DETAILED ACTION

1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
2.	Claims 1-20 are pending.  Claims 1 and 11 are independent.

3.	The IDS submitted on 8/13/2019 has been considered.

Claim Objections
4.	Claims 1 and 12 are objected to because the claims recite the misspelled word “backpropogation”.  The correct word or words should be “backpropagation” or “back propagation”.

Appropriate correction is required.

Claim Rejections - 35 USC § 101
5.	35 U.S.C. 101 reads as follows: 
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

6.	Claims 1-10 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.  
Claim 1 is rejected under 35 U.S.C. 101 as not falling within one of the four statutory categories of invention.  While the claim recites a series of steps or acts to be performed, a statutory “process” under 35 U.S.C. 101 must (1) be tied to a particular machine, or (2) transform underlying subject matter (such as an article or material) to a different state or thing [see page 10 of In Re Bilski 88 USPQ2d 1385].  The instant claim is neither positively tied to a particular machine that accomplishes the claimed method steps nor transforms underlying subject matter, and therefore does not qualify as a statutory process.  Claim 1, comprising steps of “directing, from a security assessing server”, “diagnosing” and “training”, is broad enough that the claim could be completely performed by software, since a server may include software.  Thus the recited method is not tied to a particular machine or apparatus.  Additionally, none of the recited steps transform a particular article into a different state or thing.  Accordingly, the recited method is directed to nonstatutory subject matter.  To overcome rejection under 35 U.S.C. 101, it is suggested that at least one of the previously identified steps is to be performed “by a computer” to positively tie the method to a computer.




Claim Rejections - 35 USC § 102
7.	In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

8.	Claims 1-4, 6-14 and 16-20 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Amiri (US PG Pub. 2018/0288086).
Regarding claim 1, Amiri discloses A method of training a machine learning neural network, the method comprising: 
directing, from a security assessing server, to a software program under execution, a series of attack vectors [para. 46, 85, 90 and 105; collecting corpus of data from the server for testing]; 
diagnosing an at least a first set of results associated with the software program under execution as comprising one of a security vulnerability and not a security vulnerability, the at least a first set of results produced based at least in part on the attack vectors [para. 78, 85, 92, 95, 165 and 228]; and 
training a machine learning neural network classifier in accordance with a supervised classification that identifies false positive vulnerability defects of the at least a first set of results to produce a trained classifier [para. 130 and 200], the neural network classifier including an input and an output layers connected via at least one intermediate layer that is configured in accordance with an initial matrix of weights [FIG. 12, para. 97, 109, 160, and 254].  

Regarding claim 2, Amiri further discloses The method of claim 1 wherein training the neural network classifier comprises recursively adjusting the initial matrix of weights by backpropogation in diminishment of a number of the false positive vulnerability defects generated at the output layer in accordance with the supervised classification [para. 97, 160 and 254].  

Regarding claim 3, Amiri further discloses The method of claim 2 wherein diminishment of the number of false positive vulnerability defects proceeds, based on the recursively adjusting, in accordance with diminishment of an error matrix computed at the output layer of the neural network classifier [para. 128-130].  

Regarding claim 4, Amiri further discloses The method of claim 3 further comprising: deploying results of a subsequent dynamic testing case using the software program to the input layer of the trained classifier; and identifying a set of software security vulnerability defects of the subsequent dynamic testing case that are generated in accordance with the output layer of the trained classifier [para. 128-130].  

Regarding claim 6, Amiri further discloses The method of claim 1 wherein the software program under execution comprises a cloud based execution of at least one of a web based application and a software as a service (SaaS) enterprise application [para. 7, 20, 123 and 182].  

Regarding claim 7, Amiri further discloses The method of claim 1 wherein at least one attack vector of the series comprises a data set that encodes an attempt to exploit a security vulnerability aspect of the software program under execution [para. 88 and 90].  

Regarding claim 8, Amiri further discloses The method of claim 7 wherein the data set includes at least one of an identifier of a class and a type of attack, a data value, a group of data values, a reference to a predetermined attack data set, and a copy of an attack data set [para. 104].  

Regarding claim 9, Amiri further discloses The method of claim 1 wherein the security vulnerability relates to at least one of a cross-site scripting, a SQL injection, a path disclosure, a denial of service, a memory corruption, a code execution, a cross-site request forgery, a PHP injection, a Javascript injection and a buffer overflow [para. 106 and 203].  

Regarding claim 10, Amiri further discloses The method of claim 9 wherein the diagnosing of the security vulnerability comprises the software application providing an error response indicating that at least one attack vector in the series of attack vectors successfully exploited a security vulnerability of the application [para. 199].  


Regarding claim 11, Amiri discloses A server computing system comprising: 
a processor [para. 215]; 
a memory storing a set of instructions, the instructions executable in the processor [para. 215] to: 
direct, to a software program under execution, a series of attack vectors [para. 46, 85, 90 and 105; collecting corpus of data from the server for testing]; 
diagnose an at least a first set of results associated with the software program under execution as comprising one of a security vulnerability and not a security vulnerability, the at least a first set of results produced based at least in part on the attack vectors [para. 78, 85, 92, 95, 165 and 228]; and 
train a machine learning neural network classifier in accordance with a supervised classification that identifies false positive vulnerability defects of the at least a first set of results to produce a trained classifier, the neural network classifier including an input and an output layers connected via at least one intermediate layer that is configured in accordance with an initial matrix of weights [FIG. 12, para. 97, 109, 160, and 254].  

Regarding claim 12, Amiri further discloses The system of claim 11 wherein training the neural network classifier comprises recursively adjusting the initial matrix of weights by backpropogation in diminishment of a number of the false positive vulnerability defects generated at the output layer in accordance with the supervised classification [para. 97, 160 and 254].  

Regarding claim 13, Amiri further discloses The system of claim 12 wherein diminishment of the number of false positive vulnerability defects proceeds, based on the recursively adjusting, in accordance with diminishment of an error matrix computed at the output layer of the neural network classifier [para. 128-130].  

Regarding claim 14, Amiri further discloses The system of claim 11 further comprising instructions executable in the processor to: deploy results of a subsequent dynamic testing case using the software program to the input layer of the trained classifier; and identify a set of software security vulnerability defects of the subsequent dynamic testing case that are generated in accordance with the output layer of the trained classifier [para. 128-130].  

Regarding claim 16, Amiri further discloses The system of claim 11 wherein the software program under execution comprises a cloud based execution of at least one of a web based application and a software as a service (SaaS) enterprise application [para. 88 and 90].  

Regarding claim 17, Amiri further discloses The system of claim 11 wherein at least one attack vector of the series comprises a data set that encodes an attempt to exploit a security vulnerability aspect of the software application under execution [para. 88 and 90].  

Regarding claim 18, Amiri further discloses The system of claim 17 wherein the data set includes at least one of an identifier of a class and a type of attack, a data value, a group of data values, a reference to a predetermined attack data set, and a copy of an attack data set [para. 104].  

Regarding claim 19, Amiri further discloses The system of claim 11 wherein the security vulnerability relates to at least one of a cross-site scripting, a SQL injection, a path disclosure, a denial of service, a memory corruption, a code execution, a cross-site request forgery, a PHP injection, a Javascript injection and a buffer overflow [para. 106 and 203].  

Regarding claim 20, Amiri further discloses The system of claim 19 wherein the diagnosing of the security vulnerability comprises the software application providing an error response indicating that at least one attack vector in the series of attack vectors successfully exploited a security vulnerability of the application [para. 199].

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to THONG TRUONG whose telephone number is (571)270-7905.  The examiner can normally be reached on M-F 8:30AM - 5:30PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu can be reached on 5712726798.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/THONG TRUONG/
Examiner, Art Unit 2433

/JEFFREY C PWU/
Supervisory Patent Examiner, Art Unit 2433