DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 01/15/2020 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Examiner Note
Regarding 35 U.S.C. 101 analysis for claim 11, the claimed storage device is understood to be a hardware storage device, e.g., a memory (specification, [0028] and [0044]), and the claimed processor is understood to be a hardware processor (specification, [0027]). Therefore, a rejection under 35 U.S.C. 101 is not appropriate. 
Regarding 35 U.S.C. 101 analysis for claim 16, the claimed computer program product comprising a computer readable storage medium is understood to be non-transitory (specification, [0012]). Therefore, a rejection under 35 U.S.C. 101 is not appropriate.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 6, 11-13, and 16-18 are rejected under 35 U.S.C. 103 as being unpatentable over Toback et al. (US 20140173737 A1; hereinafter “Toback”), cited in the IDS filed 01/15/2020, in view of El Maghraoui et al. (US 20160259638 A1; hereinafter “El Maghraoui”) and further in view of Hines (US 20020112200 A1).
As per claims 1, 11, and 16, Toback discloses: a computer-implemented method, a computer system and a computer program product for identifying and evaluating exploitability of software vulnerabilities, the computer system comprising: 
a bus system (Toback, [0030], one or more buses); 
a storage device connected to the bus system, wherein the storage device stores program instructions (Toback, [0056], memory); and 
a processor connected to the bus system, wherein the processor executes the program instructions (Toback, [0056], processor) to: 
identify a vulnerability and evaluating a level of exploitability of the vulnerability corresponding to a software package based on data collected from a plurality of software vulnerability data sources (Toback, [0016] and [0018], vulnerability data is received for a software component/package to be used, wherein vulnerability data includes a vulnerability score (i.e., level of exploitability) and is received from external repositories, user input, and internal database (i.e., plurality of data sources)); 
identify related alternative software packages corresponding to the software package to be installed on the data processing system based on a comparative analysis between alternative software packages and the software package (Toback, [0031], alternate software components/packages are identified, [0039], comparing vulnerability score between software component/package and alternate software components/packages); and
generate insights based on calculated exploitability scores of the related alternative software package (Toback, [0039], “the computer presents a recommended alternative to the selected software component based upon the vulnerability data describing the vulnerability in the first software component. For example, the computer may determine that a known alternative component has a lower vulnerability score than the currently used software component,” [0043], “the computer may present an alternative software component or version of the software component within the active task. The user, in response, has the option of replacing the vulnerable software component with the presented alternative component/version,” [0031], a plurality of alternative software components/packages are presented with their corresponding vulnerability score).
Toback does not explicitly disclose, however, El Maghraoui, in the same field of endeavor, teaches or suggests: prior to installation of the software package on a data processing system (El Maghraoui, [0060]-[0061], software patch (i.e., software package) is analyzed before installing on a device);
determining a confidence level for each respective related alternative software package for resolving a level of exploitability (El Maghraoui, [0022], a confidence level is determined for each software patch/package, [0056], [0052], and [0032], wherein the confidence level is based on machine-determined sentiment prediction that the software patch will benefit/resolve an exploit/vulnerability); and
using natural language generation to generate insights based on determined confidence levels (El Maghraoui, [0053], natural language processing is used to determine the machine-determined sentiment predictions, which are used to determine confidence scores of the software patches/packages, [0060], results/insights are presented to a user).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of Toback to include determining confidence scores of software patches and using natural language processing on the software patches prior to installation as taught by El Maghraoui for the benefit of providing and installing software patches, which fix existing vulnerabilities, while ensuring a user with analyzed sentiment that the software patch will succeed in fixing the existing vulnerabilities (El Maghraoui, [0005]-[0006]).
While the modified Toback teaches vulnerability/exploitability scores for alternative software packages (Toback, [0039]) and ranking related alternative software packages based on confidence scores (El Maghraoui, [0058]), the modified Toback does not disclose, however, Hines teaches or suggests: ranking related alternative software packages from least to most vulnerable based on a calculated score corresponding to each respective related alternative software package (Hines, [0044], a report is generated that includes relevant patches (i.e., software packages) and corresponding scores wherein the relevant patches are ranked from highest score to lowest score, the highest scores being the most useful patches to recommend to an analyst).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of the modified Toback to include ranking alternative software packages from least to most vulnerable based on a calculated score as taught by Hines for the benefit of rapidly providing an analyst a ranking of software patches that are most relevant or useful in fixing an existing vulnerability (Hines, [0044]).

As per claims 2, 12, and 17, claims 1, 11, and 16 are incorporated, respectively, and the modified Toback discloses: providing the insights to a user to enable the user to make an informed decision as to whether to install the software package or one of the related alternative software packages on the data processing system (Toback, [0039], “the computer presents a recommended alternative to the selected software component based upon the vulnerability data describing the vulnerability in the first software component. For example, the computer may determine that a known alternative component has a lower vulnerability score than the currently used software component”).

As per claims 3, 13, and 18, claims 1, 11, and 16 are incorporated, respectively, and the modified Toback discloses: wherein the processor further executes the program instructions to: 
retrieve vulnerability information corresponding to the software package to be installed on the data processing system from the plurality of software vulnerability data sources via a network (Toback, [0016] and [0018], vulnerability data is received for a software component/package which include a vulnerability score (i.e., level of exploitability), wherein vulnerability data is received from external repositories, user input, and internal database (i.e., plurality of data sources)); 
analyze the vulnerability information corresponding to the software package (Toback, [0018]-[0019], vulnerability data is analyzed); and 
identify the vulnerability of the software package based on analyzing the vulnerability information corresponding to the software package (Toback, [0018], vulnerability data describes at least one vulnerability for the one or more software components).

As per claim 6, claim 1 is incorporated and the modified Toback discloses: receiving, by the computer, an identification of the software package to be installed on the data processing system from a user of a client device via a network (Toback, [0016]-[0017], usage data indicating that a software component/package is to be used received by user input); 
checking, by the computer, for vulnerabilities corresponding to the software package using vulnerability information retrieved from the plurality of software vulnerability data sources (Toback, [0018], vulnerability data is received from external repositories, user input, and internal database (i.e., plurality of data sources)); and 
determining, by the computer, whether the vulnerability was found during the check for vulnerabilities corresponding to the software package (Toback, [0018], vulnerability data is received/found).

Claims 4-5, 7-10, 14-15, and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Toback in view of El Maghraoui and Hines, and further in view of Shakarian et al. (US 20200356675 A1; hereinafter “Shakarian”).
As per claims 4, 14, and 19, claims 3, 13, and 18 are incorporated, respectively, and the modified Toback does not disclose, however, Shakarian teaches or suggests: generating a bag of words model corresponding to the vulnerability using a description of the vulnerability contained in the vulnerability information (Shakarian, [0044], predicting the likelihood of vulnerability exploitation using machine learning, [0049] and [0096], bag of words model is used on information from data sources); 
generate a vector of word frequencies based on the bag of words model corresponding to the vulnerability (Shakarian, [0111], feature vector is generated from bag of words for 1000 words having the highest frequency); and 
calculate, using machine learning, an exploitability score for the vulnerability of the software package based on the vector of word frequencies corresponding to the vulnerability, wherein the exploitability score indicates a level of risk of installing the software package on the data processing system (Shakarian, [0044], predicting the likelihood of vulnerability exploitation using machine learning, [0101] and Table 5, precision scores are calculated based on feature vector).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of the modified Toback to include generating a bag of words model from vulnerability information, generating a vector of word frequencies based on the bag of words, and calculating an exploitability score based on the vector of word frequencies using machine learning as taught by Shakarian for the benefit of efficiently assessing vulnerabilities that will be exploited in the wild while keeping the false alarm rate low (Shakarian, [0005]).

As per claims 5, 15, and 20, claims 4, 14, and 19 are incorporated, respectively, and the modified Toback teaches or suggests: updating an entry for the software package in a common vulnerabilities and exposures database based on a vulnerability score contained in the vulnerability information and the exploitability score for the vulnerability of the software package (Toback, [0024], “updated vulnerability score from the vulnerability database includes an entry for the vulnerability in the vulnerability database changing from one score to another, e.g., due to an updated estimation of the potential risk”).

As per claim 7, claim 6 is incorporated and the modified Toback discloses: responsive to the computer determining that the vulnerability was found during the check for vulnerabilities corresponding to the software package, calculating, by the computer, a probability of the vulnerability being exploited by a threat actor (Toback, [0019], calculate vulnerability score); and 
determining, by the computer, whether any related alternative software packages are available that have a lower probability of being exploited (Toback, [0039], “determine that a known alternative component has a lower vulnerability score than the currently used software component”).
The modified Toback does not disclose, however, Shakarian teaches or suggests: using machine learning to calculate a probability of the vulnerability being exploited by a threat actor (Shakarian, [0044], predicting the likelihood of vulnerability exploitation using machine learning).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of the modified Toback to include predicting the likelihood of vulnerability exploitation using machine learning as taught by Shakarian for the benefit of efficiently assessing vulnerabilities that will be exploited in the wild while keeping the false alarm rate low (Shakarian, [0005]).

As per claim 8, claim 7 is incorporated and the modified Toback teaches or suggests: responsive to the computer determining that no related alternative software packages are available that have a lower probability of being exploited, installing, by the computer, the software package on the data processing system (Toback, [0039], suggests that the computer may determine that there are no known alternative software components having a lower vulnerability score, and install the current software component being analyzed).

As per claim 9, claim 7 is incorporated and the modified Toback discloses: responsive to the computer determining that related alternative software packages are available that have a lower probability of being exploited, retrieving, by the computer, vulnerability information corresponding to a set of related alternate software packages having the lower probability of being exploited (Toback, [0039], determining a known alternative component having a lower vulnerability score than the currently used software component); and
calculating, by the computer, an exploitability score for each related alternative software package in the set based on corresponding vulnerability information (Toback, [0039], vulnerability score is calculated for each alternative software component). 
The modified Toback does not disclose, however, Hines teaches or suggests: ranking, by the computer, each related alternative software package in the set from least vulnerable to most vulnerable based on the exploitability score calculated for each related alternative software package (Hines, [0044], a report is generated that includes relevant patches (i.e., software packages) and corresponding scores wherein the relevant patches are ranked from highest score to lowest score, the highest scores being the most useful patches to recommend to an analyst).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of the modified Toback to include ranking alternative software packages from least to most vulnerable based on a calculated score as taught by Hines for the benefit of rapidly providing an analyst a ranking of software patches that are most relevant or useful in fixing an existing vulnerability (Hines, [0044]).
The modified Toback does not disclose, however, Shakarian teaches using machine learning to calculate an exploitability score (Shakarian, [0044], predicting the likelihood of vulnerability exploitation using machine learning).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of the modified Toback to include predicting the likelihood of vulnerability exploitation using machine learning as taught by Shakarian for the benefit of efficiently assessing vulnerabilities that will be exploited in the wild while keeping the false alarm rate low (Shakarian, [0005]).
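The following is an added illustration of the claim elements discussed for claims 4 and 9 above: a bag of words built from vulnerability descriptions, a vector of word frequencies over the highest-frequency words, a machine-learning exploitability score computed from that vector, and a ranking of alternative packages from least to most vulnerable. It is not code from this Office action or from Toback, El Maghraoui, Hines or Shakarian. The training descriptions, the package name "libexample" and its versions, and the use of a small logistic-regression model trained by gradient descent are assumptions made for demonstration only; the 1000-word default follows the figure quoted from Shakarian in the rejection of claim 4.

```python
"""Bag-of-words exploitability scoring and least-to-most-vulnerable ranking.

Added illustration only; not code from the Office action or the cited art.
Training descriptions, package names and the logistic model are constructed
assumptions for demonstration.
"""
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9]+")


def tokenize(text):
    """Lower-case and split a vulnerability description into word tokens."""
    return TOKEN_RE.findall(text.lower())


def build_vocabulary(descriptions, max_words=1000):
    """Keep the max_words highest-frequency words across all descriptions."""
    total = Counter()
    for d in descriptions:
        total.update(tokenize(d))
    # Highest frequency first; ties broken alphabetically so the order is stable.
    ranked = sorted(total.items(), key=lambda kv: (-kv[1], kv[0]))
    return [word for word, _ in ranked[:max_words]]


def frequency_vector(description, vocabulary):
    """Vector of word frequencies (bag-of-words counts) over the vocabulary."""
    bow = Counter(tokenize(description))
    return [bow.get(word, 0) for word in vocabulary]


def _sigmoid(z):
    z = max(-30.0, min(30.0, z))  # clamp so math.exp cannot overflow
    return 1.0 / (1.0 + math.exp(-z))


def _dot(w, x):
    return sum(wi * xi for wi, xi in zip(w, x))


def train_logistic(vectors, labels, epochs=300, lr=0.1):
    """Plain stochastic gradient descent for a logistic-regression classifier."""
    n = len(vectors[0])
    w, b = [0.0] * n, 0.0
    for _ in range(epochs):
        for x, y in zip(vectors, labels):
            g = _sigmoid(_dot(w, x) + b) - y  # d(log-loss)/dz
            for i in range(n):
                w[i] -= lr * g * x[i]
            b -= lr * g
    return w, b


def exploitability_score(description, vocabulary, model):
    """Probability in (0, 1) that the described vulnerability is exploited."""
    w, b = model
    return _sigmoid(_dot(w, frequency_vector(description, vocabulary)) + b)


def rank_alternatives(alternatives, vocabulary, model):
    """Return (package, score) pairs ordered from least to most vulnerable."""
    scored = [(name, exploitability_score(desc, vocabulary, model))
              for name, desc in alternatives.items()]
    return sorted(scored, key=lambda pair: pair[1])


# Constructed training descriptions; label 1 = exploited in the wild, 0 = not.
TRAINING = [
    ("remote code execution via unauthenticated request; public exploit available", 1),
    ("remote code execution in network service; exploit code published", 1),
    ("unauthenticated remote attacker can execute arbitrary code; exploit observed in the wild", 1),
    ("local denial of service requires physical access", 0),
    ("denial of service by local user with valid credentials", 0),
    ("local information disclosure requires authenticated local user", 0),
]

# Constructed descriptions for alternative versions of a hypothetical package.
ALTERNATIVES = {
    "libexample 1.2": "remote code execution via crafted packet; public exploit available",
    "libexample 1.3": "local denial of service requires physical access",
    "libexample 1.4": "remote denial of service; exploit observed",
}


def build_model():
    """Vocabulary and trained model from the constructed training set."""
    vocab = build_vocabulary([d for d, _ in TRAINING])
    vectors = [frequency_vector(d, vocab) for d, _ in TRAINING]
    labels = [y for _, y in TRAINING]
    return vocab, train_logistic(vectors, labels)


def demo():
    """Rank the constructed alternatives from least to most vulnerable."""
    vocab, model = build_model()
    return rank_alternatives(ALTERNATIVES, vocab, model)


if __name__ == "__main__":
    for name, score in demo():
        print(f"{name}: exploitability {score:.3f}")
```

Running the module prints the three versions of "libexample" in least-to-most-vulnerable order with their scores; the local denial-of-service description ranks first and the remote code execution description with a public exploit ranks last, which is the order an analyst would read off the ranked report described for Hines.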

As per claim 10, claim 9 is incorporated and the modified Toback discloses: 
sending, by the computer, the insights to the user of the client device via the network (Toback, [0039], “the computer presents a recommended alternative to the selected software component based upon the vulnerability data describing the vulnerability in the first software component. For example, the computer may determine that a known alternative component has a lower vulnerability score than the currently used software component,” [0043], “the computer may present an alternative software component or version of the software component within the active task. The user, in response, has the option of replacing the vulnerable software component with the presented alternative component/version”); 
determining, by the computer, whether an input was received from the user to install a selected one of the best related alternative software packages (Toback, [0043], user selects to replace the vulnerable software component with the presented alternative component/version); and 
responsive to the computer determining that an input was received from the user to install a selected one of the best related alternative software packages, installing, by the computer, the selected one of the best related alternative software packages on the data processing system (Toback, [0043], alternative software component is installed and used).
The modified Toback does not disclose, however, as discussed above, El Maghraoui teaches or suggests: applying natural language generation to provide the insights (El Maghraoui, [0053], natural language processing is used to determine the machine-determined sentiment predictions, which are used to determine confidence scores of the software patches/packages, [0060], results/insights are presented to a user).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of the modified Toback to include applying natural language processing on software patches as taught by El Maghraoui for the benefit of providing and installing software patches, which fix existing vulnerabilities, while ensuring a user with analyzed sentiment that the software patch will succeed in fixing the existing vulnerabilities (El Maghraoui, [0005]-[0006]). 
The modified Toback does not disclose, however, as discussed above, Hines teaches or suggests: providing alternative software package rankings as insights (Hines, [0044], a report is generated that includes relevant patches (i.e., software packages) and corresponding scores wherein the relevant patches are ranked from highest score to lowest score, the highest scores being the most useful patches to recommend to an analyst).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify/combine the teachings of the modified Toback to include ranking alternative software packages from least to most vulnerable based on a calculated score as taught by Hines for the benefit of rapidly providing an analyst a ranking of software patches that are most relevant or useful in fixing an existing vulnerability (Hines, [0044]). 

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Refer to PTO-892, Notice of References Cited for a listing of analogous art.
Bell, JR. et al. (US 20150365437 A1) teaches generating a list of known software packages and calculating corresponding risk/exploit levels according to known or unknown vulnerabilities ([0021], [0028], [0030]).
Hirsave et al. (US 20080263534 A1) teaches deploying a software patch according to a policy and a calculated risk level of the software patch (Fig. 6).

Any inquiry concerning this communication or earlier communications from the examiner should be directed to ALEXANDER R LAPIAN whose telephone number is (571)272-7552. The examiner can normally be reached M-F 9:30-6:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kristine Kincaid can be reached on 571-272-4063. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

ALEXANDER R. LAPIAN
Examiner
Art Unit 2437



/ALEXANDER R LAPIAN/Examiner, Art Unit 2437    

/KRISTINE L KINCAID/Supervisory Patent Examiner, Art Unit 2437