DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-2, 7-9, and 14-16 are rejected on the ground of nonstatutory double patenting as being unpatentable over at least claims 1-4 and 7-9 of U.S. Patent No. 11,210,405 B2. Although the claims at issue are not identical (the patent claims do not specify a CVSS “factor”), they are not patentably distinct from each other because the vulnerability parameters recited in the patent anticipate those of a CVSS factor (e.g., CVE vulnerability metrics). Further, at least claims 3 and 9 of the patent specify a CVE dataset for the parameters associated with a CVSS score. 

Claim mapping, Instant Application vs. US 11,210,405 B2:

Instant claim 1: A computer-implemented method, comprising: receiving, by at least one hardware processor, a binary software code; inspecting, by the at least one hardware processor, the binary software code to determine at least one Common Vulnerability Scoring Standard (CVSS) factor; and determining, by the at least one hardware processor, a CVSS score based on the at least one CVSS factor.
Patent claim 1 (in part): receiving, at a server, a binary; determining, by the server, a plurality of vulnerability parameters of the binary, …; and determining, by the server, the severity score based on the plurality of vulnerability parameters…;
Patent claim 2: The method of claim 1, wherein the severity score is a common vulnerability scoring system (CVSS) severity score.

Patent claim 4: The method of claim 1, wherein the vulnerability parameters include an attack vector (AV), an attack complexity (AC), a privileges required (PR), a user interaction (UI), a scope (S), a confidentiality (C), an integrity (I), and an availability (A).

Instant claim 7: The method of Claim 1, further comprising outputting the CVSS score.
Patent claim 1 (in part): …determining, by the server, the severity score based on the plurality of vulnerability parameters; and generating, by the server, a report based on the plurality of vulnerability parameters.
Patent claim 2: The method of claim 1, wherein the severity score is a common vulnerability scoring system (CVSS) severity score.


Independent claims 8 and 15 are substantially similar to independent claim 1, and are likewise rejected. Claims 2, 7, 9, 14, and 16 depend from claims 1, 8, and 15, respectively, and are rejected in kind. 
Claims 3, 5-6, 10, 12-13, 17, and 19-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-4 and 7-9 of U.S. Patent No. 11,210,405 in view of Hufsmith (US 2020/0097662 A1). The patent claims do not fully disclose the language of claims 3-6, 10-13, and 17-20. However, the patent claims in view of Hufsmith disclose the claims as follows: refer to at least [0140], [0163], and [0185] of Hufsmith with respect to claim 3; refer to at least [0083] of Hufsmith with respect to claim 5; refer to at least [0117] and [0188] of Hufsmith with respect to claim 6. The teachings of Hufsmith concern vulnerability metrics determined in association with CVSS scoring, and each cited portion concerns a respective claimed vulnerability metric. It would have been obvious to one of ordinary skill in the art to modify the teachings of the patent claims to further include the .
Claims 4, 11, and 18 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-4 and 7-9 of U.S. Patent No. 11,210,405 in view of Yawalkar (US 2020/0137126 A1). Regarding claim 4, the patent claims disclose an attack complexity parameter (e.g., patent claim 4), but do not disclose routines related to compiler defense, obfuscation, validation, or exception handling in the binary software code, or determining the attack complexity factor based on the number of such routines. However, the patent claims in view of at least [0024] of Yawalkar are considered to disclose said limitations. It would have been obvious to one of ordinary skill in the art to modify the teachings of the patent claims to further include the teachings of Yawalkar concerning additional vulnerability metrics for at least the purpose of increasing security by having a more comprehensive model.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 15-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. The claims do not fall within at least one of the four categories of patent eligible subject matter because they are drawn to “computer-readable media,” which may be interpreted as a signal per se. For instance, at least [0090] of the specification explicitly recites that “program instructions can be encoded on an artificially generated propagated signal” and otherwise discusses a non-transitory computer-readable medium only in exemplary language. 

Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to the abstract idea of a mental process (concepts performed in the human mind, such as an observation, evaluation, judgment, and/or opinion) without significantly more. The claims recite a process for observing binary code, evaluating the binary code for a specific factor, and assigning a score based on the factor as a judgment. This is considered to be analogous to a mental process performable by a human coder reviewing binary code (e.g., using a reference book of factor-to-score mappings; or simply deciding a value consistent with CVSS). This judicial exception is not integrated into a practical application because adding the words “apply it” (or an equivalent) with the judicial exception, or mere instructions to implement an abstract idea on a computer, or merely using a computer as a tool to perform an abstract idea is not considered to be sufficient; see MPEP 2106.05(f). In this case, the claims merely recite a hardware processor and/or storage media and instructions for performing the process without further describing any particular machine. The dependent claims further specify concepts performed in the human mind (i.e., further specifying the code portions which are observed and evaluated) rather than suggesting integration into a practical application.
Abstract idea limitations (exemplary claim 1): “A method, comprising: receiving, a binary software code; inspecting, by the at least one hardware processor, the binary software code to determine at least one Common Vulnerability Scoring Standard (CVSS) factor; and determining, by the at least one hardware processor, a CVSS score based on the at least one CVSS factor.”
Abstract idea limitations (exemplary claim 2): “wherein the at least one CVSS factor comprises at least one of an attack vector factor, an attack complexity factor, a privileges required factor, a user interaction factor, a scope factor, a confidentiality factor, an integrity factor, or an availability factor.”
Abstract idea limitations (exemplary claim 3): “wherein the at least one CVSS factor comprises an attack vector factor, and the inspecting the binary software code comprises: 
Abstract idea limitations (exemplary claim 4): “wherein the at least one CVSS factor comprises an attack complexity factor, and the inspecting the binary software code comprises: determining a number of routines related to compiler defense, obfuscation, validation, or exception handling in the binary software code, and determining the attack complexity factor based on the number of routines related to compiler defense, obfuscation, validation, or exception handling.”
Abstract idea limitations (exemplary claim 5): “wherein the at least one CVSS factor comprises a privileges required factor, and the inspecting the binary software code comprises: determining a number of application program interfaces (APIs) related to privilege processing in the binary software code, and determining the privileges required factor based on the number of APIs related to privilege processing.”
Abstract idea limitations (exemplary claim 6): “wherein the at least one CVSS factor comprises a user interaction factor, and the inspecting the binary software code comprises: determining a number of routines related to user input in the binary software code, and determining the user interaction factor based on the number of routines related to user input.”
Abstract idea limitations (exemplary claim 7): “The method of Claim 1, further comprising outputting the CVSS score.”
Potential limitations which may recite significantly more: “computer-implemented,” “by at least one hardware processor,” “one or more computer-readable storage media coupled to the at least one hardware processor and storing programming instructions for execution by the at least one hardware processor” (exemplary claim 8).
The claim(s) does/do not include additional elements that are sufficient to amount to significantly more than the judicial exception because adding the words “apply it” (or an 
Independent claims 8 and 15 comprise substantially similar subject matter, and are likewise rejected. The dependent claims further specify factors which a human coder may observe and evaluate within the binary code (i.e., further specifying the code portions which are observed and evaluated). They do not specify any additional elements which may be significantly more than the judicial exception. Since the dependent claims do not rectify the identified issues, they are likewise rejected. 
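To make concrete the kind of inspection claims 3 through 6 describe (counting network-related strings, privilege-related APIs, user-input routines and defensive routines in a binary, mapping each count to a CVSS factor, and then computing a score as in claim 1), the following Python block is an added example. It is not code from the application, the ’405 patent, Hufsmith or Yawalkar. The indicator lists, the count-to-value thresholds, the sample byte string labelled as constructed, and the decision to pass the C/I/A and scope values in (they cannot be read off strings) are all assumptions of this example; only the base-score arithmetic and weights follow the published CVSS v3.1 specification.

```python
# Added example (not code from the application, the '405 patent, Hufsmith, or
# Yawalkar): derive CVSS v3.1 base-metric values from strings found in a binary,
# in the spirit of claims 3-6, then compute the base score with the v3.1 formula.
import math
import re

# Assumed indicator strings per metric (hypothetical; the claims only say
# "based on the number of" such routines, APIs or strings).
NETWORK_STRINGS = ("socket", "connect", "recv", "send", "listen", "http://", "https://")
PRIVILEGE_APIS = ("setuid", "seteuid", "setgid", "AdjustTokenPrivileges", "CreateProcessAsUser")
USER_INPUT_ROUTINES = ("gets", "fgets", "scanf", "getchar", "readline")
DEFENSE_ROUTINES = ("__stack_chk_fail", "__fortify_fail", "__cxa_throw", "_Unwind_Resume")

# CVSS v3.1 base-metric weights (FIRST specification, section 7.4).
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}
AC = {"L": 0.77, "H": 0.44}
PR_UNCHANGED = {"N": 0.85, "L": 0.62, "H": 0.27}
PR_CHANGED = {"N": 0.85, "L": 0.68, "H": 0.50}
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}


def extract_strings(blob: bytes, min_len: int = 4) -> list:
    """Return printable-ASCII runs of at least min_len bytes, like strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def count_hits(strings, indicators) -> int:
    """Count extracted strings that equal an indicator symbol or start with an
    indicator URL scheme. Exact match avoids counting 'fgets' as 'gets' too."""
    schemes = tuple(p for p in indicators if p.endswith("://"))
    return sum(1 for s in strings if s in indicators or s.startswith(schemes))


def derive_factors(blob: bytes) -> dict:
    """Map indicator counts to AV, AC, PR and UI values (thresholds are assumptions)."""
    strs = extract_strings(blob)
    counts = {
        "network": count_hits(strs, NETWORK_STRINGS),
        "privilege": count_hits(strs, PRIVILEGE_APIS),
        "user_input": count_hits(strs, USER_INPUT_ROUTINES),
        "defense": count_hits(strs, DEFENSE_ROUTINES),
    }
    return {
        "AV": "N" if counts["network"] > 0 else "L",      # any network string: remotely reachable
        "AC": "H" if counts["defense"] >= 2 else "L",     # hardened binary: harder to exploit
        "PR": "N" if counts["privilege"] == 0 else ("L" if counts["privilege"] < 3 else "H"),
        "UI": "R" if counts["user_input"] > 0 else "N",  # input routines: a user must act
        "counts": counts,
    }


def roundup(x: float) -> float:
    """CVSS v3.1 Roundup: smallest one-decimal value >= x, in integer arithmetic."""
    i = round(x * 100000)
    if i % 10000 == 0:
        return i / 100000.0
    return (math.floor(i / 10000) + 1) / 10.0


def base_score(av, ac, pr, ui, s, c, i, a) -> float:
    """CVSS v3.1 base score from the eight metric values."""
    iss = 1 - (1 - CIA[c]) * (1 - CIA[i]) * (1 - CIA[a])
    if s == "U":
        impact = 6.42 * iss
        pr_weight = PR_UNCHANGED[pr]
    else:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
        pr_weight = PR_CHANGED[pr]
    exploitability = 8.22 * AV[av] * AC[ac] * pr_weight * UI[ui]
    if impact <= 0:
        return 0.0
    total = impact + exploitability
    return roundup(min(total if s == "U" else 1.08 * total, 10))


def score_binary(blob: bytes, c: str, i: str, a: str, s: str = "U") -> dict:
    """Claim-1 shape: inspect the binary for factors, then score. Impact metrics
    (C/I/A) and scope are not derivable from strings, so they are passed in."""
    f = derive_factors(blob)
    score = base_score(f["AV"], f["AC"], f["PR"], f["UI"], s, c, i, a)
    vector = "CVSS:3.1/AV:%s/AC:%s/PR:%s/UI:%s/S:%s/C:%s/I:%s/A:%s" % (
        f["AV"], f["AC"], f["PR"], f["UI"], s, c, i, a)
    return {"vector": vector, "score": score, "counts": f["counts"]}


# Constructed sample "binary": an ELF-like header followed by NUL-separated
# symbol and string-table contents. Not a real executable.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"socket\x00connect\x00recv\x00https://updates.example.invalid/\x00"
    + b"gets\x00fgets\x00setuid\x00__stack_chk_fail\x00_Unwind_Resume\x00"
    + b"main\x00.text\x00"
)

if __name__ == "__main__":
    print(score_binary(SAMPLE_BINARY, c="H", i="H", a="H"))
```

On the constructed sample the string scan yields four network indicators, one privilege API, two input routines and two defensive routines, so the derived vector is AV:N/AC:H/PR:L/UI:R; with assumed impacts C:H/I:H/A:H and scope unchanged the v3.1 base score is 7.1. The thresholds are the weak point of any such heuristic: a single `setuid` string says nothing about whether the attacker must hold privileges, which is why the example keeps the mapping in one place and labels it as an assumption rather than presenting it as the claimed method.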

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-3, 5-10, 12-17, and 19-20 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Hufsmith (US 2020/0097662 A1).

Regarding claim 1, Hufsmith discloses: A computer-implemented method, comprising: 
receiving, by at least one hardware processor, a binary software code; 
Refer to at least [0033] and [0036] of Hufsmith, wherein “[b]y analyzing the data in each of the layers of a container, some embodiments extract the binaries and send them to the most appropriate scanning technique across multiple scanning engines.”
inspecting, by the at least one hardware processor, the binary software code to determine at least one Common Vulnerability Scoring Standard (CVSS) factor; and 
Refer to at least [0033] of Hufsmith, wherein “[t]he binary and package information may be assessed and sent to engines to acquire the CVE and CWE information for the binary.”
Refer to at least [0084], [0113] and [0116] of Hufsmith with respect to CVE and CVSS.
determining, by the at least one hardware processor, a CVSS score based on the at least one CVSS factor.
Refer to at least [0033] of Hufsmith, wherein “some embodiments may apply algorithms to the results to generate a comprehensive view into the image to obtain a threat assessment, remediation recommendations and exposure report.”
Refer to at least the abstract and FIG. 6 with respect to providing a score with the assessment/report.

Regarding claim 2, Hufsmith discloses: The method of Claim 1, wherein the at least one CVSS factor comprises at least one of an attack vector factor, an attack complexity factor, a privileges required factor, a user interaction factor, a scope factor, a confidentiality factor, an integrity factor, or an availability factor.
Refer to at least [0117] of Hufsmith, which states: “Exploitability metrics may include one or more metrics and their values such as or similar to an attack vector indicating whether 

Regarding claim 3, Hufsmith discloses: The method of Claim 1, wherein the at least one CVSS factor comprises an attack vector factor, and the inspecting the binary software code comprises: determining a number of text strings related to network functionalities in the binary software code, and determining the attack vector factor based on the number of text strings related to network functionalities.
Refer to at least [0140] of Hufsmith, wherein “a container image may include a subroutine that registered with a networks socket, but a composition file or other code may indicate that the subroutine is never invoked. Or an container image may include a library with module having a sys.exec command based on a passed value, but a call graph of a the larger distributed application may indicate that the sys.exec command module is never called.”
Refer to at least [0163] and [0185] of Hufsmith with respect to parsing source code and analyzing commands. 

Regarding claim 5, Hufsmith discloses: The method of Claim 1, wherein the at least one CVSS factor comprises a privileges required factor, and the inspecting the binary software code comprises: determining a number of application program interfaces (APIs) related to privilege processing in the binary software code, and determining the privileges required factor based on the number of APIs related to privilege processing.
Refer to at least [0083] of Hufsmith, wherein “such dynamic tests include calling an API exposed by that body of code with API requests including code injection attacks and including parameters configured to cause a buffer overflow to detect whether the code appropriately handles the attack or if it allows access or privilege escalation when it should not.”

Regarding claim 6, Hufsmith discloses: The method of Claim 1, wherein the at least one CVSS factor comprises a user interaction factor, and the inspecting the binary software code comprises: determining a number of routines related to user input in the binary software code, and determining the user interaction factor based on the number of routines related to user input.
Refer to at least [0117] of Hufsmith with respect to user interaction metrics. 
Refer to at least [0188] of Hufsmith with respect to creating and traversing call graphs of the binary. 

Regarding claim 7, it is rejected for substantially the same reasons as claim 1 above (i.e., the citations concerning the report and scoring).

Regarding independent claim 8, it is substantially similar to independent claim 1 above, and is therefore rejected for substantially the same reasons (i.e., the citations).

Regarding claims 9-10 and 12-14, they are substantially similar to claims 2-3 and 5-7 above, and are therefore likewise rejected.



Regarding claims 16-17 and 19-20, they are substantially similar to claims 2-3 and 5-6 above, and are therefore likewise rejected.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 4, 11, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Hufsmith as applied to claims 1-3, 5-10, 12-17, and 19-20 above, and further in view of Yawalkar (US 2020/0137126 A1).

Regarding claim 4, Hufsmith discloses: The method of Claim 1, wherein the at least one CVSS factor comprises an attack complexity factor, and the inspecting the binary software code comprises: determining a number of routines, and determining the attack complexity factor. 
Refer to at least [0117] of Hufsmith with respect to attack complexity as a vulnerability metric. 
Hufsmith does not appear to disclose: routines related to compiler defense, obfuscation, validation, or exception handling in the binary software code; or determining the attack complexity factor based on the number of routines related to compiler defense, obfuscation, validation, or exception handling. 
Refer to at least [0024] of Yawalkar, wherein “security risk factors… comparison against the NVD, common vulnerabilities and exposures (CVEs)… similarity with adblocker scripts, similarity with privacy snooping scripts, presence of dangerous JavaScript constructs such as eval, instances of personally identifiable information (PII) handling, obfuscation measures, such as an assessment of effectiveness of code or PII obfuscation techniques, and any other security risk factors.”
The teachings of Hufsmith and Yawalkar each concern security risk factors, and are considered to be within the same field of endeavor and combinable as such.
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Hufsmith to further include vulnerability metrics such as those listed in [0024] of Yawalkar for at least the purpose of providing additional scanning for better detection and scoring of threats. This would increase security in line with the intent of Hufsmith (i.e., performing multiple scans and aggregating the results for scoring). 

Claims 11 and 18 are substantially similar to claim 4 above, and are therefore likewise rejected.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.


Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey L Nickerson can be reached on (469) 295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/Jeffrey Nickerson/Supervisory Patent Examiner, Art Unit 2432

/V.S/            Examiner, Art Unit 2432