Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Arguments
Applicant’s arguments, have been fully considered and are persuasive. The previous rejection has been withdrawn.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1-5, 8, 11, 13-17, 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Albanese US 2022/0407891 in view of Srinivasan US 11,516,222 in view of Patel US 2018/0351987
As per claim 1, Albanese teaches A method of performing prioritized remediation of security weaknesses in a distributed system, comprising: obtaining cyber security data including at least vulnerability data and intrusion detection system (IDS) rules; Albanese teaches determining a standard security weakness ranking based on the cyber security data;
Albanese teaches customizing metrics for calculating a likelihood of exploitation of each vulnerability and an exposure factor associated with exploitation of each vulnerability based on a user input including at least one variable for use in the calculation, the at least one variable influencing the likelihood of exploitation or the exposure factor and capturing a specific applicative domain of each vulnerability, priorities of the distributed system, and/or types of potential attackers; [0069]-[0072] (exploitability based on ids rules, CVSS, time) [0073]-[0075] (teaches score is determined by vulnerability data and IDS rules) (exploitability based on ids rules, CVSS, time; exposure, impact CWE CVE) [0073]-[0075] [0100][0101]
Srinivasan teaches A method of performing prioritized remediation of security weaknesses in a distributed system, comprising: obtaining cyber security data including at least vulnerability data and intrusion detection system (IDS) rules; (Column 4 line 61- Column 5 line 8) (Column 15 line 40 to Column 16 line 62) (teaches obtaining vulnerability rules from a plurality of sources including network activity monitor and vulnerability service)
Srinivasan teaches calculating the customized metrics; outputting a customized ranking of the one or more vulnerabilities based on the calculated customized metrics;
(Column 14 lines 45- Column 15 line 40) (Column 19 line 64- Column 21 line 64) (teaches customizable metrics per customer calculating rankings based on vulnerability scores, including an amalgamation of vulnerability scores including likelihood of exploitation, exposure factor, and priorities of the system)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the current application to use the teaching of Srinivasan with the prior art because it increases security.
Srinivasan does not teach, but Patel teaches determining that one or more vulnerabilities exist in one or more system components of the distributed system based on the standard security weakness ranking; [0088][0091] (show vulnerability detection)
Patel teaches performing a prioritized remediation of a target vulnerability selected by the user from the one or more vulnerabilities based on the customized ranking and specific needs and resources of the distributed system. [0088][0097]-[0099][0105][0114]-[0120][0148] (teaches remediation based on cyber security scoring factors and prioritizing a remediation which may be selected by a user to be applied on a GUI)
It would have been obvious to one of ordinary skill in the art to use the teaching of Patel with the prior art because it improves the security of the system in an efficient, effective manner.
As per claim 2, Albanese and Patel teach the method of claim 1.
Albanese further teaches wherein the at least one variable belongs to a first set X of variables that contribute to increasing the likelihood of exploitation as the value of the first set increases, a second set Xl that contribute to decreasing the likelihood of exploitation as the value of the second set increases, a third set Xe that contribute to increasing the exposure factor as the value of the third set increases, and a fourth set Xe that contribute to decreasing the exposure factor as the value of the fourth set increases. [0069]-[0072] (likelihood of exploitation and exposure with time value)
As per claim 3, Albanese and Patel teach the method of claim 2.
Albanese further teaches wherein the first set, the second set, the third set and the fourth set of variables are defined, respectively, as follows: X={XEX1I(V1i2EV)((X(vi)5 X(v2)A((VX'EX\{X})(X(V1) =
PNG
media_image1.png
10
27
media_image1.png
Greyscale
-p(vi)
PNG
media_image2.png
3
3
media_image2.png
Greyscale
p(v2))};X={XEX1I(V1i2EV)((X(vi)
PNG
media_image2.png
3
3
media_image2.png
Greyscale
X(v2)A((VX'EX\{X})(X(V1) =
PNG
media_image3.png
10
27
media_image3.png
Greyscale
-31p(vi)>p(v2))};Xe={XEXe|
PNG
media_image4.png
6
2
media_image4.png
Greyscale
(Viv2EV)((X(vi)
PNG
media_image2.png
3
3
media_image2.png
Greyscale
X(v2)A((VX'EX\{X})(X(v1) =X(v2
PNG
media_image5.png
10
17
media_image5.png
Greyscale
ef(v)
PNG
media_image2.png
3
3
media_image2.png
Greyscale
ef(vV2))}; and Xe={XEXe|
PNG
media_image4.png
6
2
media_image4.png
Greyscale
(Voiv2EV)((X(vi)
PNG
media_image2.png
3
3
media_image2.png
Greyscale
X(v2)A((VX'EX\{X})(X(v1) =X(v2
PNG
media_image6.png
10
17
media_image6.png
Greyscale
ef(v);ef(v2))};where X is a variable, V is a set of all know vulnerabilities and v is a known vulnerability, p (v) is the likelihood of exploitation of the vulnerability v and ef(v) is the exposure factor of the vulnerability [0013]-[0020] teaches the sets of variables, vulnerabilities, likelihood of exploitation, exposure factor)
As per claim 4, Albanese and Patel teach the method of claim 3.
Albanese further teaches wherein the likelihood p(v) of exploitation of each vulnerability is defined as a function p: V -> [0,1] as follows:
PNG
media_image7.png
15
105
media_image7.png
Greyscale
and the exposure factor ef (v) associated with exploitation of each vulnerability is defined as a function ef : V -> [0,1] as follows:
PNG
media_image8.png
13
40
media_image8.png
Greyscale
HII(1-e-axfx(x(v) ef (v)=XEX(1- where X is the variable, ax is a tunable parameter, X(v ) is the value of X for v , and fx is a monotonically increasing function used to convert values of X to scalar values, i.e., x 1 < x 2 => fx (X1 ) <- fx (X2 ). [0069]-[0072] (exploitability based on ids rules, CVSS, time) [0069]-[0072] (exploitability based on ids rules, CVSS, time) [0073]-[0075] (teaches score is determined by vulnerability data and IDS rules)
[0083]-[0091] (exposure)
As per claim 5, Albanese and Srinivasan teach the method of claim 5.
Albanese teaches wherein variables in the first set X7 comprise at least an exploitability score of a vulnerability as captured by CVSS, time lapsed since publication of details about the vulnerability and a set of known vulnerability exploitations, wherein variables in the second set Xl comprise at least a set of known IDS rules associated with a vulnerability and a set of vulnerability scanning plugins, wherein variables in the third set Xe comprise at least an impact score of a vulnerability as captured by Common Vulnerability Scoring System (CVSS), and wherein variables in the fourth set Xe comprise a set of deployed IDS rules associated with a vulnerability. [0069]-[0072] (exploitability based on ids rules, CVSS, time) [0073]-[0075]
Srinivasan further teaches wherein variables in the first set X7 comprise at least an exploitability score of a vulnerability as captured by CVSS, time lapsed since publication of details about the vulnerability and a set of known vulnerability exploitations, wherein variables in the second set Xl comprise at least a set of known IDS rules associated with a vulnerability and a set of vulnerability scanning plugins, wherein variables in the third set Xe comprise at least an impact score of a vulnerability as captured by Common Vulnerability Scoring System (CVSS), and wherein variables in the fourth set Xe comprise a set of deployed IDS rules associated with a vulnerability. (Column 7 lines 1-16) (Column 13 lines 45-55) (Column 15 lines 23-40) (teaches CVSS and subscores including temporal subscores)
As per claim 8, Albanese and Patel teach the method of claim 8.
Albanese further teaches adding one or more new variables to at least one of the first set XI, the second set Xt, the third set Xe or the fourth set Xe based on a user selection in accordance with the priorities of the distributed system. [0045][0078] (metrics calculated based on tunable parameters selected by the user)
As per claim 11, Albanese and Patel teach the method of claim 11.
Patel further teaches wherein the performing a prioritized remediation of a target vulnerability comprises: prioritizing remediation of the one or more vulnerabilities based on the resources available for remediation and current needs of the distributed system; and determining the target vulnerability that poses a greatest risk to the distributed system. [0088][0097]-[0099][0105][0114]-[0120][0148] (teaches remediation based on cyber security scoring factors and prioritizing a remediation based on rank)
The motivation is the same that of claim 1 above.
As per claim 13, Albanese teaches A method of performing prioritized remediation of security weaknesses in a distributed system, comprising: obtaining cyber security data including at least vulnerability data and intrusion detection system (IDS) rules; Albanese teaches determining a standard security weakness ranking based on the cyber security data;
Albanese teaches customizing metrics for calculating a likelihood of exploitation of each vulnerability and an exposure factor associated with exploitation of each vulnerability based on a user input including at least one variable for use in the calculation, the at least one variable influencing the likelihood of exploitation or the exposure factor and capturing a specific applicative domain of each vulnerability, priorities of the distributed system, and/or types of potential attackers; [0069]-[0072] (exploitability based on ids rules, CVSS, time) [0073]-[0075] (teaches score is determined by vulnerability data and IDS rules) (exploitability based on ids rules, CVSS, time; exposure, impact CWE CVE) [0073]-[0075] [0100][0101]
Srinivasan teaches A method of performing prioritized remediation of security weaknesses in a distributed system, comprising: obtaining cyber security data including at least vulnerability data and intrusion detection system (IDS) rules; (Column 4 line 61- Column 5 line 8) (Column 15 line 40 to Column 16 line 62) (teaches obtaining vulnerability rules from a plurality of sources including network activity monitor and vulnerability service)
Srinivasan teaches calculating the customized metrics; outputting a customized ranking of the one or more vulnerabilities based on the calculated customized metrics;
(Column 14 lines 45- Column 15 line 40) (Column 19 line 64- Column 21 line 64) (teaches customizable metrics per customer calculating rankings based on vulnerability scores, including an amalgamation of vulnerability scores including likelihood of exploitation, exposure factor, and priorities of the system)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the current application to use the teaching of Srinivasan with the prior art because it increases security.
Albanese does not teach, but Patel teaches a target security risk remediation device structured to perform a prioritized remediation of a target vulnerability selected by a user from the one or more vulnerabilities based on the customized ranking and specific needs and resources of the distributed system; and a user interface coupled to the customized security risk remediator and structured to receive the user input and output security weakness rankings including the customized rankings periodically or on demand. [0066][0088][0097]-[0099][0105][0114]-[0120][0148] (teaches remediation based on cyber security scoring factors, including user customization, periodic evaluation, and prioritizing a remediation which may be selected by a user to be applied on a GUI)
It would have been obvious to one of ordinary skill in the art to use the teaching of Patel with the prior art because it improves the security of the system in an efficient, effective manner.
As per claim 14, Albanese and Patel teach the system of claim 13,
Albanese further teaches wherein the at least one variable belongs to a first set X of variables that contribute to increasing the likelihood of exploitation as the value of the first set increases, a second set Xl that contribute to decreasing the likelihood of exploitation as the value of the second set increases, a third set Xe that contribute to increasing the exposure factoras the value of the third set increases, and a fourth set XI that contribute to decreasing the exposure factor as the value of the fourth set increases. [0069]-[0072] (likelihood of exploitation and exposure with time value)
As per claim 15, Albanese and Patel teach the system of claim 14,
Albanese further teaches wherein the first set, the second set, the third set and the fourth set of variables are defined, respectively, as follows: X={XEXI
PNG
media_image9.png
6
9
media_image9.png
Greyscale
2EV)((X(vi)
PNG
media_image2.png
3
3
media_image2.png
Greyscale
X(v2)A((VX'E X\{X})(X(V1) =X(v2))))p(vi)
PNG
media_image2.png
3
3
media_image2.png
Greyscale
p(v2))};
PNG
media_image10.png
3
6
media_image10.png
Greyscale
X={XEX1|(VI12EV)((X(vi)
PNG
media_image2.png
3
3
media_image2.png
Greyscale
X(v2)A((VX'E X\{X})(X(V1) =X(v2))))p(vi)>p(v2))};
PNG
media_image10.png
3
6
media_image10.png
Greyscale
Xe={XEXe|
PNG
media_image4.png
6
2
media_image4.png
Greyscale
(Viv2EV)((X(vi)
PNG
media_image2.png
3
3
media_image2.png
Greyscale
X(v2)A((VX'E X\{X})(X(v1) =X(v2
PNG
media_image5.png
10
17
media_image5.png
Greyscale
ef(v)< ef(2))}; and Xe={XEXe|
PNG
media_image4.png
6
2
media_image4.png
Greyscale
(Voiv2EV)((X(vi)
PNG
media_image2.png
3
3
media_image2.png
Greyscale
X(v2)A((VX'E X\{X})(X(v1) =X(v2
PNG
media_image6.png
10
17
media_image6.png
Greyscale
ef(v);ef(v2))};where X is a variable, V is a set of all know vulnerabilities and v is a known vulnerability, p(v) is the likelihood of exploitation of the vulnerability v and ef(v) is the exposure factor of the vulnerability v. [0013]-[0020] teaches the sets of variables, vulnerabilities, likelihood of exploitation, exposure factor)
As per claim 16, Albanese and Patel teach the system of claim 14,
Albanese further teaches wherein the likelihood p(v) of exploitation of each vulnerability is defined as a function p: V -> [0,1] as follows:
PNG
media_image11.png
15
105
media_image11.png
Greyscale
and the exposure factor ef (v) associated with exploitation of each vulnerability is defined as a function ef : V -> [0,1] as follows:
PNG
media_image12.png
13
25
media_image12.png
Greyscale
H( (1 - e-axfx((v)ef (v) =.,,ty,'f3)) where X is the variable, ax is a tunable parameter, X(v ) is the value of X for v , and fx is a monotonically increasing function used to convert values of X to scalar values, i.e., x 1 < x 2 => fx (X1 ) <- fx (X2 ). (Exploitation and Exposure metric calculation formulas) [0069]-[0072] (exploitability based on ids rules, CVSS, time) [0073]-[0075] (teaches score is determined by vulnerability data and IDS rules)
[0083]-[0091] (exposure
As per claim 17, Albanese and Patel teach the system of claim 14,
Albanese teaches wherein variables in the first set X7 comprise at least an exploitability score of a vulnerability as captured by CVSS, time lapsed since publication of details about the vulnerability and a set of known vulnerability exploitations, wherein variables in the second set Xl comprise at least a set of known IDS rules associated with a vulnerability and a set of vulnerability scanning plugins, wherein variables in the third set Xe comprise at least an impact score of a vulnerability as captured by Common Vulnerability Scoring System (CVSS), and wherein variables in the fourth set Xe comprise a set of deployed IDS rules associated with a vulnerability. [0069]-[0072] (exploitability based on ids rules, CVSS, time) [0073]-[0075]
Srinivasan further teaches wherein variables in the first set X7 comprise at least an exploitability score of a vulnerability as captured by CVSS, time lapsed since publication of details about the vulnerability and a set of known vulnerability exploitations, wherein variables in the second set Xl comprise at least a set of known IDS rules associated with a vulnerability and a set of vulnerability scanning plugins, wherein variables in the third set Xe comprise at least an impact score of a vulnerability as captured by Common Vulnerability Scoring System (CVSS), and wherein variables in the fourth set Xe comprise a set of deployed IDS rules associated with a vulnerability. (Column 7 lines 1-16) (Column 13 lines 45-55) (Column 15 lines 23-40) (teaches CVSS and subscores including temporal subscores)
As per claim 20, Albanese, Srinivasan and Patel teach the system of claim 13,
Patel further teaches wherein the prioritized remediation of a target vulnerability is based at least in part on a prioritization of remediations of the one or more vulnerabilities based on the resources available for remediation and current needs of the distributed system and a determination that the target vulnerability that poses a greatest risk to the distributed system.
[0088][0097]-[0099][0105][0114]-[0120][0148] (teaches remediation based on cyber security scoring factors and prioritizing a remediation based on rank).
The motivation is the same that of claim 13 above.
Claim(s) 6, 7, and 19 is/are rejected under 35 U.S.C. 103 as being unpatentable over over Albanese US 2022/0407891 in view of Srinivasan US 11,516,222 in view of Patel US 2018/0351987 in view of Alsharif US 2021/0037038
As per claim 6, Albanese, Srinivasan and Patel teach the method of claim 2,
Srinivasan and Patel do not teach, but Alsharif teaches wherein the at least one variable comprises a plurality variables and each of the first set X , the second set Xt, the third set X, or the fourth set Xe includes at least one of the plurality of variables, and wherein the method further comprises: providing a quality score of each customized rank; and determining the target vulnerability based at least in part on the quality score. [0011][0012][0087][0088][0101] (teaches incorporating a score based on number of occurrences per different computer environment/variable and incorporating this score into the total ranking of vulnerability scores)
It would have been obvious to one of ordinary skill in the art to use the teaching of Alsharif with the prior art because it ranks and prioritizes vulnerabilities and the corresponding remediation more accurately.
As per claim 7, Albanese, Srinivasan, Patel and Alsharif teach the method of claim 6,
Alsharif further teaches wherein the quality score improves based on an increase in a number of the plurality of variables used in the calculation of the customized metrics. [0011][0012][0087][0088][0101] (teaches incorporating a score based on number of occurrences per different computer environment/variable and incorporating this score into the total ranking of vulnerability scores).
The motivation is the same that of claim 6 above.
As per claim 19, Albanese Srinivasan and Patel teach the system of claim 13,
Albanese further teaches wherein the data ingestion device is further structured to generate and/or ingest vulnerability scanning reports, and the metrics further comprises a common weaknesses score as defined as S(CWEi)=LVEC(CWEg)11(V)Ip(v)-ef(v), where v is a vulnerability, I(v) is a set of instances of the vulnerability v within the system, CWEi is a Common Weakness Enumeration weakness, C(CWEi) is a set of common vulnerabilities and explores (CVEs) mapped to CWEi, p(v) is the likelihood of exploitation of the vulnerability v and ef(v) is the exposure factor of the vulnerability v. [0069]-[0072] (exploitability based on ids rules, CVSS, time; CWE CVE) [0073]-[0075] [0100][0101]
Alsharif teaches a set of instances of vulnerability within a system[0011][0093][0100] (teaches incorporating a score based on number of occurrences per different computer environment/variable and incorporating this score into the total ranking of vulnerability scores)
The motivation is the same that of claim 6 above.
Claim(s) 12 is/are rejected under 35 U.S.C. 103 as being unpatentable over over Albanese US 2022/0407891 in view of Srinivasan US 11,516,222 in view of Patel US 2018/0351987 in view of Crabtree US 2022/0263852
As per claim 12, Albanese, Srinivasan and Patel teach the method of claim 1,
Srinivasan and Patel do not teach, but Crabtree teaches wherein the types of potential attackers comprises attackers who are aware of only the CVSS scores, attackers who have access to a system component associated with the one or more vulnerabilities, and attackers who can perform reconnaissance on the distributed system and discover unpatched vulnerabilities. [0020][0022][0072] (teaches potential attacker analysis and security vulnerability analysis including reconnaissance and patch level of vulnerabilities)
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to use the teaching of Crabtree with the prior art because it incorporates more variables to improve the remediation method.
Claim(s) 18 is/are rejected under 35 U.S.C. 103 as being unpatentable over over Albanese US 2022/0407891 in view of Srinivasan US 11,516,222 in view of Patel US 2018/0351987 in view of Klein US 2017/0339180
As per claim 18, Albanese, Srinivasan and Patel teach the system of claim 13,
Srinivasan and Patel do not teach, but Klein teaches plugins structured to interface with an individual virtual scanner; and Application Programming Interfaces structured to interface with third party applications. [0040][0045][0048] (teaches use of plugins with scanner appliance and interfacing with third party applications)
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to use the teaching of Klein with the prior art because it provides for broader compatibility.
Allowable Subject Matter
Claims 9 and 10 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHRISTOPHER BROWN whose telephone number is (571)272-3833. The examiner can normally be reached M-F 8-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached at (571) 270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/CHRISTOPHER J BROWN/Primary Examiner, Art Unit 2439