Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

DETAILED ACTION

1.        Claims 1 - 22 are pending.  Claims 1, 12 are independent. 
2.        This application was filed on 12-19-2018.     

Claim Rejections - 35 USC § 103  

3.        The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

4.        Claims 1 - 10, 12 - 21 are rejected under 35 U.S.C. 103 as being unpatentable over Oliphant et al. (US PGPUB No. 20050005159) in view of Vaidya et al. (US Patent No. 7,797,752).     	

Regarding Claims 1, 12, Oliphant discloses a method for determining if a software component is susceptible to a vulnerability and a device for determining if a software component is susceptible to a vulnerability, the method comprising: 
a)  accessing a vulnerability listing object comprising: a vulnerability identifier uniquely identifying a software vulnerability; (see Oliphant paragraph [0005], lines 
b)  vulnerability causes information for use in determining software affected by the vulnerability (see Oliphant paragraph [0012], lines 4-12: security server collects data from devices, including software installed on devices, their configuration and policy settings, and patches that have been installed; security server also obtains from vulnerability and remediation database a regularly updated list of security vulnerabilities in software for a wide variety of operating systems, software applications), the vulnerability causes information comprising:
c)  patch information specifying one or more patches, each associating a patch token with a patch details identifying a software patch. (see Oliphant paragraph [0012], lines 12-19: security server downloads a regularly updated list of remediation techniques that can be applied to protect a device from damage due to those vulnerabilities; each vulnerability in remediation database is identified by a vulnerability identifier, and vulnerability identifier is used to retrieve remediation information (patch information) from database) and 


Oliphant does not specifically disclose for d) Boolean expression processing patch information, and for e) determining with Boolean expression if software patches are present, and for f) Boolean expression processing patch information, and for g) indicating software component(s) susceptible to software vulnerability.  
However, Vaidya discloses:
d)  a Boolean expression using one or more of the plurality of patch tokens, the Boolean expression identifying software patches associated with the vulnerability listing object; and e) determining if software patches associated with the one or more patch tokens of the Boolean expression are present; and g) indicating that the software component is susceptible to the software vulnerability based on the evaluation of the Boolean expression. (see Vaidya col 8, lines 12-15: comparing (Boolean operation) the list of active applications and operating system versions with the vulnerability database, a list of actual vulnerabilities applicable to the system are derived)    
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Oliphant for d) Boolean expression processing patch information, and for e) determining with Boolean expression if software patches are present, and for f) Boolean expression 

Furthermore for Claim 12, Oliphant discloses wherein a processor for executing instructions; and a memory for storing instructions, which when executed by the processor configure the device to perform operations. (see Oliphant paragraph [0012], lines 1-4: includes processor, and memory  encoded with programming instructions executable by processor  to perform several important security-related functions)

Regarding Claims 2, 13, Oliphant-Vaidya discloses the method of claim 1 and the device of claim 12, wherein the vulnerability listing object further comprises information for fixing the vulnerability. (see Oliphant paragraph [0012], lines 12-19: security server downloads a regularly updated list of remediation techniques that can be applied to protect a device from damage due to those vulnerabilities; each vulnerability in remediation database is identified by a vulnerability identifier, and vulnerability identifier is used to retrieve remediation information from database; (patch information utilized for fixing vulnerability))    

Regarding Claims 3, 14, Oliphant-Vaidya discloses the method of claim 2 and the device of claim 13, wherein the information for fixing the vulnerability comprises: a 

Oliphant does not specifically disclose Boolean expression utilized for associating each corrective patch token with a corrective patch location. 
However, Vaidya discloses wherein Boolean expression utilized for associating each respective corrective patch token with a corrective patch location for retrieving the corrective patch. (see Vaidya col 8, lines 28-33: system provides a URL (location, domain name, path identifier) to download patches; downloading patches comprises going to one or more predefined URLs provided for each of the applications that require patches, and downloading the patches)    
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Oliphant for Boolean expression utilized for associating each corrective patch token with a corrective patch location as taught by Vaidya. One of ordinary skill in the art would have been motivated to employ the teachings of Vaidya for the benefits achieved from a system that enables a security 

Regarding Claims 4, 15, Oliphant-Vaidya discloses the method of claim 3 and the device of claim 14, further comprising: 
a)  determining which of the one or more corrective patch identifiers to apply; (see Oliphant paragraph [0012], lines 12-19: security server downloads a regularly updated list of remediation techniques that can be applied to protect a device from damage due to those vulnerabilities; each vulnerability in remediation database is identified by a vulnerability identifier, and vulnerability identifier is used to retrieve remediation information from database; (corrective patch information)) and
d)  applying each of the retrieved corrective patches. (see Oliphant paragraph [0023], lines 8-13: remediation technique(s) are applied to machine(s) attacked; to all devices subject to same vulnerability (based on their real-time software, patch, policy, and configuration status); or to all devices to which selected remediation can be applied)    

Oliphant does not specifically disclose for a) utilizing a Boolean expression process patch information, and for b) determining respective corrective patch location, and for c) retrieving corrective patches from respective patch locations. 
However, Vaidya discloses:
a)  Boolean expression utilized to process corrective patch; (see Vaidya col 8, lines 12-15: comparing the list of active applications and operating system versions 
b)  determining the respective corrective patch location from the corrective patch information; and c) retrieving one or more corrective patches from the respective corrective patch locations; (see Vaidya col 8, lines 28-33: system provides a URL (location, domain name, path identifier) to download patches; downloading patches comprises going to one or more predefined URLs provided for each of the applications that require patches, and downloading the patches) 
             It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Oliphant for a) utilizing a Boolean expression process patch information, and for b) determining respective corrective patch location, and for c) retrieving corrective patches from respective patch locations as taught by Vaidya. One of ordinary skill in the art would have been motivated to employ the teachings of Vaidya for the benefits achieved from a system that enables a security structure in which a computer system is protected from all available vulnerabilities.  (see Vaidya col 2, lines 43-45)

Regarding Claims 5, 16, Oliphant-Vaidya discloses the method of claim 4 and the device of claim 15, further comprising:
a)  determining if each of the one or more retrieved corrective patches were successfully applied; (see Oliphant paragraph [0005], lines 4-7: database stores data indicating installed operating system(s), installed software, patches that have been applied (successfully applied), system policies that are in place, and configuration information for each device) and
b)  if one or more of the corrective patches were not successfully applied, providing a notification that one or more of the corrective patches were not successfully applied. (see Oliphant paragraph [0016], lines 7-12: each device execute a client-side program that continuously monitors software installation and configuration status for that device; changes to that status (unsuccessful patch application) are communicated in substantially real time to security server, which continuously maintains the information in database)    

Regarding Claims 6, 17, Oliphant-Vaidya discloses the method of claim 1 and the device of claim 12.
Oliphant does not specifically disclose retrieving the vulnerability listing object from a network location provided by a base location. 
However, Vaidya discloses wherein further comprising retrieving the vulnerability listing object from a network location provided by a base location comprising a website domain followed by a predetermined location identifier. (see Vaidya col 8, lines 28-33: system provides a URL (domain name, path identifier) to download patches; downloading patches comprises going to one or more predefined URLs provided for each of the applications that require patches, and downloading the patches)    
             It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Oliphant for retrieving the vulnerability listing object from a network location provided by a base location as taught by Vaidya.   

Regarding Claims 7, 18, Oliphant-Vaidya discloses the method of claim 6 and the device of claim 17. 
Oliphant does not specifically disclose location further comprises one or more of: a subdomain; and a path identifier. 
However, Vaidya discloses wherein the base location further comprises one or more of: a subdomain; and a path identifier. (see Vaidya col 8, lines 28-33: system provides a URL (location, domain name, path identifier) to download patches; downloading patches comprises going to one or more predefined URLs provided for each of the applications that require patches, and downloading the patches)    
             It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Oliphant for location further comprises one or more of: a subdomain; and a path identifier as taught by Vaidya.  One of ordinary skill in the art would have been motivated to employ the teachings of Vaidya for the benefits achieved from a system that enables a security structure in which a computer system is protected from all available vulnerabilities.  (see Vaidya col 2, lines 43-45)

Regarding Claims 8, 19, Oliphant-Vaidya discloses the method of claim 6 and the device of claim 18, wherein the vulnerability listing object further comprises: one or 

Oliphant does not specifically disclose a product identifier indicating a software product.
However, Vaidya discloses wherein a product identifier indicating a software product. (see Vaidya col 8, lines 12-15: comparing (Boolean operation) the list of active applications and operating system versions with the vulnerability database, a list of actual vulnerabilities applicable to the system are derived; (operating system version identification analogous to product identifier))
             It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Oliphant for a product identifier indicating a software product as taught by Vaidya. One of ordinary skill in the art would have been motivated to employ the teachings of Vaidya for the benefits achieved from a system that enables a security structure in which a computer system is protected from all available vulnerabilities.  (see Vaidya col 2, lines 43-45)

Regarding Claims 9, 20, Oliphant-Vaidya discloses the method of claim 8 and the device of claim 19, wherein the one or more vulnerabilities are specified within the vulnerability listing object indirectly by referencing a second vulnerability listing object. 

Regarding Claims 10, 21, Oliphant-Vaidya discloses the method of claim 1 and the device of claim 12, further comprising determining one or more software components to be checked, wherein the software components to be checked are located on one or more of: a device that the method is performed by; and one or more devices different from the device that the method is performed by. (see Oliphant Fig. 2 (security server 135; computer 137, computer 139); paragraph [0016], lines 7-12: devices 137 and 139 each execute a client-side program that continuously monitors software installation and configuration status for that device; changes to that status are communicated in substantially real time to security server 135, which continuously maintains the information in database 146; security server and monitor computer device are separate objects; (selected: devices different from the device that the method is performed by))    

5.        Claims 11, 22 are rejected under 35 U.S.C. 103 as being unpatentable over Oliphant in view of Vaidya and further in view of Hibbert et al. (US PGPUB No. 20140245376). 

Regarding Claims 11, 22, Oliphant-Vaidya discloses the method of claim 1 and the device of claim 12, wherein the vulnerability listing object further comprises version check information comprising:
c)  wherein the version check information is used to determine if software is vulnerable by: determining a version number of a software component to be checked for susceptibility to the software vulnerability; (see Oliphant paragraph [0012], lines 12-19: security server downloads a regularly updated list of remediation techniques that can be applied to protect a device from damage due to those vulnerabilities; each vulnerability in remediation database is identified by a vulnerability identifier, and vulnerability identifier is used to retrieve remediation information (patch information) from database) and 
d)  applying the determined version number according to the one or more version rules. (see Oliphant paragraph [0023], lines 8-13: remediation technique(s) are applied to the machine(s) that was attacked; to all devices subject to same vulnerability (based on their real-time software, patch, policy, and configuration status); or to all devices to which selected remediation can be applied)       

Oliphant-Vaidya does not specifically disclose for a) version rules providing a version definition for a software version number, and for b) identifying software versions associated with vulnerability. 
However, Hibbert discloses:
a)  one or more version rules providing a version definition of how a software version number is formed from a plurality of tokens; and b) using one or more of the plurality of tokens, identifying software versions associated with the vulnerability 
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Oliphant-Vaidya for a) version rules providing a version definition of how a software version number, and for b) identifying software versions associated with vulnerability as taught by Hibbert.   One of ordinary skill in the art would have been motivated to employ the teachings of Hibbert for the benefits achieved from a system that enables generation of version information utilized to identify applications within a patch type environment.  (see Hibbert paragraph [0243]; [0245])  

Oliphant-Hibbert does not specifically disclose for b) Boolean expression utilized to process patch information, and for d) Boolean expression utilized to process patch information. 
However, Vaidya discloses: 
b)  Boolean expression utilized to process patch information; and d) Boolean expression utilized to process patch information. (see Vaidya col 8, lines 12-15: comparing the list of active applications and operating system versions with the 
             It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Oliphant-Hibbert for b) Boolean expression utilized to process patch information, and for d) Boolean expression utilized to process patch information as taught by Vaidya. One of ordinary skill in the art would have been motivated to employ the teachings of Vaidya for the benefits achieved from a system that enables a security structure in which a computer system is protected from all available vulnerabilities.  (see Vaidya col 2, lines 43-45)

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to CARLTON JOHNSON whose telephone number is (571)270-1032. The examiner can normally be reached Work: 12-9PM (most days).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on 571-272-4219. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.




/MOHAMMAD W REZA/Primary Examiner, Art Unit 2436                                                                                                                                                                                                        

/CJ/
December 20, 2021