DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Election/Restrictions
NO restrictions warranted at applicant’s initial time of filing for patent. 
Priority
Applicant claims NO foreign or domestic priority at initial time of filing for patent. 
The effective filing date of the claimed invention is 01/17/2020. 
Information Disclosure Statement
The information disclosure statements (IDS) submitted on 01/17/2020 and 02/05/2020 are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statements are being considered by the examiner.
Drawings
Applicant’s drawings filed on 01/17/2020 have been inspected and are in compliance with MPEP 608.02.
Specification
Applicant’s specification filed on 01/17/2020 has been inspected, and is in compliance with MPEP 608.01. 
Claim Objections
NO objections warranted at applicant’s initial time of filing for patent. 
Claim Interpretation – 35 USC 112, 6th paragraph or 112(f)
It is the examiner’s opinion that claim[s] 1 – 20 do not invoke “means for” or “step plus function” claim language under the meaning of the statute.
Claim Rejections – 35 USC § 112
NO rejections warranted at applicant’s initial time of filing for patent. 
Claim Rejections - 35 USC § 101
NO rejections warranted at applicant’s initial time of filing for patent. 
***The examiner notes that in the specification as filed, applicant explicitly admits that the claimed “computer readable storage medium” or other variations of a “medium” are not to embody a “transitory signal” or “signal or radio waves or any other energy of any sort,” etc. Please see paragraph 0013 of the specification as filed.
Double Patenting
NO rejections warranted at applicant’s initial time of filing for patent. 
Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claim(s) 1 – 3, 5 – 10, 12 – 17, 19, 20 is/are rejected under 35 U.S.C. 102(a)(2) as being taught by Pope et al. [US PGPUB # 2018/0124092]
As per claim 1. Pope does teach a method [Pope, paragraph: 0012, lines 1 – 3, Aspects of the present disclosure relate to identifying a vulnerability of an asset of a network infrastructure to mitigate.] comprising:
receiving, by one or more processors, network infrastructure data regarding a network [Pope, Figure # 1, paragraph: 0019, lines 3 – 5, In general, the environment 100 may include a security recommendation component 135 that receives data associated with a network infrastructure];
identifying, by the one or more processors, a plurality of vulnerabilities associated with one or more components of the network [Pope, Figure # 1, paragraph: 0019, lines 3 – 9, In general, the environment 100 may include a security recommendation component 135 that receives data associated with a network infrastructure and generates  a network graph used to identify a vulnerability of one or more assets of the network infrastructure that contributes more to a probability of a successful security breach for the network infrastructure than another vulnerability. ];
generating, by the one or more processors, an architecture model based, at least in part, on the network infrastructure data and the plurality of vulnerabilities [Pope, paragraph: 0018, lines 6 – 10, Such a determination may be based on the characteristics of the assets of the network infrastructure [i.e. applicant’s network infrastructure data] and the use of a network graph [i.e. applicant’s architecture model] to identify the particular vulnerability that contributes more to the probability of a successful security breach of the assets of the network infrastructure. Where at Figure # 1, and paragraph: 0022, lines 15 – 19, The probability, likelihood, or an assessment of a successful security breach [i.e. applicant’s plurality of vulnerabilities] of the assets of the network infrastructure may be determined by using the network graph generated by the security recommendation component 135.];
generating, by the one or more processors, a vulnerability expansion model based, at least in part, on the architecture model [Pope, Figure #2, a nodes vulnerabilities sub-component 220 that may identify the vulnerabilities associated with each of the nodes of the network graph [i.e. applicant’s generating, by one or more processors, a vulnerability expansion model..etc.]. Where at paragraph: 0024, lines 14 – 17, The security recommendation component 200 may further include a nodes controls sub-component 230 that may identify controls that are associated with each of the nodes of the network graph [i.e. applicant’s generating, by one or more processors, a vulnerability expansion model..etc.]]; and
determining, by the one or more processors, a vulnerability expansion based, at least in part, on the vulnerability expansion model and at least one vulnerability of plurality of vulnerabilities being compromised [Pope, Figure #2, paragraph: 0024, lines 6 – 10, Furthermore, the security recommendation component 200 may include a nodes vulnerabilities sub-component 220 that may identify the vulnerabilities associated with each of the nodes of the network graph. Then where at paragraph: 0024, lines 17 – 21, For example, a control may correspond to a software or hardware capability of the asset represented by the respective node that is enabled to mitigate one of the vulnerabilities  of the respective asset].
As per claim 2. Pope does teach the method of claim 1, the method further comprising: determining, by the one or more processors, a criticality rating for at least one vulnerability of the plurality of vulnerabilities based, at least in part, on an amount of additional vulnerabilities the compromised vulnerability provides access [Pope, Figure # 5, and paragraph: 0049, lines 1 – 21,  Referring to FIG. 5, the processing logic may further determine a total amount that the vulnerability contributes to the probability [i.e. applicant’s criticality rating] of a successful security breach based on a combination of the amount for each of the identified nodes (block 540). For example, an aggregate of the amounts that the vulnerability [i.e. applicant’s at least one vulnerability] contributes to the probability of the successful security breaches for each of the nodes may be summed, added, or combined. Thus, a total amount that the vulnerability contributes to the probability of a successful security breach across the assets represented by nodes of the network graph may be calculated. For example, the values of the vulnerability across each of the nodes may be added or combined. The processing logic may further determine whether another vulnerability associated with one or more nodes of the network graph contributes more to the probability of the successful security breach than the identified vulnerability (block 550) [i.e. applicant’s a criticality rating for at least one vulnerability of the plurality of vulnerabilities…based on an amount of additional vulnerabilities the compromised vulnerability provides access]. If the other vulnerability does not contribute more to the probability of the successful security breach, then the identified vulnerability may be provided as a vulnerability of the network infrastructure that is to be mitigated (block 560). ].
As per claim 3. Pope does teach the method of claim 2, wherein the criticality rating is further based, at least in part, on one or more of the following: (i) an intrinsic criticality of a resource associated with the at least one vulnerability; (ii) a detectability of the at least one vulnerability; (iii) a degree of extent that the resource associated with the at least one vulnerability is able to be compromised [Pope, Figure # 3, and paragraph: 0027, lines 30 – 37,  In some embodiments, each vulnerability may be assigned a value or a score that may represent an amount that the vulnerability may contribute to the probability of a successful security breach for the asset that is associated with the vulnerability or an amount that the vulnerability may contribute to the impact of a successful security breach for the asset. Further details with regard to such values assigned to vulnerabilities are described in conjunction with FIG. 4B. ]; and (iv) a difficulty to exploit the at least one vulnerability.
As per claim 5. Pope does teach the method of claim 1, wherein the architecture model includes nodes for one or more of the following network components: (i) network zones, (ii) firewalls, (iii) devices of the network [Pope, paragraph: 0015, lines 13 – 18, Thus, the network graph [i.e. applicant’s architecture model] may represent every asset of the network infrastructure where each node of the network graph represents one of the assets of the network infrastructure. The network graph may further include nodes that represent entities associated with a use of the network infrastructure.], and (iv) vulnerabilities associated with at least one device of the network.
As per claim 6. Pope does teach the method of claim 1, wherein directed paths of the architecture model are based, at least in part, on network zones [Pope, Figure # 1, and paragraph: 0020, lines 2 – 13, the environment 100 may include the security recommendation component 135 of a server 130 that receives various types of data associated with a network infrastructure. For example, the security recommendation component 135 may receive entity data 110 and assets data 120. The entity data 110 may identify one or more entities that are associated with a use of the network infrastructure. For example, the entity data 110 may identify, but is not limited to, one or more corporations, organizations under the corporations (e.g., a sales department, information technology (IT) department, etc.), third party entities (e.g., other organizations providing external servers or external resources to the network infrastructure) [i.e. applicant’s network zones], and personnel (e.g., records identifying employees of the company). Where at Figure # 1, paragraph: 0019, lines 3 – 9, In general, the environment 100 may include a security recommendation component 135 that receives data associated with a network infrastructure and generates  a network graph used to identify a vulnerability of one or more assets of the network infrastructure that contributes more to a probability of a successful security breach for the network infrastructure than another vulnerability] and one or more firewall rules [Pope, figure # 2, and paragraph: 0024, lines 14 – 21, The security recommendation component 200 may further include a nodes controls sub-component 230 that may identify controls [i.e. applicant’s firewall rules] that are associated with each of the nodes of the network graph. For example, a control may correspond to a software or hardware capability of the asset represented by the respective node that is enabled to mitigate one of the vulnerabilities of the respective asset.].
As per claim 7. Pope does teach the method of claim 1, the method further comprising: determining, by the one or more processors, at least on vulnerability of the plurality of vulnerabilities based, at least in part, on at least one configuration of a component of the network [Pope, Figure # 3, and paragraph: The processing logic may further determine vulnerabilities for each of the assets of the network infrastructure (block 320). In some embodiments, the nodes that represent assets of a network infrastructure may include a label or an identification of the vulnerabilities that are assigned to the asset represented by the respective node. For example, as previously described, assets data may be received. The assets data may identify one or more software and hardware characteristics of a particular asset. In some embodiments, the characteristics may include, but are not limited to, a hardware configuration, software version, types of hardware devices used by the asset, operating system version used by the asset, software applications and the versions of the software applications run or executed by the asset, etc.].
As per computer program product claim 8, that includes the same or similar claim limitations as method claim # 1, and is similarly rejected. 
***The examiner points to the prior art of Pope, at paragraph: 0065, specifically, paragraph: 0065, lines 1 – 6, which discloses applicant’s recited: “computer program product” and “one or more computer readable storage media,” and “program instructions.”
As per computer program product claim 9, that includes the same or similar claim limitations as method claim # 2, and is similarly rejected. 

As per computer program product claim 10, that includes the same or similar claim limitations as method claim # 3, and is similarly rejected. 

As per computer program product claim 12, that includes the same or similar claim limitations as method claim # 5, and is similarly rejected. 

As per computer program product claim 13, that includes the same or similar claim limitations as method claim # 6, and is similarly rejected. 

As per computer program product claim 14, that includes the same or similar claim limitations as method claim # 7, and is similarly rejected.

As per computer system claim 15 that includes the same or similar claim limitations as method claim # 1, and is similarly rejected. 
***The examiner points to the prior art of Pope, at paragraph: 0065, specifically, paragraph: 0065, lines 1 – 6 and at paragraph: 0057, specifically, paragraph: 0057, lines 1 – 6, which discloses applicant’s recited: “one or more computer processors” and “one or more computer readable storage media,” and “program instructions stored on the computer readable storage media.”
As per computer system claim 16 that includes the same or similar claim limitations as method claim # 2, and is similarly rejected. 

As per computer system claim 17 that includes the same or similar claim limitations as method claim # 3, and is similarly rejected. 

As per computer system claim 19 that includes the same or similar claim limitations as method claim # 5, and is similarly rejected. 

As per computer system claim 20 that includes the same or similar claim limitations as method claim # 6, and is similarly rejected. 
Allowable Subject Matter
Claim[s] 4, 11, 18 contain allowable subject matter, but as allowable subject matter has been indicated, applicant's reply must either comply with all formal requirements or specifically traverse each requirement not complied with.  See 37 CFR 1.111(b) and MPEP § 707.07(a).
Claim[s] 4, 11, 18 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Choi et al. teach illustrative embodiments that also provide for another computer-implemented method. The method includes a computer accessing a configuration of a network and the computer determining dependencies between security vulnerabilities associated with nodes in the network.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DANT SHAIFER - HARRIMAN whose telephone number is (571)272-7910. The examiner can normally be reached M - F: 9am to 5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand, can be reached on 571-272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, 
/DANT B SHAIFER HARRIMAN/          Primary Examiner, Art Unit 2434