Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .



DETAILED ACTION

Continuation
	A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on February 08, 2021 been entered.

Response to Arguments
	 
Applicant’s arguments filed February 08, 2021 have been fully considered. A new ground(s) of rejection is presented because of Applicant’s amendment. 

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the 
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 1 – 3, 7, 11, 13, 14, 17, 20 and 21 are rejected under 35 U.S.C. 103 as being unpatentable over Gerrick (US Pub. No. 2019/0166149 A1) in view of Bunker (US Pub. No. 2010/0242114 A1) in view of Kortright (US Pub. No. 2004/0128370 A1).


Per claim 1, Gerrick suggests a system for suppressing remediation of vulnerabilities of network components based on acceptable vulnerabilities, the system comprising: one or more memories having computer readable code stored thereon (reads on non-transitory computer-readable medium with computer-executable instructions stored thereon, see Gerrick para 0004 – 0006);  and one or more processors operatively coupled to the one or more memories (see Gerrick Figure 2 and para 0024), wherein the one or more processors are configured to execute the computer readable code to (reads on instructions are executed by the processor, see Gerrick para 0004 – 0006): monitor (reads on detecting risks to the environment by evaluating individual assets against a catalog of 
The prior art of record is silent on explicitly stating continue monitoring the at least one of the network components and the organization policy.

[0017] Vulnerability scanners detect risks to the environment by evaluating individual assets against a catalog of vulnerabilities.  Conventional cyber security vulnerability scanning solutions map vulnerabilities to the assets book of record (BOR) and generate tickets based on the mappings.  These conventional solutions are unable to translate cyber security threats into actionable data, which in turn forces threat analysts to manually and 
unreliably attempt to map vulnerabilities to action plans.  The conventional solutions also do not identify which security vulnerabilities are actively being addressed by existing automations, nor do they map vulnerabilities to 
exception BORs.  The conventional solutions return a comprehensive list of potential vulnerabilities per asset, but lack the ability to prioritize remediation efforts, since they are unable to natively map threats with 
technology system management BORs.  Without the ability to thread vulnerability output into existing computing infrastructure fabric, conventional solutions are unable to determine the threat to the computing environment.  This is 
problematic, since the cyber threat landscape changes daily, and the ability to keep track of both assets and threats is becoming intractable. 
 
[0018] Embodiments of the disclosure provide a system and method to contextualize vulnerabilities, thus enabling data engineers to prioritize, address, and remediate vulnerabilities in a significantly more reliable and rapid fashion.  With the reduction in response time, instant interpretation of risk is realized, thus reducing costs associated with manual identification, and increasing accuracy by removing human error during the manual identification in conventional solutions.  With the potential impact of a cyber security breach, an organization may utilize some embodiments of the disclosure to instantly understand their threat exposure and take immediate action to drastically reduce risk to their computing infrastructure. 

[0021] The owner device(s) 102 and the service device(s) 104 are computing devices used by an individual.  For ease of description, the singular form will be used for the owner device(s) 102 and the service device(s) 104 by default and plural form will be used when appropriate.  Example computing devices for the owner device 102 and service device 104 include mobile devices, for example, a smartphone, a tablet, a phablet, a smart watch, a fitness tracking device, and so on.  Computing devices may also 
 
[0022] The vulnerability analytics server(s) 106 is a computing infrastructure with one or more servers utilizing one or more database(s) 108 for performing vulnerability analysis of assets 112.  The vulnerability analytics server(s) 106 analyzes vulnerability data, informs the owner device 102 and/or the service device 104 of vulnerabilities, automates a remediation process, and generates reports of vulnerabilities associated with the assets 112.  The vulnerability data is determined by the vulnerability scanner 110, which is a third-party tool that scans assets 112 for various vulnerabilities and packages these vulnerabilities as raw vulnerability data sent to the vulnerability analystics server(s) 106.  The vulnerability scanner 110 may be software running on a computing device, such as, a laptop computer, a desktop computer, a server, etc. 
 
[0023] The assets 112 include an organization's computing infrastructure that is being analyzed by the vulnerability analytics server(s) 106 for security vulnerabilities.  Assets 112 include networking infrastructure, networking switches, firewalls, applications, servers, computers, laptops, operating systems, etc. Information on assets 112 may be stored in the asset database 114.  Information on assets 112 may include the type of asset, owner of the asset, specific application utilizing the asset, etc. 
 
[0024] FIG. 2 is a block diagram illustrating basic hardware components of a computing device 200 that may be used as the owner device 102, service device 104, vulnerability analytics server(s) 106, and/or assets 112, according to some example embodiments.  Computing device 200 may include one or more processors 202, memory 204, network interfaces 206, power source 208, output devices 210, input devices 212, and storage devices 214.  Although not explicitly shown in FIG. 2, each component provided is interconnected physically, communicatively, and/or operatively for inter-component communications in order to realize functionality ascribed to the one or more owner device 102, service device 104, vulnerability analytics server(s) 106, or assets 112.  To simplify the discussion, the singular form will be used for all components identified in FIG. 2, when appropriate, but the use of the singular does not limit the discussion to only one of each component.  For example, multiple processors may implement functionality attributed to processor 202. 
 
[0032] FIG. 3 is a flow diagram illustrating a process 300 for vulnerability analysis according to an embodiment of the disclosure.  The process 300 may be performed by the vulnerability analytics server(s) 106 in concert with the vulnerability scanner 110.  The process 300 contextualizes vulnerability raw data into information that can identify and prioritize vulnerability remediation.  At step 302, the vulnerability scanner 110 scans the assets 112.  During step 302, the vulnerabilities are catalogued as raw vulnerability data and sent to the vulnerability analytics server(s) 106.  The raw vulnerability data includes a list of vulnerabilities, each vulnerability including at least a vulnerability identification (ID) and an asset identifier.  asset identifier identifies the asset affected by the vulnerability.  Asset identifier in the raw vulnerability data broadly refers to a hostname or address associated with a machine affected by the vulnerability. 
 
[0033] At step 304, the vulnerability analytics server(s) 106 mines the raw vulnerability data.  The vulnerability analytics server(s) 106 may compare the raw vulnerability data to asset inventory obtained from asset database 114.  
The vulnerability analytics server(s) 106 may merge the raw vulnerability data with the results of the comparison to the asset inventory to obtain contextual vulnerability data.  The contextual vulnerability data may include raw vulnerability data linked with one or more of an asset value, an application, or an owner.  An asset value is a value that identifies the asset associated with the vulnerability data.  An asset may include an operating system, for example, Windows.RTM., Linux, etc.; or, a platform, for example, network, hardware, etc. 
 
[0034] At step 304, the vulnerability analytics server(s) 106 may further import control exceptions and system management automation tools from database 108 to perform further comparison.  Control exceptions define, for example, vulnerabilities that may not be fixed at this point due to a manual exception being created.  For example, an exception could be created where a vulnerability may not be fixed because a firewall already protects the asset from the vulnerability, thus, further resources need not go to fixing the asset.  The system management automation tools provide further information on 
vulnerabilities, for example, vulnerabilities that are currently being worked on, vulnerabilities that have already been patched, vulnerabilities for which a patch has already been scheduled, and so on.  The vulnerability analytics server(s) 106 may further update the contextual vulnerability data with information on control exceptions and system management automation, after the comparison.  Assets may then be ranked by order of importance based on the contextual vulnerability data including asset values, application, owner, control exceptions, system mangament automation, and so on. 
 
[0035] At step 306, the vulnerability analytics server(s) 106 may analyze vulnerabilities using the contextual vulnerability data.  During analysis, the vulnerability analytics server(s) 106 may categorize the vulnerabilities into different groupings, for example, groupings based on duplicates, exceptions, being superseded, unfixed, patch in progress, application dependent, and so on. 
 
[0036] At step 308, the vulnerability analytics server(s) 106 may prioritize and inform owner devices 102 and/or service devices 104 of vulnerabilities.  The owner devices 102 and/or service devices 104 may be alerted through an email message, a text message, an alarm, and so on. 
 
[0037] At step 310, the vulnerability analytics server(s) 106 may remediate the vulnerabilities by, for example, patching vulnerabilities with available patches.  In some embodiments, other changes or settings that need to be applied are also applied during remediation.  These may adjusting firewall settings, adjusting application settings, performing application uninstalls, performing application upgrades, and so on. 
 
[0038] At step 312, the vulnerability analytics server(s) 106 validates the remediation of vulnerabilities performed in step 310.  This step is similar to step 302, where a scan is performed on the vulnerabilities that were patched to determine whether those vulnerabilities have been fixed. 
 
[0039] At step 314, the vulnerability analytics server(s) 106 generates a report for viewing on a display of a computing device, for example, a display of the owner device 102 or the service device 104. 


[0041] At step 404, the vulnerability analytics server(s) 106 imports asset inventory data from the asset database 114.  The asset inventory data includes, for example, operating systems deployed, hardware configurations of computing devices and servers, applications installed on the computing devices and servers, and owners of assets within the asset inventory. 
 
[0042] At step 406, the vulnerability analytics server(s) 106 merges the raw vulnerability data with the asset inventory data to obtain contextual vulnerability data.  In one embodiment, each vulnerability data in the raw vulnerability data includes a vulnerability ID and an asset identifier; so, during the merging process, the vulnerability analytics server(s) 106 matches asset identifiers in the raw vulnerability data to asset values in the asset inventory.  After matching an asset value with an asset identifier, the vulnerability analytics server(s) 106 merges other information associated with the asset value to the raw vulnerability data.  For example, in the asset inventory, asset owners and applications may be identified, so the vulnerability analytics server(s) 106 merges asset owners and applications to the raw vulnerability data to obtain contextual vulnerability data.  Raw vulnerability data includes an asset identifier, which is individual asset data that identifies where a vulnerability was found.  These include, for example, a hostname of a device, a domain name server (DNS) name, or an internet protocol (IP) address.  Raw vulnerability data may also include what type of vulnerability was detected on the individual asset.  The individual asset data in the raw vulnerability data may be compared against asset inventory data in the asset inventory database 114.  The asset inventory database 114 provides context for the role of the individual asset in the ecosystem.  Raw vulnerability data identifies that a vulnerability was detected on a specific host, while, after performing the merging process, the contextual vulnerability data identifies that the specific host may be owned by a certain individual, that one or more applications running on the host may be affected by the vulnerability, that the host may have a certain role in the ecosystem, that the host may have a certain level of importance in the ecosystem, that a certain affected application may have a certain level of importance in the ecosystem, and so on. 
 

[0046] At step 504, the vulnerability analytics server(s) 106 determines whether an exception is approved for the vulnerability.  In one embodiment, using control exceptions data obtained at step 408, the vulnerability analytics server(s) 106 compares X of the vulnerability to the control exceptions data to determine whether X exists in the control exceptions data.  X is used here as a property in the contextual vulnerability data and the control exceptions data.  In some embodiments, when determining whether a vulnerability exists in the control exceptions data, the vulnerability ID is matched to a vulnerability ID in the control exceptions data.  Once a match is found, the asset value is matched, then the owner is matched, then the application is matched.  At each of these levels of granularity, the control exceptions data may include specific exceptions, for example, exceptions may exist for a specific vulnerability ID for all assets and for another vulnerability ID for only certain assets.  If an exception is approved for the vulnerability, the vulnerability is categorized as exception approved. 
 
[0047] At step 506, the vulnerability analytics server(s) 106 determines whether the vulnerability is superseded.  The vulnerability analytics server(s) 106 determines from the system management automation data obtained from database 108 whether the vulnerability is superseded.  As with using control exception data, the vulnerability analytics server(s) 106 compares properties in the system management automatiion data with properties in the contexual vulnerability data to identify whether the vulnerability is superseded.  In one embodiment, the vulnerability may have a new version of a patch already 
released, but vendor information supersedes the new patch version, instructing the vulnerability analytics server(s) 106 to apply an older patch version or stay with an older patch version.  If the vulnerability is determined to be 
superseded, the vulnerability is categorized as such. 
 
[0048] At step 508, the vulnerability analytics server(s) 106 determines whether the vulnerability has a fix.  The system automation data obtained from database 108 is used to determine whether the vulnerability has a fix, by comparing properties of entries in the system automation data that have fixes with properties of vulnerabilities in the contextual vulnerability data.  If the vulnerability analytics server(s) 106 determines that a fix does not exist for the vulnerability, the vulnerability is categorized under a "No Fix" heading. 
 
[0049] At step 510, similar to step 508, the vulnerability analytics server(s) 106 determines whether the vulnerability has a patch or solution already deployed using system automation data.  If the vulnerability analytics server(s) 106 determines that a patch is in progress, the vulnerability is categorized under a "Patch in Progress" heading. 
 
[0050] At step 512, the vulnerability analytics server(s) 106 determines whether the vulnerability is application-dependent.  In one embodiment, the vulnerability analytics server(s) 106 determines from the contextual vulnerability data whether a specific vulnerability ID is paired with a 
vulnerability is application-dependent.  If a contextualized vulnerability data includes metadata that has historically been marked as application-dependent, then the vulnerability analytics server(s) 106 classifies the vulnerability as application-dependent.  In an example, an engineer sets a rule that automatically assigns a java finding in a contexualized vulnerability data as 
application-dependent.  Thus, when the vulnerability analytics server(s) 106 comes across the java finding in the metadata, the vulnerability is assigned as application-dependent.  In another example, the metadata is included in the vulnerability ID or a description of the vulnerability. 

[0058] Under the prioritize grouping, if a vulnerability is 
application-dependent, then the vulnerability is separated by application at step 738 and categorized as application-dependent at step 740.  The categorization of the vulnerability as application-dependent at step 740 may involve contacting application owners of all applications affected by the specific vulnerability.  The message to the owner may include information or data on the vulnerability and on solutions recommended to fix the vulnerability.  At step 742, an owner may decide to have the vulnerability go 
through a remediation process at step 748, or the owner may discover that a solution breaks the application susceptible to the vulnerability and creates a control exception at step 744, or the owner may manually update the application at step 746. 
 
[0059] Step 748 involves deciding whether the remediation process is guided by the owner or whether the remediation process is automated.  If automated, then at step 750, the solution to the vulnerability signals that a fix/patch exists and at step 756, the fix/patch is added to a collection and deployed.  If at step 750, the solution to the vulnerability is not automated, then a package is created for the solution at step 752, and the package is added to a device collection at step 754 before being deployed with patches at step 756. 
 
[0060] After remediation, the vulnerability scanner 110 rescans the remediated assets at step 758.  At step 760, the vulnerability analytics server(s) 106 generates reports, for examples, graphs and tables, for user consumption. 
 
[0061] FIGS. 8-10 illustrate example reports displayed on a screen of a computing device according to some embodiments of the disclosure.  In FIG. 8, a report may be generated by the vulnerability analytics server(s) 106 that shows an overall summary 802, infrastructure finding summary 804, application-dependent finding summary 806, derivative finding summary 808, patch deployment in progress summary 810, suppressed or expired summary 812, no fix available summary 814, and exceptions summary 816.  The overall summary 802 includes total vulnerabilities and may list total number of vulnerabilities in infrastructure, application, and/or exceptions.  The overall summary 802 may also list total number of duplicate vulnerabilities, vulnerabilities associated with the removed desktop computer may be identified, removed, or categorized as non-essential or non-important.  The removed desktop computer is an example of a sunset asset, that is, an asset that was previously part of the computing infrastructure or computing ecosystem but is no longer part of that ecosystem.  In some embodiments, the vulnerability scanner 110 determines that an asset is a sunset asset when the asset has been offline for a predetermined duration.  For example, an asset that has been offline for 30 days is deemed a sunset asset.  In some embodiments, the vulnerability analytics server(s) 106 determines that an asset associated with a vulnerability is a sunset asset when the asset is not found in the asset database 114. 
 
[0062] The infrastructure finding summary 804 may include vulnerabilities where engineering teams may research vulnerability IDs and create remediation plans based on risk.  The application-dependent finding summary 806 may include vulnerabilities that cannot be addressed without coordination with a software deployment life cycle (SDLC).  Vulnerabilities classified under application-dependent findings may require extensive testing and potential coding changes prior to remediation.  The derivative finding summary 808 includes vulnerabilities addressed by applying a cumulative currency patch or remediated by addressing a related finding.  Vulnerabilities under derivative findings do not require additional remediation, since they are automatically remediated when the parent infrastructure/application-dependent finding is resolved.  The patch deployment in progress summary 810 may include vulnerabilities addressed by security patches that are actively being deployed.  Vulnerabilities under patch deployment in progress are resolved once scheduled patches are installed.  In some embodiments, a link to track progress of the installation of the scheduled patches is provided.  The superseded or expired summary 812 includes vulnerabilities where remediated patches are superseded or expired by a vendor.  Vulnerabilities in this category do not require remediation and may be confirmed as false positives.  The no fix available summary 814 includes vulnerabilities where no known solution is availabe to resolve the threats.  The exceptions summary 816 includes vulnerabilities that have active and approved exceptions.  In some embodiments, once an excpetion is no longer active or an exception expires, the vulnerabilities affected by the expiration are re-categorized. 




    PNG
    media_image1.png
    1123
    605
    media_image1.png
    Greyscale



 

Bunker suggests 
monitor network components for vulnerabilities (reads on scan and determine network vulnerabilities, see Bunker Figure 7 block 702 and para 0047); identify a vulnerability (reads on scan and determine network vulnerabilities, see Bunker Figure 7 block 702 and para 0047) wherein the vulnerability is related to at least one of the 

the vulnerability management system and database could be implement with the 
intrusion protection system within a network firewall or the vulnerability management system, security management system, security management system and intrusion protection system could each be implemented within the same server or 
hardware.  Additionally, the firewall, intrusion protection system and security management system could be implemented in a single component and the vulnerability management system and database could interact with this single 
component. 
 
[0041] Additionally, the active risk report functionality 424 generates a report of particular vulnerabilities that are of present concern to system administrators of the enterprise network.  The active risk report functionality 
424 generates reports, that will be described more fully hereinbelow, illustrating vulnerabilities that are either partially or fully susceptible to intrusion attacks because particular filters, which are available to protect the network from the vulnerabilities, have not been fully implemented.  If the user decides to protect from the indicated vulnerabilities, the update filters functionality 426 may be used to select the particular filters that have not yet been activated and activate them such that the enterprise network is more fully protected from the system vulnerabilities that have been detected and are associated with the indicated filters.  The updated filters are provided to the IPS filter management functionality 404 within the security management service (SMS) server 314 to enable their activation within the intrusion protection 
systems of the network.  Thus, using the information generated from the active risk report functionality 424, the update filters functionality 426 may configure filters within the intrusion protection system based upon the actual vulnerabilities detected by the vulnerability management system 316 rather than just vendor recommendations.  This type of configuration will limit the risk of blocking legitimate traffic within or to the enterprise network but provides a warranted reason to justify inadvertent blocking of legitimate traffic.  
Additionally, the active risk report functionality 422 may be used to internally create exceptions for particular vulnerabilities from subsequent reports by the vulnerability management detection system 316.  The reason being that since particular filters (signatures) have been implemented within the intrusion protection system 310 to protected against a selected vulnerability, there is no more need to generate reports with respect to the vulnerability and the associated filter since the protections against the vulnerability are active.  This will prevent the system from providing a user with information that is not important to their analysis of the vulnerabilities of present concern to system administrators of the enterprise network.  By utilizing the information generated by the active risk report functionality 424, additional unneeded filters may be eliminated which 

[0043] This integration between the vulnerability management system 316 and the SMS 314 enables enterprise network operators to better tune their filters within the IPS servers 310 based upon the vulnerability scan results determined by the scanning server 317.  The vulnerability management system 316 is daily updated with new vulnerabilities found and new IPS filters are regularly 
written to protect from these new vulnerabilities.  The new IPS filters to new vulnerabilities mapping is updated using functionality 604 so that vulnerability descriptions provide current remediation instructions as well as the corresponding IPS filters to provide the remediation.  The interconnection between the scanning server 317 and the SMS 314 enables the vulnerability management system 316 to determine which IPS filters are applied at which IPS servers 310.  This information enables the generation of the report relating to presently mitigated vulnerabilities, vulnerabilities that could be mitigated if the appropriate filter were activated, IPS filters that could have the greatest impact on potential risk, and vulnerabilities which have no IPS filter coverage and must be mitigated via patch or configuration level solutions.  These results provide the system operator with visibility of the optimal mitigation point either by applying filters to the IPS or by patching the vulnerabilities at the device level.  Additional features enable audit defense and the ability to log compensating controls by documenting risks that are mitigated by the established IPS filters. 


[0050] Referring now to FIG. 10, there is illustrated the screen displayed at the display associated with the vulnerability management system server 316 when the active risk analysis tab 1002 is actuated.  The active risk analysis screen shows if a vulnerability is fully covered, partially covered or not covered by the IPS filters.  As described previously, based upon the particular node selected within the navigation area 810.  Either the field 1004 or field 1006 may be selected to determine whether the results for a selected node and all nodes below the selected node are displayed if field 1004 is selected or the results for only the selected node are displayed if field 1006 is selected.  The active risk analysis screen can display all of the active risks that have associated IPS filters associated therewith by clicking tab 1008 or may display all of the active risks that do not have a filter associated therewith by clicking tab 1010. 
 
[0051] The illustration of FIG. 10 shows the view when tab 1008 has been selected and illustrates all of the active risks for which filters are available.  The filtering column 1022 includes a number of boxes which may be checked in order create an exception for the selected vulnerability from subsequent vulnerability management reports that are generated.  By checking a box within this column 1022 and clicking field 1026, a pull down menu including the field 1027 "apply scan filters for all items" is displayed.  The filters can be applied by clicking on field 1027 such that the filters are activated to apply the vulnerabilities exceptions.  Filters can be applied to selected items by 
as "urgent," "high" or "low." The exposure column 1018 lists the name for the particular vulnerabilities that have been detected by the system.  These vulnerability names are standardized in accordance with CVE and other industry standards.  Finally, the total column 1020 indicates the number of occurrences of the vulnerability listed within the exposure column 1018 that has been detected. 
 
[0052] Referring now to FIG. 11, there is illustrated the screen that is displayed when an exception is being created for a particular risk vulnerability remove it from subsequent active risk analysis report and standard vulnerability management reports.  The screen is brought up by selecting vulnerabilities on 1022 to be filtered and then clicking field 1026.  The system user has the ability to set a scan filter within the active risk analysis profile of FIG. 10 in order to suppress a reported vulnerability that has been mitigated by initiating particular IPS filters to protect from the indicated vulnerability.  This is achieved by checking the selected box within column 1022 and then clicking 1026.  Field 1102 may be checked to indicate that the risk is no longer to be generated within the active risk analysis report and standard vulnerability reporting.  The exposure field 1104 provides the standardized name of the detected vulnerability while the risk level field 1106 indicates the risk associated with the vulnerability.  Drop down menu 1108 can be used to indicate the reason for filtering out the vulnerability from the report, and a comments field 1110 can be used for entering information for as to why the vulnerability is being filtered.  Finally, a drop down menu 1112 may be used to indicate the point of which the filtering of the vulnerability may expire and the vulnerability would again be displayed by the system. 

US Pub. No. 2003/0009696 (translation of incorporated by reference US Patent No. 7325252 into Bunker)



[0013] A preferred embodiment's physical subsystems combine to form a scalable holistic system that is able to conduct tests for thousands of customers any place in the world.  The security skills of experts can be embedded into a preferred embodiment systems enable the security vulnerability test to be conducted on a continuous basis for multiple customers at the same time.  A preferred embodiment can reduce the work time required for security practices of companies from three weeks to less than a day, as well as significantly increase their capacity.  This can expand the market for network security testing by allowing small and mid-size companies to be able to afford proactive, continuous electronic risk management. 

[0138] Early Warning Generator subsystem 112 can be used to alert 714 relevant customers to early warnings on a periodic or aperiodic basis that a new security vulnerability 702 can affect their system.  The alert 714 tells the customer which vulnerability 702 can affect them, which computers 1102 in their network 1002 are affected, and what to do to reduce or eliminate the exposure. 

[0183] Security assessment tests for each customer can be scheduled on a daily, weekly, monthly, quarterly or annual basis.  The Job Scheduling module 202 initiates customer tests, at scheduled times, on a continuous basis. 

[0194] The Report Generator 110 uses the information collected in the Database 114 about the customer's systems 1002 to generate a report 2230 about the systems profile, ports utilization, security vulnerabilities, etc. The reports 2230 reflect the profile of security services and reports frequency the customer bought.  Security trend analyses can be provided since the scan stores customer security information on a periodic basis.  The security vulnerability assessment test can be provided on a monthly, weekly, daily, or other periodic or aperiodic basis specified and the report can be provided in hard copy, electronic mail or on a CD. 


Before the effective filing date of the invention it would have been obvious to one of ordinary skill in the art to modify the vulnerability assessment teachings of the prior art of record by integrating the vulnerability assessment teachings of Bunker to realize the instant limitations. One or more of the underpinning rational(s), as discussed in KSR international Co, v, Teleflex inc,s etai,s 550 U,S. 398 (2007) U.S.P.Q.2d 1385, also see MPEP § 2141 {IN), are used to support this conclusion of obviousness. Accordingly, it would have been obvious to one of ordinary skill in the art to have the continual 

Kortright suggests 
continue monitoring (reads on maintain complete synchronization of all monitored devices via an updated central database for all applications and devices on the network, see Kortright para 0015, 0022, 0023, 0024) the at least one network components (reads on field systems/devices on the network that are part of a two-way communications model that permits a central database to affect changes on all or some network management systems in the field, while also allowing those same field systems to affect the central database, see Kortright para 0015) and the organization policy (reads on a central database that is part of a two-way communications model that permits the central database to affect changes on all or some network management systems in the field, while also allowing those same field systems to affect the central database, see Kortright para 0015).

[0002] The present invention relates to network management. More specifically, the present invention is an automated change management system and method to manage diverse management functions across a network in an automated fashion. 
[0015] The approaches described in these references are those that relate to management of the network manually. a two-way communications model that permits a central database to affect changes on all or some network management applications/systems in the field, while also allowing those same field systems to affect the central database. It also would be desirable for such a system and method to update all network management applications on the network upon the occurrence of a change in a network device and to manage failover through logically assigned buddies. Finally, such a system and method would also decrease the errors associated with human intervention to update network management applications. 
[0022] It is yet another aspect of the present invention to automatically detect changes in devices on the network and immediately update all network management system applications associated with changed devices.
[0023] It is still another aspect of the present invention to update a central database concerning all network management applications and devices on the network.
[0024] It is still another aspect of the present invention to maintain complete synchronization of all devices that are being monitored on a network.
[0026] In an embodiment of the present invention, a change management engine synchronizes the configuration of distributed network management applications, as well as synchronize device status from those same distributed network management applications with a central database. "Change management" as used in this context means the process by which network management poller and aggregation applications are synchronized to the exact configurations of the devices they monitor in real-time without human intervention. The network can be a wired, or wireless network. Further, embodiments of the present invention operate on an intranet, the Internet, or any other wired or wireless network that is to be managed as an entity. These embodiments operate in an application-diverse environment allowing the synchronization of networks that use applications of different vendors to perform various network management functions.
[0027] In an embodiment of the present invention, the change management process is automated by employing a real time two way communications model that permits a central database comprising the latest network management software and configuration to effect changes on all or some network management applications and systems in the field. In this embodiment, field systems also affect the central database by transmitting polled information into that database. Each network device is entered into a central database one time. After the initial data entry, this embodiment of the present invention handles all of the processes associated with configuring different and distributed network management systems and applications in the field. Thus, this embodiment of the present invention acts as a manager of other system managers in order to insure that all network management applications are synchronized across the  binds many disparate functions of change management under one control model. Further, automating the configuration process reduces the risk that human error will disrupt the monitoring of critical systems.
[0075] The new configuration data are stored in the DIDB (205) 330 and then sent to the autocontroller (220) 335. The autocontroller (220) configures the applications running on application server (225) with the new configuration data 340. As discussed below, the configuration data is customized to the format expected by each application running on the application server (225). The autocontroller (220) sends the revised application configuration data back to the core engine (215) 345. The revised configuration data are again compared with the data in DIDB (205) to ensure that the DIDB and the application server (225) applications are in sync as to the current configuration of the device (235). If variations are detected, the process of updating the application server is repeated.
[0076] The change management process illustrated in FIG. 3 is cyclical in nature and works in the real-time, requiring no human intervention to maintain accurate data acquisition and device monitoring. At the end of this cycle, the network is in sync with respect to device and application configurations, a result achieved without human intervention.

Before the effective filing date of the invention it would have been obvious to one of ordinary skill in the art to modify the monitoring teachings of the prior art of record by integrating the monitoring and linking teachings of Kortright to realize the instant limitations. One or more of the underpinning rational(s), as discussed in KSR international Co, v, Teleflex inc,s etai,s 550 U,S. 398 (2007) U.S.P.Q.2d 1385, also see MPEP § 2141 {IN), are used to support this conclusion of obviousness. Accordingly, as in Kortright it would have been obvious to one of ordinary skill in the art to have the ability to implement a two-way communications model that permits a central database/organization policy to affect changes on all or some network management systems/devices in the field, while also allowing those same field systems/devices to affect the central database/organization policy, implemented in the monitoring system of 


Per claim 2, the prior art of record further suggests wherein suppressing at least the portion of the reporting for the acceptable vulnerability comprises preventing reporting of the acceptable vulnerability in order to prevent a false reporting of the vulnerability (reads on suppressing the reporting of the vulnerability based on checking the box associated with the particular vulnerability whose reporting should be suppressed, see Bunker para 0051 – 0052). 
Per claim 3, the prior art of record further suggests wherein suppressing at least the portion of the remediation plan comprises suspending alerts to a primary user of the at least one of the network components impacted by the acceptable vulnerability (reads on suppressing the reporting of the vulnerability based on checking the box associated with 
Per claim 7, the prior art of record further suggests wherein determining when the vulnerability is the acceptable vulnerability comprises determining when a user exception request for the vulnerability has been approved (reads on if an exception is active/approved for the vulnerability the vulnerability is categorized as exception approved and it is not fixed at this point, see Gerrick para 0034, 0046, 0058 and 0062). 
Per claim 11, the prior art of record further suggests wherein the one or more processors are configured to execute the computer readable code to: edit the remediation suppression when the change to the at least one of the network components or the change to the organization policy occurs (reads on re-categorize the previously active and approved vulnerability exception which kept the vulnerability from being fixed, see Gerrick para 0046, 0058 and 0062), wherein editing the remediation suppression comprises changing the suppression of at least the portion of the remediation plan, the consequence action, or the reporting for the acceptable vulnerability (reads on re-categorize the previously active and approved vulnerability exception which kept the vulnerability from being fixed, see Gerrick para 0046, 0058 and 0062). 
Claim 13 is analyzed with respect to claim 1.
Claim 14 is analyzed with respect to claim 2.
Claim 17 is analyzed with respect to claim 11.
Claim 20 the computer program product is analyzed with respect to claim 13.
Claim 21 is analyzed with respect to claim 14. 




 Claims 4 – 6, 15 – 16 and 22 – 23 are rejected under 35 U.S.C. 103 as being unpatentable over Gerrick in view of Bunker in view of Kortright in view of Banzhof (US Pub. No. 2006/0191012 A1).

Per claim 4, the prior art of record suggests claim 1 and suppressing at least the portion of the remediation plan for remediating (reads on suppressing the reporting of the vulnerability based on checking the box associated with the particular vulnerability whose reporting should be suppressed, see Bunker para 0051 – 0052) the acceptable vulnerability (reads on the user has decided the reporting and fixing of a particular vulnerability should be suppressed, see Bunker para 0051 – 0052 and Gerrick para 0034 and 0035). The prior art of record is silent on explicitly stating altering a remediation deadline. 
Banzhof suggests 
altering a remediation deadline (reads on delaying scheduled remediations of vulnerabilities, see Banzhof para 0056 – 0057).

Banzhof US Pub. NO. 2006/0191012 A1
[0056] Another enhanced remediation assessment procedure involves the scheduling 90 of the installation of remediations, such as patches and other software modifications.  For example, the enhanced automated vulnerability resolution system 10 might specify that installation of remediations should be delayed until known problems with the remediations are resolved or are expected 
to be resolved.  Installation of remediations on new software might be deferred until the software is determined to be operating correctly.  The life cycle of software or systems might also be considered in the scheduling 90 of 


[0057] Some remediation installations or other remediation activities may be automatically scheduled to occur at regular intervals or as they become available.  The enhanced automated vulnerability resolution system 10 might 
adjust the schedule by taking the enhanced risk assessment into account.  For example, a billing system might operate only at the end of a month or a batch process might occur only on weekends.  It would typically be undesirable for 
remediation activities to take place on such systems during or near their periods of peak operation.  A computer administrator might enter into the enhanced automated vulnerability resolution system 10 the times when such 
systems are available or when critical operations are or are not occurring.  The enhanced automated vulnerability resolution system 10 might automatically take those times into account in the scheduling 90 of remediation activities.  The schedules of all systems may be considered and remediation activities could take place when the least disruption to the fewest systems would occur.  If a critical update needed to be made at a time when a system was unavailable, the enhanced automated vulnerability resolution system 10 could alert an administrator to decide whether to make the system available for the remediation or whether to delay. 

Before the effective filing date of the invention it would have been obvious to one of ordinary skill in the art to modify the remediation teachings of the prior art of record by integrating the remediation teachings of Banzhof to realize the instant limitations. One or more of the underpinning rational(s), as discussed in KSR international Co, v, Teleflex inc,s etai,s 550 U,S. 398 (2007) U.S.P.Q.2d 1385, also see MPEP § 2141 {IN), are used to support this conclusion of obviousness. Accordingly, it would have been obvious to one of ordinary skill in the art to have the ability to schedule and delay remediation of found vulnerabilities, in a system similar to that of the prior art of record, in order to realize the expected improvement of implementing remediations at a time that is optimized for the benefit of the organization.  It would have been recognized that applying the technique of Banzhof to the teachings of the prior art of record would have 

Claim 5 is analyzed with respect to claim 4. The prior art of record further suggests wherein suppressing at least the portion of the remediation plan comprises suspending prevention of operation of at least a portion of the at least one of the network components impacted by the acceptable vulnerability (reads on the combination of suspending remediation activities that would cause some types of equipment not to operate properly or to fail in order to minimize system disruptions, see Banzhof para 0042, 0043 and 0056 – 0057). 
Claim 6 is analyzed with respect to claim 4. The prior art of record further suggests wherein suppressing implementation of the consequence action comprises suspending removal of the at least one of the networks components impacted by the acceptable vulnerability (reads on the combination of suspending remediation activities that would cause some types of equipment not to operate properly or to fail in order to minimize system disruptions, see Banzhof para 0042, 0043 and 0056 – 0057). 
Claim 15 is analyzed with respect to claim 4. The prior art of record further suggests wherein suppressing at least the portion of the remediation plan comprises suspending alerts to a primary user of the at least one of the network components impacted by the acceptable vulnerability (reads on suppressing the reporting of the 
Claim 16 is analyzed with respect to claim 6.
Claim 22 is analyzed with respect to claim 15. 
Claim 23 is analyzed with respect to claim 16. 


 


Claims 12, 18 and 24 are rejected under 35 U.S.C. 103 as being unpatentable over Gerrick in view of Bunker in view of Kortright in view of Fudge (US Pub. No. 2006/0195905 A1).


Per claim 12, the prior art of record further suggests determine when the remediation suppression is untagged from the acceptable vulnerability (reads on the 
Fudge suggests 
monitor the at least one of the network components for compliance with the remediation plan (reads on after remediation actions have taken place determine whether compliance has been achieved, see Fudge para 0069); identify a trigger for implementing the consequence action for the at least one of the network components (reads on identify a risk level indicator to determine if a re-scan, quarantine or alert is necessary, see Fudge para 0069 – 0070); and implement the consequence action for the at least one of the network components when the trigger is identified (reads on at a specific risk level indicator re-scan, quarantine or alert, see Fudge para 0069 – 0071).

[0069] After remediation actions have been taken, the party at user device 110 and/or network monitoring system 150 may determine whether compliance has been achieved (act 570).  For example, the party at user device 110 may initiate another monitoring procedure (e.g., a re-scan) on the network element for which remedial action has been taken.  may then generate a new risk level indicator (e.g., score) for server 112-1.  The party at user device 110 may then determine whether risk compliance has been achieved based on the new risk level indicator.  For example, the party at user device 110 may determine whether the new score is now in an acceptable range, indicating that the vulnerability has been reduced to an acceptable risk level.  Alternatively, network monitoring system 150 may automatically initiate a re-scan of high risk network devices a predetermined period of time after the high vulnerability has been detected.  In either case, after the re-check has been completed and if compliance has been achieved, network monitoring system 
150 may document the action(s) taken and record the new risk level indicator for that particular network element (act 580). 
 
[0070] If compliance has not been achieved, the party at user device 110 or network monitoring system 150 may escalate the remediation (act 590).  For example, the party at user device 110 and/or network monitoring system 150 may 
send alerts to personnel associated with the vulnerable network element indicating that a quarantine action should be performed with respect to the network element. Alternatively, in some implementations, network monitoring 
system 150 may automatically quarantine the vulnerable network element by, for example, shutting down the network element and/or preventing access to the network element by any outside traffic. 
 
[0071] In another alternative implementation, if action is required at either act 550 or compliance has not been achieved at act 570, the party at user device 110 may request that an exception for the offending network device be granted.  That is, if a particular network device is outside an acceptable risk range, but a party at user device 110 has determined that the network element does not pose a significant risk, the party at user device 110 may request that an exception be stored in policy monitoring tools database 340 that would account for the high risk level.  In future scans, the exception information would then reduce any risk level indicator for that network element to an acceptable range. 
 
[0072] In the manner describe above, a risk analysis associated with managing network elements in system 100 may be performed by generating relative risk level indicators for the particular network elements.  The need for remedial actions with respect to network elements may then be prioritized based on the risk level indicators.  Actions may then be taken based on the prioritization to reduce the vulnerability to attack associated with network elements posing the highest risk.
 

Before the effective filing date of the invention it would have been obvious to one of ordinary skill in the art to modify the vulnerability remediation teachings of the prior art of record by integrating the compliance and vulnerability remediation teachings of 

Claim 18 is analyzed with respect to claim 12.
Claim 24 is analyzed with respect to claim 18. 


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Brian Shaw whose telephone number is (571)270-5191.  The examiner can normally be reached on Mon-Thurs from 6:00 AM-3:30 PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's Supervisor, Ashok Patel can be reached on (571) 272-3972.  The fax phone number for the organization where this application or proceeding is assigned is 703-872-9306.  Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).



/BRIAN F SHAW/Primary Examiner, Art Unit 2491