DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
1. This is in response to the communications filed on 24 April 2025.
2. Claims 1-4, 6-10, 12-18 and 20 are pending in the application.
3. Claims 1-4, 6-10, 12-18 and 20 have been rejected.
4. Claims 5, 11 and 19 have been cancelled in a preliminary amendment.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The filing of a terminal disclaimer by itself is not a complete reply to a nonstatutory double patenting (NSDP) rejection. A complete reply requires that the terminal disclaimer be accompanied by a reply requesting reconsideration of the prior Office action. Even where the NSDP rejection is provisional the reply must be complete. See MPEP § 804, subsection I.B.1. For a reply to a non-final Office action, see 37 CFR 1.111(a). For a reply to final Office action, see 37 CFR 1.113(c). A request for reconsideration while not provided for in 37 CFR 1.113(c) may be filed after final for consideration. See MPEP §§ 706.07(e) and 714.13.
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The actual filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/apply/applying-online/eterminal-disclaimer.
5. Claims 1-4, 6-10, 12-18 and 20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-17 of U.S. Patent No. 12,284,201 B2 (hereinafter the ‘201 patent). Although the claims at issue are not identical, they are not patentably distinct from each other because the claims of the instant application are anticipated by the earlier filed claims of the ‘201 patent in that the claims of the ‘201 patent contain all of the limitations of the instant application. Claims 1-4, 6-10, 12-18 and 20 of the instant application therefore are not patentably distinct from the earlier filed claims of the ‘201 patent, and as such, are unpatentable for obviousness-type double patenting.
As to claim 1, the ‘201 patent discloses a method, comprising:
receiving, by a product/version risk assessment computer program executed by an electronic device and from a user computer program executed by a user electronic device, an identification of a plurality of proposed components to include in the computer program under development [column 11, lines 7-12];
retrieving, by the product/version risk assessment computer program, vulnerability information for each of the plurality of proposed components, wherein the vulnerability information identifies a security vulnerability for the proposed component [column 11, lines 13-17];
generating, by a product/version risk scoring computer program, a risk score for the computer program under development based on the vulnerability information [column 11, lines 18-20]; and
returning, by the product/version risk assessment computer program, the risk score to the user computer program [column 11, lines 30-32].
As to claim 2, the ‘201 patent discloses the method of claim 1, wherein the plurality of proposed components comprise hardware components and/or software components [column 11, lines 33-35].
As to claim 3, the ‘201 patent discloses the method of claim 1, wherein the vulnerability information is retrieved from an external threat and vulnerability tool/database [column 11, lines 36-38].
As to claim 4, the ‘201 patent discloses the method of claim 3, wherein the vulnerability information is further retrieved from an internal threat and vulnerability tool/database [column 11, lines 39-41].
As to claim 6, the ‘201 patent discloses the method of claim 1, wherein the risk score comprises a dynamic qualitative severity rating [column 11, lines 42-43].
As to claim 7, the ‘201 patent discloses the method of claim 1, further comprising:
identifying, by the product/version risk assessment computer program, an alternate component for one of the plurality of proposed components in response to the proposed component having certain cyber-tech risk related information [column 11, lines 44-49].
As to claim 8, the ‘201 patent discloses the method of claim 7, wherein the alternate component is identified using a trained machine learning engine [column 11, lines 50-51].
As to claim 9, the ‘201 patent discloses a system, comprising:
a user electronic device executing a user computer program [column 11, lines 53-54];
an electronic device executing a product/version risk assessment computer program and a product/version risk scoring computer program [column 11, lines 55-57];
an internal threat and vulnerability tool/database [column 11, line 58]; and
an external threat and vulnerability tool/database [column 11, line 59];
wherein:
the user computer program receives an identification of a plurality of proposed components to include in a computer program under development [column 11, lines 61-63];
the product/version risk assessment computer program receives the identification of a plurality of proposed components and retrieves vulnerability information for each of the plurality of proposed components from the internal threat and vulnerability tool/database and the external threat and vulnerability tool/database [column 11 line 64 to column 12 line 3];
the product/version risk scoring computer program generates a risk score for the computer program under development based on the vulnerability information [column 12, lines 4-7]; and
the product/version risk assessment computer program returns the risk score to the user computer program [column 12, lines 16-17].
As to claim 10, the ‘201 patent discloses the system of claim 9, wherein the plurality of proposed components comprise hardware components and/or software components [column 12, lines 18-20].
As to claim 12, the ‘201 patent discloses the system of claim 9, wherein the risk score comprises a dynamic qualitative severity rating [column 12, lines 21-22].
As to claim 13, the ‘201 patent discloses the system of claim 9, wherein the product/version risk assessment computer program identifies an alternate component for one of the plurality of proposed components in response to the proposed component having certain cyber-tech risk related information [column 12, lines 23-27].
As to claim 14, the ‘201 patent discloses the system of claim 13, further comprising a trained machine learning engine, wherein the product/version risk assessment computer program identifies the alternate component using the trained machine learning engine [column 12, lines 28-31].
As to claim 15, the ‘201 patent discloses a non-transitory computer readable storage medium, including instructions stored thereon, which when read and executed by one or more computer processors, cause the one or more computer processors to perform steps comprising:
receiving, from a user computer program executed by a use electronic device, an identification of a plurality of proposed components to include in a computer program under development [column 12, lines 36-39];
retrieving vulnerability information for each of the plurality of proposed components, wherein the vulnerability information identifies a security vulnerability for the proposed component [column 12, lines 40-43];
generating a risk score for the computer program under development based on the vulnerability information [column 12, lines 44-45]; and
returning the risk score to the user computer program [column 12, line 55].
As to claim 16, the ‘201 patent discloses the non-transitory computer readable storage medium of claim 15, wherein the plurality of proposed components comprise hardware components and/or software components [column 12, lines 56-59].
As to claim 17, the ‘201 patent discloses the non-transitory computer readable storage medium of claim 15, wherein the vulnerability information is retrieved from an external threat and vulnerability tool/database [column 12, lines 60-63].
As to claim 18, the ‘201 patent discloses the non-transitory computer readable storage medium of claim 17, wherein the vulnerability information is further retrieved from an internal threat and vulnerability tool/database [column 12, lines 64-67].
As to claim 20, the ‘201 patent discloses the non-transitory computer readable storage medium of claim 15, further including instructions stored thereon, which when read and executed by one or more computer processors, cause the one or more computer processors to perform identify an alternate component for one of the plurality of proposed components in response to the proposed component having certain cyber-tech risk related information using a trained machine learning engine [column 13, lines 6-8].
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
6. Claim(s) 1, 2, 15 and 16 is/are rejected under 35 U.S.C. 103 as being unpatentable over Jackson et al US 2017/0147338 A1 (hereinafter Jackson) in view of Kao et al US 2019/0205542 A1 (hereinafter Kao).
As to claim 1, Jackson discloses a method, comprising:
receiving, by a product/version risk assessment computer program executed by an electronic device and from a user computer program executed by a user electronic device, an identification of a plurality of proposed components (i.e. requested component) [0059] to include in the computer program under development (i.e. development environment and repository of risk data such as security vulnerabilities of the components) [0059-0060];
retrieving, by the product/version risk assessment computer program, vulnerability information for each of the plurality of proposed components, wherein the vulnerability information identifies a security vulnerability for the proposed component (i.e. risk data can include risks such as security vulnerabilities, software licensing details and/or other details from the metadata that might be associated with the component) [0070].
Jackson does not teach generating, by a product/version risk scoring computer program, a risk score for the computer program under development based on the vulnerability information. Jackson does not teach returning, by the product/version risk assessment computer program, the risk score to the user computer program.
Kao teaches generating, by a product/version risk scoring computer program, a risk score for the computer program under development based on the vulnerability information (i.e. a security risk score for a software application under development would have been generated based upon identified security vulnerabilities) [0051]. Kao teaches returning, by the product/version risk assessment computer program, the risk score to the user computer program [0051].
Therefore, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to have modified Jackson so that a product/version risk scoring computer program would have generated a risk score for the computer program under development based on the vulnerability information. The product/version risk assessment computer program would have returned the risk score to the user computer program.
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to have modified Jackson by the teaching of Kao because it provides for automated secure software development management, risk assessment and risk remediation [0009].
As to claim 2, Jackson teaches the method of claim 1, wherein the plurality of proposed components comprise hardware components and/or software components (i.e. software components) [0071].
As to claim 15, Jackson discloses a non-transitory computer readable storage medium, including instructions stored thereon, which when read and executed by one or more computer processors, cause the one or more computer processors to perform steps comprising:
receiving, from a user computer program executed by a use electronic device, an identification of a plurality of proposed components (i.e. requested component) [0059] to include in a computer program under development (i.e. development environment and repository of risk data such as security vulnerabilities of the components) [0059-0060];
retrieving vulnerability information for each of the plurality of proposed components, wherein the vulnerability information identifies a security vulnerability for the proposed component (i.e. risk data can include risks such as security vulnerabilities, software licensing details and/or other details from the metadata that might be associated with the component) [0070].
Jackson does not teach generating a risk score for the computer program under development based on the vulnerability information. Jackson does not teach returning the risk score to the user computer program.
Kao teaches generating a risk score for the computer program under development based on the vulnerability information (i.e. a security risk score for a software application under development would have been generated based upon identified security vulnerabilities) [0051]. Kao teaches returning the risk score to the user computer program [0051].
Therefore, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to have modified Jackson so that a risk score for the computer program under development would have been based on the vulnerability information. The risk score would have been returned to the user computer program.
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to have modified Jackson by the teaching of Kao because it provides for automated secure software development management, risk assessment and risk remediation [0009].
As to claim 16, Jackson teaches the non-transitory computer readable storage medium of claim 15, wherein the plurality of proposed components comprise hardware components and/or software components (i.e. software components) [0071].
7. Claim(s) 3 and 17 is/are rejected under 35 U.S.C. 103 as being unpatentable over Jackson et al US 2017/0147338 A1 (hereinafter Jackson) and Kao et al US 2019/0205542 A1 (hereinafter Kao) as applied to claims 1 and 15 above, and further in view of Kumar US 2020/0218993 A1.
As to claim 3, the Jackson-Kao combination does not teach the method of claim 1, wherein the vulnerability information is retrieved from an external threat and vulnerability tool/database.
Kumar teaches that the vulnerability information is retrieved from an external threat and vulnerability tool/database (i.e. external threat and vulnerability databases) [0019].
Therefore, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to have modified the Jackson-Kao combination so that the vulnerability information would have been retrieved from an external threat and vulnerability tool/database.
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to have modified the Jackson-Kao combination by the teaching of Kumar because it helps manage knowledge about the system [0004].
As to claim 17, the Jackson-Kao combination does not teach the non-transitory computer readable storage medium of claim 15, wherein the vulnerability information is retrieved from an external threat and vulnerability tool/database.
Kumar teaches that the vulnerability information is retrieved from an external threat and vulnerability tool/database (i.e. external threat and vulnerability databases) [0019].
Therefore, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to have modified the Jackson-Kao combination so that the vulnerability information would have been retrieved from an external threat and vulnerability tool/database.
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to have modified the Jackson-Kao combination by the teaching of Kumar because it helps manage knowledge about the system [0004].
8. Claim(s) 4 and 18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Jackson et al US 2017/0147338 A1 (hereinafter Jackson), Kao et al US 2019/0205542 A1 (hereinafter Kao) and Kumar US 2020/0218993 A1 as applied to claims 3 and 17 above, and further in view of Mordvinova et al US 2013/0325545 A1 (hereinafter Mordvinova).
As to claim 4, the Jackson-Kao-Kumar combination does not teach the method of claim 3, wherein the vulnerability information is further retrieved from an internal threat and vulnerability tool/database.
Mordvinova teaches that the vulnerability information is further retrieved from an internal threat and vulnerability tool/database (i.e. vulnerability and threat selected from internal database) [0081].
Therefore, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to have modified the Jackson-Kao-Kumar combination so that the vulnerability information would have further retrieved from an internal threat and vulnerability tool/database.
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to have modified the Jackson-Kao-Kumar combination by the teaching of Mordvinova because it helps mitigate an information technology risk [0002].
As to claim 18, the Jackson-Kao-Kumar combination does not teach the non-transitory computer readable storage medium of claim 17, wherein the vulnerability information is further retrieved from an internal threat and vulnerability tool/database.
Mordvinova teaches that the vulnerability information is further retrieved from an internal threat and vulnerability tool/database (i.e. vulnerability and threat selected from internal database) [0081].
Therefore, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to have modified the Jackson-Kao-Kumar combination so that the vulnerability information would have further retrieved from an internal threat and vulnerability tool/database.
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to have modified the Jackson-Kao-Kumar combination by the teaching of Mordvinova because it helps mitigate an information technology risk [0002].
9. Claim(s) 6 is/are rejected under 35 U.S.C. 103 as being unpatentable over Jackson et al US 2017/0147338 A1 (hereinafter Jackson) and Kao et al US 2019/0205542 A1 (hereinafter Kao) as applied to claim 1 above, and further in view of Navarro US 2019/0230098 A1.
As to claim 6, the Jackson-Kao combination does not teach the method of claim 1, wherein the risk score comprises a dynamic qualitative severity rating.
Navarro teaches the risk score comprises a dynamic qualitative severity rating (i.e. dynamically adjust the threat-severity score of a malicious threat) [0024].
Therefore, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to have modified the Jackson-Kao combination so that the risk score would have comprised a dynamic qualitative severity rating.
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to have modified the Jackson-Kao combination by the teaching of Navarro because it helps prevent and mitigate an impact of malicious activity on computing devices and underlying network [0001].
10. Claim(s) 7, 8 and 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Jackson et al US 2017/0147338 A1 (hereinafter Jackson) and Kao et al US 2019/0205542 A1 (hereinafter Kao) as applied to claims 1 and 15 above, and further in view of Sejpal et al US 2017/0243009 A1 (hereinafter Sejpal).
As to claim 7, the Jackson-Kao combination does not teach identifying, by the product/version risk assessment computer program, an alternate component for one of the plurality of proposed components in response to the proposed component having certain cyber-tech risk related information.
Sejpal teaches identifying, by the product/version risk assessment computer program, an alternate component for one of the plurality of proposed components in response to the proposed component having certain cyber-tech risk related information (i.e. identify a code segment to replace a code segment of a mobile application that is associated with a vulnerability) [0063].
Therefore, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to have modified the Jackson-Kao combination so that the product/version risk assessment computer program would have identified an alternate component for one of the plurality of proposed components in response to the proposed component having certain cyber-tech risk related information.
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to have modified the Jackson-Kao combination by the teaching of Sejpal because it helps prevent the installation of an unverified mobile application [0002].
As to claim 8, Sejpal teaches the method of claim 7, wherein the alternate component is identified using a trained machine learning engine [0057].
As to claim 20, the Jackson-Kao combination does not teach the non-transitory computer readable storage medium of claim 15, further including instructions stored thereon, which when read and executed by one or more computer processors, cause the one or more computer processors to perform identify an alternate component for one of the plurality of proposed components in response to the proposed component having certain cyber-tech risk related information using a trained machine learning engine.
Sejpal teaches identifying an alternate component for one of the plurality of proposed components in response to the proposed component having certain cyber-tech risk related information (i.e. identify a code segment to replace a code segment of a mobile application that is associated with a vulnerability) [0063] using a trained machine learning engine (i.e. machine learning) [0057].
Therefore, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to have modified the Jackson-Kao combination so that an alternate component for one of the plurality of proposed components would have been identified in response to the proposed component having certain cyber-tech risk related information using a trained machine learning engine.
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to have modified the Jackson-Kao combination by the teaching of Sejpal because it helps prevent the installation of an unverified mobile application [0002].
11. Claim(s) 9 and 10 is/are rejected under 35 U.S.C. 103 as being unpatentable over Jackson et al US 2017/0147338 A1 (hereinafter Jackson) in view of Kao et al US 2019/0205542 A1 (hereinafter Kao) and Shakarian et al US 2021/0288991 A1 (hereinafter Shakarian).
As to claim 9, Jackson discloses a system, comprising:
a user electronic device executing a user computer program (i.e. development environment) [0059];
an electronic device executing a product/version risk assessment computer program and a product/version risk scoring computer program (i.e. vulnerability rating) [0039];
wherein:
the user computer program receives an identification (i.e. requested component) [0059] of a plurality of proposed components to include in a computer program (i.e. requested component) [0059] under development (i.e. development environment and repository of risk data such as security vulnerabilities of the components) [0059-0060];
the product/version risk assessment computer program receives the identification of a plurality of proposed components and retrieves vulnerability information for each of the plurality of proposed components from the internal threat and vulnerability tool/database and the external threat and vulnerability tool/database (i.e. risk data can include risks such as security vulnerabilities, software licensing details and/or other details from the metadata that might be associated with the component) [0070].
Jackson does not teach an internal threat and vulnerability tool/database. Jackson does not teach an external threat and vulnerability tool/database.
Shakarian teaches an internal threat and vulnerability tool/database (i.e. identifying high priority vulnerabilities by combining external threat intelligence and internal enterprise IT information) [0059]. Shakarian teaches an external threat and vulnerability tool/database [0059].
Therefore, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to have modified Jackson so that there would have been an internal threat and vulnerability tool/database. There would have been an external threat and vulnerability tool/database.
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to have modified Jackson by the teaching of Shakarian because it overcomes issues by tools that detect attacks after they have approached the computing system [0003].
The Jackson-Shakarian combination does not teach the product/version risk scoring computer program generates a risk score for the computer program under development based on the vulnerability information. The Jackson-Shakarian combination does not teach the product/version risk assessment computer program returns the risk score to the user computer program.
Kao teaches that the product/version risk scoring computer program generates a risk score for the computer program under development based on the vulnerability information (i.e. a security risk score for a software application under development would have been generated based upon identified security vulnerabilities) [0051]. Kao teaches that the product/version risk assessment computer program returns the risk score to the user computer program [0051].
Therefore, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to have modified the Jackson-Shakarian combination so that the product/version risk scoring computer program would have generated a risk score for the computer program under development based on the vulnerability information. The product/version risk assessment computer program would have returned the risk score to the user computer program.
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to have modified the Jackson-Shakarian combination by the teaching of Kao because it provides for automated secure software development management, risk assessment and risk remediation [0009].
As to claim 10, Jackson teaches the system of claim 9, wherein the plurality of proposed components comprise hardware components and/or software components (i.e. software components) [0071].
12. Claim(s) 12 is/are rejected under 35 U.S.C. 103 as being unpatentable over Jackson et al US 2017/0147338 A1 (hereinafter Jackson), Shakarian et al US 2021/0288991 A1 (hereinafter Shakarian) and Kao et al US 2019/0205542 A1 (hereinafter Kao) as applied to claim 9 above, and further in view of Navarro US 2019/0230098 A1.
As to claim 12, the Jackson-Shakarian-Kao combination does not teach the system of claim 9, wherein the risk score comprises a dynamic qualitative severity rating.
Navarro teaches that the risk score comprises a dynamic qualitative severity rating (i.e. dynamically adjust the threat-severity score of a malicious threat) [0024].
Therefore, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to have modified the Jackson-Shakarian-Kao combination so that the risk score would have comprised a dynamic qualitative severity rating.
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to have modified the Jackson-Shakarian-Kao combination by the teaching of Navarro because it helps prevent and mitigate an impact of malicious activity on computing devices and underlying network [0001].
13. Claim(s) 13 and 14 is/are rejected under 35 U.S.C. 103 as being unpatentable over Jackson et al US 2017/0147338 A1 (hereinafter Jackson), Shakarian et al US 2021/0288991 A1 (hereinafter Shakarian) and Kao et al US 2019/0205542 A1 (hereinafter Kao) as applied to claim 9 above, and further in view of Sejpal et al US 2017/0243009 A1 (hereinafter Sejpal).
As to claim 13, the Jackson-Shakarian-Kao combination does not teach the system of claim 9, wherein the product/version risk assessment computer program identifies an alternate component for one of the plurality of proposed components in response to the proposed component having certain cyber-tech risk related information.
Sejpal teaches that the product/version risk assessment computer program identifies an alternate component for one of the plurality of proposed components in response to the proposed component having certain cyber-tech risk related information (i.e. identify a code segment to replace a code segment of a mobile application that is associated with a vulnerability) [0063].
Therefore, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to have modified the Jackson-Shakarian-Kao combination so that the product/version risk assessment computer program would have identified an alternate component for one of the plurality of proposed components in response to the proposed component having certain cyber-tech risk related information.
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to have modified the Jackson-Shakarian-Kao combination by the teaching of Sejpal because it helps prevent the installation of an unverified mobile application [0002].
As to claim 14, Sejpal teaches the system of claim 13, further comprising a trained machine learning engine, wherein the product/version risk assessment computer program identifies the alternate component using the trained machine learning engine [0057].
Relevant Prior Art
14. The following references have been considered relevant by the examiner:
A. Shivanna et al US 2022/0129561 A1 directed to accessing an input representing a software component list for a software product [abstract].
B. Tripp et al US 2016/0182553 A1 directed to user-guided machine learning (ML) that significantly reduces false alarms generated by an automated analysis tool performing static security analysis [abstract].
C. Teilhet et al US 2016/0315960 A1 directed to identifying and remediating application vulnerabilities using static analysis [0002].
Conclusion
15. Any inquiry concerning this communication or earlier communications from the examiner should be directed to ARAVIND K MOORTHY whose telephone number is (571)272-3793. The examiner can normally be reached M-F 4:30-3:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Catherine Thiaw can be reached at 571-270-1138. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/ARAVIND K MOORTHY/ Primary Examiner, Art Unit 2407