DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 09/16/2020 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim interpretations under 112 (f)
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

Claims 1 and 3 contain limitations invoking 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph as detailed in the following:
Each of the following Claim limitations:
Claim 1: “an application file analysis unit for analyzing …”;
Claim 1: “a data importance level judgment unit for deciding …”;
Claim 1: “a module exploitability judgment unit for deciding …”;
Claim 1: “a security function disposal position judgment unit for deciding …”;
Claim 3: “the module exploitability judgment unit decides …”;
has been interpreted under 35 U.S.C. 112(f), or pre-AIA 35 U.S.C. 112, sixth paragraph, because it uses a generic placeholder “unit” coupled with functional language without reciting sufficient structure to achieve the function and equivalents thereof. Furthermore, the generic placeholder is not preceded by a structural modifier.
Since the claim limitation(s) invokes 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, claims 1 and 3 have been interpreted to cover the corresponding structure described in the specification that achieves the claimed function, and equivalents thereof.  
A review of the specification shows that the following appears to be the corresponding structure described in the specification for the 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph limitation: NONE. The specification fails to show the corresponding structures of the components.
If applicant wishes to provide further explanation or dispute the examiner’s interpretation of the corresponding structure, applicant must identify the corresponding structure with reference to the specification by page and line number, and to the drawing, if any, by reference characters in response to this Office action. 
If applicant does not intend to have the claim limitation(s) treated under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, applicant may amend the claim(s) so that it/they will clearly not invoke 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, or present a sufficient showing that the claim recites/recite sufficient structure, material, or acts for performing the claimed function to preclude application of 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph.
For more information, see MPEP § 2173 et seq. and Supplementary Examination Guidelines for Determining Compliance With 35 U.S.C. 112 and for Treatment of Related Issues in Patent Applications, 76 FR 7162, 7167 (Feb. 9, 2011).

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):

(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 1-5 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the applicant regards as the invention.
Claims 1 and 3 are interpreted under 35 U.S.C. 112(f) (see above).  Therefore Claims 1 and 3 contain placeholders that require corresponding structure(s).  It is unclear whether the recited structure, material, or acts in these claims are sufficient for performing the claimed function because the Specification is unclear about the corresponding structure(s).  A block diagram such as FIG. 1 does not provide indications of corresponding structure(s).  
Claims 1-5 are rejected under 35 U.S.C. 112 (b) for the above reasons.  

Claim Rejections - 35 USC § 112
Claims 2-5 and 7-10 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the applicant regards as the invention.
Regarding claims 2 and 7, each claim recites the limitation “wherein the respective modules compose application flows, and security functions are assigned to positions where the exploitability scores of modules are higher in an application flow including plural modules having high exploitability scores and high importance levels of data exchanged between the plural modules”. Firstly, “the respective modules” does not have a previous recitation of the term and as a result, lacks proper antecedent basis. Secondly, it’s unclear if “positions” claimed here is related to “disposal positions” defined in the respective independent claims. Thirdly, “higher” is a relative word and it’s unclear what standard is used to judge “the exploitability scores of modules are higher in an application flow”.
Dependent claims 3-5 and 8-10 are also rejected for inheriting the deficiencies of the independent claims from which they depend.

Regarding claims 3 and 8, each claim recites the limitation “the exploitability scores of submodules included in each module”. The claim does not have a previous recitation of the term and as a result, lacks proper antecedent basis. For example, a lack of clarity could arise where a claim refers to “said lever” or “the lever”, where the claim contains no earlier recitation or limitation of a lever and as a result, it would be unclear as to what element the limitation was making reference to (MPEP 2173.05(e) [R-07.2015]). Appropriate correction is required to ensure proper claim interpretation.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 1 and 8 are rejected under 35 U.S.C. 103 as being unpatentable over Yamaguchi et al. (Pub. No.: US 2020/0159934, hereinafter Yamaguchi) in view of Mishra et al. (Pub. No.: US 2021/0216643, hereinafter Mishra).
Regarding claim 1: Yamaguchi discloses An application development assistance system for assisting an application development using a flow diagram, comprising:
an application file analysis unit for analyzing an input application description file and outputting application data information and module information (Yamaguchi - [0021]: The system and method preferably extract a set of information flows of an application, which can be used in vulnerability detection in addition to providing details for code analytics. [0022]: Each information flow is preferably a high-level flow model of multiple data flows that traces a vulnerable set of data through either the entire application code, or through a specified domain of the code);
a data importance level judgment unit for deciding importance levels of data exchanged between modules on the basis of the application data information (Yamaguchi - [0039]: Code analysis and interpretation can detect certain parts of the code that have some implications on the data type, handling of data, and interactions with outside systems or code);
a security function disposal position judgment unit for deciding disposal positions of security functions on the basis of data importance level information decided by the data importance level judgment unit, the exploitability score of each module decided by the module exploitability judgment unit, and security measure information read out from a security measure information database (Yamaguchi - [0079]: detecting data vulnerabilities may identify the location, type, the level of exposure, and the potential security risk of data vulnerability. detecting data vulnerabilities may include determining policy violations by evaluating flow descriptions of the information flows. [0083]: The flow description of the security policy preferably specifies patterns of information flows that should be reported as possible instances of vulnerabilities).
However, Yamaguchi does not explicitly teach, but Mishra discloses: a module exploitability judgment unit for deciding an exploitability score of each module on the basis of the module information and exploitability information read out from a module exploitability database (Mishra – [0059]: FIG. 3, a flowchart illustrating a process for calculating software vulnerability exploitability scores. [0060]: The process begins when the computer retrieves vulnerability information corresponding to a software package to be installed (i.e., prior to installation) on a data processing system from a plurality of software vulnerability data sources via a network (step 302)).

It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Yamaguchi with Mishra so that software vulnerability exploitability scores are calculated based on the retrieved vulnerability information. The modification would have allowed the system to obtain an exploitability score based on the retrieved information for further analysis.
Regarding claim 6: this claim defines a method claim that corresponds to system claim 1 and does not define anything beyond the limitations of claim 1. Therefore, claim 6 is rejected with the same rationale as in the rejection of claim 1.

Allowable Subject Matter
Claims 2-5 and 7-10 are objected to as being dependent upon a rejected base claim, but would be allowable if the rejections under 35 U.S.C. 112(b) set forth in this Office action are overcome and if rewritten in independent form including all of the limitations of the base claim and any intervening claims. The reason for allowance will be furnished upon allowance of the application.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Wade et al. (Pub. No.: US 2013/0091543) - System and method for creating secure applications
HERCOCK et al. (Pub. No.: US 2022/0027477) - Detecting vulnerable software systems 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MENG LI whose telephone number is (571)272-8729.  The examiner can normally be reached on M-F 8:30-5:30.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s acting supervisor, Kristine Kincaid can be reached on (571) 272-4063.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8729.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/MENG LI/
Primary Examiner, Art Unit 2437