
Black line = Tech Center average estimate • Based on career data from 711 resolved cases

Office Action

§103
Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Response to Arguments Applicant’s arguments, have been fully considered and are persuasive. The previous rejection has been withdrawn. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claim(s) 1-5, 8, 11, 13-17, 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Albanese US 2022/0407891 in view of Srinivasan US 11,516,222 in view of Patel US 2018/0351987 As per claim 1, Albanese teaches A method of performing prioritized remediation of security weaknesses in a distributed system, comprising: obtaining cyber security data including at least vulnerability data and intrusion detection system (IDS) rules; Albanese teaches determining a standard security weakness ranking based on the cyber security data; Albanese teaches customizing metrics for calculating a likelihood of exploitation of each vulnerability and an exposure factor associated with exploitation of each vulnerability based on a user input including at least one variable for use in the calculation, the at least one variable influencing the likelihood of exploitation or the exposure factor and capturing a specific applicative domain of each vulnerability, priorities of the distributed system, and/or types of potential attackers; [0069]-[0072] (exploitability based on ids rules, CVSS, time) [0073]-[0075] (teaches score is determined by vulnerability data and IDS rules) (exploitability based on ids rules, CVSS, time; exposure, impact CWE CVE) [0073]-[0075] [0100][0101] Srinivasan teaches A method of performing prioritized remediation of security weaknesses in a distributed system, comprising: obtaining cyber security data including at least vulnerability data and intrusion detection system (IDS) rules; (Column 4 line 61- Column 5 line 8) (Column 15 line 40 to Column 16 line 62) (teaches obtaining vulnerability rules from a plurality of sources including network activity monitor and vulnerability service) Srinivasan teaches calculating the customized metrics; outputting a customized ranking of the one or more vulnerabilities based on the calculated customized metrics; (Column 14 lines 45- Column 15 line 40) (Column 19 line 64- Column 21 line 64) (teaches customizable metrics per customer calculating rankings based on vulnerability scores, including an amalgamation of vulnerability scores including likelihood of exploitation, exposure factor, and priorities of the system) It would have been obvious to one of ordinary skill in the art before the effective filing date of the current application to use the teaching of Srinivasan with the prior art because it increases security. Srinivasan does not teach, but Patel teaches determining that one or more vulnerabilities exist in one or more system components of the distributed system based on the standard security weakness ranking; [0088][0091] (show vulnerability detection) Patel teaches performing a prioritized remediation of a target vulnerability selected by the user from the one or more vulnerabilities based on the customized ranking and specific needs and resources of the distributed system. [0088][0097]-[0099][0105][0114]-[0120][0148] (teaches remediation based on cyber security scoring factors and prioritizing a remediation which may be selected by a user to be applied on a GUI) It would have been obvious to one of ordinary skill in the art to use the teaching of Patel with the prior art because it improves the security of the system in an efficient, effective manner. As per claim 2, Albanese and Patel teach the method of claim 1. Albanese further teaches wherein the at least one variable belongs to a first set X of variables that contribute to increasing the likelihood of exploitation as the value of the first set increases, a second set Xl that contribute to decreasing the likelihood of exploitation as the value of the second set increases, a third set Xe that contribute to increasing the exposure factor as the value of the third set increases, and a fourth set Xe that contribute to decreasing the exposure factor as the value of the fourth set increases. [0069]-[0072] (likelihood of exploitation and exposure with time value) As per claim 3, Albanese and Patel teach the method of claim 2. Albanese further teaches wherein the first set, the second set, the third set and the fourth set of variables are defined, respectively, as follows: X={XEX1I(V1i2EV)((X(vi)5 X(v2)A((VX'EX\{X})(X(V1) = PNG media_image1.png 10 27 media_image1.png Greyscale -p(vi) PNG media_image2.png 3 3 media_image2.png Greyscale p(v2))};X={XEX1I(V1i2EV)((X(vi) PNG media_image2.png 3 3 media_image2.png Greyscale X(v2)A((VX'EX\{X})(X(V1) = PNG media_image3.png 10 27 media_image3.png Greyscale -31p(vi)>p(v2))};Xe={XEXe| PNG media_image4.png 6 2 media_image4.png Greyscale (Viv2EV)((X(vi) PNG media_image2.png 3 3 media_image2.png Greyscale X(v2)A((VX'EX\{X})(X(v1) =X(v2 PNG media_image5.png 10 17 media_image5.png Greyscale ef(v) PNG media_image2.png 3 3 media_image2.png Greyscale ef(vV2))}; and Xe={XEXe| PNG media_image4.png 6 2 media_image4.png Greyscale (Voiv2EV)((X(vi) PNG media_image2.png 3 3 media_image2.png Greyscale X(v2)A((VX'EX\{X})(X(v1) =X(v2 PNG media_image6.png 10 17 media_image6.png Greyscale ef(v);ef(v2))};where X is a variable, V is a set of all know vulnerabilities and v is a known vulnerability, p (v) is the likelihood of exploitation of the vulnerability v and ef(v) is the exposure factor of the vulnerability [0013]-[0020] teaches the sets of variables, vulnerabilities, likelihood of exploitation, exposure factor) As per claim 4, Albanese and Patel teach the method of claim 3. Albanese further teaches wherein the likelihood p(v) of exploitation of each vulnerability is defined as a function p: V -> [0,1] as follows: PNG media_image7.png 15 105 media_image7.png Greyscale and the exposure factor ef (v) associated with exploitation of each vulnerability is defined as a function ef : V -> [0,1] as follows: PNG media_image8.png 13 40 media_image8.png Greyscale HII(1-e-axfx(x(v) ef (v)=XEX(1- where X is the variable, ax is a tunable parameter, X(v ) is the value of X for v , and fx is a monotonically increasing function used to convert values of X to scalar values, i.e., x 1 < x 2 => fx (X1 ) <- fx (X2 ). [0069]-[0072] (exploitability based on ids rules, CVSS, time) [0069]-[0072] (exploitability based on ids rules, CVSS, time) [0073]-[0075] (teaches score is determined by vulnerability data and IDS rules) [0083]-[0091] (exposure) As per claim 5, Albanese and Srinivasan teach the method of claim 5. Albanese teaches wherein variables in the first set X7 comprise at least an exploitability score of a vulnerability as captured by CVSS, time lapsed since publication of details about the vulnerability and a set of known vulnerability exploitations, wherein variables in the second set Xl comprise at least a set of known IDS rules associated with a vulnerability and a set of vulnerability scanning plugins, wherein variables in the third set Xe comprise at least an impact score of a vulnerability as captured by Common Vulnerability Scoring System (CVSS), and wherein variables in the fourth set Xe comprise a set of deployed IDS rules associated with a vulnerability. [0069]-[0072] (exploitability based on ids rules, CVSS, time) [0073]-[0075] Srinivasan further teaches wherein variables in the first set X7 comprise at least an exploitability score of a vulnerability as captured by CVSS, time lapsed since publication of details about the vulnerability and a set of known vulnerability exploitations, wherein variables in the second set Xl comprise at least a set of known IDS rules associated with a vulnerability and a set of vulnerability scanning plugins, wherein variables in the third set Xe comprise at least an impact score of a vulnerability as captured by Common Vulnerability Scoring System (CVSS), and wherein variables in the fourth set Xe comprise a set of deployed IDS rules associated with a vulnerability. (Column 7 lines 1-16) (Column 13 lines 45-55) (Column 15 lines 23-40) (teaches CVSS and subscores including temporal subscores) As per claim 8, Albanese and Patel teach the method of claim 8. Albanese further teaches adding one or more new variables to at least one of the first set XI, the second set Xt, the third set Xe or the fourth set Xe based on a user selection in accordance with the priorities of the distributed system. [0045][0078] (metrics calculated based on tunable parameters selected by the user) As per claim 11, Albanese and Patel teach the method of claim 11. Patel further teaches wherein the performing a prioritized remediation of a target vulnerability comprises: prioritizing remediation of the one or more vulnerabilities based on the resources available for remediation and current needs of the distributed system; and determining the target vulnerability that poses a greatest risk to the distributed system. [0088][0097]-[0099][0105][0114]-[0120][0148] (teaches remediation based on cyber security scoring factors and prioritizing a remediation based on rank) The motivation is the same that of claim 1 above. As per claim 13, Albanese teaches A method of performing prioritized remediation of security weaknesses in a distributed system, comprising: obtaining cyber security data including at least vulnerability data and intrusion detection system (IDS) rules; Albanese teaches determining a standard security weakness ranking based on the cyber security data; Albanese teaches customizing metrics for calculating a likelihood of exploitation of each vulnerability and an exposure factor associated with exploitation of each vulnerability based on a user input including at least one variable for use in the calculation, the at least one variable influencing the likelihood of exploitation or the exposure factor and capturing a specific applicative domain of each vulnerability, priorities of the distributed system, and/or types of potential attackers; [0069]-[0072] (exploitability based on ids rules, CVSS, time) [0073]-[0075] (teaches score is determined by vulnerability data and IDS rules) (exploitability based on ids rules, CVSS, time; exposure, impact CWE CVE) [0073]-[0075] [0100][0101] Srinivasan teaches A method of performing prioritized remediation of security weaknesses in a distributed system, comprising: obtaining cyber security data including at least vulnerability data and intrusion detection system (IDS) rules; (Column 4 line 61- Column 5 line 8) (Column 15 line 40 to Column 16 line 62) (teaches obtaining vulnerability rules from a plurality of sources including network activity monitor and vulnerability service) Srinivasan teaches calculating the customized metrics; outputting a customized ranking of the one or more vulnerabilities based on the calculated customized metrics; (Column 14 lines 45- Column 15 line 40) (Column 19 line 64- Column 21 line 64) (teaches customizable metrics per customer calculating rankings based on vulnerability scores, including an amalgamation of vulnerability scores including likelihood of exploitation, exposure factor, and priorities of the system) It would have been obvious to one of ordinary skill in the art before the effective filing date of the current application to use the teaching of Srinivasan with the prior art because it increases security. Albanese does not teach, but Patel teaches a target security risk remediation device structured to perform a prioritized remediation of a target vulnerability selected by a user from the one or more vulnerabilities based on the customized ranking and specific needs and resources of the distributed system; and a user interface coupled to the customized security risk remediator and structured to receive the user input and output security weakness rankings including the customized rankings periodically or on demand. [0066][0088][0097]-[0099][0105][0114]-[0120][0148] (teaches remediation based on cyber security scoring factors, including user customization, periodic evaluation, and prioritizing a remediation which may be selected by a user to be applied on a GUI) It would have been obvious to one of ordinary skill in the art to use the teaching of Patel with the prior art because it improves the security of the system in an efficient, effective manner. As per claim 14, Albanese and Patel teach the system of claim 13, Albanese further teaches wherein the at least one variable belongs to a first set X of variables that contribute to increasing the likelihood of exploitation as the value of the first set increases, a second set Xl that contribute to decreasing the likelihood of exploitation as the value of the second set increases, a third set Xe that contribute to increasing the exposure factoras the value of the third set increases, and a fourth set XI that contribute to decreasing the exposure factor as the value of the fourth set increases. [0069]-[0072] (likelihood of exploitation and exposure with time value) As per claim 15, Albanese and Patel teach the system of claim 14, Albanese further teaches wherein the first set, the second set, the third set and the fourth set of variables are defined, respectively, as follows: X={XEXI PNG media_image9.png 6 9 media_image9.png Greyscale 2EV)((X(vi) PNG media_image2.png 3 3 media_image2.png Greyscale X(v2)A((VX'E X\{X})(X(V1) =X(v2))))p(vi) PNG media_image2.png 3 3 media_image2.png Greyscale p(v2))}; PNG media_image10.png 3 6 media_image10.png Greyscale X={XEX1|(VI12EV)((X(vi) PNG media_image2.png 3 3 media_image2.png Greyscale X(v2)A((VX'E X\{X})(X(V1) =X(v2))))p(vi)>p(v2))}; PNG media_image10.png 3 6 media_image10.png Greyscale Xe={XEXe| PNG media_image4.png 6 2 media_image4.png Greyscale (Viv2EV)((X(vi) PNG media_image2.png 3 3 media_image2.png Greyscale X(v2)A((VX'E X\{X})(X(v1) =X(v2 PNG media_image5.png 10 17 media_image5.png Greyscale ef(v)< ef(2))}; and Xe={XEXe| PNG media_image4.png 6 2 media_image4.png Greyscale (Voiv2EV)((X(vi) PNG media_image2.png 3 3 media_image2.png Greyscale X(v2)A((VX'E X\{X})(X(v1) =X(v2 PNG media_image6.png 10 17 media_image6.png Greyscale ef(v);ef(v2))};where X is a variable, V is a set of all know vulnerabilities and v is a known vulnerability, p(v) is the likelihood of exploitation of the vulnerability v and ef(v) is the exposure factor of the vulnerability v. [0013]-[0020] teaches the sets of variables, vulnerabilities, likelihood of exploitation, exposure factor) As per claim 16, Albanese and Patel teach the system of claim 14, Albanese further teaches wherein the likelihood p(v) of exploitation of each vulnerability is defined as a function p: V -> [0,1] as follows: PNG media_image11.png 15 105 media_image11.png Greyscale and the exposure factor ef (v) associated with exploitation of each vulnerability is defined as a function ef : V -> [0,1] as follows: PNG media_image12.png 13 25 media_image12.png Greyscale H( (1 - e-axfx((v)ef (v) =.,,ty,'f3)) where X is the variable, ax is a tunable parameter, X(v ) is the value of X for v , and fx is a monotonically increasing function used to convert values of X to scalar values, i.e., x 1 < x 2 => fx (X1 ) <- fx (X2 ). (Exploitation and Exposure metric calculation formulas) [0069]-[0072] (exploitability based on ids rules, CVSS, time) [0073]-[0075] (teaches score is determined by vulnerability data and IDS rules) [0083]-[0091] (exposure As per claim 17, Albanese and Patel teach the system of claim 14, Albanese teaches wherein variables in the first set X7 comprise at least an exploitability score of a vulnerability as captured by CVSS, time lapsed since publication of details about the vulnerability and a set of known vulnerability exploitations, wherein variables in the second set Xl comprise at least a set of known IDS rules associated with a vulnerability and a set of vulnerability scanning plugins, wherein variables in the third set Xe comprise at least an impact score of a vulnerability as captured by Common Vulnerability Scoring System (CVSS), and wherein variables in the fourth set Xe comprise a set of deployed IDS rules associated with a vulnerability. [0069]-[0072] (exploitability based on ids rules, CVSS, time) [0073]-[0075] Srinivasan further teaches wherein variables in the first set X7 comprise at least an exploitability score of a vulnerability as captured by CVSS, time lapsed since publication of details about the vulnerability and a set of known vulnerability exploitations, wherein variables in the second set Xl comprise at least a set of known IDS rules associated with a vulnerability and a set of vulnerability scanning plugins, wherein variables in the third set Xe comprise at least an impact score of a vulnerability as captured by Common Vulnerability Scoring System (CVSS), and wherein variables in the fourth set Xe comprise a set of deployed IDS rules associated with a vulnerability. (Column 7 lines 1-16) (Column 13 lines 45-55) (Column 15 lines 23-40) (teaches CVSS and subscores including temporal subscores) As per claim 20, Albanese, Srinivasan and Patel teach the system of claim 13, Patel further teaches wherein the prioritized remediation of a target vulnerability is based at least in part on a prioritization of remediations of the one or more vulnerabilities based on the resources available for remediation and current needs of the distributed system and a determination that the target vulnerability that poses a greatest risk to the distributed system. [0088][0097]-[0099][0105][0114]-[0120][0148] (teaches remediation based on cyber security scoring factors and prioritizing a remediation based on rank). The motivation is the same that of claim 13 above. Claim(s) 6, 7, and 19 is/are rejected under 35 U.S.C. 103 as being unpatentable over over Albanese US 2022/0407891 in view of Srinivasan US 11,516,222 in view of Patel US 2018/0351987 in view of Alsharif US 2021/0037038 As per claim 6, Albanese, Srinivasan and Patel teach the method of claim 2, Srinivasan and Patel do not teach, but Alsharif teaches wherein the at least one variable comprises a plurality variables and each of the first set X , the second set Xt, the third set X, or the fourth set Xe includes at least one of the plurality of variables, and wherein the method further comprises: providing a quality score of each customized rank; and determining the target vulnerability based at least in part on the quality score. [0011][0012][0087][0088][0101] (teaches incorporating a score based on number of occurrences per different computer environment/variable and incorporating this score into the total ranking of vulnerability scores) It would have been obvious to one of ordinary skill in the art to use the teaching of Alsharif with the prior art because it ranks and prioritizes vulnerabilities and the corresponding remediation more accurately. As per claim 7, Albanese, Srinivasan, Patel and Alsharif teach the method of claim 6, Alsharif further teaches wherein the quality score improves based on an increase in a number of the plurality of variables used in the calculation of the customized metrics. [0011][0012][0087][0088][0101] (teaches incorporating a score based on number of occurrences per different computer environment/variable and incorporating this score into the total ranking of vulnerability scores). The motivation is the same that of claim 6 above. As per claim 19, Albanese Srinivasan and Patel teach the system of claim 13, Albanese further teaches wherein the data ingestion device is further structured to generate and/or ingest vulnerability scanning reports, and the metrics further comprises a common weaknesses score as defined as S(CWEi)=LVEC(CWEg)11(V)Ip(v)-ef(v), where v is a vulnerability, I(v) is a set of instances of the vulnerability v within the system, CWEi is a Common Weakness Enumeration weakness, C(CWEi) is a set of common vulnerabilities and explores (CVEs) mapped to CWEi, p(v) is the likelihood of exploitation of the vulnerability v and ef(v) is the exposure factor of the vulnerability v. [0069]-[0072] (exploitability based on ids rules, CVSS, time; CWE CVE) [0073]-[0075] [0100][0101] Alsharif teaches a set of instances of vulnerability within a system[0011][0093][0100] (teaches incorporating a score based on number of occurrences per different computer environment/variable and incorporating this score into the total ranking of vulnerability scores) The motivation is the same that of claim 6 above. Claim(s) 12 is/are rejected under 35 U.S.C. 103 as being unpatentable over over Albanese US 2022/0407891 in view of Srinivasan US 11,516,222 in view of Patel US 2018/0351987 in view of Crabtree US 2022/0263852 As per claim 12, Albanese, Srinivasan and Patel teach the method of claim 1, Srinivasan and Patel do not teach, but Crabtree teaches wherein the types of potential attackers comprises attackers who are aware of only the CVSS scores, attackers who have access to a system component associated with the one or more vulnerabilities, and attackers who can perform reconnaissance on the distributed system and discover unpatched vulnerabilities. [0020][0022][0072] (teaches potential attacker analysis and security vulnerability analysis including reconnaissance and patch level of vulnerabilities) It would have been obvious to one of ordinary skill in the art at the time the invention was filed to use the teaching of Crabtree with the prior art because it incorporates more variables to improve the remediation method. Claim(s) 18 is/are rejected under 35 U.S.C. 103 as being unpatentable over over Albanese US 2022/0407891 in view of Srinivasan US 11,516,222 in view of Patel US 2018/0351987 in view of Klein US 2017/0339180 As per claim 18, Albanese, Srinivasan and Patel teach the system of claim 13, Srinivasan and Patel do not teach, but Klein teaches plugins structured to interface with an individual virtual scanner; and Application Programming Interfaces structured to interface with third party applications. [0040][0045][0048] (teaches use of plugins with scanner appliance and interfacing with third party applications) It would have been obvious to one of ordinary skill in the art at the time the invention was filed to use the teaching of Klein with the prior art because it provides for broader compatibility. Allowable Subject Matter Claims 9 and 10 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims. Conclusion Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHRISTOPHER BROWN whose telephone number is (571)272-3833. The examiner can normally be reached M-F 8-5. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached at (571) 270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /CHRISTOPHER J BROWN/Primary Examiner, Art Unit 2439
Read full office action

Prosecution Timeline

Apr 26, 2024
Application Filed
Dec 17, 2025
Non-Final Rejection mailed — §103
Mar 09, 2026
Response Filed
Jun 03, 2026
Non-Final Rejection mailed — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12652290
CYBER SECURITY FOR SOFTWARE-AS-A-SERVICE FACTORING RISK
5y 3m to grant Granted Jun 09, 2026
Patent 12652315
REMOTE MONITORING OF A SECURITY OPERATIONS CENTER (SOC)
3y 8m to grant Granted Jun 09, 2026
Patent 12641111
Automated Security Analysis of Software Libraries
2y 5m to grant Granted May 26, 2026
Patent 12621339
SYSTEM AND METHOD FOR PROVIDING SECURITY POSTURE MANAGEMENT FOR AI APPLICATIONS
2y 5m to grant Granted May 05, 2026
Patent 12615280
DETECTING POLYMORPHIC BOTNETS USING AN IMAGE RECOGNITION PLATFORM
2y 9m to grant Granted Apr 28, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

2-3
Expected OA Rounds
75%
Grant Probability
88%
With Interview (+13.0%)
3y 5m (~1y 2m remaining)
Median Time to Grant
Moderate
PTA Risk
Based on 711 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month