DETAILED ACTION
Examiner's Note:  The Examiner has pointed out particular references contained in the prior art of record within the body of this action for the convenience of the Applicant.  Although the specified citations are representative of the teachings in the art and are applied to the specific limitations within the individual claim, other passages and figures may apply.  Applicant, in preparing the response, should consider fully the entire reference as potentially teaching all or part of the claimed invention, as well as the context of the passage as taught by the prior art or disclosed by the Examiner.
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Arguments
Applicant’s remarks filed on 02/24/2021 have been fully considered. 
Regarding claim[s] 1, 5, 6, 8, 9, 11 under the obviousness rejection, applicant’s remarks are not persuasive, therefore, see the examiner’s response to such remarks in the office action below.  
Regarding claim[s] 2, 3, 7, 10 under the various obviousness rejections, applicant’s remarks are not persuasive, therefore, see the examiner’s response to such remarks in the office action below. 
The examiner will answer all other remarks that do not concern the prior art rejection, if any, in the office action below. 
Applicant states on page[s] 11 and 12 of the remarks: “Thus, the Specification explains that raw natural language content of each communication can be processed (NLP). Additionally, concept expansion is used to understand the intent of these sentences. Although the Office Action asserts that Masood teaches the above highlighted claimed features (see Office Action, page 44, paragraph 42), it relies on the additional reference of Jain to cure the deficiency of Masood. As to cited paragraph [0065] of Jain, it merely states that NLP-based parsing is used to determine which of the existing posts and/or comments contain questions. (See Jain, paragraph [0065], lines 5 to 6.) A processing into meaningful sentences, as provided in the context of claim 1 and the Specification, is not disclosed or suggested. Claim 1 is allowable for at least this reason.”
In response the examiner points out that applicant's arguments fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references.
It appears that applicant merely explains that the claim[s] recites “…the Specification explains that raw natural language content of each communication can be processed into meaningful sentences by way of natural language processing (NLP)….,” however, applicant has not explained specifically how the NLP is used to process the raw natural language content of each communication, but somehow the raw communication data is formed into sentences in the claim language. Then generally states that the NLP teaching of the prior art of Jain doesn’t teach such recited forming of sentences by an NLP. 
….A processing into meaningful sentences, as provided in the context of claim 1 and the Specification, is not disclosed or suggested…”
What is further, applicant’s recited “meaningful sentences,” to one of ordinary skilled in the art could be equated to literally any constructs of the prior art of record. 
Additionally, applicant’s recited “concept expansion,” to one of ordinary skilled in the art could be equated to literally any constructs of the prior art of record. Applicant has intentionally kept this claim limitation broad, therefore, the appropriate prior art as used and rejected over, is fair and reasonable. 
Applicant states on page[s] 12 of the remarks: “Additionally, claim 1 as currently presented also provides for the use of concept expansion to determine an intent of each monitored social media communication. Although the Office Action asserts that Masood discloses this feature, the actual disclosure of Masood does not support this contention. As to cited step A1 of FIG. 3 and its corresponding disclosure in paragraph [0035] of Masood, it merely states that “a user spots a suspicious post on their wall or news feed and sends a notification to a security application provider.” A use of concept expansion, let alone to determine an intent of each monitored social media communication, as provided in the context of claim 1 and the Specification, is not disclosed or suggested. Claim 1 is allowable for this additional reason.”
concept expansion,” to one of ordinary skilled in the art could be equated to literally any constructs of the prior art of record. Applicant has intentionally kept this claim limitation broad, therefore, the prior art of Masood as used and rejected over, is fair and reasonable. 
	Therefore, see Masood at Figure # 3A, step A1, and paragraph: 0035, lines 1 – 2, A1. A social network user spots a suspicious post on their wall or news feed. What one of ordinary skilled in the art would know is that for a user to spot a suspicious post of Masood, the user would have to have at the very least knowledge of what a suspicious post looks like, in order to even spot a suspicious post in the operation of Masood. 
Applicant states on page[s] 13 and 14 of the remarks: “Accordingly, the Specification, in view of which claim 1 is to be interpreted, explains that the computing device of claim 1 is configured to monitor social media communication and identify whether a social media thread is related to a communication about a vulnerability. By virtue of monitoring such communication, insight can be gained about the potential vulnerability. Thus, the communication is itself not a vulnerability; rather, it is from which knowledge about the vulnerability can be extracted by the computing device. It is respectfully submitted that Masood, whether taken alone or in combination with Jain, Foster, and/or Schneck, does not disclose or suggest this feature of claim 1.”
In response the examiner isn’t persuaded, the examiner points here again to the prior art combination of Masood in view of Schneck.

The prior art of Schneck discloses at paragraph: 0034, lines 3 - 17, In this example embodiment, data collectors 202 (e.g., in connection with brand risk intelligence system 104) may monitor the Internet to collect brand impact intelligence for malware and other threats. For example, data collectors 202 may use threat intelligence resources, filters, triggers, and keywords to identify potentially relevant intelligence resources, filters, triggers, and keywords to identify potentially relevant intelligence sources, such as online news articles, websites, forums [i.e. applicants discussion about a vulnerability], blogs [i.e. applicants discussion about a vulnerability], and social media posts [i.e. applicants discussion about a vulnerability], and other data that identify real or potential of organizations or even other organizations in related fields. For instance, message boards, social networks, online message feeds, etc. popular with hackers or IT professionals can be monitored for references to various threats, attacks, and vulnerabilities affecting [i.e. applicant’s vulnerabilities], or potentially affecting, particular named organizations, brands.
“By virtue of monitoring such communication, insight can be gained about the potential vulnerability. Thus, the communication is itself not a vulnerability; rather, it is from which knowledge about the vulnerability can be extracted by the computing device. It is respectfully submitted that Masood, whether taken alone or in combination with Jain, Foster, and/or Schneck, does not disclose or suggest this feature of claim 1.”
Thus, it can be concluded that applicant’s argued invention is an obvious variation of at least Masood in view of Schneck.
Applicant states on page[s] 15 of the remarks: “It is respectfully submitted that even if Schneck mentions that it “may monitor the Internet to collect brand impact intelligence for malware and other threats,” the monitoring of Schneck is with respect to a brand of an organization and not a vulnerability of a computing device, as required by claim 1.”
	In response the examiner isn’t persuaded, the examiner points out that applicant continues to ignore the examiner’s rejection that shows the appropriate teachings of Schneck, who makes obvious applicant’s argued claim limitation. (emphasis added...).
The examiner points to the prior art of Schneck, specifically, at paragraph: 0034, lines 3 - 17, In this example embodiment, data collectors 202 (e.g., in connection with brand risk intelligence system 104) may monitor the Internet to collect brand impact intelligence for malware and other threats. For example, data collectors 202 may use threat intelligence resources, filters, triggers, and keywords to identify potentially relevant intelligence sources, such as online news articles, websites, forums [i.e. applicants discussion about a vulnerability], blogs [i.e. applicants discussion about a vulnerability], and social media posts [i.e. applicants discussion about a vulnerability], and other data that identify real or potential of organizations or even other organizations in related fields. For instance, message boards, social networks, online message feeds, etc, popular with hackers or IT professionals can be monitored for references to various threats, attacks, and vulnerabilities affecting fi.e. applicant’s vulnerabilities'!, or potentially affecting, particular named organizations, brands.
The examiner continues to point out [i.e. see bolded and underlined above] of Schneck, that the data collectors collect data relating to malware and other threats that effect the organization and not just the brands as argued by applicant. Schneck monitors for malware that affects the organization’s IT network and devices and software connected thereto. See paragraph: 0019 of Schneck. This meets applicant’s argued claim limitation of: “It is respectfully submitted that even if Schneck mentions that it “may monitor the Internet to collect brand impact intelligence for malware and other threats,” the monitoring of Schneck is with respect to a brand of an organization and not a vulnerability of a computing device, as required by claim 1.”
Further of paragraph: 0034 [i.e. see bolded and underlined above], the prior art Schneck does disclose that the data collectors collect data that potentially includes malware and other threats for identifying vulnerabilities [see paragraph: 0022 of Schneckl that could affect the organizations network IT system and associated devices software connected to such network IT system. This meets applicant’s “……..there is no disclosure in Schneck that such consequence would be considered a vulnerability unless it has a negative PR effect. Stated differently, if there is no negative PR effect in Schneck, there is no vulnerability.’’
***The examiner’s response above applies to the same or similar remarks in made on page[s] 15 of the remarks as filed. 

Applicant states on page[s] 17 and 18 of the remarks: “Further, claim 1 includes the feature of determining one or more possible root causes of the vulnerability from the searched dependable social media threads. In this regard, the specification of the present application discloses the following:
In one embodiment, in a resolution phase, the vulnerability engine 103 is configured to identify a root cause of the vulnerability. To that end, the vulnerability engine 103 identifies different possible solutions and ranks them based on the dependability (e.g., quality) of the source and/or individual of each solution. The vulnerability engine 103 may receive many such communication threads. From these threads, the vulnerability engine 103 can identify the most likely root cause of the vulnerability ....
(Specification, paragraph [0036], emphasis added.)
Accordingly, the Specification of the present application, in view of which claim 1 is to be evaluated, explains that claim 1 uses social media threads in two separate aspects, namely:

(ii)    determining a root cause of the identified vulnerability.
Regarding the latter, claim 1 specifically searches one or more dependable social media threads in a same one or more categories of the identified vulnerability. The Office Action asserts that paragraph [0045] of Masood provides the necessary disclosure. Applicants respectfully disagree.
Cited paragraph [0045] of Masood merely states that “[i]f the undesirable post looks similar to other undesirable posts that have already been detected, then the similar undesirable posts can be grouped together and the pre-determined features and values for all the similar undesirable posts are used to form a single, common signature.” (.Masood, paragraph [0045], emphasis added.) Review of Masood makes plain that its “undesirable posts” relate to the vulnerability itself and not a discussion thereof. Stated differently, searching a discussion about a vulnerability (e.g., malware) is wholly different from comparing and grouping similar vulnerabilities. Accordingly, Masood fails to teach determining one or more possible root causes of the vulnerability, let alone from searched dependable social media threads, as provided in the context of claim 1.
Nonetheless, in the Response too Arguments Section, the Office Action states the following:
in a resolution phase, the vulnerability engine 103 is configured to identify a root cause of the vulnerability, to that end, the vulnerability engine 103 identifies different possible solutions and ranks them based on the dependability (e.g., quality) of the source and/or individual of each solution. The vulnerability engine 103 may receive many such communication threads. From these threads, the vulnerability engine 103 can identify the most likely root cause of the vulnerability ...) are not recited in the rejected claim(s). Although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims. See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993).
(Office Action, page 12, emphasis added.)
It is respectfully submitted that the relevant portions of the Specification were highlighted hereinabove to better explain the claimed subject matter, as the claimed subject matter is to be interpreted in view of the Specification. The “phase” during which the root cause of the vulnerability is identified or the name of the “engine” performing the same are not immediately at issue. Rather, the issue is whether there is disclosure of a determination of one or more possible root causes of the vulnerability. As explained above, the reference relied upon by the Office Action (i.e., Masood), does not provide the requisite disclosure. Jain, Foster, and Schneck do not cure, and are not purported to cure, this critical deficiency of Masood. Accordingly, Masood, whether taken alone or in any combination with Jain, Foster, and/or Schneck, does not disclose or suggest root causes of the vulnerability from the searched dependable social media threads. Claim 1 is allowable for this additional reason.”
	In response the examiner points to the prior art combination of Masood and Jain and Foster and Schneck. Specifically, at least of Foster, at paragraph 0034, lines 1 – 7, A social risk score is a calculation of the security risk associated with a target URL, file, or social communication and thus, the risk posed by a scored social entity that is associated with the target. Social risk scores [i.e. applicant’s validity scores] may be determined by the predictive risk protection module 103 of security analysis engine 101, which may proactively identify cyber threats [i.e. root causes], before attacks occur.
Applicant states on page[s] 18 and 19 of the remarks: “Still further, it is respectfully submitted that unsupported assertions are not evidence as to why a person having ordinary skill in the art would be motivated to modify or combine, for example, five separate and in themselves complete references for the subject matter of claim 1 as currently presented (i.e., (i) Masood, (ii) Jain, (iii) Foster, (iv) Schneck, and (v) Karsun) to provide the claimed subject matter of claim 1 to address the problems met thereby (i.e., for claim 1 alone). It is respectfully submitted that the Office impermissibly uses Applicants’ disclosure as a roadmap for gleaning therefrom a need to modify and combine prior art methods based, a particular way in which to modify the prior art methods, and an indication as to how the particular way in which to modify prior art methods satisfies the need. Further, the Office has not provided any support for the proposition that there was a reasonable expectation of success for combining such a multiplicity of references.

In response the examiner points out that applicant's arguments fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references.
Response to Amendment
Status of the instant application:
Regarding claim[s] 4, 19, under the various obviousness rejections, applicant’s cancellation of the claim[s] is noted, therefore, the rejections are withdrawn. 
Regarding claim[s] 12 – 20 previously rejected over the various obviousness rejections, applicant’s incorporation of the subject matter of claim 19 into the base claim 12 has been considered, therefore, the rejection is withdrawn. 
Regarding claim[s] 1 – 3, 5 – 11 under the various obviousness rejections, applicant’s claim amendments have been considered, however, they are not persuasive; therefore, the examiner has addressed such claim amendments in the office action below. 
Regarding claim[s] 1 – 7, 9 – 17, 20 under the non – statutory obvious type double patenting rejection, the rejection is maintained until the appropriate e-terminal disclaimer is filed. 
Double Patenting
The non-statutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on non-statutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159.  See MPEP §§ 706.02(l)(1) - 706.02(l)(3) for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, 
Claim[s] 1 – 3, 5 - 7, 9 – 17, 20 are rejected on the ground of non-statutory double patenting as being unpatentable over claim[s] 1 – 3, 5 - 7, 9 – 17, 20 of U.S. Patent No. 10587643. 
Although the claims at issue are not identical, they are not patentably distinct from each other because the subject matter of the pending application and the subject matter of the patent are not distinct, but are the same or similar in scope in the following manner:
identifying a vulnerability of a computing device monitoring social media communications. Social media threads of the social media communications that are related to a vulnerability are identified, filtered, and categorized into one or more predetermined categories of computing device vulnerabilities. Determining that a number of social media communications related to the vulnerability is above a first predetermined threshold, one or more trusted social media threads in a same one or more categories as the vulnerability are searched. Possible root causes of the vulnerability are determined from the searched trusted social media threads. A validity score for each of the one or more possible root causes is assigned. A possible root cause from that has a highest validity score that is above a second predetermined threshold is selected to be the root cause of the vulnerability.

US Pending Application # 16/734322
US PAT # 10587643
1.    A computing device comprising: 
a processor;
a network interface coupled to the processor to enable communication over a network; 
a storage device coupled to the processor;
a vulnerability engine code stored in the storage device, wherein an execution of the code by the processor configures the computing device to perform acts comprising: 
monitoring social media communication;
identifying social media threads that relate to a discussion about a  vulnerability of a computing device, based on the monitored social media communication;
extracting meaningful sentences from the monitored social media communication via natural learning processing (NLP); and
determining an intent of each monitored social media communication via concept expansion;

filtering the identified social media threads by removing SPAM postings therefrom; 
categorizing the filtered identified social media threads into one or more predetermined categories of computing device vulnerabilities;
upon determining that a number of social media posts of the social media threads related to the vulnerability is above a first predetermined threshold:
searching one or more dependable social media threads in a same one or more categories of the vulnerability;
determining one or more possible root causes of the vulnerability from the searched dependable social media threads;
assigning a validity score for each of the one or more possible root causes; and selecting a possible root cause from the one or more possible root causes that has a highest validity score that is above a second predetermined threshold, to be the root cause of the vulnerability.

A computing device comprising: 
a processor;
a network interface coupled to the processor to enable communication over a network; 
a storage device coupled to the processor;
a vulnerability engine code stored in the storage device, wherein an execution of the code by the processor configures the computing device to perform acts comprising: 
monitoring social media communication;
identifying social media threads that are related to a vulnerability of a computing device, based on the monitored social media communication;
filtering the identified social media threads by removing SPAM postings therefrom; 
categorizing the filtered identified social media threads into one or more predetermined categories of computing device vulnerabilities;
upon determining that a number of social media posts of the social media threads related to the vulnerability is above a first predetermined threshold:
searching one or more dependable social media threads in a same one or more categories of the vulnerability;
determining one or more possible root causes of the vulnerability from the searched dependable social media threads;
assigning a validity score for each of the one or more possible root causes; and selecting a possible root cause from the one or more possible root causes that has a highest validity score that is above a second predetermined threshold, to be the root cause of the vulnerability;
wherein identifying dependable social media threads for the one or more predetermined categories comprises:
during a training phase, receiving a training social media communication:
for each thread of the training social media communication:
evaluating at least one of: (i) a peer vote: (ii) a status of the contributor:
(in) a number of views: or (iv) a number of comments parameters: and
rating a dependability of the thread of the training social media communication based on the evaluated parameters: and storing the thread of the training social media communication as a dependable social media thread, if the rating of the dependability of the thread is above a predetermined threshold for its category, such that the thread of the training social media communication is 
wherein the monitoring and resolution phases are after the training phase.

The computing device of claim 1, wherein monitoring social media communication comprises receiving social media from one or more social media hosts at a predetermined interval via the network interface.

2.     The computing device of claim 1, wherein monitoring social media communication comprises receiving social media from one or more social media hosts at a predetermined interval via the network interface.
3.    The computing device of claim 1, wherein identifying social media threads that are related to a vulnerability of a computing device comprises:
during a given training phase, receiving historic data of social media communication related to one or more vulnerabilities, from a database;
using the historic data for machine learning to construct an algorithm that can identify one or more vulnerabilities of a computing device from social media; and
during a given monitoring phase, applying the algorithm to the monitored social media communication, wherein the given monitoring phase is after the given training phase.

The computing device of claim 1, wherein identifying social media threads that are related to a vulnerability of a computing device comprises:
during a given training phase, receiving historic data of social media communication related to one or more vulnerabilities, from a database;
using the historic data for machine learning to construct an algorithm that can identify one or more vulnerabilities of a computing device from social media; and
during a given monitoring phase, applying the algorithm to the monitored social media communication, wherein the given monitoring phase is after the given training phase.

The computing device of claim 1, wherein filtering the identified social media threads by removing SPAM postings therefrom comprises:
determining an intent of each monitored social media communication via concept expansion; and
removing any monitored social media communication that has been determined to have a marketing intent.

5.  The computing device of claim 1, wherein filtering the identified social media threads by removing SPAM postings therefrom comprises:
determining an intent of each monitored social media communication via concept expansion; and
removing any monitored social media communication that has been determined to have a marketing intent.

6.    The computing device of claim 1, wherein the first predetermined threshold is different for each predetermined category of computing device vulnerabilities.
6.     The computing device of claim 1, wherein the first predetermined threshold is different for each predetermined category of computing device vulnerabilities.
7.    The computing device of claim 1, wherein the categories include at least one of:
Denial of Service (DOS);
SQL Injection; 
code execution; or 
memory corruption.

7.     The computing device of claim 1, wherein the categories include at least one of:
Denial of Service (DOS);
SQL Injection; 
code execution; and or 
memory corruption.

The computing device of claim 1, further comprising, upon determining the root cause of the vulnerability, sending a notification to one or more computing devices that are deemed to be affected or are at risk to be affected by the identified vulnerability.
9.     The computing device of claim 1, further comprising, upon determining the root cause of the vulnerability, sending a notification to one or more computing devices that are deemed to be affected or are at risk to be affected by the identified vulnerability.
10.    The computing device of claim 9, wherein the notification includes a patch to the identified vulnerability.
10.   The computing device of claim 9, wherein the notification includes a patch to the identified vulnerability.
11.    The computing device of claim 1, wherein subjective logic is used for assigning a validity score for each of the one or more possible root causes.
11.    The computing device of claim 1, wherein subjective logic is used for assigning a validity score for each of the one or more possible root causes.
12.    A non-transitory computer readable storage medium tangibly embodying a computer readable program code having computer readable instructions that, when executed, causes a computer device to carry out a method of identifying a computing device vulnerability, the method comprising:
monitoring social media communication;
identifying social media threads that relate to a discussion about a vulnerability of a computing device, based on the monitored social media communication;
filtering the identified social media threads by removing SPAM postings therefrom; 
categorizing the filtered identified social media threads into one or more predetermined categories of computing device vulnerabilities;
upon determining that a number of social media posts of the social media threads related to the vulnerability is above a first predetermined threshold:
searching one or more dependable social media threads in a same one or more categories of the vulnerability;
determining one or more possible root causes of the vulnerability from the searched dependable social media threads;
assigning a validity score for each of the one or more possible root causes; and
selecting a possible root cause from the one or more possible root causes that has a highest validity score that is above a second predetermined threshold, to be the root cause of the vulnerability; and
    upon determining the root cause of the vulnerability, sending a notification to one or more computing devices that are deemed to be affected or are at risk to be affected by the identified vulnerability, wherein the 
12. A non-transitory computer readable storage medium tangibly embodying a computer readable program code having computer readable instructions that, when executed, causes a computer device to carry out a method of identifying a computing device vulnerability, the method comprising:
monitoring social media communication;
identifying social media threads that are related to a vulnerability of a computing device, based on the monitored social media communication;
filtering the identified social media threads by removing SPAM postings therefrom; categorizing the filtered identified social media threads into one or more predetermined categories of computing device vulnerabilities;
upon determining that a number of social media posts of the social media threads related to the vulnerability is above a first predetermined threshold:
searching one or more dependable social media threads in a same one or more categories of the vulnerability;
determining one or more possible root causes of the vulnerability from the searched dependable social media threads;
assigning a validity score for each of the one or more possible root causes; and selecting a possible root cause from the one or more possible root causes that has a highest validity score that is above a second predetermined threshold, to be the root cause of the vulnerability;
wherein identifying dependable social media threads for the one or more predetermined categories comprises:
during a training phase, receiving a training social media communication:
for each thread of the training social media communication:
evaluating at least one of: (i) a peer vote: (ii) a status of the contributor:
(hi) a number of views: or (iv) a number of comments parameters: and
rating a dependability of the thread of the training social media communication based on the evaluated parameters: and
storing the thread of the training social media communication as a dependable social media thread if the rating of the dependability of the thread is above a predetermined 


The non-transitory computer readable storage medium of claim 12, wherein identifying social media threads that are related to a vulnerability of a computing device comprises:
during a given training phase, receiving historic data of social media communication related to one or more vulnerabilities, from a database;
using the historic data for machine learning to construct an algorithm that can identify one or more vulnerabilities of a computing device from social media; and
during a given monitoring phase, applying the algorithm to the monitored social media communication, wherein the given monitoring phase is after the given training phase.

13. The non-transitory computer readable storage medium of claim 12, wherein identifying social media threads that are related to a vulnerability of a computing device comprises:
during a given training phase, receiving historic data of social media communication related to one or more vulnerabilities, from a database;
using the historic data for machine learning to construct an algorithm that can identify one or more vulnerabilities of a computing device from social media; and
during a given monitoring phase, applying the algorithm to the monitored social media communication, wherein the given monitoring phase is after the given training phase.

14.    The non-transitory computer readable storage medium of claim 13, wherein identifying social media threads that are related to a vulnerability of a computing device further comprises:
extracting meaningful sentences from the monitored social media communication via natural learning processing (NLP); and
determining an intent of each monitored social media communication via concept expansion.

The non-transitory computer readable storage medium of claim 13, wherein identifying social media threads that are related to a vulnerability of a computing device further comprises:
extracting meaningful sentences from the monitored social media communication via natural learning processing (NLP); and
determining an intent of each monitored social media communication via concept expansion.

The non-transitory computer readable storage medium of claim 12, wherein filtering the identified social media threads by removing SPAM postings therefrom comprises:
determining an intent of each monitored social media communication via concept expansion; and
removing any monitored social media communication that has been determined to have a marketing intent.

15. The non-transitory computer readable storage medium of claim 12, wherein filtering the identified social media threads by removing SPAM postings therefrom comprises:
determining an intent of each monitored social media communication via concept expansion; and
removing any monitored social media communication that has been determined to have a marketing intent.

16.    The non-transitory computer readable storage medium of claim 12, wherein the first predetermined threshold is different for each predetermined category of computing device vulnerabilities.

16.  The non-transitory computer readable storage medium of claim 12, wherein the first predetermined threshold is different for each predetermined category of computing device vulnerabilities.

17.    The non-transitory computer readable storage medium of claim 12, wherein the categories include at least one of:
Denial of Service (DOS);
SQL Injection; 
code execution; or 
memory corruption.

The non-transitory computer readable storage medium of claim 12, wherein the categories include at least one of:
Denial of Service (DOS);
SQL Injection; 
code execution; and or 
memory corruption.

The non-transitory computer readable storage medium of claim 12, wherein subjective logic is used for assigning a validity score for each of the one or more possible root causes.
20.     The non-transitory computer readable storage medium of claim 12 wherein subjective logic is used for assigning a validity score for each of the one or more possible root causes.


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.

3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or non-obviousness.
Claim[s] 1, 5, 6, 8, 9, 11, is/are rejected under 35 U.S.C. 103 as being unpatentable over Masood [US PGPUB # 2013/0018823] in view of Jain [US PGPUB # 2017/0206271], further in view of Foster et al. [US PGPUB # 2019/0014148], further in view of Schneck et al. [US PGPUB # 2014/0172495]
As per claim 1. Masood does teach a computing device [paragraph 0003, line 11, user computer] comprising: 
a processor [paragraph 0007, line 4, user’s machine];
a network interface coupled to the processor to enable communication over a network [paragraph 0007, lines 4 – 6, One such known alternative is when a user's machine is infected by malware. This type of malware is able to detect when the user is accessing Facebook];
a storage device coupled to the processor [paragraph: 0014, user's terminal];
a vulnerability engine code stored in the storage device, wherein an execution of the code by the processor configures the computing device to perform acts [Figure # 3, and paragraphs: 0035, 0036, 0037, 0038, 0039, 0040, security application provider] comprising: 
monitoring social media communication [Figure #3A, step A1, and paragraph 0035, lines 1 - 2, A1. A social network user spots a suspicious post [i.e. applicant’s social media communication] on their wall or news feed];
identifying social media threads that relate to a ……….......  vulnerability of a computing device, based on the monitored social media communication [Figure # 4, step B2, paragraph 0050, lines 3 – 4, B2. Retrieving signatures of known undesirable posts [i.e. applicant’s social media communication] from the signature database].
And determining an intent of each monitored social media communication via concept expansion [Figure # 3A, step A1, and paragraph: 0035, lines 1 – 2, A1. A social network user spots a suspicious post on their wall or news feed].
filtering the identified social media threads by removing SPAM postings therefrom [paragraph: 0011, Embodiments of the present invention may provide a way for a user of a social networking website to more easily detect and, if desired, subsequently remove any undesirable posts such as spam or malicious posts];
categorizing the filtered identified social media threads into one or more predetermined categories of computing device vulnerabilities [paragraph 0045, If the undesirable post looks similar to other undesirable posts that have already been detected, then the similar undesirable posts can be grouped together and the pre-determined features and values for all the similar undesirable posts are used to form a single, common signature. For sets of similar undesirable posts, the values of the corresponding pre-determined features in each post may be identical or alternatively may form a pattern. In this case, instead of a value being used in the signature, a pattern is used in its place];
searching one or more dependable social media threads in a same one or more categories of the vulnerability [Figure # 4, step B2, paragraph 0050, lines 3 – 4, B2. Retrieving signatures of known undesirable posts from the signature database];
determining one or more possible root causes of the vulnerability from the searched dependable social media threads [paragraph 0045, If the undesirable post looks similar to other undesirable posts that have already been detected].
Masood does not clearly teach upon extracting meaningful sentences from the monitored social media communication via natural learning processing (NLP);
upon determining that a number of social media posts of the social media threads related to the vulnerability is above a first predetermined threshold:
assigning a validity score for each of the one or more possible root causes; and 
selecting a possible root cause from the one or more possible root causes that has a highest validity score that is above a second predetermined threshold, to be the root cause of the vulnerability.
However, Jain does teach upon extracting meaningful sentences from the monitored social media communication via natural learning processing (NLP) [paragraph: 0065, lines 4 – 7, The answer corpus generator 300 may use Natural-Language Processing (NLP)-based parsing to determine which of the existing posts and/or comments 320 contain questions [i.e. applicant’s extracting meaningful sentences from the monitored social media communication via natural learning processing (NLP)]];
upon determining that a number of social media posts of the social media threads related to the vulnerability is above a first predetermined threshold [paragraph 0086, lines 1 – 7, In particular embodiments, referencing FIGS. 5D and 5E, the social-networking system 160 may send, to the client system 130 of the first user, a suggested-answers page 580 comprising references to one or more comments 520. Each sent comment may have a calculated score greater than a threshold score].
It would have been obvious to one of ordinary skilled in the art before the effective filing date to combine the teachings of Masood and Jain in order for the monitoring of malicious/spam posts of the user’s social network platform of Masood to include social networking question and answer system of Jain. This would allow for the monitoring operation to pose questions to other user and get answers from the other user of the social network system as to whether the monitored posts contains subject matter that is spam or malicious. See paragraph 0005, lines 1- 8 of Jain. 
Masood and Jain do not clearly teach assigning a validity score for each of the one or more possible root causes; and 
selecting a possible root cause from the one or more possible root causes that has a highest validity score that is above a second predetermined threshold, to be the root cause of the vulnerability.
However, Foster does teach assigning a validity score for each of the one or more possible root causes [paragraph 0034, lines 1 – 7, A social risk score is a calculation of the security risk associated with a target URL, file, or social communication and thus, the risk posed by a scored social entity that is associated with the target. Social risk scores [i.e. applicant’s validity scores] may be determined by the predictive risk protection module 103 of security analysis engine 101, which may proactively identify cyber threats [i.e. root causes], before attacks occur]; and 
selecting a possible root cause from the one or more possible root causes that has a highest validity score that is above a second predetermined threshold, to be the root cause of the vulnerability [paragraph 0043, lines 11 – 15, If the social entity is a known entity, the security analysis engine 101 may compare the social risk score that is associated with the social entity in social risk database 104 to a social risk threshold that is associated with the user 106 (209), and may determine whether the social risk score exceeds the social risk threshold (211). If the social risk score that is associated with the social entity exceeds the social risk threshold that is associated with the user 106, the security analysis engine may initiate an appropriate security action (213).].
It would have been obvious to one of ordinary skilled in the art before the effective filing date to combine the teachings of Masood as modified and Foster in order for the monitoring of malicious/spam posts of the user’s social network platform of Masood as modified to include a predictive analysis framework with scoring algorithm of Foster. This would allow for a score to be assigned to each potential malicious/spam 
Masood and Jain and Foster do not clearly teach…discussion about a….
However, Schneck does teach…discussion about a… [paragraph: 0034, lines 3 – 17, In this example embodiment, data collectors 202 (e.g., in connection with brand risk intelligence system 104) may monitor the Internet to collect brand impact intelligence for malware and other threats. For example, data collectors 202 may use threat intelligence resources, filters, triggers, and keywords to identify potentially relevant intelligence sources, such as online news articles, websites, forums [i.e. applicants discussion about a vulnerability], blogs [i.e. applicants discussion about a vulnerability], and social media posts [i.e. applicants discussion about a vulnerability], and other data that identify real or potential of organizations or even other organizations in related fields. For instance, message boards, social networks, online message feeds, etc. popular with hackers or IT professionals can be monitored for references to various threats, attacks, and vulnerabilities affecting [i.e. applicant’s vulnerabilities], or potentially affecting, particular named organizations, brands].
It would have been obvious to one of ordinary skilled in the art before the effective filing date of the claimed invention to combine the teachings of Masood as modified and Schneck in order for the monitoring of malicious/spam posts of the user’s social network platform of Masood as modified to include monitoring of malicious/spam posts based on threshold risk score criteria of Schneck. This would allow for the 
***The examiner further notes that applicant’s claimed processor and storage device, and vulnerability engine code are also taught by the prior art of Jain, at paragraph 0007, lines 6 – 8. 
As per claim 5. Masood does teach the computing device of claim 1, wherein filtering the identified social media threads by removing SPAM postings therefrom comprises:
determining an intent of each monitored social media communication via concept expansion [Masood, Figure #3A, step A1, and paragraph 0035, lines 1 - 2, A1. A social network user spots a suspicious post on their wall or news feed]; and
removing any monitored social media communication that has been determined to have a marketing intent [Masood, paragraph: 0011, Embodiments of the present invention may provide a way for a user of a social networking website to more easily detect and, if desired, subsequently remove any undesirable posts such as spam or malicious posts].
As per claim 6. Masood as modified does teach the computing device of claim 1, wherein the first predetermined threshold is different for each predetermined category of computing device vulnerabilities [Foster, paragraph 0137, lines 10 – 16, and may submit one or more thresholds for social network security risks. These thresholds may include thresholds for profile impersonations, the exposure 
As per claim 8.  Masood does teach the computing device of claim 1, wherein identifying dependable social media threads for the one or more predetermined categories comprises, during a training phase, receiving a training social media communication, wherein the monitoring and resolution phases are after the training phase [Masood, Figure # 3, and paragraphs: 0044,  Steps A4 and A5 describe how the signature is created. First the analyst determines which of the pre-determined features of the undesirable post will be most suitable for use in the signature for the undesirable post. For example the analyst may choose only the message, link title, link description and thumbnail URL. Once this set of pre-determined features has been chosen, the signature is created using part or all of the content of each pre-determined feature as a "value" that can be compared with the content of other posts to be scanned in the future. For example the signature for an undesirable post can be a logical expression that searches for matches between the content of a feature of a post being scanned and value of the corresponding feature in the undesirable post for which it is a signature.].
As per claim 9. Masood does teach the computing device of claim 1, further comprising, upon determining the root cause of the vulnerability, sending a notification to one or more computing devices that are deemed to be affected or are at risk to be affected by the identified vulnerability [Masood, paragraph 0013, lines 1 – 4, The method may further comprise alerting the user when a post is 
As per claim 11. Masood as modified does teach the computing device of claim 1, wherein subjective logic is used for assigning a validity score for each of the one or more possible root causes [Foster, paragraph 0034, lines 1 – 7, A social risk score is a calculation of the security risk associated with a target URL, file, or social communication and thus, the risk posed by a scored social entity that is associated with the target. Social risk scores may be determined by the predictive risk protection module 103 of security analysis engine 101, which may proactively identify cyber threats, before attacks occur.].
Claim[s] 2, 10 is/are rejected under 35 U.S.C. 103 as being unpatentable over Masood [US PGPUB # 2013/0018823] in view of Jain [US PGPUB # 2017/0206271] and Foster et al. [US PGPUB # 2019/0014148] and Schneck et al. [US PGPUB # 2014/0172495] as applied to claim[s] 1 above, and further in view of Trabelsi et al. [US PGPUB # 2015/0242515]
As per claim 2. Masood and Jain and Foster and Schneck do teach what is taught in the rejection of claim #1 above. 
Masood and Jain and Foster and Schneck do not teach clearly the computing device of claim 1, wherein monitoring social media communication comprises receiving social media from one or more social media hosts at a predetermined interval via the network interface.
However, Trabelsi does each the computing device of claim 1, wherein monitoring social media communication comprises receiving social media from one or more social media hosts at a predetermined interval via the network interface [paragraph 0068, lines 5 – 11, The search results 407 (e.g., tweets, blog posts, forum responses) are collected, together with corresponding meta-data (author, date, likes, etc.). This search may be performed at regular intervals, or when new search phrases become available (e.g., because a new system component has been installed by the end-user)].
It would have been obvious to one of ordinary skilled in the art before the effective filing date to combine the teachings of Masood as modified and Trabelsi in order for the monitoring of malicious/spam posts of the user’s social network platform of Masood as modified to include automating the monitoring with dedicated software to implements the monitoring with data analytics of Trabelsi. This would allow for the monitoring to send alerts with analytics to an administrator or users when the results of the monitoring process when new searching phrases are available to be used to monitor posts for malicious/spam activity. See paragraphs: 0068, lines 8 – 11, 0072, 0082, of Trabelsi. 
As per claim 10. Masood as modified does teach the computing device of claim 1, wherein the notification includes a patch to the identified vulnerability .
Claim[s] 3, 7 is/are rejected under 35 U.S.C. 103 as being unpatentable over Masood [US PGPUB # 2013/0018823] in view of Jain [US PGPUB # 2017/0206271] and Foster et al. [US PGPUB # 2019/0014148] and Schneck et al. [US PGPUB # 2014/0172495] as applied to claim[s] 1 above, and further in view of Kursun [US PAT # 9514133].
As per claim 3. Masood and Jain and Foster and Schneck and do teach what is taught in the rejection of claim #1 above. 
Masood and Jain and Foster and Schneck do not teach clearly the computing device of claim 1, wherein identifying social media threads that are related to a vulnerability of a computing device comprises:
during a training phase, receiving historic data of social media communication related to one or more vulnerabilities, from a database;
using the historic data for machine learning to construct an algorithm that can identify one or more vulnerabilities of a computing device from social media; and
during a monitoring phase, applying the algorithm to the monitored social media communication, wherein the monitoring phase is after the training phase.
However, Kursun does teach the computing device of claim 1, wherein identifying social media threads that are related to a vulnerability of a computing device comprises:
during a training phase, receiving historic data of social media communication related to one or more vulnerabilities, from a database [col. 14, lines 57 – 61, The system may incorporate a look-up table that is updated with machine learning algorithms using real-time and historical data. The look-up table may incorporate base weights for different sources based on the nature of the entity];
using the historic data for machine learning to construct an algorithm that can identify one or more vulnerabilities of a computing device from social media [col. 14, lines 57 – 61, The system may incorporate a look-up table that is updated with machine learning algorithms using real-time and historical data. The look-up table may incorporate base weights for different sources based on the nature of the entity]; and
during a monitoring phase, applying the algorithm to the monitored social media communication, wherein the monitoring phase is after the training phase [col. 14, lines 61 – 66, For example, if the entity is a retail company, the social media and blog sources may be weighted more heavily. Base values can be created on the characteristics of the entity, then the machine learning algorithms can be used to fine tune these weight factor parameters].
It would have been obvious to one of ordinary skilled in the art before the effective filing date to combine the teachings of Masood as modified and Kursun in order for the monitoring of malicious/spam posts of the user’s social network platform of Masood as modified to include assigning user weighting factors to detect words or phrases or items of a social media posts of Kursun. This would allow for the monitoring to include user customized weighting factors that are based on the user’s previous 
As per claim 7. Masood as modified does teach the computing device of claim 1, wherein the categories include at least one of:
Denial of Service (DOS);
SQL Injection; 
code execution [Kursun, col. 19, lines 19 – 20, Any suitable programming language may be used in accordance with the various embodiments of the invention]; or 
memory corruption.
Allowable Subject Matter
Claim[s] 12 – 18, 20 contain allowable subject matter, but as allowable subject matter has been indicated, applicant's reply must either comply with all formal requirements or specifically traverse each requirement not complied with.  See 37 CFR 1.111(b) and MPEP § 707.07(a).
Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DANT B SHAIFER HARRIMAN whose telephone number is (571)272-7910.  The examiner can normally be reached on M - F: 8am to 5pm.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on 571- 272- 3811.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 
/DANT B SHAIFER HARRIMAN/Primary Examiner, Art Unit 2434