DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This initial written action responds to the communication dated 06/24/2020.
Claims 1-8 are submitted for examination.
Claims 1-2 and 7-8 have been withdrawn. Claims 3-6 have been elected without traverse.
Claims 3-6 are pending.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Priority
This application, filed on June 24, 2020, claims priority to provisional application 62/865,505, filed on June 24, 2019.
Information Disclosure Statement
The following Information Disclosure Statements in the instant application were submitted in compliance with the provisions of 37 CFR 1.97 and thus have been fully considered:
IDS filed on 03 July 2021.

Election/Restrictions
Restriction to one of the following inventions is required under 35 U.S.C. 121:
I.    Claims 1-2 and 7-8, drawn to a method of reducing false positives by 90-95% by analyzing a master data set utilizing a classifier model, classified in class G06N20/00 (machine learning).
II.    Claims 3-6, drawn to a method of applying a classification algorithm to label software vulnerabilities and comparing with existing classifiers to output a report with 90-95% fewer false positives, classified in class G06F21/577 (Assessing vulnerabilities and evaluating computer system security).
The inventions are distinct from each other because inventions I and II are related as subcombinations disclosed as usable together in a single combination. The subcombinations are distinct from each other if they are shown to be separately usable. In the instant case, Invention I analyzes data with machine learning, while Invention II classifies/labels vulnerabilities and compares the classified vulnerabilities with existing classifiers. See MPEP §806.05(d). Because these inventions are distinct for the reasons given above and have acquired a separate status in the art as shown by their different classification, restriction for examination purposes as indicated is proper.
A telephone call was made to the attorney of record, Mr. Todd L. Juneau (Reg. No. 40,669), on 05/26/2022 to request an oral election to the above restriction requirement. The attorney elected the second group (II), Claims 3-6, without traverse.
Until all claims to the elected product/apparatus are found allowable, an otherwise proper restriction requirement between claims may be maintained. Withdrawn claims that are not commensurate in scope with an allowed claim will not be rejoined. See MPEP § 821.04. Additionally, in order for rejoinder to occur, applicant is advised that the process claims should be amended during prosecution to require the limitations of the allowable claims. Failure to do so may result in no rejoinder. Further, note that the prohibition against double patenting rejections of 35 U.S.C. 121 does not apply where the restriction requirement is withdrawn by the examiner before the patent issues. See MPEP § 804.01.
Applicant is reminded that upon the cancellation of claims to a non-elected invention, the inventorship must be corrected in compliance with 37 CFR 1.48(a) if one or more of the currently named inventors is no longer an inventor of at least one claim remaining in the application. A request to correct inventorship under 37 CFR 1.48(a) must be accompanied by an application data sheet in accordance with 37 CFR 1.76 that identifies each inventor by his or her legal name and by the processing fee required under 37 CFR 1.17(i).

Claim Objection
Claim 4 is objected to for the following reason.
Claim 4 is written in a form such that it cannot be identified as either an independent claim or a dependent claim. In addition, Claim 3 is a computer-implemented method claim while Claim 4 is a system claim, so the two claims are from different statutory classes. Examiner suggests writing the claim in proper independent/dependent form with all the required limitations.

Claim 6 is objected to for the following reason.
Claim 6 is written in a form such that it cannot be identified as either an independent claim or a dependent claim. In addition, Claim 5 is a computer-implemented method claim while Claim 6 is a system claim, so the two claims are from different statutory classes. Examiner suggests writing the claim in proper independent/dependent form with all the required limitations.

Claim 5 recites the following: “…….. and aggregating scan results into a CSV file of potential vulnerabilities; Selecting a subset of the potential vulnerabilities based on the severity status to identify most critical ones for manual examination and labeling the vulnerabilities as true or false positive; Creating a training and a testing dataset using machine learning software WEKA and a stratified sampling technique;..”. Applicant is reminded that any acronym introduced for the first time is required to be spelled out in its entirety. Appropriate correction is required.

Claim 5 recites the following: “…….. Applying to the CSV file the 13 different open source classiiers with the relevant features identified and recording the results (false and true positive)”. “Classifiers” is misspelled. Appropriate correction is required.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 3-6 are rejected under 35 U.S.C. 103 as being unpatentable over Bezzi et al. (US PGPUB. # US 2019/0347424, hereinafter “Bezzi”) and further in view of Sharma et al. (US PGPUB. # US 2020/0057858, hereinafter “Sharma”).

Referring to Claims 3 and 4:
Regarding Claim 3, Bezzi teaches,
A computer-implemented method for labelling true and false vulnerabilities in software code (during static code analysis), comprising: 
Providing non-running (static) source code; (¶19, “a novel method that uses machine-learning techniques to extract the needed information directly from source code repositories, without relying on external vulnerability databases (such as the NVD)”, Fig. 3(302), ¶40, “one or more processors (e.g., of a computing device or system, such as client device 110, server system 102, security-relevant code detection system 124, or the like) accesses one or more source code repositories”, ¶41, i.e. source code is provided).
Applying a classification algorithm with its variants to a 10% selection of the source code to label software vulnerabilities in the source code as true or false to generate a classifier model; (¶32-¶33, Fig. 3(304, 306), ¶42, “The data may be obtained by the repository access layer 220 and augmented with annotations (e.g., done by a user such as a security expert) indicating whether the code change is security relevant or not”, ¶43, “the data comprising the plurality of code changes is converted to generate labeled training data for training a security-relevant code detection machine learning model”, i.e. Examiner submits that security expert annotating data to classify as security related (true) and not security related (false) is considered as 10% selection of the source code)
Outputting an Enhanced Vulnerabilities Report containing 90-95% less False Positives than a vulnerabilities report generated by existing classifiers without the classifier model; (¶49, “The inventors studied the effect of different choices for class weights on precision and recall and found that setting them to {‘pos’: 0.8, ‘neg’: 0.2} gives precision as high as 97%, with 29% recall”, Fig. 4(412), ¶58, “The results may be provided to a computing device (e.g., client device 110)”, Fig. 6, “The results may be provided to a computing device (e.g., client device 110)”, i.e. an enhanced vulnerability report is output containing 90-95% fewer false positives).
wherein the method is performed by one or more computing devices. (Fig. 9, ¶10).
Bezzi does not teach explicitly,
Applying a selection process to identify a plurality of most important features used in the algorithm to detect and distinguish the true and false positive findings of the classifier model containing source code analysis results using empirical and semantic method of identifying and using personal identifier as a critical feature for classification validated by experimentation and comparison to 13 existing classifiers; 
However, Sharma teaches,
Applying a selection process to identify a plurality of most important features used in the algorithm to detect and distinguish the true and false positive findings of the classifier model containing source code analysis results using empirical and semantic method of identifying and using personal identifier as a critical feature for classification validated by experimentation and comparison to 13 existing classifiers; (¶17, “Among the selected features, titles, descriptions, comments, and labels are text features that contain semantic information which can be processed by the NLP 112”, ¶20, “The generator 116 trains and tests the N classifiers to accurately identify vulnerabilities by classifying the vulnerability vectors 114 and validating identifications with the vulnerability data 102”, ¶23, “The vulnerability database 120 then returns appropriate information for each of the open source libraries in the client data 124 to the client request manager 122”, ¶24, “ the client system 126a may directly request a new search be performed for “openLibraryV1.1” to ensure that vulnerabilities are detected. This request may be made based on operational parameters specified by the client system 126a in the client data 124”, Fig. 2, ¶27, “The vulnerability database 204 contains the open source library data 206a-d for four different open source libraries. The open source library data 206a comprises a table of version histories for the open source library with associated vulnerability data”, ¶29, “The AVIS controller 214 initiates a series of operations to identify vulnerabilities using the data scraper 216, the NLP 218, and the vulnerability classifier ensemble 220. Once identified, vulnerability data is returned to the client request manager 202 as the client vulnerability data 226a by the AVIS controller 214”, ¶31, “The generated vulnerability vectors are sent to the vulnerability identifier 220 for processing”, Fig. 3, Fig. 5. Examiner submits that a selection process is applied to select certain vulnerabilities based on open source libraries (existing classifiers), and that an identified vulnerability in the data (having a personal identifier) is classified as true while non-identified vulnerabilities in the data are considered false. In addition, the open source library contains all the vulnerability classifiers, so the comparison also includes the 13 existing classifiers).
As per KSR v. Teleflex, combining prior art elements according to known methods (device, product) to yield predictable results may be used to create a prima facie case of obviousness.
It would have been obvious to one of ordinary skill in the art before the effective filing date to have combined the teachings of Sharma with the invention of Bezzi.
Bezzi teaches selecting part of the source code for labelling and outputting an enhanced vulnerability report. Sharma teaches identifying critical vulnerabilities based on comparison with open source libraries. Therefore, it would have been obvious to combine identifying critical vulnerabilities based on comparison with open source libraries, as taught by Sharma, with selecting part of the source code for labelling and outputting an enhanced vulnerability report, as taught by Bezzi, to provide manageable, consistent vulnerability identification in a timely and reliable manner and to address open source vulnerabilities not reported publicly.
KSR Int’l v. Teleflex Inc., 127 S. Ct. 1727, 1740-41, 82 USPQ2d 1385, 1396 (2007). 

Regarding Claim 4, it is the system claim corresponding to method Claim 3 above, and therefore Claim 4 is rejected under the same rationale as applied against Claim 3 above.


Referring to Claims 5 and 6:
Regarding Claim 5, Bezzi teaches,
 A computer-implemented method for labeling true and false vulnerabilities in software code after static code analysis, comprising: 
Scanning source code using a plurality of source code analysis tools, and aggregating scan results into a CSV file of potential vulnerabilities; (¶19, “a novel method that uses machine-learning techniques to extract the needed information directly from source code repositories, without relying on external vulnerability databases (such as the NVD)”, Fig. 3(302), ¶40, “one or more processors (e.g., of a computing device or system, such as client device 110, server system 102, security-relevant code detection system 124, or the like) accesses one or more source code repositories”, ¶41, i.e. source code is provided)
Selecting a subset of the potential vulnerabilities based on the severity status to identify most critical ones for manual examination and labeling the vulnerabilities as true or false positive; (¶32-¶33, Fig. 3(304, 306), ¶42, “The data may be obtained by the repository access layer 220 and augmented with annotations (e.g., done by a user such as a security expert) indicating whether the code change is security relevant or not”, ¶43, “the data comprising the plurality of code changes is converted to generate labeled training data for training a security-relevant code detection machine learning model”, i.e. Examiner submits that a security expert annotating data to classify it as security related (true) or not security related (false) is considered selection of a subset of the vulnerabilities in the source code)
Creating a training and a testing dataset using machine learning software WEKA and a stratified sampling technique; (Fig. 3(308), ¶48, “in operation 308, the one or more processors trains the security-relevant code detection machine learning model 204 using, for example, a first subset of the labeled training data to generate a trained security-relevant code detection machine learning model”)
Applying to the CSV file [the 13 different open source classifiers] with the relevant features identified and recording the results (false and true positive); (¶49, “The inventors studied the effect of different choices for class weights on precision and recall and found that setting them to {‘pos’: 0.8, ‘neg’: 0.2} gives precision as high as 97%, with 29% recall”, Fig. 4(412), ¶58, “The results may be provided to a computing device (e.g., client device 110)”, Fig. 6, “The results may be provided to a computing device (e.g., client device 110)”, i.e. the results are stored and an enhanced vulnerability report is output containing 90-95% fewer false positives).
wherein the method is performed by one or more computing devices. (Fig. 9, ¶10).
Bezzi does not teach explicitly,
Applying 13 different open source classifiers on the testing dataset; 
Identifying one of the 13 different open source classifiers as having a highest accuracy and using the highest accuracy open source classifier to determine and validate a best feature selection result; 
[Applying to the CSV file] the 13 different open source classifiers [with the relevant features identified and recording the results (false and true positive)]; 
However, Sharma teaches,
Applying 13 different open source classifiers on the testing dataset; (¶23, “The vulnerability database 120 then returns appropriate information for each of the open source libraries in the client data 124 to the client request manager 122”, ¶24, “ the client system 126a may directly request a new search be performed for “openLibraryV1.1” to ensure that vulnerabilities are detected. This request may be made based on operational parameters specified by the client system 126a in the client data 124”, Fig. 2, ¶27, “The vulnerability database 204 contains the open source library data 206a-d for four different open source libraries. The open source library data 206a comprises a table of version histories for the open source library with associated vulnerability data”, Fig. 3 (306, 308, 310), ¶35-¶40, “This iterative training and testing of each classifier for each dataset fold yields S×M predictions which are stored as probability vectors. The stored probabilities can be associated with the corresponding classification labels for the samples within the probability vectors or a separate data structure”, Fig. 5. Examiner submits that a selection process is applied to select certain vulnerabilities based on open source libraries (existing classifiers), and that an identified vulnerability in the data (having a personal identifier) is classified as true while non-identified vulnerabilities in the data are considered false. In addition, the open source library contains all the vulnerability classifiers, so the comparison also includes the 13 existing classifiers. Thus, the open source classifiers are applied to the test dataset)
Identifying one of the 13 different open source classifiers as having a highest accuracy and using the highest accuracy open source classifier to determine and validate a best feature selection result; (Abstract, “The system uses a K-folding cross validation algorithm to partition a sample dataset and then train and test a set of N classifiers with the dataset folds”, ¶20, “The generator 116 trains and tests the N classifiers to accurately identify vulnerabilities by classifying the vulnerability vectors 114 and validating identifications with the vulnerability data 102. This training and testing generates for each vulnerability vector a prediction from each trained classifier”, ¶24, “ the client system 126a may directly request a new search be performed for “openLibraryV1.1” to ensure that vulnerabilities are detected. This request may be made based on operational parameters specified by the client system 126a in the client data 124”, Fig. 2, ¶27, “The vulnerability database 204 contains the open source library data 206a-d for four different open source libraries. The open source library data 206a comprises a table of version histories for the open source library with associated vulnerability data”, ¶29, “The AVIS controller 214 initiates a series of operations to identify vulnerabilities using the data scraper 216, the NLP 218, and the vulnerability classifier ensemble 220. Once identified, vulnerability data is returned to the client request manager 202 as the client vulnerability data 226a by the AVIS controller 214”, ¶31, “The generated vulnerability vectors are sent to the vulnerability identifier 220 for processing”, Fig. 3, Fig. 5. Examiner submits that a selection process is applied to select certain vulnerabilities based on open source libraries (existing classifiers). In addition, the open source library contains all the vulnerability classifiers, so the comparison also includes the 13 existing classifiers, including the one with the highest accuracy).
[Applying to the CSV file] the 13 different open source classifiers (Fig. 2, ¶27, “The vulnerability database 204 contains the open source library data 206a-d for four different open source libraries. The open source library data 206a comprises a table of version histories for the open source library with associated vulnerability data”. Examiner submits that the open source library contains all the vulnerability classifiers, so the comparison also includes the 13 existing classifiers) [with the relevant features identified and recording the results (false and true positive)];
As per KSR v. Teleflex, combining prior art elements according to known methods (device, product) to yield predictable results may be used to create a prima facie case of obviousness.
It would have been obvious to one of ordinary skill in the art before the effective filing date to have combined the teachings of Sharma with the invention of Bezzi.
Bezzi teaches selecting part of the source code for labelling and outputting an enhanced vulnerability report. Sharma teaches identifying critical vulnerabilities based on comparison with open source libraries. Therefore, it would have been obvious to combine identifying critical vulnerabilities based on comparison with open source libraries, as taught by Sharma, with selecting part of the source code for labelling and outputting an enhanced vulnerability report, as taught by Bezzi, to provide manageable, consistent vulnerability identification in a timely and reliable manner and to address open source vulnerabilities not reported publicly.
KSR Int’l v. Teleflex Inc., 127 S. Ct. 1727, 1740-41, 82 USPQ2d 1385, 1396 (2007). 

Regarding Claim 6, it is the system claim corresponding to method Claim 5 above, and therefore Claim 6 is rejected under the same rationale as applied against Claim 5 above.

Claims 1-2 and 7-8:	Withdrawn

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Refer to PTO-892, Notice of References Cited, for a listing of analogous art.
Kimball et al. (US PAT. # US 10,817,604) discloses methods that execute tools to identify non-malicious faults in source code introduced by engineers and programmers. The tools may execute a machine learning model on the source code to perform sentiment analysis and pattern analysis on information associated with the source code to generate annotated source code files identifying anomalies based on the sentiment analysis and the pattern analysis. One or more threat levels are then identified and ranked based on the one or more anomalies, and a ranked list of the one or more threat levels is displayed on a graphical user interface of a computer.
Farkash et al. (US PGPUB. # US 2020/0320202) discloses conducting a privacy vulnerability assessment of a software application that comprises program code, by performing at least one of: (i) evaluating the program code to identify code segments presenting a potential dissemination of specified data to an unauthorized destination, (ii) detecting one or more execution paths in the software application which use the specified data for an unauthorized purpose, and (iii) analyzing the content of data flows from the software application to detect the specified data in the data flows; and then generating one or more vulnerability summaries based, at least in part, on the results of the evaluating, the detecting, and the analyzing.
Roytman et al. (US PGPUB. # US 2020/0057857) discloses causing generation of a first prediction model based on first training data, where the first prediction model enables determining whether an exploit to be developed for software vulnerabilities will be used in an attack. For each training instance in the first training data, the first prediction model is used to generate a score. Each training instance is added to second training data if the score is greater than a threshold value. The second training data is a subset of the first training data. Generation of a second prediction model is caused based on the second training data, where the second prediction model enables determining whether an exploit to be developed for software vulnerabilities will be used in an attack.
Kolychev et al. (US PGPUB. # US 2019/0377880) discloses methods for automated verification of potential vulnerabilities of one or more sites or code utilizing one or more neural networks. The systems, methods and computer readable media can transmit one or more scan operations to one or more sites, receive one or more responses to the one or more scan operations, tokenize the one or more responses, transmit the one or more tokenized responses to one or more neural networks, receive from the one or more neural networks verification of the one or more tokenized responses, and determine one or more confidences of the one or more verified responses.
TAN et al. (US PGPUB. # US 2019/0138731) discloses a method for determining defects and security vulnerabilities in software code. The method includes generating a deep belief network (DBN) based on a set of training code produced by a programmer and evaluating performance of the DBN against a set of test code.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DARSHAN I DHRUV whose telephone number is (571)272-4316. The examiner can normally be reached M-F 9:00 AM-5:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Yin-Chen Shaw can be reached on 571-272-8878. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/DARSHAN I DHRUV/           Primary Examiner, Art Unit 2498