DETAILED ACTION
	Claims 1-20, presented on 09/20/2019, are examined on the merits.  Claims 1, 8, and 16 are independent base claims.  

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Examiner's Instructions for filing Response to this Office Action
When the Applicant submits amendments to the claims in response to this Office Action, the Examiner would prefer that the Applicant submit two sets of claims: 
Set #1 that includes indicators for the status of claim and all marked amendments to the claims; and 
Set #2 comprising a clean version of the claims with all the markups removed for entry, as an appendix to the Applicant Arguments/Remarks or a section following the Remarks.

Information Disclosure Statement
The information disclosure statement(s) (IDS) submitted for examination on the merits is/are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement(s) is/are being considered by the examiner. See the annotated 1449 documents.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows: 
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 16-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.  The claim(s) does/do not fall within at least one of the four categories of patent eligible subject matter because the claimed cybersecurity machine may be software (i.e., software per se).  
The United States Patent and Trademark Office (USPTO) is obliged to give claims their broadest reasonable interpretation consistent with the specification during proceedings before the USPTO. See In re Zletz, 893 F.2d 319 (Fed. Cir. 1989) (during patent examination the pending claims must be interpreted as broadly as their terms reasonably allow). 
The broadest reasonable interpretation of the claim element “the cybersecurity machine” in claim 16 is drawn to a non-structural item which could be interpreted as software per se, because the machine only comprises a virtual on-premise scanning application, a vulnerability database, and a list of instructions.  The claimed invention at most describes a computer model for improving operational cybersecurity resiliency.  The corresponding relationships between entries are essentially database/software design features that do not necessarily require specific computer hardware for implementation.  And the added limitation for storing at least one resource entry in the storage system is so broadly defined that the storing function is not even tied to a computer memory device or computer processor.  Therefore, claim 16 is found to be software per se and thus not eligible for patent protection. 
Dependent claims 17-20, when analyzed as a whole, are held to be patent ineligible under 35 U.S.C. 101 because the additional recited limitation(s) fail(s) to render the claims to be statutory.

Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea) without significantly more.
The rationale for this determination is explained below:  
First – following Step 1 of the guidance, claims 1-20 are directed to a method comprising a series of functional steps, or a machine performing similar steps of the method.  Therefore, the claimed invention falls into one of the four statutory categories.
Secondly – following Step 2 of the guidance, claims 1-20 are analyzed for their underlying inventive concept with a new two-prong inquiry: (1) does the claim recite an abstract idea, law of nature, natural phenomenon, or other judicial exception? And (2) does the claim recite additional elements that integrate the judicial exception into a practical application?
It is determined that the claimed invention is directed to an abstract idea or at least one of the judicial exceptions, because the concept of the invention is basically managing steps of a testing procedure that may be performed in the human mind, including observation, evaluation, judgment, and opinion; this addresses the first prong of the inquiry.  

Regarding the second prong, the identified additional elements – such as the computer-readable medium and the unsupervised machine learning algorithm – fail to integrate the idea of “managing a test procedure” into a practical application.  The claims are so broadly defined that they do not point out a computer element that performs the steps as defined in the claims.  For example, all the steps in claim 1 can reasonably be performed by a human user (e.g., a software analyst) with the aid of a general computer, where the human user may initiate the steps of loading a test, then observe and evaluate the test results, and make a report based on his or her judgment and opinion.

The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception, because the claims merely recite an unsupervised machine learning algorithm, software on a computer network (which is the subject under test), and an application executed on a server.  These elements only perform functions of a general computer such as receiving, retrieving, and storing data.  The outputting and .

Dependent claims 2-7, 9-15, and 17-20, when analyzed individually or as a whole, are held to be patent ineligible under 35 U.S.C. 101 because the additional recited limitation(s) fail(s) to amount to “significantly more” than the judicial exception, and are thereby non-statutory.

Please see “The 2019 Revised Patent Subject Matter Eligibility Guidance” (or “2019 PEG” for short), published in January 2019 on the USPTO website.  Note that the groupings of abstract ideas in the 2019 PEG are not the same as those in the Abstract Ideas QRS or in the MPEP. The groupings in the 2019 PEG should be FOLLOWED for identifying abstract ideas. The 2019 PEG does not change the analysis at Step 2B, which pertains to an improvement to the conventional functioning of a computer or to technological processes; see also MPEP 2106.05(a).


Claim Objections
Claim 20 is objected to because of the following informalities:  
Claim 20, being a dependent claim, is missing the claim number of the base claim from which it depends.
Appropriate correction is required.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):

(B)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention. 


Claims 1-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant, regards as the invention.

The rejection(s) under 35 U.S.C. 112(b) is/are determined by the following reasons:
Claim 1 recites the limitation “the exploited vulnerabilities” unclearly, or lacking antecedent basis for this limitation in the claim, because the exploited vulnerabilities are never clearly identified in the claim.  It is understood that the claim comprises a step for remediating the software that may enable a configuration of the software to prevent exploitation of said vulnerabilities.  However, preventing exploitation of said vulnerabilities is the purpose of the software configuration, not the result.  In the remediating step, the exploited vulnerabilities are not positively identified, causing confusion as to the scope of “the exploited vulnerabilities” in view of the aforementioned loaded vulnerability dataset.
Claim 1 recites the limitation “the cybersecurity resilience of the software” unclearly, or lacking antecedent basis for this limitation in the claim.  It should be noted that the stress testing reaches a point where a financial impact of the exploited vulnerabilities may be calculated, but never arrives at a quantifiable measurement (e.g., a level or score) of the cybersecurity resilience of the software.
Claim 8 also recites the limitation “the cybersecurity resilience of the software” unclearly, or lacking antecedent basis for this limitation in the claim, for the same reason as that given for claim 1.
Claim 1 further recites “remediation” in the clause “wherein remediation configures the software… ”, in which the so-called remediation is loosely defined, causing confusion.  It appears that the remediation here is the same as the step for remediating the software.  That may mean that, while remediating the software is performed as a general response to the chaos stress testing, the remediating step essentially configures the software to prevent exploitation of said vulnerabilities.  If so, the Examiner suggests amending “remediation” to “the remediating” for clarity.
Claim 8 also recites “remediation” in the clause “wherein remediation configures the software” unclearly, or lacking antecedent basis, for the same reason as that given for claim 1.
Claim 12 recites the limitation “the exploited vulnerabilities” in step k unclearly, or lacking antecedent basis for this limitation in the claim, for the same reason as that given for claim 1.

Claim 20, being a dependent claim, is unclear because the base claim number is missing.

Claims 2-7, 9-15, and 17-20 are also rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, because they depend from the rejected base claims 1, 8, and 16, respectively.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:

1. Determining the scope and content of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.


In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

Claims 8-12 and 14-15 are rejected under 35 U.S.C. 103 as being unpatentable over Nandha (US 20170308701 A1) in view of Bulut (US 20210075814 A1).

As per claim 8, Nandha teaches a process for an application on a test server to improve operational cybersecurity resiliency of software on a computer network, the test server coupled to the network (Nandha, par. 0073-0075: the server processor … may receive a software application, and may exercise the received software application … to identify one or more behaviors), the process comprising the steps of: 
a) loading a vulnerability dataset from the network comprising vulnerability information … (Nandha, par. 0074-0076: The server … receives exercise information from the client computing device, the exercise information comprising test features, activities, behaviors, etc. of the software application.  The identified behaviors are vulnerability information); 
b) determining vulnerabilities by using a first machine learning algorithm on the vulnerability dataset (Nandha, par. 0075: the server processor may exercise the received software application (e.g., in a client computing device emulator, etc.) to identify one or more behaviors); 
Nandha, par. 0076: the server processor may evaluate the identified behaviors (e.g., count lines of code, API calls, etc.) and determine whether the software application may be classified as benign or non-benign.), wherein the stress testing comprises: 
(1) selecting at least one of said vulnerabilities (Nandha, par. 0053 and 0082: a list of explored GUI screens, a list of unexplored activities, a list of unexplored GUI screens); 
 
d) remediating the software based on said response to the chaos stress testing, wherein remediation configures the software to prevent exploitation of said vulnerabilities (Nandha, par. 0056: In response to determining that the software application or any of identified behaviors are non-benign, the detonator component 202 may quarantine the software application); and 
e) reporting the cybersecurity resilience of the software (Nandha, par. 0056: send security warnings or notification messages to a corporate or IT/Security system 206 … send notification message that includes information identifying the software application as non-benign to the client computing device 102 and/or take other corrective or preventive measures).
However, Nandha does not explicitly disclose a vulnerability database from which the vulnerability dataset or vector information is loaded, or utilizing a second machine learning algorithm based on a historical dataset for chaos stress testing. These aspects of the claim are identified as a difference.
In a related art, Bulut teaches,
a vulnerability database (Bulut, par. 0074-0075: vulnerability database 502 can comprise historical vulnerability data including, but not limited to, vulnerabilities received from one or more computing resources 504);
(2) chaos stress testing the software with respect to said at least one of said vulnerabilities by utilizing a second machine learning algorithm based on a historical dataset (Bulut, par. 0089-0090: perform a set of machine learning computations associated with training a model defined above to learn to assign such one or more risk assessment metrics and/or one or more risk scores based on historical vulnerability data defined above (e.g., vulnerability descriptions, vulnerability categories, vulnerability scores, etc.); assign such one or more risk assessment metrics and/or one or more risk scores based on historical vulnerability data); and 
(3) identifying a response to the chaos stress testing (Bulut, par. 0118-0119: deep learning model 412 … can assign such one or more risk assessment metrics and/or one or more risk scores; par. 0123: assign one or more risk assessment metrics);

Nandha and Bulut are analogous art, because they are in a similar field of endeavor of improving vulnerability testing of software applications.  Thus, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to combine them and to use Bulut to modify Nandha to include a deep learning model to run Nandha’s learning machine on a stored historical dataset or vector information. For this combination, the motivation would have been to improve the capability of detecting risks and vulnerabilities of software applications.

As per claim 9, the references as combined above teach the process of claim 8 wherein the first machine learning algorithm is unsupervised (Nandha, par. 0058 and 0065: dynamic analysis operations and monitoring activities of the software application to collect behavior information, which are evidently unsupervised).

As per claim 10, the references as combined above teach the process of claim 8 wherein the second machine learning algorithm is semi-supervised (Bulut, par. 0087: using supervised learning and/or unsupervised learning; par. 0024-0026: National Vulnerability Database. Since Bulut’s machine learning is both supervised and unsupervised, it is using a semi-supervised algorithm).

As per claim 11, the references as combined above teach the process of claim 8 wherein the selection of said vulnerabilities is random (Bulut, par. 0118-0119: vulnerabilities received from computing resources 504 that can be discovered from change requests and/or tickets during execution of various source code and/or applications, which are random).

As per claim 12, the references as combined above teach the process of claim 8 wherein the steps are performed in real-time as the operational cybersecurity resiliency of the software is analyzed (Bulut, par. 0023: it takes time (e.g., 5-10 minutes or more) for analysts to understand and assign scores (e.g., based on CVSS) to vulnerabilities. Note here that taking 5-10 minutes for analysis means real-time).

As per claim 14, the references as combined above teach the process of claim 8 wherein the steps are stored as computer-executable instructions in at least one tangible, non-transitory computer-readable medium (Nandha, par. 0104: the functions may be stored as one or more instructions or code on a non-transitory computer-readable medium or non-transitory processor-readable medium).

As per claim 15, the references as combined above teach the process of claim 14 wherein the vulnerability database is the NIST National Vulnerability Database (Bulut, par. 0024-0026: National Vulnerability Database (NVD)).


Allowable Subject Matter
Claims 1-7 and 16-20 are allowable over prior art for the following reasons:
The prior art as discussed above discloses the vulnerability testing of software that runs on a computer network using machine learning algorithms, and subsequent remediation of the software based on the test results.  However, the prior art fails to disclose the combination of calculating a financial impact of the exploited vulnerabilities with the stress testing process as a whole, as specified in independent claims 1 and 16.  Therefore, independent claims 1 and 16 are allowable. Dependent claims 2-7 and 17-20 are allowed by virtue of their dependency on claims 1 and 16, respectively, as they further limit the scope of the claimed invention.
 
Claim 13 is objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all the limitations of the base claim and any intervening claims.  Claim 13 recites the limitation “confirming a blast radius for the chaos stress testing to minimize negative side effects from the chaos stress testing”, which is neither anticipated by nor made obvious over the prior art of record when considered in combination with the other limitations of claim 8.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure as the prior art additionally discloses certain parts of the claim features (See “PTO-892 Notice of Reference Cited”).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DON ZHAO whose telephone number is (571)272.9953.  The examiner can normally be reached on Monday to Friday, 7:30 A.M to 5:00 P.M EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. If attempts to reach the examiner by 
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866.217.9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800.786.9199 (IN USA OR CANADA) or 571.272.1000.


/Don G Zhao/
Primary Examiner, Art Unit 2493
02/22/2022