Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response To Argument
Applicant’s arguments, see p11/17-16/17, filed on 2/17/2022, with respect to finality of the office action have been fully considered and are persuasive.  The final rejection of claims 1-39 has been withdrawn. However, a new ground rejection, non-final rejection, is given.

Claim Rejections -35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103(a) are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 1, 7-10, 20, 26-29 and 38-39 are rejected under 35 U.S.C. 103 as being unpatentable over Bellis et al. (US 10114954 B1), hereinafter Bellis, in view of Li et al. (US 20190102564 A1), hereinafter Li.

	Regarding claim 1, Bellis teaches [a] method of training a model for threat score assessment of software vulnerabilities, comprising:
	obtaining training data associated with a first set of software vulnerabilities, the training data for each software vulnerability among the first set of software vulnerabilities including one or more of (Abstract, selecting training data comprising a plurality of features including a prevalence feature for each vulnerability of a first plurality of vulnerabilities; col2 ln53-63, …to provide training and input data as well as to receive output data comprising predictions; col8 ln2-32):
	Bellis does not does not explicitly disclose generating a threat score prediction model based on the training data, wherein the threat score prediction model is configured to determine a threat score for a candidate software vulnerability that is indicative of a likelihood that the candidate software vulnerability will be targeted for exploitation, or successfully exploited within a target window of time, or both. However, in an analogous art, Li teaches generating a threat score prediction model based on the training data, wherein the threat score prediction model is configured to determine a threat score for a candidate software vulnerability that is indicative of a likelihood that the candidate software vulnerability will be targeted for exploitation, or successfully exploited within a target window of time, or both (Li para. 0048, [a]fter obtaining vulnerability information, operators analyze the vulnerability and asset characteristics to determine a remediation plan. When making decisions, operators have some rules in mind and follow these rules to address vulnerabilities. However, these rules depend on many factors, and many of these rules need to be tuned very finely to make the right decisions. Accordingly, the present invention uses, machine learning technologies to automate remediation action analysis. A prediction model is trained first over historical operation data. Then for a new vulnerability, the model takes the vulnerability's asset characteristics and vulnerability characteristics as inputs and outputs a predicted remediation action. This prediction tries to mimic operators' manual decisions in an automated way. To apply machine learning technologies, the following may be considered: what features to be selected, what machine learning model to be used, and how to train the model. Additionally, the machine learning model may be enabled to generate reason codes for predictions so humans can understand and validate the predictions).
	Bellis does not does not explicitly disclose 
	(i) a degree to which the software vulnerability is described across a set of public media sources. 
(ii) a degree to which one or more exploits that have already been developed for the software vulnerability are described across one or more public exploit databases,
(iii) information from one or more third party threat intelligence sources that characterizes one or more historic threat events associated with the software vulnerability
(iv) information that characterizes at least one behavior of an enterprise network in association with the software vulnerability, or 
any combination of (i)-(iv);
	However, in an analogous art, Li teaches
(ii) a degree to which one or more exploits that have already been developed for the software vulnerability are described across one or more public exploit databases (Li para. 0044, provides which products are affected by the vulnerability by specifying the products CPE names under the vulnerability. Each vulnerability also comes with Common Vulnerability Scoring System (CVSS) metrics which describe the vulnerability features. The features and their possible values are shown in Table 1; CVSS Score [degree]; para. 0030, the learning model's input data is a vector consisting of two parts. The first part is vulnerability features, including Common Vulnerability Scoring System (CVSS) score, where the attack is from, attack complexity, privileges required, user interaction, confidentiality metric, integrity metric, availability metric, exploitability, remediation level, and report confidence; para. 0034, central database which includes asset data obtained from baseline configuration management systems and vulnerability data, especially CVSS attributes obtained from vendors, third-party services and/or public databases (i.e., NVD). Based on the database and past operation records and expert inputs, a machine learning engine automatically obtains applicable vulnerabilities, analyzes vulnerabilities, recommends remediation decisions (i.e., patch quickly or defer patching) for vulnerabilities),
(iii) information from one or more third party threat intelligence sources that characterizes one or more historic threat events associated with the software vulnerability, (Li para. 0044, [t]he NVD publishes vulnerabilities for a variety of products daily. Each vulnerability is identified by a unique Common Vulnerability Enumeration (CVE) ID, such as CVE-2016-8882. It provides which products are affected by the vulnerability by specifying the products CPE names under the vulnerability. Each vulnerability also comes with Common Vulnerability Scoring System (CVSS) metrics which describe the vulnerability features. The features and their possible values are shown in Table 1; para. 0034, a central database which includes asset data obtained from baseline configuration management systems and vulnerability data, especially CVSS attributes obtained from vendors, third-party services and/or public databases (i.e., NVD). Based on the database and past operation records and expert inputs, a machine learning engine automatically obtains applicable vulnerabilities, analyzes vulnerabilities, recommends remediation decisions (i.e., patch quickly or defer patching) for vulnerabilities. For recommended remediation decisions, the engine can also output a simple, easy-to-verify reason code for each recommended decision, so that human operators can understand and validate the machine learning; para. 0039 and 0040)
(iv) information that characterizes at least one behavior of an enterprise network in association with the software vulnerability (Li para. 0040, …retrieving vulnerabilities from NVD, an open vulnerability database. Applicable vulnerabilities for a utility can be identified through determining the Common Platform Enumeration (CPE) names of assets and then mapping CPEs to the CVEs/CVSSs in the database; col4 ln2-37), or 
(any combination of (i)-(iv); taught as above) and
	generating a threat score prediction model based on the training data, wherein the threat score prediction model is configured to determine a threat score for a candidate software vulnerability that is indicative of a likelihood that the candidate software vulnerability will be targeted for exploitation, or successfully exploited within a target window of time, or both (Li para. 0048, [a]fter obtaining vulnerability information, operators analyze the vulnerability and asset characteristics to determine a remediation plan. When making decisions, operators have some rules in mind and follow these rules to address vulnerabilities. However, these rules depend on many factors, and many of these rules need to be tuned very finely to make the right decisions. Accordingly, the present invention uses, machine learning technologies to automate remediation action analysis. A prediction model is trained first over historical operation data. Then for a new vulnerability, the model takes the vulnerability's asset characteristics and vulnerability characteristics as inputs and outputs a predicted remediation action. This prediction tries to mimic operators' manual decisions in an automated way. To apply machine learning technologies, the following may be considered: what features to be selected, what machine learning model to be used, and how to train the model. Additionally, the machine learning model may be enabled to generate reason codes for predictions so humans can understand and validate the predictions).
	Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to combine the teachings of Bellis and Li because it is beneficial to be able to predict whether an exploit will be developed for a particular vulnerability and, if so, whether the exploit will be used in an attack (Li col1 ln48-54).

Regarding claims 7 and 26, the combination of Bellis and Li teaches all of the limitations of claims 1 and 20, respectively, as described above. Bellis further teaches wherein the training data includes the degree to which one or more exploits that have already been developed for the software vulnerability are described across the one or more public exploit databases (col5 ln58-col6 ln2, Common Vulnerability 65 Scoring System (CVSS) score data [degree] may be used in the determination of a risk score).

Regarding claims 8 and 27, the combination of Bellis and Li teaches all of the limitations of claims 7 and 26, respectively, as described above. Bellis further teaches wherein the training data includes a count of a number of entries related to the software vulnerability on the one or more public exploit databases (col4 ln17-22, prevalence feature 116 indicates a number [count] of references, in a particular database, to a particular vulnerability. For example, prevalence feature 116 may indicate that software vulnerability 114 has 250,000 different references to it in a particular organization's configuration management database.)

Regarding claims 9 and 28, the combination of Bellis and Li teaches all of the limitations of claims 1 and 20, respectively, as described above. Bellis further teaches wherein the training data includes the information from the one or more third party threat intelligence sources that characterizes the one or more historic threat events associated with the software vulnerability (col7 ln48-54, learning from historical relationships and trends in the data).

Regarding claims 10 and 29, the combination of Bellis and Li teaches all of the limitations of claims 9 and 28, respectively, as described above. Bellis further teaches wherein the training data includes, for a particular window of time, a total number of threat events related to the software vulnerability, a language, media type associated with one or more threat events, topic associated with the one or more threat events, a number of days since a first threat event, a number of days since a most recent threat event, a number of days having at least one threat event, or any combination thereof (col2 ln64-col3 ln17, training data may also comprise other features, such as a developed exploit feature that indicates whether a particular vulnerability already has an exploit developed for it, an exploit development time feature that indicates whether an exploit was developed within a particular number of days of a particular vulnerability being published, and an attack feature that indicates whether a particular vulnerability was successfully attacked.).

Regarding claim 20, Bellis teaches [a] method for assessing a level of threat associated with a software vulnerability, comprising:
obtaining a set of vulnerability characteristics for the software vulnerability, each vulnerability characteristic in the set of vulnerability characteristics characterizing one or more of (Abstract, selecting training data comprising a plurality of features including a prevalence feature [characteristic] for each vulnerability of a first plurality of vulnerabilities; col2 ln53-63, …to provide training and input data as well as to receive output data comprising predictions; col8 ln2-32; col3 ln56-col6 ln15, variety of features [characteristics]):
applying the set of vulnerability characteristics as input data to a threat score prediction model (col2 ln53-63, …to provide training and input data as well as to receive output data comprising predictions; col8 ln2-32; col3 ln56-col6 ln15, variety of features [characteristics]).
Bellis does not does not explicitly disclose generating, based on the applying, a threat score for the software vulnerability that is indicative of a likelihood that the software vulnerability will be targeted for exploitation, or successfully exploited within a target window of time, or both. However, in an analogous art, Li teaches generating, based on the applying, a threat score for the software vulnerability that is indicative of a likelihood that the software vulnerability will be targeted for exploitation, or successfully exploited within a target window of time, or both (Li para. 0048, [a]fter obtaining vulnerability information, operators analyze the vulnerability and asset characteristics to determine a remediation plan. When making decisions, operators have some rules in mind and follow these rules to address vulnerabilities. However, these rules depend on many factors, and many of these rules need to be tuned very finely to make the right decisions. Accordingly, the present invention uses, machine learning technologies to automate remediation action analysis. A prediction model is trained first over historical operation data. Then for a new vulnerability, the model takes the vulnerability's asset characteristics and vulnerability characteristics as inputs and outputs a predicted remediation action. This prediction tries to mimic operators' manual decisions in an automated way. To apply machine learning technologies, the following may be considered: what features to be selected, what machine learning model to be used, and how to train the model. Additionally, the machine learning model may be enabled to generate reason codes for predictions so humans can understand and validate the predictions).
Bellis does not does not explicitly disclose 
(i) a degree to which the software vulnerability is described across a set of public media sources. 
(ii) a degree to which one or more exploits that have already been developed for the software vulnerability are described across one or more public exploit databases,
(iii) information from one or more third party threat intelligence sources that characterizes one or more historic threat events associated with the software vulnerability
(iv) information that characterizes at least one behavior of an enterprise network in association with the software vulnerability, or 
any combination of (i)-(iv);
However, in an analogous art, Li teaches
(ii) a degree to which one or more exploits that have already been developed for the software vulnerability are described across one or more public exploit databases (Li para. 0044, provides which products are affected by the vulnerability by specifying the products CPE names under the vulnerability. Each vulnerability also comes with Common Vulnerability Scoring System (CVSS) metrics which describe the vulnerability features. The features and their possible values are shown in Table 1; CVSS Score [degree]; para. 0030, the learning model's input data is a vector consisting of two parts. The first part is vulnerability features, including Common Vulnerability Scoring System (CVSS) score, where the attack is from, attack complexity, privileges required, user interaction, confidentiality metric, integrity metric, availability metric, exploitability, remediation level, and report confidence; para. 0034, central database which includes asset data obtained from baseline configuration management systems and vulnerability data, especially CVSS attributes obtained from vendors, third-party services and/or public databases (i.e., NVD). Based on the database and past operation records and expert inputs, a machine learning engine automatically obtains applicable vulnerabilities, analyzes vulnerabilities, recommends remediation decisions (i.e., patch quickly or defer patching) for vulnerabilities),
(iii) information from one or more third party threat intelligence sources that characterizes one or more historic threat events associated with the software vulnerability, (Li para. 0044, [t]he NVD publishes vulnerabilities for a variety of products daily. Each vulnerability is identified by a unique Common Vulnerability Enumeration (CVE) ID, such as CVE-2016-8882. It provides which products are affected by the vulnerability by specifying the products CPE names under the vulnerability. Each vulnerability also comes with Common Vulnerability Scoring System (CVSS) metrics which describe the vulnerability features. The features and their possible values are shown in Table 1; para. 0034, a central database which includes asset data obtained from baseline configuration management systems and vulnerability data, especially CVSS attributes obtained from vendors, third-party services and/or public databases (i.e., NVD). Based on the database and past operation records and expert inputs, a machine learning engine automatically obtains applicable vulnerabilities, analyzes vulnerabilities, recommends remediation decisions (i.e., patch quickly or defer patching) for vulnerabilities. For recommended remediation decisions, the engine can also output a simple, easy-to-verify reason code for each recommended decision, so that human operators can understand and validate the machine learning; para. 0039 and 0040)
(iv) information that characterizes at least one behavior of an enterprise network in association with the software vulnerability (Li para. 0040, …retrieving vulnerabilities from NVD, an open vulnerability database. Applicable vulnerabilities for a utility can be identified through determining the Common Platform Enumeration (CPE) names of assets and then mapping CPEs to the CVEs/CVSSs in the database; col4 ln2-37), or 
(any combination of (i)-(iv); taught as above) and
generating a threat score prediction model based on the training data, wherein the threat score prediction model is configured to determine a threat score for a candidate software vulnerability that is indicative of a likelihood that the candidate software vulnerability will be targeted for exploitation, or successfully exploited within a target window of time, or both (Li para. 0048, [a]fter obtaining vulnerability information, operators analyze the vulnerability and asset characteristics to determine a remediation plan. When making decisions, operators have some rules in mind and follow these rules to address vulnerabilities. However, these rules depend on many factors, and many of these rules need to be tuned very finely to make the right decisions. Accordingly, the present invention uses, machine learning technologies to automate remediation action analysis. A prediction model is trained first over historical operation data. Then for a new vulnerability, the model takes the vulnerability's asset characteristics and vulnerability characteristics as inputs and outputs a predicted remediation action. This prediction tries to mimic operators' manual decisions in an automated way. To apply machine learning technologies, the following may be considered: what features to be selected, what machine learning model to be used, and how to train the model. Additionally, the machine learning model may be enabled to generate reason codes for predictions so humans can understand and validate the predictions).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to combine the teachings of Bellis and Li because it is beneficial to be able to predict whether an exploit will be developed for a particular vulnerability and, if so, whether the exploit will be used in an attack (Li col1 ln48-54).

Claim 38 is an apparatus claim that is substantially equivalent to method claim 1. Therefore, claim 38 is rejected by a similar rationale.

Claim 39 is an apparatus claim that is substantially equivalent to method claim 20. Therefore, claim 39 is rejected by a similar rationale.

Allowable Subject Matter
Claims 2-6, 11-19, 21-25 and 30-37 are objected to as being dependent upon a rejected base claims 1 and 20 respectively, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHU CHUN GAO whose telephone number is (571)270-5999. The examiner can normally be reached on Monday -Thursday 6:00-4:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, KRISTINE KINCAID can be reached on 571-272-4063. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/SHU CHUN GAO/Examiner, Art Unit 2437 


/MATTHEW SMITHERS/           Primary Examiner, Art Unit 2437