Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.


Response to Arguments
Applicant’s arguments with respect to claim(s) 1-23 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Applicant argues that the claims should be allowed because claim 8 was objected to as being allowable subject matter. Examiner asserts that, since not all of claim 8 was amended to be included in the independent claims, the claims at issue are not allowable.

Claim 1 now states predicting security incidents and determining a likelihood score.
Examiner points to Newton [0077], which states that it uses vulnerability data, severity, credibility, and relevance to calculate a threat and likelihood forecast; however, no mention of “score” is used.
Examiner points to Li [0039][0040], which state a large number of metrics, including an exploitability metric, which is how easy or available it is for malicious agents to attack. Examiner believes that this reads on the likelihood of attack or a security incident. Li teaches that the plurality of factors may be used in scoring.
However, to further prosecution of the claims at issue, Examiner has incorporated Thomson US 2018/0189697 to meet the claim limitations as amended with regard to likelihood score etc.



Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1-4, 7, 9-12, 15, 18-21, 23 is/are rejected under 35 U.S.C. 103 as being unpatentable over Newton US 2007/0180107 in view of Li US 2017/0098087 in view of Thomson US 2018/0189697.

As per claims 1, 23  Newton teaches A method for vulnerability management for connected devices in a network, using an Enterprise Aggregation and Analysis Server (EAAS), said method comprising: analyzing data packets from said network, by an Edge Packet Collector and Processor (EPCP) module, coming from one or more devices in said network; [0042][0043][0055][0072]-[0080]  (teaches an enterprise security system including packet collecting and collating, along with vulnerability analysis and remediation, including forecast of likely attacks and success likelihood)

Li teaches identifying a vulnerability, by a Correlation Engine, in a device from said one or more devices using information from at least one among Cloud Aggregation Server and Knowledge Base, one or more external sources, MDS2 database, and internal sources;  determining if said vulnerability affects said device, by said Correlation Engine, by applying one or more rules stored in a Rule Engine; calculating vulnerability score (VS), by a Risk Evaluation and Recall Monitoring (RERM) module, for said vulnerability: predicting one or more security incidents using said VS, by said Correlation Engine, for said device; and identifying one or more recommendations for remediation or mitigation of said vulnerability, by said Correlation Engine. [0019][0021] [0036]-[0040]  (Li teaches using a national database of vulnerabilities in addition to scanning and scoring to determine a priority of remediation)

It would have been obvious to one of ordinary skill in the art to use the scoring of Li with the system of Newton at the time the invention was filed because it provides a comprehensive way to accurately evaluate a system for vulnerabilities.

Thomson teaches wherein predicting one or more security incidents for said device comprises: determining a likelihood score for said device based on vulnerability scores for said one or more vulnerabilities identified for the device and identifying one or more security incidents associated with said device based on said likelihood score for said device.
[0019][0025][0026][0027][0032][0037] (teaches receiving threat information including vulnerability information about a system used for calculating threat scores, including threat indicator confidence, target attack risk, asset impact, and risk of loss. Teaches that both TIC and TAR scores are likelihood scores to indicate that a particular asset will be a threat or vulnerability in the future; teaches combining a plurality of said scores to calculate an overall composite risk for particular assets)
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to use the teachings of Thomson with the prior combination because it promotes increased efficiency [0004].
As per claim 2. Li teaches The method in claim 1, where calculating VS for said vulnerability comprises: calculating impact metric (IM) and exploitability metric (EM); assigning weights $W_i$ and $W_e$ to IM and EM respectively, based on the context; calculating vulnerability score using IM, EM and their respective weights, using the formula: $VS = W_i \times IM + W_e \times EM$, where IM is impact metric, $W_i$ is the weight for impact metric, EM is exploitability metric, and $W_e$ is the weight for exploitability metric. [0036][0039] (teaches calculating a composite vulnerability score based on weighted metrics including impact and exploitability)
As per claim 3. Li teaches The method in claim 2, where IM and EM are equally weighted ($W_i$ equals $W_e$) in computing the vulnerability score for enterprise devices. [0036][0039] (teaches calculating a composite vulnerability score based on weighted metrics including impact and exploitability; Examiner asserts the weights are decided based on user/administrator configuration)
As per claim 4. Li teaches The method in claim 2, where IM is weighted more compared to EM ($W_i$ is more than $W_e$) in computing the vulnerability score for personal devices. [0036][0039] (teaches calculating a composite vulnerability score based on weighted metrics including impact and exploitability; Examiner asserts the weights are decided based on user/administrator configuration)
As per claim 7. Li teaches The method in claim 1, said method further comprising: identifying plurality of anomalies for said device; assigning scores to each of said plurality of anomalies, based on criticality of anomaly; and determining an overall anomaly score for said device. [0040]
As per claim 9. Newton teaches The method in claim 1, said method further comprising: providing a vulnerability report for said device, by said RERM module, to one or more users of EAAS, said report comprising: identity of said device; one or more identified vulnerabilities of said device; vulnerability score associated with said one or more identified vulnerabilities; recommended remediation or mitigating measures for vulnerabilities crossing a pre-configured threshold; and the risk associated with said device. [0055][0056][0078][0080] (teaches a very complete record and report for users and administrators)
As per claim 10. Newton teaches The method in claim 1, where providing report includes displaying said security incidents on a graphical user interface for said one or more users. [0080]
As per claim 11. Newton teaches The method in claim 1, where providing report includes sending a message with said security incidents to said one or more users. [0080]
As per claim 12. Newton teaches The method in claim 10, said remediation measures can include suggestions relating to network reconfiguration for a device or a set devices of a particular group, where device group may be identified based at least one among type of devices, nature of data being accessed from devices, risk associated with devices, type of operating system on devices, and function of devices. [0079]
As per claim 15. Newton teaches The method in claim 1, where said report highlights high risk assets for user attention. [0055][0056][0078][0080] (Examiner asserts that “highlights” is subjective, and well known in the art in any case)
As per claim 18. Li teaches The method in claim 1, said method further comprising marking said device as high-risk asset, when said device is affected by one or more of pre-identified high-risk vulnerabilities. [0039][0040][0046]
As per claim 19. Li teaches The method in claim 1, said method further comprising prioritizing high risk devices for future vulnerability assessments. [0046][0054] (teaches retesting and/or extra testing based on vulnerability and high risk assessments)
As per claim 20. Li teaches The method in claim 1, said method further comprising prioritizing devices marked as critical, based on user input, for vulnerability assessments. [0040]
As per claim 21. Li teaches The method in claim 1, further comprising: scan for information on vulnerability from relevant sources on the Internet; parse unstructured data from said sources and match specific patterns; create one or more new rules based, when there is a match with the keywords or patterns; update said Rule Engine with said one or more new rules. [0022][0023] (scanner application updated with new rules signatures, etc)


Claims 5, 6 is/are rejected under 35 U.S.C. 103 as being unpatentable over Newton US 2007/0180107 in view of Li US 2017/0098087 in view of Pfleger de Aguiar US 2018/0136921.
As per claim 5. Pfleger de Aguiar teaches The method in claim 2, where IM is calculated using: $IM = \min(1 - (1 - CI \times CR) \times (1 - II \times IR) \times (1 - AI \times AR),\ 0.915)$, where CI is Confidentiality Impact, CR is Confidentiality Requirement, II is Integrity Impact, IR is Integrity Requirement, AI is Availability Impact, and AR is Availability Requirement. [0031] (teaches including all these factors in calculating an impact/exploit score)
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to use the teaching of Pfleger de Aguiar with the prior combination because it provides a more comprehensive calculation.
As per claim 6. Pfleger de Aguiar teaches The method in claim 2, where EM is calculated using: $EM = AV \times AC \times PR \times UI$, where AV is Attack Vector, AC is Attack Complexity, PR is Privilege Required, and UI is User Interaction. [0031] (teaches including all these factors in calculating an impact/exploit score)
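The formulas recited in claims 2 through 6, worked through as an added example (not code from the application, the cited references, or the examiner). The weight pairs and all numeric inputs are constructed assumptions in the style of CVSS v3 metric values; the only numeric value on the page is the 0.915 cap.

```python
# Added example: the scoring formulas recited in claims 2-6, on constructed inputs.

# Assumed (W_i, W_e) pairs. The claims fix only the relation: equal weights for
# enterprise devices, W_i greater than W_e for personal devices.
WEIGHTS = {"enterprise": (0.5, 0.5), "personal": (0.7, 0.3)}
IM_CAP = 0.915  # upper bound recited in claim 5


def impact_metric(ci, cr, ii, ir, ai, ar):
    """IM = min(1 - (1 - CI*CR)(1 - II*IR)(1 - AI*AR), 0.915)  (claim 5)."""
    remaining = 1.0
    for impact, requirement in ((ci, cr), (ii, ir), (ai, ar)):
        term = impact * requirement
        if not 0.0 <= term <= 1.0:
            raise ValueError(f"impact*requirement out of [0, 1]: {term}")
        remaining *= 1.0 - term
    return min(1.0 - remaining, IM_CAP)


def exploitability_metric(av, ac, pr, ui):
    """EM = AV * AC * PR * UI  (claim 6)."""
    return av * ac * pr * ui


def vulnerability_score(vuln, context):
    """VS = W_i*IM + W_e*EM with context-dependent weights (claims 2-4)."""
    w_i, w_e = WEIGHTS[context]
    im = impact_metric(*vuln["impact"])
    em = exploitability_metric(*vuln["exploit"])
    return w_i * im + w_e * em


def rank(vulns, context):
    """Order vulnerability names from highest to lowest VS."""
    return sorted(vulns, key=lambda n: vulnerability_score(vulns[n], context),
                  reverse=True)


# Constructed sample data: impact = (CI, CR, II, IR, AI, AR), exploit = (AV, AC, PR, UI).
VULNS = {
    "remote-high-impact": {"impact": (0.56, 1.5, 0.56, 1.0, 0.22, 1.0),
                           "exploit": (0.85, 0.77, 0.85, 0.85)},
    "local-low-impact": {"impact": (0.22, 0.5, 0.0, 1.0, 0.0, 1.0),
                         "exploit": (0.55, 0.44, 0.62, 0.62)},
}

if __name__ == "__main__":
    for ctx in WEIGHTS:
        for name in rank(VULNS, ctx):
            print(ctx, name, round(vulnerability_score(VULNS[name], ctx), 4))
```

For the first sample the uncapped impact term is 0.945088, so the 0.915 bound applies, and the same vulnerability scores higher on a personal device than on an enterprise device because impact carries more weight there.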
Claim 13, 14 is/are rejected under 35 U.S.C. 103 as being unpatentable over Newton US 2007/0180107 in view of Li US 2017/0098087 in view of Govindarajan US 2006/0095961.
As per claim 13. Govindarajan teaches The method in claim 11, wherein said reconfiguration includes assigning said device or said group of devices to their own VLAN. [0014][0038] (teaches that the highly vulnerable device is isolated in a secure VLAN)
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to use the isolation of Govindarajan with the previous combination because it increases security.
As per claim 14. Govindarajan teaches The method in claim 11, wherein said reconfiguration includes isolating said device or said group of devices by removing connectivity to the rest of the network. [0014][0038] (teaches that the highly vulnerable device is isolated in a secure VLAN)


Claim 16, 17 is/are rejected under 35 U.S.C. 103 as being unpatentable over Newton US 2007/0180107 in view of Li US 2017/0098087 in view of Navarro US 2019/0230098.
As per claim 16. Navarro teaches The method in claim 1, said method further comprising automatically mitigating risk by taking necessary action for vulnerabilities crosses a pre-configured threshold. [0037][0039] (teaches a score crosses a preset threshold and automatically protected against high risk vulnerability threat)
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to use the threshold of Navarro with the previous combination because it helps prioritize remediation.
As per claim 17. Navarro teaches The method in claim 1, said method further comprising marking said device as high-risk asset based on vulnerability score, when said vulnerability score is crosses a pre-configured threshold. [0037][0039] (teaches a score crosses a preset threshold and automatically protected against high risk vulnerability threat)


Claim 22 is/are rejected under 35 U.S.C. 103 as being unpatentable over Newton US 2007/0180107 in view of Li US 2017/0098087 in view of Bar Joseph US 10,963,571
As per claim 22. Bar Joseph teaches The method in claim 1, further comprising: analyzing other impact factors based on said vulnerability, said factors comprising: patient impact factor; data impact factor; and business impact factor.  (Column 4 line 64 to Column 5 line 5) (business risk, healthcare information risk)
It would have been obvious to one of ordinary skill in the art to use the risk of Bar Joseph with the previous combination because it includes a more comprehensive vulnerability assessment.



Allowable Subject Matter
Claim 8 is objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.


Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHRISTOPHER BROWN whose telephone number is (571)272-3833. The examiner can normally be reached M-F 8-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on (571) 270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/CHRISTOPHER J BROWN/Primary Examiner, Art Unit 2439