DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Allowable Subject Matter
Prosecution on the merits of this application is reopened on claims 1-21 considered unpatentable.  The new grounds of rejections under 102 and 103 are in view of Endersz et al. (WO 2007/027131 A2), which was provided in the Information Disclosure Statement filed on 11/9/21.  See rejections below.
Applicant is advised that the Notice of Allowance mailed 10/14/21 is vacated.  If the issue fee has already been paid, applicant may request a refund or request that the fee be credited to a deposit account.  However, applicant may wait until the application is either found allowable or held abandoned.  If allowed, upon receipt of a new Notice of Allowance, applicant may request that the previously submitted issue fee be applied.  If abandoned, applicant may request refund or credit to a specified Deposit Account.

Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 


An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 

Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitations uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  
Because these claim limitations are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, they are being interpreted to cover the corresponding structure described in the specification as performing the claimed function  and equivalents thereof.
If applicant does not intend to have these limitations interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitations to avoid them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitations recite sufficient structure to perform the claimed function so as to avoid them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1-7 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Endersz et al. (WO 2007/027131 A2).
Regarding claim 1, Endersz discloses a method for securing a service (i.e., a database, a communication link or any other service) (page 5, line 3-4) implemented on a computer network (Fig. 1), the method comprising:
	identifying network assets in the computer network used by the service (i.e., identifying each of the resources required by and affected by the service) (Fig. 1; page 5, lines 1-12);
	identifying vulnerabilities in one or more of the network assets (i.e., a threat T is directed against a vulnerability in a system resource) (page 5, lines 9-12, 16-17), each vulnerability having one or more vulnerability risk dimensions (i.e., vulnerability parameter V which exposes assets in the system) (page 5, lines 22-27);
	based on the identified vulnerabilities, determining an asset risk score for each of the network assets (i.e., calculating a risk value R for each resource) (page 5, lines 19-36; page 6, lines 18-27;  page 7, lines 6-10);
	based on the determined asset risk scores of the network assets, determining a service risk score for the service (i.e., calculating the total risk value as the sum of the risk values) (page 6, line 29 - page 7, line 14); and
	prioritizing implementation of one or more vulnerability remediation actions on the computer network to best reduce the service risk score and secure the service (i.e., selecting countermeasure which best meets made demands…for optimized selection of countermeasures in real time...increase protection and reduction of risk/damage in the system) (page 8, lines 17-35).
Regarding claim 2, Endersz further discloses identifying network assets in the computer network used by the service includes describing dependencies of the network 
Regarding claim 3, Endersz further discloses that implementing one or more vulnerability remediation actions includes: simulating effects of different vulnerability remediation actions on the service risk score (i.e., optimization of the risk level by simulating of effects of potential countermeasures…simulate a given countermeasure directed against the threat) (page 1, lines 11-12; page 3, lines 21-22); and prioritizing implementation of a vulnerability remediation action that has a larger simulated reduction in the service risk score over implementation of other vulnerability remediation actions that have smaller simulated reductions in the service risk score (i.e., selecting countermeasure which best meets made demands…for optimized selection of countermeasures in real time...increase protection and reduction of risk/damage in the system) (page 8, lines 17-35).
Regarding claim 4, Endersz further discloses identifying vulnerabilities in one or more of the network assets includes determining a risk value for each vulnerability risk dimension (i.e., vulnerability value V*C for each resource for a specific threat) (page 3, lines 15-17; page 5, lines 33-34).
Regarding claim 5, Endersz further discloses that determining a risk value for each vulnerability risk dimension includes using information obtained from one or more network security tools (i.e., the software and/or hardware component(s) that performs the steps for determining, in real time, V and C used to calculate the vulnerability value V*C) (page 1, lines 8-12; page 2, lines 1-5; page 3, lines 9-17).
Regarding claim 6, Endersz further discloses that determining an asset risk score for each of the network assets includes determining the asset risk score for each of the network assets based on the risk values of the vulnerability risk dimensions of the vulnerabilities in each of the network assets (i.e., calculating a risk value R = H*V*C for each resource) (page 5, lines 19-36; page 6, lines 18-27; page 7, lines 6-10).
Regarding claim 7, Endersz further discloses that determining the service risk score for the service includes aggregating the asset risk scores of the network assets used by the service (i.e., calculating the total risk value as the sum of the risk values) (page 6, line 29 - page 7, line 14).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 8-14 are rejected under 35 U.S.C. 103 as being unpatentable over Endersz in view of Gillin (“BMC upgrades toolset for mapping massive IT data centers”).
Regarding claim 8, Endersz discloses a computer system to secure a service implemented on a computer network, the computer system comprising: 
	a computing device including at least one processor and at least one memory (inherent features of a computer); 

	a security tools data module configured to receive data identifying vulnerabilities in one or more of the network assets (i.e., computing component receiving data identifying vulnerabilities in system resources when exposed to a threat T) (page 5, lines 9-12, 16-17), each vulnerability having one or more vulnerability risk dimensions (i.e., vulnerability parameter V which exposes assets in the system) (page 5, lines 22-27); 
	a risk score calculator configured to determine an asset risk score for each of the network assets used by the service based on the identified vulnerabilities (i.e., computer component calculating a risk value R for each resource) (page 5, lines 19-36; page 6, lines 18-27;  page 7, lines 6-10) and to determine a service risk score for the service based on the determined asset risk score of each of the network assets (i.e., calculating the total risk value as the sum of the risk values) (page 6, line 29 - page 7, line 14); and 
	a prioritization simulator configured to implement one or more vulnerability remediation actions on the computer network to reduce the service risk score and secure the service (i.e., computing component simulating of effects of potential countermeasures…simulate a given countermeasure directed against the threat and selecting countermeasure which best meets made demands…for optimized selection of countermeasures in real time... selecting countermeasure which best meets made demands…for optimized selection of countermeasures in real time...increase protection and reduction of risk/damage in the system increase protection and reduction of 
	The computing components disclosed by Endersz perform identical functions specified in the claims in substantially the same way, and produce substantially the same results with two exceptions: (i) Endersz does not specifically disclose that the computing components are implemented in software; and (ii) Endersz does not disclose how the computing component corresponding to the claimed service model module identify network assets in the network.
	Endersz does not disclose how the computing components are implemented. Specifically, Endersz does not disclose that the computing components are implemented in software. Official Notice is taken that both concept and advantage of implementing a method in software to lower the cost and facilitate update are well known and expected in the art.  It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have implemented the computing components disclosed in Endersz in software to lower the cost and facilitate update.  
	Endersz discloses a computer component that identifies network assets in the network (Fig. 1; page 5, lines 1-12). Endersz does not disclose how the network assets are identified by the component. Gillin discloses using BMC Discovery for asset inventory and dependency mapping (pages 2-3). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Endersz’s system to use BMC Discovery for asset inventory and dependency mapping, 
Regarding claim 9, Endersz and Gill combined further disclose that the service model module is configured to identify dependencies of the network assets in the computer network used by the service (Endersz - Fig. 1; page 5, lines 1-12) (Gillin – page 3).
Regarding claim 10, Endersz further discloses that the prioritization simulator is configured to: simulate effects of different vulnerability remediation actions on the service risk score (i.e., optimization of the risk level by simulating of effects of potential countermeasures…simulate a given countermeasure directed against the threat) (page 1, lines 11-12; page 3, lines 21-22); and prioritize implementation of a vulnerability remediation action that has a larger simulated reduction in the service risk score over implementation of other vulnerability remediation actions that have smaller simulated reductions in the service risk score (i.e., selecting countermeasure which best meets made demands…for optimized selection of countermeasures in real time...increase protection and reduction of risk/damage in the system) (page 8, lines 17-35).
Regarding claim 11, Endersz further discloses that identifying vulnerabilities in one or more of the network assets includes determining a risk value for each vulnerability risk dimension (i.e., vulnerability value V*C for each resource for a specific threat) (page 3, lines 15-17; page 5, lines 33-34).
Regarding claim 12, Endersz discloses that determining a risk value for each vulnerability risk dimension includes using vulnerability information (i.e., the type of  vulnerability that exposes an asset to a specific threat) (page 5, lines 16-36) Endersz 
Regarding claim 13, Endersz further discloses that the risk score calculator is configured to determine the asset risk score for each of the network assets based on the risk values of the vulnerability risk dimensions of the vulnerabilities in each of the network assets (i.e., calculating a risk value R = H*V*C for each resource) (page 5, lines 19-36; page 6, lines 18-27; page 7, lines 6-10).
Regarding claim 14, Endersz further discloses that the risk score calculator is configured to determine the service risk score for the service by aggregating the asset risk scores of the network assets used by the service (i.e., calculating the total risk value as the sum of the risk values) (page 6, line 29 - page 7, line 14).
Claims 15-21 are rejected under 35 U.S.C. 103 as being unpatentable over Endersz.
Regarding claim 15, Endersz discloses a method for securing a service (i.e., a database, a communication link or any other service) (page 5, line 3-4) implemented on a computer network (Fig. 1), the method comprising:

	identifying vulnerabilities in one or more of the network assets (i.e., a threat T is directed against a vulnerability in a system resource) (page 5, lines 9-12, 16-17), each vulnerability having one or more vulnerability risk dimensions (i.e., vulnerability parameter V which exposes assets in the system) (page 5, lines 22-27);
	based on the identified vulnerabilities, determining an asset risk score for each of the network assets (i.e., calculating a risk value R for each resource) (page 5, lines 19-36; page 6, lines 18-27;  page 7, lines 6-10);
	based on the determined asset risk scores of the network assets, determining a service risk score for the service (i.e., calculating the total risk value as the sum of the risk values) (page 6, line 29 - page 7, line 14); and
	implementing of one or more vulnerability remediation actions on the computer network to best reduce the service risk score and secure the service (i.e., selecting countermeasure which best meets made demands…for optimized selection of countermeasures in real time...increase protection and reduction of risk/damage in the system) (page 8, lines 17-35).
	Endersz does not disclose implementing the method in software. Official Notice is taken that both concept and advantage of implementing a method in software to lower the cost and facilitate update are well known and expected in the art.  It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have implemented the method disclosed by Endersz in software to 
Regarding claim 16, Endersz further discloses including descriptions of dependencies of the network assets in the computer network when identifying network assets in the computer network used by the service (i.e., Changed function or state/condition of C4 will influence C5, which in its turn will result in changes of/at C7, C8 and C9) (Fig. 1; page 5, lines 1-12). Accordingly, this feature would be implemented in software.
Regarding claim 17, Endersz further discloses simulating effects of different vulnerability remediation actions on the service risk score (i.e., optimization of the risk level by simulating of effects of potential countermeasures…simulate a given countermeasure directed against the threat) (page 1, lines 11-12; page 3, lines 21-22); and prioritizing implementation of a vulnerability remediation action that has a larger simulated reduction in the service risk score over implementation of other vulnerability remediation actions that have smaller simulated reductions in the service risk score (i.e., selecting countermeasure which best meets made demands…for optimized selection of countermeasures in real time...increase protection and reduction of risk/damage in the system) (page 8, lines 17-35). Accordingly, this feature would be implemented in software.
Regarding claim 18, Endersz further discloses determining a risk value for each vulnerability risk dimension of the identified vulnerabilities (i.e., vulnerability value V*C for each resource for a specific threat) (page 3, lines 15-17; page 5, lines 33-34). Accordingly, this feature would be implemented in software.
Regarding claim 19, Endersz further discloses determining a risk value for each vulnerability risk dimension using information obtained from one or more network security tools (i.e., the computing component(s) that performs the steps for determining, in real time, V and C used to calculate the vulnerability value V*C) (page 1, lines 8-12; page 2, lines 1-5; page 3, lines 9-17). Accordingly, this feature would be implemented in software.
Regarding claim 20, Endersz further discloses determining the asset risk score for each of the network assets based on the risk values of the vulnerability risk dimensions of the vulnerabilities in each of the network assets (i.e., calculating a risk value R = H*V*C for each resource) (page 5, lines 19-36; page 6, lines 18-27; page 7, lines 6-10). Accordingly, this feature would be implemented in software.
Regarding claim 21, Endersz further discloses determining the service risk score for the service by aggregating the asset risk scores of the network assets used by the service (i.e., calculating the total risk value as the sum of the risk values) (page 6, line 29 - page 7, line 14). Accordingly, this feature would be implemented in software.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MINH DINH whose telephone number is (571)272-3802. The examiner can normally be reached Mon-Fri: 9 AM - 5:30 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Nickerson can be reached on 469-295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/MINH DINH/Primary Examiner, Art Unit 2432