Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims  1-4, 7, 9-12, 15, 18-21, 23 is/are rejected under 35 U.S.C. 103 as being unpatentable over Newton US 2007/0180107 in view of Li US 2017/0098087

As per claims 1, 23  Newton teaches A method for vulnerability management for connected devices in a network, using an Enterprise Aggregation and Analysis Server (EAAS), said method comprising: analyzing data packets from said network, by an Edge Packet Collector and Processor (EPCP) module, coming from one or more devices in said network; [0042][0043][0055][0072]-[0080]  (teaches an enterprise security system including packet collecting and collating, along with vulnerability analysis and remediation, including forecast of likely attacks and success likelihood)



It would have been obvious to one of ordinary skill in the art to use the scoring of Li with the system of Newton at the time the invention was filed. because it provides a comprehensive way to accurately evaluate system for vulnerabilities.
As per claim 2. Li teaches The method in claim 1, where calculating VS for said vulnerability comprises: calculating impact metric (IM) and exploitability metric (EM); assigning weights W.sub.i and W.sub.e to IM and EM respectively, based on the context; calculating vulnerability score using IM, EM and their respective weights, using the formula: VS=W.sub.i.times.IM+W.sub.e.times.EM, where IM is impact metric, W.sub.i is the weight for impact metric, EM is exploitability metric, and W.sub.e is the weight for exploitability metric.   [0036][0039]  (teaches calculating a composite vulnerability score based on weighted metrics 
As per claim 7. Li teaches The method in claim 1, said method further comprising: identifying plurality of anomalies for said device; assigning scores to each of said plurality of anomalies, based on criticality of anomaly; and determining an overall anomaly score for said device. [0040]As per claim 9. Newton teaches The method in claim 1, said method further comprising: 
As per claim 15. Newton teaches The method in claim 1, where said report highlights high risk assets for user attention. [0055][0056][0078][0080]   (Examiner asserts that “highlights” is subjective, and well known in the art in any case)



Claims 5, 6 is/are rejected under 35 U.S.C. 103 as being unpatentable over Newton US 2007/0180107 in view of Li US 2017/0098087 in view of Pfleger de Aguiar US 2018/0136921.
 The method in claim 2, where IM is calculated using: IM=Minimum(1-(1-CI.times.CR).times.(1-II.times.IR).times.(1-AI.times.AR),- 0.915), where CI is Confidentiality Impact, CR is Confidentiality Requirement, II is Integrity Impact, IR is Integrity Requirement, AI is Availability Impact, and AR is Availability Requirement. [0031] (teaches including all these factors in calculating an impact/exploit score)
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to use the teaching of Pfleger de Aguiar  with the prior combination because it provides a more comprehensive calculationAs per claim 6. Pfleger de Aguiar  teaches The method in claim 2, where EM is calculated using: EM=AV.times.AC.times.PR.times.UI, where AV is Attack Vector, AC is Attack Complexity, PR is Privilege Required, and UI is User Interaction. [0031] (teaches including all these factors in calculating an impact/exploit score)
Claim 13, 14 is/are rejected under 35 U.S.C. 103 as being unpatentable over Newton US 2007/0180107 in view of in view of Li US 2017/0098087 in view of Govindarajan US 2006/0095961.
As per claim 13. Govindarajan The method in claim 11, wherein said reconfiguration includes assigning said device or said group of devices to their own VLAN.  [0014][0038]  (teaches that the highly vulnerable device is isolated in a secure VLAN) 
 


Claim 16, 17 is/are rejected under 35 U.S.C. 103 as being unpatentable over Newton US 2007/0180107 in view of in view of Li US 2017/0098087 in view of Navarro US 2019/0230098
As per claim 16. Navarro teaches The method in claim 1, said method further comprising automatically mitigating risk by taking necessary action for vulnerabilities crosses a pre-configured threshold. [0037][0039] (teaches a score crosses a preset threshold and automatically protected against high risk vulnerability threat)
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to use the threshold of Navarro with the previous combination because it helps prioritize remediation.
As per claim 17. Navarro teaches The method in claim 1, said method further comprising marking said device as high-risk asset based on vulnerability score, when said vulnerability score is crosses a pre-configured threshold. [0037][0039] (teaches a score crosses a preset threshold and automatically protected against high risk vulnerability threat)


Claim 22 is/are rejected under 35 U.S.C. 103 as being unpatentable over Newton US 2007/0180107 in view of Li US 2017/0098087 in view of Bar Joseph US 10,963,571

It would have been obvious to one of ordinary skill in the art to use the risk of Bar Joseph with the previous combination because it includes more comprehensive vulnerability assessment 



Allowable Subject Matter
Claim 8 is objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.



Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHRISTOPHER BROWN whose telephone number is (571)272-3833. The examiner can normally be reached M-F 8-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on (571) 270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/CHRISTOPHER J BROWN/Primary Examiner, Art Unit 2439