Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 

DETAILED ACTION
This is in response to the amendments filed 12/20/2019.  Claims 1-16 are pending and have been considered below.

Priority
16722383, filed 12/20/2019 claims foreign priority to 2019-004023, filed 01/15/2019.

Drawings
The drawings filed on 12/30/2019 are accepted.

Specification
The specification filed on 12/30/2019 is accepted.

Information Disclosure Statement
The information disclosure statement (IDS) submitted 12/20/2019 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitation(s) is/are: a vulnerability information collector, a relevance determiner, a vulnerability influence degree calculator, a vulnerability influence degree determiner, a vulnerability influence degree determiner, a vulnerability countermeasure information, a vulnerability countermeasure executor in claims 1-16.
Because these claims limitations are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claim limitations “a vulnerability information collector, a relevance determiner, a vulnerability influence degree calculator, a vulnerability influence degree determiner and a vulnerability influence degree determiner, a vulnerability countermeasure information, a vulnerability countermeasure executor” invokes 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. However, the written description fails to disclose the corresponding structure, material, or acts for performing the entire claimed function and to clearly link the structure, material, or acts to the function. The specification fails to provide any structure or algorithm that performs the function in claims.  The specification only disclose in paragraph 68 that the 
Applicant may:
(a)        Amend the claim so that the claim limitation will no longer be interpreted as a limitation under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph; 
(b)        Amend the written description of the specification such that it expressly recites what structure, material, or acts perform the entire claimed function, without introducing any new matter (35 U.S.C. 132(a)); or 
(c)        Amend the written description of the specification such that it clearly links the structure, material, or acts disclosed therein to the function recited in the claim, without introducing any new matter (35 U.S.C. 132(a)).
If applicant is of the opinion that the written description of the specification already implicitly or inherently discloses the corresponding structure, material, or acts and clearly links them to the function so that one of ordinary skill in the art would recognize what structure, material, or acts perform the claimed function, applicant should clarify the record by either: 
(a)        Amending the written description of the specification such that it expressly recites the corresponding structure, material, or acts for performing the claimed function and clearly links or associates the structure, material, or acts to the claimed function, without introducing any new matter (35 U.S.C. 132(a)); or 


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1 and 2 are rejected under 35 U.S.C. 103 as being unpatentable over Sakaki U.S. 2010/0162401 A1 in view of Kataoka U.S. 2004/0210421.
Claim 1: Sakaki teaches a vulnerability influence evaluation system comprising: 
a vulnerability information storage which stores vulnerability information including information indicating a vulnerability target which is a target to be influenced by vulnerability, and information indicating a vulnerability severity of the vulnerability (par. 14, a risk model storage section that stores as a risk model, a correspondence relationship between threats constituting a risk and a measure against the threat); 
par.14, 46,an information collecting section that collects as an adopted measure, a measure adopted in an analysis target system); 
a relevance determiner which compares configuration information about an evaluation target with the vulnerability information, determines whether or not there is relevance between the evaluation target and the vulnerability on the basis of whether or not the evaluation target includes the vulnerability target, and detects the vulnerability determined to be relevant to the evaluation target, as relevant vulnerability (14, 46, risk analyzing section that calculates a magnitude of the risk in the analysis target system as a risk value on the basis of the risk model and the adopted measure);
 a vulnerability influence degree calculator which calculates a vulnerability influence degree of the relevant vulnerability on the basis of the vulnerability severity of the relevant vulnerability and a relevance degree between the relevant vulnerability and a threat according to the relevant vulnerability (par. 14, 46 an influence degree calculating section that calculates an influence degree of the existence or non-existence of the measure on a result of the calculation of the risk value); 
Sakati fails to teach, however Kataoka in the same field of endeavor teaches
par.13, 15, 52, 57, an influence degree determining module configured to determine a degree of influence on the program by the influenced element); and 
an output which outputs a result of the determination by the vulnerability influence degree determiner (par.58-59, The risk degree display unit 41 edits information such as the numerical value obtained by the risk degree calculating unit 40, and prepares to browse the risk degree information by use of the input unit and the like shown in FIG. 1. Concretely, the influence degree is inputted as a first parameter, the influence range is inputted as a second parameter, a parameter group expressed two-dimensionally by the first parameter and the second parameter is constituted, and the risk degree is displayed two-dimensionally (refer to FIG. 16 and FIG. 17). As a display method, not only a simple linear combination but also a combination reflecting various policies can be conceived). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the disclosure of Sakati with the additional features of Kataoka in order to provide the ability for improving the maintainability and extensibility of the existing program, and aims to modify module configuration, class configuration and the like without modifying a performing function  Kataoka par.5.
Claim 2: the combination teaches
wherein the vulnerability influence degree calculator corrects the relevance degree in accordance with an operation condition of the evaluation target (Sakakipar.70-71, 75-76). 

Claims 3 and 4 are rejected under 35 U.S.C. 103 as being unpatentable over Sakaki U.S. 2010/0162401 A1 in view of Kataoka U.S. 2004/0210421in further view of Curtis et al U.S. 2012/0210434 A1.
Claims 3 and 4: the combination fails to teach, however Curtis et al in the same field of endeavor teaches
wherein the vulnerability information further includes vulnerability countermeasure information which is information indicating a countermeasure for the vulnerability, the vulnerability influence evaluation system further comprising ,  which performs a vulnerability countermeasure on the basis of the vulnerability countermeasure information, wherein the vulnerability countermeasure executor performs the vulnerability countermeasure for the relevant vulnerability for which determination on the vulnerability influence par.35-37,40 and Fig.7).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the combined disclosure of Sakati with the additional features of Curtis et al in order to provide the ability for controlling the operation of a security countermeasure for mitigation purposes to documenting the awareness of a security countermeasure that is in place, as suggested by Curtis et al abstract.

Claims 5 and 6 are rejected under 35 U.S.C. 103 as being unpatentable over Sakaki U.S. 2010/0162401 A1 in view of Kataoka U.S. 2004/0210421in further view of Raz et al U.S. 2014/0215629 A1.
Claims 5 and 6: the combination teaches 
wherein the vulnerability information storage transmits a vulnerability information update notification to the vulnerability information collector when addition or update has been performed for the stored vulnerability information, and the vulnerability information collector collects the vulnerability information when having received the vulnerability information update notification (Raz et al, par.10, 21, 24, 25, 34). 
Sakati with the additional features of Raz et al in order to provide the ability for automatic update of a Common Vulnerability Scoring System (CVSS) score, as suggested by Raz et al abstract.

Claims 7 and 8 are rejected under 35 U.S.C. 103 as being unpatentable over Sakaki U.S. 2010/0162401 A1 in view of Kataoka U.S. 2004/0210421in further view of view of Curtis et al U.S. 2012/0210434 A1 and Raz et al U.S. 2014/0215629 A1.
Claims 7 and 8: the combination teaches 
wherein the vulnerability information storage transmits a vulnerability information update notification to the vulnerability information collector when addition or update has been performed for the stored vulnerability information, and the vulnerability information collector collects the vulnerability information when having received the vulnerability information update notification(Raz et al, par.10, 21, 24, 25, 34). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the combined disclosure of Sakati with the additional features of Raz et al in order to provide the ability for automatic  Raz et al abstract.

Claims 9  and 10  are rejected under 35 U.S.C. 103 as being unpatentable over Sakaki U.S. 2010/0162401 A1 in view of Kataoka U.S. 2004/0210421in further view of view of Lee et al U.S. 2019/0052663 A1.
Claims 9 and 10: the combination fails to teach, however Lee et al in the same field of endeavor teaches
 	wherein the vulnerability information collector collects the vulnerability information periodically (par.100). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the combined disclosure of Sakati with the additional features of Lee et al in order to provide the ability for enhancing network security in which attack surfaces of hosts on a network are analyzed, hosts, the security of which has to be enhanced, are identified, and the security of the corresponding hosts is enhanced, as suggested by Lee et al par.2.

Claims 11 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Sakaki U.S. 2010/0162401 A1 in view of Kataoka U.S. 2004/0210421 A1 in further view of view of Curtis et al U.S. 2012/0210434 A1 and Lee et al U.S. 2019/0052663 A1.
Claims 11 and 12: the combination fails to teach, however Lee et al in the same field of endeavor teaches
 	wherein the vulnerability information collector collects the vulnerability information periodically (par.100). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the combined disclosure of Sakati with the additional features of Lee et al in order to provide the ability for enhancing network security in which attack surfaces of hosts on a network are analyzed, hosts, the security of which has to be enhanced, are identified, and the security of the corresponding hosts is enhanced, as suggested by Lee et al par.2.

Claims 13 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Sakaki U.S. 2010/0162401 A1 in view of Kataoka U.S. 2004/0210421 A1 in further view of Lotem et al U.S. 2006/0218640 A1.
Claims 13 and 14: the combination fails to teach, however Lotem et al in the same field of endeavor teaches 
par.173, Fig.3). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the combined disclosure of Sakati with the additional features of Lotem et al in order to provide the ability for evaluating an Intrusion Detection and Prevention (IDP) entity, the method includes evaluating an effect of at least one IDP rule applied by the IDP entity on legitimate traffic, based upon a network model; evaluating an effect of at least one IDP rule applied by the IDP entity based upon a network model and an attack model; determining an effectiveness of the IDP entity in response to the evaluated effects, as suggested by Lotem et al abstract.

Claims 15 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Sakaki U.S. 2010/0162401 A1 in view of Kataoka U.S. 2004/0210421 A1 in further view of Curtis et al U.S. 2012/0210434 A1 and U.S. 200 Lotem et al U.S. 2006/0218640 A1.
Claims 13 and 14: the combination fails to teach, however Lotem et al in the same field of endeavor teaches 
 wherein the vulnerability information collector collects the vulnerability information at a timing of starting vulnerability influence evaluation for the evaluation target (par.173, Fig.3). 
Sakati with the additional features of Lotem et al in order to provide the ability for evaluating an Intrusion Detection and Prevention (IDP) entity, the method includes evaluating an effect of at least one IDP rule applied by the IDP entity on legitimate traffic, based upon a network model; evaluating an effect of at least one IDP rule applied by the IDP entity based upon a network model and an attack model; determining an effectiveness of the IDP entity in response to the evaluated effects, as suggested by Lotem et al abstract.
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Al-Harbit et al U.S. 2012/0180133 A1 system, program product and methods for performing risk assessment workflow process for plant network and systems.
Goldberg et al U.S. 8,312,549 B2 practical threat analysis.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to FATOUMATA TRAORE whose telephone number is (571)270-1685.  The examiner can normally be reached on 6:30-3:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






Wednesday, September 29, 2021

/FATOUMATA TRAORE/Primary Examiner, Art Unit 2436