DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Specification
The use of the trademark MICROSOFT [paragraph 0024] has been noted in this application. It should be capitalized wherever it appears and be accompanied by the generic terminology.
Although the use of trademarks is permissible in patent applications, the proprietary nature of the marks should be respected and every effort made to prevent their use in any manner which might adversely affect their validity as trademarks.
The lengthy specification has not been checked to the extent necessary to determine the presence of all possible minor errors. Applicant’s cooperation is requested in correcting any errors of which applicant may become aware in the specification.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having 

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claims 2-4, 6-11, 13-18, and 20-21 are rejected under 35 U.S.C. 103 as being unpatentable over Chattopadhyay et al., (US 20140189086 A1) hereinafter referred to as Chatto in view of Hooks (US 20050038827 A1) hereinafter referred to as Hooks.
Regarding Claims 2, 9, and 16, Chatto discloses A method for controlling security risks on client devices, comprising: receiving information corresponding to a first client device from a plurality of client devices; [Abstract, A self-learning system is employed to proactively and automatically detect the anomalies using one or more locally hosted agents for pulling information that describes states of a plurality of nodes (e.g., computing devices of a cloud-computing infrastructure] 
determining, based on the information corresponding to the first client device, a vulnerability state of a second client device from the plurality of client devices, the vulnerability state indicating an at-risk level of security vulnerabilities of the second client device similar to security vulnerabilities of the first client device; [paragraph 0057, As used herein, the phrase "state information" is not meant to be limiting but may include any data that describes a configuration of hardware (e.g., recognizing the presence of certain equipment) of one or more machines and/or a definition of resources (e.g., software, program components, or role 
Chatto does not explicitly teach and transmitting, to the second client device, a configuration update in response to the vulnerability state indicating the second client device is an at-risk device.
Hooks teaches and transmitting, to the second client device, a configuration update in response to the vulnerability state indicating the second client device is an at-risk device. [paragraph 0063, One embodiment of the present invention monitors and adjusts the state of a managed machine so that it is more resistant to threats. Using Policy Templates, service providers can routinely monitor the security posture of every managed system, automatically adjusting security settings and installing software updates to eliminate known vulnerabilities]
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to combine the teachings of Hooks with the disclosure of Chatto. The motivation or suggestion would have been to reduce the frequency at which incidents occur. (paragraph 0063)
Regarding Claims 3, 10, and 17, Chatto does not explicitly teach wherein the configuration update includes instructions for the second client device to change a security configuration of the second client device.
Hooks teaches wherein the configuration update includes instructions for the second client device to change a security configuration of the second client device. [paragraph 0063, One embodiment of the present invention monitors and adjusts the state of a managed machine so that it is more resistant to threats. Using Policy Templates, service providers can routinely monitor the security posture of every managed system, automatically adjusting security settings and installing software updates to eliminate known vulnerabilities]
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to combine the teachings of Hooks with the disclosure of Chatto. The motivation or suggestion would have been to reduce the frequency at which incidents occur. (paragraph 0063)
Regarding Claims 4, 11, and 18, Chatto discloses wherein the determining the vulnerability state comprises: determining a vulnerability score of the second client device, the vulnerability state of the second client device being classified based on the vulnerability score. [paragraph 0079, At this point, the comparison technique may involve ranking the anomalous machines 411 or anomalies therein in order to raise alerts for top anomalies. In embodiments, ranking the anomalous machines 411 against one another may include comparing the state information of the anomalous machines 411 against state information of the reference machine 440 or another healthy machine 421. Based on the comparison, scores may be assigned to each of the anomalous machines 411]
Regarding Claims 6, 13, and 20, Chatto discloses wherein the determining the vulnerability state is implemented through machine learning. [Abstract, A self-learning system is employed to proactively and automatically detect the anomalies using one or more locally hosted agents for pulling information that describes states of a plurality of nodes (e.g., computing devices of a cloud-computing infrastructure]
Regarding Claims 7 and 14, Chatto discloses wherein the information corresponding to the first client device includes one or more of security configuration information or malware information of the first client device. [paragraph 0057, As used herein, the phrase "state information" is not meant to be limiting but may include any data that describes a configuration of hardware (e.g., recognizing the presence of certain equipment) of one or more machines and/or a definition of resources (e.g., software, program components, or role instances) running on those machine(s). In one instance, the state information may comprise any data information that the self-learning system 220 deems important to securing program components of the service application within a node. This data related to securing program components may include data that serves to detect firewall misconfiguration. For example, the state information may include a set of firewall rules pulled from machines within the data center 225. If a firewall misconfiguration (e.g., Internet information server (IIS) OS component installed on a node) goes undetected using conventional mechanisms, the firewall misconfiguration may be used by nefarious actors to exploit the node and compromise the software running thereon] [paragraph 0058, Accordingly, state information may be any data to detect issues, misconfigurations, or potential risks associated with the nodes 255 and 265 or resources of the data center 225.]
Regarding Claims 8, 15, and 21, Chatto discloses wherein the determining the vulnerability state comprises: determining a correlation between the security vulnerabilities of the first client device and a hardware configuration or a software configuration of the second client device; and determining the at-risk level of security vulnerabilities of the second client device based on the correlation. [paragraph 0057, As used herein, the phrase "state information" is not meant to be limiting but may include any data that describes a configuration of hardware (e.g., recognizing the presence of certain equipment) of one or more machines and/or a definition of resources (e.g., software, program components, or role instances) running on those machine(s). In one instance, the state information may comprise any data information that the self-learning system 220 deems important to securing program components of the service application within a node. This data related to securing program components may include data that serves to detect firewall misconfiguration. For example, the state information may include a set of firewall rules pulled from machines within the data center 225. If a firewall misconfiguration (e.g., Internet information server (IIS) OS component installed on a node) goes undetected using conventional mechanisms, the firewall misconfiguration may be used by nefarious actors to exploit the node and compromise the software running thereon] [paragraph 0058, Accordingly, state information may be any data to detect issues, misconfigurations, or potential risks associated with the nodes 255 and 265 or resources of the data center 225.] [paragraph 0065, In one specific implementation of firewall misconfiguration detection, the function Sim(S1, S2) may be defined as the Jaccard similarity of S1 and S2 (e.g., |S1 ∩ S2|/|S1 ∪ S2|), where the size of intersection between S1 and S2 is divided by the size of the union between S1 and S2. It should be noted that, for other applications, the function Sim(S1, S2) may be defined in other ways. Accordingly, the function Sim(S1, S2) may be used to proactively group the nodes 320 of a cloud-computing infrastructure 310 based on the role instances being hosted thereon - teaches detecting security risks such as "firewall misconfiguration detection"] [Abstract, The comparison technique involves individually comparing the state information of the plurality of the nodes against one another and, based upon the comparison, grouping one or more nodes of the plurality of nodes into clusters that exhibit substantially similar state information – teaches comparing the nodes (devices) against one another to find similarities which include anomalous similarities]

Claims 5, 12, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Chatto in view of Hooks, as applied to Claims 2, 9, and 16, respectively, above, and further in view of Saguiguit et al., (US 7934261 B1) hereinafter referred to as Saguiguit. 
Regarding Claims 5, 12, and 19, the combination of Chatto and Hooks does not explicitly teach further comprising: determining an infection pattern for the first client device based on one or more of a number of types of malware files present on the first client device, a number of malware files present on the first client device, or a period of time the malware files have been present on the first client device; and determining the vulnerability state based on the infection pattern.
Saguiguit teaches, further comprising: determining an infection pattern for the first client device based on one or more of a number of types of malware files present on the first client device, a number of malware files present on the first client device, or a period of time the malware files have been present on the first client device; and determining the vulnerability state based on the infection pattern. [Abstract, Identified malicious files are matched against the log file to determine the extent of the infection by the malicious files] 
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to combine the teachings of Saguiguit with the disclosures of Chatto and Hooks. The motivation or suggestion would have been for “removal of computer viruses and other malware from a computer system.” (Column 1, lines 7-8)

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ANDREW J STEINLE whose telephone number is (571)272-9923. The examiner can normally be reached M-F 10am-6pm CT.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni Shiferaw can be reached on (571) 272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/ANDREW J STEINLE/Primary Examiner, Art Unit 2497