Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
This action is responsive to the amendment filed on 7/23/2021. Claims 1, 20, 38 and 39 are independent. Claims 1, 6, 10, 18, 20, 25, 29 and 37-39 are amended. Claims 1-39 are currently pending.

Response To Arguments
The objection to claims 1, 6, 10, 18, 20, 25, 29 and 37-39 is withdrawn in view of the amendment.
Applicant’s argument with respect to the rejection of claims 1-39 under 35 U.S.C. 103 has been carefully and thoroughly considered. The argument is moot in view of the new ground of rejection.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103(a) are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

This application currently names joint inventors. In considering patentability of the claims, the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 1-3, 7-17, 19-22, 26-36, 38 and 39 are rejected under 35 U.S.C. 103 as being unpatentable over Biswas et al. (US 20200128047 A1), hereinafter Biswas, in view of Bellis et al. (US 10114954 B1), hereinafter Bellis, further in view of Muddu et al. (US 20170063908 A1), hereinafter Muddu.

Regarding claim 1, Biswas teaches a method of training a model for threat score assessment of software vulnerabilities, comprising:
obtaining training data associated with a first set of software vulnerabilities, the training data for each software vulnerability among the first set of software 
generating a threat score prediction model based on the training data (para. 0166, [i]n various examples, the threat detection engine 302 can perform regression analysis on each indicator used to compute a risk score, on the risk score. Regression analysis may include building and updating a linear regression model. … coefficients c.sub.1 computed by the regression model could be new or modified weights that would replace the initial weights for computing the risk score. The model can provide greater accuracy as more feedback and more data is collected), 
wherein the threat score prediction model is configured to determine a threat score for a candidate software vulnerability that is indicative of a likelihood that the candidate software vulnerability will be targeted for exploitation, or successfully exploited (para. 0161, …indicators, can be used to compute a risk score, which is also referred to herein as a measure of security. In various examples, the threat detection 
Biswas does not explicitly disclose (ii) a degree to which one or more exploits that have already been developed for the software vulnerability are described across one or more public exploit databases and (iii) information from one or more third party threat intelligence sources that characterizes one or more historic threat events associated with the software vulnerability, or any combination of (i)-(iv).
However, in an analogous art, Bellis teaches
(ii) a degree to which one or more exploits that have already been developed for the software vulnerability are described across one or more public exploit databases (col9 ln15-col11 ln33, which describes that a particular vulnerability already has an exploit developed for it; col5 ln58-col6 ln2, score feature 124 may indicate software vulnerability 108 is exposed to more risk than software vulnerability 110, because software vulnerability 108 has a risk score of fifty, which is higher than the risk score of forty-seven for software vulnerability 110. Common Vulnerability Scoring System (CVSS) score data may be used in the determination of a risk score as described in U.S. patent application Ser. No. 14/181,352, hereinafter ‘352, the entirety of which is incorporated herein by reference; para. 0034 of US 20150237062 A1, which is the publication of ‘352, [i]n an embodiment, a vulnerability threat management platform requests data about breaches, exploits, vulnerabilities of computing assets from various data sources such as Alien Vault's Open Threat Exchange, RiskDB, the National Vulnerability Database, the Web Applications Security Consortium (WASC), the Exploit Database, SHODAN, and the Metasploit Project. As referred to herein, a breach is a successful 
(iii) information from one or more third party threat intelligence sources that characterizes one or more historic threat events associated with the software vulnerability (col4 ln2-16, [i]n the example of FIG. 1, prevalence feature 116 is of a numeric type. In some embodiments, prevalence feature 116 indicates a number of copies of software that are affected by a particular vulnerability), or any combination of (i)-(iv).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Biswas and Bellis because it would provide a way to accurately anticipate or predict vulnerability.
The combination of Biswas and Bellis does not explicitly disclose a target window of time, or both. However, in an analogous art, Muddu teaches a target window of time, or both (para. 0426, computer network activities occur in the time period, a start time, an end time, an average gap period between the computer network activities that occur in the time period, or a standard deviation of gap periods between the computer network activities that occur in the time period; 0522 and 0531, detection of an unusual R in a target window).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Biswas, Bellis and Muddu because it would provide a way to accurately anticipate or predict vulnerability (Muddu, para. 0626).

Regarding claims 2 and 21, the combination of Biswas, Bellis and Muddu teaches all of the limitations of claims 1 and 20, respectively, as described above. Biswas further teaches wherein the training data includes the degree to which the software vulnerability is described across the set of public media sources (para. 0133, social media system, news aggregator or provider; para. social media sites, news organizations).

Regarding claims 3 and 22, the combination of Biswas, Bellis and Muddu teaches all of the limitations of claims 2 and 21, respectively, as described above. Biswas further teaches wherein the set of public media sources includes one or more mainstream news media sources, one or more web forums, one or more technical publications, one or more dark web sources, one or more social media sources, or any combination thereof (para. 0277, social media networks and/or other communication services such as Twitter® feeds, Facebook® updates, web feeds such as Rich Site Summary (RSS) feeds, and/or real-time updates from one or more third party information sources).

Regarding claim 19, the combination of Biswas, Bellis and Muddu teaches all of the limitations of claim 1, as described above. Biswas further teaches further comprising: applying the threat score prediction model with respect to input data for each of a second set of software vulnerabilities to generate a respective threat score for each software vulnerability among the second set of software vulnerabilities (para. 

Regarding claims 7 and 26, the combination of Biswas, Bellis and Muddu teaches all of the limitations of claims 1 and 20, respectively, as described above. Bellis further teaches wherein the training data includes the degree to which one or more exploits that have already been developed for the software vulnerability are described across the one or more public exploit databases (col5 ln58-col6 ln2, Common Vulnerability Scoring System (CVSS) score data [degree] may be used in the determination of a risk score).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Biswas, Muddu and Bellis because it would provide a way to accurately anticipate or predict vulnerability (Bellis, col1 ln48-53).

Regarding claims 8 and 27, the combination of Biswas, Bellis and Muddu teaches all of the limitations of claims 7 and 26, respectively, as described above. Bellis further teaches wherein the training data includes a count of a number of entries related to the software vulnerability on the one or more public exploit databases (col4 ln17-22, prevalence feature 116 indicates a number [count] of references, in a particular database, to a particular vulnerability. For example, prevalence feature 116 may indicate that software vulnerability 114 has 250,000 different references to it in a particular organization's configuration management database.)


Regarding claims 9 and 28, the combination of Biswas, Bellis and Muddu teaches all of the limitations of claims 1 and 20, respectively, as described above. Bellis further teaches wherein the training data includes the information from the one or more third party threat intelligence sources that characterizes the one or more historic threat events associated with the software vulnerability (col7 ln48-54, learning from historical relationships and trends in the data).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Biswas, Muddu and Bellis because it would provide a way to accurately anticipate or predict vulnerability (Bellis, col1 ln48-53).

Regarding claims 10 and 29, the combination of Biswas, Bellis and Muddu teaches all of the limitations of claims 9 and 28, respectively, as described above. Bellis further teaches wherein the training data includes, for a particular window of time, a total number of threat events related to the software vulnerability, a language, media type associated with one or more threat events, topic associated with the one or more threat events, a number of days since a first threat event, a number of days since a most recent threat event, a number of days having at least one threat event, or any 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Biswas, Muddu and Bellis because it would provide a way to accurately anticipate or predict vulnerability (Bellis, col1 ln48-53).

Regarding claims 11 and 30, the combination of Biswas, Bellis and Muddu teaches all of the limitations of claims 1 and 20, respectively, as described above. Bellis further teaches wherein the training data includes the information that characterizes the at least one behavior of the enterprise network in association with the software vulnerability (col9 ln15-19, Vulnerability selection logic 216 may generate training data 210 based on interacting with database(s) 204. More specifically, vulnerability selection logic 216 may determine which of the software vulnerabilities stored in database(s) 204 are to be included in a training set; … training set has a value for a developed exploit feature and/or a value for a developed exploit time [behavior] feature).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Biswas, Muddu 

Regarding claims 12 and 31, the combination of Biswas, Bellis and Muddu teaches all of the limitations of claims 1 and 20, respectively, as described above. Biswas further teaches wherein the training data includes information that characterizes one or more historic remediation metrics of the software vulnerability (para. 0064, In some examples, the security information 126 includes historic data: the results of past analysis (e.g., from the last month, last three months, last year, or some other past time period) which can be consulted when needed. In some examples, the security information 126 can further include records of past security incidents, determinations of whether the past security incidents were actual incidents or false positives, records of remediation actions taken for past incidents, and/or outcomes of performing remediation actions, among other data. In some examples, the security information 126 can further include network threat intelligence data, obtained, for example, from third-party threat intelligence aggregators and distributors).

Regarding claims 13 and 32, the combination of Biswas, Bellis and Muddu teaches all of the limitations of claims 1 and 20, respectively, as described above. Bellis further teaches wherein the one or more historic remediation metrics include an average time to remediate the software vulnerability in a particular network (col7 ln48-54, These analytical models allow researchers, data scientists, engineers, and analysts to produce 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Biswas, Muddu and Bellis because it would provide a way to accurately anticipate or predict vulnerability (Bellis, col1 ln48-53).

Regarding claims 14 and 33, the combination of Biswas, Bellis and Muddu teaches all of the limitations of claims 1 and 20, respectively, as described above. Bellis further teaches wherein the training data includes a degree to which one or more customers perceive the software vulnerability as a threat (col7 ln48-54, These analytical models allow researchers, data scientists, engineers, and analysts to produce reliable, repeatable decisions and results as well as to uncover hidden insights through learning from historical relationships and trends in the data).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Biswas, Muddu and Bellis because it would provide a way to accurately anticipate or predict vulnerability (Bellis, col1 ln48-53).

Regarding claims 15 and 34, the combination of Biswas, Bellis and Muddu teaches all of the limitations of claims 1 and 20, respectively, as described above. Bellis further teaches wherein the degree to which the one or more customers perceive the software vulnerability as a threat is indicated via a recast score that overrides a threat 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Biswas, Muddu and Bellis because it would provide a way to accurately anticipate or predict vulnerability (Bellis, col1 ln48-53).

Regarding claims 16 and 35, the combination of Biswas, Bellis and Muddu teaches all of the limitations of claims 1 and 20, respectively, as described above. Bellis further teaches wherein the training data includes inter-customer recast metrics (para. 0036, Automated anomaly-based threat detection logic also requires regular updates to incorporate feedback from the security experts as well as tenants to eliminate false positives).

Regarding claims 17 and 36, the combination of Biswas, Bellis and Muddu teaches all of the limitations of claims 1 and 20, respectively, as described above. Biswas further teaches wherein the inter-customer recast metrics include: an average recast score for the software vulnerability from among a plurality of recast scores provided from a plurality of customers, a maximum recast score for the software vulnerability from among the plurality of recast scores, a minimum recast score for the 

Regarding claims 20, 38 and 39, they are similarly rejected as claim 1.

Claims 4 and 23 are rejected under 35 U.S.C. 103 as being unpatentable over Biswas, Bellis and Muddu, as applied in the claims above, further in view of Truve et al. (US 20180063170 A1), hereinafter Truve.

Regarding claims 4 and 23, the combination of Biswas, Bellis and Muddu teaches all of the limitations of claims 2 and 21, respectively, as described above.
The combination of Biswas, Bellis and Muddu does not explicitly disclose wherein the training data includes one or more features derived from one or more natural language descriptions of the software vulnerability in a given public media source. However, in analogous art, Truve teaches wherein the training data includes one or more features derived from one or more natural language descriptions of the software vulnerability in a given public media source (para. 0024, information from sources such as RSS feeds, web sites, social media, forums, paste sites, honey pots, IRC, TOR/Onion, and threat lists. It also includes an ingestion layer 34 that performs 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Biswas, Muddu and Truve because it would provide a way of better understanding of maliciousness (Truve, para. 0030).

Claims 5, 6, 24 and 25 are rejected under 35 U.S.C. 103 as being unpatentable over Biswas, Bellis and Muddu, as applied in the claims above, further in view of Tegegne et al. (US 20170213258 A1), hereinafter Tegegne.

Regarding claims 5 and 24, the combination of Biswas, Bellis and Muddu teaches all of the limitations of claims 2 and 21, as described above. 
The combination of Biswas, Bellis and Muddu does not explicitly disclose wherein the training data includes a prevalence of references to the software vulnerability across the one or more public media sources. However, in an analogous art, Tegegne teaches wherein the training data includes a prevalence of references to the software vulnerability across the one or more public media sources (para. 0002, The volume of textual data has increased due to the prevalence of internet use. This textual data is in the form of discussion forums, customer reviews, social media feeds, contact center records, support tickets, conversations in collaboration solutions, event logs, etc.).


Regarding claims 6 and 25, the combination of Biswas, Muddu and Truve teaches all of the limitations of claims 5 and 24, respectively, as described above. Biswas further teaches wherein the threat score prediction model assigns weights to one or more of the references based on a media source type, a degree of prominence of the associated references, or both (para. 0162 and 0213, … profile has a weight that is different from a corresponding weight of the vertex in the cumulative graph profile by more than a threshold amount, an anomaly may be detected. Thresholds may be set for each individual action depending on the type of action).

Claims 18 and 37 are rejected under 35 U.S.C. 103 as being unpatentable over Biswas, Bellis and Muddu, as applied in the claims above, further in view of Paulo et al. (WO 2019089389 A1), hereinafter Paulo.

Regarding claims 18 and 37, the combination of Biswas, Bellis and Muddu teaches all of the limitations of claims 1 and 20, respectively, as described above. Biswas further teaches further comprising:
obtaining secondary training data associated with the first set of software vulnerabilities, (para. 0253, a first set of pods may be provisioned for a database 
The combination of Biswas, Bellis and Muddu does not explicitly disclose the second training data for each software vulnerability among the first set of software vulnerabilities including one or more of a degree of difficulty or complexity associated with exploit development for the software vulnerability, an age of the software vulnerability, an age of a developed exploit for the software vulnerability, information characterizing a set of software versions exposed to the software vulnerability, information characterizing a set of vendors that are exposed to the software vulnerability, or a prevalence of the software vulnerability, wherein the generating is further based upon the secondary training data. However, in an analogous art, Paulo teaches a degree of difficulty or complexity associated with exploit development for the software vulnerability, an age of the software vulnerability, an age of a developed exploit for the software vulnerability, information characterizing a set of software versions exposed to the software vulnerability, information characterizing a set of vendors that are exposed to the software vulnerability, or a prevalence of the software vulnerability, wherein the generating is further based upon the secondary training data (para. 0064, vulnerability can exist in variant software versions that run on different operating systems; software version is software age).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Biswas, Bellis, Muddu and Paulo because it would provide a way of better understanding of maliciousness of particular subject (Paulo, para. 00104).

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). 
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHU CHUN GAO whose telephone number is (571)270-5999. The examiner can normally be reached on Monday-Thursday 6:00-4:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, KRISTINE KINCAID, can be reached on 571-272-4063. The fax phone 
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/SHU CHUN GAO/Examiner, Art Unit 2437 


/NELSON S. GIDDINS/Primary Examiner, Art Unit 2437