DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This office action is in response to the application filed on 04/09/2020.
 Claims 1-20 are currently pending in this application.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 05/07/2020 was filed.  The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Examiner’s Note
Applicant is suggested to include information of the figs. 1 and 5 of the specification (e.g., the communication structures and links, etc.) to the claims to improve the application for providing a better condition for an allowance.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(B)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention. 

Claims 1-20 are rejected under 35 U.S.C. 112(b) as being indefinite for failing to particularly point out and distinctly claim the subject matter which applicant regards as the invention.

Claim 1 (claims 11 and 20 include similar limitations) recites:
“… evaluating … respective perceived criticalities of a first new patch and a second new patch for the security vulnerability based on … and an actual criticality of the first and second new patches for the security vulnerability …”, however, it is not clear how to define the respective perceived criticalities and the actual criticality (e.g., whether respective to the actual criticality or not);
“… installing … the first new patch … based on the respective perceived criticalities (of the first new patch …) … for securing the workload …”, however, it is not clear how the patches with criticalities can be installed for securing the workload (or the patches with security vulnerability are used in the security process).
Claims 2-10 and 12-19 depend from the claim 1 or 11 and are analyzed and rejected accordingly.

Claims 3 and 13 recite “… identifying … another security vulnerability related to  … the perceived criticality of a third new patch for the other security vulnerability …”, however, it is not clear (1) whether “another security vulnerability” are the same type with “the security vulnerability” included before or not; (2) the terms (e.g., the perceived criticality”, “the other security vulnerability”, etc.) have antecedent basis issues (e.g., not defining “a perceived criticality of a third new patch” and “other security vulnerability” before).
Claims 6 and 16 recite “… based on a quality of communication index for installing …”, however, it is not clear how to define the quality to the communication index (e.g., the first communication index has a good quality).
Claims 8 and 18 recite “… downloading … patches from a respective source or … by using a respective resource-specific agent …”, however, it is not clear what “a respective source” and “a respective resource-specific agent” are respecting to.
Claims 10 and 19 recite “… the security vulnerability is defined in a national vulnerability database”, however, it is not clear whether “a national vulnerability database” is the National Vulnerability Database (NVD) of the National Institute of Standards and Technology (NIST) or not.
Claim 20 recites “… storing instructions executable … the instructions comprising: instruction to obtain … instruction to determine … instructions to identify … instructions to evaluate … instructions to install …”, however, it is not clear whether “instruction” and “instructions” included in different locations of the claims are the same or not.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Gao et al. (US 2019/0026091 A1).

As per claim 1, Gao teaches a method comprising:
obtaining, by a processing resource, information of existing patches for each of a plurality of infrastructure resources that are required to execute a workload, wherein the plurality of infrastructure resources is segregated as multiple layers comprising a hardware layer, a host layer, and an application layer [figs. 1, 2, 10; par. 0002, lines 3-7; par. 0017, lines 3-10; par. 0020, lines 1-6; par. 0102, lines 1-8; par. 0105, lines 1-8 of Gao teaches obtaining, by a processing resource, information of existing patches (e.g., collecting the environment information including existing program code, software or patches that are installed for relevancy) each of a plurality of infrastructure resources (e.g., components of environment information of the cloud computing environment) that are required to execute a workload, wherein the plurality of infrastructure resources is segregated as multiple layers comprising a hardware layer, a host layer, and an application layer (e.g., layers in fig. 10)];
determining, by the processing resource, dependency of the plurality of infrastructure resources across the multiple layers; identifying, by the processing resource, a security vulnerability related to the plurality of infrastructure resources [figs. 1, 7; par. 0063, lines 1-15; par. 0064, lines 1-8; par. 0104, lines 9-11 of Gao teaches determining, by the processing resource, dependency of the plurality of infrastructure resources (e.g., dependencies of the computing environment including program code), across the multiple layers; identifying, by the processing resource, a security vulnerability (e.g., impact area or the security information) related to the plurality of infrastructure resources (e.g., components of environment information of the cloud computing environment or resources)];
evaluating, by the processing resource, respective perceived criticalities of a first new patch and a second new patch for the security vulnerability based on a plurality of parameters comprising a workload weightage, a resource age of the plurality of infrastructure resources, and an actual criticality of the first and second new patches for the security vulnerability [figs. 1, 7; par. 0025, lines 1-8; par. 0029, lines 1-20; par. 0030, lines 1-9; par. 0033, lines 1-6; par. 0055, lines 1-17; par. 0105, lines 1-8 of Gao teaches evaluating, by the processing resource, respective perceived criticalities (e.g., severity of the patches) of a first new patch and a second new patch (e.g., patches or program code) for the security vulnerability (e.g., the security area of impact of the patch) based on a plurality of parameters comprising a workload weightage (e.g., according to scale and workload requirements), a resource age of the plurality of infrastructure resources (e.g., the software development and lifecycle), and an actual criticality of the first and second new patches for the security vulnerability (e.g., actually results of the new patches installation)]; and
installing, by the processing resource, the first new patch followed by the second new patch on the plurality of infrastructure resources based on the respective perceived criticalities, in an order of the determined dependency, for securing the workload from the security vulnerability [fig. 5; par. 0052, lines 1-25; par. 0053, lines 1-19;  of Gao teaches installing, by the processing resource, the first new patch followed by the second new patch (e.g., installation of patches providing the results after installation) on the plurality of infrastructure resources based on the respective perceived criticalities, in an order of the determined dependency, for securing the workload from the security vulnerability (e.g., installing from the first-layer/level or domain of the model tree to the leaf node according to the installation recommendation)].

As per claim 2, Gao teaches the method of claim 1. 
Gao further teaches wherein evaluating the respective perceived criticalities comprises determining if the perceived criticality for each of the first and second new patches is greater than a predefined criticality, wherein the predefined criticality is defined by a customer or an administrator of the workload [par. 0020, lines 1-22; par. 0030, lines 1-9; par. 0031, lines 1-11 of Gao teaches wherein evaluating the respective perceived criticalities comprises determining if the perceived criticality for each of the first and second new patches is greater than a predefined criticality (e.g., the user acceptance score), wherein the predefined criticality is defined by a customer or an administrator of the workload (e.g., the user defining the user acceptance score)].

As per claim 3, Gao teaches the method of claim 1. 
Gao further teaches comprising: identifying, by the processing resource, another security vulnerability related to the plurality of infrastructure resources; evaluating, by the processing resource, the perceived criticality of a third new patch for the other security vulnerability based on the plurality of parameters; and deferring, by the processing resource, installing the third new patch based on the perceived criticality [fig. 5; par. 0052, lines 1-25; par. 0053, lines 1-19;  of Gao teaches identifying, by the processing resource, another security vulnerability (e.g., the feedback of the installation results including successful or fail) related to the plurality of infrastructure resources; evaluating, by the processing resource, the perceived criticality of a third new patch for the other security vulnerability (e.g., determination between a proposed patch and those previous patches) based on the plurality of parameters; and deferring, by the processing resource, installing the third new patch (e.g., the patch at node along the path) based on the perceived criticality (e.g., the judgement failure is over a designed threshold)].

As per claim 4, Gao teaches the method of claim 3. 
Gao further teaches installing, by the processing resource, the third new patch on the corresponding infrastructure resource during a pre-scheduled patch update period for the workload to secure the workload from the other security vulnerability [par. 0054, lines 1-14; par. 0055, lines 1-17; par. 0056, lines 1-12 of Gao teaches installing, by the processing resource, the third new patch on the corresponding infrastructure resource during a pre-scheduled patch update period (e.g., predefined for rebuilt or recreation of the model) for the workload to secure the workload from the other security vulnerability – see also rejections to the claim 3].

As per claim 5, Gao teaches the method of claim 3. 
Gao further teaches:
re-evaluating, by the processing resource, the perceived criticality of the third new patch based on a revision of at least one parameter of the plurality of parameters used for determining the perceived criticality [par. 0053, lines 1-19; par. 0054, lines 1-14 of Gao teaches re-evaluating, by the processing resource, the perceived criticality (e.g., judgement failure) of the third new patch based on a revision of at least one parameter (e.g., information of the collected feedback) of the plurality of parameters used for determining the perceived criticality]; and
installing, by the processing resource, the third new patch on the corresponding infrastructure resource based on the perceived criticality for securing the workload from the other security vulnerability [par. 0054, lines 1-14; par. 0055, lines 1-17; par. 0056, lines 1-12 of Gao teaches installing, by the processing resource, the third new patch on the corresponding infrastructure resource (e.g., resource used for the present model) based on the perceived criticality (e.g., the failure) for securing the workload from the other security vulnerability (e.g., the failure reason)].

As per claim 6, Gao teaches the method of claim 1. 
Gao further teaches wherein installing the first and second new patches further comprises identifying at least one patch update engine from a plurality of patch update engines based on a quality of communication index for installing the first and second new patches on the plurality of infrastructure resources [par. 0032, lines 1-8; par. 0033, lines 1-6 of Gao teaches wherein installing the first and second new patches further comprises identifying at least one patch update engine (e.g., the machine or the node) from a plurality of patch update engines based on a quality of communication index (e.g., according to scale and workload requirement) for installing the first and second new patches on the plurality of infrastructure resources].

As per claim 7, Gao teaches the method of claim 1. 
Gao further teaches analyzing, by the processor based device, the existing patches to determine if the security vulnerability is remediated in the plurality of infrastructure resources before installing the first and second new patches [par. 0020, lines 1-8; par. 0022, lines 1-20 of Gao teaches analyzing, by the processor based device, the existing patches to determine if the security vulnerability is remediated (e.g., splitting and adjusting) in the plurality of infrastructure resources before installing the first and second new patches (determining patch applicability before the installing of the patches)].

As per claim 8, Gao teaches the method of claim 1. 
Gao further teaches wherein installing the first and second new patches further comprises: identifying, by the processing resource, the first and second new patches for remediating the security vulnerability; and downloading, by the processing resource, the first and second new patches from a respective source or a patch repository, by using a respective resource-specific agent from a plurality of resource-specific agents [fig. 1; par. 0022, lines 1-20; par. 0023, lines 1-18; par. 0025, lines 1-8; par. 0029, lines 1-20 of Gao teaches identifying, by the processing resource, the first and second new patches for remediating the security vulnerability; and downloading, by the processing resource, the first and second new patches from a respective source or a patch repository (e.g., the patch repository 110), by using a respective resource-specific agent (e.g., the computer system 124) from a plurality of resource-specific agents (see fig. 1)].

As per claim 9, Gao teaches the method of claim 1. 
Gao further teaches wherein the workload weightage and the resource age of the plurality of infrastructure resources are defined by an administrator of the workload [par. 0020, lines 1-22; par. 0022, lines 1-20; par. 0033, lines 1-6 of Gao teaches wherein the workload weightage and the resource age of the plurality of infrastructure resources are defined by an administrator of the workload – see rejections to the claim 1].

As per claim 10, Gao teaches the method of claim 1. 
Gao further teaches wherein the actual criticality of the first and second new patches for the security vulnerability is defined in a national vulnerability database [par. 0029, lines 1-20 of Gao teaches the actual criticality of the first and second new patches for the security vulnerability is defined in a national vulnerability database (e.g., the official guides, websites, etc.)].

Claims 11-19 are system claims that correspond to method claims 1-10, and are analyzed and rejected accordingly – see par. 0004 for the components of the system.

Claim 20 is a medium claim that corresponds to method claim 1, and is analyzed and rejected accordingly.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MAUNG T LWIN whose telephone number is (571)270-7845.  The examiner can normally be reached on Monday - Friday 10:00 am - 6:00 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/MAUNG T LWIN/Primary Examiner, Art Unit 2495