DETAILED ACTION

Currently pending claims are 1 – 21.

Response to Arguments
Applicant's arguments with respect to the subject matter of the instant claims have been fully considered but are not persuasive.
As per claim 1, Applicant asserts prior-art(s) does not teach generating a first machine learning model based on a first set of training data associated with a first type of vulnerability because Chari teaches nothing about training or generating a model based on training data associated with a first type of vulnerability (Remarks: Page 8 / 2nd Para).  Examiner respectfully disagrees with the following rationale.
Examiner notes that, under the broadest reasonable interpretation standard of MPEP 2111, applicant’s argument has no merit since the alleged limitation, such as “what is the exact context of the first type of vulnerability”, has not been specifically recited in the claim.  Although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims.  See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993).
In light of that, Examiner notes Chari teaches (a) providing a training phase to collect the input parameters such as program execution data and the recorded metadata of monitored events in the program, as it executes, against the security policies so as to develop a baseline machine learning model to characterize vulnerable programming patterns such as normal paths versus anomalous paths and sensitive paths versus non-sensitive paths (Chari: Para [0063] Line 1 – 9) and besides, (b) determining (e.g.) a sensitive (high-risk) data / computation or a sensitive control / data flow (path), and tagging the identified (affected) paths or flows to present as a higher risk (i.e. identifying one type of vulnerability) from the learning process (Chari: Figure 4 / E-405 & Para [0063] Line 7 – 13 / Para [0062] and Para [0004] / Last sentence) – this is consistent with the disclosure of the instant specification (SPEC-PG.PUB: Para [0016] Line 4 – 8 and Para [0003] Line 5 – 8) and as such Applicant's arguments are respectfully traversed.
As per claim 2, Applicant asserts prior-art(s) does not teach generating a second set of training data based on the topology (Remarks: Page 9 / 2nd Para).  Examiner respectfully disagrees because Chari teaches a baseline process (see above) is further enhanced (i.e. updated) from a generated second set of training data during runtime execution of the application program against the security policies based on, at least, a topology of the associated control / data flows associated with a portion of the code (Chari: see above & Para [0008] Line 12 – 17) – this is consistent with the disclosure of the instant specification (SPEC-PG.PUB: Para [0016] Line 4 – 8 and Para [0003] Line 5 – 8) and as such Applicant's arguments are respectfully traversed.  
As per claim 3, Applicant asserts that Examiner has to establish a prima facie case of obviousness to combine the references of Chari and Jackson (Remarks: Page 10 / 1st Para).  Examiner respectfully disagrees because it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention was made to propose the modification of emulating a fault injection during execution of the first portion of code because Jackson teaches effectively simulating a fault injection (as the system may expose flaws) during the execution of initiating a cycle of program / data flow and determining whether this would cause the device / system to perform improperly – i.e. presenting as a security risk (i.e. identifying one type of vulnerability) (Jackson: Col. 12 Line 34 – 38 and Col. 1 Line 26 – 27) within Chari’s system of using a machine learning model to determine whether there are potential control / data flows (paths) that may indicate a security vulnerability against the security policies during run-time execution of the computer program (see above) and as such Applicant's arguments are respectfully traversed.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.


Claims 1, 2, 6 – 12, 16 – 19 and 21 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Chari et al. (U.S. Patent 2019/0121979). 

As per claim 1, 11 and 16, Chari teaches a computer-implemented method, the method comprising: 
generating a first machine learning model based on a first set of training data associated with a first type of vulnerability (Chari: Figure 4 / E-405, Figure 5 / E-500 & Para [0062] / Para [0063] Line 1 – 13, Para [0071] / [0072] / [0075] and Para [0004] / Last sentence: (a) providing a training phase to collect the input parameters such as program execution data and the recorded metadata of monitored events in the program, as it executes, against the security policies so as to develop a baseline machine learning model to characterize vulnerable programming patterns such as normal paths versus anomalous paths and sensitive paths versus non-sensitive paths (Chari: Para [0063] Line 1 – 9) and besides, (b) determining (e.g.) a sensitive (high-risk) data / computation or a sensitive control / data flow (path), and tagging the identified (affected) paths or flows to present as a higher risk (i.e. identifying one type of vulnerability) from the learning process (Chari: Figure 4 / E-405 & Para [0063] Line 7 – 13 / Para [0062] and Para [0004] / Last sentence) – this is consistent with the disclosure of the instant specification (SPEC-PG.PUB: Para [0016] Line 4 – 8 and Para [0003] Line 5 – 8) and as such Applicant's arguments are respectfully traversed);
generating a topology based on a first portion of code, wherein the topology comprises at least one of a control flow associated with the first portion of code or a data flow associated with the first portion of code (Chari: Figure 5 / E-500, Figure 4 / E-405 & see above, Para [0004] and Para [0086]: a control flow call-graph with nodes and edges (i.e. one type of topologies) is generated during the computer learning model analysis to determine whether there are potential paths (e.g. represented in the graph by an edge) that may indicate a security vulnerability during run-time execution of the computer program); 
analyzing the topology based on the first machine learning model to determine that the first portion of code includes the first type of vulnerability (see immediate above); and 
performing one or more remedial operations in response to determining that the first portion of code includes the first type of vulnerability (Chari: see above & Para [0071] and Para [0004] / Last sentence: performing and simplifying remediation by first identifying the vulnerability from the machine learning process as set forth above and generating a report to resolve (fix) the identified vulnerability as a simplified remedial operation).

As per claim 2 and 12, Chari teaches generating a second set of training data based on the topology; and updating the first machine learning model based on the second set of training data (Chari: see above & Para [0008] Line 12 – 17: a baseline process (see above) is further enhanced (i.e. updated) from a generated second set of training data during runtime execution of the application program against the security policies based on, at least, a topology of the associated control / data flows associated with a portion of the code (Chari: see above & Para [0008] Line 12 – 17) – this is consistent with the disclosure of the instant specification (SPEC-PG.PUB: Para [0016] Line 4 – 8 and Para [0003] Line 5 – 8)).  

As per claim 6, Chari teaches performing a static analysis on the first portion of code to generate an abstract syntax tree (Chari: Figure 5 / E-500, see above & Para [0004] Line 11 – 15 and Para [0068] Line 7 – 10).  

As per claim 7, Chari teaches assigning a first classification to a first portion of the topology that is associated with the first type of vulnerability, wherein the first portion of the topology corresponds to the first portion of code (Chari: Figure 5 / E-500, see above & Para [0072] Line 4 – 7 and Para [0075] Last sentence: identifying a first type of vulnerability such as (e.g.), at least as one of examples, including sensitive data sent from a particular client with a percentage beyond a configurable threshold (against a security policy)).  

As per claims 8 – 9 and 17, Chari teaches generating a report indicating that the first portion of code includes the first vulnerability (Chari: see above & Para [0004] Last sentence: generating a report to resolve (fix) the identified vulnerability as a simplified remedial operation).

As per claim 10 and 18 – 19, Chari teaches wherein the first portion of code comprises source code associated with a software application or source code associated with a firmware application (Chari: see above & Para [0065] Line 7 – 9: including a binary compiled and generated from a source code of an application).  

As per claim 21, Chari teaches wherein the first set of training data comprises information indicating one or more program behaviors resulting from the first type of vulnerability (Chari: see above & Para [0071] & [0004] / Last sentence: (for example) determining anomalous program behaviors from the machine learning).

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.



Claims 3 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Chari et al. (U.S. Patent 2019/0121979), in view of Jackson et al. (U.S. Patent 8,683,269).  

As per claim 3 and 13, Jackson (& Chari) teaches:
executing the first portion of code (Chari: see above); 
during execution of the first portion of code, emulating a fault injection (Jackson: Col. 12 Line 34 – 38 and Col. 1 Line 26 – 27: during the execution of initiating a cycle of program / data flow, simulating a fault injection (as the system may expose flaws) and determining whether this would cause the device / system to perform improperly – i.e. presenting as a security risk (i.e. identifying one type of vulnerability)).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention was made to propose the modification of emulating a fault injection during execution of the first portion of code because Jackson teaches effectively simulating a fault injection (as the system may expose flaws) during the execution of initiating a cycle of program / data flow and determining whether this would cause the device / system to perform improperly – i.e. presenting as a security risk (i.e. identifying one type of vulnerability) (see above) within Chari’s system of using a machine learning model to determine whether there are potential control / data flows (paths) that may indicate a security vulnerability against the security policies during run-time execution of the computer program (see above).
determining, based on the execution of the first portion of code after to the fault injection, that the first portion of the code includes the first type of vulnerability (Jackson: see above) || (Chari: see above);
determining a first portion of the topology that corresponds to the first portion of code (Chari: see above) || (Jackson: see above); and 
generating a first training vector included in the second set of training data based on the first portion of the topology (Jackson: see above) || (Chari: see above & Para [0008] Line 12 – 17: the baseline process (see above) is further enhanced (i.e. updated) based on a generated second set of training data (e.g. log data collected during runtime execution of the application program) against the security policies).  

Claims 4 – 5 and 14 – 15 are rejected under 35 U.S.C. 103 as being unpatentable over Chari et al. (U.S. Patent 2019/0121979), in view of Pohlack (U.S. Patent 10,311,229).

As per claim 4 – 5 and 14 – 15, Pohlack (& Chari) teaches: 
performing a static analysis on the first portion of code to generate a control flow graph (Chari: see above & Figure 5 and Para [0004]), 
wherein the control flow graph indicates at least one conditional branch that depends on a value of a cryptologic primitive (Chari: see above & Figure 5 and Para [0004]: presenting a control flow graph) || (Pohlack: Col. 28 Line 45 – 46 and Col. 11 Line 36 – 44: effectively identifying a portion of code in an application as vulnerable to a malicious attack based on sensitive (secret information) analysis with a control flow (code path) having a conditional expression selected (generated) at runtime through static analysis when determining that a critical control flow is (or calls) (e.g.) an encryption function (i.e. cryptographic primitive) as well as using data flow analysis to determine that the sensitive / secret data is being accessed (i.e. data transformation from the associated encrypted sensitive data)).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention was made to propose the modification of emulating a fault injection during execution of the first portion of code because Pohlack teaches effectively identifying a portion of code in an application as vulnerable to a malicious attack based on sensitive (secret information) analysis with a control flow (code path) having a conditional expression selected (generated) at runtime through static analysis when determining that a critical control flow is (or calls) (e.g.) an encryption function (i.e. cryptographic primitive) as well as using data flow analysis to determine that the sensitive / secret data is being accessed (i.e. data transformation from the associated encrypted sensitive data) (see above) within Chari’s system of using a machine learning model to determine whether there are potential control / data flows (paths) that may indicate a security vulnerability against the security policies during run-time execution of the computer program (see above).


Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over Chari et al. (U.S. Patent 2019/0121979), in view of Krasser et al. (U.S. Patent 10,726,128).

As per claim 20, Krasser (& Chari) teaches a recurrent neural network trained via one or more unsupervised training algorithms with the first set of training data (Chari: see above) || (Krasser: Abstract & Col. 5 Line 28 – 31, Col. 12 – 18 and Col. 6 Line 33 – 38: providing an effective computation model, for malware detection, that can improve accuracy by increasing the amount of data input to the model based on a recurrent neural network with an unsupervised learning technique using a training data stream (feature vector(s))).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention was made to propose the modification of emulating a fault injection during execution of the first portion of code because Krasser teaches providing an effective computation model, for malware detection, that can improve accuracy by increasing the amount of data input to the model based on a recurrent neural network with an unsupervised learning technique using a training data stream (feature vector(s)) (see above) within Chari’s system of using a machine learning model to determine whether there are potential data / control flows (paths) that may indicate a security vulnerability against the security policies during run-time execution of the computer program (see above).

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to LONGBIT CHAI whose telephone number is (571)272-3788.  The examiner can normally be reached on Monday - Friday 9:00am-5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn D. Feild can be reached on 571-272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


---------------------------------------------------
                  /Longbit Chai/
           Longbit Chai E.E. Ph.D.
    Primary Examiner, Art Unit 2431
                   No. #2248 – 2021
---------------------------------------------------