DETAILED ACTION
This office action is in response to the application filed on 06/10/2020. Claims 1-20 are pending and are examined.	
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Notes on Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 

(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth 

This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitations are, “wherein the vulnerability manager is coupled to the plurality of network elements and is configured to”, in claim 8 and “the instructions comprising functionality for”, in claim 14.  
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, claims 8 and 14 are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
The structure and description of such a system are illustrated by FIG. 1 and at least paragraph [0018] of the description.

If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may: (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) 
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

(a)(2) the claimed invention was described in a patent issued under section 151 , or in an application for patent published or deemed published under section 122(b) , in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-2, 6, 8-9, 13-15 and 19-20 are rejected under AIA 35 U.S.C. 102(a)(1) as being unpatentable over Spisak et al. (U.S. Pub No. 2020/0092319 A1, referred to as Spisak).
	Regarding claims 1, 8 and 14, Spisak teaches:
obtaining, by a computer processor, internal vulnerability data and external vulnerability data regarding a plurality of security vulnerabilities among a plurality of network elements for a predetermined organization (Fig. 1, Items 100, 104, 120, 140; ¶ 0081, “The security vulnerability analysis engine 120 (EN: computer processor) operates in response to requests received by the cognitive system 100, which may be user initiated requests from users operating client computing devices 110, 112, automatically generated requests from applications or other processes operating on computing devices 110, 112, and/or server computing devices associated with an enterprise infrastructure environment 140 (EN: Organization)”; Fig. 5, Step 510; ¶ 0115, “ingesting content from a plurality of different external and/or internal information sources and annotating instances of terms/phrases or other portions of ”); 
determining, by the computer processor, a plurality of exploitability levels for the plurality of security vulnerabilities using a model, the external vulnerability data, and the internal vulnerability data, wherein the model is generated using a machine-learning algorithm (¶ 0002- ¶ 0003, “ A vulnerability with one or more known instances of working and fully implemented attacks is classified as an exploitable vulnerability, i.e. a vulnerability for which an exploit exists (EN: exploitability levels).”; ¶ 0018, “The illustrative embodiments may utilize natural language processing mechanisms, cognitive system mechanisms, and the like, to evaluate structured/unstructured data to identify trends in security vulnerabilities and exploits, as well as the attacks that take advantage of these vulnerabilities and exploits (EN: plurality of exploitability levels).”; Fig. 1, Item 100; ¶ 0021- ¶ 0024; ¶ 0064, “The request processing pipeline or system is an artificial intelligence application (EN: machine-learning algorithm) executing on data processing hardware that processes requests pertaining to a given subject-matter domain”; ¶ 0045; ¶ 0090; ¶ 0097; Fig. 5, Step 520; ¶ 0115);
determining, by the computer processor, a vulnerability priority for the plurality of security vulnerabilities using the plurality of exploitability levels and organization-specific criteria, wherein the vulnerability priority describes a sequence that the plurality of security vulnerabilities are remediated (¶ 0046, “The resulting identification of security risk and response priorities (EN: vulnerability priority) may be presented to a system administrator or other authorized individual, and/or may initiate automatic application of the security responses according to the determined priorities and the availability of (EN: security vulnerabilities are remediated)”; Fig. 5, Steps 530- 570; ¶ 0115- ¶ 0116); and 
transmitting, by the computer processor and based on the vulnerability priority, a remediation command to a network element comprising a security vulnerability among the plurality of security vulnerabilities, wherein the remediation command initiates a remediation procedure at the network element to address the security vulnerability (¶ 0046, “The resulting identification of security risk and response priorities may be presented (EN: transmitting remediation command) to a system administrator or other authorized individual, and/or may initiate automatic application of the security responses (EN: initiates a remediation procedure) according to the determined priorities and the availability of the requirements for performing the security response, e.g., patches, updates, fixes, configuration changes, and the like. (EN: security vulnerabilities are remediated)”; ¶ 0099, “in some illustrative embodiments, the indicators of compromise may be used to perform a lookup operation for patches, updates, or other fixes that are associated with the computing system resource 142-148 (EN: network element) that is affected by the corresponding security vulnerability.”; Fig. 5, Steps 570- 580; ¶ 0116).

Regarding claim 8, Spisak further teaches:
A system, comprising: a plurality of network elements comprising a plurality of security vulnerabilities; and a vulnerability manager comprising a computer processor, wherein the vulnerability manager is coupled to the plurality of network elements (Fig. 1, Items 100, 120, 142- 148; ¶ 0080, “the security vulnerability analysis engine 120 (EN: a vulnerability manager) to facilitate performance of the stage logic's operations specifically with regard to security vulnerability analysis of a specified enterprise infrastructure”; ¶ 0084, “ the probe 127 may be implemented as agent applications loaded into the computing devices 142-148 (EN: plurality of network elements) of the enterprise infrastructure environment 140 ”).

Regarding claim 14, Spisak further teaches:
A non-transitory computer readable medium storing instructions (¶ 0034, “A computer readable storage medium, as used herein, is not to be construed as being transitory signals per se,”).

Regarding claims 2, 9 and 15, Spisak teaches all the features of claims 1, 8 and 14, as outlined above.
Spisak further teaches:
wherein the internal vulnerability data is based on one or more cybersecurity attacks towards one or more network elements among the plurality of network elements that are detected by the predetermined organization (Fig. 1, Items 100, 104, 120, 140; ¶ 0081, “The security vulnerability analysis engine 120 operates in response to requests received by the cognitive system 100, which may be user initiated requests from users operating client computing devices 110, 112, automatically generated requests from applications or other processes operating on computing devices 110, 112, and/or server computing devices associated with an enterprise 140 (EN: plurality of network elements that are detected by the predetermined organization)”; Fig. 5, Step 510; ¶ 0115, “ingesting content from a plurality of different external and/or internal information sources and annotating instances of terms/phrases or other portions of content that reference security vulnerabilities for computing resources to generate annotated security vulnerability content”).

Regarding claims 6, 13 and 19, Spisak teaches all the features of claims 1, 8 and 14, as outlined above.
Spisak further teaches:
wherein the remediation procedure comprises an installation of a software update to the network element that eliminates the security vulnerability (¶ 0028, “the indicators of compromise may be used to perform a lookup operation for patches, updates, or other fixes that are associated with the computing system resource. These patches, updates, or other fixes, if possible, may then be automatically applied to the computing resource so as to harden them against the potential attacks. For those patches, updates (EN: installation of a software update), configuration changes, firewall rules changes, or other fixes that are not able to be automatically applied, a corresponding notification may be generated and sent to the system administrator or other authorized individual so that they may take steps to implement the patches, updates, configuration changes, firewall rules changes, or other fixes.”; ¶ 0046; ¶ 0099).

Regarding claim 20, Spisak teaches all the features of claim 14, as outlined above.
Spisak further teaches:
wherein the internal vulnerability data and the external vulnerability data are obtained from a security vulnerability database on a network (Fig. 1, Items 106, 150; ¶ 0074- ¶ 0077, “the cognitive system 100 receives input from the network 102, a corpus or corpora of electronic documents 106 and/or 150” (EN: database on a network)).

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was.


Claims 4-5, 11 and 17-18 are rejected under 35 U.S.C. 103 as being unpatentable over Spisak in view of Yadav et al.  (U.S Pub No. 2020/0120144 A1, referred to as Yadav).

Regarding claims 4, 11 and 17, Spisak teaches all the features of claims 1, 8 and 14, as outlined above.
Spisak does not explicitly disclose, however Yadav teaches:
wherein the external vulnerability data is common vulnerabilities and exposures (CVE) data that describe publicly-available security information, and wherein the external vulnerability data is obtained from a CVE data feed (Yadav: Fig. 4, Items 400, 450; ¶ 0055, “FIG. 4 illustrates a graph 400 that represents example enriched security data generated by the context generating module 202”; ¶ 0059, “a CVE (represented by a node 450) of the version of the services”; ¶ 0063).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Spisak by Yadav and have a risk engine to use for reclassification of a risk source in order to improve network security of an online service provider.

Regarding claims 5 and 18, Spisak teaches all the features of claims 1 and 14, as outlined above.
Spisak does not explicitly disclose, however Yadav teaches:
wherein the machine-learning algorithm is a k-means clustering algorithm that identifies a cybersecurity attack possibility of a predetermined software application (Yadav: Fig. 2, Item 204; ¶ 0081, “the classification module 204 may perform a clustering algorithm (e.g., a k-means clustering algorithm, a k-prototype clustering algorithm, etc.)”; ¶ 0092).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Spisak by Yadav and have a risk engine to use for reclassification of a risk source in order to improve network security of an online service provider.


Allowable Subject Matter
Claims 3, 7, 10, 12 and 16 would be allowable if they were rewritten in independent form including all of the limitations of the base claim and any intervening claims.

The following is an examiner’s statement of reasons for identifying allowable subject matter.	

The closest prior art made of record is Spisak et al. (U.S. Pub No. 2020/0092319 A1, referred to as Spisak) and Yadav et al. (U.S. Pub No. 2020/0120144 A1, referred to as Yadav).

Spisak discloses a security vulnerability analysis mechanism that ingests content from a plurality of content source computing devices to identify instances of security vulnerability content in the ingested content. The mechanism performs a security trend analysis on the instances of security vulnerability content to identify a relative ranking of security vulnerabilities. The mechanism identifies computing resources of a specified computing infrastructure and a criticality of the computing resources to an operation of the computing infrastructure. The mechanism generates a prioritized listing of security vulnerabilities associated with the computing infrastructure based on the relative ranking of security vulnerabilities and the criticality of the computing resources in the computing infrastructure. The mechanism outputs a 

Yadav discloses methods and systems for dynamically adjusting a risk classification of a risk source based on classifications of one or more other risk sources. The risk engine may first classify a first risk source as a first risk type based on an initial analysis of the first risk source. Subsequent to classifying the first risk source as the first risk type, the risk engine may determine that a second risk source is associated with a second risk type. Based on the determination that the second risk source is associated with the second risk type, the risk engine may re-classify the first risk source as the second risk type. The risk engine may then use the reclassification of the first risk source to improve network security of an online service provider.

However, regarding claims 3, 10 and 16, the prior art of Spisak and Yadav when taken in the context of the claim as a whole do not disclose nor suggest, “wherein the organization-specific criteria corresponds to a respective confidentiality level, a respective integrity level, and a respective availability level to a respective software application operating among the plurality of network elements, and wherein the vulnerability priority is determined based on a plurality of vulnerability scores for the plurality of security vulnerabilities based on a respective exploitability level, the respective confidentiality level, the respective integrity level, and the respective availability level.”.

Regarding claims 7 and 12, the prior art of Spisak and Yadav when taken in the context of the claim as a whole do not disclose nor suggest, “determine a remediation queue that organizes a plurality of remediation procedures based on the vulnerability priority, wherein the remediation queue describes a sequence that a plurality of security vulnerabilities are remediated.”.

Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:  See PTO-892.  

Any inquiry concerning this communication or earlier communications from the examiner should be directed to HASSAN SAADOUN whose telephone number is (571)272-8408. The examiner can normally be reached Mon-Fri 9:00-5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl can be reached on 571-272-3685. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, 





/HASSAN SAADOUN/Examiner, Art Unit 2435 

/JOSEPH P HIRL/Supervisory Patent Examiner, Art Unit 2435