DETAILED ACTION
Claims 1-20 are pending in this application. 

Notice of Pre-AIA or AIA Status
2.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 02/10/2021 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Interpretation
4.	The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA 35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

5.	The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function.
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
Claims 1-2 and 4 recite means-plus-function limitations.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitation(s) is/are: a sandbox engine configured to scan (claim 1), a knowledge base engine configured to acquire (claim 1), a risk scoring engine configured to analyze (claim 1), a security control system configured to take an action (claim 1), a static analysis unit configured to perform (claim 2), a dynamic analysis unit configured to generate (claim 2), a statistical analysis unit configured to: receive, identify and generate (claim 2), an audit report generation unit configured to generate (claim 2) and an offline training engine configured to estimate (claim 4).
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph.


Claim Rejections - 35 USC § 103
7.	In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have 



8.	Claims 1, 4-5, 10, 13-14 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Digiambattista et al (“Digiambattista,” US 20190229915) in view of Titonis et al (“Titonis,” US 20180025157) and further in view of Roytman et al (“Roytman,” US 20150237065). 

Regarding claim 1, Digiambattista discloses a vulnerability management system for blockchain digital assets comprising: (Digiambattista, [0108] & [0017] describes a vulnerability management system for blockchain digital assets)
a sandbox engine configured to scan digital assets for vulnerabilities; (Digiambattista, [0113] & [0019] describes sandbox software configured to scan code and instructions [digital assets] for vulnerabilities)
a knowledge base engine including artificial intelligence, (Digiambattista, [0106] & [0020] describes a knowledge base engine including artificial intelligence)
the knowledge base engine configured to acquire information related to new vulnerabilities and threat intelligence; (Digiambattista, [0077], [0105]-[0106] & [0020]-[0021] describes the knowledge base engine configured to acquire information related to new vulnerabilities and threat intelligence; also see [0091], [0108], [0019] & [0049])
Digiambattista fails to explicitly disclose a risk scoring engine including machine learning, the risk scoring engine configured to analyze sandbox engine outcomes and assign a risk score to each vulnerable asset; and a security control system configured to take action on an identified vulnerable asset based on the risk score assigned to the identified vulnerable asset.  
(Titonis, [0392], [0414], [0424], describes risk scoring; [0211], [0219] & [0264] describes machine learning)
the risk scoring engine configured to analyze sandbox engine outcomes and assign a risk score to each vulnerable asset; (Titonis, [0111] & [0264], describes analyzing sandbox engine outcomes and [0423] describes assigning a risk score to each asset). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Titonis with the method and system of Digiambattista to include a risk scoring engine including machine learning, the risk scoring engine configured to analyze sandbox engine outcomes and assign a risk score to each vulnerable asset.  One would have been motivated to provide automated application analysis using an instrumented sandbox and machine learning classification to assess mobile application security (Titonis, [0002]).
Digiambattista and Titonis fail to explicitly disclose a security control system configured to take action on an identified vulnerable asset based on the risk score assigned to the identified vulnerable asset.
However, in an analogous art, Roytman discloses a security control system configured to take action on an identified vulnerable asset based on the risk score assigned to the identified vulnerable asset, (Roytman, [0034], [0038] & [0035] & FIG 7 describes a security control system configured to order a set of remediations [action] on an identified vulnerable asset based on the risk score assigned to the identified vulnerable asset)

effective filing date of the claimed invention to combine the teachings of Roytman with the method and system of Digiambattista and Titonis to include a risk scoring engine including machine learning, the risk scoring engine configured to analyze sandbox engine outcomes and assign a risk score to each vulnerable asset; and a security control system configured to take action on an identified vulnerable asset based on the risk score assigned to the identified vulnerable asset. One would have been motivated to correlate IT security risks from various security risk sources (Roytman, [0002] & [0035]). 

Regarding claim 4, Digiambattista, Titonis and Roytman disclose the vulnerability management system of claim 1. 
Digiambattista further discloses known legitimate digital assets; (Digiambattista, [0033] & [0107]-[0108] where code is known to pass acceptance and later verified).
Titonis further discloses wherein the risk scoring engine includes: a regression model including a machine learning algorithm; (Titonis, [0393], [0414], [0423], risk score; [0179], a regression model including [0111], machine learning)
access to at least one database of digital assets, the at least one database of digital assets including: known vulnerabilities of the digital assets; (Titonis, [0150], [0227], [0250] & [0287], describes identifying similar application binaries [digital assets] from the database of statistics of known vulnerabilities)
(Titonis, [0150], [0227], [0250] & [0287] describes known vulnerable application binaries infected with malware [known vulnerable digital assets])
an offline training engine configured to estimate parameters of the machine learning algorithm and provided training data; (Titonis, [0282]-[0293] describes an external machine learning algorithm and provided training data;  [0326] & [0416]-[0425] describes estimating)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Titonis with the method and system of Digiambattista to include wherein the risk scoring engine includes: a regression model including a machine learning algorithm; access to at least one database of digital assets, the at least one database of digital assets including: known vulnerabilities of the digital assets; known vulnerable digital assets; an offline training engine configured to estimate parameters of the machine learning algorithm and provided training data. One would have been motivated to provide automated application analysis using an instrumented sandbox and machine learning classification to assess mobile application security (Titonis, [0002]).
Digiambattista and Titonis fail to explicitly disclose an online prediction engine comprising the risk scoring engine.
However, in an analogous art, Roytman discloses an online prediction engine comprising the risk scoring engine, (Roytman, [0061], [0053] & [0054] describes providing a prediction comprising the risk scoring software)
Therefore, it would have been obvious to one of ordinary skill in the art before the


Regarding claim 5, Digiambattista, Titonis and Roytman disclose the vulnerability management system of claim 4. 
Titonis further discloses wherein the provided training data includes feature vectors from known legitimate digital assets and feature vectors from known vulnerable digital assets, (Titonis, [0282]-[0293] describes wherein the provided training data includes feature vectors for known non-infected application binaries [digital assets] and feature vectors of known vulnerable application binaries infected with malware [known vulnerable digital assets]). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Titonis with the method and system of Digiambattista to include wherein the provided training data includes feature vectors from known legitimate digital assets and feature vectors from known vulnerable digital assets.  One would have been motivated to provide automated application analysis using an instrumented sandbox and machine learning classification to assess mobile application security (Titonis, [0002]).

Regarding claim 10, claim 10 is directed to a method. Claim 10 is


Regarding claim 13, claim 13 is directed to the method of claim 10. Claim 13 is similar in scope to claim 4 and is therefore rejected under similar rationale.

Regarding claim 14, claim 14 is directed to the method of claim 13. Claim 14 is similar in scope to claim 5 and is therefore rejected under similar rationale.

Regarding claim 16, claim 16 is directed to a non-transitory computer-readable storage medium. Claim 16 is similar in scope to claim 1 and is therefore rejected under similar rationale.

9.	Claims 2, 11 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Digiambattista et al (“Digiambattista,” US 20190229915) in view of Titonis et al (“Titonis,” US 20180025157) and further in view of Roytman et al (“Roytman,” US 20150237065) and further in view of Tedeschi et al (“Tedeschi,” US 20180322292).  

Regarding claim 2, Digiambattista, Titonis and Roytman disclose the vulnerability management system of claim 1.
Digiambattista further discloses a dynamic analysis unit configured to generate compiled code and execute the compiled code in a virtual machine; (Digiambattista, [0037] & [0093] describes changing the code and recompiling it and executing it in a virtual instance)
(Titonis, [0111] & [0264], describes the sandbox engine; [0158], [0182], [0208], describes a static analysis unit configured to perform static code scanning)
a statistical analysis unit comprising a database of global statistics for the digital assets and configured to: (Titonis, [0150], [0227], [0250] & [0280], describe a statistical analysis unit comprising a database of global statistics for the digital assets and configured to) 
receive the risk score of each vulnerable asset from the risk scoring engine; (Titonis, [0111] & [0264], describes analyzing sandbox engine outcomes and [0423] describes assigning a risk score to each asset)
identify similar digital assets from the database of global statistics; (Titonis, [0150], [0227], [0250] & [0287], describes identifying similar digital assets from the database of statistics)
and generate statistical vulnerability data representing each digital asset's standing within a population of similar digital assets with respect to each digital asset's vulnerabilities; (Titonis, [0025], [0227], [0250] & [0280], describe generating statistical vulnerability data representing each digital asset’s standing within a population of similar digital assets with respect to each digital asset’s vulnerabilities)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Titonis with the method and system of Digiambattista to include wherein the sandbox engine includes: a static analysis unit configured to perform static code scanning; a statistical analysis unit 
Digiambattista, Titonis and Roytman fail to explicitly disclose an audit report generation unit configured to generate a heatmap based on the statistical vulnerability data of the statistical analysis unit.
However, in an analogous art, Tedeschi discloses an audit report generation unit configured to generate a heatmap based on the statistical vulnerability data of the statistical analysis unit (Tedeschi, [0066], auditing, [0069], describes reporting; [0062], [0121], describes generating a heat map; [0034] describes based on measured vulnerability data that is based on measured analysis).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Tedeschi with the method and system of Digiambattista, Titonis and Roytman to include an audit report generation unit configured to generate a heatmap based on the statistical vulnerability data of the statistical analysis unit. One would have been motivated to analyze an organization’s cybersecurity in order to identify objects that must be completed to comply with a cybersecurity framework and report on initial, current, and 

Regarding claim 11, claim 11 is directed to the method of claim 10. Claim 11 is similar in scope to claim 2 and is therefore rejected under similar rationale.

Regarding claim 17, claim 17 is directed to the non-transitory computer-readable storage medium of claim 16. Claim 17 is similar in scope to claim 2 and is therefore rejected under similar rationale.

10.	Claims 3 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Digiambattista et al (“Digiambattista,” US 20190229915), Titonis et al (“Titonis,” US 20180025157), Roytman et al (“Roytman,” US 20150237065) in view of Tedeschi et al (“Tedeschi,” US 20180322292) and further in view of Bennett (“Bennett,” US 20140218389).

Regarding claim 3, Digiambattista, Titonis, Roytman and Tedeschi disclose the vulnerability management system of claim 2. 
Digiambattista, Titonis, Roytman and Tedeschi fail to explicitly disclose wherein the heatmap comprises a graph displaying the risk score as a function of the number of lines of code.
However, in an analogous art, Bennett discloses wherein the heatmap comprises a graph displaying the risk score as a function of the number of lines of code, (Bennett, [0105], [0141], [0153] describes a heatmap; [0212] describes the heat map is in form of a graph; [0221]-[0222] describes displaying the risk score; [0012] describes risk modeling the vulnerabilities for the scanner in the code) 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Bennett with the method and system of Digiambattista, Roytman and Tedeschi to include wherein the heatmap comprises a graph displaying the risk score as a function of the number of lines of code. One would have been motivated to provide what-if scenarios on actual security data, modified security data, or both (Bennett, [0105]).

Regarding claim 12, claim 12 is directed to the method of claim 11. Claim 12 is similar in scope to claim 3 and is therefore rejected under similar rationale.

13.	Claims 6, 15 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Digiambattista et al (“Digiambattista,” US 20190229915), Titonis et al (“Titonis,” US 20180025157) in view of Roytman et al (“Roytman,” US 20150237065) and further in view of Larson et al (“Larson,” US 20180082235). 

Regarding claim 6, Digiambattista and Roytman disclose the vulnerability management system of claim 1. 
logic to scan digital assets for vulnerabilities and identify those digital assets as vulnerable digital assets; (Digiambattista, [0017], [0021], [0113] & [0118] describe software to scan digital assets for vulnerabilities and identify those digital assets as vulnerable digital assets)
Digiambattista and Roytman fail to explicitly disclose wherein the security control system includes: logic to identify digital assets; logic to protect digital assets including the ability to suspend trading of vulnerable digital assets on a digital asset trading exchange; and logic to respond to a trade on the digital asset trading exchange, the trade including vulnerable digital assets and legitimate digital assets, wherein the vulnerable digital assets are suspended and the legitimate digital assets are allowed to proceed.
However, in an analogous art, Larson discloses wherein the security control system includes: logic to identify digital assets; (Larson, FIG 4B shows a transaction record wherein the security control system includes logic to identify digital assets in the form of bitcoin transactions on the Coinbase cryptocurrency exchange)
logic to protect digital assets including the ability to suspend trading of vulnerable digital assets on a digital asset trading exchange; (Larson, [0097], FIG 4B & FIG 5 describe software to protect bitcoin transactions [digital assets] including the ability to stop trading of bitcoin transactions [digital assets] due to vulnerabilities such as the user violated gambling policy, violated local bitcoins policy, violated merchant policy on the Coinbase cryptocurrency exchange)
and logic to respond to a trade on the digital asset trading exchange, (Larson, [0094], [0095], and FIG 4A describe logic to respond to a trade on the Coinbase cryptocurrency exchange)
(Larson, [0094]-[0095], FIG 4B and FIG 5 describe the trade including bitcoin transactions that violated either a gambling policy, local bitcoins policy, merchant policy [vulnerable digital assets] on the Coinbase Cryptocurrency Exchange and when there is non-compliance closing the user’s account so that the purchase of bitcoin ceases)
and the legitimate digital assets are allowed to proceed (Larson, [0094]-[0095], FIG 4A describe when a user is compliant with the policy the bitcoin transactions are allowed to proceed)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Larson with the method and system of Digiambattista and Roytman to include wherein the security control system includes: logic to identify digital assets; logic to protect digital assets including the ability to suspend trading of vulnerable digital assets on a digital asset trading exchange; and logic to respond to a trade on the digital asset trading exchange, the trade including vulnerable digital assets and legitimate digital assets, wherein the vulnerable digital assets are suspended and the legitimate digital assets are allowed to proceed. One would have been motivated to determine compliance and provide an enforcement platform (Larson, [0002]).

Regarding claim 15, claim 15 is directed to the method of claim 10. Claim 15 is similar in scope to claim 6 and is therefore rejected under similar rationale.

Regarding claim 18, claim 18 is directed to a non-transitory computer-readable storage medium of claim 16. Claim 18 is similar in scope to claim 6 and is therefore rejected under similar rationale.

14.	Claims 7, 9 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Digiambattista et al (“Digiambattista,” US 20190229915) in view of Titonis et al (“Titonis,” US 20180025157) in view of Roytman et al (“Roytman,” US 20150237065) and further in view of Rodler et al (“Rodler,” “Sereum: Protecting Existing Smart Contracts Against Re-Entrancy Attacks,” Network and Distributed Systems Security (NDSS) Symposium, February 2019, pages 1-15 as disclosed in the IDS filed 02/10/2021).

Regarding claim 7, Digiambattista, Titonis and Roytman disclose the vulnerability management system of claim 1. 
Digiambattista, Titonis and Roytman fail to explicitly disclose wherein the knowledge base engine updates the information upon receiving threat intelligence to include a reentrancy vulnerability pattern.
However, in an analogous art, Rodler discloses wherein the knowledge base engine updates the information upon receiving threat intelligence to include a reentrancy vulnerability pattern, (Rodler, Page 3, Left Column, Last two paragraphs describe wherein the knowledge base updates the data upon receiving threat intelligence to include a reentrancy vulnerability pattern).
Therefore, it would have been obvious to one of ordinary skill in the art before the


Regarding claim 9, Digiambattista, Titonis and Roytman disclose the vulnerability management system of claim 7. 
Rodler further discloses wherein the reentrancy vulnerability pattern is described as key-value pairs, (Rodler, Page 3, Last two paragraphs disclose the reentrancy vulnerability pattern as described as key-value pairs)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Rodler with the method and system of Digiambattista, Titonis and Roytman to include wherein the reentrancy vulnerability pattern is described as key-value pairs. One would have been motivated to prevent other contracts from withdrawing funds from their balance (Rodler, Page 3, Left Column, Last two paragraphs).

Regarding claim 19, claim 19 is directed to the non-transitory computer-readable storage medium of claim 16. Claim 19 is similar in scope to claim 7 and is therefore rejected under similar rationale.

15.	Claims 8 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Digiambattista et al (“Digiambattista,” US 20190229915), Titonis et al (“Titonis,” US 20180025157), Roytman et al (“Roytman,” US 20150237065), in view of Rodler et al (“Rodler,” “Sereum: Protecting Existing Smart Contracts Against Re-Entrancy Attacks,” Network and Distributed Systems Security (NDSS) Symposium, February 2019, pages 1-15 as disclosed in the IDS filed 02/10/2021) and further in view of Davi et al (“Davi,” JP2019083013, see Machine Translation of JP2019083013).

Regarding claim 8, Digiambattista, Titonis, Roytman and Rodler disclose the vulnerability management system of claim 7. 
Digiambattista discloses the sandbox engine (Digiambattista, [0113] & [0019] describe sandbox software)
Digiambattista, Titonis, Roytman and Rodler fail to explicitly disclose wherein the reentrancy vulnerability pattern is detected by the dynamic analysis unit.
However, in an analogous art, Davi discloses wherein the reentrancy vulnerability pattern is detected by the dynamic analysis unit, (Davi, [0005] & [0024] describe wherein the reentrancy vulnerability pattern is detected; [0011]-[0012] describes wherein the reentrancy vulnerability is detected by a dynamic analysis)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Davi with the method and system of Digiambattista, Titonis, Roytman and Rodler to include wherein the reentrancy vulnerability pattern is detected by the dynamic analysis unit of the 

Regarding claim 20, claim 20 is directed to the non-transitory computer-readable storage medium of claim 19. Claim 20 is similar in scope to claim 8 and is therefore rejected under similar rationale.


Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAMES J WILCOX whose telephone number is (571)270-3774. The examiner can normally be reached M-F: 8 A.M. to 5 P.M.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu T. Pham can be reached on (571)270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and 





/JAMES J WILCOX/Examiner, Art Unit 2439    



/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439