Prosecution Insights
Last updated: July 17, 2026
Application No. 18/940,572

TECHNIQUES FOR CHRONOLOGICAL VULNERABILITY EVENT RECOGNITION

Final Rejection §103
Filed
Nov 07, 2024
Examiner
LEE, MICHAEL M
Art Unit
2436
Tech Center
2400 — Computer Networks
Assignee
Rapid7 Inc.
OA Round
2 (Final)
84%
Grant Probability
Favorable
3-4
OA Rounds
1y 0m
Est. Remaining
99%
With Interview

Examiner Intelligence

Grants 84% — above average
84%
Career Allowance Rate
226 granted / 270 resolved
+25.7% vs TC avg
Strong +42% interview lift
Without
With
+42.5%
Interview Lift
resolved cases with interview
Typical timeline
2y 9m
Avg Prosecution
25 currently pending
Career history
292
Total Applications
across all art units

Statute-Specific Performance

§101
3.1%
-36.9% vs TC avg
§103
86.7%
+46.7% vs TC avg
§102
0.7%
-39.3% vs TC avg
§112
9.3%
-30.7% vs TC avg
Black line = Tech Center average estimate • Based on career data from 270 resolved cases

Office Action

§103
DETAILED ACTION Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Status of Claims The amendment filed 4/30/2026 has been entered. Claims 1, 14, 16, 20 are currently amended. Claims 1-20 are pending in the application. Response to Amendment The objection to claims 1, 16 due to informalities has been withdrawn in light of applicant’s amendment to the claims. Response to Arguments Applicant’s arguments, see pages 9-10 of the Remarks filed 4/30/2026 with respect to claims rejected under 35 USC 103 over prior arts of record has been fully considered and asserted not persuasive. Examiner acknowledges that applicant amended independent claims 1, 14, 20 respectively by specifying underlined reciting “generating, for the first event, a first set of feature values describing the first event and the first event's relationship with the one or more historical events using both: (i) the first enriched vulnerability data; and (ii) enriched vulnerability data for at least some of the one or more historical events”. Applicant specifically argued about Wu’s teaching, that “In particular, Wu does not describe generating feature values that describe a vulnerability related event and that event's relationship with one or more historical events, as claimed. Therefore, Wu fails to describe at least the above-quoted language of amended claim 1. Thus, Jha and Wu, alone or in combination, fail to describe at least the above-quoted language of amended claim 1”. See page 10 of the Remarks. Examiner acknowledges applicant’s perspective however respectively disagrees. First, as summarized in Wu’s Abstract, Wu teaches identifying software vulnerability from vulnerability event based on snapshot images, “The system identifies whether the snapshot images include the software vulnerability. The system registers the software vulnerability in association with a snapshot image in the database responsive to the identification of the snapshot image of the virtual machine including the software vulnerability”, [Abstract]. Wu’s software vulnerability information includes vulnerability timestamps. Wu’s Archive Event includes event identifier, event timestamp etc. In this case, Wu’s teachings of database and archive suggests the claimed “historical events”. Second, the claim does not specify what “a first set of feature values” is, except the features values describing the first event and the first event's relationship with the one or more historical events using both: (i) the first enriched vulnerability data; and (ii) enriched vulnerability data for at least some of the one or more historical events. In Wu’s case, the set of feature values may be interpreted as vulnerability identifier as shown in Fig. 2F, virtual machine identifier as shown in Fig. 2G, or archive event identifier, all are associated with vulnerability identification of software vulnerability in association with a snapshot image in the database responsive to the identification of the snapshot image of the virtual machine including the software vulnerability. In view of above, examiner asserts Wu teaches the limitation “generating, for the first event, a first set of feature values describing the first event and the first event's relationship with the one or more historical events using both: (i) the first enriched vulnerability data; and (ii) enriched vulnerability data for at least some of the one or more historical events”. For the above reason, the claim rejections under 35 USC 103 in view of Jha and Wu is maintained. Applicant is encouraged to further include innovative features into the independent claims to advance the case. Examiner Notes Examiner cites particular paragraphs, columns and line numbers in the references as applied to the claims below for the convenience of the applicant. Although the specified citations are representative of the teachings in the art and are applied to the specific limitations within the individual claim, other passages and figures may apply as well. It is respectfully requested that, in preparing responses, the applicant fully consider the references in entirety as potentially teaching all or part of the claimed invention, as well as the context of the passage as taught by the prior art or disclosed by the examiner. Claim Rejections - 35 USC § 103 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows: 1. Determining the scope and contents of the prior art. 2. Ascertaining the differences between the prior art and the claims at issue. 3. Resolving the level of ordinary skill in the pertinent art. 4. Considering objective evidence present in the application indicating obviousness or nonobviousness. Claims 1-4, 6-9, 14-16, 20 are rejected under 35 U.S.C. 103 as being unpatentable over Jha et al (US20240020391A1, hereinafter, "Jha"), in view of Wu et al (US20210133328A1, hereinafter, “Wu”). Regarding claim 1, similarly claim 14, claim 20, Jha teaches: A method, a system, at least one non-transitory computer-readable storage medium, for identifying vulnerabilities in a computing environment using at least one computer hardware processor (Jha, discloses methods and systems for detecting runtime security vulnerabilities in the computing environments based on log data, see [Abstract], [0002]. Fig. 1A Processor 104, Memory 106, and Fig. 6 Computer-readable storage medium 604), the method comprising: obtaining first vulnerability data for a first event from one or more external data sources (e.g., [0022] to keep the users safe from the vulnerabilities, the software vendors may publish these vulnerabilities in logs. These vulnerabilities are generated at runtime through logs of the application. See Fig. 1A, Public Database 116 (i.e., external data sources). And [0023] The log management server may receive, during runtime, a plurality of logs associated with a plurality of applications or operating systems running in a computing environment (i.e., first event) via a log database. And [0045] FIG. 2 is a flow diagram illustrating an example computer-implemented method 200 for detecting vulnerabilities in compute nodes of a protected network. And Fig. 2 at 202, and [0046] At 202, a plurality of logs of a network activity associated with compute nodes of the protected network (i.e., first vulnerability data for a first event) may be received during runtime); associating the first event with a particular vulnerability in a vulnerability dictionary using at least some of the first vulnerability data, the particular vulnerability being associated with one or more historical events ([0023] the log management server may validate the vulnerability signature of the attack by correlating the vulnerability signature with available data on a public database. Upon validating the vulnerability signature, the log management server may retrieve vulnerability information associated with the vulnerability signature from the public database. And Fig. 2 at 206-208, and [0048] At 206, the vulnerability signature of the attack may be validated by correlating the vulnerability signature with available data on a first public database (i.e., vulnerability dictionary)); determining, using the first set of feature values, that a vulnerability mitigation action is to be triggered for the first event ([0053] At 210, the vulnerability information associated with the vulnerability signature may be presented on a graphical user interface...In an example, in response to receiving a request, the storage device may be queried to obtain the vulnerability information including a recommended action to mitigate a security vulnerability related to the attack on an application or an operating system); and triggering performance of the vulnerability mitigation action for the first event ([0057] recommending an action to be performed to mitigate a security vulnerability related to the attack, and [0058] classifying a severity of the attack based on a vulnerability score, and [0059] exploring an access exploitation and an impact of the security vulnerabilities). While Jha teaches detection of security vulnerabilities in computing environments at runtime, but does not specifically teach the following, in the same field of endeavor Wu teaches: enriching the first vulnerability data with first metadata comprising one or more time-based feature values to obtain first enriched vulnerability data (Wu, discloses systems and methods to identify software vulnerability in snapshot image of a message identifying a software vulnerability, see [Abstract] The system registers the software vulnerability in association with a snapshot image in the database responsive to the identification of the snapshot image of the virtual machine including the software vulnerability. And [0044] The virtual machine snapshot 212 (i.e., first metadata) may include …, snapshot software information 218, and a timestamp 220... The timestamp 220 includes a date and time the virtual machine snapshot 212 was chronicled. For example, the timestamp 220 may include the date and the time the virtual machine snapshot 212 was written to the list information 210. And [0047] FIG. 2F is a block diagram illustrating software vulnerability information 228, according to an embodiment …The software vulnerability information 228 may include a vulnerability identifier 240, a vulnerability description 242, severity information 244, criterion information 246, a vulnerability start timestamp 248 (e.g., start date), and a vulnerability end timestamp 250 (e.g., end date)); generating, for the first event, a first set of feature values describing the first event and the first event's relationship with the one or more historical events using both: (i) the first enriched vulnerability data; and (ii) enriched vulnerability data for at least some of the one or more historical events (Refer to Figs. 2, in particular, Fig. 2F and Fig. 2H. And [0047] The software vulnerability information 228 may include a vulnerability identifier 240, a vulnerability description 242, severity information 244, criterion information 246, a vulnerability start timestamp 248 (e.g., start date), and a vulnerability end timestamp 250 (e.g., end date). The vulnerability identifier 240 uniquely identifies the software vulnerability from the other software vulnerabilities. And [0049] FIG. 2H is a block diagram illustrating an archive event 261, according to an embodiment. The archive event 261 may be added to the archive information 128 responsive to retrieval of a snapshot image 118 from the database 107 and processing the snapshot image 118. The archive event 261 (i.e., the one or more historical events) may include an archive event identifier 262 that uniquely identifies the archive event 261, an archive event timestamp 264 chronicling the addition of the archive event 261 to the archive information 128, the snapshot image 118 that was processed,... The archive event timestamp 264 chronicles the archiving of the snapshot image 118 in the database 107. Examiner notes, Wu’s archive event is interpreted as one or more historical events, and software vulnerability identifier may be interpreted as first set of feature values); Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Wu in the log-based security vulnerabilities detection in computing environments of Jha by registering the software vulnerability in association with a snapshot image with timestamps in database. This would have been obvious because the person having ordinary skill in the art would have been motivated to search whether virtual machines within the snapshot images includes the software vulnerability for identifying software vulnerability (Wu, [Abstract], [0079]). Regarding claim 2, Jha-Wu combination teaches the method of claim 1, Jha further teaches: wherein the one or more external data sources comprises one or more of the following: (i) data obtained from one or more vulnerability databases; (ii) data obtained from one or more cybersecurity tools via one or more application programming interfaces (APIs); (iii) RSS feeds obtained from one or more websites; (iv) content shared on one or more social media platforms; and (v) third party content identified as being referenced in any of (i)-(iv) ([0034] During operation, discovery service 108 may receive, during runtime, a plurality of logs associated with a plurality of applications or operating systems running in the computing environment from log database 114 (i.e., one or more vulnerability databases). In an example, a log may be a file including information about events that have occurred within an application or an operating system of a compute node (e.g., compute node 118A). These events are logged out by the application or the operating system and written to the file. Further, such files may be stored in log database 114. And [0035] In an example, discovery service 108 may determine logs including the vulnerability signature by running a query including a regular expression on log database 114 and extract the vulnerability signature by parsing the determined logs using the regular expression). Regarding claim 3, similarly claim 15, Jha-Wu combination teaches the method of claim 1, the system of claim 14, The combination of Jha-Wu further teaches: further comprising: obtaining second vulnerability data for each of multiple events from the one or more external data sources (Jha, [0031] operating system may generate operating system logs for storing in log database 114. Thus, log database 114 may collect log data from compute nodes 118A-118N (i.e., second vulnerability data for each of multiple events) that log management server 102 (e.g., vRealize Log Insight) can ingest and analyze); and for each of the multiple events: associating the event with a particular vulnerability in the vulnerability dictionary using at least some of the corresponding second vulnerability data (Jha, the teachings of Jha as shown in claim 1 for the first vulnerability data will apply similarly for second vulnerability data); enriching the second vulnerability data with second metadata comprising one or more time-based feature values to obtain second enriched vulnerability data (Wu, the teachings of Wu as shown in claim 1 for enriching the first vulnerability data will apply similarly for enriching the second vulnerability data); and storing the second enriched vulnerability data in a database (Wu, [Abstract] The system identifies snapshot images taken of a production machine and stored in a database. And [0034] The backup machine 106 manages the snapshot images 118 of the production machine 104, identifies software vulnerabilities in a snapshot image 118 retrieved from the database 107). Same motivation as presented in claim 1, 14 would apply. Regarding claim 4, Jha-Wu combination teaches the method of claim 1, Wu further teaches: wherein the one or more time-based feature values comprises: (i) a timestamp indicating when the first vulnerability data was obtained; and/or (ii) a timestamp indicating when the first vulnerability data was first published ([0044] For example, the timestamp 220 (i.e., (i) a timestamp) may include the date and the time the virtual machine snapshot 212 was written to the list information 210). Same motivation as presented in claim 1 would apply. Regarding claim 6, similarly claim 16, Jha-Wu combination teaches the method of claim 1, the system of claim 14, Jha further teaches: wherein associating the first event with a particular vulnerability in a vulnerability dictionary using at least some of the first vulnerability data comprises: identifying a Common Vulnerabilities and Exposures (CVE) identifier corresponding to a vulnerability referenced in the first vulnerability data; and associating the first event with the particular vulnerability in the vulnerability dictionary based on the CVE identifier ([0036] Further, validation service 110 may validate the vulnerability signature of the attack by correlating the vulnerability signature with available data on public database 116. Example public database 116 may be a common vulnerabilities and exposures (CVE) database, which includes a list of publicly disclosed computer security flaws (i.e., known attack patterns). In such databases, each security flaw may be assigned a CVE identifier. Upon validating the vulnerability signature, validation service 110 may retrieve vulnerability information associated with the vulnerability signature from public database 116 or another public database. In an example, validation service 110 may retrieve the vulnerability information using the CVE identifier). Regarding claim 7, Jha-Wu combination teaches the method of claim 1, Wu further teaches: wherein the first set of feature values for the first event comprises one or more of the following: (i) a feature value indicating a distance in time between the first event and a previous event; (ii) a feature value indicating a distance in time between the first event and an epoch event; (iii) a feature value corresponding to a tag associated with the first event; (iv) a feature value corresponding to a tag associated with the previous event; (v) a feature value indicating an origin associated with the first event; (vi) a feature value indicating an origin associated with the previous event; and (vii) a bitmap of binary values indicating an occurrence of: a prior event, a prior condition, and/or a prior feature (e.g., [0078] Here, a technical problem arises. How far back in time should snapshot images 118 that are periodically stored (e.g., archive event 261) in a database (e.g., database 107) with a timestamp (e.g., archive event timestamp 264) be searched to identify the software vulnerability? And [0079] The technical solution to the technical problem is to establish a search window 602 that is based on configurable and meaningful values. The search window 602 may include a start time 604 and an end time 608). Same motivation as presented in claim 1 would apply. Regarding claim 8, Jha-Wu combination teaches the method of claim 1, Wu further teaches: wherein generating a first set of feature values for the first event comprises: generating the first set of feature values for the first event using (i) the first enriched vulnerability data associated with the first event, the first event being a current event; and (ii) enriched vulnerability data associated with a previous event ([0049] FIG. 2H is a block diagram illustrating an archive event 261, according to an embodiment. The archive event 261 may be added to the archive information 128 responsive to retrieval of a snapshot image 118 from the database 107 and processing the snapshot image 118. The archive event 261 (i.e., the previous event) may include an archive event identifier 262 that uniquely identifies the archive event 261, an archive event timestamp 264 chronicling the addition of the archive event 261 to the archive information 128, the snapshot image 118 that was processed,... The archive event timestamp 264 chronicles the archiving of the snapshot image 118 in the database 107. And [0079] For example, the end time 608 may be continuously updated by a clock that dynamically provides the current time 606. Accordingly, a search window 602 that is sliding is identified for identification of a set of snapshot images 118, each associated with a timestamp (e.g., e.g., archive event timestamp 264), for searching whether virtual machines 114 within the snapshot images 118 includes the software vulnerability). Same motivation as presented in claim 1 would apply. Regarding claim 9, Jha-Wu combination teaches the method of claim 1, Wu further teaches: wherein generating a first set of feature values for the first event comprises: generating the first set of feature values for the first event using (i) the first enriched vulnerability data associated with the first event, the first event being a current event; and (ii) enriched vulnerability data for multiple preceding events ([0038] The archive information 128 includes archive events (i.e., enriched vulnerability data for multiple preceding events). Each archive event includes a snapshot image 118 and chronicles software vulnerabilities identified for each virtual machine 114 in the snapshot image 118. Each archive event further chronicles whether a patch was applied (e.g., pushed) to a virtual machine 114. The snapshot information 124, vulnerability information 126, and the archive information 128 are stored in the database 107. And [0079] For example, the end time 608 may be continuously updated by a clock that dynamically provides the current time 606. Accordingly, a search window 602 that is sliding is identified for identification of a set of snapshot images 118, each associated with a timestamp (e.g., e.g., archive event timestamp 264), for searching whether virtual machines 114 within the snapshot images 118 includes the software vulnerability). Same motivation as presented in claim 1 would apply. Claim 5 is rejected under 35 U.S.C. 103 as being unpatentable over Jha-Wu as applied above to claim 1, further in view of Thompson et al (WO2024211703A2, hereinafter, “Thompson”). Regarding claim 5, Jha-Wu combination teaches the method of claim 1, The combination of Jha-Wu does not specifically teach, in the same field of endeavor Thompson teaches: wherein the first metadata comprises: (i) a timestamp indicating when the first vulnerability data was obtained (Thompson, discloses systems and methods for protecting data based on state of posture, see [Abstract]. e.g., [0533] the response system 130 can generate metadata from the realtime cybersecurity data based on characterizing the at least one cyber incident or claim based on the timing …, the severity …, or the type (e.g., specific categories of cyber threats such as phishing scams, which exploit human vulnerabilities, and malware attacks, which compromise system integrity)); (ii) a timestamp indicating when the first vulnerability data was first published (e.g., [0539] the analysis system 3908 might assess the interconnectedness of incidents through shared indicators of compromise or attack vectors, identifying a systemic risk or vulnerability. In yet another example, the analysis system 3908 may quantify the aggregate impact of these incidents on operational continuity and financial stability, identifying a threshold beyond which an event is considered catastrophic. In some arrangements, the response system can automatically initiate the creation of a comprehensive report (i.e., published) detailing the incidents, their impacts, and recommended responses); (iii) one or more metrics indicative of characteristics of the first vulnerability data (e.g., [0446] Additionally, the processing circuits can group the incident data to generate grouped incident data based on one or more metrics or threat vector of the new cybersecurity incident. For example, incidents can be grouped by attack type, such as ransomware or phishing, to identify patterns and common vulnerabilities); (iv) origin information regarding the first vulnerability data (e.g., [0446] Additionally, the processing circuits can group the incident data to generate grouped incident data based on one or more metrics or threat vector of the new cybersecurity incident. For example, incidents can be grouped by attack type, such as ransomware or phishing, to identify patterns and common vulnerabilities. And [0554] the preservation requirement of the attachment and pipeline 3906 can include all correspondence with the threat actor, regardless of the forum or method; indicators of compromise; relevant log entries; relevant forensic artifacts; network data; data and information that may help identify how a threat actor compromised or potentially compromised an information system; system information that may help identify exploited vulnerabilities); and (v) one or more tag values identifying one or more properties that the first vulnerability data has in common with other portions of data obtained from the one or more external data sources (e.g., [0554] In some arrangements, the preservation requirement of the attachment and pipeline 3906 can include all correspondence with the threat actor, regardless of the forum or method; indicators of compromise; relevant log entries; relevant forensic artifacts; network data; data and information that may help identify how a threat actor compromised or potentially compromised an information system; system information that may help identify exploited vulnerabilities; information about exfiltrated data; all data or records related to the disbursement or payment of any ransom payment; and any forensic or other reports concerning the incident, whether internal or prepared for the covered entity by a cybersecurity company or other third-party vendor). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Thompson in the log-based security vulnerabilities detection in computing environments of Jha-Wu by analyzing security posture of entity data that have vulnerability that result in security incidents. This would have been obvious because the person having ordinary skill in the art would have been motivated to generate cybersecurity protection plan corresponding to a new cybersecurity attribute to protect the entity (Thompson, [Abstract]). Claims 10, 17 are rejected under 35 U.S.C. 103 as being unpatentable over Jha-Wu as applied above to claim 1, 14 respectively, further in view of Liu et al (US20140359776A1, hereinafter, “Liu”). Regarding claim 10, similarly claim 17, Jha-Wu combination teaches the method of claim 1, the system of claim 14, wherein determining, using the first set of feature values, that a vulnerability mitigation action is to be triggered for the first event comprises: The combination of Jha-Wu does not specifically teach, in the same field of endeavor Liu teaches: processing the first set of feature values using one or more rules defining criteria for identifying events for which a vulnerability mitigation action is to be triggered (Liu, discloses system and method for automatically mitigating vulnerabilities in source code if vulnerability is determined mitigable, see [Abstract]. And [0052] For each of the tainted paths, the processor 110 may find the other intersecting tainted paths with the same target node as an intersection (Step S403)... For the same target node corresponds to different vulnerability rules or different tainted objects, the processor 110 may evaluate the priority order of the vulnerabilities for mitigation by the vulnerability rules (Step S409), which may define actual objects/variables on the target node and determine an optimal order to mitigate the vulnerability accordingly. Similar to Step S317, the processor 110 then may apply multiple instant-fix calls at the actual tainted objects/variables on the target node based on the corresponding vulnerability rule (Step S411)). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Liu in the log-based security vulnerabilities detection in computing environments of Jha-Wu by evaluating priority order of vulnerabilities for mitigation by the vulnerability rules. This would have been obvious because the person having ordinary skill in the art would have been motivated to automatically mitigate vulnerabilities in source code (Liu, [Abstract], [0052]). Claims 11, 18 are rejected under 35 U.S.C. 103 as being unpatentable over Jha-Wu as applied above to claim 1, 14 respectively, further in view of Roundy et al (US10242187B1, hereinafter, “Roundy”). Regarding claim 11, similarly claim 18, Jha-Wu combination teaches the method of claim 1, the system of claim 14, wherein determining, using the first set of feature values, that a vulnerability mitigation action is to be triggered for the first event comprises: The combination of Jha-Wu does not specifically teach, in the same field of endeavor Roundy teaches: comparing, using a locality hashing technique, the first set of feature values to a second set of feature values associated with the at least some of the one or more historical events (Roundy, discloses system and method for providing integrated security management in computing environment, [Abstract]. And [Col. 9 ll. 24-29] For example, the security management system may analyze security information generated by one or more security systems to monitor and/or audit the computing environment for threats and/or vulnerabilities by analyzing, in aggregate, information provided by multiple security systems. And [Col. 14 l. 51-Col. 15 l. 14] determination module 108 may determine that the first and second event signatures are equivalent by using a signature association statistic that includes inferences of event co-occurrences and/or event signature co-occurrences, even absent observed event signature co-occurrences… In some examples, systems described herein may store and/or process event signature association information using locality-sensitive hashing techniques). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Roundy in the log-based security vulnerabilities detection in computing environments of Jha-Wu by using locality sensitive hashing to compare event signatures to determine that the first and second event signatures are equivalent. This would have been obvious because the person having ordinary skill in the art would have been motivated to perform a security action to the related event signature directed to the computing environment (Roundy, [Abstract]). Claims 12-13, 19 are rejected under 35 U.S.C. 103 as being unpatentable over Jha-Wu as applied above to claim 1, 14 respectively, further in view of Stocks et al (US20230418949A1, hereinafter, “Stocks”). Regarding claim 12, similarly claim 19, Jha-Wu combination teaches the method of claim 1, the system of claim 14, wherein determining, using the first set of feature values, that a vulnerability mitigation action is to be triggered for the first event comprises: The combination of Jha-Wu does not specifically teach, in the same field of endeavor Stocks teaches: analyzing, using one or more machine learning models, the first set of feature values and a second set of feature values associated with the at least some of the one or more historical events (Stocks, discloses computing platform and method for performing vulnerability analysis and alert generation, see [Abstract] Current event or vulnerability data may be received. In some examples, one or more machine learning models may be executed to determine a confidence score associated with the software being analyzed. For instance, software attributes, author attributes, and current event data may be used as inputs in the machine learning model and a confidence score may be output. And [0018] current event data (e.g., issues in one or more global regions that may indicate risk, current software vulnerability data, and the like) may be received. The software attributes, author attributes and current event data may be used as inputs into one or more machine learning models that may output a confidence score associated with a likelihood of risk. And [0039] The one or more machine learning models may be trained using historical software data, vulnerability data and the like). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Stocks in the log-based security vulnerabilities detection in computing environments of Jha-Wu by analyzing software vulnerability using machine learning. This would have been obvious because the person having ordinary skill in the art would have been motivated to input software attributes, author attributes, and current event data to machine learning model to generate a confidence score and alerts for enterprise organization (Stocks, [Abstract]). Regarding claim 13, Jha-Wu combination teaches the method of claim 1, The combination of Jha-Wu does not specifically teach, in the same field of endeavor Stocks teaches: wherein the vulnerability mitigation action for the first event comprises at least one of: generating an alert, updating software, changing a network configuration of a resource, changing a configuration of one or more software applications executing on the resource, changing a configuration of an operating system executing on the resource, changing one or more permissions for the resource, deleting malware, removing corrupted files or data, taking a physical offline, killing an instance of a virtual resource, and blocking communications to and/or from the resource (Stocks, discloses computing platform and method for performing vulnerability analysis and alert generation, see [Abstract]. And [0028] The machine learning model executed by the software analysis computing platform 110 may output a risk score or confidence level that the software product is not potentially malicious. In some examples, this score or confidence level may be compared to one or more thresholds to identify an alert to generate and transmit to one or more computing devices, such as internal entity computing device 140). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Stocks in the log-based security vulnerabilities detection in computing environments of Jha-Wu by analyzing software vulnerability using machine learning. This would have been obvious because the person having ordinary skill in the art would have been motivated to input software attributes, author attributes, and current event data to machine learning model to generate a confidence score and alerts for enterprise organization (Stocks, [Abstract]). Citation of References The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The following references are cited but not been replied upon for this office action: Abadi et al (US10713364B2) discloses system and method for identifying vulnerabilities in code. Reguly et al (US20240193280A1) discloses method for implementing risk scoring systems used for vulnerability mitigation in a distributed computing environment. Conclusion THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL M LEE whose telephone number is (571)272-1975. The examiner can normally be reached on M-F: 8:30AM - 5:30PM. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, Applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on (571) 272-4219. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /MICHAEL M LEE/Primary Examiner, Art Unit 2436
Read full office action

Prosecution Timeline

Nov 07, 2024
Application Filed
Mar 05, 2026
Non-Final Rejection mailed — §103
Apr 30, 2026
Response Filed
Jun 24, 2026
Final Rejection mailed — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12676884
Spoofed UDP Packet Detection
2y 2m to grant Granted Jul 07, 2026
Patent 12671994
INTEGRITY PROTECTION FAILURE HANDLING METHOD AND APPARATUS, AND USER EQUIPMENT
3y 7m to grant Granted Jun 30, 2026
Patent 12665914
VEHICLE SECURITY ANALYSIS APPARATUS, AND METHOD AND PROGRAM STORAGE MEDIUM
2y 4m to grant Granted Jun 23, 2026
Patent 12659728
DATA TRANSMISSION SYSTEM WITH HIGH TRANSMISSION SECURITY
3y 9m to grant Granted Jun 16, 2026
Patent 12659347
TECHNIQUES FOR PROTECTING WEB-BROWSERS AGAINST CROSS-SITE SCRIPTING EXPLOITATION ATTACKS
3y 5m to grant Granted Jun 16, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

3-4
Expected OA Rounds
84%
Grant Probability
99%
With Interview (+42.5%)
2y 9m (~1y 0m remaining)
Median Time to Grant
Moderate
PTA Risk
Based on 270 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month