DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on March 2, 2022 has been entered.

Claim Objections
Claim 4 is objected to because of the following informalities:  the claim recites, “to determine that the risk metric violates the one or more operational preferences” which should be “to determine that the risk metric violates the .  Appropriate correction is required.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any 
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-2, 4-6, 8-10, 12-14, 16-18 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Seiver et al. (US PGPUB 2017/0078322; hereinafter “Seiver”) in view of Jagad et al. (US PGPUB 2015/0244743; hereinafter “Jagad”) and Sakib et al. (US PGPUB 2020/0274939; hereinafter “Sakib”).
Claim 1: (Currently Amended)
Seiver teaches a system comprising:
one or more processors (Fig. 10: Central Processing Unit (CPU) 150); and
one or more non-transitory computer-readable media storing computer-executable instructions that, when executed by the one or more processors, cause the one or more processors to (Fig. 10: Mass Storage Device 120. [0358] “Each of the processes, methods, and algorithms described in the preceding sections may be embodied in, and fully or partially automated by, code modules executed by one or more computer systems or computer processors comprising computer hardware. The code modules (or ‘engines’) may be stored on any type of non-transitory computer-
identify a group of network devices in a device network that share a common functional attribute, wherein individual ones of the group of network devices are running first software ([0201] “For instance in determining a total risk value for the network devices, the system can determine a number of network devices (e.g. a total number of network devices associated the networks)… a number of machines running vulnerable operating systems… a number of distinct applications running on the networks (e.g., on network devices included in the networks), a percentage of applications that are up to date (e.g., a current version)…and so on.”);
receive, from a user account and via a user device, input data defining operational preferences associated with the group of network devices ([0160] “risk assessment system 100 may include one or more commonly available input/output (I/O) devices and interfaces 110.” [0170] “FIG. 9A is an example user interface 900 illustrating user account risk values of user accounts. The user interface 900… can be generated by the system (e.g., risk assessment system 100…) and be provided as an interactive document … on a user device”. [0257] “The system receives user input specifying an investment to be made to network security (block 1402). As described above, an investment is one or more goals, that when implemented, each reduce a risk value of one or more user accounts and/or one or more network devices. The system can determine investments that will most reduce risk values by analyzing which metrics are most commonly raising compromise vulnerabilities or compromise values of user accounts and/or network devices.”),
wherein the operational preferences include:
a risk-tolerance level indicating an allowable measure of risk associated with the group of network devices ([0177] “the system can provide description of summary data associated with user account risk values and/or network device risk values. For instance, the user interface 920 indicates metrics 922 that are most affecting the network device risk values of network devices. As an example, the system has determined one or more metrics indicating that a large percentage (e.g., greater than a threshold) of network devices are executing applications known to be trivially exploitable (e.g., comprised without extensive effort by a hacker).” [0314] “the user can specify a number, or percentage, of network devices affected by the particular metric 2704 that is acceptable. The system (e.g., the risk assessment system 100) can then identify whether the presented number in the user interface 2700 is acceptable, and optionally whether the number is good, mediocre, poor, and so on.”); and
a preferred-operational list indicating a set of features that are preferred by the user account to be associated with the group of network devices ([0167] “the reviewing user can indicate goals to improve compromise values and compromise vulnerabilities, and the system can monitor whether the goals are positively affecting network security,” wherein the disclosed “goals” are one type of “list indicating a set of features that are preferred”.  [0257] “The system receives user input specifying an investment to be made to network security (block 1402). As described above, an investment is one or more goals, that when implemented, each reduce a risk value of one or more user accounts and/or one or more network devices. The system can determine investments that will most reduce risk values by analyzing which metrics are most commonly raising ;
collect operational data that indicates a current operating condition associated with the group of network devices running the first software ([0207] “FIG. 12A is a flowchart of an example process 1200 for determining a network device risk value of a network device.” [0208] “To determine the network device compromise vulnerability, the system determines multitudes of metrics that each measure a particular aspect of an increase in likelihood of compromise.” [0209] “The system obtains the configuration information for the network device, and determines whether the network device conforms to the guidelines.”);

determine that the risk metric violates the operational preferences ([0325] “the user can specify values thresholds associated with metrics (e.g., as described above with respect to FIGS. 12A-12B, metrics can be associated with numerical values and determined for each … network device), and only … network devices associated with the value thresholds can be presented. In this way, the user can specify a threshold value of a metric associated with measuring a number of exploitable applications on each network device, and network devices with a value of the metric (e.g., a number of exploitable applications) greater than the threshold can be included in the network risk map 2802.”).

With further regard to Claim 1, Seiver does not teach the following, however, Jagad teaches:
identify second software configured for execution by individual ones of the group of network devices, wherein the second software satisfies the operational preferences and is associated with the common functional attribute of the group of network devices 
determine that running the second software lowers the measure of risk associated with the group of network devices as compared to running the first software ([0047] “an application 129 that is similar to the uninstalled application 129 but that has been previously determined to comply with a profile 139….” [0052] “If the number of violations for one or more rules 143 or one or more sets of rules 143 is less than a predefined threshold, the device management system 119 may determine that the application 129 is compliant with the profile 139. In some embodiments, the device management system 119 may assign a certification designation to the application 129 to indicate to users of the client devices 106 and/or administrators of the device management system 119 that the application 129 has been deemed compliant with a profile 139 and therefore is believed to present a relatively low security risk,” wherein the compliant application, i.e. the second software, has been determined to pose a low 
provide the user device with access to a recommendation to run the second software on individual ones of the group of network devices ([0049] “In another embodiment, the command may instruct the management component 149 to cause a message to be presented to a user of the client device 106. Such a message may, for example, inform the user that the application 129 has been identified as violating a profile 139. Additionally, the message may suggest that the application 129 be uninstalled and/or recommend another application 129 to be installed in its place.”); and
cause the group of network devices to run the second software ([0050] “the device management system 119 may transmit one or more commands to multiple client devices 106 that are managed by the device management system 119 and that have the application 129 that has been deemed noncompliant with the profile 139. In this way, once an application 129 has been deemed noncompliant, the device management system 119 may initiate remedial action for all of the client devices 106 that have that application 129.” [0025] “An application 129 may comprise, for example, one or more programs that perform various operations when executed in the client device 106.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the system as disclosed by Seiver with the identification and recommendation of replacement software as taught by Jagad in order to “provide an administrator with information that facilitates the administrator deciding whether the application 129 is a security risk” (Jagad [0074]) and 

With further regard to Claim 1, Seiver in view of Jagad does not teach the following, however, Sakib teaches wherein the operational preferences include:
a disallowed-operational list indicating at least one of security vulnerabilities or software bugs that are disallowed in the group of network devices ([0087] “The policy-creation module 214 may be designed generate an application-control policy for a set of candidate devices… An application-control policy may include a list of known bad binaries and a list of unwanted binaries… An application-control policy may be designed to allow a managed installer to allow installation and execution of binaries not listed in the application-control policy.” [0088] “The policy-creation module 214 may, however, generate an application-control policy that does not allow binaries included in the list of malicious binaries 224 or the list of unwanted binaries 226 to run on the set of candidate devices, even if application-usage data indicates that the set of candidate devices executed those binaries. The policy-creation module 214 may also not allow binaries obtained from a particular source, such as a particular website.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the system as disclosed by Seiver in view of Jagad with the disallowed-operational list as taught by Sakib in order to “add sufficient security to the devices while imposing a sufficiently low potential for productivity interference” (Sakib [0028]).

	Claim 2: (Currently Amended)
Seiver in view of Jagad and Sakib teaches the system of claim 1, and Seiver teaches comprising further computer-executable instructions that, when executed by the one or more processors, cause the one or more processors to:
store an association between the operational preferences and a user account associated with the group of network devices ([0167] “the system can monitor changes to compromise values and compromise vulnerabilities of user accounts, and network devices, over time. The reviewing user can then determine any positive, or negative, changes to the determined values and take remedial actions in response. For instance, the reviewing user can indicate goals to improve compromise values and compromise vulnerabilities, and the system can monitor whether the goals are positively affecting network security (e.g., an investment as will be described below),” wherein the disclosure that the “system can monitor changes” as it relates to “user accounts” and “goals”, i.e. operational preferences, teaches the storage of some form of an association between these two data.  [0257] “an investment is one or more goals, that when implemented, each reduce a risk value of one or more user accounts and/or one or more network devices. The system can determine investments that will most reduce risk values by analyzing which metrics are most commonly raising compromise vulnerabilities or compromise values of user accounts and/or network devices.”).

Claim 4: (Currently Amended)

to determine that the risk metric violates the one or more operational preferences comprises to determine that the risk metric indicates a higher measure of risk than the allowable measure of risk ([0193] “Similarly, each metric associated with a compromise value measures an aspect of a network device that is known to increase the priority an attacker might place on compromising the network device. For instance, an example metric measures whether the network device is used by user accounts with compromise values greater than a threshold,” wherein the “allowable measure of risk” is indicated by values that are less than the threshold disclosed in Seiver.).

Claim 5:
Seiver in view of Jagad and Sakib teaches the system of claim 1, and Seiver teaches comprising further computer-executable instructions that, when executed by the one or more processors, cause the one or more processors to:
obtain telemetry data associated with a plurality of network devices in the device network ([0215] “Additionally, the system determines a metric describing a number of paths to the network device (e.g., which can be based on a determined network topology, as described above with respect to FIG. 2A-2D). The greater the number of paths to the network device, the more likely it could be that the network device can be accessed, and potentially compromised. Similarly, a metric can determine communication paths, and network connectivity, to the network device from other 
analyze the telemetry data to identify, from the plurality of network devices, the group of network devices as sharing the common functional attribute in the device network ([0118] “For nodes that include more than one network device, e.g., multiple network devices that are part of the same subnet, the system can determine compromise values of those multiple network devices, and compute a sum of the network devices for the node.”);
generate a device policy for the group of network devices ([0139] “The system can then determine a network compromise risk value, e.g., by combining in some manner, such as summing, the compromise risk values for each node and/or user account in the network. The network compromise risk value identifies a compromise risk value for the entire network, and can then be provided to a system administrator to obtain a high level estimation of the overall risks associated with the network.” [0318] “The user can further refine and filter information included in the network risk map, for example by constraining particular network devices that are included in the network risk map according to particular configuration information. For instance, the user can request that only network devices … that are connected with (e.g., determined from a network topology of the networks) network devices that satisfy one or more constraints, and so on, are to be included. As an example, the moment an exploit becomes known (e.g., a zero-day), a user can view the network risk map and filter, refine, the network risk map to present only network devices that are affected by the exploit. The user can 
store an indication of the device policy for the group of network devices indicating that the group of network devices share the common functional attribute in the device network ([0319] “Information associated with network risk maps can be shared with other users associated with other networks, such that a particular network risk map can be applied to other networks. As will be described, information associated with a network risk map can include filters and refinements applied to network devices and user accounts, particular metrics utilized in determining risk values of networks devices and user accounts, particular weights applied to values of metrics in determining compromise value and compromise likelihood, and so on,” wherein the “information associated with the network risk maps,” i.e. the “indication of the device policy”, is disclosed in Seiver as being able to be shared with other users and as such must be stored in some form.).

Claim 6:
Seiver in view of Jagad and Sakib teaches the system of claim 1, and Seiver further teaches wherein the common functional attribute shared by the group of network devices comprises at least one of:
a common hardware component type ([0344] “the system can determine commonalities of aspects of user accounts or network devices that are associated with user accounts or network devices actually compromised.”);

a common software version ([0201] “the system can determine a… a number of machines running vulnerable operating systems” [0286] “a user can create a metric associated with measuring numbers of network devices that are (1) enabled (e.g., active on the networks, or that have at least one communication path with one or more other network devices as indicated by a determined network topology) and (2) execute a particular operating system (e.g., particular type of operating system, particular type of a particular version, and so on).”); or
common software features being supported ([0201] “the system can determine …  a number of network devices with local administrator accounts on them,” wherein the “common software feature” is the presence of a “local administrator account”.).

Claim 8: (Currently Amended)
Seiver in view of Jagad and Sakib teaches the system of claim 1, and Seiver further teaches wherein the operational preferences include a stability-preference metric indicating a permitted measure of at least one of software bugs, security advisories, or security vulnerabilities determined for other software ([0167] “the reviewing user can indicate goals to improve compromise values and compromise vulnerabilities, and the system can monitor whether the goals are positively affecting network security (e.g., an investment as will be described below).” [0257] “an investment is one or more goals, 
determine that the second software is associated with a stability metric indicating an actual measure of at least one of software bugs, security advisories, or security vulnerabilities determined for the second software ([0165] “a metric for determining a likelihood of compromise of a network device can include determining whether the network device is executing applications known to be trivially exploitable.” [0217] “Upon determining the compromise vulnerability for the network device, the system stores information describing the compromise vulnerability (e.g., time stamp associated with the determination, values of metrics, and so on) in one or more databases.”); and
determine that the stability metric is less than or equal to the stability-preference metric ([0325] “the user can specify values thresholds associated with metrics (e.g., as described above with respect to FIGS. 12A-12B, metrics can be associated with numerical values and determined for each user account or network device), and only user accounts or network devices associated with the value thresholds can be presented. In this way, the user can specify a threshold value of a metric associated with measuring a number of exploitable applications on each network device, and network devices with a value of the metric (e.g., a number of exploitable applications) greater than the threshold can be included in the network risk map 2802.”).

Claim 9: (Currently Amended)
Seiver teaches a method comprising:
identifying a group of network devices in a device network that share a common functional attribute, wherein individual ones of the group of network devices are running first software ([0201] “For instance in determining a total risk value for the network devices, the system can determine a number of network devices (e.g. a total number of network devices associated the networks)… a number of machines running vulnerable operating systems… a number of distinct applications running on the networks (e.g., on network devices included in the networks), a percentage of applications that are up to date (e.g., a current version)…and so on.”); 
receiving, from a user account and via a user device, input data defining operational preferences associated with the group of network devices ([0160] “risk assessment system 100 may include one or more commonly available input/output (I/O) devices and interfaces 110.” [0170] “FIG. 9A is an example user interface 900 illustrating user account risk values of user accounts. The user interface 900… can be generated by the system (e.g., risk assessment system 100…) and be provided as an interactive document … on a user device”. [0257] “The system receives user input specifying an investment to be made to network security (block 1402). As described above, an investment is one or more goals, that when implemented, each reduce a risk value of one or more user accounts and/or one or more network devices. The system can determine investments that will most reduce risk values by analyzing which metrics ,
wherein the operational preferences include:
a risk-tolerance level indicating an allowable measure of risk associated with the group of network devices ([0177] “the system can provide description of summary data associated with user account risk values and/or network device risk values. For instance, the user interface 920 indicates metrics 922 that are most affecting the network device risk values of network devices. As an example, the system has determined one or more metrics indicating that a large percentage (e.g., greater than a threshold) of network devices are executing applications known to be trivially exploitable (e.g., comprised without extensive effort by a hacker).” [0314] “the user can specify a number, or percentage, of network devices affected by the particular metric 2704 that is acceptable. The system (e.g., the risk assessment system 100) can then identify whether the presented number in the user interface 2700 is acceptable, and optionally whether the number is good, mediocre, poor, and so on.”); and
a preferred-operational list indicating a set of features that are preferred by the user account to be associated with the group of network devices ([0167] “the reviewing user can indicate goals to improve compromise values and compromise vulnerabilities, and the system can monitor whether the goals are positively affecting network security,” wherein the disclosed “goals” are one type of “list indicating a set of features that are preferred”.  [0257] “The system receives user input specifying an investment to be made to network security (block 1402). As described above, an investment is one or more goals, that when implemented, each reduce a risk value of one or more user accounts ;
collecting operational data that indicates a current operating condition associated with the group of network devices running the first software ([0207] “FIG. 12A is a flowchart of an example process 1200 for determining a network device risk value of a network device.” [0208] “To determine the network device compromise vulnerability, the system determines multitudes of metrics that each measure a particular aspect of an increase in likelihood of compromise.” [0209] “The system obtains the configuration 
determining, based at least in part on the current operating condition, a risk metric indicating a measure of risk associated with the group of network devices running the first software ([0177] “the user interface 920 indicates metrics 922 that are most affecting the network device risk values of network devices.” [0209] “For each determined instance of non-conformity (e.g., lack of an anti-virus software) the system can increase a value associated with the metric.” [0198] “the system can combine (e.g., determine a measure of central tendency) of all risk values for network devices to determine a total risk value for the network devices.”); and
determining that the risk metric violates the operational preferences ([0325] “the user can specify values thresholds associated with metrics (e.g., as described above with respect to FIGS. 12A-12B, metrics can be associated with numerical values and determined for each … network device), and only … network devices associated with the value thresholds can be presented. In this way, the user can specify a threshold value of a metric associated with measuring a number of exploitable applications on each network device, and network devices with a value of the metric (e.g., a number of exploitable applications) greater than the threshold can be included in the network risk map 2802.”).

With further regard to Claim 9, Seiver does not teach the following, however, Jagad teaches:

determining that running the second software lowers the measure of risk associated with the group of network devices as compared to running the first software ([0047] “an application 129 that is similar to the uninstalled application 129 but that has been previously determined to comply with a profile 139….” [0052] “If the number of violations for one or more rules 143 or one or more sets of rules 143 is less than a predefined threshold, the device management system 119 may determine that the application 129 is compliant with the profile 139. In some embodiments, the device management system 119 may assign a certification designation to the application 129 
providing the user device with access to a recommendation to run the second software on individual ones of the group of network devices ([0049] “In another embodiment, the command may instruct the management component 149 to cause a message to be presented to a user of the client device 106. Such a message may, for example, inform the user that the application 129 has been identified as violating a profile 139. Additionally, the message may suggest that the application 129 be uninstalled and/or recommend another application 129 to be installed in its place.”); and
causing the group of network devices to run the second software ([0050] “the device management system 119 may transmit one or more commands to multiple client devices 106 that are managed by the device management system 119 and that have the application 129 that has been deemed noncompliant with the profile 139. In this way, once an application 129 has been deemed noncompliant, the device management system 119 may initiate remedial action for all of the client devices 106 that have that application 129.” [0025] “An application 129 may comprise, for example, one or more programs that perform various operations when executed in the client device 106.”).


With further regard to Claim 9, Seiver in view of Jagad does not teach the following, however, Sakib teaches wherein the operational preferences include:
a disallowed-operational list indicating at least one of security vulnerabilities or software bugs that are disallowed in the group of network devices ([0087] “The policy-creation module 214 may be designed generate an application-control policy for a set of candidate devices… An application-control policy may include a list of known bad binaries and a list of unwanted binaries… An application-control policy may be designed to allow a managed installer to allow installation and execution of binaries not listed in the application-control policy.” [0088] “The policy-creation module 214 may, however, generate an application-control policy that does not allow binaries included in the list of malicious binaries 224 or the list of unwanted binaries 226 to run on the set of candidate devices, even if application-usage data indicates that the set of candidate devices executed those binaries. The policy-creation module 214 may also not allow binaries obtained from a particular source, such as a particular website.”).


Claim 10: (Currently Amended)
Seiver in view of Jagad and Sakib teaches the method of claim 9, and Seiver teaches further comprising storing an association between the operational preferences and a user account associated with the group of network devices ([0167] “the system can monitor changes to compromise values and compromise vulnerabilities of user accounts, and network devices, over time. The reviewing user can then determine any positive, or negative, changes to the determined values and take remedial actions in response. For instance, the reviewing user can indicate goals to improve compromise values and compromise vulnerabilities, and the system can monitor whether the goals are positively affecting network security (e.g., an investment as will be described below),” wherein the disclosure that the “system can monitor changes” as it relates to “user accounts” and “goals”, i.e. operational preferences, teaches the storage of some form of an association between these two data.  [0257] “an investment is one or more goals, that when implemented, each reduce a risk value of one or more user accounts and/or one or more network devices. The system can determine investments that will most reduce risk values by analyzing which metrics are most commonly raising 

Claim 12: (Currently Amended)
Seiver in view of Jagad and Sakib teaches the method of claim 9, and Seiver further teaches wherein:
determining that the risk metric violates the operational preferences comprises determining that the risk metric indicates a higher measure of risk than the allowable measure of risk ([0193] “Similarly, each metric associated with a compromise value measures an aspect of a network device that is known to increase the priority an attacker might place on compromising the network device. For instance, an example metric measures whether the network device is used by user accounts with compromise values greater than a threshold,” wherein the “allowable measure of risk” is indicated by values that are less than the threshold disclosed in Seiver.).

Claim 13:
Seiver in view of Jagad and Sakib teaches the method of claim 9, and Seiver teaches further comprising:
obtaining telemetry data associated with a plurality of network devices in the device network ([0215] “Additionally, the system determines a metric describing a number of paths to the network device (e.g., which can be based on a determined network topology, as described above with respect to FIG. 2A-2D). The greater the number of paths to the network device, the more likely it could be that the network 
analyzing the telemetry data to identify, from the plurality of network devices, the group of network devices as sharing the common functional attribute in the device network ([0118] “For nodes that include more than one network device, e.g., multiple network devices that are part of the same subnet, the system can determine compromise values of those multiple network devices, and compute a sum of the network devices for the node.”);
generating a device policy for the group of network devices ([0139] “The system can then determine a network compromise risk value, e.g., by combining in some manner, such as summing, the compromise risk values for each node and/or user account in the network. The network compromise risk value identifies a compromise risk value for the entire network, and can then be provided to a system administrator to obtain a high level estimation of the overall risks associated with the network.” [0318] “The user can further refine and filter information included in the network risk map, for example by constraining particular network devices that are included in the network risk map according to particular configuration information. For instance, the user can request that only network devices … that are connected with (e.g., determined from a network topology of the networks) network devices that satisfy one or more constraints, and so on, are to be included. As an example, the moment an exploit becomes known (e.g., a zero-day), a user can view the network risk map and filter, refine, the network 
storing an indication of the device policy for the group of network devices indicating that the group of network devices share the common functional attribute in the device network ([0319] “Information associated with network risk maps can be shared with other users associated with other networks, such that a particular network risk map can be applied to other networks. As will be described, information associated with a network risk map can include filters and refinements applied to network devices and user accounts, particular metrics utilized in determining risk values of networks devices and user accounts, particular weights applied to values of metrics in determining compromise value and compromise likelihood, and so on,” wherein the “information associated with the network risk maps,” i.e. the “indication of the device policy”, is disclosed in Seiver as being able to be shared with other users and as such must be stored in some form.).

Claim 14:
Seiver in view of Jagad and Sakib teaches the method of claim 9, and Seiver further teaches wherein the common functional attribute shared by the group of network devices comprises at least one of:
a common hardware component type ([0344] “the system can determine commonalities of aspects of user accounts or network devices that are associated with user accounts or network devices actually compromised.”);

a common software version ([0201] “the system can determine a… a number of machines running vulnerable operating systems” [0286] “a user can create a metric associated with measuring numbers of network devices that are (1) enabled (e.g., active on the networks, or that have at least one communication path with one or more other network devices as indicated by a determined network topology) and (2) execute a particular operating system (e.g., particular type of operating system, particular type of a particular version, and so on).”); or
common software features being supported ([0201] “the system can determine …  a number of network devices with local administrator accounts on them,” wherein the “common software feature” is the presence of a “local administrator account”.).

Claim 16: (Currently Amended)
Seiver in view of Jagad and Sakib teaches the method of claim 9, and Seiver further teaches wherein the operational preferences include a stability-preference metric indicating a permitted measure of at least one of software bugs, security advisories, or security vulnerabilities determined for other software ([0167] “the reviewing user can indicate goals to improve compromise values and compromise vulnerabilities, and the system can monitor whether the goals are positively affecting network security (e.g., an investment as will be described below).” [0257] “an investment is one or more goals, 
determining that the second software is associated with a stability metric indicating an actual measure of at least one of software bugs, security advisories, or security vulnerabilities determined for the second software ([0165] “a metric for determining a likelihood of compromise of a network device can include determining whether the network device is executing applications known to be trivially exploitable.” [0217] “Upon determining the compromise vulnerability for the network device, the system stores information describing the compromise vulnerability (e.g., time stamp associated with the determination, values of metrics, and so on) in one or more databases.”); and
determining that the stability metric is less than or equal to the stability-preference metric ([0325] “the user can specify values thresholds associated with metrics (e.g., as described above with respect to FIGS. 12A-12B, metrics can be associated with numerical values and determined for each user account or network device), and only user accounts or network devices associated with the value thresholds can be presented. In this way, the user can specify a threshold value of a metric associated with measuring a number of exploitable applications on each network device, and network devices with a value of the metric (e.g., a number of exploitable applications) greater than the threshold can be included in the network risk map 2802.”).

Claim 17: (Currently Amended)
Seiver teaches a system comprising:
one or more processors (Fig. 10: Central Processing Unit (CPU) 150); and
one or more non-transitory computer-readable media storing computer-executable instructions that, when executed by the one or more processors, cause the one or more processors to (Fig. 10: Mass Storage Device 120. [0358] “Each of the processes, methods, and algorithms described in the preceding sections may be embodied in, and fully or partially automated by, code modules executed by one or more computer systems or computer processors comprising computer hardware. The code modules (or ‘engines’) may be stored on any type of non-transitory computer-readable medium or computer storage device, such as hard drives, solid state memory, optical disc, and/or the like.”):
obtain telemetry data associated with a plurality of network devices in a device network ([0215] “Additionally, the system determines a metric describing a number of paths to the network device (e.g., which can be based on a determined network topology, as described above with respect to FIG. 2A-2D). The greater the number of paths to the network device, the more likely it could be that the network device can be accessed, and potentially compromised. Similarly, a metric can determine communication paths, and network connectivity, to the network device from other network devices indicated as being valuable, or that have associated compromise values greater than a threshold.”);

individual ones of the group of network devices running first software ([0201] “For instance in determining a total risk value for the network devices, the system can determine a number of network devices (e.g. a total number of network devices associated the networks)… a number of machines running vulnerable operating systems… a number of distinct applications running on the networks (e.g., on network devices included in the networks), a percentage of applications that are up to date (e.g., a current version)…and so on.”);
generate a device policy for the group of network devices ([0139] “The system can then determine a network compromise risk value, e.g., by combining in some manner, such as summing, the compromise risk values for each node and/or user account in the network. The network compromise risk value identifies a compromise risk value for the entire network, and can then be provided to a system administrator to obtain a high level estimation of the overall risks associated with the network.” [0318] “The user can further refine and filter information included in the network risk map, for example by constraining particular network devices that are included in the network risk map according to particular configuration information. For instance, the user can request that only network devices … that are connected with (e.g., determined from a 
store an indication of the device policy for the group of network devices indicating that the group of network devices share the common functional attribute in the device network ([0319] “Information associated with network risk maps can be shared with other users associated with other networks, such that a particular network risk map can be applied to other networks. As will be described, information associated with a network risk map can include filters and refinements applied to network devices and user accounts, particular metrics utilized in determining risk values of networks devices and user accounts, particular weights applied to values of metrics in determining compromise value and compromise likelihood, and so on,” wherein the “information associated with the network risk maps,” i.e. the “indication of the device policy”, is disclosed in Seiver as being able to be shared with other users and as such must be stored in some form.);
receive, via a user account associated with the group of network devices, input data defining operational preferences associated with the group of network devices ([0160] “risk assessment system 100 may include one or more commonly available input/output (I/O) devices and interfaces 110.” [0170] “FIG. 9A is an example user interface 900 illustrating user account risk values of user accounts. The user interface  ,
wherein the operational preferences include:
a risk-tolerance level indicating an allowable measure of risk associated with the group of network devices ([0177] “the system can provide description of summary data associated with user account risk values and/or network device risk values. For instance, the user interface 920 indicates metrics 922 that are most affecting the network device risk values of network devices. As an example, the system has determined one or more metrics indicating that a large percentage (e.g., greater than a threshold) of network devices are executing applications known to be trivially exploitable (e.g., comprised without extensive effort by a hacker).” [0314] “the user can specify a number, or percentage, of network devices affected by the particular metric 2704 that is acceptable. The system (e.g., the risk assessment system 100) can then identify whether the presented number in the user interface 2700 is acceptable, and optionally whether the number is good, mediocre, poor, and so on.”); and
a preferred-operational list indicating a set of features that are preferred by the user account to be associated with the group of network devices ([0167] “the reviewing ;


With further regard to Claim 17, Seiver does not teach the following, however, Jagad teaches:
identify second software configured for execution by individual ones of the group of network devices, wherein the second software satisfies the operational preferences and is associated with the common functional attribute of the group of network devices ([0045] “remedial action may be initiated upon the number of violations for a set of rules 143 that are assigned a particular level of risk satisfying a predetermined threshold.” 
determine that running the second software lowers the measure of risk associated with the group of network devices as compared to running the first software ([0047] “an application 129 that is similar to the uninstalled application 129 but that has been previously determined to comply with a profile 139….” [0052] “If the number of violations for one or more rules 143 or one or more sets of rules 143 is less than a predefined threshold, the device management system 119 may determine that the application 129 is compliant with the profile 139. In some embodiments, the device management system 119 may assign a certification designation to the application 129 to indicate to users of the client devices 106 and/or administrators of the device management system 119 that the application 129 has been deemed compliant with a profile 139 and therefore is believed to present a relatively low security risk,” wherein the compliant application, i.e. the second software, has been determined to pose a low security risk as compared to running the non-compliant application, i.e. the first 
provide the user account with access to a recommendation to run the second software on individual ones of the group of network devices ([0049] “In another embodiment, the command may instruct the management component 149 to cause a message to be presented to a user of the client device 106. Such a message may, for example, inform the user that the application 129 has been identified as violating a profile 139. Additionally, the message may suggest that the application 129 be uninstalled and/or recommend another application 129 to be installed in its place.”); and
cause the group of network devices to run the second software ([0050] “the device management system 119 may transmit one or more commands to multiple client devices 106 that are managed by the device management system 119 and that have the application 129 that has been deemed noncompliant with the profile 139. In this way, once an application 129 has been deemed noncompliant, the device management system 119 may initiate remedial action for all of the client devices 106 that have that application 129.” [0025] “An application 129 may comprise, for example, one or more programs that perform various operations when executed in the client device 106.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the system as disclosed by Seiver with the identification and recommendation of replacement software as taught by Jagad in order to “provide an administrator with information that facilitates the administrator deciding whether the application 129 is a security risk” (Jagad [0074]) and further “so that the administrator may decide whether to, for example, prohibit the 

With further regard to Claim 17, Seiver in view of Jagad does not teach the following, however, Sakib teaches wherein the operational preferences include:
a disallowed-operational list indicating at least one of security vulnerabilities or software bugs that are disallowed in the group of network devices ([0087] “The policy-creation module 214 may be designed generate an application-control policy for a set of candidate devices… An application-control policy may include a list of known bad binaries and a list of unwanted binaries… An application-control policy may be designed to allow a managed installer to allow installation and execution of binaries not listed in the application-control policy.” [0088] “The policy-creation module 214 may, however, generate an application-control policy that does not allow binaries included in the list of malicious binaries 224 or the list of unwanted binaries 226 to run on the set of candidate devices, even if application-usage data indicates that the set of candidate devices executed those binaries. The policy-creation module 214 may also not allow binaries obtained from a particular source, such as a particular website.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the system as disclosed by Seiver in view of Jagad with the disallowed-operational list as taught by Sakib in order to “add sufficient security to the devices while imposing a sufficiently low potential for productivity interference” (Sakib [0028]).


Seiver in view of Jagad and Sakib teaches the system of claim 17, and Seiver teaches comprising further computer-executable instructions that, when executed by the one or more processors, cause the one or more processors to:
collect operational data that indicates a current operating condition associated with the group of network devices running the first software ([0207] “FIG. 12A is a flowchart of an example process 1200 for determining a network device risk value of a network device.” [0208] “To determine the network device compromise vulnerability, the system determines multitudes of metrics that each measure a particular aspect of an increase in likelihood of compromise.” [0209] “The system obtains the configuration information for the network device, and determines whether the network device conforms to the guidelines.”);
determine, based at least in part on the current operating condition, a risk metric indicating the measure of risk associated with the group of network devices running the first software ([0177] “the user interface 920 indicates metrics 922 that are most affecting the network device risk values of network devices.” [0209] “For each determined instance of non-conformity (e.g., lack of an anti-virus software) the system can increase a value associated with the metric.” [0198] “the system can combine (e.g., determine a measure of central tendency) of all risk values for network devices to determine a total risk value for the network devices.”); and
determine that the risk metric violates the operational preferences ([0325] “the user can specify values thresholds associated with metrics (e.g., as described above with respect to FIGS. 12A-12B, metrics can be associated with numerical values and 

Claim 20:
Seiver in view of Jagad and Sakib teaches the system of claim 17, and Jagad further teaches wherein the recommendation to run the second software on individual ones of the group of network devices includes indications of software bugs or security vulnerabilities for the second software ([0049] “the command may instruct the management component 149 to cause a message to be presented to a user of the client device 106. Such a message may, for example, inform the user that the application 129 has been identified as violating a profile 139. Additionally, the message may suggest that the application 129 be uninstalled and/or recommend another application 129 to be installed in its place.” [0052] “, the device management system 119 may determine that the application 129 is compliant with the profile 139. In some embodiments, the device management system 119 may assign a certification designation to the application 129 to indicate to users of the client devices 106 and/or administrators of the device management system 119 that the application 129 has been deemed compliant with a profile 139 and therefore is believed to present a relatively low security risk.”).

Claims 7 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Seiver in view of Jagad and Sakib as applied to Claims 1 and 9 above, and further in view of Kumar (US PGPUB 2016/0162270; hereinafter “Kumar”).
Claim 7: (Currently Amended)
Seiver in view of Jagad and Sakib teaches all the limitations of claim 1 as described above. Seiver in view of Jagad and Sakib does not teach the following, however, Kumar teaches:
wherein the operational preferences include a popularity-preference metric indicating a permitted measure of other user accounts associated with other network devices that are running other software ([0037] “The system may generate a set of alternative applications, including new or recently improved applications, which are related to one of the frequently used applications by the user. … The alternative applications may be determined based on a variety of factors. A non-exhaustive list may include a popularity metric”), comprising further computer-executable instructions that, when executed by the one or more processors, cause the one or more processors to:
determine that the second software is associated with a popularity metric indicating an actual measure of the other users associated with the other network devices that are running the second software ([0049] “the system may select applications at 110 based upon a popularity metric … A popularity metric may refer to the number of installations on client devices for an application.”); and
determine that the popularity metric is greater than or equal to the popularity- preference metric ([0042] “The application store may present applications according to 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the system as disclosed by Seiver in view of Jagad and Sakib with the use of the popularity metric as taught by Kumar “thus reducing the effort required from the user to identify related applications” (Kumar [0037]).

Claim 15: (Currently Amended)
Seiver in view of Jagad and Sakib teaches all the limitations of claim 9 as described above. Seiver in view of Jagad and Sakib does not teach the following, however, Kumar teaches:
wherein the operational preferences include a popularity-preference metric indicating a permitted measure of other user accounts associated with other network devices that are running other software ([0037] “The system may generate a set of alternative applications, including new or recently improved applications, which are related to one of the frequently used applications by the user. … The alternative applications may be determined based on a variety of factors. A non-exhaustive list may include a popularity metric”), further comprising:
determining that the second software is associated with a popularity metric indicating an actual measure of the other users associated with the other network devices that are running the second software ([0049] “the system may select 
determining that the popularity metric is greater than or equal to the popularity- preference metric ([0042] “The application store may present applications according to popularity.” See also Claim 4 of Kumar, which recites, “4. The method of claim 1, wherein the plurality of applications comprise applications that are above at least one of a threshold level of rating or a threshold level of popularity.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the method as disclosed by Seiver in view of Jagad and Sakib with the use of the popularity metric as taught by Kumar “thus reducing the effort required from the user to identify related applications” (Kumar [0037]).

Response to Arguments
Applicant's arguments filed March 2, 2022 have been fully considered but they are not persuasive.
The Office contends that the previously cited Seiver et al. (US PGPUB 2017/0078322; hereinafter “Seiver”) reference does teach a portion of the newly amended language recited in independent claims 1, 9 and 17. The Office respectfully directs the Applicant’s attention to the newly modified rejections of claims 1, 9 and 17 above for further explanation regarding how the Seiver reference has been interpreted as teaching the newly amended language of independent claims 1, 9 and 17, 
With respect to the remaining newly amended limitation of independent claims 1, 9 and 17, “a disallowed-operational list”, the Office notes that this limitation is taught and made obvious by the disclosure of the newly cited Sakib et al. (US PGPUB 2020/0274939; hereinafter “Sakib”) reference. 
Therefore the Applicant's arguments, see Pages 11-12 of the Remarks, with respect to the rejections under 35 U.S.C. 103 of Claims 1-2, 4-10, 12-18 and 20 have been fully considered but are moot in view of new grounds of rejection.	

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JOANNE GONZALES MACASIANO whose telephone number is (571)270-7749. The examiner can normally be reached Monday to Thursday, 10:30 AM to 6:00 PM Eastern Standard Time.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Dennis Chow can be reached on (571)272-7767. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.






/J.G.M/Examiner, Art Unit 2194                                                                                                                                                                                                        

/DOON Y CHOW/Supervisory Patent Examiner, Art Unit 2194