DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Priority
Applicant’s claim to priority to provisional application No. 62/832,219 has been acknowledged by the examiner. 

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-14 are rejected under 35 U.S.C. 101 because the claimed invention is directed to the abstract idea of a mathematical concept (i.e., mathematical calculations) without significantly more. For instance, consider exemplary independent claim 1. The claim(s) recite(s) obtaining information associated with a software component, applying an artificial intelligence algorithm to the information to derive a CPE identifier, and mapping the CPE identifier to a CVE identifier. This appears to be drawn to feeding input data into an AI model and obtaining a result. This judicial exception is not integrated into a practical application because merely adding the words “apply it” (or an equivalent) with the judicial exception, or mere instructions to implement an abstract idea on a computer, or merely uses a computer as a tool to perform an abstract idea are not sufficient - see MPEP 2106.05(f). In this case, the judicial exception is performed by a processor. However, the processor merely exists to perform the judicial exception, which is not considered to be applying the judicial exception with, or by use of, a particular machine. Further, 
Abstract idea limitations: “A method for aggregating, ranking, and minimizing threats based on external vulnerability data, comprising: accessing data defining a configuration; (I) applying, artificial intelligence to at least a portion of the data to identify a common platform enumeration (CPE) identifier; and (II) mapping, the CPE identifier to a common vulnerability enumeration (CVE) identifier to identify a vulnerability.”
Claim elements which may be considered to be additional elements: “to computer systems; of a target information technology (IT) system; by a processor, defining a software component of the target IT system; corresponding to the software component; for the software component of the target IT system.”
The claim(s) does/do not include additional elements that are sufficient to amount to significantly more than the judicial exception because adding the words “apply it” (or an equivalent) with the judicial exception, or mere instructions to implement an abstract idea on a computer, or merely uses a computer as a tool to perform an abstract idea / generally linking the judicial exception to a particular technological environment or field of use are not sufficient—see MPEP 2106.05(f)&(h). Here, the claim language merely recites a computing environment (the software component and IT system) from which input data is obtained for entry into the mathematical calculation, and a processor which performs the judicial exception. Attaching the judicial exception to different systems in a broad manner (i.e., a software component, IT system, and execution by a processor) without further detail is not considered to be sufficient to amount to significantly more than the exception.


Claim 15 is rejected under 35 U.S.C. 101 because the claimed invention is directed to the abstract idea of a mental process (i.e., concepts performed in the human mind, including an observation, evaluation, judgment, and/or opinion) without significantly more. The claim(s) recite(s) obtaining information including CPEs and CVEs (an observation), obtaining information associated with a software component of an IT system (an observation), and identifying a specific CPE in the software information (an observation / evaluation). For instance, a user reading a manual comprising CPE/CVE information and information for a software component, where the user then looks up the relevant CPEs within the manual. This judicial exception is not integrated into a practical application because generally linking the use of the judicial exception to a particular technological environment or field of use / adding the words “apply it” (or an equivalent) with the judicial exception, or mere instructions to implement an abstract idea on a computer, or merely uses a computer as a tool to perform an abstract idea are not sufficient—see MPEP 2106.05(f)&(h). In this case, the claims link the judicial exception to an IT system and include computing elements for executing the judicial exception (i.e., the device, processor, network interface, and memory). However, the IT system and software application appear to merely be a source for observed information. Likewise, the computing elements perform no function other than to execute the judicial exception. As such, the claims appear to be directed to the judicial exception itself, rather than to a practical application of the judicial exception.
Abstract idea limitations: “aggregating, ranking, and minimizing threats based on external vulnerability data, comprising: access to information including common platform enumerations (CPEs) and corresponding common vulnerability enumerations (CVEs); and access data, and identify a CPE of the CPEs.”

The claim(s) does/do not include additional elements that are sufficient to amount to significantly more than the judicial exception because adding the words “apply it” (or an equivalent) with the judicial exception, or mere instructions to implement an abstract idea on a computer, or merely uses a computer as a tool to perform an abstract idea / generally linking the judicial exception to a particular technological environment or field of use are not sufficient—see MPEP 2106.05(f)&(h). Here, the claim language merely recites a computing environment (the software component and IT system, as well as a network) from which data is obtained for observation (i.e., linking the judicial exception to the environment). Attaching the judicial exception to different systems in a broad manner (i.e., a software component, IT system, and network) without further detail is not considered to be sufficient to amount to significantly more than the exception. Likewise, the claim language merely recites computing elements which exist to perform the judicial exception (i.e., the processor, network interface, and memory) without further detail other than the judicial exception. 

Claim 16 is rejected under 35 U.S.C. 101 because the claimed invention is directed to the abstract idea of a mental process (i.e., concepts performed in the human mind, including an observation, evaluation, judgment, and/or opinion) without significantly more. Claim 16 is substantially similar to claim 15, but is broader and is drawn to a computer-readable media having instructions executed by a processor rather than a device with memory having 

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1-14 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention. Claim 1 recites the limitation "of the data defining a software component of the target IT system," where it is not clear whether this is the same as the “data defining a configuration of a target information technology (IT) system” or a second data. As such, this limitation may be seen as a second / distinct data from that defining a configuration. Therefore there is insufficient antecedent basis for this limitation in the claim. Dependent claims 2-14 do not rectify this indefiniteness and are therefore likewise rejected. 

Claim Objections
Claim 14 is objected to because of the following informalities: it recites “and probability of exploitation” rather than “and a probability” / “and the probability.” Appropriate correction is required.

Claim Rejections - 35 USC § 102

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claim(s) 1-5 and 15-16 is/are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Kim (US 2019/0147167 A1).

Regarding claim 1, Kim discloses: A method for aggregating, ranking, and minimizing threats to computer systems based on external vulnerability data, comprising: 
accessing data defining a configuration of a target information technology (IT) system; 
Refer to at least [0048]-[0049] of Kim with respect to acquiring both formal and informal vulnerability data. For instance, informal vulnerability data may include a source code of a web page, security patch information, firmware version and security warning, patch information, and so forth. The formal and informal vulnerability data further include, e.g., an identifier, a reference, and a product name.
(I) applying, by a processor, artificial intelligence (e.g., [0058]-[0059] of Kim concerning the classification model / machine learning examples) to at least a portion of the data (i.e., converting / formalizing the informal vulnerability data) defining a software component of the target IT system to identify a common platform enumeration (CPE) identifier corresponding to the software component; and 
Refer to at least [0010], [0013], FIG. 10, [0061], and [0066] of Kim with respect to converting an identifier of the informal vulnerability data to that of a CPE identifier. 
(II) mapping, by the processor, the CPE identifier to a common vulnerability enumeration (CVE) identifier to identify a vulnerability for the software component of the target IT system.
Refer to at least the abstract, FIG. 11, [0011], [0051]-[0054], [0061], and [0072]-[0073] with respect to associating with a CVE identifier and storing to a vulnerability table. 

Regarding claim 2, Kim discloses: The method of claim 1, further comprising applying, by the processor, natural language processing functions (interpreted according to the specification: e.g., [0039] of the specification) to correlate the CPE identifier with an identifier of the software component to identify the CPE identifier.
Refer to at least [0012], [0063], [0065]-[0066], [0058]-[0059], and [0072] of Kim with respect to parsing language, keyword analysis, using a dictionary, and machine learning to identify CPE identifiers in the informal vulnerability data. 

Regarding claim 3, it is rejected for substantially the same reasons as claims 1-2 above (i.e., the citations; e.g., FIG. 10 of Kim as an example).

Regarding claim 4, Kim discloses: The method of claim 1, further comprising, by the processor, repeating step (I) to identify a plurality of CPEs associated with a software stack of the target IT system.
Refer to at least [0012] and [0067]-[0072] with respect to building and converting a CPE tree into one or more CPEs conforming to the format of the CPE dictionary.

Regarding claim 5, Kim discloses: The method of claim 4, further comprising, by the processor, repeating step (II) to identify a plurality of CVEs corresponding to the plurality of CPEs associated with the software stack of the target IT system.
Refer to at least [0073] and FIG. 11 with respect to CVEs associated with the formalized CPEs. 

Regarding claim 15, Kim discloses: A device for aggregating, ranking, and minimizing threats to computer systems based on external vulnerability data, comprising: 
a processor; 
Refer to at least FIG. 4 and [0047] of Kim with respect to a vulnerability information collecting apparatus comprising a processor.
a network interface in operable communication with the processor, the network interface operable for communicating with a network and providing the processor with access to information including common platform enumerations (CPEs) and corresponding common vulnerability enumerations (CVEs); and 
Refer to at least [0048] of Kim, wherein “the information collector 310 may be configured to include a network interface for transmitting and receiving data.” The data being formal and/or informal vulnerability data comprising, e.g., CPEs and CVEs (e.g., [0038] of Kim).
a memory storing a set of instructions executable by the processor, the set of instructions, when executed by the processor, operable to: access data associated with an IT system, the data defining a software component implemented by the IT system, and 
Refer to at least [0047] of Kim with respect to memory. 
Refer to at least [0048]-[0049] of Kim with respect to acquiring both formal and informal vulnerability data. For instance, informal vulnerability data may include a source code of a web page, security patch information, firmware version and security warning, patch 
identify a CPE of the CPEs associated with the software component.
Refer to at least [0010], [0013], FIG. 10, [0061], and [0066] of Kim with respect to converting an identifier of the informal vulnerability data to that of a CPE identifier. 

Regarding independent claim 16, it is substantially similar to elements of claim 15 above, but is broader. Accordingly, claim 16 is rejected for substantially the same reasons as claim 15 above (i.e., the citations).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 6-8 is/are rejected under 35 U.S.C. 103 as being unpatentable over Kim as applied to claims 1-5 and 15-16 above, and further in view of Eck (US 2015/0332054 A1).

Regarding claim 6, Kim does not disclose: further comprising: computing, by the processor, a probability of exploitation associated with each of the plurality of CVEs; and computing, by the processor, a probability that the IT system will be exploited (Cx), expressed as 1 - a probability that none of the vulnerabilities are going to be exploited. However, Kim in view of Eck discloses: further comprising: computing, by the processor, a probability of exploitation associated with each of the plurality of CVEs; and computing, by the processor, a probability that the IT system will be exploited (Cx), expressed as 1 - a probability that none of the vulnerabilities are going to be exploited. 
Refer to at least [0031] and [0045] of Eck with respect to using, e.g., CVE data as evidence to form a probabilistic assessment of a cyber threat's (e.g., a cyber threat that exploits a vulnerability) existence or a cyber threat track. It is a property of probability that if P(A) is the probability of Event A, then 1 - P(A) is the probability that the event does not occur.
The teachings of Kim and Eck concern vulnerability data such as CVEs, and are considered to be within the same field of endeavor and combinable as such.
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of Kim to further include probabilistic cyber threat recognition and prediction for at least the reasons specified in [0014]-[0018] of Eck (i.e., increased security through predictive, rather than reactive, cyber threat prevention).

Regarding claim 7, Kim-Eck discloses: The method of claim 5, further comprising: computing, by the processor, a probability of exploitation associated with each of the plurality of CVEs; and computing, by the processor, a probability that the IT system will be exploited (Cx), where Cx is expressed by taking a probability of exploitation of the vulnerability that has a greatest probability of exploitation (it is noted that the claim language merely recites “taking a probability” rather than exclusively taking / specifying an exact equation).
Refer to at least [0045] of Eck, wherein “a collection of predicted cyber threats present in the network can be projected or predicted forward in time…  A prediction can thus consist of a probability of attack from each cyber threat based on the predicted or received evidence.”
Refer to at least the abstract, [0016], and [0066] of Eck with respect to a score threshold of probability. 
This claim would have been obvious for substantially the same reasons as claim 6 above.

Regarding claim 8, Kim-Eck discloses: The method of claim 1, further comprising: computing, by the processor, a probability of exploitation associated with the IT system by computing an expected value relating to an expected number of attacks against the vulnerabilities associated with the IT system.
Refer to at least [0041] and [0045] of Eck with respect to determining the probabilistic assessment based on a collection of predicted cyber threats present in the network.
This claim would have been obvious for substantially the same reasons as claim 6 above.

Claims 9-13 is/are rejected under 35 U.S.C. 103 as being unpatentable over Kim as applied to claims 1-5 and 15-16 above, and further in view of “Security Risk Management in Computing Systems with Constraints on Service Disruption,” hereinafter “Bommannavar.”

Regarding claim 9, Kim does not disclose: further comprising: identifying an impact of employing a software patch to the software component, by: computing a function that quantifies the impact and takes as inputs a threat level associated with an older software version and a threat level associated with an updated software version. However, Kim in view of Bommannavar discloses: further comprising: identifying an impact of employing a software patch to the software component, by: computing a function that quantifies the impact and takes as inputs a threat level associated with an older software version and a threat level associated with an updated software version. 
Refer to at least “IV. Extensions” in Bommannavar with respect to computing a cost associated with a patched version of software compared with an older/unpatched 
The teachings of Kim and Bommannavar both concern vulnerabilities and are considered to be within the same field of endeavor and combinable as such. 
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of Kim to further include determining a cost associated with patching vulnerabilities for an optimal policy for at least the reasons discussed in “I. Introduction:” i.e., the imperative to develop an automatic patching process. 

Regarding claim 10, Kim-Bommannavar discloses:  The method of claim 1, further comprising: identifying an impact of employing a software patch to the software component, by: computing a function that quantifies an impact of patching a single vulnerability of the IT system.
Refer to at least “II. Model” of Bommannavar with respect to seeking an optimal policy based on the impact of vulnerabilities and vulnerabilities accrued over time. 
This claim would have been obvious for substantially the same reasons as claim 9 above. 

Regarding claim 11, Kim-Bommannavar discloses: The method of claim 1, further comprising: solving, by the processor an optimization problem using integer programming to identify the optimal set of software upgrades that may be applied to the IT system that reduces threat in view of a software upgrade constraint, k.
Refer to at least the abstract and “II. Model” of Bommannavar with respect to a constraint M.
Refer to at least “III. Dynamic Programming” (e.g., the first paragraph) with respect to a dynamic programming approach for constructing an optimal policy.
This claim would have been obvious for substantially the same reasons as claim 9 above. 

Regarding claim 12, it is rejected for substantially the same reasons as claims 9 and 11 above (i.e., the citations concerning a cost of patching cp which is part of an extension to the approach for constructing an optimal policy).

Regarding claim 13, it is rejected for substantially the same reasons as claims 10-11 above (i.e., the citations concerning the constraint M: the number of times the network may be patched).

Claim 14 is/are rejected under 35 U.S.C. 103 as being unpatentable over Kim as applied to claims 1-5 and 15-16 above, and further in view of “A Decision Support System for Corporations Cyber Security Risk Management,” hereinafter “Molina.”

Regarding claim 14, Kim does not disclose:  further comprising, given a set of alerts, computing, by the processor, a ranking based on vulnerabilities of the IT system and probability of exploitation of the vulnerabilities to provide threat-based alert triage. However, Kim in view of Molina discloses: further comprising, given a set of alerts, computing, by the processor, a ranking based on vulnerabilities of the IT system and probability of exploitation of the vulnerabilities to provide threat-based alert triage. 
Refer to at least pages 57-58 and 74 of Molina with respect to displaying alerts and organizing vulnerabilities according to severity / score. 
The teachings of Kim and Molina both concern vulnerabilities (e.g., CPE, CVE, CVSS) and are considered to be within the same field of endeavor and combinable as such. 
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of Kim to further include displaying alerts and organizing vulnerabilities according to severity / score for at least the purpose of better usability (i.e., helping an analyst to better address vulnerabilities). 

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to VADIM SAVENKOV whose telephone number is (571)270-5751. The examiner can normally be reached 12PM-8PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey L Nickerson can be reached on (469) 295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/DAO Q HO/      Primary Examiner, Art Unit 2432