DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Drawings
The drawings are objected to as failing to comply with 37 CFR 1.84(p)(5) because they include the following reference character(s) not mentioned in the description: 601, 602, 603, 604 and 605 from Fig. 6.  Corrected drawing sheets in compliance with 37 CFR 1.121(d), or amendment to the specification to add the reference character(s) in the description in compliance with 37 CFR 1.121(b) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be notified and informed of any required corrective action in the next Office action. The objection to the drawings will not be held in abeyance.
Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 

Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitation(s) is/are: 
“an input unit” in claim 1 which is a means for receiving source code of the program which is to be evaluated, without being modified by any structure.
“an input position designating unit” in claim 1 which is a means for designating the input position at which the input information for the program is input in the source code, without being modified by any structure.
“an attack determination position designating unit” in claim 1, which is a means for designating the attack determination position, without being modified by any structure. 
“an attack path analyzing unit” in claim 1, which is a means for analyzing a path from the attack determination position to the input position in the source, without being modified by any structure.
“an input value computing unit” in claim 5 which is a means for calculating information which satisfies a branch condition for establishing the attack path, without being modified by any structure.
“a packet generating unit” in claim 7 which is a means for converting a format of the attack information into a format which complies with communication protocol, without being modified by any structure.
“a source code structure analyzing unit” in claim 8 which is a means to analyze the source code of the program which is to be evaluated, without being modified by any structure. 
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) 
Claim Rejections - 35 USC § 112


The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1-10 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claim 1 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite because it is a direct translation rather than being written in actual English, which renders the claim hard to understand.
Claim limitation “input unit” in claim 1 invokes 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. However, the written description fails to disclose the corresponding structure, material, or acts for performing the entire claimed function and to clearly link the structure, material, or acts to the function. The “input unit” is described in page 7, lines 4-5 as an arbitrary interface having function of inputting/outputting various kinds of information. This amounts to a generic recitation of general-purpose processor and software achieving the claimed functions without any algorithm for achieving each of the claimed functions. 

Claim limitation “an attack determination position designating unit” in claim 1 invokes 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. However, the written description fails to disclose the corresponding structure, material, or acts for performing the entire claimed function and to clearly link the structure, material, or acts to the function. The “attack determination position designating unit” is described in page 9, lines 3-22 as an arbitrary interface having function of inputting/outputting various kinds of information. This amounts to a generic recitation of general-purpose processor and software achieving the claimed functions without any algorithm for achieving each of the claimed functions. 
Claim limitation “an attack path analyzing unit” in claim 1 invokes 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. However, the written description fails to disclose the corresponding structure, material, or acts for performing the entire claimed function and to clearly link the structure, material, or acts to the function. The “attack path analyzing unit” is described in page 9, lines 28-30 and page 10, lines 1-30 as an arbitrary interface having function of inputting/outputting various kinds of information. This amounts to a generic recitation of 
Therefore, claim 1 is indefinite and is rejected under 35 U.S.C. 112(b) or pre-AIA  35 U.S.C. 112, second paragraph.
Claim limitation “an input value computing unit” in claim 5 invokes 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. However, the written description fails to disclose the corresponding structure, material, or acts for performing the entire claimed function and to clearly link the structure, material, or acts to the function. The “input value computing unit” is described in page 12, lines 18-30 and page 13, lines 1-11 as an arbitrary interface having function of inputting/outputting various kinds of information. This amounts to a generic recitation of general-purpose processor and software achieving the claimed functions without any algorithm for achieving each of the claimed functions. 
Therefore, claim 5 is indefinite and is rejected under 35 U.S.C. 112(b) or pre-AIA  35 U.S.C. 112, second paragraph.
Claim limitation “a packet generating unit” in claim 7 invokes 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. However, the written description fails to disclose the corresponding structure, material, or acts for performing the entire claimed function and to clearly link the structure, material, or acts to the function. The “packet generating unit” is described in page 13, lines 12-30 and page 14, lines 1-12 as an arbitrary interface having function of inputting/outputting various kinds of information. This amounts to a generic recitation of general-purpose processor and software achieving the claimed functions without any algorithm for achieving each of the claimed functions. 

Claim limitation “a source code structure analyzing unit” in claim 1 invokes 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. However, the written description fails to disclose the corresponding structure, material, or acts for performing the entire claimed function and to clearly link the structure, material, or acts to the function. The “source code structure analyzing unit” is described in page 14, lines 13-30 and page 15, lines 1-21 as an arbitrary interface having function of inputting/outputting various kinds of information. This amounts to a generic recitation of general-purpose processor and software achieving the claimed functions without any algorithm for achieving each of the claimed functions. 
Therefore, claim 8 is indefinite and is rejected under 35 U.S.C. 112(b) or pre-AIA  35 U.S.C. 112, second paragraph. Claims 2-4, 6, 9 and 10 which are dependent on claim 1 are similarly rejected.
Applicant may:
(a)        Amend the claim so that the claim limitation will no longer be interpreted as a limitation under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph; 
(b)        Amend the written description of the specification such that it expressly recites what structure, material, or acts perform the entire claimed function, without introducing any new matter (35 U.S.C. 132(a)); or 
(c)        Amend the written description of the specification such that it clearly links the structure, material, or acts disclosed therein to the function recited in the claim, without introducing any new matter (35 U.S.C. 132(a)).

(a)        Amending the written description of the specification such that it expressly recites the corresponding structure, material, or acts for performing the claimed function and clearly links or associates the structure, material, or acts to the claimed function, without introducing any new matter (35 U.S.C. 132(a)); or 
(b)        Stating on the record what the corresponding structure, material, or acts, which are implicitly or inherently set forth in the written description of the specification, perform the claimed function. For more information, see 37 CFR 1.75(d) and MPEP §§ 608.01(o) and 2181.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-5 and 8-10 are rejected under 35 U.S.C. 103 as being unpatentable over Oguro et al. (JP 2014174577A), hereinafter Oguro in view of Thrower et al. (U.S. 7530104B1), hereinafter Thrower.
Regarding claim 1, Oguro teaches a vulnerability evaluation apparatus comprising (Oguro: Page 3, Paragraph [7][8] and [12] provide for the vulnerability evaluation apparatus):

information indicating assets which are desired to be preserved and an attack accomplishment condition which is a condition where the assets which are desired to be preserved are not preserved (Oguro: Page 2 Paragraph [4], Page 5 Paragraph [11] provide for the attack accomplishment condition “the route that does not pass through the sanitizer”), 
information indicating an attack determination position which is a position at which whether the condition where the assets which are desired to be preserved are not preserved is satisfied can be determined (Oguro: Page 2 Paragraph [9], Page 4 Paragraph [1] [4] and Page 5 Paragraph [9] provide for the sink information which can be represented by the information indicating an attack determination position and sink node on the source code which can be represented by the attack determination position), and 
input information for the program, which are indicated using a notation method of the source code (Oguro: Page 4 Paragraph [13], Page 5 Paragraph [1] [5], Page 7 Paragraph [13], Page 8 Paragraph [1] provide for the notation method representing variables passed as parameters to the program);
an input position designating unit configured to designate an input position indicating a position at which the input information for the program is input in the source code (Oguro: Page 5 Paragraph [7] provides for the input position designation unit designating an input position “source node on the source code” at which input information for the program is input in the source code); 

an attack path analyzing unit configured to analyze a path from the attack determination position to the input position in the source code (Page 5 Paragraph [9] [11] provide for the data flow analysis unit which can be represented by an attack path analyzing unit configured to analyze data flow from the source node to the sink node).
specify an attack path which is a path for which the attack accomplishment condition is satisfied from the path through specific processing at the attack determination position (Page 5 Paragraph [9] [11] provide for the path that the data flow unit has analyzed as dangerous route (attack path) using information from the rule information storage unit).
Oguro teaches about extracting all the courses to find the attack path and does not specifically teach about the attack determination position designating unit where specific processing is done to satisfy attack accomplishment conditions for the attack path. Thrower, however, teaches this limitation (Thrower: Col. 6 Lines 3-38 provides for an attack resolver which processes access data to build the attack path).
	Oguro and Thrower are both considered to be analogous to the claimed invention because they are in the same field of threat/vulnerability analysis. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to 
	Regarding claim 2, Oguro teaches the vulnerability evaluation apparatus according to claim 1, wherein the information indicating the attack determination position at which whether the condition where the assets which are desired to be preserved are not preserved is satisfied can be determined includes information indicating specific processing indicated using the notation method of the source code and information indicating a position at which the specific processing is to be executed (Oguro: Page 2 Paragraph [9], Page 4 Paragraph [1] [4] and Page 5 Paragraph [9] provide for the sink information which can be represented by the information indicating an attack determination position and sink node on the source code which can be represented by the attack determination position. Page 7 Paragraph [13], Page 8 Paragraph [1-4] provide for the sink node information in source code using notation method).
	Regarding claim 3, Oguro teaches the vulnerability evaluation apparatus according to claim 1, wherein the specific processing includes at least one of processing of rewriting the assets which are desired to be preserved, or processing of making the assets which are desired to be preserved accessible from outside of an electronic apparatus at which the program is implemented. (Oguro: Page 2 Paragraph [10] provides for the sanitizers processing of rewriting the assets, for example escaping a specific character that may cause a vulnerability).
	Regarding claim 4, Oguro teaches the vulnerability evaluation apparatus according to claim 1, wherein the input information for the program is information which directly or indirectly indicates information to be used for establishing the attack path, indicated using the 
	Regarding claim 5, Thrower teaches the vulnerability evaluation apparatus according to claim 1, further comprising: 
an input value computing unit configured to calculate information expressing a value of input information to be input to the program or a range of the value, which is to be utilized for establishing the attack path, as attack information (Thrower: Col 4 Lines 29 – 58 provides for the output 120 which can be used as an input unit to calculate information to be input to the program, which is to be utilized for establishing the attack path).  
Regarding claim 8, Oguro further teaches the vulnerability evaluation apparatus according to claim 1, further comprising: 
a source code structure analyzing unit configured to analyze the source code of the program which is to be evaluated and express processing procedure and processing content of processing indicated by the source code with a logical model (Oguro: Page 2 Paragraph [6], Page 4 Paragraph [8], Page 5 Paragraph [9] [11] provide for the data flow analysis unit which can be represented by source code structure analyzing unit which express processing procedure and generate a data flow graph which can be represented by a logical model).
Regarding claim 9, Oguro teaches the vulnerability evaluation apparatus according to claim 8, wherein the logical model is a control flow graph or an abstract syntax tree (Oguro: Page 2 Paragraph [6], Page 4 Paragraph [8], Page 5 Paragraph [9] [11] provide for logical model which can be a data flow graph).

the input position designating unit designates the input position on a path of the logical model (Oguro: Page 5 Paragraph [7] provides for the input position designation unit designating the source node on the source code which can be represented by the input position on the path of the data flow graph (logical model)), and
the attack path analyzing unit specifies the attack accomplishment condition in processing of the logical model (Oguro: Page 5 Paragraph [11] provides for the attack path analyzing unit which specifies the attack conditions and generates the data flow graph (logical model)).
Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Oguro (JP 2014174577A), in view of Thrower (U.S. 7530104B1) and Ikuse et al. (WO 2015137235A1), hereinafter Ikuse. 
Regarding claim 6, Oguro/Thrower do not explicitly teach that the input value computing unit calculates information which satisfies a branch condition for establishing the attack path as the attack information in branch processing of the attack path. However, Ikuse teaches this limitation (Ikuse: Page 6 Paragraph [2] provides for the calculating information which satisfies a branch condition for establishing the malware path which can be represented by the attack path).
Oguro, Thrower and Ikuse are all considered to be analogous to the claimed invention because they are in the same field of threat/vulnerability analysis. Therefore, it would have been .
Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Oguro (JP 2014174577A), in view of Thrower (U.S. 7530104B1) and Ishihara (U.S. 20210273952A1), hereinafter Ishihara. 
Regarding claim 7, Oguro/Thrower do not explicitly teach a packet generating unit configured to convert a format of the attack information into a format which complies with communication protocol to be used at an electronic apparatus at which the program which is to be evaluated is implemented and generate a communication packet which includes the converted attack information and which can be transmitted to the electronic apparatus. However, Ishihara teaches this limitation (Ishihara: [0023] [0024] [0047] provide for the packet generation with attack information to be used at an electronic apparatus at which the program is implemented.)
Oguro, Thrower and Ishihara are all considered to be analogous to the claimed invention because they are in the same field of threat/vulnerability analysis. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Oguro/Thrower to incorporate the teachings of Ishihara and provide a packet generation unit to generate communication packets containing attack information to be transmitted to the electronic apparatus. Doing so would aid in sending the attack information to the external devices to allow them to prevent the attack.
Pertinent Art
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
O’Rourke et al. (U.S. 20080098479A1) teaches methods of simulating vulnerability.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to YASMIN JAHIR whose telephone number is (571)272-0346. The examiner can normally be reached Mon-Fri 9:00-5:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Nickerson can be reached on (469)295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/Jeffrey Nickerson/ Supervisory Patent Examiner, Art Unit 2432

/YASMIN JAHIR/ Examiner, Art Unit 2432