DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This office action is in response to communication filed on 12/24/2021.
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 12/24/2021 has been entered.
Status of claims in the instant application:
Claims 1-20 are pending.
Claims 4, 5, 10 and 17 have been amended.
No claim has been canceled.
No new claim has been added.
**** Note: Applicant’s remarks, page [8] of the remarks filed on 12/24/2021, identified claim 11 as being amended. But the amended claim set filed/entered on 12/24/2021 shows that claim 10 has been amended and claim 11 has not been amended. Examiner requests Applicant’s comments as appropriate.
Response to Arguments
The newly amended claim limitations of claim 10 have been met with newly cited portions of Sofka prior art. Therefore, Applicant is directed to the rejection of claim 10 regarding Applicant’s argument, page [12-13] of the remarks filed on 12/24/2021.
The newly amended claim limitations of claim 17 have been met with newly cited portions of Ahuja prior art. Therefore, Applicant is directed to the rejection of claim 10 regarding Applicant’s argument, page [14-16] of the remarks filed on 12/24/2021.
Applicant's arguments, page [9-11] of the remarks filed on 12/24/2021, with respect to rejection of claims 1, 8 and 14 under 35 USC 103, have been fully considered but they are not persuasive. Therefore, the Applicant is directed to Examiner’s response below.
Applicant's arguments, page [13-14] of the remarks filed on 12/24/2021, with respect to rejection of claims 6 and 11 under 35 USC 103, have been fully considered but they are not persuasive. Therefore, the Applicant is directed to Examiner’s response below.
Applicant states, see page [9-11] of the remarks filed on 12/24/2021:
“With regard to exemplary Claim 1, a combination of the cited prior art does not teach or suggest “a mitigation action that mitigates a vulnerability of the computer system hardware resource in the particular computer system to the malicious attack by reducing a functionality of the computer system hardware resource in the particular computer system”.

Park is directed to a system for using a Process Control Network (PCN) to analyze and respond to cyber-attacks (see Abstract of Park). 
Cited col. 22, line 47 - col. 24, line 7 of Park teach a "cyber security system 100 to make changes to the state of the protected system 103. For example, in the event that a trojan horse embedded in the protected system 103 is activated and detected, and the operator wishes to roll back the compromised system 103 to an earlier non-compromised version... ("e.g., a state that allows the system to operate possibly with a reduced set of functionality, but is still able support the current needs of the mission given the presence of a cyber-attack). For example, the Security Device 101 can insert commands back into the system 103 to override the effects of injected malware; thus, mitigating the effect until the malware can be removed"). 
That is, if a software update includes malware, then the system can revert back to an earlier version of the software that does not include this malware. 
First, as currently amended, the present invention is not directed to software malware in a computer, but rather is directed to a vulnerable piece of hardware in the computer. 
Second, Park does not cause the "system to operate possibly with a reduced set of functionality" in order to protect the system. Rather, this reduced functionality is a by-product of reverting back to an earlier version of software. 
Thus, Park teaches that an earlier version of software can be loaded onto the system. 
gist (i.e., the overall concept of the invention) of the presently claimed invention and that of the prior art is prohibited. (See section 2141.02(II) of the MPEP.) 
More specifically, as stated in section 2141.02(I) of the MPEP, "the question under 35 U.S.C. 103 is...whether the claimed invention as a whole would have been obvious. Stratoflex, Inc. v. Aeroquip Corp., 713 F.2d 1530, 218 USPQ 871 (Fed. Cir. 1983); Schenck v. Nortron Corp., 713 F.2d 782, 218 USPQ 698 (Fed. Cir. 1983) ... "Because that insight was contrary to the understandings and expectations of the art, the structure effectuating it would not have been obvious to those skilled in the art." 713 F.2d at 785, 218 USPQ at 700 (citations omitted).)." (Emphasis in the original.) 
That is, under section 2141.02 of the MPEP, there is nothing in a combination of the cited prior art, including Park, that teaches or suggests reducing a functionality of a hardware resource until a malicious attack is mitigated. More specifically, Park 1) reverts to a prior software version, which 2) has the side effect of being less capable than the new, infected version of the software. 
Described another way: in Park, software reverts to an earlier version in response to detecting a virus (e.g., a Trojan Horse) in a later version of the software that has been loaded onto the system. Thus, the impetus for reverting back to the earlier software is that "a trojan horse embedded in the protected system 103 is activated and detected" (col. 22, lines 53-55 of Park). 
In the present invention, however, the impetus for performing a mitigation action is “the vulnerable computer system hardware resource matching the computer system hardware resource in the particular computer system”. 
as a whole.”
In response, Examiner disagrees with Applicant’s characterization that the combination of the Trepagnier, Tamir and Park references does not disclose Applicant’s claimed invention as recited in independent claims 1, 8 and 14.
Examiner notes the following from the Trepagnier, Tamir and Park references.
	Trepagnier discloses:
“Para [0003]: In one embodiment, a system for determining a risk rating for software vulnerabilities is provided. The system includes one or more computing devices that include a processor and a memory, and one or more databases holding data related to at least one of known software vulnerabilities and known exploits. The one or more computing devices are configured to execute at least one of a vulnerability module and exploit module. The vulnerability module when executed generates a vector space holding vectors for the known software vulnerabilities based on the data related to known software vulnerabilities. Each vector is associated with a set of characteristics of a corresponding known software vulnerability. The vulnerability module also groups the known software vulnerabilities into one or more sets of similar software vulnerabilities based on the characteristics. The exploit module when executed determines the applicability of one or more known exploits to individual software vulnerabilities represented in the one or more sets of similar software vulnerabilities using the data related to known exploits. The exploit module also determines a risk rating for each of the one or more sets of similar software vulnerabilities based on the determined applicability of the known exploits to individual software vulnerabilities represented in each of the one or more sets of similar software vulnerabilities and stores and associates the risk rating with a corresponding set of similar software vulnerabilities in a database.”
Examiner also notes paragraphs [0032-0033, 0040-0041], [0041-0042, 0063, 0071-0072, 0114], [0044, 0058] and [0106, 0108] of Trepagnier, which were already cited in the previous office action.
Examiner interprets Trepagnier as disclosing the identification of a vulnerability of software (a computing system resource) based on a description of the vulnerability that applies to particular software. The vulnerability description for a software resource can be obtained from a third party that maintains such information, such as the National Vulnerability Database (NVD) and the Common Vulnerability Scoring System (CVSS), which provide open and universally standard severity ratings of software vulnerabilities.
Tamir discloses (Tamir, Abstract): “The method comprises receiving at a security computer external vulnerability data from an external source regarding vulnerabilities associated with an attack vector for configuration item (CI) data related to a (CI) device, of the networked computer system. The security computer accesses a configuration management database (CMDB) and the CI data related to the physical device is read. Trust zone data associated with the CI device is determined utilizing the CMDB, and the security computer performs a vulnerability calculation for the CI device utilizing the external vulnerability data and associated trust zone data”
Examiner interprets that Tamir discloses that an external entity maintains vulnerability data about a “physical device” (i.e., a hardware resource), and that this external data is used to detect whether the specific configuration (i.e., the description of the device, a hardware resource) of the physical device is vulnerable to attack.
Park discloses (Park, Col. [22, 23], Lines [47-67, 1-7]): “… the Security Device 101 can serve as a bridge between the protected system 103 and the Control Device 105. For example, the Security Device 101 can include a corrective action manager 350 that supports the ability of other components of the cyber security system 100 to make changes to the state of the protected system 103. For example, in the event that a trojan horse embedded in the protected system 103 is activated and detected, and the operator wishes to roll back the compromised system 103 to an earlier non-compromised version, the Control Device 105 can be configured to issue such a rollback request to the Security Device 101. Upon receiving the rollback request, the Security Device 101 converts the request into a sequence of commands suitable for processing by the protected system 103 that will accomplish the rollback to the non-compromised state. As it is possible that attacks can be embedded into the source code or the hardware of the protected system 103, the corrective action manager 350 will, as needed, on a customer and deployment specific basis include the necessary software and hardware needed to restore the system 103 to a desired operating state (e.g., a state that allows the system to operate possibly with a reduced set of functionality, but is still able support the current needs of the mission given the presence of a cyberattack). For example, the Security Device 101 can insert commands back into the system 103 to override the effects of injected malware; thus, mitigating the effect until the malware can be removed …”
Examiner interprets that Park discloses reducing the functionality of the computing resource as a result of detecting a vulnerability of the resource, and that the resource operates at a reduced capability until the vulnerability is rectified.
Thus, Examiner interprets that the combination of Trepagnier, Tamir and Park discloses “a mitigation action that mitigates a vulnerability of the computer system hardware resource in the particular computer system to the malicious attack by reducing a functionality of the computer system hardware resource in the particular computer system”.
	Examiner further notes that, in Applicant’s claimed invention, the detection of vulnerability of a resource is based on the description of vulnerability for the resource. It does not appear to matter, based on the claimed invention, if the resource is hardware or software, because no attribute of the resource being hardware is used in determining the vulnerability of the resource.
Applicant states, see page [13-14] of the remarks filed on 12/24/2021:
“With regard to the rejection of previously presented dependent Claims 6 and 11, a combination of the cited prior art does not teach or suggest "wherein the mitigation action comprises changing an access control list for access to the computer system hardware resource in the particular computer system, changing a host-based agent for 
The final Office Action cites col. 6, line 55 - col. 7, line 8; col. 8, lines 1-12; and col. 29, lines 28-45 of Park against dependent Claims 6 and 11. 
Cited col. 6, line 55 - col. 7 of Park teaches "an embodiment of the overlay cyber security networked system and method, which provides standardized security functions to the PCN layers described earlier (Physical, Sensor, Safety and Control) between Levels 0-2 of the Purdue ICS Reference Architecture. The security layer may include a network of sentinel security devices... The security devices may include one or more security devices further specialized to serve as host platforms to perform... asset and configuration management". That is, a Process Control Network (PCN), which is part of a Control System (CS) (see col. 1, lines 51-60 of Park) and Industrial Control System (IDS), can configure components of the CS. 
Cited col. 8, lines 1-12 of Park teaches capturing and analyzing packets in a network ("ranging from triggered packet capture to actual network participation in terms 
Cited col. 29, lines 28-45 of Park teaches switching to a backup system ("switch to a backup system (e.g., instruct the protected system 103 or one or more components to start using a backup controller)"); modifying a controlled value ("e.g., instruct the protected system 103 to set the thermostat to maintain a different temperature"); restarting the system; reloading and resetting the Security Device; resetting "the input data (e.g., re-upload a PLC configuration or parameter configuration from a secure location)"; and notifying analysts of security problems ("logs data and send alert and support information to appropriate analysts and managers for forensic analysis"). 
As such, a broadest reasonable interpretation of combination of the cited prior art (including Park) does not teach or suggest 1) changing an access control list for access to the computer system hardware resource in the particular computer system (i.e., changing a list of what entities are permitted to access the vulnerable hardware resource). ”
In response, Examiner does not find Applicant’s arguments to be persuasive. As cited in the previous office action (Park, Col. [8, 30, 31], Lines [1-12, 36-67, 1-7]: … actual network participation in terms of in-stream packet analysis. Other foundational security features such as user or device authentication; access and participation logs from the fabric such as association with VRF or VLAN, ACL groups …), Park discloses the access control list. Park also discloses changing the access control list (Park, Col. [8, 30, 31], Lines [1-12, 36-67, 1-7]: … operators can have access to features related to running the cyber security system 100 during run time operation such as viewing detection logs and marking their resolution, triggering corrective actions, and viewing situational views. Administrators can set up and configure the Control Device 105 including the authority to create, delete, view, and edit user accounts (including changes of user roles), configure detection rules, add/edit/delete and configure individual Security Devices 101, and add/edit/delete/view situational viewers …).
Examiner interprets that creating (adding), deleting, or editing accounts for access is changing the access control.
Response to Amendment
Claim Objections
Claim 4 is objected to because of the following informalities:
Claim 4 recites, “The method of claim 3, wherein the mitigation action causes intermediate changes to the computer system hardware resource between a time that the CVE is released and a time that a vendor is provides a patch to close the vulnerability of the computer system, wherein the intermediate changes comprise limiting what devices are allowed to access the computer system, changing passwords required to access the computer system, changing a hardware configuration of the computer system, and applying a patch that stops access to the computer system.”
It appears that there is a grammatical error in the recited limitations in claim 4. There is an extra “is” in the claim limitation.
Appropriate correction is required.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 2, 6, 8, 11, 13, 14, 16, 19 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Pub. No.: US 2020/0012796 A1 to Trepagnier et al (hereinafter “Trepagnier”) in view of Pub. No.: US 2018/0219908 A1 to Tamir et al (hereinafter “Tamir”) and further in view of Pat. No.: US 10250619 B1 to Park et al. (hereinafter “Park”).
Regarding Claim 1. Trepagnier discloses A method (Trepagnier: Abstract) comprising:
receiving, by one or more processors, a description of a vulnerability of a computer system [hardware] resource in a computer system to a malicious attack (Trepagnier, Para [0032-0033, 0040-0041]: … The inputs of box 110 are known vulnerability data and known exploit data, both of which are network or host-independent. The inputs thus convey information on a general threat environment … vulnerability data relating to known software vulnerabilities is input from a third party source, for example, the National Vulnerability Database (NVD) 112 … The modules may include various circuits, circuitry and one or more software components, programs, applications, or other units of code base or instructions configured to be executed by one or more processors included in device 1910 or server 1920…  the vulnerability module 210 is configured to retrieve data, such as but not limited to NVD-based data, relating to known software vulnerabilities from third party data sources and analyze the data to generate the vector space. In some embodiments, the analysis may include natural language processing of vulnerability descriptions found in the NVD …);
performing, by the one or more processors, a Natural Language Processing (NLP) analysis of the description of the vulnerability in order to extract risk information related to the vulnerability, wherein the risk information comprises an identity of a type of vulnerable computer system [hardware] resource in the computer system that is vulnerable to the malicious attack (Trepagnier, Para [0041-0042, 0063, 0071-0072, 0114]: … vulnerability module 210 may be a hardware or software implemented module configured to generate a vector space of vectors associated with a set of characteristics for known software vulnerabilities, and to group the vulnerabilities into one or more sets of similar software vulnerabilities based on the similarities between the corresponding vectors. In some embodiments, the vulnerability module 210 is configured to retrieve data, such as but not limited to NVD-based data, relating to known software vulnerabilities from third party data sources and analyze the data to generate the vector space. In some embodiments, the analysis may include natural language processing of vulnerability descriptions found in the NVD … The software vulnerabilities in the generated vector space may be grouped into sets of similar software vulnerabilities using a number of different approaches. Embodiments may utilize spectral clustering, a neural network, logistic regression analysis, partial least squares, a recommender system, random decision forests, least squares linear decision analysis, and other forms of supervised or unsupervised machine learning classifying together items which are close together in a relevant feature space or satisfy another criteria … Hosts/services typically contain multiple vulnerabilities providing varying degrees of risk that may be identified in the manner discussed previously. Embodiments provide a number of techniques to leverage this information to provide an overall security metric for each host/service in an enterprise network …);
comparing, by the one or more processors, the vulnerable computer system [hardware] resource to a computer system [hardware] resource in a particular computer system (Trepagnier, Para [0044, 0058]: … The host-specific and service-specific vulnerability module 230 may be a hardware or software implemented module configured to analyze particular hosts/services to identify software vulnerabilities within the host, compare the host-specific/service-specific vulnerabilities to the sets of similar software vulnerabilities identified by the vulnerability module 210, and determine a risk rating for each of the host-specific/service-specific vulnerabilities using the previously determined risk rating for the set of similar software vulnerabilities … At step 404, the host-specific and service-specific vulnerability module 230 compares each host-specific/service-specific software vulnerability identified via the scan with the sets of similar software vulnerabilities to determine which vulnerabilities on the host are present in which set …); and
in response to the vulnerable computer system [hardware] resource matching the computer system [hardware] resource in the particular computer system, performing, by the one or more processors, a mitigation action that mitigates a vulnerability of the computer system [hardware] resource in the particular computer system to the malicious attack (Trepagnier, Para [0106, 0108]: … FIGS. 11 and 12 depict examples of the relationships between the exploits that may be mitigated according to the rank orderings of the risk rating system inspired both by several cluster choices and CVSS scoring across the entire NVD … The "random patching" curve 1010 in FIG. 11 represents the simplest, least data-informed approach of vulnerability mitigation, implying that exploit-associated vulnerabilities are mitigated in the same proportion as the patched vulnerabilities …) [by reducing a functionality of the computer system hardware resource in the particular computer system until a solution is implemented that mitigates the vulnerability of the particular computer system to the malicious attack].
However Trepagnier does not explicitly teach, but Tamir from same or similar field of endeavor teaches, “… a description of a vulnerability of a computer system hardware resource in a computer system (Tamir, Abstract, Para [0004]: … the method comprises receiving at a security computer external vulnerability data (description of a vulnerability) from an external source regarding vulnerabilities associated with an attack vector for configuration item (CI) data related to a (CI) device, of the networked computer system (hardware resource). The security computer accesses a configuration management database (CMDB) and the CI data related to the physical device (hardware resource) is read. Trust zone data associated with the CI device is determined utilizing the CMDB, and the security computer performs a vulnerability calculation for the CI device utilizing the external vulnerability data and associated trust zone data … Disclosed herein is an apparatus and related method for reducing a security risk in a networked computer system architecture. According to various implementations discussed below, information about elements of a computer-based network for an organization are stored in a configuration management database (CMDB). The CMDB contains configuration item (CI) records that each contain data about the components making up the network--such components including a computer, computer system, server, router, firewall, etc.) (hardware resource) …)”
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Tamir into the teachings of Trepagnier because it discloses that “the response to security incidents or potential security incidents has often been isolated. Significant improvements in handling such responses can be made by integrating security incident responses with IT systems that provide information about the affected systems, what business services may be affected, related incidents, problems, recent changes, known vulnerabilities, and the people who will be affected, the person to contact for each system. This integration enables more intelligent handling of security incident responses, making appropriate prioritizations, making it easier to find the source of a security incident and resolving it, notifying all people/groups involved, and proper handling of interconnected servers and services (Park: Para [0073])”.
However, the combination of Trepagnier-Tamir does not explicitly teach, but Park from same or similar field of endeavor teaches, “a mitigation … by reducing a functionality of the computer system hardware resource in the particular computer system until a solution is implemented that mitigates the vulnerability of the particular computer system to the malicious attack (Park, Col. [22, 23], Lines [47-67, 1-7]: … the Security Device 101 can serve as a bridge between the protected system 103 and the Control Device 105. For example, the Security Device 101 can include a corrective action manager 350 that supports the ability of other components of the cyber security system 100 to make changes to the state of the protected system 103. For example, in the event that a trojan horse embedded in the protected system 103 is activated and detected, and the operator wishes to roll back the compromised system 103 to an earlier non-compromised version, the Control Device 105 can be configured to issue such a rollback request to the Security Device 101. Upon receiving the rollback request, the Security Device 101 converts the request into a sequence of commands suitable for processing by the protected system 103 that will accomplish the rollback to the non-compromised state. As it is possible that attacks can be embedded into the source code or the hardware of the protected system 103, the corrective action manager 350 will, as needed, on a customer and deployment specific basis include the necessary software and hardware needed to restore the system 103 to a desired operating state (e.g., a state that allows the system to operate possibly with a reduced set of functionality, but is still able support the current needs of the mission given the presence of a cyberattack). 
For example, the Security Device 101 can insert commands back into the system 103 to override the effects of injected malware; thus, mitigating the effect until the malware can be removed …); Tamir as in combination of Trepagnier-Tamir already discloses the hardware resources as cited previously”
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Park into the combined teachings of Trepagnier-Tamir because it discloses that “the Security Device 101 can include a corrective action manager 350 that supports the ability of other components of the cyber security system 100 to make changes to the state of the protected system 103. For example, in the event that a trojan horse embedded in the protected system 103 is activated and detected, and the operator wishes to roll back the compromised system 103 to an earlier non-compromised version, the Control Device 105 can be configured to issue such a rollback request to the Security Device 101 (Park: Col. [22, 23], Lines [47-67, 1-7])”, thus allowing the system to function in a safe state.
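The four steps recited in claim 1 (receive a vulnerability description, extract the vulnerable resource type from its text, compare that type against the hardware inventory of a particular system, and on a match reduce the matching resource's functionality until a vendor fix is applied) form a small defensive pipeline. The following Python is an added illustration written for this page; it is not code from the application, the office action, or any of the cited Trepagnier, Tamir or Park references. A keyword/regular-expression lookup stands in for the NLP step, and the advisory text, the inventory, the resource types and the configuration knob names are all constructed for the example.

```python
"""Toy version of the claimed mitigation pipeline (added example, not from the record).

Assumptions (constructed for this example): the resource vocabulary, the
configuration knob names, the sample inventory and the sample advisory text.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
import re

# Stand-in for the NLP step: phrases that identify a hardware resource type.
RESOURCE_PATTERNS = {
    "cpu": re.compile(r"\b(cpu|processor|speculative execution)\b", re.I),
    "nic": re.compile(r"\b(network interface card|nic|ethernet controller)\b", re.I),
    "bmc": re.compile(r"\b(bmc|baseboard management controller)\b", re.I),
}

# Per resource type: the feature whose loss reduces exposure, and the knob that controls it.
MITIGATIONS = {
    "cpu": ("simultaneous multithreading", "smt_enabled"),
    "nic": ("firmware remote update service", "remote_fw_update_enabled"),
    "bmc": ("out-of-band network interface", "oob_network_enabled"),
}


@dataclass
class HardwareResource:
    resource_type: str
    model: str
    config: Dict[str, bool] = field(default_factory=dict)
    pending_patch: bool = False  # True while functionality is reduced awaiting a vendor fix


@dataclass
class SystemInventory:
    name: str
    resources: List[HardwareResource]


def extract_risk_info(description: str) -> Dict[str, object]:
    """Step 2: pull the vulnerable resource type(s) and a coarse severity hint out of free text."""
    resource_types = [t for t, pat in RESOURCE_PATTERNS.items() if pat.search(description)]
    remote = bool(re.search(r"\b(remote|unauthenticated|network-adjacent)\b", description, re.I))
    return {"resource_types": resource_types, "severity": "high" if remote else "medium"}


def find_matching_resources(risk: Dict[str, object], inventory: SystemInventory) -> List[HardwareResource]:
    """Step 3: compare the extracted type(s) against one system's hardware inventory."""
    return [r for r in inventory.resources if r.resource_type in risk["resource_types"]]


def apply_mitigation(resource: HardwareResource) -> Optional[str]:
    """Step 4: reduce the resource's functionality; idempotent while a patch is still pending."""
    entry = MITIGATIONS.get(resource.resource_type)
    if entry is None or resource.pending_patch:
        return None
    feature, knob = entry
    resource.config[knob] = False
    resource.pending_patch = True
    return f"disabled {feature} on {resource.model}"


def apply_vendor_patch(resource: HardwareResource) -> Optional[str]:
    """Once the vendor fix is installed, restore the functionality that was reduced."""
    if not resource.pending_patch:
        return None
    feature, knob = MITIGATIONS[resource.resource_type]
    resource.config[knob] = True
    resource.pending_patch = False
    return f"patched {resource.model}; restored {feature}"


def respond_to_advisory(description: str, inventory: SystemInventory) -> List[str]:
    """Run steps 1-4 end to end and return the actions actually taken."""
    risk = extract_risk_info(description)
    actions = (apply_mitigation(r) for r in find_matching_resources(risk, inventory))
    return [a for a in actions if a]


def build_sample_inventory() -> SystemInventory:
    """Constructed inventory for one server; model names are placeholders."""
    return SystemInventory("db-01", [
        HardwareResource("cpu", "vendor-cpu-x", {"smt_enabled": True}),
        HardwareResource("bmc", "vendor-bmc-y", {"oob_network_enabled": True}),
        HardwareResource("nic", "vendor-nic-z", {"remote_fw_update_enabled": True}),
    ])


# Constructed advisory text, written in the style of a public vulnerability description.
SAMPLE_ADVISORY = ("The baseboard management controller firmware on affected servers mishandles "
                   "session tokens, allowing remote unauthenticated access to the management interface.")

if __name__ == "__main__":
    inventory = build_sample_inventory()
    for action in respond_to_advisory(SAMPLE_ADVISORY, inventory):
        print(action)
    for r in inventory.resources:
        done = apply_vendor_patch(r)
        if done:
            print(done)
```

The point the example makes is the one the rejection turns on: the resource is matched purely by the type named in the description, and the mitigation is a reversible reduction of the matched resource's functionality that is held until `apply_vendor_patch` runs, rather than a rollback triggered by detecting active malware.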
Regarding Claim 2. The combination of Trepagnier-Tamir-Park discloses the method of claim 1, Park further discloses, “wherein the solution that mitigates the vulnerability of the particular computer system to the malicious attack also restores the functionality of the computer system hardware resource in the particular computer system (Park, Col. [22, 23], Lines [47-67, 1-7]: … the Security Device 101 can serve as a bridge between the protected system 103 and the Control Device 105. For example, the Security Device 101 can include a corrective action manager 350 that supports the ability of other components of the cyber security system 100 to make changes to the state of the protected system 103. For example, in the event that a trojan horse embedded in the protected system 103 is activated and detected, and the operator wishes to roll back the compromised system 103 to an earlier non-compromised version, the Control Device 105 can be configured to issue such a rollback request to the Security Device 101. Upon receiving the rollback request, the Security Device 101 converts the request into a sequence of commands suitable for processing by the protected system 103 that will accomplish the rollback to the non-compromised state.); the combination of Trepagnier-Tamir-Park already discloses hardware resources in claim 1”
Regarding Claim 6. The combination of Trepagnier-Tamir-Park discloses the method of claim 1, Park further discloses, “wherein the mitigation Park, Col. [8, 30, 31], Lines [1-12, 36-67, 1-7]: … Depending on the complexity of the digital network, much more can be accomplished; ranging from triggered packet capture to actual network participation in terms of in-stream packet analysis. Other foundational security features such as user or device authentication; access and participation logs from the fabric such as association with VRF or VLAN, ACL groups, or other network authentication; and services such as DNS, can also contribute. Bringing all of this information into a consistant, forensic style formatted log is extremely helpful in any after-event reporting that needs to be accomplished … During run time, parameters configured during system setup are available to the Control Device 105 operator while the cyber security system 100 is in operation. The operator can modify the parameters as needed via the Control Device 105 GUI 460 and push the changes into the corresponding Security Device(s) 101 … operators can have access to features related to running the cyber security system 100 during run time operation such as viewing detection logs and marking their resolution, triggering corrective actions, and viewing situational views. Administrators can set up and configure the Control Device 105 including the authority to create, delete, view, and edit user accounts (including changes of user roles), configure detection rules, add/edit/delete and configure individual Security Devices 101, and add/edit/delete/view situational viewers …), changing a host-based agent for handling messages to the computer system hardware resource in the particular computer system (Park, Col. 
[6, 7], Lines [55-67, 1-8]: … The security devices may include one or more security devices further specialized to serve as host platforms to perform the various security functions described earlier: identity management, network time, log management, asset and configuration management. The overlay cyber security networked system and method may operate in-band or out-of-band within a standard cable communications network. Together, these security services can be implemented as a small footprint security layer designed to complement and integrate with the existing Process Control Network (PCN).  …), and changing a configuration of the computer system hardware resource in the particular computer system (Park, Col. [29], Lines [28-45]: … In some embodiments, the corrective actions made available depends on the particular capabilities supported by the protected system 103. Therefore, a list of available corrective actions can be configured using the Control Device 105 during initial system setup of the Security Device 101 based on the specific implementation and its available entry points into the system. Examples of corrective actions can include, but are not limited to … reset the input data (e.g., re-upload a PLC configuration or parameter configuration from a secure location) …); the combination of Trepagnier-Tamir-Park already discloses hardware resources in claim 1.”
The motivation to further combine Park remains the same as in claim 1.
Regarding Claim 8. Trepagnier discloses A computer program product comprising a computer readable storage medium having program code embodied therewith, wherein the computer readable storage medium is not a transitory signal per se, and wherein the program code is readable and executable by a processor to perform a method comprising (Trepagnier, Abstract, Para [0040, 0136-0137]: Systems, methods and computer readable mediums for determining a risk rating for software vulnerabilities of host devices and services on an enterprise network are discussed. Risk-rating systems and methods prioritize cyber defense resources utilizing both network-independent and network-specific approaches … The computing device 2000 includes one or more non-transitory computer-readable media for storing one or more computer-executable instructions or software for implementing exemplary embodiments … memory 2006 included in the computing device 2000 may store computer-readable and computer-executable instructions or software for implementing exemplary embodiments of the risk rating system. The computing device 2000 also includes configurable and/or programmable processor …):
receiving a description of a vulnerability of computer system [hardware] resource in a computer system to a malicious attack (Trepagnier, Para [0032-0033]: … The inputs of box 110 are known vulnerability data and known exploit data, both of which are network or host-independent. The inputs thus convey information on a general threat environment … vulnerability data relating to known software vulnerabilities is input from a third party source, for example, the National Vulnerability Database (NVD) 112 …);
Trepagnier, Para [0041-0042, 0063, 0071-0072, 0114]: … vulnerability module 210 may be a hardware or software implemented module configured to generate a vector space of vectors associated with a set of characteristics for known software vulnerabilities, and to group the vulnerabilities into one or more sets of similar software vulnerabilities based on the similarities between the corresponding vectors. In some embodiments, the vulnerability module 210 is configured to retrieve data, such as but not limited to NVD-based data, relating to known software vulnerabilities from third party data sources and analyze the data to generate the vector space. In some embodiments, the analysis may include natural language processing of vulnerability descriptions found in the NVD … The software vulnerabilities in the generated vector space may be grouped into sets of similar software vulnerabilities using a number of different approaches. Embodiments may utilize spectral clustering, a neural network, logistic regression analysis, partial least squares, a recommender system, random decision forests, least squares linear decision analysis, and other forms of supervised or unsupervised machine learning classifying together items which are close together in a relevant feature space or satisfy another criteria … Hosts/services typically contain multiple vulnerabilities providing varying degrees of risk that may be identified in the manner discussed previously. Embodiments provide a number of techniques to leverage this information to provide an overall security metric for each host/service in an enterprise network …);
comparing the vulnerable computer system [hardware] resource to a computer system [hardware] resource in a particular computer system (Trepagnier, Para [0044, 0058]: … The host-specific and service-specific vulnerability module 230 may be a hardware or software implemented module configured to analyze particular hosts/services to identify software vulnerabilities within the host, compare the host-specific/service-specific vulnerabilities to the sets of similar software vulnerabilities identified by the vulnerability module 210, and determine a risk rating for each of the host-specific/service-specific vulnerabilities using the previously determined risk rating for the set of similar software vulnerabilities … At step 404, the host-specific and service-specific vulnerability module 230 compares each host-specific/service-specific software vulnerability identified via the scan with the sets of similar software vulnerabilities to determine which vulnerabilities on the host are present in which set …); and
in response to the vulnerable computer system [hardware] resource matching the computer system [hardware] resource in the particular computer system, performing a mitigation action that mitigates a vulnerability of the computer system [hardware] resource in the particular computer system to the malicious attack (Trepagnier, Para [0106, 0108]: … FIGS. 11 and 12 depict examples of the relationships between the exploits that may be mitigated according to the rank orderings of the risk rating system inspired both by several cluster choices and CVSS scoring across the entire NVD … The "random patching" curve 1010 in FIG. 11 represents the simplest, least data-informed approach of vulnerability mitigation, implying that exploit-associated vulnerabilities are mitigated in the same proportion as the patched vulnerabilities …) [by reducing a functionality of the computer system [hardware] resource in the particular computer system until a solution is implemented that both restores the functionality of the computer system hardware resource in the particular computer system and mitigates the vulnerability of the particular computer system to the malicious attack].
However, Trepagnier does not explicitly teach, but Tamir from the same or similar field of endeavor teaches, “… a description of a vulnerability of a computer system hardware resource in a computer system (Tamir, Abstract, Para [0004]: … the method comprises receiving at a security computer external vulnerability data (description of a vulnerability) from an external source regarding vulnerabilities associated with an attack vector for configuration item (CI) data related to a (CI) device (hardware resource), of the networked computer system. The security computer accesses a configuration management database (CMDB) and the CI data related to the physical device is read. Trust zone data associated with the CI device is determined utilizing the CMDB, and the security computer performs a vulnerability calculation for the CI device utilizing the external vulnerability data and associated trust zone data … Disclosed herein is an apparatus and related method for reducing a security risk in a networked computer system architecture. According to various implementations discussed below, information about elements of a computer-based network for an organization are stored in a configuration management database (CMDB). The CMDB contains configuration item (CI) records that each contain data about the components making up the network--such components including a computer, computer system, server, router, firewall, etc.) (hardware resource) …)”
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Tamir into the teachings of Trepagnier because Tamir discloses that “the response to security incidents or potential security incidents has often been isolated. Significant improvements in handling such responses can be made by integrating security incident responses with IT systems that provide information about the affected systems, what business services may be affected, related incidents, problems, recent changes, known vulnerabilities, and the people who will be affected, the person to contact for each system. This integration enables more intelligent handling of security incident responses, making appropriate prioritizations, making it easier to find the source of a security incident and resolving it, notifying all people/groups involved, and proper handling of interconnected servers and services (Tamir, Para [0073])”.
However, the combination of Trepagnier-Tamir does not explicitly teach, but Park from the same or similar field of endeavor teaches, “mitigates a vulnerability … by reducing a functionality of the computer system resource in the particular computer system (Park, Col. [22, 23], Lines [47-67, 1-7]: … the Security Device 101 can serve as a bridge between the protected system 103 and the Control Device 105. For example, the Security Device 101 can include a corrective action manager 350 that supports the ability of other components of the cyber security system 100 to make changes to the state of the protected system 103. For example, in the event that a trojan horse embedded in the protected system 103 is activated and detected, and the operator wishes to roll back the compromised system 103 to an earlier non-compromised version, the Control Device 105 can be configured to issue such a rollback request to the Security Device 101. Upon receiving the rollback request, the Security Device 101 converts the request into a sequence of commands suitable for processing by the protected system 103 that will accomplish the rollback to the non-compromised state. As it is possible that attacks can be embedded into the source code or the hardware of the protected system 103, the corrective action manager 350 will, as needed, on a customer and deployment specific basis include the necessary software and hardware needed to restore the system 103 to a desired operating state (e.g., a state that allows the system to operate possibly with a reduced set of functionality, but is still able support the current needs of the mission given the presence of a cyber attack). For example, the Security Device 101 can insert commands back into the system 103 to override the effects of injected malware; thus, mitigating the effect until the malware can be removed …)”
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Park into the combined teachings of Trepagnier-Tamir because Park discloses that “the Security Device 101 can include a corrective action manager 350 that supports the ability of other components of the cyber security system 100 to make changes to the state of the protected system 103. For example, in the event that a trojan horse embedded in the protected system 103 is activated and detected, and the operator wishes to roll back the compromised system 103 to an earlier non-compromised version, the Control Device 105 can be configured to issue such a rollback request to the Security Device 101 (Park, Col. [22, 23], Lines [47-67, 1-7])”, thus allowing the system to continue to function in a safe state.
Regarding Claim 11. The combination of Trepagnier-Tamir-Park discloses the computer program product of claim 8, Park further discloses, “wherein the mitigation action comprises changing an access control list for access to the computer system hardware resource in the particular computer system (Park, Col. [8, 30, 31], Lines [1-12, 36-67, 1-7]: … Depending on the complexity of the digital network, much more can be accomplished; ranging from triggered packet capture to actual network participation in terms of in-stream packet analysis. Other foundational security features such as user or device authentication; access and participation logs from the fabric such as association with VRF or VLAN, ACL groups, or other network authentication; and services such as DNS, can also contribute. Bringing all of this information into a consistant, forensic style formatted log is extremely helpful in any after-event reporting that needs to be accomplished … During run time, parameters configured during system setup are available to the Control Device 105 operator while the cyber security system 100 is in operation. The operator can modify the parameters as needed via the Control Device 105 GUI 460 and push the changes into the corresponding Security Device(s) 101 … operators can have access to features related to running the cyber security system 100 during run time operation such as viewing detection logs and marking their resolution, triggering corrective actions, and viewing situational views. Administrators can set up and configure the Control Device 105 including the authority to create, delete, view, and edit user accounts (including changes of user roles), configure detection rules, add/edit/delete and configure individual Security Devices 101, and add/edit/delete/view situational viewers …), changing a host-based agent for handling messages to the computer system hardware resource in the particular computer system (Park, Col. [6, 7], Lines [55-67, 1-8]: … The security devices may include one or more security devices further specialized to serve as host platforms to perform the various security functions described earlier: identity management, network time, log management, asset and configuration management. The overlay cyber security networked system and method may operate in-band or out-of-band within a standard cable communications network. Together, these security services can be implemented as a small footprint security layer designed to complement and integrate with the existing Process Control Network (PCN). …), and changing a configuration of the computer system hardware resource in the particular computer system (Park, Col. [29], Lines [28-45]: … In some embodiments, the corrective actions made available depends on the particular capabilities supported by the protected system 103. Therefore, a list of available corrective actions can be configured using the Control Device 105 during initial system setup of the Security Device 101 based on the specific implementation and its available entry points into the system. Examples of corrective actions can include, but are not limited to … reset the input data (e.g., re-upload a PLC configuration or parameter configuration from a secure location) …); the combination of Trepagnier-Tamir-Park already discloses hardware resources in claim 8.”
The motivation to further combine Park remains the same as in claim 8.
Regarding Claim 13. The combination of Trepagnier-Tamir-Park discloses the computer program product of claim 8, Trepagnier further discloses, “wherein the program instructions are provided as a service in a cloud environment (Trepagnier, Para [0136]: … Each of the server 1920, third party vulnerability database(s) 1930, third party exploit database(s) 1940 and the database(s) 1950 is connected to the network 1905 via a wired or wireless connection. The server 1920 comprises one or more computers or processors configured to communicate with the device 1910, third party vulnerability database(s) 1930, third party exploit database(s) 1940, and database(s) 1950 via network 1905. The server 1920 hosts one or more applications or websites accessed by the device 1910 and/or facilitates access to the content of database(s) 1950. Database(s) 1950 comprise one or more storage devices for storing data and/or instructions (or code) for use by the device 1910 and the server 1920. The database(s) 1950, and/or the server 1920, may be located at one or more geographically distributed locations from each other or from the device 1910. Alternatively, the database(s) 1950 may be included within the server 1920 …).”
Regarding Claim 14. This claim contains the same or similar limitations as claim 8 and is therefore rejected on the same grounds as claim 8.
Regarding Claim 16. The combination of Trepagnier-Tamir-Park discloses the computer system of claim 14, Trepagnier further discloses, “wherein the method further comprises: autonomously developing the mitigation action based on a protection rule template for responding to the vulnerability of the computer system to the malicious attack (Trepagnier, Para [0033, 0111]: … vulnerability data relating to known software vulnerabilities is input from a third party source, for example, the National Vulnerability Database (NVD) 112. The NVD is a repository of standards based vulnerability management data represented using the Security Content Automation Protocol (SCAP). The NVD includes databases of security-related software flaws, misconfigurations, product names, and impact metrics … A comparison between the exploits that emerge from 2015 through mid-2017 to those that emerge three months later is performed. Similar to the results on the CVSS version 2 clusters (FIG. 15), the results in FIG. 17 show that the exploit emergence into the clusters defined by the risk rating system is stable. Even if exploits are developed for a very different distribution of vulnerabilities, the algorithm implemented in the risk rating system described herein automatically adjusts …).”
Regarding Claim 19. The combination of Trepagnier-Tamir-Park discloses the method of claim 1, Tamir further discloses, “wherein the vulnerable computer system hardware resource is a router (Tamir, Para [0004]: … Disclosed herein is an apparatus and related method for reducing a security risk in a networked computer system architecture. According to various implementations discussed below, information about elements of a computer-based network for an organization are stored in a configuration management database (CMDB). The CMDB contains configuration item (CI) records that each contain data about the components making up the network--such components including a computer, computer system, server, router, firewall, etc.) …).”
The motivation to further combine Tamir remains the same as in claim 1.
Regarding Claim 20. This claim contains the same or similar limitations as claim 13 and is therefore rejected on the same grounds as claim 13.
Claims 3, 9, 15 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Pub. No.: US 2020/0012796 A1 to Trepagnier et al (hereinafter “Trepagnier”) in view of Pub. No.: US 2018/0219908 A1 to Tamir et al (hereinafter “Tamir”) and Pat. No.: US 10250619 B1 to Park et al. (hereinafter “Park”) as applied to claim 1 above, and further in view of Pub. No.: US 2015/0242637 A1 to Tonn et al (hereinafter “Tonn”).
Regarding Claim 3. The combination of Trepagnier-Tamir-Park discloses the method of claim 1; however, it does not explicitly teach, but Tonn from the same or similar field of endeavor teaches, “wherein the vulnerability of the computer system to the malicious attack is from a set of newly-identified vulnerabilities, and wherein the set of (Tonn, Para [0027-0031]: … FIGS. 2A, 2B and 2C depict a schematic diagram of data types according to some embodiments. Electronically-implemented instances of the data types depicted in FIGS. 2A, 2B and 2C may be used as nodes in a graph as depicted in, e.g., FIGS. 1A and 1B … Fundamentals 204 generally include data types for items of primary concern to computer security analysts. Fundamentals include vulnerabilities 206 … Each instance of a vulnerability fundamental 206 may be characterized by an identifying string, e.g., a Common Vulnerability and Exposure (CVE) identification, provided by the MITRE corporation. Each vulnerability fundamental 206 instance can be related to a file fundamental 230 instance by the words "exploits" or "is exploited by …).”
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Tonn into the combined teachings of Trepagnier-Tamir-Park because it discloses that an “approach may be used to identify CVE identifications representing a vulnerability, domain names, URLs, file hashes, and so on. Known applications do this to in order to transform URLs or email addresses into hyperlinks a user can click on to open in a browser or email client, respectively (Tonn, Para [0060]).”
Regarding Claim 9. The combination of Trepagnier-Tamir-Park discloses the computer program product of claim 8; however, it does not explicitly teach, but Tonn from the same or similar field of endeavor teaches, “wherein the vulnerability of the (Tonn, Para [0027-0031]: … FIGS. 2A, 2B and 2C depict a schematic diagram of data types according to some embodiments. Electronically-implemented instances of the data types depicted in FIGS. 2A, 2B and 2C may be used as nodes in a graph as depicted in, e.g., FIGS. 1A and 1B … Fundamentals 204 generally include data types for items of primary concern to computer security analysts. Fundamentals include vulnerabilities 206 … Each instance of a vulnerability fundamental 206 may be characterized by an identifying string, e.g., a Common Vulnerability and Exposure (CVE) identification, provided by the MITRE corporation. Each vulnerability fundamental 206 instance can be related to a file fundamental 230 instance by the words "exploits" or "is exploited by …).”
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Tonn into the combined teachings of Trepagnier-Tamir-Park because it discloses that an “approach may be used to identify CVE identifications representing a vulnerability, domain names, URLs, file hashes, and so on. Known applications do this to in order to transform URLs or email addresses into hyperlinks a user can click on to open in a browser or email client, respectively (Tonn, Para [0060]).”
Regarding Claim 15. This claim contains the same or similar limitations as claim 9 and is therefore rejected on the same grounds as claim 9.
Regarding Claim 18. The combination of Trepagnier-Tamir-Park-Tonn discloses the method of claim 3, Tonn further discloses, “further comprising:
performing, by the one or more processors, an NLP analysis of the CVE listing in order to identify the type of vulnerable computer system hardware resource, the particular computer system, and a particular type of network that are affected by the malicious attack described in the CVE listing (Tonn, Para [0060]: … converting raw data into formatted fundamental instances, generally includes recognizing fundamental data within other data. Techniques can identify the presence of an IP address in a document body in a few different ways; an example approach is to use a regular expression to identify the octet form. A similar approach may be used to identify CVE identifications representing a vulnerability, domain names, URLs, file hashes, and so on. Known applications do this to in order to transform URLs or email addresses into hyperlinks a user can click on to open in a browser or email client, respectively. Another approach incorporates approaches similar to those just described together with natural language processing techniques to extract fundamentals into software …); and
utilizing, by the one or more processors, the NLP analysis of the CVE listing to generate a rule for responding to the malicious attack on the vulnerable computer system hardware resource in the particular computer system (Tonn, Para [0089, 0124]: …. Countermeasure rule engine 518 may obtain the rules by iterating through each vulnerability node of an intelligence graph and determining, for each vulnerability node, whether documents such as intelligence reports mention it by examining the edges joined to the vulnerability node for the presence of "mentions" or "mentioned by" edges … iterating through each vulnerability node may include determining, for each vulnerability node, whether documents such as intelligence reports mention it by examining the edges joined to the vulnerability node for the presence of edges with special labels that indicate the related node may contain relevant information, such as "discusses" … The extraction may insert the resulting data into one or more columns of the distributable vulnerability data database file. In particular, the subroutine may insert mitigation information into a mitigation information column, workaround information into a workaround information column, and patch information into a patch information column. In some embodiments, this information is inserted into a single column. In some embodiments, the mitigation information may be obtained from a countermeasure rules engine, e.g., 518 of FIG. 5, which itself may obtain the mitigation information from an intelligence graph as described in this paragraph …); the combination of Trepagnier-Tamir-Park already discloses hardware resources and NLP analysis in claim 1.”
The motivation to further combine Tonn remains the same as in claim 3.
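The extraction step that the Tonn excerpt cited for claim 18 describes (recognizing CVE identifications, IP addresses in octet form, domain names and file hashes inside document text, then recording which document mentions which fundamental) is illustrated by the following added example. It is not code from the application under examination or from any of the cited references. The sample text is constructed for this example, and the function names, the regular expressions and the (document, "mentions", kind, value) edge layout are assumptions made for illustration only.

```python
import re
from ipaddress import IPv4Address, AddressValueError

# Constructed sample input (not taken from the application or any cited reference):
# a short advisory-style note that mixes CVE identifications, IPv4 addresses in
# octet form, a domain name and a SHA-256 digest (the well-known digest of the
# empty string, used here only as a placeholder value).
SAMPLE_TEXT = """
Indicators observed during triage: the scanner host 10.0.12.7 flagged
CVE-2021-44228 and cve-2017-0144 on the file server; beacon traffic went to
203.0.113.45 and to update.example.test. Not addresses: 300.1.2.3 and 1.2.3.
Dropped file sha256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
"""

# CVE identifications: a year plus a sequence number of four or more digits.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)
# IPv4 in octet form: four dot-separated 1-3 digit groups that are not part of a
# longer dotted run. The 0-255 range of each octet is checked separately below.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
# SHA-256 digests: exactly 64 hexadecimal characters.
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
# Domain names: one or more DNS labels followed by an alphabetic top-level label.
DOMAIN_RE = re.compile(
    r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}\b", re.IGNORECASE
)


def extract_fundamentals(text):
    """Recognise fundamentals in raw text.

    Returns a dict keyed by kind ("cve", "ipv4", "sha256", "domain"); each value
    is a sorted, de-duplicated list of normalised strings.
    """
    cves = {m.group(0).upper() for m in CVE_RE.finditer(text)}

    ipv4 = set()
    for m in IPV4_RE.finditer(text):
        try:
            # IPv4Address rejects out-of-range octets such as 300.1.2.3, so a
            # syntactic regex hit is only kept if it is a real address.
            ipv4.add(str(IPv4Address(m.group(0))))
        except AddressValueError:
            continue

    sha256 = {m.group(0).lower() for m in SHA256_RE.finditer(text)}
    domains = {m.group(0).lower() for m in DOMAIN_RE.finditer(text)}

    return {
        "cve": sorted(cves),
        "ipv4": sorted(ipv4),
        "sha256": sorted(sha256),
        "domain": sorted(domains),
    }


def mention_edges(doc_id, text):
    """Build (document, "mentions", kind, value) edges for an intelligence graph.

    The tuple layout is an assumption of this example; the cited reference only
    names the edge labels ("mentions" / "mentioned by") in prose.
    """
    found = extract_fundamentals(text)
    return [
        (doc_id, "mentions", kind, value)
        for kind in sorted(found)
        for value in found[kind]
    ]


if __name__ == "__main__":
    for edge in mention_edges("report-1", SAMPLE_TEXT):
        print(edge)
```

The octet-range check after the regular expression is the detail that matters in practice: a pattern for the octet form alone accepts strings such as 300.1.2.3, so a graph built only from regex hits would carry nodes that can never correspond to a host.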
Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over Pub. No.: US 2020/0012796 A1 to Trepagnier et al (hereinafter “Trepagnier”) in view of Pub. No.: US 2018/0219908 A1 to Tamir et al (hereinafter “Tamir”) and Pat. No.: US 10250619 B1 to Park et al. (hereinafter “Park”) as applied to claim 8 above, and further in view of Pub. No.: US 2018/0063168 A1 to SOFKA (hereinafter “SOFKA”).
Regarding Claim 10. The combination of Trepagnier-Tamir-Park discloses the computer program product of claim 8, Trepagnier further discloses, “wherein the method further comprises:
autonomously developing the mitigation action based on a protection rule template for responding to the vulnerability of the computer system to the malicious attack (Trepagnier, Para [0033, 0111]: … vulnerability data relating to known software vulnerabilities is input from a third party source, for example, the National Vulnerability Database (NVD) 112. The NVD is a repository of standards based vulnerability management data represented using the Security Content Automation Protocol (SCAP). The NVD includes databases of security-related software flaws, misconfigurations, product names, and impact metrics … A comparison between the exploits that emerge from 2015 through mid-2017 to those that emerge three months later is performed. Similar to the results on the CVSS version 2 clusters (FIG. 15), the results in FIG. 17 show that the exploit emergence into the clusters defined by the risk rating system is stable. Even if exploits are developed for a very different distribution of vulnerabilities, the algorithm implemented in the risk rating system described herein automatically adjusts …)”;
However, the combination of Trepagnier-Tamir-Park does not explicitly teach, but SOFKA from the same or similar field of endeavor teaches:
“inputting the description of the vulnerability of the computer system to the malicious attack into a Recurrent Neural Network (RNN) (SOFKA, Abstract, Para [0028]: … using programmed computer instructions, executing, in computer memory, a recurrent neural network (RNN) comprising a plurality of nodes each implemented as a Long Short-Term Memory (LSTM) cell and comprising a plurality of links between nodes that represent outputs of LSTM cells and inputs to LSTM cells, wherein each LSTM cell implements an input layer, hidden layer and output layer of the RNN; receiving, from a networked computer, network traffic data associated with one or more networked computers; extracting feature data representing a plurality of features of the network traffic data and providing the feature data to the RNN; classifying one or more individual Uniform Resource Locators (URLs) as malicious or legitimate using a plurality of first LSTM cells of the input layer …), wherein neurons in the RNN process data from upstream neurons in the RNN by executing one or more algorithms (SOFKA, Para [0042-0045]: … FIG. 2 illustrates an example computational diagram of an LSTM, which may be implemented using hardware logic, programmed software, or a combination thereof. An LSTM memory unit is controlled by input (f.sub.i), forgetting (f.sub.f), and output (f.sub.o) updates. In addition, state candidate values (g.sub.t) influence the memory contents c.sub.t. The output and state candidate are used to update the hidden state h.sub.t … The inventors also recognized in an inventive moment that combining LSTM memory cells as nodes (neurons) in a recurrent neural network would yield superior solutions to the specified problems. Recurrent neural networks (RNN) update a hidden vector h.sub.t and accept input x.sub.t at every time step t. The update of h.sub.t is a function of x.sub.t and the hidden vector at the previous time step h.sub.t−1. 
The function introduces a non-linearity and is chosen typically as tanh or a rectified linear unit (ReLU). LSTM architectures address the exploding and vanishing problem by learning over long-term dependencies by introducing a memory cell representation …); and
training the RNN to generate the protection rule template based on the description of the vulnerability to the malicious attack (SOFKA, Abstract, Para [0028- 0031]: … embodiments provide a way to train the representations in an unsupervised way and to use them in automatic description of threats by phrases … Embodiments have particular applicability to sequential modeling in security datasets without the need for manually designing features and expert rules, which becomes untenable when trying to keep up with ever increasing malware samples. Various embodiments provide numerous benefits as compared to past practice, including automatically learning feature representations of proxy logs, events, and user communication. As another benefit, learned representations are data-driven and thus can discover features and their relationships which would be hard or impossible to find out manually. An example is that the presence of the character "?" in a URL may be legitimate when it appears after the first "\" character in the URL but may indicate a malicious URL if it appears repeatedly in other positions in the URL; manually derived rules based on such a feature typically are inaccurate but because the URL is a linear sequence of characters, an LSTM-based RNN can be structured to predict the malicious nature of such a URL with high accuracy …).”
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of SOFKA into the combined teachings of Trepagnier-Tamir-Park because SOFKA discloses that “an LSTM-based RNN can be structured to predict the malicious nature of such a URL with high accuracy (SOFKA, Para [0031]).”
Claims 7 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Pub. No.: US 2020/0012796 A1 to Trepagnier et al (hereinafter “Trepagnier”) in view of Pub. No.: US 2018/0219908 A1 to Tamir et al (hereinafter “Tamir”) and Pat. No.: US 10250619 B1 to Park et al. (hereinafter “Park”) as applied to claim 1 above, and further in view of Pub. No.: US 2017/0286682 A1 to Stappert (hereinafter “Stappert”).
Regarding Claim 7. The combination of Trepagnier-Tamir-Park discloses the method of claim 1; however, it does not explicitly teach, but Stappert from the same or similar field of endeavor teaches: “further comprising:
receiving, by the one or more processors, a vendor patch for the vulnerability of the particular computer system to the malicious attack (Stappert, Para [0007-0012]: … the security levels are configurable in that the subsets of countermeasures corresponding to said security levels are alterable … the electronic device further comprises a configuration interface unit for receiving a configuration instruction from an external device, and the countermeasure unit is arranged to alter at least one subset of countermeasures in response to said configuration instruction …);
applying, by the one or more processors, the vendor patch for the vulnerability to the particular computer system (Stappert, Para [0034]: … the electronic device 500 comprises a reset interface unit 502 operatively coupled to the countermeasure unit 104. In this embodiment, the reset interface unit 502 is arranged to receive a reset instruction from an external device, for example a device managed by a trusted authority. Furthermore, the countermeasure unit is arranged to activate and/or deactivate specific countermeasures in response to the reset instruction …); and
in response to applying the vendor patch for the vulnerability to the particular computer system, ceasing, by the one or more processors, the mitigation action from the particular computer system (Stappert, Para [0034]: … the countermeasure unit is arranged to activate and/or deactivate specific countermeasures in response to the reset instruction …).”
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Stappert into the combined teachings of Trepagnier-Tamir-Park because it discloses that “the countermeasure unit 104 is arranged to alter at least one subset of countermeasures in response to said configuration instruction. In this way, the subset of countermeasures belonging to a particular security level may easily be managed by a trusted authority. For example, the device may be upgraded by adding newly developed countermeasures to a particular subset (Stappert: Para [0034]).”
Regarding Claim 12. The combination of Trepagnier-Tamir-Park discloses the computer program product of claim 8; however, it does not explicitly teach the following, which Stappert, from the same or similar field of endeavor, teaches: “wherein the method further comprises:
receiving a vendor patch for the vulnerability of the particular computer system to the malicious attack (Stappert, Para [0007-0012]: … the security levels are configurable in that the subsets of countermeasures corresponding to said security levels are alterable … the electronic device further comprises a configuration interface unit for receiving a configuration instruction from an external device, and the countermeasure unit is arranged to alter at least one subset of countermeasures in response to said configuration instruction …);
applying the vendor patch to the particular computer system (Stappert, Para [0034]: … the electronic device 500 comprises a reset interface unit 502 operatively coupled to the countermeasure unit 104. In this embodiment, the reset interface unit 502 is arranged to receive a reset instruction from an external device, for example a device managed by a trusted authority. Furthermore, the countermeasure unit is arranged to activate and/or deactivate specific countermeasures in response to the reset instruction …); and
in response to applying the vendor patch to the particular computer system, ceasing the mitigation action on the particular computer system (Stappert, Para [0034]: … the countermeasure unit is arranged to activate and/or deactivate specific countermeasures in response to the reset instruction …).”
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Stappert into the combined teachings of Trepagnier-Tamir-Park because it discloses that “the countermeasure unit 104 is arranged to alter at least one subset of countermeasures in response to said configuration instruction. In this way, the subset of countermeasures belonging to a particular security level may easily be managed by a trusted authority. For example, the device may be upgraded by adding newly developed countermeasures to a particular subset (Stappert: Para [0034]).”
Claim 17 is rejected under 35 U.S.C. 103 as being unpatentable over Pub. No.: US 2020/0012796 A1 to Trepagnier et al. (hereinafter “Trepagnier”) in view of Pub. No.: US 2018/0219908 A1 to Tamir et al. (hereinafter “Tamir”) and Pat. No.: US 10250619 B1 to Park et al. (hereinafter “Park”) as applied to claim 2 above, and further in view of Pub. No.: US 2014/0173739 A1 to Ahuja (hereinafter “Ahuja”).
Regarding Claim 17. The combination of Trepagnier-Tamir-Park discloses the method of claim 2; however, it does not explicitly teach the following, which Ahuja, from the same or similar field of endeavor, teaches: “wherein the mitigation action disables a functionality of the computer system hardware resource until the functionality of the computer system hardware resource in the particular computer system is restored (Ahuja, Abstract, Para [0043-0044]: … The assets (e.g., 225, 230, 235) can also be protected by one or more active countermeasures that are applied to the asset … if a threat needs either direct physical access or network access to compromise an asset, an example partial passive countermeasure would block network access to the asset … Data used by the security manager 210, and more particularly by a risk assessment engine 288, in this example, can be collected by a variety of different sensors deployed both remote from the assets (e.g., through certain tools of security tool deployment 220) as well as locally on the assets (e.g., through agents 296, 297, 298) … a passive countermeasure may be configured to detect data having a signature associated with a particular attack, and block data with that signature. As another example, a passive countermeasure may generate back-up copies of particular files targeted by an attack, so that even if the attack attacks the files, the files can be restored …), wherein the computer system is a server, wherein the computer system hardware resource is a specific network server port on the server, and wherein the specific network server port is shut down until a patch is released and installed on the server to overcome the malicious attack (Ahuja, Para [0054]: … In some implementations, asset records 258 can be the product of aggregating data from a variety of different sources having data describing configurations, attributes, and characteristics of the assets (e.g., 225, 230, 235). In some instances, asset records 258 can also include criticality ratings, metrics, and scores generated for the asset by an example criticality assessment engine 205. The configuration of an asset can be a hardware and/or software configuration. Depending on the configuration, various threats may be applicable to an asset. In general, the configuration of the asset can include one or more of the physical configuration of the asset, the software running on the asset, and the configuration of the software running on the asset. Examples of configurations include particular families of operating systems (e.g., Windows.TM., Linux.TM., Apple OS.TM., Apple iOS.TM.), specific versions of operating systems (e.g., Windows 7.TM.), particular network port settings (e.g., network port 8 is open), and particular software products executing on the system (e.g., a particular word processor, enterprise application or service, a particular web server, etc.). In some implementations, the configuration data does not include or directly identify countermeasures in place for the asset, or whether the asset is vulnerable to a particular threat. Further, configuration information and other information in asset records 258 can be used in automated criticality assessments using a criticality assessment engine 205 …).”
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Ahuja into the combined teachings of Trepagnier-Tamir-Park because it discloses that “Active countermeasures can make changes to the configuration of assets or the configuration of existing passive countermeasures to actively eliminate a vulnerability. In contrast, passive countermeasures hide the effects of a vulnerability, but do not remove the vulnerability. Each active countermeasure eliminates, or at least reduces, the risk that a threat will affect an asset when the active countermeasure is applied to the asset by eliminating, or at least reducing, a vulnerability. For example, an active countermeasure can close a back door that was open on an asset or correct another type of system vulnerability. Example active countermeasures include, but are not limited to, software patches that are applied to assets (Ahuja: Para [0044]).”
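For orientation, the following Python model of the sequence recited in claims 7, 12 and 17 (shut down the affected server port as the mitigation action, receive a vendor patch, apply it, and cease the mitigation only in response to the applied patch) is added here. It is not code from the instant application or from any cited reference; the server, port numbers, software name, patch payload and published digest are constructed for the illustration, and the digest check on receipt is an assumed detail, not a claim limitation.

```python
"""Model of the claimed mitigation lifecycle: block a port, receive and verify a
vendor patch, apply it, and lift the mitigation only once the patch is in place.
Added illustration; not code from the application or the cited references."""
from dataclasses import dataclass, field
import hashlib


@dataclass
class Server:
    """Constructed stand-in for the 'particular computer system' of the claims."""
    name: str
    open_ports: set
    installed: dict                      # software name -> installed version
    blocked_ports: set = field(default_factory=set)


@dataclass(frozen=True)
class VendorPatch:
    """A vendor patch as received: target software, version it installs, the
    payload, and the digest the vendor publishes alongside it (assumed detail)."""
    software: str
    fixed_version: str
    payload: bytes
    published_sha256: str


@dataclass(frozen=True)
class Vulnerability:
    """The exposure being mitigated: a flaw in one software component that is
    reachable through one server port (the 'hardware resource' of claim 17)."""
    vuln_id: str
    software: str
    affected_version: str
    port: int


class MitigationController:
    """Tracks active mitigations and enforces the claimed ordering: the port
    stays shut down until a patch is applied, then the mitigation ceases."""

    def __init__(self, server: Server):
        self.server = server
        self.active = {}                 # vuln_id -> Vulnerability under mitigation

    def is_vulnerable(self, vuln: Vulnerability) -> bool:
        return self.server.installed.get(vuln.software) == vuln.affected_version

    def mitigate(self, vuln: Vulnerability) -> bool:
        """Mitigation action: disable the port if the server is actually exposed."""
        if not self.is_vulnerable(vuln) or vuln.port not in self.server.open_ports:
            return False
        self.server.blocked_ports.add(vuln.port)
        self.active[vuln.vuln_id] = vuln
        return True

    def receive_patch(self, patch: VendorPatch) -> bool:
        """Accept the patch only if its payload matches the vendor-published digest."""
        return hashlib.sha256(patch.payload).hexdigest() == patch.published_sha256

    def apply_patch(self, patch: VendorPatch) -> bool:
        if not self.receive_patch(patch):
            return False                 # corrupted or tampered payload: do not install
        self.server.installed[patch.software] = patch.fixed_version
        return True

    def cease_mitigation(self, vuln_id: str) -> bool:
        """Lift the port block, but only if the patch actually removed the exposure."""
        vuln = self.active.get(vuln_id)
        if vuln is None or self.is_vulnerable(vuln):
            return False                 # still unpatched: keep the port shut down
        self.server.blocked_ports.discard(vuln.port)
        del self.active[vuln_id]
        return True

    def handle_patch(self, vuln_id: str, patch: VendorPatch) -> bool:
        """The claimed sequence: receive, apply, and in response cease the mitigation."""
        if not self.apply_patch(patch):
            return False
        return self.cease_mitigation(vuln_id)


def make_patch(software: str, version: str, payload: bytes, tamper: bool = False) -> VendorPatch:
    """Constructed patch; with tamper=True the payload no longer matches its digest."""
    digest = hashlib.sha256(payload).hexdigest()
    body = payload + b"\x00" if tamper else payload
    return VendorPatch(software, version, body, digest)


def demo() -> dict:
    """Run the lifecycle on a constructed server and report the observable state."""
    server = Server("web-1", open_ports={22, 443, 8080}, installed={"appserver": "2.3.0"})
    ctl = MitigationController(server)
    vuln = Vulnerability("VULN-EXAMPLE", "appserver", "2.3.0", 8080)
    mitigated = ctl.mitigate(vuln)
    # A tampered patch must neither install nor lift the port block.
    bad = ctl.handle_patch(vuln.vuln_id, make_patch("appserver", "2.3.1", b"fix", tamper=True))
    still_blocked = 8080 in server.blocked_ports
    # The genuine patch installs, and only then does the mitigation cease.
    good = ctl.handle_patch(vuln.vuln_id, make_patch("appserver", "2.3.1", b"fix"))
    return {"mitigated": mitigated, "tampered_patch_accepted": bad,
            "blocked_after_tampered": still_blocked, "patched_and_lifted": good,
            "blocked_ports": set(server.blocked_ports),
            "version": server.installed["appserver"]}


if __name__ == "__main__":
    print(demo())
```

The ordering in handle_patch is the point of the illustration: the mitigation is ceased in response to a successfully applied patch, never on mere receipt of one, so a rejected patch leaves the port shut down.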
Allowable Subject Matter
Claims 4 and 5 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
As allowable subject matter has been indicated, applicant's reply must either comply with all formal requirements or specifically traverse each requirement not complied with.  See 37 CFR 1.111(b) and MPEP § 707.07(a).
Examiner further notes that, should Applicant amend the claims as noted for method claims 4 and 5, the remaining independent claims 8 (computer program product) and 14 (computer system) should also be amended so that all independent claims are similar in scope.
Reasons for allowance will be furnished upon allowance.
Pertinent Prior Art
The following prior art made of record and not relied upon for the rejections of the claims is considered pertinent to Applicant’s disclosure. The attached PTO-892 lists additional prior art.
PGPUB US 20180205755 A1 (Kavi et al.): Kavi discloses systems and methods providing adaptive vulnerability detection and management. Certain embodiments include monitoring system parameters of a cloud-based system, invoking a security ontology knowledge base configured to relate the monitored system parameters to unknown and known vulnerabilities, identifying, based on the monitored system parameters and the invoked security ontology knowledge base, one or more vulnerabilities of the system, and further, implementing a risk management technique for each of the identified one or more vulnerabilities of the system.
The present disclosure relates generally to detection and management of vulnerabilities and, more particularly, to adaptive and automated detection and management of vulnerabilities for cloud systems using ontology knowledge bases.
In certain embodiments, vulnerabilities OKB 101 utilizes system classifiers, e.g., dynamic inputs provided to classify separate classes of vulnerabilities within vulnerabilities OKB 101. Classification may include various vendors in the cloud 
PGPUB US 20130247205 A1 (Schrecker et al.): Schrecker discloses methods, systems, and apparatus, including computer programs encoded on computer storage media, for generating quantitative risk metrics for assets and threats. Risk metrics are generated for individual assets and individual threats. These individual metrics can then be analyzed to generate aggregate risk metrics for assets, groups of assets, and threats. Assets and threats can be ordered according to their aggregate risk metrics.
An asset is a computer or other electronic device. A system of assets can be connected over one or more networks. For example, a home might have five assets, each of which are networked to each other and connected to the outside world through the Internet. As another example, a business might have three physically separate offices, each of which has many assets. The assets within each office and the assets across the offices can be connected over a network.
A network monitor 102 receives one or more of threat definition data 204, vulnerability detection data 206, asset configuration data 207, and countermeasure detection data 208. The threat definition data describes identified threats, what countermeasures (if any) protect assets from the threats, and the severity of the threat. The vulnerability detection data 206 specifies, for each asset and for each threat, whether the asset is vulnerable to the threat, not vulnerable to the threat, or of unknown vulnerability. The configuration data 207 specifies, for each asset, details of the configuration of the asset. The countermeasure detection data 208 specifies, for each asset, what countermeasures are protecting the asset.
The asset configuration data 207 is received from one or more configuration data source(s) 209. In some implementations, the configuration data source(s) 209 are one 
The configuration of an asset is a hardware and/or software configuration. Depending on the configuration, various threats may be applicable to an asset. In general, the configuration of the asset can include one or more of the physical configuration of the asset, the software running on the asset, and the configuration of the software running on the asset. Examples of configurations include particular families of operating systems (e.g., Windows.TM., Linux.TM., Apple OS.TM.), specific versions of operating systems (e.g., Windows Vista.TM.), particular network port settings (e.g., network port 8 is open), and particular software products executing on the system (e.g., a particular word processor or a particular web server). In some implementations, the configuration data does not include countermeasures in place for the asset, or whether the asset is vulnerable to a particular threat.
PAT US 10834120 (Satish et al.): Satish discloses systems, methods, and software that provide security actions based on related security threat communications. In one example, a method of operating an advisement system includes identifying a security threat within the computing environment, wherein the computing environment comprises a plurality of computing assets. The method further provides obtaining descriptor information for the security threat, and retrieving related communication interactions based on the descriptor information. The method also includes generating a response to the security threat based on the related communication interactions.
PGPUB US 20190052665 A1 (MAHIEU et al.): Mahieu discloses a computer security system, comprising: a first input, adapted to receive threat data representing security threats; a second input, adapted to receive vulnerability data representing security vulnerabilities; a processor adapted to: identify a specific vulnerability of a computer entity in dependence on the threat data and the vulnerability data; assign the specific vulnerability a risk rating in dependence on the vulnerability data and the threat data; and generate output data comprising an identifier of the specific vulnerability and its risk.
PGPUB US 20200011784 A1 (CHALUMURI et al.): Chalumuri discloses an AI-based asset maintenance system that accesses a variety of data sources related to an entity to analyze data regarding one or more damage mechanisms corresponding to the entity, thereby identifying and implementing corrective actions that mitigate the effects of the damage mechanisms within the entity. The accessed data is stored using a parameterized data model that represents the entity. A trained parameter model identifies the most 
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MAHABUB S AHMED whose telephone number is (571)272-0364.  The examiner can normally be reached on 9AM-5PM EST M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on (571)272-3811.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 



/MAHABUB S AHMED/Examiner, Art Unit 2434

/DANT B SHAIFER HARRIMAN/Primary Examiner, Art Unit 2434