DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1, 2, 7-11, 15, 16, 18, and 19, as best understood, are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Hu et al., USPN 2018/0285797.
With regard to claims 1, 15, and 18, Hu discloses a computer-implemented method (0016) for analyzing systems for security vulnerabilities (0014, 0029), the method including selecting a first system from a plurality of devices (0026, 0028, Fig. 4) which can be servers (“For example, one user can own multiple devices (laptops, servers, phones) and one device (server) may be used by multiple users”, 0031), wherein the first device (server) includes a plurality of accounts (“one device (server) 
With regard to claims 2, 16, and 19, Hu discloses the method of claim 1, as outlined above, and further discloses associating a user to each weak account of the plurality of accounts, including a first user associated with the first weak account (0024), associating the first user to other weak accounts on other servers (0023, 2nd user down in Fig. 4), and calculating, for the first user, a first user risk score (0024, 0035).
With regard to claim 7, Hu discloses the method of claim 1, as outlined above, and further discloses associating a first user with the first weak account, wherein the first user is an owner of the first weak account (0024), and identifying a second server of nd used down in Fig. 4).
With regard to claim 8, Hu discloses the method of claim 1, as outlined above, and further discloses determining the overall server score is above a server risk threshold (0046, 0060, 0086), and identifying, in response to the overall server being above the server risk threshold, a third server of the plurality of servers, wherein the third server and the first server have at least one data factor and one server factor in common (0061).
With regard to claim 9, Hu discloses the method of claim 1, as outlined above, and further discloses generating, based on the server factors, a base score, wherein the server factors represent uses of the first server (0045, 0050), and adjusting, based on the data factors, the base score, wherein the data factors represent types of data in the first server (0037, 0093).
With regard to claim 10, Hu discloses the method of claim 1, as outlined above, and further discloses the data factors are personally identifiable information (0093), and wherein the server factors are public access (0032, 0037).
With regard to claim 11, Hu discloses the method of claim 1, as outlined above, and further discloses the risk level for the first server is categorized into one of a plurality of categories, wherein each category is delineated based on the overall risk score (0034, 0053, 0066), and a high risk server is prioritized for future analysis of the security vulnerabilities (0030, 0029, 0025).
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 3-6, 17, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Hu in view of Bhola, USPN 2013/0085953.
With regard to claims 3, 17, and 20, Hu discloses the method of claim 1, as outlined above, but does not disclose remediation in response to a risk score being above a given threshold. Bhola discloses a risk assessment method (0001) that detects weak passwords (0033) similar to that of Hu, and further discloses determining the first user risk score is above a user risk threshold (0061), and remediating, in response to determining the first user risk score is above the user risk threshold, the first weak account (0061). It would have been obvious for one of ordinary skill in the art, prior to the instant effective filing date, to implement the remediation of Bhola in the method of Hu for the motivation of improved security.

With regard to claim 5, Hu in view of Bhola discloses the method of claim 1, as outlined above, and Bhola further discloses the remediation can be prompting the user to correct the problem (user may be instructed as to how to improve the protection, 0073). The motivation to combine remains the same as outlined above.
With regard to claim 6, Hu in view of Bhola discloses the method of claim 1, as outlined above, and Bhola further discloses the remediation can be notifying an administrator (notifying the social network contact, 0061). The motivation to combine remains the same as outlined above.
Claims 12-14 are rejected under 35 U.S.C. 103 as being unpatentable over Hu in view of Rojewski, USPN 7,581,245.
With regard to claims 12-14, Hu discloses the method of claim 1, as outlined above, and Hu discloses that the password could be high risk (0023) based on being used in less reputable devices (0025), and likelihood that it was leaked (0036), which is seen as a weakness in the credential, but not necessarily based on its predictability. Rojewski discloses a method of determining risk based on credentials (column 3 lines 20-28) similar to that of Hu, and further discloses determining if a password is weak based on a dictionary lookup, matching other passwords, or similarity to the user’s name (column 1 lines 32-44). It would have been obvious for one of ordinary skill in the art, prior to the instant effective filing date, to implement the weak .
Response to Arguments
Applicant's arguments filed 12 January 2022 have been fully considered but they are not fully persuasive.
Applicant’s amendment to claim 9 has overcome the 112 rejection of the prior office action.
Applicant argues that the “type of server” taught in Hu is for accessing of risky external servers. While Hu does disclose risky external servers, the server that the examiner maps to the “first server” of the claim is one of the devices of Fig. 4, not to the external servers of Fig. 4, as outlined above. Hu discloses the devices can be servers (0031), and discloses that one server device may be used by multiple users (0031). While the external server reputation may be a part of the overall risk score, so too is the password vulnerability (“the credentials used to log into the devices have high risks of being compromised”, 0023, 0026), as outlined above.
Applicant argues that Hu does not weight public access. The examiner points out that Hu teaches calculating the risk score including unauthorized asset access (0037). This unauthorized access is seen as reading on public access, because it was access by someone outside the authorized, private, users.
References Cited
The examiner cites Carpenter, USPN 2007/0101432, as directed toward a method of combining a password risk score with a general system risk score for an end user (0035), but was not used in the rejection, since the weak password results in disabling a user account, and is not seen as weighted together with the other factors.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JACOB LIPMAN whose telephone number is (571)272-3837. The examiner can normally be reached 5:30AM-6:00PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on 571-272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/JACOB LIPMAN/Primary Examiner, Art Unit 2434