DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.
Applying the subject matter eligibility test, as outlined in MPEP 2106:
Step 1: Statutory Category
The claims fall within a statutory category. Claims 11-20 are considered machine claims and claims 1-10 are considered process claims. Both machines and processes are members of the statutory categories. Thus, the analysis moves to step 2A, prong one of the subject matter eligibility test.
Step 2A, Prong One: Judicial Exception
The claims recite a judicial exception, specifically an abstract idea. For example, claims 1, 11 and 20 recite identifying a series of vulnerabilities; determining a risk associated with each vulnerability of the series of vulnerabilities; determining one or more characteristics related to a manner of repairing each vulnerability of the series of vulnerabilities; identifying, based on at least one commonality between the one or more characteristics, one or more subsets of vulnerabilities from the series of vulnerabilities; and displaying the one or more subsets of vulnerabilities in an order, the order being based on the at least one commonality and the determined risk, wherein each subset is enabled to be addressed as a group. Such processes are akin to a mental process or methods of organizing human activity, which have been recognized as abstract ideas. Thus, the analysis moves towards step 2A, prong two.
Step 2A, Prong Two: Integration into a Practical Application
The claims do not integrate the abstract idea into a practical application. The additional elements, such as a processor, a memory and displaying one or more subsets of vulnerabilities, do not impose any meaningful limits on the abstract idea. Accordingly, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea. The claim is directed to an abstract idea. Thus, the analysis moves to step 2B.
Step 2B: Inventive concept
Finally, the claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional elements amount to no more than mere instructions to apply the exception using a generic computer component. Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept.
Claims 2-10 and 12-19 merely add details to the generic off-the-shelf components already recited in claims 1 and 11, and do not alter the outcome of the analysis above.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.
Claims 1-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or, for pre-AIA, the applicant) regards as the invention.
Regarding claim 1, the key limitation "one or more characteristics" is presented purely as a functional label with no objective boundaries, leaving readers unable to determine where infringement begins or ends. Every operative verb (identifying, determining and displaying) is recited only by its desired outcome. Because a person having ordinary skill in the art could not ascertain the claim scope with reasonable certainty, the claims are indefinite under 35 U.S.C. § 112(b).
Independent claims 11 and 20 are also rejected for the same rationale as claim 1.
Dependent claims 2-10 and 12-19 are also rejected for inheriting the deficiencies of the independent claims from which they depend.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-4, 8-9, 11-14 and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Pickens et al. (Pub. No.: US 2025/0272408, hereinafter Pickens) in view of Griffin et al. (Pub. No.: US 2024/0356960, hereinafter Griffin).
Regarding claim 1: Pickens teaches: A computer-implemented method for vulnerability management, the method comprising:
identifying a series of vulnerabilities (Pickens - [0025]: a centralized server system or other computer system on the network identifies and prioritizes currently existing security vulnerabilities for the computing devices, based on factors that include priority level, ownership, age, and the like);
determining one or more characteristics related to a manner of repairing each vulnerability of the series of vulnerabilities; identifying, based on at least one commonality between the one or more characteristics, one or more subsets of vulnerabilities from the series of vulnerabilities (Pickens - [0076]: Classification permits timely identification and/or grouping of security vulnerabilities based on characteristics, features, and/or attributes associated with various applicable technologies … Security Patch X may be required to avoid Security Vulnerability A and Security Vulnerability B. Here, one common characteristic of Security Vulnerabilities A and B is the commonly-required Security Patch X. A second common characteristic is the commonly-used operating system); and
However, Pickens doesn’t explicitly teach, but Griffin discloses:
determining a risk associated with each vulnerability of the series of vulnerabilities (Griffin - [0015]: for each vulnerability in the manifest, the computer system can execute Blocks of the method S100 to calculate risk (e.g., a risk score) associated with the vulnerability based on severity (e.g., a severity score) associated with the vulnerability and a quantity (and/or criticality) of assets associated with the vulnerability);
displaying the one or more subsets of vulnerabilities in an order, the order being based on the at least one commonality and the determined risk (Griffin - [0011]: selecting a first subset of vulnerabilities, in the first set of vulnerabilities, exhibiting the highest vulnerability risk score in the first set of vulnerability risk scores in Block S146; generating a first visualization indicating the first subset of vulnerabilities including the first vulnerability and the first quantity of users associated with the first vulnerability in Block S150; and serving the first visualization to an operator via an operator interface in Block S152. [0161]: generates a second visualization indicating the second status of the first asset relative to the first vulnerability; and serves the second visualization to the operator via the operator interface), wherein each subset is enabled to be addressed as a group (Griffin - [0198]: for each vulnerability in a set of vulnerabilities exhibited in the computer network, the computer system can: access a current composite risk score for the computer network; identify an action (or a set of actions) to remediate or mitigate the vulnerability; recalculate a subset of asset risk scores).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Pickens with Griffin so that the risks associated with vulnerabilities can be determined and visualized in an order. The modification would have allowed the system to determine risks and display them to a user for taking action.
Regarding claim 2: Pickens as modified teaches: wherein determining the risk includes at least one of identifying a predefined static value or calculating a dynamic value associated with each vulnerability (Griffin - [0010]: calculating a first vulnerability risk score, in a first set of vulnerability risk scores associated with the first set of vulnerabilities, associated with the first vulnerability based on the first quantity of devices and a first severity score assigned to the first vulnerability in Block S144).
The reason to combine is the same rationale as for claim 1.
Regarding claim 3: Pickens as modified teaches: wherein the one or more characteristics include at least one of a cost to repair a particular vulnerability, a source of the particular vulnerability, a potential side effect associated with repairing the particular vulnerability, or a risk reduction value associated with repairing the particular vulnerability (Pickens - [0058]: The security vulnerability ownership component 216 is configured to identify one or more current “owners” of an identified security vulnerability).
Regarding claim 4: Pickens as modified teaches: wherein the source of the particular vulnerability includes at least one of a source code, a hardware location, an alert location, a location of a change required for remediation, or an owner (Griffin - [0031]: the computer system can detect and distinguish individual assets (e.g., physical devices, virtual devices, software applications, users)—in a set of assets across a set of asset classes (e.g., a device asset class, a software asset class, a user asset class)—connected to the computer network during discrete intervals).
The reason to combine is the same rationale as for claim 1.
Regarding claim 8: Pickens as modified teaches: further comprising repairing the one or more subsets of vulnerabilities (Pickens - [0043]: the system 100 for enhancing data security is an automated system operable to organize large quantities of security vulnerabilities into actionable groups that can be promptly communicated and assigned to corrective action owners across the enterprise).
Regarding claim 9: Pickens as modified teaches: wherein repairing the one or more subsets includes making at least one change to repair at least one vulnerability of the one or more subsets, the method further comprising verifying the at least one change (Griffin - [0198]: for each vulnerability in a set of vulnerabilities exhibited in the computer network, the computer system can: access a current composite risk score for the computer network; identify an action (or a set of actions) to remediate or mitigate the vulnerability; recalculate a subset of asset risk scores).
The reason to combine is the same rationale as for claim 1.
Regarding claims 11-14 and 18-19: These claims are directed to a system and do not recite limitations beyond those recited in claims 1-4 and 8-9. Therefore, claims 11-14 and 18-19 are also rejected for the reasons set forth for claims 1-4 and 8-9. Furthermore, Pickens in para. [0045] discloses at least one processor 202 and a memory device 204.
Regarding claim 20: This claim is a computer-readable medium claim corresponding to method claim 1 and does not recite limitations beyond those of claim 1. Therefore, claim 20 is rejected with the same rationale as in the rejection of claim 1.
Claims 5, 10 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Pickens et al. (Pub. No.: US 2025/0272408, hereinafter Pickens) in view of Griffin et al. (Pub. No.: US 2024/0356960, hereinafter Griffin) and Cameron et al. (Pub. No.: US 2025/0036777, hereinafter Cameron).
Regarding claims 5 and 15: Pickens as modified doesn’t explicitly teach but Cameron teaches: wherein the potential side effect is determined based on at least one of predefined data or one or more queries (Cameron - [0111]: Some examples of criteria that can be used in determining a best patch can include, for example and without limitation, effectiveness of the patch (e.g., whether a patch fully or partially remediates a vulnerability), availability impact of the patch (e.g., can patches be applied to a running system or is a reboot required, is there a lengthy installation process, are configuration changes needed, etc.), performance impact of the patch (e.g., is a system's capacity significantly reduced or do operations take significantly longer to carry out?), and so forth).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Pickens and Griffin with Cameron so that a mitigation can be evaluated based on its potential performance impact. The modification would have allowed the system to select the best patch for mitigating a vulnerability.
Regarding claim 10: Pickens as modified discloses wherein repairing the one or more subsets includes making at least one change to repair at least one vulnerability of the one or more subsets (Griffin - [0198]: for each vulnerability in a set of vulnerabilities exhibited in the computer network, the computer system can: access a current composite risk score for the computer network; identify an action (or a set of actions) to remediate or mitigate the vulnerability).
However, Pickens as modified doesn’t explicitly teach but Cameron teaches: the method further comprising validating a side effect associated with the at least one change (Cameron - [0121]: The system can test each generated patch and evaluate the results to select a patch for potential deployment, for example based on criteria such as vulnerability mitigation effectiveness, availability impact, performance impact, etc.).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Pickens and Griffin with Cameron so that the selected patch can be validated. The modification would have allowed the system to be more secure.
Claims 6 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Pickens et al. (Pub. No.: US 2025/0272408, hereinafter Pickens) in view of Griffin et al. (Pub. No.: US 2024/0356960, hereinafter Griffin) and Shakarian et al. (Pub. No.: US 2022/0215102, hereinafter Shakarian).
Regarding claims 6 and 16: Pickens as modified doesn’t explicitly teach but Shakarian teaches further comprising:
determining an aggregate risk reduction value associated with each subset of vulnerabilities; and
determining an aggregate cost to repair associated with each subset of vulnerabilities (Shakarian - [0067]: the system 100 is configured to determine cyber aggregation risk by, generally, calculating the probability of a single attack costing a predetermined certain amount in terms of potential damage).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Pickens and Griffin with Shakarian so that aggregation risk and cost are determined. The modification would have allowed the system to be more efficient.
Claims 7 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Pickens et al. (Pub. No.: US 2025/0272408, hereinafter Pickens) in view of Griffin et al. (Pub. No.: US 2024/0356960, hereinafter Griffin) and Shakarian et al. (Pub. No.: US 2022/0215102, hereinafter Shakarian) and Kadam et al. (Pub. No.: US 2023/0032304).
Regarding claims 7 and 17: Pickens as modified doesn’t explicitly teach but Kadam teaches wherein the order is further based on a ratio of the aggregate risk to the aggregate cost of repair (Kadam - [0061]: ranking the recommendations in descending order based on a ratio of the potential impact of the respective recommendation on the risk score to the estimated cost of implementing the respective recommendation).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Pickens and Griffin with Shakarian and Kadam so that the ratio of risk score to cost is used to determine the rank. The modification would have allowed the system to sort the subsets by risk.
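As an added illustration of the claimed grouping and ordering (not code from the application or from Pickens, Griffin, Shakarian or Kadam), the following Python groups findings by their commonly-required patch, sums the determined risk and the repair cost per subset, and orders the subsets by the ratio of aggregate risk to aggregate cost; the field names, the per-finding cost model and the sample findings are assumptions constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str
    risk: float        # determined risk, e.g. a severity score scaled by affected assets
    patch: str         # repair characteristic used as the commonality key
    os_name: str       # second repair characteristic, kept for reporting
    cost: float        # assumed per-finding cost to apply the repair


@dataclass
class Subset:
    patch: str
    members: Tuple[Vulnerability, ...]
    aggregate_risk: float
    aggregate_cost: float

    @property
    def ratio(self) -> float:
        # Risk reduction per unit of repair cost; a zero-cost repair ranks first.
        if self.aggregate_cost == 0:
            return float("inf")
        return self.aggregate_risk / self.aggregate_cost


def group_by_patch(vulns: List[Vulnerability]) -> List[Subset]:
    """Form one subset per commonly-required patch (the commonality)."""
    buckets: Dict[str, List[Vulnerability]] = defaultdict(list)
    for v in vulns:
        buckets[v.patch].append(v)
    subsets = []
    for patch, members in buckets.items():
        ordered = tuple(sorted(members, key=lambda v: v.risk, reverse=True))
        subsets.append(Subset(patch, ordered,
                              sum(v.risk for v in ordered),
                              sum(v.cost for v in ordered)))
    return subsets


def prioritize(vulns: List[Vulnerability]) -> List[Subset]:
    """Order subsets by risk/cost ratio, then by aggregate risk, descending."""
    return sorted(group_by_patch(vulns),
                  key=lambda s: (s.ratio, s.aggregate_risk), reverse=True)


# Constructed sample findings (not taken from the application or any cited reference).
SAMPLE = [
    Vulnerability("V-A", 8.0, "Patch-X", "linux", 2.0),
    Vulnerability("V-B", 6.0, "Patch-X", "linux", 2.0),
    Vulnerability("V-C", 9.0, "Patch-Y", "windows", 10.0),
    Vulnerability("V-D", 3.0, "Patch-Z", "linux", 1.0),
]

if __name__ == "__main__":
    for s in prioritize(SAMPLE):
        ids = ", ".join(v.vuln_id for v in s.members)
        print(f"{s.patch}: risk={s.aggregate_risk} cost={s.aggregate_cost} "
              f"ratio={s.ratio:.2f} -> [{ids}]")
```

Each subset can then be assigned to a single corrective-action owner and addressed as a group, with the highest risk-per-cost subset first.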
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MENG LI whose telephone number is (571)272-8729. The examiner can normally be reached M-F 8:30-5:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Alexander Lagor can be reached on (571) 270-5143. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/MENG LI/
Primary Examiner, Art Unit 2437