Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
FINAL ACTION
This action is in response to the amendment filed on 11/17/2020. Claims 1, 3, 5 and 6 are amended. Claims 17-28 are new. Claims 1, 3, 5, 6 and 17-28 are pending.
Response to Arguments
Claim Rejections -  Double Patenting
The examiner withdraws the rejection made under Double Patenting in view of applicant’s claim amendments. 
Claim Rejections - 35 USC § 101
The examiner withdraws the rejection made under 35 USC § 101 in view of applicant’s claim amendments. 
Claim Rejections - 35 USC § 103
Applicant’s arguments have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.



Claim Objections
The claims are objected to because of the following informalities: Applicant has cancelled a number of previously presented claims; however, the new claim numbering is not correct (e.g., claim 5 is now independent claim 9). The examiner notes that while only one instance of improper claim numbering has been listed, there are a number of claim numbering issues present. Therefore the examiner advises the applicant to review the claim numbering submitted on 11/17/2020 and make the appropriate corrections.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 3, 5 and 6 are rejected under 35 U.S.C. 103 as being unpatentable over Serra et al. (US Patent No. 6,226,787 and Serra hereinafter) in view of Noel et al. (US Patent Publication No. 2017/089187 and Noel hereinafter).

As to claims 1 and 5, Serra teaches a computer-implemented method for detecting security vulnerabilities, comprising the steps of: 
receiving, into a memory of a computer, source code of at least one computer program to be analyzed (i.e., …teaches in column 5 lines 55-65 the following: “A scanner converts source code of the program 14 into symbols that can be arranged in a hierarchy that reflects the logic of the program. The checker then determines whether errors exist.”.);

instrumenting one or more of the at least one computer program (i.e., …teaches in column 4 lines 35-45 the following: “a visualization system 10 includes a first group of functionally related components 12 for enabling static visualization of the operations of a program 14 and includes a second group of functionally related components 16 for enabling dynamic visualization.”.); 
executing the instrumented one or more of the at least one computer program (i.e., …teaches in column 4 lines 35-45 the following: “a visualization system 10 includes a first group of functionally related components 12 for enabling static visualization of the operations of a program 14 and includes a second group of functionally related components 16 for enabling dynamic visualization.”.); 
collecting runtime events during an execution of binary code of the instrumented one or more of the at least one computer program (i.e., …teaches in column 9 lines 35-45 the following: “enables a tracking mode for recording the sequences of events that are executed during the run-time of the computer program 14. A user can trigger the tracking mode by designating the "Trail" region 146 in FIG. 8. The event recorder supports playback, rewind and fast-forward direct access to any recorded event and supports partial execution between two events. The event recorder shows a textual representation of the events as well as a two-dimensional graph which is identical to the graph of FIG. 8.”.); 
preparing a second data flow graph from the collected runtime events (i.e., …teaches in column 9, lines 35-45 the following: “The event recorder shows a textual representation of the events as well as a two-dimensional graph which is identical to the graph of FIG. 8.”.).

Serra does not expressly teach:

applying one or more of the received queries to the first data flow graph and one or more of the received queries to the second data flow graph;
and presenting results of the applying of the received queries on a display in a manner reporting a security vulnerability in one or more of the at least one computer program.
In this instance the examiner notes the teachings of prior art reference Noel. 
With regard to applicant’s claim limitation of “receiving queries in a query language”, Noel teaches in paragraph 0036 the following: “the graph model 200 can be ready to be queried by a user of the graph model.”.
With regard to applicant’s claim limitation element of “applying one or more of the received queries to the first data flow graph and one or more of the received queries to the second data flow graph”, Noel teaches in his Abstract the following: “The graph database model can also be queried by a user using a domain-specific query language”. The examiner notes that the database has multiple graphs to query.
With regard to applicant’s claim limitation element of “and presenting results of the applying of the received queries on a display in a manner reporting a security vulnerability in one or more of the at least one computer program”, Noel teaches in paragraph 0040 the following: “To understand the context for this alert, the analyst can submit a query in the domain-specific language that in plain terms asks for the alert, shows the source (attacking) machine, and shows whether this alert is a detection of exploitation against a vulnerability on a machine in the network.”.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Serra with the teachings of Noel by including the feature of model correlation. Utilizing model correlation as taught by Noel above allows a system to provide comprehensive analysis and therefore provides the motivation in this instance to combine the 

2-6. (Cancelled)

As to claims 3 and 6, Serra teaches a method according to claim 1, wherein instrumenting one or more of the at least one computer program comprises instrumenting the at points of input and output of the computer program (i.e., …teaches in column 5 lines 20-25 the following: “providing inputs to the program”. …further teaches column 4 lines 60-67 the following: “The output of the checker”.).

4. (Cancelled)

10-14. (Cancelled)

7. (Cancelled)

As to claims 18 and 24, the system of Serra teaches modeling; however, Serra does not expressly teach a system according to claim 9, wherein instrumenting the one or more of the at least one computer program comprises defining the instrumentation of the one or more of the at least one computer program responsive to a received query, which is applied to the second data flow graph after executing the instrumented one or more of the at least one computer program.
In this instance the examiner notes the teachings of prior art reference Noel. 

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Serra with the teachings of Noel by including the feature of model correlation. Utilizing model correlation as taught by Noel above allows a system to provide comprehensive analysis and therefore provides the motivation in this instance to combine the references. The examiner contends that by combining the references, Serra's system will obtain the capability to provide enhanced vulnerability detection. 

As to claims 19 and 25, the system of Serra teaches modeling; however, Serra does not expressly teach a system according to claim 9, wherein preparing the second data flow graph comprises preparing the second data flow graph in a form very similar to the form of the first data flow graph using the static testing tool, such that queries prepared for the form of the first data flow graph can run on the second data flow graph without modification.
In this instance the examiner notes the teachings of prior art reference Noel. 
Noel teaches in his Abstract the following: “The graph database model can also be queried by a user using a domain-specific query language”. The examiner notes that the database has multiple graphs, having the same structures, which can be queried.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Serra with the teachings of Noel by including the feature of model correlation. Utilizing model correlation as taught by Noel above allows a system to provide comprehensive analysis and therefore provides the motivation in this instance to combine the 

As to claims 20 and 26, Serra teaches a system according to claim 9, wherein collecting runtime events comprises generating an event each time an instrumented Application Programming Interface (API) is called in running the program and collecting for each event an indication of the API called and parameter values with which the API was called (i.e., …teaches in column 9 lines 35-45 the following: “enables a tracking mode for recording the sequences of events that are executed during the run-time of the computer program 14. A user can trigger the tracking mode by designating the "Trail" region 146 in FIG. 8. The event recorder supports playback, rewind and fast-forward direct access to any recorded event and supports partial execution between two events. The event recorder shows a textual representation of the events as well as a two-dimensional graph which is identical to the graph of FIG. 8.”.).

As to claims 21 and 27, Serra teaches a system according to claim 9, wherein preparing the second data flow graph comprises forming a graph in which nodes contain source commands and a directed edge is placed between two nodes if a data flow occurred between the two corresponding commands of the nodes (i.e., …illustrates in figure 4, diagram of connected/linked calls/commands and corresponding nodes.).

As to claims 22 and 28, the system of Serra teaches modeling; however, Serra does not expressly teach a system according to claim 9, wherein applying the received queries comprises applying a specific query to both the first and second data flow graphs.
In this instance the examiner notes the teachings of prior art reference Noel. 

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Serra with the teachings of Noel by including the feature of model correlation. Utilizing model correlation as taught by Noel above allows a system to provide comprehensive analysis and therefore provides the motivation in this instance to combine the references. The examiner contends that by combining the references, Serra's system will obtain the capability to provide enhanced vulnerability detection. 

Claims 17 and 23 are rejected under 35 U.S.C. 103 as being unpatentable over Serra in view of Noel as applied to claims 1 and 5 above and further in view of Mickens (US Patent Publication No. 2014/0181819).

As to claims 17 and 23, the system of Serra and Noel discloses model/graph generation; however, neither reference expressly teaches a method according to claim 1, wherein preparing the second data flow graph comprises organizing the collected runtime events in a hierarchical Document Object Model (DOM) and producing the second data flow graph based on the DOM.
In this instance the examiner notes the teachings of prior art reference Mickens. 
Mickens teaches in paragraph 0027 the following: “predefined runtimes may include services that many programs may use frequently. For example, these services may include methods for accessing the current date, or sending information to a remote computer. Such predefined execution environments represent respective graphs. For example each node in the graph may include a predefined object or method, and each edge in the graph may include a reference that links two 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Serra and Noel with the teachings of Mickens by including the feature of Document Object Models. Utilizing Document Object Models as taught by Mickens above allows a system to provide comprehensive execution analysis and therefore provides the motivation in this instance to combine the references. The examiner contends that by combining the references, the system of Serra and Noel will obtain the capability to provide enhanced modeling.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Contact Information

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni Shiferaw, can be reached on (571)272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/BRYAN F WRIGHT/Examiner, Art Unit 2497