Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Status of Claims
The present Office Action is responsive to communications received 5/21/2021. Claims 1-22 are pending. Claims 1, 5-9, 12-20 are amended. Claims 10 and 11 are cancelled. Claims 21 and 22 are new.
Response to Arguments
Applicant’s remarks received on 5/21/2021 are addressed as follows: 
Applicant’s amendments to the claims are considered.
Applicant respectfully argues that the 102(a)(1) and 103 rejection cited references fail to disclose all the features of the claims as previously presented. However, the applicant does not provide details about why the references fail to disclose all the features of the claims. Amendment to claim 1 includes limitations of claims 10 and 11 which are now cancelled. Because of these reasons, the examiner respectfully disagrees with the applicant and believes that the claim limitations of the amended claims read into the references previously presented and so the original rejection is maintained.
In view of the amendment to the claims with newly added features to the independent claims, the previous 102(a)(1) rejection is withdrawn.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:


Claims 1, 3, 5, 8, 12, 14-20 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. Pat. Appl. Publ’n No. 20120304300 to LaBumbard hereinafter (“LaBumbard”), in view of U.S. Pat. Appl. Publ’n No. 20150237065 to Roytman et al. hereinafter (“Roytman”)
Regarding claim 1, LaBumbard teaches:
A method comprising: 
identifying two or more vulnerabilities (LaBumbard, ¶ [0039], The EVMA interfaces with and manages the operation of disparate scanning and/or maintenance tools to rapidly scan the network to assess vulnerabilities), each of the vulnerabilities affecting a set of one or more of a plurality of assets (LaBumbard, ¶ [0121], Fig. 3N, particular severity of vulnerability affecting multiple assets) of an information technology infrastructure (LaBumbard, ¶ [0052], metrics measure how vulnerabilities will affect IT assets); 
assigning a weight to each of the vulnerabilities, the weight assigned to each of the vulnerabilities being based at least in part on the set of one or more assets affected by that vulnerability (LaBumbard, ¶ [0022], generating a vulnerability score associated with assets of an enterprise which includes collecting results of at least one vulnerability identified on the assets), asset criticalities associated with the set of one or more assets affected by that vulnerability (LaBumbard, ¶ [0053-0080], Base Metrics Scoring calculated based on assets affected), and at least one of (i) an exploitability potential of that vulnerability (LaBumbard, ¶ [0103-0104], asset's exploitability potential based on exploitability score of temporal metrics) and (ii) an impact potential of that vulnerability (LaBumbard, ¶ [0052], impact metrics based on confidentiality, integrity and availability impact); 
… to address at least one of the vulnerabilities based at least in part on the weights assigned to the vulnerabilities (LaBumbard, ¶ [0020-0021], instructions include analyzing and prioritization, where one or more vulnerability scores are generated and remediate one or more vulnerabilities. Here generating vulnerability score is interpreted as assigning weights to the vulnerabilities and remediating as addressing one or more vulnerabilities); and 
applying, in accordance with the determined order, at least one of the set of remediation actions to at least one of the plurality of assets in the information technology infrastructure (LaBumbard, Fig. 3P-3S, ¶ [0111, 0123], applying remediation to the assets); 
wherein determining the order in which to apply the set of remediation actions in the information technology infrastructure comprises: 
…
wherein the method is performed by at least one processing device comprising a processor coupled to a memory (LaBumbard, Fig. 1, ¶ [0021, 0040], enterprise vulnerability management system includes a processing module and a memory module logically connected to the processing module and comprising a set of computer readable instructions executable by the processing module).
LaBumbard does not teach the limitation of determining an order in which to apply a set of remediation actions, identifying two or more different network portions of the information technology infrastructure; identifying a subset of the plurality of assets located in each of the two or more different network portions of the information technology infrastructure; and determining an ordering of the two or more different network portions based at least in part on weights assigned to the subsets of the plurality of assets located in each of the two or more different network portions of the information technology infrastructure. Roytman remedies and teaches the limitation of determining an order in which to apply a set of remediation actions (Roytman, ¶ [0027], set of remediations are identified based on risk score and set of vulnerabilities. An amount is determined for each remediation action to be taken based on how much the risk score is reduced when the remediation is applied. The set of remediations are ordered based on this amount determined for each remediation.), identifying two or more different network portions of the information technology infrastructure (Roytman, Fig. 6A-6B, ¶ [0088-0089], risk meter is based on computing asset group of a customer. These group of assets are customer network containing desktop assets and another group of assets for ecommerce website. Similarly, DMZ, linux servers, etc. are another group of assets. Set of computing assets may be grouped based on geographical location of the computing assets, the type of computing assets, the subnet of the computing assets, see ¶ [0086]. These group of assets or group of computing assets can be interpreted as network segment or network portions); identifying a subset of the plurality of assets located in each of the two or more different network portions of the information technology infrastructure (Roytman, Fig. 1 and 6A-6B, ¶ [0089], dashboard of risk meter provides group data information based on asset group. For example, desktops asset group provides information about number of assets in that group, vulnerabilities in that group that are Top Priority. Here, providing such asset and related vulnerability information is interpreted as identifying assets among the plurality of assets based on vulnerability and showing that information on the dashboard.); and determining an ordering of the two or more different network portions (Roytman, ¶ [0050, 0055], Risk assessment unit 203 may be configured to determine order of vulnerabilities of customer's computing assets or group of computing assets.) based at least in part on weights assigned to the subsets of the plurality of assets located in each of the two or more different network portions of the information technology infrastructure (Roytman, Fig. 1, ¶ [0086], Risk score assigned to the assets in the set of assets is displayed on the screen. These set of assets are grouped based on geographical location, type and subnet of the computing assets which are interpreted as network portions or network segments. Here, the risk score assigned to each asset is the weight assigned to each asset in the group of assets).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify LaBumbard with the teachings of Roytman to assign weight to each of the assets based on static and dynamic criticality metrics, with the motivation to allow users or customers to mark their assets as critical so that those assets are equally considered important and by the popularity of the asset in specific industry. This enables the basic scoring metrics, as in LaBumbard, to be extended and enhanced to perform metrics based on dynamic criticality of the asset thereby providing near real-time reassessment of the vulnerabilities. (Roytman, ¶ [0044, 0070]).
Regarding claim 3, LaBumbard in view of Roytman teaches:
The method of claim 1 wherein the impact potential of a given vulnerability is based at least in part on an impact metric (LaBumbard, ¶ [0088-0089], impact metric reflecting availability impact), a severity metric (LaBumbard, Fig. 3V 390, ¶ [0128], identifying the severity (e.g. none, low, medium, high) of issue(s) affecting each asset.), an attack complexity metric (LaBumbard, ¶ [0079-0080], Table 2, Access Complexity measures complexity of the attack), and a privilege required metric (LaBumbard, ¶ [0081], Table 3, authentication metric measures the number of times an attacker must authenticate to gain access).
Regarding claim 5, LaBumbard in view of Roytman teaches:
The method of claim 1 further comprising assigning the weights to the plurality of assets (Roytman, Fig. 5, ¶ [0034], generating risk score for each asset) of the information technology infrastructure based at least in part on static criticality metrics (Roytman, ¶ [0044], customer indicating particular assets as critical) and dynamic criticality metrics associated with the plurality of assets (Roytman, ¶ [0070], asset criticality that is based on asset usage and popularity of the asset).
Regarding claim 8, LaBumbard in view of Roytman teaches:
The method of claim 5 wherein determining the order in which to apply the set of remediation actions within a given one of the two or more different network portions (Roytman, ¶ [0027], set of remediations are identified based on risk score and set of vulnerabilities. An amount is determined for each remediation action to be taken based on how much the risk score is reduced when the remediation is applied. The set of remediations are ordered based on this amount determined for each remediation.) is further based at least in part on the weights assigned to a given subset of the plurality of assets of the information technology infrastructure that are located in the given one of the two or more different network portions (Roytman, Fig. 1, ¶ [0086], Risk score assigned to the assets in the set of assets is displayed on the screen. These set of assets are grouped based on geographical location, type and subnet of the computing assets which are interpreted as network portions or network segments. Here, the risk score assigned to each asset is the weight assigned to each asset in the group of assets).
Regarding claim 12, LaBumbard in view of Roytman teaches:
The method of claim 5 wherein determining the order in which to apply the set of remediation actions in the information technology infrastructure (Roytman, ¶ [0027], set of remediations are identified based on risk score and set of vulnerabilities. An amount is determined for each remediation action to be taken based on how much the risk score is reduced when the remediation is applied. The set of remediations are ordered based on this amount determined for each remediation.) comprises selecting a subset of the plurality of assets to apply one or more of the set of remediation actions to for addressing one or more of the vulnerabilities (LaBumbard, ¶ [0020], prioritizing assets to apply remediations to for one or more vulnerabilities. Assets are prioritized based on asset inventory and then running a vulnerability scan on the assets which is then analyzed for prioritizing the assets. Here, inventorying, scanning and prioritizing is interpreted as selecting a subset of the plurality of the assets) that do not have available patches based at least in part on the weights assigned to the plurality of assets of the information technology infrastructure (LaBumbard, ¶ [0107], Table 8, Remediation Level metric where interim remediation is applied to assets for vulnerabilities until official patch is available).
Regarding claim 14, LaBumbard in view of Roytman teaches:
The method of claim 1 wherein a given one of the set of remediation actions for remediating a given vulnerability (LaBumbard, ¶ [0107], Table 8, Remediation Level metric where remediation is applied to assets for vulnerabilities) for which a patch is available comprises applying the patch to a given one of the plurality of assets (LaBumbard, Fig. 3P, ¶ [0123], remediation using fix scripts which means patch as customarily known in the art).
Regarding claim 15, LaBumbard in view of Roytman teaches:
A computer program product comprising a non-transitory processor-readable storage medium having stored therein program code of one or more software programs (LaBumbard, ¶ [0130], computer program product comprising a non-transitory processor-readable storage medium having stored therein program code of one or more software programs), wherein the program code when executed by at least one processing device causes the at least one processing device: 
to identify two or more vulnerabilities (LaBumbard, ¶ [0039], The EVMA interfaces with and manages the operation of disparate scanning and/or maintenance tools to rapidly scan the network to assess vulnerabilities), each of the vulnerabilities affecting a set of one or more of a plurality of assets of an information technology infrastructure (LaBumbard, ¶ [0121], Fig. 3N, particular severity of vulnerability affecting multiple assets out of total number of assets); 
to assign a weight to each of the vulnerabilities, the weight assigned to each of the vulnerabilities being based at least in part on the set of one or more assets affected by that vulnerability (LaBumbard, ¶ [0022], generating a vulnerability score associated with assets of an enterprise which includes collecting results of at least one vulnerability identified on the assets), asset criticalities (LaBumbard, ¶ [0053-0080], Base Metrics Scoring calculated based on assets affected), and at least one of 
an exploitability potential of that vulnerability (LaBumbard, ¶ [0103-0104], asset's exploitability potential based on exploitability score of temporal metrics) and 
an impact potential of that vulnerability (LaBumbard, ¶ [0052], impact metrics based on confidentiality, integrity and availability impact); 
… to address at least one of the vulnerabilities based at least in part on the weights assigned to the vulnerabilities (LaBumbard, ¶ [0020-0021], instructions include analyzing and prioritization, where one or more vulnerability scores are generated and remediate one or more vulnerabilities); and 
to apply, in accordance with the determined order, at least one of the set of remediation actions to at least one of the plurality of assets in the information technology infrastructure (LaBumbard, Fig. 3P-3S, ¶ [0111, 0123], applying remediation to the assets); 
wherein determining the order in which to apply the set of remediation actions in the information technology infrastructure comprises: 
…
LaBumbard does not teach the limitation of determining an order in which to apply a set of remediation actions, identifying two or more different network portions of the information technology infrastructure; identifying a subset of the plurality of assets located in each of the two or more different network portions of the information technology infrastructure; and determining an ordering of the two or more different network portions based at least in part on weights assigned to the subsets of the plurality of assets located in each of the two or more different network portions of the information technology infrastructure. Roytman remedies and teaches the limitation of determining an order in which to apply a set of remediation actions (Roytman, ¶ [0027], set of remediations are identified based on risk score and set of vulnerabilities. An amount is determined for each remediation action to be taken based on how much the risk score is reduced when the remediation is applied. The set of remediations are ordered based on this amount determined for each remediation.), identifying two or more different network portions of the information technology infrastructure (Roytman, Fig. 6A-6B, ¶ [0088-0089], risk meter is based on computing asset group of a customer. These group of assets are customer network containing desktop assets and another group of assets for ecommerce website. Similarly, DMZ, linux servers, etc. are another group of assets. Set of computing assets may be grouped based on geographical location of the computing assets, the type of computing assets, the subnet of the computing assets, see ¶ [0086]. These group of assets or group of computing assets can be interpreted as network segment or network portions); identifying a subset of the plurality of assets located in each of the two or more different network portions of the information technology infrastructure (Roytman, Fig. 1 and 6A-6B, ¶ [0089], dashboard of risk meter provides group data information based on asset group. For example, desktops asset group provides information about number of assets in that group, vulnerabilities in that group that are Top Priority. Here, providing such asset and related vulnerability information is interpreted as identifying assets among the plurality of assets based on vulnerability and showing that information on the dashboard.); and determining an ordering of the two or more different network portions (Roytman, ¶ [0050, 0055], Risk assessment unit 203 may be configured to determine order of vulnerabilities of customer's computing assets or group of computing assets.) based at least in part on weights assigned to the subsets of the plurality of assets located in each of the two or more different network portions of the information technology infrastructure (Roytman, Fig. 1, ¶ [0086], Risk score assigned to the assets in the set of assets is displayed on the screen. These set of assets are grouped based on geographical location, type and subnet of the computing assets which are interpreted as network portions or network segments. Here, the risk score assigned to each asset is the weight assigned to each asset in the group of assets).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify LaBumbard with the teachings of Roytman to assign weight to each of the assets based on static and dynamic criticality metrics, with the motivation to allow users or customers to mark their assets as critical so that those assets are equally considered important and by the popularity of the asset in specific industry. This enables the basic scoring metrics, as in LaBumbard, to be extended and enhanced to perform metrics based on dynamic criticality of the asset thereby providing near real-time reassessment of the vulnerabilities. (Roytman, ¶ [0044, 0070]).
Regarding claim 16, it is rejected as claim 5. Additionally, LaBumbard discloses the computer program product (LaBumbard, ¶ [0130]).
Regarding claim 17, it is rejected as claim 8. Additionally, LaBumbard discloses the computer program product (LaBumbard, ¶ [0130]).
Regarding claim 18, LaBumbard teaches:
An apparatus comprising: at least one processing device comprising a processor coupled to a memory (LaBumbard, ¶ [0130], apparatus with a processing device comprising a processor and memory); the at least one processing device being configured: 
to identify two or more vulnerabilities (LaBumbard, ¶ [0039], The EVMA interfaces with and manages the operation of disparate scanning and/or maintenance tools to rapidly scan the network to assess vulnerabilities), each of the vulnerabilities affecting a set of one or more of a plurality of assets of an information technology infrastructure (LaBumbard, ¶ [0121], Fig. 3N, particular severity of vulnerability affecting multiple assets); 
to assign a weight to each of the vulnerabilities, the weight assigned to each of the vulnerabilities being based at least in part on the set of one or more assets affected by that vulnerability (LaBumbard, ¶ [0022], generating a vulnerability score associated with assets of an enterprise which includes collecting results of at least one vulnerability identified on the assets), asset criticalities associated with the set of one or more assets affected by that vulnerability (LaBumbard, ¶ [0053-0080], Base Metrics Scoring calculated based on assets affected), and at least one of 
an exploitability potential of that vulnerability (LaBumbard, ¶ [0103-0104], asset's exploitability potential based on exploitability score of temporal metrics) and 
an impact potential of that vulnerability (LaBumbard, ¶ [0052], impact metrics based on confidentiality, integrity and availability impact);
to determine an order in which to apply a set of remediation actions in the information technology infrastructure (LaBumbard, ¶ [0020-0021], steps include prioritization) to address at least one of the vulnerabilities based at least in part on the weights assigned to the vulnerabilities (LaBumbard, ¶ [0020-0021], instructions include analyzing and prioritization, where one or more vulnerability scores are generated and remediate one or more vulnerabilities); and 
(LaBumbard, Fig. 3P-3S, ¶ [0111, 0123], applying remediation to the assets); 
wherein determining the order in which to apply the set of remediation actions in the information technology infrastructure comprises: 
…
LaBumbard does not teach the limitation of identifying two or more different network portions of the information technology infrastructure; identifying a subset of the plurality of assets located in each of the two or more different network portions of the information technology infrastructure; and determining an ordering of the two or more different network portions based at least in part on weights assigned to the subsets of the plurality of assets located in each of the two or more different network portions of the information technology infrastructure. Roytman remedies and teaches the limitation of identifying two or more different network portions of the information technology infrastructure (Roytman, Fig. 6A-6B, ¶ [0086, 0088], different network segments identified such as DMZ, Linux Servers, desktop computers in customer’s network or ecommerce network); identifying a subset of the plurality of assets located in each of the two or more different network portions of the information technology infrastructure (Roytman, Fig. 1 and 6A-6B, ¶ [0090-0092], assets that can be in different network segments where the remediation order is based on the overall risk scores of those computing assets that are grouped by particular network segment like DMZ or Linux Servers); and determining an ordering of the two or more different network portions (Roytman, ¶ [0050, 0055], risk assessment unit is used to calculate risk score based on computing asset or group of computing assets and ordered remediation list based on the risk score) based at least in part on weights assigned to the subsets of the plurality of assets located in each of the two or more different network portions of the information technology infrastructure (Roytman, Fig. 1, ¶ [0044, 0086], all assets tagged by customer as important are considered important in that network segment. Risk score based on assets grouped according to the subnet). 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify LaBumbard with the teachings of Roytman to assign weight to each of the assets based on static and dynamic criticality metrics, with the motivation to allow users or customers to mark their assets as critical so that those assets are equally considered important and by the popularity of the asset in specific industry (Roytman, ¶ [0044, 0070]).
Regarding claim 19, it is rejected as claim 5. Additionally, LaBumbard discloses the apparatus (LaBumbard, ¶ [0130]).

Regarding claim 20, it is rejected as claim 8. Additionally, LaBumbard discloses the apparatus (LaBumbard, ¶ [0130]) 

Claim 2 is rejected under 35 U.S.C. 103 as being unpatentable over U.S. Pat. Appl. Publ’n No. 20120304300 to LaBumbard hereinafter (“LaBumbard”), in view of U.S. Pat. Appl. Publ’n No. 20150237065 to Roytman et al. hereinafter (“Roytman”), further in view of U.S. Pat. Appl. Publ’n No. 20200210590 to Doyle et al. hereinafter (“Doyle”)
Regarding claim 2, LaBumbard in view of Roytman teaches:
The method of claim 1 wherein the exploitability potential of a given vulnerability is based at least in part on an exploitability metric (LaBumbard, ¶ [0052, 0079-0080], Table 2, exploitability metric defined as access complexity of how complex it is to exploit the vulnerability of an asset), an exploit code maturity metric (LaBumbard, ¶ [0104-0106], Table 7, exploit code maturity metric defined as E Metric measures current state of code availability whether it is proof-of-concept, functional code, or highly available such as a virus), and ...
The combination of LaBumbard and Roytman does not teach the limitation of exploitability potential of a given vulnerability based at least in part on a threat activity metric. Doyle remedies and teaches exploitability potential of a given vulnerability (Doyle, ¶ [0005], degree of one or more exploits for the software vulnerability) based on threat activity score (Doyle, Fig. 4, ¶ [0046], threat activity score that indicates exploitability potential of a vulnerability). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of LaBumbard and Roytman with the teachings of Doyle wherein the exploitability potential is based on threat activity score, with the motivation to identify the degree of threat associated with vulnerabilities where lower score may indicate low likelihood and higher score may indicate higher likelihood of exploitability (Doyle, ¶ [0048]).

Claims 4, 9 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. Pat. Appl. Publ’n No. 2012/0304300 A1 to LaBumbard hereinafter (“LaBumbard”), in view of U.S. Pat. Appl. Publ’n No. 20150237065 to Roytman et al. hereinafter (“Roytman”), further in view of U.S. Pat. No. 8,595845 B2 to Basavapatna et al. hereinafter (“Basavapatna”)
Regarding claim 4, LaBumbard in view of Roytman teaches:
The method of claim 1 wherein assigning a given weight to a given one of the vulnerabilities comprise utilizing a vulnerability weight function that increases the given weight assigned to the given vulnerability (LaBumbard, ¶ [0022, 0053, 0079], utilizing vulnerability assessment to generate vulnerability score which increases): 
…
as criticalities of the assets affected by the given vulnerability increases (LaBumbard, ¶ [0053-0080], asset criticalities measured in base metrics where the increase in criticality components increases the vulnerability score); 
as the exploitability potential of the given vulnerability increases (LaBumbard, ¶ [0103-0106], Table 7, the more easily a vulnerability can be exploited, the higher the vulnerability score); and 
as the impact potential of the given vulnerability increases (LaBumbard, ¶ [0083-0089], increase in the impacts on confidentiality, integrity and availability of the assets increases the vulnerability score).
Combination of LaBumbard and Roytman does not teach the limitation of increase in vulnerability weight as number of assets affected by the given vulnerability increases. Basavapatna remedies and teaches that the weight of vulnerability increases as number of assets affected by the vulnerability increases (Basavapatna, Fig. 4, column 24 lines 22-35, risk metric is the sum of affected assets. The risk metric will increase as the number of assets increase as part of the summation). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of LaBumbard and Roytman with the teachings of Basavapatna to utilize a vulnerability weight function that increases the weight as number of assets affected by the vulnerability increases, with the motivation to enable calculating aggregated risk metrics of the assets. (Basavapatna, column 26 lines 28-44).
Regarding claim 9, LaBumbard in view of Roytman teaches:
The method of claim 8 wherein assigning a given weight to a given one of the plurality of assets comprises utilizing an asset weight function (Roytman, Fig. 4, ¶ [0081], using risk score function by user) that increases the given weight assigned to the given asset (Roytman, Fig. 4, ¶ [0081], risk score can be changed to lower or higher priority): 
as a criticality of the given asset increases (LaBumbard, ¶ [0053-0080], asset criticalities measured in base metrics where the increase in criticality components); … 
as the exploitability potential of the vulnerabilities affecting the given asset increases (LaBumbard, Table 7, the more easily a vulnerability can be exploited, the higher the vulnerability score); and 
as the impact potential of the vulnerabilities affecting the given asset increases (LaBumbard, ¶ [0053-0080], increase in the impacts on confidentiality, integrity and availability of the assets increases the vulnerability score or weight).
The combination of LaBumbard and Roytman does not teach the limitation of number of vulnerabilities affecting the given asset increases asset weight. Basavapatna remedies and teaches the number of vulnerabilities affecting the asset increases the risk metric (Basavapatna, Fig. 3B, column 25 lines 25-45, risk metric will increase as the number of vulnerabilities increase as part of the summation). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of LaBumbard and Roytman with the teachings of Basavapatna to utilize an asset weight function that increases the weight as number of vulnerabilities increases, with the motivation that will enable calculating aggregated risk metrics. Such aggregate risk metrics enables users to set rules that specify if an aggregate risk metric for any vulnerability or threat increases above a threshold, the user can be alerted (Basavapatna, column 26 lines 28-44).
Regarding claim 13, LaBumbard in view of Roytman teaches:
(LaBumbard, ¶ [0107], Table 8, Remediation Level metric where interim remediation is applied to assets for vulnerabilities until official patch is available) comprises …
Combination of LaBumbard and Roytman does not teach the limitation of applying one or more security hardening measures to a given one of the plurality of assets affected by the given vulnerability, a given one of the security hardening measures comprising at least one of: adding additional authentication mechanisms for accessing the given asset; and placing the given asset behind a firewall in the information technology infrastructure. Basavapatna remedies and teaches applying one or more security hardening measures to a given one of the plurality of assets affected by the given vulnerability, a given one of the security hardening measures comprising at least one of: adding additional authentication mechanisms for accessing the given asset; and placing the given asset behind a firewall in the information technology infrastructure (Basavapatna, column 4 lines 54-67, column 5 lines 1-11, using a firewall to protect a port of an application that is vulnerable. Firewall protection is part of passive countermeasures or remediation until active countermeasures are applied which includes available patches). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of LaBumbard and Roytman with the teachings of Basavapatna to have a security hardening measure of placing the asset behind a firewall, with the motivation to cover up the existence of the vulnerability to shield it from exploitation (Basavapatna, column 4 lines 64-67, column 5 lines 1-12).

Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over U.S. Pat. Appl. Publ’n No. 20120304300 A1 to LaBumbard hereinafter (“LaBumbard”), in view of U.S. Pat. Appl. Publ’n No. 20150237065 to Roytman et al. hereinafter (“Roytman”), further in view of U.S. Pat. Appl. Publ’n No. 20200162497 A1 to Iyer et al. hereinafter (“Iyer”)
Regarding claim 6, LaBumbard in view of Roytman teaches
The method of claim 5 wherein the static criticality metric for a given one of the plurality of assets is based at least in part on a type of one or more applications hosted on the given asset (Roytman, fig. 4 405, ¶ [0081], risk score of assets tagged by web server application hosted on the asset. See claim 5 for motivation) and …
The combination of LaBumbard and Roytman does not teach the limitation of static criticality being based on the importance of the one or more applications to the enterprise system. Iyer remedies this and teaches the importance of the one or more applications to the enterprise system (Iyer, Fig. 1, ¶ [0047], service criticality module has service criticality value based on importance of the application). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of LaBumbard and Roytman with the teachings of Iyer to assign a criticality value based on the importance of the application to the enterprise system, with the motivation to enable each IT application to have its own importance based on the provider’s business, the absence of which can result in different degrees of risk (Iyer, ¶ [0024]).

Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over U.S. Pat. Appl. Publ’n No. 20120304300 to LaBumbard hereinafter (“LaBumbard”), in view of U.S. Pat. Appl. Publ’n No. 20150237065 to Roytman et al. hereinafter (“Roytman”), further in view of U.S. Pat. Appl. Publ’n No. 20200092319 to Spisak et al. hereinafter (“Spisak”)
Regarding claim 7, LaBumbard in view of Roytman teaches:
The method of claim 5 wherein the dynamic criticality metric for a given one of the plurality of assets is based at least in part on usage of the given asset (Roytman, ¶ [0070], risk score calculated based on asset usage like how widely the asset is used and the popularity of the asset. See claim 5 for motivation), a number of users that access the given asset (LaBumbard, Table 2 AC Metric, score value based on number of users that are either trusted, untrusted or anonymous who have access to the asset), an amount of network traffic to and from the given asset, and a fraction of time that the given asset is in use in a designated time period.
The combination of LaBumbard and Roytman does not teach the limitation that the dynamic criticality metric for a given asset is based in part on the amount of network traffic to and from the given asset and a fraction of time that the given asset is in use in a designated time period. Spisak remedies this and teaches the dynamic criticality (Spisak, ¶ [0043], dynamic determination of criticality) based on the amount of network traffic to and from the given asset (Spisak, ¶ [0085], asset criticality based on network traffic of e-commerce web-server) and a fraction of time that the given asset is in use in a designated time period (Spisak, ¶ [0025], criticality based on asset use time at certain time periods like in a day, week, month or year). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of LaBumbard and Roytman to have dynamic criticality also based on the amount of traffic to and from the asset and the time the given asset is in use in a designated time period, as in Spisak, with the motivation to discover security vulnerabilities based on structured and unstructured data from sources such as dark web, open internet and internet documentation (Spisak, ¶ [0041]).

Claim 21 is rejected under 35 U.S.C. 103 as being unpatentable over U.S. Pat. Appl. Publ’n No. 20120304300 to LaBumbard hereinafter (“LaBumbard”), in view of U.S. Pat. Appl. Publ’n No. 20150237065 to Roytman et al. hereinafter (“Roytman”), further in view of U.S. Patent Application No. 9213995 to Rao et al. hereinafter (“Rao”)
Regarding claim 21, LaBumbard in view of Roytman teaches:
The apparatus of claim 18 wherein the two or more different network portions of the information technology infrastructure are identified … the subsets of the plurality of assets in the two or more different network portions (Roytman, Fig. 6A-6B, ¶ [0086, 0088], different network segments identified such as DMZ, Linux Servers, desktop computers in customer’s network or ecommerce network), …
The combination of LaBumbard and Roytman does not teach the limitation that two or more network portions are identified based at least in part on personnel responsible for managing the two or more different network portions of the information technology infrastructure comprising a first network portion comprising a first subset of the plurality of assets managed by a first set of personnel and at least a second network portion comprising a second subset of the plurality of assets managed by a second set of personnel different than the first set of personnel. Rao remedies this and teaches that two or more network portions are identified based at least in part on personnel responsible for managing the two or more different network portions (Rao, Fig. 12, col. 5 lines 1-20, network administrators managing different networks where first and second network are managed by administrators. Also see col. 13 lines 45-65 where secondary network administrators are assigned) of the information technology infrastructure comprising a first network portion comprising a first subset of the plurality of assets managed by a first set of personnel (Rao, Fig. 1, col. 4 lines 65-67 and col. 5 lines 1-20, first network N1 has resources R1, R2 and R3 managed by administrator of the first network. Here administrators are interpreted as personnel and resources are interpreted as assets of that network) and at least a second network portion comprising a second subset of the plurality of assets managed by a second set of personnel (Rao, Fig. 1, col. 4 lines 65-67 and col. 5 lines 1-20, second network N2 has resources R4 and R5 managed by administrator of the second network) different than the first set of personnel (Rao, col. 5 lines 3-6, administrator of the first network sending request to administrator of the second network is interpreted as two different administrator personnel).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of LaBumbard and Roytman with the teachings of Rao with the motivation to provide a secure environment in the IT infrastructure not only to the networks sharing data but also to the networks sharing resources across different networks managed by different IT personnel by identifying and remediating vulnerabilities in those shared resources (LaBumbard, ¶ [0004-0005]).
Claim 22 is rejected under 35 U.S.C. 103 as being unpatentable over U.S. Pat. Appl. Publ’n No. 20120304300 to LaBumbard hereinafter (“LaBumbard”), in view of U.S. Pat. Appl. Publ’n No. 20150237065 to Roytman et al. hereinafter (“Roytman”), further in view of U.S. Pat. Appl. Publ’n No. 20190297113 to Yang hereinafter (“Yang”)
Regarding claim 22, LaBumbard in view of Roytman teaches: 
The apparatus of claim 18 wherein the two or more different network portions of the information technology infrastructure are identified (Roytman, Fig. 6A-6B, ¶ [0086, 0088], different network segments identified such as DMZ, Linux Servers, desktop computers in customer’s network or ecommerce network) …
Combination of LaBumbard and Roytman does not teach the limitation of identifying two or more different network portions based on at least in part on whether the subsets of the plurality of assets are part of a public network address space or a non-routable network address space, the two or more different network portions of the information technology infrastructure comprising a first network (Yang, Fig. 2, ¶ [0046], network monitor device determines and scans devices behind one or more NAT devices having public and private IP addresses), the two or more different network portions of the information technology infrastructure comprising a first network portion comprising a first subset of the plurality of assets that are part of the public network address space (Yang, Fig. 2, ¶ [0053], device 230 and firewall 202 having public IP addresses with public network address space) and at least a second network portion comprising a second subset of the plurality of assets that are part of the non-routable network address space (Yang, Fig. 2, ¶ [0048], device 240 and 220 have IP addresses which are commonly known in the art as private and non-routable address space). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of LaBumbard and Roytman with the teachings of Yang with the motivation to scan each device on a network for monitoring and securing communication network in order to prevent unauthorized or rogue devices from accessing network resources (Yang, ¶ [0002]).
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
U.S. Pat. Appl. Publ'n No. 20130174259 to Pearcy et al. discloses a method of grouping assets within a particular computing system based on geographic location for the purposes of identifying security events based on geo-mapping system.
U.S. Pat. Appl. Publ'n No. 20190044972 to Ikeda et al. discloses a technology of reducing the influence of an attack performed on a communication apparatus.

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to NIRAV C SHAH whose telephone number is (408)918-7592.  The examiner can normally be reached on Monday - Thursday and alternate Fridays, 7:30-4:30 PT.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached on (571) 272-3862.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-






/N.C.S./Examiner, Art Unit 2493
/CARL G COLIN/Supervisory Patent Examiner, Art Unit 2493