Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
This is in response to the amendments filed 111/29/2021.  Claims 1-16 have been amended.  Claims 1-16 are pending and have been considered below.

Priority
16722383, filed 12/20/2019 claims foreign priority to 2019-004023, filed 01/15/2019.

Drawings
The drawings filed on 12/30/2019 are accepted.

Specification
The specification filed on 12/30/2019 is accepted.

Response to Arguments
Applicant’s arguments with respect to Claim Interpretation and Claim Rejections - 35 USC § 112
Applicant’s arguments with respect to “a vulnerability information storage which stores vulnerability information including (i) information indicating a vulnerability target which is a target to be influenced by vulnerability,” remarks pages 10-11, have been fully considered but are not persuasive because
Sakaki teaches (see par. 4) a relationship between a threat and a vulnerability stored in the threat and vulnerability databases, and their weights correspond to a risk model. Sakaki further teaches (see par. 45) that the risk model storage section 104 stores the risk model that relates threats constituting a risk inherent in an information system as the risk analysis target system to measures for decreasing the threats. In the risk model, a parameter such as a weight is related to each of the threats. The weight of the threat is calculated from a kind and a generation frequency of the threat, which are obtained by analyzing threats in a general information system. In the risk model, the threats or measures may be further related to each other. Further, as a weight of each of the measures, effectiveness for a corresponding threat and cost for implementing the measure may be added as an effect of the measure. F11 further teaches target system PCF1 and PC2 with corresponding threat and measure, which meet the limitations of “a vulnerability information storage which stores vulnerability information including information indicating a vulnerability target which is a target to be influenced by vulnerability.”
Regarding the newly amended part of the claim limitations, such as “a vulnerability information storage which stores vulnerability information including and (ii) information indicating a severity of the vulnerability in terms of security,” a newly found prior Thario U.S. 20140344936 teaches server computer 105b includes vulnerability database 125 for storing information about computer software applications, wherein the information in term of security
Basavapatna et al U.S. 2013/0191919 A1 teaches that server computer 105b includes vulnerability database 125 for storing information about computer software applications, wherein the information includes the following: names of computer software applications, a unique identifier (unique ID) (e.g., version number) associated to each of the names of computer software applications, vulnerabilities identified that are associated with the unique ID, and a severity level parameter value assigned to each of the vulnerabilities identified based on amount of security risks, which meets the limitation of “and information indicating a severity of the vulnerability in terms of security.”

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1 and 2 are rejected under 35 U.S.C. 103 as being unpatentable over Sakaki U.S. 2010/0162401 A1 in view of Kataoka U.S. 2004/0210421 in further view of Basavapatna et al U.S. 2013/0191919 A1.
Claim 1: Sakaki teaches a vulnerability influence evaluation system comprising: 
a vulnerability information storage which stores vulnerability information including information indicating a vulnerability (par. 14, a risk model storage section that stores as a risk model, a correspondence relationship between threats constituting a risk and a measure against the threat); 
calculate a vulnerability influence degree of the relevant vulnerability on the basis of (i)the severity of the relevant vulnerability and (ii)a relevance degree between (a)the relevant vulnerability and (b) a threat according to the relevant vulnerability (par. 14, 46 an influence degree calculating section that calculates an influence degree of the existence or non-existence of the measure on a result of the calculation of the risk value); 
Sakaki fails to teach, however Kataoka in the same field of endeavor teaches
performs determination as to a vulnerability level of the evaluation target on the basis of the calculated vulnerability influence degree (par.13, 15, 52, 57, an influence degree determining module configured to determine a degree of influence on the program by the influenced element); and 
wherein the output outputs a result of the determination (par.58-59, The risk degree display unit 41 edits information such as the numerical value obtained by the risk degree calculating unit 40, and prepares to browse the risk degree information by use of the input unit and the like shown in FIG. 1. Concretely, the influence degree is inputted as a first parameter, the influence range is inputted as a second parameter, a parameter group expressed two-dimensionally by the first parameter and the second parameter is constituted, and the risk degree is displayed two-dimensionally (refer to FIG. 16 and FIG. 17). As a display method, not only a simple linear combination but also a combination reflecting various policies can be conceived). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the disclosure of Sakaki with the additional features of Kataoka in order to provide the ability for improving the maintainability and extensibility of the existing program, and aims to modify module configuration, class configuration and the like without modifying a performing function of the existing program and to impart greater stability to the program, as suggested by Kataoka par.5.
The combination fails to teach, however Basavapatna et al in the same field of endeavor teaches
in terms of security (par. 23, server computer 105b includes vulnerability database 125 for storing information about computer software applications, wherein the information includes the following: names of computer software applications, a unique identifier (unique ID) (e.g., version number) associated to each of the names of computer software applications, vulnerabilities identified that are associated with the unique ID, severity level parameter value assigned to each of the vulnerabilities identified based on amount of security risks)
collect the latest vulnerability information from the vulnerability information storage (par.60, vulnerability detection data 206 can be generated by collecting, considering, and comparing asset configuration data 207 and vulnerability definition data 205);
a processor; and an output, wherein the processor is configured to (par.93)
compare configuration information about an evaluation target with the vulnerability information (par.60, vulnerability detection data 206 can be generated by collecting, considering, and comparing asset configuration data 207 and vulnerability definition data 205. The applicability of a given vulnerability to a particular asset can be determined, for instance, based on configuration data for a given asset. When information in vulnerability definition data 205 describing asset characteristics and configurations evidencing or causing the vulnerability substantially matches or approximates asset configuration data, vulnerability data sources 212 (or network monitor 202 itself) can determine that the vulnerability is applicable to the asset),
determine whether there is relevance between the evaluation target and the vulnerability of each vulnerability information  on the basis of whether the evaluation target includes the vulnerability target indicated by the vulnerability information stored in the vulnerability information storage (par.103, 104, an asset can possess multiple vulnerabilities that introduce similar or overlapping risk. Vulnerability definition data 205 can include indications of related vulnerabilities that should be considered in parallel with the vulnerability, so as to properly assess risk. Consequently, the process 350 can identify a standardized vulnerability score V.sub.S for each of a set of related or "overlapping" vulnerabilities and use the maximum individual standardized vulnerability score, or the average of the set's standardized vulnerability scores, as the standardized vulnerability score V.sub.S. The process can further derive a vulnerability detection score V identifying whether a particular vulnerability is possessed by, or applicable to, a particular asset (354). The vulnerability detection score estimates whether the asset possesses a particular vulnerability. For vulnerabilities known to be exploited by a particular known threat, the vulnerability score can be further interpreted to estimate whether the asset is vulnerable to the associated threat. Indeed, in such instances, vulnerability detection score V can be the same in both a threat-centric and vulnerability-centric risk metric generation),
detect the vulnerability determined to be relevant to the evaluation target, as relevant vulnerability (par.105-1-6, determines a composite vulnerability score V.sub.C for the asset and the vulnerability (356). The composite vulnerability score V.sub.C estimates the potential risk a particular vulnerability poses to an asset and is derived from the standardized vulnerability score V.sub.S and the vulnerability detection score V.sub.D),
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the disclosure of Sakaki with the additional features of Basavapatna et al in order to provide the ability for calculating risk metrics for assets in a system of computing assets, as suggested by Basavapatna et al par.1.
Claim 2: the combination teaches
wherein the processor further corrects the relevance degree in accordance with an operation condition of the evaluation target (Sakaki, par.70-71, 75-76).
Claims 3 and 4 are rejected under 35 U.S.C. 103 as being unpatentable over Sakaki U.S. 2010/0162401 A1 in view of Kataoka U.S. 2004/0210421 in further view of Basavapatna et al U.S. 2013/0191919 A1 and Curtis et al U.S. 2012/0210434 A1.
Claims 3 and 4: the combination fails to teach, however Curtis et al in the same field of endeavor teaches
wherein the vulnerability information further includes vulnerability countermeasure information which is information indicating a countermeasure for the vulnerability, the processor is further configured to  perform a vulnerability countermeasure on the basis of the vulnerability countermeasure information, wherein the processor performs the vulnerability countermeasure for the relevant vulnerability for which determination on the vulnerability influence degree has been performed (par.35-37,40 and Fig.7).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the combined disclosure of Sakaki with the additional features of Curtis et al in order to provide the ability for controlling the operation of a security countermeasure for mitigation purposes to documenting the awareness of a security countermeasure that is in place, as suggested by Curtis et al abstract.

Claims 5 and 6 are rejected under 35 U.S.C. 103 as being unpatentable over Sakaki U.S. 2010/0162401 A1 in view of Kataoka U.S. 2004/0210421 in further view of Basavapatna et al U.S. 2013/0191919 A1 and Raz et al U.S. 2014/0215629 A1.
Claims 5 and 6: the combination teaches 
wherein the vulnerability information storage transmits a vulnerability information update notification to the processor when an addition or update has been performed for the stored vulnerability information, and the processor collects the vulnerability information when having received the vulnerability information update notification (Raz et al, par.10, 21, 24, 25, 34). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the combined disclosure of Sakaki with the additional features of Raz et al in order to provide the ability for automatic update of a Common Vulnerability Scoring System (CVSS) score, as suggested by Raz et al abstract.
Claims 7 and 8 are rejected under 35 U.S.C. 103 as being unpatentable over Sakaki U.S. 2010/0162401 A1 in view of Kataoka U.S. 2004/0210421 in further view of Basavapatna et al U.S. 2013/0191919 A1, Curtis et al U.S. 2012/0210434 A1 and Raz et al U.S. 2014/0215629 A1.
Claims 7 and 8: the combination teaches 
(Raz et al, par.10, 21, 24, 25, 34). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the combined disclosure of Sakaki with the additional features of Raz et al in order to provide the ability for automatic update of a Common Vulnerability Scoring System (CVSS) score, as suggested by Raz et al abstract.
Claims 9 and 10 are rejected under 35 U.S.C. 103 as being unpatentable over Sakaki U.S. 2010/0162401 A1 in view of Kataoka U.S. 2004/0210421 in further view of Basavapatna et al U.S. 2013/0191919 A1 and Lee et al U.S. 2019/0052663 A1.
Claims 9 and 10: the combination fails to teach, however Lee et al in the same field of endeavor teaches
 	wherein the processor collects the vulnerability information periodically (par.100). 
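Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the combined disclosure of Sakaki with the additional features of Lee et al in order to provide the ability for enhancing network security in which attack surfaces of hosts on a network are analyzed, hosts, the security of which has to be enhanced, are identified, and the security of the corresponding hosts is enhanced, as suggested by Lee et al par.2.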
Claims 11 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Sakaki U.S. 2010/0162401 A1 in view of Kataoka U.S. 2004/0210421 A1 in further view of Basavapatna et al U.S. 2013/0191919 A1 and Curtis et al U.S. 2012/0210434 A1 and Lee et al U.S. 2019/0052663 A1.
Claims 11 and 12: the combination fails to teach, however Lee et al in the same field of endeavor teaches
 	wherein the processor collects the vulnerability information periodically (par.100). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the combined disclosure of Sakaki with the additional features of Lee et al in order to provide the ability for enhancing network security in which attack surfaces of hosts on a network are analyzed, hosts, the security of which has to be enhanced, are identified, and the security of the corresponding hosts is enhanced, as suggested by Lee et al par.2.

Claims 13 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Sakaki U.S. 2010/0162401 A1 in view of Kataoka U.S. 2004/0210421 A1 in further view of Basavapatna et al U.S. 2013/0191919 A1 and Lotem et al U.S. 2006/0218640 A1.
Claims 13 and 14: the combination fails to teach, however Lotem et al in the same field of endeavor teaches 
 wherein the processor collects the vulnerability information at a timing of starting vulnerability influence evaluation for the evaluation target (par.173, Fig.3). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the combined disclosure of Sakaki with the additional features of Lotem et al in order to provide the ability for evaluating an Intrusion Detection and Prevention (IDP) entity, the method includes evaluating an effect of at least one IDP rule applied by the IDP entity on legitimate traffic, based upon a network model; evaluating an effect of at least one IDP rule applied by the IDP entity based upon a network model and an attack model; determining an effectiveness of the IDP entity in response to the evaluated effects, as suggested by Lotem et al abstract.
Claims 15 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Sakaki U.S. 2010/0162401 A1 in view of Kataoka U.S. 2004/0210421 A1 in further view of Basavapatna et al U.S. 2013/0191919 A1 and Curtis et al U.S. 2012/0210434 A1 and Lotem et al U.S. 2006/0218640 A1.
Claims 13 and 14: the combination fails to teach, however Lotem et al in the same field of endeavor teaches 
 wherein the processor collects the vulnerability information at a timing of starting vulnerability influence evaluation for the evaluation target (par.173, Fig.3). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the combined disclosure of Sakaki with the additional features of Lotem et al in order to provide the ability for evaluating an Intrusion Detection and Prevention (IDP) entity, the method includes evaluating an effect of at least one IDP rule applied by the IDP entity on legitimate traffic, based upon a network model; evaluating an effect of at least one IDP rule applied by the IDP entity based upon a network model and an attack model; determining an effectiveness of the IDP entity in response to the evaluated effects, as suggested by Lotem et al abstract.
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Al-Harbit et al U.S. 2012/0180133 A1 system, program product and methods for performing risk assessment workflow process for plant network and systems.
Goldberg et al U.S. 8,312,549 B2 practical threat analysis.

Conclusion
THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to FATOUMATA TRAORE whose telephone number is (571)270-1685. The examiner can normally be reached 6:30-3:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, SHEWAYE GELAGAY can be reached on 5712724219. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available 





Monday, March 7, 2022
/FATOUMATA TRAORE/Primary Examiner, Art Unit 2436