Notice of Pre-AIA  or AIA  Status
This is a final Office action in response to communications received on 2/22/2022.  Claims 3-4, 7, 10-11, 14, 17-18 and 21 were amended.  No new claims were added or cancelled.  Claims 1-21 are pending and are examined.  The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 

Response to Arguments
Applicant argues on page 1 of the Remarks, filed 2/22/2022, that claims 1, 8 and 15 should not be objected to because the claim language “identifying a resource group impacted by the security exploit” does not include a requirement that the identified resource group include only resources that have been impacted by the security exploit is unpersuasive.  To clarify another reason for why the claim language is so confusing, the claim limitation “identifying a resource group impacted by the security exploit” appears to claim a group of resources that are “impacted by the security exploit” but then in a subsequent limitation specifies that the group of resources “impacted by the security exploit” actually comprises two subgroups – one consisting of those impacted and one consisting of those non-impacted.  This second limitation appears to contradict the first limitation because it appears to claim that are non-impacted resources in the resource group, which was already previously stated as being impacted.  The Examiner suggests further clarifying that the limitation to specify “identifying a resource group comprising group members” impacted by the security exploit in order to provide much needed clarification that it is only certain members of the identified resource group, rather than the entire resource group itself that is being impacted by the security exploit.  Accordingly, the objection to claims 1, 8 and 15 (and subsequent dependent claims) is maintained.  
Applicant’s amendment, filed 2/22/2022, to the Specification amending paras. [0067]-[0068] to distinguish resource groups from resource groupings represented as a data structure are sufficient to overcome the objection to the Specification and the rejection of claims 1-21 under 35 U.S.C. 112, second paragraph, for indefiniteness.   Accordingly, the objection to the Specification and the rejection of claims 1-21 under 35 U.S.C. 112, second paragraph, for indefiniteness in the Specification are withdrawn.
Applicant’s amendments, filed 2/22/2022, to claims 3, 4, 7, 10-11, 14, 17-18 and 21 removing the claim limitation “from the identified resource group” or “from the impacted resource group” are sufficient to overcome the rejection of the aforementioned claims under 35 U.S.C 112, second paragraph, for lack of antecedent basis for those limitations.  Accordingly, the rejection of claims 3-4, 7, 10-11, 14, 17-18 and 21 under 35 U.S.C. 112, second paragraph, is withdrawn.
Applicant’s Remarks regarding 103 have been considered, but have not been found persuasive.
Applicant argues on page 2 of the Remarks that Dominessy does not teach the claim limitation “splitting the identified resource group into an impacted resource group and a non-impacted resource group” because the splitting in Applicant’s invention “allows, for example, differential treatment of newly created groups” and “one set of rules and/or policies can be applied to network traffic from the non-impacted resource group and a different set of rules and/or policies can be applied to the impacted resource group”, however the Examiner respectfully disagrees.  In response to applicant's argument that the references fail to show certain features of applicant’s invention, it is noted that the features upon which applicant relies (i.e., rules and/or policies) are not recited in the rejected claim(s).  Although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims.  See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993).  The Applicant is free to amend the claims to include the features of rules and/or policies allowing differential treatment of the impacted resource and non-impacted resource group.
Applicant argues on pages 2-3 of the Remarks that Dominessy does not teach the claim limitation “splitting the identified resource group into an impacted resource group and a non-impacted resource group” because “Dominessy does not disclose, teach or suggest that the ‘identified resource group’ is changed, let alone split as required by claim 1, however the Examiner respectfully disagrees.  The Examiner notes that the claim limitation is very broad in that it does not specify how the identified resource group is split (i.e. physically, assigning of metadata representing sub-groups, etc.), nor does the claim limitation define the impacted resource group or the non-impacted resource group (i.e. what does the non-impacted resource group consist of).  Dominessy discloses nodes of a tree correspond to components of a target system and security vulnerabilities, where a node may indicate a system node or NIC component and a particular security vulnerability (col. 13, ll. 52-67).  For example, Dominessy specifies a first child tree node may refer to a system node component as not being powered on and a second child tree node may correspond to a NIC system component not being properly configured.  These two child nodes represent sub-trees or sub-groups of the components/resources of the target system and are split based upon the particular security vulnerability the component is suffering from.  The second sub-tree/sub-group comprising, for example, the NIC component, is not being impacted by or suffering from the same security vulnerability that the first sub-tree/sub-group is being impacted by.  The fact that both sub-trees/sub-groups are being impacted by security vulnerabilities is irrelevant because the claim limitation does not specify that the “non-impacted resource group” is not impacted by any security exploits.  Therefore, it is sufficient that the second sub-tree/sub-group not be impacted by the security exploit/vulnerability that the first sub-tree/sub-group is impacted by.  Therefore, Dominessy discloses that nodes of the target system (i.e. identified resource group) are split into nodes of a subtree impacted by one security vulnerability/exploit (i.e. impacted resource group) for target system and nodes of a subtree for nodes of the target system that are impacted by a different security vulnerability (i.e. not impacted by the security exploit of the first group ) (i.e. non-impacted resource group).  Accordingly, Dominessy teaches the limitations for which it is cited.
Any additional remaining arguments fail to comply with 37 C.F.R. 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references.
Consequently, the rejection of the claims under 35 U.S.C. 103 is sustained.

Claim Objections
	Claims 1-21 are objected to because of the following informalities: inconsistent terminology.  Appropriate correction is required.
Regarding claim 1:
Claim 1 recites the limitation “identifying a resource group impacted by the security exploit.”  Hence, Examiner interprets that the identified resource group includes only the resources that have been impacted by the security exploit (and that the identified resource group, therefore, does not include any resource group member that has not been impacted). Claim 1 further recites “identifying that there is a disparate impact to resource group members of the identified resource group.” The specification in [0021] discloses that “a disparate impact to resource group members when one or more resources within the identified resource group are impacted while other resources in the identified resource group are not impacted.”  Thus, the identification of disparate impact to resource group members of the identified resource group (as recited in the above limitations) would logically result in finding no resource group members that are not impacted by the security exploit, since the identified resource group did not include any non-impacted resource group member.  
Regarding claims 8 and 15:
Claims 8 and 15 recite similar limitations, and, hence, are objected to for the same reason as claim 1.
Regarding claims 2-7, 9-14 and 16-21:
Claims 2-7, 9-14 and 16-21 depend on independent base claims 1, 8 and 15 and are objected based on their failure to remedy the deficiencies identified in the objection of claims 1, 8 and 15 and their dependence on claims 1, 8 and 15.
Suggestion to overcome the objection to claims 1-21:
Examiner suggests that claims 1, 8, and 15 be amended to recite “identifying a resource group as being disparately impacted by the security exploit” while deleting the limitation “identifying a resource group impacted by the security exploit” to overcome the objection.  
 

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
	 
Claims 1-6, 8-13 and 15-20 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. Patent No. 10,868,825 B1 (hereinafter "Dominessy") in view of U.S. Patent No. 10,979,446 B1 (hereinafter "Stevens").
Regarding claim 1, the limitations are disclosed by the references as follows:
identifying a security exploit (Dominessy, Col 7, lines 11-14: determining, based on one or more events, a potential security vulnerability (i.e., security exploit) of target computing system) affecting resources of a computing environment (Dominessy, Col 7, line 8: target computing system may be a collection of one or more of target computing systems, also, Fig. 5 depicts resources of a target computing system as hardware/virtual components (70)); 
identifying a resource group impacted by the security exploit (Dominessy, Col 15, lines 26-34: target computing system may include one or more of target computing systems, e.g., Fig. 1 shows target computing system 20A … target computing system 20N, communicating with a threat assessment system.  Dominessy, Col 29, lines 12-13: Target computing systems may be web servers (i.e., a resource group); 
identifying that there is a disparate impact to resource group members of the identified resource group (Dominessy, Col 20, lines 31-37: risk analysis module may discriminate between normal (i.e., non-impacted), suspicious (i.e., impacted), and very likely malicious (i.e., impacted) behavior of target computing systems, thus, identifying disparate impact to target computing systems (i.e., resource group members)),
splitting the identified resource group into an impacted resource group and a non- impacted resource group (Dominessy, Col 13, lines 52-55 discloses that each tree node of the (risk) tree may correspond to an event that may occur in target computing systems, and may represent one or more potential security vulnerabilities associated with a particular target system.”  Dominessy, Col 13, lines 60-67 further provides an example: “… a second child tree node of the particular tree node (sic) may correspond to a network interface controller (NIC) of the system node not being properly configured.”  The above disclosures imply that the nodes of the risk tree may represent resources (e.g., a NIC) that may be potentially impacted by a particular security vulnerability. Since Dominessy, Col 7, lines 11-14 discloses an event-based determination of the impact on each resource, thus, based on a determination of impact of the security exploit on each node (that represents a resource), the nodes become separated (in other words, split) into a subtree of nodes that are impacted by the security vulnerability, and another subtree of nodes that are not impacted).
However, Dominessy doesn’t explicitly teach the rest of the limitations of claim 1, which are taught by Stevens (in the same field of endeavor):
applying exploit mitigation to the impacted resource group (Stevens, Col 4, lines 19-28: the threat management system may cause one or more remedial actions to be performed, such as configuring a router or firewall to remove access to the network for one or more network hosts, quarantining suspicious files on a network host, etc.);
identifying a resolution of the disparate impact to the resource group members of the identified resource group (Stevens, Col 4, limes 12-15: threat management system may include functionality to record remedial actions taken, escalate to other users, and mark tasks as resolved. Being able to record remedial actions taken and mark tasks as resolved imply identifying a resolution of the security vulnerability); and 
performing an action in response to identifying the resolution of the disparate impact to the resource group members of the identified resource group (Stevens, Col 4, limes 12-17: threat management system may include functionality to record remedial actions taken, escalate to other users, and mark tasks as resolved, and may also generate user interfaces such as network pages, mobile application screens. Actions such as recording remedial actions taken and marking tasks as resolved are implied to be actions being performed in response to resolution of a security vulnerability affecting a resource group).
The Supreme Court in KSR int'l Co. v. Teleflex Inc., 550 U.S. 398, 415-421, 82 USPQ2d 1385, 1395-97 (2007) identified a number of rationales to support a conclusion of obviousness which are consistent with the proper "functional approach" to the determination of obviousness as laid down in Graham. One or more of the rationales given by the Supreme Court are applicable and the examiner relies upon the following rationale(s) to support the conclusion of obviousness: [u]se of known technique to improve similar devices (methods, or products) in the same way.
Stevens is combinable with Dominessy because both belong to the same field of endeavor of identification and remediation of security vulnerabilities affecting computing systems. One of ordinary skill in the art would have been motivated, before the effective filing date of the claimed invention, to combine the techniques for analyzing the effects of cybersecurity threats on a system disclosed in Dominessy with the threat management system that recommends or causes one or more remedial actions to be performed in response to security vulnerabilities as disclosed by Stevens in order to gain the advantage of “decreasing operational overhead in responding to computer security threats by performing simplified remedial actions … thereby resulting in fewer computer reboots or patches being applied.” (see, Stevens, Col 2, lines 23-28).
Regarding claims 8 and 15:
Claims 8 and 15 are directed to different statutory categories of a manufacture (non-transitory CRM) and a product (i.e., system or apparatus), respectively, instead of a method.  However, Dominessy discloses both a CRM and a system (see, Dominessy Col 44, lines 41-45 for CRM, and Fig. 1A for a network security and threat assessment system, respectively.) Otherwise the same features and limitations disclosed in claim 1 are also recited in respective and corresponding claims 8 and 15 and no additional feature or detail, apart from being directed to a CRM and an apparatus, are recited. For this reason, the same grounds of rejection given in claims 1 are equally applicable to claims 8 and 15, mutatis mutandis, using the same citations.

Regarding claim 2, The combination of Dominessy in view of Stevens discloses:
identifying a first set of resource group members as impacted by the security exploit and a second set of resource group members as non-impacted by the security exploit (as alluded to with respect to claim 1, Dominessy, Col 15, lines 43-47 combined with Dominessy, Col 7, lines 11-14 disclose the generation of a (risk) tree in which the nodes of the tree may be split (based on an event-based determination for each node (with the node representing a resource) into a first subset of nodes of impacted computing systems (i.e., first set of resource group members), and a second subset of nodes of non-impacted computing systems (i.e., second set of resource group members)).

Regarding claims 9 and 16:
Claims 9 and 16 are directed to different statutory categories of a manufacture (non-transitory CRM) and a product (i.e., system or apparatus), respectively, instead of a method.  However, Dominessy discloses both a CRM and a system (see, Dominessy Col 44, lines 41-45 for CRM, and Fig. 1A for a network security and threat assessment system, respectively.) Otherwise the same features and limitations disclosed in claim 2 are also recited in respective and corresponding claims 9 and 16 and no additional feature or detail, apart from being directed to a CRM and an apparatus, are recited. For this reason, the same grounds of rejection given in claims 2 are equally applicable to claims 9 and 16, mutatis mutandis, using the same citations.

Regarding claim 3, The combination Dominessy in view of Stevens discloses:
generating a first data structure for the first set of resource group members and a second data structure for the second set of resource group members (as alluded to earlier, Dominessy, Col 15, lines 43-47 combined with Dominessy, Col 7, lines 11-14 disclose the generation of a tree in which the nodes of the tree may be split into a first subset of nodes (i.e., first data structure) of impacted computing systems (i.e., resource group members), and a second subset of nodes (i.e., second data structure) of non-impacted computing systems (i.e., resource group members),
moving first metadata for the first set of resource group members from the identified resource group to the first data structure (Dominessy, Col 18, lines 9-15 discloses that information (i.e., metadata) about target computing systems (i.e., resource group members) may be included in or otherwise associated with (i.e., moved to) a node of the tree. In other words, Dominessy discloses the moving of metadata to nodes of the first data structure from resource group members (where the nodes of first data structure represent the first set of impacted resources));    
moving second metadata for the second set of resource group members from the identified resource group to the second data structure (Dominessy, Col 18, lines 9-15 discloses that information (i.e., metadata) about target computing systems (i.e., resource group members) may be included in or otherwise associated with (i.e., moved to) a node of the tree. In other words, Dominessy discloses the moving of metadata to nodes of the second data structure from resource group members (where the nodes of second data structure represent the second set of non-impacted resources)); and  42Attorney Docket No. 10 10P045 
associating the first data structure and the second data structure (as alluded to earlier, Dominessy, Col 15, lines 43-47 combined with Dominessy, Col 7, lines 11-14 disclose the generation of the first and the second data structures, those being subgraphs of the parent tree that are inherently associated).

Regarding claims 10 and 17:
Claims 10 and 17 are directed to different statutory categories of a manufacture (non-transitory CRM) and a product (i.e., system or apparatus), respectively, instead of a method.  However, Dominessy discloses both a CRM and a system (see, Dominessy Col 44, lines 41-45 for CRM, and Fig. 1A for a network security and threat assessment system, respectively.) Otherwise the same features and limitations disclosed in claim 3 are also recited in respective and corresponding claims 10 and 17 and no additional feature or detail, apart from being directed to a CRM and an apparatus, are recited. For this reason, the same grounds of rejection given in claims 3 are equally applicable to claims 10 and 17, mutatis mutandis, using the same citations.

Regarding claim 4, The combination Dominessy in view of Stevens discloses:
generating a first data structure for the first set of resource group members ((Dominessy, Col 15, lines 43-47 combined with Dominessy, Col 7, lines 11-14 teach the generation of a tree in which the nodes of the tree may be split into a first subset of nodes of impacted computing systems (i.e., first data structure));
moving metadata for the first set of resource group members from the identified resource group to the first data structure (Dominessy, Col 18, lines 9-15 discloses that information (i.e., metadata) about target computing systems (i.e., resource group members) may be included in or otherwise associated with a node of the tree. The inclusion of information with nodes belonging to the first data structure (that represent impacted resources) discloses this limitation by inference); and 
associating the first data structure with the identified resource group (as alluded to with earlier limitations, Dominessy, Col 15, lines 43-47 combined with Dominessy, Col 7, lines 11-14 disclose the generation of a first data structure (and also a second data structure), where the first and the second data structure are subtrees (or subgraphs) of one parent tree. The two subgraphs in totality represent the identified resource group, since they individually represent a first set of impacted members of a resource group and a second set of non-impacted members of the group. The subgraphs are inherently associated with each other, and each subgraph is also inherently associated with the parent tree.  In other words, there is an association between the first data structure and the identified resource group (i.e., the parent tree)). 

Regarding claims 11 and 18:
Claims 11 and 18 are directed to different statutory categories of a manufacture (non-transitory CRM) and a product (i.e., system or apparatus), respectively, instead of a method.  However, Dominessy discloses both a CRM and a system (see, Dominessy Col 44, lines 41-45 for CRM, and Fig. 1A for a network security and threat assessment system, respectively.) Otherwise the same features and limitations disclosed in claim 4 are also recited in respective and corresponding claims 11 and 18 and no additional feature or detail, apart from being directed to a CRM and an apparatus, are recited. For this reason, the same grounds of rejection given in claims 4 are equally applicable to claims 11 and 18, mutatis mutandis, using the same citations.

Regarding claim 5, The combination of Dominessy in view of Stevens discloses:
wherein performing the action in response to identifying the resolution of the disparate impact to the resource group members of the identified resource group comprises: combining the impacted resource group and the non-impacted resource group into a single resource group (Dominessy, Col 7, lines 11-14 discloses an event-based determination of a potential security vulnerability (i.e., security exploit) of target computing systems, while Dominessy, Col 15, lines 43-47 discloses the generation of a tree in which the nodes of the tree may be split into a impacted group represented by a subset of nodes of impacted computing systems, and a non-impacted group represented by  a subset of nodes of non-impacted computing systems. The subsets are not static in nature, therefore, upon the resolution of the security exploit, occurrence of future vulnerabilities (i.e., events) on nodes representing previously impacted members of a resource group may cause a new determination of the resource represented by the node as being non-impacted. In other words, upon the resolution of a vulnerability, the disclosure of Dominessy implies that nodes previously representing impacted members may be combined with nodes representing non-impacted group members.)

Regarding claims 12 and 19:
Claims 12 and 19 are directed to different statutory categories of a manufacture (non-transitory CRM) and a product (i.e., system or apparatus), respectively, instead of a method.  However, Dominessy discloses both a CRM and a system (see, Dominessy Col 44, lines 41-45 for CRM, and Fig. 1A for a network security and threat assessment system, respectively.) Otherwise the same features and limitations disclosed in claim 5 are also recited in respective and corresponding claims 12 and 19 and no additional feature or detail, apart from being directed to a CRM and an apparatus, are recited. For this reason, the same grounds of rejection given in claims 5 are equally applicable to claims 12 and 19, mutatis mutandis, using the same citations.

Regarding claim 6, The combination Dominessy in view of Stevens discloses:
merging the first set of resource group members into the non-impacted resource group (Dominessy, Col 7, lines 11-14 discloses an event-based determination of a potential security vulnerability (i.e., security exploit) of target computing systems, while Dominessy, Col 15, lines 43-47 discloses the generation of a tree in which the nodes of the tree may be split into a first set of nodes representing impacted resources, and a non-impacted group represented by a subset of nodes of a parent risk tree. The determination of nodes as impacted or non-impacted is not static, since occurrence of future vulnerability events require a new determination of the impacted or non-impacted nature of the resource represented by any given node. Thus, the disclosure of Dominessy implies that once the resolution of impact on members of a resource group is identified, then the nodes representing previously impacted members may no longer be determined to be impacted when future vulnerability events occur. In other words, previously impacted nodes may be determined to be non-impacted, i.e., merged into the set of nodes representing the non-impacted resource group members).

Regarding claims 13 and 20:
Claims 13 and 20 are directed to different statutory categories of a manufacture (non-transitory CRM) and a product (i.e., system or apparatus), respectively, instead of a method.  However, Dominessy discloses both a CRM and a system (see Dominessy, claim 28 and claim 1, respectively.) Otherwise the same features and limitations disclosed in claim 6 are also recited in respective and corresponding claims 13 and 20 and no additional feature or detail, apart from being directed to a CRM and an apparatus, are recited. For this reason, the same grounds of rejection given in claims 6 are equally applicable to claims 13 and 20, mutatis mutandis, using the same citations.

Claim 7, 14, and 21 is/are rejected under 35 U.S.C. 103 as being unpatentable over Dominessy in view of Stevens in further view of US Patent No. 10,104,110 B2 (hereinafter "Oliphant").
Regarding claim 7, The following limitation not taught by Dominessy in view of Stevens is taught by Oliphant:
determining that the first set of resource group members of the impacted resource group are updated to a same version of an application as the second set of resource group members of the non-impacted resource group (Oliphant, Col 4 line 58 to Col 5 line 3: security server upon determining that a computer that is vulnerable (based on its current software, patch, policy, and configuration status), may apply remediation technique(s) to all devices subject to the same vulnerability (based on their real-time software, patch, policy, and configuration status). This supports an inference that after the application of a remedial patch, all impacted devices may be updated to the same version as non-impacted resources.
Oliphant is combinable with Dominessy and Stevens because all the references belong to the same field of endeavor of identification and remediation of security vulnerabilities affecting computing systems. One of ordinary skill in the art would have been motivated, before the effective filing date of the claimed invention, to combine the techniques for analyzing the effects of cybersecurity threats on a system disclosed in Dominessy with the threat management system that recommends or causes one or more remedial actions to be performed in response to security vulnerabilities as disclosed by Stevens with the techniques of selective remediation
applied to only those devices subject to a security vulnerability, including installation of a
patch that is known to correct the vulnerability as disclosed by Oliphant, in order to gain the advantage of “easily integrate with and enable network security products such as IDS, scanners, or firewalls to intelligently reference and share the same vulnerability data set, and independently provide complete vulnerability remediation (patching) functionalities … [to] … improve system accuracy and efficiencies, minimize false positives and false negatives, and provide policy compliance and enforcement capabilities.” (see, Oliphant, Col 8, lines 26-36).

Regarding claims 14 and 21:
Claims 14 and 21 are directed to different statutory categories of a manufacture (non-transitory CRM) and a product (i.e., system or apparatus), respectively, instead of a method.  However, Dominessy discloses both a CRM and a system (see, Dominessy Col 44, lines 41-45 for CRM, and Fig. 1A for a network security and threat assessment system, respectively.) Otherwise the same features and limitations disclosed in claim 7 are also recited in respective and corresponding claims 14 and 21 and no additional feature or detail, apart from being directed to a CRM and an apparatus, are recited. For this reason, the same grounds of rejection given in claims 7 are equally applicable to claims 14 and 21, mutatis mutandis, using the same citations.

Related Art
The following prior art made of record and cited on PTO-892, but not relied upon, is considered pertinent to applicant’s disclosure: 
U.S. PGPub. No. 2018/0295154 A1 ("Crabtree") – discloses a system for mitigation of cyberattacks employing an advanced cyber decision platform comprising a directed computational graph data structure, in which the state of a network is monitored and used to produce a cyber-physical graph representing network resources, and network events and their effects are analyzed to produce security recommendations.
U.S. PGPub. No. 2019/0292902 Al ("Johnston") - discloses a system and method (see Fig. 7B and Fig. 8) that classifies devices into groups, and determines that an attempt by a device to access an online resource is a security violation, based on the classifications of the device and the online resource. The
service initiates a mitigation action in the network for the security violation.
U.S. Pat. No. US 11,159,557 B2 ("Vester”) - discloses a system for vulnerability management architecture (as depicted in Fig. 6 and Fig. 7), in which vulnerable resources may be arranged into vulnerability groups. Vulnerable groups are addressed by various remedial actions like applying a software patch, removing a software package, etc., with a change request specifying a distinct modification or set of modifications to be made to one or more vulnerable group items, when the modification(s) should be made, who is responsible for the modification. Vester has many similarities with the applicant's claimed invention, however, it does not constitute prior art as it was filed at a later date.
Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BISWAJIT GHOSE whose telephone number is (571)272-1878. The examiner can normally be reached M-F 8:00am-5:00pm CST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi T Arani can be reached on (571)272-3787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/SHARON S LYNCH/Primary Examiner, Art Unit 2438