Prosecution Insights
Last updated: April 19, 2026
Application No. 18/825,263

Method, System, and Computer Program Product for Identifying Library Vulnerabilities

Office action: Non-Final OA (§101, §103)
Filed: Sep 05, 2024
Examiner: RAHMAN, SM AZIZUR
Art Unit: 2434
Tech Center: 2400 (Computer Networks)
Assignee: VISA INTERNATIONAL SERVICE ASSOCIATION
OA Round: 1 (Non-Final)
Grant Probability: 88% (Favorable)
Expected OA Rounds: 1-2
Time to Grant: 2y 8m
Grant Probability with Interview: 99%

Examiner Intelligence

Career Allow Rate: 88% (448 granted / 509 resolved; +30.0% vs TC avg; above average)
Interview Lift: +18.6% for resolved cases with an interview versus without (strong +19% lift)
Avg Prosecution: 2y 8m
Currently pending: 20
Total Applications: 529 across all art units (career history)

Statute-Specific Performance (compared with the Tech Center average estimate; based on career data from 509 resolved cases)

§101: 8.9% (-31.1% vs TC avg)
§103: 47.7% (+7.7% vs TC avg)
§102: 31.5% (-8.5% vs TC avg)
§112: 4.9% (-35.1% vs TC avg)

Office Action

§101, §103

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Detailed Action

2. Claims 1-21 are pending in Instant Application.

Information Disclosure Statement

The information disclosure statement (IDS) submitted on 01/28/2025 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 101

35 U.S.C. 101 reads as follows: Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claim 1 is rejected under 35 U.S.C. § 101 under the 2019 PEG framework because the claimed inventions are directed to an abstract idea without significantly more. The claim recites a judicial exception (an abstract idea falling within the “methods of organizing human activity” and “data analysis” groupings) that is not integrated into a practical application.

Step 1: Statutory Category

Claim 1 satisfies the statutory category requirement because it is directed to a “method” or “process” under 35 U.S.C. § 101(a). The claim recites a series of steps performed with at least one processor, including obtaining a library, obtaining vulnerability information, generating rules, training a machine learning model, scanning applications, and providing an indication of vulnerabilities.

Step 2A, Prong 1 - Judicial Exception (Abstract Idea)

Claim 1 recites multiple judicial exceptions within the abstract idea category. First, the claim recites data analysis and information processing: “obtaining…information associated with at least one vulnerability,” “generating…at least one rule associated with the at least one vulnerability,” and “providing an indication of whether the at least one application…includes the at least one vulnerability” constitute mental processes and data manipulation that could be performed in the human mind. Second, the claim recites a method of organizing human activity—a vulnerability management workflow: collect data, generate rules, train a model, scan applications, report results. This is a business or organizational process predating computers.

The offending clauses are: “obtaining…information associated with at least one vulnerability associated with the library”; “generating…at least one rule associated with the at least one vulnerability”; “training…at least one machine learning model, with the at least one rule”; “scanning…at least one application…to identify whether the at least one application includes the at least one vulnerability”; and “providing…an indication of whether the at least one application…includes the at least one vulnerability.”

Step 2A, Prong 2 - Integration into a Practical Application

Claim 1 fails integration analysis. The claim does not recite any specific technological improvement to computer functionality—no reduction in latency, improvement in detection accuracy, or optimization of memory utilization. The claim merely states “train at least one machine learning model” without describing the model’s innovation or technological contribution, which is insufficient under Alice and Mayo. The preamble recites “with at least one processor,” but this is generic computer implementation language; there is no claim to specialized hardware, FPGA, ASIC, or particular machine architecture. Per Alice, 573 U.S. at 221, merely implementing an abstract idea on a generic computer does not confer eligibility.

The claim does not transform a tangible article into a different state or thing; data manipulation alone—receiving vulnerability data, generating rules, scanning code, reporting results—is not transformation. Per Bilski, 561 U.S. at 618, and PEG p. 56, transformation requires a change in physical properties or state of a tangible article. The additional elements (processor, memory, external data source, DAST tools) are routine, conventional steps in application security testing and constitute insignificant extra-solution activity. Per PEG p. 56, field-of-use limitations do not suffice. The claim does not recite a specific technological problem solved; the specification describes a business problem (supply chain attacks, CVE remediation delays) but not how the claimed method improves upon existing DAST tools or conventional vulnerability detection in a non-conventional manner.

Step 2B - “Significantly More” (Inventive Concept)

The additional elements—processor, memory, external data source, OWASP dependency check tool, web crawler, machine learning model, and DAST tool—are all well-understood, routine, and conventional (WURC) in the field of cybersecurity and application security testing as of the priority date of September 8, 2023. OWASP tools, web crawlers, and DAST tools are standard, commercially available components. Machine learning models for classification are well-established techniques. The specification provides no factual evidence demonstrating that these elements, individually or in combination, represent a non-conventional or inventive approach. Under Berkheimer v. HP, Inc., 881 F.3d 1360 (Fed. Cir. 2018), the examiner would need to establish a factual record that these elements are not WURC, and no such record exists. Therefore, the claim fails Step 2B as well.

Examiner Note: Independent claims teach claim limitation ‘a library’ which is pretty broad. Based on ¶ 0075 of the specification a library can be defined as “(e.g., a software library, a Java Archive (JAR) file including the software library, etc.)”. Examiner would like the applicant to take a look into this and make necessary adjustment.

Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

4. Claims 1-2, 5, 7-9, 12, 14-16, 19, and 21 are rejected under 35 U.S.C. 103 as being unpatentable over US 11,106,801 issued to Levine et al. (Levine) in view of US 2022/0083667 issued to Anwar et al. (Anwar) (Applicant IDS).

As per claim 1, Levine teaches a method, comprising: obtaining, with at least one processor, a library (Levine: Fig. 5 - Receive contextual data, computational data, experiential data, and industry data associated with software code (library)); obtaining, with the at least one processor, from at least one external data source, information associated with at least one vulnerability associated with the library (Levine: Fig. 5 - Receive detected vulnerabilities data identified by a scanning model based on the software code and software code metadata of the computational data); generating, with the at least one processor, based on the information associated with the at least one vulnerability associated with the library, at least one rule associated with the at least one vulnerability (Levine: Fig. 5 - Process the contextual data, the computational data, and the experiential data, with a contextual identification model, to determine a set of rules and a set of actions, wherein the set of rules are associated with security testing of the software code); training, with the at least one processor, at least one machine learning model, with the at least one rule associated with the at least one vulnerability (Levine: Fig. 2 - using a machine learning model in connection with orchestrating and performing augmented vulnerability triage for software security testing).

Levine however does not explicitly teach scanning, with the at least one processor, based on the at least one rule associated with the at least one vulnerability, at least one application that uses the library to identify whether the at least one application includes the at least one vulnerability; and providing, with the at least one processor, an indication of whether the at least one application that uses the library includes the at least one vulnerability.

Anwar however explicitly teaches scanning, with the at least one processor, based on the at least one rule associated with the at least one vulnerability, at least one application that uses the library to identify whether the at least one application includes the at least one vulnerability (Anwar: Fig. 3 - software composition analysis system identifies application for analysis; application calls common library and identifies known vulnerability in common library); and providing, with the at least one processor, an indication of whether the at least one application that uses the library includes the at least one vulnerability (Anwar: Fig. 3 - software composition analysis system generates application dependency tree and identifies effective and ineffective vulnerabilities).

It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Levine in view of Anwar to teach scanning, with the at least one processor, based on the at least one rule associated with the at least one vulnerability, at least one application that uses the library to identify whether the at least one application includes the at least one vulnerability; and providing, with the at least one processor, an indication of whether the at least one application that uses the library includes the at least one vulnerability. One would be motivated to do so as the software composition analysis system identifies application for analysis; application calls common library and identifies known vulnerability in common library and software composition analysis system generates application dependency tree and identifies effective and ineffective vulnerabilities (Anwar: Fig. 3).

As per claim 2, the modified teaching of Levine teaches the method of claim 1, wherein the information associated with the at least one vulnerability includes at least one of the following: a name or identifier associated with the library, a vulnerability type associated with the at least one vulnerability, a description associated with the at least one vulnerability, a time of discovery associated with the at least one vulnerability, a complexity level associated with the at least one vulnerability, a code pattern associated with the at least one vulnerability, or any combination thereof (Levine: Col. 5, ll. 61-62 - generalizing or specifying rule statements related to a same vulnerability type).

As per claim 5, the modified teaching of Levine teaches the method of claim 2, wherein obtaining, from the at least one external data source, the information associated with the at least one vulnerability associated with the library includes: decompiling the library to generate source code associated with the library; and querying, based on the source code associated with the library, the at least one external data source for one or more code patterns associated with the source code (Levine: Col. 5, ll. 13-17 - the orchestration system may onboard (e.g., provide) the software code and the software code metadata to the scanning model, and the scanning model may analyze the software code for occurrences of patterns that may lead to unintended and/or unsecure behavior of the software code).

As per claim 7, the modified teaching of Levine teaches the method of claim 1, further comprising: obtaining, with the at least one processor, further information associated with the library; providing, with the at least one processor, as input to the at least one machine learning model, the further information associated with the library (Levine: Col. 10, ll. 30-33 - the machine learning system may determine variables for a set of observations and/or variable values for a specific observation based on input received from the orchestration system), and receiving, as output from the at least one machine learning model, an indication as to whether one or more rules associated with one or more vulnerabilities associated with the further information associated with the library have already been generated (Levine: Col. 11, ll. 7-12 - the machine learning model may learn patterns from the set of observations without labeling or supervision, and may provide output that indicates such patterns, such as by using clustering and/or association to identify related groups of items within the set of observations; Col. 11, ll. 1-21 and ll. 42-44 - also teaches the machine learning system may store the machine learning model as a trained machine learning model to be used to analyze new observations and the trained machine learning model may predict a value of sets of rules and actions X for the target variable of workflow for the new observation).

Levine however does not explicitly teach in response to the indication that the one or more rules associated with the further information associated with the library have already been generated, with the at least one processor: scan, based on the one or more rules, the at least one application that uses the library to identify whether the at least one application includes the one or more vulnerabilities; and provide a further indication of whether the at least one application that uses the library includes the one or more vulnerabilities.

Anwar however explicitly teaches in response to the indication that the one or more rules associated with the further information associated with the library have already been generated, with the at least one processor: scan, based on the one or more rules, the at least one application that uses the library to identify whether the at least one application includes the one or more vulnerabilities (Anwar: Fig. 3 - software composition analysis system identifies application for analysis; application calls common library and identifies known vulnerability in common library); and provide a further indication of whether the at least one application that uses the library includes the one or more vulnerabilities (Anwar: Fig. 3 - software composition analysis system generates application dependency tree and identifies effective and ineffective vulnerabilities).

It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Levine in view of Anwar to teach in response to the indication that the one or more rules associated with the further information associated with the library have already been generated, with the at least one processor: scan, based on the one or more rules, the at least one application that uses the library to identify whether the at least one application includes the one or more vulnerabilities; and provide a further indication of whether the at least one application that uses the library includes the one or more vulnerabilities. One would be motivated to do so as the software composition analysis system identifies application for analysis; application calls common library and identifies known vulnerability in common library and software composition analysis system generates application dependency tree and identifies effective and ineffective vulnerabilities (Anwar: Fig. 3).

As per claim 8, the claim resembles claim 1 and is rejected under the same rationale.

As per claim 9, the claim resembles claim 2 and is rejected under the same rationale.

As per claim 12, the claim resembles claim 5 and is rejected under the same rationale.

As per claim 14, the claim resembles claim 7 and is rejected under the same rationale.

As per claim 15, the claim resembles claim 1 and is rejected under the same rationale while Levine also teaches a computer program product comprising at least one non-transitory computer-readable medium including program instructions that is executed by at least one processor (Levine: Col. 15, ll. 2-7 - a non-transitory computer-readable medium (e.g., memory and/or storage component) may store a set of instructions (e.g., one or more instructions, code, software code, program code, and/or the like) for execution by processor and the processor may execute the set of instructions to perform one or more processes).

As per claim 16, the claim resembles claim 2 and is rejected under the same rationale.

As per claim 19, the claim resembles claim 5 and is rejected under the same rationale.

As per claim 21, the claim resembles claim 7 and is rejected under the same rationale.

5. Claims 3, 10, and 17 are rejected under 35 U.S.C. 103 as being unpatentable over US 11,106,801 issued to Levine et al. (Levine) in view of US 2022/0083667 issued to Anwar et al. (Anwar) (Applicant IDS) and further in view of US 2025/0032935 issued to Palanki.

As per claim 3, the modified teaching of Levine teaches the method of claim 2 however does not explicitly teach wherein obtaining, from the at least one external data source, the information associated with the at least one vulnerability associated with the library includes: retrieving, with an Open Worldwide Application Security Project (OWASP) dependency check tool, the information associated with the at least one vulnerability associated with the library.

Palanki however explicitly teaches obtaining, from the at least one external data source, the information associated with the at least one vulnerability associated with the library includes: retrieving, with an Open Worldwide Application Security Project (OWASP) dependency check tool, the information associated with the at least one vulnerability associated with the library (Palanki: ¶ 0031 - a test program challenge can be based on an Open Worldwide Application Security Project (OWASP) for computer security vulnerability).

It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the modified teaching of Levine in view of Palanki to teach obtaining, from the at least one external data source, the information associated with the at least one vulnerability associated with the library includes: retrieving, with an Open Worldwide Application Security Project (OWASP) dependency check tool, the information associated with the at least one vulnerability associated with the library. One would be motivated to do so as a test program challenge can be based on an Open Worldwide Application Security Project (OWASP) for computer security vulnerability (Palanki: ¶ 0031).

As per claim 10, the claim resembles claim 3 and is rejected under the same rationale.

As per claim 17, the claim resembles claim 3 and is rejected under the same rationale.

6. Claims 4, 11, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over US 11,106,801 issued to Levine et al. (Levine) in view of US 2022/0083667 issued to Anwar et al. (Anwar) (Applicant IDS) and further in view of US 8,752,183 issued to Heiderich et al. (Heiderich).

As per claim 4, the modified teaching of Levine teaches the method of claim 2 however does not explicitly teach wherein obtaining, from the at least one external data source, the information associated with the at least one vulnerability associated with the library includes: aggregating, from a plurality of websites, using a web crawler, the information associated with the at least one vulnerability associated with the library.

Heiderich however explicitly teaches wherein obtaining, from the at least one external data source, the information associated with the at least one vulnerability associated with the library includes: aggregating, from a plurality of websites, using a web crawler, the information associated with the at least one vulnerability associated with the library (Heiderich: Col. 7, ll. 7-15; Col. 19, ll. 11-13 - teaches the crawler module may comprise a universal resource locator (URL) crawler module, configured to identify URLs and forms in the web page code and a document object model (DOM) crawler module, configured to identify URLs/forms by analyzing DOMs associated with web pages that may utilize a "classical" web crawler application or process in the URL crawler module; wherein the aggregate of URLs stored in the URLs data store may eventually be utilized by the DOM crawler module and the vulnerability scanner module).

It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the modified teaching of Levine in view of Heiderich to teach wherein obtaining, from the at least one external data source, the information associated with the at least one vulnerability associated with the library includes: aggregating, from a plurality of websites, using a web crawler, the information associated with the at least one vulnerability associated with the library. One would be motivated to do so as web pages may utilize a "classical" web crawler application or process in the URL crawler module; wherein the aggregate of URLs stored in the URLs data store may eventually be utilized by the DOM crawler module and the vulnerability scanner module (Heiderich: Col. 7, ll. 7-15; Col. 19, ll. 11-13).

As per claim 11, the claim resembles claim 4 and is rejected under the same rationale.

As per claim 18, the claim resembles claim 4 and is rejected under the same rationale.

7. Claims 6, 13, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over US 11,106,801 issued to Levine et al. (Levine) in view of US 2022/0083667 issued to Anwar et al. (Anwar) (Applicant IDS) and further in view of US 2017/0176245 issued to Cornell et al. (Cornell) (Applicant IDS).

As per claim 6, the modified teaching of Levine teaches the method of claim 1 however does not explicitly teach wherein scanning, based on the at least one rule associated with the at least one vulnerability, the at least one application that uses the library to identify whether the at least one application includes the at least one vulnerability includes: generating, based on the at least one rule, at least one dynamic application security testing (DAST) pattern; and scanning, using a DAST tool, the at least one application according to the at least one DAST pattern.

Cornell however explicitly teaches wherein scanning, based on the at least one rule associated with the at least one vulnerability, the at least one application that uses the library to identify whether the at least one application includes the at least one vulnerability includes: generating, based on the at least one rule, at least one dynamic application security testing (DAST) pattern; and scanning, using a DAST tool, the at least one application according to the at least one DAST pattern (Cornell: ¶ 0009 - vulnerabilities identified by dynamic application security testing (DAST) analysis for web-based applications tend to have attack surface information that includes vulnerability type, the relative URL of the vulnerability within the application, and, for certain classes of vulnerabilities, the injection point into the application).

It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the modified teaching of Levine in view of Cornell to teach wherein scanning, based on the at least one rule associated with the at least one vulnerability, the at least one application that uses the library to identify whether the at least one application includes the at least one vulnerability includes: generating, based on the at least one rule, at least one dynamic application security testing (DAST) pattern; and scanning, using a DAST tool, the at least one application according to the at least one DAST pattern. One would be motivated to do so as vulnerabilities identified by dynamic application security testing (DAST) analysis for web-based applications tend to have attack surface information that includes vulnerability type, the relative URL of the vulnerability within the application, and, for certain classes of vulnerabilities, the injection point into the application (Cornell: ¶ 0009).

As per claim 13, the claim resembles claim 6 and is rejected under the same rationale.

As per claim 20, the claim resembles claim 6 and is rejected under the same rationale.

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to SM AZIZUR RAHMAN whose telephone number is (571)270-7360. The examiner can normally be reached on M-F (Telework). If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ali Shayanfar, can be reached on 571-270-1050. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/SM A RAHMAN/
Primary Examiner, Art Unit 2434

Prosecution Timeline

Sep 05, 2024: Application Filed
Mar 06, 2026: Non-Final Rejection, §101 and §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology (based on the 5 most recent grants):

Patent 12598088: SECURITY CO-ENGINEERING (granted Apr 07, 2026; 2y 5m to grant)
Patent 12592970: SYSTEMS AND METHODS FOR NON-EQUAL BOUNDARY SECURITY POLICY APPLICATION IN A NETWORK APPLIANCE (granted Mar 31, 2026; 2y 5m to grant)
Patent 12592920: GRANULAR AUTHORIZATION FLOW IN A DISTRIBUTED, MULTI-DOMAIN COMPUTING SYSTEM (granted Mar 31, 2026; 2y 5m to grant)
Patent 12591640: AI SYSTEM AND AI SYSTEM CONTROL METHOD UTILIZING STORAGE AND VECTOR DATABASE (granted Mar 31, 2026; 2y 5m to grant)
Patent 12587568: GENERATION OF SECURITY POLICIES FOR CONTAINER EXECUTION (granted Mar 24, 2026; 2y 5m to grant)

Prosecution Projections

Expected OA Rounds: 1-2
Grant Probability: 88%
With Interview: 99% (+18.6%)
Median Time to Grant: 2y 8m
PTA Risk: Low

Based on 509 resolved cases by this examiner. Grant probability is derived from the career allow rate.