DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statements (IDS) submitted on 5/14/2020, 4/05/2021, and 12/14/2021 are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statements are being considered by the examiner.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1, 2, 5, 6, 8, 9, 12, 13, 15, 16, and 19 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by S. Gowda et al. "False Positive Analysis of Software Vulnerabilities Using Machine Learning," 2018, pp. 3-6 (hereinafter, “Gowda”).
As per claim 1: Gowda discloses: A system for managing software, comprising: a memory to store executable instructions; and, a processor adapted to access the memory, the processor further adapted to execute the executable instructions stored in the memory to (machine learning techniques are proposed to eliminate false positives in Dynamic Application Security Testing for security vulnerabilities [Gowda, Abstract] – such techniques would inherently require a conventional computer system to accomplish): obtain an electronic document listing potential vulnerability issues of a software product (obtaining scan results from scanners [Gowda, pg. 2, Fig. 1]: “..one can implement machine learning using the data available from scanners/penetration testing to predict the false positive factor for a reported vulnerability…”); extract features from the electronic document for each potential vulnerability issue (data cleaning [Gowda, Fig. 1]; in “II. Methodology”, elements (also as vectors) that directly impact false positive analysis are identified); determine a vector based on the extracted features (“Since the data is text for http requests and responses, one needs to identify elements within such text that directly impacts the false positive analysis , such elements are referred to as vectors.” [Gowda, pg. 3]; also described on pg. 3 of Gowda, an example of how a vector is obtained and input to train a model that is used in the future for prediction); select one of a plurality of vulnerability-scoring methods based on the vector, the vulnerability-scoring methods selected from a group consisting of machine learning modelling methods and automated triaging methods (models using different implementations of ; and, determine a vulnerability accuracy score based on the vector using the selected vulnerability-scoring method (the accuracy measured for false positive analysis of vulnerabilities using various algorithms for both XSS and CSRF are shown in Tables 5 & 6; however, the same approach can be extended to other vulnerabilities [Gowda, pg. 6]).

As per claim 2: Gowda discloses all limitations of claim 1. Furthermore, Gowda discloses: wherein the processor is further adapted to: scan source code of the software product to detect the potential vulnerability issues; and, generate the electronic document based on the detected potential vulnerability issues (the findings of vulnerabilities of XSS and CSRF are available from scanners/penetration testing [Gowda, pg. 2 (see left column, and corresponding Fig. 1); in XSS (cross site scripting), vulnerabilities are found by injecting XSS vectors into the http body (e.g. “source code” of a web site/application) to determine if a vulnerability is present [Gowda, pg. 1; see “False Positive Analysis of Cross Site Scripting (XSS)”]).

As per claim 5: Gowda discloses all limitations of claim 1. Furthermore, Gowda discloses: wherein the processor is further adapted to: display the vulnerability accuracy score to a user (the measured accuracies [Gowda, pg. 4, Tables 5 & 6]).

As per claim 6: Gowda discloses all limitations of claim 1. Furthermore, Gowda discloses: wherein the plurality of machine learning modelling methods comprise random forest machine learning models (random forest [Gowda, pg. 2; “Machine Learning methods”]).

As per claim 8: Claim 8 is different in overall scope from claim 1 but recites substantially similar subject matter as claim 1. Claim 8 is directed to a method corresponding to the executable instructions of system claim 1. Thus, the response provided above for claim 1 is equally applicable to claim 8.

As per claim 9: Claim 9 incorporates all limitations of claim 8 and is a method corresponding to the executable instructions of system claim 2. Therefore, the arguments set forth above with respect to claims 2 and 8 are equally applicable to claim 9 and rejected for the same reasons.

As per claim 12: Claim 12 incorporates all limitations of claim 8 and is a method corresponding to the executable instructions of system claim 5. Therefore, the arguments set forth above with respect to claims 5 and 8 are equally applicable to claim 12 and rejected for the same reasons.

As per claim 13: Claim 13 incorporates all limitations of claim 8 and is a method corresponding to the executable instructions of system claim 6. Therefore, the arguments set 

As per claim 15: Claim 15 is different in overall scope from claim 1 but recites substantially similar subject matter as claim 1. Claim 15 is directed to a non-transitory computer-readable medium including instructions corresponding to the executable instructions of system claim 1. Thus, the response provided above for claim 1 is equally applicable to claim 15.

As per claim 16: Claim 16 incorporates all limitations of claim 15 and is a non-transitory computer-readable medium including instructions corresponding to the executable instructions of system claim 2. Therefore, the arguments set forth above with respect to claims 2 and 15 are equally applicable to claim 16 and rejected for the same reasons.

As per claim 19: Claim 19 incorporates all limitations of claim 15 and is a non-transitory computer-readable medium including instructions corresponding to the executable instructions of system claim 5. Therefore, the arguments set forth above with respect to claims 5 and 15 are equally applicable to claim 19 and rejected for the same reasons.
Allowable Subject Matter
Claims 3, 4, 7, 10, 11, 14, 17, 18, and 20 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
The following is a statement of reasons for the indication of allowable subject matter:
The claimed invention is generally directed to aiding cybersecurity experts in interpreting results of detected potential vulnerabilities (e.g. from a report). See [0003] and [0016]. The most relevant prior arts to this subject matter are Gowda (as cited in the above 102 rejection) and US 2020/0057850 (Kraus et al. – cited in the IDS filed 4/05/2021). 
Gowda is directed to eliminating false positives from the results of web application scanning. Gowda uses machine learning techniques to help detect false positives, wherein manual validation of the results would be inefficient and tedious. See Abstract. However, Gowda does not disclose the features that further define the claimed invention in the objected claims. 
Kraus is also similarly directed to using machine learning techniques to alleviate the tasks of administrators in identifying security alerts from event data. See Abstract. However, Kraus is distinct from the features of the objected claims. Kraus is primarily directed to observing event data (not source code of a software application) for determining a confidence score to indicate the severity or credibility of an event data alert. See ¶0238, 0241-0242.
Other prior arts include: 
US 2016/0065599 (Discloses using unstructured data from various sources to create structured data constructs for determining rules).
US 2015/0163242 (Discloses capturing data packets related to an alert and extracting attributes from the captured data packets to compute a level of an aspect of risk attributable to a cyber threat).
G. Jie, K. Xiao-Hui and L. Qiang, "Survey on Software Vulnerability Analysis Method Based on Machine Learning," 2016 IEEE First International Conference on Data Science in Cyberspace (DSC), 2016, pp. 642-647, doi: 10.1109/DSC.2016.33. (Discloses existing vulnerability analysis methods based on machine learning including lexical analysis. An example includes assisting a security analyst during auditing of source code. See pg. 644.)
R. Scandariato, J. Walden, A. Hovsepyan and W. Joosen, "Predicting Vulnerable Software Components via Text Mining," in IEEE Transactions on Software Engineering, vol. 40, no. 10, pp. 993-1006, 1 Oct. 2014, doi: 10.1109/TSE.2014.2340398. (Discloses using text mining of the source code of components of a software application to identify which component is likely to contain vulnerabilities. See Abstract.)

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ROBERT B LEUNG whose telephone number is (571)270-1453. The examiner can normally be reached Mon - Thurs: 10am-7pm ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, JUNG KIM can be reached on 571-272-3804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/ROBERT B LEUNG/Primary Examiner, Art Unit 2494    3-09-2022