DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 2, 4, 5, 13, 14 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.

Claims 2, 4, 5, 13 recite the limitation “…a security risk…”. There is insufficient antecedent basis for this limitation in the claim. Appropriate correction is required.

Claim 14 recites “…a security analysis of the new or changed nodes and re-security risks of the two or more hierarchy levels”. There is insufficient antecedent basis for this limitation. Appropriate correction is required.




Allowable Subject Matter

Claim 6 is objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Claim 13 would be allowable if rewritten to overcome the rejection(s) under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), 2nd paragraph, set forth in this Office action and to include all of the limitations of the base claim and any intervening claims.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-5, 7-12, 14 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Chen et al. (Pub. No. US 2009/0077666).


As per claim 1, Chen discloses a computer-implemented method for analyzing software dependencies, comprising: on a first asset, executing a technology agent configured to: analyze software stored in memory of the first asset, the analysis comprising: identifying nodes within the software, recording a hierarchy of the nodes within the software, identifying any dependencies within the software and with other portions of software (…analyzing security threats associated with software and computer vulnerabilities…the identified stakeholder values are quantified using Analytical Hierarchy Process to prioritize security vulnerabilities of the software system…the Structured Attack Graph includes two or more nodes…with each layer in the graph represent a key entity in security threat modeling…see par. 4-5); and on the first asset, executing a security agent configured to: analyze security of the software stored in the memory of the first asset, the security analysis comprising: identifying security risks in the software and assigning a risk level to each, associating each identified security risk with a node or edge, aggregating security risks at at least two different levels of the software hierarchy into hierarchy level risk scores by adding risk levels of identified security risks associated with nodes or edges within the levels (…the difficulty level of exploiting attack path is assessed based on CVSS…after the attack path attribute-ratings are determined through the value driven evaluations, the T-MAP weighting system can be established to reason and quantify the threat associated with a given COTS system…T-MAP scores the severity of the attack Path…based on risk calculations…see par. 119-123, 130).



As per claim 2, Chen discloses wherein a security risk is identified if a node appears on a CVE list or contains code appearing on a CVE list (see par. 78). 


As per claim 3, Chen discloses wherein the aggregation of security risks includes applying weights to the risk levels prior to their addition (see par. 83).


As per claim 4, Chen discloses wherein: a security risk is identified if a node appears on a CVE list or contains code appearing on a CVE list and a CVE presence weight is applied that increases with a higher number of CVEs identified in nodes or edges within a particular level (see par. 133-137).


As per claim 5, Chen discloses wherein: a security risk is identified if a node appears on a CVE list or contains code appearing on a CVE list and a CVE frequency weight is applied that increases with a higher frequency of CVEs identified in nodes or edges within a particular level (see par. 192-193).
 

As per claim 7, Chen discloses wherein: the security analysis further comprises identifying users responsible for modifications made to each of a plurality of nodes and a modification diversity weight is applied that increases with a higher number of unique users responsible for modifications to a particular node (see par. 27).


As per claim 8, Chen discloses wherein: the security analysis further comprises identifying a number of methods present in each class and a method abundance weight is applied that increases with a higher number of methods identified for a particular class (see par. 82-83).
 

As per claim 9, Chen discloses wherein: the security analysis further comprises identifying, for each application, a privilege level at which the application is running and an application privilege weight is applied that increases with application privilege level (see par. 116-117). 


As per claim 10, Chen discloses wherein the security analysis further comprises aggregating all risk scores for the different hierarchy levels into a single software risk score (see par. 99).
 

As per claim 11, Chen discloses wherein the aggregation of hierarchy level risk scores includes applying weights to the hierarchy level risk scores prior to their aggregation (see par. 112-114).


As per claim 12, Chen discloses wherein: the security analysis further comprises identifying, for nodes associated with databases, whether data stored in the associated database is of a sensitive nature and a data sensitivity weight is applied that increases for nodes associated with databases storing data of a sensitive nature (see par. 101).


As per claim 14, Chen discloses detecting when the hierarchy has been modified to include one or more new or changed nodes and, upon detecting such modification, initiating a security analysis of the new or changed nodes and re-security risks of the two or more hierarchy levels based on the results of the security analysis of the new or changed nodes (see par. 89-91).
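To make the claimed scoring concrete, the following is an added illustration of the weighted, hierarchy-level risk aggregation described in claims 1, 2, 4, 8, 9, 10, 11 and 12 above. It is not code from the application or from Chen; the node attributes, the weight formulas (CVE presence, method abundance, application privilege, data sensitivity, per-level weights) and the sample hierarchy are all constructed assumptions chosen only to show how the aggregation composes.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    name: str
    level: str                    # hierarchy level: "application", "database", "class", "method"
    cves: list = field(default_factory=list)  # constructed CVSS-style level per CVE hit (claim 2)
    methods: int = 0              # method count, class nodes only (claim 8)
    privilege: int = 0            # 0 = unprivileged .. 2 = admin, application nodes only (claim 9)
    sensitive: bool = False       # database nodes storing sensitive data (claim 12)

def node_risk(n: Node) -> float:
    """Risk level of one node: sum of its CVE levels times node-specific weights (assumed formulas)."""
    risk = float(sum(n.cves))
    if n.level == "class":
        risk *= 1 + 0.1 * n.methods            # method abundance weight grows with method count
    elif n.level == "application":
        risk *= 1 + 0.5 * n.privilege          # application privilege weight grows with privilege
    elif n.level == "database" and n.sensitive:
        risk *= 2.0                            # data sensitivity weight
    return risk

def level_scores(nodes: list) -> dict:
    """Add node risks within each hierarchy level (claim 1), then apply a CVE presence weight
    that increases with the number of CVEs found in that level (claim 4)."""
    totals, cve_counts = {}, {}
    for n in nodes:
        totals[n.level] = totals.get(n.level, 0.0) + node_risk(n)
        cve_counts[n.level] = cve_counts.get(n.level, 0) + len(n.cves)
    return {lvl: totals[lvl] * (1 + 0.25 * cve_counts[lvl]) for lvl in totals}

# Assumed per-level weights applied before the final aggregation (claim 11).
LEVEL_WEIGHTS = {"application": 1.0, "database": 1.0, "class": 0.5, "method": 0.25}

def software_risk(nodes: list) -> float:
    """Collapse the weighted level scores into a single software risk score (claim 10)."""
    return sum(LEVEL_WEIGHTS.get(lvl, 1.0) * s for lvl, s in level_scores(nodes).items())

# Constructed sample hierarchy; CVE levels are illustrative, not real CVE data.
SAMPLE = [
    Node("billing-app", "application", cves=[7.5], privilege=2),
    Node("customers-db", "database", cves=[5.0], sensitive=True),
    Node("PaymentClient", "class", cves=[6.0, 4.0], methods=10),
    Node("Logger", "class", methods=3),            # no CVE hit: contributes no risk
    Node("parse_card()", "method", cves=[3.0]),
]

if __name__ == "__main__":
    for lvl, score in level_scores(SAMPLE).items():
        print(f"{lvl:12s} {score:7.2f}")
    print("software risk score:", software_risk(SAMPLE))
```

Because `level_scores` is a pure function of the node list, the re-scoring of claim 14 reduces to rerunning it after new or changed nodes are added to the list.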




Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure (see PTO-form 892).
The following Patents and Papers are cited to further show the state of the art at the time of Applicant’s invention with respect to analyzing the security of software stored and executing on assets distributed throughout an enterprise.

Boulton (Pub. No. US 2020/0167476); “Determining Security Risks in Software Code”;
-Teaches security assessment can be determined based on Common Vulnerabilities and Exposures (CVE) score…22-23, 26.



Any inquiry concerning this communication or earlier communications from the examiner should be directed to GHAZAL B SHEHNI whose telephone number is (571)270-7479. The examiner can normally be reached Mon-Fri 9am-5pm PCT.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on 5712724219. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/GHAZAL B SHEHNI/Primary Examiner, Art Unit 2436